byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Can't escape # signs #725

Closed J-Lucci closed 1 year ago

J-Lucci commented 1 year ago

When trying to run crackmapexec rdp, if the password has a # sign in it the module won't work:

crackmapexec rdp 0.0.0.0 -u 'uname' -p 'pwd#' --nla-screenshot --screenshot
RDP         ~~~~~~~~~~~~~~~~~~ (domain:~~~~~~~~~~) (nla:True)
RDP         ~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 257, in main
    asyncio.run(
  File "/usr/lib/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.10/asyncio/base_events.py", line 649, in run_until_complete
    return future.result()
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 105, in start_threadpool
    await asyncio.gather(*jobs)
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 69, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.10/asyncio/tasks.py", line 408, in wait_for
    return await fut
  File "/usr/lib/python3.10/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/rdp.py", line 59, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 65, in __init__
    self.proto_flow()
  File "/usr/lib/python3/dist-packages/cme/protocols/rdp.py", line 91, in proto_flow
    self.call_cmd_args()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 112, in call_cmd_args
    r = getattr(self, k)()
  File "/usr/lib/python3/dist-packages/cme/protocols/rdp.py", line 242, in screenshot
    asyncio.run(self.screen())
  File "/usr/lib/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.10/asyncio/base_events.py", line 649, in run_until_complete
    return future.result()
  File "/usr/lib/python3/dist-packages/cme/protocols/rdp.py", line 232, in screen
    await self.connect_rdp(self.url)
  File "/usr/lib/python3/dist-packages/cme/protocols/rdp.py", line 152, in connect_rdp
    connectionfactory = RDPConnectionFactory.from_url(url, self.iosettings)
  File "/usr/lib/python3/dist-packages/aardwolf/commons/factory.py", line 68, in from_url
    target = RDPTarget.from_url(connection_url)
  File "/usr/lib/python3/dist-packages/aardwolf/commons/target.py", line 78, in from_url
    if url_e.port:
  File "/usr/lib/python3.10/urllib/parse.py", line 177, in port
    raise ValueError(f"Port could not be cast to integer value as {port!r}")
ValueError: Port could not be cast to integer value as 'pwd'

I know the account works, I can do it manually - I know the script works with passwords that don't include a #. I've tried single quotes, double quotes, escape chars, -p=, etc. to no avail.

CME 5.4.0

NeffIsBack commented 1 year ago

Can confirm cme is dying when a # is in the password. The reason is urlparse uses # as separator for "fragments", therefore everything breaks apart. I opened an issue on skelsec/aardwolf#11 as I have no clue how to fix this problem.
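
The parsing behaviour described in the comment above, as an added example that is not part of the original thread and not code from CrackMapExec or aardwolf. The `rdp://user:password@host` layout and the function names are assumptions made for illustration; percent-encoding the credentials is one common way to avoid the problem, not necessarily how v6.0.0 fixed it.

```python
from urllib.parse import quote, unquote, urlsplit


def build_url(user, password, host, encode):
    """Build a credential-bearing URL (constructed layout, placeholder scheme)."""
    if encode:
        # safe="" forces '/', '?', '#', '@' and ':' to be percent-encoded too.
        user, password = quote(user, safe=""), quote(password, safe="")
    return f"rdp://{user}:{password}@{host}"


def parse_target(url):
    """Split the URL and return (username, password, hostname, port)."""
    parts = urlsplit(url)
    port = parts.port  # raises ValueError if the text after ':' is not a number
    user = unquote(parts.username) if parts.username is not None else None
    pwd = unquote(parts.password) if parts.password is not None else None
    return user, pwd, parts.hostname, port


def roundtrip(user, password, host, encode):
    """Build then parse; return the parsed tuple or the error text."""
    try:
        return parse_target(build_url(user, password, host, encode))
    except ValueError as exc:
        return f"ValueError: {exc}"


if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real system.
    for pwd in ("pwd#", "p@ss/w?rd#1"):
        for encode in (False, True):
            print(f"{pwd!r:16} encode={encode!s:5} ->",
                  roundtrip("uname", pwd, "0.0.0.0", encode))
```

With the raw `pwd#`, the netloc ends at `#`, so `pwd` is read as the port and the same `ValueError` as in the traceback is raised. The second password is worse: unencoded, it parses without any error but yields the host `ss` and the password `p`, so checking for an exception alone does not catch the problem.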

mpgn commented 1 year ago

I'm on it :)

mpgn commented 1 year ago

Hello,

Thanks for the issue, it is now fixed on the last public release of CrackMapExec https://github.com/mpgn/CrackMapExec v6.0.0

Regards,

mpgn