pivot to a Windows host

This note assumes default configuration

All requirements below assume a default Windows / AD configuration, but users may have been granted special permissions (e.g., access to ADMIN$, member of Remote Management Users, etc).

Here are some common ways to access a Windows host, either with a password or hash. Sometimes you just have to try a few different tools of the same kind to pivot successfully.

• SMB ADMIN$ (need admin privileges on remote host):
  • smbexec: stealthier alternative for PsExec
    • available from either Impacket or NetExec (CME fork)
  • PsExec
• PowerShell remoting via WinRM: evil-winrm
• RDP (if RDP is enabled)
  • xfreerdp (w/ PtH support)
• SSH (if SSH service is enabled)

Also see Tools for a list of tools compatible with pass-the-hash. Since they support pass-the-hash, they also support regular password authentication.