New feature: HTB Academy Badges Learn More

Using CrackMapExec

Active Directory presents a vast attack surface and often requires us to use many different tools during an assessment. The CrackMapExec tool, known as a "Swiss Army Knife" for testing networks, facilitates enumeration, attacks, and post-exploitation that can be leveraged against most any domain using multiple network protocols. It is a versatile and highly customizable tool that should be in any penetration tester's toolbox.


Created by mpgn
Co-Authors: plaintextHTB

Medium Offensive


This module will teach you how to get the best out of CrackMapExec (CME) through various interactive lessons and a final lab. CrackMapExec is a tool that helps automate assessing the security of large networks composed of Windows workstations and servers. Mastering CME is great for anyone performing internal penetration tests.

In this module, we will cover the following:

  • Recon
  • Password Spraying using various protocols
  • Finding accounts and secrets
  • Exploiting Kerberosting and ASREPRoasting
  • Executing remote commands and injecting an Empire/Meterpreter stager
  • Extracting data from Active Directory
  • The cmedb, CrackMapExec's database
  • Creating our own CME module

This module is broken down into sections with accompanying hands-on exercises to practice the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

As you work through the module, you will see example commands and command output for the topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the interactive sections' target host or your virtual machine.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "Medium" and assumes a working knowledge of the Windows and Linux operating systems and an understanding of Active Directory enumeration and attacks.

A firm grasp of the following modules can be considered prerequisite for the successful completion of this module:

  • Networking Fundamentals
  • Linux Fundamentals
  • Windows Fundamentals
  • Introduction to Windows Command Line
  • Introduction to Active Directory
  • Active Directory Enumeration & Attacks

What is CrackMapExec?

CrackMapExec (a.k.a CME) is a tool that helps assess the security of large networks composed of Windows workstations and servers.


CME heavily uses the Impacket library to work with network protocols and perform a variety of post-exploitation techniques. To understand the power of CME, we need to imagine simple scenarios:

  1. We are working on an internal security assessment of over 1,000 Windows workstations and servers. How do we test whether the single set of credentials we have works for a local administrator on one or more machines?

  2. We only have one target and several sets of credentials in our possession, but we need to know if they are still valid. How do we test them quickly?

  3. We obtained local administrator credentials and want to dump the SAM file on each compromised workstation quickly. Do we use yet another tool, or do we go manually through each workstation?

These questions can be answered using many tools and techniques, but it can be handy to deal with multiple tools from several authors. This is where CrackMapExec steps in and helps us automate all the little things we need during an internal penetration test. CME also gathers credentials we found during the security assessment into a database so we can go back to them later as needed. The output is intuitive and straightforward, and the tool works on Linux and Windows and supports socks proxy and multiple protocols.

Although meant to be used primarily for offensive purposes (e.g., internal pentesting), CME can be used by blue teams to assess account privileges, find possible misconfigurations, and simulate attack scenarios.

Since June 2021, CrackMapExec has been updated only on the Porchetta platform and not on the public repository. A sponsorship costs $60 for six (6) months of access to all tools on Porchetta. The private repository is merged with the public repository every six (6) months. However, community contributions are available to everyone immediately. CrackMapExec is developed by @byt3bl33d3r and @mpgn. The official documentation can be found on the CrackMapExec Wiki.

Now that we've set the stage with a brief overview of the CME tool let's get it set up on our penetration testing system of choice before digging into the various functionality.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.