NetExec
Nonresponsive RDP
Describe the bug
Using RDP protocol doesn't work, it simply freezes and stays that way, no error messages or anything
To Reproduce
Command: netexec rdp 10.129.229.244 -u 'helen' -p RedRiot88 --debug
Resulted in:
[23:44:55] DEBUG NXC VERSION: 1.4.0 - SmoothOperator - 9668cbce - 7 cli.py:28
DEBUG PYTHON VERSION: 3.13.2 (main, Mar 13 2025, 14:29:07) [GCC 14.2.0] netexec.py:81
DEBUG RUNNING ON: Linux Release: 6.12.20-amd64 netexec.py:82
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, verbose=False, debug=True, no_progress=False, log=None, force_ipv6=False, netexec.py:83
dns_server=None, dns_tcp=False, dns_timeout=3, protocol='rdp', target=['10.129.229.244'], username=['helen'], password=['RedRiot88'], cred_id=[],
ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False, gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False,
use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None, pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, server='https',
server_host='0.0.0.0', server_port=None, connectback_host=None, module=None, module_options=[], list_modules=False, show_module_options=False, hash=[],
port=3389, rdp_timeout=5, nla_screenshot=False, domain=None, local_auth=False, screenshot=False, screentime=10, res='1024x768')
DEBUG Protocol: rdp netexec.py:137
DEBUG Protocol Path: /root/.local/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/rdp.py netexec.py:140
DEBUG Protocol DB Path: /root/.local/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/rdp/database.py netexec.py:142
DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.rdp'>, type: <class 'type'> netexec.py:145
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:147
DEBUG DB Path: /root/.nxc/workspaces/default/rdp.db netexec.py:150
DEBUG Using selector: EpollSelector selector_events.py:64
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.rdp'> netexec.py:48
INFO Socket info: host=10.129.229.244, hostname=10.129.229.244, kerberos=False, ipv6=False, link-local ipv6=False connection.py:165
DEBUG Kicking off proto_flow connection.py:227
DEBUG Checking NLA for 10.129.229.244 rdp.py:171
DEBUG Using selector: EpollSelector selector_events.py:64
^C^C[00:23:28] DEBUG Got keyboard interrupt netexec.py:228
Expected behavior
Should show the PWNED prefix, the account does have RDP privs
Screenshots
NetExec info
- OS: Kali
- Version of nxc: 1.4.0 - SmoothOperator - 9668cbce - 7
- Installed from:
pipx install git+https://github.com/Pennyw0rth/NetExec
Hey, thanks for the report. Do you have any more information about the server you're trying to connect to?
Sure, it's an HTB server, I can access it normally via xfreerdp and rdesktop
Host Name: SRV01
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA832
Original Install Date: 5/13/2024, 6:05:31 AM
System Boot Time: 4/24/2025, 12:43:36 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version: VMware, Inc. VMW71.00V.24224532.B64.2408191458, 8/19/2024
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume3
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-06:00) Central Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,964 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,728 MB
Virtual Memory: In Use: 1,071 MB
Page File Location(s): C:\pagefile.sys
Domain: inlanefreight.local
Logon Server: \\DC01
Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB5009472
[02]: KB4535680
[03]: KB4589208
[04]: KB5010427
[05]: KB5009642
Network Card(s): 2 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.229.244
[02]: fe80::1d67:f4df:b695:3ea8
[03]: dead:beef::1d67:f4df:b695:3ea8
[02]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet1
DHCP Enabled: No
IP address(es)
[01]: 172.20.0.51
[02]: fe80::1045:9ef3:da61:8e25
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
I have faced this exact same behavior as well.
It doesn't happen for all Windows servers, but for some servers it just hangs at exactly the same position for me:
Using selector: Epollselector
That is very weird, because it stops right before the asynchronous execution. My first guess would be that something in the RDP protocol/library is interfering with Python's async execution engine. This only happens with the RDP protocol, right?
@NeffIsBack now that you mentioned it, I respawned the lab and tried SMB instead of RDP and got this result:
2 STATUS_NO_LOGON_SERVERS errors, then a freeze just like RDP
Here's the same attempt with --debug
└─# netexec smb 10.129.170.206 -u helen -p RedRiot88 --debug
[21:10:56] DEBUG NXC VERSION: 1.4.0 - SmoothOperator - c1984139 - 48 cli.py:28
DEBUG PYTHON VERSION: 3.13.2 (main, Mar 13 2025, 14:29:07) [GCC 14.2.0] netexec.py:81
DEBUG RUNNING ON: Linux Release: 6.12.20-amd64 netexec.py:82
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, verbose=False, debug=True, no_progress=False, log=None, force_ipv6=False, netexec.py:83
dns_server=None, dns_tcp=False, dns_timeout=3, protocol='smb', target=['10.129.170.206'], username=['helen'], password=['RedRiot88'], cred_id=[],
ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False, gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False,
use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None, pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, server='https',
server_host='0.0.0.0', server_port=None, connectback_host=None, module=None, module_options=[], list_modules=False, show_module_options=False, hash=[],
delegate=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$', smb_server_port=445, no_smbv1=False, gen_relay_list=None,
smb_timeout=2, laps=None, generate_hosts_file=None, generate_krb5_file=None, generate_tgt=None, sam=None, lsa=None, ntds=None, dpapi=None, sccm=None,
mkfile=None, pvk=None, enabled=False, userntds=None, shares=False, dir=None, interfaces=False, no_write_check=False, filter_shares=None, smb_sessions=False,
disks=False, loggedon_users_filter=None, loggedon_users=None, users=None, users_export=None, groups=None, computers=None, local_groups=None, pass_pol=False,
rid_brute=None, qwinsta=False, tasklist=False, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='',
depth=None, only_files=False, pattern=None, regex=None, put_file=None, get_file=None, append_host=False, exec_method='wmiexec', dcom_timeout=5,
get_output_tries=100, codec='utf-8', no_output=False, execute=None, ps_execute=None, obfs=False, amsi_bypass=None, clear_obfscripts=False, force_ps32=False,
no_encode=False)
DEBUG Protocol: smb netexec.py:137
DEBUG Protocol Path: /root/.local/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/smb.py netexec.py:140
DEBUG Protocol DB Path: /root/.local/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/smb/database.py netexec.py:142
DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.smb'>, type: <class 'type'> netexec.py:145
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:147
DEBUG DB Path: /root/.nxc/workspaces/default/smb.db netexec.py:150
DEBUG Using selector: EpollSelector selector_events.py:64
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:48
INFO Socket info: host=10.129.170.206, hostname=10.129.170.206, kerberos=False, ipv6=False, link-local ipv6=False connection.py:165
DEBUG Kicking off proto_flow connection.py:227
INFO Creating SMBv3 connection to 10.129.170.206 smb.py:611
[21:10:57] DEBUG Created connection object connection.py:232
DEBUG Server OS: Windows 10 / Server 2019 Build 17763 10.0 build 17763 smb.py:280
DEBUG Error logging off system: Error occurs while reading from remote(104) smb.py:299
INFO Creating SMBv1 connection to 10.129.170.206 smb.py:580
[21:10:58] INFO SMBv1 disabled on 10.129.170.206 smb.py:603
DEBUG Update Hosts: [{'ip': '10.129.170.206', 'hostname': 'SRV01', 'domain': 'inlanefreight.local', 'os': 'Windows 10 / Server 2019 Build 17763', 'dc': None, database.py:255
'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]
DEBUG Error adding host 10.129.170.206 into db: (sqlite3.OperationalError) ON CONFLICT clause does not match any PRIMARY KEY or UNIQUE constraint smb.py:315
[SQL: INSERT INTO hosts (ip, hostname, domain, os, dc, smbv1, signing, spooler, zerologon, petitpotam) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ON CONFLICT (ip)
DO UPDATE SET ip = excluded.ip, hostname = excluded.hostname, domain = excluded.domain, os = excluded.os, dc = excluded.dc, smbv1 = excluded.smbv1, signing =
excluded.signing, spooler = excluded.spooler, zerologon = excluded.zerologon, petitpotam = excluded.petitpotam]
[parameters: ('10.129.170.206', 'SRV01', 'inlanefreight.local', 'Windows 10 / Server 2019 Build 17763', None, 0, 0, None, None, None)]
(Background on this error at: https://sqlalche.me/e/20/e3q8)
[21:10:59] INFO Error resolving hostname inlanefreight.local: [Errno -2] Name or service not known connection.py:192
INFO Resolved domain: inlanefreight.local with dns, kdcHost: None smb.py:324
[21:10:59] INFO SMB 10.129.170.206 445 SRV01 Windows 10 / Server 2019 Build 17763 x64 (name:SRV01) (domain:inlanefreight.local) (signing:False) smb.py:330
(SMBv1:False)
DEBUG Trying to authenticate using plaintext with domain connection.py:497
INFO Creating SMBv3 connection to 10.129.170.206 smb.py:611
[21:11:00] DEBUG Logged in with password to SMB with inlanefreight.local/helen smb.py:470
DEBUG self.is_guest=False smb.py:472
DEBUG Checking if user is admin on 10.129.170.206 smb.py:651
DEBUG Adding credential: inlanefreight.local/helen:RedRiot88 smb.py:476
I also noticed that one Ctrl+C isn't enough to gracefully stop execution:
The HTB VMs are triggering the freeze somehow, I tried against a local VM and it works fine (not a WS 2019 though)
If you want to give it a test yourself, you can reproduce this in the HTB CAPE certification path, this module: https://academy.hackthebox.com/module/263/section/3086
But that's independent from the RDP freeze, right?
The freeze in SMB might be due to a recent change in the smb database which is a bit buggy with sqlalchemy. Try to remove the smb.db in the nxc folder and that should be fixed.
> That is very weird, because it stops right before the asynchronous execution. My first guess would be that something in the RDP protocol/library is interfering with Python's async execution engine. This only happens with the RDP protocol, right?
Yes, in my experience, only with RDP protocol.
Here, I have an example for you: the pane on top is Server 2019, a domain-joined machine (hung on Using selector). The one on the bottom is a local VM running Windows 10.
I can RDP into this domain joined machine with xfreerdp3, no problem.
Hmm okay, but this is probably also not a public VM I can access somewhere, right? I don't have access to the CAPE lab on HTB.
Unfortunately yes, the one that hung for me in the top pane is the Altered Security CRTE lab.
> But that's independent from the RDP freeze, right?
> The freeze in SMB might be due to a recent change in the smb database which is a bit buggy with sqlalchemy. Try to remove the smb.db in the nxc folder and that should be fixed.
You're right, deleting smb.db solved the smb freeze, but the RDP issue remains.
If you need any kind of information from the target server, i.e. banners, registry values, etc., let me know, happy to help!
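The SMB-side failure in the debug log above (`ON CONFLICT clause does not match any PRIMARY KEY or UNIQUE constraint`) can be reproduced with plain `sqlite3`. This is an added example, not part of the thread and not NetExec's code; it assumes the stale `smb.db` had a `hosts` table without a unique key on `ip`, and both schemas and the trimmed column list are constructed for illustration.

```python
import sqlite3

# Upsert shaped like the statement in the debug log (column list trimmed).
UPSERT = (
    "INSERT INTO hosts (ip, hostname, domain, os) VALUES (?, ?, ?, ?) "
    "ON CONFLICT (ip) DO UPDATE SET hostname = excluded.hostname, "
    "domain = excluded.domain, os = excluded.os"
)
# Constructed schemas (assumption): the real smb.db layouts are not in the thread.
STALE_SCHEMA = "CREATE TABLE hosts (id INTEGER PRIMARY KEY, ip TEXT, hostname TEXT, domain TEXT, os TEXT)"
FRESH_SCHEMA = "CREATE TABLE hosts (id INTEGER PRIMARY KEY, ip TEXT UNIQUE, hostname TEXT, domain TEXT, os TEXT)"
ROW = ("10.129.170.206", "SRV01", "inlanefreight.local", "Windows 10 / Server 2019 Build 17763")


def has_unique_key(conn, table, column):
    """True if `column` alone is the primary key or has its own UNIQUE index."""
    pk = [r[1] for r in conn.execute(f"PRAGMA table_info({table})") if r[5]]
    if pk == [column]:
        return True
    for _seq, name, unique, *_rest in conn.execute(f"PRAGMA index_list({table})").fetchall():
        cols = [r[2] for r in conn.execute(f"PRAGMA index_info({name})")]
        if unique and cols == [column]:
            return True
    return False


def try_upsert(schema):
    """Return (schema_supports_upsert, rows_after_two_upserts, error_text)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(schema)
        supported = has_unique_key(conn, "hosts", "ip")
        try:
            conn.execute(UPSERT, ROW)
            # Second upsert for the same ip must update the row, not duplicate it.
            conn.execute(UPSERT, (ROW[0], "SRV01-RENAMED") + ROW[2:])
        except sqlite3.OperationalError as exc:
            return supported, [], str(exc)
        return supported, conn.execute("SELECT ip, hostname FROM hosts").fetchall(), None
    finally:
        conn.close()


if __name__ == "__main__":
    for label, schema in (("stale", STALE_SCHEMA), ("fresh", FRESH_SCHEMA)):
        print(label, try_upsert(schema))
```

`has_unique_key` can be pointed at an existing database file to check whether its `hosts` table can accept the upsert before deciding to delete and recreate it.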
@NeffIsBack I'm having the same RDP error. It occurs at the same step when running nxc from Windows and Linux in my environment. Windows hangs after "Checking NLA" with Using proactor: IocpProactor. Linux hangs after "Checking NLA" with Using selector: EpollSelector.
Which version are you on? Have you tried removing the database file?
v1.4.0, removing and restarting with a new database resulted in the same error. This is a similar situation to w3soul's error where the target machine is part of a private lab.
I meant the exact version. Try it with the latest commits from GitHub. There was an issue with the database near the release. When you have upgraded the version, try removing the smb.db file once so you have a fresh database.
Ok, I don't have access to the specific lab right now but I will in a few weeks so I'll check then. I haven't experienced the error on other labs so it seems situational.
Just tried using the latest commit:
Version : 1.4.0
Codename: SmoothOperator
Commit : a8183f88
I can confirm that the issue still exists