mitre / caldera

Automated Adversary Emulation Platform
https://caldera.mitre.org
Apache License 2.0

asyncio error when running an ability that uses crackmapexec #2199

Closed Bros10 closed 3 years ago

Bros10 commented 3 years ago

Hi, I've come across this error: [image] while attempting to run any crackmapexec commands via an ability. What doesn't make sense is that about a week ago all these abilities worked perfectly. Since then I've not changed the command run nor the machine that the agent is deployed on, and still this error appears. I've tried with an elevated agent and still no success.

I know that crackmapexec still works fine as copying and pasting the command onto the actual machine it runs perfectly, so it seems to be an issue with the agent used.

uruwhy commented 3 years ago

@Bros10 Could you provide the caldera version you used to successfully run the ability in the past, as well as the caldera version that caused this error?

uruwhy commented 3 years ago

If possible, could you also share the ability YAML file you used to create the ability? Feel free to strip out any personal information if needed.

Bros10 commented 3 years ago

@Bros10 Could you provide the caldera version you used to successfully run the ability in the past, as well as the caldera version that caused this error?

May be a stupid question, but is there a nice way to check exactly what version of CALDERA I'm running? I am pretty sure it's 3.0.0 though

Bros10 commented 3 years ago

If possible, could you also share the ability YAML file you used to create the ability? Feel free to strip out any personal information if needed.

- id: 5927c6bc-71dc-4c32-b681-6dfe3f487512
  name: LDAP Password spraying against a single user or a list of valid users
  description: Using cme to find valid creds
  tactic: discovery
  technique:
    attack_id: T1018
    name: Remote System Discovery
  platforms:
    linux:
      sh:
        command: crackmapexec ldap 192.168.10.18 -u Administrator -p top_100_passwords.txt
        payloads:
        - top_100_passwords.txt
        - users.txt
        cleanup: rm top_100_passwords.txt

Bros10 commented 3 years ago

Something to note is that there is no crackmapexec payload, because I am deploying and running this operation on a Kali machine, which is seen as the "compromised" or "rogue" machine within a network.

Bros10 commented 3 years ago

On the exact machine I've deployed the agent on with the same privilege:

┌──(root💀kali)-[/home/kali/Exploits]
└─# crackmapexec ldap 192.168.10.18 -u Administrator -p top_100_passwords.txt
LDAP        192.168.10.18   389    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:******) (signing:True) (SMBv1:False)
LDAP        192.168.10.18   389    DC01             [-] *******\Administrator:12345
LDAP        192.168.10.18   389    DC01             [-] *******\Administrator:123456

Note: This ability did work a few days ago, I've made no changes to CALDERA nor the ability nor the kali machine nor the agent nor the target machine.

Bros10 commented 3 years ago

Another thing to note is that this ability still works fine:

- id: e15295c2-f1f8-49b1-8968-b14963ee4a7e
  name: AS-Reproast
  description: Grabbing hashes using asreproast
  tactic: credential-access
  technique:
    attack_id: T1557.001
    name: 'Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
  platforms:
    linux:
      sh:
        command: crackmapexec ldap 192.168.10.18 -u users.txt -p '' --asreproast /tmp/output.txt
          2>/dev/null > /tmp/asep.txt; cat /tmp/asep.txt
        payloads:
        - users.txt
        cleanup: rm users.txt
        parsers:
          data.parsers.asrep:
          - source: remote.asrep.hash

Even though it uses the same tool.

uruwhy commented 3 years ago

May be a stupid question, but is there a nice way to check exactly what version of CALDERA I'm running? I am pretty sure it's 3.0.0 though

Not a silly question at all. You can get the git commit hash by running the git rev-parse HEAD command from within your main CALDERA installation directory. This will allow us to determine exactly which version of CALDERA you're using, in case we need that information for more in-depth debugging.

uruwhy commented 3 years ago

On the exact machine I've deployed the agent on with the same privilege:

┌──(root💀kali)-[/home/kali/Exploits]
└─# crackmapexec ldap 192.168.10.18 -u Administrator -p top_100_passwords.txt
LDAP        192.168.10.18   389    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:******) (signing:True) (SMBv1:False)
LDAP        192.168.10.18   389    DC01             [-] *******\Administrator:12345
LDAP        192.168.10.18   389    DC01             [-] *******\Administrator:123456

Note: This ability did work a few days ago, I've made no changes to CALDERA nor the ability nor the kali machine nor the agent nor the target machine.

Just a few sanity checks:

  1. Have you changed the CALDERA version or updated any CALDERA files since the last time the ability worked successfully?
  2. Were you running this ability with the sandcat agent?
  3. Is the top_100_passwords.txt file included in the payloads directory within CALDERA? Or is it expected to be in the agent's working directory?

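
One way to catch a mismatch between an ability's command, its payloads and its cleanup line (the ability posted above lists users.txt as a payload that the command never uses and the cleanup never removes) is a small consistency check over the parsed ability. This is an added example, not CALDERA's own code; the dict is constructed from the YAML in this issue, and the rule for recognising file names in a command is an assumption of the example.

```python
import re

# Constructed dict mirroring the ability YAML posted in the issue; in practice
# it would come from yaml.safe_load() on the ability file (PyYAML not used here).
ABILITY = {
    "id": "5927c6bc-71dc-4c32-b681-6dfe3f487512",
    "tactic": "discovery",
    "technique": {"attack_id": "T1018", "name": "Remote System Discovery"},
    "platforms": {"linux": {"sh": {
        "command": "crackmapexec ldap 192.168.10.18 -u Administrator -p top_100_passwords.txt",
        "payloads": ["top_100_passwords.txt", "users.txt"],
        "cleanup": "rm top_100_passwords.txt",
    }}},
}

# Heuristic (an assumption of this example): a bare token with a letter-initial
# extension and no path separator is a file the agent expects in its working dir.
FILE_RE = re.compile(r"[\w.-]+\.[a-z][a-z0-9]{0,3}")


def referenced_files(command: str) -> set[str]:
    """Return payload-like file names that the executor command refers to."""
    files = set()
    for tok in command.replace(";", " ").split():
        tok = tok.strip("'\"")
        if "/" not in tok and FILE_RE.fullmatch(tok):
            files.add(tok)
    return files


def check_ability(ability: dict) -> list[str]:
    """Return findings about payload/cleanup consistency; an empty list means OK."""
    findings = []
    for os_name, executors in ability.get("platforms", {}).items():
        for executor, spec in executors.items():
            where = f"{os_name}/{executor}"
            command = spec.get("command") or ""
            payloads = spec.get("payloads") or []
            cleanup = spec.get("cleanup") or ""
            referenced = referenced_files(command)
            for p in payloads:
                if p not in referenced:
                    findings.append(f"{where}: payload {p} is never used by the command")
                if p not in cleanup:
                    findings.append(f"{where}: payload {p} is not removed by cleanup")
            for f in sorted(referenced - set(payloads)):
                findings.append(f"{where}: command uses {f} but it is not listed as a payload")
    return findings
```

Running check_ability(ABILITY) reports the two users.txt findings; the same check on the AS-REP ability from this thread reports nothing, since users.txt is both used and cleaned up there.
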
github-actions[bot] commented 3 years ago

This issue is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 5 days