CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of “Living off the Land”: it abuses built-in Active Directory features and protocols to achieve its functionality, which allows it to evade most endpoint protection/IDS/IPS solutions.
CME makes heavy use of the Impacket library and the PowerSploit Toolkit for working with network protocols and performing a variety of post-exploitation techniques.
Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.
Usage
```
#~ cme --help
usage: cme [-h] [-v] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose]
           {http,smb,mssql} ...

  ______ .______           ___        ______  __  ___ .___  ___.      ___      .______    _______ ___   ___  _______   ______
 /      ||   _  \         /   \      /      ||  |/  / |   \/   |     /   \     |   _  \  |   ____|\  \ /  / |   ____| /      |
|  ,----'|  |_)  |       /  ^  \    |  ,----'|  '  /  |  \  /  |    /  ^  \    |  |_)  | |  |__    \  V  /  |  |__   |  ,----'
|  |     |      /       /  /_\  \   |  |     |    <   |  |\/|  |   /  /_\  \   |   ___/  |   __|    >   <   |   __|  |  |
|  `----.|  |\  \----. /  _____  \  |  `----.|  .  \  |  |  |  |  /  _____  \  |  |      |  |____  /  .  \  |  |____ |  `----.
 \______|| _| `._____|/__/     \__\  \______||__|\__\ |__|  |__| /__/     \__\ | _|      |_______|/__/ \__\ |_______| \______|

                A swiss army knife for pentesting networks

             Forged by @byt3bl33d3r using the powah of dank memes

                            Version: 4.0.0dev
                            Codename: 'Sercurty'

optional arguments:
  -h, --help         show this help message and exit
  -v, --version      show program's version number and exit
  -t THREADS         set how many concurrent threads to use (default: 100)
  --timeout TIMEOUT  max timeout in seconds of each thread (default: None)
  --jitter INTERVAL  sets a random delay between each connection (default: None)
  --darrell          give Darrell a hand
  --verbose          enable verbose output

protocols:
  available protocols

  {http,smb,mssql}
    http             own stuff using HTTP(S)
    smb              own stuff using SMB and/or Active Directory
    mssql            own stuff using MSSQL and/or Active Directory

Serrrrrrcuuurrrty?
```
Example:
```
crackmapexec <protocol> ms.evilcorp.org
crackmapexec <protocol> 192.168.1.0 192.168.0.2
crackmapexec <protocol> 192.168.1.0/24
crackmapexec <protocol> 192.168.1.0-28 10.0.0.1-67
crackmapexec <protocol> ~/targets.txt
```
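The target notations shown above can cover more hosts than intended, so this added example (not CME's own code) expands each one and lists every address that falls outside the networks an assessment is authorised for. It assumes the short form `A.B.C.D-N` means a range over the last octet; the function names and the sample networks are constructed for illustration.

```python
import ipaddress

def expand_target(spec):
    """Return the IPv4 addresses one target spec covers; hostnames come back as str."""
    spec = spec.strip()
    if "/" in spec:  # CIDR block, e.g. 192.168.1.0/24
        return list(ipaddress.ip_network(spec, strict=False))
    start_s, dash, end_s = spec.partition("-")
    try:
        start = ipaddress.IPv4Address(start_s)
    except ValueError:
        return [spec]  # not an address: treat the whole spec as a hostname
    if not dash:
        return [start]  # single address
    if "." in end_s:  # full end address, e.g. 10.0.0.1-10.0.0.9
        end = ipaddress.IPv4Address(end_s)
    else:  # assumed short form: only the last octet changes
        octet = int(end_s)
        if not 0 <= octet <= 255:
            raise ValueError(f"bad last octet in {spec!r}")
        end = ipaddress.IPv4Address((int(start) & 0xFFFFFF00) | octet)
    if end < start:
        raise ValueError(f"range runs backwards: {spec!r}")
    return [ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1)]

def scope_violations(specs, allowed_cidrs):
    """List every expanded target that is not inside an authorised network."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    bad = []
    for spec in specs:
        for target in expand_target(spec):
            # Hostnames cannot be checked until resolved, so they are flagged too.
            if isinstance(target, str) or not any(target in net for net in allowed):
                bad.append(str(target))
    return bad

# Constructed sample: target specs in the page's notation and a made-up scope.
SPECS = ["192.168.1.0-28", "10.0.0.1-67", "192.168.0.2", "ms.evilcorp.org"]
ALLOWED = ["192.168.1.0/27", "10.0.0.0/26", "192.168.0.0/24"]

if __name__ == "__main__":
    for item in scope_violations(SPECS, ALLOWED):
        print("outside authorised scope or unresolved:", item)
```
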
You can download CrackMapExec here:
Or read more here.