Pass-The-Hash/whosthere

From aldeid
WHOSTHERE.EXE / WHOSTHERE-ALT.EXE

Description

This tool lists the active LSA logon sessions with NTLM credentials.

Usage

WHOSTHERE

Syntax

whosthere.exe [options]

Options

-B
Tries to find the correct addresses at run time. This is now the default.
-D
Prints debug information.
-i
Runs in an infinite loop, searching for new logon sessions every 2 seconds. Only newly found sessions are shown.
-t
Sets the interval used by the -i switch (2 seconds by default).
-o
Dumps output to a file (-o filename).
-a
Specifies the addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSESSIONLIST_COUNT_ADDR
(WARNING: if you use the wrong values, the system may crash.)

WHOSTHERE-ALT

Syntax

whosthere-alt.exe [options]

Options

-D
Prints debug information.
-i
Runs in an infinite loop, searching for new logon sessions every 2 seconds. Only newly found sessions are shown.
-t
Sets the interval used by the -i switch (2 seconds by default).
-o
Dumps output to a file (-o filename).

Example

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.
