{
	"id": "272939f0-5c8e-4ed7-9ed2-cb4010d4cac5",
	"created_at": "2026-04-06T00:08:56.678869Z",
	"updated_at": "2026-04-10T03:20:44.952668Z",
	"deleted_at": null,
	"sha1_hash": "2e5cbff9ee1b906f4d5e411baedaef210112d570",
	"title": "GitHub - Kevin-Robertson/Invoke-TheHash: PowerShell Pass The Hash Utils",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 215692,
	"plain_text": "GitHub - Kevin-Robertson/Invoke-TheHash: PowerShell Pass The\r\nHash Utils\r\nBy Kevin-Robertson\r\nArchived: 2026-04-05 18:44:32 UTC\r\nInvoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and\r\nSMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM\r\nhash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.\r\nRequirements\r\nMinimum PowerShell 2.0\r\nImport\r\nImport-Module ./Invoke-TheHash.psd1\r\nor\r\n. ./Invoke-WMIExec.ps1\r\n. ./Invoke-SMBExec.ps1\r\n. ./Invoke-SMBEnum.ps1\r\n. ./Invoke-SMBClient.ps1\r\n. ./Invoke-TheHash.ps1\r\nFunctions\r\nInvoke-WMIExec\r\nInvoke-SMBExec\r\nInvoke-SMBEnum\r\nInvoke-SMBClient\r\nInvoke-TheHash\r\nInvoke-WMIExec\r\nWMI command execution function.\r\nParameters:\r\nTarget - Hostname or IP address of target.\r\nUsername - Username to use for authentication.\r\nhttps://github.com/Kevin-Robertson/Invoke-TheHash\r\nPage 1 of 8\n\nDomain - Domain to use for authentication. This parameter is not needed with local accounts or when\r\nusing @domain after the username.\r\nHash - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM\r\nformat.\r\nCommand - Command to execute on the target. If a command is not specified, the function will just check\r\nto see if the username and hash has access to WMI on the target.\r\nSleep - Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds.\r\nExample:\r\nInvoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Command \"command or launcher to execute\" -verbose\r\nScreenshot:\r\nInvoke-SMBExec\r\nSMB (PsExec) command execution function supporting SMB1, SMB2.1, with and without SMB signing.\r\nParameters:\r\nTarget - Hostname or IP address of target.\r\nUsername - Username to use for authentication.\r\nDomain - Domain to use for authentication. This parameter is not needed with local accounts or when\r\nusing @domain after the username.\r\nHash - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM\r\nformat.\r\nCommand - Command to execute on the target. If a command is not specified, the function will just check\r\nto see if the username and hash has access to SCM on the target.\r\nhttps://github.com/Kevin-Robertson/Invoke-TheHash\r\nPage 2 of 8\n\nCommandCOMSPEC - Default = Enabled: Prepend %COMSPEC% /C to Command.\r\nService - Default = 20 Character Random: Name of the service to create and delete on the target.\r\nSleep - Default = 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds.\r\nVersion - Default = Auto: (Auto,1,2.1) Force SMB version. The default behavior is to perform SMB\r\nversion negotiation and use SMB2.1 if supported by the target.\r\nExample:\r\nInvoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Command \"command or launcher to execute\" -verbose\r\nExample:\r\nCheck SMB signing requirements on target. Invoke-SMBExec -Target 192.168.100.20\r\nScreenshot:\r\nInvoke-SMBEnum\r\nInvoke-SMBEnum performs User, Group, NetSession and Share enumeration tasks over SMB2.1 with and\r\nwithout SMB signing.\r\nParameters:\r\nTarget - Hostname or IP address of target.\r\nUsername - Username to use for authentication.\r\nDomain - Domain to use for authentication. This parameter is not needed with local accounts or when\r\nusing @domain after the username.\r\nHash - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM\r\nformat.\r\nAction - (All,Group,NetSession,Share,User) Default = Share: Enumeration action to perform.\r\nGroup - Default = Administrators: Group to enumerate.\r\nhttps://github.com/Kevin-Robertson/Invoke-TheHash\r\nPage 3 of 8\n\nSleep - Default = 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds.\r\nVersion - Default = Auto: (Auto,1,2.1) Force SMB version. The default behavior is to perform SMB\r\nversion negotiation and use SMB2.1 if supported by the target. Note, only the signing check works with\r\nSMB1.\r\nExample:\r\nInvoke-SMBEnum -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -verbose\r\nScreenshot:\r\nInvoke-SMBClient\r\nSMB client function supporting SMB2.1 and SMB signing. This function primarily provides SMB file\r\nshare capabilities for working with hashes that do not have remote command execution privilege. This\r\nfunction can also be used for staging payloads for use with Invoke-WMIExec and Invoke-SMBExec. Note\r\nthat Invoke-SMBClient is built on the .NET TCPClient and does not use the Windows SMB client. Invoke-SMBClient is much slower than the Windows client.\r\nParameters:\r\nUsername - Username to use for authentication.\r\nhttps://github.com/Kevin-Robertson/Invoke-TheHash\r\nPage 4 of 8\n\nDomain - Domain to use for authentication. This parameter is not needed with local accounts or when\r\nusing @domain after the username.\r\nHash - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM\r\nformat.\r\nAction - Default = List: (List/Recurse/Delete/Get/Put) Action to perform.\r\n1. List: Lists the contents of a directory.\r\n2. Recurse: Lists the contents of a directory and all subdirectories.\r\n3. Delete: Deletes a file.\r\n4. Get: Downloads a file.\r\n5. Put: Uploads a file and sets the creation, access, and last write times to match the source file.\r\nSource\r\n1. List and Recurse: UNC path to a directory.\r\n2. Delete: UNC path to a file.\r\n3. Get: UNC path to a file.\r\n4. Put: File to upload. If a full path is not specified, the file must be in the current directory.\r\nWhen using the 'Modify' switch, 'Source' must be a byte array.\r\nDestination\r\n1. List and Recurse: Not used.\r\n2. Delete: Not used.\r\n3. Get: If used, value will be the new filename of downloaded file. If a full path is not specified,\r\nthe file will be created in the current directory.\r\n4. Put: UNC path for uploaded file. The filename must be specified.\r\nModify\r\n1. List and Recurse: The function will output an object consisting of directory contents.\r\n2. Delete: Not used.\r\n3. Get: The function will output a byte array of the downloaded file instead of writing the file to\r\ndisk. It's advisable to use this only with smaller files and to send the output to a variable.\r\n4. Put: Uploads a byte array to a new destination file.\r\nNoProgress - Prevents displaying an upload and download progress bar.\r\nSleep - Default = 100 Milliseconds: Sets the function's Start-Sleep values in milliseconds.\r\nVersion - Default = Auto: (Auto,1,2.1) Force SMB version. The default behavior is to perform SMB\r\nversion negotiation and use SMB2.1 if supported by the target. Note, only the signing check works with\r\nSMB1.\r\nExample:\r\nList the contents of a root share directory.\r\nInvoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Source \\\\server\\share -verbose\r\nExample:\r\nhttps://github.com/Kevin-Robertson/Invoke-TheHash\r\nPage 5 of 8\n\nRecursively list the contents of a share starting at the root.\r\nInvoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Action Recurse -Source \\\\server\\share\r\nExample:\r\nRecursively list the contents of a share subdirectory and return only the contents output to a variable.\r\n$directory_contents = Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Action Recurse -Source \\\\server\\share\\subdirectory -Modify\r\nExample:\r\nDelete a file on a share.\r\nInvoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Action Delete -Source \\\\server\\share\\file.txt\r\nExample:\r\nDelete a file in subdirectories within a share.\r\nInvoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Action Delete -Source\r\n\\\\server\\share\\subdirectory\\subdirectory\\file.txt\r\nExample:\r\nDownload a file from a share.\r\nInvoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\\\server\\share\\file.txt\r\nExample:\r\nDownload a file from within a share subdirectory and set a new filename.\r\nInvoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\\\server\\share\\subdirectory\\file.txt -Destination\r\nfile.txt\r\nExample:\r\nDownload a file from a share to a byte array variable instead of disk.\r\n$password_file = Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Action Get -Source \\\\server\\share\\file.txt -Modify\r\nExample:\r\nhttps://github.com/Kevin-Robertson/Invoke-TheHash\r\nPage 6 of 8\n\nUpload a file to a share subdirectory.\r\nInvoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Action Put -Source file.exe -Destination\r\n\\\\server\\share\\subdirectory\\file.exe\r\nExample:\r\nUpload a file to share from a byte array variable.\r\nInvoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash\r\nF6F38B793DB6A94BA04A52F1D3EE92F0 -Action Put -Source $file_byte_array -Destination\r\n\\\\server\\share\\file.txt -Modify\r\nScreenshot:\r\nInvoke-TheHash\r\nFunction for running Invoke-TheHash functions against multiple targets.\r\nParameters:\r\nType - Sets the desired Invoke-TheHash function. Set to either SMBClient, SMBEnum, SMBExec, or\r\nWMIExec.\r\nTarget - List of hostnames, IP addresses, CIDR notation, or IP ranges for targets.\r\nTargetExclude - List of hostnames, IP addresses, CIDR notation, or IP ranges to exclude from the list or\r\ntargets.\r\nPortCheckDisable - (Switch) Disable WMI or SMB port check. Since this function is not yet threaded, the\r\nport check serves to speed up he function by checking for an open WMI or SMB port before attempting a\r\nfull synchronous TCPClient connection.\r\nPortCheckTimeout - Default = 100: Set the no response timeout in milliseconds for the WMI or SMB\r\nport check.\r\nhttps://github.com/Kevin-Robertson/Invoke-TheHash\r\nPage 7 of 8\n\nUsername - Username to use for authentication.\r\nDomain - Domain to use for authentication. This parameter is not needed with local accounts or when\r\nusing @domain after the username.\r\nHash - NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM\r\nformat.\r\nCommand - Command to execute on the target. If a command is not specified, the function will just check\r\nto see if the username and hash has access to WMI or SCM on the target.\r\nCommandCOMSPEC - Default = Enabled: SMBExec type only. Prepend %COMSPEC% /C to\r\nCommand.\r\nService - Default = 20 Character Random: SMBExec type only. Name of the service to create and delete\r\non the target.\r\nSMB1 - (Switch) Force SMB1. SMBExec type only. The default behavior is to perform SMB version\r\nnegotiation and use SMB2 if supported by the target.\r\nSleep - Default = WMI 10 Milliseconds, SMB 150 Milliseconds: Sets the function's Start-Sleep values in\r\nmilliseconds.\r\nExample:\r\nInvoke-TheHash -Type WMIExec -Target 192.168.100.0/24 -TargetExclude 192.168.100.50 -Username\r\nAdministrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0\r\nScreenshot:\r\nSource: https://github.com/Kevin-Robertson/Invoke-TheHash\r\nhttps://github.com/Kevin-Robertson/Invoke-TheHash\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/Kevin-Robertson/Invoke-TheHash"
	],
	"report_names": [
		"Invoke-TheHash"
	],
	"threat_actors": [],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e5cbff9ee1b906f4d5e411baedaef210112d570.pdf",
		"text": "https://archive.orkl.eu/2e5cbff9ee1b906f4d5e411baedaef210112d570.txt",
		"img": "https://archive.orkl.eu/2e5cbff9ee1b906f4d5e411baedaef210112d570.jpg"
	}
}