Pennyw0rth / NetExec

The Network Execution Tool
https://netexec.wiki/
BSD 2-Clause "Simplified" License

Issue with FQDN #60

Closed bongobongoland closed 10 months ago

bongobongoland commented 11 months ago

Not present in the cme binary or the Linux version.

Throws the error: ERROR Domain TestDomain for user TestAdmin need to be FQDN ex:domain.local, not domain

In other words, it won't run unless I enter -d TestDomain.lan.

bongobongoland commented 11 months ago

Additional info: DCs do not allow logging in (say, manually via RDP) using the full FQDN; only the domain without .lan is allowed. But NXC requires (for an unknown reason) the FQDN. Hence, it can log in.

Marshall-Hallenbeck commented 11 months ago

@bongobongoland can you provide logs with --debug so we can see what's going on?

bongobongoland commented 11 months ago

PS C:\nxc> .\nxc.exe --debug smb 192.168.0.123 -u administrator -p 'test@123'
[09:02:14] DEBUG    Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, protocol='smb',  netexec.py:99
                    target=['192.168.0.123'], cred_id=[], username=['administrator'], password=['test@123'], ignore_pw_decoding=False, kerberos=False,
                    no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None,
                    fail_limit=None, module=None, module_options=[], list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0',
                    server_port=None, connectback_host=None, hash=[], domain=None, local_auth=False, port=445, share='C$', smb_server_port=445,
                    gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, mkfile=None, pvk=None, enabled=False,
                    userntds=None, shares=False, no_write_check=False, filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None,
                    loggedon_users=False, users=None, groups=None, computers=None, local_groups=None, pass_pol=False, rid_brute=None, wmi=None,
                    wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='', pattern=None, regex=None, depth=None,
                    only_files=False, put_file=None, get_file=None, append_host=False, exec_method=None, dcom_timeout=5, get_output_tries=5, codec='utf-8',
                    force_ps32=False, no_output=False, execute=None, ps_execute=None, obfs=False, amsi_bypass=None, clear_obfscripts=False)
           DEBUG    Protocol: smb                                                                                                                               netexec.py:155
           DEBUG    Protocol Path: C:\Users\poop\AppData\Local\Temp\_MEI154482\nxc\protocols\smb.py                                                              netexec.py:158
           DEBUG    Protocol DB Path: C:\Users\poop\AppData\Local\Temp\_MEI154482\nxc\protocols\smb\database.py                                                  netexec.py:160
[09:02:16] DEBUG    Protocol Object: <class 'protocol.smb'>                                                                                                     netexec.py:163
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                                             netexec.py:165
           DEBUG    DB Path: C:\Users\poop/.nxc\workspaces\default\smb.db                                                                                        netexec.py:168
           DEBUG    Using proactor: IocpProactor                                                                                                        proactor_events.py:633
           DEBUG    Creating ThreadPoolExecutor                                                                                                                  netexec.py:56
           DEBUG    Creating thread for <class 'protocol.smb'>                                                                                                   netexec.py:59
           INFO     Socket info: host=192.168.0.123, hostname=192.168.0.123, kerberos=False                                                                   connection.py:95
           DEBUG    Kicking off proto_flow                                                                                                                   connection.py:155
[09:02:17] INFO     Error creating SMBv1 connection to 192.168.0.123: Error occurs while reading from remote(10054)                                                 smb.py:604
[09:02:24] DEBUG    Update Hosts: [{'id': 9, 'ip': '192.168.0.123', 'hostname': 'VM123', 'domain': 'corp', 'os': 'Windows 10.0 Build 17763', 'dc':      database.py:283
                    None, 'smbv1': False, 'signing': True, 'spooler': None, 'zerologon': None, 'petitpotam': None}]
           DEBUG    add_host() - Host IDs Updated: [9]                                                                                                         database.py:293
[09:02:25] DEBUG    Error logging off system: Error occurs while reading from remote(10054)                                                                         smb.py:257
SMB         192.168.0.123   445    VM123       [*] Windows 10.0 Build 17763 x64 (name:VM123) (domain:corp) (signing:True) (SMBv1:False)
           INFO     SMB         192.168.0.123   445    VM123       [*] Windows 10.0 Build 17763 x64 (name:VM123) (domain:corp) (signing:True)        logger.py:159
                    (SMBv1:False)
           ERROR    Domain corp for user administrator need to be FQDN ex:domain.local, not domain                                                            connection.py:372
PS C:\nxc>

The domain is "corp", not corp.local or corp.gov.kp or whatever. So the host's full name is vm123.corp.

Marshall-Hallenbeck commented 11 months ago

@NeffIsBack this has to do with the code added here (I think you did it originally): https://github.com/Pennyw0rth/NetExec/blob/main/nxc/connection.py#L370

NeffIsBack commented 11 months ago

@NeffIsBack this has to do with the code added here (I think you did it originally): https://github.com/Pennyw0rth/NetExec/blob/main/nxc/connection.py#L370

Originally this was done by mpgn, because of problems with NetBIOS domain names inside impacket and the BloodHound extension. For example, adding users to BloodHound is a mess because BloodHound requires the FQDN. One of the remaining open issues: https://github.com/byt3bl33d3r/CrackMapExec/issues/529

@bongobongoland what's the FQDN of your domain?
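The check discussed in this thread rejects any domain without a dot, which conflates a NetBIOS short name with a legitimate single-label DNS domain such as "corp". The following is an added illustration (not NetExec's or impacket's code; `NtlmTargetInfo`, `is_fqdn`, `pick_dns_domain` and `would_reject` are hypothetical names, and the target info values are constructed) of a check that instead compares the user-supplied domain against the names the target itself advertises in its NTLM challenge:

```python
"""Single-label AD domains vs. the 'must contain a dot' FQDN heuristic.

Added example for this issue; not NetExec's or impacket's code.
All helper names are hypothetical and the sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NtlmTargetInfo:
    """Subset of the AV pairs a server returns in its NTLM challenge
    (constructed sample values, not captured from a real host)."""
    nb_domain: str   # NetBIOS domain name, e.g. "CORP"
    dns_domain: str  # DNS domain name, e.g. "corp" or "testdomain.lan"


def is_fqdn(domain: str) -> bool:
    """The heuristic implied by the error message in this thread:
    'fully qualified' means 'contains a dot'. It wrongly rejects a
    single-label forest such as 'corp' (hosts like vm123.corp)."""
    return "." in domain


def pick_dns_domain(user_domain: str, info: NtlmTargetInfo) -> str:
    """Return the DNS domain to use (e.g. for Kerberos or BloodHound output).

    Instead of demanding a dot, match what the user typed against the
    names the target advertises (case-insensitive, trailing dot ignored):
      - equals the advertised DNS domain -> use it, even if single-label;
      - equals the NetBIOS short name    -> map it to the DNS domain;
      - anything else                    -> refuse rather than guess.
    """
    want = user_domain.strip().rstrip(".").lower()
    dns = info.dns_domain.strip().rstrip(".").lower()
    nb = info.nb_domain.strip().lower()
    if not want:
        raise ValueError("empty domain")
    if want == dns or want == nb:
        return dns
    # A supplied FQDN that differs from the advertised one is likely a
    # typo or a different forest; surface it instead of silently using it.
    raise ValueError(f"domain {user_domain!r} does not match target "
                     f"(NetBIOS {info.nb_domain!r}, DNS {info.dns_domain!r})")


def would_reject(user_domain: str, info: NtlmTargetInfo) -> bool:
    """True if pick_dns_domain() refuses the given domain for this target."""
    try:
        pick_dns_domain(user_domain, info)
    except ValueError:
        return True
    return False
```

With the values from this thread, the dot heuristic rejects "corp" outright, whereas the advertised-name check accepts "corp" or "CORP" for a target whose DNS domain really is "corp" and maps "TestDomain" to "testdomain.lan" where that is what the host reports.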

Marshall-Hallenbeck commented 11 months ago

The whole domain is just "corp" there's no TLD.

mpgn commented 10 months ago

This kind of domain is not very common; did it work with -d corp.local @bongobongoland?

bongobongoland commented 10 months ago

This kind of domain is not very common; did it work with -d corp.local @bongobongoland?

Hi. No, it doesn't work, because in the AD that's how it's defined: corp, there's no TLD.

XiaoliChan commented 10 months ago

@bongobongoland Can you try with impacket's script DumpNTLMInfo.py 192.168.0.123 ?

bongobongoland commented 10 months ago

I'll try if I get a chance.

XiaoliChan commented 10 months ago

~I think there is something wrong when getting the SMB NTLM info~

NeffIsBack commented 10 months ago

Resolved with #88