Closed aress31 closed 1 year ago
Hello @aress31, is this related to a LAPS situation or a non-domain-joined domain?
I'm curious about the use case :)
@mpgn your guess is spot on, related to LAPS, gaining access over 1K machines thanks to LAPS and then wanting to perform targeted post exploitation things on all these machines at once using the gathered creds. :)
I will think about a solution where you just add the credential of the user who can read LAPS password and just fire the command.
Something like this:
cme /tmp/hosts -u can_read_laps -p password --laps --sam
No my suggestion is global.
If I have 100 valid creds (username + password) and the associated machines where these creds work, I might want to mass run mimikatz or run other post exploitation modules or commands.
Therefore, IMHO we need a new switch that parses an input file with the following format:
username password hostname
cme /tmp/hosts -u can_read_laps -p password --lap
implemented for sponsors
If I have 100 valid creds (username + password) and the associated machines where these creds work, I might want to mass run mimikatz or run other post exploitation modules or commands.
This is the kind of scenario where you found a CSV with a custom password for each adm? Otherwise I don't see the benefit of adding a new method to pass credz
Well, we can grab credentials in many different ways and want to pwn multiple machines at once using these creds. Right now the only way of doing it is having a huge list of usernames and a huge list of passwords, and each combination will be tried, flooding the env with unnecessary requests.
On Mon, 18 Oct 2021, 20:06 mpgn, @.***> wrote:
cme /tmp/hosts -u can_read_laps -p password --lap implemented for sponsors
If I have 100 valid creds (username + password) and the associated machines where these creds work, I might want to mass run mimikatz or run other post exploitation modules or commands.
This is the kind of scenario where you found a CSV with a custom password for each adm? Otherwise I don't see the benefit of this
A bash loop can do the trick quite easily also
That's my workaround, would love to see this feature built in 😇
Hello,
Thanks for the issue, it is now fixed on the last public release of CrackMapExec https://github.com/mpgn/CrackMapExec v6.0.0
Regards,
mpgn
CME is great but in a recent engagement I realised that the following feature would help save a lot of time and generate much less traffic on client networks.
I managed to grab the local admin pass for 1K+ hosts, so I had the exact list of machines with their associated local Administrator password, however I could not find any way to input a file like:
[computer] [username] [password]
Had to spray these creds although I knew exactly which ones were working for which box.
Could you please consider implementing this feature in a future release?
Thanks, aress31