Fix issues with Kerberos and non-NTLM domains
This is an issue from discord.
The problem is that flags like --use-kcache require Kerberos authentication. However, some checks are still written as if self.args.kerberos instead of if self.kerberos, and it is self.kerberos that is correctly set to true when --use-kcache is given. Therefore, in non-NTLM environments the authentication does not work, because for example:

```python
if self.args.kerberos:
    self.host = self.hostname
```

is not triggered beforehand, even though self.kerberos has been set by the --use-kcache flag.
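To make the cause concrete, the following is an added Python model of the host-selection check; it is not NetExec's own code, the names Target, select_host, spn_for and kdc_knows_spn are hypothetical, and the IP address is a constructed stand-in for the masked 10.10.*.* in the logs. The buggy branch consults args.kerberos only, so with --use-kcache the connection keeps the IP and the Kerberos layer asks for a cifs/<ip> service principal, which is what the KDC rejects.

```python
from argparse import Namespace
from dataclasses import dataclass


@dataclass
class Target:
    host: str       # address the SMB connection is opened to
    hostname: str   # DNS name of the target, needed for the Kerberos SPN
    kerberos: bool  # effective auth mode, like NetExec's self.kerberos


def select_host(args: Namespace, ip: str, hostname: str, fixed: bool) -> Target:
    """Pick the connection host under the buggy or the fixed check.

    Hypothetical model: the effective Kerberos flag is derived from either
    -k or --use-kcache, but the buggy check consults args.kerberos alone,
    so --use-kcache leaves the host pointing at the IP address.
    """
    effective_kerberos = bool(args.kerberos or args.use_kcache)
    target = Target(host=ip, hostname=hostname, kerberos=effective_kerberos)
    use_hostname = target.kerberos if fixed else args.kerberos
    if use_hostname:
        target.host = target.hostname
    return target


def spn_for(target: Target) -> str:
    """Service principal the Kerberos layer would request a ticket for."""
    return f"cifs/{target.host}"


def kdc_knows_spn(spn: str) -> bool:
    """Constructed stand-in for the KDC lookup: an IP-literal service host
    has no matching principal, which surfaces as KDC_ERR_S_PRINCIPAL_UNKNOWN."""
    host = spn.split("/", 1)[1]
    parts = host.split(".")
    return not (len(parts) == 4 and all(p.isdigit() for p in parts))


# Constructed sample values; the page masks the real IP as 10.10.*.*
SAMPLE_IP, SAMPLE_HOSTNAME = "10.10.0.1", "test.local"
ARGS_K = Namespace(kerberos=True, use_kcache=False)       # nxc ... -k
ARGS_KCACHE = Namespace(kerberos=False, use_kcache=True)  # nxc ... --use-kcache

if __name__ == "__main__":
    for label, args in (("-k", ARGS_K), ("--use-kcache", ARGS_KCACHE)):
        for fixed in (False, True):
            spn = spn_for(select_host(args, SAMPLE_IP, SAMPLE_HOSTNAME, fixed))
            state = "ok" if kdc_knows_spn(spn) else "KDC_ERR_S_PRINCIPAL_UNKNOWN"
            print(f"{label:13s} fixed={fixed!s:5s} {spn:18s} {state}")
```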
This PR should fix edge case issues, like these:
NTLM is not supported
nxc smb winterfell.north.sevenkingdoms.local --use-kcache -> fails (because of the aforementioned issue)
nxc smb winterfell.north.sevenkingdoms.local --use-kcache -k -> succeeds
When I try with the -k flag, I get the required output:
netexec smb *********** -d ********** -u beatri**** -p '**********' -k --shares --debug
[00:28:56] DEBUG NXC VERSION: 1.2.0 - ItsAlwaysDNS - 54cad53 cli.py:26
DEBUG PYTHON VERSION: 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0] netexec.py:80
DEBUG RUNNING ON: Linux Release: 6.8.11-amd64 netexec.py:81
DEBUG Passed args: Namespace(threads=256, timeout=None, jitter=None, verbose=False, debug=True, no_progress=False, log=None, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, version=False, netexec.py:82
protocol='smb', target=['test.local'], username=['beatricemill'], password=['!!!!ilovegood17'], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False,
gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=True, use_kcache=False, aesKey=None, kdcHost=None, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None,
module=None, module_options=[], list_modules=False, show_module_options=False, hash=[], delegate=None, no_s4u2proxy=False, domain='test.local', local_auth=False, port=445, share='C$',
smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, sccm=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=True,
interfaces=False, no_write_check=False, filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None,
pass_pol=False, rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='', depth=None, only_files=False, pattern=None, regex=None,
put_file=None, get_file=None, append_host=False, exec_method='wmiexec', dcom_timeout=5, get_output_tries=100, codec='utf-8', no_output=False, execute=None, ps_execute=None, obfs=False, amsi_bypass=None,
clear_obfscripts=False, force_ps32=False, no_encode=False)
DEBUG Protocol: smb netexec.py:136
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py netexec.py:139
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py netexec.py:141
[00:28:57] DEBUG Protocol Object: <class 'protocol.smb'>, type: <class 'type'> netexec.py:144
DEBUG Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', netexec.py:145
'__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__',
'call_cmd_args', 'call_modules', 'check_if_admin', 'computers', 'create_conn_obj', 'create_smbv1_conn', 'create_smbv3_conn', 'disks', 'domainfromdnshostname', 'domainfromdsn', 'dpapi',
'enable_remoteops', 'enum_host_info', 'execute', 'gen_relay_list', 'get_dc_ips', 'get_file', 'get_file_single', 'get_os_arch', 'groups', 'hash_login', 'inc_failed_login', 'interfaces',
'kerberos_login', 'load_modules', 'local_groups', 'loggedon_users', 'login', 'lsa', 'mark_guest', 'mark_pwned', 'ntds', 'over_fail_limit', 'parse_credentials', 'pass_pol', 'plaintext_login',
'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'ps_execute', 'put_file', 'put_file_single', 'query_db_creds', 'resolver', 'rid_brute', 'sam', 'sccm', 'sessions', 'shares', 'spider',
'try_credentials', 'users', 'wmi']
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:147
DEBUG DB Path: /home/kali/.nxc/workspaces/default/smb.db netexec.py:150
DEBUG Creating ThreadPoolExecutor netexec.py:44
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:47
INFO Socket info: host=test.local, hostname=test.local, kerberos=True, ipv6=False, link-local ipv6=False connection.py:163
DEBUG Kicking off proto_flow connection.py:219
INFO Error creating SMBv1 connection to test.local: Error occurs while reading from remote(104) smb.py:539
[00:28:58] DEBUG Created connection object connection.py:224
[00:28:59] DEBUG NTLM not supported smb.py:218
DEBUG Error getting server information... smb.py:258
DEBUG Server OS: None.None build None smb.py:264
DEBUG Update Hosts: [{'id': 7, 'ip': 'test.local', 'hostname': 'test.local', 'domain': 'test.local', 'os': '', 'dc': None, 'smbv1': False, 'signing': True, 'spooler': None, 'zerologon': None, database.py:280
'petitpotam': None}]
DEBUG add_host() - Host IDs Updated: [7] database.py:290
[00:29:00] DEBUG Error logging off system: SMB SessionError: code: 0xc0000203 - STATUS_USER_SESSION_DELETED - The remote user session has been deleted. smb.py:295
INFO Resolved domain: test.local with dns, kdcHost: 10.10.*.* smb.py:303
[00:29:00] INFO SMB test.local 445 test.local x64 (name:test.local) (domain:test.local) (signing:True) (SMBv1:False) smb.py:308
SMB test.local 445 test.local x64 (name:test.local) (domain:test.local) (signing:True) (SMBv1:False)
DEBUG Trying to authenticate using Kerberos connection.py:486
DEBUG KDC set to: 10.10.*.* smb.py:314
INFO Error creating SMBv1 connection to test.local: Error occurs while reading from remote(104) smb.py:539
[00:29:03] DEBUG Checking if user is admin on test.local smb.py:571
[00:29:05] INFO SMB test.local 445 test.local test.local\beatri****:********** smb.py:362
SMB test.local 445 test.local test.local\beatri****:**********
[00:29:05] DEBUG Calling command arguments connection.py:232
DEBUG Calling shares() connection.py:253
DEBUG domain: test.local smb.py:779
[00:29:07] INFO Shares returned: [<impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f576711a550>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f5767ba8450>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at smb.py:792
0x7f576711a790>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f576711a910>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f576711aa90>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at
0x7f576711ab10>]
DEBUG Error checking READ access on share ADMIN$: STATUS_ACCESS_DENIED smb.py:820
DEBUG Error checking WRITE access on share ADMIN$: STATUS_ACCESS_DENIED smb.py:829
DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
DEBUG Error checking READ access on share C$: STATUS_ACCESS_DENIED smb.py:820
[00:29:08] DEBUG Error checking WRITE access on share C$: STATUS_ACCESS_DENIED smb.py:829
DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
[00:29:09] DEBUG Error checking WRITE access on share IPC$: STATUS_PRIVILEGE_NOT_HELD smb.py:829
[00:29:12] DEBUG Error checking WRITE access on share NETLOGON: STATUS_ACCESS_DENIED smb.py:829
DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
[00:29:17] DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
[00:29:19] DEBUG Error checking WRITE access on share SYSVOL: STATUS_ACCESS_DENIED smb.py:829
DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
[00:29:19] INFO SMB test.local 445 test.local Enumerated shares smb.py:848
SMB test.local 445 test.local Enumerated shares
[00:29:19] INFO SMB test.local 445 test.local Share Permissions Remark smb.py:849
SMB test.local 445 test.local Share Permissions Remark
[00:29:19] INFO SMB test.local 445 test.local ----- ----------- ------ smb.py:850
SMB test.local 445 test.local ----- ----------- ------
[00:29:19] INFO SMB test.local 445 test.local ADMIN$ Remote Admin smb.py:857
SMB test.local 445 test.local ADMIN$ Remote Admin
[00:29:19] INFO SMB test.local 445 test.local C$ Default share smb.py:857
SMB test.local 445 test.local C$ Default share
[00:29:19] INFO SMB test.local 445 test.local IPC$ READ Remote IPC smb.py:857
SMB test.local 445 test.local IPC$ READ Remote IPC
[00:29:19] INFO SMB test.local 445 test.local NETLOGON READ Logon server share smb.py:857
SMB test.local 445 test.local NETLOGON READ Logon server share
[00:29:19] INFO SMB test.local 445 test.local share READ,WRITE smb.py:857
SMB test.local 445 test.local share READ,WRITE
[00:29:19] INFO SMB test.local 445 test.local SYSVOL READ Logon server share smb.py:857
SMB test.local 445 test.local SYSVOL READ Logon server share
DEBUG Closing connection to: test.local connection.py:173
However, when I try with --use-kcache, it fails:
netexec smb *********** -d ********** -u beatri**** -p '**********' --use-kcache --shares --debug
[00:30:13] DEBUG NXC VERSION: 1.2.0 - ItsAlwaysDNS - 54cad53 cli.py:26
DEBUG PYTHON VERSION: 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0] netexec.py:80
DEBUG RUNNING ON: Linux Release: 6.8.11-amd64 netexec.py:81
DEBUG Passed args: Namespace(threads=256, timeout=None, jitter=None, verbose=False, debug=True, no_progress=False, log=None, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, version=False, netexec.py:82
protocol='smb', target=['test.local'], username=['beatricemill'], password=['!!!!ilovegood17'], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False,
gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=True, aesKey=None, kdcHost=None, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None,
module=None, module_options=[], list_modules=False, show_module_options=False, hash=[], delegate=None, no_s4u2proxy=False, domain='test.local', local_auth=False, port=445, share='C$',
smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, sccm=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=True,
interfaces=False, no_write_check=False, filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None,
pass_pol=False, rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='', depth=None, only_files=False, pattern=None, regex=None,
put_file=None, get_file=None, append_host=False, exec_method='wmiexec', dcom_timeout=5, get_output_tries=100, codec='utf-8', no_output=False, execute=None, ps_execute=None, obfs=False, amsi_bypass=None,
clear_obfscripts=False, force_ps32=False, no_encode=False)
DEBUG Protocol: smb netexec.py:136
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py netexec.py:139
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py netexec.py:141
[00:30:14] DEBUG Protocol Object: <class 'protocol.smb'>, type: <class 'type'> netexec.py:144
DEBUG Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', netexec.py:145
'__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__',
'call_cmd_args', 'call_modules', 'check_if_admin', 'computers', 'create_conn_obj', 'create_smbv1_conn', 'create_smbv3_conn', 'disks', 'domainfromdnshostname', 'domainfromdsn', 'dpapi',
'enable_remoteops', 'enum_host_info', 'execute', 'gen_relay_list', 'get_dc_ips', 'get_file', 'get_file_single', 'get_os_arch', 'groups', 'hash_login', 'inc_failed_login', 'interfaces',
'kerberos_login', 'load_modules', 'local_groups', 'loggedon_users', 'login', 'lsa', 'mark_guest', 'mark_pwned', 'ntds', 'over_fail_limit', 'parse_credentials', 'pass_pol', 'plaintext_login',
'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'ps_execute', 'put_file', 'put_file_single', 'query_db_creds', 'resolver', 'rid_brute', 'sam', 'sccm', 'sessions', 'shares', 'spider',
'try_credentials', 'users', 'wmi']
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:147
DEBUG DB Path: /home/kali/.nxc/workspaces/default/smb.db netexec.py:150
DEBUG Creating ThreadPoolExecutor netexec.py:44
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:47
INFO Socket info: host=10.10.*.*, hostname=test.local, kerberos=True, ipv6=False, link-local ipv6=False connection.py:163
DEBUG Kicking off proto_flow connection.py:219
INFO Error creating SMBv1 connection to 10.10.*.*: Error occurs while reading from remote(104) smb.py:539
[00:30:15] DEBUG Created connection object connection.py:224
DEBUG NTLM not supported smb.py:218
DEBUG NTLM authentication not available! Authentication will fail without a valid hostname and domain name smb.py:232
DEBUG Error getting server information... smb.py:258
DEBUG Server OS: None.None build None smb.py:264
[00:30:16] DEBUG Update Hosts: [{'id': 8, 'ip': '10.10.*.*', 'hostname': '10.10.*.*', 'domain': 'test.local', 'os': '', 'dc': None, 'smbv1': False, 'signing': True, 'spooler': None, 'zerologon': None, database.py:280
'petitpotam': None}]
DEBUG add_host() - Host IDs Updated: [8] database.py:290
DEBUG Error logging off system: SMB SessionError: code: 0xc0000203 - STATUS_USER_SESSION_DELETED - The remote user session has been deleted. smb.py:295
INFO Resolved domain: test.local with dns, kdcHost: 10.10.*.* smb.py:303
[00:30:16] INFO SMB 10.10.*.* 445 10.10.*.* x64 (name:10.10.*.*) (domain:10.10.*.*) (signing:True) (SMBv1:False) smb.py:308
SMB 10.10.*.* 445 10.10.*.* x64 (name:10.10.*.*) (domain:10.10.*.*) (signing:True) (SMBv1:False)
DEBUG Trying to authenticate using Kerberos cache connection.py:537
DEBUG KDC set to: 10.10.*.* smb.py:314
[00:30:17] INFO Error creating SMBv1 connection to 10.10.*.*: Error occurs while reading from remote(104) smb.py:539
[00:30:18] INFO SMB 10.10.*.* 445 10.10.*.* test.local\beatricemill from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN smb.py:397
SMB 10.10.*.* 445 10.10.*.* test.local\beatricemill from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN
[00:30:18] INFO Successfully authenticated using Kerberos cache connection.py:542
DEBUG Calling command arguments connection.py:232
DEBUG Calling shares() connection.py:253
DEBUG domain: test.local smb.py:779
[00:30:19] INFO SMB 10.10.*.* 445 10.10.*.* Error enumerating shares: STATUS_USER_SESSION_DELETED smb.py:795
SMB 10.10.*.* 445 10.10.*.* Error enumerating shares: STATUS_USER_SESSION_DELETED
[00:30:19] DEBUG Closing connection to: test.local
EDIT by @NeffIsBack:
- FYI, this was the original issue that has been fixed with the PR
- Formatting
An issue with delegate also?
We didn't test it, but it likely would be, if you didn't have NTLM and used delegation. Just added it to be sure.
Ah hmm, maybe we should just change self.args.kerberos as well... For example, the LAPS login sets self.args.kerberos, which would now break. Or we change the line in laps to self.kerberos.
EDIT:
Looks like laps is the only place where we have to fix it; I will just change that.
Should be fixed now.
I don't think the issue is resolved yet.
This issue has been resolved.
Please make sure to use the 66da98c commit.
Have you tried on other protocols than smb with kerberos?
All working as intended: