Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PTH Fails for Group Enumeration with SMB #562

Open
kreed-kl opened this issue Feb 10, 2025 · 0 comments · May be fixed by #563
Open

PTH Fails for Group Enumeration with SMB #562

kreed-kl opened this issue Feb 10, 2025 · 0 comments · May be fixed by #563

Comments

@kreed-kl
Copy link

Describe the bug
When running nxc smb ... --groups, passing an NT hash via -H will
result in a usage error, despite that being supported for other
subcommands like --users.

This is due to the Pywerview library's behavior when given an NT hash by
itself - it expects to find LM:NT, not simply NT. This is not called for
most nxc smb ... commands, but is for --groups. The CLI utility
bundled with Pywerview compensates by prepending a dummy LM: before
calling the library, but NetExec does not do so. Using options such as --users,
takes a different code path that does not reference the block of code in requester.py
that is used for --groups.

The following was tested with NetExec 1.3.0 (NeedForSpeed - Kali Linux)
and PywerView 0.3.3.

To Reproduce
Steps to reproduce the behavior:
Command: netexec smb <TARGET> -u <USERNAME> -H <HASH> --groups
Resulted in:

SMB         <IP REDACTED>    445    <HOST REDACTED>     [-] Error enumerating domain group using dc ip <IP REDACTED>: NTLM needs domain\username and a password

Expected behavior
The command should successfully enumerate groups as it does when enumerating users
(i.e. --users).

NetExec info

  • OS: Kali
  • Version of nxc: NetExec 1.3.0 (NeedForSpeed - Kali Linux)
  • Installed from: Apt package manager - netexec/kali-rolling,now 1.3.0-0kali2

Additional context
A workaround for the problem is to supply a generic LM hash or random
combination of hex characters 32 bytes in length before the NT hash.
Both of the following commands results in successful enumeration of groups:

nxc smb <TARGET> -u "Administrator" -H "aad3b435b51404eeaad3b435b51404ee:<NTHASH>" --groups"

nxc smb <TARGET> -u "Administrator" -H "abcdabcdabcdabcdabcdabcdabcdabcd:<NTHASH>" --groups

This works because connection.py validates the NTLM hash by looking at the length.

As another workaround, we can do similar to what Pywerview's own CLI does,
by checking each provided hash argument; if it is a plain single hash,
prepend a dummy LM: to the string. With this in
place, --users and other methods still work fine (they will use the
NT half of an LM:NT argument), and --groups works as well.
A proof-of-concept fix will be submitted as a PR.
kreed-kl added a commit to kreed-kl/NetExec that referenced this issue Feb 10, 2025
@kreed-kl
PTH Fix for Group Enumeration with SMB
ca831d7 
This PR contains a new function in connection.py.

Closes Pennyw0rth#562
@kreed-kl kreed-kl linked a pull request Feb 10, 2025 that will close this issue
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

PTH Fix for Group Enumeration with SMB kreed-kl/NetExec
1 participant
@kreed-kl