CrackMapExec — Pentesting Active Directory Environments
CrackMapExec is your one-stop shop for pentesting Windows/Active Directory environments!
From enumerating logged-on users and spidering SMB shares to executing psexec-style attacks, auto-injecting Mimikatz/shellcode/DLLs into memory using PowerShell, dumping the NTDS.dit and more!
CrackMapExec v2.3 Released
Pentesting Active Directory Environments:
- Pure Python script, no external tools required
- Fully concurrent threading
- Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc.
- Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc.)
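Because nothing is written to disk, the trail a concurrent run against a target range leaves is mostly authentication noise: one credential logging on to many hosts in seconds, or, with --bruteforce, one source failing against many accounts. The following detector is an added defensive illustration, not code from the CrackMapExec project or this page. It assumes Windows Security events already parsed into dicts with the keys shown, uses the standard event IDs 4624 (successful logon) and 4625 (failed logon) with logon type 3 (network), and its thresholds and sample records are constructed for the example.

```python
"""Added example, not code from CrackMapExec or its README: a small
detector for the authentication trail that a concurrent, range-wide SMB
sweep or a --bruteforce run leaves in Windows Security logs.

Assumptions (not from the page): events arrive pre-parsed as dicts with
the keys used below; thresholds and sample data are constructed.
Event ID 4624 is a successful logon, 4625 a failed logon, and logon
type 3 is a network logon, which is what SMB authentication records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # One account, one source, succeeding on five hosts within seconds:
    # the shape of a single credential run against a target range.
    {"time": "2024-01-10T09:00:01", "id": 4624, "logon_type": 3,
     "src_ip": "10.0.0.50", "host": "WS01", "user": "svc_backup"},
    {"time": "2024-01-10T09:00:02", "id": 4624, "logon_type": 3,
     "src_ip": "10.0.0.50", "host": "WS02", "user": "svc_backup"},
    {"time": "2024-01-10T09:00:02", "id": 4624, "logon_type": 3,
     "src_ip": "10.0.0.50", "host": "WS03", "user": "svc_backup"},
    {"time": "2024-01-10T09:00:03", "id": 4624, "logon_type": 3,
     "src_ip": "10.0.0.50", "host": "WS04", "user": "svc_backup"},
    {"time": "2024-01-10T09:00:04", "id": 4624, "logon_type": 3,
     "src_ip": "10.0.0.50", "host": "WS05", "user": "svc_backup"},
    # One source failing against five accounts on one host: the shape of
    # a wordlist run that keeps going after a hit (--exhaust).
    {"time": "2024-01-10T09:10:00", "id": 4625, "logon_type": 3,
     "src_ip": "10.0.0.77", "host": "FS01", "user": "alice"},
    {"time": "2024-01-10T09:10:01", "id": 4625, "logon_type": 3,
     "src_ip": "10.0.0.77", "host": "FS01", "user": "bob"},
    {"time": "2024-01-10T09:10:01", "id": 4625, "logon_type": 3,
     "src_ip": "10.0.0.77", "host": "FS01", "user": "carol"},
    {"time": "2024-01-10T09:10:02", "id": 4625, "logon_type": 3,
     "src_ip": "10.0.0.77", "host": "FS01", "user": "dave"},
    {"time": "2024-01-10T09:10:03", "id": 4625, "logon_type": 3,
     "src_ip": "10.0.0.77", "host": "FS01", "user": "erin"},
    # Benign noise: an interactive logon and a single failed attempt.
    {"time": "2024-01-10T09:20:00", "id": 4624, "logon_type": 2,
     "src_ip": "10.0.0.5", "host": "WS01", "user": "admin"},
    {"time": "2024-01-10T09:21:00", "id": 4625, "logon_type": 3,
     "src_ip": "10.0.0.5", "host": "FS01", "user": "admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _windowed_fanout(entries, window, min_distinct):
    """entries: list of (datetime, value). Return the sorted distinct values
    seen inside any span of length `window` that starts at one entry, if
    that set reaches min_distinct; otherwise None."""
    entries = sorted(entries)
    for i, (t0, _) in enumerate(entries):
        seen = {v for t, v in entries[i:] if t - t0 <= window}
        if len(seen) >= min_distinct:
            return sorted(seen)
    return None


def find_lateral_sweeps(events, min_hosts=5, window=timedelta(minutes=5)):
    """Map (src_ip, user) -> hosts for sources whose successful network
    logons with one account reached at least min_hosts hosts in `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_key[(e["src_ip"], e["user"])].append((_ts(e), e["host"]))
    hits = {}
    for key, entries in by_key.items():
        hosts = _windowed_fanout(entries, window, min_hosts)
        if hosts:
            hits[key] = hosts
    return hits


def find_password_sprays(events, min_accounts=5, window=timedelta(minutes=5)):
    """Map src_ip -> accounts for sources whose failed network logons hit
    at least min_accounts distinct accounts in `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 3:
            by_src[e["src_ip"]].append((_ts(e), e["user"]))
    hits = {}
    for src, entries in by_src.items():
        accounts = _windowed_fanout(entries, window, min_accounts)
        if accounts:
            hits[src] = accounts
    return hits


if __name__ == "__main__":
    print("sweeps:", find_lateral_sweeps(SAMPLE_EVENTS))
    print("sprays:", find_password_sprays(SAMPLE_EVENTS))
```

The two rules share one sliding-window helper: the sweep rule keys on (source, account) and counts distinct target hosts, the spray rule keys on source and counts distinct accounts. Tune min_hosts, min_accounts and window to the environment; service accounts that legitimately touch many hosts belong on an allow list rather than in a higher threshold.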
Installation on Kali Linux
Run pip install --upgrade -r requirements.txt
A swiss army knife for pentesting Windows/Active Directory environments
Usage
Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r
Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)
Inspired by:
@ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
@gojhonny's CredCrack https://github.com/gojhonny/CredCrack
@pentestgeek's smbexec https://github.com/pentestgeek/smbexec
positional arguments:
target The target range, CIDR identifier or file containing targets
optional arguments:
-h, --help show this help message and exit
-t THREADS Set how many concurrent threads to use
-u USERNAME Username, if omitted null session assumed
-p PASSWORD Password
-H HASH NTLM hash
-n NAMESPACE Namespace name (default //./root/cimv2)
-d DOMAIN Domain name
-s SHARE Specify a share (default: C$)
-P {139,445} SMB port (default: 445)
-v Enable verbose output
Credential Gathering:
Options for gathering credentials
--sam Dump SAM hashes from target systems
--mimikatz Run Invoke-Mimikatz on target systems
--ntds {ninja,vss,drsuapi}
Dump the NTDS.dit from target DCs using the specifed method
(drsuapi is the fastest)
Mapping/Enumeration:
Options for Mapping/Enumerating
--shares List shares
--sessions Enumerate active sessions
--users Enumerate users
--lusers Enumerate logged on users
--wmi QUERY Issues the specified WMI query
Account Bruteforcing:
Options for bruteforcing SMB accounts
--bruteforce USER_FILE PASS_FILE
Your wordlists containing Usernames and Passwords
--exhaust Don't stop on first valid account found
Spidering:
Options for spidering shares
--spider FOLDER Folder to spider (defaults to share root dir)
--pattern PATTERN Pattern to search for in filenames and folders
--patternfile PATTERNFILE
File containing patterns to search for
--depth DEPTH Spider recursion depth (default: 1)
Command Execution:
Options for executing commands
--execm {atexec,wmi,smbexec}
Method to execute the command (default: smbexec)
-x COMMAND Execute the specified command
-X PS_COMMAND Excute the specified powershell command
Shellcode/EXE/DLL injection:
Options for injecting Shellcode/EXE/DLL's using PowerShell
--inject {exe,shellcode,dll}
Inject Shellcode, EXE or a DLL
--path PATH Path to the Shellcode/EXE/DLL you want to inject on the target systems
--procid PROCID Process ID to inject the Shellcode/EXE/DLL into (if omitted, will inject within the running PowerShell process)
--exeargs EXEARGS Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)
Filesystem interaction:
Options for interacting with filesystems
--list PATH List contents of a directory
--download PATH Download a file from the remote systems
--upload SRC DST Upload a file to the remote systems
--delete PATH Delete a remote file
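Of the --ntds methods listed above, drsuapi works by asking a domain controller to replicate directory data, which a domain controller audits as a Security event 4662 carrying the replication control-access rights. The following check is an added defensive illustration, not code from the CrackMapExec project or this page. It assumes 4662 records already parsed into dicts with the keys shown; the DC_ACCOUNTS set and the sample records are constructed, while the two GUIDs are the standard Active Directory values for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```python
"""Added example, not code from CrackMapExec or its README: flag Security
event 4662 records in which an account other than a domain controller
requests directory replication rights, the access path that the drsuapi
NTDS dumping method relies on.

Assumptions (not from the page): events are pre-parsed dicts with the
keys used below; DC_ACCOUNTS and the sample records are constructed.
The two control-access-right GUIDs are the standard Active Directory
values for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
"""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Constructed: computer accounts of the domain controllers. They replicate
# with each other legitimately and are excluded from the finding.
DC_ACCOUNTS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}",
                     re.IGNORECASE)

# Constructed sample records (not real log data). The Properties field of
# a real 4662 lists the requested control-access GUIDs in braces.
SAMPLE_EVENTS = [
    # A domain controller replicating: expected, not reported.
    {"id": 4662, "subject": "DC02$", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account requesting the same rights: reported.
    {"id": 4662, "subject": "jdoe", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same user reading an unrelated object (constructed GUID): ignored.
    {"id": 4662, "subject": "jdoe", "object_type": "user",
     "properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    # A different event ID: ignored.
    {"id": 4624, "subject": "jdoe"},
]


def replication_rights_in(properties):
    """Return the names of the replication rights present in a 4662
    Properties field, in sorted order."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return sorted(REPLICATION_RIGHTS[g] for g in found
                  if g in REPLICATION_RIGHTS)


def find_dcsync_candidates(events, dc_accounts=DC_ACCOUNTS):
    """Return one finding per 4662 event in which a non-DC account was
    granted replication rights; each finding names subject and rights."""
    excluded = {a.upper() for a in dc_accounts}
    findings = []
    for e in events:
        if e.get("id") != 4662:
            continue
        rights = replication_rights_in(e.get("properties", ""))
        if not rights or e["subject"].upper() in excluded:
            continue
        findings.append({"subject": e["subject"], "rights": rights})
    return findings


if __name__ == "__main__":
    for finding in find_dcsync_candidates(SAMPLE_EVENTS):
        print(finding)
```

Auditing of 4662 must be enabled on the domain controllers for this to see anything, and the check is only as good as the exclusion list: keep DC_ACCOUNTS in sync with the real set of domain controllers, and review any other principal that holds replication rights by design (for example a directory synchronisation service account) before treating it as benign.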
There's been an awakening... have you felt it?