Pennyw0rth / NetExec

The Network Execution Tool
https://netexec.wiki/
BSD 2-Clause "Simplified" License

New domain formatting with dot blocks socks authentications #78

Closed BlWasp closed 10 months ago

BlWasp commented 11 months ago

Describe the bug This issue is possibly already known, but I haven't seen it in the issue list.

The fact that the domain declaration now forces the presence of a dot for an FQDN format blocks the use of NetExec through a socks session set up with Impacket's ntlmrelayx.py. ntlmrelayx.py sets up socks sessions with the format DOMAIN/username, and it now cannot be used with NetExec to authenticate.

To Reproduce Set up proxy socks sessions with ntlmrelayx.py on SMB from an NTLM relay with a command like this:

ntlmrelayx.py -tf noSigning.txt -smb2support -socks

This results in sessions like this:

ntlmrelayx> socks
Protocol  Target        Username           AdminStatus  Port 
--------  ------------  -----------------  -----------  ----
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445 

Now, we attempt to authenticate on the target with the credentials.

Running the command resulted in:

proxychains4 -q poetry run netexec smb <target> -u USER -d DOMAIN -p password
SMB         <target_IP>    445    <target>       [*] Windows 10.0 Build 19041 (name:<target>) (domain:DOMAIN) (signing:False) (SMBv1:False)
[12:29:08] ERROR    Domain DOMAIN for user USER need to be FQDN ex:domain.local, not domain                                     connection.py:372

And if we declare the domain as DOMAIN.local, ntlmrelayx.py drops an error for no available session.

[2023-10-16 12:30:01] [-] SOCKS: No session for DOMAIN.LOCAL/USER@<target_IP>(445) available

Expected behavior NetExec should be able to handle this format of domain declaration to authenticate through a socks session opened with ntlmrelayx.py.

NetExec info

Additional context As indicated in the error message, the problem comes from line 372 in the connection.py file. Here are lines 370 to 373:

        # Enforcing FQDN for SMB if not using local authentication. Related issues/PRs: #26, #28, #24, #38
        if self.args.protocol == 'smb' and not self.args.local_auth and "." not in domain and not self.args.laps and secret != "" and not (self.domain.upper() == self.hostname.upper()) :
            self.logger.error(f"Domain {domain} for user {username.rstrip()} need to be FQDN ex:domain.local, not domain")
            return False

For the moment, as a temporary workaround, these lines can be commented to perform a successful authentication through a socks.

BlWasp commented 11 months ago

Since I encountered this issue during a real pentest, I have obfuscated all the sensitive values (domain, username, IP address, etc.). I hope the explanations are still clear.

mpgn commented 11 months ago

Yeah, we need to change the rule if option -d is used


BlWasp commented 11 months ago

Too fast. Thanks for the precision.

mpgn commented 11 months ago

Ok, it's working fine. You simply provide a password which is not necessary, as the user is already authenticated into the socks. In fact, you relay a user auth but you already know the password of the user; it doesn't make sense to me.

use -p ''
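To make the interplay mpgn describes concrete, here is an added example (not NetExec or Impacket code) that models the two gates an attempt has to pass: the pre-#88 FQDN rule, rewritten from the four lines of connection.py quoted in the issue, and a simplified relay-side lookup keyed the way ntlmrelayx's "No session for DOMAIN/USER@target(port)" message names sessions. The session table, function names, target address and hostname are constructed for illustration; the relay lookup deliberately ignores the password, since the relayed session is already authenticated.

```python
"""Model of the collision between the old NetExec FQDN check and ntlmrelayx
SOCKS sessions.  Added example, not code from NetExec or Impacket."""

# Constructed SOCKS session table, modelled on the `ntlmrelayx> socks`
# listing in the issue: one relayed session per (protocol, target, port,
# DOMAIN/USER).  The domain is whatever the victim sent (NetBIOS style).
SOCKS_SESSIONS = {
    ("SMB", "10.0.0.5", 445, "CORP/ALICE"),
    ("SMB", "10.0.0.6", 445, "CORP/BOB"),
}


def socks_session_exists(target, port, domain, username, protocol="SMB"):
    """Simplified relay-side lookup (assumption: exact match on the
    upper-cased DOMAIN/USER).  No password is involved: the relayed
    session is already authenticated, which is why -p '' is enough."""
    key = (protocol, target, port, f"{domain.upper()}/{username.upper()}")
    return key in SOCKS_SESSIONS


def fqdn_check_passes(protocol, domain, username, secret, hostname,
                      local_auth=False, laps=False):
    """The pre-#88 rule from connection.py:372 as quoted in the issue:
    reject when SMB, not local auth, no '.' in the domain, not LAPS,
    a non-empty secret, and the domain differs from the hostname."""
    if (protocol == "smb" and not local_auth and "." not in domain
            and not laps and secret != ""
            and domain.upper() != hostname.upper()):
        return False
    return True


def attempt(domain, username, secret, target="10.0.0.5", hostname="WS01"):
    """Run both gates in order and report which one stopped the attempt."""
    if not fqdn_check_passes("smb", domain, username, secret, hostname):
        return "rejected by NetExec FQDN check"
    if not socks_session_exists(target, 445, domain, username):
        return "rejected by relay: no SOCKS session"
    return "authenticated through SOCKS"


if __name__ == "__main__":
    # The three attempts discussed in the issue, in order:
    print(attempt("CORP", "alice", "password"))        # -d DOMAIN with a password
    print(attempt("CORP.local", "alice", "password"))  # FQDN satisfies NetExec, relay has no such session
    print(attempt("CORP", "alice", ""))                # -d DOMAIN -p '' passes both gates
```

The second case is the trap from the bug report: adding ".local" satisfies the NetExec rule but changes the key the relay is asked for, so the relay answers "No session". Because the rule only fires when `secret != ""`, an empty password sidesteps it without touching the session key, which is exactly the `-p ''` advice above.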

NeffIsBack commented 10 months ago

@BlWasp to give you an update, the fqdn check will be removed in #88 while improving NetBIOS name handling

BlWasp commented 10 months ago

Hello guys, sorry for the delay. Thanks @mpgn for the verification. It could just be interesting to write a specific error message for this use case, since it was possible to specify a random password on the previous versions of the tool when using it through a socks, to indicate that -p '' should be specified.

But effectively, if, as mentioned by @NeffIsBack, the check will be removed in the PR, maybe it's not necessary.

NeffIsBack commented 10 months ago

Resolved with #88