If we download the tool and test it, we find a single binary which, when called with the -h option, shows us the help. This binary gives us all the functionality of the different binaries that made up the Pass-the-Hash Toolkit, plus some new features we did not have until now, such as keeping a continuously updated on-screen list of the users who have an active logon, much in the style of the Linux "watch" command.
Focusing on the options that are most directly useful for carrying out pass-the-hash, we must first obtain the hash of the user we want to impersonate. There are a variety of ways to do this, but to give an example already used in our previous post, we could do it with the hashdump command of Meterpreter:
Once we have the hash (one way or another), we just have to call wce.exe with the -s option to replace our current hash in memory with the new one, and in this way assume that identity:
wce.exe -s User:Domain:LMHash:NTHash
Once this is done, we can verify that the credentials have been successfully changed with the -l option:
Once this is done, we can use any tool that authenticates through Windows (for example, shares) to access other computers with the credentials of the user whose hash we had obtained. We can see a demonstration of this in our previous post.
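From the defender's side, the -s invocation described above leaves a recognizable argument shape in process-creation logs. The following is an added example, not part of the original post or of WCE: it flags command lines carrying a User:Domain:LMHash:NTHash argument even when the binary has been renamed, and redacts the hashes before alerting. The function names and the sample command lines are constructed for illustration, and it assumes command lines are available as plain strings.

```python
import re

# Argument shape from the post: User:Domain:LMHash:NTHash.
# LM and NT hashes are 16 bytes each, i.e. 32 hex digits per field.
HASH_ARG = re.compile(
    r"(?<![^\s\"'])(?P<user>[^\s:\"']+):(?P<domain>[^\s:\"']+):"
    r"[0-9A-Fa-f]{32}:[0-9A-Fa-f]{32}(?![^\s\"'])"
)
SWITCH_S = re.compile(r"(?<!\S)-s(?!\S)")        # the -s option as a lone token
IMAGE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')   # first token, quoted or not


def inspect(cmdline):
    """Return a finding dict for one command line, or None if it is clean."""
    m = HASH_ARG.search(cmdline)
    if m is None:
        return None
    img = IMAGE.match(cmdline)
    image = (img.group(1) or img.group(2)) if img else ""
    basename = re.split(r"[\\/]", image)[-1].lower()
    return {
        "user": m.group("user"),
        "domain": m.group("domain"),
        "switch_s": bool(SWITCH_S.search(cmdline)),
        # The name is only a hint: the argument shape matters more.
        "image_is_wce": basename in ("wce.exe", "wce"),
        # Never copy credential material into an alert or ticket.
        "redacted": HASH_ARG.sub(
            lambda x: f"{x.group('user')}:{x.group('domain')}:<LM>:<NT>", cmdline
        ),
    }


def scan(cmdlines):
    """Return (index, finding) pairs for every suspicious command line."""
    hits = ((i, inspect(c)) for i, c in enumerate(cmdlines))
    return [(i, f) for i, f in hits if f is not None]


# Constructed sample input (not real logs, users, or hashes).
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\cmd.exe /c dir',
    r'C:\Temp\wce.exe -s alice:CORP:00112233445566778899AABBCCDDEEFF:FFEEDDCCBBAA99887766554433221100',
    r'"C:\Users\Public\svchost32.exe" -s bob:LAB:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210',
    r'C:\Temp\wce.exe -l',
    r'backup.exe --id a:b:1234:5678',
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_CMDLINES):
        print(idx, finding)
```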
One of the great advantages that I see in this tool over the Pass-the-Hash Toolkit, apart from the convenience of having all the functionality in a single binary and the extra functions it offers, is that it seems to have much improved recognition of the type of system it runs on (either that, or Hernán has included the addresses for a Spanish-language Windows XP).
If you remember, in the presentation we gave at the FIST we commented that the Pass-the-Hash Toolkit had to know which memory addresses it should read the hashes from and write them to, and that although it had a series of them hardcoded, for a Spanish-language Windows XP they had to be provided by hand through the -a option, since they were not included by default. There were several questions about this process, so we ended up publishing another post on how to get these addresses for your system.
Well, with WCE this previous step will not be necessary; we do not know whether that is because Hernán has included a broader list of addresses or because the tool has a search mechanism that obtains these addresses by itself.
Source: Pentester

