[/opt/CrackMapExec] $ poetry run cme --verbose smb --shares --sessions --disks --loggedon-users --users --groups --computers --local-groups --pass-pol 172.16.1.5
DEBUG:root:Passed args:
{'aesKey': None,
'amsi_bypass': None,
'clear_obfscripts': False,
'codec': 'utf-8',
'computers': '',
'connectback_host': None,
'content': False,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'depth': None,
'disks': True,
'domain': None,
'enabled': False,
'exclude_dirs': '',
'exec_method': None,
'execute': None,
'export': None,
'fail_limit': None,
'force_ps32': False,
'gen_relay_list': None,
'get_file': None,
'gfail_limit': None,
'groups': '',
'hash': [],
'jitter': None,
'kdcHost': None,
'kerberos': False,
'laps': None,
'list_modules': False,
'local_auth': False,
'local_groups': '',
'loggedon_users': True,
'loggedon_users_filter': None,
'lsa': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'ntds': None,
'obfs': False,
'only_files': False,
'pass_pol': True,
'password': [],
'pattern': None,
'port': 445,
'protocol': 'smb',
'ps_execute': None,
'put_file': None,
'regex': None,
'rid_brute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'sessions': True,
'share': 'C$',
'shares': True,
'show_module_options': False,
'smb_server_port': 445,
'smb_timeout': 2,
'spider': None,
'spider_folder': '.',
'target': ['172.16.1.5'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'use_kcache': False,
'username': [],
'userntds': None,
'users': '',
'verbose': True,
'wmi': None,
'wmi_namespace': 'root\\cimv2'}
DEBUG Passed args:
{'aesKey': None,
'amsi_bypass': None,
'clear_obfscripts': False,
'codec': 'utf-8',
'computers': '',
'connectback_host': None,
'content': False,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'depth': None,
'disks': True,
'domain': None,
'enabled': False,
'exclude_dirs': '',
'exec_method': None,
'execute': None,
'export': None,
'fail_limit': None,
'force_ps32': False,
'gen_relay_list': None,
'get_file': None,
'gfail_limit': None,
'groups': '',
'hash': [],
'jitter': None,
'kdcHost': None,
'kerberos': False,
'laps': None,
'list_modules': False,
'local_auth': False,
'local_groups': '',
'loggedon_users': True,
'loggedon_users_filter': None,
'lsa': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'ntds': None,
'obfs': False,
'only_files': False,
'pass_pol': True,
'password': [],
'pattern': None,
'port': 445,
'protocol': 'smb',
'ps_execute': None,
'put_file': None,
'regex': None,
'rid_brute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'sessions': True,
'share': 'C$',
'shares': True,
'show_module_options': False,
'smb_server_port': 445,
'smb_timeout': 2,
'spider': None,
'spider_folder': '.',
'target': ['172.16.1.5'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'use_kcache': False,
'username': [],
'userntds': None,
'users': '',
'verbose': True,
'wmi': None,
'wmi_namespace': 'root\\cimv2'}
DEBUG:asyncio:Using selector: EpollSelector
DEBUG Using selector: EpollSelector
DEBUG:root:Running
DEBUG Running
DEBUG:root:Started thread poller
DEBUG Started thread poller
SMB 172.16.1.5 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:True)
DEBUG:root:Calling shares()
DEBUG Calling shares()
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller
Traceback (most recent call last):
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 358, in connectTree
return self._SMBConnection.connect_tree(share)
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smb.py", line 2835, in tree_connect_andx
if smb.isValidAnswer(SMB.SMB_COM_TREE_CONNECT_ANDX):
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smb.py", line 778, in isValidAnswer
raise SessionError("SMB Library Error", self['ErrorClass'] + (self['_reserved'] << 8), self['ErrorCode'], self['Flags2'] & SMB.FLAGS2_NT_STATUS, self)
impacket.smb.SessionError: SMB SessionError: class: ERRSRV, code: ERRbaduid(The UID is not known as a valid ID on this session.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/CrackMapExec/cme/protocols/smb.py", line 717, in shares
for share in self.conn.listShares():
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 382, in listShares
dce.connect()
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/rpcrt.py", line 803, in connect
return self._transport.connect()
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/transport.py", line 517, in connect
self.__tid = self.__smb_connection.connectTree('IPC$')
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 360, in connectTree
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: 0x5b
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/CrackMapExec/cme/protocols/smb.py", line 717, in shares
for share in self.conn.listShares():
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 382, in listShares
dce.connect()
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/rpcrt.py", line 803, in connect
return self._transport.connect()
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/transport.py", line 517, in connect
self.__tid = self.__smb_connection.connectTree('IPC$')
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 360, in connectTree
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: 0x5b
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/opt/CrackMapExec/cme/crackmapexec.py", line 257, in main
asyncio.run(
File "/usr/lib64/python3.10/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib64/python3.10/asyncio/base_events.py", line 649, in run_until_complete
return future.result()
File "/opt/CrackMapExec/cme/crackmapexec.py", line 105, in start_threadpool
await asyncio.gather(*jobs)
File "/opt/CrackMapExec/cme/crackmapexec.py", line 69, in run_protocol
await asyncio.wait_for(
File "/usr/lib64/python3.10/asyncio/tasks.py", line 408, in wait_for
return await fut
File "/usr/lib64/python3.10/concurrent/futures/thread.py", line 58, in run
result = self.fn(*self.args, **self.kwargs)
File "/opt/CrackMapExec/cme/protocols/smb.py", line 143, in __init__
connection.__init__(self, args, db, host)
File "/opt/CrackMapExec/cme/connection.py", line 65, in __init__
self.proto_flow()
File "/opt/CrackMapExec/cme/connection.py", line 105, in proto_flow
self.call_cmd_args()
File "/opt/CrackMapExec/cme/connection.py", line 112, in call_cmd_args
r = getattr(self, k)()
File "/opt/CrackMapExec/cme/protocols/smb.py", line 756, in shares
error = get_error_string(e)
File "/opt/CrackMapExec/cme/protocols/smb.py", line 66, in get_error_string
es = exception.getErrorString()
File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 989, in getErrorString
return nt_errors.ERROR_MESSAGES[self.error]
KeyError: 91
CME Version (cme --version)
Version : 5.4.1
Codename: Indestructible G0thm0g
OS
OpenSUSE Tumbleweed
Target OS
Windows Server 2016 Standard 14393 x64
Detailed issue explanation
Whenever I provide the --shares option and don't have permission to list those, Impacket throws an exception. CME seems to not handle this exception properly like it does with flags such as --session, --disks and others. Removing the --shares flag helps in not crashing CME.
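The final `KeyError: 91` in the traceback is raised inside the error handler itself: `getErrorString()` indexes the NT status table with `0x5b`, which has no entry there. The sketch below is an added example, not CME's or Impacket's code. It shows an error-string helper that survives an unmapped code. `FakeSessionError`, `DeniedConn`, `safe_error_string` and `list_shares` are hypothetical names, and the status table is a constructed stand-in.

```python
# Constructed stand-in for an NT status lookup table (two real status codes,
# descriptions shortened); 0x5b from the traceback is deliberately absent.
NT_ERROR_MESSAGES = {
    0xC0000022: ("STATUS_ACCESS_DENIED", "access to the object was denied"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "the logon attempt is invalid"),
}

class FakeSessionError(Exception):
    """Hypothetical exception that mimics the failing lookup on this page."""
    def __init__(self, error):
        super().__init__(f"SMB SessionError: {hex(error)}")
        self.error = error

    def getErrorString(self):
        # Direct indexing: raises KeyError for any code missing from the table.
        return NT_ERROR_MESSAGES[self.error]

def safe_error_string(exc):
    """Return a printable error name; never raise from the error path."""
    getter = getattr(exc, "getErrorString", None)
    if getter is None:
        return str(exc)
    try:
        es = getter()
    except (KeyError, IndexError):
        code = getattr(exc, "error", None)
        if isinstance(code, int):
            return f"unknown SMB error code {hex(code)}"
        return str(exc)
    return es[0] if isinstance(es, (tuple, list)) else str(es)

class DeniedConn:
    """Constructed connection whose share listing fails with code 0x5b."""
    def listShares(self):
        raise FakeSessionError(0x5B)

def list_shares(conn):
    """Return (shares, error_text) so one denied call cannot abort the run."""
    try:
        return list(conn.listShares()), None
    except Exception as exc:
        return [], safe_error_string(exc)

if __name__ == "__main__":
    print(list_shares(DeniedConn()))
```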