S3cur3Th1sSh1t / WinPwn

Automation for internal Windows Penetration Test / AD-Security
BSD 3-Clause "New" or "Revised" License

I am unable to get NTLM Hashes using Inveigh using WinPwn #44

Open IAMinZoho opened 2 years ago

IAMinZoho commented 2 years ago

I did check the directory but no file is created. Nothing that shows the NTLM hashes. I tried editing the Invoke-Inveigh command with FileOutput -Disabled but still couldn't make it work. Are there any logs that I can share? I did see that the Inveigh module of WinPwn would open a new PS script process, but going through some earlier issues (posted on GitHub), I learned that the AMSI bypass was not getting applied to Inveigh. So I assume that Inveigh loads and runs in the existing PS session, but still I am unable to get the NTLM hashes. No output file in the directory.

Any help would be greatly appreciated!

S3cur3Th1sSh1t commented 2 years ago

It’s not loaded in a new PowerShell process anymore. I did change that, so it’s running in the current process where the AMSI bypass definitely was applied before.

I cannot troubleshoot that for you, as I don’t know if any hashes were gathered at all. 🤷‍♂️ Maybe there were no incoming connections?

IAMinZoho commented 2 years ago

Thanks for replying. I did start 2 Inveigh sessions, one from Robertson's repo and the other from WinPwn. The screenshot is from a Win 10 PC - MNPC1 (192.168.200.20) and on a domain controller - MNDC (192.168.200.2), I tried accessing MNPC1 in 2 ways from MNDC:

  1. from the Run window --> \\192.168.200.20
  2. from a browser window --> http://192.168.200.20

I did get NTLM hashes on Inveigh session from Robertson, but not on the WinPwn session:

[screenshot]

Please let me know if I can share any other details.

S3cur3Th1sSh1t commented 2 years ago

What if you use -ConsoleOutput No in Inveigh? Because I’m using that in WinPwn, as you can see on the screenshot the output directory is a subdirectory of your desktop folder. The hashes should be there in a text file.

S3cur3Th1sSh1t commented 2 years ago

WinPwn just doesn’t print the hashes out in the console window. Can you verify that the hashes are in a text file in the screenshot folder?

IAMinZoho commented 2 years ago

Thanks for taking the time. Yes, I did check the output directory for WinPwn but could not find any text files. As per your instructions, I did use the same configuration on Inveigh.ps1: Invoke-Inveigh -ConsoleOutput N -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -FileOutput Y

I got the text files, please check the screenshot:

[screenshot]