CrackMapExec : The Basics

by Vince
in Blog

The description states: "CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions."

This is one of those tools that I've used from time to time when another one of my tools wasn't doing what I wanted it to do.  That happened recently and I decided to make a big cheat sheet with a list of commands.  The following is a subset, the basics, and if you're not familiar with this tool, it might be worth exploring.

Again, not to get repetitive, but this tool abuses built-in functions, and without any credentials we can enumerate systems:

If we have credentials, we can spray the credentials across the network and locate systems where we can log in.  The green [+] signs are positive hits.
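The spray described above is also what a defender should expect to see: one source address authenticating to many hosts within seconds, with a mix of successes and failures depending on where the password is valid. The following Python script is an added example for this post, not code from the original post or from the CME project. It works over a constructed, SIEM-normalised one-line log format (not raw Windows event text) in which each target's network logon (event 4624 or 4625, logon type 3) has been centralised; the hosts, IPs, account names and thresholds are assumptions chosen for the example.

```python
"""Spot a CrackMapExec-style credential spray in centralised logon telemetry.

Added example (not code from the original post or the CME project). A spray
opens an SMB session to every host in the target range within seconds, so
each target's Security log records a network logon (event 4624 on success,
4625 on failure, logon type 3) from the same source. The log format below is
a constructed, SIEM-normalised one-line form, not raw Windows event text;
hosts, IPs, accounts and thresholds are assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one box (10.0.9.50) trying a single domain account against
# seven hosts in six seconds, plus an ordinary user (10.0.5.21) whose logons
# are spread over hours.
SAMPLE_LOG = """\
2024-05-01T09:58:12 4624 src=10.0.5.21 host=FS01 user=CORP\\jdoe type=3
2024-05-01T10:00:01 4625 src=10.0.9.50 host=WS01 user=CORP\\svc_backup type=3
2024-05-01T10:00:02 4625 src=10.0.9.50 host=WS02 user=CORP\\svc_backup type=3
2024-05-01T10:00:03 4624 src=10.0.9.50 host=WS03 user=CORP\\svc_backup type=3
2024-05-01T10:00:03 4625 src=10.0.9.50 host=WS04 user=CORP\\svc_backup type=3
2024-05-01T10:00:04 4624 src=10.0.9.50 host=DC01 user=CORP\\svc_backup type=3
2024-05-01T10:00:05 4625 src=10.0.9.50 host=WS05 user=CORP\\svc_backup type=3
2024-05-01T10:00:06 4624 src=10.0.9.50 host=FS01 user=CORP\\svc_backup type=3
2024-05-01T10:41:30 4624 src=10.0.5.21 host=WS02 user=CORP\\jdoe type=3
2024-05-01T11:15:00 4624 src=10.0.5.21 host=DC01 user=CORP\\jdoe type=2
"""

LOG_RE = re.compile(r"^(\S+) (\d+) src=(\S+) host=(\S+) user=(\S+) type=(\d+)$")


def parse_log(text):
    """Turn the normalised lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, src, host, user, logon_type = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "src": src,
            "host": host,
            "user": user,
            "logon_type": int(logon_type),
        })
    return events


def detect_spray(events, min_hosts=5, window=timedelta(minutes=2)):
    """Return {source_ip: alert} for every source that produced network logons
    (type 3, success or failure) against at least `min_hosts` distinct hosts
    within `window` of one starting event.

    Failures count as much as successes: a spray with one valid password gives
    a mix of 4624 and 4625, and the breadth of targets is the signal.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] in (4624, 4625) and e["logon_type"] == 3:
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Burst = this event plus everything within `window` after it.
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in burst}
            if len(hosts) >= min_hosts:
                alerts[src] = {
                    "start": first["ts"],
                    "hosts": sorted(hosts),
                    "users": sorted({e["user"] for e in burst}),
                    # Hosts where the password worked: the ones to triage first
                    # for follow-on share enumeration or credential dumping.
                    "successes": sorted({e["host"] for e in burst
                                         if e["event_id"] == 4624}),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, alert in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(alert['hosts'])} hosts in one burst from "
              f"{alert['start']:%H:%M:%S}; successes on {', '.join(alert['successes'])}")
```

The threshold of five hosts in two minutes is deliberately loose so that a scan of a /23 stands out while an administrator touching a couple of servers does not; tune `min_hosts` and `window` to the environment, and treat the `successes` list as the set of hosts to examine first.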

Once we locate the domain controller, we can get the password policy to help us avoid lockouts and gather more information about the environment. 

With credentials, we can enumerate shares.  If we switch the IP address from a single IP to the subnet, say /23, we can spray the entire network in search of shares.

Hunting for users:

And finally with administrative credentials, we can pull hashes:

These are just some basics and it's definitely worth exploring.  I would add a couple of final thoughts regarding some of the syntax.  In some cases (all cases?), it assumes the credentials are from the domain.  We can force this to a local user with the --local-auth flag.  The -x flag will allow us to execute commands, assuming we have the proper privileges.  For example, -x 'quser' will show us the currently logged-in user.  The -m flag allows us to execute modules.  For example, -m modules/credentials/mimikatz.py

I haven't tried the last bit only because Mimikatz typically gets picked up by endpoint protection and I just assume the execution against a machine will get detected.  I will give that a shot in the lab to see if my suspicions are true.