Packages and Binaries:

passing-the-hash

This package contains modified versions of Curl, Iceweasel, FreeTDS, Samba 4, WinEXE and WMI. They are installed as executables starting with the “pth-” string.

Installed size: 13.90 MB
How to install: sudo apt install passing-the-hash

Dependencies:
  • libc6
  • libcrypt1
  • libgmp10
  • libgnutls30t64
  • libgssapi-krb5-2
  • libhogweed6t64
  • libidn2-0
  • libldap-2.5-0
  • libnettle8t64
  • librtmp1
  • libssl3t64
  • samba-common-bin
  • smbclient
  • sqsh
  • winexe
  • zlib1g
pth-curl
root@kali:~# pth-curl -h
Usage: curl [options...] <url>
 -d, --data <data>           HTTP POST data
 -f, --fail                  Fail fast with no output on HTTP errors
 -h, --help <category>       Get help for commands
 -i, --include               Include response headers in output
 -o, --output <file>         Write to file instead of stdout
 -O, --remote-name           Write output to file named as remote file
 -s, --silent                Silent mode
 -T, --upload-file <file>    Transfer local FILE to destination
 -u, --user <user:password>  Server user and password
 -A, --user-agent <name>     Send User-Agent <name> to server
 -v, --verbose               Make the operation more talkative
 -V, --version               Show version number and quit

This is not the full help, this menu is stripped into categories.
Use "--help category" to get an overview of all categories.
For all options use the manual or "--help all".

pth-net
root@kali:~# pth-net -h
Usage:
  Use 'net help rpc' to get more extensive information about 'net rpc' commands.
  Use 'net help rap' to get more extensive information about 'net rap' commands.
  Use 'net help ads' to get more extensive information about 'net ads' commands.
  Use 'net help file' to get more information about 'net file' commands.
  Use 'net help share' to get more information about 'net share' commands.
  Use 'net help session' to get more information about 'net session' commands.
  Use 'net help server' to get more information about 'net server' commands.
  Use 'net help domain' to get more information about 'net domain' commands.
  Use 'net help printq' to get more information about 'net printq' commands.
  Use 'net help user' to get more information about 'net user' commands.
  Use 'net help group' to get more information about 'net group' commands.
  Use 'net help groupmap' to get more information about 'net groupmap' commands.
  Use 'net help sam' to get more information about 'net sam' commands.
  Use 'net help validate' to get more information about 'net validate' commands.
  Use 'net help groupmember' to get more information about 'net groupmember' commands.
  Use 'net help admin' to get more information about 'net admin' commands.
  Use 'net help service' to get more information about 'net service' commands.
  Use 'net help password' to get more information about 'net password' commands.
  Use 'net help primarytrust' to get more extensive information about 'net primarytrust' commands.
  Use 'net help changetrustpw' to get more information about 'net changetrustpw'.
  net [options] changesecretpw
    Change the ADS domain member machine account password in secrets.tdb.
    Do NOT use this function unless you know what it does.
    Requires the -f flag to work.
  net -U user[%%password] [-W domain] setauthuser
    Set the auth user, password (and optionally domain
    Will prompt for password if not given.
  net setauthuser delete
    Delete the existing auth user settings.
  net getauthuser
    Get the current winbind auth user settings.
  Use 'net help time' to get more information about 'net time' commands.
  Use 'net help lookup' to get more information about 'net lookup' commands.
  Use 'net help g_lock' to get more information about 'net g_lock' commands.
  Use 'net help join' to get more information about 'net join'.
  Use 'net help offlinejoin' to get more information about 'net offlinejoin'.
  Use 'net help dom' to get more information about 'net dom' commands.
  Use 'net help cache' to get more information about 'net cache' commands.
  net getlocalsid
  net setlocalsid S-1-5-21-x-y-z
  net setdomainsid S-1-5-21-x-y-z
  net getdomainsid
  net maxrid
  Use 'net help idmap to get more information about 'net idmap' commands.
  Use 'net help status' to get more information about 'net status' commands.
  Use 'net help usershare to get more information about 'net usershare' commands.
  Use 'net help usersidlist' to get more information about 'net usersidlist'.
  Use 'net help conf' to get more information about 'net conf' commands.
  Use 'net help registry' to get more information about 'net registry' commands.
  Use 'net help eventlog' to get more information about 'net eventlog' commands.
  Use 'net help printing' to get more information about 'net printing' commands.
  Use 'net help serverid' to get more information about 'net serverid' commands.
  Use 'net help notify' to get more information about 'net notify' commands.
  Use 'net help tdb' to get more information about 'net tdb' commands.
  Use 'net help vfs' to get more information about 'net vfs' commands.
  Use 'net help witness' to get more information about 'net witness' commands.
  Use 'net help help' to list usage information for 'net' commands.

pth-rpcclient
root@kali:~# pth-rpcclient --help
Usage: rpcclient [OPTION...] BINDING-STRING|HOST
Options:
  -c, --command=COMMANDS                       Execute semicolon separated cmds
  -I, --dest-ip=IP                             Specify destination IP address
  -p, --port=PORT                              Specify port number

Help options:
  -?, --help                                   Show this help message
      --usage                                  Display brief usage message

Common Samba options:
  -d, --debuglevel=DEBUGLEVEL                  Set debug level
      --debug-stdout                           Send debug output to standard
                                               output
  -s, --configfile=CONFIGFILE                  Use alternative configuration
                                               file
      --option=name=value                      Set smb.conf option from
                                               command line
  -l, --log-basename=LOGFILEBASE               Basename for log/debug files
      --leak-report                            enable talloc leak reporting on
                                               exit
      --leak-report-full                       enable full talloc leak
                                               reporting on exit

Connection options:
  -R, --name-resolve=NAME-RESOLVE-ORDER        Use these name resolution
                                               services only
  -O, --socket-options=SOCKETOPTIONS           socket options to use
  -m, --max-protocol=MAXPROTOCOL               Set max protocol level
  -n, --netbiosname=NETBIOSNAME                Primary netbios name
      --netbios-scope=SCOPE                    Use this Netbios scope
  -W, --workgroup=WORKGROUP                    Set the workgroup name
      --realm=REALM                            Set the realm name

Credential options:
  -U, --user=[DOMAIN/]USERNAME[%PASSWORD]      Set the network username
  -N, --no-pass                                Don't ask for a password
      --password=STRING                        Password
      --pw-nt-hash                             The supplied password is the NT
                                               hash
  -A, --authentication-file=FILE               Get the credentials from a file
  -P, --machine-pass                           Use stored machine account
                                               password
      --simple-bind-dn=DN                      DN to use for a simple bind
      --use-kerberos=desired|required|off      Use Kerberos authentication
      --use-krb5-ccache=CCACHE                 Credentials cache location for
                                               Kerberos
      --use-winbind-ccache                     Use the winbind ccache for
                                               authentication
      --client-protection=sign|encrypt|off     Configure used protection for
                                               client connections

Deprecated legacy options:
  -k, --kerberos                               DEPRECATED: Migrate to
                                               --use-kerberos

Version options:
  -V, --version                                Print version

pth-smbclient
root@kali:~# pth-smbclient --help
Usage: smbclient [OPTIONS] service <password>
  -M, --message=HOST                           Send message
  -I, --ip-address=IP                          Use this IP to connect to
  -E, --stderr                                 Write messages to stderr
                                               instead of stdout
  -L, --list=HOST                              Get a list of shares available
                                               on a host
  -T, --tar=<c|x>IXFvgbNan                     Command line tar
  -D, --directory=DIR                          Start from directory
  -c, --command=STRING                         Execute semicolon separated
                                               commands
  -b, --send-buffer=BYTES                      Changes the transmit/send buffer
  -t, --timeout=SECONDS                        Changes the per-operation
                                               timeout
  -p, --port=PORT                              Port to connect to
  -g, --grepable                               Produce grepable output
  -q, --quiet                                  Suppress help message
  -B, --browse                                 Browse SMB servers using DNS

Help options:
  -?, --help                                   Show this help message
      --usage                                  Display brief usage message

Common Samba options:
  -d, --debuglevel=DEBUGLEVEL                  Set debug level
      --debug-stdout                           Send debug output to standard
                                               output
  -s, --configfile=CONFIGFILE                  Use alternative configuration
                                               file
      --option=name=value                      Set smb.conf option from
                                               command line
  -l, --log-basename=LOGFILEBASE               Basename for log/debug files
      --leak-report                            enable talloc leak reporting on
                                               exit
      --leak-report-full                       enable full talloc leak
                                               reporting on exit

Connection options:
  -R, --name-resolve=NAME-RESOLVE-ORDER        Use these name resolution
                                               services only
  -O, --socket-options=SOCKETOPTIONS           socket options to use
  -m, --max-protocol=MAXPROTOCOL               Set max protocol level
  -n, --netbiosname=NETBIOSNAME                Primary netbios name
      --netbios-scope=SCOPE                    Use this Netbios scope
  -W, --workgroup=WORKGROUP                    Set the workgroup name
      --realm=REALM                            Set the realm name

Credential options:
  -U, --user=[DOMAIN/]USERNAME[%PASSWORD]      Set the network username
  -N, --no-pass                                Don't ask for a password
      --password=STRING                        Password
      --pw-nt-hash                             The supplied password is the NT
                                               hash
  -A, --authentication-file=FILE               Get the credentials from a file
  -P, --machine-pass                           Use stored machine account
                                               password
      --simple-bind-dn=DN                      DN to use for a simple bind
      --use-kerberos=desired|required|off      Use Kerberos authentication
      --use-krb5-ccache=CCACHE                 Credentials cache location for
                                               Kerberos
      --use-winbind-ccache                     Use the winbind ccache for
                                               authentication
      --client-protection=sign|encrypt|off     Configure used protection for
                                               client connections

Deprecated legacy options:
  -k, --kerberos                               DEPRECATED: Migrate to
                                               --use-kerberos

Version options:
  -V, --version                                Print version

pth-smbget
root@kali:~# pth-smbget --help
Usage: smbget [OPTION...]
  -a, --guest                                  Work as user guest
  -e, --encrypt                                Encrypt SMB transport
  -r, --resume                                 Automatically resume aborted
                                               files
  -u, --update                                 Download only when remote file
                                               is newer than local file or
                                               local file is missing
      --recursive                              Recursively download files
  -b, --blocksize=INT                          Change number of bytes in a
                                               block
  -o, --outputfile=STRING                      Write downloaded data to
                                               specified file
      --stdout                                 Write data to stdout
  -D, --dots                                   Show dots as progress indication
  -q, --quiet                                  Be quiet
  -v, --verbose                                Be verbose
      --limit-rate=INT                         Limit download speed to this
                                               many KB/s

Help options:
  -?, --help                                   Show this help message
      --usage                                  Display brief usage message

Common Samba options:
  -d, --debuglevel=DEBUGLEVEL                  Set debug level
      --debug-stdout                           Send debug output to standard
                                               output
  -s, --configfile=CONFIGFILE                  Use alternative configuration
                                               file
      --option=name=value                      Set smb.conf option from
                                               command line
  -l, --log-basename=LOGFILEBASE               Basename for log/debug files
      --leak-report                            enable talloc leak reporting on
                                               exit
      --leak-report-full                       enable full talloc leak
                                               reporting on exit

Connection options:
  -R, --name-resolve=NAME-RESOLVE-ORDER        Use these name resolution
                                               services only
  -O, --socket-options=SOCKETOPTIONS           socket options to use
  -m, --max-protocol=MAXPROTOCOL               Set max protocol level
  -n, --netbiosname=NETBIOSNAME                Primary netbios name
      --netbios-scope=SCOPE                    Use this Netbios scope
  -W, --workgroup=WORKGROUP                    Set the workgroup name
      --realm=REALM                            Set the realm name

Credential options:
  -U, --user=[DOMAIN/]USERNAME[%PASSWORD]      Set the network username
  -N, --no-pass                                Don't ask for a password
      --password=STRING                        Password
      --pw-nt-hash                             The supplied password is the NT
                                               hash
  -A, --authentication-file=FILE               Get the credentials from a file
  -P, --machine-pass                           Use stored machine account
                                               password
      --simple-bind-dn=DN                      DN to use for a simple bind
      --use-kerberos=desired|required|off      Use Kerberos authentication
      --use-krb5-ccache=CCACHE                 Credentials cache location for
                                               Kerberos
      --use-winbind-ccache                     Use the winbind ccache for
                                               authentication
      --client-protection=sign|encrypt|off     Configure used protection for
                                               client connections

Deprecated legacy options:
  -k, --kerberos                               DEPRECATED: Migrate to
                                               --use-kerberos

Version options:
  -V, --version                                Print version

pth-sqsh
root@kali:~# pth-sqsh --help
Use: sqsh [-a count] [-A packet_size] [-b] [-B] [-c [cmdend]] [-C sql]
          [-d severity] [-D database] [-e] [-E editor] [-f severity]
          [-G TDS version] [-h] [-H hostname] [-i filename] [-I interfaces]
          [-J charset] [-k keywords] [-K keytab] [-l level|flags]
          [-L var=value] [-m style] [-n {on|off}] [-N appname] [-o filename]
          [-p] [-P [password]] [-Q query_timeout] [-r [sqshrc]]
          [-R principal] [-s colsep] [-S server] [-t [filter]]
          [-T login_timeout] [-U username] [-v] [-V [bcdimoqru]] [-w width]
          [-X] [-y directory] [-z language] [-Z [secmech]]
          [--appname        appname] [--clientapplname clientapplname]
          [--clienthostname clienthostname] [--clientname     clientname]
          [--hostname       hostname] [--help          ] [--version       ]

 -a  Max. # of errors before abort       -p  Display performance stats
 -A  Adjust TDS packet size              -P  Sybase password (NULL)
 -b  Suppress banner message on startup  -Q  Query timeout period in seconds
 -B  Turn off file buffering on startup  -r  Specify name of .sqshrc
 -c  Alias for the 'go' command          -R  Network security server principal
 -C  Send sql statement to server        -s  Alternate column separator (\t)
 -d  Min. severity level to display      -S  Name of Sybase server ($DSQUERY)
 -D  Change database context on startup  -t  Filter batches through program
 -e  Echo batch prior to executing       -T  Login timeout period in seconds
 -E  Replace default editor (vi)         -U  Name of Sybase user
 -f  Min. severity level for failure     -v  Display current version and exit
 -G  TDS version to use                  -V  Request network security services
 -h  Disable headers and footers         -w  Adjust result display width
 -H  Set the client hostname             -X  Enable client password encryption
 -i  Read input from file                -y  Override value of $SYBASE
 -I  Alternate interfaces file           -z  Alternate display language
 -J  Client character set                -Z  Network security mechanism
 -k  Specify alternate keywords file     --appname         Set application name
 -K  Network security keytab file (DCE)  --clientapplname  Set client appl name
 -l  Set debugging level                 --clienthostname  Set client host name
 -L  Set the value of a given variable   --clientname      Set client name
 -m  Set display mode                    --hostname        Set hostname
 -n  Set chained transaction mode        --help            Show help text only
 -N  Set application name (sqsh-3.0)     --version         Show version only
 -o  Direct all output to file          


pth-winexe
root@kali:~# pth-winexe -h
Usage: winexe [OPTION]... //HOST COMMAND
Options:
  -h, --help                                  Display help message
  -V, --version                               Display version number
  -U, --user=[DOMAIN/]USERNAME[%PASSWORD]     Set the network username
  -A, --authentication-file=FILE              Get the credentials from a file
  -N, --no-pass                               Do not ask for a password
  -k, --kerberos=STRING                       Use Kerberos, -k [yes|no]
  -d, --debuglevel=DEBUGLEVEL                 Set debug level
      --uninstall                             Uninstall winexe service after
                                              remote execution
      --reinstall                             Reinstall winexe service before
                                              remote execution
      --system                                Use SYSTEM account
      --profile                               Load user profile
      --convert                               Try to convert characters
                                              between local and remote
                                              code-pages
      --runas=[DOMAIN\]USERNAME%PASSWORD      Run as the given user (BEWARE:
                                              this password is sent in
                                              cleartext over the network!)
      --runas-file=FILE                       Run as user options defined in a
                                              file
      --interactive=0|1                       Desktop interaction: 0 -
                                              disallow, 1 - allow. If allow,
                                              also use the --system switch
                                              (Windows requirement). Vista
                                              does not support this option.
      --ostype=0|1|2                          OS type: 0 - 32-bit, 1 - 64-bit,
                                              2 - winexe will decide.
                                              Determines which version (32-bit
                                              or 64-bit) of service will be
                                              installed.

pth-wmic
root@kali:~# pth-wmic --help
Usage: //host query

Example: wmic -U [domain/]adminuser%password //host "select * from Win32_ComputerSystem"
  --namespace=STRING                          WMI namespace, default to
                                              root\cimv2
  --delimiter=STRING                          delimiter to use when querying
                                              multiple values, default to '|'

Help options:
  -?, --help                                  Show this help message
  --usage                                     Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL                 Set debug level
  --debug-stderr                              Send debug output to STDERR
  -s, --configfile=CONFIGFILE                 Use alternative configuration
                                              file
  --option=name=value                         Set smb.conf option from command
                                              line
  -l, --log-basename=LOGFILEBASE              Basename for log/debug files
  --leak-report                               enable talloc leak reporting on
                                              exit
  --leak-report-full                          enable full talloc leak
                                              reporting on exit

Connection options:
  -R, --name-resolve=NAME-RESOLVE-ORDER       Use these name resolution
                                              services only
  -O, --socket-options=SOCKETOPTIONS          socket options to use
  -n, --netbiosname=NETBIOSNAME               Primary netbios name
  -W, --workgroup=WORKGROUP                   Set the workgroup name
  --realm=REALM                               Set the realm name
  -i, --scope=SCOPE                           Use this Netbios scope
  -m, --maxprotocol=MAXPROTOCOL               Set max protocol level

Authentication options:
  -U, --user=[DOMAIN\]USERNAME[%PASSWORD]     Set the network username
  -N, --no-pass                               Don't ask for a password
  --password=STRING                           Password
  -A, --authentication-file=FILE              Get the credentials from a file
  -S, --signing=on|off|required               Set the client signing state
  -P, --machine-pass                          Use stored machine account
                                              password (implies -k)
  --simple-bind-dn=STRING                     DN to use for a simple bind
  -k, --kerberos=STRING                       Use Kerberos
  --use-security-mechanisms=STRING            Restricted list of
                                              authentication mechanisms
                                              available for use with this
                                              authentication

Common samba options:
  -V, --version                               Print version

pth-wmis
root@kali:~# pth-wmis --help
Usage: //host

Example: wmis -U [domain/]adminuser%password //host cmd.exe /c dir c:\ > c:\windows\temp\output.txt 

Help options:
  -?, --help                                  Show this help message
  --usage                                     Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL                 Set debug level
  --debug-stderr                              Send debug output to STDERR
  -s, --configfile=CONFIGFILE                 Use alternative configuration
                                              file
  --option=name=value                         Set smb.conf option from command
                                              line
  -l, --log-basename=LOGFILEBASE              Basename for log/debug files
  --leak-report                               enable talloc leak reporting on
                                              exit
  --leak-report-full                          enable full talloc leak
                                              reporting on exit

Connection options:
  -R, --name-resolve=NAME-RESOLVE-ORDER       Use these name resolution
                                              services only
  -O, --socket-options=SOCKETOPTIONS          socket options to use
  -n, --netbiosname=NETBIOSNAME               Primary netbios name
  -W, --workgroup=WORKGROUP                   Set the workgroup name
  --realm=REALM                               Set the realm name
  -i, --scope=SCOPE                           Use this Netbios scope
  -m, --maxprotocol=MAXPROTOCOL               Set max protocol level

Authentication options:
  -U, --user=[DOMAIN\]USERNAME[%PASSWORD]     Set the network username
  -N, --no-pass                               Don't ask for a password
  --password=STRING                           Password
  -A, --authentication-file=FILE              Get the credentials from a file
  -S, --signing=on|off|required               Set the client signing state
  -P, --machine-pass                          Use stored machine account
                                              password (implies -k)
  --simple-bind-dn=STRING                     DN to use for a simple bind
  -k, --kerberos=STRING                       Use Kerberos
  --use-security-mechanisms=STRING            Restricted list of
                                              authentication mechanisms
                                              available for use with this
                                              authentication

Common samba options:
  -V, --version                               Print version

Updated on: 2024-May-23