Fix issues with kerberos and non NTLM domains #393
Conversation
…ly use kerberos (e.g. --use-kcache)
When I try with the -k flag, I get the required output:
netexec smb *********** -d ********** -u beatri**** -p '**********' -k --shares --debug
[00:28:56] DEBUG NXC VERSION: 1.2.0 - ItsAlwaysDNS - 54cad53 cli.py:26
DEBUG PYTHON VERSION: 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0] netexec.py:80
DEBUG RUNNING ON: Linux Release: 6.8.11-amd64 netexec.py:81
DEBUG Passed args: Namespace(threads=256, timeout=None, jitter=None, verbose=False, debug=True, no_progress=False, log=None, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, version=False, netexec.py:82
protocol='smb', target=['test.local'], username=['beatricemill'], password=['!!!!ilovegood17'], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False,
gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=True, use_kcache=False, aesKey=None, kdcHost=None, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None,
module=None, module_options=[], list_modules=False, show_module_options=False, hash=[], delegate=None, no_s4u2proxy=False, domain='test.local', local_auth=False, port=445, share='C$',
smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, sccm=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=True,
interfaces=False, no_write_check=False, filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None,
pass_pol=False, rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='', depth=None, only_files=False, pattern=None, regex=None,
put_file=None, get_file=None, append_host=False, exec_method='wmiexec', dcom_timeout=5, get_output_tries=100, codec='utf-8', no_output=False, execute=None, ps_execute=None, obfs=False, amsi_bypass=None,
clear_obfscripts=False, force_ps32=False, no_encode=False)
DEBUG Protocol: smb netexec.py:136
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py netexec.py:139
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py netexec.py:141
[00:28:57] DEBUG Protocol Object: <class 'protocol.smb'>, type: <class 'type'> netexec.py:144
DEBUG Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', netexec.py:145
'__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__',
'call_cmd_args', 'call_modules', 'check_if_admin', 'computers', 'create_conn_obj', 'create_smbv1_conn', 'create_smbv3_conn', 'disks', 'domainfromdnshostname', 'domainfromdsn', 'dpapi',
'enable_remoteops', 'enum_host_info', 'execute', 'gen_relay_list', 'get_dc_ips', 'get_file', 'get_file_single', 'get_os_arch', 'groups', 'hash_login', 'inc_failed_login', 'interfaces',
'kerberos_login', 'load_modules', 'local_groups', 'loggedon_users', 'login', 'lsa', 'mark_guest', 'mark_pwned', 'ntds', 'over_fail_limit', 'parse_credentials', 'pass_pol', 'plaintext_login',
'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'ps_execute', 'put_file', 'put_file_single', 'query_db_creds', 'resolver', 'rid_brute', 'sam', 'sccm', 'sessions', 'shares', 'spider',
'try_credentials', 'users', 'wmi']
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:147
DEBUG DB Path: /home/kali/.nxc/workspaces/default/smb.db netexec.py:150
DEBUG Creating ThreadPoolExecutor netexec.py:44
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:47
INFO Socket info: host=test.local, hostname=test.local, kerberos=True, ipv6=False, link-local ipv6=False connection.py:163
DEBUG Kicking off proto_flow connection.py:219
INFO Error creating SMBv1 connection to test.local: Error occurs while reading from remote(104) smb.py:539
[00:28:58] DEBUG Created connection object connection.py:224
[00:28:59] DEBUG NTLM not supported smb.py:218
DEBUG Error getting server information... smb.py:258
DEBUG Server OS: None.None build None smb.py:264
DEBUG Update Hosts: [{'id': 7, 'ip': 'test.local', 'hostname': 'test.local', 'domain': 'test.local', 'os': '', 'dc': None, 'smbv1': False, 'signing': True, 'spooler': None, 'zerologon': None, database.py:280
'petitpotam': None}]
DEBUG add_host() - Host IDs Updated: [7] database.py:290
[00:29:00] DEBUG Error logging off system: SMB SessionError: code: 0xc0000203 - STATUS_USER_SESSION_DELETED - The remote user session has been deleted. smb.py:295
INFO Resolved domain: test.local with dns, kdcHost: 10.10.*.* smb.py:303
[00:29:00] INFO SMB test.local 445 test.local x64 (name:test.local) (domain:test.local) (signing:True) (SMBv1:False) smb.py:308
SMB test.local 445 test.local x64 (name:test.local) (domain:test.local) (signing:True) (SMBv1:False)
DEBUG Trying to authenticate using Kerberos connection.py:486
DEBUG KDC set to: 10.10.*.* smb.py:314
INFO Error creating SMBv1 connection to test.local: Error occurs while reading from remote(104) smb.py:539
[00:29:03] DEBUG Checking if user is admin on test.local smb.py:571
[00:29:05] INFO SMB test.local 445 test.local test.local\beatri****:********** smb.py:362
SMB test.local 445 test.local test.local\beatri****:**********
[00:29:05] DEBUG Calling command arguments connection.py:232
DEBUG Calling shares() connection.py:253
DEBUG domain: test.local smb.py:779
[00:29:07] INFO Shares returned: [<impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f576711a550>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f5767ba8450>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at smb.py:792
0x7f576711a790>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f576711a910>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f576711aa90>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at
0x7f576711ab10>]
DEBUG Error checking READ access on share ADMIN$: STATUS_ACCESS_DENIED smb.py:820
DEBUG Error checking WRITE access on share ADMIN$: STATUS_ACCESS_DENIED smb.py:829
DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
DEBUG Error checking READ access on share C$: STATUS_ACCESS_DENIED smb.py:820
[00:29:08] DEBUG Error checking WRITE access on share C$: STATUS_ACCESS_DENIED smb.py:829
DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
[00:29:09] DEBUG Error checking WRITE access on share IPC$: STATUS_PRIVILEGE_NOT_HELD smb.py:829
[00:29:12] DEBUG Error checking WRITE access on share NETLOGON: STATUS_ACCESS_DENIED smb.py:829
DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
[00:29:17] DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
[00:29:19] DEBUG Error checking WRITE access on share SYSVOL: STATUS_ACCESS_DENIED smb.py:829
DEBUG Error adding share: cannot access local variable 'user_id' where it is not associated with a value smb.py:846
[00:29:19] INFO SMB test.local 445 test.local Enumerated shares smb.py:848
SMB test.local 445 test.local Enumerated shares
[00:29:19] INFO SMB test.local 445 test.local Share Permissions Remark smb.py:849
SMB test.local 445 test.local Share Permissions Remark
[00:29:19] INFO SMB test.local 445 test.local ----- ----------- ------ smb.py:850
SMB test.local 445 test.local ----- ----------- ------
[00:29:19] INFO SMB test.local 445 test.local ADMIN$ Remote Admin smb.py:857
SMB test.local 445 test.local ADMIN$ Remote Admin
[00:29:19] INFO SMB test.local 445 test.local C$ Default share smb.py:857
SMB test.local 445 test.local C$ Default share
[00:29:19] INFO SMB test.local 445 test.local IPC$ READ Remote IPC smb.py:857
SMB test.local 445 test.local IPC$ READ Remote IPC
[00:29:19] INFO SMB test.local 445 test.local NETLOGON READ Logon server share smb.py:857
SMB test.local 445 test.local NETLOGON READ Logon server share
[00:29:19] INFO SMB test.local 445 test.local share READ,WRITE smb.py:857
SMB test.local 445 test.local share READ,WRITE
[00:29:19] INFO SMB test.local 445 test.local SYSVOL READ Logon server share smb.py:857
SMB test.local 445 test.local SYSVOL READ Logon server share
DEBUG Closing connection to: test.local connection.py:173

However, when I try with --use-kcache, it fails:
netexec smb *********** -d ********** -u beatri**** -p '**********' --use-kcache --shares --debug
[00:30:13] DEBUG NXC VERSION: 1.2.0 - ItsAlwaysDNS - 54cad53 cli.py:26
DEBUG PYTHON VERSION: 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0] netexec.py:80
DEBUG RUNNING ON: Linux Release: 6.8.11-amd64 netexec.py:81
DEBUG Passed args: Namespace(threads=256, timeout=None, jitter=None, verbose=False, debug=True, no_progress=False, log=None, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, version=False, netexec.py:82
protocol='smb', target=['test.local'], username=['beatricemill'], password=['!!!!ilovegood17'], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False,
gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=True, aesKey=None, kdcHost=None, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None,
module=None, module_options=[], list_modules=False, show_module_options=False, hash=[], delegate=None, no_s4u2proxy=False, domain='test.local', local_auth=False, port=445, share='C$',
smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, sccm=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=True,
interfaces=False, no_write_check=False, filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None,
pass_pol=False, rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='', depth=None, only_files=False, pattern=None, regex=None,
put_file=None, get_file=None, append_host=False, exec_method='wmiexec', dcom_timeout=5, get_output_tries=100, codec='utf-8', no_output=False, execute=None, ps_execute=None, obfs=False, amsi_bypass=None,
clear_obfscripts=False, force_ps32=False, no_encode=False)
DEBUG Protocol: smb netexec.py:136
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py netexec.py:139
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py netexec.py:141
[00:30:14] DEBUG Protocol Object: <class 'protocol.smb'>, type: <class 'type'> netexec.py:144
DEBUG Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', netexec.py:145
'__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__',
'call_cmd_args', 'call_modules', 'check_if_admin', 'computers', 'create_conn_obj', 'create_smbv1_conn', 'create_smbv3_conn', 'disks', 'domainfromdnshostname', 'domainfromdsn', 'dpapi',
'enable_remoteops', 'enum_host_info', 'execute', 'gen_relay_list', 'get_dc_ips', 'get_file', 'get_file_single', 'get_os_arch', 'groups', 'hash_login', 'inc_failed_login', 'interfaces',
'kerberos_login', 'load_modules', 'local_groups', 'loggedon_users', 'login', 'lsa', 'mark_guest', 'mark_pwned', 'ntds', 'over_fail_limit', 'parse_credentials', 'pass_pol', 'plaintext_login',
'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'ps_execute', 'put_file', 'put_file_single', 'query_db_creds', 'resolver', 'rid_brute', 'sam', 'sccm', 'sessions', 'shares', 'spider',
'try_credentials', 'users', 'wmi']
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:147
DEBUG DB Path: /home/kali/.nxc/workspaces/default/smb.db netexec.py:150
DEBUG Creating ThreadPoolExecutor netexec.py:44
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:47
INFO Socket info: host=10.10.*.*, hostname=test.local, kerberos=True, ipv6=False, link-local ipv6=False connection.py:163
DEBUG Kicking off proto_flow connection.py:219
INFO Error creating SMBv1 connection to 10.10.*.*: Error occurs while reading from remote(104) smb.py:539
[00:30:15] DEBUG Created connection object connection.py:224
DEBUG NTLM not supported smb.py:218
DEBUG NTLM authentication not available! Authentication will fail without a valid hostname and domain name smb.py:232
DEBUG Error getting server information... smb.py:258
DEBUG Server OS: None.None build None smb.py:264
[00:30:16] DEBUG Update Hosts: [{'id': 8, 'ip': '10.10.*.*', 'hostname': '10.10.*.*', 'domain': 'test.local', 'os': '', 'dc': None, 'smbv1': False, 'signing': True, 'spooler': None, 'zerologon': None, database.py:280
'petitpotam': None}]
DEBUG add_host() - Host IDs Updated: [8] database.py:290
DEBUG Error logging off system: SMB SessionError: code: 0xc0000203 - STATUS_USER_SESSION_DELETED - The remote user session has been deleted. smb.py:295
INFO Resolved domain: test.local with dns, kdcHost: 10.10.*.* smb.py:303
[00:30:16] INFO SMB 10.10.*.* 445 10.10.*.* x64 (name:10.10.*.*) (domain:10.10.*.*) (signing:True) (SMBv1:False) smb.py:308
SMB 10.10.*.* 445 10.10.*.* x64 (name:10.10.*.*) (domain:10.10.*.*) (signing:True) (SMBv1:False)
DEBUG Trying to authenticate using Kerberos cache connection.py:537
DEBUG KDC set to: 10.10.*.* smb.py:314
[00:30:17] INFO Error creating SMBv1 connection to 10.10.*.*: Error occurs while reading from remote(104) smb.py:539
[00:30:18] INFO SMB 10.10.*.* 445 10.10.*.* test.local\beatricemill from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN smb.py:397
SMB 10.10.*.* 445 10.10.*.* test.local\beatricemill from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN
[00:30:18] INFO Successfully authenticated using Kerberos cache connection.py:542
DEBUG Calling command arguments connection.py:232
DEBUG Calling shares() connection.py:253
DEBUG domain: test.local smb.py:779
[00:30:19] INFO SMB 10.10.*.* 445 10.10.*.* Error enumerating shares: STATUS_USER_SESSION_DELETED smb.py:795
SMB 10.10.*.* 445 10.10.*.* Error enumerating shares: STATUS_USER_SESSION_DELETED
[00:30:19] DEBUG Closing connection to: test.local
EDIT by @NeffIsBack:

An issue with delegate also?

We didn't test it, but it likely would be. If you wouldn't have NTLM and delegation. Just added it to be sure.

Have you tried on other protocols than smb with kerberos?
This is an issue from discord.
The problem is that if we use flags like `--use-kcache`, we need to use kerberos. Though, some checks are still done with `if self.args.kerberos` and not `if self.kerberos`, which would be correctly set to `true` when using `--use-kcache`. Therefore, in non-NTLM environments the authentication does not work, because for example:
is not triggered before, when actually `self.kerberos`
by the `self.args.use_kcache` flag.

This PR should fix edge case issues, like these:
NTLM is not supported
`nxc smb winterfell.north.sevenkingdoms.local --use-kcache` -> fails (because of the aforementioned issue)
`nxc smb winterfell.north.sevenkingdoms.local --use-kcache -k` -> succeeds
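As an added example that is not part of this PR or of NetExec's code, the following Python models the check the description is about: a derived `self.kerberos` that is set by either `-k` or `--use-kcache`, against a check on the raw `self.args.kerberos` flag, replayed for the two command lines above against a host that does not offer NTLM. `Args`, `Connection`, `choose_auth` and the `ntlm_supported` parameter are simplified stand-ins constructed for illustration, not NetExec's real classes or signatures.

```python
"""Models the flag-resolution bug described in the PR (added example, not NetExec code).

`Args`, `Connection` and `choose_auth` are constructed stand-ins; they approximate the
argparse Namespace and Connection object the PR discusses but are not NetExec's own.
"""
from dataclasses import dataclass


@dataclass
class Args:
    """The two flags the PR is about (constructed subset of the real Namespace)."""
    kerberos: bool = False     # -k
    use_kcache: bool = False   # --use-kcache


class Connection:
    def __init__(self, args: Args):
        self.args = args
        # Derived state: any Kerberos-only option implies Kerberos authentication.
        # This is the attribute the PR says checks should consult instead of args.kerberos.
        self.kerberos = bool(args.kerberos or args.use_kcache)


def choose_auth(conn: Connection, ntlm_supported: bool, *, fixed: bool) -> str:
    """Return the authentication path a connection would take.

    fixed=False reproduces the pre-PR check on `conn.args.kerberos`;
    fixed=True checks the derived `conn.kerberos` instead.
    Raises RuntimeError when no usable path remains, i.e. the host rejects NTLM
    and Kerberos was not recognised as selected (the "NTLM not supported" failure).
    """
    wants_kerberos = conn.kerberos if fixed else conn.args.kerberos
    if wants_kerberos:
        return "kerberos-ccache" if conn.args.use_kcache else "kerberos"
    if ntlm_supported:
        return "ntlm"
    raise RuntimeError("NTLM not supported and Kerberos not selected")


def run_scenarios() -> dict:
    """Replay the PR's two command lines against a host without NTLM, both ways."""
    cases = {
        "--use-kcache": Args(use_kcache=True),
        "--use-kcache -k": Args(use_kcache=True, kerberos=True),
    }
    results = {}
    for label, args in cases.items():
        conn = Connection(args)
        for mode in ("buggy", "fixed"):
            try:
                results[(label, mode)] = choose_auth(
                    conn, ntlm_supported=False, fixed=(mode == "fixed")
                )
            except RuntimeError as exc:
                results[(label, mode)] = f"fails: {exc}"
    return results


if __name__ == "__main__":
    for (label, mode), outcome in run_scenarios().items():
        print(f"{mode:5} {label:18} -> {outcome}")
```

With the raw-flag check, `--use-kcache` alone ends in the failure branch because `args.kerberos` is still `False`; adding `-k` masks the bug, which matches the two outcomes listed above. With the derived attribute both invocations take the ccache path. The general lesson for this class of bug is to compute "which auth mechanism are we using" once, at connection setup, and have every later branch read that single value rather than re-deriving it from individual flags.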