PrivEsc Question about NTLM hashes with Responder

johnsherlock
HDD-drive
User
Joined: 28.09.2024
Messages: 27
Reactions: 11
I have collected different NTLMv2 hashes (RDP, SMB).

Issue: even if I crack the password, the IP in the log name doesn't have the ports open, so I can't connect to the machine. What's the point of those NTLMv2 hashes if they can be used only from inside the network? Is there any other tool, rather than Responder, that does a more effective exploitation and provides RCE/shell?
 
It's not the NTLMv2 hash that is the issue: even if you crack a hash, if you do not have access to the service it is linked to / valid for, it is no good.
As for getting RCE or a shell, it all depends on what kind of access you have. If there's an SMB port open and you have valid credentials, you can use the impacket toolkit (psexec, wmiexec, etc.) to get a shell; if you have Win Remote Management available, you can use Evil-WinRM, and so on and so forth.

Another way those credentials could be used is to validate against a Microsoft Exchange Server or any other web application that requires AD authentication. Depending on what web apps are exposed over the internet, you can check whether there are any authenticated exploits available that you can leverage to get a reverse shell or RCE.

In the end, it all depends on how creative you can get with the information you have and what you can do with it.
 
I have attempted doing that; it appeared that most targets weren't worthy, and the ones that are have filtered ports. Very sad.
 
Well, not all targets are worthy, but sometimes you just get lucky. Just be patient and see what comes your way.
 

