I love CrackMapExec. Seriously, it’s one of my favorite tools to use for internal Active Directory pentesting. Once you find valid credentials, you can throw them into this tool to pass them around the network and see where else those creds are valid. Let’s say you find a password within a log file, but don’t know what username it’s for? CrackMapExec will tell you. Let’s say you compromise a machine and dump the SAM database and are curious what other machines the hashes might be valid on? CrackMapExec will tell you.
This post is intended to serve as a guide for some additional things that I’ve learned about CrackMapExec and want to remember in the future. This is far from a comprehensive list of what the tool can do, but it will be updated over time.
Mass Execution of Commands
Let’s say you’ve captured elevated credentials for a user that is an admin on multiple machines across the domain. You can use the -c flag to execute commands.
I made a post that used this feature of CME to mass deploy Covenant launchers. You can check that out at Using CrackMapExec to Install Covenant C2 Launchers.
This tool is extremely useful for many use cases, but did you know it can also perform brute force attacks?
Let’s create a user list along with a password list. Then we can just feed it to CME with the following syntax.
crackmapexec smb <target> -u <users.txt> -p <passwords.txt> --continue-on-success
Note: Be careful when doing this, as you will lock out users if there is a password policy in place.
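From the defender’s side, the spray described above shows up in the Windows Security log as a burst of event 4625 (failed logon) entries for many different accounts from a single source. The script below is an added example, not part of the original post; it assumes a simple key=value text export of those events (the sample lines are constructed) and flags any source that fails logons for several distinct accounts inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like a key=value export of Windows
# Security event 4625; these are not real logs from any environment.
SAMPLE_LOGS = """\
2024-05-01T09:58:10 EventID=4625 TargetUserName=carol SourceIP=10.0.0.7 Status=0xC000006D
2024-05-01T09:58:25 EventID=4625 TargetUserName=carol SourceIP=10.0.0.7 Status=0xC000006D
2024-05-01T09:58:40 EventID=4625 TargetUserName=carol SourceIP=10.0.0.7 Status=0xC000006D
2024-05-01T10:00:01 EventID=4625 TargetUserName=alice SourceIP=10.0.0.50 Status=0xC000006D
2024-05-01T10:00:02 EventID=4625 TargetUserName=bob SourceIP=10.0.0.50 Status=0xC000006D
2024-05-01T10:00:03 EventID=4625 TargetUserName=carol SourceIP=10.0.0.50 Status=0xC000006D
2024-05-01T10:00:04 EventID=4625 TargetUserName=dave SourceIP=10.0.0.50 Status=0xC000006D
2024-05-01T10:00:05 EventID=4625 TargetUserName=erin SourceIP=10.0.0.50 Status=0xC000006D
2024-05-01T10:00:06 EventID=4625 TargetUserName=frank SourceIP=10.0.0.50 Status=0xC000006D
"""

# Assumed export format: ISO timestamp, then EventID, TargetUserName, SourceIP fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) SourceIP=(?P<ip>\S+)"
)


def parse(text):
    """Return a list of (timestamp, source_ip, username) for each 4625 line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"]))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Map source_ip -> set of usernames for every source that produced failed
    logons for at least `min_users` distinct accounts within one `window`.
    A single user failing a few times (a typo) does not trigger this."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window over sorted events
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = users
                break
    return hits


if __name__ == "__main__":
    for ip, users in detect_spray(parse(SAMPLE_LOGS)).items():
        print(f"possible password spray from {ip}: {sorted(users)}")
```

In a real environment, tune `window` and `min_users` to the domain’s lockout policy so the alert fires before the lockout threshold is reached.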
Don’t Sleep on WinRM
Once you’ve found valid credentials, CrackMapExec’s SMB function will only display “Pwn3d” if the user is a local administrator. However, there is another function that you can try instead.
crackmapexec winrm <target> -u <user> -p <password>
If this returns Pwn3d, then you can use Evil-WinRM to get a shell.
evil-winrm -i <target> -u <username> -p <password>