This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

Add qwinsta and tasklist modules (tstool.py) #615

Open: wants to merge 3 commits into base: master

Conversation

snovvcrash
Contributor

Hey @mpgn!

With the recent Impacket update I've started to use qwinsta and tasklist commands frequently from the newly introduced tstool.py example by @nopernik. So I'd like to bring them to CrackMapExec as two separate SMB modules.

Now, instead of doing -x qwinsta or -x tasklist, we can do this 🔽

[Image: qwinsta-tasklist]

@mpgn mpgn added the module label Aug 21, 2022
@mpgn mpgn added the in review label Sep 8, 2022
@mpgn
Contributor

mpgn commented Sep 9, 2022

Hello @snovvcrash, I tried the tasklist module but got a nice stacktrace:

┌──(bonclay㉿kali)-[~/CrackMapExec]
└─$ poetry run crackmapexec smb 192.168.212.134 -u administrator -p October2022 -M qwinsta
SMB         192.168.212.134 445    DC01             [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:poudlard.wizard) (signing:True) (SMBv1:False)
SMB         192.168.212.134 445    DC01             [+] poudlard.wizard\administrator:October2022 (Pwn3d!)
QWINSTA     192.168.212.134 445    DC01             SESSIONNAME  USERNAME                ID  STATE         Desktop   ConnectTime          DisconnectTime       
QWINSTA     192.168.212.134 445    DC01             ============ ======================= === ============= ========= ==================== ==================== 
QWINSTA     192.168.212.134 445    DC01             Services                             0   Disconnected            None                 None                 
QWINSTA     192.168.212.134 445    DC01             Console      POUDLARD\Administrator  1   Active        Locked    2022/08/31 04:16:55  None                 
                                                                                                                                                                                                                                                                                  
┌──(bonclay㉿kali)-[~/CrackMapExec]
└─$ poetry run crackmapexec smb 192.168.212.134 -u administrator -p October2022 -M tasklist
SMB         192.168.212.134 445    DC01             [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:poudlard.wizard) (signing:True) (SMBv1:False)
SMB         192.168.212.134 445    DC01             [+] poudlard.wizard\administrator:October2022 (Pwn3d!)
Traceback (most recent call last):
  File "/home/bonclay/.cache/pypoetry/virtualenvs/crackmapexec-Ewx46vAT-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 522, in openFile
    return self._SMBConnection.create(treeId, pathName, desiredAccess, shareMode, creationOption,
  File "/home/bonclay/.cache/pypoetry/virtualenvs/crackmapexec-Ewx46vAT-py3.10/lib/python3.10/site-packages/impacket/smb3.py", line 1227, in create
    if ans.isValidAnswer(STATUS_SUCCESS):
  File "/home/bonclay/.cache/pypoetry/virtualenvs/crackmapexec-Ewx46vAT-py3.10/lib/python3.10/site-packages/impacket/smb3structs.py", line 458, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/bonclay/CrackMapExec/cme/crackmapexec.py", line 256, in main
    asyncio.run(
  File "/usr/lib/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.10/asyncio/base_events.py", line 646, in run_until_complete
    return future.result()
  File "/home/bonclay/CrackMapExec/cme/crackmapexec.py", line 104, in start_threadpool
    await asyncio.gather(*jobs)
  File "/home/bonclay/CrackMapExec/cme/crackmapexec.py", line 68, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.10/asyncio/tasks.py", line 408, in wait_for
    return await fut
  File "/usr/lib/python3.10/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/home/bonclay/CrackMapExec/cme/protocols/smb.py", line 138, in __init__
    connection.__init__(self, args, db, host)
  File "/home/bonclay/CrackMapExec/cme/connection.py", line 62, in __init__
    self.proto_flow()
  File "/home/bonclay/CrackMapExec/cme/connection.py", line 100, in proto_flow
    self.call_modules()
  File "/home/bonclay/CrackMapExec/cme/connection.py", line 129, in call_modules
    self.module.on_login(context, self)
  File "/home/bonclay/CrackMapExec/cme/modules/tasklist.py", line 79, in on_login
    with TSTS.LegacyAPI(connection.conn, connection.host) as lapi:
  File "/home/bonclay/.cache/pypoetry/virtualenvs/crackmapexec-Ewx46vAT-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/tsts.py", line 3767, in __init__
    super().__init__(smb, target_ip,
  File "/home/bonclay/.cache/pypoetry/virtualenvs/crackmapexec-Ewx46vAT-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/tsts.py", line 3674, in __init__
    self._bind()
  File "/home/bonclay/.cache/pypoetry/virtualenvs/crackmapexec-Ewx46vAT-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/tsts.py", line 3683, in _bind
    self._dce.connect()
  File "/home/bonclay/.cache/pypoetry/virtualenvs/crackmapexec-Ewx46vAT-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/rpcrt.py", line 803, in connect
    return self._transport.connect()
  File "/home/bonclay/.cache/pypoetry/virtualenvs/crackmapexec-Ewx46vAT-py3.10/lib/python3.10/site-packages/impacket/dcerpc/v5/transport.py", line 518, in connect
    self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
  File "/home/bonclay/.cache/pypoetry/virtualenvs/crackmapexec-Ewx46vAT-py3.10/lib/python3.10/site-packages/impacket/smbconnection.py", line 526, in openFile
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

@mpgn
Contributor

mpgn commented Sep 9, 2022

Well it's impacket related


@mpgn mpgn added the bug label Sep 9, 2022
@snovvcrash
Contributor Author

Hey @mpgn, thanks for taking a look!

Yep, I've also experienced this issue on some boxes - that's tstool.py related. Also there's a bug when attempting to run the modules against a bunch of targets (e.g., a /24 subnet) - it just hangs at some point. Dunno how it can be fixed actually, I assume async doesn't like them for some reason.

@mpgn mpgn removed the in review label Sep 18, 2022
@snovvcrash
Contributor Author

snovvcrash commented Jun 18, 2023

@mpgn as a remark: the issue is relevant for servers where RDP is off. If RDP is on, everything's fine during my tests.
