byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Error when supplying FQDNs as targets #165

Closed cclements closed 7 years ago

cclements commented 7 years ago

Getting this with the latest 4.0 rev:

----------------------------------------
Exception happened during processing of request from ('172.28.4.28', 56503)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST
    self.server.module.on_response(self.server.context, self)
  File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response
    hostid = context.db.get_computers(response.client_address[0])[0][0]
IndexError: list index out of range
----------------------------------------

This happened on 29/30 systems I targeted today, and cme hung with a "waiting on 29..." message on repeat.

Any more info I can provide to help?

byt3bl33d3r commented 7 years ago

Can you give me all the info that's requested in the Issue template?

Thanks

cclements commented 7 years ago

Steps to reproduce

  1. Run the command referenced below
  2. Observe results

Command string used

cme smb -u 'user' -p 'pass' -M mimikatz

CME verbose output (using the --verbose flag)

https://gist.github.com/cclements/09c6db6a010acab7f6bd345e21973636

OS

Arch Linux

Target OS

See debug output

Detailed issue explanation

byt3bl33d3r commented 7 years ago

From the error it seems like it's unable to pull the host id from the database. Out of curiosity, can you run cmedb->proto smb->hosts and paste the output? Thanks for the report btw.

cclements commented 7 years ago

Not sure if it's the issue, but it looks like the target names are being entered as IPs, but the console log during the run references the IP addresses, e.g.:

MIMIKATZ 172.28.2.68 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -

Hosts:

  HostID  Admins         IP               Hostname                 Domain           OS
  ------  ------         --               --------                 ------           --
  1       1 Cred(s)      172.23.3.50      CDC01                  TEST             Windows Server 2008 R2 Standard 7601 Service Pack 1
  2       1 Cred(s)      CDC01.sometarget.com CDC01                  TEST             Windows Server 2008 R2 Standard 7601 Service Pack 1
  3       1 Cred(s)      CDC03.sometarget.com CDC03                  TEST             Windows Server 2008 R2 Standard 7601 Service Pack 1
  4       1 Cred(s)      CDC02.sometarget.com CDC02                  TEST             Windows Server 2008 R2 Standard 7601 Service Pack 1
  5       1 Cred(s)      ACTSMPROX.sometarget.comACTSMPROX              TEST             Windows Server 2008 R2 Standard 7601 Service Pack 1
  6       1 Cred(s)      ACTSMAD.sometarget.comACTSMAD                TEST             Windows Server 2008 R2 Standard 7601 Service Pack 1
  7       1 Cred(s)      CQAS01.sometarget.comCQAS01                 TEST             Windows Server 2012 R2 Standard 9600
  8       1 Cred(s)      SRV2.sometarget.comSRV2               TEST             Windows Server (R) 2008 Standard 6002 Service Pack 2
  9       1 Cred(s)      SRV3.sometarget.comSRV3               TEST             Windows Server (R) 2008 Standard 6002 Service Pack 2
  10      1 Cred(s)      SRV1.sometarget.comSRV1               TEST             Windows Server (R) 2008 Standard 6002 Service Pack 2
  11      1 Cred(s)      TLPORTAL.sometarget.comTLPORTAL                 TEST             Windows Server 2012 R2 Standard 9600
  12      1 Cred(s)      ACTSM1.sometarget.comACTSM1                 TEST             Windows Server 2008 R2 Enterprise 7601 Service Pack 1
  13      1 Cred(s)      ACDRTSM1.sometarget.comACDRTSM1               TEST             Windows Server 2008 R2 Enterprise 7601 Service Pack 1
  14      1 Cred(s)      TLCANISTER.sometarget.comTLCANISTER               TEST             Windows Server 2012 R2 Standard 9600
  15      1 Cred(s)      AC29.sometarget.com  AC29                   TEST             Windows Server 2012 Standard 9200
  16      1 Cred(s)      ACSEPM.sometarget.comACSEPM                 TEST             Windows Server 2012 R2 Standard 9600
  17      1 Cred(s)      CDRDC01.sometarget.comCDRDC01                TEST             Windows Server 2008 R2 Standard 7601 Service Pack 1
  18      1 Cred(s)      JUMP.sometarget.comJUMP               TEST             Windows Server 2012 R2 Standard 9600
  19      1 Cred(s)      AC51.sometarget.com  AC51                   TEST             Windows Server (R) 2008 Enterprise 6002 Service Pack 2
  20      1 Cred(s)      CIVRTST02.sometarget.comCIVRTST02              TEST             Windows Server 2012 R2 Standard 9600
  21      1 Cred(s)      CIVRTST01.sometarget.comCIVRTST01              TEST             Windows Server 2012 R2 Standard 9600
  22      1 Cred(s)      CCOGNOS01.sometarget.comCCOGNOS01              TEST             Windows Server 2012 R2 Standard 9600
  23      1 Cred(s)      SRV7.sometarget.comSRV7               TEST             Windows Server (R) 2008 Standard 6002 Service Pack 2
  24      1 Cred(s)      ACCOG01.sometarget.comACCOG01                TEST             Windows Server (R) 2008 Standard without Hyper-V 6002 Service Pack 2
  25      1 Cred(s)      SRV5.sometarget.comSRV5               TEST             Windows Server (R) 2008 Standard 6002 Service Pack 2
  26      1 Cred(s)      SRV4.sometarget.comSRV4               TEST             Windows Server (R) 2008 Standard 6002 Service Pack 2
  27      1 Cred(s)      SRV6.sometarget.comSRV6               TEST             Windows Server (R) 2008 Standard 6002 Service Pack 2
  28      1 Cred(s)      CAZDC01.sometarget.comCAZDC01                TEST             Windows Server 2008 R2 Standard 7601 Service Pack 1
  29      1 Cred(s)      JUMPDR.sometarget.comJUMPDR             TEST             Windows Server 2012 R2 Standard 9600
  30      1 Cred(s)      NTISCISVR3V.sometarget.comNTISCISVR3V              TEST             Windows Server 2008 R2 Standard 7601 Service Pack 1

byt3bl33d3r commented 7 years ago

Huh, interesting. Yup, that definitely seems to be the issue. Are you providing hostnames instead of IPs as targets for CME by any chance? Could be a bug in the hostname translation logic.

byt3bl33d3r commented 7 years ago

Also, just FYI (unless you redacted the OSes), it seems like most of the OSes are >= Windows 2008R2, which won't give you creds with mimikatz by default.

cclements commented 7 years ago

Yeah, all the failed targets were specified in the command with the FQDNs. Thanks for the heads up about >2k8R2, I knew about that limitation, this was just a quick spray and pray after I cracked an admin pass during an engagement.

byt3bl33d3r commented 7 years ago

Cool, that's definitely the issue then, should be able to push out a fix later today. Cheers

byt3bl33d3r commented 7 years ago

@cclements should be fixed now. Re-open otherwise. Thanks!
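
The mismatch diagnosed in this thread, as an added example that is not part of the issue and not CrackMapExec's own code or its actual fix: a host row stored under the FQDN that was typed as the target, and a callback handler that looks the host up by source IP. The table layout, function names, host name and addresses are constructed for illustration.

```python
import sqlite3

# Constructed name-to-address map standing in for DNS so the example runs offline.
FAKE_DNS = {"host1.example.test": "192.0.2.10"}

def resolve(name):
    """Hypothetical resolver; a real tool could use socket.gethostbyname here."""
    return FAKE_DNS.get(name, name)

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE computers (id INTEGER PRIMARY KEY, ip TEXT, hostname TEXT)")
    return db

def add_computer(db, target, hostname, normalise=False):
    """Store a host; with normalise=True the target is resolved to an IP first."""
    ip = resolve(target) if normalise else target
    cur = db.execute("INSERT INTO computers (ip, hostname) VALUES (?, ?)", (ip, hostname))
    return cur.lastrowid

def get_computers(db, ip):
    return db.execute("SELECT id, ip, hostname FROM computers WHERE ip = ?", (ip,)).fetchall()

def host_id_unchecked(db, client_ip):
    # Same shape as the failing line in the traceback: indexes an empty result.
    return get_computers(db, client_ip)[0][0]

def host_id_checked(db, client_ip):
    # Returns None on a miss so the HTTP handler can log and carry on.
    rows = get_computers(db, client_ip)
    return rows[0][0] if rows else None

def demo():
    callback_ip = "192.0.2.10"  # source address seen by the callback server
    by_name = open_db()
    add_computer(by_name, "host1.example.test", "HOST1")
    try:
        host_id_unchecked(by_name, callback_ip)
        crashed = False
    except IndexError:
        crashed = True
    by_ip = open_db()
    stored = add_computer(by_ip, "host1.example.test", "HOST1", normalise=True)
    return crashed, host_id_checked(by_name, callback_ip), host_id_checked(by_ip, callback_ip) == stored

if __name__ == "__main__":
    print(demo())
```

Normalising the key at insert time removes the mismatch, and the checked lookup keeps one unmatched callback from raising inside the request handler.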