🐉
Indestructible G0thm0g
CrackMapExec 5.4.0 is now up-to-date and available to everyone
CrackMapExec version 5.4.0 is now publicly available to everyone on GitHub and Kali Linux. You can git clone the repository, download the binaries directly from the GitHub release page, or just run
apt install crackmapexec
. This version contains a lot of new additions made by the community. A huge step has been taken and I hope you will enjoy this new version. If you want to build CrackMapExec with poetry, you will need to install Rust first. More info on this page: Installation for Unix

Third, since I launched operation COIN in June 2022, I have never had so many Pull Requests from the community; this is amazing and proof that giving something to the contributors is a good way to engage the community in your project! Really, thank you all, and thanks to BZHunt again for sponsoring the coins!!!

14 Pull Requests in just one month!!!

All the contributors over a 3-month period
Finally, and this is maybe the most important message, I probably don't say it enough on Twitter but I wanted to thank all the people who sponsor CrackMapExec through Porchetta.Industries. You are not only sponsoring CrackMapExec but also all the tools from Skelsec like Pypykatz, aardwolf etc., as well as NPK from @c6fc and SysWhispers3 from klezVirus!
Now let's take the time to list the new features of CrackMapExec! All of these features are also available in the latest version of CME in Kali.
You can now recon FTP servers on an internal network and also bruteforce FTP credentials with CME! Addition made by https://twitter.com/RiiRoman

The LDAP protocol has been refactored by https://twitter.com/Nurfed1 to improve usability with Kerberos authentication and to make CME work across domains (trusted or child domains).
Thanks to Zblurx, CME now supports Kerberos authentication with a user/password or user/hash pair, so you no longer need to point the KRB5CCNAME environment variable at a ticket!!! Addition by https://twitter.com/_zblurx
With this new feature we have all the ingredients to build our own Kerbrute inside CME. CrackMapExec can tell you whether a user exists on the domain and whether that user has Kerberos pre-authentication disabled, i.e. is vulnerable to AS-REP roasting!!

The days of awk are over for extracting data from CME output: you can now export shares, credentials, etc. using the export function inside cmedb. Addition by https://twitter.com/gray_sec

You can now DCSync only enabled users, or a specific user, with CrackMapExec.

A new feature has been added to the LDAP protocol to retrieve the NT hash of a gMSA if your account has permission to read its password (the msDS-ManagedPassword attribute)! Addition by https://twitter.com/pentest_swissky

And yes, thanks to https://github.com/lap1nou, you can now screenshot the login screen of any host with NLA disabled and see which user is currently logged on to it, cool feature. Addition by https://twitter.com/lapinousexy
👍


You can now upload and download files over the MSSQL protocol; this change has also been wired into the nanodump module to upload nanodump and exfiltrate an LSASS dump through MSSQL! Addition by https://twitter.com/__n0mad


Probably one of my favorite modules: if you have admin access to the sysadmin's machine and they use KeePass, just trick them with this simple module and steal their master password. Addition by https://twitter.com/d3lb3_

With this module you will be able to get the DNS records stored in Active Directory, meaning that with any valid domain account you can get a list of IP addresses/host names of the internal network. A good module to save some time instead of scanning port 445 with nmap.
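What those records look like once read over LDAP, as an added example that is not the CME module's code: AD-integrated DNS stores every name as a dnsNode object (under CN=MicrosoftDNS in the DomainDnsZones or ForestDnsZones partition) whose multi-valued dnsRecord attribute holds DNS_RPC_RECORD structures (MS-DNSP 2.3.2.2). The decoder, the record builder and the sample zone below are this example's own constructions; it turns A and AAAA records into hosts-file lines, skips tombstoned nodes, and leaves other record types undecoded.

```python
"""Decode dnsRecord attribute values of AD-integrated DNS (dnsNode objects) into
host/IP pairs.  Added example, not CME's module; the record layout is DNS_RPC_RECORD
(MS-DNSP 2.3.2.2) and the sample zone below is constructed, not captured."""
import ipaddress
import struct

DNS_TYPE_ZERO, DNS_TYPE_A, DNS_TYPE_AAAA = 0, 1, 28   # ZERO marks a tombstoned node
RANK_ZONE = 0xF0                                      # authoritative zone data
# Header: DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4)
#         TtlSeconds(4, big-endian!) Reserved(4) TimeStamp(4), then Data
RECORD_HEADER_LEN = 24


def build_dns_record(rtype: int, data: bytes, ttl: int = 600, serial: int = 1,
                     rank: int = RANK_ZONE) -> bytes:
    """Serialise a DNS_RPC_RECORD the way it is stored in the dnsRecord attribute."""
    return (struct.pack("<HHBBHL", len(data), rtype, 5, rank, 0, serial)
            + struct.pack(">L", ttl)
            + struct.pack("<LL", 0, 0)
            + data)


def parse_dns_record(raw: bytes) -> dict:
    """Decode one dnsRecord value; A/AAAA data becomes a printable address."""
    if len(raw) < RECORD_HEADER_LEN:
        raise ValueError("dnsRecord shorter than the DNS_RPC_RECORD header")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHL", raw, 0)
    (ttl,) = struct.unpack_from(">L", raw, 12)  # the only big-endian field in the header
    data = raw[RECORD_HEADER_LEN:RECORD_HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength runs past the end of the attribute value")
    rec = {"type": rtype, "ttl": ttl, "serial": serial, "rank": rank,
           "tombstone": rtype == DNS_TYPE_ZERO, "value": None}
    if rtype == DNS_TYPE_A and data_len == 4:
        rec["value"] = str(ipaddress.IPv4Address(data))
    elif rtype == DNS_TYPE_AAAA and data_len == 16:
        rec["value"] = str(ipaddress.IPv6Address(data))
    else:
        rec["value"] = data.hex()  # CNAME, SRV, SOA, ... left undecoded in this example
    return rec


def dnsnodes_to_hosts(zone: str, nodes: dict) -> list:
    """nodes maps a dnsNode's `name` attribute to its list of raw dnsRecord values.
    Returns hosts(5)-style lines for every address record of non-tombstoned nodes."""
    lines = []
    for name, records in sorted(nodes.items()):
        fqdn = zone if name == "@" else f"{name}.{zone}"  # "@" is the zone apex node
        for raw in records:
            rec = parse_dns_record(raw)
            if rec["tombstone"] or rec["type"] not in (DNS_TYPE_A, DNS_TYPE_AAAA):
                continue
            lines.append(f"{rec['value']} {fqdn}")
    return lines


# Constructed sample zone: apex, a DC, a dual-stack file server and a tombstoned host.
SAMPLE_ZONE = "corp.example"
SAMPLE_NODES = {
    "@": [build_dns_record(DNS_TYPE_A, bytes([10, 0, 0, 10]))],
    "dc01": [build_dns_record(DNS_TYPE_A, bytes([10, 0, 0, 10]))],
    "files": [build_dns_record(DNS_TYPE_A, bytes([10, 0, 1, 20])),
              build_dns_record(DNS_TYPE_AAAA, ipaddress.IPv6Address("fd00::20").packed)],
    "decom": [build_dns_record(DNS_TYPE_ZERO, struct.pack("<Q", 0))],  # tombstone timestamp
}

if __name__ == "__main__":
    print("\n".join(dnsnodes_to_hosts(SAMPLE_ZONE, SAMPLE_NODES)))
```

Any authenticated domain user can read these objects by default, which is why this beats a port-445 sweep for an initial host list; the names of tombstoned nodes are also visible to the same query and are worth noting as decommissioned assets rather than live targets.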

ZakSec did amazing work on Masky and, most importantly, developed the tool as a library. Thanks to this, we now have a Masky module inside CME. If you have admin privileges, the module will impersonate every logged-on user -> request a certificate (ADCS) -> retrieve the NT hash using PKINIT!!! Addition by https://twitter.com/_ZakSec

During an internal pentest, sometimes you have already compromised everything but want to push a little bit further. If the company uses Teams, just use the Teams module to steal the cookie and send a direct message to the owner or anyone else on Teams :D Addition by https://twitter.com/KuiilSec

This module is DeathStar but inside CME. Use it with caution, of course :) Starting from an initial admin access, it dumps LSASS recursively, using BloodHound to find local admin paths (AdminTo edges) to harvest more users and find new paths, until DA! Addition by https://github.com/pgormanDS

Quickly check whether LDAP signing and channel binding are enforced! Addition by https://twitter.com/theluemmel

Quickly read some DACL properties of an account, for example "Who can DCSync?", without running BloodHound! :) Addition by https://twitter.com/BlWasp_

Check if NTLMv1 is enabled on the remote target! The module reads the LmCompatibilityLevel value from the target's registry, so you will need admin privileges for this one :) Addition by https://twitter.com/tw1sm

That's all, I hope you will enjoy this version; for those who sponsor the project, we are already on version 5.4.1
😄