
Commit aa5dc32

author
Aurélien CHALOT
committed
Fix false assumption over smb signing
1 parent 0278b81 commit aa5dc32

1 file changed

Lines changed: 32 additions & 30 deletions


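--- a/nxc/modules/ntlm_reflection.py
+++ b/nxc/modules/ntlm_reflection.py
@@ -48,34 +48,36 @@ def is_vulnerable(self, major, minor, build, ubr):
 def on_login(self, context, connection):
 self.context = context
 self.connection = connection
-if not connection.conn.isSigningRequired(): # Not vulnerable if SMB signing is enabled
-connection.trigger_winreg()
-rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
-rpc.set_smb_connection(connection.conn)
-if connection.kerberos:
-rpc.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)
-dce = rpc.get_dce_rpc()
-if connection.kerberos:
-dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
-try:
-dce.connect()
-dce.bind(rrp.MSRPC_UUID_RRP)
-# Reading UBR from registry
-hRootKey = rrp.hOpenLocalMachine(dce)["phKey"]
-hKey = rrp.hBaseRegOpenKey(dce, hRootKey, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion")["phkResult"]
-ubr = rrp.hBaseRegQueryValue(dce, hKey, "UBR")[1]
-version_str = f"{connection.server_os_major}.{connection.server_os_minor}.{connection.server_os_build}.{ubr}" if ubr else None
-dce.disconnect()
-if not version_str:
-self.context.log.info("Could not determine OS version from registry")
-return
-vuln = self.is_vulnerable(connection.server_os_major, connection.server_os_minor, connection.server_os_build, ubr)
-if vuln:
-context.log.highlight(f"VULNERABLE to {self.name}! {connection.server_os} ({version_str})")
-except SessionError as e:
-if "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
-self.context.log.info(f"RemoteRegistry is probably deactivated: {e}")
+connection.trigger_winreg()
+rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
+rpc.set_smb_connection(connection.conn)
+if connection.kerberos:
+rpc.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)
+dce = rpc.get_dce_rpc()
+if connection.kerberos:
+dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+try:
+dce.connect()
+dce.bind(rrp.MSRPC_UUID_RRP)
+# Reading UBR from registry
+hRootKey = rrp.hOpenLocalMachine(dce)["phKey"]
+hKey = rrp.hBaseRegOpenKey(dce, hRootKey, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion")["phkResult"]
+ubr = rrp.hBaseRegQueryValue(dce, hKey, "UBR")[1]
+version_str = f"{connection.server_os_major}.{connection.server_os_minor}.{connection.server_os_build}.{ubr}" if ubr else None
+dce.disconnect()
+if not version_str:
+self.context.log.info("Could not determine OS version from registry")
+return
+vuln = self.is_vulnerable(connection.server_os_major, connection.server_os_minor, connection.server_os_build, ubr)
+if vuln:
+if not connection.conn.isSigningRequired(): # Not vulnerable if SMB signing is enabled
+context.log.highlight(f"VULNERABLE (can relay SMB to any protocols on {self.context.log.extra['host']})")
 else:
-self.context.log.debug(f"Unexpected error: {e}")
-except (BrokenPipeError, ConnectionResetError, NetBIOSError, OSError) as e:
-context.log.debug(f"ntlm_reflection: DCERPC transport error: {e.__class__.__name__}: {e}")
+context.log.highlight(f"VULNERABLE (can relay SMB to any others protocols except SMB on {self.context.log.extra['host']})")
+except SessionError as e:
+if "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+self.context.log.info(f"RemoteRegistry is probably deactivated: {e}")
+else:
+self.context.log.debug(f"Unexpected error: {e}")
+except (BrokenPipeError, ConnectionResetError, NetBIOSError, OSError) as e:
+context.log.debug(f"ntlm_reflection: DCERPC transport error: {e.__class__.__name__}: {e}")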
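Review bot: The comment carried over onto the new `if not connection.conn.isSigningRequired():` line still says `# Not vulnerable if SMB signing is enabled`, but the `else:` branch directly below it now reports the host as VULNERABLE, so the comment contradicts the code it annotates; replace it with `# Signing required only blocks relaying back to SMB; relay to other protocols is still reported`. The `else:` highlight also has a wording slip, `any others protocols except SMB` should read `any other protocol except SMB`. After this change `version_str` is only tested for truthiness and no longer appears in any output, whereas the removed highlight printed `{connection.server_os} ({version_str})`; consider appending `({version_str})` to both new highlight messages so the build that was judged vulnerable is still recorded, or reduce the check to `if not ubr:`. The `if ubr else None` guard also treats a UBR value of 0 as "could not determine", which predates this commit but now decides whether either VULNERABLE line is ever reached. `on_login` starts inside the hunk and appears to end with the final `except` clause shown.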
