Description
Describe the bug
When using the ntlm_reflection module against certain SMB targets that appear to be NAS devices (or non-standard Windows SMB implementations), NetExec successfully authenticates (Guest) but then crashes with an unhandled RRP SessionError when attempting to query the registry for the UBR value.
The module appears to assume Windows registry availability and does not gracefully handle devices that expose SMB but do not support the Remote Registry Protocol (RRP).
To Reproduce
Steps to reproduce the behavior:
Command:
netexec smb <target> -u user -p pass -M ntlm_reflection
Resulted in:
SMB 172.23.10.90 445 NAS10 [+] domain.poop\user:fakepass (Guest)
[00:39:42] ERROR Exception while calling proto_flow() on target 172.23.10.90: RRP SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified. connection.py:187
╭──────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ────────────────────────────────────────────────────────────────────────╮
│ /home/mrpotatohead/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:177 in __init__ │
│ │
│ 174 │ │ self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, │
│ kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local │
│ ipv6={self.is_link_local_ipv6}") │
│ 175 │ │ │
│ 176 │ │ try: │
│ ❱ 177 │ │ │ self.proto_flow() │
│ 178 │ │ except FileNotFoundError as e: │
│ 179 │ │ │ self.logger.error(f"File not found error on target {target}: {e}") │
│ 180 │ │ except Exception as e: │
│ │
│ /home/mrpotatohead/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:258 in proto_flow │
│ │
│ 255 │ │ │ │ if hasattr(self.args, "module") and self.args.module: │
│ 256 │ │ │ │ │ self.load_modules() │
│ 257 │ │ │ │ │ self.logger.debug("Calling modules") │
│ ❱ 258 │ │ │ │ │ self.call_modules() │
│ 259 │ │ │ │ else: │
│ 260 │ │ │ │ │ self.logger.debug("Calling command arguments") │
│ 261 │ │ │ │ │ self.call_cmd_args() │
│ │
│ /home/mrpotatohead/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:308 in call_modules │
│ │
│ 305 │ │ │ │
│ 306 │ │ │ if hasattr(module, "on_login"): │
│ 307 │ │ │ │ self.logger.debug(f"Module {module.name} has on_login method") │
│ ❱ 308 │ │ │ │ module.on_login(context, self) │
│ 309 │ │ │ │
│ 310 │ │ │ if self.admin_privs and hasattr(module, "on_admin_login"): │
│ 311 │ │ │ │ self.logger.debug(f"Module {module.name} has on_admin_login method") │
│ │
│ /home/mrpotatohead/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/modules/ntlm_reflection.py:66 in on_login │
│ │
│ 63 │ │ │ # Reading UBR from registry │
│ 64 │ │ │ hRootKey = rrp.hOpenLocalMachine(dce)["phKey"] │
│ 65 │ │ │ hKey = rrp.hBaseRegOpenKey(dce, hRootKey, "SOFTWARE\\Microsoft\\Windows │
│ NT\\CurrentVersion")["phkResult"] │
│ ❱ 66 │ │ │ ubr = rrp.hBaseRegQueryValue(dce, hKey, "UBR")[1] │
│ 67 │ │ │ version_str = │
│ f"{connection.server_os_major}.{connection.server_os_minor}.{connection.server_os_build} │
│ .{ubr}" if ubr else None │
│ 68 │ │ │ dce.disconnect() │
│ 69 │ │ │ if not version_str: │
│ │
│ /home/mrpotatohead/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/impacket/dcerpc/v5/rrp.py:908 in hBaseRegQueryValue │
│ │
│ 905 │ │ │ request['lpData'] =b' ' * dataLen │
│ 906 │ │ │ request['lpcbData'] = dataLen │
│ 907 │ │ │ request['lpcbLen'] = dataLen │
│ ❱ 908 │ │ │ resp = dce.request(request) │
│ 909 │ │ except DCERPCSessionError as e: │
│ 910 │ │ │ if retries > 1: │
│ 911 │ │ │ │ LOG.debug('Too many retries when calling hBaseRegQueryValue, aborting') │
│ │
│ /home/mrpotatohead/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/impacket/dcerpc/v5/rpcrt.py:1436 in request │
│ │
│ 1433 │ │ │ │ │ exception = sessionErrorClass(error_code = error_code) │
│ 1434 │ │ │ │ else: │
│ 1435 │ │ │ │ │ exception = sessionErrorClass(packet = response, error_code = │
│ error_code) │
│ ❱ 1436 │ │ │ raise exception │
│ 1437 │ │ else: │
│ 1438 │ │ │ response = respClass(answer, isNDR64 = isNDR64) │
│ 1439 │ │ │ return response │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Expected behavior
The ntlm_reflection module should gracefully handle SMB targets that do not expose Windows registry services. Ideally, it should detect non-Windows or non-RRP-capable SMB implementations, skip registry-based OS/version detection, and avoid crashing the module execution.
Screenshots
N/A (CLI output only)
NetExec info
- OS: Kali Linux
- Version of nxc: v1.5.0 Commit: 08b43bf (installed via pipx, Python 3.13)
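The handling the report asks for, as an added example written for this page and not NetExec's own code: the three RRP steps (hOpenLocalMachine, hBaseRegOpenKey, hBaseRegQueryValue) are assumed to be wrapped in a hypothetical `read_registry` callable, the stand-in exception class is only used when impacket is not importable, and the sample registry results (a REG_DWORD of 4046, and an ERROR_FILE_NOT_FOUND failure like the one in the traceback) are constructed. Any DCERPCSessionError from the registry path degrades to the major.minor.build string that SMB negotiation already provided instead of aborting the module.

```python
"""Graceful UBR lookup for SMB targets that cannot answer a Remote Registry query."""
try:
    from impacket.dcerpc.v5.rpcrt import DCERPCSessionError
except ImportError:
    # Stand-in with the same shape as impacket's exception so the example runs
    # offline (assumption: impacket is not installed). rrp.DCERPCSessionError,
    # the class raised in the traceback, subclasses the rpcrt one, so a handler
    # for the rpcrt class catches both.
    class DCERPCSessionError(Exception):
        def __init__(self, error_string=None, error_code=None, packet=None):
            super().__init__(error_string or f"code: {error_code:#x}")
            self.error_code = error_code

        def get_error_code(self):
            return self.error_code

ERROR_FILE_NOT_FOUND = 0x2  # Win32 code seen in the report


def read_ubr(read_registry, log=print):
    """Return the UBR as an int, or None when the target cannot answer.

    `read_registry` is a hypothetical callable (not a NetExec API) that performs
    hOpenLocalMachine -> hBaseRegOpenKey -> hBaseRegQueryValue(..., "UBR") and
    returns the (type, data) tuple impacket's hBaseRegQueryValue returns.
    """
    try:
        _, data = read_registry()
    except DCERPCSessionError as e:
        code = e.get_error_code()
        code_txt = f"{code:#x}" if isinstance(code, int) else "unknown"
        hint = "key or value not present" if code == ERROR_FILE_NOT_FOUND else "RRP call failed"
        log(f"UBR lookup skipped: {hint} (code {code_txt})")
        return None
    try:
        return int(data)  # REG_DWORD is already unpacked to int by impacket
    except (TypeError, ValueError):
        log(f"UBR lookup skipped: unexpected data {data!r}")
        return None


def version_string(major, minor, build, ubr):
    """Join the fields SMB negotiation already supplied with the UBR when known.

    UBR 0 is a valid revision, so test against None rather than truthiness.
    """
    base = f"{major}.{minor}.{build}"
    return f"{base}.{ubr}" if ubr is not None else base


def detect_version(major, minor, build, read_registry, log=print):
    """Version detection that never raises on a non-RRP-capable target."""
    return version_string(major, minor, build, read_ubr(read_registry, log))


# Constructed stand-ins for the two target kinds (demo input, not real servers).
def windows_registry():
    return (4, 4046)  # (REG_DWORD, UBR) as hBaseRegQueryValue would return it


def nas_registry():
    # A NAS accepts the RRP bind but has no Windows NT\CurrentVersion\UBR value.
    raise DCERPCSessionError(error_code=ERROR_FILE_NOT_FOUND)


if __name__ == "__main__":
    print(detect_version(10, 0, 19045, windows_registry))  # 10.0.19045.4046
    print(detect_version(6, 1, 7601, nas_registry))        # 6.1.7601
```

In the module this would replace the bare `rrp.hBaseRegQueryValue(dce, hKey, "UBR")[1]` call; `dce.disconnect()` still belongs in a `finally` so the pipe is closed on either path.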