byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

crackmapexec `--shares` feature bugs out sometimes. #476

Closed Xyan1d3 closed 3 years ago

Xyan1d3 commented 3 years ago

The --shares feature does not work consistently and bugs out 80% of the time.

I have a habit of running cme everywhere I see SMB. When I run `crackmapexec smb 10.10.10.134 -u '' -p '' --shares` it spits out a lot of errors.

It should have listed the shares and the access I have on the respective shares.


┌─[Magisk@Xyan1d3]─[10.10.14.18]─[~/htb/bastion]
└──╼ # crackmapexec smb 10.10.10.134 -u '' -p '' --shares
SMB         10.10.10.134    445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB         10.10.10.134    445    BASTION          [-] Bastion\: STATUS_ACCESS_DENIED
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket/nmb.py", line 979, in non_polling_read
    received = self._sock.recv(bytes_left)
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 542, in shares
    for share in self.conn.listShares():
  File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 407, in listShares
    dce.connect()
  File "/usr/local/lib/python3.9/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 800, in connect
    return self._transport.connect()
  File "/usr/local/lib/python3.9/dist-packages/impacket/dcerpc/v5/transport.py", line 411, in connect
    self.__tid = self.__smb_connection.connectTree('IPC$')
  File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 384, in connectTree
    return self._SMBConnection.connect_tree(share)
  File "/usr/local/lib/python3.9/dist-packages/impacket/smb.py", line 2763, in tree_connect_andx
    smb = self.recvSMB()
  File "/usr/local/lib/python3.9/dist-packages/impacket/smb.py", line 2521, in recvSMB
    r = self._sess.recv_packet(self.__timeout)
  File "/usr/local/lib/python3.9/dist-packages/impacket/nmb.py", line 914, in recv_packet
    data = self.__read(timeout)
  File "/usr/local/lib/python3.9/dist-packages/impacket/nmb.py", line 997, in __read
    data = self.read_function(4, timeout)
  File "/usr/local/lib/python3.9/dist-packages/impacket/nmb.py", line 983, in non_polling_read
    raise NetBIOSError('Error occurs while reading from remote', ERRCLASS_OS, ex[0])
TypeError: 'ConnectionResetError' object is not subscriptable

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 33, in <module>
    sys.exit(load_entry_point('crackmapexec==5.1.4.dev0', 'console_scripts', 'crackmapexec')())
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 272, in main
    asyncio.run(
  File "/usr/lib/python3.9/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 102, in start_threadpool
    await asyncio.gather(*jobs)
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 68, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.9/asyncio/tasks.py", line 442, in wait_for
    return await fut
  File "/usr/lib/python3.9/concurrent/futures/thread.py", line 52, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 121, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 59, in __init__
    self.proto_flow()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 99, in proto_flow
    self.call_cmd_args()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 106, in call_cmd_args
    getattr(self, k)()
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 581, in shares
    error = e.getErrorString()
AttributeError: 'TypeError' object has no attribute 'getErrorString'

Crackmapexec info

The smbclient works as expected.
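The traceback above shows two stacked defects: impacket's `nmb.py` indexes the caught socket exception (`ex[0]`), which worked on Python 2 but raises `TypeError` on Python 3, and CME's `shares()` handler then calls `e.getErrorString()` on that `TypeError` as though it were an impacket `SessionError`. The following is an added example, not CrackMapExec or impacket code, of a share-listing wrapper that reports both kinds of failure (an SMB status such as `STATUS_ACCESS_DENIED`, and a transport error buried under a secondary exception) instead of crashing. The `SessionError` class and the connection objects are constructed stand-ins so the example runs offline; the share names in the success case are taken from the output later in this thread.

```python
# Added example (not CrackMapExec/impacket code): make share enumeration
# degrade to an error message instead of a crash, whatever the failure.


class SessionError(Exception):
    """Stand-in for impacket's SessionError (assumption: impacket's real
    class exposes getErrorString() returning a (name, description) tuple)."""

    def __init__(self, error_code, error_name, description):
        super().__init__(error_name)
        self.error_code = error_code
        self.error_name = error_name
        self.description = description

    def getErrorString(self):
        return self.error_name, self.description


def describe_share_error(exc):
    """Return a one-line description of why listing shares failed.

    SMB-level failures carry a named NT status; anything else is walked back
    through the implicit exception chain (__context__) so that the original
    socket error is reported rather than the TypeError raised while handling it.
    """
    if isinstance(exc, SessionError):
        name, desc = exc.getErrorString()
        return f"{name}: {desc}"
    cause = exc
    while cause.__context__ is not None and not isinstance(cause, OSError):
        cause = cause.__context__
    if isinstance(cause, OSError):
        return f"transport error: [Errno {cause.errno}] {cause.strerror}"
    return f"{type(exc).__name__}: {exc}"


def list_shares_safely(conn):
    """Return (shares, error); error is None on success. Never raises."""
    try:
        return list(conn.listShares()), None
    except Exception as exc:  # noqa: BLE001 - the whole point is to catch everything
        return [], describe_share_error(exc)


# --- constructed connection stand-ins reproducing the behaviours in the report ---

class ResetConnection:
    """Reproduces the failure chain from the traceback: the peer resets the
    socket, and the except block then indexes the exception object."""

    def listShares(self):
        try:
            raise ConnectionResetError(104, "Connection reset by peer")
        except ConnectionResetError as ex:
            # Python 2 idiom: on Python 3 this raises TypeError
            # ("'ConnectionResetError' object is not subscriptable").
            # The Python 3 equivalent would be ex.errno or ex.args[0].
            return ex[0]


class DeniedConnection:
    """Reproduces the STATUS_ACCESS_DENIED reply from the null-session attempt."""

    def listShares(self):
        raise SessionError(0xC0000022, "STATUS_ACCESS_DENIED", "Access is denied.")


class OkConnection:
    """Returns the share names seen in the working run later in the thread."""

    def listShares(self):
        return ["ADMIN$", "Backups", "C$", "IPC$"]


if __name__ == "__main__":
    for conn in (ResetConnection(), DeniedConnection(), OkConnection()):
        shares, error = list_shares_safely(conn)
        print(type(conn).__name__, "->", shares if error is None else error)
```

The `__context__` walk is what makes the transport case readable: the `TypeError` is only a symptom of the handler, and the `ConnectionResetError` beneath it is the fact worth logging.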

mpgn commented 3 years ago

Thanks I will check :)

mpgn commented 3 years ago

So, the server is not vulnerable to null session but to anonymous authentication:

┌──(mpgn㉿kali)-[~/CrackMapExec]
└─$ poetry run crackmapexec smb 10.10.10.134 -u 'a' -p '' --shares  
SMB         10.10.10.134    445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB         10.10.10.134    445    BASTION          [+] Bastion\a: 
SMB         10.10.10.134    445    BASTION          [+] Enumerated shares
SMB         10.10.10.134    445    BASTION          Share           Permissions     Remark
SMB         10.10.10.134    445    BASTION          -----           -----------     ------
SMB         10.10.10.134    445    BASTION          ADMIN$                          Remote Admin
SMB         10.10.10.134    445    BASTION          Backups         READ            
SMB         10.10.10.134    445    BASTION          C$                              Default share
SMB         10.10.10.134    445    BASTION          IPC$                            Remote IPC                                                                                                 

:)

Don't hesitate to reopen the issue if needed :)