byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

RC4 cipher drops error in cme mssql mode (i.e. "no cipher match") ! #173

Closed jaredbarez closed 7 years ago

jaredbarez commented 7 years ago

Steps to reproduce

git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec && git submodule init && git submodule update --recursive
python setup.py install
cme mssql -u sa -p 'badpass!!!' -a normal 10.10.10.10

Command string used (command launched as root)

cme mssql -u sa -p 'badpass!!!' -a normal 10.10.10.10

CME verbose output (using the --verbose flag)

DEBUG Passed args:
{'auth_type': 'normal',
 'cred_id': [],
 'darrell': False,
 'domain': None,
 'execute': None,
 'fail_limit': None,
 'force_ps32': False,
 'gfail_limit': None,
 'hash': [],
 'jitter': None,
 'list_modules': False,
 'local_auth': False,
 'module': None,
 'module_options': [],
 'no_output': False,
 'password': ['badpass!!!'],
 'port': 1433,
 'protocol': 'mssql',
 'ps_execute': None,
 'query': None,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'show_module_options': False,
 'target': ['10.10.10.10'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'username': ['sa'],
 'verbose': True}
DEBUG Encryption required, switching to TLS
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent-1.2.1-py2.7-linux-i686.egg/gevent/greenlet.py", line 536, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/protocols/mssql.py", line 24, in __init__
    connection.__init__(self, args, db , host)
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/connection.py", line 39, in __init__
    self.proto_flow()
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/protocols/mssql.py", line 51, in proto_flow
    self.login()
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/connection.py", line 211, in login
    if self.plaintext_login(self.domain, user, password): return True
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/protocols/mssql.py", line 149, in plaintext_login
    res = self.conn.login(None, username, password, domain, None, True if self.args.auth_type is 'windows' else False)
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/tds.py", line 862, in login
    ctx.set_cipher_list('RC4')
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 832, in set_cipher_list
    _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1
  File "/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 61, in openssl_assert
    exception_from_error_queue(error)
  File "/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
Error: [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher match')]
Wed May 17 16:58:39 2017 <Greenlet at 0xb6b65e3cL: mssql(Namespace(auth_type='normal', cred_id=[], darrell=, <protocol.database instance at 0xb6b7c9cc>, '10.10.10.10')> failed with Error

OS

Kali Linux 2017.1 4.9.0-kali4-686-pae (same issue in amd64 version)

Target OS

Windows Server 2008 R2 Standard 7601 Service Pack 1

Detailed issue explanation

Default install of Kali Linux 2017.1 and default install of CME (dev). Cannot get it working (as described) although connecting with provided credentials works without problem when used from within msfconsole. Please help

byt3bl33d3r commented 7 years ago

I've run into this as well. It seems to be an issue with Impacket's MS-TDS implementation and some changes that were made to pyOpenSSL (https://github.com/CoreSecurity/impacket/issues/269). Whenever I get the time I'll try to look into it more closely.
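
The "no cipher match" in the traceback above is raised by OpenSSL itself, before any packet reaches the server: the client asked for a cipher list ("RC4") that the linked OpenSSL build no longer contains. The following is an added example, not code from CME, Impacket or this thread. It uses the standard-library ssl module instead of pyOpenSSL (the same SSL_CTX_set_cipher_list call sits underneath both), and shows how to check a cipher string against the local OpenSSL and fall back to a broader list instead of failing. The CANDIDATE_LISTS order is an assumption made for the example, not what the Impacket fix does.

```python
"""Probe which TLS cipher strings the local OpenSSL build will accept.

Added example (not CME or Impacket code). ssl.SSLContext.set_ciphers() is the
stdlib equivalent of pyOpenSSL's Context.set_cipher_list(); both call
SSL_CTX_set_cipher_list, which fails with "no cipher match" when the string
expands to no compiled-in cipher suite.
"""
import ssl

# Constructed preference list (assumed for this example): the legacy pinned
# string first, then progressively broader OpenSSL cipher strings.
CANDIDATE_LISTS = ["RC4", "HIGH:!aNULL", "DEFAULT"]


def cipher_list_supported(cipher_string):
    """Return True if set_ciphers() accepts cipher_string on this OpenSSL.

    A string that matches no available suite makes set_ciphers() raise
    ssl.SSLError, which is the Python-level form of the
    'SSL_CTX_set_cipher_list ... no cipher match' error in the traceback.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def matching_ciphers(cipher_string):
    """Names of the suites the context offers after applying cipher_string.

    Returns an empty list when the string matches nothing. When it does
    match, the list also contains the TLS 1.3 suites OpenSSL enables
    independently of the cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def choose_cipher_list(candidates):
    """Return the first candidate string the local OpenSSL accepts, or None."""
    for cipher_string in candidates:
        if cipher_list_supported(cipher_string):
            return cipher_string
    return None


def build_context(candidates=CANDIDATE_LISTS):
    """Build a client context from the first usable cipher string.

    Raises ssl.SSLError with a clear message if no candidate matches, instead
    of the bare 'no cipher match' tuple seen in the issue.
    """
    chosen = choose_cipher_list(candidates)
    if chosen is None:
        raise ssl.SSLError("none of the candidate cipher strings match "
                           "a suite in " + ssl.OPENSSL_VERSION)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(chosen)
    return ctx, chosen


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for s in CANDIDATE_LISTS:
        names = matching_ciphers(s)
        state = "supported" if names else "no cipher match"
        print(f"{s!r}: {state} ({len(names)} suites)")
    _, chosen = build_context()
    print("context built with cipher string:", chosen)
```

On a current Kali or Debian OpenSSL the first line of output reports `'RC4': no cipher match (0 suites)`, which is exactly the condition that produced the traceback; the context is then built from the next candidate. The point for anyone maintaining such a client is that the remedy is to stop pinning a withdrawn suite and offer the server a modern list, not to re-enable RC4 in the local OpenSSL.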

byt3bl33d3r commented 7 years ago

This was fixed in Impacket with https://github.com/CoreSecurity/impacket/commit/754ee112e525ec1842115b9001fa5535e31e403d

Cheers

jaredbarez commented 7 years ago

Hmmmm... After updating impacket (and CME) now I get a new type of error: "[Error 104] Connection reset by peer":

cme --verbose mssql 10.10.10.10 -u sa -p 'badpass!!!' -a normal
DEBUG Passed args:
{'auth_type': 'normal',
 'cred_id': [],
 'darrell': False,
 'domain': None,
 'execute': None,
 'fail_limit': None,
 'force_ps32': False,
 'gfail_limit': None,
 'hash': [],
 'jitter': None,
 'list_modules': False,
 'local_auth': False,
 'module': None,
 'module_options': [],
 'no_output': False,
 'password': ['badpass!!!'],
 'port': 1433,
 'protocol': 'mssql',
 'ps_execute': None,
 'query': None,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'show_module_options': False,
 'target': ['10.10.10.10'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'username': ['sa'],
 'verbose': True}
MSSQL 10.10.10.10 1433 None [*] MSSQL DB Instances: 1
MSSQL 10.10.10.10 1433 None Instance 0
MSSQL 10.10.10.10 1433 None ServerName:TEST
MSSQL 10.10.10.10 1433 None tcp:1433
MSSQL 10.10.10.10 1433 None IsClustered:No
MSSQL 10.10.10.10 1433 None Version:10.50.2500.0
MSSQL 10.10.10.10 1433 None np:\TEST\pipe\MSSQL$TEST\sql\query
MSSQL 10.10.10.10 1433 None InstanceName:TEST

DEBUG Encryption required, switching to TLS
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent-1.2.1-py2.7-linux-i686.egg/gevent/greenlet.py", line 536, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/protocols/mssql.py", line 24, in __init__
    connection.__init__(self, args, db , host)
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/connection.py", line 39, in __init__
    self.proto_flow()
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/protocols/mssql.py", line 51, in proto_flow
    self.login()
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/connection.py", line 211, in login
    if self.plaintext_login(self.domain, user, password): return True
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/protocols/mssql.py", line 149, in plaintext_login
    res = self.conn.login(None, username, password, domain, None, True if self.args.auth_type is 'windows' else False)
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/tds.py", line 914, in login
    tds = self.recvTDS()
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/tds.py", line 577, in recvTDS
    packet = TDSPacket(self.socketRecv(packetSize))
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/tds.py", line 557, in socketRecv
    data = self.socket.recv(packetSize)
  File "/usr/local/lib/python2.7/dist-packages/gevent-1.2.1-py2.7-linux-i686.egg/gevent/_socket2.py", line 277, in recv
    return sock.recv(*args)
error: [Errno 104] Connection reset by peer
Mon May 22 10:22:15 2017 <Greenlet at 0xb6bcde3cL: mssql(Namespace(auth_type='normal', cred_id=[], darrell=, <protocol.database instance at 0xb6be49ec>, '10.10.10.10')> failed with error
