Closed Alamot closed 6 years ago
Hey @Alamot:
Check this part of your report:
[-] Error uploading file tQDHbKwq.exe, aborting.....
[-] Error performing the installation, cleaning up: 'NoneType' object has no attribute 'split'
I think psexec.py is connected to a previous RemComSvc instance that is still running in the target system.
Yes. This happens after having performed a clean reset on the machine. That's why it's strange.
I don't think reboot will remove the target service.
Run:
services.py username:password@targetHost list
and see if you have a service running that has four random letters. Most probably the last one listed. If so, run also:
services.py username:password@targetHost config -name <serviceName>
That might help in understanding what's going on.
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Trying protocol 445/SMB...
[*] Listing services available on target
1394ohci - 1394 OHCI Compliant Host Controller - STOPPED
ACPI - Microsoft ACPI Driver - RUNNING
AcpiPmi - ACPI Power Meter Driver - STOPPED
adp94xx - adp94xx - STOPPED
adpahci - adpahci - STOPPED
adpu320 - adpu320 - STOPPED
ADWS - Active Directory Web Services - RUNNING
AeLookupSvc - Application Experience - RUNNING
AFD - Ancillary Function Driver for Winsock - RUNNING
agp440 - Intel AGP Bus Filter - STOPPED
ALG - Application Layer Gateway Service - STOPPED
aliide - aliide - STOPPED
amdide - amdide - STOPPED
AmdK8 - AMD K8 Processor Driver - STOPPED
AmdPPM - AMD Processor Driver - STOPPED
amdsata - amdsata - STOPPED
amdsbs - amdsbs - STOPPED
amdxata - amdxata - RUNNING
AppHostSvc - Application Host Helper Service - RUNNING
AppID - AppID Driver - STOPPED
AppIDSvc - Application Identity - STOPPED
Appinfo - Application Information - STOPPED
AppMgmt - Application Management - STOPPED
arc - arc - STOPPED
arcsas - arcsas - STOPPED
aspnet_state - ASP.NET State Service - STOPPED
AsyncMac - RAS Asynchronous Media Driver - RUNNING
atapi - IDE Channel - RUNNING
AudioEndpointBuilder - Windows Audio Endpoint Builder - STOPPED
AudioSrv - Windows Audio - STOPPED
b06bdrv - Broadcom NetXtreme II VBD - STOPPED
b57nd60a - Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0 - STOPPED
Beep - Beep - STOPPED
BFE - Base Filtering Engine - RUNNING
BITS - Background Intelligent Transfer Service - STOPPED
blbdrive - blbdrive - RUNNING
bowser - Browser Support Driver - RUNNING
BrFiltLo - Brother USB Mass-Storage Lower Filter Driver - STOPPED
BrFiltUp - Brother USB Mass-Storage Upper Filter Driver - STOPPED
Browser - Computer Browser - STOPPED
Brserid - Brother MFC Serial Port Interface Driver (WDM) - STOPPED
BrSerWdm - Brother WDM Serial driver - STOPPED
BrUsbMdm - Brother MFC USB Fax Only Modem - STOPPED
BrUsbSer - Brother MFC USB Serial WDM Driver - STOPPED
cdfs - CD/DVD File System Reader - STOPPED
cdrom - CD-ROM Driver - RUNNING
CertPropSvc - Certificate Propagation - STOPPED
CLFS - Common Log (CLFS) - RUNNING
clr_optimization_v2.0.50727_32 - Microsoft .NET Framework NGEN v2.0.50727_X86 - STOPPED
clr_optimization_v2.0.50727_64 - Microsoft .NET Framework NGEN v2.0.50727_X64 - STOPPED
clr_optimization_v4.0.30319_32 - Microsoft .NET Framework NGEN v4.0.30319_X86 - STOPPED
clr_optimization_v4.0.30319_64 - Microsoft .NET Framework NGEN v4.0.30319_X64 - STOPPED
CmBatt - Microsoft AC Adapter Driver - RUNNING
cmdide - cmdide - STOPPED
CNG - CNG - RUNNING
Compbatt - Microsoft Composite Battery Driver - RUNNING
CompositeBus - Composite Bus Enumerator Driver - RUNNING
COMSysApp - COM+ System Application - RUNNING
crcdisk - Crcdisk Filter Driver - STOPPED
CryptSvc - Cryptographic Services - RUNNING
DcomLaunch - DCOM Server Process Launcher - RUNNING
defragsvc - Disk Defragmenter - STOPPED
Dfs - DFS Namespace - RUNNING
DfsC - DFS Namespace Client Driver - RUNNING
DfsDriver - DFS Namespace Server Filter Driver - RUNNING
DFSR - DFS Replication - RUNNING
DfsrRo - DFS Replication ReadOnly Driver - RUNNING
Dhcp - DHCP Client - RUNNING
DiagTrack - Diagnostics Tracking Service - RUNNING
discache - System Attribute Cache - RUNNING
Disk - Disk Driver - RUNNING
dmvsc - dmvsc - STOPPED
DNS - DNS Server - RUNNING
Dnscache - DNS Client - RUNNING
dot3svc - Wired AutoConfig - STOPPED
DPS - Diagnostic Policy Service - RUNNING
DXGKrnl - LDDM Graphics Subsystem - RUNNING
E1G60 - Intel(R) PRO/1000 NDIS 6 Adapter Driver - RUNNING
EapHost - Extensible Authentication Protocol - STOPPED
ebdrv - Broadcom NetXtreme II 10 GigE VBD - STOPPED
EFS - Encrypting File System (EFS) - STOPPED
elxstor - elxstor - STOPPED
ErrDev - Microsoft Hardware Error Device Driver - STOPPED
eventlog - Windows Event Log - RUNNING
EventSystem - COM+ Event System - RUNNING
exfat - exFAT File System Driver - STOPPED
fastfat - FAT12/16/32 File System Driver - STOPPED
FCRegSvc - Microsoft Fibre Channel Platform Registration Service - STOPPED
fdc - Floppy Disk Controller Driver - RUNNING
fdPHost - Function Discovery Provider Host - STOPPED
FDResPub - Function Discovery Resource Publication - STOPPED
FileInfo - File Information FS MiniFilter - STOPPED
Filetrace - Filetrace - STOPPED
flpydisk - Floppy Disk Driver - RUNNING
FltMgr - FltMgr - RUNNING
FontCache - Windows Font Cache Service - RUNNING
FontCache3.0.0.0 - Windows Presentation Foundation Font Cache 3.0.0.0 - STOPPED
FsDepends - File System Dependency Minifilter - STOPPED
gagp30kx - Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms - STOPPED
gpsvc - Group Policy Client - RUNNING
HDAudBus - Microsoft UAA Bus Driver for High Definition Audio - STOPPED
HidBatt - HID UPS Battery Driver - STOPPED
hidserv - Human Interface Device Access - STOPPED
HidUsb - Microsoft HID Class Driver - STOPPED
hkmsvc - Health Key and Certificate Management - STOPPED
HpSAMD - HpSAMD - STOPPED
HTTP - HTTP - RUNNING
hwpolicy - Hardware Policy Driver - RUNNING
i8042prt - i8042 Keyboard and PS/2 Mouse Port Driver - RUNNING
iaStorV - iaStorV - STOPPED
idsvc - Windows CardSpace - STOPPED
IHXM - IHXM - RUNNING
iirsp - iirsp - STOPPED
IKEEXT - IKE and AuthIP IPsec Keying Modules - RUNNING
intelide - intelide - RUNNING
intelppm - Intel Processor Driver - RUNNING
ioatdma - Intel(R) QuickData Technology Device - STOPPED
IPBusEnum - PnP-X IP Bus Enumerator - STOPPED
IpFilterDriver - IP Traffic Filter Driver - STOPPED
iphlpsvc - IP Helper - RUNNING
IPMIDRV - IPMIDRV - STOPPED
IPNAT - IP Network Address Translator - STOPPED
isapnp - isapnp - STOPPED
iScsiPrt - iScsiPort Driver - STOPPED
IsmServ - Intersite Messaging - RUNNING
kbdclass - Keyboard Class Driver - RUNNING
kbdhid - Keyboard HID Driver - STOPPED
kdc - Kerberos Key Distribution Center - RUNNING
KeyIso - CNG Key Isolation - STOPPED
KSecDD - KSecDD - RUNNING
KSecPkg - KSecPkg - RUNNING
ksthunk - Kernel Streaming Thunks - STOPPED
KtmRm - KtmRm for Distributed Transaction Coordinator - STOPPED
LanmanServer - Server - RUNNING
LanmanWorkstation - Workstation - RUNNING
lltdio - Link-Layer Topology Discovery Mapper I/O Driver - RUNNING
lltdsvc - Link-Layer Topology Discovery Mapper - STOPPED
lmhosts - TCP/IP NetBIOS Helper - RUNNING
LSI_FC - LSI_FC - STOPPED
LSI_SAS - LSI_SAS - RUNNING
LSI_SAS2 - LSI_SAS2 - STOPPED
LSI_SCSI - LSI_SCSI - RUNNING
luafv - UAC File Virtualization - RUNNING
megasas - megasas - STOPPED
MegaSR - MegaSR - STOPPED
MMCSS - Multimedia Class Scheduler - STOPPED
Modem - Modem - STOPPED
monitor - Microsoft Monitor Class Function Driver Service - RUNNING
mouclass - Mouse Class Driver - RUNNING
mouhid - Mouse HID Driver - STOPPED
mountmgr - Mount Point Manager - RUNNING
mpio - mpio - STOPPED
mpsdrv - Windows Firewall Authorization Driver - RUNNING
MpsSvc - Windows Firewall - RUNNING
mrxsmb - SMB MiniRedirector Wrapper and Engine - RUNNING
mrxsmb10 - SMB 1.x MiniRedirector - RUNNING
mrxsmb20 - SMB 2.0 MiniRedirector - RUNNING
msahci - msahci - RUNNING
msdsm - msdsm - STOPPED
MSDTC - Distributed Transaction Coordinator - RUNNING
Msfs - Msfs - RUNNING
mshidkmdf - Pass-through HID to KMDF Filter Driver - STOPPED
msisadrv - msisadrv - RUNNING
MSiSCSI - Microsoft iSCSI Initiator Service - STOPPED
msiserver - Windows Installer - STOPPED
MsRPC - MsRPC - STOPPED
mssmbios - Microsoft System Management BIOS Driver - RUNNING
MSSQL$SQLEXPRESS - SQL Server (SQLEXPRESS) - RUNNING
MTConfig - Microsoft Input Configuration Driver - STOPPED
Mup - Mup - RUNNING
napagent - Network Access Protection Agent - STOPPED
NDIS - NDIS System Driver - RUNNING
NdisCap - NDIS Capture LightWeight Filter - STOPPED
NdisTapi - Remote Access NDIS TAPI Driver - RUNNING
Ndisuio - NDIS Usermode I/O Protocol - STOPPED
NdisWan - Remote Access NDIS WAN Driver - RUNNING
NDProxy - NDIS Proxy - RUNNING
NetBIOS - NetBIOS Interface - RUNNING
NetBT - NetBT - RUNNING
Netlogon - Netlogon - RUNNING
Netman - Network Connections - STOPPED
NetMsmqActivator - Net.Msmq Listener Adapter - STOPPED
NetPipeActivator - Net.Pipe Listener Adapter - STOPPED
netprofm - Network List Service - RUNNING
NetTcpActivator - Net.Tcp Listener Adapter - STOPPED
NetTcpPortSharing - Net.Tcp Port Sharing Service - STOPPED
nfrd960 - nfrd960 - STOPPED
NlaSvc - Network Location Awareness - RUNNING
Npfs - Npfs - RUNNING
nsi - Network Store Interface Service - RUNNING
nsiproxy - NSI proxy service driver. - RUNNING
NTDS - Active Directory Domain Services - RUNNING
NtFrs - File Replication - STOPPED
Ntfs - Ntfs - RUNNING
Null - Null - RUNNING
nvraid - nvraid - STOPPED
nvstor - nvstor - STOPPED
nv_agp - NVIDIA nForce AGP Bus Filter - STOPPED
ohci1394 - 1394 OHCI Compliant Host Controller (Legacy) - STOPPED
Parport - Parallel port driver - STOPPED
partmgr - Partition Manager - RUNNING
pci - PCI Bus Driver - RUNNING
pciide - pciide - STOPPED
pcmcia - pcmcia - STOPPED
pcw - Performance Counters for Windows Driver - RUNNING
PEAUTH - PEAUTH - RUNNING
PerfHost - Performance Counter DLL Host - STOPPED
pla - Performance Logs & Alerts - STOPPED
PlugPlay - Plug and Play - RUNNING
PolicyAgent - IPsec Policy Agent - RUNNING
Power - Power - RUNNING
PptpMiniport - WAN Miniport (PPTP) - RUNNING
Processor - Processor Driver - STOPPED
ProfSvc - User Profile Service - RUNNING
ProtectedStorage - Protected Storage - STOPPED
Psched - QoS Packet Scheduler - RUNNING
ql2300 - ql2300 - STOPPED
ql40xx - ql40xx - STOPPED
RasAcd - Remote Access Auto Connection Driver - STOPPED
RasAgileVpn - WAN Miniport (IKEv2) - RUNNING
RasAuto - Remote Access Auto Connection Manager - STOPPED
Rasl2tp - WAN Miniport (L2TP) - RUNNING
RasMan - Remote Access Connection Manager - STOPPED
RasPppoe - Remote Access PPPOE Driver - RUNNING
RasSstp - WAN Miniport (SSTP) - RUNNING
rdbss - Redirected Buffering Sub Sysytem - RUNNING
rdpbus - Remote Desktop Device Redirector Bus Driver - RUNNING
RDPCDD - RDPCDD - RUNNING
RDPDR - Terminal Server Device Redirector Driver - STOPPED
RDPENCDD - RDP Encoder Mirror Driver - RUNNING
RDPREFMP - Reflector Display Driver used to gain access to graphics data - RUNNING
RDPWD - RDP Winstation Driver - STOPPED
RemoteAccess - Routing and Remote Access - STOPPED
RemoteRegistry - Remote Registry - RUNNING
RpcEptMapper - RPC Endpoint Mapper - RUNNING
RpcLocator - Remote Procedure Call (RPC) Locator - STOPPED
RpcSs - Remote Procedure Call (RPC) - RUNNING
RsFx0300 - RsFx0300 Driver - STOPPED
RSoPProv - Resultant Set of Policy Provider - STOPPED
rspndr - Link-Layer Topology Discovery Responder - RUNNING
s3cap - s3cap - STOPPED
sacdrv - sacdrv - STOPPED
sacsvr - Special Administration Console Helper - STOPPED
SamSs - Security Accounts Manager - RUNNING
sbp2port - sbp2port - STOPPED
SCardSvr - Smart Card - STOPPED
scfilter - Smart card PnP Class Filter Driver - STOPPED
Schedule - Task Scheduler - RUNNING
SCPolicySvc - Smart Card Removal Policy - STOPPED
secdrv - Security Driver - STOPPED
seclogon - Secondary Logon - STOPPED
SENS - System Event Notification Service - RUNNING
Serenum - Serenum Filter Driver - STOPPED
Serial - Serial port driver - STOPPED
sermouse - Serial Mouse Driver - STOPPED
SessionEnv - Remote Desktop Configuration - STOPPED
sffdisk - SFF Storage Class Driver - STOPPED
sffp_mmc - SFF Storage Protocol Driver for MMC - STOPPED
sffp_sd - SFF Storage Protocol Driver for SDBus - STOPPED
sfloppy - High-Capacity Floppy Disk Drive - STOPPED
SharedAccess - Internet Connection Sharing (ICS) - STOPPED
ShellHWDetection - Shell Hardware Detection - RUNNING
SiSRaid2 - SiSRaid2 - STOPPED
SiSRaid4 - SiSRaid4 - STOPPED
Smb - Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session) - STOPPED
SNMPTRAP - SNMP Trap - STOPPED
spldr - Security Processor Loader Driver - RUNNING
Spooler - Print Spooler - RUNNING
sppsvc - Software Protection - RUNNING
sppuinotify - SPP Notification Service - STOPPED
SQLAgent$SQLEXPRESS - SQL Server Agent (SQLEXPRESS) - STOPPED
SQLBrowser - SQL Server Browser - STOPPED
SQLWriter - SQL Server VSS Writer - RUNNING
srv - Server SMB 1.xxx Driver - RUNNING
srv2 - Server SMB 2.xxx Driver - RUNNING
srvnet - srvnet - RUNNING
SSDPSRV - SSDP Discovery - STOPPED
SstpSvc - Secure Socket Tunneling Protocol Service - STOPPED
stexstor - stexstor - STOPPED
storflt - Disk Virtual Machine Bus Acceleration Filter Driver - RUNNING
storvsc - storvsc - STOPPED
storvsp - storvsp - STOPPED
swenum - Software Bus Driver - RUNNING
swprv - Microsoft Software Shadow Copy Provider - STOPPED
TapiSrv - Telephony - STOPPED
TBS - TPM Base Services - STOPPED
Tcpip - TCP/IP Protocol Driver - RUNNING
TCPIP6 - Microsoft IPv6 Protocol Driver - STOPPED
tcpipreg - TCP/IP Registry Compatibility - RUNNING
TDPIPE - TDPIPE - STOPPED
TDTCP - TDTCP - STOPPED
tdx - NetIO Legacy TDI Support Driver - RUNNING
TermDD - Terminal Device Driver - RUNNING
TermService - Remote Desktop Services - STOPPED
THREADORDER - Thread Ordering Server - STOPPED
TrkWks - Distributed Link Tracking Client - STOPPED
TrustedInstaller - Windows Modules Installer - STOPPED
tssecsrv - Remote Desktop Services Security Filter Driver - STOPPED
TsUsbFlt - TsUsbFlt - STOPPED
TsUsbGD - Remote Desktop Generic USB Device - STOPPED
tunnel - Microsoft Tunnel Miniport Adapter Driver - RUNNING
TZZW - TZZW - RUNNING
uagp35 - Microsoft AGPv3.5 Filter - STOPPED
udfs - udfs - STOPPED
UI0Detect - Interactive Services Detection - STOPPED
uliagpkx - Uli AGP Bus Filter - STOPPED
umbus - UMBus Enumerator Driver - RUNNING
UmPass - Microsoft UMPass Driver - STOPPED
UmRdpService - Remote Desktop Services UserMode Port Redirector - STOPPED
upnphost - UPnP Device Host - STOPPED
usbccgp - Microsoft USB Generic Parent Driver - STOPPED
usbehci - Microsoft USB 2.0 Enhanced Host Controller Miniport Driver - STOPPED
usbhub - Microsoft USB Standard Hub Driver - STOPPED
usbohci - Microsoft USB Open Host Controller Miniport Driver - STOPPED
usbprint - Microsoft USB PRINTER Class - STOPPED
USBSTOR - USB Mass Storage Driver - STOPPED
usbuhci - Microsoft USB Universal Host Controller Miniport Driver - STOPPED
UxSms - Desktop Window Manager Session Manager - RUNNING
VaultSvc - Credential Manager - STOPPED
vdrvroot - Microsoft Virtual Drive Enumerator Driver - RUNNING
vds - Virtual Disk - RUNNING
vga - vga - STOPPED
VgaSave - VgaSave - RUNNING
vhdmp - vhdmp - STOPPED
viaide - viaide - STOPPED
Vid - Vid - STOPPED
vm3dmp - vm3dmp - RUNNING
vmbus - vmbus - STOPPED
VMBusHID - VMBusHID - STOPPED
vmci - VMware VMCI Bus Driver - RUNNING
vmhgfs - VMware Host Guest Client Redirector - RUNNING
VMMEMCTL - Memory Control Driver - RUNNING
vmmouse - VMware Pointing Device - RUNNING
vmrawdsk - VMware Vista Physical Disk Helper - RUNNING
VMTools - VMware Tools - RUNNING
vmvss - VMware Snapshot Provider - STOPPED
vnetflt - vNetFilter - RUNNING
volmgr - Volume Manager Driver - RUNNING
volmgrx - Dynamic Volume Manager - RUNNING
volsnap - Storage volumes - RUNNING
vsepflt - VFileFilter - RUNNING
vsmraid - vsmraid - STOPPED
vsock - vSockets Driver - RUNNING
VSS - Volume Shadow Copy - STOPPED
W32Time - Windows Time - RUNNING
W3SVC - World Wide Web Publishing Service - RUNNING
WacomPen - Wacom Serial Pen HID Driver - STOPPED
WANARP - Remote Access IP ARP Driver - STOPPED
Wanarpv6 - Remote Access IPv6 ARP Driver - RUNNING
WAS - Windows Process Activation Service - RUNNING
WcsPlugInService - Windows Color System - STOPPED
Wd - Wd - STOPPED
Wdf01000 - Kernel Mode Driver Frameworks service - RUNNING
WdiServiceHost - Diagnostic Service Host - STOPPED
WdiSystemHost - Diagnostic System Host - RUNNING
Wecsvc - Windows Event Collector - STOPPED
wercplsupport - Problem Reports and Solutions Control Panel Support - STOPPED
WerSvc - Windows Error Reporting Service - STOPPED
WfpLwf - WFP Lightweight Filter - RUNNING
WIMMount - WIMMount - STOPPED
WinHttpAutoProxySvc - WinHTTP Web Proxy Auto-Discovery Service - RUNNING
Winmgmt - Windows Management Instrumentation - RUNNING
WinRM - Windows Remote Management (WS-Management) - RUNNING
WLMS - Windows Licensing Monitoring Service - RUNNING
WmiAcpi - Microsoft Windows Management Interface for ACPI - STOPPED
wmiApSrv - WMI Performance Adapter - STOPPED
WPDBusEnum - Portable Device Enumerator Service - STOPPED
ws2ifsl - Windows Socket 2.0 Non-IFS Service Provider Support Environment - RUNNING
wuauserv - Windows Update - RUNNING
WudfPf - User Mode Driver Frameworks Platform Driver - STOPPED
wudfsvc - Windows Driver Foundation - User-mode Driver Framework - STOPPED
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Trying protocol 445/SMB...
[*] Querying service config for TZZW
TYPE : 16 - SERVICE_WIN32_OWN_PROCESS
START_TYPE : 2 - AUTO START
ERROR_CONTROL : 0 - IGNORE
BINARY_PATH_NAME : C:\Windows\EfuIvklz.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TZZW
DEPENDENCIES : /
SERVICE_START_NAME: LocalSystem
That's the one @Alamot
You should stop the service, remove the service and remove the file. You can do that this way:
services.py username:password@targetHost stop -name TZZW
services.py username:password@targetHost delete -name TZZW
You can remove the file by connecting to the C$ or ADMIN$ share using smbclient.py
Thank you very much. So if this service is already running then a user can get system even if he cannot write to any share. Right?
That is correct. The need for a writeable share is for copying the RemComSvc Windows Service file. Once it is running, all communication is done through Windows Named Pipes.
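A defender's check built on the output quoted in this thread, added here as an example (it is not code from Impacket or from the participants): it screens a `services.py list` listing for four-letter names, then confirms a candidate from its `config` output. The function names and both regexes are assumptions drawn from the names visible above (TZZW, EfuIvklz.exe), not a documented naming scheme.

```python
import re

# Heuristics from the output in this thread (assumptions): a four-letter service name
# reused as display name, an eight-letter .exe directly under C:\Windows, LocalSystem.
NAME_RE = re.compile(r"^[A-Za-z]{4}$")
BINARY_RE = re.compile(r"^C:\\Windows\\[A-Za-z]{8}\.exe$", re.IGNORECASE)

def parse_list(text):
    """Parse 'name - display name - STATE' lines; display names may contain ' - '."""
    rows = []
    for line in text.splitlines():
        head, sep, state = line.strip().rpartition(" - ")
        name, sep2, display = head.partition(" - ")
        if sep and sep2 and state in ("RUNNING", "STOPPED"):
            rows.append((name, display, state))
    return rows

def candidates(rows):
    """First-pass screen; also matches built-in drivers, so confirm with config."""
    return [name for name, display, _ in rows if NAME_RE.match(name) and display == name]

def parse_config(text):
    """Parse 'KEY : value' lines; values may themselves contain ':' (paths)."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().isupper():
            cfg[key.strip()] = value.strip()
    return cfg

def looks_like_leftover(cfg):
    """True when the config matches the leftover service shown in the thread."""
    return ("SERVICE_WIN32_OWN_PROCESS" in cfg.get("TYPE", "")
            and BINARY_RE.match(cfg.get("BINARY_PATH_NAME", "")) is not None
            and cfg.get("SERVICE_START_NAME", "").lower() == "localsystem")

# Excerpt of the listing and config output quoted in the thread.
LIST_OUTPUT = """\
b57nd60a - Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0 - STOPPED
Beep - Beep - STOPPED
IHXM - IHXM - RUNNING
Ntfs - Ntfs - RUNNING
TZZW - TZZW - RUNNING
"""
CONFIG_OUTPUT = r"""
TYPE : 16 - SERVICE_WIN32_OWN_PROCESS
BINARY_PATH_NAME : C:\Windows\EfuIvklz.exe
SERVICE_START_NAME: LocalSystem
"""
# Constructed benign config for contrast (not from the thread).
BENIGN_CONFIG = r"""
TYPE : 32 - SERVICE_WIN32_SHARE_PROCESS
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k netsvcs
"""
```

The name screen alone also returns built-in drivers such as Beep and Ntfs, so the config check on the binary path and account is what separates a leftover service from normal entries.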
A simple user (Local Group Memberships, Remote Desktop Users, Global Group memberships Domain Users) with no permission to write in any shares, got nt system shell:
How is this possible?