Skip to content

Add User2User authentication#1078

Open
azoxlpf wants to merge 3 commits intoPennyw0rth:mainfrom
azoxlpf:feat/u2u-support
Open

Add User2User authentication#1078
azoxlpf wants to merge 3 commits intoPennyw0rth:mainfrom
azoxlpf:feat/u2u-support

Conversation

@azoxlpf
Copy link
Contributor

@azoxlpf azoxlpf commented Jan 21, 2026

Description

This PR adds User-to-User (U2U) authentication support to NetExec, enabling Resource-Based Constrained Delegation (RBCD) exploitation using normal user accounts that don't have a Service Principal Name (SPN) configured.

Traditional RBCD attacks via S4U2Self/S4U2Proxy fail with KDC_ERR_S_PRINCIPAL_UNKNOWN when attempting to use accounts without SPNs, as the KDC cannot select the correct encryption key for UPN-based tickets :

1

The U2U extension solves this limitation by requesting tickets encrypted with the user's TGT session key instead.

Based on research by James Forshaw : https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Screenshots (if appropriate):

Generate a TGT and obtain the session key :

3

Change the user's NT hash with the session key :

4

Use the TGT for RBCD with S4U and U2U :

5

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

@mpgn
Copy link
Collaborator

mpgn commented Jan 21, 2026

What is the impacket equivalent of u2u ? getST.py ?

@azoxlpf
Copy link
Contributor Author

azoxlpf commented Jan 21, 2026

What is the impacket equivalent of u2u ? getST.py ?

Yes getST.py with -u2u

@NeffIsBack
Copy link
Member

NeffIsBack commented Jan 22, 2026

Very nice, thanks for the PR!

@NeffIsBack NeffIsBack added the enhancement New feature or request label Jan 22, 2026
mpgn
mpgn reviewed Feb 6, 2026
View reviewed changes
@mpgn
Copy link
Collaborator

mpgn commented Feb 6, 2026

Generate a TGT and obtain the session key :

interesting, does you domain force rc4 ?

@mpgn
Copy link
Collaborator

mpgn commented Feb 6, 2026

The auth part is working, nice but something is missing because if you try another command it stacktrace

image 
└─$ uv run netexec smb 10.2.10.11 --use-kcache --delegate administrator --u2u -x whoami
      Built netexec @ file:///home/kali/NetExec
Uninstalled 1 package in 0.21ms
Installed 1 package in 0.59ms
SMB         10.2.10.11      445    JOLLYROGER       [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB         10.2.10.11      445    JOLLYROGER       [+] PIRATES.BRB\administrator through S4U+U2U with ccache (Pwn3d!)
[15:22:14] ERROR    Exception while calling proto_flow() on target 10.2.10.11: SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O       connection.py:187
                    operation is not complete.                                                                                                                                                                                                                         
                    ╭────────────────────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────────────────╮                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/smbconnection.py:335 in kerberosLogin                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │    332 │   │   │   │   if self.getDialect() == smb.SMB_DIALECT:                                                                                                                                                               │                  
                    │    333 │   │   │   │   │   return self._SMBConnection.kerberos_login(user, password, domain,                                                                                                                                  │                  
                    │        lmhash, nthash, aesKey, kdcHost,                                                                                                                                                                                       │                  
                    │    334 │   │   │   │   │   │   │   │   │   │   │   │   │   │   │     TGT, TGS)                                                                                                                                                │                  
                    │ ❱  335 │   │   │   │   return self._SMBConnection.kerberosLogin(user, password, domain, lmhash,                                                                                                                               │                  
                    │        nthash, aesKey, kdcHost, TGT,                                                                                                                                                                                          │                  
                    │    336 │   │   │   │   │   │   │   │   │   │   │   │   │   │    TGS)                                                                                                                                                          │                  
                    │    337 │   │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                                                                                         │                  
                    │    338 │   │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                                                                                           │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/smb3.py:833 in kerberosLogin                                                                                                                                   │                  
                    │                                                                                                                                                                                                                               │                  
                    │    830 │   │                                                                                                                                                                                                                  │                  
                    │    831 │   │   packetID = self.sendSMB(packet)                                                                                                                                                                                │                  
                    │    832 │   │   ans = self.recvSMB(packetID)                                                                                                                                                                                   │                  
                    │ ❱  833 │   │   if ans.isValidAnswer(STATUS_SUCCESS):                                                                                                                                                                          │                  
                    │    834 │   │   │   self._Session['SessionID']       = ans['SessionID']                                                                                                                                                        │                  
                    │    835 │   │   │   self._Session['SigningRequired'] = self._Connection['RequireSigning']                                                                                                                                      │                  
                    │    836 │   │   │   self._Session['UserCredentials'] = (user, password, domain, lmhash, nthash)                                                                                                                                │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/smb3structs.py:466 in isValidAnswer                                                                                                                            │                  
                    │                                                                                                                                                                                                                               │                  
                    │    463 │   def isValidAnswer(self, status):                                                                                                                                                                                   │                  
                    │    464 │   │   if self['Status'] != status:                                                                                                                                                                                   │                  
                    │    465 │   │   │   from . import smb3                                                                                                                                                                                         │                  
                    │ ❱  466 │   │   │   raise smb3.SessionError(self['Status'], self)                                                                                                                                                              │                  
                    │    467 │   │   return True                                                                                                                                                                                                    │                  
                    │    468 │                                                                                                                                                                                                                      │                  
                    │    469 │   def __init__(self, data = None):                                                                                                                                                                                   │                  
                    ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)                                                              
                                                                                                                                                                                                                                                                       
                    During handling of the above exception, another exception occurred:                                                                                                                                                                                
                                                                                                                                                                                                                                                                       
                    ╭────────────────────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────────────────╮                  
                    │ /home/kali/NetExec/nxc/connection.py:177 in __init__                                                                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │   174 │   │   self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname},                                                                                                                                     │                  
                    │       kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local                                                                                                                                                               │                  
                    │       ipv6={self.is_link_local_ipv6}")                                                                                                                                                                                        │                  
                    │   175 │   │                                                                                                                                                                                                                   │                  
                    │   176 │   │   try:                                                                                                                                                                                                            │                  
                    │ ❱ 177 │   │   │   self.proto_flow()                                                                                                                                                                                           │                  
                    │   178 │   │   except FileNotFoundError as e:                                                                                                                                                                                  │                  
                    │   179 │   │   │   self.logger.error(f"File not found error on target {target}: {e}")                                                                                                                                          │                  
                    │   180 │   │   except Exception as e:                                                                                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/connection.py:261 in proto_flow                                                                                                                                                                        │                  
                    │                                                                                                                                                                                                                               │                  
                    │   258 │   │   │   │   │   self.call_modules()                                                                                                                                                                                 │                  
                    │   259 │   │   │   │   else:                                                                                                                                                                                                   │                  
                    │   260 │   │   │   │   │   self.logger.debug("Calling command arguments")                                                                                                                                                      │                  
                    │ ❱ 261 │   │   │   │   │   self.call_cmd_args()                                                                                                                                                                                │                  
                    │   262 │   │   │   self.disconnect()                                                                                                                                                                                           │                  
                    │   263 │                                                                                                                                                                                                                       │                  
                    │   264 │   def call_cmd_args(self):                                                                                                                                                                                            │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/connection.py:283 in call_cmd_args                                                                                                                                                                     │                  
                    │                                                                                                                                                                                                                               │                  
                    │   280 │   │   for attr, value in vars(self.args).items():                                                                                                                                                                     │                  
                    │   281 │   │   │   if hasattr(self, attr) and callable(getattr(self, attr)) and value is not                                                                                                                                   │                  
                    │       False and value is not None:                                                                                                                                                                                            │                  
                    │   282 │   │   │   │   self.logger.debug(f"Calling {attr}()")                                                                                                                                                                  │                  
                    │ ❱ 283 │   │   │   │   getattr(self, attr)()                                                                                                                                                                                   │                  
                    │   284 │                                                                                                                                                                                                                       │                  
                    │   285 │   def call_modules(self):                                                                                                                                                                                             │                  
                    │   286 │   │   """Calls modules and performs various actions based on the module's attributes.                                                                                                                                 │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/connection.py:96 in _decorator                                                                                                                                                                         │                  
                    │                                                                                                                                                                                                                               │                  
                    │    93 │   │   │   if hasattr(self.args, "exec_method") and self.args.exec_method == "mmcexec":                                                                                                                                │                  
                    │    94 │   │   │   │   return func(self, *args, **kwargs)                                                                                                                                                                      │                  
                    │    95 │   │   │   return None                                                                                                                                                                                                 │                  
                    │ ❱  96 │   │   return func(self, *args, **kwargs)                                                                                                                                                                              │                  
                    │    97 │                                                                                                                                                                                                                       │                  
                    │    98 │   return wraps(func)(_decorator)                                                                                                                                                                                      │                  
                    │    99                                                                                                                                                                                                                         │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/protocols/smb.py:935 in execute                                                                                                                                                                        │                  
                    │                                                                                                                                                                                                                               │                  
                    │    932 │   │   │   self.server.track_host(self.host)                                                                                                                                                                          │                  
                    │    933 │   │                                                                                                                                                                                                                  │                  
                    │    934 │   │   if "exec_method" in locals():                                                                                                                                                                                  │                  
                    │ ❱  935 │   │   │   output = exec_method.execute(payload, get_output)                                                                                                                                                          │                  
                    │    936 │   │   │   try:                                                                                                                                                                                                       │                  
                    │    937 │   │   │   │   if not isinstance(output, str):                                                                                                                                                                        │                  
                    │    938 │   │   │   │   │   output = output.decode(self.args.codec)                                                                                                                                                            │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/protocols/smb/atexec.py:70 in execute                                                                                                                                                                  │                  
                    │                                                                                                                                                                                                                               │                  
                    │    67 │                                                                                                                                                                                                                       │                  
                    │    68 │   def execute(self, command, output=False):                                                                                                                                                                           │                  
                    │    69 │   │   self.__retOutput = output                                                                                                                                                                                       │                  
                    │ ❱  70 │   │   self.execute_handler(command)                                                                                                                                                                                   │                  
                    │    71 │   │   return self.__outputBuffer                                                                                                                                                                                      │                  
                    │    72 │                                                                                                                                                                                                                       │                  
                    │    73 │   def output_callback(self, data):                                                                                                                                                                                    │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/protocols/smb/atexec.py:180 in execute_handler                                                                                                                                                         │                  
                    │                                                                                                                                                                                                                               │                  
                    │   177 │   │   │   dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)                                                                                                                                                                │                  
                    │   178 │   │                                                                                                                                                                                                                   │                  
                    │   179 │   │   dce.set_credentials(*self.__rpctransport.get_credentials())                                                                                                                                                     │                  
                    │ ❱ 180 │   │   dce.connect()                                                                                                                                                                                                   │                  
                    │   181 │   │                                                                                                                                                                                                                   │                  
                    │   182 │   │   xml = self.gen_xml(command)                                                                                                                                                                                     │                  
                    │   183 │   │   self.logger.debug(f"Task XML: {xml}")                                                                                                                                                                           │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/dcerpc/v5/rpcrt.py:1359 in connect                                                                                                                             │                  
                    │                                                                                                                                                                                                                               │                  
                    │   1356 │   │   self._ctx = ctx_id                                                                                                                                                                                             │                  
                    │   1357 │                                                                                                                                                                                                                      │                  
                    │   1358 │   def connect(self):                                                                                                                                                                                                 │                  
                    │ ❱ 1359 │   │   return self._transport.connect()                                                                                                                                                                               │                  
                    │   1360 │                                                                                                                                                                                                                      │                  
                    │   1361 │   def disconnect(self):                                                                                                                                                                                              │                  
                    │   1362 │   │   return self._transport.disconnect()                                                                                                                                                                            │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/dcerpc/v5/transport.py:521 in connect                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │   518 │   │   │   if self._doKerberos is False:                                                                                                                                                                               │                  
                    │   519 │   │   │   │   self.__smb_connection.login(self._username, self._password,                                                                                                                                             │                  
                    │       self._domain, self._lmhash, self._nthash)                                                                                                                                                                               │                  
                    │   520 │   │   │   else:                                                                                                                                                                                                       │                  
                    │ ❱ 521 │   │   │   │   self.__smb_connection.kerberosLogin(self._username, self._password,                                                                                                                                     │                  
                    │       self._domain, self._lmhash,                                                                                                                                                                                             │                  
                    │   522 │   │   │   │   │   │   │   │   │   │   │   │   │   self._nthash, self._aesKey,                                                                                                                                         │                  
                    │       kdcHost=self._kdcHost, TGT=self._TGT,                                                                                                                                                                                   │                  
                    │   523 │   │   │   │   │   │   │   │   │   │   │   │   │   TGS=self._TGS)                                                                                                                                                      │                  
                    │   524 │   │   self.__tid = self.__smb_connection.connectTree('IPC$')                                                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/smbconnection.py:338 in kerberosLogin                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │    335 │   │   │   │   return self._SMBConnection.kerberosLogin(user, password, domain, lmhash,                                                                                                                               │                  
                    │        nthash, aesKey, kdcHost, TGT,                                                                                                                                                                                          │                  
                    │    336 │   │   │   │   │   │   │   │   │   │   │   │   │   │    TGS)                                                                                                                                                          │                  
                    │    337 │   │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                                                                                         │                  
                    │ ❱  338 │   │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                                                                                           │                  
                    │    339 │   │   │   except KerberosError as e:                                                                                                                                                                                 │                  
                    │    340 │   │   │   │   if e.getErrorCode() == constants.ErrorCodes.KDC_ERR_ETYPE_NOSUPP.value:                                                                                                                                │                  
                    │    341 │   │   │   │   │   # We might face this if the target does not support AES.                                                                                                                                           │                  
                    ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.

@azoxlpf
Copy link
Contributor Author

azoxlpf commented Feb 6, 2026

Generate a TGT and obtain the session key :

interesting, does you domain force rc4 ?

No, the KDC encrypts the session key with AES about one in two times, it's pretty random. But to force RC4 encryption, we can authenticate with the NT hash :

image

@azoxlpf
Copy link
Contributor Author

azoxlpf commented Feb 6, 2026

The auth part is working, nice but something is missing because if you try another command it stacktrace
image

└─$ uv run netexec smb 10.2.10.11 --use-kcache --delegate administrator --u2u -x whoami
      Built netexec @ file:///home/kali/NetExec
Uninstalled 1 package in 0.21ms
Installed 1 package in 0.59ms
SMB         10.2.10.11      445    JOLLYROGER       [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB         10.2.10.11      445    JOLLYROGER       [+] PIRATES.BRB\administrator through S4U+U2U with ccache (Pwn3d!)
[15:22:14] ERROR    Exception while calling proto_flow() on target 10.2.10.11: SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O       connection.py:187
                    operation is not complete.                                                                                                                                                                                                                         
                    ╭────────────────────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────────────────╮                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/smbconnection.py:335 in kerberosLogin                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │    332 │   │   │   │   if self.getDialect() == smb.SMB_DIALECT:                                                                                                                                                               │                  
                    │    333 │   │   │   │   │   return self._SMBConnection.kerberos_login(user, password, domain,                                                                                                                                  │                  
                    │        lmhash, nthash, aesKey, kdcHost,                                                                                                                                                                                       │                  
                    │    334 │   │   │   │   │   │   │   │   │   │   │   │   │   │   │     TGT, TGS)                                                                                                                                                │                  
                    │ ❱  335 │   │   │   │   return self._SMBConnection.kerberosLogin(user, password, domain, lmhash,                                                                                                                               │                  
                    │        nthash, aesKey, kdcHost, TGT,                                                                                                                                                                                          │                  
                    │    336 │   │   │   │   │   │   │   │   │   │   │   │   │   │    TGS)                                                                                                                                                          │                  
                    │    337 │   │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                                                                                         │                  
                    │    338 │   │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                                                                                           │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/smb3.py:833 in kerberosLogin                                                                                                                                   │                  
                    │                                                                                                                                                                                                                               │                  
                    │    830 │   │                                                                                                                                                                                                                  │                  
                    │    831 │   │   packetID = self.sendSMB(packet)                                                                                                                                                                                │                  
                    │    832 │   │   ans = self.recvSMB(packetID)                                                                                                                                                                                   │                  
                    │ ❱  833 │   │   if ans.isValidAnswer(STATUS_SUCCESS):                                                                                                                                                                          │                  
                    │    834 │   │   │   self._Session['SessionID']       = ans['SessionID']                                                                                                                                                        │                  
                    │    835 │   │   │   self._Session['SigningRequired'] = self._Connection['RequireSigning']                                                                                                                                      │                  
                    │    836 │   │   │   self._Session['UserCredentials'] = (user, password, domain, lmhash, nthash)                                                                                                                                │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/smb3structs.py:466 in isValidAnswer                                                                                                                            │                  
                    │                                                                                                                                                                                                                               │                  
                    │    463 │   def isValidAnswer(self, status):                                                                                                                                                                                   │                  
                    │    464 │   │   if self['Status'] != status:                                                                                                                                                                                   │                  
                    │    465 │   │   │   from . import smb3                                                                                                                                                                                         │                  
                    │ ❱  466 │   │   │   raise smb3.SessionError(self['Status'], self)                                                                                                                                                              │                  
                    │    467 │   │   return True                                                                                                                                                                                                    │                  
                    │    468 │                                                                                                                                                                                                                      │                  
                    │    469 │   def __init__(self, data = None):                                                                                                                                                                                   │                  
                    ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)                                                              
                                                                                                                                                                                                                                                                       
                    During handling of the above exception, another exception occurred:                                                                                                                                                                                
                                                                                                                                                                                                                                                                       
                    ╭────────────────────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────────────────╮                  
                    │ /home/kali/NetExec/nxc/connection.py:177 in __init__                                                                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │   174 │   │   self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname},                                                                                                                                     │                  
                    │       kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local                                                                                                                                                               │                  
                    │       ipv6={self.is_link_local_ipv6}")                                                                                                                                                                                        │                  
                    │   175 │   │                                                                                                                                                                                                                   │                  
                    │   176 │   │   try:                                                                                                                                                                                                            │                  
                    │ ❱ 177 │   │   │   self.proto_flow()                                                                                                                                                                                           │                  
                    │   178 │   │   except FileNotFoundError as e:                                                                                                                                                                                  │                  
                    │   179 │   │   │   self.logger.error(f"File not found error on target {target}: {e}")                                                                                                                                          │                  
                    │   180 │   │   except Exception as e:                                                                                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/connection.py:261 in proto_flow                                                                                                                                                                        │                  
                    │                                                                                                                                                                                                                               │                  
                    │   258 │   │   │   │   │   self.call_modules()                                                                                                                                                                                 │                  
                    │   259 │   │   │   │   else:                                                                                                                                                                                                   │                  
                    │   260 │   │   │   │   │   self.logger.debug("Calling command arguments")                                                                                                                                                      │                  
                    │ ❱ 261 │   │   │   │   │   self.call_cmd_args()                                                                                                                                                                                │                  
                    │   262 │   │   │   self.disconnect()                                                                                                                                                                                           │                  
                    │   263 │                                                                                                                                                                                                                       │                  
                    │   264 │   def call_cmd_args(self):                                                                                                                                                                                            │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/connection.py:283 in call_cmd_args                                                                                                                                                                     │                  
                    │                                                                                                                                                                                                                               │                  
                    │   280 │   │   for attr, value in vars(self.args).items():                                                                                                                                                                     │                  
                    │   281 │   │   │   if hasattr(self, attr) and callable(getattr(self, attr)) and value is not                                                                                                                                   │                  
                    │       False and value is not None:                                                                                                                                                                                            │                  
                    │   282 │   │   │   │   self.logger.debug(f"Calling {attr}()")                                                                                                                                                                  │                  
                    │ ❱ 283 │   │   │   │   getattr(self, attr)()                                                                                                                                                                                   │                  
                    │   284 │                                                                                                                                                                                                                       │                  
                    │   285 │   def call_modules(self):                                                                                                                                                                                             │                  
                    │   286 │   │   """Calls modules and performs various actions based on the module's attributes.                                                                                                                                 │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/connection.py:96 in _decorator                                                                                                                                                                         │                  
                    │                                                                                                                                                                                                                               │                  
                    │    93 │   │   │   if hasattr(self.args, "exec_method") and self.args.exec_method == "mmcexec":                                                                                                                                │                  
                    │    94 │   │   │   │   return func(self, *args, **kwargs)                                                                                                                                                                      │                  
                    │    95 │   │   │   return None                                                                                                                                                                                                 │                  
                    │ ❱  96 │   │   return func(self, *args, **kwargs)                                                                                                                                                                              │                  
                    │    97 │                                                                                                                                                                                                                       │                  
                    │    98 │   return wraps(func)(_decorator)                                                                                                                                                                                      │                  
                    │    99                                                                                                                                                                                                                         │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/protocols/smb.py:935 in execute                                                                                                                                                                        │                  
                    │                                                                                                                                                                                                                               │                  
                    │    932 │   │   │   self.server.track_host(self.host)                                                                                                                                                                          │                  
                    │    933 │   │                                                                                                                                                                                                                  │                  
                    │    934 │   │   if "exec_method" in locals():                                                                                                                                                                                  │                  
                    │ ❱  935 │   │   │   output = exec_method.execute(payload, get_output)                                                                                                                                                          │                  
                    │    936 │   │   │   try:                                                                                                                                                                                                       │                  
                    │    937 │   │   │   │   if not isinstance(output, str):                                                                                                                                                                        │                  
                    │    938 │   │   │   │   │   output = output.decode(self.args.codec)                                                                                                                                                            │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/protocols/smb/atexec.py:70 in execute                                                                                                                                                                  │                  
                    │                                                                                                                                                                                                                               │                  
                    │    67 │                                                                                                                                                                                                                       │                  
                    │    68 │   def execute(self, command, output=False):                                                                                                                                                                           │                  
                    │    69 │   │   self.__retOutput = output                                                                                                                                                                                       │                  
                    │ ❱  70 │   │   self.execute_handler(command)                                                                                                                                                                                   │                  
                    │    71 │   │   return self.__outputBuffer                                                                                                                                                                                      │                  
                    │    72 │                                                                                                                                                                                                                       │                  
                    │    73 │   def output_callback(self, data):                                                                                                                                                                                    │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/nxc/protocols/smb/atexec.py:180 in execute_handler                                                                                                                                                         │                  
                    │                                                                                                                                                                                                                               │                  
                    │   177 │   │   │   dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)                                                                                                                                                                │                  
                    │   178 │   │                                                                                                                                                                                                                   │                  
                    │   179 │   │   dce.set_credentials(*self.__rpctransport.get_credentials())                                                                                                                                                     │                  
                    │ ❱ 180 │   │   dce.connect()                                                                                                                                                                                                   │                  
                    │   181 │   │                                                                                                                                                                                                                   │                  
                    │   182 │   │   xml = self.gen_xml(command)                                                                                                                                                                                     │                  
                    │   183 │   │   self.logger.debug(f"Task XML: {xml}")                                                                                                                                                                           │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/dcerpc/v5/rpcrt.py:1359 in connect                                                                                                                             │                  
                    │                                                                                                                                                                                                                               │                  
                    │   1356 │   │   self._ctx = ctx_id                                                                                                                                                                                             │                  
                    │   1357 │                                                                                                                                                                                                                      │                  
                    │   1358 │   def connect(self):                                                                                                                                                                                                 │                  
                    │ ❱ 1359 │   │   return self._transport.connect()                                                                                                                                                                               │                  
                    │   1360 │                                                                                                                                                                                                                      │                  
                    │   1361 │   def disconnect(self):                                                                                                                                                                                              │                  
                    │   1362 │   │   return self._transport.disconnect()                                                                                                                                                                            │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/dcerpc/v5/transport.py:521 in connect                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │   518 │   │   │   if self._doKerberos is False:                                                                                                                                                                               │                  
                    │   519 │   │   │   │   self.__smb_connection.login(self._username, self._password,                                                                                                                                             │                  
                    │       self._domain, self._lmhash, self._nthash)                                                                                                                                                                               │                  
                    │   520 │   │   │   else:                                                                                                                                                                                                       │                  
                    │ ❱ 521 │   │   │   │   self.__smb_connection.kerberosLogin(self._username, self._password,                                                                                                                                     │                  
                    │       self._domain, self._lmhash,                                                                                                                                                                                             │                  
                    │   522 │   │   │   │   │   │   │   │   │   │   │   │   │   self._nthash, self._aesKey,                                                                                                                                         │                  
                    │       kdcHost=self._kdcHost, TGT=self._TGT,                                                                                                                                                                                   │                  
                    │   523 │   │   │   │   │   │   │   │   │   │   │   │   │   TGS=self._TGS)                                                                                                                                                      │                  
                    │   524 │   │   self.__tid = self.__smb_connection.connectTree('IPC$')                                                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │ /home/kali/NetExec/.venv/lib/python3.13/site-packages/impacket/smbconnection.py:338 in kerberosLogin                                                                                                                          │                  
                    │                                                                                                                                                                                                                               │                  
                    │    335 │   │   │   │   return self._SMBConnection.kerberosLogin(user, password, domain, lmhash,                                                                                                                               │                  
                    │        nthash, aesKey, kdcHost, TGT,                                                                                                                                                                                          │                  
                    │    336 │   │   │   │   │   │   │   │   │   │   │   │   │   │    TGS)                                                                                                                                                          │                  
                    │    337 │   │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                                                                                         │                  
                    │ ❱  338 │   │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                                                                                           │                  
                    │    339 │   │   │   except KerberosError as e:                                                                                                                                                                                 │                  
                    │    340 │   │   │   │   if e.getErrorCode() == constants.ErrorCodes.KDC_ERR_ETYPE_NOSUPP.value:                                                                                                                                │                  
                    │    341 │   │   │   │   │   # We might face this if the target does not support AES.                                                                                                                                           │                  
                    ╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.

Hmm, indeed some commands work but not others. I'll check that out

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mpgn mpgn mpgn left review comments

@zblurx zblurx Awaiting requested review from zblurx zblurx is a code owner

@Marshall-Hallenbeck Marshall-Hallenbeck Awaiting requested review from Marshall-Hallenbeck Marshall-Hallenbeck is a code owner

@NeffIsBack NeffIsBack Awaiting requested review from NeffIsBack NeffIsBack is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@azoxlpf @mpgn @NeffIsBack