CrackMapExec: the Swiss Army knife of domain penetration testing
jopen 9 years ago
CrackMapExec is a tool written in Python that can fairly be called a Swiss Army knife for penetration testing Windows Active Directory / domain environments; its feature set is genuinely powerful and complete.
Powered by Impacket
CrackMapExec draws its inspiration from:
@agsolino's wmiexec.py, wmiquery.py, smbexec.py, samrdump.py, secretsdump.py, atexec.py and lookupsid.py
@ShawnDEvans's smbmap
@gojhonny's CredCrack
@pentestgeek's smbexec
Part of the project's code is based on @T-S-A's smbspider script.
It also bundles some scripts from the PowerSploit project:
Invoke-ReflectivePEInjection.ps1
as well as the PowerView script from the PowerTools repository.
Description
CrackMapExec is a one-stop, portable toolkit for penetration testing domain (Active Directory) environments. It enumerates logged-on users, spiders SMB (Server Message Block) file shares and lists the shares available on each host,
performs Psexec-style command execution, uses PowerShell to automatically inject Mimikatz, shellcode or DLLs into memory, and dumps the NTDS.dit password database.
Improvements over the tools it builds on:
Pure Python, no external dependencies;
Fully concurrent multithreading;
Uses only native WinAPI calls to discover sessions and users and to dump the Windows hashes stored in the SAM;
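The sweep described above (one credential tried against a whole range of hosts, with 100 concurrent threads by default) leaves a recognisable footprint on the targets: the same account, from the same source address, authenticating to many machines within seconds. The following is an added example written for this post, not code from the CrackMapExec project or from FreeBuf: a small Python detector that groups successful network logons (Windows Security event 4624 with LogonType 3, which is what SMB/WMI/RPC authentication produces on each target) by account and source address, and flags any pair that reached at least five distinct hosts inside a five-minute window. The flattened log format, host names, account names and addresses are all constructed for the example; a real deployment would feed it parsed 4624 events instead.

```python
"""Flag "one credential, many hosts" fan-out in network logon events.

Added example for the CrackMapExec post; not part of the tool. The log
format below is a constructed, simplified stand-in for Windows Security
event 4624 (successful logon): timestamp, target host, account, source
address and LogonType (3 = network logon).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: svc_backup from 10.0.0.50 reaches seven hosts in
# four seconds (sweep-like); alice's logons are ordinary user activity.
SAMPLE_LOG = """\
2016-03-01T10:00:00 host=FS01 account=alice src=10.0.0.12 type=3
2016-03-01T10:00:01 host=WS01 account=svc_backup src=10.0.0.50 type=3
2016-03-01T10:00:01 host=WS02 account=svc_backup src=10.0.0.50 type=3
2016-03-01T10:00:02 host=WS03 account=svc_backup src=10.0.0.50 type=3
2016-03-01T10:00:02 host=WS04 account=svc_backup src=10.0.0.50 type=3
2016-03-01T10:00:03 host=WS05 account=svc_backup src=10.0.0.50 type=3
2016-03-01T10:00:03 host=WS06 account=svc_backup src=10.0.0.50 type=3
2016-03-01T10:00:04 host=DC01 account=svc_backup src=10.0.0.50 type=3
2016-03-01T10:05:00 host=WS07 account=alice src=10.0.0.12 type=2
2016-03-01T11:30:00 host=DC01 account=alice src=10.0.0.12 type=3
2016-03-01T11:30:05 host=FS01 account=alice src=10.0.0.12 type=3
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    rec["type"] = int(rec["type"])
    return rec


def parse_log(text):
    """Parse every non-empty line of the constructed log format."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_fanout(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {(account, source_ip): sorted hosts} for every account/source
    pair that logged on to at least `min_hosts` distinct hosts within any
    `window`-long interval. Only LogonType 3 (network) events are counted,
    since interactive logons are not what a remote sweep produces."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] != 3:
            continue
        by_key[(e["account"], e["src"])].append(e)

    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        best = set()
        # Slide a window starting at each event; keep the largest host set.
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:]
                     if e["time"] - start["time"] <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits[key] = sorted(best)
    return hits


if __name__ == "__main__":
    for (account, src), hosts in find_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"possible credential sweep: {account} from {src} -> "
              f"{len(hosts)} hosts: {', '.join(hosts)}")
```

The thresholds are deliberately simple; in a real environment the same logic wants an allow-list for vulnerability scanners and backup agents that legitimately touch every host, and the corresponding count of failed logons (event 4625) from one source is the companion signal for the password- or hash-spraying case, where most attempts do not succeed.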
Usage and parameters
[ASCII-art CRACKMAPEXEC banner]

Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r

Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)
Inspired by:
@ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
@gojhonny's CredCrack https://github.com/gojhonny/CredCrack
@pentestgeek's smbexec https://github.com/pentestgeek/smbexec

Version: 2.3
Codename: 'Pink Bubbles'

positional arguments:
  target                The target IP, range, CIDR identifier, hostname, FQDN or list or file containg a list of targets

optional arguments:
  -h, --help            show this help message and exit                        // print help
  -v, --version         show program's version number and exit                 // show the program version
  -t THREADS            Set how many concurrent threads to use (defaults to 100)  // number of threads, default 100
  -u USERNAME           Username(s) or file containing usernames               // username(s)
  -p PASSWORD           Password(s) or file containing passwords               // password(s)
  -H HASH               NTLM hash(es) or file containing NTLM hashes
  -C COMBO_FILE         Combo file containing a list of domain\username:password or username:password entries
  -k HEX_KEY            AES key to use for Kerberos Authentication (128 or 256 bits)
  -d DOMAIN             Domain name                                            // domain
  -n NAMESPACE          WMI Namespace (default: //./root/cimv2)
  -s SHARE              Specify a share (default: C$)                          // share
  --kerb                Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters
  --port {139,445}      SMB port (default: 445)                                // SMB port, default 445
  --server {http,https} Use the selected server (defaults to http)             // http or https, default http
  --server-port PORT    Start the server on the specified port
  --fail-limit LIMIT    The max number of failed login attempts allowed per host (default: None)
  --gfail-limit LIMIT   The max number of failed login attempts allowed globally (default: None)
  --verbose             Enable verbose output

Credential Gathering:
  Options for gathering credentials

  --sam                 Dump SAM hashes from target systems
  --lsa                 Dump LSA secrets from target systems
  --gpp-passwords       Retrieve plaintext passwords and other information for accounts pushed through Group Policy Preferences
  --ntds {ninja,vss,drsuapi}
                        Dump the NTDS.dit from target DCs using the specifed method (drsuapi is the fastest)
  --ntds-history        Dump NTDS.dit password history
  --ntds-pwdLastSet     Shows the pwdLastSet attribute for each NTDS.dit account
  --mimikatz            Run Invoke-Mimikatz (sekurlsa::logonpasswords) on target systems
  --mimikatz-cmd MIMIKATZ_CMD
                        Run Invoke-Mimikatz with the specified command
  --enable-wdigest      Creates the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
  --disable-wdigest     Deletes the 'UseLogonCredential' registry key

Mapping/Enumeration:
  Options for Mapping/Enumerating

  --shares              List shares                                            // list shares
  --check-uac           Checks UAC status                                      // check UAC status
  --sessions            Enumerate active sessions
  --disks               Enumerate disks
  --users               Enumerate users
  --rid-brute [MAX_RID] Enumerate users by bruteforcing RID's (defaults to 4000)
  --pass-pol            Dump password policy
  --lusers              Enumerate logged on users
  --powerview POWERVIEW_CMD
                        Run the specified PowerView command
  --wmi QUERY           Issues the specified WMI query

Spidering:
  Options for spidering shares

  --spider [FOLDER]     Folder to spider (defaults to top level directory)
  --content             Enable file content searching
  --exclude-dirs DIR_LIST
                        Directories to exclude from spidering
  --pattern PATTERN     Pattern to search for in folders, filenames and file content
  --patternfile PATTERNFILE
                        File containing patterns to search for in folders, filenames and file content
  --depth DEPTH         Spider recursion depth (default: 10)

Command Execution:
  Options for executing commands

  --execm {atexec,wmi,smbexec}
                        Method to execute the command (default: wmi)
  --ps-arch {auto,64,32}
                        Process architecture all PowerShell code/commands should run in (default: auto)
  --no-output           Do not retrieve command output
  -x COMMAND            Execute the specified command
  -X PS_COMMAND         Excute the specified powershell command

Shellcode/EXE/DLL/Meterpreter Injection:
  Options for injecting Shellcode/EXE/DLL/Meterpreter in memory using PowerShell

  --inject {met_reverse_http,met_reverse_https,exe,shellcode,dll}
                        Inject Shellcode, EXE, DLL or Meterpreter
  --path PATH           Path to the Shellcode/EXE/DLL you want to inject on the target systems (ignored if injecting Meterpreter)
  --procid PROCID       Process ID to inject the Shellcode/EXE/DLL/Meterpreter into (if omitted, will inject within the running PowerShell process)
  --exeargs EXEARGS     Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)
  --met-options LHOST LPORT
                        Meterpreter options (ignored if not injecting Meterpreter)

Filesystem Interaction:
  Options for interacting with filesystems

  --list [PATH]         List contents of a directory (defaults to top level directory)
  --download SRC DST    Download a file from the remote systems
  --upload SRC DST      Upload a file to the remote systems
  --delete PATH         Delete a remote file

Service Interaction:
  Options for interacting with Windows services

  --service {status,list,create,stop,start,config,change,delete}
  --name NAME           Service name
  --display NAME        Service display name
  --bin-path PATH       Binary path
  --service-type TYPE   Service type
  --start-type TYPE     Service start type
  --start-name NAME     Name of the account under which the service should run
  --start-pass PASS     Password of the account whose name was specified with the --start-name parameter

MSSQL Interaction:
  Options for interacting with MSSQL DB's

  --mssql [QUERY]       Authenticate with the provided credentials against the MSSQL service, optionally execute the specified query
  --mssql-port PORT     MSSQL service port (default: 1433)
  --mssql-instance      Enumerate the MSSQL intances on the target hosts
  --enable-xpcmdshell   Enable xp_cmdshell on target DB's
  --disable-xpcmdshell  Disable xp_cmdshell on target DB's
  --xp-cmd COMMAND      Execute the specified command using xp_cmdshell
* Project page: GitHub. Compiled by 0xroot; the content has been abridged and modified. When reposting, please credit FreeBuf (FreeBuf.COM).