Closed bashexplode closed 5 years ago
Thanks for the report @bashexplode! I am unsure if I have fixed this or not in the new commit 886d6a0.
Could you re-pull and re-test and let me know if it works for you now? If not, I'll continue to dig into this.
Hey @bashexplode, I've been testing this some more.
I've noticed that I get this issue when the firewall is enabled on the remote system. Can you confirm that this issue is fixed when the remote system's firewall is disabled?
This is a known limitation of DCOM lateral movement, and not something I'll be able to address. Although I would like to capture the error output instead of printing it to the console screen.
@bashexplode Closing this for now. If you are able to test and continue to experience issues, we can re-open.
This error I could not figure out.
The following is the error output from a Grunt implant (NET40 binary) of the DCOMCommand function that's supposed to be hooking into SharpSploit:
DCOM Failed: Retrieving the COM class factory for remote component with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} from machine DOMAINCOMPUTER.LAB failed due to the following error: 800706ba DOMAINCOMPUTER.LAB.
DCOM Failed: Retrieving the COM class factory for remote component with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} from machine DOMAINCOMPUTER.LAB failed due to the following error: 800706ba DOMAINCOMPUTER.LAB.
DCOM Failed: Retrieving the COM class factory for remote component with CLSID {49B2791A-B1AE-4C90-9B8E-E860BA07F889} from machine DOMAINCOMPUTER.LAB failed due to the following error: 800706ba DOMAINCOMPUTER.LAB.
The curious issue here is that I used both a PowerShell script I created and my own compiled wrapper of SharpSploit to execute the same command via DCOM, and all three of those method objects worked against the same exact system (i.e. MMC20.Application, ShellWindows, ShellBrowserWindow). Happy to work with you on this one.
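The `800706ba` value in the output above is an HRESULT, and decoding it shows why a host firewall produces this failure. The following is an added example, not part of the original thread or of SharpSploit's code; the sample lines are constructed from the report, and the function names and lookup tables are assumptions limited to a few well-known values.

```python
import re

# Constructed sample in the shape of the error lines quoted in the report.
SAMPLE = (
    "DCOM Failed: Retrieving the COM class factory for remote component with CLSID "
    "{9BA05972-F6A8-11CF-A442-00A0C90A8F39} from machine DOMAINCOMPUTER.LAB failed "
    "due to the following error: 800706ba DOMAINCOMPUTER.LAB.\n"
    "DCOM Failed: Retrieving the COM class factory for remote component with CLSID "
    "{49B2791A-B1AE-4C90-9B8E-E860BA07F889} from machine DOMAINCOMPUTER.LAB failed "
    "due to the following error: 800706ba DOMAINCOMPUTER.LAB.\n"
)

LINE_RE = re.compile(
    r"CLSID \{(?P<clsid>[0-9A-Fa-f-]{36})\} from machine (?P<host>\S+) "
    r"failed due to the following error: (?P<hr>[0-9A-Fa-f]{8})\b"
)

# Well-known CLSIDs of the three objects named in the report.
CLSID_NAMES = {
    "9BA05972-F6A8-11CF-A442-00A0C90A8F39": "ShellWindows",
    "C08AFD90-F2A1-11D1-8455-00A0C91F3880": "ShellBrowserWindow",
    "49B2791A-B1AE-4C90-9B8E-E860BA07F889": "MMC20.Application",
}
FACILITIES = {0: "FACILITY_NULL", 1: "FACILITY_RPC", 4: "FACILITY_ITF", 7: "FACILITY_WIN32"}
# Small subset of Win32 error codes relevant to remote activation failures.
WIN32_CODES = {5: "ERROR_ACCESS_DENIED", 1722: "RPC_S_SERVER_UNAVAILABLE", 1753: "EPT_S_NOT_REGISTERED"}

def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, 11-bit facility, 16-bit code."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def triage(text):
    """Return one dict per DCOM error line with the HRESULT decoded."""
    rows = []
    for m in LINE_RE.finditer(text):
        failed, facility, code = decode_hresult(int(m["hr"], 16))
        rows.append({
            "host": m["host"],
            "object": CLSID_NAMES.get(m["clsid"].upper(), "unknown"),
            "failed": failed,
            "facility": FACILITIES.get(facility, str(facility)),
            "code": code,
            # Only FACILITY_WIN32 (7) codes map onto the Win32 error table.
            "name": WIN32_CODES.get(code, "unmapped") if facility == 7 else "unmapped",
        })
    return rows
```

Every line decodes to FACILITY_WIN32 code 1722, `RPC_S_SERVER_UNAVAILABLE`: the RPC connection to the remote host was never established, which matches the firewall explanation given in the thread.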