Closed BlWasp closed 10 months ago
Since I encountered this issue during a real pentest, I have obfuscated all the sensitive values (domain, username, IP address, etc.). I hope the explanations are still clear.
Yeah, we need to change the rule if option -d is used
Too fast. Thanks for the precision.
Ok, it's working fine, you simply provide a password which is not necessary as the user is already authenticated into the socks. In fact, you relay a user auth but you already know the password of the user; it doesn't make sense to me.
use -p ''
@BlWasp to give you an update, the fqdn check will be removed in #88 while improving NetBIOS name handling
Hello guys, sorry for the delay. Thanks @mpgn for the verification. It could just be interesting to write a specific error message for this use case, since it was possible to specify a random password in the previous versions of the tool when using it through a socks, to indicate that -p '' should be specified.
But effectively, if, as mentioned by @NeffIsBack, the check will be removed in the PR, maybe it's not necessary.
Resolved with #88
Describe the bug
This issue is possibly already known, but I haven't seen it in the issue list.
The fact that the domain declaration now forces the presence of a dot for an FQDN format blocks the use of NetExec through a socks session set up with Impacket's ntlmrelayx.py. ntlmrelayx.py sets up socks sessions with the format DOMAIN/username, and it now cannot be used with NetExec to authenticate.

To Reproduce
Set up proxy socks sessions with ntlmrelayx.py on SMB from an NTLM relay with a command like this:
ntlmrelayx.py -tf noSigning.txt -smb2support -socks
This results in sessions like this:
Now, we attempt to authenticate on the target with the credentials.
Command:
proxychains4 -q poetry run netexec smb <target> -u USER -d DOMAIN -p password
Resulted in:
And if we declare the domain as DOMAIN.local, ntlmrelayx.py drops an error for no available session.

Expected behavior
NetExec should be able to handle this format of domain declaration to authenticate through a socks session opened with ntlmrelayx.py.

NetExec info
Additional context
As indicated in the error message, the problem comes from line 372 in the connection.py file. Here are lines 370, 371, 372 and 373:
For the moment, as a temporary workaround, these lines can be commented out to perform a successful authentication through a socks.
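As an added illustration of the two failure modes the issue reports (this is example code written for this page, not NetExec's or Impacket's own code; the function names, the regexes, the constructed session table and the assumption that relay sessions are keyed on the NetBIOS-style DOMAIN/username shown above are all hypothetical), here is a strict "must contain a dot" domain check next to a relaxed one that accepts both an FQDN and a NetBIOS short name and normalises the domain to the key a relay session would be stored under:

```python
# Added example for this issue page; not NetExec's or ntlmrelayx's code.
# Assumptions (hypothetical): relay SOCKS sessions are keyed as
# "NETBIOSDOMAIN/username", and the "FQDN" check is a simple dot requirement.
import re
from typing import Optional, Tuple

# Hypothetical FQDN pattern: two or more labels separated by dots.
FQDN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# NetBIOS domain name: a single label, no dots, at most 15 characters.
NETBIOS_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")

# Constructed sample of relay sessions, in the DOMAIN/username form the issue shows.
RELAY_SESSIONS = {
    "CORP/jdoe": {"target": "10.0.0.5", "protocol": "SMB"},
}


def strict_domain_check(domain: str) -> bool:
    """Behaviour the issue describes: only a dotted FQDN passes."""
    return bool(FQDN_RE.match(domain))


def relaxed_domain_check(domain: str) -> bool:
    """Accepts either a dotted FQDN or a bare NetBIOS name."""
    return bool(FQDN_RE.match(domain) or NETBIOS_RE.match(domain))


def netbios_name(domain: str) -> str:
    """Leftmost label, upper-cased: 'corp.local' -> 'CORP', 'CORP' -> 'CORP'.
    Assumption for this example: that is what the relay keys sessions on."""
    return domain.split(".")[0].upper()


def socks_session_key(domain: str, username: str) -> str:
    """Build the hypothetical DOMAIN/username session key."""
    return f"{netbios_name(domain)}/{username}"


def lookup_as_given(domain: str, username: str,
                    sessions=RELAY_SESSIONS) -> Tuple[Optional[dict], str]:
    """Strict check and no normalisation: 'CORP' is rejected by the check,
    'CORP.local' passes the check but matches no session key."""
    if not strict_domain_check(domain):
        return None, "rejected by FQDN check"
    session = sessions.get(f"{domain.upper()}/{username}")
    return session, "ok" if session else "no available session"


def find_session(domain: str, username: str,
                 sessions=RELAY_SESSIONS) -> Tuple[Optional[dict], str]:
    """Relaxed check plus NetBIOS normalisation: both 'CORP' and 'CORP.local'
    resolve to the same session key."""
    if not relaxed_domain_check(domain):
        return None, "invalid domain"
    session = sessions.get(socks_session_key(domain, username))
    return session, "ok" if session else "no available session"


if __name__ == "__main__":
    for dom in ("CORP", "CORP.local", "OTHER"):
        print(dom, "as given:", lookup_as_given(dom, "jdoe")[1],
              "| normalised:", find_session(dom, "jdoe")[1])
```

The point of the normalisation is that the short name and the FQDN refer to the same relayed identity, so the lookup should derive the NetBIOS label rather than force the user to guess which spelling the relay used.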