Pass The Hash RDP (Windows 2012 R2)

Having read a few articles about the restricted-admin mode on RDP I decided to give this ago to make sure I had all the tools in order to use this attack.

I installed a machine with windows server 2012 R2 edition and enabled RDP.

Then I dumped the hashes from the box as shown here is metasploit using the smart_hashdump module.

Once I had got the hashes I installed xfreerdp which by default comes with the PassTheHash (PTH)option. This is the correct syntax for doing this:

And  voila, we have an RDP session by using the hash not the users password. Brilliant!!!!

Thanks all, hope you find this useful 😉


Leave a comment

Your email address will not be published. Required fields are marked *