Crackmapexec

From enumerating logged-on users and spidering SMB shares to executing psexec-style attacks, auto-injecting Mimikatz/shellcode/DLLs into memory using PowerShell, dumping the NTDS.dit and more.

This package is a swiss army knife for pentesting Windows/Active Directory environments.

OSCP: Officially allowed during the exam according to the OSCP Exam FAQ

Help

crackmapexec -h
Supported protocols: ldap ssh smb winrm mssql

Fix errors

Running crackmapexec may print this warning from the pywerview dependency. Comparing a string to a literal with `is not` tests object identity rather than equality, so the intended comparison is `!=`:

/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if result['type'] is not 'searchResEntry':

Edit the file and replace the comparison:

sudo nano /usr/lib/python3/dist-packages/pywerview/requester.py
        # Skip searchResRef
        for result in search_results:
            ### MODIFIED TO FIX CRACKMAPEXEC !!! ###
            #if result['type'] is not 'searchResEntry':
            if result['type'] != 'searchResEntry':

LDAP

Help

crackmapexec ldap -h
usage: crackmapexec ldap [-h] [-id CRED_ID [CRED_ID ...]] [-u USERNAME [USERNAME ...]] [-p PASSWORD [PASSWORD ...]] [-k] [--export EXPORT [EXPORT ...]]
                         [--aesKey AESKEY [AESKEY ...]] [--kdcHost KDCHOST] [--gfail-limit LIMIT | --ufail-limit LIMIT | --fail-limit LIMIT] [-M MODULE]
                         [-o MODULE_OPTION [MODULE_OPTION ...]] [-L] [--options] [--server {https,http}] [--server-host HOST] [--server-port PORT]
                         [--connectback-host CHOST] [-H HASH [HASH ...]] [--no-bruteforce] [--continue-on-success] [--port {636,389}]
                         [-d DOMAIN | --local-auth] [--asreproast ASREPROAST] [--kerberoasting KERBEROASTING] [--trusted-for-delegation]
                         [--password-not-required] [--admin-count] [--users] [--groups]
                         [target ...]

List modules

Use "-M <modulename>" to select a module, and "--options" to show a module's options.

crackmapexec ldap -L
[*] MAQ                       Retrieves the MachineAccountQuota domain-level attribute
[*] adcs                      Find PKI Enrollment Services in Active Directory and Certificate Templates Names
[*] get-desc-users            Get description of the users. May contained password
[*] laps                      Retrieves the LAPS passwords
[*] ldap-signing              Check whether LDAP signing is required
[*] subnets                   Retrieves the different Sites and Subnets of an Active Directory
[*] user-desc                 Get user descriptions stored in Active Directory
crackmapexec ldap -M get-desc-users --options

Use modules

crackmapexec ldap -M ldap-signing $IP

The FILTER option has not been tested here; see the LDAP filter syntax used by ldapsearch.

crackmapexec ldap $IP -u user -p password -d example.com -M get-desc-users -o FILTER="user"

Use Kerberos tickets

-k, --kerberos        Use Kerberos authentication from ccache file (KRB5CCNAME)
export KRB5CCNAME=baduser.ccache
crackmapexec ldap -k $IP

Retrieve the different Sites and Subnets of an Active Directory

crackmapexec ldap $DC_IP -u $USER -d $DOMAIN -p $PASS -M subnets

Samba

Get machine name, domain and OS.

crackmapexec smb $IP

--no-bruteforce: no spraying when a file is used for usernames and passwords; entries are paired line by line (user1 => password1, user2 => password2).

WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
crackmapexec smb $IP -u samaccount.name -p "SomePass" --no-bruteforce --continue-on-success
crackmapexec smb $IP -u Administrator -p $WL --no-bruteforce --continue-on-success
crackmapexec smb $IP -u users.txt -H hashes.txt --no-bruteforce --continue-on-success

Enumerate shares and access on a network

crackmapexec smb x.x.x.0/24 -u $USER -p $PASS -d $DOMAIN --shares

Search for pattern in folders and filenames (NOT in file content)

crackmapexec smb $IP -u $USER -p $PASS --spider C\$ --pattern passw user admin account network login cred mdp motdepass

Search for pattern in folders, filenames and file content

❗ Be careful, can be long and verbose.

crackmapexec smb $IP -u $USER -p $PASS --spider C\$ --content --pattern passw user admin account network login cred mdp motdepass

Test on Kali

To test this in Kali Linux, start an SMB server using impacket-smbserver.

sudo impacket-smbserver myshare /home/kali/share
crackmapexec smb $KALI_IP -u "" -p "" --spider MYSHARE --pattern rev
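To make the difference between the two spider modes above concrete (name-only matching versus --content), here is an added example that is not part of CrackMapExec: a small local stand-in run over a constructed directory tree instead of an SMB share. Case-insensitive matching and the directory layout are assumptions of this illustration.

```python
# Added example, not CrackMapExec code: a local stand-in for "--spider --pattern"
# with and without "--content", run over a constructed directory tree.
import re
import tempfile
from pathlib import Path

# Same pattern list as the page's --pattern argument.
PATTERNS = ["passw", "user", "admin", "account", "network",
            "login", "cred", "mdp", "motdepass"]


def spider(root: Path, patterns, content: bool = False):
    """Return sorted relative paths whose name (or, with content=True, whose
    name or text content) matches any pattern. Matching is case-insensitive,
    an assumption made for this illustration."""
    rx = re.compile("|".join(re.escape(p) for p in patterns), re.IGNORECASE)
    hits = set()
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if rx.search(path.name):            # folder or file name matches
            hits.add(rel)
        elif content and path.is_file():    # only with --content: look inside
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue                    # unreadable file: skip, keep going
            if rx.search(text):
                hits.add(rel)
    return sorted(hits)


def demo():
    """Build a constructed share layout and run both modes on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "IT" / "Admin_Tools").mkdir(parents=True)
        (root / "IT" / "Admin_Tools" / "notes.txt").write_text("nothing here\n")
        (root / "HR").mkdir()
        (root / "HR" / "onboarding.txt").write_text("Default login: changeme\n")
        (root / "readme.txt").write_text("welcome\n")
        names_only = spider(root, PATTERNS)                  # --pattern only
        with_content = spider(root, PATTERNS, content=True)  # --content --pattern
    return names_only, with_content


if __name__ == "__main__":
    print(demo())
```

The name-only pass finds just the "Admin_Tools" folder; the content pass additionally flags "HR/onboarding.txt", whose name is harmless but whose text contains "login".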

Check if vulnerable to Zerologon

See Zerologon (CVE-2020-1472).

crackmapexec smb $IP -u $USER -p $PASS -d example.com -M zerologon

SSH

crackmapexec ssh $IP

WinRM

Check whether the hashes are valid. The users file lists one username per line and hashes.txt lists the corresponding hash per line in LM:NTLM form, in the same order.

users

Alice
Bob

hashes.txt

LM:NTLM
LM:NTLM

crackmapexec winrm $IP -u users -H hashes.txt

--no-bruteforce: no spraying when a file is used for usernames and passwords; entries are paired line by line (user1 => password1, user2 => password2).

crackmapexec winrm $IP -u users.txt -p passwords.txt --no-bruteforce