CrackMapExec Adcs (ldap)

This page contains detailed information about how to use the adcs CME module while using the ldap protocol. For list of all CrackMapExec modules, visit the CrackMapExec Module Library.

Description

---

Find PKI Enrollment Services in Active Directory.

The adcs module is OPSEC safe. This means that it doesn't touch the disk and therefore shouldn't trigger any alarms.

Supported Protocols

---

• ldap

Module Source Code

---

• https://github.com/byt3bl33d3r/CrackMapExec/tree/master/cme/modules/adcs.py

Authors

---

• Tobias Neitzel (@qtc_de)

Module Usage

---

This is how to use the adcs module while using the ldap protocol:

Syntax:
# cme ldap <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M adcs

Local admin
# cme ldap 10.0.5.1 -u Administrator -p P@ss123 -d . -M adcs
# cme ldap 10.0.5.1 -u Administrator -p P@ss123 --local-auth -M adcs

Domain user
# cme ldap 10.0.5.1 -u bkpadmin -p P@ss123 -d target.corp -M adcs

CrackMapExec also supports passing the hash, so you can specify NTLM hash instead of a password:

# cme ldap 10.0.5.1 -u Administrator -H 432b022dc22aa5afe884e986b8383ff2 -d . -M adcs
# cme ldap 10.0.5.1 -u bkpadmin -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M adcs

The adcs module can be also used against multiple hosts. Here's how to run it against multiple hosts:

# cme ldap target_list.txt -u Administrator -p P@ss123 -d . -M adcs
# cme ldap 10.0.5.0/24 -u Administrator -p P@ss123 -d . -M adcs
# cme ldap 10.0.5.1-100 -u Administrator -p P@ss123 -d . -M adcs

Module Options

---

As you can see below, the spooler module doesn't have any additional options options:

# cme ldap -M adcs --options
[*] adcs module options:

        The module does not support any module specific options. Instead, just configure
        some attributes that are required throughout the script.

Version

---

This page has been created based on CrackMapExec version 5.1.7dev.
Visit CrackMapExec Module Library for more modules.