PowerShellEmpire / PowerTools

PowerTools is a collection of PowerShell projects with a focus on offensive operations.

line 508 Invoke-WmiMethod : Access is denied. #3

Closed vector-sigma closed 9 years ago

vector-sigma commented 9 years ago

I'm running with a local admin account, also tried a DA account, and using the hostname vs an IP address. Specifying the domain name with the user name also returned the same error. My target host is Windows 7, PS ver 3, no host firewall.

Invoke-WmiMethod - Remote - 0x80070005 (E_ACCESSDENIED) on technet

beacon> powershell $PSversiontable
[*] Tasked beacon to run: $PSversiontable
[+] host called home, sent: 23 bytes
[+] received output: 

Name                           Value                                           
----                           -----                                           
PSVersion                      3.0                                             
WSManStackVersion              3.0                                             
SerializationVersion           1.1.0.1                                         
CLRVersion                     4.0.30319.18444                                 
BuildVersion                   6.2.9200.16398                                  
PSCompatibleVersions           {1.0, 2.0, 3.0}                                 
PSRemotingProtocolVersion      2.2    

beacon> powershell Invoke-MassSearch -Hosts 192.168.1.100 -Username localadmin -Password P@ssword -Verbose -Debug
[*] Tasked beacon to run: Invoke-MassSearch -Hosts 192.168.1.100 -Username localadmin -Password P@ssword -Verbose -Debug

[+] host called home, sent: 103 bytes
[+] received output: 
#< CLIXML

[+] received output: 
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<S S="verbose">Sleeping, letting the web server stand up...</S>
<S S="verbose">Executing command on host "192.168.1.100"</S>
<S S="Error">Invoke-WmiMethod : Access is denied. (Exception from HRESULT: 0x80070005 _x000D__x000A_</S>
<S S="Error">(E_ACCESSDENIED))_x000D__x000A_</S><S S="Error">At line:508 char:13_x000D__x000A_</S>
<S S="Error">+             Invoke-WmiMethod -ComputerName $_ -Path Win32_process -Name _x000D__x000A_</S>
<S S="Error">create - ..._x000D__x000A_</S>
<S S="Error">+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~_x000D__x000A_</S>
<S S="Error">~~~_x000D__x000A_</S><S S="Error">    + CategoryInfo          : NotSpecified: (:) [Invoke-WmiMethod], Unauthoriz _x000D__x000A_</S>
<S S="Error">   edAccessException_x000D__x000A_</S>
<S S="Error">    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow _x000D__x000A_</S>
<S S="Error">   erShell.Commands.InvokeWmiMethod_x000D__x000A_</S><S S="Error"> _x000D__x000A_</S>
<S S="verbose">Waiting 30 seconds for commands to trigger...</S>
<S S="verbose">Killing the web server</S>
</Objs>
HarmJ0y commented 9 years ago

So you might be running into the KB2871997 patch (http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/) for a local admin account, not sure why a DA would produce the same issue. The 'access denied' error implies that the WMI method execution itself is being denied from the machine for some reason.

Try starting a new process as the DA with runas, then try running: Invoke-WmiMethod -ComputerName "192.168.1.100" -Path Win32_process -Name create -ArgumentList "cmd.exe"

What's the error that comes back from that?
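The behaviour HarmJ0y points at (a local admin account denied remote WMI method execution with 0x80070005 while a domain admin is expected to work) is governed by Windows' UAC remote restrictions for local accounts. The following PowerShell snippet is an added audit example, not code from the PowerTools project or from either participant in this thread; it reads the documented policy values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System on the host it is run on and reports whether the hardened default is still in effect. The function name and the output fields are this example's own choices.

```powershell
# Added example (not part of the issue thread): audit whether a Windows host still
# applies UAC remote restrictions ("token filtering") to local administrator accounts.
# With the restriction in place, a non-built-in local admin connecting over WMI/RPC
# gets a filtered, non-elevated token, which surfaces as E_ACCESSDENIED (0x80070005)
# on Invoke-WmiMethod -Name create. Domain accounts are not subject to this filtering.
# Registry key and value names are the documented Windows policy locations; the
# function name and output shape are this example's own choices.

function Get-RemoteUacRestrictionState {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $policyKey -ErrorAction Stop

    # LocalAccountTokenFilterPolicy: absent or 0 = remote restrictions applied (default,
    # hardened); 1 = local admins receive a full token remotely (weakened).
    $tokenFilter = $props.LocalAccountTokenFilterPolicy

    # FilterAdministratorToken: 1 = the built-in Administrator (RID 500) is also placed
    # in Admin Approval Mode; absent or 0 = the RID-500 account is exempt (default).
    $filterRid500 = $props.FilterAdministratorToken

    [pscustomobject]@{
        ComputerName                     = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy    = if ($null -eq $tokenFilter) { 'not set (0)' } else { $tokenFilter }
        RemoteRestrictionsForLocalAdmins = ($tokenFilter -ne 1)
        FilterAdministratorToken         = if ($null -eq $filterRid500) { 'not set (0)' } else { $filterRid500 }
        Rid500ExemptFromFiltering        = ($filterRid500 -ne 1)
        Assessment                       = if ($tokenFilter -eq 1) {
            'WEAKENED: LocalAccountTokenFilterPolicy=1 lets any local admin use a full token over the network; remove the value unless there is a documented need.'
        } else {
            'HARDENED: non-RID-500 local admins receive a filtered token over the network, so remote WMI process creation from such accounts is denied.'
        }
    }
}

# Usage: run elevated on the host being reviewed.
Get-RemoteUacRestrictionState | Format-List
```

Two caveats when reading the result: the hardened state is exactly the configuration that produces the "Access is denied" seen in this issue for a local admin, so a denial from such an account on a stock Windows 7 host is expected rather than a tool defect; and because domain accounts bypass this filtering, a domain admin that is still denied points to something else (the account's actual group membership on the target, DCOM/WMI namespace permissions, or the credential not being the one the process is really running under), which is why the runas test suggested above isolates the two cases.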