Pennyw0rth / NetExec

The Network Execution Tool
https://netexec.wiki/
BSD 2-Clause "Simplified" License

anonymous login not working when using nxc smb --shares #210

Closed choket closed 4 months ago

choket commented 4 months ago

Describe the bug

NetExec is not able to log in to shares that allow anonymous login and list shares.

To Reproduce

I am using the GOAD lab to recreate this issue. In that lab, the machine "CASTELBLACK" allows anonymous login and has a share which allows read access to anonymous users.

Using smbclient, I can log in anonymously, list shares and download files. However, when I use nxc, I get multiple errors. I tried running it without specifying creds, then specifying empty credentials.


Here is the output of nxc --debug smb 192.168.56.22 --shares

[15:37:44] DEBUG    PYTHON VERSION: 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0]                                                                                    netexec.py:90
           DEBUG    RUNNING ON: Linux Release: 6.5.0-13parrot1-amd64                                                                                                     netexec.py:91
           DEBUG    Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, protocol='smb',          netexec.py:92
                    target=['192.168.56.22'], cred_id=[], username=[], password=[], ignore_pw_decoding=False, kerberos=False, no_bruteforce=False,
                    continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None,
                    module_options=[], list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None,
                    hash=[], delegate=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$', smb_server_port=445, gen_relay_list=None,
                    smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=True,
                    no_write_check=False, filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None,
                    computers=None, local_groups=None, pass_pol=False, rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.',
                    content=False, exclude_dirs='', pattern=None, regex=None, depth=None, only_files=False, put_file=None, get_file=None, append_host=False,
                    exec_method=None, dcom_timeout=5, get_output_tries=5, codec='utf-8', force_ps32=False, no_output=False, execute=None, ps_execute=None, obfs=False,
                    amsi_bypass=None, clear_obfscripts=False)
           DEBUG    Protocol: smb                                                                                                                                       netexec.py:146
           DEBUG    Protocol Path: /root/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py                                                    netexec.py:149
           DEBUG    Protocol DB Path: /root/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py                                        netexec.py:151
           DEBUG    Protocol Object: <class 'protocol.smb'>                                                                                                             netexec.py:154
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                                                     netexec.py:156
           DEBUG    DB Path: /root/.nxc/workspaces/default/smb.db                                                                                                       netexec.py:159
           DEBUG    Using selector: EpollSelector                                                                                                                selector_events.py:54
           DEBUG    Creating ThreadPoolExecutor                                                                                                                          netexec.py:43
           DEBUG    Creating thread for <class 'protocol.smb'>                                                                                                           netexec.py:46
           INFO     Socket info: host=192.168.56.22, hostname=192.168.56.22, kerberos=False, ipv6=False, link-local ipv6=False                                       connection.py:104
           DEBUG    Kicking off proto_flow                                                                                                                           connection.py:164
           INFO     Error creating SMBv1 connection to 192.168.56.22: Error occurs while reading from remote(104)                                                           smb.py:487
           DEBUG    Created connection object                                                                                                                        connection.py:167
           DEBUG    Update Hosts: [{'id': 23, 'ip': '192.168.56.22', 'hostname': 'CASTELBLACK', 'domain': 'north.sevenkingdoms.local', 'os': 'Windows 10 / Server 2019 database.py:280
                    Build 17763', 'dc': None, 'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]
           DEBUG    add_host() - Host IDs Updated: [23]                                                                                                                database.py:290
           DEBUG    Error logging off system: Error occurs while reading from remote(104)                                                                                   smb.py:246
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
           INFO     SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK)                                  logger.py:121
                    (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
           DEBUG    Calling command arguments                                                                                                                        connection.py:174
           DEBUG    Calling shares()                                                                                                                                 connection.py:195
           DEBUG    domain: north.sevenkingdoms.local                                                                                                                       smb.py:703
SMB         192.168.56.22   445    CASTELBLACK      [-] Error enumerating shares: [Errno 32] Broken pipe
           INFO     SMB         192.168.56.22   445    CASTELBLACK      [-] Error enumerating shares: [Errno 32] Broken pipe                                             logger.py:121

And here is the output of nxc --debug smb 192.168.56.22 --shares -u '' -p ''

[15:38:43] DEBUG    PYTHON VERSION: 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0]                                                                                    netexec.py:90
           DEBUG    RUNNING ON: Linux Release: 6.5.0-13parrot1-amd64                                                                                                     netexec.py:91
           DEBUG    Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, protocol='smb',          netexec.py:92
                    target=['192.168.56.22'], cred_id=[], username=[''], password=[''], ignore_pw_decoding=False, kerberos=False, no_bruteforce=False,
                    continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None,
                    module_options=[], list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None,
                    hash=[], delegate=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$', smb_server_port=445, gen_relay_list=None,
                    smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=True,
                    no_write_check=False, filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None,
                    computers=None, local_groups=None, pass_pol=False, rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.',
                    content=False, exclude_dirs='', pattern=None, regex=None, depth=None, only_files=False, put_file=None, get_file=None, append_host=False,
                    exec_method=None, dcom_timeout=5, get_output_tries=5, codec='utf-8', force_ps32=False, no_output=False, execute=None, ps_execute=None, obfs=False,
                    amsi_bypass=None, clear_obfscripts=False)
           DEBUG    Protocol: smb                                                                                                                                       netexec.py:146
           DEBUG    Protocol Path: /root/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py                                                    netexec.py:149
           DEBUG    Protocol DB Path: /root/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py                                        netexec.py:151
           DEBUG    Protocol Object: <class 'protocol.smb'>                                                                                                             netexec.py:154
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                                                     netexec.py:156
           DEBUG    DB Path: /root/.nxc/workspaces/default/smb.db                                                                                                       netexec.py:159
           DEBUG    Using selector: EpollSelector                                                                                                                selector_events.py:54
           DEBUG    Creating ThreadPoolExecutor                                                                                                                          netexec.py:43
           DEBUG    Creating thread for <class 'protocol.smb'>                                                                                                           netexec.py:46
           INFO     Socket info: host=192.168.56.22, hostname=192.168.56.22, kerberos=False, ipv6=False, link-local ipv6=False                                       connection.py:104
           DEBUG    Kicking off proto_flow                                                                                                                           connection.py:164
           INFO     Error creating SMBv1 connection to 192.168.56.22: Error occurs while reading from remote(104)                                                           smb.py:487
           DEBUG    Created connection object                                                                                                                        connection.py:167
           DEBUG    Update Hosts: [{'id': 23, 'ip': '192.168.56.22', 'hostname': 'CASTELBLACK', 'domain': 'north.sevenkingdoms.local', 'os': 'Windows 10 / Server 2019 database.py:280
                    Build 17763', 'dc': None, 'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]
           DEBUG    add_host() - Host IDs Updated: [23]                                                                                                                database.py:290
           DEBUG    Error logging off system: Error occurs while reading from remote(104)                                                                                   smb.py:246
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
           INFO     SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK)                                  logger.py:121
                    (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
           DEBUG    Trying to authenticate using plaintext with domain                                                                                               connection.py:407
           INFO     Error creating SMBv1 connection to 192.168.56.22: Error occurs while reading from remote(104)                                                           smb.py:487
SMB         192.168.56.22   445    CASTELBLACK      [-] north.sevenkingdoms.local\: STATUS_ACCESS_DENIED
           INFO     SMB         192.168.56.22   445    CASTELBLACK      [-] north.sevenkingdoms.local\: STATUS_ACCESS_DENIED                                             logger.py:121
           DEBUG    Calling command arguments                                                                                                                        connection.py:174
           DEBUG    Calling shares()                                                                                                                                 connection.py:195
           DEBUG    domain: north.sevenkingdoms.local                                                                                                                       smb.py:703
SMB         192.168.56.22   445    CASTELBLACK      [-] Error enumerating shares: Error occurs while reading from remote(104)
           INFO     SMB         192.168.56.22   445    CASTELBLACK      [-] Error enumerating shares: Error occurs while reading from remote(104)                        logger.py:121

NetExec info

Marshall-Hallenbeck commented 4 months ago

@choket Specify the 'Anonymous' user (in reality it can be any user, but it cannot be '', which is NULL authentication, and different) and --local-auth:


choket commented 4 months ago

Yes, you are right, it does work when I specify a random username and password and --local-auth. Do you think that maybe this should be the default behaviour when no additional arguments are specified? NetExec could try to do NULL session auth and anonymous login when only nxc smb <ip> is specified.


choket commented 4 months ago

Ideally there should be a single command to test for NULL sessions and anonymous login. Right now for every host you have to do nxc smb <ip> -u '' -p '' (maybe also --local-auth) to test for NULL sessions, but then you also have to do nxc smb <ip> -u asdf -p asdf --local-auth to test for anonymous login.

Marshall-Hallenbeck commented 4 months ago

So nxc used to send NULL auth by default, but it ended up causing problems while proxying, so we removed it recently with #188 and #190, but have a potential to reverse it in #208; however, I'm not a fan of doing things that aren't clear to the end user.

If we submit NULL authentication when no creds are defined by the user, that isn't clear, and is making unnecessary authentication requests against the host. The same goes for Anonymous login - what username do we send without a password, and does the user know that we are doing that? Maybe the user doesn't want to check for those things by default and we are creating OPSEC violations during testing by creating authentication failures.

We could definitely add in some flag like --null and --anonymous, but that's solved by just doing -u '' -p '' (for NULL), or passing in a list of a blank username and a random user (for both).

@NeffIsBack @mpgn maybe we should create a discussion thread in GitHub to figure this out?

Marshall-Hallenbeck commented 4 months ago

Here's an example of how you would test for both NULL sessions and Anonymous sessions (the Anonymous user can be any string): netexec smb 192.168.56.22 -u '' Anonymous -p '' --shares --local-auth


choket commented 4 months ago

My 2 cents:

I saw that this behaviour is described in the docs, but it would also be nice to have instructions on how to do null and anon login in the command line help text. Adding --null and --anonymous flags could easily solve this.

Ultimately it's up to you and the other maintainers to decide how you want to proceed.

NeffIsBack commented 4 months ago

@choket we discussed it internally and will roll back the change with #208. Your idea with an --anonymous flag is interesting though. Especially combining it with null auth really could bring value, as we would get more and more valid authentications. Maybe I'll add it when I have the time.

choket commented 4 months ago

I'm a little confused, since @Marshall-Hallenbeck said in his previous comment that netexec smb 192.168.56.22 -u '' Anonymous -p '' --shares --local-auth would do BOTH anonymous auth and null session auth. Is this true, or do I need to run 2 commands, one with a random user and pass to do anon auth, and one with an empty user and pass to do null auth?

NeffIsBack commented 4 months ago

I may be wrong here, but from my understanding these are two separate things and also won't get executed at the same time by default. I need to dig deeper into that, but from what I am aware of, the default is only null auth.

Marshall-Hallenbeck commented 4 months ago

Yeah anonymous is different than NULL. Previously we sent NULL auth by default. My example was a way to do anonymous and NULL auth together, but we wouldn't default to sending anonymous auth.
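To make concrete what the netexec smb 192.168.56.22 -u '' Anonymous -p '' --shares --local-auth command above expands to, and why NULL and anonymous are two separate login attempts rather than one, here is an added example that is not NetExec's own code. The pairing rule (a single password is reused for every username, otherwise the two lists are zipped) and the null_by_default switch are assumptions modelled on this thread, not nxc's parser.

```python
"""Expand nxc-style -u/-p lists into the SMB login attempts they imply and
label each attempt. Added illustration, not code from the NetExec project."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    username: str
    password: str
    domain: str   # what the session setup will present as the domain
    kind: str     # "null", "anonymous" or "credentialed"


def classify(username: str, password: str) -> str:
    """NULL session: no username and no password.
    Anonymous login: some username (any string, e.g. 'Anonymous') with an
    empty password. Anything else is a normal credentialed login."""
    if username == "" and password == "":
        return "null"
    if password == "":
        return "anonymous"
    return "credentialed"


def expand(usernames, passwords, domain, hostname,
           local_auth=False, null_by_default=False):
    """Return the attempts nxc would make for the given lists.
    --local-auth authenticates against the host itself (hostname as domain)
    instead of the discovered domain. null_by_default models the behaviour
    the thread discusses: with no -u at all, either try one NULL session
    (pre-#188 behaviour, to be restored by #208) or make no attempt."""
    if not usernames:
        pairs = [("", "")] if null_by_default else []
    elif len(passwords) == 1:
        # one password shared by every user: -u '' Anonymous -p ''
        pairs = [(u, passwords[0]) for u in usernames]
    elif len(usernames) == len(passwords):
        pairs = list(zip(usernames, passwords))
    else:
        raise ValueError("username and password lists must match in length")
    target_domain = hostname if local_auth else domain
    return [Attempt(u, p, target_domain, classify(u, p)) for u, p in pairs]


if __name__ == "__main__":
    # Constructed sample mirroring the thread's command against CASTELBLACK.
    for a in expand(["", "Anonymous"], [""], "north.sevenkingdoms.local",
                    "CASTELBLACK", local_auth=True):
        print(f"{a.kind:12} user={a.username!r} pass={a.password!r} domain={a.domain}")
```

Running it shows two distinct attempts, a NULL session and an anonymous login, both directed at the host rather than the domain because of --local-auth.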

mpgn commented 4 months ago

> Yeah anonymous is different than NULL. Previously we sent NULL auth by default. My example was a way to do anonymous and NULL auth together, but we wouldn't default to sending anonymous auth.

Empty array (https://github.com/Pennyw0rth/NetExec/blob/main/nxc/cli.py#L64), not null by default ;)

Marshall-Hallenbeck commented 4 months ago

I'm pretty sure the empty array and empty string both translate to NULL login, since nothing is being defined.

mpgn commented 4 months ago

> I'm pretty sure the empty array and empty string both translate to NULL login, since nothing is being defined.

Yes