How to Use CrackMapExec DB to Store and Manage Credentials
CrackMapExec (CME) is a popular tool for pentesting Windows and Active Directory environments. It can perform various tasks such as enumerating users, spidering shares, executing commands, injecting shellcode, dumping hashes, and more. But did you know that CME also has a powerful database feature that can help you store and manage the credentials you obtain during your engagements?
In this article, we will show you how to use CME DB to save and correlate credentials, query the database, and export the data for further analysis.
What is CME DB?
CME DB is a feature of CME that automatically stores all the credentials and other information that CME collects during its operations. CME DB uses SQLite as the backend database engine, which means you don't need to install or configure anything else to use it.
CME DB has several advantages over other credential management tools:
It is integrated with CME, so you don't need to switch between tools or copy and paste data.
It supports multiple protocols, such as SMB, LDAP, MSSQL, SSH, FTP, RDP, and WinRM.
It can correlate admin credentials to hosts and vice versa, allowing you to easily identify high-value targets and pivot points.
It can export the data in various formats, such as CSV, JSON, or BloodHound.
How to use CME DB?
To use CME DB, you need to have CME installed on your system. You can download the latest version of CME from the official website or from GitHub. You can also install it using Kali Linux's package manager.
Once you have CME installed, you can run it with any protocol and options you want. For example, if you want to scan a network range using SMB and dump hashes from the hosts, you can run:
This will launch CME with the SMB protocol and try to authenticate with the username "administrator" and password "Password123" on each host in the network range. It will also try to dump the SAM hashes from the hosts using Mimikatz.
As CME runs, it will automatically create a database file named "smb.db" in your current directory. This file contains all the data that CME collects during the scan. You can view the contents of this file using any SQLite viewer or using CME's built-in database manager.
To access CME's database manager, you need to run:
This will launch an interactive shell where you can query and manipulate the database. You can use SQL commands or CME's custom commands to work with the data. For example, if you want to list all the credentials that CME has stored in the database, you can run:
This will display a table with columns such as domain, username, password, hash, pillaged_from_ip, pillaged_from_name, etc. You can also filter or sort the results using SQL syntax. For example, if you want to list only the credentials that have admin privileges on at least one host, you can run:
cmedb> select * from creds where is_admin = 1;
If you want to list all the hosts that have a specific credential set on them, you can run:
cmedb> select * from hosts where domain = 'CORP' and username = 'administrator';
You can also use CME's custom commands to perform common tasks such as exporting the data or importing other data sources. For example, if you want to export all the credentials in CSV format, you can run:
cmedb> export creds csv
This will create a file named "creds.csv" in your current directory with all the credentials in comma-separated values format. You can
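As an added example (not from the article or the CME project itself), the Python script below does the same correlation and export directly against the SQLite backend: it lists which stored credentials are admin on which hosts and dumps the creds table as CSV. The schema and sample rows are constructed assumptions that mirror the columns named above, not CME's exact schema, and open_readonly() shows how to query a real smb.db without modifying it.

```python
import csv
import io
import sqlite3

# Constructed schema for this example: it mirrors the creds columns the
# article lists (domain, username, password, hash, pillaged_from_ip,
# pillaged_from_name) and adds hosts plus an admin_relations link table.
# Treat it as an assumption, not CME's exact schema.
SCHEMA = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, ip TEXT, hostname TEXT, domain TEXT);
CREATE TABLE creds (id INTEGER PRIMARY KEY, domain TEXT, username TEXT,
    password TEXT, hash TEXT, pillaged_from_ip TEXT, pillaged_from_name TEXT);
CREATE TABLE admin_relations (credid INTEGER, hostid INTEGER);
"""

# Constructed sample rows (fake hosts and credentials, not real data).
HOSTS = [(1, "10.0.0.5", "DC01", "CORP"), (2, "10.0.0.7", "FS01", "CORP")]
CREDS = [
    (1, "CORP", "administrator", "Password123", None, "10.0.0.5", "DC01"),
    (2, "CORP", "svc_backup", None,
     "aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef",
     "10.0.0.7", "FS01"),
    (3, "CORP", "jdoe", "Winter2023", None, "10.0.0.7", "FS01"),
]
ADMIN = [(1, 1), (1, 2), (2, 2)]  # (credid, hostid): cred is admin on host

def load_sample_db():
    """Build an in-memory SQLite DB shaped like smb.db from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?)", HOSTS)
    conn.executemany("INSERT INTO creds VALUES (?,?,?,?,?,?,?)", CREDS)
    conn.executemany("INSERT INTO admin_relations VALUES (?,?)", ADMIN)
    return conn

def open_readonly(path):
    """Open an existing smb.db read-only (URI mode) so queries cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def admin_creds(conn):
    """Correlate creds to hosts they administer: (domain, user, n_hosts, hostnames)."""
    return conn.execute("""
        SELECT c.domain, c.username, COUNT(h.id), GROUP_CONCAT(h.hostname)
        FROM creds c JOIN admin_relations a ON a.credid = c.id
        JOIN hosts h ON h.id = a.hostid
        GROUP BY c.id ORDER BY COUNT(h.id) DESC, c.username""").fetchall()

def export_creds_csv(conn):
    """Return the creds table as CSV text with a header row (like 'export creds csv')."""
    cur = conn.execute("SELECT * FROM creds")
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([col[0] for col in cur.description])
    writer.writerows(cur)
    return buf.getvalue()
```

Because the database and any CSV export hold plaintext passwords and hashes, keep them on an encrypted volume with restrictive file permissions and delete them when the engagement ends.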