Current master: Indexing SMB shares triggers stacktrace on exit and on export to CSV
sandervandegeijn opened this issue · 11 comments
Describe the bug
Indexed 2500+ hosts successfully, then it gives the stack trace below. This happens after the last host in the list. Command executed:
crackmapexec smb hosts.up -u user -p pass --shares
hosts.up contains one ip per line.
Traceback (most recent call last):
File "/usr/local/bin/crackmapexec", line 8, in <module>
sys.exit(main())
^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/crackmapexec.py", line 257, in main
asyncio.run(
File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/crackmapexec.py", line 105, in start_threadpool
await asyncio.gather(*jobs)
File "/usr/local/lib/python3.11/site-packages/cme/crackmapexec.py", line 69, in run_protocol
await asyncio.wait_for(
File "/usr/local/lib/python3.11/asyncio/tasks.py", line 442, in wait_for
return await fut
^^^^^^^^^
File "/usr/local/lib/python3.11/concurrent/futures/thread.py", line 58, in run
result = self.fn(*self.args, **self.kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/protocols/smb.py", line 143, in __init__
connection.__init__(self, args, db, host)
File "/usr/local/lib/python3.11/site-packages/cme/connection.py", line 65, in __init__
self.proto_flow()
File "/usr/local/lib/python3.11/site-packages/cme/connection.py", line 101, in proto_flow
if self.login() or (self.username == '' and self.password == ''):
^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/connection.py", line 300, in login
elif self.plaintext_login(self.domain, user, password): return True
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/protocols/smb.py", line 450, in plaintext_login
self.conn.login(self.username, self.password, domain)
File "/usr/local/lib/python3.11/site-packages/impacket/smbconnection.py", line 276, in login
return self._SMBConnection.login(user, password, domain, lmhash, nthash, ntlmFallback)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/impacket/smb.py", line 3494, in login
self.login_extended(user, password, domain, lmhash, nthash, use_ntlmv2 = True)
File "/usr/local/lib/python3.11/site-packages/impacket/smb.py", line 3402, in login_extended
type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, respToken['ResponseToken'], user, password, domain, lmhash, nthash, use_ntlmv2 = use_ntlmv2)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/impacket/ntlm.py", line 634, in getNTLMSSPType3
ntResponse, lmResponse, sessionBaseKey = computeResponse(ntlmChallenge['flags'], ntlmChallenge['challenge'],
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/impacket/ntlm.py", line 42, in computeResponse
return computeResponseNTLMv2(flags, serverChallenge, clientChallenge, serverName, domain, user, password,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/impacket/ntlm.py", line 907, in computeResponseNTLMv2
av_pairs = AV_PAIRS(serverName)
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/impacket/ntlm.py", line 210, in __init__
self.fromString(data)
File "/usr/local/lib/python3.11/site-packages/impacket/ntlm.py", line 233, in fromString
fType = struct.unpack('<H',tInfo[:struct.calcsize('<H')])[0]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The shares seem to be in the database, so I tried to export it:
cmedb (default)(smb) > export shares detailed shares.csv
Traceback (most recent call last):
File "/usr/local/bin/cmedb", line 8, in <module>
sys.exit(main())
^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/cmedb.py", line 400, in main
cmedbnav = CMEDBMenu(config_path)
^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/cmedb.py", line 300, in __init__
self.do_proto(self.db)
File "/usr/local/lib/python3.11/site-packages/cme/cmedb.py", line 326, in do_proto
proto_menu.cmdloop()
File "/usr/local/lib/python3.11/cmd.py", line 138, in cmdloop
stop = self.onecmd(line)
^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/cmd.py", line 217, in onecmd
return func(arg)
^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/cmedb.py", line 137, in do_export
entry.append(self.db.get_computers(share[1])[0][2])
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range
To Reproduce
Steps to reproduce the behavior:
see above
Expected behavior
Don't trigger the error
Screenshots
If applicable, add screenshots to help explain your problem.
Crackmapexec info
Master [d2ea13f]
Built a docker container from the Docker file on RHEL7.
Additional context
Don't know if this is the same error:
SMB 10.1.1.1 445 SERVER [-] Connection Error: The NETBIOS connection with the remote host timed out.
Traceback (most recent call last):
File "/usr/local/bin/cme", line 8, in <module>
sys.exit(main())
^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/crackmapexec.py", line 257, in main
asyncio.run(
File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/crackmapexec.py", line 105, in start_threadpool
await asyncio.gather(*jobs)
File "/usr/local/lib/python3.11/site-packages/cme/crackmapexec.py", line 69, in run_protocol
await asyncio.wait_for(
File "/usr/local/lib/python3.11/asyncio/tasks.py", line 442, in wait_for
return await fut
^^^^^^^^^
File "/usr/local/lib/python3.11/concurrent/futures/thread.py", line 58, in run
result = self.fn(*self.args, **self.kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/protocols/smb.py", line 143, in __init__
connection.__init__(self, args, db, host)
File "/usr/local/lib/python3.11/site-packages/cme/connection.py", line 65, in __init__
self.proto_flow()
File "/usr/local/lib/python3.11/site-packages/cme/connection.py", line 101, in proto_flow
if self.login() or (self.username == '' and self.password == ''):
^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/connection.py", line 300, in login
elif self.plaintext_login(self.domain, user, password): return True
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/cme/protocols/smb.py", line 450, in plaintext_login
self.conn.login(self.username, self.password, domain)
File "/usr/local/lib/python3.11/site-packages/impacket/smbconnection.py", line 278, in login
return self._SMBConnection.login(user, password, domain, lmhash, nthash)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/impacket/smb3.py", line 952, in login
packetID = self.sendSMB(packet)
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/impacket/smb3.py", line 455, in sendSMB
self._NetBIOSSession.send_packet(data)
File "/usr/local/lib/python3.11/site-packages/impacket/nmb.py", line 912, in send_packet
self._sock.sendall(p.rawData())
BrokenPipeError: [Errno 32] Broken pipe
@ict-one-nl is there anyway you can share the data of the last share line? I can guess what the issue is, but without the actual data (or a representation of the data, filtered to protect sensitive information) it's hard to be exact.
Sorry for the slow response - been on holiday and forgot afterwards. What data would you need? I'll see if I can make it happen.
@ict-one-nl that's alright. Would it be possible for you to run cmedb
and check if the host it is trying to print a share for actually exists in the CME DB?
I'm having difficulty to pinpoint the data where it hurts, to diagnose I need to do this locally but that would alert the SOC. I'll try to have another go next week during business hours if I find the time. Did come across another stack trace.
ERROR:asyncio:Exception in callback BaseSelectorEventLoop._add_reader(0, <bound method...rt fd=0 idle>>)
handle: <Handle BaseSelectorEventLoop._add_reader(0, <bound method...rt fd=0 idle>>)>
Traceback (most recent call last):
File "/usr/local/lib/python3.11/asyncio/selector_events.py", line 265, in _add_reader
key = self._selector.get_key(fd)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/selectors.py", line 192, in get_key
raise KeyError("{!r} is not registered".format(fileobj)) from None
KeyError: '0 is not registered'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/asyncio/events.py", line 80, in _run
self._context.run(self._callback, *self._args)
File "/usr/local/lib/python3.11/asyncio/selector_events.py", line 267, in _add_reader
self._selector.register(fd, selectors.EVENT_READ,
File "/usr/local/lib/python3.11/selectors.py", line 359, in register
self._selector.register(key.fd, poller_events)
PermissionError: [Errno 1] Operation not permitted
Do you have access to the sponsored version? There will soon be a fix for the export.
The crash is likely caused when an error occures while adding a host to the database. Therefore the export of the shares crashes when trying to access the corresponding (missing) host.
The new error seems to be caused by an external package, not sure if we can do something about it. But the sponsored version has better error handling over all, maybe that helps.
Not yet... I'm considering it, need to get approval (working for a university). That's just a question of pressing the buy link on https://porchetta.industries/subscriptions?selected=year right? :)
We will push the private version soon on the public repo if you want to wait
Will the public and the private version merge? Not that we're not willing to pay, two separate things :)
yes, it will be merged together
Okay, will retest after the merge. :)