Using CrackMapExec

Using CrackMapExec  Medium

Active Directory presents a vast attack surface and often requires us to use many different tools during an assessment. The CrackMapExec tool, known as a "Swiss Army Knife" for testing networks, facilitates enumeration, attacks, and post-exploitation that can be leveraged against most any domain using multiple network protocols. It is a versatile and highly customizable tool that should be in any penetration tester's toolbox.

Created by mpgn
Co-Authors: plaintextHTB

To start this course Sign Up!


This module will teach you how to get the best out of CrackMapExec (CME) through various interactive lessons and a final lab. CrackMapExec is a tool that helps automate assessing the security of large networks composed of Windows workstations and servers. Mastering CME is great for anyone performing internal penetration tests.

In this module, we will cover the following:

  • Recon
  • Password Spraying using various protocols
  • Finding accounts and secrets
  • Exploiting Kerberosting and ASREPRoasting
  • Executing remote commands and injecting an Empire/Meterpreter stager
  • Extracting data from Active Directory
  • The cmedb, CrackMapExec's database
  • Creating our own CME module

This module is broken down into sections with accompanying hands-on exercises to practice the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

As you work through the module, you will see example commands and command output for the topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the interactive sections' target host or your virtual machine.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "Medium" and assumes a working knowledge of the Windows and Linux operating systems and an understanding of Active Directory enumeration and attacks.

A firm grasp of the following modules can be considered prerequisite for the successful completion of this module:

  • Networking Fundamentals
  • Linux Fundamentals
  • Windows Fundamentals
  • Introduction to Windows Command Line
  • Introduction to Active Directory
  • Active Directory Enumeration & Attacks


  • What is CrackMapExec?
  • Installation & Binaries
  • Targets and Protocols
  • Basic SMB Reconnaissance
  • Exploiting NULL/Anonymous Sessions
  • Password Spraying
  • Finding ASREPRoastable Accounts
  • Searching for Accounts in Group Policy Objects
  • Working with Modules
  • MSSQL Enumeration and Attacks
  • Finding Kerberoastable Accounts
  • Spidering and Finding Juicy Information in an SMB Share
  • Proxychains with CME
  • Stealing Hashes
  • Mapping and Enumeration with SMB
  • LDAP and RDP Enumeration
  • Command Execution
  • Finding Secrets and Using Them
  • Getting Sessions in a C2 Framework
  • BloodHound Integration
  • Popular Modules
  • Vulnerability Scan Modules
  • Creating Our Own CME Module
  • Additional CME Functionality
  • Kerberos Authentication
  • Mastering the CMEDB
  • Skills Assessment
To start this course Sign Up!