🖊️ Author: Nairuz Abulhul

🌐 Blog: R3dbuck3t


Installation

Install Python Dev modules

sudo apt-get install -y libssl-dev libffi-dev python-dev-is-python3 build-essential
git clone https://github.com/byt3bl33d3r/CrackMapExec.git

Install Poetry

sudo pip3 install poetry

Move to the CrackMapExec directory and run poetry

cd CrackMapExec

sudo poetry install

Run CrackMapExec

sudo poetry run crackmapexec

SMB Basic Enumeration

Without any credentials, CrackMapExec can pull basic SMB information from servers and workstations. The output includes the host's NetBIOS name and the domain it reports, which shows whether the machine is domain-joined or standalone (a standalone host reports its own name as the domain). It also reveals the Windows version and build, the architecture (x86/x64), whether the legacy SMBv1 dialect is enabled, and whether SMB signing is required. The signing flag is the one that matters for SMB relay: a host that does not require signing will accept a relayed NTLM authentication, while a host with signing:True (domain controllers by default) will not.

Basic SMB Info

zink0x001@htb[/htb]$ crackmapexec smb 192.168.133.0/24
192.168.133.1    445    DESKTOP-DKCQVG2  [*] Windows 10.0 Build 19041 x64 (name:DESKTOP-DKCQVG2) (domain:DESKTOP-DKCQVG2) (signing:False) (SMBv1:False)
192.168.133.158  445    WIN-TOE6NQTR989  [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-TOE6NQTR989) (domain:inlanefreight.htb) (signing:True) (SMBv1:True)
192.168.133.157  445    WIN7             [*] Windows 7 Ultimate 7601 Service Pack 1 x64 (name:WIN7) (domain:WIN7) (signing:False) (SMBv1:True)

Getting all hosts with SMB signing disabled: the --gen-relay-list option scans the range and writes the IP addresses of hosts that do not require SMB signing to the given file. The scan output still shows every host that answered; only those reported with signing:False (192.168.1.111 in the run below) end up in the file, which can then be passed to ntlmrelayx.py as its target list so captured NTLM authentications are relayed to them.

zink0x001@htb[/htb]$ crackmapexec smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt

SMB  192.168.1.101    445    DC2012A          [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A) (domain:OCEAN) (signing:True) (SMBv1:True)
SMB  192.168.1.102    445    DC2012B          [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012B) (domain:EARTH) (signing:True) (SMBv1:True)
SMB  192.168.1.111    445    SERVER1          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SERVER1) (domain:PACIFIC) (signing:False) (SMBv1:True)
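The relay list above is built from the signing flag alone. The same scan output can be post-processed for other attributes the previous section mentions, such as SMBv1 support or standalone (non-domain-joined) hosts. The script below is an added example, not part of the original post or of CrackMapExec itself; it works on a saved copy of the scan output and the sample lines it embeds are constructed in the same format as the listings on this page (the IPs and the extra WS01 host are made up).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): post-process saved CrackMapExec
# SMB output to pick relay targets and other hosts of interest.
# CME_SAMPLE is constructed sample output in the page's format; the hosts are made up.

CME_SAMPLE='SMB  192.168.1.101    445    DC2012A          [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012A) (domain:OCEAN) (signing:True) (SMBv1:True)
SMB  192.168.1.102    445    DC2012B          [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC2012B) (domain:EARTH) (signing:True) (SMBv1:True)
SMB  192.168.1.111    445    SERVER1          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SERVER1) (domain:PACIFIC) (signing:False) (SMBv1:True)
SMB  192.168.1.120    445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:WS01) (signing:False) (SMBv1:False)'

# IP of every host whose SMB signing is not required. This matches what
# --gen-relay-list writes; domain controllers require signing by default and
# therefore never appear here.
relay_targets() {
    grep -F '(signing:False)' | awk '$1 == "SMB" { print $2 }'
}

# Hosts still speaking the legacy SMBv1 dialect.
smbv1_hosts() {
    grep -F '(SMBv1:True)' | awk '$1 == "SMB" { print $2 }'
}

# Standalone hosts: the reported domain equals the NetBIOS name.
standalone_hosts() {
    awk '$1 == "SMB" {
        match($0, /\(name:[^)]*\)/);   name = substr($0, RSTART + 6, RLENGTH - 7)
        match($0, /\(domain:[^)]*\)/); dom  = substr($0, RSTART + 8, RLENGTH - 9)
        if (name == dom) print $2
    }'
}

# Typical use: save a scan, derive the lists, feed the relay list to ntlmrelayx.
#   crackmapexec smb 192.168.1.0/24 | tee cme-smb.txt
#   relay_targets < cme-smb.txt > relay_targets.txt
#   ntlmrelayx.py -tf relay_targets.txt -smb2support
printf '%s\n' "$CME_SAMPLE" | relay_targets
```

The filters key on the literal flag text CrackMapExec prints, so they only work on unmodified output saved with tee or a redirect (not on the colourised terminal output). Relaying to a host that requires signing fails with an error rather than producing a session, so keep relay_targets as the only list handed to ntlmrelayx.py.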