WINRM with NTLM disabled fails
Describe the bug
When executing nxc winrm against a domain that has NTLM authentication disabled, NetExec throws an error.
To Reproduce
I encountered this error in the Vintage machine on HTB. As of writing it is still an active machine, so I do not want to put exact commands in this report. I'd be happy to share more privately / when the machine is retired.
nxc winrm --use-kcache -k -dc-host DC01.EXAMPLE.COM
nxc winrm --use-kcache -k DC01.EXAMPLE.COM
Both resulted in:
Exception: ("Unpacked data doesn't match constant value 'b')\\xea\\xdbz\\xba,'' should be ''NTLMSSP\\x00''", 'When unpacking field \' | "NTLMSSP\x00 | b\')\\xea\\xdbz\\xba,\'[:8]\'')
Expected behavior
A logon attempt should be made. In my example, these are valid credentials. They work great with:
nxc ldap --use-kcache -k -dc-host DC01.EXAMPLE.COM
nxc ldap --use-kcache -k DC01.EXAMPLE.COM
nxc smb --use-kcache -k DC01.EXAMPLE.COM
NetExec info
- OS: Debian 12
- Version of nxc: 1.3.0
- Installed from: pipx
Additional context
This appears to be an issue in Impacket, but it seems it was fixed with the addition of the -dc-host flag. As demonstrated above, the issue persists today regardless.
This is because winrm currently does not support Kerberos auth. Perhaps we integrate https://github.com/Pennyw0rth/NetExec/pull/103 some day, but preferably when we have a way to not require the krb5 apt package.
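To make the exception above easier to read, here is a small added example (not NetExec's or Impacket's own code) that reproduces the same "first 8 bytes must be NTLMSSP\0" check and labels what the server actually sent back; the classification rules and the sample tokens are constructed for the illustration.

```python
import struct

# An NTLMSSP message always starts with this 8-byte signature; the
# message type (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE) follows
# as a little-endian uint32 at offset 8.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def unpack_ntlm_header(token: bytes) -> int:
    """Mimic the constant check that produced the exception in the report.

    Returns the NTLM message type, or raises ValueError with a message
    shaped like the one nxc printed when the reply is not NTLMSSP.
    """
    if token[:8] != NTLMSSP_SIGNATURE:
        raise ValueError(
            f"Unpacked data doesn't match constant value {token[:8]!r} "
            f"should be {NTLMSSP_SIGNATURE!r}"
        )
    if len(token) < 12:
        raise ValueError("NTLMSSP header truncated, no message type")
    return struct.unpack_from("<I", token, 8)[0]


def classify_auth_token(token: bytes) -> str:
    """Label the leading bytes of an authentication blob (assumed rules).

    0x60 is the ASN.1 [APPLICATION 0] tag of a GSS-API InitialContextToken
    (SPNEGO or Kerberos), 0xA1 is a SPNEGO NegTokenResp, and 0x6E is a
    bare Kerberos AP-REQ ([APPLICATION 14]). Anything else is not NTLM.
    """
    if not token:
        return "empty"
    if token.startswith(NTLMSSP_SIGNATURE):
        return f"ntlmssp type {unpack_ntlm_header(token)}"
    first = token[0]
    if first == 0x60:
        return "gss-api initial context token (SPNEGO/Kerberos)"
    if first == 0xA1:
        return "spnego negTokenResp"
    if first == 0x6E:
        return "kerberos ap-req"
    return "unknown (not NTLMSSP)"


if __name__ == "__main__":
    # Constructed samples: a minimal NTLM CHALLENGE header and the bytes
    # quoted in the exception from the report.
    print(classify_auth_token(b"NTLMSSP\x00" + struct.pack("<I", 2)))
    print(classify_auth_token(b")\xea\xdbz\xba,"))
```

Running the script shows the first token as "ntlmssp type 2" and the reported bytes as "unknown (not NTLMSSP)", which is the situation the maintainer describes: the module drives an NTLM exchange, so any non-NTLM reply trips the signature check.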