Nmap Development mailing list archives

Re: smb-psexec against Windows 7 Enterprise (32bit)


From: Mark Baseggio <mark () baseggio ca>
Date: Fri, 23 Aug 2013 13:24:53 -0400

Looks like disabling UAC has no effect, still get the following error:

Host script results:
| smb-psexec:
|_  ERROR: Couldn't start the service on the remote machine: NT_STATUS_WERR_ACCESS_DENIED (svcctl.startservicew)

I went to Control Panel\All Control Panel Items\User Accounts and changed
UAC to never notify as per this video:
http://windows.microsoft.com/en-ca/windows7/turn-user-account-control-on-or-off

Something else must be going on here, psexec.py output on the same host for
proof that I'm not insane :)

$ psexec.py testuser:password@192.168.2.28 cmd.exe
Impacket v0.9.10 - Copyright 2002-2013 Core Security Technologies

Trying protocol 445/SMB...

[*] Requesting shares on 192.168.2.28.....
[*] Found writable share ADMIN$
[*] Uploading file EWmjDazr.exe
[*] Opening SVCManager on 192.168.2.28.....
[*] Creating service zGVU on 192.168.2.28.....
[*] Starting service zGVU.....
[!] Press help for extra shell commands

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Any ideas?

Thanks
Mark



On Mon, Aug 19, 2013 at 6:59 PM, Ron <ron () skullsecurity net> wrote:

I'm not sure - I have never troubleshot it. If I had to guess, it's
because I'm trying to open a handle with more permissions than
necessary, so UAC blocks me and it doesn't block others.

Ron

On 2013-08-19 18:50, Mark Baseggio wrote:
Hi Ron,

I will give it a try. Just out of curiosity, is there a reason why a tool
like psexec.py would work without UAC disabled while smb-psexec does not?

Thanks very much
Mark


On Sat, Aug 17, 2013 at 9:54 AM, Ron <ron () skullsecurity net> wrote:

Enabling the ADMIN$ share shouldn't be necessary, it can use any share.

I found that UAC caused my smb-psexec script to fail, but not others. I
never did troubleshoot why. Can you try disabling UAC and seeing if it
helps?

If not, we'll have to dig deeper. :)

Ron

On 2013-08-17 08:42, Mark Baseggio wrote:
Thanks for the response. I had already enabled the ADMIN$ share by adding
the LocalAccountTokenFilterPolicy key.

I tested other utils, such as psexec.py from the Impacket Python library,
and it works great, so I have been working under the assumption that this
must be an issue with the smb-psexec script. Is there something that nmap's
smb-psexec needs to have enabled that other versions of psexec might not?

Thanks,
Mark


On Sat, Aug 17, 2013 at 12:22 AM, Ron <ron () skullsecurity net> wrote:

I'm reasonably sure this is an issue with UAC. Can you try disabling UAC
and seeing if that works?

Ron

On 2013-08-16 20:50, David Fifield wrote:
On Mon, Aug 12, 2013 at 06:19:32PM -0400, Mark Baseggio wrote:
I have been playing with smb-psexec and some VMs, trying to get just the
default configuration working, to no avail. I was hoping someone could
possibly shed some light on the situation. I have included the full debug
output of the command; I am beginning to think that something is broken
because of all the "Invalid NTLM challenge message: unexpected signature"
messages.

As you will see, smb-psexec finds a writable share, but then is unable to
launch the service. If you have any ideas or know what the issue is, I'd
appreciate your help.

Ron, I think we talked about the state of SMB scripts lately. Is
smb-psexec likely to work in this configuration?

David Fifield

--snip--
$ nmap -d -n -p445 --script smb-psexec --script-args=smbuser=testuser,smbpass=password 192.168.2.28

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-12 23:11 ric
Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI: smbuser=testuser,smbpass=password
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 23:11
Scanning 192.168.2.28 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x10BF48BA and arp[22:2] = 0xED97
Completed ARP Ping Scan at 23:11, 0.12s elapsed (1 total hosts)
Overall sending rates: 8.06 packets / s, 338.71 bytes / s.
Initiating SYN Stealth Scan at 23:11
Scanning 192.168.2.28 [1 port]
Packet capture filter (device eth0): dst host 192.168.2.12 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.2.28)))
Discovered open port 445/tcp on 192.168.2.28
Completed SYN Stealth Scan at 23:11, 0.00s elapsed (1 total ports)
Overall sending rates: 1000.00 packets / s, 44000.00 bytes / s.
NSE: Script scanning 192.168.2.28.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-psexec against 192.168.2.28.
Initiating NSE at 23:11
NSE: smb-psexec: Looking for the service file: nmap_service or nmap_service.exe
NSE: smb-psexec: Attempting to find file: nmap_service
NSE: smb-psexec: Attempting to find file: default
NSE: smb-psexec: Attempting to load config file: C:\Program Files (x86)\Nmap/nselib/data/psexec/default.lua
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'testuser' to account list
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Found 3 shares, will attempt to find more information
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Getting information for share: ADMIN$
NSE: SMB: Checking if share ADMIN$ can be read by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share ADMIN$ can be read by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share ADMIN$ can be written by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share ADMIN$ can be written by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Getting information for share: C$
NSE: SMB: Checking if share C$ can be read by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share C$ can be read by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share C$ can be written by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share C$ can be written by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Getting information for share: IPC$
NSE: SMB: Checking if share IPC$ can be read by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share IPC$ can be read by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share IPC$ can be written by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share IPC$ can be written by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: Found usable share ADMIN$ (C:\Windows) (all writable shares: ADMIN$, C$)
NSE: smb-psexec: Generated static service name: 1c59c462
NSE: smb-psexec: Generated static service name: 1c59c462
NSE: smb-psexec: Generated static service filename: 80422d23.out.tmp
NSE: smb-psexec: Generated static output filename: b3880403.out
NSE: smb-psexec: Verifying uploadable executables exist
NSE: smb-psexec: Timeout waiting for a response is 38 seconds
NSE: smb-psexec: Replacing variables in the modules' fields
NSE: smb-psexec: Entering cleanup() -- errors here can generally be ignored
NSE: Stopping service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: [cleanup] Couldn't stop service: NT_STATUS_SERVICE_DOES_NOT_EXIST (svcctl.openservicew)
NSE: Deleting service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: [cleanup] Couldn't delete service: NT_STATUS_SERVICE_DOES_NOT_EXIST (svcctl.openservicew)
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Couldn't delete ADMIN$\b3883143.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete ADMIN$\b3880403.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete ADMIN$\80422d23.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Couldn't delete C$\b3883143.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\b3880403.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\80422d23.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: smb-psexec: Leaving cleanup()
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: Uploading: C:\Program Files (x86)\Nmap/nselib/data/psexec/nmap_service.exe => \\ADMIN$\b3883143.txt
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: Service file successfully uploaded!
NSE: smb-psexec: Attempting to upload the modules
NSE: smb-psexec: Modules successfully uploaded!
NSE: Creating service: 1c59c462 (C:\Windows\b3883143.txt)
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: Starting service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: Opening the remote service manager
NSE: smb-psexec: Couldn't start the service: NT_STATUS_WERR_ACCESS_DENIED (svcctl.startservicew)
NSE: smb-psexec: Entering cleanup() -- errors here can generally be ignored
NSE: Stopping service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: [cleanup] Couldn't stop service: NT_STATUS_SERVICE_NOT_ACTIVE (svcctl.controlservice)
NSE: Deleting service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Couldn't delete ADMIN$\b3880403.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete ADMIN$\80422d23.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Couldn't delete C$\b3883143.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\b3880403.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\80422d23.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: smb-psexec: Leaving cleanup()
NSE: Finished smb-psexec against 192.168.2.28.
Completed NSE at 23:11, 0.49s elapsed
Nmap scan report for 192.168.2.28
Host is up, received arp-response (0.0010s latency).
Scanned at 2013-08-12 23:11:26 ric for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:0C:29:95:E2:95 (VMware)

Host script results:
| smb-psexec:
|_  ERROR: Couldn't start the service on the remote machine: NT_STATUS_WERR_ACCESS_DENIED (svcctl.startservicew)
Final times for host: srtt: 1000 rttvar: 3750  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from C:\Program Files (x86)\Nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
--snip--



_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/