CrackMapExec - The Greatest Tool You've Never Heard Of

So about a month back I started posting what we thought would be "weekly" security tutorials/thoughts/ideas, however the last month has been insane for us at SNT. I finally had time to break away and even more time to think about what I wanted my "comeback post" to be about. I stumbled across this little lightweight tool some time ago and thought this would be the perfect opportunity to explain how I use it in a penetration test how it helps get the goods. 

So first off, credit where credit is due, this tool is an awesome little project by byt3bl33d3r who has some great tools and programs under his belt. I suggest you take a look at his Github page and play around with some of his projects. They are a godsend to penetration testers. https://github.com/byt3bl33d3r

Okay, now that that is out of our system, it's time to dig in with CrackMapExec (CME). Installing the tool could not be simpler. Run the following on your kali linux command line. If this fails, i suggest pulling it from Github and installing it that way. 

apt-get install crackmapexec

If it doesn't install using the above command, I recommend doing an "apt-get update && apt-get upgrade" to make sure you have the latest and greatest packages from OffSec and the Kali squad.

I've found this tool incredibly useful for the following areas. 

Finding Local Admin Rights Across A Network - So, the "old" way I was doing this was using metasploits auxiliary/scanner/smb/smb_login script once I obtained local administrator username/hashes. Although this script has worked wonderfully for as long as I can remember, all it can do is scan where the user might have local administrator rights. CrackMapExec is like MSF's smb_login, but on steroids. 

Running Mimikatz on an entire range - So, once I had local admin rights to numerous machines on the network due to shared local admin accounts, the next challenge I had was finding that elusive logged in domain administrator or stealing the juicy password from memory. There a ton of different ways you finagle this in metsploit or some other framework, however, I always found every way to be somewhat clunky and not incredible reliable. Sure, SMBexec is one tool that can do "similar" things, however, installing that and having it work has become cumbersome lately. SMBexec is not the most lightweight tool in the world and if I'm on a pentest with a new VM or don't have the time (probably more of a patience than time thing) it can ruin your day and pentesting momentum. Sometimes that can be hard to come by. 

Also, like others have said before me, bombing mimikatz on a /24 is the most satisfying thing in the world.  CME can do this - and then some!

The Database

One of the coolest things about this tool is that it logs everything to a database. This is insanely helpful when you stumble across numerous credentials/hashes or have a ton of shell windows open at once and you accidentally close out of that *one* window. It logs everything to a nice database which you can access by typing "cmedb". It's reminiscent of a core impact-esque database that houses these username and password combinations during a penetration test. 

My Usage

During a penetration test, I use numerous tools to map the network in various ways. Some can be using active directory or null sessions, others can be using masscan/nmap to see whats alive, etc. I've found CME to be useful because it can map the network rather quickly and also saves it to a database. To do this, I generally perform the following command.

crackmapexec smb 192.168.1.1/24

*Note: Depending on how you installed CME, you may have to type "cme" or "crackmapexec" to run the tool. YMMV.

The output of the command should looks something like the following.

Host Discovery with CME

Host Discovery with CME

The above results were on my lab network, which I have a HP printer and a windows workstation. 

The next step is to start feeding CME some username and password/hash combinations so that it can work its magic and do the dirty work for us. To do this, you are going to want to use the following commands. 

crackmapexec smb 192.168.1.1/24 -u CoolAdmin -p ARealGoodPassword 
Seeing where "CoolAdmin" can login

Seeing where "CoolAdmin" can login

Sweet. We found that CoolAdmin can log into the device at 192.168.1.188! But it looks like he can just login, and he doesn't have any local admin rights on the machine. What a bummer.

Lucky for us, we happen to have the local administrative username and password for the local admin "Administrator". We will run the command above again, except this time we are going to use the local hash. In this case, I have included both the LM and NTLM values, you can of course skate by with just the NTLM value. The usage for a username and hash combination is shown below.

crackmapexec smb 192.168.1.1/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B

Now, you will know you have local administrative rights to the machine(s) because CME has possibly the greatest way of telling you. Pwn3d!

Get Pwn3d!

Get Pwn3d!

Ideally, from a penetration testing point of view and what makes me excited is running this tool on a network range and seeing hundreds of those little yellow words of decimation.

The next thing you are going to want to do is run mimikatz across that whole range to extract any passwords that may be hanging out in memory. To do this with CME, you run the following command. Note that I'm switching back to -p for a plaintext password, if you have a hash, just substitute it for the -H value as shown above. 

crackmapexec smb 192.168.1.1/24 -u Administrator -p Password1 -M mimikatz

By default, this should run the equivalent to "sekurlsa::logonpasswords" via mimikatz. The results are shown below.

Getting the goods!

Getting the goods!

I suggest you read the CME documentation and look at some of the other amazing things this tool can do and automate penetration testing. Hope you enjoyed this!