These are attacks you do after you have some sort of credentials or like maybe a shell or something like that.
If we crack a password and or can dump the SAM hashes we can leverage both for lateral movments in networks.
Lets pass the password we cracked so we basically throw a cracked password and throw it around the whole subnet so we can use a tool called crackmapexec for it and with this tool we can either pass a password or even a hash around a network with username and see where these credentials fit in. Many times a lot of local adminstrator use the same kind of passwords for a lot of services and that were this thing helps us .
Basically all you gotta do is go to temrinal and do
apt install crackmapexec and its done .
So lets say we have everything running again and to use this tool we can even see the manual and everything .
And we can use —local if we wanna do it locally. There are a lot of things here .
So the syntax is
crackmapexec $IP(First 3).0/24 -u fcastle -d Marvel.local -p Password1
This tries to access SMB and see if the password works on that.If it says pwned basically it means we own the machine basically and we can use psexec.py to get access to that machine. By doing something like psexec.py we use this credentials and use the IP of the pwned computer like this
psexec.py marvel/fcastle:Password1@$IP
This is will give us a shell basically which is great and we can also use the meterpreter psexec shell using metasploit .
and in the crackmapexec we can add - - sam at the end and sometimes this doesnt work but if the machine has been pwned it will try to dump sam hashes for us. and we can do a lot lot of stuff with this tool .