Scribd Logo
Upload

Welcome to Scribd!

  • 196 views

    Crackmapexec

    Uploaded by

    lczancanella
    Crackmapexec is a tool that allows executing commands and PowerShell scripts on remote hosts using various authentication methods like SMB, WinRM, SSH. It supports options like verbose output, command execution, domain specification, username/password, Kerberos and LAPS authentication. It also provides options for Powershell obfuscation, bypassing AMSI detection and SMB timeouts.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Crackmapexec

    Uploaded by

    lczancanella
    196 views1 page
    Crackmapexec is a tool that allows executing commands and PowerShell scripts on remote hosts using various authentication methods like SMB, WinRM, SSH. It supports options like verbose output, command execution, domain specification, username/password, Kerberos and LAPS authentication. It also provides options for Powershell obfuscation, bypassing AMSI detection and SMB timeouts.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Crackmapexec is a tool that allows executing commands and PowerShell scripts on remote hosts using various authentication methods like SMB, WinRM, SSH. It supports options like verbose output, command execution, domain specification, username/password, Kerberos and LAPS authentication. It also provides options for Powershell obfuscation, bypassing AMSI detection and SMB timeouts.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    196 views1 page

    Crackmapexec

    Uploaded by

    lczancanella
    Crackmapexec is a tool that allows executing commands and PowerShell scripts on remote hosts using various authentication methods like SMB, WinRM, SSH. It supports options like verbose output, command execution, domain specification, username/password, Kerberos and LAPS authentication. It also provides options for Powershell obfuscation, bypassing AMSI detection and SMB timeouts.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 1

    Crackmapexec

    winrm options
    Command Execution --verbose -h, --help
    options
    --no-output enable verbose output show this help message and exit
    --local-auth -h, --help
    do not retrieve command output --darrell -t THREADS
    authenticate locally to each target show this help message and exit
    -x COMMAND give Darrell a hand set how many concurrent threads to use (default: 100)
    -d DOMAIN -id CRED_ID [CRED_ID ...]
    execute the specified command --jitter INTERVAL --timeout TIMEOUT
    domain to authenticate to database credential ID(s) to use for authentication
    -X PS_COMMAND sets a random delay between each connection (default: max timeout in seconds of each thread (default: None)
    --laps [LAPS] -u USERNAME [USERNAME ...] None)
    execute the specified PowerShell command
    LAPS authentification username(s) or file(s) containing usernames

    --ignore-ssl-cert -p PASSWORD [PASSWORD ...]


    smb
    Ignore Certificate Verification password(s) or file(s) containing passwords
    Powershell Obfuscation
    --ssl -k, --kerberos options
    --obfs
    Connect to SSL Enabled WINRM Use Kerberos authentication --laps [LAPS] -h, --help
    Obfuscate PowerShell scripts
    --port PORT --use-kcache LAPS authentification show this help message and exit
    --amsi-bypass FILE
    Custom WinRM port Use Kerberos authentication from ccache file --smb-timeout SMB_TIMEOUT -id CRED_ID [CRED_ID ...]
    (KRB5CCNAME) File with a custom AMSI bypass
    --continue-on-success SMB connection timeout, default 2 secondes database credential ID(s) to use for authentication
    --export EXPORT [EXPORT ...] --clear-obfscripts
    continues authentication attempts even after successes --continue-on-success -u USERNAME [USERNAME ...]
    Export result into a file, probably buggy Clear all cached obfuscated PowerShell scripts
    --no-bruteforce continues authentication attempts even after username(s) or file(s) containing usernames
    --aesKey AESKEY [AESKEY ...] Command Execution successes
    No spray when using file for username and password -p PASSWORD [PASSWORD ...]
    (user1 => password1, user2 => password2 AES key to use for Kerberos Authentication (128 or 256 --exec-method {smbexec,mmcexec,wmiexec,atexec} --gen-relay-list OUTPUT_FILE
    bits) password(s) or file(s) containing passwords
    -H HASH [HASH ...], --hash HASH [HASH ...] method to execute the command. Ignored if in outputs all hosts that don't require SMB signing to the
    --kdcHost KDCHOST MSSQL mode (default: wmiexec) specified file -k, --kerberos
    NTLM hash(es) or file(s) containing NTLM hashes
    FQDN of the domain controller. If omitted it will use the --codec CODEC --smb-server-port SMB_SERVER_PORT Use Kerberos authentication
    --connectback-host CHOST domain part (FQDN) specified in the target parameter
    Set encoding used (codec) from the target's output specify a server port for SMB --use-kcache
    IP for the remote system to connect back to (default: same --gfail-limit LIMIT (default "utf-8"). If errors are detected, run chcp.com Use Kerberos authentication from ccache file
    as server-host) --share SHARE
    max number of global failed login attempts --force-ps32 (KRB5CCNAME)
    --server-port PORT specify a share (default: C$)
    --ufail-limit LIMIT force the PowerShell command to run in a 32-bit process --export EXPORT [EXPORT ...]
    start the server on the specified port --port {139,445}
    max number of failed login attempts per username --no-output Export result into a file, probably buggy
    --server-host HOST SMB port (default: 445)
    --fail-limit LIMIT do not retrieve command output --aesKey AESKEY [AESKEY ...]
    IP to bind the server to (default: 0.0.0.0) --local-auth
    max number of failed login attempts per host -x COMMAND AES key to use for Kerberos Authentication (128 or 256
    --server {http,https} authenticate locally to each target bits)
    -M MODULE, --module MODULE execute the specified command
    use the selected server (default: https) -d DOMAIN --kdcHost KDCHOST
    module to use -X PS_COMMAND
    --options domain to authenticate to FQDN of the domain controller. If omitted it will use the
    -o MODULE_OPTION [MODULE_OPTION ...] execute the specified PowerShell command domain part (FQDN) specified in the target parameter
    display module options --no-bruteforce
    module options Files --gfail-limit LIMIT
    No spray when using file for username and password
    -L, --list-modules --put-file FILE FILE (user1 => password1, user2 => password2 max number of global failed login attempts
    list available modules Put a local file into remote target, ex: whoami.txt \ -H HASH [HASH ...], --hash HASH [HAS --ufail-limit LIMIT
    \Windows\\Temp\\whoami.txt
    Credential Gathering NTLM hash(es) or file(s) containing NTLM hashes max number of failed login attempts per username
    --get-file FILE FILE
    --connectback-host CHOST --fail-limit LIMIT
    --lsa --sam Get a remote file, ex: \\Windows\\Temp\\whoami.txt
    whoami.txt IP for the remote system to connect back to (default: same max number of failed login attempts per host
    dump LSA secrets from target systems dump SAM hashes from target systems
    as server-host)
    -M MODULE, --module MODULE
    --server-port PORT
    module to use
    ldap start the server on the specified port
    -o MODULE_OPTION [MODULE_OPTI
    --server-host HOST
    Retrieve useful information on the domain module options
    options
    IP to bind the server to (default: 0.0.0.0)
    --trusted-for-delegation -L, --list-modules
    --local-auth -h, --help
    Get the list of users and computers with flag --server {https,http}
    list available modules
    TRUSTED_FOR_DELEGATION authenticate locally to each target show this help message and exit
    use the selected server (default: https)
    --options
    --password-not-required -d DOMAIN -id CRED_ID [CRED_ID ...]
    display module options
    Get the list of users with flag PASSWD_NOTREQD domain to authenticate to database credential ID(s) to use for authentication

    --admin-count --no-smb -u USERNAME [USERNAME ...] Credential Gathering


    Get objets that had the value adminCount=1 No smb connection username(s) or file(s) containing usernames --user USERNTDS --sam
    --users --port {636,389} -p PASSWORD [PASSWORD ...] Dump selected user from DC dump SAM hashes from target systems

    Enumerate enabled domain users LDAP port (default: 389) password(s) or file(s) containing passwords --enabled --lsa
    --groups --continue-on-success -k, --kerberos Only dump enabled targets from DC dump LSA secrets from target systems
    Enumerate domain groups continues authentication attempts even after successes Use Kerberos authentication --ntds [{drsuapi,vss}]
    --gmsa --no-bruteforce --use-kcache dump the NTDS.dit from target DCs using the specifed
    method (default: drsuapi)
    Enumerate GMSA passwords No spray when using file for username and password Use Kerberos authentication from ccache file
    (user1 => password1, user2 => password2 (KRB5CCNAME)
    --get-sid Mapping/Enumeration
    -H HASH [HASH ...], --hash HASH [HASH ...] --export EXPORT [EXPORT ...]
    Get domain sid --wmi-namespace NAMESPACE --shares
    NTLM hash(es) or file(s) containing NTLM hashes Export result into a file, probably buggy
    WMI Namespace (default: root\cimv2) enumerate shares and access
    --connectback-host CHOST --aesKey AESKEY [AESKEY ...]
    --wmi QUERY --sessions
    IP for the remote system to connect back to (default: same AES key to use for Kerberos Authentication (128 or 256
    as server-host) bits) issues the specified WMI query enumerate active sessions
    --server-port PORT --kdcHost KDCHOST --rid-brute [MAX_RID] --disks
    start the server on the specified port FQDN of the domain controller. If omitted it will use the enumerate users by bruteforcing RID's (default: 4000) enumerate disks
    domain part (FQDN) specified in the target parameter
    --server-host HOST --loggedon-users-filter LOGGEDON_USERS_FILTER
    --gfail-limit LIMIT
    IP to bind the server to (default: 0.0.0.0) --pass-pol only search for specific user, works with regex
    max number of global failed login attempts
    --server {http,https} dump password policy --loggedon-users
    --ufail-limit LIMIT
    use the selected server (default: https) --local-groups [GROUP] enumerate logged on users
    max number of failed login attempts per username
    --options enumerate local groups, if a group is specified then its --users [USER]
    --fail-limit LIMIT members are enumerated
    display module options enumerate domain users, if a user is specified than only its
    max number of failed login attempts per host --computers [COMPUTER] information is queried.
    -L, --list-modules
    -M MODULE, --module MODULE enumerate computer users --groups [GROUP]
    list available modules
    module to use enumerate domain groups, if a group is specified than its
    members are enumerated
    -o MODULE_OPTION [MODULE_OPTION ...]

    module options Spidering


    Retrevie hash on the remote DC --only-files --spider SHARE
    only spider files share to spider
    --kerberoasting KERBEROASTING --asreproast ASREPROAST
    --depth DEPTH --spider-folder FOLDER
    Get TGS ticket ready to crack with hashcat Get AS_REP response ready to crack with hashcat
    max spider recursion depth (default: infinity & beyond) folder to spider (default: root share directory)
    --regex REGEX [REGEX ...] --content
    mssql regex(s) to search for in folders, filenames and file content enable file content searching
    Files --pattern PATTERN [PATTERN ...] --exclude-dirs DIR_LIST
    options
    --put-file FILE FILE pattern(s) to search for in folders, filenames and file directories to exclude from spidering
    --continue-on-success -h, --help content
    Put a local file into remote target, ex: whoami.txt C:
    \Windows\Temp\whoami.txt continues authentication attempts even after successes show this help message and exit

    --get-file FILE FILE --no-bruteforce -id CRED_ID [CRED_ID ...]


    ssh
    Get a remote file, ex: C:\Windows\Temp\whoami.txt No spray when using file for username and password database credential ID(s) to use for authentication
    whoami.txt (user1 => password1, user2 => password2 Command Execution
    -u USERNAME [USERNAME ...] options
    Powershell Obfuscation -q QUERY, --query QUERY --no-output
    username(s) or file(s) containing usernames --continue-on-success -h, --help
    --obfs execute the specified query against the MSSQL DB do not retrieve command output
    -p PASSWORD [PASSWORD ...] continues authentication attempts even after successes show this help message and exit
    Obfuscate PowerShell scripts --port PORT -x COMMAND
    password(s) or file(s) containing passwords --port PORT -id CRED_ID [CRED_ID ...]
    --clear-obfscripts MSSQL port (default: 1433) execute the specified command
    -k, --kerberos SSH port (default: 22) database credential ID(s) to use for authentication
    Clear all cached obfuscated PowerShell scripts -H HASH [HASH ...], --hash HASH [HASH ...]
    Use Kerberos authentication --key-file KEY_FILE -u USERNAME [USERNAME ...]
    NTLM hash(es) or file(s) containing NTLM hashes
    --use-kcache Authenticate using the specified private key. Treats the username(s) or file(s) containing usernames
    --local-auth password parameter as the key's passphrase.
    Use Kerberos authentication from ccache file -p PASSWORD [PASSWORD ...]
    authenticate locally to each target (KRB5CCNAME) --no-bruteforce
    password(s) or file(s) containing passwords
    -d DOMAIN --export EXPORT [EXPORT ...] No spray when using file for username and password
    (user1 => password1, user2 => password2 -k, --kerberos
    domain name Export result into a file, probably buggy
    --connectback-host CHOST Use Kerberos authentication
    --connectback-host CHOST --aesKey AESKEY [AESKEY ...]
    IP for the remote system to connect back to (default: same --use-kcache
    IP for the remote system to connect back to (default: same AES key to use for Kerberos Authentication (128 or 256
    as server-host) bits) as server-host) Use Kerberos authentication from ccache file
    --server-port PORT (KRB5CCNAME)
    --server-port PORT --kdcHost KDCHOST
    start the server on the specified port --export EXPORT [EXPORT ...]
    start the server on the specified port FQDN of the domain controller. If omitted it will use the
    domain part (FQDN) specified in the target parameter --server-host HOST Export result into a file, probably buggy
    --server-host HOST
    --gfail-limit LIMIT IP to bind the server to (default: 0.0.0.0) --aesKey AESKEY [AESKEY ...]
    IP to bind the server to (default: 0.0.0.0)
    max number of global failed login attempts --server {https,http} AES key to use for Kerberos Authentication (128 or 256
    --server {http,https} bits)
    --ufail-limit LIMIT use the selected server (default: https)
    use the selected server (default: https) --kdcHost KDCHOST
    max number of failed login attempts per username --options
    --options FQDN of the domain controller. If omitted it will use the
    --fail-limit LIMIT display module options domain part (FQDN) specified in the target parameter
    display module options
    max number of failed login attempts per host -L, --list-modules list available modules --gfail-limit LIMIT
    -L, --list-modules
    -M MODULE, --module MODULE list available modules max number of global failed login attempts
    list available modules
    module to use -o MODULE_OPTION [MODULE_OPTION ...] --ufail-limit LIMIT
    -o MODULE_OPTION [MODULE_OPTION ...] module options max number of failed login attempts per username
    module options -M MODULE, --module MODULE --fail-limit LIMIT

    Command Execution module to use max number of failed login attempts per host

    -X PS_COMMAND --force-ps32

    execute the specified PowerShell command force the PowerShell command to run in a 32-bit process rdp
    -x COMMAND --no-output Screenshot
    options
    execute the specified command do not retrieve command output --screenshot
    --local-auth -h, --help
    Screenshot RDP if connection success
    authenticate locally to each target show this help message and exit
    ftp --screentime SCREENTIME
    -d DOMAIN -id CRED_ID [CRED_ID ...]
    Time to wait for desktop image
    options domain to authenticate to database credential ID(s) to use for authentication
    --res RES
    --nla-screenshot -u USERNAME [USERNAME ...]
    -continue-on-success -h, --help
    Resolution in "WIDTHxHEIGHT" format. Default: "1024x768"
    Screenshot RDP login prompt if NLA is disabled username(s) or file(s) containing usernames
    continues authentication attempts even after successes show this help message and exit
    --rdp-timeout RDP_TIMEOUT -p PASSWORD [PASSWORD ...]
    --port PORT -id CRED_ID [CRED_ID ...]
    RDP timeout on socket connection password(s) or file(s) containing passwords
    FTP port (default: 21) database credential ID(s) to use for authentication
    --port PORT -k, --kerberos
    --no-bruteforce -u USERNAME [USERNAME ...]
    Custom RDP port Use Kerberos authentication
    No spray when using file for username and password username(s) or file(s) containing usernames
    (user1 => password1, user2 => password2 --continue-on-success --use-kcache
    -p PASSWORD [PASSWORD ...] @hackinarticles
    --connectback-host CHOST continues authentication attempts even after successes Use Kerberos authentication from ccache file
    password(s) or file(s) containing passwords
    (KRB5CCNAME)
    IP for the remote system to connect back to (default: same --no-bruteforce
    as server-host) -k, --kerberos https://github.com/Ignitetechnologies
    --export EXPORT [EXPORT ...]
    No spray when using file for username and password
    --server-port PORT Use Kerberos authentication
    (user1 => password1, user2 => password2 Export result into a file, probably buggy
    start the server on the specified port --use-kcache https://in.linkedin.com/company/hackingarticles -H HASH [HASH ...], --hash HASH [HASH ...] --aesKey AESKEY [AESKEY ...]
    --server-host HOST Use Kerberos authentication from ccache file (
    NTLM hash(es) or file(s) containing NTLM hashes AES key to use for Kerberos Authentication (128 or 256
    bits)
    IP to bind the server to (default: 0.0.0.0) KRB5CCNAME) --connectback-host CHOST
    --kdcHost KDCHOST
    --server {https,http} --export EXPORT [EXPORT ...] IP for the remote system to connect back to (default: same
    as server-host) FQDN of the domain controller. If omitted it will use the
    use the selected server (default: https) Export result into a file, probably buggy
    domain part (FQDN) specified in the target parameter
    --server-port PORT
    --options --aesKey AESKEY [AESKEY ...]
    --gfail-limit LIMIT
    start the server on the specified port
    display module options AES key to use for Kerberos Authentication (128 or 256
    max number of global failed login attempts
    bits) --server-host HOST
    -L, --list-modules
    --ufail-limit LIMIT
    --kdcHost KDCHOST IP to bind the server to (default: 0.0.0.0)
    list available modules
    max number of failed login attempts per username
    FQDN of the domain controller. If omitted it will use the --server {http,https}
    -o MODULE_OPTION [MODULE_OPTION ...] domain part (FQDN) specified in the target parameter --fail-limit LIMIT
    use the selected server (default: https)
    module options --gfail-limit LIMIT max number of failed login attempts per host
    --options
    -M MODULE, --module MODULE max number of global failed login attempts -M MODULE, --module MODULE
    display module options
    module to use --ufail-limit LIMIT module to use
    -L, --list-modules
    max number of failed login attempts per username -o MODULE_OPTION [MODULE_OPTION ...]
    list available modules
    --fail-limit LIMIT module options
    max number of failed login attempts per host

    You might also like