byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

No output when using usernames and passwords for any protocol - Kali 2021-2022 version <=5.4-5.1.0 #778

Closed javalogicuser closed 1 year ago

javalogicuser commented 1 year ago

Steps to reproduce

┌──(venv)(root㉿kali)-[/opt]
└─# cme winrm -u /home/kali/usernames.txt -p /home/kali/passwords.txt -d domain.local

-- No output given, cannot do any password spraying across domain/network -- crackmapexec or cme doesn't give any output, just moves to the next line

┌──(venv)(root㉿kali)-[/opt]

┌──(venv)(root㉿kali)-[/opt]
└─# cme --verbose winrm -u /home/kali/HTB/ZEPHYR/usernames.txt -p /home/kali/HTB/ZEPHYR/passwords.txt -d zsm.local /home/kali/HTB/ZEPHYR/192.168.210-hosts.txt
DEBUG Passed args: {'aesKey': None, 'connectback_host': None, 'continue_on_success': False, 'cred_id': [], 'darrell': False, 'domain': 'zsm.local', 'execute': None, 'export': None, 'fail_limit': None, 'gfail_limit': None, 'hash': [], 'jitter': None, 'kdcHost': None, 'kerberos': False, 'list_modules': False, 'local_auth': False, 'module': None, 'module_options': [], 'no_bruteforce': False, 'no_output': False, 'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'], 'port': 0, 'protocol': 'winrm', 'ps_execute': None, 'server': 'https', 'server_host': '0.0.0.0', 'server_port': None, 'show_module_options': False, 'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'], 'threads': 100, 'timeout': None, 'ufail_limit': None, 'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'], 'verbose': True}
DEBUG Using selector: EpollSelector
DEBUG Running
DEBUG Started thread poller
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG Stopped thread poller

CME Version (cme --version)

5.4, 5.3, 5.23, 5.1.0

OS

└─# uname -a && cat /etc/issue
Linux kali 6.0.0-kali6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1kali1 (2022-12-19) x86_64 GNU/Linux
Kali GNU/Linux Rolling \n \l

Target OS

Windows

-- No output given, cannot do any password spraying across domain/network -- crackmapexec or cme doesn't give any output, just moves to the next line -- using RDP, SMB, WINRM, SSH

NeffIsBack commented 1 year ago

The target must be specified behind the protocol. Can you retest that with smb(/and the other)? For your winrm call I am not sure what breaks the connection, as it actually accepts the specified targets.

javalogicuser commented 1 year ago

I've tried both ways, with multiple protocols, with the outcome being the same, no output. I'm trying to get it to read the targets in from a txt file, is that not correct? All the examples I've seen do it this way. Here's the output when I specify the hosts at the beginning:

┌──(root㉿kali)-[/opt]
└─# ./cme --verbose -t 200 winrm /home/kali/HTB/ZEPHYR/192.168.210-hosts.txt -u /home/kali/HTB/ZEPHYR/usernames.txt -p /home/kali/HTB/ZEPHYR/passwords.txt
DEBUG:root:Passed args: {'aesKey': None, 'connectback_host': None, 'continue_on_success': False, 'cred_id': [], 'darrell': False, 'domain': None, 'execute': None, 'export': None, 'fail_limit': None, 'gfail_limit': None, 'hash': [], 'ignore_ssl_cert': False, 'jitter': None, 'kdcHost': None, 'kerberos': False, 'laps': None, 'list_modules': False, 'local_auth': False, 'lsa': False, 'module': None, 'module_options': [], 'no_bruteforce': False, 'no_output': False, 'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'], 'port': 0, 'protocol': 'winrm', 'ps_execute': None, 'sam': False, 'server': 'https', 'server_host': '0.0.0.0', 'server_port': None, 'show_module_options': False, 'ssl': False, 'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'], 'threads': 200, 'timeout': None, 'ufail_limit': None, 'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'], 'verbose': True}
DEBUG Passed args: {'aesKey': None, 'connectback_host': None, 'continue_on_success': False, 'cred_id': [], 'darrell': False, 'domain': None, 'execute': None, 'export': None, 'fail_limit': None, 'gfail_limit': None, 'hash': [], 'ignore_ssl_cert': False, 'jitter': None, 'kdcHost': None, 'kerberos': False, 'laps': None, 'list_modules': False, 'local_auth': False, 'lsa': False, 'module': None, 'module_options': [], 'no_bruteforce': False, 'no_output': False, 'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'], 'port': 0, 'protocol': 'winrm', 'ps_execute': None, 'sam': False, 'server': 'https', 'server_host': '0.0.0.0', 'server_port': None, 'show_module_options': False, 'ssl': False, 'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'], 'threads': 200, 'timeout': None, 'ufail_limit': None, 'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'], 'verbose': True}
DEBUG:asyncio:Using selector: EpollSelector
DEBUG Using selector: EpollSelector
DEBUG:root:Running
DEBUG Running
DEBUG:root:Started thread poller
DEBUG Started thread poller
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller

Not sure what to check...SMB is the same way...thanks for looking into this.

The target must be specified behind the protocol. Can you retest that with smb(/and the other)? For your winrm call I am not sure what breaks the connection, as it actually accepts the specified targets.

NeffIsBack commented 1 year ago

The command should be working as specified. In the debug args the target/username/password files are also present.

As even cme shuts down properly ("Stopped thread poller") it really looks like your hosts are not reachable. Can you check if the protocol specified is enabled on the targets? Also can you give me a verbose run with SMB? I am more familiar with the SMB implementation.
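
Added example, not part of the thread and not CrackMapExec code: a small Python triage helper for a silent `--verbose` run like the ones quoted above. It lists which host and port pairs urllib3 actually tried and whether the run reached "Stopped thread poller". The sample log is constructed in the shape of the quoted output, and the "both 5986 and 5985" expectation is an assumption taken from the pattern in those logs.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the quoted `cme --verbose winrm` output; the
# second run in the thread logged every event twice (two logging handlers).
SAMPLE_LOG = """\
DEBUG:root:Started thread poller
DEBUG Started thread poller
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller
"""

# \s+ between tokens lets the pattern match output that was pasted as one long
# line or wrapped in the middle of an entry.
CONN_RE = re.compile(
    r"Starting\s+new\s+(HTTPS?)\s+connection\s+\(\d+\):\s+([\w.\-]+):(\d+)")

def summarize_attempts(log_text):
    """Map each host to the set of (scheme, port) pairs urllib3 tried.

    A set per host removes the duplicates produced by the doubled logger.
    """
    attempts = defaultdict(set)
    for scheme, host, port in CONN_RE.findall(log_text):
        attempts[host].add((scheme, int(port)))
    return dict(attempts)

def clean_shutdown(log_text):
    """True if the run reached the normal 'Stopped thread poller' message."""
    return "Stopped thread poller" in log_text

def hosts_missing_fallback(attempts):
    """Hosts where only one of HTTPS/5986 and HTTP/5985 was attempted
    (assumed pattern: the quoted logs show both tried for every host)."""
    expected = {("HTTPS", 5986), ("HTTP", 5985)}
    return sorted(h for h, seen in attempts.items() if seen != expected)

if __name__ == "__main__":
    summary = summarize_attempts(SAMPLE_LOG)
    for host, seen in sorted(summary.items()):
        print(host, sorted(seen))
    print("clean shutdown:", clean_shutdown(SAMPLE_LOG))
    print("incomplete:", hosts_missing_fallback(summary))
```

A run that attempted every host on both ports and shut down cleanly, yet printed no result lines, fits the reading in the comment above: the tool ran, and the next thing to check is whether the service answers on those ports.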

mpgn commented 1 year ago

Hello,

Thanks for the issue, it is now fixed on the last public release of CrackMapExec https://github.com/mpgn/CrackMapExec v6.0.0

Regards,

mpgn