CrackMapExec – Active Directory Post-Exploitation Tool

Last updated: July 31, 2017 | 6,043 views

CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.

CrackMapExec - Post-Exploitation Tool

CME makes heavy use of the Impacket library and the PowerSploit Toolkit for working with network protocols and performing a variety of post-exploitation techniques.

Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.

Usage

#~ cme --help
usage: cme [-h] [-v] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL]
           [--darrell] [--verbose]
           {http,smb,mssql} ...

      ______ .______           ___        ______  __  ___ .___  ___.      ___      .______    _______ ___   ___  _______   ______
     /      ||   _  \         /   \      /      ||  |/  / |   \/   |     /   \     |   _  \  |   ____|\  \ /  / |   ____| /      |
    |  ,----'|  |_)  |       /  ^  \    |  ,----'|  '  /  |  \  /  |    /  ^  \    |  |_)  | |  |__    \  V  /  |  |__   |  ,----'
    |  |     |      /       /  /_\  \   |  |     |    <   |  |\/|  |   /  /_\  \   |   ___/  |   __|    >   <   |   __|  |  |
    |  `----.|  |\  \----. /  _____  \  |  `----.|  .  \  |  |  |  |  /  _____  \  |  |      |  |____  /  .  \  |  |____ |  `----.
     \______|| _| `._____|/__/     \__\  \______||__|\__\ |__|  |__| /__/     \__\ | _|      |_______|/__/ \__\ |_______| \______|

                                         A swiss army knife for pentesting networks
                                    Forged by @byt3bl33d3r using the powah of dank memes

                                                      Version: 4.0.0dev
                                                     Codename: 'Sercurty'

optional arguments:
  -h, --help         show this help message and exit
  -v, --version      show program's version number and exit
  -t THREADS         set how many concurrent threads to use (default: 100)
  --timeout TIMEOUT  max timeout in seconds of each thread (default: None)
  --jitter INTERVAL  sets a random delay between each connection (default: None)
  --darrell          give Darrell a hand
  --verbose          enable verbose output

protocols:
  available protocols

  {http,smb,mssql}
    http             own stuff using HTTP(S)
    smb              own stuff using SMB and/or Active Directory
    mssql            own stuff using MSSQL and/or Active Directory

Serrrrrrcuuurrrty?

#~ cme --help

usage: cme [-h] [-v] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL]

[--darrell] [--verbose]

{http,smb,mssql} ...

______ .______ ___ ______ __ ___ .___ ___. ___ .______ _______ ___ ___ _______ ______

/ || _ \ / \ / || |/ / | \/ | / \ | _ \ | ____|\ \ / / | ____| / |

| ,----'| |_) | / ^ \ | ,----'| ' / | \ / | / ^ \ | |_) | | |__ \ V / | |__ | ,----'

| | | / / /_\ \ | | | < | |\/| | / /_\ \ | ___/ | __| > < | __| | |

| `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----.

\______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______|

A swiss army knife for pentesting networks

Forged by @byt3bl33d3r using the powah of dank memes

Version: 4.0.0dev

Codename: 'Sercurty'

optional arguments:

-h, --help show this help message and exit

-v, --version show program's version number and exit

-t THREADS set how many concurrent threads to use (default: 100)

--timeout TIMEOUT max timeout in seconds of each thread (default: None)

--jitter INTERVAL sets a random delay between each connection (default: None)

--darrell give Darrell a hand

--verbose enable verbose output

protocols:

available protocols

{http,smb,mssql}

http own stuff using HTTP(S)

smb own stuff using SMB and/or Active Directory

mssql own stuff using MSSQL and/or Active Directory

Serrrrrrcuuurrrty?

Example:

crackmapexec <protocol> ms.evilcorp.org
crackmapexec <protocol> 192.168.1.0 192.168.0.2
crackmapexec <protocol> 192.168.1.0/24
crackmapexec <protocol> 192.168.1.0-28 10.0.0.1-67
crackmapexec <protocol> ~/targets.txt