PurpleSharp
Network path not found
Hi @mvelazc0 ,
I don't know why, but each time I try to execute a remote technique playbook, I have this problem:
All my machines are in the same network (AD Server, Windows Target and operator endpoint with PurpleSharp). I checked the network settings and tried without Windows Defender, but every time it doesn't work. Have you ever encountered this problem or know where it could come from?
Here is my playbook configuration:
Hey @JonathanAppriou !
To troubleshoot this issue, let's try to execute one single technique on a remote host using the command line. The command line provides more debug logs that can help us determine the issue.
PurpleSharp.exe /rhost 192.168.38.3 /ruser admin /d mokoil.com /t T1059.001
Should look something like this:
Also, please confirm that
- The 'mokoil.com\admin' domain user has administrative privileges on 192.168.38.3
- There is network connectivity between the host where you are running PurpleSharp and the remote host.
- There is no anti-malware solution deleting the PurpleSharp binary when it's being copied to 192.168.38.3
I found a solution : disable the Windows Firewall.
Is it expected that PurpleSharp does not work with Windows Firewall?
I have another mistake now:
It seems that RPC is not present on the target, but :
@JonathanAppriou . Yes, disabling the Windows Firewall is necessary.
PurpleSharp connects to the remote endpoint on native services like SMB and RPC. If connections are being blocked by a firewall, PurpleSharp will not be able to connect to the endpoint.
The RPC error you are seeing looks like a network error. I have seen it before.
Are you using the right IP address? In your first screenshot it was 192.168.38.3 but in the last one you are using 192.168.38.2
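An added example, not part of the thread and not PurpleSharp's own code: a PowerShell pre-flight check, run from the operator host, for the connectivity and privilege conditions listed above. The ports (TCP 445 for SMB, TCP 135 for the RPC endpoint mapper) and the ADMIN$ test are assumptions about what to probe, since the thread names only the services; the script assumes it runs in a session logged on as the account that will be used for the simulation.

```powershell
# Added example: pre-flight checks before a remote PurpleSharp simulation.
# The default target is the address used in the thread; change it for your lab.
param(
    [string]$Target = '192.168.38.3'
)

# Well-known ports for the services the thread mentions (assumption: these are
# the ones worth probing). RPC also uses dynamic high ports, not tested here.
$ports = [ordered]@{
    'SMB'                 = 445
    'RPC endpoint mapper' = 135
}

$results = @()
foreach ($name in $ports.Keys) {
    $probe = Test-NetConnection -ComputerName $Target -Port $ports[$name] `
                                -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "$name (TCP $($ports[$name]))"
        Passed = $probe.TcpTestSucceeded
    }
}

# ADMIN$ is readable only by accounts with administrative rights on the target,
# so reaching it confirms both SMB access and privileges for the current session.
$adminShare = "\\$Target\ADMIN$"
$results += [pscustomobject]@{
    Check  = "Admin share $adminShare"
    Passed = [bool](Test-Path -Path $adminShare -ErrorAction SilentlyContinue)
}

$results | Format-Table -AutoSize

# Firewall profile state on the operator host, for comparison with the target.
Get-NetFirewallProfile | Format-Table Name, Enabled -AutoSize

if ($results.Passed -contains $false) {
    Write-Warning "One or more checks failed for $Target; confirm the IP address first."
}
```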
@mvelazc0
Okay, thanks a lot! I had forgotten to disable the firewall on the attacking machine. So it works now.
I didn't think PurpleSharp needed to have firewall restrictions turned off. But now I understand.
Thank you for your time!
I have another question:
When I want to use a technique, how can I know what objects are needed in the playbook (or arguments using the command line)?
For example, I want to use the Brute Force technique in my playbook. Where can I find the arguments/objects needed?
@JonathanAppriou, I'm glad it's working now!
That is a great question. I definitely need to do a better job at documentation. Ideally, all the parameters would live here:
https://www.purplesharp.com/en/latest/techniques/techniques.html#brute-force-password-spraying
Right now, it does not have it.
For now, you can look at some playbook examples I have here:
https://github.com/mvelazc0/PurpleAD
Happy to jump on a call to talk about the specific parameters for your simulations also !