One of the tools that I like to use against Windows-based machines during a pentest or a CTF is CrackMapExec, by Marcello Salvati (aka byt3bl33d3r). I have used this tool on various *nix systems for a couple of years and wanted to share some of the basics that work for me.
In my effort to migrate tools to OSX, I used the installation instructions and installed the latest bleeding-edge 5.1.0dev package into a Virtual Python Environment. As to my Virtual Python Environment, I installed it using Homebrew.
To launch the environment, simply execute pipenv shell.
Once in the virtual environment, execute cme --help to make sure that CrackMapExec is operational.
One of the first enumeration commands I like to execute is cme smb <ip address>. There are other methods to get the same information, but I like to stay in the same tool as long as possible.
Next, I usually will execute cme winrm <ip address> to determine if the target has PSRemoting enabled.
Continuing enumeration, I execute cme smb <ip address> --pass-pol to determine my options for being able to brute force a system. At times, I am not able to obtain the password policy with null access and have to use known good credentials.
Once I know the password policy, I will try to brute force with a user list and/or a password list by executing cme smb <ip address> -d <domain> -u <user list> -p <password list>.
After obtaining valid credentials, I then focus on local system credential spraying by executing cme smb <ip address(es)> -u <username> -p <password> --local-auth, trying to determine if I can obtain access or privileged access to the target(s).
I then repeat the above process, but use domain credentials instead: cme smb <ip address(es)> -d <domain> -u <username> -p <password>.
Once again, I repeat the same process as above, but this time I use a domain hash: cme smb <ip address(es)> -d <domain> -u <username> -H <ntlm hash>.
And again, testing for WinRM access: cme winrm <ip address> -u <username> -p <password>.
One more time, looking for permissions on network shares: cme smb <ip address> -u <username> -p <password> --shares.
After obtaining a Pwn3d! tag, I usually have some type of privileged access on the target(s). Once that occurs, I try to dump the local SAM database by executing cme smb <ip address(es)> -d <domain> -u <username> -H <ntlm hash> --sam.
Repeating the above, I try to dump the LSA Secrets by executing cme smb <ip address(es)> -d <domain> -u <username> -H <ntlm hash> --lsa.
And finally, I rinse and repeat the above processes until I have met my objective or exhausted my resources.
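For the defensive side of the spraying steps above: the reason the password policy matters is that a spray stays under each account's lockout threshold, so per-account failure counting never fires. The following is an added example (not from the article or from CrackMapExec) that groups failed network logons by source instead, using constructed Windows Security log records in a simplified CSV form; the field layout, the window of five minutes and the threshold of three accounts are assumptions.

```python
"""Detect the credential-spray pattern: one source, many accounts, few
failures per account. Sample log lines are constructed, not real telemetry.
Simplified record form: timestamp,event_id,source_ip,account,logon_type
(4625 = failed logon, 4624 = successful logon, logon type 3 = network)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.50 sprays one password across five accounts and
# hits on "erin"; 10.0.0.77 fails twice on a single account (not a spray).
SAMPLE_LOG = """\
2024-01-10T09:00:01,4625,10.0.0.50,alice,3
2024-01-10T09:00:02,4625,10.0.0.50,bob,3
2024-01-10T09:00:03,4625,10.0.0.50,carol,3
2024-01-10T09:00:04,4625,10.0.0.50,dave,3
2024-01-10T09:00:05,4624,10.0.0.50,erin,3
2024-01-10T09:01:00,4625,10.0.0.77,alice,3
2024-01-10T09:05:00,4625,10.0.0.77,alice,3
"""

def parse(log_text):
    """Turn the CSV records into (timestamp, event_id, src, account, type)."""
    events = []
    for line in log_text.splitlines():
        ts, event_id, src, account, logon_type = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), src,
                       account, int(logon_type)))
    return events

def find_sprays(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_ip: (distinct_failed_accounts, accounts_that_succeeded)}
    for every source whose failed network logons touch at least min_accounts
    distinct accounts inside one sliding window. Each account may have failed
    only once, so this is invisible to a per-account lockout counter."""
    by_src = defaultdict(list)
    for ts, eid, src, acct, ltype in events:
        if ltype == 3:                      # network logons only (SMB/WinRM)
            by_src[src].append((ts, eid, acct))
    findings = {}
    for src, recs in by_src.items():
        recs.sort()                         # oldest first for the sliding window
        for i, (start, _, _) in enumerate(recs):
            in_win = [r for r in recs[i:] if r[0] - start <= window]
            failed = {a for _, e, a in in_win if e == 4625}
            if len(failed) >= min_accounts:
                ok = sorted(a for _, e, a in in_win if e == 4624)
                findings[src] = (len(failed), ok)
                break                       # one finding per source is enough
    return findings
```

The successful account listed beside the failures is the one to treat as compromised and rotate first.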
References:
https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation#mac-osx
https://mpgn.gitbook.io/crackmapexec/
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.