One of the tools that I like to use against Windows based machines during a pentest or a CTF is CrackMapExec, by Marcello Salvati (aka byt3bl33d3r). I have used this tool on various *nix systems for a couple of years and wanted to share some of the basics that work for me.

In my effort to migrate tools to OSX, I used the installation instructions and installed the latest bleeding-edge 5.1.0dev package into a Virtual Python Environment. As to my Virtual Python Environment, I installed it using Homebrew.

To launch the environment, simply execute a pipenv shell.

Figure 1: Executed Virtual Environment

Once in the virtual environment, execute cme — help to make sure that CrackMapExec is operational.

Figure 2: Executed CME

One of the first enumeration commands I like to execute is cme smb <ip address>. There are other methods to get the same information, but I like to stay in the same tool as long as possible.

Figure 3: OS Enumeration

Next, I usually will execute cme winrm <ip address> to determine if the target has PSRemoting enabled.

Figure 4: WinRM Enumeration

Continuing enumeration, I execute cme <ip address> — pass-pol to determine my options for being able to brute force a system. At times, I am not able to obtain the password policy with null access and have to use known good credentials.

Figure 5: Password Policy (No Access)
Figure 6: Password Policy (Credentialed)

Once I know the password policy, I will try to brute force with a user list and/or a password list by executing cme smb <ip address> -d <domain> -u <user list> -p <password list>.

Figure 7: Brute Forcing (w/Lists)
Figure 8: No Brute Forcing (Single List)

After obtaining valid credentials, I then focus on local system credential spraying by executing cme smb <ip address(es)> -u <username> -p <password> — local-auth; trying to determine if I can obtain access or privileged access to the target(s).

Figure 9: Local Credential Spraying

I then repeat the above process, but use domain credentials instead; cme smb <ip address(es)> -d <domain> -u <username> -p <password>.

Figure 10: Domain Credential Spraying

Once again, I repeat the same process as above, but this time I use a domain hash; cme smb <ip address(es)> -d <domain> -u <username> -H <ntlm hash>.

Figure 11: Domain Hash Spraying

And again, testing for WinRM access; cme winrm <ip address> -u <username> -p <password>.

Figure 12: WinRM Administrator Access (pwn3d)

One more time looking for permissions for network shares; cme smb <ip address> -u <username> -p <password> — shares.

Figure 13: Enumerating Shares

After obtaining a Pwn3d! tag, I usually have some type of privileged access on the target(s). Once that occurs, I try to dump the local SAM database by executing cme smb <ip address(es)> -d <domain> -u <username> -H <ntlm hash> — sam.

Figure 14: Dumping SAM Database

Repeating the above, I try to dump the LSA Secrets by executing cme smb <ip address(es)> -d <domain> -u <username> -H <ntlm hash> — lsa.

Figure 15: Dumping LSA Secrets

And finally, I rinse and repeat the above processes until I have met my objective or exhausted my resources.



This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.

Information within this article is “as is”, without warranty of any sort.

Cyber Security Enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store