byt3bl33d3r/CrackMapExec

No output when using usernames and passwords for any protocol - Kali 2021-2022 version <=5.4-5.1.0

javalogicuser opened this issue · 4 comments

Steps to reproduce

┌──(venv)(root㉿kali)-[/opt]
└─# cme winrm -u /home/kali/usernames.txt -p /home/kali/passwords.txt -d domain.local

-- No output given, cannot do any password spraying across domain/network
-- crackmapexec or cme doesn't give any output, just moves to the next line

┌──(venv)(root㉿kali)-[/opt]
└─# cme --verbose winrm -u /home/kali/HTB/ZEPHYR/usernames.txt -p /home/kali/HTB/ZEPHYR/passwords.txt -d zsm.local /home/kali/HTB/ZEPHYR/192.168.210-hosts.txt
DEBUG Passed args:
{'aesKey': None,
'connectback_host': None,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'domain': 'zsm.local',
'execute': None,
'export': None,
'fail_limit': None,
'gfail_limit': None,
'hash': [],
'jitter': None,
'kdcHost': None,
'kerberos': False,
'list_modules': False,
'local_auth': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'],
'port': 0,
'protocol': 'winrm',
'ps_execute': None,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'show_module_options': False,
'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'],
'verbose': True}
DEBUG Using selector: EpollSelector
DEBUG Running
DEBUG Started thread poller
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG Stopped thread poller

CME Version (cme --version)

5.4, 5.3, 5.23, 5.1.0

OS

└─# uname -a && cat /etc/issue
Linux kali 6.0.0-kali6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1kali1 (2022-12-19) x86_64 GNU/Linux
Kali GNU/Linux Rolling \n \l

Target OS

Windows

-- No output given, cannot do any password spraying across domain/network
-- crackmapexec or cme doesn't give any output, just moves to the next line
-- using RDP, SMB, WINRM, SSH

The target must be specified behind the protocol. Can you retest that with smb(/and the other)?
For your winrm call I am not sure what breaks the connection, as it actually accepts the specified targets.

I've tried both ways, with multiple protocols, with the outcome being the same, no output. I'm trying to get it to read the targets in from a txt file, is that not correct? All the examples I've seen do it this way. Here's the output when I specify the hosts at the beginning:

┌──(root㉿kali)-[/opt]
└─# ./cme --verbose -t 200 winrm /home/kali/HTB/ZEPHYR/192.168.210-hosts.txt -u /home/kali/HTB/ZEPHYR/usernames.txt -p /home/kali/HTB/ZEPHYR/passwords.txt
DEBUG:root:Passed args:
{'aesKey': None,
'connectback_host': None,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'domain': None,
'execute': None,
'export': None,
'fail_limit': None,
'gfail_limit': None,
'hash': [],
'ignore_ssl_cert': False,
'jitter': None,
'kdcHost': None,
'kerberos': False,
'laps': None,
'list_modules': False,
'local_auth': False,
'lsa': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'],
'port': 0,
'protocol': 'winrm',
'ps_execute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'show_module_options': False,
'ssl': False,
'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'],
'threads': 200,
'timeout': None,
'ufail_limit': None,
'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'],
'verbose': True}
DEBUG Passed args:
{'aesKey': None,
'connectback_host': None,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'domain': None,
'execute': None,
'export': None,
'fail_limit': None,
'gfail_limit': None,
'hash': [],
'ignore_ssl_cert': False,
'jitter': None,
'kdcHost': None,
'kerberos': False,
'laps': None,
'list_modules': False,
'local_auth': False,
'lsa': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'],
'port': 0,
'protocol': 'winrm',
'ps_execute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'show_module_options': False,
'ssl': False,
'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'],
'threads': 200,
'timeout': None,
'ufail_limit': None,
'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'],
'verbose': True}
DEBUG:asyncio:Using selector: EpollSelector
DEBUG Using selector: EpollSelector
DEBUG:root:Running
DEBUG Running
DEBUG:root:Started thread poller
DEBUG Started thread poller
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller

Not sure what to check...SMB is the same way...thanks for looking into this.

The target must be specified behind the protocol. Can you retest that with smb(/and the other)? For your winrm call I am not sure what breaks the connection, as it actually accepts the specified targets.

The command should be working as specified. In the debug args the target/username/password files are also present.

As cme even shuts down properly ("Stopped thread poller"), it really looks like your hosts are not reachable. Can you check whether the specified protocol is enabled on the targets? Also, can you give me a verbose run with SMB? I am more familiar with the SMB implementation.
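
A triage helper for verbose output like the runs pasted in this thread, added here as an example (it is not part of the issue or of CrackMapExec's code): it collapses the doubled log-handler lines, lists the ports attempted per host, flags hosts from the target file that were never tried, and reports whether anything other than DEBUG lines appeared between "Started thread poller" and "Stopped thread poller". The name `triage`, the constructed sample log, and the rule that non-DEBUG lines during polling count as tool output are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the two line formats that appear in the thread
# (plain "DEBUG ..." and "DEBUG:<logger>:..." from a second log handler).
SAMPLE = """\
DEBUG:root:Started thread poller
DEBUG Started thread poller
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller
"""

CONN = re.compile(r"^DEBUG(?::[\w.]+:|\s+)Starting new (HTTPS?) connection "
                  r"\(\d+\): (\S+):(\d+)$")

def triage(log_text, expected_hosts):
    """Summarise a verbose run: ports tried per host, hosts never tried,
    and whether anything other than DEBUG lines appeared while polling."""
    tried = defaultdict(set)      # host -> {port}; a set collapses doubled lines
    polling, clean_stop, results = False, False, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Started thread poller"):
            polling = True
        elif line.endswith("Stopped thread poller"):
            polling, clean_stop = False, True
        elif (m := CONN.match(line)):
            tried[m.group(2)].add(int(m.group(3)))
        elif polling and not line.startswith("DEBUG"):
            results.append(line)  # assumption: non-DEBUG lines here are tool output
    return {
        "tried": {h: sorted(p) for h, p in tried.items()},
        "never_tried": sorted(set(expected_hosts) - set(tried)),
        "result_lines": results,
        "clean_stop": clean_stop,
    }

if __name__ == "__main__":
    hosts = ["192.168.210.1", "192.168.210.11", "192.168.210.12"]
    for key, value in triage(SAMPLE, hosts).items():
        print(f"{key}: {value}")
```

An empty `result_lines` together with `clean_stop` set to true is the pattern in both pasted runs: connections were started for every host and the tool exited normally without printing a result.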

mpgn commented

Hello,

Thanks for the issue, it is now fixed in the latest public release of CrackMapExec https://github.com/mpgn/CrackMapExec v6.0.0

Regards,

mpgn