CrackMapExec：域环境渗透中的瑞士军刀

CrackMapExec：使用Python编写的一款工具，堪称Windows 活动目录/域 环境渗透测试里的一把瑞士军刀，这工具功能真的很强大、齐全！

Powered by Impacket

CrackMapExec 项目灵感来源：

@agsolino的 wmiexec.py , wmiquery.py , smbexec.py , samrdump.py , secretsdump.py , atexec.py 以及 lookupsid.py

@ShawnDEvans的 smbmap

@gojhonny的 CredCrack

@pentestgeek的 smbexec

项目中部分代码参考了@T-S-A的 smbspider 脚本

另外包含了 PowerSploit 项目中的一些脚本：

Invoke-Mimikatz.ps1

Invoke-NinjaCopy.ps1

Invoke-ReflectivePEInjection.ps1

Invoke-Shellcode.ps1

Get-GPPPassword.ps1

以及 PowerTools 知识库 PowerView 脚本

描述

CrackMapExec提供了域环境（活动目录）渗透测试中一站式便携工具，它具有列举登录用户、通过SMB(Server Message Block)网络文件共享协议爬虫列出SMB分享列表，

执行类似于Psexec的攻击、使用powerShell脚本执行自动式Mimikatz/Shellcode/DLL注入到内存中，dump NTDS.dit密码。

工具改进完善：

纯Python脚本，无需外部依赖；

全双工多进程；

使用本地WinAPI会话发现session会话控制、用户、dump 存储在SAM中的windows HASH值；

演示视频

使用参数

  ______ .______           ___        ______  __  ___ .___  ___.      ___      .______    _______ ___   ___  _______   ______   /      ||   _  /         /   /      /      ||  |/  / |   //   |     /   /     |   _  /  |   ____|/  / /  / |   ____| /      | |  ,----'|  |_)  |       /  ^  /    |  ,----'|  '  /  |  /  /  |    /  ^  /    |  |_)  | |  |__    /  V  /  |  |__   |  ,----' |  |     |      /       /  /_/  /   |  |     |    <   |  |//|  |   /  /_/  /   |   ___/  |   __|    >   <   |   __|  |  |      |  `----.|  |/  /----. /  _____  /  |  `----.|  .  /  |  |  |  |  /  _____  /  |  |      |  |____  /  .  /  |  |____ |  `----.  /______|| _| `._____|/__/     /__/  /______||__|/__/ |__|  |__| /__/     /__/ | _|      |_______|/__/ /__/ |_______| /______|                   Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r                         Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)                                                     Inspired by:                             @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap                             @gojhonny's CredCrack https://github.com/gojhonny/CredCrack                             @pentestgeek's smbexec https://github.com/pentestgeek/smbexec                                                    Version: 2.3                                             Codename: 'Pink Bubbles'  positional arguments:   target                The target IP, range, CIDR identifier, hostname, FQDN or list or file containg a list of targets  optional arguments:   -h, --help            show this help message and exit //打印帮助信息   -v, --version         show program's version number and exit  //显示程序版本信息   -t THREADS            Set how many concurrent threads to use (defaults to 100)  //指定进程数 默认为100   -u USERNAME           Username(s) or file containing usernames  //指定用户名   -p PASSWORD           Password(s) or file containing passwords  //指定密码   -H HASH               NTLM hash(es) or file containing NTLM hashes     -C COMBO_FILE         Combo file containing a list of domain/username:password or username:password entries   -k HEX_KEY            AES key to use for Kerberos Authentication (128 or 256 bits)   -d DOMAIN             Domain name  //指定域   -n NAMESPACE          WMI Namespace (default: //./root/cimv2)   -s SHARE              Specify a share (default: C$)  //指定分享   --kerb                Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters   --port {139,445}      SMB port (default: 445) //指定SMB端口 默认445   --server {http,https}                         Use the selected server (defaults to http) //指定http或https 默认使用http   --server-port PORT    Start the server on the specified port     --fail-limit LIMIT    The max number of failed login attempts allowed per host (default: None)   --gfail-limit LIMIT   The max number of failed login attempts allowed globally (default: None)   --verbose             Enable verbose output  Credential Gathering:   Options for gathering credentials    --sam                 Dump SAM hashes from target systems   --lsa                 Dump LSA secrets from target systems   --gpp-passwords       Retrieve plaintext passwords and other information for accounts pushed through Group Policy Preferences   --ntds {ninja,vss,drsuapi}                         Dump the NTDS.dit from target DCs using the specifed method                         (drsuapi is the fastest)   --ntds-history        Dump NTDS.dit password history   --ntds-pwdLastSet     Shows the pwdLastSet attribute for each NTDS.dit account   --mimikatz            Run Invoke-Mimikatz (sekurlsa::logonpasswords) on target systems   --mimikatz-cmd MIMIKATZ_CMD                         Run Invoke-Mimikatz with the specified command   --enable-wdigest      Creates the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1   --disable-wdigest     Deletes the 'UseLogonCredential' registry key  Mapping/Enumeration:   Options for Mapping/Enumerating    --shares              List shares  //列出分享   --check-uac           Checks UAC status //检查UAC状态   --sessions            Enumerate active sessions   --disks               Enumerate disks   --users               Enumerate users   --rid-brute [MAX_RID]                         Enumerate users by bruteforcing RID's (defaults to 4000)   --pass-pol            Dump password policy   --lusers              Enumerate logged on users   --powerview POWERVIEW_CMD                         Run the specified PowerView command   --wmi QUERY           Issues the specified WMI query  Spidering:   Options for spidering shares    --spider [FOLDER]     Folder to spider (defaults to top level directory)   --content             Enable file content searching   --exclude-dirs DIR_LIST                         Directories to exclude from spidering   --pattern PATTERN     Pattern to search for in folders, filenames and file content   --patternfile PATTERNFILE                         File containing patterns to search for in folders, filenames and file content   --depth DEPTH         Spider recursion depth (default: 10)  Command Execution:   Options for executing commands    --execm {atexec,wmi,smbexec}                         Method to execute the command (default: wmi)   --ps-arch {auto,64,32}                         Process architecture all PowerShell code/commands should run in (default: auto)   --no-output           Do not retrieve command output   -x COMMAND            Execute the specified command   -X PS_COMMAND         Excute the specified powershell command  Shellcode/EXE/DLL/Meterpreter Injection:   Options for injecting Shellcode/EXE/DLL/Meterpreter in memory using PowerShell    --inject {met_reverse_http,met_reverse_https,exe,shellcode,dll}                         Inject Shellcode, EXE, DLL or Meterpreter   --path PATH           Path to the Shellcode/EXE/DLL you want to inject on the target systems (ignored if injecting Meterpreter)   --procid PROCID       Process ID to inject the Shellcode/EXE/DLL/Meterpreter into (if omitted, will inject within the running PowerShell process)   --exeargs EXEARGS     Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)   --met-options LHOST LPORT                         Meterpreter options (ignored if not injecting Meterpreter)  Filesystem Interaction:   Options for interacting with filesystems    --list [PATH]         List contents of a directory (defaults to top level directory)   --download SRC DST    Download a file from the remote systems   --upload SRC DST      Upload a file to the remote systems   --delete PATH         Delete a remote file  Service Interaction:   Options for interacting with Windows services    --service {status,list,create,stop,start,config,change,delete}   --name NAME           Service name   --display NAME        Service display name   --bin-path PATH       Binary path   --service-type TYPE   Service type   --start-type TYPE     Service start type   --start-name NAME     Name of the account under which the service should run   --start-pass PASS     Password of the account whose name was specified with the --start-name parameter  MSSQL Interaction:   Options for interacting with MSSQL DB's    --mssql [QUERY]       Authenticate with the provided credentials against the MSSQL service, optionally execute the specified query   --mssql-port PORT     MSSQL service port (default: 1433)   --mssql-instance      Enumerate the MSSQL intances on the target hosts   --enable-xpcmdshell   Enable xp_cmdshell on target DB's   --disable-xpcmdshell  Disable xp_cmdshell on target DB's   --xp-cmd COMMAND      Execute the specified command using xp_cmdshell

* 项目地址： GitHub 0xroot编译，内容有所删减/改动 ，转载请注明来自FreeBuf黑客与极客（FreeBuf.COM)