Closed javalogicuser closed 1 year ago
The target must be specified behind the protocol. Can you retest that with smb(/and the other)? For your winrm call I am not sure what breaks the connection, as it actually accepts the specified targets.
I've tried both ways, with multiple protocols, with the outcome being the same, no output. I'm trying to get it to read the targets in from a txt file, is that not correct? All the examples I've seen do it this way. Here's the output when I specify the hosts at the beginning:
┌──(root㉿kali)-[/opt]
└─# ./cme --verbose -t 200 winrm /home/kali/HTB/ZEPHYR/192.168.210-hosts.txt -u /home/kali/HTB/ZEPHYR/usernames.txt -p /home/kali/HTB/ZEPHYR/passwords.txt
DEBUG:root:Passed args:
{'aesKey': None,
'connectback_host': None,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'domain': None,
'execute': None,
'export': None,
'fail_limit': None,
'gfail_limit': None,
'hash': [],
'ignore_ssl_cert': False,
'jitter': None,
'kdcHost': None,
'kerberos': False,
'laps': None,
'list_modules': False,
'local_auth': False,
'lsa': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'],
'port': 0,
'protocol': 'winrm',
'ps_execute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'show_module_options': False,
'ssl': False,
'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'],
'threads': 200,
'timeout': None,
'ufail_limit': None,
'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'],
'verbose': True}
DEBUG Passed args:
{'aesKey': None,
'connectback_host': None,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'domain': None,
'execute': None,
'export': None,
'fail_limit': None,
'gfail_limit': None,
'hash': [],
'ignore_ssl_cert': False,
'jitter': None,
'kdcHost': None,
'kerberos': False,
'laps': None,
'list_modules': False,
'local_auth': False,
'lsa': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'],
'port': 0,
'protocol': 'winrm',
'ps_execute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'show_module_options': False,
'ssl': False,
'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'],
'threads': 200,
'timeout': None,
'ufail_limit': None,
'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'],
'verbose': True}
DEBUG:asyncio:Using selector: EpollSelector
DEBUG Using selector: EpollSelector
DEBUG:root:Running
DEBUG Running
DEBUG:root:Started thread poller
DEBUG Started thread poller
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller
Not sure what to check...SMB is the same way...thanks for looking into this.
The target must be specified behind the protocol. Can you retest that with smb(/and the other)? For your winrm call I am not sure what breaks the connection, as it actually accepts the specified targets.
The command should be working as specified. In the debug args the target/username/password files are also present.
As cme even shuts down properly ("Stopped thread poller"), it really looks like your hosts are not reachable. Can you check if the protocol specified is enabled on the targets? Also, can you give me a verbose run with SMB? I am more familiar with the SMB implementation.
Hello,
Thanks for the issue, it is now fixed on the last public release of CrackMapExec https://github.com/mpgn/CrackMapExec v6.0.0
Regards,
mpgn
Steps to reproduce
┌──(venv)(root㉿kali)-[/opt]
└─# cme winrm -u /home/kali/usernames.txt -p /home/kali/passwords.txt -d domain.local
-- No output given, cannot do any password spraying across domain/network -- crackmapexec or cme doesn't give any output, just moves to the next line
┌──(venv)(root㉿kali)-[/opt]
└─# cme --verbose winrm -u /home/kali/HTB/ZEPHYR/usernames.txt -p /home/kali/HTB/ZEPHYR/passwords.txt -d zsm.local /home/kali/HTB/ZEPHYR/192.168.210-hosts.txt
DEBUG Passed args:
{'aesKey': None,
'connectback_host': None,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'domain': 'zsm.local',
'execute': None,
'export': None,
'fail_limit': None,
'gfail_limit': None,
'hash': [],
'jitter': None,
'kdcHost': None,
'kerberos': False,
'list_modules': False,
'local_auth': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'],
'port': 0,
'protocol': 'winrm',
'ps_execute': None,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'show_module_options': False,
'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'],
'verbose': True}
DEBUG Using selector: EpollSelector
DEBUG Running
DEBUG Started thread poller
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG Stopped thread poller
CME Version (cme --version)
5.4, 5.3, 5.23, 5.1.0
OS
└─# uname -a && cat /etc/issue
Linux kali 6.0.0-kali6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1kali1 (2022-12-19) x86_64 GNU/Linux
Kali GNU/Linux Rolling \n \l
Target OS
Windows
-- No output given, cannot do any password spraying across domain/network -- crackmapexec or cme doesn't give any output, just moves to the next line -- using RDP, SMB, WINRM, SSH