CrackMapExec ~ CME WIKI
Public Release - v5.3.0
@byt3bl33d3r
@mpgn_x64
Authentication
WinRM Authentication
Testing credentials
#~ cme winrm 192.168.1.0/24 -u user -p password
Expected Results:
WINRM 192.168.255.131 5985 ROGER [*] http://192.168.255.131:5985/wsman
WINRM 192.168.255.131 5985 ROGER [+] GOLD\user:password (Pwn3d!)
If the SMB port is closed you can also use the flag -d DOMAIN to avoid an SMB connection
#~ cme winrm 192.168.1.0/24 -u user -p password -d DOMAIN
Expected Results:
WINRM 192.168.255.131 5985 192.168.255.131 [*] http://192.168.255.131:5985/wsman
WINRM 192.168.255.131 5985 192.168.255.131 [+] GOLD\user:password (Pwn3d!)
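A defender-side view of the two invocations above, as an added example that is not part of the CME wiki: it flags any source that reaches several distinct WinRM listeners in a short window and records whether SMB was also touched, so the detection does not depend on the SMB connection that -d DOMAIN skips. The flow-record format, addresses, thresholds and function names are constructed assumptions, and port 5986 (WinRM over HTTPS) does not appear on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINRM_PORTS = {5985, 5986}  # WinRM over HTTP / HTTPS (5986 is an assumption here)
SMB_PORT = 445

# Constructed flow records (assumed format): "ISO-timestamp src dst dport"
SAMPLE_FLOWS = """\
2024-01-10T09:00:01 10.0.0.50 192.168.1.10 445
2024-01-10T09:00:01 10.0.0.50 192.168.1.10 5985
2024-01-10T09:00:02 10.0.0.50 192.168.1.11 445
2024-01-10T09:00:02 10.0.0.50 192.168.1.11 5985
2024-01-10T09:00:03 10.0.0.50 192.168.1.12 445
2024-01-10T09:00:03 10.0.0.50 192.168.1.12 5985
2024-01-10T09:10:00 10.0.0.51 192.168.1.10 5985
2024-01-10T09:10:01 10.0.0.51 192.168.1.11 5985
2024-01-10T09:10:02 10.0.0.51 192.168.1.12 5985
2024-01-10T11:30:00 10.0.0.7 192.168.1.10 5985
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, dport) from well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, src, dst, port = parts
            yield datetime.fromisoformat(ts), src, dst, int(port)

def winrm_fanout(flows, min_hosts=3, window=timedelta(minutes=5)):
    """Return {src: {"hosts": [...], "smb_seen": bool}} for every source that
    reaches at least min_hosts distinct WinRM listeners within window."""
    winrm = defaultdict(list)  # src -> [(timestamp, dst)]
    smb = defaultdict(set)     # src -> {dst contacted on 445}
    for ts, src, dst, port in flows:
        if port in WINRM_PORTS:
            winrm[src].append((ts, dst))
        elif port == SMB_PORT:
            smb[src].add(dst)
    alerts = {}
    for src, events in winrm.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                # smb_seen is context only; the alert fires on WinRM fan-out alone
                alerts[src] = {"hosts": sorted(hosts),
                               "smb_seen": bool(hosts & smb[src])}
                break
    return alerts
```

On the constructed sample, both sweeping sources are reported, one with smb_seen true and one with it false, while the single administrative connection from 10.0.0.7 is not.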
Example
The Monteverde machine is a good example for testing the WinRM protocol with CrackMapExec:
https://www.hackthebox.eu/home/machines/profile/223