byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Crash when not allowed to list SMB shares #780

Closed Anthirian closed 1 year ago

Anthirian commented 1 year ago

Steps to reproduce

  1. Enumerate shares on a system without specifying authentication
  2. Observe Impacket exceptions being thrown that are not gracefully handled by CME
  3. CME crashes

Command string used

[/opt/CrackMapExec] $ poetry run cme --verbose smb --shares --sessions --disks --loggedon-users --users --groups --computers --local-groups --pass-pol 172.16.1.5

CME verbose output (using the --verbose flag)

[/opt/CrackMapExec] $ poetry run cme --verbose smb --shares --sessions --disks --loggedon-users --users --groups --computers --local-groups --pass-pol 172.16.1.5
DEBUG:root:Passed args:
{'aesKey': None,
 'amsi_bypass': None,
 'clear_obfscripts': False,
 'codec': 'utf-8',
 'computers': '',
 'connectback_host': None,
 'content': False,
 'continue_on_success': False,
 'cred_id': [],
 'darrell': False,
 'depth': None,
 'disks': True,
 'domain': None,
 'enabled': False,
 'exclude_dirs': '',
 'exec_method': None,
 'execute': None,
 'export': None,
 'fail_limit': None,
 'force_ps32': False,
 'gen_relay_list': None,
 'get_file': None,
 'gfail_limit': None,
 'groups': '',
 'hash': [],
 'jitter': None,
 'kdcHost': None,
 'kerberos': False,
 'laps': None,
 'list_modules': False,
 'local_auth': False,
 'local_groups': '',
 'loggedon_users': True,
 'loggedon_users_filter': None,
 'lsa': False,
 'module': None,
 'module_options': [],
 'no_bruteforce': False,
 'no_output': False,
 'ntds': None,
 'obfs': False,
 'only_files': False,
 'pass_pol': True,
 'password': [],
 'pattern': None,
 'port': 445,
 'protocol': 'smb',
 'ps_execute': None,
 'put_file': None,
 'regex': None,
 'rid_brute': None,
 'sam': False,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'sessions': True,
 'share': 'C$',
 'shares': True,
 'show_module_options': False,
 'smb_server_port': 445,
 'smb_timeout': 2,
 'spider': None,
 'spider_folder': '.',
 'target': ['172.16.1.5'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'use_kcache': False,
 'username': [],
 'userntds': None,
 'users': '',
 'verbose': True,
 'wmi': None,
 'wmi_namespace': 'root\\cimv2'}
DEBUG Passed args:
{'aesKey': None,
 'amsi_bypass': None,
 'clear_obfscripts': False,
 'codec': 'utf-8',
 'computers': '',
 'connectback_host': None,
 'content': False,
 'continue_on_success': False,
 'cred_id': [],
 'darrell': False,
 'depth': None,
 'disks': True,
 'domain': None,
 'enabled': False,
 'exclude_dirs': '',
 'exec_method': None,
 'execute': None,
 'export': None,
 'fail_limit': None,
 'force_ps32': False,
 'gen_relay_list': None,
 'get_file': None,
 'gfail_limit': None,
 'groups': '',
 'hash': [],
 'jitter': None,
 'kdcHost': None,
 'kerberos': False,
 'laps': None,
 'list_modules': False,
 'local_auth': False,
 'local_groups': '',
 'loggedon_users': True,
 'loggedon_users_filter': None,
 'lsa': False,
 'module': None,
 'module_options': [],
 'no_bruteforce': False,
 'no_output': False,
 'ntds': None,
 'obfs': False,
 'only_files': False,
 'pass_pol': True,
 'password': [],
 'pattern': None,
 'port': 445,
 'protocol': 'smb',
 'ps_execute': None,
 'put_file': None,
 'regex': None,
 'rid_brute': None,
 'sam': False,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'sessions': True,
 'share': 'C$',
 'shares': True,
 'show_module_options': False,
 'smb_server_port': 445,
 'smb_timeout': 2,
 'spider': None,
 'spider_folder': '.',
 'target': ['172.16.1.5'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'use_kcache': False,
 'username': [],
 'userntds': None,
 'users': '',
 'verbose': True,
 'wmi': None,
 'wmi_namespace': 'root\\cimv2'}

DEBUG:asyncio:Using selector: EpollSelector
DEBUG Using selector: EpollSelector
DEBUG:root:Running
DEBUG Running
DEBUG:root:Started thread poller
DEBUG Started thread poller
SMB         172.16.1.5      445    DC01             [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:True)
DEBUG:root:Calling shares()
DEBUG Calling shares()
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller
Traceback (most recent call last):
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 358, in connectTree
    return self._SMBConnection.connect_tree(share)
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smb.py", line 2835, in tree_connect_andx
    if smb.isValidAnswer(SMB.SMB_COM_TREE_CONNECT_ANDX):
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smb.py", line 778, in isValidAnswer
    raise SessionError("SMB Library Error", self['ErrorClass'] + (self['_reserved'] << 8), self['ErrorCode'], self['Flags2'] & SMB.FLAGS2_NT_STATUS, self)
impacket.smb.SessionError: SMB SessionError: class: ERRSRV, code: ERRbaduid(The UID is not known as a valid ID on this session.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/CrackMapExec/cme/protocols/smb.py", line 717, in shares
    for share in self.conn.listShares():
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 382, in listShares
    dce.connect()
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/rpcrt.py", line 803, in connect
    return self._transport.connect()
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/transport.py", line 517, in connect
    self.__tid = self.__smb_connection.connectTree('IPC$')
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 360, in connectTree
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: 0x5b

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/CrackMapExec/cme/protocols/smb.py", line 717, in shares
    for share in self.conn.listShares():
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 382, in listShares
    dce.connect()
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/rpcrt.py", line 803, in connect
    return self._transport.connect()
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/transport.py", line 517, in connect
    self.__tid = self.__smb_connection.connectTree('IPC$')
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 360, in connectTree
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: 0x5b

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/opt/CrackMapExec/cme/crackmapexec.py", line 257, in main
    asyncio.run(
  File "/usr/lib64/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib64/python3.10/asyncio/base_events.py", line 649, in run_until_complete
    return future.result()
  File "/opt/CrackMapExec/cme/crackmapexec.py", line 105, in start_threadpool
    await asyncio.gather(*jobs)
  File "/opt/CrackMapExec/cme/crackmapexec.py", line 69, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib64/python3.10/asyncio/tasks.py", line 408, in wait_for
    return await fut
  File "/usr/lib64/python3.10/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/opt/CrackMapExec/cme/protocols/smb.py", line 143, in __init__
    connection.__init__(self, args, db, host)
  File "/opt/CrackMapExec/cme/connection.py", line 65, in __init__
    self.proto_flow()
  File "/opt/CrackMapExec/cme/connection.py", line 105, in proto_flow
    self.call_cmd_args()
  File "/opt/CrackMapExec/cme/connection.py", line 112, in call_cmd_args
    r = getattr(self, k)()
  File "/opt/CrackMapExec/cme/protocols/smb.py", line 756, in shares
    error = get_error_string(e)
  File "/opt/CrackMapExec/cme/protocols/smb.py", line 66, in get_error_string
    es =  exception.getErrorString()
  File "/home/geert/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 989, in getErrorString
    return nt_errors.ERROR_MESSAGES[self.error]
KeyError: 91

CME Version (cme --version)

Version : 5.4.1
Codename: Indestructible G0thm0g

OS

OpenSUSE Tumbleweed

Target OS

Windows Server 2016 Standard 14393 x64

Detailed issue explanation

Whenever I provide the --shares option and don't have permission to list those, Impacket throws an exception. CME does not seem to handle this exception properly, as it does with flags such as --session, --disks and others. Removing the --shares flag keeps CME from crashing.
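
The last frame of the traceback shows the real defect: get_error_string() calls the library's getErrorString(), which does a bare dict lookup in the NT status table, and the SMB1 DOS-style code ERRbaduid (0x5b = 91) is not in that table, so a KeyError escapes from the error-reporting path itself. The following is an added example, not CME's or Impacket's own code: a minimal stand-in for the library exception (the two message tables are constructed subsets, and the function names are hypothetical) showing the crashing lookup beside a fallback chain that returns a printable string for every code.

```python
# Constructed subset of an NT-status message table, keyed by status value.
NT_ERROR_MESSAGES = {
    0xC0000022: ("STATUS_ACCESS_DENIED",
                 "A process has requested access to an object but has not "
                 "been granted those access rights."),
}

# Constructed table of SMB1 (DOS-style) codes that are absent from the NT
# table. 0x5b = 91 is the ERRbaduid code from the traceback above.
DOS_ERROR_MESSAGES = {
    0x5B: ("ERRbaduid", "The UID is not known as a valid ID on this session."),
}


class SessionError(Exception):
    """Stand-in for the library exception: getErrorString() is a bare dict
    lookup and raises KeyError for any code missing from the NT table."""

    def __init__(self, error: int):
        super().__init__(error)
        self.error = error

    def getErrorCode(self) -> int:
        return self.error

    def getErrorString(self):
        return NT_ERROR_MESSAGES[self.error]   # KeyError: 91 for ERRbaduid


def get_error_string_unsafe(exc: SessionError) -> str:
    """The pattern that crashed: the library call is trusted to succeed."""
    name, desc = exc.getErrorString()
    return f"{name} - {desc}"


def get_error_string_safe(exc: SessionError) -> str:
    """Fallback chain: NT status text, then DOS-style code text, then raw hex.
    Every code yields a string, so one unmapped error no longer takes down
    the whole enumeration run."""
    try:
        name, desc = exc.getErrorString()
        return f"{name} - {desc}"
    except KeyError:
        pass
    code = exc.getErrorCode()
    if code in DOS_ERROR_MESSAGES:
        name, desc = DOS_ERROR_MESSAGES[code]
        return f"{name} (0x{code:x}) - {desc}"
    return f"unknown SMB error 0x{code:x}"
```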

mpgn commented 1 year ago

Hello,

Thanks for the issue, it is now fixed in the latest public release of CrackMapExec, https://github.com/mpgn/CrackMapExec v6.0.0.

Regards,

mpgn