Lateral Movement with CrackMapExec

Lateral Movement with CrackMapExec

In the previous post, we explored how attackers can use Mimikatz to automatically escalate privileges to Domain Admins using Empire and DeathStar. In this post, I will take a look at another open-source tool that leverages Mimikatz to harvest credentials and move laterally through an Active Directory environment: CrackMapExec.

Self-described as a “swiss army knife for pentesting networks”, CrackMapExec is a Python-based utility that is geared towards evaluating and exploiting weaknesses in Active Directory security. This approach involves gathering credentials and using them for lateral movement across Active Directory computers. CrackMapExec comes bundled with a Mimikatz module (via PowerSploit) to assist in the credential harvesting.

What I like most about CrackMapExec is its ability to perform discovery of an environment. Also, CrackMapExec integrates well with Empire and DeathStar, allowing it to deploy agents across the network for these applications to use. This provides attackers with a powerful post-exploitation attack sequence where CrackMapExec can perform reconnaissance and the initial lateral movement, and then deploy Empire/DeathStar agents to compromised machines to automate the rest and achieve domain dominance.

To better understand how CrackMapExec fits into an attacker’s toolkit, let’s take a closer look at some of its capabilities.

Domain Reconnaissance

CrackMapExec provides some simple ways to learn more about the Active Directory domain that an attacker has gained a foothold in. One useful query enumerates the domain’s password policy including complexity requirements and lockout settings. This can help dictate whether brute force attacks may be an option for credential compromise. By targeting a domain controller with the pass-pol option, this information is easily displayed. Use CrackMapExec (CME) to target a domain controller with pass-pol to see the domain's password policy and Active Directory lockout settings

Also, you can use the rid-brute option to enumerate all AD objects including users and groups by guessing every resource identifier (RID), which is the ending set of digits to a security identifier (SID). Use CrackMapExec (CME) rid-brute option to find all Active Directory objects with the resource identifier (RID), part of the security identifier (SID)

Another piece of useful information CrackMapExec can gather is what anti-virus software is in use. By targeting one or more computers with the enum_avproducts module, this information is quickly discovered. In my environment, you can see Windows Defender is running. Use CrackMapExec (CME) with the enum_avproducts module to see what anti-virus software is in use

Now that we have a feel for the domain, let’s move on to some of the more interesting capabilities of CrackMapExec.

Lateral Movement

I found the lateral movement capabilities of CrackMapExec very valuable. You can utilize a username and NTLM hash and try it against a list of computers or an IP range to see where the user has rights.

Issuing a command specifying an IP range will discover the host information for all hosts in that range, and whether your specified account has rights.Use CrackMapExec (CME) lateral movement capabilities to check the rights an account has across an IP range for all the hosts in that range

Issuing a command by text file provides a more focused way to target hosts if you know which ones you are after (perhaps by using the rid-brute option). Use CrackMapExec (CME) rid-brute option to know the hosts the compromised account has access to

Now that we know everywhere our compromised account has access, it’s time to gather some more credentials from these locations.

Our Good Friend Mimikatz

Like many other tools focused on Active Directory credentials, CrackMapExec uses Mimikatz to gather accounts and password data. By targeting hosts with the Mimikatz module, you can gather credentials and store them in the credential database for later use. You can also specify custom Mimikatz commands if needed. Use CrackMapExec (CME) with Mimikatz Invoke-Mimikatz PowerShell script (PowerSploit) to add to the CrackMapExec credential database with the cmedb utility

This will launch the Invoke-Mimikatz PowerShell script from PowerSploit. The credentials are displayed with their hashes and they are added to the CrackMapExec credential database. You can access this database using the cmedb utility that is part of CrackMapExec: Use cmedb utility to access the CrackMapExec (CME) credential database with cmedb creds with the credentials displayed with their hashes

Once you have your credential database, you can use these credentials by specifying an ID in your commands rather than providing the account and password information. Use CrackMapExec (CME) credential database by specifying credID rather than account and password information

Teaming Up with Empire & DeathStar

CrackMapExec can deploy Empire agents to compromised machines. This makes further post-exploitation activities even easier, especially if using DeathStar’s automated attack capabilities.

By using the empire_exec module and specifying the listener you want the agents to use, this will deploy and activate the agents en masse. All collected credentials can be imported into the CrackMapExec credential database. Deploy CrackMapExec (CME) Empire and DeathStar by using the empire_exec to specify the listener you want the agents to use

With all of these capabilities, CrackMapExec can make it easy for any pen tester or attacker to take a compromised computer and quickly spread through an organization with a few basic commands.

In our next post, we will explore PowerShell protections that can help mitigate these attacks.

This is the second installment in our blog series, How Attackers Are Stealing Your Credentials with Mimikatz. Sign up to receive notifications when each new blog is posted, or check back every Tuesday for the latest edition.

To register for the webinar on How Attackers Are Stealing Your Credentials with Mimikatz, please click here.

Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.

With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.

Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.

Leave a Reply

Your email address will not be published. Required fields are marked *