fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

NTLMRelayx self.client.entries IndexError: list index out of range #1412

Open spookey0188 opened 1 year ago

spookey0188 commented 1 year ago

Configuration

impacket version: v0.10.1.dev1+20220720.103933.3c6713e3
Python version: 3.9
Target OS: Kali

Debug Output With Command String

python3 ntlmrelayx.py -6 -t ldaps://[DC] -wh attack-wpad --no-dump --add-computer

[*] HTTPD(80): Authenticating against ldaps://[ip] as / SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
Exception in thread Thread-36:
Traceback (most recent call last):
  File "/usr/lib/python3.9/threading.py", line 973, in _bootstrap_inner
    self.run()
  File "/home/user/.local/lib/python3.9/site-packages/impacket/examples/ntlmrelayx/attacks/ldapattack.py", line 802, in run
    userSid, privs = self.validatePrivileges(self.username, domainDumper)
  File "/home/user/.local/lib/python3.9/site-packages/impacket/examples/ntlmrelayx/attacks/ldapattack.py", line 485, in validatePrivileges
    user = self.client.entries[0]
IndexError: list index out of range

Additional context

Error happened to me on ver 0.9.24 and dev 0.10.1.dev1.


mehmethafif commented 1 year ago

Having the same issue on my end, assuming from the line

"Authenticating against ldaps://[ip] as / SUCCEED"

There should be a username instead of "/", but ntlmrelayx can't seem to gather it, or some security measure prevents it. Any ideas how to resolve the issue?

Edit: Checking in Wireshark, it seems like the authentication comes as / null, probably due to the coercing method used.
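
Added example, not part of the thread or of impacket's code: a minimal parser for the NTLM AUTHENTICATE message that shows how an empty domain and user name produce the `/` identity seen in the log line above, and how to flag such a null session when reviewing a capture. The field layout follows MS-NLMP; reading the `/` in the thread as an anonymous NTLM logon, the names `parse_authenticate` and `build_sample`, and the sample values are assumptions of this example.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001    # strings are UTF-16LE when set, OEM otherwise
NEGOTIATE_ANONYMOUS = 0x00000800  # MS-NLMP: the connection should be anonymous


def _field(msg, pos):
    """Resolve a (Len, MaxLen, BufferOffset) descriptor at pos to its payload bytes."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]


def parse_authenticate(msg):
    """Extract the identity from an NTLM AUTHENTICATE_MESSAGE (type 3)."""
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Assumption: cp437 stands in for the peer's OEM code page.
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    nt_response = _field(msg, 20)
    domain = _field(msg, 28).decode(encoding)
    user = _field(msg, 36).decode(encoding)
    # Null session: anonymous flag set, or no user name and no NT response.
    anonymous = bool(flags & NEGOTIATE_ANONYMOUS) or (not user and not nt_response)
    return {"identity": f"{domain}/{user}", "anonymous": anonymous}


def build_sample(domain, user, nt_response, flags):
    """Constructed test input: 64-byte fixed part (no Version/MIC) plus payload."""
    parts = [b"", nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), b"", b""]  # LM, NT, domain, user, host, key
    header, payload = SIGNATURE + struct.pack("<I", 3), b""
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    return header + struct.pack("<I", flags) + payload


# Constructed samples: a null session and an ordinary named logon.
ANON_MSG = build_sample("", "", b"", NEGOTIATE_UNICODE | NEGOTIATE_ANONYMOUS)
USER_MSG = build_sample("LAB", "alice", b"\x11" * 24, NEGOTIATE_UNICODE)

if __name__ == "__main__":
    for name, msg in (("anonymous", ANON_MSG), ("named", USER_MSG)):
        print(name, parse_authenticate(msg))
```

A session flagged as anonymous carries no account name, so a directory lookup keyed on that name returns no entries.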

breachr commented 8 months ago

Any update on this? I've got the same issue and can't resolve it. Very sad, as WebDAV relay is still quite strong.

nickvourd commented 7 months ago

Any update for this?

ricardojoserf commented 6 months ago

I am also interested in this error. Did anyone find a solution?

nickvourd commented 6 months ago

I don't think this is an error of ntlmrelayx! I think it's an error of a security protection which exists in the environment, like EPA, SMB signing required, etc. Something else is blocking the authentication!

ricardojoserf commented 6 months ago

> I don't think this is an error of ntlmrelayx! I think it's an error of a security protection which exists in the environment, like EPA, SMB signing required, etc. Something else is blocking the authentication!

That makes sense. Thank you!

nickvourd commented 6 months ago

Yeap, think about it: it worked for me in an attack like LDAP signing not enforced + WebDAV service enabled + Coerce authentication (PetitPotam or PrinterBug) + Shadow Credentials or RBCD!

choket commented 6 months ago

I don't think this error is caused by SMB signing or any other kind of protections.

I am running ntlmrelayx in a lab environment where I can always initiate the same HTTP request to the listening server.

When I run the command ntlmrelayx.py -t ldap://192.168.56.10 I get the same error as OP.

But, when I run the command ntlmrelayx.py -t ldap://192.168.56.10 -i and initiate the same HTTP request from the victim to the server running ntlmrelayx, an interactive LDAP shell is successfully started. Then after I connect to the LDAP shell and run dump, ntlmrelayx successfully dumps the LDAP info.

nickvourd commented 6 months ago

Interesting! Honestly I run coerce to relay from HTTP to LDAP/S only with RBCD or Shadow credentials attacks. Thanks for letting me know this...