Closed n0bl1nk closed 4 years ago
Hello,
I'm not able to reproduce on my side. The stack trace shows that the method atexec is used, which means that the methods wmiexec and mmexec have also failed. I would nmap the target to check open ports and start from this point.
Hello, I checked with Nmap, everything works properly.
1. I tried on the same domain address with a different Kali.
2. I opened a different domain address, included Windows 8 and Windows 7 machines in it, and tested CME on two different Kali machines.
Result: I got the same result in all environments.
In addition to the pictures I uploaded in the first post:
Windows 7 -- Execute Payload But No Session
Windows 8 -- Same Error Message
New Domain Controller -- Execute Payload And Opened a Session
Sessions
Try with the flag --verbose so we can have the debug output.
Verbose mode
```text
--------------------------------**EXTRA OUTPUT**--------------------------------------
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/impacket/nmb.py", line 979, in non_polling_read
    received = self._sock.recv(bytes_left)
  File "/usr/lib/python3/dist-packages/gevent/_socket3.py", line 382, in recv
    self._wait(self._read_event)
  File "src/gevent/_hub_primitives.py", line 284, in gevent.__hub_primitives.wait_on_socket
  File "src/gevent/_hub_primitives.py", line 289, in gevent.__hub_primitives.wait_on_socket
  File "src/gevent/_hub_primitives.py", line 280, in gevent.__hub_primitives._primitive_wait
  File "src/gevent/_hub_primitives.py", line 281, in gevent.__hub_primitives._primitive_wait
  File "src/gevent/_hub_primitives.py", line 46, in gevent.__hub_primitives.WaitOperationsGreenlet.wait
  File "src/gevent/_hub_primitives.py", line 46, in gevent.__hub_primitives.WaitOperationsGreenlet.wait
  File "src/gevent/_hub_primitives.py", line 55, in gevent.__hub_primitives.WaitOperationsGreenlet.wait
  File "src/gevent/_waiter.py", line 151, in gevent.__waiter.Waiter.get
  File "src/gevent/_greenlet_primitives.py", line 60, in gevent.__greenlet_primitives.SwitchOutGreenletWithLoop.switch
  File "src/gevent/_greenlet_primitives.py", line 60, in gevent.__greenlet_primitives.SwitchOutGreenletWithLoop.switch
  File "src/gevent/_greenlet_primitives.py", line 64, in gevent.__greenlet_primitives.SwitchOutGreenletWithLoop.switch
  File "src/gevent/__greenlet_primitives.pxd", line 35, in gevent.__greenlet_primitives._greenlet_switch
socket.timeout: timed out

During handling of the above exception, another exception occurred:

--------------------------------**END**---------------------------------------
Traceback (most recent call last):
  File "src/gevent/greenlet.py", line 766, in gevent._greenlet.Greenlet.run
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/protocols/smb.py", line 110, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/connection.py", line 47, in __init__
    self.proto_flow()
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/connection.py", line 84, in proto_flow
    self.call_modules()
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/connection.py", line 114, in call_modules
    self.module.on_admin_login(context, self)
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/modules/met_inject.py", line 55, in on_admin_login
    connection.ps_execute(command, force_ps32=True)
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/connection.py", line 18, in _decorator
    return func(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/protocols/smb.py", line 485, in ps_execute
    self.execute(create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods)
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/connection.py", line 18, in _decorator
    return func(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/protocols/smb.py", line 83, in _decorator
    output = func(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/protocols/smb.py", line 464, in execute
    output = u'{}'.format(exec_method.execute(payload, get_output).strip())
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/protocols/smb/atexec.py", line 44, in execute
    self.execute_handler(command)
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/protocols/smb/atexec.py", line 63, in execute_handler
    self.doStuff(data)
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/protocols/smb/atexec.py", line 144, in doStuff
    tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/tsch.py", line 673, in hSchRpcRegisterTask
    return dce.request(request)
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 855, in request
    self.call(request.opnum, request, uuid)
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 844, in call
    return self.send(DCERPC_RawCall(function, body.getData(), uuid))
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1295, in send
    self._transport_send(data, forceWriteAndx = 1, forceRecv =data['flags'] & PFC_LAST_FRAG)
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1234, in _transport_send
    self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/transport.py", line 435, in send
    self.__smb_connection.writeFile(self.__tid, self.__handle, data)
  File "/usr/local/lib/python3.8/dist-packages/impacket/smbconnection.py", line 565, in writeFile
    return self._SMBConnection.writeFile(treeId, fileId, data, offset)
  File "/usr/local/lib/python3.8/dist-packages/impacket/smb3.py", line 1583, in writeFile
    written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
  File "/usr/local/lib/python3.8/dist-packages/impacket/smb3.py", line 1287, in write
    ans = self.recvSMB(packetID)
  File "/usr/local/lib/python3.8/dist-packages/impacket/smb3.py", line 436, in recvSMB
    data = self._NetBIOSSession.recv_packet(self._timeout)
  File "/usr/local/lib/python3.8/dist-packages/impacket/nmb.py", line 914, in recv_packet
    data = self.__read(timeout)
  File "/usr/local/lib/python3.8/dist-packages/impacket/nmb.py", line 997, in __read
    data = self.read_function(4, timeout)
  File "/usr/local/lib/python3.8/dist-packages/impacket/nmb.py", line 981, in non_polling_read
    raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
2020-06-23T16:04:14Z <Greenlet at 0x7f96808b76a0: smb(Namespace(aesKey=False, clear_obfscripts=False, co, <protocol.database object at 0x7f9680ae7eb0>, '192.168.211.20')> failed with NetBIOSTimeout
```
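The maintainer's reading of the stack trace above (which exec method CME ended up in, and what the innermost failure was) can be automated for triage. The following is an added example, not code from the thread or from CrackMapExec; the sample output is a constructed excerpt of the verbose output posted above, and the frame, module and exception line patterns are assumptions about the Python traceback format.

```python
import re

# Constructed excerpt of the --verbose output from this thread: two chained
# tracebacks (the inner socket timeout and the outer NetBIOSTimeout).
SAMPLE_OUTPUT = """\
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/impacket/nmb.py", line 979, in non_polling_read
    received = self._sock.recv(bytes_left)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/protocols/smb.py", line 464, in execute
    output = u'{}'.format(exec_method.execute(payload, get_output).strip())
  File "/usr/local/lib/python3.8/dist-packages/crackmapexec-5.0.2.dev0-py3.8.egg/cme/protocols/smb/atexec.py", line 144, in doStuff
    tsch.hSchRpcRegisterTask(dce, '\\\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
  File "/usr/local/lib/python3.8/dist-packages/impacket/nmb.py", line 981, in non_polling_read
    raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
"""

# A traceback frame line: File "<path>", line <n>, in <func>
FRAME_RE = re.compile(r'^\s*File "(?P<path>[^"]+)", line \d+, in \S+')
# Exec-method modules live under cme/protocols/smb/<method>.py (assumed layout)
METHOD_RE = re.compile(r"/cme/protocols/smb/(?P<method>\w+)\.py$")
# A non-indented "package.ExceptionClass: message" line closes one traceback
EXC_RE = re.compile(r"^(?P<name>[A-Za-z_][\w.]*): (?P<msg>.+)$")

def triage(output):
    """Return (exec_method, exceptions) from CME --verbose output: the
    cme/protocols/smb/<method>.py of the last such frame seen, and one
    (class, message) pair per chained traceback, innermost first."""
    method = None
    exceptions = []
    for line in output.splitlines():
        frame = FRAME_RE.match(line)
        if frame:
            hit = METHOD_RE.search(frame.group("path"))
            if hit:
                method = hit.group("method")
            continue
        exc = EXC_RE.match(line)
        if exc:
            exceptions.append((exc.group("name"), exc.group("msg")))
    return method, exceptions
```

For the output posted above, `triage` reports `atexec` as the method in use and `socket.timeout` as the innermost cause, which is what points at a network-level problem rather than the module itself.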
Hello, any progress? Is there a fix that can be made by the user?
This problem is no longer present.
Describe the bug
Can only get the connection with the domain admin user on the domain controller. I get an error message on other clients.

Screenshots
met_inject with authorized user
Only the connection on the domain controller was available
Error message
CrackMapExec info

How was the setup done?
```shell
apt-get install -y libssl-dev libffi-dev python-dev build-essential
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
python3 setup.py install
```

Additional context
impacket packages are up to date: pip3 install --upgrade impacket