Crackmapexec Smb Cheat Sheet

Betty Neyhart
Jun 17, 2024, 10:40:33 PM

A Quick and Easy CrackMapExec SMB Cheat Sheet

CrackMapExec (CME) is a versatile and powerful tool for pentesters and red teamers who want to perform various attacks and operations on Windows networks using the Server Message Block (SMB) protocol. SMB is a network file sharing protocol that allows users to access files, printers, and other resources on a remote server. SMB is also used for authentication, authorization, and communication between Windows hosts.

In this article, we will provide a simple and concise cheat sheet for using CME to perform common tasks such as enumeration, credential spraying, command execution, and credential dumping using SMB. We will assume that you have already installed CME on your system and that you have a valid username and password or hash to authenticate to the target network. We will also use the following notation:

    • UserName: The username to authenticate with.
    • PASS: The password or hash to authenticate with.
    • DOMAIN: The domain name of the target network.
    • HOST: The IP address or hostname of a specific target host.

    Enumeration

    Enumeration is the process of gathering information about the target network, such as live hosts, shares, sessions, users, groups, policies, etc. CME provides various options to perform enumeration using SMB. Here are some examples:

    Network Enumeration

    To scan the target network for live hosts and their basic information, such as OS version, name, domain, signing status, and SMB version, use the following command:

    cme smb 10.0.0.0/24

    This will output something like this:

    SMB 10.0.0.1 445 DC01 [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:DOMAIN) (signing:True) (SMBv1:False)
    SMB 10.0.0.2 445 WEB01 [*] Windows Server 2016 Standard 14393 x64 (name:WEB01) (domain:DOMAIN) (signing:True) (SMBv1:False)
    SMB 10.0.0.3 445 SQL01 [*] Windows Server 2016 Standard 14393 x64 (name:SQL01) (domain:DOMAIN) (signing:True) (SMBv1:False)
    SMB 10.0.0.4 445 WIN10 [*] Windows 10 Pro 19041 x64 (name:WIN10) (domain:DOMAIN) (signing:False) (SMBv1:False)

    Share Enumeration

    To enumerate the available shares on the target hosts and check their access permissions, use the following command:

    cme smb 10.0.0.0/24 -u UserName -p 'PASS' --shares

    This will output something like this:

    SMB 10.0.0.1 445 DC01 [+] DOMAIN\UserName:PASS
    SMB 10.0.0.1 445 DC01 [+] Enumerated shares
    SMB 10.0.0.1 445 DC01 Share Permissions Remark
    SMB 10.0.0.1 445 DC01 ----- ----------- ------
    SMB 10.0.0.1 445 DC01 ADMIN$ READ Remote Admin
    SMB 10.0.0.1 445 DC01 C$ READ Default share
    SMB 10.0.0.1 445 DC01 IPC$ READ Remote IPC
    SMB 10.0.0.1 445 DC01 NETLOGON READ Logon server share
    SMB 10.0.0.1 445 DC01 SYSVOL READ Logon server share
    ...SNIP...
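The two output formats above (the host banner from the network scan and the share table from `--shares`) are plain text, so a blue-team or audit workflow usually parses them rather than reading them by eye. The following Python is an added example, not part of the cheat sheet or of CrackMapExec itself: it parses both formats into records and flags the hardening gaps those records expose, namely hosts with SMB signing disabled or SMBv1 enabled, hosts where the scanning account has read access to ADMIN$ or C$ (which normally means it holds local administrator rights there), and writable non-default shares. The sample lines are the ones printed above plus three constructed rows (a no-signing host's C$ with no access, and a writable `wwwroot` share on WEB01) so that every check has something to find; the `DEFAULT_SHARES` set and the regexes are assumptions based on the output shown, not a CME API.

```python
"""Parse CrackMapExec 'smb' output (host banners and --shares rows) and flag
hardening gaps. Added example; regexes are derived from the output shown in
the cheat sheet and are an assumption, not part of CrackMapExec."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Banner: SMB <ip> <port> <host> [*] <os> (name:..) (domain:..) (signing:..) (SMBv1:..)
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)\s*$"
)
# Share row: SMB <ip> <port> <host> <share> [READ|WRITE|READ,WRITE] <remark>
# The permission column is optional: a share the account cannot open has none.
SHARE_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<share>\S+)"
    r"(?:\s+(?P<perms>READ,WRITE|READ|WRITE)(?=\s|$))?\s*(?P<remark>.*?)\s*$"
)
# Shares Windows creates by itself (assumed list); WRITE on anything else is notable.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "print$"}

# Sample input: the cheat sheet's own lines plus three constructed rows (marked).
SAMPLE_OUTPUT = r"""
SMB 10.0.0.1 445 DC01 [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:DOMAIN) (signing:True) (SMBv1:False)
SMB 10.0.0.2 445 WEB01 [*] Windows Server 2016 Standard 14393 x64 (name:WEB01) (domain:DOMAIN) (signing:True) (SMBv1:False)
SMB 10.0.0.4 445 WIN10 [*] Windows 10 Pro 19041 x64 (name:WIN10) (domain:DOMAIN) (signing:False) (SMBv1:False)
SMB 10.0.0.1 445 DC01 [+] DOMAIN\UserName:PASS
SMB 10.0.0.1 445 DC01 [+] Enumerated shares
SMB 10.0.0.1 445 DC01 Share Permissions Remark
SMB 10.0.0.1 445 DC01 ----- ----------- ------
SMB 10.0.0.1 445 DC01 ADMIN$ READ Remote Admin
SMB 10.0.0.1 445 DC01 C$ READ Default share
SMB 10.0.0.1 445 DC01 IPC$ READ Remote IPC
SMB 10.0.0.2 445 WEB01 [+] Enumerated shares
SMB 10.0.0.2 445 WEB01 wwwroot READ,WRITE Web content
SMB 10.0.0.4 445 WIN10 C$ Default share
"""  # last two share rows and the WEB01 status row are constructed


@dataclass
class Host:
    ip: str
    name: str
    domain: str
    os: str
    signing: bool
    smbv1: bool


@dataclass
class Share:
    host: str
    name: str
    perms: str  # "" when the account has no access
    remark: str


def parse_hosts(output: str) -> List[Host]:
    """Extract one Host per '[*]' banner line."""
    hosts = []
    for line in output.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            hosts.append(Host(m["ip"], m["name"], m["domain"], m["os"],
                              m["signing"] == "True", m["smbv1"] == "True"))
    return hosts


def parse_shares(output: str) -> List[Share]:
    """Extract one Share per table row, skipping status lines and the header."""
    shares = []
    for line in output.splitlines():
        m = SHARE_RE.match(line.strip())
        if not m:
            continue
        share = m["share"]
        # "[*]"/"[+]" status lines, the "Share ..." header and its "-----" underline
        if share.startswith(("[", "-")) or share == "Share":
            continue
        shares.append(Share(m["host"], share, m["perms"] or "", m["remark"]))
    return shares


def hosts_without_signing(hosts: List[Host]) -> List[str]:
    """Hosts that do not require SMB signing (relay-hardening gap)."""
    return [h.name for h in hosts if not h.signing]


def hosts_with_smbv1(hosts: List[Host]) -> List[str]:
    """Hosts still offering SMBv1 (should be disabled)."""
    return [h.name for h in hosts if h.smbv1]


def admin_access(shares: List[Share]) -> List[str]:
    """Hosts where the account could read ADMIN$ or C$: normally only local admins can."""
    return sorted({s.host for s in shares if s.name in ("ADMIN$", "C$") and "READ" in s.perms})


def writable_nondefault(shares: List[Share]) -> List[Tuple[str, str]]:
    """(host, share) pairs for writable shares that Windows did not create itself."""
    return [(s.host, s.name) for s in shares
            if "WRITE" in s.perms and s.name not in DEFAULT_SHARES]


if __name__ == "__main__":
    hosts, shares = parse_hosts(SAMPLE_OUTPUT), parse_shares(SAMPLE_OUTPUT)
    print("signing off  :", hosts_without_signing(hosts))
    print("SMBv1 on     :", hosts_with_smbv1(hosts))
    print("admin on     :", admin_access(shares))
    print("writable     :", writable_nondefault(shares))
```

Feeding real output is a matter of `parse_hosts(open("cme.log").read())`; the checks are deliberately separate functions so each finding (signing, SMBv1, admin rights per account, writable shares) can be exported to a ticket or a SIEM on its own.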

    Session Enumeration

    To enumerate the active sessions on the target hosts and get their usernames and source IPs, use the following command:

    cme smb 10