Sometimes a password will be too long or complex to crack. In that case, you could instead try to pass the hash. In this type of attack, when you log on to the target operating system or application, you provide the user name and the hash of the password rather than the password itself. You obtain the hash by inducing the operating system or application to dump its stored hashes from RAM, the Windows Registry, or a credentials file. Metasploit has many hashdump-related modules you can use against Linux, Windows, applications, and other platforms. Most of them are post modules that you run after you have compromised the target and obtained a Meterpreter prompt. Here are a few for collecting hashes:

post/windows/gather/smart_hashdump
post/linux/gather/hashdump
post/pro/multi/gather/hashdump
post/windows/gather/credentials/domain_hashdump
post/windows/gather/credentials/mssql_local_hashdump
post/windows/gather/credentials/skype
post/windows/gather/credentials/avira_password
post/windows/gather/credentials/mcafee_vse_hashdump
Dumping hashes

Note: To obtain a complete list of hashdump-related Metasploit tools, conduct a search at the Metasploit console, such as search hash platform:windows.

Once you have the hashes, there are several tools you can use to test whether they are usable, to pass them, or to crack them, including:

  • Metasploit modules exploit/windows/smb/psexec and auxiliary/scanner/smb/smb_login
  • Hydra
  • Medusa
  • Veil-Catapult
Pass the hash attack

Passing the hash does not work in all cases. For example, Windows Defender Credential Guard protects against this: with it enabled, you would not even be able to pass the Administrator hash, and you would need to turn off Windows Defender Credential Guard first. Separately, if Windows Defender Credential Guard is not running on the target, you might still have to edit the Registry. Windows operating systems starting with Vista have a User Account Control (UAC) policy setting that disallows other local administrators from running privileged tasks across the network. If you want to pass the hash of another local admin, you could disable the restriction by navigating in the Registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and creating a DWORD entry named LocalAccountTokenFilterPolicy with a value of 1.

Note: For information about disabling Windows Defender Credential Guard, see https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage.

Note: For an interesting article on disabling the LocalAccountTokenFilterPolicy, see http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
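The following PowerShell check is an added example and is not from the original page or from the Metasploit project. It audits a host for the two conditions described above from a defender's side: whether LocalAccountTokenFilterPolicy has been set to 1 (UAC remote restriction removed) and whether Credential Guard is running. It assumes an elevated PowerShell session on the host being checked, and that the Win32_DeviceGuard class reports SecurityServicesRunning with the value 1 meaning Credential Guard.

```powershell
# Added example (not from the original page): audit one Windows host for the
# two controls the text discusses. Assumes an elevated session on that host.
function Get-PassTheHashExposure {
    [CmdletBinding()]
    param()

    # 1. UAC remote restriction. A DWORD LocalAccountTokenFilterPolicy = 1 under
    #    this key removes the restriction on other local admins doing privileged
    #    work over the network; absent or 0 means the restriction is in force.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $filterPolicy = (Get-ItemProperty -Path $policyKey `
        -Name 'LocalAccountTokenFilterPolicy' `
        -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $remoteRestriction = if ($filterPolicy -eq 1) {
        'Disabled (LocalAccountTokenFilterPolicy = 1)'
    } else {
        'Enabled (value absent or 0)'
    }

    # 2. Credential Guard. Assumption: Win32_DeviceGuard exposes
    #    SecurityServicesRunning, where 1 means Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # Report. "Exposed" here means both protections the text names are off.
    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy = $filterPolicy
        UacRemoteRestriction          = $remoteRestriction
        CredentialGuardRunning        = $cgRunning
        ExposedToLocalAdminPtH        = (($filterPolicy -eq 1) -and (-not $cgRunning))
    }
}

Get-PassTheHashExposure | Format-List
```

To restore the UAC remote restriction on a host that reports it disabled, set the value back to 0 or delete it (for example, Set-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -Value 0), then re-run the check.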