Welcome to Logos Red, I go bylogos and:
Want to pass compromised Windows credentials around?
In this guide we’ll take a look at “Pass the password/ Pass the Hash” attacks and how we can leverage a simple password to owning a domain. To do so we’ll use a tool called “crackmapexec” under Kali Linux.
Don’t worry, I made it as simple as I could. Anyone can follow along.
My Promise
This post will finally end your meaningless search for a valid answer, and you will leave with knowing how to use crackmapexec.
If there are still any questions left, let me know so I can add it to help the next person who will arrive here.
My Goal
To help you improve in less time than it took me and to make sure you leave with what I promised.
I want you to join our community and for this to be a place that you revisit often.
Requirements
- An Active Directory lab, such as the one I built here: How To Set Up a Kali Linux Active Directory Hacking Lab
- A Kali Linux Machine: How to Import Kali Linux Into QEMU/KVM
Previous Attacks
- How To Perform an LLMNR Poisoning Attack Using Kali Linux
- How To Perform an SMB Relay Attack Using Kali Linux
- How to Attack Active Directory IPv6 DNS with mitm6 & Kali Linux
- Active Directory Enumeration Guide: BloodHound & PowerView
What are we covering?
This is meant for the period in an assessment where you’ve managed to gain a password or a hash but you don’t know how to advance. Maybe you’ve done so through LLMNR Poisoning, mitm6, OSINT or phishing.

The simplest way to do so is to just pass the password/hash around. You take the credentials you have and you see if they work on any other machine.
Administrators often reuse passwords on different machines and this simple attack could land you a few different accounts.
Crackmapexec is designed to do exactly that.
Crackmapexec
It should be automatically installed on Kali Linux, if not run the following:
sudo apt install crackmapexec
Pass the Password
You can run the following command to perform a “Pass the Password” attack:
crackmapexec smb <IP_ADDRESS> -u <compromised_user> -d <domain> -p <compromised_password>
You can of course use CIDR notation to attack the whole subnet instead of just a single IP.
What is CIDR notation?
CIDR notation is just a simple way to express how a network is structured. Here are some videos on subnetting from NetworkChuck that explains it: what is an IP Address? // You SUCK at Subnetting // EP 1

If you see “Pwn3d!” it means that the attack has worked. But you might get false positives, such as:

We get a “[+]” but no “Pwn3d!” which usually indicates a false positive as 192.168.122.155 is the domain controller.
Can’t win that easily sometimes.
If you get a “Pwn3d!” you can dump the local SAM hashes by adding –sam at the end.

Pass the Hash
Sometimes we can’t crack the password as it might be too complex. But that doesn’t stop us from trying to pass the hash around.
We can do so with the following command:
crackmapexec smb <IP_ADDRESS> -u "<LOCAL_USER>" -H <COMPROMISED_HASH> --local-auth

Unfortunately we once again don’t win that easily. But this is a really powerful attack and if done right could land you a network.
PSExec
If you’ve managed to pwn some machines on a network the next move is to try PSExec with the hash that you’ve got.
PSExec will attempt to run a .exe so that it can give you a reverse shell on the machine.
The following command will do exactly that:
impacket-psexec <LOCAL_USER>@<IP_ADDRESS> -hashes <COMPROMISED_HASH>

Not bad, although this is isn’t realistic. I had to edit some registry values and disable the antivirus to get this.
Can’t win that easily against Windows Defender.
But you might encounter somebody that has disabled their antivirus. Or runs some old version of Windows.
Make sure to always check.
Mitigations
Privilege Access Management
There are certain enterprise solutions that help mitigate these attacks by rotating passwords, and checking in/out accounts when needed.
Solutions such as BeyondTrust, LastPass Enterprise or CyberArk can prove very helpful in mitigating these attacks.
Utilize Strong Passwords
This step will ensure that local passwords can’t be cracked to further aid lateral movement.
Preferably generated through a password manager such as Bitwarden: https://bitwarden.com
Which should improve both employee satisfaction due to ease of use and also improve the company’s security.
Limit account re-use
Make sure that you do not reuse local administrator passwords. This step will completely stop “Pass the Hash” attacks.
Conclusion
To wrap up, we’ve covered how to execute “Pass the Password” and “Pass the Hash” attacks using crackmapexec on Kali Linux, allowing us to take advantage of compromised credentials to move laterally across a network.
First, we walked through installing and running crackmapexec for “Pass the Password,” using simple commands to check multiple machines for reused credentials.
Next, we tackled “Pass the Hash” for situations where passwords are too complex to crack but hashes are available. Lastly, we explored using PSExec for more advanced post-exploitation scenarios, including creating reverse shells.
As always, implement strong security practices like Privilege Access Management, unique passwords, and avoiding account reuse to protect against these attacks.
More Resources
If you didn’t understand something or you need some help, we have our own Discord community and I currently offer free coaching.
You can also leave us some feedback with what you did not understand and we will make sure to correct it.




