CrackMapExec – A Swiss Army Knife for Pentesting Networks

CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": it abuses built-in Active Directory features and protocols to achieve its functionality, which allows it to evade most endpoint protection/IDS/IPS solutions.

CME makes heavy use of the Impacket library and the PowerSploit Toolkit for working with network protocols and performing a variety of post-exploitation techniques. Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments! From enumerating logged-on users and spidering SMB shares to executing psexec-style attacks, auto-injecting Mimikatz/shellcode/DLLs into memory using PowerShell, dumping the NTDS.dit and more!

The biggest improvements over the tools that inspired it (smbmap, CredCrack and smbexec) are:

  • Pure Python script, no external tools required
  • Fully concurrent threading
  • Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc…
  • Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc…)

Additionally, a database is used to store used/dumped credentials. It also automatically correlates admin credentials to hosts and vice versa, allowing you to easily keep track of credential sets and gain additional situational awareness in large environments.





It is recommended to use virtualenvwrapper and install CrackMapExec in a Python virtualenv.

Kali/Debian/Ubuntu Users:

  • Run: apt-get install -y libssl-dev libffi-dev python-dev build-essential

To get the latest stable version:

#~ pip install crackmapexec

Git Clone Install

#~ git clone
#~ cd CrackMapExec && git submodule init && git submodule update --recursive
#~ python setup.py install



Once CrackMapExec is installed, it is invoked as cme. To see all the available options, run CME with the help flag.

cme --help

CME comes with the http, ssh, smb, mssql and winrm protocols. The list of protocols, and the options available for each one, can be viewed with the following help commands.

cme protocols

cme <protocol name> --help

To see the set of modules available for a protocol, use the -L flag.

cme <protocol name> -L

For instance, the modules available for the mssql protocol can be listed as follows.

cme mssql -L

(screenshot: output of cme mssql -L, listing the available mssql modules)

To run a module against a target host, pass the protocol, the target and the module name with -M.

cme <protocol name> <target host> -M <module name>

Each module has its own set of options, which can be listed with --options.

cme <protocol name> <target host> -M <module name> --options

A module option is set with the -o flag as a KEY=VALUE pair.

cme <protocol name> <target host> -M <module name> -o <module option>=<value>
For reference, here is the full help output of an earlier, single-protocol release of CME. It predates the protocol subcommands used above, so these flags were given directly to cme; in current releases most of them live under the smb protocol (for example --sam and --ntds) or have become modules (for example -M mimikatz).

Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r

Powered by Impacket (@agsolino)

Inspired by:
  @ShawnDEvans's smbmap
  @gojhonny's CredCrack
  @pentestgeek's smbexec
positional arguments:
  target                The target range, CIDR identifier or file containing targets

optional arguments:
  -h, --help            show this help message and exit
  -t THREADS            Set how many concurrent threads to use
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password
  -H HASH               NTLM hash
  -n NAMESPACE          Namespace name (default //./root/cimv2)
  -d DOMAIN             Domain name
  -s SHARE              Specify a share (default: C$)
  -P {139,445}          SMB port (default: 445)
  -v                    Enable verbose output

Credential Gathering:
  Options for gathering credentials

  --sam                 Dump SAM hashes from target systems
  --mimikatz            Run Invoke-Mimikatz on target systems
  --ntds {ninja,vss,drsuapi}
                        Dump the NTDS.dit from target DCs using the specified method
                        (drsuapi is the fastest)

Mapping/Enumeration:
  Options for mapping/enumerating

  --shares              List shares
  --sessions            Enumerate active sessions
  --users               Enumerate users
  --lusers              Enumerate logged on users
  --wmi QUERY           Issues the specified WMI query

Account Bruteforcing:
  Options for bruteforcing SMB accounts

  --bruteforce USER_FILE PASS_FILE
                        Your wordlists containing Usernames and Passwords
  --exhaust             Don't stop on first valid account found

Spidering:
  Options for spidering shares

  --spider FOLDER       Folder to spider (defaults to share root dir)
  --pattern PATTERN     Pattern to search for in filenames and folders
  --patternfile PATTERNFILE
                        File containing patterns to search for
  --depth DEPTH         Spider recursion depth (default: 1)

Command Execution:
  Options for executing commands

  --execm {atexec,wmi,smbexec}
                        Method to execute the command (default: smbexec)
  -x COMMAND            Execute the specified command
  -X PS_COMMAND         Execute the specified PowerShell command

Shellcode/EXE/DLL injection:
  Options for injecting Shellcode/EXEs/DLLs using PowerShell

  --inject {exe,shellcode,dll}
                        Inject Shellcode, EXE or a DLL
  --path PATH           Path to the Shellcode/EXE/DLL you want to inject on the target systems
  --procid PROCID       Process ID to inject the Shellcode/EXE/DLL into (if omitted, will inject within the running PowerShell process)
  --exeargs EXEARGS     Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)

Filesystem interaction:
  Options for interacting with filesystems

  --list PATH           List contents of a directory
  --download PATH       Download a file from the remote systems
  --upload SRC DST      Upload a file to the remote systems
  --delete PATH         Delete a remote file
