CrackMapExec Bh_owned (smb)
This page contains detailed information about how to use the bh_owned CME module while using the smb protocol. For list of all CrackMapExec modules, visit the CrackMapExec Module Library.
Description
This module sets a computer as owned in the BloodHound. BloodHound is a framework for visualization of relationships in Active Directory and identifying attack paths for gaining Domain Admin privileges
The bh_owned module is OPSEC safe. This means that it doesn't touch the disk and therefore shouldn't trigger any alarms.
Supported Protocols
- smb
Module Source Code
Authors
- Romain Bentz (pixis - @hackanddo)
Module Options
Here is a complete list of bh_owned module options:
# cme smb -M bh_owned --options
[*] bh_owned module options:
URI URI for Neo4j database (default: 127.0.0.1)
PORT Listening port for Neo4j database (default: 7687)
USER Username for Neo4j database (default: 'neo4j')
PASS Password for Neo4j database (default: 'neo4j')
Note that none of these options is required. If you want to change any of the default values, you can do so by adding, e.g. -o URI=VALUE parameter to the command line.
Module Usage
This is how to use the bh_owned module while using the smb protocol:
Syntax:
# cme smb <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M bh_owned
Local admin:
# cme smb 10.0.5.1 -u Administrator -p P@ss123 -d . -M bh_owned
# cme smb 10.0.5.1 -u Administrator -p P@ss123 --local-auth -M bh_owned
Domain user:
# cme smb 10.0.5.1 -u bkpadmin -p P@ss123 -d target.corp -M bh_owned
CrackMapExec also supports passing the hash, so you can specify NTLM hash instead of a password:
# cme smb 10.0.5.1 -u Administrator -H 432b022dc22aa5afe884e986b8383ff2 -d . -M bh_owned
# cme smb 10.0.5.1 -u bkpadmin -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M bh_owned
The bh_owned module can be also used against multiple hosts. Here's how to run it against multiple hosts:# cme smb target_list.txt -u Administrator -p P@ss123 -d . -M bh_owned
# cme smb 10.0.5.0/24 -u Administrator -p P@ss123 -d . -M bh_owned
# cme smb 10.0.5.1-100 -u Administrator -p P@ss123 -d . -M bh_owned
References
Version
This page has been created based on CrackMapExec version 5.1.7dev.
Visit CrackMapExec Module Library for more modules.