SessionRelay
Creates a cmd.exe process as each user logon session on the remote system and connects back to a non-existent share to the host specified by -ListenerIP
. This can then be used with tools such as Inveigh or Responder to capture NTLMv2 hashes, or with ntlmrelayx to relay captured hashes.
For example, assuming the below output. We can see the remote host currently has the users standarduser and srv2019-admin within existing logon sessions. PsMapExec can force each one of these users to to connect to a non-existing share on a listener and we can capture their NTLMv1 or NTLMv2 hashes.
Supported Methods
SMB
SessionHunter (WMI)
WMI
WinRM
Optional Parameters
Usage
Before using the module, ensure a listener such as Inveigh or Responder is running. The below example covers usage for capturing hashes with Inveigh.
Last updated