byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

cmedb not populated when using winrm #740

Techbrunch closed this issue 1 year ago

Techbrunch commented 1 year ago

Describe the bug

When using cme winrm with a valid password the cmedb is not populated with the credentials.

To Reproduce

[Feb 12, 2023 - 22:12:36 (CET)] exegol-htb-cascade DB # cme winrm $TARGET -u $USER -p $PASSWORD
SMB         10.129.217.173  5985   CASC-DC1         [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP        10.129.217.173  5985   CASC-DC1         [*] http://10.129.217.173:5985/wsman
WINRM       10.129.217.173  5985   CASC-DC1         [+] cascade.local\ArkSvc:w3lc0meFr31nd (admin)
[Feb 12, 2023 - 22:12:52 (CET)] exegol-htb-cascade DB # cmedb
cmedb (default)(smb) > creds

+Credentials---------+-----------+---------+----------+----------+
| CredID | Admin On  | CredType  | Domain  | UserName | Password |
+--------+-----------+-----------+---------+----------+----------+
| 1      | 0 Host(s) | plaintext | CASCADE | s.smith  | sT333ve2 |
+--------+-----------+-----------+---------+----------+----------+

cmedb (default)(smb) > exit
[Feb 12, 2023 - 22:13:22 (CET)] exegol-htb-cascade DB # cme smb $TARGET -u $USER -p $PASSWORD
SMB         10.129.217.173  445    CASC-DC1         [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB         10.129.217.173  445    CASC-DC1         [+] cascade.local\ArkSvc:w3lc0meFr31nd
[Feb 12, 2023 - 22:13:32 (CET)] exegol-htb-cascade DB # cmedb
cmedb (default)(smb) > creds

+Credentials---------+-----------+---------+----------+---------------+
| CredID | Admin On  | CredType  | Domain  | UserName | Password      |
+--------+-----------+-----------+---------+----------+---------------+
| 1      | 0 Host(s) | plaintext | CASCADE | s.smith  | sT333ve2      |
| 2      | 0 Host(s) | plaintext | CASCADE | ArkSvc   | w3lc0meFr31nd |
+--------+-----------+-----------+---------+----------+---------------+

Expected behavior

Using cme winrm should populate the cme db.

Crackmapexec info

Marshall-Hallenbeck commented 1 year ago

@Techbrunch in your example you are using the winrm module, but you are in the smb cmedb database. Looking at the code, it doesn't seem like anything but the smb and mssql dbs do anything, anyway, so that doesn't matter I guess.

I've been updating the entire cmedb and associated database functionality, so I should be able to add this in.

mpgn commented 1 year ago

Hello,

Thanks for the issue, it is now fixed in the last public release of CrackMapExec, v6.0.0: https://github.com/mpgn/CrackMapExec

Regards,

mpgn
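
A regression check for the behaviour reported in this issue, added here as an example and not taken from the CrackMapExec code base or from any commenter: it compares the `[+]` lines a protocol printed with the rows shown by `creds` and lists logins that were never stored. The function names are hypothetical, the sample input is copied from the transcript in the report, and secrets containing spaces or `|` are assumed not to occur.

```python
import re

# Sample input copied from the transcript in this issue (lab values shown on the page).
WINRM_RUN = r"""
HTTP        10.129.217.173  5985   CASC-DC1         [*] http://10.129.217.173:5985/wsman
WINRM       10.129.217.173  5985   CASC-DC1         [+] cascade.local\ArkSvc:w3lc0meFr31nd (admin)
"""
DB_AFTER_WINRM = """
| CredID | Admin On  | CredType  | Domain  | UserName | Password |
+--------+-----------+-----------+---------+----------+----------+
| 1      | 0 Host(s) | plaintext | CASCADE | s.smith  | sT333ve2 |
"""

# Success line layout: "<PROTO> <ip> <port> <host> [+] domain\user:secret"
SUCCESS = re.compile(
    r"^(?P<proto>[A-Z]+)\s+\S+\s+\d+\s+\S+\s+"
    r"\[\+\] (?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<secret>\S+)")

def successful_logins(output):
    """Return (protocol, short domain, user, secret) for every [+] line."""
    found = []
    for line in output.splitlines():
        m = SUCCESS.match(line)
        if m:
            # The log prints the FQDN (cascade.local); cmedb lists CASCADE.
            short = m["domain"].split(".")[0].upper()
            found.append((m["proto"], short, m["user"], m["secret"]))
    return found

def creds_rows(table):
    """Parse the ASCII table printed by the cmedb `creds` command into dicts."""
    rows, header = [], None
    for line in table.splitlines():
        if not line.startswith("|"):
            continue  # skip border lines, which start with '+'
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def missing_from_db(output, table):
    """Logins that succeeded on the wire but have no matching cmedb row."""
    stored = {(r["Domain"].upper(), r["UserName"].lower(), r["Password"])
              for r in creds_rows(table)}
    return [l for l in successful_logins(output)
            if (l[1], l[2].lower(), l[3]) not in stored]
```
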