fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

Use psexec.py to remotely connect to the windows_server_2003 device. If the connection fails, an error message is displayed #1506

Open dew0105 opened 1 year ago

dew0105 commented 1 year ago

Configuration

impacket version: v0.9.15
Python version: Python 2.7.5
Target OS: windows_server_2003

Debug Output With Command String

i.e.

root@isomp:/opt/pyenv/bin# python psexec.py -debug domain/administrator:admin@1234@172.16.10.224
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Trying protocol 445/SMB...

----connectTree----\172.16.10.224\IPC$
[*] Requesting shares on 172.16.10.224.....
----connectTree----\172.16.10.224\IPC$
[*] Found writable share C$
[*] Found writable share C$
[*] install shares: [*] C$
[*] Uploading file sbr_BzggXFEU.exe
[*] Opening SVCManager on 172.16.10.224.....
----connectTree----\172.16.10.224\IPC$
[*] Creating service sbr_QHVs on 172.16.10.224.....
[*] Starting service sbr_QHVs.....
----connectTree----\172.16.10.224\IPC$
[-] Pipe not ready, aborting
-------------ERROR----------------
Traceback (most recent call last):
  File "psexec.py", line 168, in doStuff
    fid_main = self.openPipe(s,tid,'\RemCom_communicaton',0x12019f)
  File "psexec.py", line 113, in openPipe
    s.waitNamedPipe(tid,pipe)
  File "/opt/pyenv/lib/python2.7/site-packages/impacket/smbconnection.py", line 628, in waitNamedPipe
    raise SessionError(e.get_error_code())
SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
[*] Opening SVCManager on 172.16.10.224.....
----connectTree----\172.16.10.224\IPC$
[*] Stoping service sbr_QHVs.....
[*] Removing service sbr_QHVs.....
[*] Removing file sbr_BzggXFEU.exe.....
root@isomp:/opt/pyenv/bin#

iamkissos commented 2 months ago

It seems that the named pipe created by the PSExec Service (RemCom_communicaton) does not exist!...
First, have you tried listing the current named pipes on the machine locally?
If the named pipe is listening locally, it might mean the SMB client does some funny business...

This could also be a case of bad named pipe creation by the PSExec Service itself. Whenever we create a named pipe we specify certain parameters for the pipe itself.

Just an example I found online:

#include <windows.h>

int main(void)
{
    HANDLE hPipe = CreateNamedPipe(TEXT("\\\\.\\pipe\\Pipe"),
                            PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,   // FILE_FLAG_FIRST_PIPE_INSTANCE is not needed but forces CreateNamedPipe(..) to fail if the pipe already exists...
                            1,                          // nMaxInstances
                            1024 * 16,                  // nOutBufferSize
                            1024 * 16,                  // nInBufferSize
                            NMPWAIT_USE_DEFAULT_WAIT,   // nDefaultTimeOut
                            NULL);                      // lpSecurityAttributes
    if (hPipe == INVALID_HANDLE_VALUE)                  // failure is INVALID_HANDLE_VALUE, not NULL
        return (int)GetLastError();                     // tells which parameter or name was rejected
    CloseHandle(hPipe);
    return 0;
}

I assume the error could be caused by supplying an unsupported parameter in older Windows versions.
Have you tried compiling the service binary on the server itself and seeing if it runs properly?
If you encounter an error while running the service binary manually it might shed some light on the situation.

These pages might be useful to debug the named pipe creation:

In any case I believe the issue is Windows-version related so this might be a head-scratcher...
Best Of Luck!
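From the defender's side, the debug trace above is a complete record of the artifacts psexec.py leaves on the target: a randomly named binary uploaded to the root of a writable admin share, a randomly named service installed to run it, and (when the service works) the RemCom_communicaton pipe. The following is an added detection example, not impacket's or the commenter's code; the log records are constructed key=value lines whose field names mirror Windows System event 7045 and Sysmon event 17, and the 30-second window is an assumption.

```python
"""Correlate service-install events with RemCom pipe creation per host.
All records below are constructed samples, not real event log output."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
2024-05-01T10:00:01Z host=SRV2003 id=7045 ServiceName=sbr_QHVs ImagePath=C:\sbr_BzggXFEU.exe
2024-05-01T10:00:02Z host=SRV2003 id=17 PipeName=\RemCom_communicaton Image=C:\sbr_BzggXFEU.exe
2024-05-01T10:05:00Z host=SRV2003 id=7045 ServiceName=Spooler ImagePath=C:\WINDOWS\system32\spoolsv.exe
2024-05-01T11:00:00Z host=FS01 id=7045 ServiceName=sbr_Ab12 ImagePath=C:\sbr_Q1w2e3r4.exe
"""

# A service binary sitting directly at a volume root (what an upload to C$ produces)
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one constructed record into a dict; 'ts' becomes a datetime, 'id' an int."""
    ts, rest = line.split(" ", 1)
    rec = dict(FIELD.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["id"] = int(rec["id"])
    return rec


def detect_psexec(log_text, window=timedelta(seconds=30)):
    """One alert per 7045 whose ImagePath is a share-root exe.
    Confidence is 'high' when a RemCom* pipe appears on the same host within
    `window`; otherwise 'medium' (service installed, pipe never seen, which is
    exactly what the failed run in this issue would look like on the target)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    pipes = [r for r in records
             if r["id"] == 17 and "remcom" in r.get("PipeName", "").lower()]
    alerts = []
    for r in records:
        if r["id"] != 7045 or not ROOT_EXE.match(r.get("ImagePath", "")):
            continue
        seen_pipe = any(p["host"] == r["host"] and r["ts"] <= p["ts"] <= r["ts"] + window
                        for p in pipes)
        alerts.append({"host": r["host"], "service": r["ServiceName"],
                       "image": r["ImagePath"],
                       "confidence": "high" if seen_pipe else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec(SAMPLE_LOG):
        print(alert)
```

Run against the samples, the Spooler install is ignored, the SRV2003 pair is reported as high confidence, and the FS01 service with no pipe as medium.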