attack tools #hash PostExploitation

CrackMapExec is a versatile tool that can perform pass-the-hash attacks, execute commands, and more using NTLM hashes. It is designed for post-exploitation scenarios involving NTLM hashes.

Core Capabilities

  • Credential Stuffing: Automatically tests a list of usernames and passwords (or hashes) against every machine on a subnet to see where they work.

  • Password Spraying

  • Protocol Support: While famous for Server Message Block (SMB), it also supports WinRM, WMI, MSSQL, LDAP, SSH, and RDP.

  • Database Integration: It maintains a local database of every host discovered and every set of credentials successfully validated, allowing for easy tracking during a long engagement.

  • Module System: Supports various modules that can be “injected” into the workflow, such as modules to dump the LSA secrets, check for specific vulnerabilities like BlueKeep, or execute Mimikatz.

💻 Common Commands

Since you are tracking CLItool usage, here is how you build a command in CME:

  • crackmapexec smb [Subnet] -u [User] -p [Pass]
    Credential Validation: Checks if a specific set of credentials works across a range of IPs.

  • crackmapexec smb [Subnet] -u [User] -H [Hash]
    Pass-the-Hash: Uses an NTLM hash instead of a password to authenticate.

  • crackmapexec smb [Subnet] --shares
    Share Enumeration: Finds every accessible share across the network for the current user.

  • crackmapexec smb [IP] -u [User] -p [Pass] -M mimikatz
    Module Execution: Runs the Mimikatz module on the target to dump hashes.

  • crackmapexec smb [Subnet] --pass-pol
    Password Policy: Remotely pulls the domain’s password policy (length, complexity, etc.).

CrackMapExec (CME)

📝 Overview

What it is: A post-exploitation tool that helps automate assessing the security of large Active Directory networks. It leverages legitimate protocols to move laterally and enumerate targets.
Target Phase: Enumeration / Lateral Movement / Post-Exploitation
Operating System: Linux (Kali/Parrot)

⚙️ Core Capabilities

  • Mass Authentication: Tests credentials/hashes against entire subnets.
  • Spidering: Can search through shares for specific file patterns (like “config” or “pass”).
  • Database Tracking: Automatically logs valid credentials and found hosts.

⚠️ Notes & Limitations

  • EDR Detection: Because it is very “chatty” and touches many machines at once, modern EDRs often flag CME activity as a “Lateral Movement” or “Brute Force” event.
  • Successor: Note that the original project has transitioned into a new version called NetExec (nxc), which is the currently maintained version you’ll see in newer labs.
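The EDR Detection note above describes the footprint mass authentication leaves. The following is an added example, not part of the original note or of the CME/NetExec project: a defender-side check that finds one source address authenticating against many distinct hosts inside a short window, run over constructed Windows Security logon events. Event IDs 4624 and 4625 are real Windows IDs; every address, host name, account and threshold below is a constructed assumption.

```python
"""Flag the fan-out pattern of mass authentication across a subnet.

Added example, not code from the original note or the CME project. One source
authenticating against many hosts in a short window is the 'chatty' behaviour
EDRs flag as lateral movement or brute force. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (ISO timestamp, source IP, target host, account, event ID)
# 4624 = successful logon, 4625 = failed logon (Windows Security log IDs).
SAMPLE_EVENTS = [
    # Normal admin: two hosts over an hour, no fan-out.
    ("2024-05-01T09:00:00", "10.0.0.10", "FS01", "admin", 4624),
    ("2024-05-01T10:02:00", "10.0.0.10", "DC01", "admin", 4624),
    # Valid credentials replayed against six hosts within seconds.
    *[(f"2024-05-01T11:00:{10 + i:02d}", "10.0.0.50", f"WS0{i}", "svc_backup", 4624)
      for i in range(1, 7)],
    # One guess tried against five hosts, every attempt failing.
    *[(f"2024-05-01T12:00:{i:02d}", "10.0.0.77", f"SRV0{i}", "jdoe", 4625)
      for i in range(1, 6)],
]


def detect_fanout(events, window=timedelta(minutes=5), host_threshold=5):
    """Return one alert per (source, account) that reached at least
    host_threshold distinct hosts inside some sliding window of `window`.
    Mostly-failed windows look like spraying; mostly-successful ones look
    like lateral movement with credentials that already work."""
    by_actor = defaultdict(list)
    for ts, src, host, user, eid in events:
        by_actor[(src, user)].append((datetime.fromisoformat(ts), host, eid))
    alerts = []
    for (src, user), recs in by_actor.items():
        recs.sort()
        start, best = 0, None
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:  # slide window start
                start += 1
            span = recs[start:end + 1]
            hosts = {h for _, h, _ in span}
            if len(hosts) >= host_threshold and (best is None or len(hosts) > len(best[0])):
                best = (hosts, span)  # keep the widest qualifying window
        if best:
            hosts, span = best
            failures = sum(1 for _, _, e in span if e == 4625)
            kind = "spray_like" if failures * 2 > len(span) else "lateral_movement_like"
            alerts.append({"source": src, "user": user, "hosts": len(hosts),
                           "failures": failures, "kind": kind})
    return alerts
```

Tune `window` and `host_threshold` to the environment: backup or monitoring accounts legitimately fan out and should be allow-listed by account rather than by raising the threshold for everyone.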

🏷️ Tags

CrackMapExec CME CLItool ActiveDirectory SMB LateralMovement PenTestPlus