Merge pull request Pennyw0rth#935 from Dfte/ntlmreflection_path

NeffIsBack · web-flow · commit 08207eef1857 · 2025-09-27T10:55:20.000-04:00
[NTLM reflection] Fix false assumption over smb signing
diff --git a/nxc/modules/ntlm_reflection.py b/nxc/modules/ntlm_reflection.py
@@ -8,6 +8,7 @@
 class NXCModule:
     # https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
     # Modified by azoxlpf to handle BrokenPipe/transport errors gracefully
+    # Modified by Defte following the discovery of ctjf (https://github.com/Pennyw0rth/NetExec/issues/928) and the research done along side with @NeffIsBack and I
     name = "ntlm_reflection"
     description = "Attempt to check if the OS is vulnerable to CVE-2025-33073 (NTLM Reflection attack)"
     supported_protocols = ["smb"]
@@ -48,34 +49,36 @@ def is_vulnerable(self, major, minor, build, ubr):
     def on_login(self, context, connection):
         self.context = context
         self.connection = connection
-        if not connection.conn.isSigningRequired():  # Not vulnerable if SMB signing is enabled
-            connection.trigger_winreg()
-            rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
-            rpc.set_smb_connection(connection.conn)
-            if connection.kerberos:
-                rpc.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)
-            dce = rpc.get_dce_rpc()
-            if connection.kerberos:
-                dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
-            try:
-                dce.connect()
-                dce.bind(rrp.MSRPC_UUID_RRP)
-                # Reading UBR from registry
-                hRootKey = rrp.hOpenLocalMachine(dce)["phKey"]
-                hKey = rrp.hBaseRegOpenKey(dce, hRootKey, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion")["phkResult"]
-                ubr = rrp.hBaseRegQueryValue(dce, hKey, "UBR")[1]
-                version_str = f"{connection.server_os_major}.{connection.server_os_minor}.{connection.server_os_build}.{ubr}" if ubr else None
-                dce.disconnect()
-                if not version_str:
-                    self.context.log.info("Could not determine OS version from registry")
-                    return
-                vuln = self.is_vulnerable(connection.server_os_major, connection.server_os_minor, connection.server_os_build, ubr)
-                if vuln:
-                    context.log.highlight(f"VULNERABLE to {self.name}! {connection.server_os} ({version_str})")
-            except SessionError as e:
-                if "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
-                    self.context.log.info(f"RemoteRegistry is probably deactivated: {e}")
+        connection.trigger_winreg()
+        rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
+        rpc.set_smb_connection(connection.conn)
+        if connection.kerberos:
+            rpc.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)
+        dce = rpc.get_dce_rpc()
+        if connection.kerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+        try:
+            dce.connect()
+            dce.bind(rrp.MSRPC_UUID_RRP)
+            # Reading UBR from registry
+            hRootKey = rrp.hOpenLocalMachine(dce)["phKey"]
+            hKey = rrp.hBaseRegOpenKey(dce, hRootKey, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion")["phkResult"]
+            ubr = rrp.hBaseRegQueryValue(dce, hKey, "UBR")[1]
+            version_str = f"{connection.server_os_major}.{connection.server_os_minor}.{connection.server_os_build}.{ubr}" if ubr else None
+            dce.disconnect()
+            if not version_str:
+                self.context.log.info("Could not determine OS version from registry")
+                return
+            vuln = self.is_vulnerable(connection.server_os_major, connection.server_os_minor, connection.server_os_build, ubr)
+            if vuln:
+                if not connection.conn.isSigningRequired():  # Not vulnerable if SMB signing is enabled
+                    context.log.highlight(f"VULNERABLE (can relay SMB to any protocol on {self.context.log.extra['host']})")
                 else:
-                    self.context.log.debug(f"Unexpected error: {e}")
-            except (BrokenPipeError, ConnectionResetError, NetBIOSError, OSError) as e:
-                context.log.debug(f"ntlm_reflection: DCERPC transport error: {e.__class__.__name__}: {e}")
+                    context.log.highlight(f"VULNERABLE (can relay SMB to other protocols except SMB on {self.context.log.extra['host']})")
+        except SessionError as e:
+            if "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                self.context.log.info(f"RemoteRegistry is probably deactivated: {e}")
+            else:
+                self.context.log.debug(f"Unexpected error: {e}")
+        except (BrokenPipeError, ConnectionResetError, NetBIOSError, OSError) as e:
+            context.log.debug(f"ntlm_reflection: DCERPC transport error: {e.__class__.__name__}: {e}")
