
NTLMRelayx self.client.entries IndexError: list index out of range

Open spookey0188 opened this issue 2 years ago • 9 comments

Configuration

impacket version: v0.10.1.dev1+20220720.103933.3c6713e3
Python version: 3.9
Target OS: Kali

Debug Output With Command String

python3 ntlmrelayx.py -6 -t ldaps://[DC] -wh attack-wpad --no-dump --add-computer

[*] HTTPD(80): Authenticating against ldaps://[ip] as / SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
Exception in thread Thread-36:
Traceback (most recent call last):
  File "/usr/lib/python3.9/threading.py", line 973, in _bootstrap_inner
    self.run()
  File "/home/user/.local/lib/python3.9/site-packages/impacket/examples/ntlmrelayx/attacks/ldapattack.py", line 802, in run
    userSid, privs = self.validatePrivileges(self.username, domainDumper)
  File "/home/user/.local/lib/python3.9/site-packages/impacket/examples/ntlmrelayx/attacks/ldapattack.py", line 485, in validatePrivileges
    user = self.client.entries[0]
IndexError: list index out of range

Additional context

Error happened to me on ver 0.9.24 and dev 0.10.1.dev1.


spookey0188 avatar Sep 27 '22 04:09 spookey0188

Having the same issue on my end, assuming from the line

"Authenticating against ldaps://[ip] as / SUCCEED"

There should be a username instead of "/", but ntlmrelayx can't seem to gather it, or some security measure prevents it. Any ideas how to resolve the issue?

------- edit

Checking in Wireshark, it seems like the authentication comes as / null, probably due to the coercing method used.

mehmethafif avatar Jul 27 '23 09:07 mehmethafif
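
An added example (not part of the thread and not impacket's code) that reproduces the failure mode discussed above: it parses the status line's empty `/` identity and shows a lookup that indexes `entries[0]` on an empty result raising the same `IndexError`, next to a guarded variant. `StubLdapClient`, `parse_identity`, `lookup_user_unguarded` and `lookup_user` are hypothetical names, and the assumption that the lookup searches by the relayed username is inferred from the traceback's `validatePrivileges(self.username, domainDumper)` call.

```python
import re

# Status line format as it appears in the issue's debug output.
AUTH_LINE = re.compile(
    r"Authenticating against (?P<target>\S+) as "
    r"(?P<domain>[^/\s]*)/(?P<user>\S*) SUCCEED"
)

def parse_identity(line):
    """Return (target, domain, user) from a status line, or None for other lines."""
    m = AUTH_LINE.search(line)
    return (m["target"], m["domain"], m["user"]) if m else None

class StubLdapClient:
    """Hypothetical stand-in for an LDAP connection exposing search() and entries."""
    def __init__(self, directory):
        self.directory = directory  # constructed sample data: name -> entry
        self.entries = []

    def search(self, sam_account_name):
        # A search with no match leaves entries empty; it does not raise.
        hit = self.directory.get(sam_account_name)
        self.entries = [hit] if hit is not None else []

def lookup_user_unguarded(client, username):
    client.search(username)
    return client.entries[0]  # same indexing as the line in the traceback

def lookup_user(client, username):
    """Guarded variant: report the empty identity instead of crashing the thread."""
    if not username:
        raise ValueError("relayed session has an empty username (null identity)")
    client.search(username)
    if not client.entries:
        raise ValueError(f"no directory entry found for {username!r}")
    return client.entries[0]

if __name__ == "__main__":
    # Constructed sample: the line quoted in the issue, and a one-user directory.
    line = "[*] HTTPD(80): Authenticating against ldaps://[ip] as / SUCCEED"
    client = StubLdapClient({"alice": {"objectSid": "S-1-5-21-EXAMPLE-1104"}})
    target, domain, user = parse_identity(line)
    print(f"target={target} domain={domain!r} user={user!r}")
    try:
        lookup_user(client, user)
    except ValueError as exc:
        print("guarded lookup:", exc)
```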

Any update on this? I've got the same issue and can't resolve it. Very sad, as WebDAV relay is still quite strong.

breachr avatar Jan 03 '24 12:01 breachr

Any update for this?

nickvourd avatar Feb 17 '24 10:02 nickvourd

I am also interested in this error. Did anyone find a solution?

ricardojoserf avatar Mar 06 '24 10:03 ricardojoserf

I don't think this is an error of ntlmrelayx! I think it's an error of a security protection which exists in the environment, like EPA, SMB signing required, etc. Something else is blocking the authentication!

nickvourd avatar Mar 06 '24 11:03 nickvourd

> I don't think this is an error of ntlmrelayx! I think it's an error of a security protection which exists in the environment, like EPA, SMB signing required, etc. Something else is blocking the authentication!

That makes sense. Thank you!

ricardojoserf avatar Mar 06 '24 14:03 ricardojoserf

Yeap, think about it worked for me in an attack like LDAP signing not enforced + WebDAV service enabled + Coerce authentication (PetitPotam or PrinterBug) + Shadow Credentials or RBCD!

nickvourd avatar Mar 06 '24 18:03 nickvourd

I don't think this error is caused by SMB signing or any other kind of protections.

I am running ntlmrelayx in a lab environment where I can always initiate the same HTTP request to the listening server.

When I run the command ntlmrelayx.py -t ldap://192.168.56.10 I get the same error as OP.

But, when I run the command ntlmrelayx.py -t ldap://192.168.56.10 -i and initiate the same HTTP request from the victim to the server running ntlmrelayx, an interactive LDAP shell is successfully started. Then after I connect to the LDAP shell and run dump, ntlmrelayx successfully dumps the LDAP info.

choket avatar Mar 14 '24 20:03 choket

Interesting! Honestly I run coerce to relay from HTTP to LDAP/S only with RBCD or Shadow credentials attacks. Thanks for letting me know this...

nickvourd avatar Mar 14 '24 22:03 nickvourd