fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

DCOM SessionError 0x800706ba when using mmcexec and volumeshadowcopy #1774

Open aceman2221 opened 4 months ago

aceman2221 commented 4 months ago

Configuration

impacket version: 0.12
Python version: 3.11
Target OS: Kali Linux

Debug Output With Command String

i.e.

sudo impacket-secretsdump domain/Administrator:'Welcome01!'@ip  -use-vss  -just-dc -exec-method mmcexec  -debug 
Impacket v0.12.0.dev1+20230803.144057.e2092339 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20230803.144057.e2092339-py3.11.egg/impacket
[+] Service RemoteRegistry is already running
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x1903527255f1f0e727245ab062d54957
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[*] Searching for NTDS.dit
[*] Registry says NTDS.dit is at C:\Windows\NTDS\ntds.dit. Calling vssadmin to get a copy. This might take some time
[*] Using mmcexec method for remote execution
[+] ExecuteRemote command: %COMSPEC% /Q /c echo %COMSPEC% /C vssadmin list shadows /for=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Traceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/secretsdump.py", line 266, in dump
    NTDSFileName = self.__remoteOps.saveNTDS()
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20230803.144057.e2092339-py3.11.egg/impacket/examples/secretsdump.py", line 1123, in saveNTDS
    shadow, shadowFor, shadowId = self.__getLastVSS(forDrive=ntdsDrive)
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20230803.144057.e2092339-py3.11.egg/impacket/examples/secretsdump.py", line 1047, in __getLastVSS
    self.__executeRemote(command)
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20230803.144057.e2092339-py3.11.egg/impacket/examples/secretsdump.py", line 1034, in __executeRemote
    self.__mmcExec(command)
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20230803.144057.e2092339-py3.11.egg/impacket/examples/secretsdump.py", line 942, in __mmcExec
    iInterface = dcom.CoCreateInstanceEx(string_to_bin('49B2791A-B1AE-4C90-9B8E-E860BA07F889'), IID_IDispatch)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20230803.144057.e2092339-py3.11.egg/impacket/dcerpc/v5/dcomrt.py", line 1076, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20230803.144057.e2092339-py3.11.egg/impacket/dcerpc/v5/dcomrt.py", line 1854, in RemoteCreateInstance
    resp = self.__portmap.request(request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20230803.144057.e2092339-py3.11.egg/impacket/dcerpc/v5/rpcrt.py", line 880, in request
    raise exception
impacket.dcerpc.v5.dcomrt.DCERPCSessionError: DCOM SessionError: unknown error code: 0x800706ba
[-] DCOM SessionError: unknown error code: 0x800706ba
[*] Cleaning up... 

Additional context

I suspect the issue is similar to [#1039]
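
From the defender's side, the ExecuteRemote line in the debug output above is the part worth alerting on. The following is an added example, not impacket code and not part of the original issue: it scores process-creation command lines against the strings visible in that line. The event layout, the `indicators` and `triage` names, and the expanded-variable sample are assumptions, and it presumes command lines are being collected on the host.

```python
import re

# Patterns taken from the ExecuteRemote line in the debug output above.
INDICATORS = {
    "quiet_cmd": re.compile(r"/Q\s+/c\b", re.I),
    "vss_enum": re.compile(r"\bvssadmin(?:\.exe)?\s+list\s+shadows\b", re.I),
    "output_file": re.compile(r"\\Temp\\__output\b", re.I),
    "batch_stage": re.compile(r"\\execute\.bat\b", re.I),
    "batch_delete": re.compile(r"\bdel\s+\S*\\execute\.bat\b", re.I),
}

def indicators(cmdline):
    """Return the names of the indicators present in one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]

def triage(events, min_hits=3):
    """Flag events that enumerate shadow copies AND show the staging pattern.

    A lone `vssadmin list shadows` is routine backup administration, so the
    shadow-copy indicator must be joined by at least two staging indicators.
    """
    flagged = []
    for ev in events:
        hits = indicators(ev["cmdline"])
        if "vss_enum" in hits and len(hits) >= min_hits:
            flagged.append((ev["id"], hits))
    return flagged

# Command string as it appears in the debug output (environment variables unexpanded).
PAGE_CMD = (r"%COMSPEC% /Q /c echo %COMSPEC% /C vssadmin list shadows /for=C: "
            r"^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & "
            r"%COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat")
# Assumption: how the same line might look if variables are expanded before logging.
EXPANDED = (PAGE_CMD.replace("%COMSPEC%", r"C:\Windows\system32\cmd.exe")
            .replace("%SYSTEMROOT%", r"C:\Windows")
            .replace("%TEMP%", r"C:\Windows\Temp"))

# Constructed sample events (not from a real log); ids 3 and 4 are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": PAGE_CMD},
    {"id": 2, "cmdline": EXPANDED},
    {"id": 3, "cmdline": r"vssadmin list shadows /for=C:"},
    {"id": 4, "cmdline": r"cmd.exe /c C:\Scripts\execute.bat"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(event_id, ",".join(hits))
```

The file names `__output` and `execute.bat` are the values shown in this particular run, so treat them as tunable strings rather than a fixed signature.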

anadrianmanrique commented 4 months ago

Can you provide specs of the target system in order to replicate the issue on our side? Thanks.

aceman2221 commented 4 months ago

Target OS is Windows Server 2016 which is configured to be a DC.

aceman2221 commented 4 months ago

I've tried to add a call to the dcom.disconnect function in the mmcexec module, but that didn't work either.