Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enum_trusts not working #144

Closed
ronen1n opened this issue Dec 13, 2023 · 4 comments · Fixed by #150
Closed

enum_trusts not working #144

ronen1n opened this issue Dec 13, 2023 · 4 comments · Fixed by #150
Labels
bug Something isn't working

Comments

@ronen1n
Copy link

ronen1n commented Dec 13, 2023

enum_trusts not working on several DCs

.\nxc.exe ldap us-dc -u us\studentuser55 -p 7fySHxncnPQS3vrW -M enum_trusts

SMB         192.168.1.2     445    US-DC            [*] Windows 10.0 Build 17763 x64 (name:US-DC) (domain:us.techcorp.local) (signing:True) (SMBv1:False)
LDAP        192.168.1.2     389    US-DC            [+] us\studentuser55:7fySHxncnPQS3vrW
[02:47:14] ERROR    Exception while calling proto_flow() on target 192.168.1.2: Error in searchRequest -> referral: 0000202B: RefErr: DSID-0310084A, data 0, 1     connection.py:123
                    access points
                        ref 1: 'us'
                                                                                                                                                                                    
                    ╭──────────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────────╮
                    │ in __init__:121                                                                                                                            │
                    │                                                                                                                                            │
                    │ in proto_flow:171                                                                                                                          │
                    │                                                                                                                                            │
                    │ in call_modules:225                                                                                                                        │
                    │                                                                                                                                            │
                    │ C:\Users\STUDEN~1\AppData\Local\Temp\_MEI38962\nxc\modules\trust.py:25 in on_login                                                         │
                    │                                                                                                                                            │
                    │   22 │   │   attributes = ["flatName", "trustPartner", "trustDirection", "trustAttributes"]                                                │
                    │   23 │   │                                                                                                                                 │
                    │   24 │   │   context.log.debug(f"Search Filter={search_filter}")                                                                           │
                    │ ❱ 25 │   │   resp = connection.ldapConnection.search(searchBase=domain_dn,                                                                 │
                    │      searchFilter=search_filter, attributes=attributes, sizeLimit=0)                                                                       │
                    │   26 │   │                                                                                                                                 │
                    │   27 │   │   trusts = []                                                                                                                   │
                    │   28 │   │   context.log.debug(f"Total of records returned {len(resp)}")                                                                   │
                    │                                                                                                                                            │
                    │ in search:402                                                                                                                              │
                    ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
                    LDAPSearchError: Error in searchRequest -> referral: 0000202B: RefErr: DSID-0310084A, data 0, 1 access points
                            ref 1: 'us'

NetExec info

  • OS: Windows server 2019
  • Version of nxc: 1.1.0
@NeffIsBack
Copy link
Contributor

Hi, thanks for the bug report. Is there any specific reason to use the us (I guess this is the NetBIOS domain name?) for logging in? Does this also happen with the fqdn?

@NeffIsBack NeffIsBack added the bug Something isn't working label Dec 17, 2023
@ronen1n
Copy link
Author

ronen1n commented Dec 17, 2023

Hi, thanks for the bug report. Is there any specific reason to use the us (I guess this is the NetBIOS domain name?) for logging in? Does this also happen with the fqdn?

My bad. It works without the US.
Thanks

NeffIsBack added a commit that referenced this issue Dec 18, 2023
@NeffIsBack
Remove domain DN from ldap query, fixes #144
14391af
@NeffIsBack NeffIsBack mentioned this issue Dec 18, 2023
Merged
@NeffIsBack
Copy link
Contributor

Still a good finding, with #150 it should work even with the NetBIOS domain name.

@NeffIsBack
Copy link
Contributor

NeffIsBack commented Dec 21, 2023
edited
Loading

Connect to their DC and query the trust :)

NeffIsBack added a commit that referenced this issue Dec 23, 2023
@NeffIsBack
Merge pull request #150 from Pennyw0rth/neff-enum_trusts
5e964bb 
Remove domain DN from ldap query, fixes #144
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove domain DN from ldap query, fixes #144 Pennyw0rth/NetExec
2 participants
@ronen1n @NeffIsBack