PYTHON [ CrackMapExec : is a post-exploitation tool that helps automate assessing the security of large Active Directory networks ] - Intech Network

Ethical hacking & penetration testing & network security assessments

12/06/2018



CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": it abuses built-in Active Directory features and protocols to achieve its functionality, which lets it evade most endpoint protection, IDS and IPS solutions.

CME makes heavy use of the Impacket library (developed by @asolino) and the PowerSploit Toolkit (developed by @mattifestation) for working with network protocols and performing a variety of post-exploitation techniques.

Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.

CrackMapExec is developed by @byt3bl33d3r.


Installation:

* Install Python.

* Download and install Microsoft Visual C++ 9.0 (required) from http://aka.ms/vcpython27

* Open CMD and type: pip install --user crackmapexec


Documentation: https://github.com/byt3bl33d3r/CrackMapExec/wiki/


positional arguments:
  target                The target IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containing a list of targets

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -t THREADS            Set how many concurrent threads to use (default: 100)
  -id CRED_ID [CRED_ID ...]
                        Database credential ID(s) to use for authentication
  -u USERNAME [USERNAME ...]
                        Username(s) or file(s) containing usernames
  -d DOMAIN             Domain name
  --local-auth          Authenticate locally to each target
  -p PASSWORD [PASSWORD ...]
                        Password(s) or file(s) containing passwords
  -H HASH [HASH ...]    NTLM hash(es) or file(s) containing NTLM hashes
  -M MODULE, --module MODULE
                        Payload module to use
  -o MODULE_OPTION [MODULE_OPTION ...]
                        Payload module options
  -L, --list-modules    List available modules
  --show-options        Display module options
  --share SHARE         Specify a share (default: C$)
  --smb-port {139,445}  SMB port (default: 445)
  --mssql-port PORT     MSSQL port (default: 1433)
  --server {http,https}
                        Use the selected server (default: https)
  --server-host HOST    IP to bind the server to (default: 0.0.0.0)
  --server-port PORT    Start the server on the specified port
  --timeout TIMEOUT     Max timeout in seconds of each thread (default: 20)
  --gfail-limit LIMIT   Max number of global failed login attempts
  --ufail-limit LIMIT   Max number of failed login attempts per username
  --fail-limit LIMIT    Max number of failed login attempts per host
  --verbose             Enable verbose output

Credential Gathering:
  Options for gathering credentials

  --sam                 Dump SAM hashes from target systems
  --lsa                 Dump LSA secrets from target systems
  --ntds {vss,drsuapi}  Dump the NTDS.dit from target DCs using the specified method
                        (drsuapi is the fastest)
  --ntds-history        Dump NTDS.dit password history
  --ntds-pwdLastSet     Shows the pwdLastSet attribute for each NTDS.dit account
  --wdigest {enable,disable}
                        Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1

Mapping/Enumeration:
  Options for Mapping/Enumerating

  --shares              Enumerate shares and access
  --uac                 Checks UAC status
  --sessions            Enumerate active sessions
  --disks               Enumerate disks
  --users               Enumerate users
  --rid-brute [MAX_RID]
                        Enumerate users by bruteforcing RID's (default: 4000)
  --pass-pol            Dump password policy
  --lusers              Enumerate logged on users
  --wmi QUERY           Issues the specified WMI query
  --wmi-namespace NAMESPACE
                        WMI Namespace (default: //./root/cimv2)

Spidering:
  Options for spidering shares

  --spider [FOLDER]     Folder to spider (default: root directory)
  --content             Enable file content searching
  --exclude-dirs DIR_LIST
                        Directories to exclude from spidering
  --pattern PATTERN [PATTERN ...]
                        Pattern(s) to search for in folders, filenames and file content
  --regex REGEX [REGEX ...]
                        Regex(s) to search for in folders, filenames and file content
  --depth DEPTH         Spider recursion depth (default: 10)

Command Execution:
  Options for executing commands

  --exec-method {smbexec,wmiexec,atexec}
                        Method to execute the command. Ignored if in MSSQL mode (default: wmiexec)
  --force-ps32          Force the PowerShell command to run in a 32-bit process
  --no-output           Do not retrieve command output
  -x COMMAND            Execute the specified command
  -X PS_COMMAND         Execute the specified PowerShell command

MSSQL Interaction:
  Options for interacting with MSSQL DBs

  --mssql               Switches CME into MSSQL Mode. If credentials are provided will authenticate against all discovered MSSQL DBs
  --mssql-query QUERY   Execute the specified query against the MSSQL DB
  --mssql-auth {windows,normal}
                        MSSQL authentication type to use (default: windows)


