Russian3434 / armitage

Automatically exported from code.google.com/p/armitage
0 stars 0 forks source link

User names with spaces not stored in creds when dumped with lsass method #154

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Run lsass method on a system with spaces in user name

What is the expected output? What do you see instead?

Expect to see all credentials added to creds, instead only credentials with no 
white space are added.

What version of Metasploit are you using (type: svn info)? On which
operating system?
4.7.2-2013101601, kali linux

Which database are you using?
Postgres

Please provide any additional information below.

The offending line, from scripts/passhash.sl :

[$queue addCommand: $null, "creds -a $host -p 445 -t smb_hash -u $user -P 
$hash"];

As user is not properly quoted, metasploit cannot parse this input correctly.

Msfconsole example failure:
msf > creds  -a 10.10.10.7 -p 445 -t smb_hash -u Mix Alpha Numeric -P 
9d8e0729169de7a53dc4a1bbae4793f5:1a890a173d9e98edeb6a38df418e4ae4
[-] Invalid host parameter, Alpha.

Msfconsole example success, after quoting:
msf > creds  -a 10.10.10.7 -p 445 -t smb_hash -u 'Mix Alpha Numeric' -P 
9d8e0729169de7a53dc4a1bbae4793f5:1a890a173d9e98edeb6a38df418e4ae4
[*] Time: 2013-10-31 03:19:04 UTC Credential: host=10.10.10.7 port=445 
proto=tcp sname= type=smb_hash user=Mix Alpha Numeric 
pass=9d8e0729169de7a53dc4a1bbae4793f5:1a890a173d9e98edeb6a38df418e4ae4 
active=true

I'm not sure the proper quote style of your language here, but changing line 77 
like this seems to do the trick:

[$queue addCommand: $null, "creds -a $host -p 445 -t smb_hash -u \'$user\' -P 
$hash"];

Probably should do the same in like 39 for the mimikatz method also.

Original issue reported on code.google.com by steve.pi...@gmail.com on 31 Oct 2013 at 3:55

GoogleCodeExporter commented 8 years ago
Hah! Thanks for the note and especially thanks for tracking down where/how to 
fix it. Few people do this and as a developer, I have a great deal of gratitude 
for this effort you've made. I plan to push an update in about a week or two 
(no later!)  I'll verify this and if it's good, it'll be in. 

Original comment by rsmu...@gmail.com on 31 Oct 2013 at 5:24

GoogleCodeExporter commented 8 years ago
Any chance this will make it an update in the near future?  It appears it 
didn't make it in the last one.

Mostly matters to me because I have some demo accounts with spaces in the names 
I use for various events..

Original comment by steve.pi...@gmail.com on 2 Jan 2014 at 10:04

GoogleCodeExporter commented 8 years ago
Let me look into this. I thought I addressed this... but maybe not.

Original comment by rsmu...@gmail.com on 2 Jan 2014 at 10:37

GoogleCodeExporter commented 8 years ago
Ok, thanks for following up on this. I forgot to take action when you first 
opened this ticket. I apologize for that. The fix is in place and it works. 
It'll probably be 1-2 months before I push an Armitage release next. In the 
mean time, I pushed a build with these fixes to the SVN repos. You can get it 
here:

https://code.google.com/p/armitage/source/browse/#svn%2Ftrunk%2Frelease%2Farmita
ge-unix%253Fstate%253Dclosed

Original comment by rsmu...@gmail.com on 4 Jan 2014 at 4:46