TalAloni / SMBLibrary

Free, Open Source, User-Mode SMB 1.0/CIFS, SMB 2.0, SMB 2.1 and SMB 3.0 server and client library
GNU Lesser General Public License v3.0

STATUS_LOGON_FAILURE #259

Closed YildirimMesut closed 3 months ago

YildirimMesut commented 4 months ago

Hi, I know this problem is not about the program but I couldn't solve the issue so I'm looking for advice. This is the code I use:

using SMBLibrary;
using SMBLibrary.Client;
using System;
using System.IO;
using System.Net;
using System.Security;

class Program
{
    static void Main()
    {
        Console.Write("Type IP Adress: ");
        string ipAddress = Console.ReadLine();

        Console.Write("Domain: ");
        string domain = Console.ReadLine();

        Console.Write("username: ");
        string userName = Console.ReadLine();

        Console.Write("Password: ");
        string password = Console.ReadLine();

        GetShares(ipAddress, domain,userName, password);
    }

    static void GetShares(string ipAddress,string domain,string userName, string password)
    {
        try
        {
            var smb = new SMB2Client();
            Console.WriteLine("---test1---");
            var b = smb.Connect(IPAddress.Parse(ipAddress), SMBTransportType.DirectTCPTransport);
            Console.WriteLine("---test2---");
            NTStatus status = smb.Login(domain, userName, password);
            Console.WriteLine("---test3---");
            SMBLibrary.NTStatus actionStatus;
            Console.WriteLine("---test4---");
            if (status == NTStatus.STATUS_SUCCESS)
            {
                var shares = smb.ListShares(out actionStatus);
                Console.WriteLine("---test5---");
                foreach (var share in shares)
                {
                    Console.WriteLine(share);
                }
            }
            else {
                Console.WriteLine("status : ");
                Console.WriteLine(status.ToString());
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Hata: {ex.Message}");
        }
    }
}

I can visit the specified SMB share in File Explorer, but I always get a STATUS_LOGON_FAILURE message when I use this code. I'm definitely sure my credentials are correct. I thought maybe the problem is with the firewall, EDR, etc. (I'm developing this program for the company I work for). So, what's the problem? What do you think about this situation and what should I check? Thanks in advance.

YildirimMesut commented 4 months ago

I also tried NetBiosOverTCP, but I got "A connection must be successfully established before attempting login". And I know, of course, this is perfectly normal because I didn't check the status before trying to login.

TalAloni commented 4 months ago

Hi, this is not a support forum and I don't have the time to help people figure out what mistake they made when using the library.

When people get a login failure, 99.9% of the time it's either invalid credentials or lack of permissions. (Did you specify the correct domain?)

Regarding "A connection must be successfully established before attempting login", this is because your code does not check the value returned from the Connect method.

Closing the issue. Figure this out. If you can prove that this is a bug with the library - then open an issue.

YildirimMesut commented 3 months ago

Hi, sorry but I'm definitely sure there is a bug with the library. I tried this code and also the netexec program with the same credentials (this is a test environment so don't worry about credentials). As you can see my credentials are correct but I still get STATUS_LOGON_FAILURE. On the other hand, I can list shares with netexec without any problem. Also, if you want, you can try it yourself (https://tryhackme.com/r/room/enterprise). (Note: I tried this in 3 different AD environments, 2 different accounts and 2 different computers but the result is always the same.)

smb-client

YildirimMesut commented 3 months ago

and also, if you want I can provide wireshark results of these connections. Just let me know if you want. Thanks in advance for your time.

TalAloni commented 3 months ago

Thanks for setting up a lab, I will test in the coming days and report back.

TalAloni commented 3 months ago

Apparently this server requires signing but expects guest sessions to not sign requests, I'll have to check the specifications to determine if the library handles this correctly.

TalAloni commented 3 months ago

I am now under the impression that the server does not behave according to the specifications. The server sets the SMB2_NEGOTIATE_SIGNING_REQUIRED bit in the Negotiate response, and sets the SMB2_SESSION_FLAG_IS_GUEST bit in the session setup response.

  1. If you believe I am mistaken please direct me to the relevant quotes.
  2. Which software are you using as your SMB server? which version?

According to the SMB2 specifications:

From Section 3.2.5.2:

If the SecurityMode field in the SMB2 header of the response has the SMB2_NEGOTIATE_SIGNING_REQUIRED bit set, the client MUST set Connection.RequireSigning to TRUE

From Section 3.2.5.3.1:

If the global setting RequireMessageSigning is set to TRUE or Connection.RequireSigning is set to TRUE then Session.SigningRequired MUST be set to TRUE, otherwise Session.SigningRequired MUST be set to FALSE

From Section 3.2.5.3.1:

If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response and if Session.SigningRequired is TRUE, this indicates a SESSION_SETUP failure and the connection MUST be terminated.
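
The client-side rule quoted from Sections 3.2.5.2 and 3.2.5.3.1 above, as an added C# example that is not part of the thread and not SMBLibrary code: it reads SecurityMode from a Negotiate response and SessionFlags from a Session Setup response and applies the quoted MUSTs as written. The class and method names are hypothetical, the field offsets and flag values are taken from MS-SMB2, and the two messages are constructed with only the fields the check reads.

```csharp
using System;
using System.Buffers.Binary;

// Added example, not SMBLibrary code. Names are hypothetical; offsets and flag
// values follow MS-SMB2. The responses built in Main are constructed samples.
static class Smb2SigningCheck
{
    const int HeaderSize = 64;                      // fixed SMB2 header length
    const uint ProtocolId = 0x424D53FE;             // bytes 0xFE 'S' 'M' 'B', little-endian
    const ushort NegotiateSigningRequired = 0x0002; // SMB2_NEGOTIATE_SIGNING_REQUIRED
    const ushort SessionFlagIsGuest = 0x0001;       // SMB2_SESSION_FLAG_IS_GUEST

    // Returns the 16-bit field that follows the 2-byte StructureSize of the body:
    // SecurityMode for NEGOTIATE (command 0), SessionFlags for SESSION_SETUP (command 1).
    static ushort ReadFlags(ReadOnlySpan<byte> msg, ushort expectedCommand)
    {
        if (msg.Length < HeaderSize + 4)
            throw new ArgumentException("truncated SMB2 message");
        if (BinaryPrimitives.ReadUInt32LittleEndian(msg) != ProtocolId)
            throw new ArgumentException("not an SMB2 message");
        if (BinaryPrimitives.ReadUInt16LittleEndian(msg.Slice(12)) != expectedCommand)
            throw new ArgumentException("unexpected SMB2 command");
        return BinaryPrimitives.ReadUInt16LittleEndian(msg.Slice(HeaderSize + 2));
    }

    public static string Evaluate(byte[] negotiateResp, byte[] sessionSetupResp, bool requireMessageSigning)
    {
        // 3.2.5.2: SIGNING_REQUIRED in the Negotiate response sets Connection.RequireSigning.
        bool connectionRequireSigning = (ReadFlags(negotiateResp, 0) & NegotiateSigningRequired) != 0;
        // 3.2.5.3.1: Session.SigningRequired follows the global setting or the connection.
        bool sessionSigningRequired = requireMessageSigning || connectionRequireSigning;
        bool isGuest = (ReadFlags(sessionSetupResp, 1) & SessionFlagIsGuest) != 0;
        // 3.2.5.3.1: a guest session while signing is required is a SESSION_SETUP failure.
        if (isGuest && sessionSigningRequired)
            return "terminate connection";
        return sessionSigningRequired ? "session established, signing required"
                                      : "session established, signing optional";
    }

    // Builds a constructed response: SMB2 header plus the first four body bytes.
    static byte[] Build(ushort command, ushort flags)
    {
        var msg = new byte[HeaderSize + 4];
        BinaryPrimitives.WriteUInt32LittleEndian(msg, ProtocolId);
        BinaryPrimitives.WriteUInt16LittleEndian(msg.AsSpan(4), 64);       // header StructureSize
        BinaryPrimitives.WriteUInt16LittleEndian(msg.AsSpan(12), command); // Command field
        BinaryPrimitives.WriteUInt16LittleEndian(msg.AsSpan(HeaderSize + 2), flags);
        return msg;
    }

    static void Main()
    {
        byte[] negotiate = Build(0, 0x0003); // SIGNING_ENABLED | SIGNING_REQUIRED
        Console.WriteLine(Evaluate(negotiate, Build(1, 0x0001), false)); // guest session
        Console.WriteLine(Evaluate(negotiate, Build(1, 0x0000), false)); // authenticated user
    }
}
```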

YildirimMesut commented 3 months ago

Sorry for the late answer, I was sick. I guess it's the default Windows SMB. Btw, you can RDP into this machine with these credentials: bitbucket:littleredbucket. And also, if you think there is a problem with the server, I also tried the code in a real corporate environment with default SMB settings but the result was the same. Here, you can find the SMB configuration and system information of this lab:

PS C:\temp> Get-SmbServerConfiguration

AnnounceComment                 :
AnnounceServer                  : False
AsynchronousCredits             : 512
AuditSmb1Access                 : False
AutoDisconnectTimeout           : 15
AutoShareServer                 : True
AutoShareWorkstation            : True
CachedOpenLimit                 : 10
DurableHandleV2TimeoutInSeconds : 180
EnableAuthenticateUserSharing   : False
EnableDownlevelTimewarp         : False
EnableForcedLogoff              : True
EnableLeasing                   : True
EnableMultiChannel              : True
EnableOplocks                   : True
EnableSecuritySignature         : True
EnableSMB1Protocol              : False
EnableSMB2Protocol              : True
EnableStrictNameChecking        : True
EncryptData                     : False
IrpStackSize                    : 15
KeepAliveTime                   : 2
MaxChannelPerSession            : 32
MaxMpxCount                     : 50
MaxSessionPerConnection         : 16384
MaxThreadsPerQueue              : 20
MaxWorkItems                    : 1
NullSessionPipes                : ,netlogon,samr,lsarpc
NullSessionShares               : Users
OplockBreakWait                 : 35
PendingClientTimeoutInSeconds   : 120
RejectUnencryptedAccess         : True
RequireSecuritySignature        : True
ServerHidden                    : True
Smb2CreditsMax                  : 8192
Smb2CreditsMin                  : 512
SmbServerNameHardeningLevel     : 0
TreatHostAsStableStorage        : False
ValidateAliasNotCircular        : True
ValidateShareScope              : True
ValidateShareScopeNotAliased    : True
ValidateTargetName              : True

PS C:\temp> systeminfo

Host Name:                 LAB-DC
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-70000-00000-AA467
Original Install Date:     3/11/2021, 1:23:37 PM
System Boot Time:          7/18/2024, 7:52:12 AM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version:              Xen 4.11.amazon, 8/24/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,048 MB
Available Physical Memory: 277 MB
Virtual Memory: Max Size:  2,432 MB
Virtual Memory: Available: 548 MB
Virtual Memory: In Use:    1,884 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    LAB.ENTERPRISE.THM
Logon Server:              \\LAB-DC
Hotfix(s):                 6 Hotfix(s) Installed.
                           [01]: KB4601558
                           [02]: KB4512577
                           [03]: KB4577586
                           [04]: KB4580325
                           [05]: KB5000859
                           [06]: KB5000822
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.176.26
                                 [02]: fe80::c0c0:1222:40f4:42df
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

TalAloni commented 3 months ago

I've requested a clarification from Microsoft

TalAloni commented 3 months ago

Fixed in v1.5.3.1. The library now will handle signing correctly when authenticated as a guest. Thanks for the assistance in resolving this issue.

YildirimMesut commented 3 months ago

Hi, I'm sorry but I'm still having the same issue. Am I doing something wrong? Still getting Status_Logon_Failure as you see: image

TalAloni commented 3 months ago

I am using the latest v1.5.3.1 and I am able to successfully login using the same credentials. Please note that 'lab.enterprise.thm\nik' is not a guest user, so the issue that was addressed in v1.5.3.1 does not apply and it should work with earlier versions as well.

I suspect that you have a misaligned clock or other issue on this specific workstation preventing you from logging in. It works for me.

I'm attaching a packet capture with the latest v1.5.3.2 demonstrating that Login works successfully with my library.

SMBLibrary 1.5.3.2 Issue 259.pcapng.zip

YildirimMesut commented 1 month ago

Hello, I am truly very, very sorry for bothering you. Believe me, I unfortunately have no other option. Since you sent the file, I’ve been reviewing it, running tests on different computers and in different lab environments, but the issue just won't resolve, and I keep getting the status_logon_failure error.

I also tested it on computers without any timestamp discrepancies, but the result is the same. I thought maybe the problem is with my computer, so I compiled the application and tested it on other machines, but the result never changed. Once again, I sincerely apologize for bothering you, but I would be really grateful if you could help.

I compared the file you sent with my own, and while I'm not very familiar with Wireshark, I honestly couldn't see much difference between the files. Still, you can find my pcap file attached. Please don't misunderstand me, but if you offer paid consulting services, we can also discuss that for this issue.

Again, I'm so very sorry for bothering you, but I would be truly grateful if you could help. Thank you in advance, and I wish you a good day. smb-client-mine.zip

TalAloni commented 1 month ago

I saw that the server supports guest authentication, are you able to authenticate as guest? I do provide paid consulting, email me for additional details.

YildirimMesut commented 1 month ago

image yes, I can authenticate as guest

TalAloni commented 1 month ago

and if you try other non-guest accounts (similar to 'nik') - does it fail as well? Are you on the latest v1.5.3.5?

YildirimMesut commented 1 month ago

image I tried another non-guest account and got the same result, but I RDP'd into this machine and transferred my smb-client.exe file onto the SMB server and ran it with the same account and I can list SMB shares. This is weird. I can't understand the problem. Is it about the timestamp? image

YildirimMesut commented 1 month ago

I'm not sure but I guess I need to synchronize timestamps and I need to use ntp port of remote server to synchronize timestamps. Am I right? btw yes, I'm using the latest version of library.

TalAloni commented 1 month ago

The clock does not have to be super-accurate, but you need to avoid a misadjusted clock.

YildirimMesut commented 1 month ago

I'm really about to lose my mind; I just can't understand it. I actually tried it in the same AD environment before, and there was no time difference, yet it still didn't work.

YildirimMesut commented 1 month ago

Okay, I'm not sure but I guess I found something. This is when I try to login with smblibrary: image and this is what happens when I try to login using netexec (another SMB client program): image What do you think? I'm not sure if this is the problem. These are the event log files: event-log-differences.zip

TalAloni commented 1 month ago

It doesn't tell me anything other than that one was a success and one a failure. I don't see why I would be able to connect as 'lab.enterprise.thm\nik' and you wouldn't. Are you certain that there is only a single server involved? no weird NAT rules? (load balancing? / port 139 goes one way and port 445 goes another way?)

YildirimMesut commented 1 month ago

Believe me, I don't understand either. You had already connected to the lab environment, and there are no extra rules. I also can connect with other smb-client tools like netexec or impacket. I also set time zones same with server but nothing changed. Additionally, I thought there might be an issue with my computer, so I connected to the TryHackMe lab from another computer, opened Visual Studio, and wrote this code:

using SMBLibrary.Client;
using SMBLibrary;
using System;
using System.Collections.Generic;
using System.Net;
class test
{

    static void Main()
    {
        SMB2Client client = new SMB2Client();
        bool isConnected = client.Connect(IPAddress.Parse("10.10.220.81"), SMBTransportType.DirectTCPTransport);
        if (isConnected)
        {
            NTStatus status = client.Login("lab.enterprise.thm", "nik", "ToastyBoi!",AuthenticationMethod.NtlmV2);
            if (status == NTStatus.STATUS_SUCCESS)
            {
                List<string> shares = client.ListShares(out status);
                foreach (var share in shares)
                {
                    Console.WriteLine(share);
                }
                client.Logoff();
            }
            else
            {
                Console.WriteLine(status.ToString());
            }
            client.Disconnect();
        }
    }
}

The result was the same, STATUS_LOGON_FAILURE, and this is the systeminfo result of the client:

Host Name:                 DESKTOP-04M0GGB
OS Name:                   Microsoft Windows 10 Home
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Cihan
Registered Organization:
Product ID:                00326-10000-00000-AA351
Original Install Date:     2.06.2023, 00:44:06
System Boot Time:          25.09.2024, 10:25:45
System Manufacturer:       ASUSTeK COMPUTER INC.
System Model:              ROG Strix G733QS_G733QS
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 80 Stepping 0 AuthenticAMD ~3301 Mhz
BIOS Version:              American Megatrends International, LLC. G733QS.331, 24.02.2023
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             tr;Türkçe
Input Locale:              tr;Türkçe
Time Zone:                 (UTC+03:00) İstanbul
Total Physical Memory:     32.175 MB
Available Physical Memory: 18.820 MB
Virtual Memory: Max Size:  37.039 MB
Virtual Memory: Available: 21.045 MB
Virtual Memory: In Use:    15.994 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\DESKTOP-04M0GGB
Hotfix(s):                 23 Hotfix(s) Installed.
                           [01]: KB5042097
                           [02]: KB5027122
                           [03]: KB5011048
                           [04]: KB5011071
                           [05]: KB5015684
                           [06]: KB5043064
                           [07]: KB5014032
                           [08]: KB5025315
                           [09]: KB5026879
                           [10]: KB5028318
                           [11]: KB5028380
                           [12]: KB5029709
                           [13]: KB5031539
                           [14]: KB5032392
                           [15]: KB5032907
                           [16]: KB5034224
                           [17]: KB5036447
                           [18]: KB5037018
                           [19]: KB5037240
                           [20]: KB5037995
                           [21]: KB5039336
                           [22]: KB5041579
                           [23]: KB5043935
Network Card(s):           5 NIC(s) Installed.
                           [01]: Realtek PCIe GbE Family Controller
                                 Connection Name: Ethernet
                                 Status:          Media disconnected
                           [02]: MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
                                 Connection Name: Wi-Fi
                                 DHCP Enabled:    Yes
                                 DHCP Server:     172.20.10.1
                                 IP address(es)
                                 [01]: 172.20.10.3
                                 [02]: fe80::cd67:7221:d7d7:c63
                           [03]: Wintun Userspace Tunnel
                                 Connection Name: OpenVPN Wintun
                                 Status:          Media disconnected
                           [04]: TAP-Windows Adapter V9
                                 Connection Name: OpenVPN TAP-Windows6
                                 Status:          Media disconnected
                           [05]: OpenVPN Data Channel Offload
                                 Connection Name: OpenVPN Data Channel Offload
                                 Status:          Media disconnected
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

I work on this issue all the day :( and also, you sent me your wireshark file before. If you want to take a look, here is my file: smb-client-mine.zip