Notes about the command reference:
The following use cases assume you have a Kali Linux host connected to an internal network.
For the examples it is also assumed that hosts are within the 192.168.1.0/24 IP space. If CME isn't giving output of any kind, you probably have something wrong with the command (a typo in the target, protocol or credential flags is the usual cause); re-run with --verbose to see what it is doing.
*Note*: By default CME will exit after a successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found. Useful for spraying a single password against a large user list. Usage example:
If you want to force CME to use only one execution method you can specify which one using the --exec-method flag (wmiexec, smbexec, atexec or mmcexec; without the flag CME tries them in turn until one succeeds).
The command execution method is denoted in the "Executed command via ..." output line.
WMIEXEC example; note the 'Executed command via wmiexec' output line.
This CrackMapExec cheat sheet covers what you need to get started with a tool widely used by penetration testers, red teamers, and security professionals to assess Windows networks.
CrackMapExec is a powerful addition to an internal assessment toolkit. What sets it apart from most other open-source tools is that a single command can enumerate, authenticate to, and run post-exploitation modules against many Active Directory hosts at once.
Penetration testers or red teamers can harness this ability to perform thorough assessments of an organization's security posture, identify vulnerabilities, and recommend improvements that bolster its cyber defense.
It can even let you execute your own Windows Management Instrumentation (WMI) queries to gather information about Active Directory objects, such as organizational units (OUs), policies, and service accounts, while blending in with legitimate network traffic.
CrackMapExec is well known for its password attacks and credential dumping capabilities. The tool can run remote commands on systems to identify high-value accounts (e.g., Administrators) and run password spraying or brute-force attacks against those accounts. Check the domain lockout threshold first (--pass-pol) so that a spray does not lock out every account in the list.
CrackMapExec can target services like SMB, WinRM, and LDAP to gain access to target machines. It can use usernames, passwords, hashes, and Kerberos tickets to authenticate to these services using pass-the-hash and pass-the-ticket attacks.
Post-exploitation is another area where CrackMapExec shines. The tool can establish persistence on compromised hosts, collect detailed information about the network, systems, and installed applications, and even move files between machines.
CrackMapExec has more advanced features. These include the ability to run PowerShell commands and scripts and even obfuscate them. The tool also integrates with other hacking frameworks like Metasploit and C2 frameworks (e.g., PowerShell Empire).
CrackMapExec (CME) is an open-source hacking tool for enumerating, attacking, and performing post-exploitation activities in Windows Active Directory environments. Impacket is a suite of Python libraries and example scripts for Active Directory enumeration and exploitation over various protocols. The two overlap in the protocols and services they target, and CME is in fact built on top of Impacket's protocol implementations. The difference is in scope: CrackMapExec is a standalone tool that automates enumeration and post-exploitation across many hosts, while Impacket is a library (with standalone scripts) that lets you work with the network protocols directly and craft your own tooling.
CrackMapExec can be used to discover and enumerate information on remote machines. A popular reconnaissance technique used by hackers is to enumerate the password policies of target machines. This allows them to identify weak passwords vulnerable to password spraying or brute force attacks. To do this using CrackMapExec, execute the command crackmapexec smb -u -p --pass-pol.
Hi all. I am stuck on the password lab (easy). I found the first account's creds, but when I SSH in it seems there isn't much on it. It seems there must be a second account to brute force and SSH in with. Any hint? I have tried brute forcing for almost 1 hour and nothing. Please, I need help.
Hydra finds the correct password. The username.list contains the username m***. I also checked it with crackmapexec, and I could find the correct credentials in its output, but it considered them incorrect.
I am stuck on question 2 of the Vulnerability Scan Modules section; I have checked for and tried to exploit multiple vulnerabilities, but the only one I have successfully exploited was the Zerologon exploit, which does not allow me to read the C: drive. Can you point me in the right direction?
Thank you for the tip @moayad11. Now I am stuck on acquiring credentials for a user that can list service/computer accounts. I have tried going back and enumerating folders to get some interesting files, brute forcing with many password combinations, and using other escalation paths like a null session for that user.
Despite being a veteran protocol, New Technology LAN Manager (NTLM) remains one of the most common authentication protocols used in Windows environments. Even though Kerberos offers stronger security than NTLM, many systems and functions still depend on NTLM (local accounts, access by IP address rather than by name, legacy applications), making it impractical for most organizations to move away from it entirely.
Unfortunately, there are a number of known attack techniques that exploit the way NTLM operates in order to gain a foothold in a target environment. Additionally, these attacks leverage misconfigurations and related protocols (such as SMB, IPv6, LLMNR, NBT-NS) that are also quite common in internal networks. Moreover, tools to find and exploit such misconfigurations are readily available, meaning that novice attackers can leverage these techniques.
Attacker techniques have evolved, and new NTLM exposures have been identified, resulting in various iterations of the NTLM relay attack. At a basic level, the attacker uses man-in-the-middle techniques to listen in on network traffic, ideally listening for some form of authentication challenge being exchanged between the client and server. Authentication challenges are critical to this form of attack. Throughout the remainder of this post, we examine different forms of the attack, as well as ways to protect your network.
In our example above, the results show SMB signing required on the domain controller, while the other two hosts in the domain have signing disabled (signing:False), which makes them candidate relay targets. The list generated by CME will be used in the attacks that follow.
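As an added example (not part of the original post or of CME itself), the Python script below turns saved CrackMapExec smb output into the plain list of hosts that ntlmrelayx expects with -tf. CME can write that file directly with --gen-relay-list; this version is for the case where all you have is console output. The sample lines are constructed to mimic CME's banner format, and the IPs and host names are made up.

```python
import re

# Constructed sample of `crackmapexec smb 192.168.1.0/24` output (not real scan data).
SAMPLE_CME_OUTPUT = """\
SMB         192.168.1.10    445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.21    445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.22    445    WS02             [*] Windows 10.0 Build 19041 x64 (name:WS02) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.1.30    445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:True) (SMBv1:False)
"""

# One CME banner line: protocol, IP, port, hostname, then the "(key:value)" fields.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+445\s+(?P<host>\S+)\s+\[\*\].*?"
    r"\(domain:(?P<domain>[^)]*)\).*?\(signing:(?P<signing>True|False)\)"
)


def parse_cme_smb(output):
    """Parse CME 'smb' banner lines into dicts; lines that are not banners are ignored."""
    hosts = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            hosts.append({
                "ip": m["ip"],
                "host": m["host"],
                "domain": m["domain"],
                "signing": m["signing"] == "True",  # True = signing required
            })
    return hosts


def relay_targets(output):
    """IPs where SMB signing is not required: the only hosts an SMB->SMB relay can land on."""
    return [h["ip"] for h in parse_cme_smb(output) if not h["signing"]]


def write_target_file(output, path):
    """Write the relay list one host per line, the format ntlmrelayx -tf reads; returns the count."""
    targets = relay_targets(output)
    with open(path, "w") as f:
        f.write("".join(ip + "\n" for ip in targets))
    return len(targets)


if __name__ == "__main__":
    for h in parse_cme_smb(SAMPLE_CME_OUTPUT):
        state = "required" if h["signing"] else "NOT required"
        print(f'{h["ip"]:15} {h["host"]:6} signing {state}')
    print("relay targets:", relay_targets(SAMPLE_CME_OUTPUT))
```

Only hosts with signing not required belong in the file: relaying to a host that enforces signing fails, and each failed attempt still consumes the one authentication you captured.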
1b. To identify if LLMNR or NBT-NS is enabled on the network, we can run Responder to capture LLMNR, NetBIOS, and multicast DNS (mDNS) broadcast traffic. Download Responder, follow the setup guide, and set SMB = Off and HTTP = Off in Responder.conf. This disables Responder's own SMB and HTTP servers: it still sees (and, in poisoning mode, answers) the name-resolution requests, but it will not handle the SMB or HTTP connections that follow, which matters later when ntlmrelayx has to own those ports.
1c. Run Responder.py with the following syntax: sudo python Responder.py -I wlan0 -dwv. Responder poisons LLMNR, NBT-NS and mDNS queries by default; of the flags shown, -w starts the rogue WPAD proxy, -v makes the output verbose, and -d enables additional answers whose meaning differs between Responder versions (check Responder.py -h). Alternatively, Responder can be run with the -A flag to analyze broadcast traffic without responding, which is the safer choice when you only need to confirm the protocols are in use. If LLMNR, NBT-NS, or mDNS is enabled, then we should see broadcast traffic in the console.
We see Responder poisoning LLMNR, NBT-NS, and mDNS traffic. This means that we have verified LLMNR and NBT-NS are enabled on the network, which verifies that we have everything we need to attempt an NTLM relay attack.
1d. After setting up Responder to poison LLMNR and NBT-NS traffic, we wait for a user to trigger a name lookup we can poison (a mistyped share name, a decommissioned server) and authenticate to our host. Below is an example of one of the domain users accessing an SMB server without signing required. For capture alone the signing setting does not matter; it matters for the relay target in the next section.
It is important to note that NetNTLMv1/v2 hashes are not NTLM hashes and cannot be used in pass-the-hash attacks. A NetNTLM "hash" captured by Responder is the client's response to one specific server challenge in the NTLM challenge-response exchange: it can be relayed while that exchange is still in progress, or cracked offline with Hashcat (modes 5500/5600), but it cannot be replayed later because the next challenge will differ. (One exception worth knowing: a NetNTLMv1 response to a fixed challenge, such as the 1122334455667788 value Responder can be configured to send, can be reverted to the NT hash by breaking its DES operations, so NetNTLMv1 captures should be treated as almost as sensitive as the hash itself.) NTLM hashes (NT hashes), on the other hand, CAN be used in pass-the-hash attacks. They are stored in the local SAM database of each Windows host and, for domain accounts, in NTDS.dit on the domain controllers, and can be obtained by dumping those stores with a combination of tools (ntlmrelayx, mitm6, PetitPotam, PrinterBug, Responder, secretsdump.py). In the following sections, these different methods of capturing NTLM hashes will be explored.
This NTLM relay attack is one of the most common methods, which requires the use of ntlmrelayx.py and Responder. This attack is very similar to the previous attack we conducted; however, in this scenario, we are using both Responder and ntlmrelayx.py. Like the previous attack, this method relies on LLMNR or NBT-NS being enabled.
2a. Download Impacket, follow the setup guide and run ntlmrelayx.py using the following syntax: python ntlmrelayx.py -of -tf -smb2support. The -of flag names the file to which captured hashes are written; for the -tf flag, you will need to supply ntlmrelayx with a file that lists the hosts on which SMB signing is not required (the relay list generated by CME earlier). Only the relay targets need signing disabled; the victim whose authentication is relayed does not.
2b. Run Responder.py with the following syntax: sudo python Responder.py -I wlan0 -dwv. ntlmrelayx will be our SMB and HTTP server for this attack, so ensure Responder.py is configured with SMB = Off and HTTP = Off; otherwise both tools compete for ports 445 and 80 and the relay never sees the connections.
In this scenario, we will replicate the same relay we produced previously, but with the addition of SOCKS and proxychains. Because ntlmrelayx holds the relayed sessions open and exposes them through a SOCKS proxy, this method gives us the ability to perform other attacks with different tools, including the other scripts found within Impacket. Another benefit of this approach is that it gives you a better overview of your successful relay attempts. This approach requires the use of ntlmrelayx, proxychains, and secretsdump.py.
3d. Download proxychains and reconfigure proxychains4.conf to point proxychains at the ntlmrelayx SOCKS proxy. In our example, this was achieved by modifying the proxychains4.conf file with the following configuration:
3e. Using proxychains, we used the secretsdump.py script from Impacket to dump the SAM hashes (NTLM hashes) from one of the active SMB relay sessions. Run it with the following syntax: sudo proxychains secretsdump.py -no-pass /@. The -no-pass flag is required because ntlmrelayx answers the authentication from the relayed session, so no password is supplied; the relayed user must be a local administrator on that target for the dump to succeed. This method lets us use any tool we want and ignore any password prompts by riding the relayed credentials. For example, instead of running secretsdump.py, we could use other scripts such as getST.py, addcomputer.py, rpcdump.py, GetUserSPNs.py, GetADUsers.py, etc.