--gen-relay-list not working

[choket]

Describe the bug
The flag --gen-relay-list does not actually create a file with targets that have SMB signing disabled.

To Reproduce

I downloaded NetExec from the github repository and installed it using python3 -m pipx install .

Then, I run the command nxc smb 192.168.56.0/24 --gen-relay-list relay_targets.txt to generate a file with hosts that have SMB signing disabled. The tool correctly shows which hosts have SMB signing disabled, but it does not save them to a file.

Screenshots
If applicable, add screenshots to help explain your problem.

NetExec info

• OS: ParrotOs
• Version of nxc: 1.1.0 - nxc4u
• Installed from: GitHub with pipx

[NeffIsBack]

Weird, working on my side:

Can you show the --debug output?

[choket]

For simplicity's sake i ran it with just 1 host nxc --debug smb 192.168.56.23 --gen-relay-list targets.txt and I get the following output, but still no targets.txt file being created

[21:49:52] DEBUG    PYTHON VERSION: 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0]                                                                                       netexec.py:90
           DEBUG    RUNNING ON: Linux Release: 6.5.0-13parrot1-amd64                                                                                                        netexec.py:91
           DEBUG    Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, protocol='smb',             netexec.py:92
                    target=['192.168.56.23'], cred_id=[], username=[], password=[], ignore_pw_decoding=False, kerberos=False, no_bruteforce=False,
                    continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None,
                    module_options=[], list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None,
                    hash=[], delegate=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$', smb_server_port=445, gen_relay_list='targets.txt',
                    smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=False,
                    no_write_check=False, filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None,
                    computers=None, local_groups=None, pass_pol=False, rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.',
                    content=False, exclude_dirs='', pattern=None, regex=None, depth=None, only_files=False, put_file=None, get_file=None, append_host=False,
                    exec_method=None, dcom_timeout=5, get_output_tries=5, codec='utf-8', force_ps32=False, no_output=False, execute=None, ps_execute=None, obfs=False,
                    amsi_bypass=None, clear_obfscripts=False)
           DEBUG    Protocol: smb                                                                                                                                          netexec.py:146
           DEBUG    Protocol Path: /root/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py                                                       netexec.py:149
           DEBUG    Protocol DB Path: /root/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py                                           netexec.py:151
           DEBUG    Protocol Object: <class 'protocol.smb'>                                                                                                                netexec.py:154
           DEBUG    Protocol DB Object: <class 'protocol.database'>                                                                                                        netexec.py:156
           DEBUG    DB Path: /root/.nxc/workspaces/default/smb.db                                                                                                          netexec.py:159
           DEBUG    Using selector: EpollSelector                                                                                                                   selector_events.py:54
           DEBUG    Creating ThreadPoolExecutor                                                                                                                             netexec.py:43
           DEBUG    Creating thread for <class 'protocol.smb'>                                                                                                              netexec.py:46
           INFO     Socket info: host=192.168.56.23, hostname=192.168.56.23, kerberos=False, ipv6=False, link-local ipv6=False                                          connection.py:104
           DEBUG    Kicking off proto_flow                                                                                                                              connection.py:164
           DEBUG    Created connection object                                                                                                                           connection.py:167
           DEBUG    Update Hosts: [{'id': 24, 'ip': '192.168.56.23', 'hostname': 'BRAAVOS', 'domain': 'essos.local', 'os': 'Windows Server 2016 Standard Evaluation       database.py:280
                    14393', 'dc': None, 'smbv1': True, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]
           DEBUG    add_host() - Host IDs Updated: [24]                                                                                                                   database.py:290
           DEBUG    Error logging off system: Error occurs while reading from remote(104)                                                                                      smb.py:246
SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
           INFO     SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local)           logger.py:121
                    (signing:False) (SMBv1:True)

[Marshall-Hallenbeck]

Just tested it. It looks like this functionality doesn't work if you don't supply a username and password, which is definitely a bug.
We updated cli.py in #188 to not submit NULL creds by default, since it wasn't apparent to the user we were doing that.

We'll have to fix this to properly write it out, and make sure other functionality didn't break because of it. Just goes to show even a small change can cause big issues 😟

@choket in the mean time, please explicitly set NULL credentials via -u '' -p ''

[choket]

Nice, thanks for the quick responses everyone!

[NeffIsBack]

@choket can you try #208? That probably (/hopefully) fixes the issue

[choket]

Yep, it works with that change.

[NeffIsBack]

This is resolved by #208