Closed ArchyInUse closed 3 months ago
Marshall-Hallenbeck
commented
4 months ago @ArchyInUse Hey thanks for the bug report. Would you mind re-running with the --debug option, and posting the entire output?
From what I see right now, you should use --smb-timeout, not --timeout. It can be confusing, but the former is for the SMB connection, the latter is for the entire thread.
ArchyInUse
commented
4 months ago Hey, first off I'd like to say thank you, the smb-timeout option does work! as for the log I'm providing it as can be seen below, I've blanked out the IP and the domain as it's a part of a course I'm doing. If you need any more information please let me know :)
[16:11:38] DEBUG NXC VERSION: 1.2.0 - ItsAlwaysDNS - kali cli.py:27
DEBUG PYTHON VERSION: 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0] netexec.py:80
DEBUG RUNNING ON: Linux Release: 6.8.11-amd64 netexec.py:81
DEBUG Passed args: Namespace(threads=256, timeout=None, jitter=None, verbose=False, debug=True, no_progress=False, log=None, force_ipv6=False, dns_server=None, netexec.py:82
dns_tcp=False, dns_timeout=3, version=False, protocol='smb', target=['<IP>'], username=['generic.domain\\administrator'], password=[], cred_id=[],
ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False, gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False,
use_kcache=False, aesKey=None, kdcHost=None, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None, module=None,
module_options=[], list_modules=False, show_module_options=False, hash=['<HASH>'], delegate=None, no_s4u2proxy=False,
domain=None, local_auth=False, port=445, share='C$', smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None,
dpapi=None, sccm=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=True, no_write_check=False, filter_shares=None, sessions=False,
disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None, pass_pol=False, rid_brute=None,
wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='', depth=None, only_files=False, pattern=None,
regex=None, put_file=None, get_file=None, append_host=False, exec_method='wmiexec', dcom_timeout=5, get_output_tries=100, codec='utf-8', no_output=False,
execute=None, ps_execute=None, obfs=False, amsi_bypass=None, clear_obfscripts=False, force_ps32=False, no_encode=False)
DEBUG Protocol: smb netexec.py:136
DEBUG Protocol Path: /usr/lib/python3/dist-packages/nxc/protocols/smb.py netexec.py:139
DEBUG Protocol DB Path: /usr/lib/python3/dist-packages/nxc/protocols/smb/database.py netexec.py:141
DEBUG Protocol Object: <class 'protocol.smb'>, type: <class 'type'> netexec.py:144
DEBUG Protocol Object dir: ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', netexec.py:145
'__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__',
'__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'call_cmd_args', 'call_modules', 'check_if_admin', 'computers',
'create_conn_obj', 'create_smbv1_conn', 'create_smbv3_conn', 'disks', 'domainfromdnshostname', 'domainfromdsn', 'dpapi', 'enable_remoteops',
'enum_host_info', 'execute', 'gen_relay_list', 'get_dc_ips', 'get_file', 'get_file_single', 'get_os_arch', 'groups', 'hash_login', 'inc_failed_login',
'kerberos_login', 'load_modules', 'local_groups', 'loggedon_users', 'login', 'lsa', 'mark_pwned', 'ntds', 'over_fail_limit', 'parse_credentials',
'pass_pol', 'plaintext_login', 'print_host_info', 'proto_args', 'proto_flow', 'proto_logger', 'ps_execute', 'put_file', 'put_file_single',
'query_db_creds', 'resolver', 'rid_brute', 'sam', 'sccm', 'sessions', 'shares', 'spider', 'try_credentials', 'users', 'wmi']
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:147
DEBUG DB Path: /root/.nxc/workspaces/default/smb.db netexec.py:150
DEBUG Creating ThreadPoolExecutor netexec.py:44
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:47
INFO Socket info: host=<IP>, hostname=<IP>, kerberos=False, ipv6=False, link-local ipv6=False connection.py:160
DEBUG Kicking off proto_flow connection.py:216
[16:11:39] INFO Error creating SMBv1 connection to <IP>: Error occurs while reading from remote(104) smb.py:502
DEBUG Created connection object connection.py:221
[16:11:40] DEBUG Update Hosts: [{'id': 31, 'ip': '<IP>', 'hostname': 'MS01', 'domain': 'generic.domain', 'os': 'Windows 10 / Server 2019 Build 19041', 'dc': None, database.py:280
'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]
DEBUG add_host() - Host IDs Updated: [31] database.py:290
DEBUG Error logging off system: Error occurs while reading from remote(104) smb.py:259
INFO Resolved domain: generic.domain with dns, kdcHost: <DCIP> smb.py:267
[16:11:40] INFO SMB <IP> 445 MS01 Windows 10 / Server 2019 Build 19041 x64 (name:MS01) (domain:generic.domain) (signing:False) smb.py:272
(SMBv1:False)
SMB <IP> 445 MS01 Windows 10 / Server 2019 Build 19041 x64 (name:MS01) (domain:generic.domain) (signing:False)
(SMBv1:False)
[16:11:41] INFO Error creating SMBv1 connection to <IP>: Error occurs while reading from remote(104) smb.py:502
[16:11:43] DEBUG Adding credentials: [{'id': 27, 'domain': 'generic.domain', 'username': 'administrator', 'password': '<HASH>', 'credtype': 'hash', database.py:347
'pillaged_from_hostid': None}]
DEBUG smb hosts() - results: [(31, '<IP>', 'MS01', 'generic.domain', 'Windows 10 / Server 2019 Build 19041', None, False, False, None, None, None)] database.py:495
[16:11:43] INFO SMB <IP> 445 MS01 generic.domain\administrator:<HASH> (Pwn3d!) smb.py:455
SMB <IP> 445 MS01 generic.domain\administrator:<HASH> (Pwn3d!)
DEBUG smb hosts() - results: [(31, '<IP>', 'MS01', 'generic.domain', 'Windows 10 / Server 2019 Build 19041', None, False, False, None, None, None)] database.py:495
DEBUG Calling command arguments connection.py:229
DEBUG Calling shares() connection.py:250
DEBUG domain: generic.domain smb.py:736
[16:11:45] INFO Shares returned: [<impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f9cdd89f150>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f9cdd89fa10>, smb.py:744
<impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f9cdd89ee90>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f9cdd89c110>]
[16:11:51] ERROR Exception while calling proto_flow() on target <IP>: The NETBIOS connection with the remote host timed out. connection.py:168
╭───────────────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────────────╮
│ /usr/lib/python3/dist-packages/impacket/nmb.py:984 in non_polling_read │
│ │
│ 981 │ │ while bytes_left > 0: │
│ 982 │ │ │ self._sock.settimeout(timeout) │
│ 983 │ │ │ try: │
│ ❱ 984 │ │ │ │ received = self._sock.recv(bytes_left) │
│ 985 │ │ │ except socket.timeout: │
│ 986 │ │ │ │ raise NetBIOSTimeout │
│ 987 │ │ │ except Exception as ex: │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
TimeoutError: timed out
During handling of the above exception, another exception occurred:
╭───────────────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────────────╮
│ /usr/lib/python3/dist-packages/nxc/connection.py:163 in __init__ │
│ │
│ 160 │ │ self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, │
│ kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local │
│ ipv6={self.is_link_local_ipv6}") │
│ 161 │ │ │
│ 162 │ │ try: │
│ ❱ 163 │ │ │ self.proto_flow() │
│ 164 │ │ except Exception as e: │
│ 165 │ │ │ if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e): │
│ 166 │ │ │ │ self.logger.error(f"Exception while calling proto_flow() on target │
│ {target}: {e}") │
│ │
│ /usr/lib/python3/dist-packages/nxc/connection.py:230 in proto_flow │
│ │
│ 227 │ │ │ │ │ self.call_modules() │
│ 228 │ │ │ │ else: │
│ 229 │ │ │ │ │ self.logger.debug("Calling command arguments") │
│ ❱ 230 │ │ │ │ │ self.call_cmd_args() │
│ 231 │ │
│ 232 │ def call_cmd_args(self): │
│ 233 │ │ """Calls all the methods specified by the command line arguments │
│ │
│ /usr/lib/python3/dist-packages/nxc/connection.py:251 in call_cmd_args │
│ │
│ 248 │ │ for attr, value in vars(self.args).items(): │
│ 249 │ │ │ if hasattr(self, attr) and callable(getattr(self, attr)) and value is not │
│ False and value is not None: │
│ 250 │ │ │ │ self.logger.debug(f"Calling {attr}()") │
│ ❱ 251 │ │ │ │ getattr(self, attr)() │
│ 252 │ │
│ 253 │ def call_modules(self): │
│ 254 │ │ """Calls modules and performs various actions based on the module's attributes. │
│ │
│ /usr/lib/python3/dist-packages/nxc/protocols/smb.py:767 in shares │
│ │
│ 764 │ │ │ read = False │
│ 765 │ │ │ write = False │
│ 766 │ │ │ try: │
│ ❱ 767 │ │ │ │ self.conn.listPath(share_name, "*") │
│ 768 │ │ │ │ read = True │
│ 769 │ │ │ │ share_info["access"].append("READ") │
│ 770 │ │ │ except SessionError as e: │
│ │
│ /usr/lib/python3/dist-packages/impacket/smbconnection.py:400 in listPath │
│ │
│ 397 │ │ """ │
│ 398 │ │ │
│ 399 │ │ try: │
│ ❱ 400 │ │ │ return self._SMBConnection.list_path(shareName, path, password) │
│ 401 │ │ except (smb.SessionError, smb3.SessionError) as e: │
│ 402 │ │ │ raise SessionError(e.get_error_code(), e.get_error_packet()) │
│ 403 │
│ │
│ /usr/lib/python3/dist-packages/impacket/smb3.py:1823 in listPath │
│ │
│ 1820 │ │ finally: │
│ 1821 │ │ │ if fileId is not None: │
│ 1822 │ │ │ │ self.close(treeId, fileId) │
│ ❱ 1823 │ │ │ self.disconnectTree(treeId) │
│ 1824 │ │ │
│ 1825 │ │ return files │
│ 1826 │
│ │
│ /usr/lib/python3/dist-packages/impacket/smb3.py:1224 in disconnectTree │
│ │
│ 1221 │ │ treeDisconnect = SMB2TreeDisconnect() │
│ 1222 │ │ packet['Data'] = treeDisconnect │
│ 1223 │ │ packetID = self.sendSMB(packet) │
│ ❱ 1224 │ │ packet = self.recvSMB(packetID) │
│ 1225 │ │ if packet.isValidAnswer(STATUS_SUCCESS): │
│ 1226 │ │ │ shareName = self._Session['TreeConnectTable'][treeId]['ShareName'] │
│ 1227 │ │ │ del(self._Session['TreeConnectTable'][shareName]) │
│ │
│ /usr/lib/python3/dist-packages/impacket/smb3.py:512 in recvSMB │
│ │
│ 509 │ │ if packetID in self._Connection['OutstandingResponses']: │
│ 510 │ │ │ return self._Connection['OutstandingResponses'].pop(packetID) │
│ 511 │ │ │
│ ❱ 512 │ │ data = self._NetBIOSSession.recv_packet(self._timeout) │
│ 513 │ │ │
│ 514 │ │ if data.get_trailer().startswith(b'\xfdSMB'): │
│ 515 │ │ │ # Packet is encrypted │
│ │
│ /usr/lib/python3/dist-packages/impacket/nmb.py:915 in recv_packet │
│ │
│ 912 │ │ self._sock.sendall(p.rawData()) │
│ 913 │ │
│ 914 │ def recv_packet(self, timeout = None): │
│ ❱ 915 │ │ data = self.__read(timeout) │
│ 916 │ │ NBSPacket = NetBIOSSessionPacket(data) │
│ 917 │ │ if NBSPacket.get_type() == NETBIOS_SESSION_KEEP_ALIVE: │
│ 918 │ │ │ # Discard packet │
│ │
│ /usr/lib/python3/dist-packages/impacket/nmb.py:1002 in __read │
│ │
│ 999 │ │ return bytes(data) │
│ 1000 │ │
│ 1001 │ def __read(self, timeout = None): │
│ ❱ 1002 │ │ data = self.read_function(4, timeout) │
│ 1003 │ │ type, flags, length = unpack('>ccH', data) │
│ 1004 │ │ if ord(type) == NETBIOS_SESSION_MESSAGE: │
│ 1005 │ │ │ length |= ord(flags) << 16 │
│ │
│ /usr/lib/python3/dist-packages/impacket/nmb.py:986 in non_polling_read │
│ │
│ 983 │ │ │ try: │
│ 984 │ │ │ │ received = self._sock.recv(bytes_left) │
│ 985 │ │ │ except socket.timeout: │
│ ❱ 986 │ │ │ │ raise NetBIOSTimeout │
│ 987 │ │ │ except Exception as ex: │
│ 988 │ │ │ │ raise NetBIOSError('Error occurs while reading from remote', │
│ ERRCLASS_OS, ex.errno) │
│ 989 │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
[16:11:52] DEBUG Closing connection to: <IP> connection.py:170
NeffIsBack
commented
4 months ago Oh that should be caught. Thanks for the report!
NeffIsBack
commented
3 months ago Should be fixed with #387
Describe the bug Whenever I try to list shares using --shares or -M spider_plus, netexec gives me a NETBIOS timeout error and does not show the shares, it recognizes the account is valid (and administrator in this instance) but crashes when trying to list shares, smbclient works for me, i can do everything I expect from --shares and -M spider_plus. tested on both kali apt repo version and the newest release from the releases pages
To Reproduce command:
netexec smb <ip> -u <username> -p <password> (or -H <hash>, doesnt work for either) --shares (or -M spider_plus)Expected behavior A list of shares and permissions for those shares, or the spider module downloading the files in the shares.
Screenshots
NetExec info
Additional context I will also need to test this on a fresh kali install (although I havent made many changes to mine) which I am in the process of testing now.