During an internal penetration test you captured the NTLM hash of the local Administrator account from several Windows 10 workstations using an SMB relay attack. The customer's endpoint detection rules quarantine any new executables written to disk, so you must avoid dropping files on the target. Which approach allows you to execute commands on one of the compromised hosts while honoring this restriction?
Start a password-guessing attack against the local Administrator account until the clear-text password is discovered.
Leverage Impacket's wmiexec.py to perform a Pass-the-Hash attack over WMI and run commands in memory on the remote host.
Forge a Golden Ticket for the Administrator account and authenticate via Kerberos to obtain a remote shell.
Use PsExec with the stolen hash to install its service and open an interactive shell over SMB.
Windows Management Instrumentation (WMI) remote execution can be performed through Impacket's wmiexec.py (or similar tooling) by supplying the stolen NTLM hash instead of the clear-text password, an example of a Pass-the-Hash attack. Because WMI uses DCOM to spawn cmd.exe in memory over the network, no auxiliary binaries need to be copied to the target's file system, keeping the operation fileless.
PsExec also supports Pass-the-Hash, but it transfers and launches a temporary service executable (psexesvc) on disk, which would violate the "no file write" constraint. Brute-forcing the Administrator password would be noisy, slow and unnecessary since valid credentials are already available. A Golden Ticket attack manipulates Kerberos in a domain context and is irrelevant to local-account NTLM hashes on standalone workstations.
Certified Ethical Hacker (CEH)
System Hacking Phases and Attack Techniques