This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

Command Execution

byt3bl33d3r edited this page Dec 25, 2015 · 9 revisions

# Command Execution

Executing commands on a Windows system requires Administrator credentials, which you must specify with the -u, -p or -H flags.

By default CrackMapExec tries to execute all commands via WMI.

In the following example, we try to execute whoami on the target using the -x flag:

~# python crackmapexec.py 172.16.112.130 -u Administrator -p P@ssw0rd -x whoami
12-25-2015 13:04:14 [*] 172.16.112.130:445 is running Windows 10.0 Build 10240 (name:WIN10BOX) (domain:WIN10BOX)
12-25-2015 13:04:15 [+] 172.16.112.130:445 Login successful WIN10BOX\Administrator:P@ssw0rd
12-25-2015 13:04:16 [+] 172.16.112.130:445 Executed command via WMIEXEC
12-25-2015 13:04:16 win10box\administrator

You can also directly execute PowerShell commands using the -X flag:

~# python crackmapexec.py 172.16.112.130 -u Administrator -p P@ssw0rd -X '$PSVersionTable'
12-25-2015 15:35:10 [*] 172.16.112.130:445 is running Windows 10.0 Build 10240 (name:WIN10BOX) (domain:WIN10BOX)
12-25-2015 15:35:10 [+] 172.16.112.130:445 Login successful WIN10BOX\Administrator:P@ssw0rd
12-25-2015 15:35:15 [+] 172.16.112.130:445 Executed command via WMIEXEC
12-25-2015 15:35:15 Name                           Value
12-25-2015 15:35:15 ----                           -----
12-25-2015 15:35:15 PSVersion                      5.0.10240.16384
12-25-2015 15:35:15 WSManStackVersion              3.0
12-25-2015 15:35:15 SerializationVersion           1.1.0.1
12-25-2015 15:35:15 CLRVersion                     4.0.30319.42000
12-25-2015 15:35:15 BuildVersion                   10.0.10240.16384
12-25-2015 15:35:15 PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
12-25-2015 15:35:15 PSRemotingProtocolVersion      2.3

# Execution Methods

CrackMapExec can execute commands via 3 methods:

  • smbexec
  • wmi
  • atexec

You can specify which one to use with the --execm flag (the default method is WMI).
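From the defender's side, each of the three methods lands on the target as a shell spawned by a different host-side launcher: a WMI call is serviced by the WMI provider host (WmiPrvSE.exe), smbexec starts a short-lived service through the Service Control Manager (services.exe), and atexec runs a one-shot scheduled task under the Task Scheduler service host (svchost.exe). The following triage helper is an added example, not CrackMapExec code; it classifies constructed process-creation records (field names follow Sysmon Event ID 1, an assumption about your log source) by parent/child pair. The svchost.exe rule is the noisiest, since legitimate scheduled tasks spawn shells the same way, so treat its hits as a starting point for review rather than an alert on its own.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (field names follow Sysmon Event ID 1)."""
    image: str
    parent_image: str
    command_line: str
    user: str


# Host-side launcher for each method (assumption: default Windows process names).
# wmi:     the WMI provider host services the remote Win32_Process.Create call
# smbexec: the Service Control Manager starts the temporary service whose
#          binary path is a shell command
# atexec:  the Task Scheduler service (hosted in svchost.exe) runs the one-shot task
LAUNCHER_BY_METHOD = {
    "wmi": "wmiprvse.exe",
    "smbexec": "services.exe",
    "atexec": "svchost.exe",
}
SHELLS = {"cmd.exe", "powershell.exe"}


def classify(ev: ProcessEvent):
    """Return the execution method a shell spawn most resembles, or None."""
    child = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    if child not in SHELLS:
        return None
    for method, launcher in LAUNCHER_BY_METHOD.items():
        if parent == launcher:
            return method
    return None


def triage(events):
    """Return (index, method, user) for every event that matches a launcher."""
    hits = []
    for idx, ev in enumerate(events):
        method = classify(ev)
        if method is not None:
            hits.append((idx, method, ev.user))
    return hits


# Constructed sample records: three shell spawns from launchers plus two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "cmd.exe /c whoami", r"WIN10BOX\Administrator"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\services.exe",
                 "cmd.exe /c whoami", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\svchost.exe",
                 "cmd.exe /c whoami", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 "cmd.exe", r"WIN10BOX\alice"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 "notepad.exe", r"WIN10BOX\alice"),
]

if __name__ == "__main__":
    for idx, method, user in triage(SAMPLE_EVENTS):
        print(f"event {idx}: looks like {method} execution as {user}")
```

Because all three methods authenticate over SMB on port 445 with Administrator credentials (as the sessions above show), pairing a hit from this helper with the matching network logon event for the same user and source host is the quickest way to confirm or dismiss it.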