A swiss army knife for pentesting Windows/Active Directory environments
Powered by Impacket
This project was inspired by/based off of:
- @agsolino's wmiexec.py, wmiquery.py, smbexec.py, samrdump.py, secretsdump.py, atexec.py and lookupsid.py scripts (beyond awesome)
- @ShawnDEvans's smbmap
- @gojhonny's CredCrack
- @pentestgeek's smbexec
Unintentional contributors:
This repo also includes the PowerSploit repository as a submodule.
#Description
CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!
From enumerating logged on users and spidering SMB shares to executing psexec style attacks, auto-injecting Mimikatz/Shellcode/DLL's into memory using Powershell, dumping the NTDS.dit and more!
The biggest improvements over the above tools are:
- Pure Python script, no external tools required
- Fully concurrent threading
- Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc...
- Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc...)
#Installation
To get the latest stable version: pip install --process-dependency-links crackmapexec
If you like living on the bleeding-edge: pip install --process-dependency-links git+https://github.com/byt3bl33d3r/CrackMapExec
Note for Kali/Debian/Ubuntu Users:
If you get compilation errors run apt-get install -y libssl-dev libffi-dev python-dev build-essential and try again.
#Quick Demo
Demo of V3.0 coming soon!
#Usage
______ .______ ___ ______ __ ___ .___ ___. ___ .______ _______ ___ ___ _______ ______
/ || _ \ / \ / || |/ / | \/ | / \ | _ \ | ____|\ \ / / | ____| / |
| ,----'| |_) | / ^ \ | ,----'| ' / | \ / | / ^ \ | |_) | | |__ \ V / | |__ | ,----'
| | | / / /_\ \ | | | < | |\/| | / /_\ \ | ___/ | __| > < | __| | |
| `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----.
\______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______|
Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r
Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)
Inspired by:
@ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
@gojhonny's CredCrack https://github.com/gojhonny/CredCrack
@pentestgeek's smbexec https://github.com/pentestgeek/smbexec
Version: 3.1
Codename: 'Duchess'
positional arguments:
target The target IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containg a list of targets
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-t THREADS Set how many concurrent threads to use (defaults to 100)
-id CRED_ID Database credential ID to use for authentication
-u [USERNAME [USERNAME ...]]
Username(s) or file(s) containing usernames
-d DOMAIN Domain name
-p [PASSWORD [PASSWORD ...]]
Password(s) or file(s) containing passwords
-H [HASH [HASH ...]] NTLM hash(es) or file(s) containing NTLM hashes
-M MODULE, --module MODULE
Payload module to use
-o [MODULE_OPTION [MODULE_OPTION ...]]
Payload module options
-L, --list-modules List available modules
--show-options Display module options
--share SHARE Specify a share (default: C$)
--smb-port {139,445} SMB port (default: 445)
--mssql-port PORT MSSQL port (default: 1433)
--server {http,https}
Use the selected server (default: https)
--server-host HOST IP to bind the server to (default: 0.0.0.0)
--server-port PORT Start the server on the specified port
--local-auth Authenticate locally to each target
--timeout TIMEOUT Max timeout in seconds of each thread (default: 20)
--verbose Enable verbose output
Credential Gathering:
Options for gathering credentials
--sam Dump SAM hashes from target systems
--lsa Dump LSA secrets from target systems
--ntds {vss,drsuapi} Dump the NTDS.dit from target DCs using the specifed method
(drsuapi is the fastest)
--ntds-history Dump NTDS.dit password history
--ntds-pwdLastSet Shows the pwdLastSet attribute for each NTDS.dit account
--wdigest {enable,disable}
Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
Mapping/Enumeration:
Options for Mapping/Enumerating
--shares Enumerate shares and access
--uac Checks UAC status
--sessions Enumerate active sessions
--disks Enumerate disks
--users Enumerate users
--rid-brute [MAX_RID]
Enumerate users by bruteforcing RID's (default: 4000)
--pass-pol Dump password policy
--lusers Enumerate logged on users
--wmi QUERY Issues the specified WMI query
--wmi-namespace NAMESPACE
WMI Namespace (default: //./root/cimv2)
Spidering:
Options for spidering shares
--spider [FOLDER] Folder to spider (default: root directory)
--content Enable file content searching
--exclude-dirs DIR_LIST
Directories to exclude from spidering
--pattern [PATTERN [PATTERN ...]]
Pattern(s) to search for in folders, filenames and file content
--regex [REGEX [REGEX ...]]
Regex(s) to search for in folders, filenames and file content
--depth DEPTH Spider recursion depth (default: 10)
Command Execution:
Options for executing commands
--exec-method {atexec,smbexec,wmiexec}
Method to execute the command. Ignored if in MSSQL mode (default: wmiexec)
--force-ps32 Force the PowerShell command to run in a 32-bit process
--no-output Do not retrieve command output
-x COMMAND Execute the specified command
-X PS_COMMAND Execute the specified PowerShell command
MSSQL Interaction:
Options for interacting with MSSQL DBs
--mssql Switches CME into MSSQL Mode. If credentials are provided will authenticate against all discovered MSSQL DBs
--mssql-query QUERY Execute the specifed query against the MSSQL DB
I swear I had something for this...
#To do
- Kerberos support
0wn everything