The Pen Tester's Framework: crackmapexec

As I mentioned in my intro post, I have started with the vulnerability-analysis modules and just went in alphabetical order.  

So we start with crackmapexec

Crackmapexec is a recon tool for when you are on a Windows network. It is called the swiss army knives of pentesting tools, and I agree. As the readme.md file says, there are a selection of core functions that can be called using arguments, but you can read a man page, right?

  • Credential Gathering
  • Mapping
  • Enumeration
  • Spidering
  • Command Execution
  • Shellcode injection
  • File System Interaction
So this is just a scanning tool. I am going to run it on my POINT network, and not just because the FALE VPN is down. AGAIN. (Dammit, Matt, you had. ONE. JOB.)  How much damage can it cause, right?

Oh, awesome. I ran it and nothing happened.

It turns out that the alias that PTF puts in for crackmapexec doesn't work. I am not sure why. I consistently get a 'too few arguments' error when I tried to use it.  Instead, I needed to run /pentest/vulnerability-analysis/cracmapexec/crackmapexec.py directly (as su) to make it work.

So once I got that far, everything seemed smooth. The basic commands work well and scanned my network for shares here at POINT.

sudo python crackmapexec.py -t 10 192.168.240.0/24 --shares

Interestingly, it had some problems with my NAS

[+] 192.168.240.106:445 is running  (name:BAGOFHOLDING) (domain:BAGOFHOLDING)
[-] 192.168.240.106:445 SMB SessionError: STATUS_USER_SESSION_DELETED(The remote user session has been deleted.)

If I got dig into the underlying Impacket, which drives crashmapexec, I find that there probably is an SMB issue:

    def smb2Close(self, connId, smbServer, recvPacket):
        connData = smbServer.getConnectionData(connId)
        # We're closing the connection trying to flush the client's
        # cache.
        if connData['MS15011']['StopConnection'] is True:
            return [smb2.SMB2Error()], None, STATUS_USER_SESSION_DELETED
        return self.origsmb2Close(connId, smbServer, recvPacket)

Fascinating stuff, but did it get the shares? No, I apparently need to give it credentials. That's interesting.  There aren't very many things that you can do without creds as it turns out, so you at least need to know one user's login.  That's kinda a bummer, but I guess it depends on what you are looking for. As it is, I would file this under post-exploitation, rather than vulnerability-analysis, since it is for use after you are already in the network.  Maybe that's just me.

And it really is just for Windows PCs.  It saw my three Windows 10 workstations, a client's Windows 7 box, and strangely my NAS, which is a Synology DS412+. I'm sure the SMB shares are what kicked it off, and the non-windows underlying environment is what caused the user session failure.  Interestingly, crackmapexec didn't see my Windows 10 Rasberry Pi 2, or the Windows Phones that were on my network. Wonder why.

So, in the final analysis, crackmapexec looks like a really slick tool, almost could be a management tool for Windows environments given the ability to run a command on a number of machines. If the underlying code were a little more modular then some really great stuff could be done with it at the scripting level.  And it turned me on to Impacket, with which I was not familiar.

Comments are closed

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

PageList

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList