Scribd
Upload
329 views

Crackmapexec

Crackmapexec is a tool that allows executing commands and PowerShell scripts on remote hosts using various authentication methods like SMB, WinRM, SSH. It supports options like verbose output, command execution, domain specification, username/password, Kerberos and LAPS authentication. It also provides options for Powershell obfuscation, bypassing AMSI detection and SMB timeouts.

Uploaded by

lczancanella
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
329 views

Crackmapexec

Crackmapexec is a tool that allows executing commands and PowerShell scripts on remote hosts using various authentication methods like SMB, WinRM, SSH. It supports options like verbose output, command execution, domain specification, username/password, Kerberos and LAPS authentication. It also provides options for Powershell obfuscation, bypassing AMSI detection and SMB timeouts.

Uploaded by

lczancanella
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

Crackmapexec

winrm options
Command Execution --verbose -h, --help
options
--no-output enable verbose output show this help message and exit
--local-auth -h, --help
do not retrieve command output --darrell -t THREADS
authenticate locally to each target show this help message and exit
-x COMMAND give Darrell a hand set how many concurrent threads to use (default: 100)
-d DOMAIN -id CRED_ID [CRED_ID ...]
execute the specified command --jitter INTERVAL --timeout TIMEOUT
domain to authenticate to database credential ID(s) to use for authentication
-X PS_COMMAND sets a random delay between each connection (default: max timeout in seconds of each thread (default: None)
--laps [LAPS] -u USERNAME [USERNAME ...] None)
execute the specified PowerShell command
LAPS authentification username(s) or file(s) containing usernames

--ignore-ssl-cert -p PASSWORD [PASSWORD ...]


smb
Ignore Certificate Verification password(s) or file(s) containing passwords
Powershell Obfuscation
--ssl -k, --kerberos options
--obfs
Connect to SSL Enabled WINRM Use Kerberos authentication --laps [LAPS] -h, --help
Obfuscate PowerShell scripts
--port PORT --use-kcache LAPS authentification show this help message and exit
--amsi-bypass FILE
Custom WinRM port Use Kerberos authentication from ccache file --smb-timeout SMB_TIMEOUT -id CRED_ID [CRED_ID ...]
(KRB5CCNAME) File with a custom AMSI bypass
--continue-on-success SMB connection timeout, default 2 secondes database credential ID(s) to use for authentication
--export EXPORT [EXPORT ...] --clear-obfscripts
continues authentication attempts even after successes --continue-on-success -u USERNAME [USERNAME ...]
Export result into a file, probably buggy Clear all cached obfuscated PowerShell scripts
--no-bruteforce continues authentication attempts even after username(s) or file(s) containing usernames
--aesKey AESKEY [AESKEY ...] Command Execution successes
No spray when using file for username and password -p PASSWORD [PASSWORD ...]
(user1 => password1, user2 => password2 AES key to use for Kerberos Authentication (128 or 256 --exec-method {smbexec,mmcexec,wmiexec,atexec} --gen-relay-list OUTPUT_FILE
bits) password(s) or file(s) containing passwords
-H HASH [HASH ...], --hash HASH [HASH ...] method to execute the command. Ignored if in outputs all hosts that don't require SMB signing to the
--kdcHost KDCHOST MSSQL mode (default: wmiexec) specified file -k, --kerberos
NTLM hash(es) or file(s) containing NTLM hashes
FQDN of the domain controller. If omitted it will use the --codec CODEC --smb-server-port SMB_SERVER_PORT Use Kerberos authentication
--connectback-host CHOST domain part (FQDN) specified in the target parameter
Set encoding used (codec) from the target's output specify a server port for SMB --use-kcache
IP for the remote system to connect back to (default: same --gfail-limit LIMIT (default "utf-8"). If errors are detected, run chcp.com Use Kerberos authentication from ccache file
as server-host) --share SHARE
max number of global failed login attempts --force-ps32 (KRB5CCNAME)
--server-port PORT specify a share (default: C$)
--ufail-limit LIMIT force the PowerShell command to run in a 32-bit process --export EXPORT [EXPORT ...]
start the server on the specified port --port {139,445}
max number of failed login attempts per username --no-output Export result into a file, probably buggy
--server-host HOST SMB port (default: 445)
--fail-limit LIMIT do not retrieve command output --aesKey AESKEY [AESKEY ...]
IP to bind the server to (default: 0.0.0.0) --local-auth
max number of failed login attempts per host -x COMMAND AES key to use for Kerberos Authentication (128 or 256
--server {http,https} authenticate locally to each target bits)
-M MODULE, --module MODULE execute the specified command
use the selected server (default: https) -d DOMAIN --kdcHost KDCHOST
module to use -X PS_COMMAND
--options domain to authenticate to FQDN of the domain controller. If omitted it will use the
-o MODULE_OPTION [MODULE_OPTION ...] execute the specified PowerShell command domain part (FQDN) specified in the target parameter
display module options --no-bruteforce
module options Files --gfail-limit LIMIT
No spray when using file for username and password
-L, --list-modules --put-file FILE FILE (user1 => password1, user2 => password2 max number of global failed login attempts
list available modules Put a local file into remote target, ex: whoami.txt \ -H HASH [HASH ...], --hash HASH [HAS --ufail-limit LIMIT
\Windows\\Temp\\whoami.txt
Credential Gathering NTLM hash(es) or file(s) containing NTLM hashes max number of failed login attempts per username
--get-file FILE FILE
--connectback-host CHOST --fail-limit LIMIT
--lsa --sam Get a remote file, ex: \\Windows\\Temp\\whoami.txt
whoami.txt IP for the remote system to connect back to (default: same max number of failed login attempts per host
dump LSA secrets from target systems dump SAM hashes from target systems
as server-host)
-M MODULE, --module MODULE
--server-port PORT
module to use
ldap start the server on the specified port
-o MODULE_OPTION [MODULE_OPTI
--server-host HOST
Retrieve useful information on the domain module options
options
IP to bind the server to (default: 0.0.0.0)
--trusted-for-delegation -L, --list-modules
--local-auth -h, --help
Get the list of users and computers with flag --server {https,http}
list available modules
TRUSTED_FOR_DELEGATION authenticate locally to each target show this help message and exit
use the selected server (default: https)
--options
--password-not-required -d DOMAIN -id CRED_ID [CRED_ID ...]
display module options
Get the list of users with flag PASSWD_NOTREQD domain to authenticate to database credential ID(s) to use for authentication

--admin-count --no-smb -u USERNAME [USERNAME ...] Credential Gathering


Get objets that had the value adminCount=1 No smb connection username(s) or file(s) containing usernames --user USERNTDS --sam
--users --port {636,389} -p PASSWORD [PASSWORD ...] Dump selected user from DC dump SAM hashes from target systems

Enumerate enabled domain users LDAP port (default: 389) password(s) or file(s) containing passwords --enabled --lsa
--groups --continue-on-success -k, --kerberos Only dump enabled targets from DC dump LSA secrets from target systems
Enumerate domain groups continues authentication attempts even after successes Use Kerberos authentication --ntds [{drsuapi,vss}]
--gmsa --no-bruteforce --use-kcache dump the NTDS.dit from target DCs using the specifed
method (default: drsuapi)
Enumerate GMSA passwords No spray when using file for username and password Use Kerberos authentication from ccache file
(user1 => password1, user2 => password2 (KRB5CCNAME)
--get-sid Mapping/Enumeration
-H HASH [HASH ...], --hash HASH [HASH ...] --export EXPORT [EXPORT ...]
Get domain sid --wmi-namespace NAMESPACE --shares
NTLM hash(es) or file(s) containing NTLM hashes Export result into a file, probably buggy
WMI Namespace (default: root\cimv2) enumerate shares and access
--connectback-host CHOST --aesKey AESKEY [AESKEY ...]
--wmi QUERY --sessions
IP for the remote system to connect back to (default: same AES key to use for Kerberos Authentication (128 or 256
as server-host) bits) issues the specified WMI query enumerate active sessions
--server-port PORT --kdcHost KDCHOST --rid-brute [MAX_RID] --disks
start the server on the specified port FQDN of the domain controller. If omitted it will use the enumerate users by bruteforcing RID's (default: 4000) enumerate disks
domain part (FQDN) specified in the target parameter
--server-host HOST --loggedon-users-filter LOGGEDON_USERS_FILTER
--gfail-limit LIMIT
IP to bind the server to (default: 0.0.0.0) --pass-pol only search for specific user, works with regex
max number of global failed login attempts
--server {http,https} dump password policy --loggedon-users
--ufail-limit LIMIT
use the selected server (default: https) --local-groups [GROUP] enumerate logged on users
max number of failed login attempts per username
--options enumerate local groups, if a group is specified then its --users [USER]
--fail-limit LIMIT members are enumerated
display module options enumerate domain users, if a user is specified than only its
max number of failed login attempts per host --computers [COMPUTER] information is queried.
-L, --list-modules
-M MODULE, --module MODULE enumerate computer users --groups [GROUP]
list available modules
module to use enumerate domain groups, if a group is specified than its
members are enumerated
-o MODULE_OPTION [MODULE_OPTION ...]

module options Spidering


Retrevie hash on the remote DC --only-files --spider SHARE
only spider files share to spider
--kerberoasting KERBEROASTING --asreproast ASREPROAST
--depth DEPTH --spider-folder FOLDER
Get TGS ticket ready to crack with hashcat Get AS_REP response ready to crack with hashcat
max spider recursion depth (default: infinity & beyond) folder to spider (default: root share directory)
--regex REGEX [REGEX ...] --content
mssql regex(s) to search for in folders, filenames and file content enable file content searching
Files --pattern PATTERN [PATTERN ...] --exclude-dirs DIR_LIST
options
--put-file FILE FILE pattern(s) to search for in folders, filenames and file directories to exclude from spidering
--continue-on-success -h, --help content
Put a local file into remote target, ex: whoami.txt C:
\Windows\Temp\whoami.txt continues authentication attempts even after successes show this help message and exit

--get-file FILE FILE --no-bruteforce -id CRED_ID [CRED_ID ...]


ssh
Get a remote file, ex: C:\Windows\Temp\whoami.txt No spray when using file for username and password database credential ID(s) to use for authentication
whoami.txt (user1 => password1, user2 => password2 Command Execution
-u USERNAME [USERNAME ...] options
Powershell Obfuscation -q QUERY, --query QUERY --no-output
username(s) or file(s) containing usernames --continue-on-success -h, --help
--obfs execute the specified query against the MSSQL DB do not retrieve command output
-p PASSWORD [PASSWORD ...] continues authentication attempts even after successes show this help message and exit
Obfuscate PowerShell scripts --port PORT -x COMMAND
password(s) or file(s) containing passwords --port PORT -id CRED_ID [CRED_ID ...]
--clear-obfscripts MSSQL port (default: 1433) execute the specified command
-k, --kerberos SSH port (default: 22) database credential ID(s) to use for authentication
Clear all cached obfuscated PowerShell scripts -H HASH [HASH ...], --hash HASH [HASH ...]
Use Kerberos authentication --key-file KEY_FILE -u USERNAME [USERNAME ...]
NTLM hash(es) or file(s) containing NTLM hashes
--use-kcache Authenticate using the specified private key. Treats the username(s) or file(s) containing usernames
--local-auth password parameter as the key's passphrase.
Use Kerberos authentication from ccache file -p PASSWORD [PASSWORD ...]
authenticate locally to each target (KRB5CCNAME) --no-bruteforce
password(s) or file(s) containing passwords
-d DOMAIN --export EXPORT [EXPORT ...] No spray when using file for username and password
(user1 => password1, user2 => password2 -k, --kerberos
domain name Export result into a file, probably buggy
--connectback-host CHOST Use Kerberos authentication
--connectback-host CHOST --aesKey AESKEY [AESKEY ...]
IP for the remote system to connect back to (default: same --use-kcache
IP for the remote system to connect back to (default: same AES key to use for Kerberos Authentication (128 or 256
as server-host) bits) as server-host) Use Kerberos authentication from ccache file
--server-port PORT (KRB5CCNAME)
--server-port PORT --kdcHost KDCHOST
start the server on the specified port --export EXPORT [EXPORT ...]
start the server on the specified port FQDN of the domain controller. If omitted it will use the
domain part (FQDN) specified in the target parameter --server-host HOST Export result into a file, probably buggy
--server-host HOST
--gfail-limit LIMIT IP to bind the server to (default: 0.0.0.0) --aesKey AESKEY [AESKEY ...]
IP to bind the server to (default: 0.0.0.0)
max number of global failed login attempts --server {https,http} AES key to use for Kerberos Authentication (128 or 256
--server {http,https} bits)
--ufail-limit LIMIT use the selected server (default: https)
use the selected server (default: https) --kdcHost KDCHOST
max number of failed login attempts per username --options
--options FQDN of the domain controller. If omitted it will use the
--fail-limit LIMIT display module options domain part (FQDN) specified in the target parameter
display module options
max number of failed login attempts per host -L, --list-modules list available modules --gfail-limit LIMIT
-L, --list-modules
-M MODULE, --module MODULE list available modules max number of global failed login attempts
list available modules
module to use -o MODULE_OPTION [MODULE_OPTION ...] --ufail-limit LIMIT
-o MODULE_OPTION [MODULE_OPTION ...] module options max number of failed login attempts per username
module options -M MODULE, --module MODULE --fail-limit LIMIT

Command Execution module to use max number of failed login attempts per host

-X PS_COMMAND --force-ps32

execute the specified PowerShell command force the PowerShell command to run in a 32-bit process rdp
-x COMMAND --no-output Screenshot
options
execute the specified command do not retrieve command output --screenshot
--local-auth -h, --help
Screenshot RDP if connection success
authenticate locally to each target show this help message and exit
ftp --screentime SCREENTIME
-d DOMAIN -id CRED_ID [CRED_ID ...]
Time to wait for desktop image
options domain to authenticate to database credential ID(s) to use for authentication
--res RES
--nla-screenshot -u USERNAME [USERNAME ...]
-continue-on-success -h, --help
Resolution in "WIDTHxHEIGHT" format. Default: "1024x768"
Screenshot RDP login prompt if NLA is disabled username(s) or file(s) containing usernames
continues authentication attempts even after successes show this help message and exit
--rdp-timeout RDP_TIMEOUT -p PASSWORD [PASSWORD ...]
--port PORT -id CRED_ID [CRED_ID ...]
RDP timeout on socket connection password(s) or file(s) containing passwords
FTP port (default: 21) database credential ID(s) to use for authentication
--port PORT -k, --kerberos
--no-bruteforce -u USERNAME [USERNAME ...]
Custom RDP port Use Kerberos authentication
No spray when using file for username and password username(s) or file(s) containing usernames
(user1 => password1, user2 => password2 --continue-on-success --use-kcache
-p PASSWORD [PASSWORD ...] @hackinarticles
--connectback-host CHOST continues authentication attempts even after successes Use Kerberos authentication from ccache file
password(s) or file(s) containing passwords
(KRB5CCNAME)
IP for the remote system to connect back to (default: same --no-bruteforce
as server-host) -k, --kerberos https://github.com/Ignitetechnologies
--export EXPORT [EXPORT ...]
No spray when using file for username and password
--server-port PORT Use Kerberos authentication
(user1 => password1, user2 => password2 Export result into a file, probably buggy
start the server on the specified port --use-kcache https://in.linkedin.com/company/hackingarticles -H HASH [HASH ...], --hash HASH [HASH ...] --aesKey AESKEY [AESKEY ...]
--server-host HOST Use Kerberos authentication from ccache file (
NTLM hash(es) or file(s) containing NTLM hashes AES key to use for Kerberos Authentication (128 or 256
bits)
IP to bind the server to (default: 0.0.0.0) KRB5CCNAME) --connectback-host CHOST
--kdcHost KDCHOST
--server {https,http} --export EXPORT [EXPORT ...] IP for the remote system to connect back to (default: same
as server-host) FQDN of the domain controller. If omitted it will use the
use the selected server (default: https) Export result into a file, probably buggy
domain part (FQDN) specified in the target parameter
--server-port PORT
--options --aesKey AESKEY [AESKEY ...]
--gfail-limit LIMIT
start the server on the specified port
display module options AES key to use for Kerberos Authentication (128 or 256
max number of global failed login attempts
bits) --server-host HOST
-L, --list-modules
--ufail-limit LIMIT
--kdcHost KDCHOST IP to bind the server to (default: 0.0.0.0)
list available modules
max number of failed login attempts per username
FQDN of the domain controller. If omitted it will use the --server {http,https}
-o MODULE_OPTION [MODULE_OPTION ...] domain part (FQDN) specified in the target parameter --fail-limit LIMIT
use the selected server (default: https)
module options --gfail-limit LIMIT max number of failed login attempts per host
--options
-M MODULE, --module MODULE max number of global failed login attempts -M MODULE, --module MODULE
display module options
module to use --ufail-limit LIMIT module to use
-L, --list-modules
max number of failed login attempts per username -o MODULE_OPTION [MODULE_OPTION ...]
list available modules
--fail-limit LIMIT module options
max number of failed login attempts per host

You might also like