search

m8sec / ActiveReign

A Network Enumeration and Attack Toolset for Windows Active Directory Environments.
GNU General Public License v3.0
244 stars 44 forks source link

Intermittent Errors - ironkatz module #3

Closed n8zwn closed 4 years ago

n8zwn commented 4 years ago

Here is some errors that I have seen when running ironkatz, it is worth noting that in the for loop that these errors did not stop it from going on to the next host:

The command as I was running it:

activereign enum -u user -p password --local-auth -M ironkatz $ip

I also ran it in a for loop because when I fed it the target file with 930 IPs, it got stuck and never finished. 


  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/ops/enum/code_execution.py", line 10, in execute
    self.result = self.exec_obj.execute(self.command)
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 61, in execute
    self.create_wmi_con()
  File "/home/user/.local/lib/python3.6/site-packages/ar3/core/wmiexec.py", line 53, in create_wmi_con
    iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1057, in CoCreateInstanceEx
    iInterface = scm.RemoteCreateInstance(clsid, iid)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1836, in RemoteCreateInstance
    resp = self.__portmap.request(request)
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    answer = self.recv()
  File "/home/user/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied```
n8zwn commented 4 years ago

I thought I should mention that the credentials are valid and if I run the psexec module in metasploit, then execute mimikatz that I don't see any errors, which then pulls the clear text creds. These errors happen in the mimikatz module as well.

m8sec commented 4 years ago

Hi @n8zwn,

Often times I have found the issue with the mimikatz/ironkatz payloads is the timeout. The payload is not given enough time to download & execute before the results are checked by AR3. However, I would expect the error to be returned in PowerShell not the Python code (specifically in the Impacket library).

What version of Impacket are you using? pip3 freeze|grep impacket

For example, I am using a Kali Linux OS with: Screen Shot 2019-09-26 at 8 57 38 AM

I have just tested both the ironkatz and mimikatz payloads successfully on a Windows 2012r2, but still working on compatibility with more OS versions. (Was debating releasing a compatibility worksheet outlining AR3 features and OS versions they have been tested against)

n8zwn commented 4 years ago
Screen Shot 2019-09-26 at 9 48 49 AM
n8zwn commented 4 years ago

I saw you are using 3.7 so I will do some additional testing with that version. Also, this is a great tool so I appreciate you being so responsive!

n8zwn commented 4 years ago

Looks like the error does not happen anymore after changing my version of python. Not getting anything back, but that could be due to the timeout. I know that at least a 30 second wait did not get the data back. I will close this out

m8sec commented 4 years ago

I'm glad the error has gone away! However, I agree, we will have to put in some more work to perfect the mimikatz/ironkatz modules.