Ethernet Attacks with CrackMapExec

[cmaddy]

CrackMapExec is a fantastic tool developed by Byt3bl33de3r and can be found here: https://github.com/byt3bl33d3r/CrackMapExec

As stated in the repo's README, it's powered by Impacket and takes queues and inspiration from several other tools targeting SMB, WMI, and Windows in general. I recommend reading up on it if you are unfamiliar. For now, it's worth mentioning that CrackMapExec (CME) is also a Python library that can be installed with pip and used like a standard tool, i.e. you can type "crackmapexec" and use it without needing a Python script to act as a vehicle. I installed it on the Bunny and have used it for some network based attacks using RNDIS_ETHERNET mode.

If you'd like to do the same, I encourage you to install pip. Connect to the Bunny via SSH and use curl with the "insecure" and output file options, like so:

• cd /pentest
• curl -k -O https://bootstrap.pypa.io/get-pip.py

Now check your Bunny's current system date and time. If it's not current then you need to update it or Python and SSL will throw a fit because the date/time is wrong. Then use Python to run the script:

• python get-pip.py

That may take some time to complete, but pip will open up a lot of possibilities and assist with Python tools and dependencies. Once that's done, you'll need to install packages required for supporting OpenSSL/PyOpenSSL. You'll need to have shared your internet connection with the Bunny for this to work.

• apt-get install build-essential libssl-dev libffi-dev python-dev

Once those packages have been installed successfully, you should now be able to successfully use pip to install CME. If something goes wrong with this next step, it's almost certainly related to the cryptography library and a missing dependency. Read the error carefully and Google it. You can be certain there will be several GitHub and StackOverflow hits at the top. Run pip:

• pip install crackmapexec

Once that is done, you can test everything by just running "crackmapexec" in your terminal and you should see CME spit out its help text and version information. You're now ready to include CME commands in your Bunny payloads. CME is a network attack tool, so you can use it against locked PCs. A very basic example of this is:

crackmapexec $TARGET_IP

That command tells CME to connect to the target's IP address via SMB. If that much can be done, CME will return a hostname and the target's operating system build. This is a fast "attack" and can be used to, let's say, fingerprint a machine quickly to prove you had access and collect some information.

You can go a step further with this:

crackmapexec $TARGET_IP -u "" -p ""

That tells CME to try a Null session with SMB. If the target disallows Null sessions nothing bad happens. You still get the basic OS details. If the target allows for a Null session to be initiated then you can check for success and then potentially proceed with something like running CME again with the addition of "--shares" to enumerate network shares and gather additional information.

If you happen to have a password hash or credentials from an earlier attack (perhaps phishing or passed to you from a teammate), those creds can be used with CME and any CME-based payload can be easily edited to include the credentials for a much wider variety of attacks.