byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

AttributeError when running cme winrm with usernames file #310

Closed mez-0 closed 5 years ago

mez-0 commented 5 years ago

Steps to reproduce

The winrm mode doesn't like using users/password files. This was used against a HackTheBox machine (Heist), and in doing so cme crashed. Note, here is the machine info: Windows 10.0 Build 17763 x64

> cme winrm 10.10.10.149 -u usernames.txt -p passwords.txt          
WINRM       10.10.10.149    5985   SUPPORTDESK      [*] http://10.10.10.149:5985/wsman
Traceback (most recent call last):
  File "src/gevent/greenlet.py", line 817, in gevent._greenlet.Greenlet.run
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/winrm.py", line 22, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 41, in __init__
    self.proto_flow()
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/winrm.py", line 42, in proto_flow
    if self.login():
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 168, in login
    if self.args.hash:
AttributeError: 'Namespace' object has no attribute 'hash'
2019-08-14T19:00:18Z <Greenlet at 0x7ff9aa95adb8: winrm(Namespace(cred_id=[], darrell=False, domain=None, , <protocol.database instance at 0x7ff9b2487710>, '10.10.10.149')> failed with AttributeError

1. Simply run the command against the box and watch it die.

Command string used

cme winrm 10.10.10.149 -u usernames.txt -p passwords.txt

CME verbose output (using the --verbose flag)

> cme --verbose winrm 10.10.10.149 -u usernames.txt -p passwords.txt
DEBUG Passed args:
{'cred_id': [],
 'darrell': False,
 'domain': None,
 'execute': None,
 'fail_limit': None,
 'gfail_limit': None,
 'jitter': None,
 'list_modules': False,
 'local_auth': False,
 'module': None,
 'module_options': [],
 'no_output': False,
 'password': ['passwords.txt'],
 'protocol': 'winrm',
 'ps_execute': None,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'show_module_options': False,
 'target': ['10.10.10.149'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'username': ['usernames.txt'],
 'verbose': True}
DEBUG Starting new HTTPS connection (1): 10.10.10.149:5986
DEBUG Starting new HTTP connection (1): 10.10.10.149:5985
DEBUG http://10.10.10.149:5985 "GET /wsman HTTP/1.1" 405 0

CME Version (cme --version)

4.0.1dev - Bug Pr0n

OS

Distributor ID: Ubuntu
Description:    Ubuntu 18.04.3 LTS
Release:    18.04
Codename:   bionic
Linux meliodas 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Target OS

> cme smb 10.10.10.149                                              
SMB         10.10.10.149    445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)

Detailed issue explanation

It seems to communicate with cme winrm 10.10.10.149 -u admin -p admin, but when the list is specified, that's when it dies.

It also works if you use:

cme --verbose winrm 10.10.10.149 -u admin -p passwords.txt

But, it crashes when -u usernames.txt and -p secr3t.

For reference, the usernames file is:

> cat usernames.txt 
rout3r
admin
hazard

awsmhacks commented 5 years ago

@mez0cc
right after the line winrm_parser = parser.add_parser('winrm', help="own stuff using WINRM", parents=[std_parser, module_parser]) in /cme/protocols/winrm.py (line 26)

Add this line: winrm_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')

then rebuild ~
python setup.py install
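
As an added illustration (not code from this issue or from CrackMapExec itself), a reduced argparse reproduction of the failure mode discussed above: a login routine shared by all protocols reads args.hash, but the winrm subparser never registered --hash, so its Namespace lacks the attribute. The parser layout and login stubs are simplified assumptions, and the file-versus-single-user branch of the real login code is not modelled.

```python
"""Reduced reproduction of the #310 crash: shared login code reads
args.hash, but only the smb subparser defined the --hash flag."""
import argparse


def build_parser(winrm_defines_hash):
    # Assumed layout: a shared std_parser with per-protocol subparsers.
    std_parser = argparse.ArgumentParser(add_help=False)
    std_parser.add_argument('target', nargs='+')
    std_parser.add_argument('-u', '--username', nargs='+', default=[])
    std_parser.add_argument('-p', '--password', nargs='+', default=[])
    parser = argparse.ArgumentParser(prog='cme')
    sub = parser.add_subparsers(dest='protocol')
    smb = sub.add_parser('smb', parents=[std_parser])
    smb.add_argument('-H', '--hash', dest='hash', nargs='+', default=[])
    winrm = sub.add_parser('winrm', parents=[std_parser])
    if winrm_defines_hash:
        # The fix from the comment above: register --hash on winrm too.
        winrm.add_argument('-H', '--hash', dest='hash', nargs='+', default=[])
    return parser


def login_original(args):
    # Mirrors the shared login check: assumes every protocol defined --hash.
    if args.hash:
        return 'hash'
    return 'password'


def login_hardened(args):
    # Defensive variant: tolerate subparsers that never registered --hash.
    if getattr(args, 'hash', []):
        return 'hash'
    return 'password'


def reproduce(argv, fixed=False, hardened=False):
    """Return the auth path chosen, or the exception name if login crashes."""
    args = build_parser(winrm_defines_hash=fixed).parse_args(argv)
    login = login_hardened if hardened else login_original
    try:
        return login(args)
    except AttributeError as exc:
        return type(exc).__name__
```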

mez-0 commented 5 years ago

@awsmhacks, sorted it. Thanks.