Using Kerberos
Using Kerberos authentication with crackmapexec

CME supports Kerberos authentication. Use the KRB5CCNAME environment variable to specify the ticket.
When using the --kerberos option, you must specify the same hostname (FQDN) as the one in the Kerberos ticket.
$ export KRB5CCNAME=/home/bonclay/impacket/administrator.ccache
$ cme smb zoro.gold.local --kerberos
SMB zoro.gold.local 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:gold.local) (signing:False) (SMBv1:False)
SMB zoro.gold.local 445 ZORO [+] gold.local\administrator (Pwn3d!)
$ sudo cme smb zoro.gold.local --kerberos -x whoami
SMB zoro.gold.local 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:gold.local) (signing:False) (SMBv1:False)
SMB zoro.gold.local 445 ZORO [+] gold.local\administrator (Pwn3d!)
SMB zoro.gold.local 445 ZORO [+] Executed command
SMB zoro.gold.local 445 ZORO gold\administrator

$ export KRB5CCNAME=/home/bonclay/impacket/bonclay.ccache
$ sudo cme smb zoro.gold.local --kerberos -x whoami
SMB zoro.gold.local 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:gold.local) (signing:False) (SMBv1:False)
SMB zoro.gold.local 445 ZORO [+] gold.local\bonclay
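
The hostname rule above, as an added example that is not part of the CME documentation or code: a shell check that the target name equals the host part of a service principal listed by `klist`. The function names and the sample `klist` output (dates, service ticket, the IP in the last call) are constructed, and MIT-style `klist` formatting is assumed.

```shell
#!/bin/sh
# Added example: does the target name match a service ticket in the cache?
# All function and variable names here are hypothetical.

# Constructed sample of MIT-style `klist` output (one service ticket).
SAMPLE_KLIST='Ticket cache: FILE:/home/bonclay/impacket/administrator.ccache
Default principal: administrator@GOLD.LOCAL

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  cifs/zoro.gold.local@GOLD.LOCAL'

# spn_hosts: read klist output on stdin and print, lower-cased, the host part
# of every service/host@REALM principal. krbtgt entries (TGTs) are skipped
# because their second component is a realm, not a host.
spn_hosts() {
    awk '
        seen_header && NF >= 5 {
            spn = $NF
            sub(/@.*$/, "", spn)               # drop @REALM
            n = split(spn, parts, "/")
            if (n == 2 && parts[1] != "krbtgt") print tolower(parts[2])
        }
        /Service principal/ { seen_header = 1 }
    '
}

# target_in_cache TARGET: succeed only if TARGET, compared case-insensitively,
# is exactly the host part of a service principal read from stdin.
target_in_cache() {
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    spn_hosts | grep -Fqx -- "$target"
}

# check_target TARGET: run the check against the constructed sample.
# For a real cache, pipe the output of `klist` (it honours KRB5CCNAME) instead.
check_target() {
    if printf '%s\n' "$SAMPLE_KLIST" | target_in_cache "$1"; then
        echo "match"
    else
        echo "mismatch"
    fi
}

check_target zoro.gold.local    # FQDN as in the ticket
check_target zoro               # short name
check_target 192.168.1.10       # constructed IP address
```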

Example with LDAP and option --kdcHost

$ poetry run crackmapexec ldap poudlard.wizard -k --kdcHost dc01.poudlard.wizard
SMB poudlard.wizard 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:poudlard.wizard) (signing:True) (SMBv1:False)
LDAP poudlard.wizard 389 DC01 [+] poudlard.wizard\