<aside> 📌 Summary
</aside>
During an Active Directory assessment, gaining a shell isn't always required, so you don't always need to focus too much on it.
From an NTLMv1 hash or simply a password, we can use the exploit/windows/smb/psexec module from msfconsole to obtain a shell. Note that the SMBPass option accepts hashes as well as passwords.
The psexec tool from https://github.com/fortra/impacket (psexec.py) gives a limited shell. The domain can be written partially or fully: ORB, orb and ORB.local all work.
psexec.py orb/lkisaka:"Password1"@192.168.149.178
You can also leave the password blank so that it is prompted for later, for example when the password should not be stored in a string.
psexec.py orb/lkisaka:@192.168.149.178
The tool can also authenticate with hashes via the -hashes flag.
psexec.py orb/lkisaka@192.168.149.178 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
Know that if psexec gets caught, you can use alternative tools that work in exactly the same way, like wmiexec or smbexec.
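A defender's view of the same tooling, added here as an example (it is not from this page nor from impacket): the script parses constructed, one-line renderings of Windows System-log "service installed" records (Event ID 7045) and flags the service names and image paths typical of Sysinternals PsExec, psexec.py and smbexec. The pipe-separated field layout and the matching heuristics are assumptions chosen for the example, not a fixed log format.

```python
import re
from dataclasses import dataclass

# Constructed sample of Event ID 7045 (service installed) records, flattened to
# "7045|host=...|ServiceName=...|ImagePath=...|Account=..." lines. Not real logs.
SAMPLE_7045 = [
    "7045|host=DC01|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\\PSEXESVC.exe|Account=LocalSystem",
    "7045|host=WS07|ServiceName=kGvQ|ImagePath=%systemroot%\\oZvQ.exe|Account=LocalSystem",
    "7045|host=WS07|ServiceName=BTOBTO|ImagePath=%COMSPEC% /Q /c echo dir ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat|Account=LocalSystem",
    "7045|host=WS07|ServiceName=Sysmon64|ImagePath=C:\\Windows\\Sysmon64.exe|Account=LocalSystem",
]

# Heuristics (assumptions for this example):
#  - PSEXESVC is the default service name of Sysinternals PsExec.
#  - psexec.py-style: a short random-looking service name whose image is an .exe
#    dropped directly into %SystemRoot% (i.e. the ADMIN$ share).
#  - smbexec-style: a cmd.exe one-liner that echoes command output to a loopback share.
RE_RANDOM_NAME = re.compile(r"^[A-Za-z]{4}$")
RE_ROOT_EXE = re.compile(r"^%systemroot%\\[A-Za-z]+\.exe$", re.IGNORECASE)
RE_SMBEXEC_CMD = re.compile(r"%COMSPEC%.*echo.*\\\\127\.0\.0\.1\\", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    service: str
    reason: str


def parse_7045(line):
    """Return a dict of fields for a 7045 record, or None for any other event."""
    fields = line.split("|")
    if fields[0] != "7045":
        return None
    return dict(f.split("=", 1) for f in fields[1:])


def classify(rec):
    """Return a human-readable reason if the service install looks like remote-exec tooling."""
    name, image = rec.get("ServiceName", ""), rec.get("ImagePath", "")
    if name.upper() == "PSEXESVC":
        return "Sysinternals PsExec default service name"
    if RE_SMBEXEC_CMD.search(image):
        return "command-shell service writing output to a loopback share (smbexec-style)"
    if RE_RANDOM_NAME.match(name) and RE_ROOT_EXE.match(image):
        return "random 4-letter service running an .exe dropped in %SystemRoot% (psexec.py-style)"
    return None


def scan(lines):
    """Scan flattened event lines and return one Finding per suspicious service install."""
    findings = []
    for line in lines:
        rec = parse_7045(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec.get("host", "?"), rec["ServiceName"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_7045):
        print(f"{f.host}: service '{f.service}' flagged: {f.reason}")
```

Only the three tool-generated services are flagged; the legitimate Sysmon64 install passes, which is the false-positive check such a rule needs before it goes into a SIEM.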
<aside> 💡 Note: it may just be me, but those other tools often do not work…
</aside>