byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Unable to perform command execution via -X #478

Closed sysdefendr closed 2 years ago

sysdefendr commented 3 years ago

Command string used

sudo crackmapexec smb 10.0.0.40 -u Administrator -p P@ssword! -X whoami

CME verbose output (using the --verbose flag)

┌──(kali㉿sysaggressr)-[~]
└─$ crackmapexec --verbose                                                                                                                                                                              2 ⨯
DEBUG Passed args:
{'darrell': False,
 'jitter': None,
 'protocol': None,
 'threads': 100,
 'timeout': None,
 'verbose': True}
Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 33, in <module>
    sys.exit(load_entry_point('crackmapexec==5.1.4.dev0', 'console_scripts', 'crackmapexec')())
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 202, in main
    protocol_path = p_loader.get_protocols()[args.protocol]['path']
KeyError: None

CME Version (cme --version)

┌──(kali㉿sysaggressr)-[~]
└─$ sudo crackmapexec --version                                                                                                                                                                         2 ⨯
usage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose] {smb,winrm,mssql,ldap,ssh} ...
crackmapexec: error: unrecognized arguments: --version

OS

Kali 2021.2

Target OS

Windows 10 Enterprise Evaluation v21H1

Detailed issue explanation

I can check against creds but trying to run commands with -X is not working for me. https://github.com/byt3bl33d3r/CrackMapExec/issues/434 has some suggestions, like changing to v 22 of impacket. I installed that version and it still gets stuck. After it gives me the list of systems I can gain access to, several minutes elapse and then the Python traceback error pops up.

┌──(kali㉿sysaggressr)-[~/tools/impacket]
└─$ sudo crackmapexec smb 10.0.0.40 -u Administrator -p P@ssword! -X whoami       
SMB         10.0.0.40       445    WINDEV2106EVAL   [*] Windows 10.0 Build 19041 x64 (name:WINDEV2106EVAL) (domain:WinDev2106Eval) (signing:False) (SMBv1:False)
SMB         10.0.0.40       445    WINDEV2106EVAL   [+] WinDev2106Eval\Administrator:P@ssword! (Pwn3d!)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 59, in execute_handler
    self.doStuff(data, fileless=True)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 144, in doStuff
    tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/tsch.py", line 673, in hSchRpcRegisterTask
    return dce.request(request)
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 857, in request
    answer = self.recv()
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1321, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 33, in <module>
    sys.exit(load_entry_point('crackmapexec==5.1.4.dev0', 'console_scripts', 'crackmapexec')())
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 272, in main
    asyncio.run(
  File "/usr/lib/python3.9/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 102, in start_threadpool
    await asyncio.gather(*jobs)
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 68, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.9/asyncio/tasks.py", line 442, in wait_for
    return await fut
  File "/usr/lib/python3.9/concurrent/futures/thread.py", line 52, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 121, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 59, in __init__
    self.proto_flow()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 99, in proto_flow
    self.call_cmd_args()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 106, in call_cmd_args
    getattr(self, k)()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 30, in _decorator
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 526, in ps_execute
    self.execute(create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs, custom_amsi=amsi_bypass), get_output, methods)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 30, in _decorator
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 95, in _decorator
    output = func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 504, in execute
    output = u'{}'.format(exec_method.execute(payload, get_output).strip())
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 44, in execute
    self.execute_handler(command)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 61, in execute_handler
    self.doStuff(data)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 144, in doStuff
    tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/tsch.py", line 673, in hSchRpcRegisterTask
    return dce.request(request)
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 857, in request
    answer = self.recv()
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1321, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied
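
Added example, not part of the original report and not CrackMapExec code: a small Python parser for the chained traceback above, run on a trimmed copy of it (constructed sample; `parse_chain` and `frames_in` are hypothetical helper names). It shows that both attempts, the `fileless=True` call at atexec.py line 59 and the retry at line 61, stop at the same `hSchRpcRegisterTask` call with `rpc_s_access_denied`.

```python
import re

# Constructed sample: the report's traceback trimmed to its atexec.py frames.
SAMPLE = r'''Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 59, in execute_handler
    self.doStuff(data, fileless=True)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 144, in doStuff
    tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 61, in execute_handler
    self.doStuff(data)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb/atexec.py", line 144, in doStuff
    tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied
'''

FRAME = re.compile(r'^\s+File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
HEADER = "Traceback (most recent call last):"

def parse_chain(text):
    """Return one dict per exception in a chained traceback, in raise order."""
    chain, frames = [], None
    for raw in text.splitlines():
        if raw.strip() == HEADER:
            frames = []                      # a new traceback starts
        elif frames is None:
            continue                         # prose or tool output between tracebacks
        elif (m := FRAME.match(raw)):
            frames.append({"path": m["path"], "line": int(m["line"]), "func": m["func"], "code": ""})
        elif raw[:1].isspace():
            if frames and raw.strip():
                frames[-1]["code"] = raw.strip()   # source line of the last frame
        elif raw.strip():
            exc, _, msg = raw.partition(": ")      # "ExcType: message" ends the traceback
            chain.append({"exception": exc, "message": msg, "frames": frames})
            frames = None
    return chain

def frames_in(entry, needle):
    """(function, line, source) for each frame whose path contains `needle`."""
    return [(f["func"], f["line"], f["code"]) for f in entry["frames"] if needle in f["path"]]

if __name__ == "__main__":
    for i, e in enumerate(parse_chain(SAMPLE), 1):
        print(i, e["exception"], e["message"], frames_in(e, "/cme/"))
```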

mpgn commented 3 years ago

I think you are exactly in this case from @0xdf

https://0xdf.gitlab.io/2020/06/01/resolute-more-beyond-root.html

sysdefendr commented 3 years ago

> I think you are exactly in this case from @0xdf
>
> https://0xdf.gitlab.io/2020/06/01/resolute-more-beyond-root.html

Thanks a lot! I'm going to try this a little later and will let you know how it turns out.

mpgn commented 3 years ago

Any update? :)

ghost commented 2 years ago

@sysdefendr Hi. Try to disable Defender and the firewall. It works for me =)

0xJs commented 2 years ago

Seems that only disabling Windows Firewall is enough. Anyone found a resolution without disabling the firewall? I would like to keep it turned on in my lab environment. But just opening up port 445 doesn't seem to do the trick.