Guide to Active Directory Post Compromise: crackmapexec

Free Coaching
Our Discord
Free Pentest
Feedback

Welcome to Logos Red, I go bylogos and:

Want to pass compromised Windows credentials around?

In this guide we’ll take a look at “Pass the password/ Pass the Hash” attacks and how we can leverage a simple password to owning a domain. To do so we’ll use a tool called “crackmapexec” under Kali Linux.

Don’t worry, I made it as simple as I could. Anyone can follow along.

My Promise

This post will finally end your meaningless search for a valid answer, and you will leave with knowing how to use crackmapexec.

If there are still any questions left, let me know so I can add it to help the next person who will arrive here.

My Goal

To help you improve in less time than it took me and to make sure you leave with what I promised.

I want you to join our community and for this to be a place that you revisit often.

Requirements

Previous Attacks

What are we covering?

This is meant for the period in an assessment where you’ve managed to gain a password or a hash but you don’t know how to advance. Maybe you’ve done so through LLMNR Poisoning, mitm6, OSINT or phishing.

The simplest way to do so is to just pass the password/hash around. You take the credentials you have and you see if they work on any other machine.

Administrators often reuse passwords on different machines and this simple attack could land you a few different accounts.

Crackmapexec is designed to do exactly that.

Crackmapexec

It should be automatically installed on Kali Linux, if not run the following:

sudo apt install crackmapexec

Pass the Password

You can run the following command to perform a “Pass the Password” attack:

crackmapexec smb <IP_ADDRESS> -u <compromised_user> -d <domain> -p <compromised_password>

You can of course use CIDR notation to attack the whole subnet instead of just a single IP.

If you see “Pwn3d!” it means that the attack has worked. But you might get false positives, such as:

We get a “[+]” but no “Pwn3d!” which usually indicates a false positive as 192.168.122.155 is the domain controller.

Can’t win that easily sometimes.

If you get a “Pwn3d!” you can dump the local SAM hashes by adding –sam at the end.

Pass the Hash

Sometimes we can’t crack the password as it might be too complex. But that doesn’t stop us from trying to pass the hash around.

We can do so with the following command:

crackmapexec smb <IP_ADDRESS> -u "<LOCAL_USER>"  -H <COMPROMISED_HASH> --local-auth

Unfortunately we once again don’t win that easily. But this is a really powerful attack and if done right could land you a network.

PSExec

If you’ve managed to pwn some machines on a network the next move is to try PSExec with the hash that you’ve got.

PSExec will attempt to run a .exe so that it can give you a reverse shell on the machine.

The following command will do exactly that:

impacket-psexec <LOCAL_USER>@<IP_ADDRESS> -hashes <COMPROMISED_HASH>

Not bad, although this is isn’t realistic. I had to edit some registry values and disable the antivirus to get this.

Can’t win that easily against Windows Defender.

But you might encounter somebody that has disabled their antivirus. Or runs some old version of Windows.

Make sure to always check.

Mitigations

Privilege Access Management

There are certain enterprise solutions that help mitigate these attacks by rotating passwords, and checking in/out accounts when needed.

Solutions such as BeyondTrust, LastPass Enterprise or CyberArk can prove very helpful in mitigating these attacks.

Utilize Strong Passwords

This step will ensure that local passwords can’t be cracked to further aid lateral movement.

Preferably generated through a password manager such as Bitwarden: https://bitwarden.com

Which should improve both employee satisfaction due to ease of use and also improve the company’s security.

Limit account re-use

Make sure that you do not reuse local administrator passwords. This step will completely stop “Pass the Hash” attacks.

Conclusion

To wrap up, we’ve covered how to execute “Pass the Password” and “Pass the Hash” attacks using crackmapexec on Kali Linux, allowing us to take advantage of compromised credentials to move laterally across a network.

First, we walked through installing and running crackmapexec for “Pass the Password,” using simple commands to check multiple machines for reused credentials.

Next, we tackled “Pass the Hash” for situations where passwords are too complex to crack but hashes are available. Lastly, we explored using PSExec for more advanced post-exploitation scenarios, including creating reverse shells.

As always, implement strong security practices like Privilege Access Management, unique passwords, and avoiding account reuse to protect against these attacks.

More Resources

If you didn’t understand something or you need some help, we have our own Discord community and I currently offer free coaching.

You can also leave us some feedback with what you did not understand and we will make sure to correct it.

Free Coaching
Our Discord
Feedback

Scroll to Top