What can one do with a user’s NTHASH?

I have a valid username, domain name and an NTHASH. I do not have the password. Have kept it for cracking and responder so far did not help (wpad is blocked by policy it seems, or default IE / win11/10 setting) but in the meantime is it possible for me to use the NTHASH and enumerate usernames, domain admins. I tried ‘cme’ and it gave me some users via rid bf and password policy - that’s it.

rpcclient , despite of providing the NTHASH asks for the password

smbclient does not play ball.

Any other options to use NTHASH?

Can I do anything with the original user’s system - they use MacOS though.

Furthermore, is it possible for me to use this with bloodhound and sense where the admins are logged into and where?

Apologies for asking too many questions.

I am picking up network testing after 9 years! Everything is different, but somethings are the same. Any help/lead would be appreciated.

Thank you.

1 Like

Sorry, haven’t really looked into NTHASH all that much. Maybe HackTricks could lend a hand? (you can search directly by service you want to test or NTHASH). It’s a pretty nice resource and I recommend it. Hope someone with more knowledge can come around and help you more. Cheers and gl!

Try Pass the hash technique, for example, I found that the NT hash for the user f00 is c46b9e588fa0d112de6f59fd6d58eae3 This account is part of a group which is the local administrator of all the users’ workstations. We can replay it on another machine using the psexec.py tool.

$: psexec.py -hashes :c46b9e588fa0d112de6f59fd6d58eae3 [email protected] whoami

you can use CrackMapExec tool to automate the authentication on different targets

# Local administration account
crackmapexec smb --local-auth -u Administrateur -H 20cc650a5ac276a1cfc22fbc23beada1 10.10.0.1 -x whoami

# Domain account
crackmapexec smb -u foo -H c46b9e588fa0d112de6f59fd6d58eae3 -d 0x00.local  10.10.0.0 -x whoami
1 Like

Thank you for the replies. Appreciated.

Unfortunately, the user I have is not an administrator anywhere on any Windows system in the domain except for their own MacOS system.
My enquiry was more on the lines of how to list all users and admins etc. on the domain controller using a username and the corresponding NTHASH.

I know one can fire, net user administrators /domain
But for that one needs to be logged in using a domain account, which I am not. I just have one user’s hash.
Nevertheless I shall try the above. Thank you.