0xma Cyber Security Articles

June 18, 2021

Brute Force Windows Server SMB Credentials with CrackMapExec

In this tutorial we will see how to bruteforce SMB credentials using a username and password list. This can help us identify users that use common passwords which would make our organization vulnerable to attacks.

Running an nmap scan on the target shows the open ports. We can see that SMB (TCP port 445) is open and that the target is running Windows Server 2016.

nmap scan of the target box.

Executing crackmapexec by itself shows all the available options that we can use with it. We can see that it supports different protocols such as ldap, winrm, smb, mssql and ssh.

crackmapexec help options. crackmapexec help options.

This is our user list.

User list.

And this is our password list.

Password list.

Since we are trying to brute force the SMB credentails, we have to use the smb option. It is followed by the IP address of the target. The -u option takes the user list and the -p option takes the password list. Note that once it finds a password, it will stop running. As we can see after finding the password for the bhult user, crackmapexec stopped running.

Executing crackmapexec.

If we want to trying all the users and passwords in both the lists, we can use the --continue-on-success option. Now we can see that crackmapexec managed to find the password for the tlavel user as well.

Executing crackmapexec with continue on success option.

You can follow me on Twitter mujtabareads.