This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

Connection reset when attempting WMI execution #336

Closed
chr0n1k opened this issue Feb 17, 2020 · 4 comments

@chr0n1k

chr0n1k commented Feb 17, 2020

Steps to reproduce

  1. ...install bleeding edge of CME
  2. ...attack target

Command string used

cme --verbose smb 192.168.1.252 -u administrator -p XXXXXX -x whoami

CME verbose output (using the --verbose flag)

DEBUG StringBinding: \\WINTERFELL[\PIPE\atsvc]
DEBUG StringBinding: \\WINTERFELL[\pipe\SessEnvPublicRpc]
DEBUG StringBinding: WINTERFELL[49667]
DEBUG StringBinding: 192.168.1.252[49667]
DEBUG StringBinding chosen: ncacn_ip_tcp:192.168.1.252[49667]
DEBUG Error executing command via wmiexec, traceback:
DEBUG Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb.py", line 394, in execute
exec_method = WMIEXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.conn, self.hash, self.args.share)
File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/protocols/smb/wmiexec.py", line 42, in init
iWbemServices= iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/dcom/wmi.py", line 3155, in NTLMLogin
resp = self.request(request, iid = self._iid, uuid = self.get_iPid())
File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/dcomrt.py", line 1307, in request
self.connect(iid)
File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/dcomrt.py", line 1284, in connect
dce.connect()
File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/rpcrt.py", line 801, in connect
return self._transport.connect()
File "/usr/local/lib/python2.7/dist-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/dcerpc/v5/transport.py", line 302, in connect
raise DCERPCException("Could not connect: %s" % msg)
DCERPCException: Could not connect: [Errno 110] Connection timed out

CME Version (cme --version)

4.0.1dev - Bug Pr0n

OS

kali-rolling 2020.1

Target OS

Windows 10 18362 x64

Detailed issue explanation

When the firewall on the target is on and a cmd is executed on it, it cannot execute the command using wmiexec. But if the firewall is off, then the command runs successfully.
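An added triage helper (not part of CME, impacket or the reporter's setup) that reads the verbose lines above: it picks out the endpoint impacket chose and the connect error, and flags that a timeout on a dynamic RPC port after the initial DCOM activation succeeded is what a host firewall that admits the well-known ports but not the dynamic RPC range looks like. The sample log is constructed from the output in this report; the function names and the range constant are my own assumptions.

```python
import re

# Constructed sample: the relevant lines from the --verbose output in this report.
SAMPLE_LOG = """\
DEBUG StringBinding: \\\\WINTERFELL[\\PIPE\\atsvc]
DEBUG StringBinding: \\\\WINTERFELL[\\pipe\\SessEnvPublicRpc]
DEBUG StringBinding: WINTERFELL[49667]
DEBUG StringBinding: 192.168.1.252[49667]
DEBUG StringBinding chosen: ncacn_ip_tcp:192.168.1.252[49667]
DEBUG Error executing command via wmiexec, traceback:
DCERPCException: Could not connect: [Errno 110] Connection timed out
"""

CHOSEN_RE = re.compile(
    r"StringBinding chosen: (?P<proto>\w+):(?P<host>[^\[]+)\[(?P<port>\d+)\]")
ERROR_RE = re.compile(r"DCERPCException: Could not connect: (?P<msg>.*)")

# Default dynamic RPC port range on Windows Vista and later (assumed here).
DYNAMIC_RPC_RANGE = (49152, 65535)


def parse_dcom_failure(log: str) -> dict:
    """Extract the endpoint impacket selected and the connect error, if any."""
    result = {"proto": None, "host": None, "port": None, "error": None}
    for line in log.splitlines():
        m = CHOSEN_RE.search(line)
        if m:
            result.update(proto=m["proto"], host=m["host"], port=int(m["port"]))
        m = ERROR_RE.search(line)
        if m:
            result["error"] = m["msg"].strip()
    return result


def classify(parsed: dict) -> str:
    """Explain the failure: endpoint resolution worked, the dynamic port did not."""
    port, err = parsed["port"], parsed["error"]
    if port is None:
        return "no endpoint chosen: the initial DCOM activation (TCP 135) itself failed"
    if err is None:
        return f"endpoint {parsed['host']}:{port} reached; no connect error logged"
    lo, hi = DYNAMIC_RPC_RANGE
    if lo <= port <= hi and "timed out" in err:
        return (f"activation on TCP 135 succeeded but dynamic RPC port {port} timed out: "
                "consistent with a host firewall that does not allow the dynamic RPC range")
    return f"connect to {parsed['host']}:{port} failed: {err}"


if __name__ == "__main__":
    print(classify(parse_dcom_failure(SAMPLE_LOG)))
```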

@mpgn
Contributor

mpgn commented Feb 17, 2020

Hello,

I'm not sure how this is related to a firewall issue since you pass the first connection.
The version of impacket you are using is very old (March 2019), please update cme to the latest version so you can use the latest version of impacket (python3) and maybe we will find the problem.

@chr0n1k
Author

chr0n1k commented Mar 5, 2020

Hi @mpgn I have done a git pull and rebuilt cme. Still shows as version 4.0.1dev - Bug Pr0n. I have the latest impacket installed in a separate location from the one that comes with cme. I believe with the git pull the one within the cme directory should also get updated. Is there a way to verify that or know which is the latest cme build?

@mpgn
Contributor

mpgn commented Apr 20, 2020

Can you check again with version 5? It's working fine on my side.

@byt3bl33d3r byt3bl33d3r changed the title Windows Firewall blocks command execution via wmiexec Connection reset when attempting WMI execution Apr 20, 2020
@mpgn
Contributor

mpgn commented Apr 28, 2020

Closing since no update, I will re-open with more info.

@mpgn mpgn closed this as completed Apr 28, 2020