CrackMapExec 5.4.0 is now up-do-date and available to everyone
CrackMapExec version 5.4.0 is now publicly available to everyone on Github and Kali Linux. You can git clone or directly download the binaries on the Github release page or just
apt install crackmapexec. This version contains a lot of new additions made by the community. Huge step has been taken and I hope you will enjoy this new version.
Third, since I launch the operation COIN in June 2022, I never has so much Pull Request from the community, this is amazing and a proof that giving something to the contributors is a good way to engage the community in your project ! Really, thank you all and thanks to BZHunt again for sponsoring the coins !!!
14 Pull Requests in just one month !!!
All the contributors during a 3 months period
Finally and this is maybe the most important message, I propably don't say it enough on twitter but I wanted to thanks all people that sponsors CrackMapExec through Porchetta.Industries. You are not only sponsoring CrackMapExec but also all tools from Skelsec like Pypykatz, aardwold etc but also NPK from @c6fc and SysWhispers3 from klezVirus !
Now let's take the time to list the new feature of CrackMapExec ! All the features can be also found in the latest version of CME in Kali).
Using this new feature, we have all the ingredients to build our own Kerbrute inside CME. CrackMapExec is able to tell you if a user exist or not on the domain and if this user vulnerable to PRE-AUTH vulnerability !!
You can now dcsync only enabled users or a specific user with CrackMapExec
You can now upload and download using MSSQL protocol, this changement has been added to the nanodump module to upload and exploit an lsass dump through out a MSSQL ! Addition by https://twitter.com/__n0mad
Probably one of my favorite module, if you have admin access to the sys admin machine and he uses keepass, just trick him with this simple module and steal all his master password. Addition by https://twitter.com/d3lb3_
With this module you will be able to get the networks records of the active directory meaning if you have a valid account, a way to get a list of IP/domain name of the internal network. Good module to buy some time instead of nmap port 445.
ZakSec did an amazing work on Masky and most important he developed the tool as a librairy. Thanks to this, we now have a Masky module inside CME. If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT !!! Addition by https://twitter.com/_ZakSec
During internal pentest, sometime you already compromise everyting but you want to push a little bit more. If the company is using Teams, just use the plugins teams to steal the cookie and send a direct message to the owner or anyone else on Teams :D Addition by https://twitter.com/KuiilSec
This module is DeathStar but in CME. Use it with caution of course :) With an initial admin access, it will dump lsass recursively using BloodHound to find local admins path (adminTo) to harvest more users and find new paths until DA ! Addition by https://github.com/pgormanDS
That's all, hope you will enjoy this version, for the one who sponsors the project, we are already on version 5.4.1