Hacking Tools

CrackMapExec –Post Exploitation tool for Active Directory Networks

CrackMapExec(CME) is a post exploitation tool that can be used for tasks like cracking administrative rights and mapping active directory networks. Active directory is a windows OS utility that provides services like protocols to access other directories in the network, security services through SSL and Kerberos authentication, organizational data storage in a centralized location, and making data available to the network servers with concurrent updates. CME is packed with different sub-modules including Impacket, Powersploit, Invoke-Subfuscation, Invoke-Vnc, Mimikittenz, NetRipper, SessionGopher, RandomPS-Scripts, MimiPenguin, Pywerview, and Pywinrim. These sub-modules work along with the CME protocols, such as http, smb, mssql, and winrm. For example, Impacket and Powersploit work with the network protocols in the post exploitation techniques. Besides post-exploitation, CME has the blue team features as well, such as assessing account privileges, identifying networks misconfigurations, and simulating attacks.

CME Installation

CME is supported by Linux and Mac OSX. In Kali Linux, the tool can be installed using the following commands.

git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
python setup.py install

The –recursive argument in the git command automatically downloads all the sub-modules packages in CME directory. However, if any sub-module gives an error while running the tool, reinstall the sub-module separately to resolve the issue.

It is recommended to use pipenv to avoid any conflicts between the system’s and CME packages. The following commands need to be run to install CrackMapExec using pipenv.

apt-get install -y libssl-dev libffi-dev python-dev build-essential
pip install --user pipenv
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec && pipenv install
pipenv shell
python setup.py install

Running CrackMapExec

Once CrackMapExec is installed, it can be executed using the following command.


To see all the available options, run CME with the help command.

cme --help

CME comes with http, ssh, smb, mssql, and winrm protocols. The options available for each protocol can be viewed using the following help command.

cme <protocol name> --help

To see available set of modules for each protocol, use the –L flag.

cme <protocol name> -L

For instance, we can check the available modules for mssql protocol in the following manner.

cme mssql –L

To run the protocol and module together on the target host, use the following command.

cme <protocol name> <target host> -M <module name>

Each module has a set of options that can be explored by using the –options arguments in the following command.

cme <protocol name> <target host> -M <module name> --options

The desired module option can be implemented in the command by using the –o flag in the following manner.

cme <protocol name> <target host> -M <module name> -o <module option>

What Bunny rating does it get?

To Top

Pin It on Pinterest

Share This