Passwordspraying over SMB does not close connections after failed attempt #401

Open
FallenHero66 opened this issue Aug 19, 2024 · 5 comments

Comments

@FallenHero66

Describe the bug
nxc smb does not seem to close the connection after a login attempt. This means that when running nxc smb through a socks proxy, the socks proxy will eventually die due to too many concurrent connections.

To Reproduce

  1. Set up a socks proxy on your victim machine (i.e. using meterpreter or mythic)
  2. Route traffic to the socks proxy from your attacker machine (i.e. using Proxifier on Windows)
  3. Run netexec smb target_computer -u user_list.txt -p password (with user list containing many users, e.g. 64)
  4. The amount of working connections depends on your socks proxy, but in my case, after 32 concurrent connections (and working login attempts via smb), the socks proxy tunnel dies.

Expected behavior
After a login attempt via SMB, the connection closes, preventing too many concurrent connections.

NetExec info

  • OS: Windows
  • Version of nxc: 1.2.0
  • Installed from: github

@NeffIsBack
Contributor

Thanks for the report!

How do you execute nxc? Using proxychains? And this occurs when several separate commands have been executed in a row?

@FallenHero66
Author

FallenHero66 commented Aug 20, 2024

Hey there!
Thanks for the quick response.

For this assessment, we have a Windows machine with Proxifier, not proxychains. We're using SOCKS5. Proxifier is set to do DNS over the proxy, the rest is basically set up to only route traffic intended for the customer's domain through the proxy.
In Proxifier, we can see that with every login attempt over smb, nxc opens multiple connections (I believe 2 per login attempt, one of which might be the DNS request, not sure...) through the socks proxy and does not close any of them until the spray ends.
So for example, we run nxc smb hostname -u users.txt -p Summer2013! only once, and it fills up the complete log of Proxifier until the socks proxy breaks. Here's a screenshot of this behaviour:

[Screenshot: nxc smb connections flooding]

@NeffIsBack
Contributor

There was a line that was recently added to explicitly close the SMB connection after the protocol instance finished, but I remember we had issues with proxies before...

Can you try to limit the concurrent connections (-t/--threads) to something that works with your proxy? The default is 256 so you can scan an entire /24 range at once.

@FallenHero66
Author

FallenHero66 commented Aug 20, 2024

Sadly, even setting -t 10 opens way too many connections (I aborted after 20).
I suppose I can work around it by segmenting my input file into max. 10 users or something similar.

@NeffIsBack
Contributor

Hmm that is weird, gonna take a look at it when I got more time
