mvelazc0 / PurpleSharp

PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments


Network path not found

JonathanAppriou opened this issue · comments

Hi @mvelazc0 ,

I don't know why, but each time I try to execute a remote technique playbook, I have this problem:

image

All my machines are in the same network (AD Server, Windows Target and operator endpoint with PurpleSharp), I checked the network settings and tried without Windows Defender. But every time it doesn't work. Have you ever encountered this problem or know where it could come from?

Here is my playbook configuration:

image

Hey @JonathanAppriou!

To troubleshoot this issue, let's try to execute one single technique on a remote host using the command line. The command line provides more debug logs that can help us determine the issue.

PurpleSharp.exe /rhost 192.168.38.3 /ruser admin /d mokoil.com /t T1059.001

Should look something like this:

image

Also, please confirm that:

  • The 'mokoil.com\admin' domain user has administrative privileges on 192.168.38.3
  • There is network connectivity between the host where you are running PurpleSharp and the remote host.
  • There is no anti-malware solution deleting the PurpleSharp binary when it's being copied to 192.168.38.3

I found a solution: disable the Windows Firewall.

image

Is it expected that PurpleSharp does not work with Windows Firewall?

I have another mistake now:

image

It seems that RPC is not present on the target, but:

image

@JonathanAppriou. Yes, disabling the Windows Firewall is necessary.

PurpleSharp connects to the remote endpoint on native services like SMB and RPC. If connections are being blocked by a firewall, PurpleSharp will not be able to connect to the endpoint.

The RPC error you are seeing looks like a network error. I have seen it before.

Are you using the right IP address? In your first screenshot it was 192.168.38.3, but on the last one you are using 192.168.38.2.
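
A preflight check for the connectivity requirement described in the reply above, as an added example that is not part of the original thread or of PurpleSharp itself. It probes the standard Windows ports for the two services the reply names (TCP 445 for SMB, TCP 135 for the RPC endpoint mapper; the thread names only the services, not the ports) and lists the firewall profile state of the machine it runs on. The address is the lab host from this thread.

```powershell
# Added example: connectivity preflight before a remote PurpleSharp simulation.
# $RemoteHost defaults to the lab address used in this thread; change it as needed.
param(
    [string]$RemoteHost = '192.168.38.3'
)

# Standard ports for the native services named in the thread (assumed defaults).
# RPC also negotiates dynamic high ports after the endpoint mapper; those are not probed.
$ports = [ordered]@{ 'SMB' = 445; 'RPC endpoint mapper' = 135 }

$results = foreach ($name in $ports.Keys) {
    $probe = Test-NetConnection -ComputerName $RemoteHost -Port $ports[$name] `
        -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service   = $name
        Port      = $ports[$name]
        Reachable = $probe.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Firewall profile state on the machine running this script (the operator endpoint).
# Run the same command on the target to compare both sides.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    $names = ($blocked | ForEach-Object { $_.Service }) -join ', '
    Write-Warning "Unreachable on ${RemoteHost}: $names. Check the firewall on both hosts and the target IP address."
    exit 1
}
Write-Output "SMB and the RPC endpoint mapper are reachable on $RemoteHost."
```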

@mvelazc0

Okay, thanks a lot! I had forgotten to disable the firewall on the attacking machine. So it works now.

I didn't think PurpleSharp needed to have firewall restrictions turned off. But now I understand.

Thank you for your time!

I have another question:

When I want to use a technique, how can I know what objects are needed in the playbook (or arguments using command line)?

For example, I want to use Brute Force technique in my playbook. Where can I find the arguments/objects needed?

@JonathanAppriou, I'm glad it's working now!

That is a great question. I definitely need to do a better job at documentation. Ideally, all the parameters would live here:

https://www.purplesharp.com/en/latest/techniques/techniques.html#brute-force-password-spraying

Right now, it does not have it.

For now, you can look at some playbook examples I have here:

https://github.com/mvelazc0/PurpleAD

Happy to jump on a call to talk about the specific parameters for your simulations also!