This note assumes default configuration
All requirements below assume a default Windows / AD configuration, but users may have been granted special permissions (e.g., access to `ADMIN$`, member of Remote Management Users, etc.).
Here are some common ways to access a Windows host, either with a password or hash. Sometimes you just have to try a few different tools of the same kind to pivot successfully.
- SMB `ADMIN$` (need admin privileges on remote host):
- PowerShell remoting via WinRM: evil-winrm
- RDP (if RDP is enabled)
  - xfreerdp (w/ PtH support)
- SSH (if SSH service is enabled)
Also see Tools for a list of tools compatible with pass-the-hash. Since they support pass-the-hash, they also support regular password authentication.