byt3bl33d3r / ItWasAllADream

A PrintNightmare (CVE-2021-34527) Python Scanner. Scan entire subnets for hosts vulnerable to the PrintNightmare RCE

ERROR_BAD_NET_NAME - The network name cannot be found. #3

Open jaykijay opened 3 years ago

jaykijay commented 3 years ago

Hi, thanks for your work,

I always get the error message "ERROR_BAD_NET_NAME - The network name cannot be found."

Running it in debug mode shows me the IP it tries to connect to, which is the right one and is reachable from the target machine.

I tried running it with docker and in Dev Mode and get the same result sadly.

There is no Firewall in between and the target is vulnerable.

Do you have any idea?

byt3bl33d3r commented 3 years ago

Were you previously hosting an SMB server from the IP address it tries to connect to?

shikatano commented 3 years ago

I received the ERROR_BAD_NET_NAME error when I already had smbd running. When I turned smbd off, it went away.

I also received a different error when I had impacket-smbserver running: Got unexpected response: RPRN SessionError: unknown error code: 0x180

smashsec commented 3 years ago

Running in docker the target host will try to connect back to the docker container IP using SMB and fails: [itwasalladream] DEBUG - Attempting DLL execution \\172.17.0.2\itwasalladream\bogus.dll. The target won't be able to resolve the docker container IP.

byt3bl33d3r commented 3 years ago

Yup and that's fine cause we're not actually exploiting anything. We just need to pass a UNC path to the RPC call in order to determine if it's exploitable based on the response of the RPC call. The UNC path doesn't need to point to a valid share/file as we can determine if it's vulnerable regardless.

I can try to reproduce this in my lab but you might just want to try running it from a host where you haven't hosted an SMB server before.

smashsec commented 2 years ago

> Yup and that's fine cause we're not actually exploiting anything. We just need to pass a UNC path to the RPC call in order to determine if it's exploitable based on the response of the RPC call. The UNC path doesn't need to point to a valid share/file as we can determine if it's vulnerable regardless.
>
> I can try to reproduce this in my lab but you might just want to try running it from a host where you haven't hosted an SMB server before.

Yes I can see the script checks for ERROR_BAD_NETPATH in the RPC exception and uses that to determine vulnerability. Would ERROR_BAD_NET_NAME also be a vulnerable case? I have seen that error before when using a bad share name.

In my case I am using Kali with the smbd service stopped. I am using ItWasAllADream via a docker container. I will want a valid smbd share service available for actual exploitation during an engagement if this tool successfully finds a target.
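The thread above boils down to reading the RPRN error the target returns for the bogus UNC path, and noticing when a real SMB server on the scanning host changes that error. The following is an added example, not ItWasAllADream's code: it parses an RPRN SessionError string in the format impacket prints (assumed) and returns a verdict that treats ERROR_BAD_NET_NAME and 0x180 as inconclusive rather than as "not vulnerable"; the sample error strings are constructed.

```python
import re
import socket
from typing import NamedTuple, Optional

# Win32 error codes for the names that appear in this issue thread.
ERROR_BAD_NETPATH = 0x35    # 53: "The network path was not found."
ERROR_BAD_NET_NAME = 0x43   # 67: "The network name cannot be found."
UNEXPECTED_0x180 = 0x180    # seen by a commenter with impacket-smbserver running

class Verdict(NamedTuple):
    code: Optional[int]
    vulnerable: Optional[bool]   # True / False / None (inconclusive)
    note: str

# Assumed impacket formats:
#   "RPRN SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found."
#   "RPRN SessionError: unknown error code: 0x180"
_KNOWN = re.compile(r"SessionError: code: 0x([0-9a-fA-F]+) - (\w+)")
_UNKNOWN = re.compile(r"SessionError: unknown error code: 0x([0-9a-fA-F]+)")

def parse_rprn_code(rpc_error: str) -> Optional[int]:
    """Extract the Win32 error code from an RPRN SessionError string."""
    m = _KNOWN.search(rpc_error) or _UNKNOWN.search(rpc_error)
    return int(m.group(1), 16) if m else None

def classify(rpc_error: str) -> Verdict:
    """Map the RPC error to a scan verdict, per the behaviour described in the issue."""
    code = parse_rprn_code(rpc_error)
    if code == ERROR_BAD_NETPATH:
        return Verdict(code, True, "target tried to reach the bogus UNC path: the check the scanner relies on")
    if code == ERROR_BAD_NET_NAME:
        return Verdict(code, None, "UNC host answered SMB but had no such share; stop any local smbd and rescan")
    if code == UNEXPECTED_0x180:
        return Verdict(code, None, "reported with impacket-smbserver running on the scanner host; stop it and rescan")
    return Verdict(code, None, "unrecognised error; inspect the raw response")

def local_smb_listener(port: int = 445, timeout: float = 0.5) -> bool:
    """Preflight: is something already answering SMB on this host? (would skew the verdict)"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex(("127.0.0.1", port)) == 0

# Constructed sample responses, one per case discussed in the thread.
SAMPLES = [
    "Got unexpected response: RPRN SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found.",
    "Got unexpected response: RPRN SessionError: code: 0x43 - ERROR_BAD_NET_NAME - The network name cannot be found.",
    "Got unexpected response: RPRN SessionError: unknown error code: 0x180",
]
```

Run `local_smb_listener()` before a scan; if it returns True, an ERROR_BAD_NET_NAME result is the interference described above rather than a verdict about the target.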