Describe the bug
Using the ntlm_reflection module with a guest user results in a "DCERPCException" stack trace.
To Reproduce
Command: nxc smb S200401.overwatch.htb -u 'guest' -p '' -M ntlm_reflection --debug
Resulted in:
[11:37:35] DEBUG NXC VERSION: 1.5.0 - Yippie-Ki-Yay - f363124e - 67 netexec.py:82
DEBUG PYTHON VERSION: 3.13.11 (main, Dec 8 2025, 11:43:54) [GCC 15.2.0] netexec.py:83
DEBUG RUNNING ON: Linux Release: 6.18.5+kali-amd64 netexec.py:84
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, no_progress=False, log=None, verbose=False, debug=True, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, netexec.py:85
protocol='smb', target=['S200401.overwatch.htb'], username=['guest'], password=[''], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False, gfail_limit=None,
ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None, pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, module=['ntlm_reflection'],
module_options=[], list_modules=None, show_module_options=False, hash=[], delegate=None, delegate_spn=None, generate_st=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$',
smb_server_port=445, no_smbv1=False, no_admin_check=False, gen_relay_list=None, smb_timeout=2, laps=None, generate_hosts_file=None, generate_krb5_file=None, generate_tgt=None, sam=None, lsa=None,
ntds=None, kerberos_keys=False, history=False, enabled=False, userntds=None, dpapi=None, sccm=None, mkfile=None, pvk=None, list_snapshots=None, shares=None, exclude_shares=None, dir=None,
interfaces=False, no_write_check=False, filter_shares=None, disks=False, users=None, users_export=None, groups=None, local_groups=None, computers=None, pass_pol=False, rid_brute=None, smb_sessions=False,
reg_sessions=None, loggedon_users=None, loggedon_users_filter=None, qwinsta=None, tasklist=None, taskkill=None, wmi_query=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False,
exclude_dirs='', depth=None, only_files=False, silent=False, pattern=None, regex=None, put_file=None, get_file=None, append_host=False, exec_method='wmiexec', dcom_timeout=5, get_output_tries=100,
codec='utf-8', no_output=False, execute=None, ps_execute=None, obfs=False, amsi_bypass=None, clear_obfscripts=False, force_ps32=False, no_encode=False)
DEBUG Protocol: smb netexec.py:141
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/smb.py netexec.py:144
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/smb/database.py netexec.py:146
[11:37:36] DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.smb'>, type: <class 'type'> netexec.py:149
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:151
DEBUG DB Path: /home/kali/.nxc/workspaces/default/smb.db netexec.py:154
DEBUG Modules to be Loaded for sanity check: ['ntlm_reflection'], <class 'list'> netexec.py:188
DEBUG Loading module for sanity check ntlm_reflection at path /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/modules/ntlm_reflection.py netexec.py:195
DEBUG Supported protocols: ['smb'] moduleloader.py:67
DEBUG Protocol: smb moduleloader.py:68
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:48
INFO Socket info: host=10.129.4.168, hostname=S200401.overwatch.htb, kerberos=False, ipv6=False, link-local ipv6=False connection.py:174
DEBUG Kicking off proto_flow connection.py:238
INFO Creating SMBv1 connection to 10.129.4.168 smb.py:555
[11:37:37] INFO SMBv1 disabled on 10.129.4.168 smb.py:578
INFO Creating SMBv3 connection to 10.129.4.168 smb.py:586
DEBUG Created connection object connection.py:243
DEBUG Server OS: Windows Server 2022 Build 20348 10.0 build 20348 smb.py:255
[11:37:38] DEBUG Update Hosts: [{'id': 10, 'ip': '10.129.4.168', 'hostname': 'S200401', 'domain': 'overwatch.htb', 'os': 'Windows Server 2022 Build 20348', 'dc': None, 'smbv1': None, 'signing': True, 'spooler': None, database.py:273
'zerologon': None, 'petitpotam': None}]
DEBUG add_host() - Host IDs Updated: [10] database.py:283
INFO Resolved domain: overwatch.htb with dns, kdcHost: 10.129.4.168 smb.py:291
[11:37:38] INFO SMB 10.129.4.168 445 S200401 Windows Server 2022 Build 20348 x64 (name:S200401) (domain:overwatch.htb) (signing:True) (SMBv1:None) (Null Auth:True) smb.py:299
DEBUG Trying to authenticate using plaintext with domain connection.py:505
INFO Creating SMBv1 connection to 10.129.4.168 smb.py:555
INFO SMBv1 disabled on 10.129.4.168 smb.py:578
INFO Creating SMBv3 connection to 10.129.4.168 smb.py:586
[11:37:39] DEBUG Logged in with password to SMB with overwatch.htb/guest smb.py:445
DEBUG self.is_guest=False smb.py:447
DEBUG Checking if user is admin on 10.129.4.168 smb.py:634
[11:37:40] DEBUG Adding credential: overwatch.htb/guest: smb.py:451
DEBUG Adding credentials: [{'id': 5, 'domain': 'overwatch.htb', 'username': 'guest', 'password': '', 'credtype': 'plaintext', 'pillaged_from_hostid': None}] database.py:340
DEBUG Using 'ip' column for filtering database.py:116
DEBUG filter_term is an IP address: 10.129.4.168 database.py:127
DEBUG smb hosts() - results: [(10, '10.129.4.168', 'S200401', 'overwatch.htb', 'Windows Server 2022 Build 20348', None, None, True, None, None, None)] database.py:489
[11:37:40] INFO SMB 10.129.4.168 445 S200401 overwatch.htb\guest: smb.py:458
INFO Loading modules for target: 10.129.4.168 connection.py:597
DEBUG Supported protocols: ['smb'] moduleloader.py:67
DEBUG Protocol: smb moduleloader.py:68
DEBUG Calling modules connection.py:257
DEBUG Loading module ntlm_reflection - <NXCModule.NXCModule object at 0x7f89a7e80590> connection.py:292
DEBUG Loading context for module ntlm_reflection - <NXCModule.NXCModule object at 0x7f89a7e80590> connection.py:302
DEBUG Module ntlm_reflection has on_login method connection.py:307
[11:37:43] ERROR Exception while calling proto_flow() on target S200401.overwatch.htb: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied connection.py:187
╭───────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────╮
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:177 in __init__ │
│ │
│ 174 │ │ self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, │
│ kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local │
│ ipv6={self.is_link_local_ipv6}") │
│ 175 │ │ │
│ 176 │ │ try: │
│ ❱ 177 │ │ │ self.proto_flow() │
│ 178 │ │ except FileNotFoundError as e: │
│ 179 │ │ │ self.logger.error(f"File not found error on target {target}: {e}") │
│ 180 │ │ except Exception as e: │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:258 in proto_flow │
│ │
│ 255 │ │ │ │ if hasattr(self.args, "module") and self.args.module: │
│ 256 │ │ │ │ │ self.load_modules() │
│ 257 │ │ │ │ │ self.logger.debug("Calling modules") │
│ ❱ 258 │ │ │ │ │ self.call_modules() │
│ 259 │ │ │ │ else: │
│ 260 │ │ │ │ │ self.logger.debug("Calling command arguments") │
│ 261 │ │ │ │ │ self.call_cmd_args() │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:308 in call_modules │
│ │
│ 305 │ │ │ │
│ 306 │ │ │ if hasattr(module, "on_login"): │
│ 307 │ │ │ │ self.logger.debug(f"Module {module.name} has on_login method") │
│ ❱ 308 │ │ │ │ module.on_login(context, self) │
│ 309 │ │ │ │
│ 310 │ │ │ if self.admin_privs and hasattr(module, "on_admin_login"): │
│ 311 │ │ │ │ self.logger.debug(f"Module {module.name} has on_admin_login method") │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/modules/ntlm_reflection.py:65 in on_login │
│ │
│ 62 │ │ │ dce.bind(rrp.MSRPC_UUID_RRP) │
│ 63 │ │ │ # Reading UBR from registry │
│ 64 │ │ │ hRootKey = rrp.hOpenLocalMachine(dce)["phKey"] │
│ ❱ 65 │ │ │ hKey = rrp.hBaseRegOpenKey(dce, hRootKey, "SOFTWARE\\Microsoft\\Windows │
│ NT\\CurrentVersion")["phkResult"] │
│ 66 │ │ │ ubr = rrp.hBaseRegQueryValue(dce, hKey, "UBR")[1] │
│ 67 │ │ │ version_str = │
│ f"{connection.server_os_major}.{connection.server_os_minor}.{connection.server_os_build} │
│ .{ubr}" if ubr else None │
│ 68 │ │ │ dce.disconnect() │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/impacket/dcerpc/v5/rrp.py:885 in hBaseRegOpenKey │
│ │
│ 882 │ request['lpSubKey'] = checkNullString(lpSubKey) │
│ 883 │ request['dwOptions'] = dwOptions │
│ 884 │ request['samDesired'] = samDesired │
│ ❱ 885 │ return dce.request(request) │
│ 886 │
│ 887 def hBaseRegQueryInfoKey(dce, hKey): │
│ 888 │ request = BaseRegQueryInfoKey() │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/impacket/dcerpc/v5/rpcrt.py:1436 in request │
│ │
│ 1433 │ │ │ │ │ exception = sessionErrorClass(error_code = error_code) │
│ 1434 │ │ │ │ else: │
│ 1435 │ │ │ │ │ exception = sessionErrorClass(packet = response, error_code = │
│ error_code) │
│ ❱ 1436 │ │ │ raise exception │
│ 1437 │ │ else: │
│ 1438 │ │ │ response = respClass(answer, isNDR64 = isNDR64) │
│ 1439 │ │ │ return response │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
DEBUG Closing connection to: S200401.overwatch.htb
Expected behavior
Error without a stacktrace.
NetExec info
- OS: Kali
- Version of nxc: 1.5.0 - Yippie-Ki-Yay - f363124 - 67
- Installed from: pipx
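One way to get the expected behavior, shown as an added example (not NetExec's own code and not part of the original report): the three registry calls from the traceback are wrapped so that a DCERPCException produces a one-line error. `read_ubr`, `Denied`, `FakeDce`, `FakeRrp` and the UBR value 2113 are hypothetical names and constructed data so the block runs offline.

```python
import logging

try:  # real exception class when impacket is installed
    from impacket.dcerpc.v5.rpcrt import DCERPCException
except ImportError:  # constructed stand-in so the example runs offline
    class DCERPCException(Exception):
        pass

KEY = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"

def read_ubr(dce, rrp, log):
    """Hypothetical helper: return UBR, or None after a one-line error."""
    try:
        root = rrp.hOpenLocalMachine(dce)["phKey"]
        key = rrp.hBaseRegOpenKey(dce, root, KEY)["phkResult"]
        return rrp.hBaseRegQueryValue(dce, key, "UBR")[1]
    except DCERPCException as e:
        reason = "access denied" if "rpc_s_access_denied" in str(e) else str(e)
        log.error("Cannot read UBR from the remote registry: %s", reason)
        return None
    finally:
        dce.disconnect()  # runs on success and on failure

class Denied(DCERPCException):  # constructed: the error from the report
    def __init__(self):
        Exception.__init__(self)
    def __str__(self):
        return "DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied"

class FakeDce:  # constructed stand-in for the bound DCE/RPC connection
    closed = False
    def disconnect(self):
        self.closed = True

class FakeRrp:  # constructed stand-in for impacket.dcerpc.v5.rrp
    def __init__(self, deny):
        self.deny = deny
    def hOpenLocalMachine(self, dce):
        return {"phKey": "hklm"}
    def hBaseRegOpenKey(self, dce, root, sub_key):
        if self.deny:
            raise Denied()
        return {"phkResult": "key"}
    def hBaseRegQueryValue(self, dce, key, name):
        return (4, 2113)  # (REG_DWORD, constructed UBR value)

def demo():
    log = logging.getLogger("ubr_demo")
    ok, denied = FakeDce(), FakeDce()
    return (read_ubr(ok, FakeRrp(False), log), read_ubr(denied, FakeRrp(True), log), ok.closed and denied.closed)
```

A caller that receives `None` can skip building the version string, as line 67 in the traceback already does when `ubr` is empty.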