NetExec: Error on SMB using wrong password
Describe the bug
I’m getting an error while trying to bruteforce passwords using a user list and the same list as passwords. I’m working on the manager box from HTB but I’ve got the same issue on my home lab.
To Reproduce
Steps to reproduce the behavior i.e.:
Command: netexec smb manager.htb -u users.txt -p users.txt
Resulted in:
┌──(fr3sh㉿DeathStar)-[~/Documents/Challenges/hackTheBox/Manager]
└─$ netexec smb manager.htb -u users.txt -p users.txt
SMB 10.10.11.236 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
[15:20:39] ERROR Exception while calling proto_flow() on target 10.10.11.236: too many values to unpack (expected 2) connection.py:123
╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smbconnection.py:278 in login │
│ │
│ 275 │ │ │ if self.getDialect() == smb.SMB_DIALECT: │
│ 276 │ │ │ │ return self._SMBConnection.login(user, password, domain, lmhash, nthash, │
│ ntlmFallback) │
│ 277 │ │ │ else: │
│ ❱ 278 │ │ │ │ return self._SMBConnection.login(user, password, domain, lmhash, nthash) │
│ 279 │ │ except (smb.SessionError, smb3.SessionError) as e: │
│ 280 │ │ │ raise SessionError(e.get_error_code(), e.get_error_packet()) │
│ 281 │
│ │
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smb3.py:1040 in login │
│ │
│ 1037 │ │ │ │ │ │ self._Session['SigningKey'] = crypto.KDF_CounterMode │
│ (exportedSessionKey, b"SMB2AESCMAC\x00", │
│ 1038 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
│ b"SmbSign\x00", 128) │
│ 1039 │ │ │ try: │
│ ❱ 1040 │ │ │ │ if packet.isValidAnswer(STATUS_SUCCESS): │
│ 1041 │ │ │ │ │ sessionSetupResponse = SMB2SessionSetup_Response(packet['Data']) │
│ 1042 │ │ │ │ │ self._Session['SessionFlags'] = sessionSetupResponse['SessionFlags'] │
│ 1043 │ │ │ │ │ self._Session['SessionID'] = packet['SessionID'] │
│ │
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smb3structs.py:458 in isValidAnswer │
│ │
│ 455 │ def isValidAnswer(self, status): │
│ 456 │ │ if self['Status'] != status: │
│ 457 │ │ │ from . import smb3 │
│ ❱ 458 │ │ │ raise smb3.SessionError(self['Status'], self) │
│ 459 │ │ return True │
│ 460 │ │
│ 461 │ def __init__(self, data = None): │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication
information.)
During handling of the above exception, another exception occurred:
╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py:465 in plaintext_login │
│ │
│ 462 │ │ │ self.domain = domain │
│ 463 │ │ │ │
│ 464 │ │ │ try: │
│ ❱ 465 │ │ │ │ self.conn.login(self.username, self.password, domain) │
│ 466 │ │ │ except UnicodeEncodeError: │
│ 467 │ │ │ │ self.logger.error(f"UnicodeEncodeError on: │
│ '{self.username}:{self.password}'. Trying again with a different encoding...") │
│ 468 │ │ │ │ self.create_conn_obj() │
│ │
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smbconnection.py:280 in login │
│ │
│ 277 │ │ │ else: │
│ 278 │ │ │ │ return self._SMBConnection.login(user, password, domain, lmhash, nthash) │
│ 279 │ │ except (smb.SessionError, smb3.SessionError) as e: │
│ ❱ 280 │ │ │ raise SessionError(e.get_error_code(), e.get_error_packet()) │
│ 281 │ │
│ 282 │ def kerberosLogin(self, user, password, domain='', lmhash='', nthash='', aesKey='', │
│ kdcHost=None, TGT=None, │
│ 283 │ │ │ │ │ TGS=None, useCache=True): │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
SessionError: SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or
authentication information.
During handling of the above exception, another exception occurred:
╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:121 in __init__ │
│ │
│ 118 │ │ │ sleep(value) │
│ 119 │ │ │
│ 120 │ │ try: │
│ ❱ 121 │ │ │ self.proto_flow() │
│ 122 │ │ except Exception as e: │
│ 123 │ │ │ self.logger.exception(f"Exception while calling proto_flow() on target │
│ {self.host}: {e}") │
│ 124 │
│ │
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:168 in proto_flow │
│ │
│ 165 │ │ if self.create_conn_obj(): │
│ 166 │ │ │ self.logger.debug("Created connection object") │
│ 167 │ │ │ self.enum_host_info() │
│ ❱ 168 │ │ │ if self.print_host_info() and (self.login() or (self.username == "" and │
│ self.password == "")): │
│ 169 │ │ │ │ if hasattr(self.args, "module") and self.args.module: │
│ 170 │ │ │ │ │ self.logger.debug("Calling modules") │
│ 171 │ │ │ │ │ self.call_modules() │
│ │
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:465 in login │
│ │
│ 462 │ │ if not self.args.no_bruteforce: │
│ 463 │ │ │ for secr_index, secr in enumerate(secret): │
│ 464 │ │ │ │ for user_index, user in enumerate(username): │
│ ❱ 465 │ │ │ │ │ if self.try_credentials(domain[user_index], user, owned[user_index], │
│ secr, cred_type[secr_index], data[secr_index]): │
│ 466 │ │ │ │ │ │ owned[user_index] = True │
│ 467 │ │ │ │ │ │ if not self.args.continue_on_success: │
│ 468 │ │ │ │ │ │ │ return True │
│ │
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:407 in try_credentials │
│ │
│ 404 │ │ │ │ │ return self.kerberos_login(domain, username, secret, "", "", │
│ self.kdcHost, False) │
│ 405 │ │ │ │ elif hasattr(self.args, "domain"): # Some protocols don't use domain │
│ for login │
│ 406 │ │ │ │ │ self.logger.debug("Trying to authenticate using plaintext with │
│ domain") │
│ ❱ 407 │ │ │ │ │ return self.plaintext_login(domain, username, secret) │
│ 408 │ │ │ │ elif self.args.protocol == "ssh": │
│ 409 │ │ │ │ │ self.logger.debug("Trying to authenticate using plaintext over SSH") │
│ 410 │ │ │ │ │ return self.plaintext_login(username, secret, data) │
│ │
│ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py:503 in plaintext_login │
│ │
│ 500 │ │ │ │ self.create_conn_obj() │
│ 501 │ │ │ return True │
│ 502 │ │ except SessionError as e: │
│ ❱ 503 │ │ │ error, desc = e.getErrorString() │
│ 504 │ │ │ self.logger.fail( │
│ 505 │ │ │ │ f'{domain}\\{self.username}:{process_secret(self.password)} {error} │
│ {f"({desc})" if self.args.verbose else ""}', │
│ 506 │ │ │ │ color="magenta" if error in smb_error_status else "red", │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
ValueError: too many values to unpack (expected 2)
...
Expected behavior
Nice and clean output like with ldap which is working just fine
NetExec info
DEBUG PYTHON VERSION: 3.11.6 (main, Oct 8 2023, 05:06:43) [GCC 13.2.0]
DEBUG RUNNING ON: Linux Release: 6.5.0-kali3-amd64
- Installed from: pipx
About this issue
- State: closed
- Created 8 months ago
- Comments: 16 (2 by maintainers)
Commits related to this issue
- fix(smb errors): getErrorString only returns one item, not a tuple; fixes #117 — committed to Pennyw0rth/NetExec by Marshall-Hallenbeck 8 months ago
- Revert "fix(smb errors): getErrorString only returns one item, not a tuple; fixes #117" This reverts commit 1784d55baef313e430c4c6f52aaf1b2dbe54ec32. — committed to Pennyw0rth/NetExec by Marshall-Hallenbeck 8 months ago
I’ve uninstalled and reinstalled netexec using pipx and it’s working just fine. niTROCket51’s point was true when I fixed it manually, but with the reinstall it’s not so verbose :
@Marshall-Hallenbeck The fix works like a charm. Amazing response time. I’m impressed. BTW Great we have this fork. Huge thanks.
done @Marshall-Hallenbeck
https://github.com/Pennyw0rth/impacket/commit/32bed3268e48ee56eafee671be536637ba9d5083
Yeah this is a change from Impacket that broke it. Downgrading Impacket or using Poetry to use our pinned version should fix this.
I posted on their GitHub to see if this was intended or if they are going to revert, since it was handling nterrors for us.
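The failure discussed in this thread, as an added example that is not NetExec's or Impacket's own code: a handler that unpacks `getErrorString()` into two names raises `ValueError` as soon as a single string comes back, and a tolerant splitter accepts both shapes. `split_error_string`, `FakeSessionError` and the sample values are constructed for illustration; the tuple shape is inferred from the two-name unpacking at `smb.py:503`, and the string shape is the one printed in the traceback.

```python
import re

# Single-string form, as printed in the second SessionError of the traceback:
#   "SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - <description>"
_SINGLE = re.compile(r"(?:SMB SessionError: )?code: 0x[0-9a-fA-F]+ - (\w+) - (.*)", re.S)


def split_error_string(result):
    """Return (error, desc) for either return shape of getErrorString()."""
    if isinstance(result, (tuple, list)) and len(result) == 2:
        return str(result[0]), str(result[1])
    text = str(result).strip()
    match = _SINGLE.fullmatch(text)
    if match:
        return match.group(1), match.group(2).strip()
    # Unknown shape: report the whole text rather than raising inside the handler.
    return text, ""


class FakeSessionError(Exception):
    """Constructed stand-in for a session error; not Impacket's class."""

    def __init__(self, payload):
        super().__init__(str(payload))
        self.payload = payload

    def getErrorString(self):
        return self.payload


DESC = "The attempted logon is invalid."  # shortened, constructed sample
AS_TUPLE = FakeSessionError(("STATUS_LOGON_FAILURE", DESC))
AS_STRING = FakeSessionError(f"SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - {DESC}")


def naive_unpack(exc):
    """The pattern from smb.py line 503: breaks when a str comes back."""
    error, desc = exc.getErrorString()  # a str unpacks character by character
    return error, desc


if __name__ == "__main__":
    for exc in (AS_TUPLE, AS_STRING):
        print(split_error_string(exc.getErrorString()))
    try:
        naive_unpack(AS_STRING)
    except ValueError as err:
        print("naive unpack:", err)
```

Because the exception is raised inside the `except SessionError` block, the original logon failure is masked and the whole `proto_flow()` run for that target aborts, which is why a single wrong password stopped the scan.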