The Network Execution Tool
 
 
 
Go to file
byt3bl33d3r 58edfe18f3 Code cleanup of the execute method in the Connection class in
connection.py

Additionally, since the smbexec execution method seems to be detected by
a number of AV HIPS'es, i've switched the default execution method order
to:
1. wmiexec
2. atexec
3. smbexec

Furthermore, the method argument in the execute function now accepts a
list of exec methods.
2016-06-14 18:58:19 -06:00
cme Code cleanup of the execute method in the Connection class in 2016-06-14 18:58:19 -06:00
.gitignore Added entry in .gitignore 2016-04-08 22:13:01 -06:00
.gitmodules Second round of refactoring for packaging 2016-06-03 23:42:26 -06:00
LICENSE Re-added License to master 2016-03-30 00:45:16 -06:00
MANIFEST.in Second round of refactoring for packaging 2016-06-03 23:42:26 -06:00
README.md Added a VERY SMALL TAG ZOMG 2016-06-08 22:03:48 -06:00
requirements.txt Second round of refactoring for packaging 2016-06-03 23:42:26 -06:00
setup.py Version bump 2016-06-08 21:51:25 -06:00

README.md

Supported Python versions

CrackMapExec

A swiss army knife for pentesting Windows/Active Directory environments

Powered by Impacket

This project was inspired by/based off of:

Unintentional contributors:

This repo also includes the PowerSploit repository as a submodule.

#Description

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!

From enumerating logged on users and spidering SMB shares to executing psexec style attacks, auto-injecting Mimikatz/Shellcode/DLL's into memory using Powershell, dumping the NTDS.dit and more!

The biggest improvements over the above tools are:

  • Pure Python script, no external tools required
  • Fully concurrent threading
  • Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc...
  • Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc...)

Additionally, a database is used to store used/dumped credentals. It also automatically correlates Admin credentials to hosts and vice-versa allowing you to easily keep track of credential sets and gain additional situational awareness in large environments.

#Installation

Use virtualenvwrapper to install CrackMapExec in a python virtualenv

To get the latest stable version:

#~ pip install git+https://github.com/CoreSecurity/impacket
#~ pip install crackmapexec

If you like living on the bleeding-edge:

#~ pip install git+https://github.com/CoreSecurity/impacket
#~ git clone https://github.com/byt3bl33d3r/CrackMapExec
#- cd CrackMapExec && git submodule init && git submodule update --recursive
#~ python setup.py install

Note for Kali/Debian/Ubuntu Users:

If you get compilation errors run apt-get install -y libssl-dev libffi-dev python-dev build-essential and try again.

#Documentation, Tutorials, Examples See the project's wiki for documentation and usage examples

#Quick Demo

Demo of V3.0 coming soon!

#Usage

  ______ .______           ___        ______  __  ___ .___  ___.      ___      .______    _______ ___   ___  _______   ______ 
 /      ||   _  \         /   \      /      ||  |/  / |   \/   |     /   \     |   _  \  |   ____|\  \ /  / |   ____| /      |
|  ,----'|  |_)  |       /  ^  \    |  ,----'|  '  /  |  \  /  |    /  ^  \    |  |_)  | |  |__    \  V  /  |  |__   |  ,----'
|  |     |      /       /  /_\  \   |  |     |    <   |  |\/|  |   /  /_\  \   |   ___/  |   __|    >   <   |   __|  |  |     
|  `----.|  |\  \----. /  _____  \  |  `----.|  .  \  |  |  |  |  /  _____  \  |  |      |  |____  /  .  \  |  |____ |  `----.
 \______|| _| `._____|/__/     \__\  \______||__|\__\ |__|  |__| /__/     \__\ | _|      |_______|/__/ \__\ |_______| \______|

                 Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r

                       Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)

                                                   Inspired by:
                            @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
                            @gojhonny's CredCrack https://github.com/gojhonny/CredCrack
                            @pentestgeek's smbexec https://github.com/pentestgeek/smbexec
                                                     
                                                  Version: 3.1
                                              Codename: 'Duchess'


positional arguments:
  target                The target IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containg a list of targets

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -t THREADS            Set how many concurrent threads to use (defaults to 100)
  -id CRED_ID           Database credential ID to use for authentication
  -u [USERNAME [USERNAME ...]]
                        Username(s) or file(s) containing usernames
  -d DOMAIN             Domain name
  -p [PASSWORD [PASSWORD ...]]
                        Password(s) or file(s) containing passwords
  -H [HASH [HASH ...]]  NTLM hash(es) or file(s) containing NTLM hashes
  -M MODULE, --module MODULE
                        Payload module to use
  -o [MODULE_OPTION [MODULE_OPTION ...]]
                        Payload module options
  -L, --list-modules    List available modules
  --show-options        Display module options
  --share SHARE         Specify a share (default: C$)
  --smb-port {139,445}  SMB port (default: 445)
  --mssql-port PORT     MSSQL port (default: 1433)
  --server {http,https}
                        Use the selected server (default: https)
  --server-host HOST    IP to bind the server to (default: 0.0.0.0)
  --server-port PORT    Start the server on the specified port
  --local-auth          Authenticate locally to each target
  --timeout TIMEOUT     Max timeout in seconds of each thread (default: 20)
  --verbose             Enable verbose output

Credential Gathering:
  Options for gathering credentials

  --sam                 Dump SAM hashes from target systems
  --lsa                 Dump LSA secrets from target systems
  --ntds {vss,drsuapi}  Dump the NTDS.dit from target DCs using the specifed method
                        (drsuapi is the fastest)
  --ntds-history        Dump NTDS.dit password history
  --ntds-pwdLastSet     Shows the pwdLastSet attribute for each NTDS.dit account
  --wdigest {enable,disable}
                        Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1

Mapping/Enumeration:
  Options for Mapping/Enumerating

  --shares              Enumerate shares and access
  --uac                 Checks UAC status
  --sessions            Enumerate active sessions
  --disks               Enumerate disks
  --users               Enumerate users
  --rid-brute [MAX_RID]
                        Enumerate users by bruteforcing RID's (default: 4000)
  --pass-pol            Dump password policy
  --lusers              Enumerate logged on users
  --wmi QUERY           Issues the specified WMI query
  --wmi-namespace NAMESPACE
                        WMI Namespace (default: //./root/cimv2)

Spidering:
  Options for spidering shares

  --spider [FOLDER]     Folder to spider (default: root directory)
  --content             Enable file content searching
  --exclude-dirs DIR_LIST
                        Directories to exclude from spidering
  --pattern [PATTERN [PATTERN ...]]
                        Pattern(s) to search for in folders, filenames and file content
  --regex [REGEX [REGEX ...]]
                        Regex(s) to search for in folders, filenames and file content
  --depth DEPTH         Spider recursion depth (default: 10)

Command Execution:
  Options for executing commands

  --exec-method {atexec,smbexec,wmiexec}
                        Method to execute the command. Ignored if in MSSQL mode (default: wmiexec)
  --force-ps32          Force the PowerShell command to run in a 32-bit process
  --no-output           Do not retrieve command output
  -x COMMAND            Execute the specified command
  -X PS_COMMAND         Execute the specified PowerShell command

MSSQL Interaction:
  Options for interacting with MSSQL DBs

  --mssql               Switches CME into MSSQL Mode. If credentials are provided will authenticate against all discovered MSSQL DBs
  --mssql-query QUERY   Execute the specifed query against the MSSQL DB

I swear I had something for this...

#To do

  • Kerberos support
  • 0wn everything