CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
Usage
Running cme --help will list general options and protocols that are available (Notice the 'protocols' section below):
#~ crackmapexec --helpusage:cme [-h] [-v] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose] {http,smb,mssql}... ______ .______ ___ ______ __ ___ .___ ___. ___ .______ _______ ___ ___ _______ ______
/ || _ \ / \ / || |/ / | \/ | / \ | _ \ | ____|\ \ / / | ____| / |
| ,----'| |_) | / ^ \ | ,----'| ' / | \ / | / ^ \ | |_) | | |__ \ V / | |__ | ,----'
| | | / / /_\ \ | | | < | |\/| | / /_\ \ | ___/ | __| > < | __| | |
| `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----.
\______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______|
AswissarmyknifeforpentestingnetworksForgedby@byt3bl33d3rusingthepowahofdankmemesVersion:4.0.0devCodename:'Sercurty'optionalarguments:-h,--helpshowthishelpmessageandexit-v,--versionshowprogram's version number and exit -t THREADS set how many concurrent threads to use (default: 100) --timeout TIMEOUT max timeout in seconds of each thread (default: None) --jitter INTERVAL sets a random delay between each connection (default: None) --darrell give Darrell a hand --verbose enable verbose outputprotocols: available protocols {http,smb,mssql} http own stuff using HTTP(S) smb own stuff using SMB and/or Active Directory mssql own stuff using MSSQL and/or Active Directory
Target Formats
Every protocol supports targets by CIDR notation(s), IP address(s), IP range(s), hostname(s), a file containing a list of targets or combination of all of the latter:
crackmapexec <protocol> ms.evilcorp.org
crackmapexec <protocol>192.168.1.0192.168.0.2
crackmapexec <protocol>192.168.1.0/24
crackmapexec <protocol>192.168.1.0-2810.0.0.1-67
crackmapexec <protocol> ~/targets.txt
Using Credentials
Every protocol supports using credentials in one form or another. For details on using credentials with a specific protocol, see the appropriate wiki section. Generally speaking, to use credentials, you can run the following commands:
βΉοΈ By default CME will exit after a successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found. Usefull for spraying a single password against a large user list.
