login-securite / lsassy

Extract credentials from lsass remotely

Home Page: https://en.hackndo.com/remote-lsass-dump-passwords/


Impacket RPC Access Denied

Dviros opened this issue · comments

Hi! Thanks for this :)

Having errors on the 2 methods in your tool, probably something related to the environment (using Detectionlab).
Tried to disable RPC restriction, disabled the FW:
https://help.pdq.com/hc/en-us/articles/220533007
https://support.microsoft.com/en-ae/help/895085/you-receive-an-access-is-denied-error-message-on-a-windows-server-2003
https://support.microsoft.com/en-ca/help/2623670/access-denied-or-other-errors-when-you-access-or-work-with-files-and-f
Nothing so far. Any idea?

Again, Thanks!

Rundll32:
root@kali:~/Desktop# lsassy windomain.local/vagrant:vagrant@192.168.239.137
[+] Authenticated
[*] Using DLL Method (default)
Traceback (most recent call last):
File "/usr/local/bin/lsassy", line 10, in <module>
sys.exit(run())
File "/usr/local/lib/python3.7/dist-packages/lsassy/main.py", line 79, in run
file_path = dumper.dump("dll")
File "/usr/local/lib/python3.7/dist-packages/lsassy/dumper.py", line 27, in dump
self.dlldump()
File "/usr/local/lib/python3.7/dist-packages/lsassy/dumper.py", line 51, in dlldump
TASK_EXEC(self._conn, self._log).execute(command)
File "/usr/local/lib/python3.7/dist-packages/lsassy/taskexe.py", line 28, in execute
tsch.hSchRpcRegisterTask(dce, '\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/tsch.py", line 637, in hSchRpcRegisterTask
return dce.request(request)
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
answer = self.recv()
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1320, in recv
raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied

Procdump:
root@kali:~/Desktop# lsassy -p procdump64.exe windomain.local/vagrant:vagrant@192.168.239.137
[+] Authenticated
[*] Using Procdump Method
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 812, in putFile
return self._SMBConnection.stor_file(shareName, pathName, callback)
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1565, in storeFile
treeId = self.connectTree(shareName)
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 858, in connectTree
if packet.isValidAnswer(STATUS_SUCCESS):
File "/usr/lib/python3/dist-packages/impacket/smb3structs.py", line 437, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.7/dist-packages/lsassy/impacketconnection.py", line 132, in putFile
self.conn.putFile(share_name, path_name, callback)
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 816, in putFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/bin/lsassy", line 10, in <module>
sys.exit(run())
File "/usr/local/lib/python3.7/dist-packages/lsassy/main.py", line 77, in run
file_path = dumper.dump("procdump")
File "/usr/local/lib/python3.7/dist-packages/lsassy/dumper.py", line 29, in dump
self.procdump(exec_methods)
File "/usr/local/lib/python3.7/dist-packages/lsassy/dumper.py", line 67, in procdump
self._conn.putFile(self._share, self._tmp_dir + self._procdump, procdump.read)
File "/usr/local/lib/python3.7/dist-packages/lsassy/impacketconnection.py", line 135, in putFile
raise Exception("An error occured while uploading %s on %s share : %s" % (path_name, share_name, e))
Exception: An error occured while uploading \Windows\Temp\procdump.exe on C$ share : SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

commented

Are you able to run smbclient.py from impacket and access the C$ share?

smbclient.py windomain.local/vagrant:vagrant@192.168.239.137
# use C$
# ls

I'll check it today. Thanks :)

F* me. permissions.
User was not a local admin. 🤦‍♂