CRACKMAPEXEC v5.4 – A swiss army knife for pentesting networks

CRACKMAPEXEC

CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.

CME makes heavy use of the Impacket library (developed by @asolino) and the PowerSploit Toolkit (developed by @mattifestation) for working with network protocols and performing a variety of post-exploitation techniques.

Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfiguration, and simulate attack scenarios.

CrackMapExec is developed by @byt3bl33d3r

This repository contains the following repositories as submodules:

• Impacket
• Pywinrm
• Pywerview
• PowerSploit
• Invoke-Obfuscation
• Invoke-Vnc
• Mimikittenz
• NetRipper
• RandomPS-Scripts
• SessionGopher
• Mimipenguin

Changelog v5.4

What’s Changed

• Compatibility with lsassy v3.1.3 by @Hackndo in #603
• Added an LDAP checker for Signing AND Channel Binding by @LuemmelSec in #606
• Hash_spider Module by @pgormanDS in #528
• Fix subnets module by @snovvcrash in #609
• Adding shebang and encoding utf-8 for all python files by @wlayzz in #608
• whoami LDAP module by @spyr0-sec in #613
• Fix logging with LDAPS protocol by @Dramelac in #641
• Cmedb export shares by @ILightThings in #638
• FTP Protocol Addition by @RomanRII in #639
• LDAP protocol improvements and scan-network module bugfix by @nurfed1 in #642
• Mssql upload / download by @guervild in #597
• Add the new daclread.py LDAP module and the msada_guids.py library by @BlWasp in #610
• Add KeePass discovery module by @d3lb3 in #636
• Add KeePass trigger abuse module by @d3lb3 in #637
• Improved cmedb export function by @ILightThings in #643
• Module to check for NTLMv1 Compatibility by @Tw1sm in #640
• Module to check for AlwaysInstallElevated by @bogey3 in #646
• fix(#649) : Fix Wrong filename on RDP screenshot issue by @jdouliez in #650
• Added functionality to retrieve ssoauthookie from Microsoft Teams local db by @R-Secure in #647
• Improve CMEDB HELP after loosing too much time with workspace .. by @shoxxdj in #652
• Update teams_localdb.py to support multi users by @LuemmelSec in #654
• Add GMSA module by @swisskyrepo in #614
• Fix regression for mssql with local_auth thx @juliourena by @mpgn in #658
• Add Masky module by @Z4kSec in #653
• Fix kerberos authentication by @zblurx in #655
• Fix #663 – Preventing non admin with access to share folder to READ and WRITE. by @juliourena in #665
• Added an NLA disabled screenshot function by @lap1nou in #666
• Add the Impersonate module by @Dfte in #601
• Fix #668 – Remove @requires_admin flag for WMI queries by @juliourena in #669
• Bump aardwolf to version 0.2.0 by @mpgn in #662
• bugfix : cant export csv by @shoxxdj in #670
• Fix #671 – handlekatz and procdump modules fail by @juliourena in #672
• Fix #674 – web_delivery module – Added the option to select architecture (64 or 32) by @juliourena in #675
• Fix #676 – bh_owned module output always returning false by @juliourena in #677

Download & Tutorial

Demo

Using the empire_exec module in CrackMapExec v4.0

Using the met_inject module in CrackMapExec v4.0

Copyright (c) 2020, byt3bl33d3r

Source: https://github.com/byt3bl33d3r/