blacklanternsecurity · Mercury0 · May 19, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 24, 2025
diff --git a/netexec.spec b/netexec.spec
@@ -49,7 +49,7 @@ a = Analysis(
         'nxc.helpers.bloodhound',
         'nxc.helpers.even6_parser',
         'nxc.helpers.msada_guids',
-        'nxc.helpers.ntlm_parser',
+        'nxc.helpers.negotiate_parser',
         'paramiko',
         'pefile',
         'pypsrp.client',

diff --git a/nxc/connection.py b/nxc/connection.py
@@ -5,7 +5,7 @@
 import contextlib
 
 from os.path import isfile
-from threading import BoundedSemaphore
+from threading import BoundedSemaphore, Lock
 from functools import wraps
 from time import sleep
 from ipaddress import ip_address
@@ -23,8 +23,10 @@
 from nxc.helpers.pfx import pfx_auth
 
 from impacket.dcerpc.v5 import transport
+from impacket.krb5.ccache import CCache
 
 sem = BoundedSemaphore(1)
+fail_lock = Lock()
 global_failed_logins = 0
 user_failed_logins = {}
 
@@ -315,26 +317,28 @@ def call_modules(self):
     def inc_failed_login(self, username):
         global global_failed_logins, user_failed_logins
 
-        if username not in user_failed_logins:
-            user_failed_logins[username] = 0
+        with fail_lock:
+            if username not in user_failed_logins:
+                user_failed_logins[username] = 0
 
-        user_failed_logins[username] += 1
-        global_failed_logins += 1
-        self.failed_logins += 1
+            user_failed_logins[username] += 1
+            global_failed_logins += 1
+            self.failed_logins += 1
 
     def over_fail_limit(self, username):
         global global_failed_logins, user_failed_logins
 
-        if global_failed_logins == self.args.gfail_limit:
-            return True
+        with fail_lock:
+            if global_failed_logins == self.args.gfail_limit:
+                return True
 
-        if self.failed_logins == self.args.fail_limit:
-            return True
+            if self.failed_logins == self.args.fail_limit:
+                return True
 
-        if username in user_failed_logins and self.args.ufail_limit == user_failed_logins[username]:  # noqa: SIM103
-            return True
+            if username in user_failed_logins and self.args.ufail_limit == user_failed_logins[username]:  # noqa: SIM103
+                return True
 
-        return False
+            return False
 
     def query_db_creds(self):
         """Queries the database for credentials to be used for authentication.
@@ -481,8 +485,6 @@ def try_credentials(self, domain, username, owned, secret, cred_type, data=None)
             - NTLM-hash (/kerberos)
             - AES-key
         """
-        if self.over_fail_limit(username):
-            return False
         if self.args.continue_on_success and owned:
             return False
 
@@ -498,6 +500,8 @@ def try_credentials(self, domain, username, owned, secret, cred_type, data=None)
             sleep(value)
 
         with sem:
+            if self.over_fail_limit(username):
+                return False
             if cred_type == "plaintext":
                 if self.kerberos:
                     self.logger.debug("Trying to authenticate using Kerberos")
@@ -553,7 +557,7 @@ def login(self):
         if self.args.use_kcache:
             self.logger.debug("Trying to authenticate using Kerberos cache")
             with sem:
-                username = self.args.username[0] if len(self.args.username) else ""
+                username = self.args.username[0] if len(self.args.username) else CCache.parseFile()[1]
                 password = self.args.password[0] if len(self.args.password) else ""
                 self.kerberos_login(self.domain, username, password, "", "", self.kdcHost, True)
                 self.logger.info("Successfully authenticated using Kerberos cache")

diff --git a/nxc/helpers/negotiate_parser.py b/nxc/helpers/negotiate_parser.py
@@ -0,0 +1,92 @@
+# Parsing helpers for auth negotiation: NTLM challenges and TDS ERROR/INFO on MSSQL LOGIN7.
+# Original NTLM parsing from: https://github.com/fortra/impacket/blob/master/examples/DumpNTLMInfo.py#L568
+
+import struct
+
+from impacket import ntlm
+from impacket.smb3 import WIN_VERSIONS
+from impacket.tds import TDS_ERROR_TOKEN, TDS_INFO_TOKEN, TDS_INFO_ERROR
+import contextlib
+
+
+def parse_challenge(challange):
+    target_info = {
+        "hostname": None,
+        "domain": None,
+        "os_version": None
+    }
+    challange = ntlm.NTLMAuthChallenge(challange)
+    av_pairs = ntlm.AV_PAIRS(challange["TargetInfoFields"][:challange["TargetInfoFields_len"]])
+    if av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] is not None:
+        with contextlib.suppress(Exception):
+            target_info["hostname"] = av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode("utf-16le")
+    if av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME] is not None:
+        with contextlib.suppress(Exception):
+            target_info["domain"] = av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME][1].decode("utf-16le")
+    if "Version" in challange.fields:
+        version = challange["Version"]
+        if len(version) >= 4:
+            major_version = version[0]
+            minor_version = version[1]
+            product_build = struct.unpack("<H", version[2:4])[0]
+            if product_build in WIN_VERSIONS:
+                target_info["os_version"] = f"{WIN_VERSIONS[product_build]} Build {product_build}"
+            else:
+                target_info["os_version"] = f"{major_version}.{minor_version} Build {product_build}"
+    return target_info
+
+
+def decode_tds_info_error_msgtext(data, offset):
+    """Extract MsgText from a TDS ERROR (0xAA) or INFO (0xAB) token at *offset*.
+
+    Official spec: [MS-TDS] Tabular Data Stream Protocol (Microsoft Learn).
+    Token layout per MS-TDS 2.2.7.9 (INFO) / 2.2.7.10 (ERROR):
+        TokenType   BYTE        0xAA | 0xAB
+        Length      USHORT LE   byte count of the remaining fields
+        Number      LONG LE     error / info number
+        State       BYTE
+        Class       BYTE        severity
+        MsgText     US_VARCHAR  (2-byte LE length prefix + UTF-16LE)
+        ...         (ServerName, ProcName, LineNumber follow but are unused here)
+
+    The minimum *Length* value for a valid token is 8: Number(4) + State(1) +
+    Class(1) + MsgText length prefix(2, may be zero-length string).
+
+    References (Microsoft Learn, MS-TDS):
+        INFO: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/284bb815-d083-4ed5-b33a-bdc2492e322b
+        ERROR: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/9805e9fa-1f8b-4cf8-8f78-8d2602228635
+        Data packet stream tokens: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/f79bb5b8-5919-439a-a696-48064b78b091
+    """
+    remaining = len(data) - offset
+    if remaining < 3 or data[offset] not in (TDS_ERROR_TOKEN, TDS_INFO_TOKEN):
+        return None
+
+    # Length (USHORT LE) after TokenType, see MS-TDS INFO/ERROR links in docstring
+    payload_len = int.from_bytes(data[offset + 1 : offset + 3], "little")
+
+    if payload_len < 8 or remaining < 3 + payload_len:
+        return None
+    try:
+        token = TDS_INFO_ERROR(data[offset:])
+        text = token["MsgText"].decode("utf-16le").strip()
+    except Exception:
+        return None
+    return text or None
+
+
+def login7_integrated_auth_error_message(packet_data, data_after_login_header):
+    """Scan raw LOGIN7 response buffers for the first ERROR/INFO message.
+
+    When a server does not support Integrated Windows Authentication it replies
+    to the LOGIN7 NTLMSSP negotiate with a TDS error token instead of an
+    NTLMSSP challenge.  This helper locates the first ERROR (0xAA) or INFO
+    (0xAB) token in either the full packet or the payload after the 3-byte
+    LOGIN7 response header and returns its MsgText.
+    """
+    token_markers = (TDS_ERROR_TOKEN, TDS_INFO_TOKEN)
+    for buf in filter(None, (packet_data, data_after_login_header)):
+        for offset in (i for i in range(len(buf)) if buf[i] in token_markers):
+            msg = decode_tds_info_error_msgtext(buf, offset)
+            if msg:
+                return msg
+    return None
diff --git a/nxc/helpers/ntlm_parser.py b/nxc/helpers/ntlm_parser.py
diff --git a/nxc/helpers/pfx.py b/nxc/helpers/pfx.py
@@ -495,6 +495,10 @@ def pfx_auth(self):
     req = ini.build_asreq(self.domain, username)
     self.logger.info("Requesting TGT")
 
+    if not self.kdcHost:
+        self.logger.fail(f"Could not resolve KDC host for domain {self.domain}. Use --kdcHost to specify the domain controller IP")
+        return False
+
     sock = KerberosClientSocket(KerberosTarget(self.kdcHost))
     try:
         res = sock.sendrecv(req)