SMB: incorrect share permissions #182

Open
s4n-cz opened this issue Feb 17, 2024 · 25 comments
Labels: bug (Something isn't working)

@s4n-cz

s4n-cz commented Feb 17, 2024

Describe the bug
Working on Proving Grounds machine Craft2 from Offsec, I encountered a situation when NetExec reported share permissions as READ only, even though WRITE was allowed (and actually required for exploitation).

To Reproduce
List SMB shares:

┌──(kali㉿kali)-[~/craft2]
└─$ nxc smb 192.168.229.188 -u thecybergeek -p winniethepooh --shares                               
SMB         192.168.229.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB         192.168.229.188 445    CRAFT2           [+] CRAFT2\thecybergeek:winniethepooh 
SMB         192.168.229.188 445    CRAFT2           [*] Enumerated shares
SMB         192.168.229.188 445    CRAFT2           Share           Permissions     Remark
SMB         192.168.229.188 445    CRAFT2           -----           -----------     ------
SMB         192.168.229.188 445    CRAFT2           ADMIN$                          Remote Admin
SMB         192.168.229.188 445    CRAFT2           C$                              Default share
SMB         192.168.229.188 445    CRAFT2           IPC$            READ            Remote IPC
SMB         192.168.229.188 445    CRAFT2           WebApp          READ

Share WebApp has only permission READ listed. We can however upload a file in this share:

┌──(kali㉿kali)-[~/craft2]
└─$ echo test > test.txt    
                                                                                                                                                               
┌──(kali㉿kali)-[~/craft2]
└─$ nxc smb 192.168.229.188 -u thecybergeek -p winniethepooh --share WebApp --put-file test.txt '\\test.txt'
SMB         192.168.229.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB         192.168.229.188 445    CRAFT2           [+] CRAFT2\thecybergeek:winniethepooh 
SMB         192.168.229.188 445    CRAFT2           [*] Copying test.txt to \\test.txt
SMB         192.168.229.188 445    CRAFT2           [+] Created file test.txt on \\WebApp\\\test.txt
                                                                                                                                                               
┌──(kali㉿kali)-[~/craft2]
└─$ nxc smb 192.168.229.188 -u thecybergeek -p winniethepooh --share WebApp --get-file '\\test.txt' verify.txt
SMB         192.168.229.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB         192.168.229.188 445    CRAFT2           [+] CRAFT2\thecybergeek:winniethepooh 
SMB         192.168.229.188 445    CRAFT2           [*] Copying "\\test.txt" to "verify.txt"
SMB         192.168.229.188 445    CRAFT2           [+] File "\\test.txt" was downloaded to "verify.txt"
                                                                                                                                                               
┌──(kali㉿kali)-[~/craft2]
└─$ cat verify.txt 
test

Expected behavior
Correctly recognize share permissions.

NetExec info

  • OS: Kali
  • Version of nxc: 1.1.0
  • Installed from: github (pipx install git+https://github.com/Pennyw0rth/NetExec)

@Marshall-Hallenbeck
Collaborator

@tstdin I don't have an Offsec subscription, is this something you are able to assist us with fixing?

NeffIsBack added the bug label Feb 17, 2024

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

@Marshall-Hallenbeck Yes, I can try. Let me know what information would help.

@Marshall-Hallenbeck
Collaborator

@tstdin Are you able to create a folder inside the WebApp share, or just a file?

I also noticed that the output for fetching a file doesn't prepend the share name, so we should probably fix that as well.

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

Yes, creating folder works fine.

$ smbclient -U thecybergeek \\\\192.168.229.188\\WebApp
Password for [WORKGROUP\thecybergeek]:
smb: \> mkdir test
smb: \> cd test
smb: \test\> put test.txt 
putting file test.txt as \test\test.txt (0.1 kb/s) (average 0.1 kb/s)
smb: \test\> ls
  .                                   D        0  Sat Feb 17 16:00:25 2024
  ..                                  D        0  Sat Feb 17 16:00:25 2024
  test.txt                            A        5  Sat Feb 17 16:00:25 2024

@NeffIsBack
Contributor

That is indeed weird; netexec checks the read/write permissions by listing and creating/deleting a folder. Can you provide the output with nxc --debug?

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

$ nxc --debug smb 192.168.229.188 -u thecybergeek -p winniethepooh --shares
[19:04:34] DEBUG    PYTHON VERSION: 3.11.7 (main, Dec  8 2023, 14:22:46) [GCC 13.2.0]                                                             netexec.py:89
           DEBUG    RUNNING ON: Linux Release: 6.6.9-amd64                                                                                        netexec.py:90
           DEBUG    Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False,   netexec.py:91
                    protocol='smb', target=['192.168.229.188'], cred_id=[], username=['thecybergeek'], password=['winniethepooh'],                             
                    ignore_pw_decoding=False, kerberos=False, no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None,                      
                    aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[],                            
                    list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None,                                    
                    connectback_host=None, hash=[], delegate=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$',                    
                    smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, mkfile=None,              
                    pvk=None, enabled=False, userntds=None, shares=True, no_write_check=False, filter_shares=None, sessions=False, disks=False,                
                    loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None, pass_pol=False,              
                    rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='',                     
                    pattern=None, regex=None, depth=None, only_files=False, put_file=None, get_file=None, append_host=False, exec_method=None,                 
                    dcom_timeout=5, get_output_tries=5, codec='utf-8', force_ps32=False, no_output=False, execute=None, ps_execute=None,                       
                    obfs=False, amsi_bypass=None, clear_obfscripts=False)                                                                                      
           DEBUG    Protocol: smb                                                                                                                netexec.py:145
           DEBUG    Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py                  netexec.py:148
           DEBUG    Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py      netexec.py:150
           DEBUG    Protocol Object: <class 'protocol.smb'>                                                                                      netexec.py:153
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                              netexec.py:155
           DEBUG    DB Path: /home/kali/.nxc/workspaces/default/smb.db                                                                           netexec.py:158
           DEBUG    Using selector: EpollSelector                                                                                         selector_events.py:54
           DEBUG    Creating ThreadPoolExecutor                                                                                                   netexec.py:47
           DEBUG    Creating thread for <class 'protocol.smb'>                                                                                    netexec.py:50
           INFO     Socket info: host=192.168.229.188, hostname=192.168.229.188, kerberos=False, ipv6=False, link-local ipv6=False            connection.py:104
           DEBUG    Kicking off proto_flow                                                                                                    connection.py:164
           INFO     Error creating SMBv1 connection to 192.168.229.188: Error occurs while reading from remote(104)                                  smb.py:487
           DEBUG    Created connection object                                                                                                 connection.py:167
           DEBUG    Update Hosts: [{'id': 3, 'ip': '192.168.229.188', 'hostname': 'CRAFT2', 'domain': 'CRAFT2', 'os': 'Windows 10 / Server 2019 database.py:280
                    Build 17763', 'dc': None, 'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]                       
           DEBUG    add_host() - Host IDs Updated: [3]                                                                                          database.py:290
           DEBUG    Error logging off system: Error occurs while reading from remote(104)                                                            smb.py:246
SMB         192.168.229.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
           INFO     SMB         192.168.229.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2)                logger.py:121
                    (domain:CRAFT2) (signing:False) (SMBv1:False)                                                                                              
           DEBUG    Trying to authenticate using plaintext with domain                                                                        connection.py:407
           INFO     Error creating SMBv1 connection to 192.168.229.188: Error occurs while reading from remote(104)                                  smb.py:487
[19:04:35] DEBUG    Adding credential: CRAFT2/thecybergeek:winniethepooh                                                                             smb.py:365
           DEBUG    Adding credentials: [{'id': 2, 'domain': 'CRAFT2', 'username': 'thecybergeek', 'password': 'winniethepooh', 'credtype':     database.py:347
                    'plaintext', 'pillaged_from_hostid': None}]                                                                                                
           DEBUG    smb hosts() - results: [(3, '192.168.229.188', 'CRAFT2', 'CRAFT2', 'Windows 10 / Server 2019 Build 17763', None, False,     database.py:495
                    False, None, None, None)]                                                                                                                  
SMB         192.168.229.188 445    CRAFT2           [+] CRAFT2\thecybergeek:winniethepooh 
           INFO     SMB         192.168.229.188 445    CRAFT2           [+] CRAFT2\thecybergeek:winniethepooh                                     logger.py:121
           DEBUG    Calling command arguments                                                                                                 connection.py:174
           DEBUG    Calling shares()                                                                                                          connection.py:195
           DEBUG    domain: CRAFT2                                                                                                                   smb.py:703
[19:04:36] INFO     Shares returned: [<impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7fddeb67fcd0>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object  smb.py:711
                    at 0x7fddeb67fe50>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7fddeb67ffd0>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1                 
                    object at 0x7fddeb68c190>]                                                                                                                 
           DEBUG    Error checking READ access on share: STATUS_ACCESS_DENIED                                                                        smb.py:739
           DEBUG    Error checking WRITE access on share: STATUS_ACCESS_DENIED                                                                       smb.py:749
           DEBUG    Error checking READ access on share: STATUS_ACCESS_DENIED                                                                        smb.py:739
           DEBUG    Error checking WRITE access on share: STATUS_ACCESS_DENIED                                                                       smb.py:749
           DEBUG    Error checking WRITE access on share: STATUS_PRIVILEGE_NOT_HELD                                                                  smb.py:749
           DEBUG    Error checking WRITE access on share: STATUS_ACCESS_DENIED                                                                       smb.py:749
SMB         192.168.229.188 445    CRAFT2           [*] Enumerated shares
           INFO     SMB         192.168.229.188 445    CRAFT2           [*] Enumerated shares                                                     logger.py:121
SMB         192.168.229.188 445    CRAFT2           Share           Permissions     Remark
           INFO     SMB         192.168.229.188 445    CRAFT2           Share           Permissions     Remark                                    logger.py:121
SMB         192.168.229.188 445    CRAFT2           -----           -----------     ------
           INFO     SMB         192.168.229.188 445    CRAFT2           -----           -----------     ------                                    logger.py:121
SMB         192.168.229.188 445    CRAFT2           ADMIN$                          Remote Admin
           INFO     SMB         192.168.229.188 445    CRAFT2           ADMIN$                          Remote Admin                              logger.py:121
SMB         192.168.229.188 445    CRAFT2           C$                              Default share
           INFO     SMB         192.168.229.188 445    CRAFT2           C$                              Default share                             logger.py:121
SMB         192.168.229.188 445    CRAFT2           IPC$            READ            Remote IPC
           INFO     SMB         192.168.229.188 445    CRAFT2           IPC$            READ            Remote IPC                                logger.py:121
SMB         192.168.229.188 445    CRAFT2           WebApp          READ            
           INFO     SMB         192.168.229.188 445    CRAFT2           WebApp          READ                                                      logger.py:121

@NeffIsBack
Contributor

Could it be that you are using an account that is local admin and trying to create a directory/file in a place where you would need Admin privileges, so UAC is preventing the write access?

That would not explain why smbclient is able to do it tho.

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

Adding more context.

User:

PS C:\xampp\htdocs> whoami /all
whoami /all

USER INFORMATION
----------------

User Name           SID                                         
=================== ============================================
craft2\thecybergeek S-1-5-21-537427935-490066102-1511301751-1001


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Upload directory permissions:

PS C:\xampp\htdocs> icacls .
icacls .
. CRAFT2\apache:(OI)(CI)(F)
  CRAFT2\apache:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  BUILTIN\Users:(I)(CI)(AD)
  BUILTIN\Users:(I)(CI)(WD)
  CREATOR OWNER:(I)(OI)(CI)(IO)(F)

@mpgn
Collaborator

mpgn commented Feb 17, 2024

Can you run smbclient with the debug flag, @tstdin?

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

$ smbclient -d 5 -U thecybergeek \\\\192.168.229.188\\WebApp
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter client min protocol = LANMAN1
doing parameter workgroup = WORKGROUP
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
added interface eth0 ip=192.168.124.56 bcast=192.168.124.255 netmask=255.255.255.0
Password for [WORKGROUP\thecybergeek]:
Client started (version 4.19.4-Debian).
Connecting to 192.168.229.188 at port 445
Connecting to 192.168.229.188 at port 139
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=46080, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
 session request ok
 negotiated dialect[SMB3_11] against server[192.168.229.188]
cli_session_setup_spnego_send: Connect to 192.168.229.188 as thecybergeek@WORKGROUP using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Cannot do GSE to an IP address
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_SERVER
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
 session setup ok
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
 tconx ok
Try "help" to get a list of possible commands.
smb: \>

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

Additional details:

PS C:\> Get-SmbServerConfiguration

AnnounceComment                 : 
AnnounceServer                  : False
AsynchronousCredits             : 512
AuditSmb1Access                 : False
AutoDisconnectTimeout           : 15
AutoShareServer                 : True
AutoShareWorkstation            : True
CachedOpenLimit                 : 10
DurableHandleV2TimeoutInSeconds : 180
EnableAuthenticateUserSharing   : False
EnableDownlevelTimewarp         : False
EnableForcedLogoff              : True
EnableLeasing                   : True
EnableMultiChannel              : True
EnableOplocks                   : True
EnableSecuritySignature         : False
EnableSMB1Protocol              : False
EnableSMB2Protocol              : True
EnableStrictNameChecking        : True
EncryptData                     : False
IrpStackSize                    : 15
KeepAliveTime                   : 2
MaxChannelPerSession            : 32
MaxMpxCount                     : 50
MaxSessionPerConnection         : 16384
MaxThreadsPerQueue              : 20
MaxWorkItems                    : 1
NullSessionPipes                : 
NullSessionShares               : 
OplockBreakWait                 : 35
PendingClientTimeoutInSeconds   : 120
RejectUnencryptedAccess         : True
RequireSecuritySignature        : False
ServerHidden                    : True
Smb2CreditsMax                  : 8192
Smb2CreditsMin                  : 512
SmbServerNameHardeningLevel     : 0
TreatHostAsStableStorage        : False
ValidateAliasNotCircular        : True
ValidateShareScope              : True
ValidateShareScopeNotAliased    : True
ValidateTargetName              : True
PS C:\> Get-SmbShare    

Name   ScopeName Path            Description  
----   --------- ----            -----------  
ADMIN$ *         C:\Windows      Remote Admin 
C$     *         C:\             Default share
IPC$   *                         Remote IPC   
WebApp *         C:\xampp\htdocs
PS C:\> Get-SmbShare -Name "WebApp" |Format-List -Property *

PresetPathAcl         : System.Security.AccessControl.DirectorySecurity
ShareState            : Online
AvailabilityType      : NonClustered
ShareType             : FileSystemDirectory
FolderEnumerationMode : Unrestricted
CachingMode           : Manual
LeasingMode           : Full
SmbInstance           : Default
CATimeout             : 0
ConcurrentUserLimit   : 0
ContinuouslyAvailable : False
CurrentUsers          : 1
Description           : 
EncryptData           : False
IdentityRemoting      : False
Infrastructure        : False
Name                  : WebApp
Path                  : C:\xampp\htdocs
Scoped                : False
ScopeName             : *
SecurityDescriptor    : O:SYG:SYD:(A;;FA;;;BA)(A;;0x1301bf;;;BU)
ShadowCopy            : False
Special               : False
Temporary             : False
Volume                : \\?\Volume{1035ea41-fdc8-4bce-b377-1a91433daebb}\
PSComputerName        : 
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbShare
CimInstanceProperties : {AvailabilityType, CachingMode, CATimeout, ConcurrentUserLimit...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties
PS C:\> Get-Acl -Path C:\xampp\htdocs | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::C:\xampp\htdocs
Owner  : BUILTIN\Administrators
Group  : CRAFT2\None
Access : CRAFT2\apache Allow  FullControl
         CRAFT2\apache Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  AppendData
         BUILTIN\Users Allow  CreateFiles
         CREATOR OWNER Allow  268435456
Audit  : 
Sddl   : O:BAG:S-1-5-21-537427935-490066102-1511301751-513D:AI(A;OICI;FA;;;S-1-5-21-537427935-490066102-1511301751-1000
         )(A;OICIID;FA;;;S-1-5-21-537427935-490066102-1511301751-1000)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1
         200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)

@mpgn
Collaborator

mpgn commented Feb 17, 2024

I think I understand why. Can you delete the directory you just created?

We check if you can create and delete, but if delete fails, then it's like create didn't work either.

try:
    self.conn.createDirectory(share_name, temp_dir)
    self.conn.deleteDirectory(share_name, temp_dir)
    write = True
    share_info["access"].append("WRITE")
except SessionError as e:
    error = get_error_string(e)
    self.logger.debug(f"Error checking WRITE access on share: {error}")

So my guess: you can create but not delete, which seems to be about what we saw in the Get-Acl output

         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  AppendData
         BUILTIN\Users Allow  CreateFiles

So yep, this is a bug, congrats on the finding! 🎉

https://github.com/Pennyw0rth/NetExec/blob/fe179b006a7bdca7887af67e60b0afe80e4fd9f2/nxc/protocols/smb.py#L743C20-L744C68
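
Added example (not part of the thread and not NetExec or impacket code): it decodes the share SecurityDescriptor and the folder Sddl posted earlier in this thread and reports which rights a requested access mask asks for beyond what BUILTIN\Users is granted. The helper names and the trustee set are assumptions made for illustration; GENERIC_ALL is tested because it is the desired access visible in the impacket mkdir traceback further down.

```python
import re

# File/directory access-right bits (Windows SDK values).
RIGHTS = {
    "FILE_READ_DATA": 0x000001,        # LIST_DIRECTORY on a folder
    "FILE_WRITE_DATA": 0x000002,       # ADD_FILE on a folder ("CreateFiles")
    "FILE_APPEND_DATA": 0x000004,      # ADD_SUBDIRECTORY on a folder ("AppendData")
    "FILE_READ_EA": 0x000008,
    "FILE_WRITE_EA": 0x000010,
    "FILE_EXECUTE": 0x000020,          # TRAVERSE on a folder
    "FILE_DELETE_CHILD": 0x000040,
    "FILE_READ_ATTRIBUTES": 0x000080,
    "FILE_WRITE_ATTRIBUTES": 0x000100,
    "DELETE": 0x010000,
    "READ_CONTROL": 0x020000,
    "WRITE_DAC": 0x040000,
    "WRITE_OWNER": 0x080000,
    "SYNCHRONIZE": 0x100000,
}
FILE_ALL_ACCESS = 0x1F01FF
GENERIC_ALL = 0x10000000
GENERIC_MAP = {  # generic bit -> file-specific rights
    0x80000000: 0x120089,         # GENERIC_READ    -> FILE_GENERIC_READ
    0x40000000: 0x120116,         # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    0x20000000: 0x1200A0,         # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    GENERIC_ALL: FILE_ALL_ACCESS,
}
# Two-letter SDDL rights that occur in the strings below. SDDL prints the
# directory-service names for the low bits: LC is 0x4 and DC is 0x2.
SDDL_RIGHTS = {"FA": FILE_ALL_ACCESS, "GA": GENERIC_ALL, "LC": 0x4, "DC": 0x2}

# Copied from the Get-SmbShare and Get-Acl output in this thread (line wraps removed).
SHARE_SDDL = "O:SYG:SYD:(A;;FA;;;BA)(A;;0x1301bf;;;BU)"
NTFS_SDDL = (
    "O:BAG:S-1-5-21-537427935-490066102-1511301751-513D:AI"
    "(A;OICI;FA;;;S-1-5-21-537427935-490066102-1511301751-1000)"
    "(A;OICIID;FA;;;S-1-5-21-537427935-490066102-1511301751-1000)"
    "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)"
    "(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)"
)
# Assumed trustee set: SDDL aliases for BUILTIN\Users, Authenticated Users and
# Everyone, three of the groups in the whoami /all output above.
TRUSTEES = {"BU", "AU", "WD"}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")


def map_generic(mask):
    """Expand generic bits into the file-specific rights they stand for."""
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_rights(text):
    """Rights are either a hex literal or a run of two-letter codes."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= SDDL_RIGHTS[text[i:i + 2]]  # KeyError on a code not in the table
    return mask


def parse_dacl(sddl):
    """Return (type, flag set, expanded mask, sid) for every ACE in the string."""
    aces = []
    for ace_type, flags, rights, sid in ACE_RE.findall(sddl):
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append((ace_type, flag_set, map_generic(parse_rights(rights)), sid))
    return aces


def granted_to(sddl, trustees):
    """Maximum access the DACL gives the trustees on the object itself."""
    granted = denied = 0
    for ace_type, flags, mask, sid in parse_dacl(sddl):
        if sid not in trustees or "IO" in flags:  # inherit-only: children only
            continue
        if ace_type == "D":
            denied |= mask & ~granted
        elif ace_type == "A":
            granted |= mask & ~denied
    return granted


def right_names(mask):
    return [name for name, bit in RIGHTS.items() if mask & bit]


def exceeds(requested, granted):
    """Names of the rights in `requested` that `granted` does not contain."""
    return right_names(map_generic(requested) & ~granted)


if __name__ == "__main__":
    share = granted_to(SHARE_SDDL, TRUSTEES)   # ceiling applied by the SMB server
    ntfs = granted_to(NTFS_SDDL, TRUSTEES)     # DACL on C:\xampp\htdocs itself
    print(f"share grants {share:#x}, folder grants {ntfs:#x}")
    print("GENERIC_ALL beyond share ACL:", exceeds(GENERIC_ALL, share))
    print("ADD_SUBDIRECTORY beyond both:", exceeds(0x4, share & ntfs))
```

A GENERIC_ALL request asks for three rights the share ACL does not give BUILTIN\Users, while the single bit needed to add a subdirectory fits within both the share ACL and the folder DACL. Whether that is the cause of the STATUS_ACCESS_DENIED reported in this issue is not confirmed in the thread at this point.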

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

@mpgn Weirdly, I am actually able to successfully delete the directory using smbclient.

@NeffIsBack
Contributor

Is the setup something we can easily recreate for testing?

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

I don't think so. I can try to give you more details regarding the error, but sadly, without having a subscription from Offsec, you probably cannot have access to the machine 😮‍💨

I did a small change to print more details:

[...]
           INFO     Creating directory \tiTVMWUhOn in share WebApp                                                                                   smb.py:743
           DEBUG    Error checking WRITE access on share: STATUS_ACCESS_DENIED                                                                       smb.py:752
╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smbconnection.py:652 in createDirectory                                                     │
│                                                                                                  │
│   649 │   │   :raise SessionError: if error                                                      │
│   650 │   │   """                                                                                │
│   651 │   │   try:                                                                               │
│ ❱ 652 │   │   │   return self._SMBConnection.mkdir(shareName, pathName)                          │
│   653 │   │   except (smb.SessionError, smb3.SessionError) as e:                                 │
│   654 │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                   │
│   655                                                                                            │
│                                                                                                  │
│ ╭────────────────────────────────── locals ───────────────────────────────────╮                  │
│ │  pathName = '\\tiTVMWUhOn'                                                  │                  │
│ │      self = <impacket.smbconnection.SMBConnection object at 0x7f0064eaca10> │                  │
│ │ shareName = 'WebApp'                                                        │                  │
│ ╰─────────────────────────────────────────────────────────────────────────────╯                  │
│                                                                                                  │
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smb3.py:1789 in mkdir                                                                       │
│                                                                                                  │
│   1786 │   │                                                                                     │
│   1787 │   │   fileId = None                                                                     │
│   1788 │   │   try:                                                                              │
│ ❱ 1789 │   │   │   fileId = self.create(treeId, pathName, GENERIC_ALL, FILE_SHARE_READ | FILE_S  │
│   1790 │   │   │   │   │   │   │   │    FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, FIL  │
│   1791 │   │   finally:                                                                          │
│   1792 │   │   │   if fileId is not None:                                                        │
│                                                                                                  │
│ ╭───────────────────────── locals ──────────────────────────╮                                    │
│ │    fileId = None                                          │                                    │
│ │  password = None                                          │                                    │
│ │  pathName = 'tiTVMWUhOn'                                  │                                    │
│ │      self = <impacket.smb3.SMB3 object at 0x7f0065d69910> │                                    │
│ │ shareName = 'WebApp'                                      │                                    │
│ │    treeId = 9                                             │                                    │
│ ╰───────────────────────────────────────────────────────────╯                                    │
│                                                                                                  │
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smb3.py:1261 in create                                                                      │
│                                                                                                  │
│   1258 │   │                                                                                     │
│   1259 │   │   packetID = self.sendSMB(packet)                                                   │
│   1260 │   │   ans = self.recvSMB(packetID)                                                      │
│ ❱ 1261 │   │   if ans.isValidAnswer(STATUS_SUCCESS):                                             │
│   1262 │   │   │   createResponse = SMB2Create_Response(ans['Data'])                             │
│   1263 │   │   │                                                                                 │
│   1264 │   │   │   openFile = copy.deepcopy(OPEN)                                                │
│                                                                                                  │
│ ╭───────────────────────────────────── locals ─────────────────────────────────────╮             │
│ │                 ans = <impacket.smb3structs.SMB2Packet object at 0x7f0064efd550> │             │
│ │      createContexts = None                                                       │             │
│ │ creationDisposition = 2                                                          │             │
│ │     creationOptions = 33                                                         │             │
│ │       desiredAccess = 268435456                                                  │             │
│ │      fileAttributes = 0                                                          │             │
│ │           fileEntry = {                                                          │             │
│ │                       │   'OpenTable': [],                                       │             │
│ │                       │   'LeaseKey': b"!\x91\xd5_H\xa0@*B^\x824\xd8]\x94'",     │             │
│ │                       │   'LeaseState': 0,                                       │             │
│ │                       │   'LeaseEpoch': 0                                        │             │
│ │                       }                                                          │             │
│ │            fileName = 'tiTVMWUhOn'                                               │             │
│ │  impersonationLevel = 2                                                          │             │
│ │         oplockLevel = 0                                                          │             │
│ │              packet = <impacket.smb3structs.SMB3Packet object at 0x7f006444bb50> │             │
│ │            packetID = 91                                                         │             │
│ │            pathName = '\\\\192.168.229.188\\tiTVMWUhOn'                          │             │
│ │       securityFlags = 0                                                          │             │
│ │                self = <impacket.smb3.SMB3 object at 0x7f0065d69910>              │             │
│ │           shareMode = 7                                                          │             │
│ │          smb2Create = <impacket.smb3structs.SMB2Create object at 0x7f0064eede50> │             │
│ │              treeId = 9                                                          │             │
│ ╰──────────────────────────────────────────────────────────────────────────────────╯             │
│                                                                                                  │
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smb3structs.py:458 in isValidAnswer                                                         │
│                                                                                                  │
│    455 │   def isValidAnswer(self, status):                                                      │
│    456 │   │   if self['Status'] != status:                                                      │
│    457 │   │   │   from . import smb3                                                            │
│ ❱  458 │   │   │   raise smb3.SessionError(self['Status'], self)                                 │
│    459 │   │   return True                                                                       │
│    460 │                                                                                         │
│    461 │   def __init__(self, data = None):                                                      │
│                                                                                                  │
│ ╭─────────────────────────────────────────── locals ───────────────────────────────────────────╮ │
│ │   self = <impacket.smb3structs.SMB2Packet object at 0x7f0064efd550>                          │ │
│ │   smb3 = <module 'impacket.smb3' from                                                        │ │
│ │          '/home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/sit… │ │
│ │ status = 0                                                                                   │ │
│ ╰──────────────────────────────────────────────────────────────────────────────────────────────╯ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

During handling of the above exception, another exception occurred:

╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /home/kali/craft2/NetExec/nxc/protocols/smb.py:744 in shares                                     │
│                                                                                                  │
│    741 │   │   │   if not self.args.no_write_check:                                              │
│    742 │   │   │   │   try:                                                                      │
│    743 │   │   │   │   │   self.logger.info(f"Creating directory {temp_dir} in share {share_nam  │
│ ❱  744 │   │   │   │   │   self.conn.createDirectory(share_name, temp_dir)                       │
│    745 │   │   │   │   │   self.logger.info(f"Deleting directory {temp_dir} in share {share_nam  │
│    746 │   │   │   │   │   self.conn.deleteDirectory(share_name, temp_dir)                       │
│    747 │   │   │   │   │   write = True                                                          │
│                                                                                                  │
│ ╭────────────────────────────────────── locals ───────────────────────────────────────╮          │
│ │      Console = <class 'rich.console.Console'>                                       │          │
│ │            e = SessionError()                                                       │          │
│ │        error = 'STATUS_ACCESS_DENIED'                                               │          │
│ │  permissions = [                                                                    │          │
│ │                │   {'name': 'ADMIN$', 'remark': 'Remote Admin', 'access': []},      │          │
│ │                │   {'name': 'C$', 'remark': 'Default share', 'access': []},         │          │
│ │                │   {'name': 'IPC$', 'remark': 'Remote IPC', 'access': ['READ']}     │          │
│ │                ]                                                                    │          │
│ │         read = True                                                                 │          │
│ │         self = <protocol.smb object at 0x7f0064eacf90>                              │          │
│ │        share = <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c7d0>      │          │
│ │   share_info = {'name': 'WebApp', 'remark': '', 'access': ['READ']}                 │          │
│ │   share_name = 'WebApp'                                                             │          │
│ │ share_remark = ''                                                                   │          │
│ │       shares = [                                                                    │          │
│ │                │   <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c350>, │          │
│ │                │   <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c4d0>, │          │
│ │                │   <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c650>, │          │
│ │                │   <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c7d0>  │          │
│ │                ]                                                                    │          │
│ │     temp_dir = '\\tiTVMWUhOn'                                                       │          │
│ │      user_id = 2                                                                    │          │
│ │        write = False                                                                │          │
│ ╰─────────────────────────────────────────────────────────────────────────────────────╯          │
│                                                                                                  │
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smbconnection.py:654 in createDirectory                                                     │
│                                                                                                  │
│   651 │   │   try:                                                                               │
│   652 │   │   │   return self._SMBConnection.mkdir(shareName, pathName)                          │
│   653 │   │   except (smb.SessionError, smb3.SessionError) as e:                                 │
│ ❱ 654 │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                   │
│   655 │                                                                                          │
│   656 │   def deleteDirectory(self, shareName, pathName):                                        │
│   657 │   │   """                                                                                │
│                                                                                                  │
│ ╭────────────────────────────────── locals ───────────────────────────────────╮                  │
│ │  pathName = '\\tiTVMWUhOn'                                                  │                  │
│ │      self = <impacket.smbconnection.SMBConnection object at 0x7f0064eaca10> │                  │
│ │ shareName = 'WebApp'                                                        │                  │
│ ╰─────────────────────────────────────────────────────────────────────────────╯                  │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
SMB         192.168.229.188 445    CRAFT2           [*] Enumerated shares
           INFO     SMB         192.168.229.188 445    CRAFT2           [*] Enumerated shares                                                     logger.py:121
SMB         192.168.229.188 445    CRAFT2           Share           Permissions     Remark
           INFO     SMB         192.168.229.188 445    CRAFT2           Share           Permissions     Remark                                    logger.py:121
SMB         192.168.229.188 445    CRAFT2           -----           -----------     ------
           INFO     SMB         192.168.229.188 445    CRAFT2           -----           -----------     ------                                    logger.py:121
SMB         192.168.229.188 445    CRAFT2           ADMIN$                          Remote Admin
           INFO     SMB         192.168.229.188 445    CRAFT2           ADMIN$                          Remote Admin                              logger.py:121
SMB         192.168.229.188 445    CRAFT2           C$                              Default share
           INFO     SMB         192.168.229.188 445    CRAFT2           C$                              Default share                             logger.py:121
SMB         192.168.229.188 445    CRAFT2           IPC$            READ            Remote IPC
           INFO     SMB         192.168.229.188 445    CRAFT2           IPC$            READ            Remote IPC                                logger.py:121
SMB         192.168.229.188 445    CRAFT2           WebApp          READ            
           INFO     SMB         192.168.229.188 445    CRAFT2           WebApp          READ                                                      logger.py:121

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

I did more testing with Impacket and found out it cannot create a directory in the share:

$ impacket-smbclient CRAFT2/thecybergeek:winniethepooh@192.168.229.188
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands

# shares
ADMIN$
C$
IPC$
WebApp
# use WebApp
# mkdir foo
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

@s4n-cz
Author

s4n-cz commented Feb 17, 2024

It has no issues with files:

# rm test.txt
# put test.txt
# cat test.txt
test

@NeffIsBack
Contributor

Okay so overall you can create files but not directories right? That would explain why it only displays it as readable

@NeffIsBack
Contributor

Can you try with the following and send the debug output?
pipx install git+https://github.com/Pennyw0rth/NetExec@neff-fix-share-privs

@s4n-cz
Author

s4n-cz commented Feb 18, 2024

> Okay so overall you can create files but not directories right? That would explain why it only displays it as readable

Only with Impacket. Smbclient is capable of creating both files and directories (#182 (comment)).

> Can you try with the following and send the debug output? pipx install git+https://github.com/Pennyw0rth/NetExec@neff-fix-share-privs

It fails already during self.conn.createDirectory(share_name, temp_dir), so this modification does not change the result.

$ nxc --debug smb 192.168.186.188 -u thecybergeek -p winniethepooh --shares
[09:09:50] DEBUG    PYTHON VERSION: 3.11.7 (main, Dec  8 2023, 14:22:46) [GCC 13.2.0]                                                             netexec.py:84
           DEBUG    RUNNING ON: Linux Release: 6.6.9-amd64                                                                                        netexec.py:85
           DEBUG    Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False,   netexec.py:86
                    protocol='smb', target=['192.168.186.188'], cred_id=[], username=['thecybergeek'], password=['winniethepooh'],                             
                    ignore_pw_decoding=False, kerberos=False, no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None,                      
                    aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[],                            
                    list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None,                                    
                    connectback_host=None, hash=[], delegate=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$',                    
                    smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, mkfile=None,              
                    pvk=None, enabled=False, userntds=None, shares=True, no_write_check=False, filter_shares=None, sessions=False, disks=False,                
                    loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None, pass_pol=False,              
                    rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='',                     
                    pattern=None, regex=None, depth=None, only_files=False, put_file=None, get_file=None, append_host=False, exec_method=None,                 
                    dcom_timeout=5, get_output_tries=5, codec='utf-8', force_ps32=False, no_output=False, execute=None, ps_execute=None,                       
                    obfs=False, amsi_bypass=None, clear_obfscripts=False)                                                                                      
           DEBUG    Protocol: smb                                                                                                                netexec.py:140
           DEBUG    Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py                  netexec.py:143
           DEBUG    Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py      netexec.py:145
           DEBUG    Protocol Object: <class 'protocol.smb'>                                                                                      netexec.py:148
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                              netexec.py:150
           DEBUG    DB Path: /home/kali/.nxc/workspaces/default/smb.db                                                                           netexec.py:153
           DEBUG    Using selector: EpollSelector                                                                                         selector_events.py:54
           DEBUG    Creating ThreadPoolExecutor                                                                                                   netexec.py:42
           DEBUG    Creating thread for <class 'protocol.smb'>                                                                                    netexec.py:45
           INFO     Socket info: host=192.168.186.188, hostname=192.168.186.188, kerberos=False, ipv6=False, link-local ipv6=False            connection.py:104
           DEBUG    Kicking off proto_flow                                                                                                    connection.py:164
           INFO     Error creating SMBv1 connection to 192.168.186.188: Error occurs while reading from remote(104)                                  smb.py:487
           DEBUG    Created connection object                                                                                                 connection.py:167
[09:09:51] DEBUG    Update Hosts: [{'ip': '192.168.186.188', 'hostname': 'CRAFT2', 'domain': 'CRAFT2', 'os': 'Windows 10 / Server 2019 Build    database.py:280
                    17763', 'dc': None, 'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]                             
           DEBUG    Error logging off system: Error occurs while reading from remote(104)                                                            smb.py:246
SMB         192.168.186.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
           INFO     SMB         192.168.186.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2)                logger.py:121
                    (domain:CRAFT2) (signing:False) (SMBv1:False)                                                                                              
           DEBUG    Trying to authenticate using plaintext with domain                                                                        connection.py:407
           INFO     Error creating SMBv1 connection to 192.168.186.188: Error occurs while reading from remote(104)                                  smb.py:487
           DEBUG    Adding credential: CRAFT2/thecybergeek:winniethepooh                                                                             smb.py:365
           DEBUG    Adding credentials: [{'id': 2, 'domain': 'CRAFT2', 'username': 'thecybergeek', 'password': 'winniethepooh', 'credtype':     database.py:347
                    'plaintext', 'pillaged_from_hostid': None}]                                                                                                
           DEBUG    smb hosts() - results: [(4, '192.168.186.188', 'CRAFT2', 'CRAFT2', 'Windows 10 / Server 2019 Build 17763', None, False,     database.py:495
                    False, None, None, None)]                                                                                                                  
           DEBUG    Inserting loggedin_relations: {'userid': 2, 'hostid': 4}                                                                    database.py:816
           DEBUG    Checking if relation was added: [(3, 2, 4)]                                                                                 database.py:822
SMB         192.168.186.188 445    CRAFT2           [+] CRAFT2\thecybergeek:winniethepooh 
           INFO     SMB         192.168.186.188 445    CRAFT2           [+] CRAFT2\thecybergeek:winniethepooh                                     logger.py:121
           DEBUG    Calling command arguments                                                                                                 connection.py:174
           DEBUG    Calling shares()                                                                                                          connection.py:195
           DEBUG    domain: CRAFT2                                                                                                                   smb.py:703
           INFO     Shares returned: [<impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f495e215e50>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object  smb.py:711
                    at 0x7f495e215fd0>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f495e216150>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1                 
                    object at 0x7f495e2162d0>]                                                                                                                 
           DEBUG    Error checking READ access on share: STATUS_ACCESS_DENIED                                                                        smb.py:739
           DEBUG    Error checking WRITE access on share ADMIN$: STATUS_ACCESS_DENIED                                                                smb.py:748
           DEBUG    Error checking READ access on share: STATUS_ACCESS_DENIED                                                                        smb.py:739
           DEBUG    Error checking WRITE access on share C$: STATUS_ACCESS_DENIED                                                                    smb.py:748
           DEBUG    Error checking WRITE access on share IPC$: STATUS_PRIVILEGE_NOT_HELD                                                             smb.py:748
[09:09:52] DEBUG    Error checking WRITE access on share WebApp: STATUS_ACCESS_DENIED                                                                smb.py:748
SMB         192.168.186.188 445    CRAFT2           [*] Enumerated shares
           INFO     SMB         192.168.186.188 445    CRAFT2           [*] Enumerated shares                                                     logger.py:121
SMB         192.168.186.188 445    CRAFT2           Share           Permissions     Remark
           INFO     SMB         192.168.186.188 445    CRAFT2           Share           Permissions     Remark                                    logger.py:121
SMB         192.168.186.188 445    CRAFT2           -----           -----------     ------
           INFO     SMB         192.168.186.188 445    CRAFT2           -----           -----------     ------                                    logger.py:121
SMB         192.168.186.188 445    CRAFT2           ADMIN$                          Remote Admin
           INFO     SMB         192.168.186.188 445    CRAFT2           ADMIN$                          Remote Admin                              logger.py:121
SMB         192.168.186.188 445    CRAFT2           C$                              Default share
           INFO     SMB         192.168.186.188 445    CRAFT2           C$                              Default share                             logger.py:121
SMB         192.168.186.188 445    CRAFT2           IPC$            READ            Remote IPC
           INFO     SMB         192.168.186.188 445    CRAFT2           IPC$            READ            Remote IPC                                logger.py:121
SMB         192.168.186.188 445    CRAFT2           WebApp          READ            
           INFO     SMB         192.168.186.188 445    CRAFT2           WebApp          READ                                                      logger.py:121

@mpgn
Collaborator

mpgn commented Feb 18, 2024

Then it's a bug in impacket 🥲

@s4n-cz
Author

s4n-cz commented Feb 18, 2024

I will create a separate issue there. Nevertheless, the change in neff-fix-share-privs probably makes sense to merge as it can help in different scenarios.

@whlpentest

I have the same issue, any update?!
Thank you.

@Marshall-Hallenbeck
Collaborator

@NeffIsBack was the neff-fix-share-privs not merged?

@whlpentest This looks like an error in Impacket, so we're reliant on them fixing it. Their ticket is linked above.

@NeffIsBack
Contributor

NeffIsBack commented May 15, 2024

@Marshall-Hallenbeck Yes, it was, and it did improve the check, but I think it didn't fully solve the root problem. Still no idea what that could be.

@whlpentest can you provide a full debug log and also the different result from your other method (smbclient or what you used)?
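
The false negative discussed in this thread, as an added example that is not NetExec's or Impacket's code and not the change on the neff-fix-share-privs branch: a write check that relies only on directory creation reports a share as read-only when the server refuses `mkdir` but accepts files, while a probe that falls back to a zero-byte file records which operation succeeded. `FakeShareConn`, `AccessDenied`, `attempt`, `mkdir_only_check` and `probe_write` are hypothetical names; the stub is constructed to mirror the behaviour reported for the `WebApp` share and uses the Impacket `SMBConnection` method names `createDirectory`, `deleteDirectory`, `putFile` and `deleteFile`.

```python
import io
import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Stand-in for impacket's SessionError (STATUS_ACCESS_DENIED)."""


@dataclass
class FakeShareConn:
    """Constructed stub with the SMBConnection method names the probe calls."""
    allow_mkdir: bool
    allow_file: bool
    dirs: set = field(default_factory=set)
    files: dict = field(default_factory=dict)

    def createDirectory(self, share, path):
        if not self.allow_mkdir:
            raise AccessDenied("STATUS_ACCESS_DENIED")
        self.dirs.add((share, path))

    def deleteDirectory(self, share, path):
        self.dirs.discard((share, path))

    def putFile(self, share, path, callback):
        if not self.allow_file:
            raise AccessDenied("STATUS_ACCESS_DENIED")
        self.files[(share, path)] = callback(4096)

    def deleteFile(self, share, path):
        self.files.pop((share, path), None)


def attempt(create, remove, denied):
    """Run one create/remove pair and describe the outcome as a string."""
    try:
        create()
    except denied as exc:
        return str(exc)
    try:
        remove()
    except denied:
        return "ok (cleanup failed)"  # object was created but is left behind
    return "ok"


def mkdir_only_check(conn, share, denied=(AccessDenied,)):
    """The check visible in the traceback: writable only if mkdir succeeds."""
    name = "\\" + secrets.token_hex(5)
    outcome = attempt(lambda: conn.createDirectory(share, name),
                      lambda: conn.deleteDirectory(share, name), denied)
    return outcome.startswith("ok")


def probe_write(conn, share, denied=(AccessDenied,)):
    """Try mkdir first, then an empty file; report which probe succeeded."""
    name = "\\" + secrets.token_hex(5)
    results = {"mkdir": attempt(lambda: conn.createDirectory(share, name),
                                lambda: conn.deleteDirectory(share, name), denied)}
    if not results["mkdir"].startswith("ok"):
        empty = io.BytesIO(b"").read  # zero-byte upload keeps the footprint small
        results["file"] = attempt(lambda: conn.putFile(share, name, empty),
                                  lambda: conn.deleteFile(share, name), denied)
    via = next((k for k, v in results.items() if v.startswith("ok")), None)
    return {"writable": via is not None, "via": via, "results": results}


def demo():
    """Constructed case matching the report: files allowed, directories refused."""
    conn = FakeShareConn(allow_mkdir=False, allow_file=True)
    return mkdir_only_check(conn, "WebApp"), probe_write(conn, "WebApp")


if __name__ == "__main__":
    print(demo())
```

Against a real connection, pass Impacket's `SessionError` as `denied`; the result still describes what that client library was allowed to do, which in this thread differed from smbclient.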
