This repository has been archived by the owner on Dec 6, 2023. It is now read-only.
byt3bl33d3r edited this page Dec 25, 2015
# Command Execution
Executing commands on a Windows system requires Administrator credentials, which you must specify with the `-u`, `-p` or `-H` flags.

By default CrackMapExec tries to execute all commands via WMI. In the following example, we try to execute `whoami` on the target using the `-x` flag:
```
~# sudo python crackmapexec.py 172.16.112.130 -u Administrator -p P@ssw0rd -x whoami
12-25-2015 13:04:14 [*] 172.16.112.130:445 is running Windows 10.0 Build 10240 (name:WIN10BOX) (domain:WIN10BOX)
12-25-2015 13:04:15 [+] 172.16.112.130:445 Login successful WIN10BOX\Administrator:P@ssw0rd
12-25-2015 13:04:16 [+] 172.16.112.130:445 Executed command via WMIEXEC
12-25-2015 13:04:16 win10box\administrator
```
You can also directly execute PowerShell commands using the `-X` flag:
```
~# sudo python crackmapexec.py 172.16.112.130 -u Administrator -p P@ssw0rd -X '$PSVersionTable'
12-25-2015 15:35:10 [*] 172.16.112.130:445 is running Windows 10.0 Build 10240 (name:WIN10BOX) (domain:WIN10BOX)
12-25-2015 15:35:10 [+] 172.16.112.130:445 Login successful WIN10BOX\Administrator:P@ssw0rd
12-25-2015 15:35:15 [+] 172.16.112.130:445 Executed command via WMIEXEC
12-25-2015 15:35:15 Name                       Value
12-25-2015 15:35:15 ----                       -----
12-25-2015 15:35:15 PSVersion                  5.0.10240.16384
12-25-2015 15:35:15 WSManStackVersion          3.0
12-25-2015 15:35:15 SerializationVersion       1.1.0.1
12-25-2015 15:35:15 CLRVersion                 4.0.30319.42000
12-25-2015 15:35:15 BuildVersion               10.0.10240.16384
12-25-2015 15:35:15 PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0...}
12-25-2015 15:35:15 PSRemotingProtocolVersion  2.3
```
# Execution Methods
CrackMapExec can execute commands via 3 methods:
- smbexec
- wmi
- atexec
You can specify which one to use with the `--execm` flag (the default method is WMI).
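From the defender's side, each of the three execution methods leaves a recognisable process-creation trail on the target: a shell is spawned by the WMI provider host, by the service control manager, or by the Task Scheduler host, and its output is redirected through a loopback UNC path (`\\127.0.0.1\ADMIN$\...` or `\\127.0.0.1\C$\...`) so the client can collect it over SMB afterwards. The script below is an added example, not part of this wiki page or of CrackMapExec itself; it runs a small classifier over constructed records modelled on Windows Security event 4688 (parent image plus new-process command line). The parent/redirection patterns it keys on are assumptions drawn from the impacket wmiexec/smbexec/atexec scripts that CrackMapExec wraps, and the sample events, hostnames and temp file names are made up for the demonstration.

```python
import ntpath
import re

# Constructed sample records (not from the wiki page), modelled on the two
# fields of a Windows Security event 4688 that matter here: the parent image
# and the command line of the newly created process.
SAMPLE_EVENTS = [
    # WMI provider host spawning a shell whose output is staged on ADMIN$
    {"host": "WIN10BOX", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1451047456.12 2>&1'},
    # service control manager launching a staged batch file that writes to C$
    {"host": "WIN10BOX", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & C:\Windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
    # Task Scheduler host running a command whose output lands under ADMIN$\Temp
    {"host": "WIN10BOX", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'cmd.exe /C whoami > \\127.0.0.1\ADMIN$\Temp\xKQzSbcQ.tmp 2>&1'},
    # benign interactive activity, should not be flagged
    {"host": "WIN10BOX", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'},
    # WMI-spawned process with no loopback share redirection, should not be flagged
    {"host": "WIN10BOX", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r'powershell.exe -NoProfile -Command Get-Process'},
]

# Output redirected through a loopback UNC path to an administrative share.
# Assumption of this example: all three impacket-based methods stage their
# output this way so the client can fetch it over SMB afterwards.
LOOPBACK_ADMIN_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\", re.IGNORECASE)


def classify(event):
    """Return the suspected execution method for one record, or None if it looks benign."""
    parent = ntpath.basename(event["parent"]).lower()   # ntpath so backslash paths split on Linux too
    cmdline = event["cmdline"]
    staged_output = LOOPBACK_ADMIN_SHARE.search(cmdline) is not None
    if parent == "wmiprvse.exe" and staged_output:
        return "wmiexec"   # WMI provider host + ADMIN$/C$ loopback redirect
    if parent == "services.exe" and (staged_output or "execute.bat" in cmdline.lower()):
        return "smbexec"   # service created to run the staged batch file
    if parent in ("svchost.exe", "taskeng.exe") and staged_output and "\\temp\\" in cmdline.lower():
        return "atexec"    # scheduled task writing its output under ADMIN$\Temp
    return None


def scan(events):
    """Run classify() over a batch of records and return only the positive findings."""
    findings = []
    for event in events:
        method = classify(event)
        if method:
            findings.append({"host": event["host"], "method": method, "cmdline": event["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['method']:8s} {finding['cmdline']}")
```

The two negative samples are there on purpose: a WMI-spawned process on its own is normal administrative activity, so the rule requires the loopback-share redirection as well, and the scheduled-task rule additionally requires the `\Temp\` staging path to avoid matching every `svchost.exe` child. In production you would feed this from 4688 (with command-line auditing enabled) or Sysmon event 1 rather than a constructed list, and treat a hit as a trigger for checking the matching 4624 logon on port 445 from the source host.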