byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

crackmapexec does not execute command when called with password #798

Closed jcdenton1984 closed 1 year ago

jcdenton1984 commented 1 year ago

I run CME as described in the documentation with a user and password specified against a Windows machine. Via the -x or -X option a command should be executed. This does not work however. Here is a debug from that execution:

crackmapexec --debug smb 192.168.XXX.202 -u user -p 'password' -X whoami             
[20:29:29] DEBUG    Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True,               crackmapexec.py:87
                    version=False, protocol='smb', target=['192.168.XXX.202'], cred_id=[], username=['user'], password=['password'],                   
                    kerberos=False, no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None,                       
                    gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[], list_modules=False,                                     
                    show_module_options=False, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None, hash=[],                          
                    domain=None, local_auth=False, port=445, share='C$', smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None,                     
                    sam=False, lsa=False, ntds=None, dpapi=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=False,                              
                    filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None, loggedon_users=False, users=None,                               
                    groups=None, computers=None, local_groups=None, pass_pol=False, rid_brute=None, wmi=None, wmi_namespace='root\\cimv2',                       
                    spider=None, spider_folder='.', content=False, exclude_dirs='', pattern=None, regex=None, depth=None, only_files=False,                      
                    put_file=None, get_file=None, append_host=False, exec_method=None, codec='utf-8', force_ps32=False, no_output=False,                         
                    execute=None, ps_execute='whoami', obfs=False, amsi_bypass=None, clear_obfscripts=False)                                                     
           DEBUG    Protocol: smb                                                                                                             crackmapexec.py:143
           DEBUG    Protocol Path: /home/jc/.local/pipx/venvs/crackmapexec/lib/python3.11/site-packages/cme/protocols/smb.py                  crackmapexec.py:146
           DEBUG    Protocol DB Path: /home/jc/.local/pipx/venvs/crackmapexec/lib/python3.11/site-packages/cme/protocols/smb/database.py      crackmapexec.py:148
           DEBUG    Protocol Object: <class 'protocol.smb'>                                                                                   crackmapexec.py:151
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                           crackmapexec.py:153
           DEBUG    DB Path: /home/jc/.cme/workspaces/default/smb.db                                                                          crackmapexec.py:156
[20:29:30] DEBUG    Using selector: EpollSelector                                                                                           selector_events.py:54
           DEBUG    Creating ThreadPoolExecutor                                                                                                crackmapexec.py:44
           DEBUG    Creating thread for <class 'protocol.smb'>                                                                                 crackmapexec.py:47
           DEBUG    Kicking off proto_flow                                                                                                      connection.py:125
           INFO     Error creating SMBv1 connection to 192.168.XXX.202: Error occurs while reading from remote(104)                                    smb.py:590
           DEBUG    Update Hosts: [{'id': 3, 'ip': '192.168.XXX.202', 'hostname': 'DOMAIN', 'domain': 'DOMAIN', 'os': 'Windows 10.0 Build 20348', database.py:258
                    'dc': None, 'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]                                       
           DEBUG    add_host() - Host IDs Updated: [3]                                                                                            database.py:268
           DEBUG    Error logging off system: Error occurs while reading from remote(104)                                                              smb.py:256
SMB         192.168.XXX.202 445    DOMAIN           [*] Windows 10.0 Build 20348 x64 (name:DOMAIN) (domain:DOMAIN) (signing:False) (SMBv1:False)
           INFO     SMB         192.168.XXX.202 445    DOMAIN           [*] Windows 10.0 Build 20348 x64 (name:DOMAIN) (domain:DOMAIN)              logger.py:159
                    (signing:False) (SMBv1:False)                                                                                                                
           INFO     Error creating SMBv1 connection to 192.168.XXX.202: Error occurs while reading from remote(104)                                    smb.py:590
[20:29:31] DEBUG    Adding credential: DOMAIN/user:password                                                                                  smb.py:464
           DEBUG    Adding credentials: [{'id': 1, 'domain': 'DOMAIN', 'username': 'user', 'password': 'password', 'credtype':          database.py:327
                    'plaintext', 'pillaged_from_hostid': None}]                                                                                                  
           DEBUG    smb hosts() - results: [(3, '192.168.XXX.202', 'DOMAIN', 'DOMAIN', 'Windows 10.0 Build 20348', None, False, False, None,      database.py:498
                    None, None)]                                                                                                                                 
SMB         192.168.XXX.202 445    DOMAIN           [+] DOMAIN\user:password 
           INFO     SMB         192.168.XXX.202 445    DOMAIN           [+] DOMAIN\user:password                                          logger.py:159
           DEBUG    Calling ps_execute()

I attached a screenshot showing the command execution without debug.

Expected behavior would be that the command gets executed and the result is then printed at the very end.

I am using version 6.0 on a Kali Linux system. I installed it as described in the documentation like this:

~ python3 -m pip install pipx
~ git clone https://github.com/mpgn/CrackMapExec
~ cd CrackMapExec
~ pipx install .

I made sure to run this by adapting the PATH variable.

[Screenshot: CME-Error]

mpgn commented 1 year ago

The official repo has moved to https://github.com/mpgn/CrackMapExec, please open the issue on this repo :)