[RFF] Targeted Operations

Open aress31 opened this issue 4 years ago • 8 comments

CME is great but in a recent engagement I realised that the following feature would help save a lot of time and generate much less traffic on client networks.

I managed to grab the local admin pass for 1K+ hosts, so I had the exact list of machines with their associated local Administrator password, however could not find any way to input a file like:

  • [computer] [username] [password]

Had to spray these creds although I knew exactly which ones were working for which box.

Could you please consider implementing this feature in a future release?

Thanks, aress31

aress31 avatar Aug 23 '21 13:08 aress31

Hello @aress31, is this related to a LAPS situation or a non-domain-joined domain?

I'm curious about the use case :)

mpgn avatar Oct 16 '21 20:10 mpgn

@mpgn your guess is spot on, related to LAPS, gaining access over 1K machines thanks to LAPS and then wanting to perform targeted post exploitation things on all these machines at once using the gathered creds. :)

aress31 avatar Oct 16 '21 20:10 aress31

I will think about a solution where you just add the credential of the user who can read LAPS password and just fire the command.

Something like this:

cme /tmp/hosts -u can_read_laps -p password --laps --sam

mpgn avatar Oct 16 '21 21:10 mpgn

No, my suggestion is global.

If I have 100 valid creds (username + password) and the associated machines where these creds work, I might want to mass run mimikatz or run other post exploitation modules or commands.

Therefore, IMHO we need a new switch that parses an input file with the following format:

username password hostname

aress31 avatar Oct 16 '21 21:10 aress31

cme /tmp/hosts -u can_read_laps -p password --lap implemented for sponsors

If I have 100 valid creds (username + password) and the associated machines where these creds work, I might want to mass run mimikatz or run other post exploitation modules or commands.

This is the kind of scenario where you found a CSV with the custom password of each adm? Otherwise I don't see the benefit of adding a new method to pass credz

mpgn avatar Oct 18 '21 18:10 mpgn

Well, we can grab credentials in many different ways and want to pwn multiple machines at once using these creds. Right now the only way of doing it is having a huge list of usernames and a huge list of passwords, and each combination will be tried, flooding the env with unnecessary requests.

aress31 avatar Oct 18 '21 18:10 aress31

A bash loop can do the trick quite easily also

mpgn avatar Oct 18 '21 19:10 mpgn

That's my workaround, would love to see this feature built-in 😇

aress31 avatar Oct 18 '21 19:10 aress31

Hello,

Thanks for the issue, it is now fixed on the last public release of CrackMapExec https://github.com/mpgn/CrackMapExec v6.0.0

Regards,

mpgn

mpgn avatar Jun 26 '23 20:06 mpgn