Closed choket closed 4 months ago
@choket Specify the 'Anonymous' user (in reality it can be any user, but it cannot be '', which is NULL authentication, and different) and --local-auth:
Yes, you are right, it does work when I specify a random username and password and --local-auth. Do you think that maybe this should be the default behaviour when no additional arguments are specified? NetExec could try to do NULL session auth and anonymous login when only nxc smb <ip> is specified.
Ideally there should be a single command to test for NULL sessions and anonymous login. Right now for every host you have to do nxc smb <ip> -u '' -p '' (maybe also --local-auth) to test for NULL sessions, but then you also have to do nxc smb <ip> -u asdf -p asdf --local-auth to test for anonymous login.
So nxc used to send NULL auth by default, but it ended up causing problems while proxying, so we removed it recently with #188 and #190, but have a potential to reverse it in #208; however, I'm not a fan of doing things that aren't clear to the end user.
If we submit NULL authentication when no creds are defined by the user, that isn't clear, and is making unnecessary authentication requests against the host. The same goes for Anonymous login - what username do we send without a password, and does the user know that we are doing that? Maybe the user doesn't want to check for those things by default and we are creating OPSEC violations during testing by creating authentication failures.
We could definitely add in some flag like --null and --anonymous, but that's solved by just doing -u '' -p '' (for NULL), or passing in a list of a blank username and a random user (for both).
@NeffIsBack @mpgn maybe we should create a discussion thread in GitHub to figure this out?
Here's an example of how you would test for both NULL sessions and Anonymous sessions (the Anonymous user can be any string):
netexec smb 192.168.56.22 -u '' Anonymous -p '' --shares --local-auth
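To make the difference between the two checks concrete, here is an added Python model (not NetExec's own parsing code, and it contacts no host) of how a -u/-p list like the one above expands into logon attempts and which check each one performs. The expansion rules, the "empty list means NULL" default and the --local-auth requirement for anonymous login are assumptions taken from this thread.

```python
"""Model of how an nxc-style credential list expands into SMB logon attempts
and which check each attempt performs. Added illustration with assumed
semantics; it is not NetExec's own code and talks to no host."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonAttempt:
    username: str
    password: str
    local_auth: bool

    @property
    def check(self) -> str:
        # Empty username and empty password is a NULL session.
        if self.username == "" and self.password == "":
            return "null"
        # A placeholder username (assumed not to exist on the target) can only
        # succeed if the server maps it to Guest; the thread reports that this
        # needs --local-auth, so without it the attempt tests nothing useful.
        return "anonymous" if self.local_auth else "none"


def expand_credentials(users, passwords, local_auth=False):
    """Expand -u/-p lists into attempts. Assumed rules for this illustration:
    no users and no passwords -> one NULL attempt (the thread notes that the
    empty default list ends up as NULL login); one password with several
    users -> that password is reused for each user; otherwise pair by position."""
    if not users and not passwords:
        return [LogonAttempt("", "", local_auth)]
    if len(passwords) == 1 and len(users) > 1:
        passwords = passwords * len(users)
    if len(users) != len(passwords):
        raise ValueError("user and password lists must pair up")
    return [LogonAttempt(u, p, local_auth) for u, p in zip(users, passwords)]


def checks_covered(users, passwords, local_auth=False):
    """Set of checks ('null', 'anonymous') that one invocation performs."""
    kinds = {a.check for a in expand_credentials(users, passwords, local_auth)}
    kinds.discard("none")
    return kinds


if __name__ == "__main__":
    # The invocation from the thread: -u '' Anonymous -p '' --local-auth
    print(checks_covered(["", "Anonymous"], [""], local_auth=True))
```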
My 2 cents:
--no-null and --no-anonymous, which will stop nxc from doing null and anon login if a username and pass is not specified. I saw that this behaviour is described in the docs, but it would also be nice to have instructions on how to do null and anon login in the command line help text. Adding --null and --anonymous flags could easily solve this.
Ultimately it's up to you and other maintainers to decide how you want to proceed.
@choket we discussed it internally and will roll back the change with #208.
Your idea with an --anonymous flag is interesting though. Especially combining it with null auth really could bring value as we would get more and more valid authentications. Maybe I'll add it when I get the time.
I'm a little confused, since @Marshall-Hallenbeck said in his previous comment that netexec smb 192.168.56.22 -u '' Anonymous -p '' --shares --local-auth would do BOTH anonymous auth and null session auth. Is this true, or do I need to run 2 commands, one with a random user and pass to do anon auth, and one with an empty user and pass to do null auth?
I may be wrong here, but from my understanding these are two separate things and also won't get executed at the same time per default. I need to dig deeper into that, but from what I am aware of the default is only null auth.
Yeah anonymous is different than NULL. Previously we sent NULL auth by default. My example was a way to do anonymous and NULL auth together, but we wouldn't default to sending anonymous auth.
empty array https://github.com/Pennyw0rth/NetExec/blob/main/nxc/cli.py#L64 not null by default ;)
I'm pretty sure the empty array and empty string both translate to NULL login, since nothing is being defined.
Yes
Describe the bug
NetExec is not able to log in to shares that allow anonymous login and list shares.
To Reproduce
I am using the GOAD lab to recreate this issue. In that lab, the machine "CASTELBLACK" allows anonymous login and has a share which allows read access to anonymous users.
Using smbclient, I can log in anonymously, list shares and download files. However, when I use nxc, I get multiple errors. I tried running it without specifying creds, then specifying empty credentials.
Here is the output of
nxc --debug smb 192.168.56.22 --shares
And here is the output of
nxc --debug smb 192.168.56.22 --shares -u '' -p ''
NetExec info