CrackMapExec:域环境渗透中的瑞士军刀
来源:互联网 发布:分层数据流程图 编辑:程序博客网 时间:2024/05/20 12:47
CrackMapExec:使用Python编写的一款工具,堪称Windows 活动目录/域 环境渗透测试里的一把瑞士军刀,这工具功能真的很强大、齐全!
Powered by Impacket
CrackMapExec项目灵感来源:
@agsolino的wmiexec.py,wmiquery.py, smbexec.py, samrdump.py, secretsdump.py, atexec.py 以及lookupsid.py
@ShawnDEvans的smbmap
@gojhonny的CredCrack
@pentestgeek的smbexec
项目中部分代码参考了@T-S-A的smbspider脚本
另外包含了PowerSploit项目中的一些脚本:
Invoke-Mimikatz.ps1
Invoke-NinjaCopy.ps1
Invoke-ReflectivePEInjection.ps1
Invoke-Shellcode.ps1
Get-GPPPassword.ps1
以及PowerTools知识库PowerView 脚本
描述
CrackMapExec提供了域环境(活动目录)渗透测试中一站式便携工具,它具有列举登录用户、通过SMB(Server Message Block)网络文件共享协议爬虫列出SMB分享列表,
执行类似于Psexec的攻击、使用powerShell脚本执行自动式Mimikatz/Shellcode/DLL注入到内存中,dump NTDS.dit密码。
工具改进完善:
纯Python脚本,无需外部依赖;
全双工多进程;
使用本地WinAPI会话发现session会话控制、用户、dump 存储在SAM中的windows HASH值;
演示视频
使用参数
______ .______ ___ ______ __ ___ .___ ___. ___ .______ _______ ___ ___ _______ ______ / || _ \ / \ / || |/ / | \/ | / \ | _ \ | ____|\ \ / / | ____| / || ,----'| |_) | / ^ \ | ,----'| ' / | \ / | / ^ \ | |_) | | |__ \ V / | |__ | ,----'| | | / / /_\ \ | | | < | |\/| | / /_\ \ | ___/ | __| > < | __| | | | `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----. \______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______| Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino) Inspired by: @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap @gojhonny's CredCrack https://github.com/gojhonny/CredCrack @pentestgeek's smbexec https://github.com/pentestgeek/smbexec Version: 2.3 Codename: 'Pink Bubbles'positional arguments: target The target IP, range, CIDR identifier, hostname, FQDN or list or file containg a list of targetsoptional arguments: -h, --help show this help message and exit //打印帮助信息 -v, --version show program's version number and exit //显示程序版本信息 -t THREADS Set how many concurrent threads to use (defaults to 100) //指定进程数 默认为100 -u USERNAME Username(s) or file containing usernames //指定用户名 -p PASSWORD Password(s) or file containing passwords //指定密码 -H HASH NTLM hash(es) or file containing NTLM hashes -C COMBO_FILE Combo file containing a list of domain\username:password or username:password entries -k HEX_KEY AES key to use for Kerberos Authentication (128 or 256 bits) -d DOMAIN Domain name //指定域 -n NAMESPACE WMI Namespace (default: //./root/cimv2) -s SHARE Specify a share (default: C$) //指定分享 --kerb Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters --port {139,445} SMB port (default: 445) //指定SMB端口 默认445 --server {http,https} Use the selected server (defaults to http) //指定http或https 默认使用http --server-port PORT Start the server on the specified port --fail-limit LIMIT The max number of failed login attempts allowed per host (default: None) --gfail-limit LIMIT The max number of failed login attempts allowed globally (default: None) --verbose Enable verbose outputCredential Gathering: Options for gathering credentials --sam Dump SAM hashes from target systems --lsa Dump LSA secrets from target systems --gpp-passwords Retrieve plaintext passwords and other information for accounts pushed through Group Policy Preferences --ntds {ninja,vss,drsuapi} Dump the NTDS.dit from target DCs using the specifed method (drsuapi is the fastest) --ntds-history Dump NTDS.dit password history --ntds-pwdLastSet Shows the pwdLastSet attribute for each NTDS.dit account --mimikatz Run Invoke-Mimikatz (sekurlsa::logonpasswords) on target systems --mimikatz-cmd MIMIKATZ_CMD Run Invoke-Mimikatz with the specified command --enable-wdigest Creates the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1 --disable-wdigest Deletes the 'UseLogonCredential' registry keyMapping/Enumeration: Options for Mapping/Enumerating --shares List shares //列出分享 --check-uac Checks UAC status //检查UAC状态 --sessions Enumerate active sessions --disks Enumerate disks --users Enumerate users --rid-brute [MAX_RID] Enumerate users by bruteforcing RID's (defaults to 4000) --pass-pol Dump password policy --lusers Enumerate logged on users --powerview POWERVIEW_CMD Run the specified PowerView command --wmi QUERY Issues the specified WMI querySpidering: Options for spidering shares --spider [FOLDER] Folder to spider (defaults to top level directory) --content Enable file content searching --exclude-dirs DIR_LIST Directories to exclude from spidering --pattern PATTERN Pattern to search for in folders, filenames and file content --patternfile PATTERNFILE File containing patterns to search for in folders, filenames and file content --depth DEPTH Spider recursion depth (default: 10)Command Execution: Options for executing commands --execm {atexec,wmi,smbexec} Method to execute the command (default: wmi) --ps-arch {auto,64,32} Process architecture all PowerShell code/commands should run in (default: auto) --no-output Do not retrieve command output -x COMMAND Execute the specified command -X PS_COMMAND Excute the specified powershell commandShellcode/EXE/DLL/Meterpreter Injection: Options for injecting Shellcode/EXE/DLL/Meterpreter in memory using PowerShell --inject {met_reverse_http,met_reverse_https,exe,shellcode,dll} Inject Shellcode, EXE, DLL or Meterpreter --path PATH Path to the Shellcode/EXE/DLL you want to inject on the target systems (ignored if injecting Meterpreter) --procid PROCID Process ID to inject the Shellcode/EXE/DLL/Meterpreter into (if omitted, will inject within the running PowerShell process) --exeargs EXEARGS Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE) --met-options LHOST LPORT Meterpreter options (ignored if not injecting Meterpreter)Filesystem Interaction: Options for interacting with filesystems --list [PATH] List contents of a directory (defaults to top level directory) --download SRC DST Download a file from the remote systems --upload SRC DST Upload a file to the remote systems --delete PATH Delete a remote fileService Interaction: Options for interacting with Windows services --service {status,list,create,stop,start,config,change,delete} --name NAME Service name --display NAME Service display name --bin-path PATH Binary path --service-type TYPE Service type --start-type TYPE Service start type --start-name NAME Name of the account under which the service should run --start-pass PASS Password of the account whose name was specified with the --start-name parameterMSSQL Interaction: Options for interacting with MSSQL DB's --mssql [QUERY] Authenticate with the provided credentials against the MSSQL service, optionally execute the specified query --mssql-port PORT MSSQL service port (default: 1433) --mssql-instance Enumerate the MSSQL intances on the target hosts --enable-xpcmdshell Enable xp_cmdshell on target DB's --disable-xpcmdshell Disable xp_cmdshell on target DB's --xp-cmd COMMAND Execute the specified command using xp_cmdshell
0 0
- CrackMapExec:域环境渗透中的瑞士军刀
- CrackMapExec:域环境渗透中的瑞士军刀
- 域环境下的渗透
- 域环境下的渗透
- 域环境下的渗透
- 域环境下的渗透
- linux中的"瑞士军刀"
- linux中的瑞士军刀
- 网络安全中的“瑞士军刀” nc
- 网络中的瑞士军刀---nc.exe
- 软件开发中的“瑞士军刀综合征”
- 软件开发中的“瑞士军刀综合征”
- 软件开发中的瑞士军刀综合症
- 软件开发中的“瑞士军刀综合症”
- 软件开发中的瑞士军刀综合症
- Netcat 命令--网络工具中的瑞士军刀
- 软件开发中的瑞士军刀综合症
- Netcat命令:网络工具中的瑞士军刀
- Linux网络编程:原始套接字的魔力【续】
- 结合WordCount实例精解Hadoop的数据存储和运算
- sh/bash/csh/Tcsh/ksh/pdksh等shell本质区别
- 编码格式批转换,将指定编码转换为设置的编码
- 观察者模式
- CrackMapExec:域环境渗透中的瑞士军刀
- html5学习记录03:超链接
- 一些用到的SQL语句
- 揭开网络编程常见API的面纱【上】
- OpenCV进行图像相似度对比的几种办法
- Hadoop bin/hadoop namenode -format 时遇到的几个问题
- 课程流恢复步骤和恢复后的地址
- Java基本功——Reference
- Swift版快速排序
