Error on SMB using wrong password #117

Closed
fredtep opened this issue Nov 13, 2023 · 16 comments · Fixed by #119
Labels
bug Something isn't working

Comments

@fredtep

fredtep commented Nov 13, 2023

Describe the bug
I'm getting an error while trying to bruteforce passwords using a user list and the same list as passwords.
I'm working on the manager box from HTB but I've got the same issue on my home lab

To Reproduce
Steps to reproduce the behavior i.e.:
Command: netexec smb manager.htb -u users.txt -p users.txt
Resulted in:

┌──(fr3sh㉿DeathStar)-[~/Documents/Challenges/hackTheBox/Manager]
└─$ netexec smb manager.htb -u users.txt -p users.txt 
SMB         10.10.11.236    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
[15:20:39] ERROR    Exception while calling proto_flow() on target 10.10.11.236: too many values to unpack (expected 2)                                                      connection.py:123
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smbconnection.py:278 in login                                            │                  
                    │                                                                                                                                                      │                  
                    │   275 │   │   │   if self.getDialect() == smb.SMB_DIALECT:                                                                                           │                  
                    │   276 │   │   │   │   return self._SMBConnection.login(user, password, domain, lmhash, nthash,                                                       │                  
                    │       ntlmFallback)                                                                                                                                  │                  
                    │   277 │   │   │   else:                                                                                                                              │                  
                    │ ❱ 278 │   │   │   │   return self._SMBConnection.login(user, password, domain, lmhash, nthash)                                                       │                  
                    │   279 │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                     │                  
                    │   280 │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                       │                  
                    │   281                                                                                                                                                │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smb3.py:1040 in login                                                    │                  
                    │                                                                                                                                                      │                  
                    │   1037 │   │   │   │   │   │   self._Session['SigningKey'] = crypto.KDF_CounterMode                                                                  │                  
                    │        (exportedSessionKey, b"SMB2AESCMAC\x00",                                                                                                      │                  
                    │   1038 │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │                                                                     │                  
                    │        b"SmbSign\x00", 128)                                                                                                                          │                  
                    │   1039 │   │   │   try:                                                                                                                              │                  
                    │ ❱ 1040 │   │   │   │   if packet.isValidAnswer(STATUS_SUCCESS):                                                                                      │                  
                    │   1041 │   │   │   │   │   sessionSetupResponse = SMB2SessionSetup_Response(packet['Data'])                                                          │                  
                    │   1042 │   │   │   │   │   self._Session['SessionFlags'] = sessionSetupResponse['SessionFlags']                                                      │                  
                    │   1043 │   │   │   │   │   self._Session['SessionID']    = packet['SessionID']                                                                       │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smb3structs.py:458 in isValidAnswer                                      │                  
                    │                                                                                                                                                      │                  
                    │    455 │   def isValidAnswer(self, status):                                                                                                          │                  
                    │    456 │   │   if self['Status'] != status:                                                                                                          │                  
                    │    457 │   │   │   from . import smb3                                                                                                                │                  
                    │ ❱  458 │   │   │   raise smb3.SessionError(self['Status'], self)                                                                                     │                  
                    │    459 │   │   return True                                                                                                                           │                  
                    │    460 │                                                                                                                                             │                  
                    │    461 │   def __init__(self, data = None):                                                                                                          │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication                               
                    information.)                                                                                                                                                             
                                                                                                                                                                                              
                    During handling of the above exception, another exception occurred:                                                                                                       
                                                                                                                                                                                              
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py:465 in plaintext_login                                       │                  
                    │                                                                                                                                                      │                  
                    │    462 │   │   │   self.domain = domain                                                                                                              │                  
                    │    463 │   │   │                                                                                                                                     │                  
                    │    464 │   │   │   try:                                                                                                                              │                  
                    │ ❱  465 │   │   │   │   self.conn.login(self.username, self.password, domain)                                                                         │                  
                    │    466 │   │   │   except UnicodeEncodeError:                                                                                                        │                  
                    │    467 │   │   │   │   self.logger.error(f"UnicodeEncodeError on:                                                                                    │                  
                    │        '{self.username}:{self.password}'. Trying again with a different encoding...")                                                                │                  
                    │    468 │   │   │   │   self.create_conn_obj()                                                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smbconnection.py:280 in login                                            │                  
                    │                                                                                                                                                      │                  
                    │   277 │   │   │   else:                                                                                                                              │                  
                    │   278 │   │   │   │   return self._SMBConnection.login(user, password, domain, lmhash, nthash)                                                       │                  
                    │   279 │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                     │                  
                    │ ❱ 280 │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                       │                  
                    │   281 │                                                                                                                                              │                  
                    │   282 │   def kerberosLogin(self, user, password, domain='', lmhash='', nthash='', aesKey='',                                                        │                  
                    │       kdcHost=None, TGT=None,                                                                                                                        │                  
                    │   283 │   │   │   │   │     TGS=None, useCache=True):                                                                                                │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or                         
                    authentication information.                                                                                                                                               
                                                                                                                                                                                              
                    During handling of the above exception, another exception occurred:                                                                                                       
                                                                                                                                                                                              
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:121 in __init__                                                 │                  
                    │                                                                                                                                                      │                  
                    │   118 │   │   │   sleep(value)                                                                                                                       │                  
                    │   119 │   │                                                                                                                                          │                  
                    │   120 │   │   try:                                                                                                                                   │                  
                    │ ❱ 121 │   │   │   self.proto_flow()                                                                                                                  │                  
                    │   122 │   │   except Exception as e:                                                                                                                 │                  
                    │   123 │   │   │   self.logger.exception(f"Exception while calling proto_flow() on target                                                             │                  
                    │       {self.host}: {e}")                                                                                                                             │                  
                    │   124                                                                                                                                                │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:168 in proto_flow                                               │                  
                    │                                                                                                                                                      │                  
                    │   165 │   │   if self.create_conn_obj():                                                                                                             │                  
                    │   166 │   │   │   self.logger.debug("Created connection object")                                                                                     │                  
                    │   167 │   │   │   self.enum_host_info()                                                                                                              │                  
                    │ ❱ 168 │   │   │   if self.print_host_info() and (self.login() or (self.username == "" and                                                            │                  
                    │       self.password == "")):                                                                                                                         │                  
                    │   169 │   │   │   │   if hasattr(self.args, "module") and self.args.module:                                                                          │                  
                    │   170 │   │   │   │   │   self.logger.debug("Calling modules")                                                                                       │                  
                    │   171 │   │   │   │   │   self.call_modules()                                                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:465 in login                                                    │                  
                    │                                                                                                                                                      │                  
                    │   462 │   │   if not self.args.no_bruteforce:                                                                                                        │                  
                    │   463 │   │   │   for secr_index, secr in enumerate(secret):                                                                                         │                  
                    │   464 │   │   │   │   for user_index, user in enumerate(username):                                                                                   │                  
                    │ ❱ 465 │   │   │   │   │   if self.try_credentials(domain[user_index], user, owned[user_index],                                                       │                  
                    │       secr, cred_type[secr_index], data[secr_index]):                                                                                                │                  
                    │   466 │   │   │   │   │   │   owned[user_index] = True                                                                                               │                  
                    │   467 │   │   │   │   │   │   if not self.args.continue_on_success:                                                                                  │                  
                    │   468 │   │   │   │   │   │   │   return True                                                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:407 in try_credentials                                          │                  
                    │                                                                                                                                                      │                  
                    │   404 │   │   │   │   │   return self.kerberos_login(domain, username, secret, "", "",                                                               │                  
                    │       self.kdcHost, False)                                                                                                                           │                  
                    │   405 │   │   │   │   elif hasattr(self.args, "domain"):  # Some protocols don't use domain                                                          │                  
                    │       for login                                                                                                                                      │                  
                    │   406 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext with                                                             │                  
                    │       domain")                                                                                                                                       │                  
                    │ ❱ 407 │   │   │   │   │   return self.plaintext_login(domain, username, secret)                                                                      │                  
                    │   408 │   │   │   │   elif self.args.protocol == "ssh":                                                                                              │                  
                    │   409 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext over SSH")                                                       │                  
                    │   410 │   │   │   │   │   return self.plaintext_login(username, secret, data)                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py:503 in plaintext_login                                       │                  
                    │                                                                                                                                                      │                  
                    │    500 │   │   │   │   self.create_conn_obj()                                                                                                        │                  
                    │    501 │   │   │   return True                                                                                                                       │                  
                    │    502 │   │   except SessionError as e:                                                                                                             │                  
                    │ ❱  503 │   │   │   error, desc = e.getErrorString()                                                                                                  │                  
                    │    504 │   │   │   self.logger.fail(                                                                                                                 │                  
                    │    505 │   │   │   │   f'{domain}\\{self.username}:{process_secret(self.password)} {error}                                                           │                  
                    │        {f"({desc})" if self.args.verbose else ""}',                                                                                                  │                  
                    │    506 │   │   │   │   color="magenta" if error in smb_error_status else "red",                                                                      │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    ValueError: too many values to unpack (expected 2)   
...

Expected behavior
Nice and clean output like with ldap which is working just fine

NetExec info
DEBUG PYTHON VERSION: 3.11.6 (main, Oct 8 2023, 05:06:43) [GCC 13.2.0]
DEBUG RUNNING ON: Linux Release: 6.5.0-kali3-amd64

  • Installed from: pipx
@Marshall-Hallenbeck
Collaborator

@fredtep which branch did you pull from? We're about to merge develop into main and remove the old develop branch since it's confusing for people. Can you try the 1.1.0 tag? This functionality works for me: https://github.com/Pennyw0rth/NetExec/tree/v1.1.0

@Marshall-Hallenbeck
Collaborator

main branch should be the same as v1.1.0 tag, so feel free to try either of those please! I tested this across several hosts in my lab and didn't have any errors.

@fredtep
Author

fredtep commented Nov 13, 2023

I used pipx to install netexec :
pipx install git+https://github.com/Pennyw0rth/NetExec

Just now, I tried to install it using the following

git clone https://github.com/Pennyw0rth/NetExec.git
cd NetExec   
virtualenv venv
source ./venv/bin/activate
pip install .

But I get the same error

@Marshall-Hallenbeck
Collaborator

Hmm yeah I see this if installing with pipx/pip, but not if ran through Poetry.

@fredtep in the meantime can you use Poetry?

@Marshall-Hallenbeck Marshall-Hallenbeck added the bug Something isn't working label Nov 13, 2023
@int3x

int3x commented Nov 13, 2023

Seeing the same error.
The violating line is:

error, desc = e.getErrorString()

If you don't mind a temporary kludge, this worked for me:

-            error, desc = e.getErrorString()
+            error, desc = e.getErrorString(), ''
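Review bot: on the `+` line, `e.getErrorString(), ''` binds the whole return value to `error` and always leaves `desc` empty, so it avoids the unpack failure without restoring the two fields. With the return value shown in the traceback (`SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - ...`), `error` holds the full message, which is then compared against `smb_error_status` at smb.py:506 and written into every failure line; if `getErrorString()` returns a two-item value again, `error` becomes that tuple. Consider checking the return type and splitting out the status name and description explicitly.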

@XiaoliChan
Contributor

Can't reproduce

@Marshall-Hallenbeck
Collaborator

@fredtep Can you test if #119 fixes this? If so we can merge and push a hotfix (v1.1.1)

@fredtep
Author

fredtep commented Nov 13, 2023

@Marshall-Hallenbeck The fix works like a charm.
Amazing response time. I'm impressed.
BTW Great we have this fork. Huge thanks.

@int3x

int3x commented Nov 13, 2023

I'm not familiar with the codebase, but wouldn't this make brute-forcing very verbose?
Instead of

SMB         192.168.56.11   445    DC01             [-] coral.local\hledger:coral STATUS_LOGON_FAILURE 
SMB         192.168.56.11   445    DC01             [-] coral.local\cbale:coral STATUS_LOGON_FAILURE 

the current patch would show

SMB         192.168.56.11   445    DC01             [-] coral.local\hledger:coral SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.
SMB         192.168.56.11   445    DC01             [-] coral.local\cbale:coral SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.

And now the code would produce errors in verbose mode?

@NeffIsBack
Contributor

NeffIsBack commented Nov 13, 2023

Yep that does not look right, we need to test it and see why this behaves like that and why this error only occurs now and not before.

@Marshall-Hallenbeck
Collaborator

Yeah this is a change from Impacket that broke it. Downgrading Impacket or using Poetry to use our pinned version should fix this.

I posted on their GitHub to see if this was intended or if they are going to revert, since it was handling nterrors for us.
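Added example (not part of the thread, and not NetExec or Impacket code): one way to consume an error value whose shape changed between dependency releases, so a failed logon is still logged as a short status name instead of raising inside the exception handler. The names `split_error` and `failure_line` are hypothetical, the older two-item `(name, description)` shape is an assumption inferred from the unpacking line in the traceback, and the sample strings are constructed from the messages quoted in this issue.

```python
import re

# Samples constructed from the two message shapes quoted in this issue.
CODE_FORM_SAMPLE = (
    "SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - "
    "The attempted logon is invalid. This is either due to a bad username "
    "or authentication information."
)
PAREN_FORM_SAMPLE = (
    "SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. "
    "This is either due to a bad username or authentication information.)"
)

# "code: 0x... - NAME - description"
_CODE_FORM = re.compile(
    r"code:\s*0x[0-9a-fA-F]+\s*-\s*(?P<name>[A-Z][A-Z0-9_]*)\s*-\s*(?P<desc>.*)",
    re.S,
)
# "NAME(description)"
_PAREN_FORM = re.compile(r"(?P<name>STATUS_[A-Z0-9_]+)\((?P<desc>.*)\)\s*$", re.S)


def split_error(value):
    """Return (status_name, description) for any of the known shapes.

    Accepts a tuple/list (assumed older shape) or a formatted string
    (the shape seen in the traceback). Never raises on an unknown shape:
    this runs inside an exception handler, so it must degrade gracefully.
    """
    if isinstance(value, (tuple, list)):
        parts = [str(p) for p in value][:2]
        parts += [""] * (2 - len(parts))
        return parts[0], parts[1]

    text = str(value)
    for pattern in (_CODE_FORM, _PAREN_FORM):
        match = pattern.search(text)
        if match:
            return match["name"], match["desc"].strip()

    # Unknown format: keep the whole text as the error, no description.
    return text, ""


def failure_line(domain, username, value, verbose=False):
    """Build a short failure line; the description is added only when verbose."""
    error, desc = split_error(value)
    suffix = f" ({desc})" if verbose and desc else ""
    return f"{domain}\\{username} {error}{suffix}"


if __name__ == "__main__":
    for sample in (
        ("STATUS_LOGON_FAILURE", "The attempted logon is invalid."),
        CODE_FORM_SAMPLE,
        PAREN_FORM_SAMPLE,
    ):
        print(failure_line("coral.local", "hledger", sample))
```

Pinning the dependency, as the maintainers did here, remains the primary fix; a normalizer like this only keeps the log path from failing when an unpinned install pulls a newer release.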

@mpgn
Collaborator

mpgn commented Nov 13, 2023

this one ? Pennyw0rth/impacket@33058eb

@Marshall-Hallenbeck
Collaborator

Marshall-Hallenbeck commented Nov 13, 2023

> this one ? Pennyw0rth/impacket@33058eb

Ah darn, ours is synced up to their main... I didn't pull that down, so we should revert ours to fix this for now.

@mpgn
Collaborator

mpgn commented Nov 13, 2023

done @Marshall-Hallenbeck

Pennyw0rth/impacket@32bed32

@Marshall-Hallenbeck
Collaborator

@fredtep Can you try reinstalling NetExec from main? It should properly pull down our version of Impacket that doesn't introduce this bug.

Marshall-Hallenbeck added a commit that referenced this issue Nov 13, 2023
@fredtep
Author

fredtep commented Nov 13, 2023

I've uninstalled and reinstalled netexec using pipx and it's working just fine.
niTROCket51's point was true when I fixed it manually, but with the reinstall it's not so verbose :

[Screenshot: 2023-11-13_21-25]

@mpgn mpgn closed this as completed Nov 13, 2023