NetExec: Error on SMB using wrong password

Describe the bug

I’m getting an error while trying to bruteforce passwords using a user list and the same list as passwords. I’m working on the Manager box from HTB, but I’ve got the same issue on my home lab.

To Reproduce

Steps to reproduce the behavior, i.e.:

Command: netexec smb manager.htb -u users.txt -p users.txt

Resulted in:

┌──(fr3sh㉿DeathStar)-[~/Documents/Challenges/hackTheBox/Manager]
└─$ netexec smb manager.htb -u users.txt -p users.txt 
SMB         10.10.11.236    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
[15:20:39] ERROR    Exception while calling proto_flow() on target 10.10.11.236: too many values to unpack (expected 2)                                                      connection.py:123
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smbconnection.py:278 in login                                            │                  
                    │                                                                                                                                                      │                  
                    │   275 │   │   │   if self.getDialect() == smb.SMB_DIALECT:                                                                                           │                  
                    │   276 │   │   │   │   return self._SMBConnection.login(user, password, domain, lmhash, nthash,                                                       │                  
                    │       ntlmFallback)                                                                                                                                  │                  
                    │   277 │   │   │   else:                                                                                                                              │                  
                    │ ❱ 278 │   │   │   │   return self._SMBConnection.login(user, password, domain, lmhash, nthash)                                                       │                  
                    │   279 │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                     │                  
                    │   280 │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                       │                  
                    │   281                                                                                                                                                │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smb3.py:1040 in login                                                    │                  
                    │                                                                                                                                                      │                  
                    │   1037 │   │   │   │   │   │   self._Session['SigningKey'] = crypto.KDF_CounterMode                                                                  │                  
                    │        (exportedSessionKey, b"SMB2AESCMAC\x00",                                                                                                      │                  
                    │   1038 │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │                                                                     │                  
                    │        b"SmbSign\x00", 128)                                                                                                                          │                  
                    │   1039 │   │   │   try:                                                                                                                              │                  
                    │ ❱ 1040 │   │   │   │   if packet.isValidAnswer(STATUS_SUCCESS):                                                                                      │                  
                    │   1041 │   │   │   │   │   sessionSetupResponse = SMB2SessionSetup_Response(packet['Data'])                                                          │                  
                    │   1042 │   │   │   │   │   self._Session['SessionFlags'] = sessionSetupResponse['SessionFlags']                                                      │                  
                    │   1043 │   │   │   │   │   self._Session['SessionID']    = packet['SessionID']                                                                       │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smb3structs.py:458 in isValidAnswer                                      │                  
                    │                                                                                                                                                      │                  
                    │    455 │   def isValidAnswer(self, status):                                                                                                          │                  
                    │    456 │   │   if self['Status'] != status:                                                                                                          │                  
                    │    457 │   │   │   from . import smb3                                                                                                                │                  
                    │ ❱  458 │   │   │   raise smb3.SessionError(self['Status'], self)                                                                                     │                  
                    │    459 │   │   return True                                                                                                                           │                  
                    │    460 │                                                                                                                                             │                  
                    │    461 │   def __init__(self, data = None):                                                                                                          │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication                               
                    information.)                                                                                                                                                             
                                                                                                                                                                                              
                    During handling of the above exception, another exception occurred:                                                                                                       
                                                                                                                                                                                              
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py:465 in plaintext_login                                       │                  
                    │                                                                                                                                                      │                  
                    │    462 │   │   │   self.domain = domain                                                                                                              │                  
                    │    463 │   │   │                                                                                                                                     │                  
                    │    464 │   │   │   try:                                                                                                                              │                  
                    │ ❱  465 │   │   │   │   self.conn.login(self.username, self.password, domain)                                                                         │                  
                    │    466 │   │   │   except UnicodeEncodeError:                                                                                                        │                  
                    │    467 │   │   │   │   self.logger.error(f"UnicodeEncodeError on:                                                                                    │                  
                    │        '{self.username}:{self.password}'. Trying again with a different encoding...")                                                                │                  
                    │    468 │   │   │   │   self.create_conn_obj()                                                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smbconnection.py:280 in login                                            │                  
                    │                                                                                                                                                      │                  
                    │   277 │   │   │   else:                                                                                                                              │                  
                    │   278 │   │   │   │   return self._SMBConnection.login(user, password, domain, lmhash, nthash)                                                       │                  
                    │   279 │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                     │                  
                    │ ❱ 280 │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                       │                  
                    │   281 │                                                                                                                                              │                  
                    │   282 │   def kerberosLogin(self, user, password, domain='', lmhash='', nthash='', aesKey='',                                                        │                  
                    │       kdcHost=None, TGT=None,                                                                                                                        │                  
                    │   283 │   │   │   │   │     TGS=None, useCache=True):                                                                                                │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or                         
                    authentication information.                                                                                                                                               
                                                                                                                                                                                              
                    During handling of the above exception, another exception occurred:                                                                                                       
                                                                                                                                                                                              
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:121 in __init__                                                 │                  
                    │                                                                                                                                                      │                  
                    │   118 │   │   │   sleep(value)                                                                                                                       │                  
                    │   119 │   │                                                                                                                                          │                  
                    │   120 │   │   try:                                                                                                                                   │                  
                    │ ❱ 121 │   │   │   self.proto_flow()                                                                                                                  │                  
                    │   122 │   │   except Exception as e:                                                                                                                 │                  
                    │   123 │   │   │   self.logger.exception(f"Exception while calling proto_flow() on target                                                             │                  
                    │       {self.host}: {e}")                                                                                                                             │                  
                    │   124                                                                                                                                                │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:168 in proto_flow                                               │                  
                    │                                                                                                                                                      │                  
                    │   165 │   │   if self.create_conn_obj():                                                                                                             │                  
                    │   166 │   │   │   self.logger.debug("Created connection object")                                                                                     │                  
                    │   167 │   │   │   self.enum_host_info()                                                                                                              │                  
                    │ ❱ 168 │   │   │   if self.print_host_info() and (self.login() or (self.username == "" and                                                            │                  
                    │       self.password == "")):                                                                                                                         │                  
                    │   169 │   │   │   │   if hasattr(self.args, "module") and self.args.module:                                                                          │                  
                    │   170 │   │   │   │   │   self.logger.debug("Calling modules")                                                                                       │                  
                    │   171 │   │   │   │   │   self.call_modules()                                                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:465 in login                                                    │                  
                    │                                                                                                                                                      │                  
                    │   462 │   │   if not self.args.no_bruteforce:                                                                                                        │                  
                    │   463 │   │   │   for secr_index, secr in enumerate(secret):                                                                                         │                  
                    │   464 │   │   │   │   for user_index, user in enumerate(username):                                                                                   │                  
                    │ ❱ 465 │   │   │   │   │   if self.try_credentials(domain[user_index], user, owned[user_index],                                                       │                  
                    │       secr, cred_type[secr_index], data[secr_index]):                                                                                                │                  
                    │   466 │   │   │   │   │   │   owned[user_index] = True                                                                                               │                  
                    │   467 │   │   │   │   │   │   if not self.args.continue_on_success:                                                                                  │                  
                    │   468 │   │   │   │   │   │   │   return True                                                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:407 in try_credentials                                          │                  
                    │                                                                                                                                                      │                  
                    │   404 │   │   │   │   │   return self.kerberos_login(domain, username, secret, "", "",                                                               │                  
                    │       self.kdcHost, False)                                                                                                                           │                  
                    │   405 │   │   │   │   elif hasattr(self.args, "domain"):  # Some protocols don't use domain                                                          │                  
                    │       for login                                                                                                                                      │                  
                    │   406 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext with                                                             │                  
                    │       domain")                                                                                                                                       │                  
                    │ ❱ 407 │   │   │   │   │   return self.plaintext_login(domain, username, secret)                                                                      │                  
                    │   408 │   │   │   │   elif self.args.protocol == "ssh":                                                                                              │                  
                    │   409 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext over SSH")                                                       │                  
                    │   410 │   │   │   │   │   return self.plaintext_login(username, secret, data)                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py:503 in plaintext_login                                       │                  
                    │                                                                                                                                                      │                  
                    │    500 │   │   │   │   self.create_conn_obj()                                                                                                        │                  
                    │    501 │   │   │   return True                                                                                                                       │                  
                    │    502 │   │   except SessionError as e:                                                                                                             │                  
                    │ ❱  503 │   │   │   error, desc = e.getErrorString()                                                                                                  │                  
                    │    504 │   │   │   self.logger.fail(                                                                                                                 │                  
                    │    505 │   │   │   │   f'{domain}\\{self.username}:{process_secret(self.password)} {error}                                                           │                  
                    │        {f"({desc})" if self.args.verbose else ""}',                                                                                                  │                  
                    │    506 │   │   │   │   color="magenta" if error in smb_error_status else "red",                                                                      │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    ValueError: too many values to unpack (expected 2)   
...

Expected behavior

Nice and clean output like with ldap, which is working just fine.

NetExec info

DEBUG PYTHON VERSION: 3.11.6 (main, Oct 8 2023, 05:06:43) [GCC 13.2.0]
DEBUG RUNNING ON: Linux Release: 6.5.0-kali3-amd64

  • Installed from: pipx

About this issue

  • State: closed
  • Created 8 months ago
  • Comments: 16 (2 by maintainers)

Most upvoted comments

I’ve uninstalled and reinstalled netexec using pipx and it’s working just fine. niTROCket51’s point was true when I fixed it manually, but with the reinstall it’s not so verbose:

[Image: 2023-11-13_21-25]

@Marshall-Hallenbeck The fix works like a charm. Amazing response time. I’m impressed. BTW Great we have this fork. Huge thanks.

Yeah this is a change from Impacket that broke it. Downgrading Impacket or using Poetry to use our pinned version should fix this.

I posted on their GitHub to see if this was intended or if they are going to revert, since it was handling nterrors for us.
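
The failure in the traceback, reproduced offline with a shape-tolerant handler beside it. This is an added example, not code from NetExec, Impacket or the commenters above: the two exception classes are constructed stand-ins, and the single-string return shape is an assumption modelled on the message printed in the traceback.

```python
import re

DESC = ("The attempted logon is invalid. This is either due to a bad "
        "username or authentication information.")


class TupleStyleError(Exception):
    """Constructed stand-in: getErrorString() returns (short_name, description),
    the shape `error, desc = e.getErrorString()` expects."""

    def getErrorString(self):
        return ("STATUS_LOGON_FAILURE", DESC)


class StringStyleError(Exception):
    """Constructed stand-in (assumption): getErrorString() returns one formatted
    string, in the layout printed in the traceback above."""

    def getErrorString(self):
        return f"SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - {DESC}"


# "code: 0x... - NAME - description", as seen in the traceback text.
_FORMATTED = re.compile(r"code:\s*(0x[0-9a-fA-F]+)\s*-\s*(\w+)\s*-\s*(.*)", re.S)


def naive_unpack(exc):
    """The pattern from the traceback: breaks as soon as the shape changes."""
    error, desc = exc.getErrorString()
    return error, desc


def normalize_error(exc):
    """Return (status_name, description) for either return shape.

    Unknown shapes are passed through as text instead of raising, so one
    failed logon cannot abort the rest of the run.
    """
    value = exc.getErrorString()
    if isinstance(value, (tuple, list)) and len(value) == 2:
        return str(value[0]), str(value[1])
    if isinstance(value, str):
        match = _FORMATTED.search(value)
        if match:
            return match.group(2), match.group(3).strip()
        return value, ""
    return repr(value), ""


def unpack_fails(exc):
    """True when the naive two-value unpack raises ValueError for this exception."""
    try:
        naive_unpack(exc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for exc in (TupleStyleError(), StringStyleError()):
        name, desc = normalize_error(exc)
        print(f"{type(exc).__name__}: naive unpack fails={unpack_fails(exc)} "
              f"-> {name} ({desc})")
```
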