In the previous post, we explored how attackers can use Mimikatz to automatically escalate privileges to Domain Admins using Empire and DeathStar. In this post, I will take a look at another open-source tool that leverages Mimikatz to harvest credentials and move laterally through an Active Directory environment: CrackMapExec.
Self-described as a “swiss army knife for pentesting networks”, CrackMapExec is a Python-based utility that is geared towards evaluating and exploiting weaknesses in Active Directory security. This approach involves gathering credentials and using them for lateral movement across Active Directory computers. CrackMapExec comes bundled with a Mimikatz module (via PowerSploit) to assist in the credential harvesting.
What I like most about CrackMapExec is its ability to perform discovery of an environment. Also, CrackMapExec integrates well with Empire and DeathStar, allowing it to deploy agents across the network for these applications to use. This provides attackers with a powerful post-exploitation attack sequence where CrackMapExec can perform reconnaissance and the initial lateral movement, and then deploy Empire/DeathStar agents to compromised machines to automate the rest and achieve domain dominance.
To better understand how CrackMapExec fits into an attacker’s toolkit, let’s take a closer look at some of its capabilities.
Domain Reconnaissance
CrackMapExec provides some simple ways to learn more about the Active Directory domain that an attacker has gained a foothold in. One useful query enumerates the domain’s password policy including complexity requirements and lockout settings. This can help dictate whether brute force attacks may be an option for credential compromise. By targeting a domain controller with the pass-pol option, this information is easily displayed.
Also, you can use the rid-brute option to enumerate all AD objects including users and groups by guessing every resource identifier (RID), which is the ending set of digits to a security identifier (SID).
Another piece of useful information CrackMapExec can gather is what anti-virus software is in use. By targeting one or more computers with the enum_avproducts module, this information is quickly discovered. In my environment, you can see Windows Defender is running.
Now that we have a feel for the domain, let’s move on to some of the more interesting capabilities of CrackMapExec.
Lateral Movement
I found the lateral movement capabilities of CrackMapExec very valuable. You can utilize a username and NTLM hash and try it against a list of computers or an IP range to see where the user has rights.
Issuing a command specifying an IP range will discover the host information for all hosts in that range, and whether your specified account has rights.
Issuing a command by text file provides a more focused way to target hosts if you know which ones you are after (perhaps by using the rid-brute option).
Now that we know everywhere our compromised account has access, it’s time to gather some more credentials from these locations.
Our Good Friend Mimikatz
Like many other tools focused on Active Directory credentials, CrackMapExec uses Mimikatz to gather accounts and password data. By targeting hosts with the Mimikatz module, you can gather credentials and store them in the credential database for later use. You can also specify custom Mimikatz commands if needed.
This will launch the Invoke-Mimikatz PowerShell script from PowerSploit. The credentials are displayed with their hashes and they are added to the CrackMapExec credential database. You can access this database using the cmedb utility that is part of CrackMapExec:
Once you have your credential database, you can use these credentials by specifying an ID in your commands rather than providing the account and password information.
Teaming Up with Empire & DeathStar
CrackMapExec can deploy Empire agents to compromised machines. This makes further post-exploitation activities even easier, especially if using DeathStar’s automated attack capabilities.
By using the empire_exec module and specifying the listener you want the agents to use, this will deploy and activate the agents en masse. All collected credentials can be imported into the CrackMapExec credential database.
With all of these capabilities, CrackMapExec can make it easy for any pen tester or attacker to take a compromised computer and quickly spread through an organization with a few basic commands.
In our next post, we will explore PowerShell protections that can help mitigate these attacks.
- Post #1 – Automating Mimikatz with Empire & DeathStar Read Now
- Post #3 – Ways to Detect and Mitigate These Attacks Read Now
- Post #4 – How Attackers Are Bypassing These Protections Read Now
To watch the Mimkatz Attacks webinar, please click here.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Related Posts
- Understanding Lateral Movement and Privilege Escalation
- SERVER (UN)TRUST ACCOUNT
- Making Internal Reconnaissance Harder Using NetCease and SAMRi10
- Setup, Configuration, and Task Execution with Covenant: The Complete Guide
- Protecting Against DCShadow
- What is a DCShadow Attack and How to Defend Against it
- Next-Gen Open Source C2 Frameworks in a Post PSEmpire World: Covenant
- Detecting Persistence through Active Directory Extended Rights
- Lateral Movement Through Pass-the-Cache
- Resource-Based Constrained Delegation Abuse
Leave a Reply