This CrackMapExec cheat sheet includes everything you need to get started with this powerful tool, used by penetration testers, red teamers, and cyber security professionals to test their systems against cyber attacks.
CrackMapExec is an incredibly powerful tool to add to your arsenal. Its ability to conduct post-exploitation activities against Active Directory environments is unmatched by any other open-source tool.
Penetration testers or red teamers can harness this ability to perform thorough assessments of an organization's security posture, identify vulnerabilities, and recommend improvements that bolster its cyber defense.
It can even let you execute your own Windows Management Instrumentation (WMI) queries to gather information about Active Directory objects, such as organizational units (OUs), policies, and service accounts, while blending in with legitimate network traffic.
CrackMapExec is infamous for its password attacks and credential dumping capabilities. The tool can run remote commands on systems to identify high-value accounts (e.g., Administrators) and run password spraying or brute-force attacks against those accounts.
CrackMapExec can target services like SMB, WinRM, and LDAP to gain access to target machines. It can use usernames, passwords, hashes, and Kerberos tickets to authenticate to these services using pass-the-hash and pass-the-ticket attacks.
Post-exploitation is another area where CrackMapExec shines. The tool can establish persistence on compromised hosts, collect detailed information about the network, systems, and installed applications, and even move files between machines.
CrackMapExec has more advanced features. These include the ability to run PowerShell commands and scripts and even obfuscate them. The tool also integrates with other hacking frameworks like Metasploit and C2 frameworks (e.g., PowerShell Empire).
CrackMapExec (CME) is an open-source hacking tool for enumerating, attacking, and performing post-exploitation activities in Windows Active Directory environments. Impacket is a suite of Python scripts for Active Directory enumeration and exploitation using various protocols. These two tools share similarities in the protocols and services they target. However, CrackMapExec is a standalone tool for automating post-exploitation tasks, and Impacket is a library that works with network protocols to craft your own hacking tools.
CrackMapExec can be used to discover and enumerate information on remote machines. A popular reconnaissance technique used by attackers is to enumerate the password policies of target machines, which shows whether weak passwords are likely and whether password spraying or brute-force attacks are feasible. To do this with CrackMapExec, run crackmapexec smb <target> -u <username> -p <password> --pass-pol.
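The point of enumerating the policy is to judge exposure to spraying and brute force. The following is an added example, not code from the cheat sheet or from CrackMapExec, that rates a policy against a defender's baseline; the field names, baseline thresholds and sample values are assumptions chosen for this example.

```python
# Added example, not part of the cheat sheet: rate a domain password policy for
# exposure to password spraying and brute force. Field names are assumptions
# chosen for this example; map real enumeration output onto them as needed.

# Constructed sample policy (made-up values, not from any real domain).
SAMPLE_POLICY = {
    "min_password_length": 7,
    "password_history_length": 0,
    "complexity_enabled": False,
    "lockout_threshold": 0,        # 0 means accounts never lock out
    "lockout_duration_minutes": 0,
}

# Baseline a defender would typically expect; thresholds are this example's choice.
BASELINE = {
    "min_password_length": 12,
    "password_history_length": 5,
    "lockout_threshold_max": 10,
}


def assess_password_policy(policy):
    """Return a list of (setting, reason) findings; an empty list means no weakness found."""
    findings = []
    lockout = policy.get("lockout_threshold", 0)
    if lockout == 0:
        findings.append(("lockout_threshold",
                         "no lockout: unlimited guesses per account"))
    elif lockout > BASELINE["lockout_threshold_max"]:
        findings.append(("lockout_threshold",
                         f"{lockout} attempts before lockout is generous"))
    if policy.get("min_password_length", 0) < BASELINE["min_password_length"]:
        findings.append(("min_password_length",
                         "short passwords are cheap to brute-force offline"))
    if not policy.get("complexity_enabled", False):
        findings.append(("complexity_enabled",
                         "no complexity: common single words are allowed"))
    if policy.get("password_history_length", 0) < BASELINE["password_history_length"]:
        findings.append(("password_history_length",
                         "little history: users can cycle back to old passwords"))
    return findings


def spraying_exposure(policy):
    """Coarse label: 'high' if accounts never lock out, 'medium' if other findings, else 'low'."""
    findings = assess_password_policy(policy)
    if any(s == "lockout_threshold" and "no lockout" in r for s, r in findings):
        return "high"
    return "medium" if findings else "low"
```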
For this lab we will use a Parrot Security machine, but it could also be a Kali Linux or Debian machine. The advantage of the first two is that they already come with many tools ready for penetration testing and Red Team exercises. In this example we go to the official Parrot page and download the Security edition.
Choose the disk size you want; by default it suggests 20 GB, but depending on the use you will give it and the capacity of your host machine, choose the space you want. You can also choose between a dynamic or fixed disk; in this case I set it as fixed, since that way it can be a bit faster, but both work fine.
Open a terminal and run the command sudo su to switch to the root user. The first time it asks us to assign a password: enter the password you want for the root user and press Enter.
We are going to install crackmapexec. Taking advantage of the fact that we already have pip3 installed, we will do the installation with it: pip3 install crackmapexec installs the dependencies needed to run the tool.
The next tool will be kerbrute, which helps us carry out brute-force attacks against the Kerberos protocol. It can be installed with pip3 or by cloning its repository and running it from there; for this example we will do it with pip3: pip3 install kerbrute
The sed tool also comes installed on our system by default; we will use it to filter one of our files. If it is not installed, it can be installed like this: apt install sed
Continuing with the tool installation, next is usersgenerator, a tool that produces a list of possible usernames when we give it a list of first and last names. We can clone the repository or install it with pip3, pip3 install usersgenerator, which is how we will do it for this lab.
Another tool we will be using a lot for these Active Directory attacks is impacket. In the latest Parrot Security releases it already comes installed with the system, but if not, we can install it by cloning its repository or with the command apt install python3-impacket
We will use John the Ripper, which is used to crack passwords. Like some of the previous tools, it comes installed by default on our Parrot Security system, but if not, we can install it like this: apt install john -y
We are going to download the LDAPDomainDump script, which lets us dump Active Directory information over LDAP. We can install the tool or clone its repository; for this example we will clone it, so we copy the repository link.
Once copied, on our machine for this example we go to /opt/ and clone the repository there with the git clone command followed by the repository link. Once cloned, we enter the directory it creates, called ldapdomaindump, where we can see the ldapdomaindump.py script, and run it with python3 to check that it responds correctly.
Or, for this lab, we download only the script we need, Invoke-PowerShellTcp.ps1, with the wget tool, which lets us fetch the content of a web page, in this case the nishang script, to obtain a reverse shell. If the tool is not available, it can be installed like this:
We are going to install a tool called responder, which can poison the network to capture hashes or other information passing through it. To install it we can clone its GitHub repository or install it directly on our system with apt install responder, although it already comes installed by default on Parrot Security.
Finally, we download the wordlists we will use in this exercise. The first is KaonashiWPA100M from kaonashi; as the name says, this wordlist contains 100 million passwords. We go to kaonashi's GitHub
and as the second wordlist we will use rockyou.txt, which usually already comes with our Parrot operating system, but if not, it can be downloaded from this rockyou.txt link, which is a direct download.
The information on .NET and how it is used for exploitation is really well written. The important parts are that a .NET language can be used and provides access to key Windows services such as Win32 API calls. These can make direct system calls and assist in evading anti-virus solutions, as they are a legitimate part of the underlying Windows workings.
Building your own tools is amazingly useful, even if that is just renaming Mimikatz to macrodogz. Sometimes small changes like that, together with removing Twitter handles, author names and descriptions, can be enough to evade AV at a basic level.
The results show that 258 hosts are up. A /24 has 256 hosts available, which is very close to our total. Looking at the results, all hosts are shown as up within the 192.168.100.0/24 range, which would indicate a firewall interfering with the scan. However, in the other range, there are only 2 hosts up:
This means we need to add the domain name to our /etc/hosts file for the webpage to load properly, so we can use the domain name rather than the IP and our machine knows where to look for it.
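The "every address is up" pattern above is worth checking mechanically rather than by eye. As an added example (not output or code from the original writeup), this parses nmap -sn style lines, counts live hosts per /24 and flags ranges where nearly every address answers; the sweep lines are constructed to mirror the 256 + 2 situation described, and the 90% threshold is this example's assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the per-host header line that nmap prints for each reported host.
HOST_RE = re.compile(r"^Nmap scan report for (\d+\.\d+\.\d+\.\d+)$")


def parse_sweep(lines):
    """Return a dict {ip: True} for every host that nmap -sn text output reports as up."""
    up = {}
    current = None
    for line in lines:
        m = HOST_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        if current and line.strip().startswith("Host is up"):
            up[current] = True
            current = None
    return up


def summarize_by_subnet(up_hosts, prefix=24):
    """Count live hosts per enclosing /prefix network, e.g. {'192.168.100.0/24': 256}."""
    counts = defaultdict(int)
    for ip in up_hosts:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def suspicious_ranges(counts, threshold=0.9):
    """Ranges where at least `threshold` of all addresses answered: that is more
    typical of a firewall or proxy answering for the whole range than of real hosts."""
    flagged = {}
    for net, n in counts.items():
        size = ipaddress.ip_network(net).num_addresses
        if n / size >= threshold:
            flagged[net] = n
    return flagged


def build_sample():
    """Constructed sweep output: every address in 192.168.100.0/24 plus two hosts elsewhere."""
    lines = []
    for ip in ipaddress.ip_network("192.168.100.0/24"):
        lines += [f"Nmap scan report for {ip}", "Host is up (0.0010s latency)."]
    for ip in ("10.10.10.1", "10.10.10.50"):
        lines += [f"Nmap scan report for {ip}", "Host is up (0.0020s latency)."]
    return lines
```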
The next step is remote code execution to gain access to the underlying server. To do this, we use the local file inclusion to read the code of the pages and find a vulnerable function that we can inject data into.
Stabilising a shell is important to make sure you can access all features and provide full functionality; the most commonly used method is with Python. There are a couple of steps, but I only ever do the first:
However, I did have a look in our current directory and found a db_connect.php file. This was worth reading as it provides us a username, password and server IP for a database, which might come in handy later on.
Focus now changes to finding out about the environment and the access this container has to other containers and systems on the network. Three different ways to port scan are explained; however, before we get to that, where is this host connected to?
On this occasion, nothing overly helpful here. In a real-life environment you might find different passwords or user passwords, which could then be used to spray around the network or for further exploits.
Time to break out of this container! The info is useful, with standard methods abusing misconfigurations rather than active vulnerabilities. However, we are going for the more complicated exploitation route.
The amount of output is impressive; the tool authors have done an amazing job. There are a lot of areas highlighted in red, and the networking section explains our question from earlier about how we were dropped onto a different range. The Holonet networking is really impressive.
Looking through the data, there are lots of areas that should be noted. These include an outdated sudo version (1.8.31), the fact that Docker is present and the fact that Apache is installed. LinPEAS also brings back the password for the WordPress site, stored in the wp-config.php file.