Pennyw0rth / NetExec

The Network Execution Tool
https://netexec.wiki/
BSD 2-Clause "Simplified" License

[RDP] Wrong authentication results #289

Closed n3rada closed 4 months ago

n3rada commented 4 months ago

From a Linux machine:

netexec --version
1.1.0 - nxc4u - 25f0b59

netexec says that a user has the right to connect through the RDP protocol:

nxc --verbose rdp 172.16.172.180 -u 'nina' -p 's3curepassw0rd!'
[19:20:59] INFO     Socket info: host=172.16.172.180, hostname=172.16.172.180, kerberos=False, ipv6=False, link-local ipv6=False                                                                                                                                                                           connection.py:106
RDP         172.16.172.180  3389   DC01             [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:final.com) (nla:True)
RDP         172.16.172.180  3389   DC01             [+] final.com\nina:s3curepassw0rd!

Even though in reality it doesn't:

xfreerdp /gfx /bpp:32 /compression-level:2 /cert:ignore /dynamic-resolution +clipboard +auto-reconnect /v:'172.16.172.180' /u:'nina' /p:'s3curepassw0rd!'

[19:22:25:049] [2053358:2053359] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 0: Success
[19:22:25:049] [2053358:2053359] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[19:22:25:522] [2053358:2053359] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 0: Success
[19:22:25:522] [2053358:2053359] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[19:22:25:522] [2053358:2053359] [ERROR][com.freerdp.core] - freerdp_post_connect failed

And if RDP is truly accessible, it says Pwn3d!, even if the user is just low-privileged:

$ nxc --verbose rdp 172.16.172.183 -u 'nina' -p 's3curepassw0rd!'
[19:22:45] INFO     Socket info: host=172.16.172.183, hostname=172.16.172.183, kerberos=False, ipv6=False, link-local ipv6=False                                                                                                                                                                           connection.py:106
RDP         172.16.172.183  3389   JUMP03           [*] Windows 10 or Windows Server 2016 Build 17763 (name:JUMP03) (domain:final.com) (nla:True)
RDP         172.16.172.183  3389   JUMP03           [+] final.com\nina:s3curepassw0rd! (Pwn3d!)
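An added triage helper for reading the RDP result lines quoted above (written for this issue, not part of NetExec). It parses each line into a structured record, redacts the password, and maps NetExec's markers to the follow-up check a reviewer should do, following the two observations in this report: a [+] without (Pwn3d!) only shows the credentials were accepted by NLA, and (Pwn3d!) does not show the account is privileged. The trailing "[-]" sample line and the triage labels are my own assumptions, not NetExec's wording.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the four NetExec RDP lines quoted in this issue plus one
# made-up rejection line (the exact "[-]" text NetExec prints is not on the page).
SAMPLE_OUTPUT = """\
RDP         172.16.172.180  3389   DC01             [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:final.com) (nla:True)
RDP         172.16.172.180  3389   DC01             [+] final.com\\nina:s3curepassw0rd!
RDP         172.16.172.183  3389   JUMP03           [*] Windows 10 or Windows Server 2016 Build 17763 (name:JUMP03) (domain:final.com) (nla:True)
RDP         172.16.172.183  3389   JUMP03           [+] final.com\\nina:s3curepassw0rd! (Pwn3d!)
RDP         172.16.172.183  3389   JUMP03           [-] final.com\\bob:wrongpass
"""

# <PROTO> <host> <port> <hostname> [<status>] <message>
LINE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+"
    r"\[(?P<status>[*+\-!])\]\s+(?P<msg>.*?)\s*$"
)
KV_RE = re.compile(r"\((\w+):([^)]*)\)")  # (name:DC01) (domain:final.com) (nla:True)
PWNED_SUFFIX = " (Pwn3d!)"

# Triage labels are assumptions based on this report, not NetExec semantics.
ACCEPTED_ONLY = ("credentials accepted (NLA); interactive RDP logon not demonstrated, "
                 "confirm with a full RDP client before reporting RDP access")
SESSION = ("RDP session established; this shows logon rights, not administrative "
           "privilege, so verify group membership separately")
REJECTED = "credentials rejected"


@dataclass
class HostInfo:
    host: str
    port: int
    name: str
    domain: str
    nla: bool
    banner: str


@dataclass
class AuthResult:
    host: str
    port: int
    domain: Optional[str]
    user: str
    secret_redacted: str
    accepted: bool   # "[+]" marker
    session: bool    # "(Pwn3d!)" suffix was present


def redact(secret: str) -> str:
    """Keep only the length so a triage report never carries the cleartext."""
    return "*" * len(secret)


def parse_line(line: str):
    """Return a HostInfo, an AuthResult, or None for lines that are not results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, port, status, msg = m["host"], int(m["port"]), m["status"], m["msg"]
    if status == "*":
        kv = dict(KV_RE.findall(msg))
        banner = msg.split(" (", 1)[0]
        return HostInfo(host, port, kv.get("name", m["name"]), kv.get("domain", ""),
                        kv.get("nla", "").lower() == "true", banner)
    if status in "+-":
        session = msg.endswith(PWNED_SUFFIX)
        cred = msg[: -len(PWNED_SUFFIX)] if session else msg
        if "\\" in cred:
            domain, _, rest = cred.partition("\\")
        else:
            domain, rest = None, cred
        user, _, secret = rest.partition(":")
        return AuthResult(host, port, domain, user, redact(secret), status == "+", session)
    return None


def triage(result: AuthResult) -> str:
    if not result.accepted:
        return REJECTED
    return SESSION if result.session else ACCEPTED_ONLY


def parse_output(text: str):
    hosts, results = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if isinstance(rec, HostInfo):
            hosts.append(rec)
        elif isinstance(rec, AuthResult):
            results.append(rec)
    return hosts, results


def report(text: str) -> list:
    """One redacted triage line per authentication result."""
    hosts, results = parse_output(text)
    names = {(h.host, h.port): h.name for h in hosts}
    lines = []
    for r in results:
        who = f"{r.domain}\\{r.user}" if r.domain else r.user
        target = names.get((r.host, r.port), r.host)
        lines.append(f"{target} {who}:{r.secret_redacted} -> {triage(r)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```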

Marshall-Hallenbeck commented 4 months ago

Can you re-run with --debug and post the results?

n3rada commented 4 months ago

Of course.

nxc --debug rdp 172.16.172.180 -u 'nina' -p 's3curepassw0rd!'
[20:50:56] DEBUG    NXC VERSION: 1.1.0 - nxc4u - 25f0b59                                                                                                                                                                                                                                                           cli.py:25
           DEBUG    PYTHON VERSION: 3.11.8 (main, Feb  7 2024, 21:52:08) [GCC 13.2.0]                                                                                                                                                                                                                          netexec.py:78
           DEBUG    RUNNING ON: Linux Release: 6.6.9-amd64                                                                                                                                                                                                                                                     netexec.py:79
           DEBUG    Passed args: Namespace(threads=256, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, protocol='rdp', target=['172.16.172.180'], cred_id=[], username=['nina'], password=['s3curepassw0rd!'], ignore_pw_decoding=False, kerberos=False,              netexec.py:80
                    no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[], list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0',
                    server_port=None, connectback_host=None, hash=[], port=3389, rdp_timeout=5, nla_screenshot=False, domain=None, local_auth=False, screenshot=False, screentime=10, res='1024x768')
           DEBUG    Protocol: rdp                                                                                                                                                                                                                                                                             netexec.py:134
           DEBUG    Protocol Path: /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/rdp.py                                                                                                                                                                                     netexec.py:137
           DEBUG    Protocol DB Path: /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/rdp/database.py                                                                                                                                                                         netexec.py:139
[20:50:57] DEBUG    symmetric using "pyCryptodomex" for "DES"                                                                                                                                                                                                                                                 __init__.py:55
           DEBUG    symmetric using "pyCryptodomex" for "TDES"                                                                                                                                                                                                                                                __init__.py:55
           DEBUG    symmetric using "pyCryptodomex" for "AES"                                                                                                                                                                                                                                                 __init__.py:55
           DEBUG    symmetric using "pyCryptodomex" for "RC4"                                                                                                                                                                                                                                                 __init__.py:55
           DEBUG    Protocol Object: <class 'protocol.rdp'>, type: <class 'type'>                                                                                                                                                                                                                             netexec.py:142
           DEBUG    Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__',     netexec.py:143
                    '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'call_cmd_args', 'call_modules', 'check_if_admin', 'check_nla', 'connect_rdp', 'create_conn_obj', 'enum_host_info', 'hash_login', 'inc_failed_login', 'kerberos_login',
                    'load_modules', 'login', 'mark_pwned', 'nla_screen', 'nla_screenshot', 'over_fail_limit', 'parse_credentials', 'plaintext_login', 'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'query_db_creds', 'screen', 'screenshot', 'try_credentials']
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                                                                                                                                                                                           netexec.py:145
           DEBUG    DB Path: /home/kali/.nxc/workspaces/default/rdp.db                                                                                                                                                                                                                                        netexec.py:148
           DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
           DEBUG    Creating ThreadPoolExecutor                                                                                                                                                                                                                                                                netexec.py:42
           DEBUG    Creating thread for <class 'protocol.rdp'>                                                                                                                                                                                                                                                 netexec.py:45
           INFO     Socket info: host=172.16.172.180, hostname=172.16.172.180, kerberos=False, ipv6=False, link-local ipv6=False                                                                                                                                                                           connection.py:106
           DEBUG    Kicking off proto_flow                                                                                                                                                                                                                                                                 connection.py:164
           DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
[20:51:00] DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
[20:51:01] DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
           DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
           DEBUG    hashlib using "pure" for "md4"                                                                                                                                                                                                                                                             hashlib.py:32
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    Created connection object                                                                                                                                                                                                                                                              connection.py:169
[20:51:01] INFO     RDP         172.16.172.180  3389   DC01             Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:final.com) (nla:True)                                                                                                                                                   rdp.py:114
           DEBUG    Trying to authenticate using plaintext with domain                                                                                                                                                                                                                                     connection.py:410
           DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
           DEBUG    hashlib using "pure" for "md4"                                                                                                                                                                                                                                                             hashlib.py:32
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
[20:51:01] INFO     RDP         172.16.172.180  3389   DC01             final.com\nina:s3curepassw0rd!                                                                                                                                                                                                            rdp.py:299
           DEBUG    Calling command arguments                                                                                                                                                                                                                                                              connection.py:177
           DEBUG    Closing connection to: 172.16.172.180  

And for the false elevated privilege:

nxc --debug rdp 172.16.172.183 -u 'nina' -p 's3curepassw0rd!'
[20:51:39] DEBUG    NXC VERSION: 1.1.0 - nxc4u - 25f0b59                                                                                                                                                                                                                                                           cli.py:25
           DEBUG    PYTHON VERSION: 3.11.8 (main, Feb  7 2024, 21:52:08) [GCC 13.2.0]                                                                                                                                                                                                                          netexec.py:78
           DEBUG    RUNNING ON: Linux Release: 6.6.9-amd64                                                                                                                                                                                                                                                     netexec.py:79
           DEBUG    Passed args: Namespace(threads=256, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, protocol='rdp', target=['172.16.172.183'], cred_id=[], username=['nina'], password=['s3curepassw0rd!'], ignore_pw_decoding=False, kerberos=False,              netexec.py:80
                    no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[], list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0',
                    server_port=None, connectback_host=None, hash=[], port=3389, rdp_timeout=5, nla_screenshot=False, domain=None, local_auth=False, screenshot=False, screentime=10, res='1024x768')
           DEBUG    Protocol: rdp                                                                                                                                                                                                                                                                             netexec.py:134
           DEBUG    Protocol Path: /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/rdp.py                                                                                                                                                                                     netexec.py:137
           DEBUG    Protocol DB Path: /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/rdp/database.py                                                                                                                                                                         netexec.py:139
           DEBUG    symmetric using "pyCryptodomex" for "DES"                                                                                                                                                                                                                                                 __init__.py:55
           DEBUG    symmetric using "pyCryptodomex" for "TDES"                                                                                                                                                                                                                                                __init__.py:55
           DEBUG    symmetric using "pyCryptodomex" for "AES"                                                                                                                                                                                                                                                 __init__.py:55
           DEBUG    symmetric using "pyCryptodomex" for "RC4"                                                                                                                                                                                                                                                 __init__.py:55
           DEBUG    Protocol Object: <class 'protocol.rdp'>, type: <class 'type'>                                                                                                                                                                                                                             netexec.py:142
           DEBUG    Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__',     netexec.py:143
                    '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'call_cmd_args', 'call_modules', 'check_if_admin', 'check_nla', 'connect_rdp', 'create_conn_obj', 'enum_host_info', 'hash_login', 'inc_failed_login', 'kerberos_login',
                    'load_modules', 'login', 'mark_pwned', 'nla_screen', 'nla_screenshot', 'over_fail_limit', 'parse_credentials', 'plaintext_login', 'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'query_db_creds', 'screen', 'screenshot', 'try_credentials']
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                                                                                                                                                                                           netexec.py:145
           DEBUG    DB Path: /home/kali/.nxc/workspaces/default/rdp.db                                                                                                                                                                                                                                        netexec.py:148
           DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
           DEBUG    Creating ThreadPoolExecutor                                                                                                                                                                                                                                                                netexec.py:42
           DEBUG    Creating thread for <class 'protocol.rdp'>                                                                                                                                                                                                                                                 netexec.py:45
           INFO     Socket info: host=172.16.172.183, hostname=172.16.172.183, kerberos=False, ipv6=False, link-local ipv6=False                                                                                                                                                                           connection.py:106
           DEBUG    Kicking off proto_flow                                                                                                                                                                                                                                                                 connection.py:164
           DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
[20:51:42] DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
[20:51:43] DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
           DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
           DEBUG    hashlib using "pure" for "md4"                                                                                                                                                                                                                                                             hashlib.py:32
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    Created connection object                                                                                                                                                                                                                                                              connection.py:169
[20:51:43] INFO     RDP         172.16.172.183  3389   JUMP03           Windows 10 or Windows Server 2016 Build 17763 (name:JUMP03) (domain:final.com) (nla:True)                                                                                                                                                 rdp.py:114
           DEBUG    Trying to authenticate using plaintext with domain                                                                                                                                                                                                                                     connection.py:410
           DEBUG    Using selector: EpollSelector                                                                                                                                                                                                                                                      selector_events.py:54
[20:51:44] DEBUG    hashlib using "pure" for "md4"                                                                                                                                                                                                                                                             hashlib.py:32
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hashlib using "builtin" for "md5"                                                                                                                                                                                                                                                          hashlib.py:37
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
           DEBUG    hmac using "builtin" for "md5"                                                                                                                                                                                                                                                                hmac.py:42
[20:51:44] INFO     RDP         172.16.172.183  3389   JUMP03           final.com\nina:s3curepassw0rd! (Pwn3d!)                                                                                                                                                                                                   rdp.py:291
           DEBUG    Calling command arguments                                                                                                                                                                                                                                                              connection.py:177
           DEBUG    Closing connection to: 172.16.172.183  
Marshall-Hallenbeck commented 4 months ago

Hmm, looks like we need to improve the logging here, and also remove all that annoying hashing logging.

mpgn commented 4 months ago

@n3rada I think you misinterpret the data.

Having a login success without pwn3d only means the account exists (same as proto smb).

Having the pwn3d means you can rdp and exec commands.

I don't see anything wrong in this issue.
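
A small parser for the result lines quoted in this thread, added here as an example and not part of NetExec, that keeps the two outcomes described above apart: a [+] line only means the credentials were accepted, and only the (Pwn3d!) suffix means an RDP session was confirmed. It assumes nothing beyond the column layout visible in the quoted output (the --verbose "[HH:MM:SS] LEVEL" prefix and "file.py:NNN" suffix, the [+]/[-]/[*] markers) and, per the documentation quoted later, that a failed login carries [-].

```python
"""Classify NetExec (nxc) RDP result lines: a bare [+] hit (valid credentials) is not
the same as a (Pwn3d!) hit (RDP session confirmed). Added example, not NetExec code."""
import re
from enum import Enum

class Outcome(Enum):
    INFO = "banner/info line"
    FAILED = "login failed ([-])"
    VALID_CREDS = "credentials valid, account exists; RDP session NOT confirmed"
    RDP_ACCESS = "credentials valid AND RDP session confirmed (Pwn3d!)"

# Column layout as quoted in this issue (assumed stable). Verbose runs prepend
# "[HH:MM:SS] LEVEL" and append "file.py:NNN"; non-verbose runs carry [+]/[-]/[*].
LINE_RE = re.compile(
    r"^(?:\[\d{2}:\d{2}:\d{2}\]\s+[A-Z]+\s+)?"                   # optional verbose prefix
    r"(?P<proto>[A-Z]+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+"
    r"(?:\[(?P<marker>[-+*])\]\s+)?(?P<body>.*?)"                # optional marker, payload
    r"(?:\s+\w+\.py:\d+)?\s*$"                                   # optional "rdp.py:291"
)
# "domain\user:secret", optionally followed by the Pwn3d! flag.
CRED_RE = re.compile(r"^[^\\\s]+\\[^:\s]+:\S+(?P<pwned>\s+\(Pwn3d!\))?$")

def classify(line):
    """Return (host, Outcome) for an nxc result line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["marker"] == "-":
        return m["host"], Outcome.FAILED
    cred = CRED_RE.match(m["body"])
    if m["marker"] == "*" or cred is None:
        return m["host"], Outcome.INFO
    return m["host"], (Outcome.RDP_ACCESS if cred["pwned"] else Outcome.VALID_CREDS)

def summarize(lines):
    """Map host -> strongest outcome seen, keeping [+] and (Pwn3d!) hosts distinct."""
    order = list(Outcome)  # declaration order doubles as strength order
    result = {}
    for host, outcome in filter(None, map(classify, lines)):
        if host not in result or order.index(outcome) > order.index(result[host]):
            result[host] = outcome
    return result

# Constructed from the lines quoted in the issue: one plain run against 172.16.172.180,
# one --verbose run against 172.16.172.183, plus a DEBUG line that must be skipped.
SAMPLE = [
    r"RDP         172.16.172.180  3389   DC01             [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:final.com) (nla:True)",
    r"RDP         172.16.172.180  3389   DC01             [+] final.com\nina:s3curepassw0rd!",
    r"           DEBUG    Created connection object                       connection.py:169",
    r"[20:51:44] INFO     RDP         172.16.172.183  3389   JUMP03           final.com\nina:s3curepassw0rd! (Pwn3d!)      rdp.py:291",
]
```

Running `summarize(SAMPLE)` reports 172.16.172.180 as VALID_CREDS only (matching the failed xfreerdp connection in the report) and 172.16.172.183 as RDP_ACCESS.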

n3rada commented 4 months ago

That is what I inferred. But as the documentation says:

Authentication

    - Failed logins result in a [-]
    - Successful logins result in a [+] Domain\Username:Password

Local admin access results in a (Pwn3d!) added after the login confirmation, shown below.

That's why I first opened up an issue. But as it is under the SMB part, I now deduce it was only for the SMB protocol. But for consistency, you should have a proper explanation for each protocol, or consistency in the Pwn3d! result. What do you think?

mpgn commented 4 months ago

Yes, the documentation is outdated on this point and needs to be updated!!!

mpgn commented 4 months ago

Documentation updated :)

n3rada commented 4 months ago

Thanks a lot @mpgn!