fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

Impacket-net access denied when specifying user #1706

Closed Signum21 closed 4 months ago

Signum21 commented 4 months ago

Configuration

impacket version: Impacket v0.11.0
Python version: Python 3.11.7
Target OS: Windows Server 2019

Debug Output With Command String

Not working example specifying username

impacket-net -debug 'thm.corp/TABATHA_BRITT:marlboro(1985)@thm.corp' user -name TABATHA_BRITT

Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
Traceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/net.py", line 549, in <module>
    net.run(address, options.target_ip)
  File "/usr/share/doc/python3-impacket/examples/net.py", line 370, in run
    info = actionObject.Query(self.__options.name)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/doc/python3-impacket/examples/net.py", line 158, in Query
    user_handle = self._get_user_handle(domain_handle, name)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/doc/python3-impacket/examples/net.py", line 105, in _get_user_handle
    response = samr.hSamrOpenUser(self._dce, domain_handle, samr.USER_ALL_ACCESS, user_rid)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/samr.py", line 2487, in hSamrOpenUser
    return dce.request(request)
           ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 880, in request
    raise exception
impacket.dcerpc.v5.samr.DCERPCSessionError: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[-] SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Working example without specifying username

impacket-net -debug 'thm.corp/TABATHA_BRITT:marlboro(1985)@thm.corp' user

Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Enumerating users ..
  1. Administrator (500)
  2. Guest (501)
  3. krbtgt (502)
  <snip>

PCAP

None

Additional context

Tested on https://tryhackme.com/room/resetui

gabrielg5 commented 4 months ago

Hi @Signum21, thanks for your report!

Tried in my environment here and was able to replicate the issue when the user with which I'm authenticating is not administrator. Tried with administrator, and the example worked fine.

Checking the net.py implementation, I found that we are asking for a different DesiredAccess for that call: https://github.com/fortra/impacket/blob/fa59178fe5631100d5ccaf5d71132310699e02cf/examples/net.py#L103-L106 (while for the other objects we are asking for samr.MAXIMUM_ALLOWED).

Later today will create a PR changing the needed access and will let you know so you can also validate those changes.

Thank you!
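The difference between the two DesiredAccess values discussed in this thread, as an added example that is not impacket's or Windows' own code: a simplified model of the server-side check in which an explicit mask is all-or-nothing while MAXIMUM_ALLOWED returns whatever the object's DACL grants. The mask constants are the MS-SAMR values; `open_user`, `AccessDenied` and the `LOW_PRIV_GRANT` mask are hypothetical names and constructed sample data.

```python
# User-object access masks (MS-SAMR) and the generic MAXIMUM_ALLOWED flag.
USER_READ_GENERAL = 0x00000001
USER_READ_PREFERENCES = 0x00000002
USER_READ_LOGON = 0x00000008
USER_READ_ACCOUNT = 0x00000010
USER_FORCE_PASSWORD_CHANGE = 0x00000080
USER_LIST_GROUPS = 0x00000100
USER_READ_GROUP_INFORMATION = 0x00000200
READ_CONTROL = 0x00020000
USER_ALL_ACCESS = 0x000F07FF
MAXIMUM_ALLOWED = 0x02000000
STATUS_ACCESS_DENIED = 0xC0000022

# Constructed sample data: a read-only grant for a non-administrative caller.
LOW_PRIV_GRANT = (USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON |
                  USER_READ_ACCOUNT | USER_LIST_GROUPS |
                  USER_READ_GROUP_INFORMATION | READ_CONTROL)
ADMIN_GRANT = USER_ALL_ACCESS


class AccessDenied(Exception):
    """Raised with the bits the caller asked for but the DACL did not grant."""
    def __init__(self, missing):
        super().__init__(f"code: {STATUS_ACCESS_DENIED:#x} - STATUS_ACCESS_DENIED")
        self.missing = missing


def open_user(granted_by_dacl, desired_access):
    """Hypothetical model: return the mask attached to the handle, or raise."""
    explicit = desired_access & ~MAXIMUM_ALLOWED
    missing = explicit & ~granted_by_dacl
    # Every explicitly requested bit must be granted, otherwise the open fails.
    if missing or not granted_by_dacl:
        raise AccessDenied(missing)
    if desired_access & MAXIMUM_ALLOWED:
        # The caller accepts whatever subset the DACL allows.
        return granted_by_dacl
    return explicit


if __name__ == "__main__":
    for label, wanted in (("USER_ALL_ACCESS", USER_ALL_ACCESS),
                          ("MAXIMUM_ALLOWED", MAXIMUM_ALLOWED)):
        try:
            print(f"{label}: handle mask {open_user(LOW_PRIV_GRANT, wanted):#010x}")
        except AccessDenied as exc:
            print(f"{label}: {exc} (missing {exc.missing:#010x})")
```
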