SySS-Research / Seth

Perform a MitM attack and extract clear text credentials from RDP connections
MIT License

ValueError: file descriptor cannot be a negative integer (-1) - Can't figure out the issue #29

Closed m0nk3y-s3c closed 5 years ago

m0nk3y-s3c commented 5 years ago

```
[*] Spoofing arp replies...
[*] Turning on IP forwarding...
[*] Set iptables rules for SYN packets...
[*] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is 1xx.xx.xx.xxx
[*] Clone the x509 certificate of the original destination...
[*] Adjust the iptables rule for all packets...
[*] Run RDP proxy...
Listening for new connection
Connection received from 1xx.xx.xx.xxx:18885
Downgrading authentication options from 11 to 3
Listening for new connection
Enable SSL
Connection lost
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/opt/Seth/seth/main.py", line 47, in run
    self.forward_data()
  File "/opt/Seth/seth/main.py", line 155, in forward_data
    readable, _, _ = select.select([self.lsock, self.rsock], [], [])
ValueError: file descriptor cannot be a negative integer (-1)
Connection received from 1xx.xx.xx.xxx:18887
Downgrading authentication options from 11 to 3
Listening for new connection
Enable SSL
Connection lost
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/opt/Seth/seth/main.py", line 47, in run
    self.forward_data()
  File "/opt/Seth/seth/main.py", line 155, in forward_data
    readable, _, _ = select.select([self.lsock, self.rsock], [], [])
ValueError: file descriptor cannot be a negative integer (-1)
```

Any idea what it may be? Thanks

seajaysec commented 5 years ago

Just wanted to share that I have this identical error. Unable to resolve it.

ospf10 commented 5 years ago

+1. Also having this issue.

```
Connection received from 10.104.11.6:10458
Listening for new connection
From client: 0300002c27e00000000000436f6f6b69653a206d737473686173683d647261676f730d0a010008000b000000
Downgrading authentication options from 11 to 3
From client: (modified) 0300002c27e00000000000436f6f6b69653a206d737473686173683d647261676f730d0a0100080003000000
From server: 030000130ed00000123400020f080002000000
Enable SSL
Connection lost
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/opt/Seth/seth/main.py", line 47, in run
    self.forward_data()
  File "/opt/Seth/seth/main.py", line 155, in forward_data
    readable, _, _ = select.select([self.lsock, self.rsock], [], [])
ValueError: file descriptor cannot be a negative integer (-1)
```

altjx commented 5 years ago

+1 same here.

I was just getting ready to create an issue as well. Not quite sure what's causing this. Tried dissecting the code and doing it all manually as much as possible.

tijldeneut commented 5 years ago

Hi, also wondering why I'm seeing this issue. Happens when intercepting connections from Win10 v1803 to Server 2016 and also to Server 2019 with NLA disabled and enabled. In all cases the error message was the same. I should look into it, because my own research (with a script created before Seth) does work in these cases: https://github.com/tijldeneut/Security/blob/master/rdpstrip.py

Regards

AdrianVollmer commented 5 years ago

Thanks for reporting!

Since everybody seems to suddenly have this issue, I'm inclined to believe it has to do with a recent update, maybe to openssl. Can everybody please include their output of openssl version and python3 --version as well as the name of the Linux distribution you are using?

tijldeneut commented 5 years ago

Hi,

openssl version

OpenSSL 1.1.1a 20 Nov 2018

python3 --version

Python 3.6.8

I am on Kali Rolling

Seems to have something to do with the way the connection closes (Windows creates several client connections and terminates some of them before continuing). The way this happens messes up your workers, I think…

AdrianVollmer commented 5 years ago

I'm having this issue right now as well. Versions are the same as @tijldeneut, as I am also using the latest Kali.

tijldeneut commented 5 years ago

I tried it on Debian 7, 8 and 9 with exactly the same results...

ospf10 commented 5 years ago

same here.

openssl version

OpenSSL 1.1.1a 20 Nov 2018

python3 --version

Python 3.6.8

I am on Kali Rolling

AdrianVollmer commented 5 years ago

So I think this is because Kali recently got an OpenSSL version where RC4 is not compiled in. For a reason which I forgot right now, I decided to prefer RC4 if the server supports it. I think the attack worked better that way in some cases.

The latest commit introduces a check first whether the local openssl version supports RC4.

seajaysec commented 5 years ago

Cool! Thanks so much for looking into this. I'll give the update a test when I have a chance.
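The two conditions discussed in this thread can be checked in isolation. The following is an added example, not part of the original thread and not Seth's code: it asks the local OpenSSL build (through Python's `ssl` module) whether it offers any RC4 cipher, and reproduces the `ValueError` that `select.select()` raises for a closed socket, alongside a wrapper that skips closed sockets. The function names `matching_ciphers`, `reproduce_closed_socket_error` and `readable_sockets` are hypothetical, and the socket pair is constructed locally for the demonstration.

```python
import select
import socket
import ssl


def matching_ciphers(cipher_string, needle):
    """Names of ciphers the local OpenSSL build enables for cipher_string
    (OpenSSL cipher-list syntax) whose name contains needle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # "No cipher can be selected": nothing in this build matches
    # Filter by name as well: TLS 1.3 suites stay enabled regardless of the
    # string, so a successful set_ciphers() alone does not prove a match.
    return [c["name"] for c in ctx.get_ciphers() if needle in c["name"]]


def reproduce_closed_socket_error():
    """Trigger the ValueError from the traceback with a closed socket."""
    a, b = socket.socketpair()  # constructed local pair, no network involved
    a.close()  # a closed socket object reports fileno() == -1
    try:
        select.select([a, b], [], [], 0)
    except ValueError as exc:
        return str(exc)
    finally:
        b.close()
    return None


def readable_sockets(socks, timeout=0.1):
    """select() over socks, skipping any that are already closed."""
    live = [s for s in socks if s.fileno() != -1]
    if not live:
        return []
    readable, _, _ = select.select(live, [], [], timeout)
    return readable


if __name__ == "__main__":
    print("RC4 ciphers available locally:", matching_ciphers("RC4", "RC4"))
    print("select() on a closed socket:", reproduce_closed_socket_error())
```

An empty list for RC4 means the local build has no RC4 cipher suites, which matches the diagnosis given above for OpenSSL 1.1.1a on Kali Rolling.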