smb2 blank credentials issue. #933

Open
gatsu38 opened this issue Feb 24, 2024 · 3 comments

gatsu38 commented Feb 24, 2024

Using smb2, Hydra successfully discerns between valid and non-valid passwords, with the exception of blank ones; in the latter case it always returns a false positive, even for non-existing accounts. A different SPNEGO message is shown if using hydra or smbclient, which authenticates correctly. Furthermore, the -e n switch has a bug of its own.

smbclient -L 192.168.47.1 -U "John%" -d7
INFO: Current debug levels:
all: 7 tdb: 7 printdrivers: 7 lanman: 7 smb: 7 rpc_parse: 7 rpc_srv: 7 rpc_cli: 7 passdb: 7 sam: 7 auth: 7 winbind: 7 vfs: 7 idmap: 7 quota: 7 acls: 7 locking: 7 msdfs: 7 dmapi: 7 registry: 7 scavenger: 7 dns: 7 ldb: 7 tevent: 7 auth_audit: 7 auth_json_audit: 7 kerberos: 7 drs_repl: 7 smb2: 7 smb2_credits: 7 dsdb_audit: 7 dsdb_json_audit: 7 dsdb_password_audit: 7 dsdb_password_json_audit: 7 dsdb_transaction_audit: 7 dsdb_transaction_json_audit: 7 dsdb_group_audit: 7 dsdb_group_json_audit: 7
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 7 tdb: 7 printdrivers: 7 lanman: 7 smb: 7 rpc_parse: 7 rpc_srv: 7 rpc_cli: 7 passdb: 7 sam: 7 auth: 7 winbind: 7 vfs: 7 idmap: 7 quota: 7 acls: 7 locking: 7 msdfs: 7 dmapi: 7 registry: 7 scavenger: 7 dns: 7 ldb: 7 tevent: 7 auth_audit: 7 auth_json_audit: 7 kerberos: 7 drs_repl: 7 smb2: 7 smb2_credits: 7 dsdb_audit: 7 dsdb_json_audit: 7 dsdb_password_audit: 7 dsdb_password_json_audit: 7 dsdb_transaction_audit: 7 dsdb_transaction_json_audit: 7 dsdb_group_audit: 7 dsdb_group_json_audit: 7
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens33 ip=192.168.47.133 bcast=192.168.47.255 netmask=255.255.255.0
Client started (version 4.15.13-Ubuntu).
Connecting to 192.168.47.1 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[192.168.47.1]
cli_session_setup_spnego_send: Connect to 192.168.47.1 as John@WORKGROUP using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Cannot do GSE to an IP address
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_SERVER
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).
session setup failed: NT_STATUS_ACCOUNT_RESTRICTION

Please note that the account restriction error does confirm the validity of the credential but doesn't allow access to the shares due to other Windows restrictions.

hydra -vvv -d -l John -p "" 192.168.47.1 -m workgroup:{WORKGROUP} smb2
Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-24 11:47:18
[DEBUG] cmdline: ./hydra -vvv -d -l John -p -m workgroup:{WORKGROUP} 192.168.47.1 smb2
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking smb2://192.168.47.1:445/workgroup:{WORKGROUP}
[VERBOSE] Resolving addresses ...
[DEBUG] resolving 192.168.47.1
[VERBOSE] resolving done
[VERBOSE] Set workgroup to: WORKGROUP
[DEBUG] Code: attack Time: 1708742838
[DEBUG] Options: mode 0 ssl 0 restore 0 showAttempt 0 tasks 1 max_use 1 tnp 0 tpsal 0 tprl 0 exit_found 0 miscptr workgroup:{WORKGROUP service smb2
[DEBUG] Brains: active 0 targets 1 finished 0 todo_all 1 todo 1 sent 0 found 0 countlogin 1 sizelogin 5 countpass 1 sizepass 1
[DEBUG] Target 0 - target 192.168.47.1 ip 192.168.47.1 login_no 0 pass_no 0 sent 0 pass_state 0 redo_state 0 (0 redos) use_count 0 failed 0 done 0 fail_count 0 login_ptr John pass_ptr
[DEBUG] Task 0 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[DEBUG] Tasks 1 inactive 0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 5900
[DEBUG] head_no 0 has pid 5900
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin John, tpass , logincnt 0/1, passcnt 0/1, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin John, cpass , tlogin -p, tpass , redo 0
[ATTEMPT] target 192.168.47.1 - login "John" - pass "" - 1 of 1 [child 0] (0/0)
INFO: Current debug levels:
all: 7
tdb: 7
printdrivers: 7
lanman: 7
smb: 7
rpc_parse: 7
rpc_srv: 7
rpc_cli: 7
passdb: 7
sam: 7
auth: 7
winbind: 7
vfs: 7
idmap: 7
quota: 7
acls: 7
locking: 7
msdfs: 7
dmapi: 7
registry: 7
scavenger: 7
dns: 7
ldb: 7
tevent: 7
auth_audit: 7
auth_json_audit: 7
kerberos: 7
drs_repl: 7
smb2: 7
smb2_credits: 7
dsdb_audit: 7
dsdb_json_audit: 7
dsdb_password_audit: 7
dsdb_password_json_audit: 7
dsdb_transaction_audit: 7
dsdb_transaction_json_audit: 7
dsdb_group_audit: 7
dsdb_group_json_audit: 7
Using netbios name MASTERING-VIRTUAL-MACHINE.
Using workgroup WORKGROUP.
[INFO] Connecting to: smb://192.168.47.1/IPC$ with WORKGROUP\John%
parsed path: fname='smb://192.168.47.1/IPC$' server='192.168.47.1' share='IPC$' path='' options=''
SMBC_check_options(): server='192.168.47.1' share='IPC$' path='' options=''
SMBC_server: server_n=[192.168.47.1] server=[192.168.47.1]
-> server_n=[192.168.47.1] server=[192.168.47.1]
Connecting to 192.168.47.1 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
cli_session_setup_spnego_send: Connect to 192.168.47.1 as John@WORKGROUP using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_SERVER
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
gensec_update_done: ntlmssp[0x55ae039e8490]: NT_STATUS_WRONG_CREDENTIAL_HANDLE
gensec_spnego_client_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_CREDENTIAL_HANDLE
gensec_update_done: spnego[0x55ae039e3a20]: NT_STATUS_WRONG_CREDENTIAL_HANDLE
SPNEGO login failed: The supplied credential handle does not match the credential that is associated with the security context.
cli_session_setup_spnego_send: Connect to 192.168.47.1 as (null) using SPNEGO
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_SERVER
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - using NTLM1
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
Performing aggressive shutdown.
Context 0x55ae039d2800 successfully freed
Freeing parametrics:
[DEBUG] head_no[0] read F
[445][smb2] host: 192.168.47.1 login: John
[DEBUG] head_no[0] read n
[STATUS] attack finished for 192.168.47.1 (waiting for children to complete tests)
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target successfully completed, 1 valid password found
[DEBUG] killing all remaining children now that might be stuck
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-24 11:47:18

If instead of -p "" we use the -e n switch:

hydra -vvv -d -l John -e n 192.168.47.1 -m workgroup:{WORKGROUP} smb2
Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-24 11:46:15
[DEBUG] cmdline: ./hydra -vvv -d -l John -e n -m workgroup:{WORKGROUP} 192.168.47.1 smb2
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking smb2://192.168.47.1:445/workgroup:{WORKGROUP}
[VERBOSE] Resolving addresses ...
[DEBUG] resolving 192.168.47.1
[VERBOSE] resolving done
[VERBOSE] Set workgroup to: WORKGROUP
[DEBUG] Code: attack Time: 1708742775
[DEBUG] Options: mode 16 ssl 0 restore 0 showAttempt 0 tasks 1 max_use 1 tnp 1 tpsal 0 tprl 0 exit_found 0 miscptr workgroup:{WORKGROUP service smb2
[DEBUG] Brains: active 0 targets 1 finished 0 todo_all 1 todo 1 sent 0 found 0 countlogin 1 sizelogin 5 countpass 1 sizepass 1
[DEBUG] Target 0 - target 192.168.47.1 ip 192.168.47.1 login_no 0 pass_no 0 sent 0 pass_state 0 redo_state 0 (0 redos) use_count 0 failed 0 done 0 fail_count 0 login_ptr John pass_ptr
[DEBUG] Task 0 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[DEBUG] Tasks 1 inactive 0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 5781
[DEBUG] head_no 0 has pid 5781
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin John, tpass , logincnt 0/1, passcnt 0/1, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 2, clogin John, cpass , tlogin John, tpass , redo 0
[ATTEMPT] target 192.168.47.1 - login "John" - pass "" - 1 of 1 [child 0] (0/0)
INFO: Current debug levels:
all: 7
tdb: 7
printdrivers: 7
lanman: 7
smb: 7
rpc_parse: 7
rpc_srv: 7
rpc_cli: 7
passdb: 7
sam: 7
auth: 7
winbind: 7
vfs: 7
idmap: 7
quota: 7
acls: 7
locking: 7
msdfs: 7
dmapi: 7
registry: 7
scavenger: 7
dns: 7
ldb: 7
tevent: 7
auth_audit: 7
auth_json_audit: 7
kerberos: 7
drs_repl: 7
smb2: 7
smb2_credits: 7
dsdb_audit: 7
dsdb_json_audit: 7
dsdb_password_audit: 7
dsdb_password_json_audit: 7
dsdb_transaction_audit: 7
dsdb_transaction_json_audit: 7
dsdb_group_audit: 7
dsdb_group_json_audit: 7
Using netbios name MASTERING-VIRTUAL-MACHINE.
Using workgroup WORKGROUP.
[INFO] Connecting to: smb://192.168.47.1/IPC$ with WORKGROUP\John%
parsed path: fname='smb://192.168.47.1/IPC$' server='192.168.47.1' share='IPC$' path='' options=''
SMBC_check_options(): server='192.168.47.1' share='IPC$' path='' options=''
SMBC_server: server_n=[192.168.47.1] server=[192.168.47.1]
-> server_n=[192.168.47.1] server=[192.168.47.1]
Connecting to 192.168.47.1 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
cli_session_setup_spnego_send: Connect to 192.168.47.1 as John@WORKGROUP using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_SERVER
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
gensec_update_done: ntlmssp[0x557254ed2490]: NT_STATUS_WRONG_CREDENTIAL_HANDLE
gensec_spnego_client_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_CREDENTIAL_HANDLE
gensec_update_done: spnego[0x557254ecda20]: NT_STATUS_WRONG_CREDENTIAL_HANDLE
SPNEGO login failed: The supplied credential handle does not match the credential that is associated with the security context.
cli_session_setup_spnego_send: Connect to 192.168.47.1 as (null) using SPNEGO
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_SERVER
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - using NTLM1
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
Performing aggressive shutdown.
Context 0x557254ebc800 successfully freed
Freeing parametrics:
[DEBUG] head_no[0] read F
[445][smb2] host: 192.168.47.1 login: John
[DEBUG] skipping username John
[DEBUG] head_no[0] read n
[STATUS] attack finished for 192.168.47.1 (waiting for children to complete tests)
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target successfully completed, 1 valid password found
[DEBUG] killing all remaining children now that might be stuck
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-24 11:46:15

This is the Session id of the smb2 session setup request's header, identical for both hydra -p and smbclient:
Session Id: 0x0001640004000061 Acct:John Domain:WORKGROUP Host:MASTERING-VIRTUAL-MACHINE

This is the Session id but for hydra -e n:
Session Id: 0x0001640004000065 Acct: Domain: Host:

I am using:
Hydra v9.6dev compiled from GitHub with libsmbclient 2:4.15.13 on Ubuntu 22.04.1

Thanks for your time and interest
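
The traces in the report above differ in who the last session setup ran as: the Hydra runs retry as `(null)` with `NTLMSSP_ANONYMOUS` in the final flags, while the smbclient run stays as John. The script below is an added example, not part of the original report and not Hydra's code; it parses a libsmbclient debug trace into session-setup attempts and decodes the final `neg_flags` so a reported hit can be checked against the identity that was actually negotiated. The function names and the trimmed sample trace are constructed for illustration; the flag bit values are the ones defined in MS-NLMP.

```python
import re

# NTLMSSP negotiate-flag bits (MS-NLMP), limited to the names printed in the traces.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
CONNECT = re.compile(r"Connect to \S+ as (\S+) using SPNEGO")
FINAL = re.compile(r"NTLMSSP: Set final flags:\s*Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)")
FAILED = re.compile(r"SPNEGO login failed: ([^\n]+)")

def decode_flags(value):
    """Names of the known bits set in an NTLMSSP neg_flags value."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]

def session_attempts(trace):
    """One dict per session setup: identity, final neg_flags, failure text."""
    parts = CONNECT.split(trace)[1:]  # identity, body, identity, body, ...
    attempts = []
    for identity, body in zip(parts[0::2], parts[1::2]):
        final, failed = FINAL.search(body), FAILED.search(body)
        attempts.append({
            "identity": identity,
            "final": int(final.group(1), 16) if final else None,
            "failure": failed.group(1) if failed else None,
        })
    return attempts

def anonymous_fallback(trace, tested_user):
    """True if the tested user's session setup was followed by an anonymous one."""
    seen_user = False
    for a in session_attempts(trace):
        if a["identity"].split("@")[0] == tested_user:
            seen_user = True
        elif seen_user and (a["identity"] == "(null)"
                            or "NTLMSSP_ANONYMOUS" in decode_flags(a["final"] or 0)):
            return True
    return False

# Constructed excerpt, trimmed from the Hydra trace in the report above.
HYDRA_TRACE = """\
cli_session_setup_spnego_send: Connect to 192.168.47.1 as John@WORKGROUP using SPNEGO
SPNEGO login failed: The supplied credential handle does not match the credential that is associated with the security context.
cli_session_setup_spnego_send: Connect to 192.168.47.1 as (null) using SPNEGO
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62008a15
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
"""
```

Running `anonymous_fallback` over a saved `-d` trace tells you whether a reported result rests on a session negotiated for the tested account or on the anonymous retry.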

@vanhauser-thc
Owner

Thank you for your report. Can you send a PR with a fix? If not, please provide the output I need to implement it.

@gatsu38
Author

gatsu38 commented Feb 25, 2024

I am sorry I am not skilled enough to fix this. I am not sure what you mean with "output" other than the one I already posted.

@DaddyBigFish

If you have a blank line in a password file, hydra assumes blank is success and doesn't continue looking for real passwords, so the false positive is just "". Remove the "" line from the password file and it finds as it should... still a bug and would be best fixed.
