byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

The tool breaks when using -x or -X with correct credentials #434

Closed init5-SF closed 3 years ago

init5-SF commented 3 years ago

Describe the bug

After updating the tool using apt install, CME breaks when using the -x or -X options.

To Reproduce

root@kali:/opt/tools# crackmapexec smb 192.168.1.111 -u admin -p <password> -x whoami
SMB         192.168.1.111   445    FSOCIETY         [*] Windows 10.0 Build 19041 x64 (name:FSOCIETY) (domain:FSOCIETY) (signing:False) (SMBv1:False)
SMB         192.168.1.111   445    FSOCIETY         [+] FSOCIETY\admin:<password> (Pwn3d!)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 59, in execute_handler
    self.doStuff(data, fileless=True)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 144, in doStuff
    tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
  File "/root/.local/lib/python3.8/site-packages/impacket/dcerpc/v5/tsch.py", line 673, in hSchRpcRegisterTask
    return dce.request(request)
  File "/root/.local/lib/python3.8/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/root/.local/lib/python3.8/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 33, in <module>
    sys.exit(load_entry_point('crackmapexec==5.1.3.dev0', 'console_scripts', 'crackmapexec')())
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 272, in main
    asyncio.run(
  File "/usr/lib/python3.8/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 102, in start_threadpool
    await asyncio.gather(*jobs)
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 68, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.8/asyncio/tasks.py", line 455, in wait_for
    return await fut
  File "/usr/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 121, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 47, in __init__
    self.proto_flow()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 86, in proto_flow
    self.call_cmd_args()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 93, in call_cmd_args
    getattr(self, k)()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 18, in _decorator
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 95, in _decorator
    output = func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 503, in execute
    output = u'{}'.format(exec_method.execute(payload, get_output).strip())
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 44, in execute
    self.execute_handler(command)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 61, in execute_handler
    self.doStuff(data)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 144, in doStuff
    tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
  File "/root/.local/lib/python3.8/site-packages/impacket/dcerpc/v5/tsch.py", line 673, in hSchRpcRegisterTask
    return dce.request(request)
  File "/root/.local/lib/python3.8/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/root/.local/lib/python3.8/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Expected behavior

Should return the result of the whoami command

Crackmapexec info

mpgn commented 3 years ago

Hello,

Can you try with the wmiexec method?

crackmapexec ip -u user -p 'pass' -x whoami --exec-method wmiexec

init5-SF commented 3 years ago

Hi, sure! This test gave a slightly different error:

Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 33, in <module>
    sys.exit(load_entry_point('crackmapexec==5.1.3.dev0', 'console_scripts', 'crackmapexec')())
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 272, in main
    asyncio.run(
  File "/usr/lib/python3.8/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 102, in start_threadpool
    await asyncio.gather(*jobs)
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 68, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.8/asyncio/tasks.py", line 455, in wait_for
    return await fut
  File "/usr/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 121, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 47, in __init__
    self.proto_flow()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 86, in proto_flow
    self.call_cmd_args()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 93, in call_cmd_args
    getattr(self, k)()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 18, in _decorator
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 95, in _decorator
    output = func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 503, in execute
    output = u'{}'.format(exec_method.execute(payload, get_output).strip())
UnboundLocalError: local variable 'exec_method' referenced before assignment
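
The second traceback ends in UnboundLocalError on exec_method rather than in the underlying RPC error, which hides the real reason execution failed. The following is an added illustration of that Python failure mode, not CrackMapExec's own code: a loop that tries execution back-ends in order and only binds the result on success, next to a hardened version that initialises the name and reports every failure. The back-ends, the BACKENDS table and the outcome helper are constructed for the example; the error strings are the ones from this thread.

```python
import logging
from typing import Callable, Dict, List, Optional, Tuple

log = logging.getLogger("exec-chain")


class BackendError(Exception):
    """Raised by a back-end that could not be set up (access denied, bad header, ...)."""


def make_backend(name: str, fails_with: Optional[str]) -> Callable[[], str]:
    """Constructed stand-in for an execution back-end; a real one would open a
    DCE/RPC or DCOM session. It either returns its name or raises BackendError."""
    def connect() -> str:
        if fails_with:
            raise BackendError(f"{name}: {fails_with}")
        return name
    return connect


# Constructed sample: the two errors seen in this thread, plus one working method.
BACKENDS: Dict[str, Callable[[], str]] = {
    "atexec": make_backend("atexec", "rpc_s_access_denied"),
    "wmiexec": make_backend("wmiexec", "RPC_E_INVALID_HEADER"),
    "smbexec": make_backend("smbexec", None),
}


def pick_backend_buggy(order: List[str], backends: Dict[str, Callable[[], str]]) -> str:
    """Buggy pattern: `chosen` is bound only inside the try, so when every
    candidate raises, `return chosen` fails with UnboundLocalError and the
    logged back-end errors are the only trace of what really went wrong."""
    for name in order:
        try:
            chosen = backends[name]()
            break
        except BackendError as e:
            log.debug("%s failed: %s", name, e)
    return chosen


def pick_backend_fixed(order: List[str], backends: Dict[str, Callable[[], str]]) -> str:
    """Hardened pattern: initialise the result, collect every failure, and raise
    one error that names all failed back-ends so the operator sees the cause."""
    chosen: Optional[str] = None
    failures: List[str] = []
    for name in order:
        try:
            chosen = backends[name]()
            break
        except BackendError as e:
            failures.append(str(e))
            log.debug("%s failed: %s", name, e)
    if chosen is None:
        raise RuntimeError("no execution method succeeded: " + "; ".join(failures))
    return chosen


def outcome(picker, order: List[str], backends: Dict[str, Callable[[], str]]) -> Tuple[str, str]:
    """Run a picker and report what an operator would see: the chosen method,
    or the exception type that ended the attempt."""
    try:
        return ("ok", picker(order, backends))
    except Exception as e:  # classify every failure, including UnboundLocalError
        return ("error", type(e).__name__)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(outcome(pick_backend_buggy, ["atexec", "wmiexec"], BACKENDS))
    print(outcome(pick_backend_fixed, ["atexec", "wmiexec"], BACKENDS))
    print(outcome(pick_backend_fixed, ["atexec", "wmiexec", "smbexec"], BACKENDS))
```

With the same failing back-ends the buggy picker reports UnboundLocalError, while the fixed one reports a RuntimeError whose message carries both underlying errors; only the fixed variant tells you that the problem is on the RPC/DCOM side and not in the tool's control flow.
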

mpgn commented 3 years ago

Try with impacket wmiexec

init5-SF commented 3 years ago

Done. It gave me this error:

Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] SMBv3.0 dialect used
[-] DCOM SessionError: code: 0x80010111 - RPC_E_INVALID_HEADER - OLE received a packet with an invalid header.

This is a Windows 10 64-bit (2004). I tried both tools, CME & wmiexec, against a Windows 7 and they both worked fine, including the -x parameter! Seems to be OS dependent. :(

Any thoughts around this?

mpgn commented 3 years ago

The issue seems to be on Impacket's side: https://github.com/SecureAuthCorp/impacket/issues/896

You can install the version 0.22 of impacket to fix this problem.
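
The tracebacks in this thread load cme from /usr/lib/python3/dist-packages (the apt package) but impacket from /root/.local/lib/python3.8/site-packages (a pip --user install), so the impacket that actually runs can differ from the one you think you updated. The following is an added check, not code from CrackMapExec or impacket: it reports which impacket the current interpreter imports and compares its version against the 0.9.22 minimum named above. The version-string parser is a simplified one written for this example and only understands dotted numbers with an optional dev/rc/a/b suffix.

```python
import importlib.metadata
import importlib.util
import re
import sys
from typing import Optional, Tuple

MIN_IMPACKET = "0.9.22"  # version recommended in this thread


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '0.9.21-dev', '0.9.22', '0.9.22.dev0' or 'v0.10.0' into a sortable key.
    A dev/pre-release sorts below the release it precedes, so '0.9.21-dev' < '0.9.21'."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)(?:[.\-]?(dev|rc|a|b)\d*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    if len(numbers) < 4:                      # pad so (0,9,22) and (0,9,22,0) compare equal
        numbers = numbers + (0,) * (4 - len(numbers))
    prerelease = 0 if m.group(2) else 1       # 0 (dev) sorts before 1 (final)
    return numbers, prerelease


def is_at_least(installed: str, minimum: str) -> bool:
    """True when `installed` satisfies the `minimum` version."""
    return parse_version(installed) >= parse_version(minimum)


def loaded_impacket() -> Optional[Tuple[str, str]]:
    """Return (version, path) of the impacket this interpreter would import, or
    None if none is importable. The path is the part that exposes a stale
    ~/.local copy shadowing a system-wide one."""
    spec = importlib.util.find_spec("impacket")
    if spec is None or spec.origin is None:
        return None
    try:
        ver = importlib.metadata.version("impacket")
    except importlib.metadata.PackageNotFoundError:
        ver = "unknown"
    return ver, spec.origin


if __name__ == "__main__":
    print(f"interpreter: {sys.executable}")
    found = loaded_impacket()
    if found is None:
        print("impacket is not importable by this interpreter")
    else:
        ver, path = found
        if ver == "unknown":
            verdict = "version unknown (no dist metadata)"
        else:
            verdict = "OK" if is_at_least(ver, MIN_IMPACKET) else f"TOO OLD, need >= {MIN_IMPACKET}"
        print(f"impacket {ver} from {path}: {verdict}")
```

Run it with the same interpreter that executes the crackmapexec script (the shebang of /usr/bin/crackmapexec, here /usr/bin/python3), since a different python may see a different impacket.
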

iloiote commented 3 years ago

I just need code for Python.

mpgn commented 3 years ago

no update, closing

init5-SF commented 3 years ago

no update, closing

Sorry for the huge delay, I am already using Impacket v0.9.22