search

fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com
Other
13.54k stars 3.58k forks source link

Get wrong boolean value when using ExecQuery #768

Open jason21716 opened 4 years ago

jason21716 commented 4 years ago

Configuration

impacket version: 0.9.20 Python version: 3.7.4 Target OS: Win 10

Debug Output With Command String

I'm using wmiquery.py in example and exec WQL query *Select from Win32_Desktop, result is showed but all bool value is wrong, value False is show True* (Confidential Data is replace by )

python .\wmiquery.py winntdom/*******:*******@*******
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[!] Press help for extra shell commands
WQL> Select * from Win32_Desktop
| SettingID | Caption | Description | BorderWidth | CoolSwitch | CursorBlinkRate | DragFullWindows | GridGranularity | IconSpacing | IconTitleFaceName | IconTitleSize | IconTitleWrap | Name | Pattern | ScreenSaverActive | ScreenSaverExecutable | ScreenSaverSecure | ScreenSaverTimeout | Wallpaper | WallpaperTiled | WallpaperStretched |
| None | None | None | None | True | 500 | True | None | None | MS Shell Dlg | 8 | True | NT AUTHORITY\SYSTEM | (None) | True | None | True | None | (None) | True | True |
| None | None | None | None | True | 530 | True | None | None | Tahoma | 8 | True | NT AUTHORITY\LOCAL SERVICE | 0 | True | None | True | None | C:\Windows\Web\Wallpaper\Windows\img0.jpg | True | True |
| None | None | None | None | True | 530 | True | None | None | Tahoma | 8 | True | NT AUTHORITY\NETWORK SERVICE | 0 | True | None | True | None | C:\Windows\Web\Wallpaper\Windows\img0.jpg | True | True |
| None | None | None | None | True | 530 | True | None | None | Tahoma | 8 | True | WINNTDOM\******* | 0 | True | None | True | None | C:\Windows\Web\Wallpaper\Windows\img0.jpg | True | True |
| None | None | None | None | True | 530 | True | None | None | Tahoma | 8 | True | WINNTDOM\******* | 0 | True | None | True | None | C:\Windows\Web\Wallpaper\Windows\img0.jpg | True | True |
| None | None | None | None | True | 530 | True | None | None | Tahoma | 8 | True | WINNTDOM\******* | 0 | True | None | True | None | C:\Windows\Web\Wallpaper\Windows\img0.jpg | True | True |
| None | None | None | None | True | 530 | True | None | None | Tahoma | 8 | True | WINNTDOM\******* | 0 | True | None | True | None | C:\Windows\Web\Wallpaper\Windows\img0.jpg | True | True |
| None | None | None | None | True | 530 | True | None | None | Tahoma | 8 | True | WINNTDOM\******* | 0 | True | None | True | None | C:\Windows\Web\Wallpaper\Windows\img0.jpg | True | True |
| None | None | None | 1 | True | 530 | True | None | 43 | Microsoft JhengHei UI | 9 | True | WINNTDOM\******* | 0 | True | None | True | None | C:\Users\*******\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper | True | True |
| None | None | None | None | True | 530 | True | None | None | Tahoma | 8 | True | WINNTDOM\******* | 0 | True | None | True | None | C:\Windows\Web\Wallpaper\Windows\img0.jpg | True | True |
| None | None | None | None | True | 500 | True | None | None | MS Shell Dlg | 8 | True | .DEFAULT | (None) | True | None | True | None | (None) | True | True |
WQL>

In other wmi viewer, the field WallpaperStretched have half of all row with False.

image

PCAP

If applicable, add a packet capture to help explain your problem.

Additional context

Space for additional context, investigative results, suspected issue.

0xdeaddood commented 4 years ago

Hi @jason21716! Could you try to query the values separately? What do you get? I think it's a problem with the "select *" query.

jason21716 commented 4 years ago

Hi @0xdeaddood, I tried to select one column and yes, it shows the different result.

WQL> select * from Win32_Desktop where Name like 'WINNTDOM\\*********'
| SettingID | Caption | Description | BorderWidth | CoolSwitch | CursorBlinkRate | DragFullWindows | GridGranularity | IconSpacing | IconTitleFaceName | IconTitleSize | IconTitleWrap | Name | Pattern | ScreenSaverActive | ScreenSaverExecutable | ScreenSaverSecure | ScreenSaverTimeout | Wallpaper | WallpaperTiled | WallpaperStretched |
| None | None | None | 1 | True | 530 | True | None | 43 | Microsoft JhengHei UI | 9 | True | WINNTDOM\********* | 0 | True | None | True | None | C:\Users\*********\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper | True | True |
WQL> select Name, WallpaperTiled, WallPaperStretched from Win32_Desktop where Name like 'WINNTDOM\\*********'
| Name | WallpaperStretched | WallpaperTiled |
| WINNTDOM\********* | True | None |

That is a good workaround to solve my problem in a short time, thank you!