Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

netexec NETBIOS time out when checking for SMB shares or spidering #369

Closed
ArchyInUse opened this issue Jul 12, 2024 · 4 comments
Closed

netexec NETBIOS time out when checking for SMB shares or spidering #369

ArchyInUse opened this issue Jul 12, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@ArchyInUse
Copy link

Describe the bug
Whenever I try to list shares using --shares or -M spider_plus, netexec gives me a NETBIOS timeout error and does not show the shares, it recognizes the account is valid (and administrator in this instance) but crashes when trying to list shares, smbclient works for me, i can do everything I expect from --shares and -M spider_plus.
tested on both kali apt repo version and the newest release from the releases pages

To Reproduce
command: netexec smb <ip> -u <username> -p <password> (or -H <hash>, doesnt work for either) --shares (or -M spider_plus)

Expected behavior
A list of shares and permissions for those shares, or the spider module downloading the files in the shares.

Screenshots
image

NetExec info

  • OS: kali, if i recall correctly latest version or the version before the latest.
  • Version of nxc: 1.2.0 - ItsAlwaysDNS - kali (tested also on latest release of the nxc binary, 0.0.0 - ItsAlwaysDNS - 6858958)
  • Installed from: default install from kali, updated before testing, for the binary its just the latest.

Additional context
I will also need to test this on a fresh kali install (although I havent made many changes to mine) which I am in the process of testing now.
@Marshall-Hallenbeck
Copy link
Collaborator

@ArchyInUse Hey thanks for the bug report. Would you mind re-running with the --debug option, and posting the entire output?

From what I see right now, you should use --smb-timeout, not --timeout. It can be confusing, but the former is for the SMB connection, the latter is for the entire thread.

@Marshall-Hallenbeck Marshall-Hallenbeck added the bug Something isn't working label Jul 12, 2024
@ArchyInUse
Copy link
Author

Hey, first off I'd like to say thank you, the smb-timeout option does work!
as for the log I'm providing it as can be seen below, I've blanked out the IP and the domain as it's a part of a course I'm doing. If you need any more information please let me know :)

[16:11:38] DEBUG    NXC VERSION: 1.2.0 - ItsAlwaysDNS - kali                                                                                                                        cli.py:27
           DEBUG    PYTHON VERSION: 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0]                                                                                           netexec.py:80
           DEBUG    RUNNING ON: Linux Release: 6.8.11-amd64                                                                                                                     netexec.py:81
           DEBUG    Passed args: Namespace(threads=256, timeout=None, jitter=None, verbose=False, debug=True, no_progress=False, log=None, force_ipv6=False, dns_server=None,   netexec.py:82
                    dns_tcp=False, dns_timeout=3, version=False, protocol='smb', target=['<IP>'], username=['generic.domain\\administrator'], password=[], cred_id=[],                 
                    ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False, gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False,                           
                    use_kcache=False, aesKey=None, kdcHost=None, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None, module=None,                                
                    module_options=[], list_modules=False, show_module_options=False, hash=['<HASH>'], delegate=None, no_s4u2proxy=False,                          
                    domain=None, local_auth=False, port=445, share='C$', smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None,                
                    dpapi=None, sccm=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=True, no_write_check=False, filter_shares=None, sessions=False,                       
                    disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None, pass_pol=False, rid_brute=None,               
                    wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='', depth=None, only_files=False, pattern=None,                       
                    regex=None, put_file=None, get_file=None, append_host=False, exec_method='wmiexec', dcom_timeout=5, get_output_tries=100, codec='utf-8', no_output=False,                
                    execute=None, ps_execute=None, obfs=False, amsi_bypass=None, clear_obfscripts=False, force_ps32=False, no_encode=False)                                                  
           DEBUG    Protocol: smb                                                                                                                                              netexec.py:136
           DEBUG    Protocol Path: /usr/lib/python3/dist-packages/nxc/protocols/smb.py                                                                                         netexec.py:139
           DEBUG    Protocol DB Path: /usr/lib/python3/dist-packages/nxc/protocols/smb/database.py                                                                             netexec.py:141
           DEBUG    Protocol Object: <class 'protocol.smb'>, type: <class 'type'>                                                                                              netexec.py:144
           DEBUG    Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__',  netexec.py:145
                    '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__',                 
                    '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'call_cmd_args', 'call_modules', 'check_if_admin', 'computers',                               
                    'create_conn_obj', 'create_smbv1_conn', 'create_smbv3_conn', 'disks', 'domainfromdnshostname', 'domainfromdsn', 'dpapi', 'enable_remoteops',                             
                    'enum_host_info', 'execute', 'gen_relay_list', 'get_dc_ips', 'get_file', 'get_file_single', 'get_os_arch', 'groups', 'hash_login', 'inc_failed_login',                   
                    'kerberos_login', 'load_modules', 'local_groups', 'loggedon_users', 'login', 'lsa', 'mark_pwned', 'ntds', 'over_fail_limit', 'parse_credentials',                        
                    'pass_pol', 'plaintext_login', 'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'ps_execute', 'put_file', 'put_file_single',                               
                    'query_db_creds', 'resolver', 'rid_brute', 'sam', 'sccm', 'sessions', 'shares', 'spider', 'try_credentials', 'users', 'wmi']                                             
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                                                            netexec.py:147
           DEBUG    DB Path: /root/.nxc/workspaces/default/smb.db                                                                                                              netexec.py:150
           DEBUG    Creating ThreadPoolExecutor                                                                                                                                 netexec.py:44
           DEBUG    Creating thread for <class 'protocol.smb'>                                                                                                                  netexec.py:47
           INFO     Socket info: host=<IP>, hostname=<IP>, kerberos=False, ipv6=False, link-local ipv6=False                                          connection.py:160
           DEBUG    Kicking off proto_flow                                                                                                                                  connection.py:216
[16:11:39] INFO     Error creating SMBv1 connection to <IP>: Error occurs while reading from remote(104)                                                                smb.py:502
           DEBUG    Created connection object                                                                                                                               connection.py:221
[16:11:40] DEBUG    Update Hosts: [{'id': 31, 'ip': '<IP>', 'hostname': 'MS01', 'domain': 'generic.domain', 'os': 'Windows 10 / Server 2019 Build 19041', 'dc': None,   database.py:280
                    'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]                                                                               
           DEBUG    add_host() - Host IDs Updated: [31]                                                                                                                       database.py:290
           DEBUG    Error logging off system: Error occurs while reading from remote(104)                                                                                          smb.py:259
           INFO     Resolved domain: generic.domain with dns, kdcHost: <DCIP>                                                                                                  smb.py:267
[16:11:40] INFO     SMB                      <IP> 445    MS01             Windows 10 / Server 2019 Build 19041 x64 (name:MS01) (domain:generic.domain) (signing:False)       smb.py:272
                    (SMBv1:False)                                                                                                                                                            
                    SMB                      <IP> 445    MS01             Windows 10 / Server 2019 Build 19041 x64 (name:MS01) (domain:generic.domain) (signing:False)                 
                    (SMBv1:False)                                                                                                                                                            
[16:11:41] INFO     Error creating SMBv1 connection to <IP>: Error occurs while reading from remote(104)                                                                smb.py:502
[16:11:43] DEBUG    Adding credentials: [{'id': 27, 'domain': 'generic.domain', 'username': 'administrator', 'password': '<HASH>', 'credtype': 'hash',   database.py:347
                    'pillaged_from_hostid': None}]                                                                                                                                           
           DEBUG    smb hosts() - results: [(31, '<IP>', 'MS01', 'generic.domain', 'Windows 10 / Server 2019 Build 19041', None, False, False, None, None, None)]       database.py:495
[16:11:43] INFO     SMB                      <IP> 445    MS01             generic.domain\administrator:<HASH> (Pwn3d!)                             smb.py:455
                    SMB                      <IP> 445    MS01             generic.domain\administrator:<HASH> (Pwn3d!)                                       
           DEBUG    smb hosts() - results: [(31, '<IP>', 'MS01', 'generic.domain', 'Windows 10 / Server 2019 Build 19041', None, False, False, None, None, None)]       database.py:495
           DEBUG    Calling command arguments                                                                                                                               connection.py:229
           DEBUG    Calling shares()                                                                                                                                        connection.py:250
           DEBUG    domain: generic.domain                                                                                                                                              smb.py:736
[16:11:45] INFO     Shares returned: [<impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f9cdd89f150>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f9cdd89fa10>,            smb.py:744
                    <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f9cdd89ee90>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f9cdd89c110>]                                        
[16:11:51] ERROR    Exception while calling proto_flow() on target <IP>: The NETBIOS connection with the remote host timed out.                                  connection.py:168
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────────────╮                  
                    │ /usr/lib/python3/dist-packages/impacket/nmb.py:984 in non_polling_read                                                                              │                  
                    │                                                                                                                                                     │                  
                    │    981 │   │   while bytes_left > 0:                                                                                                                │                  
                    │    982 │   │   │   self._sock.settimeout(timeout)                                                                                                   │                  
                    │    983 │   │   │   try:                                                                                                                             │                  
                    │ ❱  984 │   │   │   │   received = self._sock.recv(bytes_left)                                                                                       │                  
                    │    985 │   │   │   except socket.timeout:                                                                                                           │                  
                    │    986 │   │   │   │   raise NetBIOSTimeout                                                                                                         │                  
                    │    987 │   │   │   except Exception as ex:                                                                                                          │                  
                    ╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    TimeoutError: timed out                                                                                                                                                  
                                                                                                                                                                                             
                    During handling of the above exception, another exception occurred:                                                                                                      
                                                                                                                                                                                             
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────────────╮                  
                    │ /usr/lib/python3/dist-packages/nxc/connection.py:163 in __init__                                                                                    │                  
                    │                                                                                                                                                     │                  
                    │   160 │   │   self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname},                                                           │                  
                    │       kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local                                                                                     │                  
                    │       ipv6={self.is_link_local_ipv6}")                                                                                                              │                  
                    │   161 │   │                                                                                                                                         │                  
                    │   162 │   │   try:                                                                                                                                  │                  
                    │ ❱ 163 │   │   │   self.proto_flow()                                                                                                                 │                  
                    │   164 │   │   except Exception as e:                                                                                                                │                  
                    │   165 │   │   │   if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e):                                                                                  │                  
                    │   166 │   │   │   │   self.logger.error(f"Exception while calling proto_flow() on target                                                            │                  
                    │       {target}: {e}")                                                                                                                               │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/nxc/connection.py:230 in proto_flow                                                                                  │                  
                    │                                                                                                                                                     │                  
                    │   227 │   │   │   │   │   self.call_modules()                                                                                                       │                  
                    │   228 │   │   │   │   else:                                                                                                                         │                  
                    │   229 │   │   │   │   │   self.logger.debug("Calling command arguments")                                                                            │                  
                    │ ❱ 230 │   │   │   │   │   self.call_cmd_args()                                                                                                      │                  
                    │   231 │                                                                                                                                             │                  
                    │   232 │   def call_cmd_args(self):                                                                                                                  │                  
                    │   233 │   │   """Calls all the methods specified by the command line arguments                                                                      │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/nxc/connection.py:251 in call_cmd_args                                                                               │                  
                    │                                                                                                                                                     │                  
                    │   248 │   │   for attr, value in vars(self.args).items():                                                                                           │                  
                    │   249 │   │   │   if hasattr(self, attr) and callable(getattr(self, attr)) and value is not                                                         │                  
                    │       False and value is not None:                                                                                                                  │                  
                    │   250 │   │   │   │   self.logger.debug(f"Calling {attr}()")                                                                                        │                  
                    │ ❱ 251 │   │   │   │   getattr(self, attr)()                                                                                                         │                  
                    │   252 │                                                                                                                                             │                  
                    │   253 │   def call_modules(self):                                                                                                                   │                  
                    │   254 │   │   """Calls modules and performs various actions based on the module's attributes.                                                       │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/nxc/protocols/smb.py:767 in shares                                                                                   │                  
                    │                                                                                                                                                     │                  
                    │    764 │   │   │   read = False                                                                                                                     │                  
                    │    765 │   │   │   write = False                                                                                                                    │                  
                    │    766 │   │   │   try:                                                                                                                             │                  
                    │ ❱  767 │   │   │   │   self.conn.listPath(share_name, "*")                                                                                          │                  
                    │    768 │   │   │   │   read = True                                                                                                                  │                  
                    │    769 │   │   │   │   share_info["access"].append("READ")                                                                                          │                  
                    │    770 │   │   │   except SessionError as e:                                                                                                        │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/impacket/smbconnection.py:400 in listPath                                                                            │                  
                    │                                                                                                                                                     │                  
                    │   397 │   │   """                                                                                                                                   │                  
                    │   398 │   │                                                                                                                                         │                  
                    │   399 │   │   try:                                                                                                                                  │                  
                    │ ❱ 400 │   │   │   return self._SMBConnection.list_path(shareName, path, password)                                                                   │                  
                    │   401 │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                    │                  
                    │   402 │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                      │                  
                    │   403                                                                                                                                               │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/impacket/smb3.py:1823 in listPath                                                                                    │                  
                    │                                                                                                                                                     │                  
                    │   1820 │   │   finally:                                                                                                                             │                  
                    │   1821 │   │   │   if fileId is not None:                                                                                                           │                  
                    │   1822 │   │   │   │   self.close(treeId, fileId)                                                                                                   │                  
                    │ ❱ 1823 │   │   │   self.disconnectTree(treeId)                                                                                                      │                  
                    │   1824 │   │                                                                                                                                        │                  
                    │   1825 │   │   return files                                                                                                                         │                  
                    │   1826                                                                                                                                              │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/impacket/smb3.py:1224 in disconnectTree                                                                              │                  
                    │                                                                                                                                                     │                  
                    │   1221 │   │   treeDisconnect = SMB2TreeDisconnect()                                                                                                │                  
                    │   1222 │   │   packet['Data'] = treeDisconnect                                                                                                      │                  
                    │   1223 │   │   packetID = self.sendSMB(packet)                                                                                                      │                  
                    │ ❱ 1224 │   │   packet = self.recvSMB(packetID)                                                                                                      │                  
                    │   1225 │   │   if packet.isValidAnswer(STATUS_SUCCESS):                                                                                             │                  
                    │   1226 │   │   │   shareName = self._Session['TreeConnectTable'][treeId]['ShareName']                                                               │                  
                    │   1227 │   │   │   del(self._Session['TreeConnectTable'][shareName])                                                                                │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/impacket/smb3.py:512 in recvSMB                                                                                      │                  
                    │                                                                                                                                                     │                  
                    │    509 │   │   if packetID in self._Connection['OutstandingResponses']:                                                                             │                  
                    │    510 │   │   │   return self._Connection['OutstandingResponses'].pop(packetID)                                                                    │                  
                    │    511 │   │                                                                                                                                        │                  
                    │ ❱  512 │   │   data = self._NetBIOSSession.recv_packet(self._timeout)                                                                               │                  
                    │    513 │   │                                                                                                                                        │                  
                    │    514 │   │   if data.get_trailer().startswith(b'\xfdSMB'):                                                                                        │                  
                    │    515 │   │   │   # Packet is encrypted                                                                                                            │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/impacket/nmb.py:915 in recv_packet                                                                                   │                  
                    │                                                                                                                                                     │                  
                    │    912 │   │   self._sock.sendall(p.rawData())                                                                                                      │                  
                    │    913 │                                                                                                                                            │                  
                    │    914 │   def recv_packet(self, timeout = None):                                                                                                   │                  
                    │ ❱  915 │   │   data = self.__read(timeout)                                                                                                          │                  
                    │    916 │   │   NBSPacket = NetBIOSSessionPacket(data)                                                                                               │                  
                    │    917 │   │   if NBSPacket.get_type() == NETBIOS_SESSION_KEEP_ALIVE:                                                                               │                  
                    │    918 │   │   │   # Discard packet                                                                                                                 │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/impacket/nmb.py:1002 in __read                                                                                       │                  
                    │                                                                                                                                                     │                  
                    │    999 │   │   return bytes(data)                                                                                                                   │                  
                    │   1000 │                                                                                                                                            │                  
                    │   1001 │   def __read(self, timeout = None):                                                                                                        │                  
                    │ ❱ 1002 │   │   data = self.read_function(4, timeout)                                                                                                │                  
                    │   1003 │   │   type, flags, length = unpack('>ccH', data)                                                                                           │                  
                    │   1004 │   │   if ord(type) == NETBIOS_SESSION_MESSAGE:                                                                                             │                  
                    │   1005 │   │   │   length |= ord(flags) << 16                                                                                                       │                  
                    │                                                                                                                                                     │                  
                    │ /usr/lib/python3/dist-packages/impacket/nmb.py:986 in non_polling_read                                                                              │                  
                    │                                                                                                                                                     │                  
                    │    983 │   │   │   try:                                                                                                                             │                  
                    │    984 │   │   │   │   received = self._sock.recv(bytes_left)                                                                                       │                  
                    │    985 │   │   │   except socket.timeout:                                                                                                           │                  
                    │ ❱  986 │   │   │   │   raise NetBIOSTimeout                                                                                                         │                  
                    │    987 │   │   │   except Exception as ex:                                                                                                          │                  
                    │    988 │   │   │   │   raise NetBIOSError('Error occurs while reading from remote',                                                                 │                  
                    │        ERRCLASS_OS, ex.errno)                                                                                                                       │                  
                    │    989                                                                                                                                              │                  
                    ╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    NetBIOSTimeout: The NETBIOS connection with the remote host timed out.                                                                                                   
[16:11:52] DEBUG    Closing connection to: <IP>                                                                                                                  connection.py:170

@NeffIsBack
Copy link
Contributor

Oh that should be caught. Thanks for the report!

@NeffIsBack NeffIsBack mentioned this issue Jul 26, 2024
Merged
@NeffIsBack
Copy link
Contributor

Should be fixed with #387

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Marshall-Hallenbeck @ArchyInUse @NeffIsBack