No output when using usernames and passwords for any protocol - Kali 2021-2022 version <=5.4-5.1.0
javalogicuser opened this issue · 4 comments
Steps to reproduce
┌──(venv)(root㉿kali)-[/opt]
└─# cme winrm -u /home/kali/usernames.txt -p /home/kali/passwords.txt -d domain.local
-- No output given, cannot do any password spraying across domain/network
-- crackmapexec or cme doesn't give any output, just moves to the next line
┌──(venv)(root㉿kali)-[/opt]
└─# cme --verbose winrm -u /home/kali/HTB/ZEPHYR/usernames.txt -p /home/kali/HTB/ZEPHYR/passwords.txt -d zsm.local /home/kali/HTB/ZEPHYR/192.168.210-hosts.txt
DEBUG Passed args:
{'aesKey': None,
'connectback_host': None,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'domain': 'zsm.local',
'execute': None,
'export': None,
'fail_limit': None,
'gfail_limit': None,
'hash': [],
'jitter': None,
'kdcHost': None,
'kerberos': False,
'list_modules': False,
'local_auth': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'],
'port': 0,
'protocol': 'winrm',
'ps_execute': None,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'show_module_options': False,
'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'],
'verbose': True}
DEBUG Using selector: EpollSelector
DEBUG Running
DEBUG Started thread poller
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG Stopped thread poller
CME Version (cme --version)
5.4, 5.3, 5.23, 5.1.0
OS
└─# uname -a && cat /etc/issue
Linux kali 6.0.0-kali6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1kali1 (2022-12-19) x86_64 GNU/Linux
Kali GNU/Linux Rolling \n \l
Target OS
Windows
-- No output given, cannot do any password spraying across domain/network
-- crackmapexec or cme doesn't give any output, just moves to the next line
-- using RDP, SMB, WINRM, SSH
The target must be specified behind the protocol. Can you retest that with smb (and the others)?
For your winrm call I am not sure what breaks the connection, as it actually accepts the specified targets.
I've tried both ways, with multiple protocols, with the outcome being the same, no output. I'm trying to get it to read the targets in from a txt file, is that not correct? All the examples I've seen do it this way. Here's the output when I specify the hosts at the beginning:
┌──(root㉿kali)-[/opt]
└─# ./cme --verbose -t 200 winrm /home/kali/HTB/ZEPHYR/192.168.210-hosts.txt -u /home/kali/HTB/ZEPHYR/usernames.txt -p /home/kali/HTB/ZEPHYR/passwords.txt
DEBUG:root:Passed args:
{'aesKey': None,
'connectback_host': None,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'domain': None,
'execute': None,
'export': None,
'fail_limit': None,
'gfail_limit': None,
'hash': [],
'ignore_ssl_cert': False,
'jitter': None,
'kdcHost': None,
'kerberos': False,
'laps': None,
'list_modules': False,
'local_auth': False,
'lsa': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'],
'port': 0,
'protocol': 'winrm',
'ps_execute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'show_module_options': False,
'ssl': False,
'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'],
'threads': 200,
'timeout': None,
'ufail_limit': None,
'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'],
'verbose': True}
DEBUG Passed args:
{'aesKey': None,
'connectback_host': None,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'domain': None,
'execute': None,
'export': None,
'fail_limit': None,
'gfail_limit': None,
'hash': [],
'ignore_ssl_cert': False,
'jitter': None,
'kdcHost': None,
'kerberos': False,
'laps': None,
'list_modules': False,
'local_auth': False,
'lsa': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'password': ['/home/kali/HTB/ZEPHYR/passwords.txt'],
'port': 0,
'protocol': 'winrm',
'ps_execute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'show_module_options': False,
'ssl': False,
'target': ['/home/kali/HTB/ZEPHYR/192.168.210-hosts.txt'],
'threads': 200,
'timeout': None,
'ufail_limit': None,
'username': ['/home/kali/HTB/ZEPHYR/usernames.txt'],
'verbose': True}
DEBUG:asyncio:Using selector: EpollSelector
DEBUG Using selector: EpollSelector
DEBUG:root:Running
DEBUG Running
DEBUG:root:Started thread poller
DEBUG Started thread poller
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.11:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.12:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.13:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.15:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.14:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.16:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.100:5986
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG Starting new HTTP connection (1): 192.168.210.10:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG Starting new HTTP connection (1): 192.168.210.15:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG Starting new HTTP connection (1): 192.168.210.16:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG Starting new HTTP connection (1): 192.168.210.14:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG Starting new HTTP connection (1): 192.168.210.12:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG Starting new HTTP connection (1): 192.168.210.13:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG Starting new HTTP connection (1): 192.168.210.11:5985
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG Starting new HTTP connection (1): 192.168.210.100:5985
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller
Not sure what to check...SMB is the same way...thanks for looking into this.
The target must be specified behind the protocol. Can you retest that with smb (and the others)? For your winrm call I am not sure what breaks the connection, as it actually accepts the specified targets.
The command should be working as specified. In the debug args the target/username/password files are also present.
As cme even shuts down properly ("Stopped thread poller"), it really looks like your hosts are not reachable. Can you check if the protocol specified is enabled on the targets? Also, can you give me a verbose run with SMB? I am more familiar with the SMB implementation.
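The reasoning in the comment above (connections were started, the poller stopped cleanly, and nothing was reported in between) can be checked mechanically against a saved verbose run. This is an added example, not CrackMapExec code: the function names and the sample log are constructed for illustration, with line shapes copied from the debug output quoted in this issue.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the verbose output quoted in this issue.
SAMPLE_LOG = """\
DEBUG:root:Passed args:
{'protocol': 'winrm',
DEBUG:root:Started thread poller
DEBUG Started thread poller
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTPS connection (1): 192.168.210.1:5986
DEBUG Starting new HTTP connection (1): 192.168.210.1:5985
DEBUG Starting new HTTPS connection (1): 192.168.210.10:5986
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller
"""

# Both handler formats ("DEBUG:<logger>:msg" and "DEBUG msg") reduce to the bare message.
PREFIX = re.compile(r"^DEBUG(?::[\w.]+:|\s+)")
CONNECT = re.compile(r"^Starting new (HTTPS?) connection \(\d+\): ([\d.]+):(\d+)$")

def summarize(log_text):
    """Return (attempts, results, clean_stop) for one verbose run."""
    attempts = defaultdict(set)  # host -> {(scheme, port)}; sets absorb the doubled lines
    results = []                 # non-DEBUG lines after the poller starts
    started = clean_stop = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        msg = PREFIX.sub("", line, count=1) if line.startswith("DEBUG") else None
        if msg == "Started thread poller":
            started = True
        elif msg == "Stopped thread poller":
            clean_stop = True
        elif not started:
            continue             # argument dump printed before any work begins
        elif msg is None:
            results.append(line)
        elif (m := CONNECT.match(msg)):
            attempts[m.group(2)].add((m.group(1), int(m.group(3))))
    return dict(attempts), results, clean_stop

def diagnose(log_text):
    """Label a run as silent when endpoints were tried but nothing was reported."""
    attempts, results, clean_stop = summarize(log_text)
    if attempts and clean_stop and not results:
        return f"silent run: {len(attempts)} hosts tried, no result lines, clean shutdown"
    return "run reported results or did not shut down cleanly"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A "silent run" verdict matches the symptom in this report and does not by itself distinguish unreachable hosts from a tool-side fault.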
Hello,
Thanks for the issue, it is now fixed in the latest public release of CrackMapExec https://github.com/mpgn/CrackMapExec v6.0.0
Regards,
mpgn