CredCrack was born.
CredCrack was developed in Python and made to be quick and quiet. It exfiltrates credentials that sit in memory in the clear, and highlights domain administrator accounts for you!
How it works
CredCrack begins by setting the stage. It automatically starts the Apache service and deploys two files to your /var/www directory: one named fun.ps1 and another named creds.php. Additionally, the assessor running the script is responsible for downloading Invoke-Mimikatz.ps1 and storing it in the same directory (/var/www).
After setup is done, CredCrack validates the list of systems provided to ensure it can reach them and that they have port 445 open. It removes systems that can't be reached and then queries the remaining systems for the list of domain administrators.
The fun.ps1 PowerShell script executes Mimikatz in memory and sends the credentials back to the assessor's system in a POST request (which creds.php intercepts).
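As an added defensive example (not part of the original post or the CredCrack project), the script below scans constructed Apache access-log lines for the traffic pattern described above: a host fetching a .ps1 from the web root and then POSTing to a .php receiver shortly afterwards. The log lines, client IPs and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache access-log lines (Common Log Format) mimicking the flow the post
# describes: a host fetches a .ps1 from the web root, then POSTs to a .php receiver.
SAMPLE_LOG = """\
10.0.0.21 - - [12/Mar/2016:10:15:01 +0000] "GET /fun.ps1 HTTP/1.1" 200 4312
10.0.0.21 - - [12/Mar/2016:10:15:09 +0000] "POST /creds.php HTTP/1.1" 200 17
10.0.0.35 - - [12/Mar/2016:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.35 - - [12/Mar/2016:10:16:02 +0000] "POST /login.php HTTP/1.1" 302 0
10.0.0.40 - - [12/Mar/2016:10:20:00 +0000] "GET /fun.ps1 HTTP/1.1" 200 4312
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict (timestamp as datetime), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_script_then_post(log_text, window_seconds=60):
    """Return (ip, script_path, receiver_path) for each client that fetched a .ps1
    and then POSTed to a .php path within window_seconds. A lone .ps1 GET is ignored."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])  # events per client in time order
        for i, r in enumerate(recs):
            if r["method"] != "GET" or not r["path"].lower().endswith(".ps1"):
                continue
            deadline = r["ts"] + timedelta(seconds=window_seconds)
            for later in recs[i + 1:]:
                if later["ts"] > deadline:
                    break
                if later["method"] == "POST" and later["path"].lower().endswith(".php"):
                    hits.append((ip, r["path"], later["path"]))
                    break
    return hits
```

Run against the constructed log, only 10.0.0.21 is reported; the lone .ps1 download by 10.0.0.40 and the ordinary login POST by 10.0.0.35 are not.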
Domain Administrator Credentials in 17 seconds
CredCrack has two main functions. Using the provided local administrative user credentials, it can either enumerate share privileges or harvest credentials across a network. One reason to use the share enumeration function is to determine whether the provided user has write or administrative access on a system. Refer to the syntax and example screenshot below for sample usage.
CredCrack was made to facilitate obtaining domain administrator credentials on an assessment. It has already helped me significantly on assessments and I hope it can help others as well. CredCrack does not have any dependencies other than Invoke-Mimikatz.ps1 if run on Kali Linux. For more information on CredCrack visit my GitHub page. For information on defending against CredCrack and similar attacks check out my other post.