ropnop / kerbrute

A tool to perform Kerberos pre-auth bruteforcing
Apache License 2.0
2.56k stars, 410 forks

[Feature Request] Pass the Hash Support #38

Open IppSec opened 3 years ago

IppSec commented 3 years ago

It would be nice to have the ability to spray user accounts with NTLM hashes. The two main use cases I imagine for this are:

Currently, this can be done with https://github.com/3gstudent/pyKerbrute, but is an extremely hacky solution using Python2.

ropnop commented 3 years ago

Good idea! This would require a bit of a hack in gokrb5, but it can work. Basically, instead of calling client.NewWithPassword, we'll call client.NewWithKeytab and manually create a temporary keytab with the NTLM hash as the encryption key. The "hack" will just be to change the library so it can accept a raw RC4 encryption key instead of the expected plaintext password when calling AddEntry. Should have a working branch in a few days. Do you have a lab you could test in? My AD lab is down, unfortunately; I don't even have a working DC I can try kerbrute against at the moment.
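The approach sketched above works because an account's RC4-HMAC Kerberos key is its NT hash, so a client holding only the hash can still complete pre-authentication, but only with RC4 (etype 0x17). On the defender side that leaves two traces in domain controller telemetry: a burst of pre-auth failures (event 4771, failure code 0x18) from one client against many accounts, and TGT requests (event 4768) whose ticket encryption type is RC4 in a domain where accounts otherwise negotiate AES. The following Go program is an added example written for this page, not code from the kerbrute project or from anyone in this thread. It runs two such checks over constructed sample records; the pipe-separated record layout, the field order and the threshold of three accounts are assumptions made for the example, while the event IDs, failure code and encryption type values are the documented Windows values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample records, not real telemetry. Each line is a simplified
// projection of a Windows Security event, pipe separated:
// EventID|TargetUserName|IpAddress|Detail
// where Detail is TicketEncryptionType for 4768 (TGT requested) and
// Status (failure code) for 4771 (Kerberos pre-authentication failed).
const sampleLog = `4771|alice|10.0.0.5|0x18
4771|bob|10.0.0.5|0x18
4771|carol|10.0.0.5|0x18
4771|dave|10.0.0.5|0x18
4771|dave|10.0.0.9|0x18
4768|svc_backup|10.0.0.5|0x17
4768|alice|10.0.0.20|0x12
4768|bob|10.0.0.21|0x12`

type event struct {
	id, user, ip, detail string
}

// parseLog turns the simplified records into events, skipping malformed lines.
func parseLog(raw string) []event {
	var out []event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 4 {
			continue // tolerate a bad line rather than abort the whole run
		}
		out = append(out, event{f[0], f[1], f[2], f[3]})
	}
	return out
}

// SprayingSources returns client addresses that produced pre-auth failures
// with status 0x18 (KDC_ERR_PREAUTH_FAILED, i.e. wrong password or key)
// against at least minAccounts distinct accounts. One source failing against
// many different accounts is the shape of a password or hash spray.
func SprayingSources(events []event, minAccounts int) []string {
	perIP := map[string]map[string]bool{}
	for _, e := range events {
		if e.id != "4771" || e.detail != "0x18" {
			continue
		}
		if perIP[e.ip] == nil {
			perIP[e.ip] = map[string]bool{}
		}
		perIP[e.ip][e.user] = true
	}
	var hits []string
	for ip, users := range perIP {
		if len(users) >= minAccounts {
			hits = append(hits, ip)
		}
	}
	sort.Strings(hits) // deterministic order for reporting and testing
	return hits
}

// RC4TGTRequests returns "user@ip" for TGT requests whose ticket encryption
// type is 0x17 (RC4-HMAC). Because the RC4 key is the NT hash itself, a
// client that only holds the hash produces RC4 tickets even when the account
// supports AES (0x11/0x12), so RC4 in an AES-only domain is worth a look.
func RC4TGTRequests(events []event) []string {
	var hits []string
	for _, e := range events {
		if e.id == "4768" && e.detail == "0x17" {
			hits = append(hits, e.user+"@"+e.ip)
		}
	}
	return hits
}

func main() {
	events := parseLog(sampleLog)
	fmt.Println("spray sources:", SprayingSources(events, 3))
	fmt.Println("RC4 TGT requests:", RC4TGTRequests(events))
}
```

On the sample data the spray check reports only 10.0.0.5 (four distinct accounts), not 10.0.0.9 (a single failure), and the RC4 check reports the one 0x17 request. In a real environment the threshold and the time window over which failures are counted need tuning, and RC4 requests are only anomalous once accounts have actually been moved to AES.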

P4cm4n90 commented 1 year ago

Any updates on this subject? I can help with testing.

TryA9ain commented 1 year ago

I can help too.