byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

MSSQL SSL/TLS WantRead error #344

Closed 0x5ECF4ULT closed 4 years ago

0x5ECF4ULT commented 4 years ago

Steps to reproduce

  1. Launch cme mssql <target> -u <username> -H <hash> --local-auth
  2. See error

Command string used

See above point 1

CME verbose output (using the --verbose flag)

DEBUG Passed args:
{'auth_type': 'windows',
 'clear_obfscripts': False,
 'cred_id': [],
 'darrell': False,
 'domain': None,
 'execute': None,
 'fail_limit': None,
 'force_ps32': False,
 'gfail_limit': None,
 'hash': ['redacted'],
 'jitter': None,
 'list_modules': False,
 'local_auth': True,
 'module': None,
 'module_options': [],
 'mssql_query': None,
 'no_output': False,
 'obfs': False,
 'password': [],
 'port': 1433,
 'protocol': 'mssql',
 'ps_execute': None,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'show_module_options': False,
 'target': ['redacted'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'username': ['redacted'],
 'verbose': True}
DEBUG Encryption required, switching to TLS
Traceback (most recent call last):
  File "/home/tacticaldevc/.local/lib/python3.7/site-packages/impacket/tds.py", line 917, in login
    tls.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1622, in _raise_ssl_error
    raise WantReadError()
OpenSSL.SSL.WantReadError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "src/gevent/greenlet.py", line 766, in gevent._greenlet.Greenlet.run
  File "/usr/local/lib/python3.7/dist-packages/crackmapexec-5.0.0.dev0-py3.7.egg/cme/protocols/mssql.py", line 22, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/local/lib/python3.7/dist-packages/crackmapexec-5.0.0.dev0-py3.7.egg/cme/connection.py", line 42, in __init__
    self.proto_flow()
  File "/usr/local/lib/python3.7/dist-packages/crackmapexec-5.0.0.dev0-py3.7.egg/cme/protocols/mssql.py", line 53, in proto_flow
    self.login()
  File "/usr/local/lib/python3.7/dist-packages/crackmapexec-5.0.0.dev0-py3.7.egg/cme/connection.py", line 201, in login
    if self.hash_login(self.domain, user, ntlm_hash): return True
  File "/usr/local/lib/python3.7/dist-packages/crackmapexec-5.0.0.dev0-py3.7.egg/cme/protocols/mssql.py", line 190, in hash_login
    res = self.conn.login(None, username, '', domain, ':' + nthash if not lmhash else ntlm_hash, True)
  File "/home/tacticaldevc/.local/lib/python3.7/site-packages/impacket/tds.py", line 921, in login
    tds = self.recvTDS()
  File "/home/tacticaldevc/.local/lib/python3.7/site-packages/impacket/tds.py", line 606, in recvTDS
    packet = TDSPacket(self.socketRecv(packetSize))
  File "/home/tacticaldevc/.local/lib/python3.7/site-packages/impacket/structure.py", line 84, in __init__
    self.fromString(data)
  File "/home/tacticaldevc/.local/lib/python3.7/site-packages/impacket/structure.py", line 149, in fromString
    self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
  File "/home/tacticaldevc/.local/lib/python3.7/site-packages/impacket/structure.py", line 382, in unpack
    return unpack(format, data)[0]
struct.error: ('unpack requires a buffer of 1 bytes', "When unpacking field 'Type | <B | b''[:1]'")
2020-04-20T08:55:01Z <Greenlet at 0x7f0b6f2c34d0: mssql(Namespace(auth_type='windows', clear_obfscripts=Fa, <protocol.database object at 0x7f0b6b1e7690>, 'notenserver.htl-wien5.schule')> failed with error

CME Version (cme --version)

5.0.0dev (prior versions also affected)

OS

Ubuntu 19.10

Target OS

Windows Server 2003 R2 SP2

Detailed issue explanation

When executing the command above it fails during SSL/TLS setup. It may be due to the target using SSL/TLS 1.0/1.1.

mpgn commented 4 years ago

Hello, can you try with the mssqlclient tool from impacket to check if the error does not come from impacket?

mssqlclient.py -p 1433 user:password@10.10.10.5

0x5ECF4ULT commented 4 years ago

Yes. Throws the same error

mpgn commented 4 years ago

Open the issue on impacket repo then, don't forget to paste the link of the issue on this thread so I can follow the update :)

0x5ECF4ULT commented 4 years ago

I'm sorry. I've opened an issue here: https://github.com/SecureAuthCorp/impacket/issues/827

mpgn commented 4 years ago

Solution https://github.com/SecureAuthCorp/impacket/issues/827#issuecomment-652966362
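
The traceback in the report ends in `struct.error` because the TDS header parser was handed an empty buffer (`b''[:1]`), which on a TCP socket is what a read returns once the peer has closed the connection. The following is an added example, not code from CrackMapExec or impacket: a TDS packet reader that reports that condition explicitly. The function and class names are hypothetical and the sample packet is constructed.

```python
import socket
import struct

# TDS packet header (MS-TDS): Type, Status, Length, SPID, PacketID, Window.
# Length is big-endian and includes the 8 header bytes.
TDS_HEADER = struct.Struct(">BBHHBB")
TDS_PRE_LOGIN = 0x12  # packet type that also wraps the TLS handshake records
SAMPLE_PAYLOAD = b"\x16\x03\x01\x00\x02hi"  # constructed bytes, not a real handshake


class TDSShortRead(ConnectionError):
    """The peer closed the connection before a full TDS packet arrived."""


def recv_exact(sock, n):
    """Read exactly n bytes, or raise TDSShortRead if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:  # b'' means an orderly close by the peer
            raise TDSShortRead(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return buf


def recv_tds_packet(sock):
    """Read one TDS packet and return its header fields and payload."""
    header = recv_exact(sock, TDS_HEADER.size)
    ptype, status, length, _spid, _pkt_id, _window = TDS_HEADER.unpack(header)
    if length < TDS_HEADER.size:
        raise ValueError(f"invalid TDS length field: {length}")
    payload = recv_exact(sock, length - TDS_HEADER.size)
    return {"type": ptype, "status": status, "payload": payload}


def demo():
    """Constructed scenario: the server sends one packet, then closes."""
    server, client = socket.socketpair()
    length = TDS_HEADER.size + len(SAMPLE_PAYLOAD)
    server.sendall(TDS_HEADER.pack(TDS_PRE_LOGIN, 0x01, length, 0, 0, 0) + SAMPLE_PAYLOAD)
    server.close()
    first = recv_tds_packet(client)
    try:
        second = recv_tds_packet(client)
    except TDSShortRead as exc:
        second = str(exc)
    client.close()
    return first, second


if __name__ == "__main__":
    print(demo())
```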