Multiple errors in SMB Spider

AlessandroZ commented 8 years ago

Hi,

During my pentest, I wanted to try your tool, it seems to be great, but I had lots of errors. I fixed all errors I saw. I hope it will help you to build something more stable and great. All these patchs have been tested during my tests.

Share access denied

Cause: When we do not have access to the C$. The smb connection failed.
Stacktrace:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 534, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/local/lib/python2.7/dist-packages/cme/connector.py", line 172, in connector
    spider.spider(args.spider, args.depth)
  File "/usr/local/lib/python2.7/dist-packages/cme/spider/smbspider.py", line 40, in spider
    for result in filelist:
UnboundLocalError: local variable 'filelist' referenced before assignment

Fix:

filelist = ''
try:
    filelist = self.smbconnection.listPath(self.args.share, subfolder)
    self.dir_list(filelist, subfolder)
    if depth == 0:
        return
except SessionError as e:
    if not filelist:
        self.logger.error("The smb connection to the %s share has failed !" % self.args.share)
        return 
    pass

Error using regex

Command line :

crackmapexec <IP> -u <USER> -p <PASSWORD> --share test --spider test --content --regex "password=*"

Stacktrace:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cme/spider/smbspider.py", line 113, in search_content
    if re.findall(pattern, contents):
UnboundLocalError: local variable 'pattern' referenced before assignment

Fix:

elif self.args.regex:
    for regex in self.args.regex:
        if re.findall(regex, contents):
            self.logger.highlight(u"//{}/{}{} [lastm:'{}' size:{} offset:{} regex:'{}']".format(self.args.share,
                                                                                              path,
                                                                                              result.get_longname(),
                                                                                              strftime('%Y-%m-%d %H:%M', localtime(result.get_mtime_epoch())), 
                                                                                              result.get_filesize(),
                                                                                              rfile.tell(),
                                                                                              regex))

Error when regex is not correct

When the regex is not correct:

Command line used:

crackmapexec <IP> -u <USER> -p <PASSWORD> --share test --spider test --content --regex "*password=*"

Stacktrace:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 534, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/local/lib/python2.7/dist-packages/cme/connector.py", line 172, in connector
    spider.spider(args.spider, args.depth)
  File "/usr/local/lib/python2.7/dist-packages/cme/spider/smbspider.py", line 34, in spider
    self.dir_list(filelist, subfolder)
  File "/usr/local/lib/python2.7/dist-packages/cme/spider/smbspider.py", line 68, in dir_list
    if re.findall(regex, result.get_longname()):
  File "/usr/lib/python2.7/re.py", line 181, in findall
    return _compile(pattern, flags).findall(string)
  File "/usr/lib/python2.7/re.py", line 251, in _compile
    raise error, v # invalid expression
error: nothing to repeat

Function: spider
Class: SMBSpider
Fix:

filelist = ''
try:
    filelist = self.smbconnection.listPath(self.args.share, subfolder)
    self.dir_list(filelist, subfolder)
    if depth == 0:
        return
except SessionError as e:
    if not filelist:
        self.logger.error("The smb connection to the %s share has failed !" % self.args.share)
        return 
    pass
except Exception, e:
    self.logger.error("An unexpected error occured: %s" % e[0])
    return

Infinite loop while spidering

Cause: I was blocked in an infinite loop until I debug the problem. The file never ended (I don't know why). However, the content returned was empty.
File: smbspider.py
Class: SMBSpider
Function search_content
Fix:

while True:
    try:
        contents = rfile.read(4096)
        if not contents:
            break
    except SessionError as e:
        if 'STATUS_END_OF_FILE' in str(e):
            break

Stoping using CTRL-C

When the search-content function took too long, I wanted to kill it using CTRL-C command. Most of time I had this stacktrace (few times, it was well catched).

^CTraceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 534, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/local/lib/python2.7/dist-packages/cme/connector.py", line 172, in connector
    spider.spider(args.spider, args.depth)
  File "/usr/local/lib/python2.7/dist-packages/cme/spider/smbspider.py", line 33, in spider
    self.dir_list(filelist, subfolder)
  File "/usr/local/lib/python2.7/dist-packages/cme/spider/smbspider.py", line 76, in dir_list
    self.search_content(path, result)
  File "/usr/local/lib/python2.7/dist-packages/cme/spider/smbspider.py", line 91, in search_content
    contents = rfile.read(4096)
  File "/usr/local/lib/python2.7/dist-packages/cme/remotefile.py", line 23, in read
    data =  self.__smbConnection.readFile(self.__tid, self.__fid, self.__currentOffset, bytesToRead)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 487, in readFile
    bytesRead = self._SMBConnection.read_andx(treeId, fileId, offset, toRead)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 1616, in read_andx
    return self.read(tid, fid, offset, max_size, wait_answer)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 1018, in read
    ans = self.recvSMB(packetID)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 376, in recvSMB
    packet = SMB2Packet(data.get_trailer())
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3structs.py", line 434, in __init__
    Structure.__init__(self,data)
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 82, in __init__
    self.fromString(data)
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 140, in fromString
    size = self.calcUnpackSize(field[1], data, field[0])
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 444, in calcUnpackSize
    return self[lengthField]
KeyboardInterrupt
<Greenlet at 0x7f887d865f50: connector('xxx.xxx.xxx.xxx', Namespace(command=None, cred_id=None, depth=10, do, <cme.database.CMEDatabase instance at 0x7f887d5fe7, None, None, None)> failed with KeyboardInterrupt

Function: connector
File: connector.py
Fix:

if args.spider:
    spider = SMBSpider(logger, connection, args)
    try:
        spider.spider(args.spider, args.depth)
    except KeyboardInterrupt:
        logger.error("Keyboard interrupt !")

Thanks again for your work !!!

Alessandro

byt3bl33d3r commented 8 years ago

Awesome, thanks for this! The SMB spider code needs a complete overhaul anyway. As soon as I get some time I'll merge these changes in with the new code.

Cheers!

byt3bl33d3r commented 8 years ago

This should be fixed now, let me know otherwise!

byt3bl33d3r / CrackMapExec