When running the lsassy module against a server, it crashes in case that no credentials could be acquired.
Dummy output:
# cme smb hostname -u user -p pass --local-auth -M lsassy
SMB hostname.domain.local 445 hostname [*] Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (name:hostname) (domain:hostname) (signing:False) (SMBv1:True)
SMB hostname.domain.local 445 hostname [+] hostname\user:pass (Pwn3d!)
LSASSY hostname.domain.local 445 hostname [*] No credentials found
Traceback (most recent call last):
File "/usr/bin/cme", line 8, in <module>
sys.exit(main())
File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 254, in main
asyncio.run(
File "/usr/lib/python3.9/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
return future.result()
File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 102, in start_threadpool
await asyncio.gather(*jobs)
File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 68, in run_protocol
await asyncio.wait_for(
File "/usr/lib/python3.9/asyncio/tasks.py", line 442, in wait_for
return await fut
File "/usr/lib/python3.9/concurrent/futures/thread.py", line 58, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 125, in __init__
connection.__init__(self, args, db, host)
File "/usr/lib/python3/dist-packages/cme/connection.py", line 62, in __init__
self.proto_flow()
File "/usr/lib/python3/dist-packages/cme/connection.py", line 100, in proto_flow
self.call_modules()
File "/usr/lib/python3/dist-packages/cme/connection.py", line 132, in call_modules
self.module.on_admin_login(context, self)
File "/usr/lib/python3/dist-packages/cme/modules/lsassy_dump.py", line 76, in on_admin_login
self.process_credentials(context, connection, credentials_output)
File "/usr/lib/python3/dist-packages/cme/modules/lsassy_dump.py", line 89, in process_credentials
add_user_bh(credz_bh, domain, context.log, connection.config)
UnboundLocalError: local variable 'domain' referenced before assignment
Crackmapexec info
OS: Kali
CME 5.2.2
Installed from apt, but the relevant source code shouldn't have changed in the meantime
Additional context
If I read the source correctly, domain is only assigned if there are credentials (for cred in credentials:). Therefore, add_user_bh fails if the for loop is never entered.
mpgn
commented
2 years ago
When running the lsassy module against a server, it crashes in case that no credentials could be acquired.
Dummy output:
Crackmapexec info
Additional context If I read the source correctly,
domainis only assigned if there are credentials (for cred in credentials:). Therefore,add_user_bhfails if the for loop is never entered.