Major release for CrackMapExec
From Sponsorware version to public version
Since June 2021, CrackMapExec has been updated only on the Porchetta platform and not on the public repository. The cost of a sponsorship is $60 for 6 months of access to all tools on Porchetta, but while some people are happy to support tools that help them so much during internal pentests, others can be hesitant, not knowing what they will be supporting.
In this post we will focus only on CrackMapExec. All the features listed below have been available to sponsors, and only sponsors, for ~5 months, giving them a big advantage during internal pentests, as some features and modules can save a lot of time.
Nevertheless, it's been more than 6 months since the public repository was last updated and it's time to merge all the features from the private repository into the public one!
This post will help you track down all the new updates and fixed issues that have been pushed to CrackMapExec since Porchetta was launched.
If you want to follow the latest updates of CME without waiting for a blog post, follow me on Twitter @mpgn_x64 and don't forget to follow Porchetta Industries @porchetta_ind for the latest news about all the other tools!
The latest version of CrackMapExec is 5.2.2!
Most people using CrackMapExec have been in the situation where CME is stuck and never finishes! In reality CrackMapExec is taking its time, in fact 60 seconds per host, so if you launch CME on a /24 with only two hosts accessible, you will wait a long time before CME finishes! This behavior can be expected on a very slow network, but in the general case it is useless, and therefore I have added multiple timeouts (3 seconds) that will help you stop using the ugly CTRL-C or CTRL-Z technique!
End of the CTRL-Z era my friend!
This was something that always bothered me a lot: every time you wanted to execute a command with option -x or -X you had to run CME as sudo since port 445 was needed. This was an old feature that is now deprecated. No more sudo needed.
A long-awaited feature for me: I've always dreamed about this one and it is done. You can now configure CrackMapExec to send pwn3d accounts to neo4j (for BloodHound). Every time CrackMapExec finds a valid credential, it will be added to BloodHound as owned! Very useful when you dump the lsass process and you get 20 accounts in one run!
Probably one of the most useful new features in CrackMapExec! On one of my last engagements I realized that when LAPS is in use, it was a bit of a pain to use CME. You had to use the LAPS module (and target a specific server) and then use the credential on this server. Honestly it was painful and it defeated the whole purpose of CME!
I took the time to develop a new core feature in CrackMapExec for the SMB protocol called --laps. If you have compromised an account that can read LAPS passwords, you can now use this account and target every computer you want on the network; CME will automatically use this account to get the LAPS password of the targeted computer :)
Not long ago, @Pixis published a new release of his tool LSASSY (a tool that dumps lsass remotely), and he then updated the lsassy module in CrackMapExec! In my daily routine, I always use lsassy directly instead of the module, but in some cases where I know this will not be triggered by any AV, I use the lsassy module to go faster.
I was recently checking the specificities of the "Protected Users" group and learned that it only uses Kerberos authentication, and this is why you can't get any NTLM hash from the lsass process! Excellent news for the blue team, no? Even if the machine is compromised, the attacker will not be able to steal the NTLM hash of the users who are members of "Protected Users". Well, not so much! Thanks to @remiescourrou's update, lsassy is also able to grab Kerberos tickets using pypykatz. You can then get the Kerberos ticket (valid ~4 hours) and then feed this ticket into CrackMapExec.
How many times I got frustrated by CrackMapExec during an engagement because when I tried to enumerate users with a NULL session no results were shown while enum4linux was working fine. This is now resolved, folks!
This one is pretty cool! When you use the LDAP protocol to spray credentials you currently don't know if the account is in a privileged group like "Domain Admin", "Enterprise admin" etc. This is now fixed and if you compromise a domain admin, CrackMapExec will show you the "Pwn3d" flag! Bonus: LDAP will now show the status of the account you compromise (account is locked / password must be changed etc.) just like the SMB protocol!
Thanks to @qtc-de and @snovvcrash's contributions, a new module called "adcs" can be used to quickly get the list of ADCS servers and list all certificate templates. While this module can really evolve to show more and more info, someone who really loves Python whispered in my ear that a really cool tool related to ADCS exploits will come soon, you can probably guess who 👀
Another big thanks to @qtc-de for this module that helps you check whether the WebDAV service is enabled or not on the remote target. Why is this important?
It allows attackers to elicit authentications made over HTTP instead of SMB, hence heightening NTLM relay capabilities.
Follow this link to get all the implications :
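On the defensive side, the same exposure can be inventoried from the inside. The following is an added example, not part of the original post or of CrackMapExec: a PowerShell report of the WebClient service (the Windows WebDAV client) across a list of hosts. The host names are constructed placeholders, and remote CIM access with administrative rights is assumed.

```powershell
# Added example, not CrackMapExec code: report the state of the WebClient
# (WebDAV client) service on each host so it can be disabled where unneeded.
# Host names are constructed placeholders; replace them with your inventory.
$Computers = @('ws01.corp.example', 'srv01.corp.example')

function Get-WebClientState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($name in $ComputerName) {
        # One result row per host, filled in as far as the query succeeds
        $row = [ordered]@{ Computer = $name; State = 'n/a'; StartMode = 'n/a'; Finding = '' }
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" `
                                   -ComputerName $name -ErrorAction Stop
            if (-not $svc) {
                # The query worked but the service does not exist on this host
                $row.Finding = 'Not installed'
            } else {
                $row.State     = $svc.State
                $row.StartMode = $svc.StartMode
                $row.Finding   = if ($svc.State -eq 'Running') {
                    'Running: review and disable if WebDAV is not needed'
                } elseif ($svc.StartMode -ne 'Disabled') {
                    'Stopped but can still be started'
                } else {
                    'Disabled'
                }
            }
        } catch {
            # Unreachable host, access denied, WinRM not enabled, etc.
            $row.Finding = "Query failed: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

Get-WebClientState -ComputerName $Computers |
    Sort-Object Finding, Computer |
    Format-Table -AutoSize
```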

Sometimes, research about "how to dump the lsass process" evolves, to be quicker or stealthier to avoid getting caught by EDR etc. Two new tools came up lately:
1. HandleKatz: A position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump() by @thefLinkk
2. nanodump:
   - Syscalls are called from an ntdll address to bypass some syscall detections
   - Windows APIs are called using dynamic invoke
   - The minidump by default has an invalid signature to avoid detection
   - No calls to dbghelp or any other library are made, all the dump logic is implemented in nanodump
   - Supports process forking to avoid the permission PROCESS_VM_READ
   - Supports handle duplication
   - Supports MalSecLogon
   - You can load nanodump in LSASS as a Security Support Provider (SSP)
I have integrated them into CrackMapExec as modules.

I also added the module procdump to dump the lsass process using procdump.exe. This is the original module developed in 2019 with @Pixis before lsassy even existed!

In December I added four modules to quickly detect a vulnerable Domain Controller or server.
- 1.
- 2.
- 3.
- 4. crackmapexec smb <ip> -u '' -p '' -M ms17-010 (not tested outside HTB) @ ywolf
- 5.

You will have noticed that there are five modules on the screenshot; the last one, ioxidresolver, will help you identify hosts that have additional active interfaces, which usually means virtual machines, VPNs, connected wireless, docker, etc. Really useful on internal pentests sometimes to target the right server directly and avoid losing time!

Nine issues from the public repository have been fixed:

As you can see, the sponsorware version of CrackMapExec has been updated non-stop since June 2021. I want to thank all the sponsors; I will continue to update CME, and the next commits, bug fixes and new updates will be done on the sponsors version of CME!
Peace 🪂