SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

[archidote]

Hello, I got this error when I try to execute this command :

python3 noPac.py lgds.local/alex.henry:'123+aze' -dc-ip 192.168.130.100 -dc-host dc -shell --impersonate root2 -use-ldap

target system : Windows Server 2022 (Sept 2021)

Strange, because I have a smb share on this target lab.

Have you any idea to resolv this issue ?

Best regards,

[csandker]

This could indicate that AV stopped the command execution. Had the same issue today, worked after disabling Defender.
See also: fortra/impacket#777

[archidote]

Strange, because my AV was also disabled.

I will retry soon, and I send back my feedback.

[archidote]

Today, I have tried once again but I still get this error. Maybe it's not the AV who created the issue ? @csandker

[csandker]

Hey @archidote,

sorry for the late reply (not my repo, just trying to support here).
Can't really point out what killed it for you, without debugging your environment, but I might be able to provide some guidance on how to tackle this issue.

First of all this exploit uses impacket's smbexec to execute commands when the -shell argument is used. This is where your error occurred. My first guess would be it occurred somewhere along these lines:

noPac/utils/smbexec.py

Lines 143 to 152 in 152a315

	stringbinding = r'ncacn_np:%s[\pipe\svcctl]' % remoteName
	logging.debug('StringBinding %s'%stringbinding)
	rpctransport = transport.DCERPCTransportFactory(stringbinding)
	rpctransport.set_dport(self.__port)
	rpctransport.setRemoteHost(remoteHost)
	if hasattr(rpctransport, 'set_credentials'):
	# This method exists only for selected protocol sequences.
	rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,
	self.__nthash, self.__aesKey)
	rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)

With that being said there are two routes you can go from here:

• Stick to your exploit strategy and dig into the matter.
• Divide and conquer, meaning in this case: Use this exploit to get your desired service ticket, store it on disk and move on from there.

If you prefer to stick to strategy 1 (aka "dig into the matter"), here's what you could do.

• Review the linked code content (taken from impacket's smbexec) and rebuild this step by step
• Connect to the specified named pipe
• Authenticate using Username and Password (if you have those) for simplicity and leave any "exploit" code aside, connecting to this named pipe is not malicious and should always work
• Confirm your named pipe connection is not terminated by any software on the server
• Place in the remaining code to get your smbexec shell
• Swap to use a a Kerberos CIFS service ticket (you could use this very expoit - without the -shell param to get one for your target) and retry
• On this route you should either encounter that something on the server kills your named pipe connection while being non-malicious or everything works just fine. If the former, you'd have to dig on the server side, to figure what process kills this non-malicious connection. If everything worked fine until you put in smbexec command execution code I would look for anything AV related. If in doubt the only option you got is to dig deeper on the server side.

If you're happy to leave the "shell the target in a single line" path, I'd recommend you use this exploit to get a service ticket and start looking into how to use this with one of impacket's examples. Ì'd start with using smbexec.py "natively" from impacket with a CIFS ticket and if that also fails try and explore other options, such as secretsdump,py or wmiiexec.py. Important to note here that not all of these will work with CIFS tickets. But you can use this same exploit to get other tickets as well.

If really anything fails, I would:

• Review the service ticket you gained through this exploit by either using some python library to show the contents of your service ticket or use something like Rubeus /describe to view your ticket on a Windows box.
  I've build a python tool to do just that here: https://github.com/sse-secure-systems/AD-Trusts-Tooling#krbticketviewpy (feels wrong to promote your own stuff in this manner, but you hopefully can excuse that)

• Confirm your ticket was issued for the right target, with the right lifetime, the correct flags and the correct user

• If everything looks fine you could consider bringing the .ccache service ticket you currently have on disk onto a Windows computer and verify the ticket "works" with native Windows protocols.

• For that approach you can base64 encode your ticket and "inject" it using Rubeus with the /ticket: and /ptt flags.

• Once injected, you can confirm it's attached to your session using klist

• If that also shows your ticket is in place use something like dir \\TARGET\C$ to confirm you can access your target's C$ share (which requires admin privileges on the target)

If nothing else I hope this at least helps getting some steps forward.

[archidote]

Thank's for your answser, I will explore all the way that you have mentioned above.
I'll keep you posted
++

[archidote]

Hi, So I found the problem after deep investiguations.

I thinked that I turned off all the security assessments like firewall,defender etc. But in a sub sub menu, "Real time protection" was checked. As you can imagin, when I unchecked this asset, noPac.py run perfectly, and I got a shell.

Finally, My Windows Server 2022 datacenter .iso was released in october (I verified the build number : 20348.288), So CVE-2021-42278 was already patched...That's why I need to turned off all of security assessments

it's all my fault, computer science won again ^^

But If I use the scanner.py everything works as well I want. ^^

++
Archidote.

[CustosClarus]

I tried same Impacket v0.10.0

No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2022.2
Codename:       kali-rolling

in my case command
wmiexec.py server1.hacklab.local/administrator@192.168.0.104 works as expected however, smbexec command and end-system in windows 11 Dev eval version

smbexec.py server1/administrator:1qaz2wsxZZ@192.168.0.104
[-] SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

[CustosClarus]

I tried same Impacket v0.10.0

No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2022.2
Codename:       kali-rolling

in my case command wmiexec.py server1.hacklab.local/administrator@192.168.0.104 works as expected however, smbexec command and end-system in windows 11 Dev eval version

smbexec.py server1/administrator:1qaz2wsxZZ@192.168.0.104 [-] SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

I solved I had to turn of AV detection on windows 11 server.