Case sensitivity in domains

[horlok]

I've been working through a tutorial that involves creating a basic active directory domain themed around marvel, in order to teach some hacking tools including crackmapexec.

I set up the forest with the Root domain name: MARVEL.local

and was following along with a video which instructed me to give the command

crackmapexec smb 192.68.184.0/24 -u fcastle -d MARVEL.local -p Password1

however, despite the video showing this result being successful and leading to two pawned devices when I run the exact command I only get the domain controller. I have checked a number of times.

When I rerun the command changing the name from MARVEL.local to marvel.local however the command succeeds (with no other changes made).

It is certainly not impossible that I made a mistake somewhere when following the step by step instructions. But I know that when I set up the Root domain name originally I certainly typed the capitals (because I screenshotted it).

So my question really relates to whether the screenshot relates to intentional functionality, is a bug with crackmapexec, or is just a reflection of my ability to reproduce someone else's tutorial properly. Potentially crackmapexec has changed since the tutorial was created and feasibly there is a good reason for this?

Finally just to clarify I'm definitely not trying to pick holes in the tool - which from what I can tell is awesome. So most importantly thank you for all the hard work on a cracking tool. Screenshot attached.

[NeffIsBack]

From your screenshot it looks like your two missing servers are just not visible on the network (atleast smb). How cme works is that it will look for every open smb port on the network. If it does find one it will enumerate several infos, for example if possible the OS, name etc. but this is not limited to windows.
Even a Unix system or anything else with SMB (port 445) open will be reported with the display statement (blue [*]), but then probably with incorrect information. After that it tries to "log into" the server using your credentials and either report success with normal user privileges (green [+]) or even administrative privileges (green [+] with yellow Pwn3d label)

TLDR;
If you don't even see the blue info message your server is probably just not accessible on SMB port 445 in the network. Just check with nmap to see if there is a host and which ports are available

[horlok]

Thanks for getting back to me. Apologies, for the confusion here. The first two entries have been intentionally blacked out by me - to avoid any disclosure of sensitive information.

The issue with the screen shots is that when I give the argument -d MARVEL.local neither SPIDERMAN nor THEPUNISHER are detected at all, yet running the exact same command immediately afterwards with -d marvel.local finds both devices, indeed is able to pwn them both.

I'm trying to work out what makes crackmapexec case sensitive (when the original forest is set up as MARVEL.local - the version that doesn't return anything).

Ultimately it may have just been a blip - don't worry about it. I just couldn't tell why without making changes to any devices on the network simply rerunning the same command but with the case changed produced more results.