Sources of inspiration for the CrackMapExec project:
@agsolino’s wmiexec.py, wmiquery.py, smbexec.py, samrdump.py, secretsdump.py, atexec.py and lookupsid.py
Smbmap by @ShawnDEvans
CredCrack by @gojhonny
@pentestgeek’s smbexec
Some code in the project is based on the smbspider script by @T-S-A.
In addition, the following scripts from the PowerSploit project are included:
Invoke-Mimikatz.ps1
Invoke-NinjaCopy.ps1
Invoke-ReflectivePEInjection.ps1
Invoke-Shellcode.ps1
Get-GPPPassword.ps1
And the PowerView script from the PowerTools repository.
Description
CrackMapExec is a portable, all-in-one tool for penetration testing in Active Directory domain environments. It can enumerate logged-in users and list SMB shares by crawling the SMB (Server Message Block) network file sharing protocol.
It can also perform PsExec-style remote execution, use PowerShell scripts to automatically inject Mimikatz, shellcode or DLLs into memory, and dump password hashes from NTDS.dit.
Improvements over the tools it was inspired by:
Pure Python script, no external dependencies;
Fully concurrent, multi-threaded;
Uses only native WinAPI calls to discover sessions and users and to dump the Windows hashes stored in SAM;
Usage parameters
[ASCII-art banner spelling CRACKMAPEXEC omitted]

    Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r

    Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)

    Inspired by:
    @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
    @gojhonny's CredCrack https://github.com/gojhonny/CredCrack
    @pentestgeek's smbexec https://github.com/pentestgeek/smbexec

    Version: 2.3
    Codename: 'Pink Bubbles'

positional arguments:
  target                The target IP, range, CIDR identifier, hostname, FQDN or list or file containing a list of targets

optional arguments:
  -h, --help            show this help message and exit   // Print help information
  -v, --version         show program's version number and exit   // Display program version information
  -t THREADS            Set how many concurrent threads to use (defaults to 100)   // Specify the number of threads; the default is 100
  -u USERNAME           Username(s) or file containing usernames   // Specify username
  -p PASSWORD           Password(s) or file containing passwords   // Specify password
  -H HASH               NTLM hash(es) or file containing NTLM hashes
  -C COMBO_FILE         Combo file containing a list of domain\username:password or username:password entries
  -k HEX_KEY            AES key to use for Kerberos Authentication (128 or 256 bits)
  -d DOMAIN             Domain name   // Specify domain
  -n NAMESPACE          WMI Namespace (default: //./root/cimv2)
  -s SHARE              Specify a share (default: C$)   // Specify share
  --kerb                Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters
  --port {139,445}      SMB port (default: 445)   // Specify SMB port; default 445
  --server {http,https} Use the selected server (defaults to http)   // Specify http or https; http is used by default
  --server-port PORT    Start the server on the specified port
  --fail-limit LIMIT    The max number of failed login attempts allowed per host (default: None)
  --gfail-limit LIMIT   The max number of failed login attempts allowed globally (default: None)
  --verbose             Enable verbose output

Credential Gathering:
  Options for gathering credentials

  --sam                 Dump SAM hashes from target systems
  --lsa                 Dump LSA secrets from target systems
  --gpp-passwords       Retrieve plaintext passwords and other information for accounts pushed through Group Policy Preferences
  --ntds {ninja,vss,drsuapi}
                        Dump the NTDS.dit from target DCs using the specified method (drsuapi is the fastest)
  --ntds-history        Dump NTDS.dit password history
  --ntds-pwdLastSet     Shows the pwdLastSet attribute for each NTDS.dit account
  --mimikatz            Run Invoke-Mimikatz (sekurlsa::logonpasswords) on target systems
  --mimikatz-cmd MIMIKATZ_CMD
                        Run Invoke-Mimikatz with the specified command
  --enable-wdigest      Creates the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
  --disable-wdigest     Deletes the 'UseLogonCredential' registry key

Mapping/Enumeration:
  Options for Mapping/Enumerating

  --shares              List shares   // List shares
  --check-uac           Checks UAC status   // Check UAC status
  --sessions            Enumerate active sessions
  --disks               Enumerate disks
  --users               Enumerate users
  --rid-brute [MAX_RID] Enumerate users by bruteforcing RID's (defaults to 4000)
  --pass-pol            Dump password policy
  --lusers              Enumerate logged on users
  --powerview POWERVIEW_CMD
                        Run the specified PowerView command
  --wmi QUERY           Issues the specified WMI query

Spidering:
  Options for spidering shares

  --spider [FOLDER]     Folder to spider (defaults to top level directory)
  --content             Enable file content searching
  --exclude-dirs DIR_LIST
                        Directories to exclude from spidering
  --pattern PATTERN     Pattern to search for in folders, filenames and file content
  --patternfile PATTERNFILE
                        File containing patterns to search for in folders, filenames and file content
  --depth DEPTH         Spider recursion depth (default: 10)

Command Execution:
  Options for executing commands

  --execm {atexec,wmi,smbexec}
                        Method to execute the command (default: wmi)
  --ps-arch {auto,64,32}
                        Process architecture all PowerShell code/commands should run in (default: auto)
  --no-output           Do not retrieve command output
  -x COMMAND            Execute the specified command
  -X PS_COMMAND         Execute the specified powershell command

Shellcode/EXE/DLL/Meterpreter Injection:
  Options for injecting Shellcode/EXE/DLL/Meterpreter in memory using PowerShell

  --inject {met_reverse_http,met_reverse_https,exe,shellcode,dll}
                        Inject Shellcode, EXE, DLL or Meterpreter
  --path PATH           Path to the Shellcode/EXE/DLL you want to inject on the target systems (ignored if injecting Meterpreter)
  --procid PROCID       Process ID to inject the Shellcode/EXE/DLL/Meterpreter into (if omitted, will inject within the running PowerShell process)
  --exeargs EXEARGS     Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)
  --met-options LHOST LPORT
                        Meterpreter options (ignored if not injecting Meterpreter)

Filesystem Interaction:
  Options for interacting with filesystems

  --list [PATH]         List contents of a directory (defaults to top level directory)
  --download SRC DST    Download a file from the remote systems
  --upload SRC DST      Upload a file to the remote systems
  --delete PATH         Delete a remote file

Service Interaction:
  Options for interacting with Windows services

  --service {status,list,create,stop,start,config,change,delete}
  --name NAME           Service name
  --display NAME        Service display name
  --bin-path PATH       Binary path
  --service-type TYPE   Service type
  --start-type TYPE     Service start type
  --start-name NAME     Name of the account under which the service should run
  --start-pass PASS     Password of the account whose name was specified with the --start-name parameter

MSSQL Interaction:
  Options for interacting with MSSQL DB's

  --mssql [QUERY]       Authenticate with the provided credentials against the MSSQL service, optionally execute the specified query
  --mssql-port PORT     MSSQL service port (default: 1433)
  --mssql-instance      Enumerate the MSSQL instances on the target hosts
  --enable-xpcmdshell   Enable xp_cmdshell on target DB's
  --disable-xpcmdshell  Disable xp_cmdshell on target DB's
  --xp-cmd COMMAND      Execute the specified command using xp_cmdshell
* Project address: https://github.com/byt3bl33d3r/CrackMapExec