On this page you will find a comprehensive list of all CrackMapExec modules that are currently available in the latest public version (5.1.7dev) of CrackMapExec, one of the most capable tools for pentesting internal networks.
CrackMapExec (or CME) contains a number of modules, which is what makes this tool so useful. I’m hoping that this list will help you navigate through all the modules more easily and give you information on how to use them.
Introduction
In the latest version of CME, there are 68 modules in total. These modules are all in the post-exploitation category, complementing CME’s powerful login brute force capabilities and password spraying attack features. This page, however, covers only the modules.
If you are looking for how to use CrackMapExec in general, please check these excellent resources:
Below you can find the list of CME modules as shown while using the tool. CME currently supports the following network protocols:
- LDAP (port 389 or 636) – 5 modules
- MSSQL (port 1433) – 23 modules
- SMB (port 135, 139 or 445) – 39 modules
- SSH (port 22) – 1 module
- WinRM (port 5985 or 5986) – 0 modules
Alright, let’s get to the actual lists. By clicking on the module links you will find detailed information about each module with examples on how to use it.
CME LDAP modules
Here’s a list of all CrackMapExec modules that can be used with the LDAP protocol:
# cme ldap -L
[*] MAQ Retrieves the MachineAccountQuota domain-level attribute
[*] adcs Find PKI Enrollment Services in Active Directory
[*] get-desc-users Get description of the users. May contained password
[*] laps Retrieves the LAPS passwords
[*] user-desc Get user descriptions stored in Active Directory
CME MSSQL modules
Here’s a list of all CrackMapExec modules that can be used with the MSSQL protocol:
# cme mssql -L
[*] Get-ComputerDetails Enumerates sysinfo
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] enum_chrome Decrypts saved Chrome passwords using Get-ChromeDump
[*] get_keystrokes Logs keys pressed, time and the active window
[*] get_netdomaincontroller Enumerates all domain controllers
[*] get_netrdpsession Enumerates all active RDP sessions
[*] get_timedscreenshot Takes screenshots at a regular interval
[*] invoke_sessiongopher Digs up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using SessionGopher
[*] invoke_vnc Injects a VNC client in memory
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] mimikatz Dumps all logon credentials from memory
[*] mimikatz_enum_chrome Decrypts saved Chrome passwords using Mimikatz
[*] mimikatz_enum_vault_creds Decrypts saved credentials in Windows Vault/Credential Manager
[*] mimikittenz Executes Mimikittenz
[*] mssql_priv Enumerate and exploit MSSQL privileges
[*] multirdp Patches terminal services in memory to allow multiple RDP users
[*] netripper Capture's credentials by using API hooking
[*] pe_inject Downloads the specified DLL/EXE and injects it into memory
[*] rid_hijack Executes the RID hijacking persistence hook.
[*] shellcode_inject Downloads the specified raw shellcode and injects it into memory
[*] test_connection Pings a host
[*] tokens Enumerates available tokens
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
CME SMB modules
Here’s a list of all CrackMapExec modules that can be used with the SMB protocol:
# cme smb -L
[*] Get-ComputerDetails Enumerates sysinfo
[*] bh_owned Set pwned computer as owned in Bloodhound
[*] bloodhound Executes the BloodHound recon script on the target and retreives the results to the attackers' machine
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] enum_avproducts Gathers information on all endpoint protection solutions installed on the the remote host(s) via WMI
[*] enum_chrome Decrypts saved Chrome passwords using Get-ChromeDump
[*] enum_dns Uses WMI to dump DNS from an AD DNS Server
[*] get_keystrokes Logs keys pressed, time and the active window
[*] get_netdomaincontroller Enumerates all domain controllers
[*] get_netrdpsession Enumerates all active RDP sessions
[*] get_timedscreenshot Takes screenshots at a regular interval
[*] gpp_autologin Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] invoke_sessiongopher Digs up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using SessionGopher
[*] invoke_vnc Injects a VNC client in memory
[*] lsassy Dump lsass and parse the result remotely with lsassy
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] mimikatz Dumps all logon credentials from memory
[*] mimikatz_enum_chrome Decrypts saved Chrome passwords using Mimikatz
[*] mimikatz_enum_vault_creds Decrypts saved credentials in Windows Vault/Credential Manager
[*] mimikittenz Executes Mimikittenz
[*] multirdp Patches terminal services in memory to allow multiple RDP users
[*] netripper Capture's credentials by using API hooking
[*] pe_inject Downloads the specified DLL/EXE and injects it into memory
[*] rdp Enables/Disables RDP
[*] rid_hijack Executes the RID hijacking persistence hook.
[*] runasppl Check if the registry value RunAsPPL is set or not
[*] scuffy Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
[*] shellcode_inject Downloads the specified raw shellcode and injects it into memory
[*] slinky Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions
[*] spider_plus List files on the target server (excluding `DIR` directories and `EXT` extensions) and save them to the `OUTPUT` directory if they are smaller then `SIZE`
[*] spooler Detect if print spooler is enabled or not
[*] test_connection Pings a host
[*] tokens Enumerates available tokens
[*] uac Checks UAC status
[*] wdigest Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
[*] webdav Checks whether the WebClient service is running on the target
[*] wireless Get key of all wireless interfaces
CME SSH modules
Here’s a list of all CrackMapExec modules that can be used with the SSH protocol:
# cme ssh -L
[*] mimipenguin Dumps cleartext credentials in memory
CME WinRM modules
Here’s a list of all CrackMapExec modules that can be used with the WinRM protocol:
# cme winrm -L
As you can see, there are no WinRM modules at this point.
Conclusion
CrackMapExec is still an actively maintained project with new features and more modules potentially coming in the future. I will do my best to keep this page updated, but if you find something is missing, please don’t hesitate to contact me.
If you find this list useful, please consider subscribing and following InfosecMatter on Twitter, Facebook or Github to keep up with the latest developments. You can also buy me a coffee to support this website.