
Impacket KeyError when running WMI after Zerologon #1774

@mssalvatore

Describe the bug

If the Zerologon exploiter is run before the WMI exploiter, errors occur in the WMI exploiter when attempting to connect/disconnect to the victim using impacket. This doesn't appear to affect functionality, as the WMI exploiter is still able to authenticate to the victim when the correct credentials are used.

To Reproduce

Steps to reproduce the behavior:

  1. Configure a machine to be exploitable with Zerologon and WMI
  2. Configure Infection Monkey to use the Zerologon and WMI exploiters
  3. Run the monkey agent
  4. View errors in the logs.

Code that triggers errors

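    from impacket.dcerpc.v5.dcom import wmi
    from impacket.dcerpc.v5.dcomrt import DCOMConnection

    # host, the credential variables, logger and AccessDeniedException
    # come from the surrounding exploiter code.
    dcom = DCOMConnection(
        host.ip_addr,
        username=username,
        password=password,
        domain=domain,
        lmhash=lmhash,
        nthash=nthash,
        oxidResolver=True,
    )
    try:
        iInterface = dcom.CoCreateInstanceEx(
            wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login
        )
    except Exception as exc:
        # Clean up the connection before re-raising. disconnect() can raise
        # the KeyError described above; log it and carry on.
        try:
            dcom.disconnect()
        except KeyError:
            logger.exception("Disconnecting the DCOMConnection failed")
        # Not every exception carries error_string, so read it defensively
        # to avoid masking the original error with an AttributeError.
        if "rpc_s_access_denied" == getattr(exc, "error_string", None):
            raise AccessDeniedException(host, username, password, domain)
        raise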

Tasks

  • Investigate and maybe fix 0d - @cakekoa

Labels

  • Bug: An error, flaw, misbehavior or failure in the Monkey or Monkey Island.
  • Complexity: High
  • Impact: Low
  • sp/3
