NETWORK SECURITY
CrackMapExec in Action: Enumerating Windows Networks (Part 1)
Strategically Mapping Targets inside the Internal Network
CrackMapExec, known as CME, is a useful tool during internal penetration testing assessments for evaluating the security of Windows networks. It performs network enumeration and identifies hosts and services while enumerating shares, users, and groups within the network.
In this article, we will discuss the initial steps of network reconnaissance, focusing on gathering information from machines that allow anonymous authentication to obtain access to the network. We will use exercises from Hack The Box Academy as examples.
Table of Contents
- Enumerating SMB Information
- Enumerating User Accounts
- Enumerating Password Policies
- Enumerating Shares
Enumerating SMB Information
The tool gathers essential SMB information, such as the fully qualified domain name (FQDN), which helps identify whether a machine is domain-joined or standalone, the Windows version and architecture (x86/x64), and the SMB version.
It can also detect whether SMB signing is enabled, which helps us identify machines that could be targeted for hash stealing and relay attacks.
To enumerate the SMB information, run crackmapexec, specify the smb protocol, and pass the target IP(s), either listed in a file or as a CIDR range.
crackmapexec smb 10.129.204.177
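To turn that host line into something a defender can act on, here is a small added example (not part of the original post or of CrackMapExec itself) that parses the per-host lines CME prints for the smb protocol and flags hosts whose signing or SMBv1 settings need hardening. The sample output is constructed with hypothetical hosts, and the assumption that a host reporting its own name as its domain is standalone is mine, not the post's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of CME's `smb` host lines (hypothetical hosts).
# The exact column layout is an assumption about CME's output, not taken from the post.
SAMPLE_CME_OUTPUT = """\
SMB         10.129.204.177  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:inlanefreight.local) (signing:True) (SMBv1:False)
SMB         10.129.204.178  445    FILE01           [*] Windows Server 2016 Standard 14393 x64 (name:FILE01) (domain:inlanefreight.local) (signing:False) (SMBv1:True)
SMB         10.129.204.179  445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:WS01) (signing:False) (SMBv1:False)
"""

HOST_LINE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.*?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)\s*$"
)


def parse_cme_smb(output: str) -> List[Dict[str, object]]:
    """Extract one record per host line; non-matching lines (banners, shares) are skipped."""
    hosts: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        rec: Dict[str, object] = m.groupdict()
        # Assumption: a standalone host reports its own name in the domain field.
        rec["domain_joined"] = str(rec["domain"]).lower() != str(rec["name"]).lower()
        rec["signing"] = rec["signing"] == "True"
        rec["smbv1"] = rec["smbv1"] == "True"
        hosts.append(rec)
    return hosts


def hardening_findings(hosts: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Map each weak setting to a remediation note the blue team can track."""
    findings: List[Tuple[str, str]] = []
    for h in hosts:
        if not h["signing"]:
            findings.append((str(h["ip"]), "SMB signing not enforced: exposed to NTLM relay; require signing via GPO"))
        if h["smbv1"]:
            findings.append((str(h["ip"]), "SMBv1 enabled: disable the legacy dialect"))
    return findings


if __name__ == "__main__":
    for ip, note in hardening_findings(parse_cme_smb(SAMPLE_CME_OUTPUT)):
        print(f"{ip}: {note}")
```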
Enumerating User Accounts
Another thing to look for in the initial recon is user accounts. We can build a list of users from machines that allow anonymous sessions and then perform password attacks against them, or search for AS-REP roastable accounts, whose hashes can be cracked offline to gain access to the domain.
To enumerate users, we run crackmapexec with the --users option to list all users on the target machines, and export them to a file with the --export option.
The tool does not offer a specific option for anonymous sessions; instead, we can pass an empty string for the username (-u) and password (-p).
crackmapexec smb 10.129.204.177 -u '' -p '' --users
What I like about the --users option is that it displays not only the user accounts but also their description fields, where we can sometimes find usable credentials or information about the account type, such as service accounts.
Enumerating Password Policies
When conducting network pentests, a common mistake is failing to consider the password policy when attempting password attacks. This can result in accounts being locked out or burning down the network 🔥.
Understanding the password policy, especially the Lockout Threshold, Password Complexity, and Length, is crucial in determining how we structure password spraying or brute-forcing attacks.
To enumerate the password policy, we run crackmapexec with the --pass-pol option. In the screenshot below, the lockout threshold is set to None, meaning the accounts will never be locked out.
In real-world scenarios, you will often see that some organizations may set a low threshold of 3 or 5 failed attempts, while others choose higher attempts of 10 or more to reduce accidental lockouts.
crackmapexec smb 10.129.204.177 -u '' -p '' --pass-pol
Enumerating SMB Shares
Shared folders are the best places to look for juicy information; you will find sensitive data such as confidential documents, financial records, or privileged user credentials that help you move deeper into the network.
To list the available shares, run crackmapexec with the --shares option and an arbitrary username for the -u option, such as "guest". Note that the tool does not accept an empty string as the username when running the shares option, so we must specify one.
crackmapexec smb 10.129.29.43 -u guest -p '' --shares
The screenshot below shows an access denied error when an empty string is passed as the username.
To display the files and directories in a shared folder, we can use the --spider option with the share name and --regex . (a regex of a single dot matches every file name).
In the example below, we listed the contents of the IT share.
crackmapexec smb 10.129.203.121 -u guest -p '' --spider IT --regex .
As a pentester, having CrackMapExec in your toolkit is valuable for gaining insights into a network and its hosts.
In upcoming articles, we will explore additional ways to use the tool for authenticated enumeration, password spraying, and relay attacks.
Thanks for stopping by!
🔔 You can find a list of all the commands used in this post at R3d Buck3T Notion (Internal Pentesting Methodology — CrackMapExec)