# Enumerating Users With CME - Anonymously

#### Install Crackmapexec

```
python3 -m pip install pipx
git clone https://github.com/Porchetta-Industries/CrackMapExec
cd CrackMapExec
pip install .
```

### crackmapexec

From enumerating logged on users and spidering SMB shares to executing psexec style attacks, auto-injecting Mimikatz/Shellcode/DLL’s into memory using Powershell, dumping the NTDS.dit and more.

IP range to quickly get netbios answers by windows computers. This is a very quick way to get all the windows machine IP, FQDN and domains

```
crackmapexec smb 192.168.56.1/24
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FIiZvkgiHD7FzuHwq4PKF%2Fimage.png?alt=media&#x26;token=0e701239-1533-447d-8942-b4d1d123f063" alt=""><figcaption></figcaption></figure>

### Enumerating Users

```
crackmapexec smb 192.168.56.10 --users
crackmapexec smb 192.168.56.12 --users
crackmapexec smb 192.168.56.11 --users
```

and we found our first password! Let's save it and keep the recon.

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2F9p8SeAoMiG22qXj9BzS9%2Fimage.png?alt=media&#x26;token=b181e7ac-ff77-4a64-8f5a-45039e405efc" alt=""><figcaption></figcaption></figure>

### Password Policy

we could also retrieve the password policy before trying bruteforce. The password policy show us that if we fail 5 times in 5 minutes we lock the accounts for 5minutes.

```
crackmapexec smb 192.168.56.10 --pass-pol
crackmapexec smb 192.168.56.12 --pass-pol
crackmapexec smb 192.168.56.11 --pass-pol
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2F5a7qJQyqUjwVLEdPhRmm%2Fimage.png?alt=media&#x26;token=e77adecc-3765-44ee-b662-f96c540b5404" alt=""><figcaption></figcaption></figure>

```
```