Red Team 104: CrackMapExec

By Eitan Bremler

Welcome back to our series on red teams! Here, we’re explaining the tools and concepts behind the in-house organizations designed to test a company’s defenses. We started by introducing Kali Linux, a foundational operating system for penetration testing.

Over the last few blogs in this series, we’ve talked about something called “getting shell.” In layman’s terms, getting shell access to a computer, server, or application means that a hacker is able to take it over remotely. The hacker can open a command prompt on their computer that connects to the infected system and execute commands.

Many times, getting shell as a red team member means that you’ve won – you’ve successfully penetrated the defenses of your site and it’s time to wrap up. Sometimes, however, you’ll find that shell is just the beginning. You may have shell on a database, for example, but if the database contains nothing of interest, your work is still cut out for you.

When this happens, you have three goals:

  1. Persist – ensure you can’t be dislodged if someone reboots or re-images their machine.

  2. Move – traverse the network to find better targets.

  3. Escalate – upgrade your privileges to access more sensitive data stores.

How do you do this? One of the best tools for moving behind the scenes as an attacker is called CrackMapExec (CME).

Getting Started with CrackMapExec

Unlike the other tools we’ve covered in the past, CME is not installed by default in Kali Linux. Fortunately, the installation process is easy, even if you’re relatively new to the operating system – it should download, install, and configure with just a single input on your command line.

First, CME is a post-exploitation tool. It assumes that you already have shell, or at the very least a single login to the network. Your next step is to use the tool to map the rest of the network – what else is there? CME can scan the network and tell you how many machines are attached to a given domain.

Your next step is to determine the limits of your abilities. You have default access, but you need administrator credentials. How badly will the system resist your attempt to get them? CME will tell you if the authentication systems for your targeted network will do things like lock you out if you make too many failed attempts within a given window.

Assuming not, the next step is to see what happens when you log in. CME is fully concurrent, so it can do things like log you into multiple machines at once, or log you into multiple machines using multiple sets of credentials. This allows you to test the same login across the entire network at the same time. As you do this, CME will tell you the extent of your privileges – whether you have read-only or read-write permissions over various machines and directories.

Finally, let’s say that you manage to find a set of credentials with admin privileges over a given machine. The machine may have nothing interesting on it, but it’s a start. CME gives you the tools to start escalating from there. First, wait until someone with a higher level of access logs on, then use your admin credentials to enable the UseLogonCredential registry key. Once that admin logs out and logs on again, their password will be dumped from memory – in plaintext! – into the CME database.
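From the defender's side, the setting described above is a single registry value that can be audited and locked down. The following PowerShell is an added example written for this post, not a CME feature or Safe-T code; it assumes an elevated session on the Windows host being checked, and the full key path under HKLM\SYSTEM is supplied here because the post names only the value.

```powershell
# Added defensive check (not from the original post): audit the WDigest
# UseLogonCredential value that the post describes an attacker switching on,
# and restore the hardened value if it has been set to 1.
# Assumption: run as an administrator on the host being audited.
$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName   = 'UseLogonCredential'

function Get-WDigestState {
    # 'Absent'   - value not present; the OS default applies (off on current Windows).
    # 'Hardened' - explicitly 0; LSASS does not keep plaintext logon credentials.
    # 'Exposed'  - explicitly 1; plaintext credentials are cached for the next logon.
    $item = Get-ItemProperty -Path $WDigestPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Absent' }
    switch ($item.$ValueName) {
        0       { return 'Hardened' }
        1       { return 'Exposed' }
        default { return "Unexpected($($item.$ValueName))" }
    }
}

function Set-WDigestHardened {
    # Set the value to 0 explicitly so the hardened state is visible to auditors
    # and a later change to 1 shows up as a registry modification.
    if (-not (Test-Path $WDigestPath)) { New-Item -Path $WDigestPath -Force | Out-Null }
    Set-ItemProperty -Path $WDigestPath -Name $ValueName -Value 0 -Type DWord
}

$state = Get-WDigestState
Write-Output "WDigest $ValueName state: $state"
if ($state -eq 'Exposed') {
    Write-Warning 'Plaintext credential caching is enabled on this host; remediating.'
    Set-WDigestHardened
    Write-Output "State after remediation: $(Get-WDigestState)"
}
```

Running this on a schedule (or alerting on any write to that key via registry auditing) turns the escalation step the post describes into a detectable configuration change rather than a silent one.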

How to Defend Against CrackMapExec?

CME is as detailed and powerful in its own way as tools like Metasploit, and as with Metasploit, we’ve barely scratched the surface of this tool’s capabilities. Suffice it to say that it adds scale and automation to the task of penetration testing, which makes it great for red team members who have to audit systems with hundreds or even thousands of machines. That said, it also has stealthy capabilities that an attacker could use to slowly and carefully break into even a carefully guarded network.

At Safe-T, we’re well aware of the potential for damage caused by attackers who move laterally through the network. This is a hallmark of advanced threats and capabilities. To protect against it, our Software-Defined Access product offers the power of a Zero Trust Network, which segregates internal networks to prevent attackers from escalating privileges. To learn more, contact us for a free demo today.
