Tags: Password Attacks, pentesting, active-directory, smb, winrm, mssql, rdp, ldap, ssh, ftp

CrackMapExec

Swiss army knife for pentesting Windows/Active Directory environments. Enumerates users, shares, executes attacks, and dumps credentials using native WinAPI calls.

Description

CrackMapExec is a pure Python tool for pentesting networks, particularly Windows/Active Directory environments. It handles tasks ranging from enumerating logged-on users and spidering SMB shares to executing psexec-style attacks, auto-injecting Mimikatz/shellcode/DLLs into memory via PowerShell, and dumping NTDS.dit.

Key advantages include fully concurrent threading, no external tools required, and opsec safety by avoiding binary uploads for credential dumping or shellcode injection. It uses only native WinAPI calls for discovering sessions, users, and dumping SAM hashes.

A database stores used and dumped credentials and correlates admin credentials to hosts, giving situational awareness in large environments. It supports the MSSQL, WinRM, RDP, LDAP, SMB, SSH, and FTP protocols.

How It Works

CrackMapExec operates as a fully concurrent Python script that uses native WinAPI calls for session discovery, user enumeration, and SAM/NTDS.dit dumping, without uploading binaries to the target. It supports multiple protocols (mssql, winrm, rdp, ldap, smb, ssh, ftp) for authentication, command execution, and post-exploitation. A database (cmedb) tracks credentials and correlates them with hosts. It also provides threading, per-thread timeouts, jitter between connections for evasion, and opsec-safe in-memory injection via PowerShell.

Installation

```bash
sudo apt install crackmapexec
```

Flags

-h, --help: show this help message and exit
-t THREADS: set how many concurrent threads to use (default: 100)
--timeout TIMEOUT: max timeout in seconds of each thread (default: None)
--jitter INTERVAL: sets a random delay between each connection (default: None)
--darrell: give Darrell a hand
--verbose: enable verbose output

Examples

Display the full help message and usage information for the tool
crackmapexec -h
Show help for the credential database management tool (note: requires config file)
cmedb -h
Enumerate or attack SMB shares on a target host with provided credentials
crackmapexec smb //target -u user -p pass
Execute commands or own the target using WinRM protocol
crackmapexec winrm target -u user -p pass
Interact with LDAP services on a domain controller
crackmapexec ldap dc.example.com -u user -p pass
Own the target using MSSQL protocol
crackmapexec mssql mssql-server -u sa -p pass
Target RDP services with 50 threads and verbose output
crackmapexec rdp target -t 50 --verbose
Updated 2026-04-16. Source: kali.org