Merge pull request Pennyw0rth#918 from azoxlpf/fix/ntlm_reflection-transport-error

catch BrokenPipe and transport errors to prevent session crash

Author: NeffIsBack

nxc/modules/backup_operator.py

@@ -1,4 +1,4 @@
-import time
+import contextlib
 import os
 import datetime
 
@@ -30,18 +30,19 @@ def on_login(self, context, connection):
         connection.args.share = "SYSVOL"
         # enable remote registry
         context.log.display("Triggering RemoteRegistry to start through named pipe...")
-        self.trigger_winreg(connection.conn, context)
+        connection.trigger_winreg()
         rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
         rpc.set_smb_connection(connection.conn)
         if connection.kerberos:
             rpc.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)
         dce = rpc.get_dce_rpc()
         if connection.kerberos:
             dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
-        dce.connect()
-        dce.bind(rrp.MSRPC_UUID_RRP)
 
         try:
+            dce.connect()
+            dce.bind(rrp.MSRPC_UUID_RRP)
+
             for hive in ["HKLM\\SAM", "HKLM\\SYSTEM", "HKLM\\SECURITY"]:
                 hRootKey, subKey = self._strip_root_key(dce, hive)
                 outputFileName = f"\\\\{connection.host}\\SYSVOL\\{subKey}"
@@ -54,9 +55,11 @@ def on_login(self, context, connection):
                     context.log.fail(f"Couldn't save {hive}: {e} on path {outputFileName}")
                     return
         except (Exception, KeyboardInterrupt) as e:
-            context.log.fail(str(e))
+            context.log.fail(f"Unexpected error: {e}")
+            return
         finally:
-            dce.disconnect()
+            with contextlib.suppress(Exception):
+                dce.disconnect()
 
         # copy remote file to local
         log_path = os.path.expanduser(f"{NXC_PATH}/logs/{connection.hostname}_{connection.host}_{datetime.datetime.now().strftime('%Y-%m-%d_%H%M%S')}.".replace(":", "-"))
@@ -115,29 +118,3 @@ def parse_sam(secret):
             context.log.display("netexec smb dc_ip -u user -p pass -x \"del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM\"")  # noqa: Q003
         else:
             context.log.display("Successfully deleted dump files !")
-
-    def trigger_winreg(self, connection, context):
-        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
-        # Basically triggers the RemoteRegistry to start without admin privs
-        tid = connection.connectTree("IPC$")
-        try:
-            connection.openFile(
-                tid,
-                r"\winreg",
-                0x12019F,
-                creationOption=0x40,
-                fileAttributes=0x80,
-            )
-        except SessionError as e:
-            # STATUS_PIPE_NOT_AVAILABLE error is expected
-            context.log.debug(str(e))
-        # Give remote registry time to start
-        time.sleep(1)
-
-    def _strip_root_key(self, dce, key_name):
-        # Let's strip the root key
-        key_name.split("\\")[0]
-        sub_key = "\\".join(key_name.split("\\")[1:])
-        ans = rrp.hOpenLocalMachine(dce)
-        h_root_key = ans["phKey"]
-        return h_root_key, sub_key

nxc/modules/ntlm_reflection.py

@@ -1,12 +1,13 @@
-import time
 from impacket.dcerpc.v5 import transport, rrp
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
 from impacket.smbconnection import SessionError
 from nxc.helpers.misc import CATEGORY
+from impacket.nmb import NetBIOSError
 
 
 class NXCModule:
     # https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+    # Modified by azoxlpf to handle BrokenPipe/transport errors gracefully
     name = "ntlm_reflection"
     description = "Attempt to check if the OS is vulnerable to CVE-2025-33073 (NTLM Reflection attack)"
     supported_protocols = ["smb"]
@@ -48,7 +49,7 @@ def on_login(self, context, connection):
         self.context = context
         self.connection = connection
         if not connection.conn.isSigningRequired():  # Not vulnerable if SMB signing is enabled
-            self.trigger_winreg(connection.conn, context)
+            connection.trigger_winreg()
             rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
             rpc.set_smb_connection(connection.conn)
             if connection.kerberos:
@@ -76,21 +77,5 @@ def on_login(self, context, connection):
                     self.context.log.info(f"RemoteRegistry is probably deactivated: {e}")
                 else:
                     self.context.log.debug(f"Unexpected error: {e}")
-
-    def trigger_winreg(self, connection, context):
-        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
-        # Basically triggers the RemoteRegistry to start without admin privs
-        tid = connection.connectTree("IPC$")
-        try:
-            connection.openFile(
-                tid,
-                r"\winreg",
-                0x12019F,
-                creationOption=0x40,
-                fileAttributes=0x80,
-            )
-        except SessionError as e:
-            # STATUS_PIPE_NOT_AVAILABLE error is expected
-            context.log.debug(str(e))
-        # Give remote registry time to start
-        time.sleep(1)
+            except (BrokenPipeError, ConnectionResetError, NetBIOSError, OSError) as e:
+                context.log.debug(f"ntlm_reflection: DCERPC transport error: {e.__class__.__name__}: {e}")

nxc/modules/sccm-recon6.py

@@ -1,9 +1,8 @@
 
-import time
+import contextlib
 from impacket.dcerpc.v5 import transport, rrp
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
 from impacket.dcerpc.v5.rpcrt import DCERPCException
-from impacket.smbconnection import SessionError
 from nxc.helpers.misc import CATEGORY
 from impacket.smbconnection import SMBConnection
 
@@ -23,7 +22,7 @@ def on_login(self, context, connection):
         self.context = context
         self.connection = connection
 
-        self.trigger_winreg(connection.conn, context)
+        connection.trigger_winreg()
 
         rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
         rpc.set_smb_connection(connection.conn)
@@ -33,14 +32,15 @@ def on_login(self, context, connection):
         dce = rpc.get_dce_rpc()
         if connection.kerberos:
             dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
-        dce.connect()
-        dce.bind(rrp.MSRPC_UUID_RRP)
-
-        # Open HKEY_LOCAL_MACHINE
-        ans = rrp.hOpenLocalMachine(dce)
-        hRootKey = ans["phKey"]
 
         try:
+            dce.connect()
+            dce.bind(rrp.MSRPC_UUID_RRP)
+
+            # Open HKEY_LOCAL_MACHINE
+            ans = rrp.hOpenLocalMachine(dce)
+            hRootKey = ans["phKey"]
+
             self.EnumerateSS(dce, hRootKey)
             try:
                 self.EnumerateDB(dce, hRootKey)
@@ -51,8 +51,11 @@ def on_login(self, context, connection):
                 self.context.log.info(f"Probably not a primary site server or a distribution point: {e}")
             else:
                 self.context.log.fail(f"Unexpected error: {e}")
-
-        dce.disconnect()
+        except Exception as e:
+            self.context.log.fail(f"Unexpected error: {e}")
+        finally:
+            with contextlib.suppress(Exception):
+                dce.disconnect()
 
     def EnumerateSS(self, dce, hRootKey):
         # Open the target registry key
@@ -130,21 +133,3 @@ def EnumerateDB(self, dce, hRootKey):
                     self.context.log.display(f"       SMB signing: {new_conn.isSigningRequired()}")
                 else:
                     self.context.log.highlight(f"       SMB signing: {new_conn.isSigningRequired()} - TAKEOVER-2")
-
-    def trigger_winreg(self, connection, context):
-        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
-        # Basically triggers the RemoteRegistry to start without admin privs
-        tid = connection.connectTree("IPC$")
-        try:
-            connection.openFile(
-                tid,
-                r"\winreg",
-                0x12019F,
-                creationOption=0x40,
-                fileAttributes=0x80,
-            )
-        except SessionError as e:
-            # STATUS_PIPE_NOT_AVAILABLE error is expected
-            context.log.debug(str(e))
-        # Give remote registry time to start
-        time.sleep(1)

nxc/protocols/smb.py

@@ -735,6 +735,32 @@ def _is_port_open(self, port, timeout=1):
             self.logger.debug(f"Error checking port {port} on {self.host}: {e}")
             return False
 
+    def trigger_winreg(self):
+        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
+        # Basically triggers the RemoteRegistry to start without admin privs
+        try:
+            tid = self.conn.connectTree("IPC$")
+            try:
+                self.conn.openFile(
+                    tid,
+                    r"\winreg",
+                    0x12019F,
+                    creationOption=0x40,
+                    fileAttributes=0x80,
+                )
+            except SessionError as e:
+                # STATUS_PIPE_NOT_AVAILABLE error is expected
+                if "STATUS_PIPE_NOT_AVAILABLE" not in str(e):
+                    raise
+                else:
+                    self.logger.debug(f"Received expected error while triggering winreg: {e}")
+            # Give remote registry time to start
+            sleep(1)
+            return True
+        except (SessionError, BrokenPipeError, ConnectionResetError, NetBIOSError, OSError) as e:
+            self.logger.debug(f"Received unexpected error while triggering winreg: {e}")
+            return False
+
     @requires_admin
     def execute(self, payload=None, get_output=False, methods=None) -> str:
         """