Closed n3rada closed 4 months ago
Can you re-run with --debug and post the results?
Of course.
nxc --debug rdp 172.16.172.180 -u 'nina' -p 's3curepassw0rd!'
[20:50:56] DEBUG NXC VERSION: 1.1.0 - nxc4u - 25f0b59 cli.py:25
DEBUG PYTHON VERSION: 3.11.8 (main, Feb 7 2024, 21:52:08) [GCC 13.2.0] netexec.py:78
DEBUG RUNNING ON: Linux Release: 6.6.9-amd64 netexec.py:79
DEBUG Passed args: Namespace(threads=256, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, protocol='rdp', target=['172.16.172.180'], cred_id=[], username=['nina'], password=['s3curepassw0rd!'], ignore_pw_decoding=False, kerberos=False, netexec.py:80
no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[], list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0',
server_port=None, connectback_host=None, hash=[], port=3389, rdp_timeout=5, nla_screenshot=False, domain=None, local_auth=False, screenshot=False, screentime=10, res='1024x768')
DEBUG Protocol: rdp netexec.py:134
DEBUG Protocol Path: /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/rdp.py netexec.py:137
DEBUG Protocol DB Path: /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/rdp/database.py netexec.py:139
[20:50:57] DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.rdp'>, type: <class 'type'> netexec.py:142
DEBUG Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', netexec.py:143
'__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'call_cmd_args', 'call_modules', 'check_if_admin', 'check_nla', 'connect_rdp', 'create_conn_obj', 'enum_host_info', 'hash_login', 'inc_failed_login', 'kerberos_login',
'load_modules', 'login', 'mark_pwned', 'nla_screen', 'nla_screenshot', 'over_fail_limit', 'parse_credentials', 'plaintext_login', 'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'query_db_creds', 'screen', 'screenshot', 'try_credentials']
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:145
DEBUG DB Path: /home/kali/.nxc/workspaces/default/rdp.db netexec.py:148
DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG Creating ThreadPoolExecutor netexec.py:42
DEBUG Creating thread for <class 'protocol.rdp'> netexec.py:45
INFO Socket info: host=172.16.172.180, hostname=172.16.172.180, kerberos=False, ipv6=False, link-local ipv6=False connection.py:106
DEBUG Kicking off proto_flow connection.py:164
DEBUG Using selector: EpollSelector selector_events.py:54
[20:51:00] DEBUG Using selector: EpollSelector selector_events.py:54
[20:51:01] DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG hashlib using "pure" for "md4" hashlib.py:32
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG Created connection object connection.py:169
[20:51:01] INFO RDP 172.16.172.180 3389 DC01 Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:final.com) (nla:True) rdp.py:114
DEBUG Trying to authenticate using plaintext with domain connection.py:410
DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG hashlib using "pure" for "md4" hashlib.py:32
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
[20:51:01] INFO RDP 172.16.172.180 3389 DC01 final.com\nina:s3curepassw0rd! rdp.py:299
DEBUG Calling command arguments connection.py:177
DEBUG Closing connection to: 172.16.172.180
And for the false elevated privilege:
nxc --debug rdp 172.16.172.183 -u 'nina' -p 's3curepassw0rd!'
[20:51:39] DEBUG NXC VERSION: 1.1.0 - nxc4u - 25f0b59 cli.py:25
DEBUG PYTHON VERSION: 3.11.8 (main, Feb 7 2024, 21:52:08) [GCC 13.2.0] netexec.py:78
DEBUG RUNNING ON: Linux Release: 6.6.9-amd64 netexec.py:79
DEBUG Passed args: Namespace(threads=256, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, protocol='rdp', target=['172.16.172.183'], cred_id=[], username=['nina'], password=['s3curepassw0rd!'], ignore_pw_decoding=False, kerberos=False, netexec.py:80
no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[], list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0',
server_port=None, connectback_host=None, hash=[], port=3389, rdp_timeout=5, nla_screenshot=False, domain=None, local_auth=False, screenshot=False, screentime=10, res='1024x768')
DEBUG Protocol: rdp netexec.py:134
DEBUG Protocol Path: /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/rdp.py netexec.py:137
DEBUG Protocol DB Path: /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/rdp/database.py netexec.py:139
DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.rdp'>, type: <class 'type'> netexec.py:142
DEBUG Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', netexec.py:143
'__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'call_cmd_args', 'call_modules', 'check_if_admin', 'check_nla', 'connect_rdp', 'create_conn_obj', 'enum_host_info', 'hash_login', 'inc_failed_login', 'kerberos_login',
'load_modules', 'login', 'mark_pwned', 'nla_screen', 'nla_screenshot', 'over_fail_limit', 'parse_credentials', 'plaintext_login', 'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'query_db_creds', 'screen', 'screenshot', 'try_credentials']
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:145
DEBUG DB Path: /home/kali/.nxc/workspaces/default/rdp.db netexec.py:148
DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG Creating ThreadPoolExecutor netexec.py:42
DEBUG Creating thread for <class 'protocol.rdp'> netexec.py:45
INFO Socket info: host=172.16.172.183, hostname=172.16.172.183, kerberos=False, ipv6=False, link-local ipv6=False connection.py:106
DEBUG Kicking off proto_flow connection.py:164
DEBUG Using selector: EpollSelector selector_events.py:54
[20:51:42] DEBUG Using selector: EpollSelector selector_events.py:54
[20:51:43] DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG hashlib using "pure" for "md4" hashlib.py:32
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG Created connection object connection.py:169
[20:51:43] INFO RDP 172.16.172.183 3389 JUMP03 Windows 10 or Windows Server 2016 Build 17763 (name:JUMP03) (domain:final.com) (nla:True) rdp.py:114
DEBUG Trying to authenticate using plaintext with domain connection.py:410
DEBUG Using selector: EpollSelector selector_events.py:54
[20:51:44] DEBUG hashlib using "pure" for "md4" hashlib.py:32
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hashlib using "builtin" for "md5" hashlib.py:37
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
DEBUG hmac using "builtin" for "md5" hmac.py:42
[20:51:44] INFO RDP 172.16.172.183 3389 JUMP03 final.com\nina:s3curepassw0rd! (Pwn3d!) rdp.py:291
DEBUG Calling command arguments connection.py:177
DEBUG Closing connection to: 172.16.172.183
Hmm, looks like we need to improve the logging here, and also remove all that annoying hashing logging.
@n3rada I think you misinterpreted the data.
Having a login success without Pwn3d! only means the account exists (same as the smb proto).
Having the Pwn3d! means you can RDP and exec commands.
I don't see anything wrong in this issue.
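The distinction made above is easy to lose when reading raw nxc output, since the same credential line appears in both cases and only the trailing (Pwn3d!) differs. The following is an added example, not part of NetExec or of this thread: a small triage script that parses the RDP lines quoted in this issue (the timestamp, log level and trailing source-file suffix that --debug adds are stripped first) and classifies each host as "credentials valid" or "RDP session established". The sample input is constructed from the lines posted above; the line format is assumed from those lines only, and no failed-login format is assumed, so anything else is reported as unrecognized.

```python
"""Triage nxc (NetExec) RDP output: "valid credentials" vs "(Pwn3d!)".

Added example, not NetExec code. Line formats are taken from the output
quoted in this issue; lines in any other format are left unclassified.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class RdpResult(Enum):
    HOST_INFO = "host banner: OS build, hostname, domain, NLA status"
    VALID_CREDS = "login succeeded: account exists and the password is correct"
    RDP_ACCESS = "(Pwn3d!): an RDP session was actually established"
    UNRECOGNIZED = "line did not match a known nxc RDP format"


@dataclass
class ParsedLine:
    kind: RdpResult
    host: str = ""
    hostname: str = ""
    domain: str = ""
    user: str = ""
    nla: Optional[bool] = None


# "[20:51:01] INFO " prefix and " rdp.py:299" suffix added by the --debug logger.
PREFIX_RE = re.compile(r"^(\[\d\d:\d\d:\d\d\]\s+)?(DEBUG|INFO)\s+")
SUFFIX_RE = re.compile(r"\s+\S+\.py:\d+$")

# "RDP <ip> <port> <hostname> <OS banner> (name:X) (domain:Y) (nla:True|False)"
BANNER_RE = re.compile(
    r"^RDP\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<hostname>\S+)\s+.*"
    r"\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+\(nla:(?P<nla>True|False)\)$"
)
# "RDP <ip> <port> <hostname> domain\user:password [(Pwn3d!)]"
CRED_RE = re.compile(
    r"^RDP\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<hostname>\S+)\s+"
    r"(?P<domain>[^\\\s]+)\\(?P<user>[^:]+):(?P<password>.*?)(?P<pwned>\s+\(Pwn3d!\))?$"
)


def normalize(line: str) -> str:
    """Strip the debug logger's timestamp/level prefix and file:line suffix."""
    line = PREFIX_RE.sub("", line.strip())
    return SUFFIX_RE.sub("", line)


def parse_line(line: str) -> ParsedLine:
    line = normalize(line)
    m = BANNER_RE.match(line)
    if m:
        return ParsedLine(RdpResult.HOST_INFO, m["host"], m["hostname"],
                          m["domain"], nla=(m["nla"] == "True"))
    m = CRED_RE.match(line)
    if m:
        kind = RdpResult.RDP_ACCESS if m["pwned"] else RdpResult.VALID_CREDS
        return ParsedLine(kind, m["host"], m["hostname"], m["domain"], m["user"])
    return ParsedLine(RdpResult.UNRECOGNIZED)


def triage(output: str) -> dict:
    """Per host: were the credentials accepted, and did an RDP session open?

    A host with creds_valid=True and rdp_session=False is exactly the
    "login success without Pwn3d!" case: the account and password are good,
    but that says nothing about whether the user may log on over RDP there.
    """
    hosts: dict = {}
    for raw in output.splitlines():
        p = parse_line(raw)
        if p.kind is RdpResult.UNRECOGNIZED:
            continue
        entry = hosts.setdefault(p.host, {
            "hostname": p.hostname, "nla": None,
            "creds_valid": False, "rdp_session": False, "users": set(),
        })
        if p.kind is RdpResult.HOST_INFO:
            entry["nla"] = p.nla
        else:
            entry["creds_valid"] = True
            entry["users"].add(f"{p.domain}\\{p.user}")
            if p.kind is RdpResult.RDP_ACCESS:
                entry["rdp_session"] = True
    return hosts


# Constructed sample: the four RDP lines quoted in this issue plus one
# unrelated debug line, to show that it is ignored rather than misread.
SAMPLE_OUTPUT = r"""
[20:51:01] INFO RDP 172.16.172.180 3389 DC01 Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:final.com) (nla:True) rdp.py:114
[20:51:01] INFO RDP 172.16.172.180 3389 DC01 final.com\nina:s3curepassw0rd! rdp.py:299
DEBUG Closing connection to: 172.16.172.180
[20:51:43] INFO RDP 172.16.172.183 3389 JUMP03 Windows 10 or Windows Server 2016 Build 17763 (name:JUMP03) (domain:final.com) (nla:True) rdp.py:114
[20:51:44] INFO RDP 172.16.172.183 3389 JUMP03 final.com\nina:s3curepassw0rd! (Pwn3d!) rdp.py:291
"""

if __name__ == "__main__":
    for host, info in triage(SAMPLE_OUTPUT).items():
        status = "RDP session established" if info["rdp_session"] else "creds valid only"
        print(f"{host} ({info['hostname']}, nla={info['nla']}): {status}, "
              f"users={sorted(info['users'])}")
```

Run against the output posted above, DC01 comes out as "creds valid only" and JUMP03 as "RDP session established". The script deliberately does not map (Pwn3d!) to "local admin": for the rdp protocol it records only that a session was opened, which is the meaning given in this thread, not the SMB meaning in the documentation quoted below.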
That is what I inferred. But as the documentation says:
Authentication
Failed logins result in a [-]
Successful logins result in a [+] Domain\Username:Password
Local admin access results in a (Pwn3d!) added after the login confirmation, shown below.
That's why I first opened up an issue. But as it is under the SMB part, I now deduce it was only for the SMB protocol. But for consistency, you should have a proper explanation for each protocol, or consistency through the Pwn3d! result. What do you think?
Yes, the documentation is outdated on this point and needs to be updated!!!
Documentation updated :)
Thanks a lot @mpgn!
From a Linux machine, netexec says that a user has the right to connect through the RDP protocol, even if in reality it doesn't:

And, if RDP is truly accessible, it says Pwn3d!, even if the user is just low-privileged: