PTH Fix for Group Enumeration with SMB

[kreed-kl]

This PR contains a new function in connection.py.

Closes #562

Description

When using NetExec with the SMB protocol for enumeration, either a plaintext
password or a hash can be passed to authenticate to the target.
Attempting to enumerate groups with the --groups option and passing an NT hash
returns with errors. While passing a plaintext password will enumerate groups with
nxc smb <TARGET> -u "Administrator" -p <PASS> --groups, attempting to
pass an NT hash does not:

nxc smb <TARGET> -u "Administrator" -H "<NTHASH>" --groups

SMB         <IP REDACTED>    445    <HOST REDACTED>     [-] Error enumerating domain group using dc ip <IP REDACTED>: NTLM needs domain\username and a password

The issue is in Pywerview's requester.py, however, a fix can be made
in connection.py. A function called pad_lm() was created to add the
LM hash aad3b435b51404eeaad3b435b51404ee if only an NT hash is given.

The issue can be read here:
#562

Type of change

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

This was tested with NetExec 1.3.0 (NeedForSpeed - Kali Linux)
and PywerView 0.3.3 against a Windows Server 2022 box.
Various commands were used with the password and hash options, and all were
also used with the --debug option appended:

netexec smb <TARGET> -u <USERNAME> -H <NTHASH> --groups
netexec smb <TARGET> -u <USERNAME> -P <PASS> --groups
netexec smb <TARGET> -u <USERNAME> -H "<aad3b435b51404eeaad3b435b51404ee:NTHASH>" --groups
netexec smb <TARGET> -u <USERNAME> -H <NTHASH> --users
netexec smb <TARGET> -u <USERNAME> -P <PASS> --users
netexec smb <TARGET> -u <USERNAME> -H <NTHASH> --shares
netexec smb <TARGET> -u <USERNAME> -P <PASS> --shares
netexec smb <TARGET> -u <USERNAME> -H <NTHASH> --sessions
netexec smb <TARGET> -u <USERNAME> -P <PASS> --sessions

Checklist:

• My code follows the style guidelines of this project (should be covered by Ruff above)
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas

[NeffIsBack]

Thanks for the bug report and fix! I will take a look at it soon

[NeffIsBack]

Hi, imo this should be done on the pywerview side of things, as adding "wrong" hashes seems risky, when also dealing with at the same time impacket. I have opened a PR to pywerview to address the issue: the-useless-one/pywerview#69

[mpgn]

Even fixing on pywerview is a problem since we can't update the version 🙃

We should probably get rid of this code since it should be done using ldap proto

[NeffIsBack]

Even fixing on pywerview is a problem since we can't update the version 🙃

Tried the latest version and it looked like it was working, do you know where this info is from?

But yes, using ldap would probably a lot easier and it is doing that in the background anyway

[mpgn]

Tried the latest version and it looked like it was working, do you know where this info is from?

since v0.4 pywerview need gssapi kbr5 lib (not installed by default) to support kerberos, when installing nxc without this apt package you can have a nice suprise :) We already try :

https://github.com/Pennyw0rth/NetExec/blob/main/pyproject.toml#L62