byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License
8.29k stars 1.64k forks

Master d2ea13f gives error on scanning SMB shares #774

Closed sandervandegeijn closed 1 year ago

sandervandegeijn commented 1 year ago

Describe the bug: Checked out d2ea13f and built a docker container from it

execute crackmapexec smb hosts.up -u username -p password —shares

Traceback (most recent call last):
  File "/usr/local/bin/crackmapexec", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/site-packages/cme/crackmapexec.py", line 257, in main
    asyncio.run(
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/cme/crackmapexec.py", line 105, in start_threadpool
    await asyncio.gather(*jobs)
  File "/usr/local/lib/python3.11/site-packages/cme/crackmapexec.py", line 69, in run_protocol
    await asyncio.wait_for(
  File "/usr/local/lib/python3.11/asyncio/tasks.py", line 442, in wait_for
    return await fut
           ^^^^^^^^^
  File "/usr/local/lib/python3.11/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/cme/protocols/smb.py", line 143, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/local/lib/python3.11/site-packages/cme/connection.py", line 65, in __init__
    self.proto_flow()
  File "/usr/local/lib/python3.11/site-packages/cme/connection.py", line 101, in proto_flow
    if self.login() or (self.username == '' and self.password == ''):
       ^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/cme/connection.py", line 300, in login
    elif self.plaintext_login(self.domain, user, password): return True
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/cme/protocols/smb.py", line 450, in plaintext_login
    self.conn.login(self.username, self.password, domain)
  File "/usr/local/lib/python3.11/site-packages/impacket/smbconnection.py", line 278, in login
    return self._SMBConnection.login(user, password, domain, lmhash, nthash)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/impacket/smb3.py", line 1009, in login
    type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, respToken['ResponseToken'], user, password, domain, lmhash, nthash)
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/impacket/ntlm.py", line 628, in getNTLMSSPType3
    ntlmChallengeResponse = NTLMAuthChallengeResponse(user, password, ntlmChallenge['challenge'])
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/impacket/ntlm.py", line 443, in __init__
    lmhash = compute_lmhash(password)
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/impacket/ntlm.py", line 745, in compute_lmhash
    lmhash  = __DES_block(b(password[:7]), KNOWN_DES_INPUT)
                          ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/six.py", line 644, in b
    return s.encode("latin-1")
           ^^^^^^^^^^^^^^^^^^^
UnicodeEncodeError: 'latin-1' codec can't encode character '\u2014' in position 0: ordinal not in range(256)

To Reproduce (steps to reproduce the behavior): See above

Expected behavior: No error

Screenshots

Crackmapexec info: Docker container built from the dockerfile provided in the repo

Additional context

NeffIsBack commented 1 year ago

At first glance it looks like the password contains some weird characters. Would it be possible to provide the full password?

sandervandegeijn commented 1 year ago

Sure, changed the password:

crackmapexec smb hosts.up -u SRV_ACCOUNT -p stexUk3j28 —shares

hosts.up contains one IP per line.

NeffIsBack commented 1 year ago

Does this also happen without --shares? Also, can you try quoting the password like so: "stexUk3j28"?

sandervandegeijn commented 1 year ago

Unbelievable I didn't spot this; I was using the Notes app on a Mac to keep track of what I was doing. Should have used VS Code... --shares becomes —shares. Subtle difference, but... Okay, that cost me more than an hour lol.

Stupid thing is, this has happened to me before: the Windows MMC snap-in also copies a hidden char when you copy the SSL thumbprint. Oh well, you live and you learn. Thanks for the quick response.
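The mechanics behind the thread's root cause, as an added example that is not part of the issue or of the project's code: because U+2014 is not an ASCII `-`, an argument parser does not see `—shares` as an option, so it is swallowed as a value, and the traceback's "position 0" tells us that value was hashed as a password. The stand-in parser below is an assumption built for this example (it collects `-p` values with `nargs="+"`, which is what makes the pasted token land in the password list); the pre-flight check flags smart punctuation in argv before anything reaches impacket's latin-1 encoding.

```python
import argparse
import unicodedata

# Unicode punctuation that rich-text editors substitute for ASCII, mapped to the ASCII the user typed.
SMART_PUNCTUATION = {
    "\u2014": "--",  # EM DASH: what "--shares" became in the Notes app
    "\u2013": "-",   # EN DASH
    "\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"',  # curly quotes
    "\u00a0": " ",  # NO-BREAK SPACE
}

def find_suspicious_args(argv):
    """Return (index, arg, ascii_fixed, unicode_names) for each argv entry
    containing pasted smart punctuation."""
    findings = []
    for i, arg in enumerate(argv):
        names = [unicodedata.name(ch) for ch in arg if ch in SMART_PUNCTUATION]
        if not names:
            continue
        fixed = arg
        for ch, repl in SMART_PUNCTUATION.items():
            fixed = fixed.replace(ch, repl)
        findings.append((i, arg, fixed, ", ".join(names)))
    return findings

def latin1_safe(value):
    """impacket's LM-hash path encodes the password as latin-1 (six.b); a
    value containing U+2014 fails there with UnicodeEncodeError."""
    try:
        value.encode("latin-1")
        return True
    except UnicodeEncodeError:
        return False

def parse_like_cme(argv):
    """Stand-in parser built for this example (not the project's own parser):
    -p collects one or more passwords, --shares is a flag."""
    parser = argparse.ArgumentParser(prog="crackmapexec", add_help=False)
    parser.add_argument("protocol")
    parser.add_argument("target")
    parser.add_argument("-u", dest="username", nargs="+", default=[])
    parser.add_argument("-p", dest="password", nargs="+", default=[])
    parser.add_argument("--shares", action="store_true")
    return parser.parse_args(argv)

if __name__ == "__main__":
    # Constructed argv reproducing the pasted command from the issue.
    argv = ["smb", "hosts.up", "-u", "SRV_ACCOUNT", "-p", "stexUk3j28", "\u2014shares"]
    print(parse_like_cme(argv).password, find_suspicious_args(argv))
```

Running it shows the password list as `['stexUk3j28', '—shares']` with `--shares` never set, which is exactly the state the traceback describes.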