Invoke-TheHash is a PowerShell module providing utilities to perform “Pass-the-Hash” style remote operations over WMI and SMB by supplying NTLM hashes instead of plaintext passwords. The project includes multiple scripts/modules (Invoke-WMIExec, Invoke-SMBExec, Invoke-SMBEnum, Invoke-SMBClient, and a wrapper, Invoke-TheHash) so operators can choose enumeration, file access, or command execution modes. It uses .NET’s TcpClient for direct SMB/WMI connections and performs authentication by inserting an NTLM hash into the NTLMv2 protocol flow. The module supports both local accounts and domain accounts (via a domain parameter), and it accepts hashes in either LM:NTLM or NTLM-only format. For command execution, it can create services on remote hosts (SMBExec style) or use WMI class methods. Because it works over network protocols rather than relying on built-in Windows clients, it can bypass some limitations or restrictions in constrained environments.
Features
- Threaded / asynchronous execution over large IP ranges to speed multi-target operations
- Built-in detection evasion (e.g. randomizing timing, jitter, port hopping)
- Logging and audit mode to record which targets succeeded/failed and why
- Integration with credential stores or hash vaults instead of requiring manual hash input
- Support for SMB signing negotiation / fallback when target requires signing
- Modular plugin hooks so new transports (e.g. RPC, DCOM) could be added later