
Indestructible G0thm0g

CrackMapExec 5.4.0 is now up to date and available to everyone

CrackMapExec 5.4.0 available for everyone

CrackMapExec version 5.4.0 is now publicly available to everyone on GitHub and Kali Linux. You can git clone the repository, download the binaries directly from the GitHub release page, or just apt install crackmapexec. This version contains a lot of new additions made by the community. A huge step has been taken and I hope you will enjoy this new version.
If you want to build CrackMapExec with poetry, you will need to install Rust. More info on the Installation for Unix page.

Fewer stack traces (hopefully)

Second, this new version should fix a lot of bugs, which should decrease the number of stack traces. I'm not saying there are no stack traces anymore, but thanks to the contributions of the public community, awesome PRs #560 and #561 have been made to reduce that number!

Amazing contributions from the community

Third, since I launched operation COIN in June 2022, I have never had so many Pull Requests from the community. This is amazing and proof that giving something to the contributors is a good way to engage the community in your project! Really, thank you all, and thanks to BZHunt again for sponsoring the coins!!!
14 Pull Requests in just one month!!!
All the contributors during a 3-month period

Thanks to all sponsors on Porchetta Industries

Finally, and this is maybe the most important message, I probably don't say it enough on Twitter, but I wanted to thank all the people who sponsor CrackMapExec through Porchetta.Industries. You are not only sponsoring CrackMapExec but also all the tools from Skelsec like Pypykatz, aardwolf, etc., as well as NPK from @c6fc and SysWhispers3 from klezVirus!

New features and bug fixes

Now let's take the time to list the new features of CrackMapExec! All of these features can also be found in the latest version of CME in Kali.

A new protocol has been added => FTP

You can now recon FTP servers on an internal network, and also brute-force FTP credentials with CME! Addition made by https://twitter.com/RiiRoman

Long live Kerberos => kerbrute inside CME

The LDAP protocol has been refactored by https://twitter.com/Nurfed1 to improve usability with Kerberos auth and to make CME work across domains (trusted or child domains).
Thanks to Zblurx, CME now supports Kerberos authentication using user/pass or user/hash, so you no longer need to set a KRB5CCNAME environment variable pointing at a ticket!!! Addition by https://twitter.com/_zblurx
Using this new feature, we have all the ingredients to build our own Kerbrute inside CME. CrackMapExec is able to tell you whether a user exists on the domain and whether that user is affected by the pre-auth vulnerability (Kerberos pre-authentication not required)!!

Export your cmedb as CSV

The days of awk are over for extracting data from CME output: you can now export shares, credentials, etc. using the export function inside cmedb. Addition by https://twitter.com/gray_sec

Update on the --ntds option

You can now DCSync only enabled users, or a specific user, with CrackMapExec.
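The two checks above (is a user enabled, and does a user skip Kerberos pre-authentication) both come down to bits of the userAccountControl attribute. The following is an added example, not CrackMapExec's own code: it decodes that attribute and runs an audit over a handful of constructed account records (a real audit would fetch sAMAccountName and userAccountControl over LDAP). The flag values are the documented ones from MS-ADTS; the account names are made up.

```python
# Added example (not CrackMapExec code): audit userAccountControl for enabled
# accounts and for accounts that do not require Kerberos pre-authentication.

# Flag values of the userAccountControl attribute (MS-ADTS / MS-SAMR).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}


def decode_uac(value):
    """Return the names of every flag set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def is_enabled(value):
    """An account is enabled when the ACCOUNTDISABLE bit is clear."""
    return not (value & UAC_FLAGS["ACCOUNTDISABLE"])


def preauth_not_required(value):
    """DONT_REQ_PREAUTH set: the KDC will hand out an AS-REP without pre-auth."""
    return bool(value & UAC_FLAGS["DONT_REQ_PREAUTH"])


def audit(accounts, enabled_only=True):
    """Return (enabled_users, preauth_findings).

    enabled_users mirrors the 'only enabled users' filter; preauth_findings
    lists accounts that skip pre-authentication, restricted to enabled ones
    unless enabled_only is False (disabled accounts cannot be abused, but are
    still worth cleaning up).
    """
    enabled = [a["sAMAccountName"] for a in accounts
               if is_enabled(a["userAccountControl"])]
    findings = []
    for a in accounts:
        uac = a["userAccountControl"]
        if enabled_only and not is_enabled(uac):
            continue
        if preauth_not_required(uac):
            findings.append(a["sAMAccountName"])
    return enabled, findings


# Constructed sample records (hypothetical names, not from any real directory).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},        # normal, enabled
    {"sAMAccountName": "bob", "userAccountControl": 0x400200},       # enabled, no pre-auth
    {"sAMAccountName": "carol", "userAccountControl": 0x400202},     # disabled, no pre-auth
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200}, # password never expires
]

if __name__ == "__main__":
    enabled, findings = audit(SAMPLE_ACCOUNTS)
    print("enabled accounts:", enabled)
    print("enabled accounts without pre-auth:", findings)
    for a in SAMPLE_ACCOUNTS:
        print(a["sAMAccountName"], decode_uac(a["userAccountControl"]))
```

With the sample data the audit reports alice, bob and svc_backup as enabled and flags only bob; carol also has DONT_REQ_PREAUTH set but is disabled, so it appears only when enabled_only is False. The fix on the directory side is to clear the "Do not require Kerberos preauthentication" option on any account that does not have a documented reason for it.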

Get gMSA password for every service account

A new feature has been added to the LDAP protocol to retrieve the gMSA NT hash if you have permission to read the password! Addition by https://twitter.com/pentest_swissky

RDP screenshot without credentials with NLA disabled

And yes, thanks to https://github.com/lap1nou, you can now screenshot the login page of any host with NLA disabled and see which user is currently connected to it. Cool feature 👍 Addition by https://twitter.com/lapinousexy

Upload and download with the MSSQL protocol

You can now upload and download files using the MSSQL protocol. This change has also been added to the nanodump module, to upload nanodump and exploit an LSASS dump through MSSQL! Addition by https://twitter.com/__n0mad

New module: Discover and steal KeePass master password

Probably one of my favorite modules: if you have admin access to the sysadmin's machine and he uses KeePass, just trick him with this simple module and steal his master password. Addition by https://twitter.com/d3lb3_

New module: Get all the network (ip / hostname)

With this module you can retrieve the network records (IP / hostname) stored in Active Directory, meaning that with a valid account you get a list of the IP addresses and hostnames of the internal network. A good module to save time instead of scanning port 445 with nmap.

New module: Masky

ZakSec did amazing work on Masky and, most importantly, developed the tool as a library. Thanks to this, we now have a Masky module inside CME. If you have admin privileges, the module will impersonate all connected users -> request a certificate (ADCS) -> retrieve the NT hash using PKINIT!!! Addition by https://twitter.com/_ZakSec

New module: Steal Microsoft Teams session token

During an internal pentest, sometimes you have already compromised everything but you want to push a little bit further. If the company is using Teams, just use the teams module to steal the cookie and send a direct message to the owner or anyone else on Teams :D Addition by https://twitter.com/KuiilSec

New module: Hash_spider, a module similar to the DeathStar project

This module is DeathStar but inside CME. Use it with caution, of course :) Starting from an initial admin access, it will dump LSASS recursively, using BloodHound to find local admin paths (AdminTo) to harvest more users and find new paths until Domain Admin! Addition by https://github.com/pgormanDS

New module: check if LDAP is signed or not

Quickly check whether LDAP signing is required and channel binding is enabled! Addition by https://twitter.com/theluemmel

New module: read DACL of a specific account

Quickly read some DACL properties of an object, for example "Who can DCSync?", without running BloodHound! :) Addition by https://twitter.com/BlWasp_
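The "Who can DCSync?" question is a DACL question: a principal needs both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object (or GenericAll, which implies them). The block below is an added example, not the module's own code. It answers that question from the domain object's security descriptor written in SDDL, which is how a defender typically gets it (for instance from Get-ACL or a directory export). The SDDL string is constructed; the rights GUIDs are the real schema GUIDs of the two replication rights, and the SIDs are made-up ones using the well-known RIDs 512 (Domain Admins) and 516 (Domain Controllers).

```python
# Added example (not CrackMapExec code): list trustees able to DCSync, from the
# domain object's DACL in SDDL form.
import re

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL}

ACE_RE = re.compile(r"\(([^)]*)\)")      # one "(...)" group per ACE

# Trustees that are expected to hold the replication rights in any domain.
EXPECTED_RIDS = {"498", "512", "516", "519"}   # Enterprise RO DCs, Domain Admins, DCs, Enterprise Admins
EXPECTED_SIDS = {"S-1-5-9", "S-1-5-32-544"}    # Enterprise Domain Controllers, Administrators


def parse_rights(field):
    """SDDL rights are either a hex mask or a run of two-letter codes."""
    if field.startswith("0x"):
        mask = int(field, 16)
        codes = set()
        if mask & 0x100:          # ADS_RIGHT_DS_CONTROL_ACCESS
            codes.add("CR")
        if mask & 0x10000000:     # GENERIC_ALL
            codes.add("GA")
        return codes
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def dcsync_capable(sddl):
    """Return the sorted SIDs holding both replication rights (denies subtracted)."""
    allowed, denied = {}, {}
    for match in ACE_RE.finditer(sddl):
        fields = match.group(1).split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights_field, obj_guid, _inherit_guid, sid = fields[:6]
        rights = parse_rights(rights_field)
        guid = obj_guid.lower()
        bucket = denied if ace_type in ("D", "OD") else allowed
        granted = bucket.setdefault(sid, set())
        if "GA" in rights:
            granted |= REPLICATION_RIGHTS
        elif "CR" in rights:
            if guid == "":                      # control access on no object = all extended rights
                granted |= REPLICATION_RIGHTS
            elif guid in REPLICATION_RIGHTS:
                granted.add(guid)
    return sorted(sid for sid, rights in allowed.items()
                  if REPLICATION_RIGHTS <= rights - denied.get(sid, set()))


def unexpected_dcsync(sddl):
    """Trustees that can DCSync but are not one of the usual built-in principals."""
    return [sid for sid in dcsync_capable(sddl)
            if sid not in EXPECTED_SIDS and sid.rsplit("-", 1)[-1] not in EXPECTED_RIDS]


# Constructed SDDL for a hypothetical domain S-1-5-21-1111-2222-3333.
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-516)"   # DCs
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-516)"   # DCs
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"  # helpdesk: one right only
    "(A;;GA;;;S-1-5-21-1111-2222-3333-512)"                                          # Domain Admins: GenericAll
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1201)"  # svc_sync
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1201)"  # svc_sync: both rights
)

if __name__ == "__main__":
    print("can DCSync:", dcsync_capable(SAMPLE_SDDL))
    print("unexpected:", unexpected_dcsync(SAMPLE_SDDL))
```

On the sample descriptor the helpdesk group holds only one of the two rights and is therefore not reported, while the svc_sync account (RID 1201) holds both and is the one finding a defender would want to investigate; Domain Admins and Domain Controllers are filtered out as expected holders.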

New module: check if NTLMv1 is enabled on a target

Check whether NTLMv1 is enabled on the remote target! You will need admin privileges for this one :) Addition by https://twitter.com/tw1sm

That's all, hope you will enjoy this version. For those who sponsor the project, we are already on version 5.4.1 😄
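The LDAP signing check and the NTLMv1 check above both have a log-side counterpart on the domain controller: event 2889 in the Directory Service log records clients that bind to LDAP without signing or with a cleartext simple bind, and security event 4624 carries a "Package Name (NTLM only)" field that reads "NTLM V1" when a legacy client authenticates. The block below is an added example, not part of CME: a small detector run over constructed sample events flattened to one "Key: Value | Key: Value" line each (the field names are the real ones from those events, the hosts, users and addresses are made up).

```python
# Added example (not CrackMapExec code): flag NTLMv1 logons and unsigned LDAP
# binds in Windows event text.

# Constructed sample events, one per line, fields joined with " | ".
SAMPLE_EVENTS = [
    "EventID: 4624 | Computer: DC01 | Account Name: jdoe | Authentication Package: NTLM"
    " | Package Name (NTLM only): NTLM V2 | Source Network Address: 10.0.0.15",
    "EventID: 4624 | Computer: DC01 | Account Name: svc_legacy | Authentication Package: NTLM"
    " | Package Name (NTLM only): NTLM V1 | Source Network Address: 10.0.0.77",
    "EventID: 4624 | Computer: DC01 | Account Name: jdoe | Authentication Package: Kerberos"
    " | Package Name (NTLM only): - | Source Network Address: 10.0.0.15",
    "EventID: 2889 | Computer: DC01 | Client IP address: 10.0.0.77:49211"
    " | Identity the client attempted to authenticate as: CORP\\svc_legacy | Binding Type: 0",
    "EventID: 2889 | Computer: DC01 | Client IP address: 10.0.0.88:50102"
    " | Identity the client attempted to authenticate as: CORP\\scanner | Binding Type: 1",
]

# Meaning of the Binding Type field of event 2889.
BINDING_TYPES = {"0": "SASL bind without signing", "1": "simple bind in cleartext"}


def parse_event(line):
    """Split a flattened event line into a {field: value} dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def find_ntlmv1_logons(events):
    """(account, source address) for every 4624 logon negotiated with NTLMv1."""
    hits = []
    for e in map(parse_event, events):
        if e.get("EventID") == "4624" and e.get("Package Name (NTLM only)") == "NTLM V1":
            hits.append((e["Account Name"], e["Source Network Address"]))
    return hits


def find_unsigned_ldap_binds(events):
    """(identity, client ip, bind kind) for every 2889 event."""
    hits = []
    for e in map(parse_event, events):
        if e.get("EventID") != "2889":
            continue
        kind = BINDING_TYPES.get(e.get("Binding Type"), "unknown")
        ip = e["Client IP address"].rsplit(":", 1)[0]     # drop the source port
        hits.append((e["Identity the client attempted to authenticate as"], ip, kind))
    return hits


def summarize(events):
    """Both findings in one report, keyed by check."""
    return {"ntlmv1": find_ntlmv1_logons(events),
            "unsigned_ldap": find_unsigned_ldap_binds(events)}


if __name__ == "__main__":
    for check, hits in summarize(SAMPLE_EVENTS).items():
        print(check)
        for hit in hits:
            print("  ", hit)
```

Event 2889 is only written when the "16 LDAP Interface Events" diagnostic level under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is raised to 2, so enable that before relying on the second check. Once the noisy clients are found, the corresponding hardening is to require signing (LDAPServerIntegrity = 2) and channel binding (LdapEnforceChannelBinding) on the DCs, and to raise LmCompatibilityLevel so that NTLMv1 is refused.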