Describe the bug
The subnets module fails with PyAsn1Error when used over Kerberos. It works as expected with NTLM authentication.
To Reproduce
Running module using NTLM authentication works:
nxc ldap s200401.overwatch.htb -u 'sqlsvc' -p 'TI0LKcfHzZw1Vv' -M subnets --debug
[12:13:21] DEBUG NXC VERSION: 1.5.0 - Yippie-Ki-Yay - f363124e - 67 netexec.py:82
DEBUG PYTHON VERSION: 3.13.11 (main, Dec 8 2025, 11:43:54) [GCC 15.2.0] netexec.py:83
DEBUG RUNNING ON: Linux Release: 6.18.5+kali-amd64 netexec.py:84
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, no_progress=False, log=None, verbose=False, debug=True, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, netexec.py:85
protocol='ldap', target=['s200401.overwatch.htb'], username=['sqlsvc'], password=['TI0LKcfHzZw1Vv'], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False, gfail_limit=None,
ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None, pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, module=['subnets'],
module_options=[], list_modules=None, show_module_options=False, hash=[], simple_bind=False, port=389, domain=None, asreproast=None, kerberoasting=None, kerberoast_account=None, no_preauth_targets=None,
base_dn=None, query=None, find_delegation=False, trusted_for_delegation=False, password_not_required=False, admin_count=False, users=None, users_export=None, groups=None, computers=False, dc_list=False,
get_sid=False, active_users=None, pso=False, pass_pol=False, gmsa=False, gmsa_convert_id=None, gmsa_decrypt_lsa=None, bloodhound=False, collection='Default')
DEBUG Protocol: ldap netexec.py:141
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/ldap.py netexec.py:144
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/ldap/database.py netexec.py:146
DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.ldap'>, type: <class 'type'> netexec.py:149
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:151
DEBUG DB Path: /home/kali/.nxc/workspaces/default/ldap.db netexec.py:154
[12:13:22] DEBUG Modules to be Loaded for sanity check: ['subnets'], <class 'list'> netexec.py:188
DEBUG Loading module for sanity check subnets at path /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/modules/subnets.py netexec.py:195
DEBUG Supported protocols: ['ldap'] moduleloader.py:67
DEBUG Protocol: ldap moduleloader.py:68
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.ldap'> netexec.py:48
INFO Socket info: host=10.129.4.168, hostname=s200401.overwatch.htb, kerberos=False, ipv6=False, link-local ipv6=False connection.py:174
DEBUG Kicking off proto_flow connection.py:238
INFO Connecting to ldap://10.129.4.168 with no baseDN ldap.py:178
DEBUG ldap_connection: <impacket.ldap.ldap.LDAPConnection object at 0x7fcb0d4b3cb0> ldap.py:182
DEBUG Created connection object connection.py:243
DEBUG Target: S200401.overwatch.htb; target_domain: overwatch.htb; base_dn: DC=overwatch,DC=htb ldap.py:290
[12:13:23] DEBUG LDAP signing is not enforced on 10.129.4.168 ldap.py:224
DEBUG Received SysCallError when trying to enumerate channel binding support: (104, 'ECONNRESET') ldap.py:258
INFO Resolved domain: overwatch.htb with dns, kdcHost: 10.129.4.168 ldap.py:336
DEBUG Update Hosts: [{'id': 9, 'ip': '10.129.4.168', 'hostname': 'S200401', 'domain': 'overwatch.htb', 'os': 'Windows Server 2022 Build 20348', 'signing_required': False, 'channel_binding': 'No TLS cert'}] database.py:95
DEBUG add_host() - Host IDs Updated: [9] database.py:105
DEBUG Printing host info for LDAP ldap.py:351
[12:13:23] INFO LDAP 10.129.4.168 389 S200401 Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb) (signing:None) (channel binding:No TLS cert) ldap.py:359
DEBUG Trying to authenticate using plaintext with domain connection.py:505
INFO Connecting to ldap://S200401.overwatch.htb - DC=overwatch,DC=htb - 10.129.4.168 [3] ldap.py:526
[12:13:24] DEBUG Search Filter=(userAccountControl:1.2.840.113556.1.4.803:=8192) ldap.py:735
DEBUG Search ldap.py:735
Filter=(|(objectSid=S-1-5-21-2797066498-1365161904-233915892-512)(objectSid=S-1-5-21-2797066498-1365161904-233915892-519)(objectSid=S-1-5-21-2797066498-1365161904-233915892-544)(objectSid=S-1-5-32-549)(obje
ctSid=S-1-5-32-551))
DEBUG Search Filter=(&(objectCategory=user)(sAMAccountName=sqlsvc)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Server Operators,CN=Builtin,DC=overwatch,DC=htb)(memberOf:1.2.840.113556.1.4.1941:=CN=Backup ldap.py:735
Operators,CN=Builtin,DC=overwatch,DC=htb)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=overwatch,DC=htb)(memberOf:1.2.840.113556.1.4.1941:=CN=Enterprise
Admins,CN=Users,DC=overwatch,DC=htb)(primaryGroupID=512)(primaryGroupID=519)(primaryGroupID=544)(primaryGroupID=549)(primaryGroupID=551)))
[12:13:25] DEBUG Adding credential: overwatch.htb/sqlsvc:TI0LKcfHzZw1Vv ldap.py:530
DEBUG Adding credentials: [{'id': 7, 'domain': 'overwatch.htb', 'username': 'sqlsvc', 'password': 'TI0LKcfHzZw1Vv', 'credtype': 'plaintext', 'pillaged_from_hostid': None}] database.py:158
[12:13:25] INFO LDAP 10.129.4.168 389 S200401 overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv ldap.py:534
INFO Loading modules for target: 10.129.4.168 connection.py:597
DEBUG Supported protocols: ['ldap'] moduleloader.py:67
DEBUG Protocol: ldap moduleloader.py:68
DEBUG Calling modules connection.py:257
DEBUG Loading module subnets - <NXCModule.NXCModule object at 0x7fcb0d370590> connection.py:292
DEBUG Loading context for module subnets - <NXCModule.NXCModule object at 0x7fcb0d370590> connection.py:302
DEBUG Module subnets has on_login method connection.py:307
[12:13:25] INFO SUBNETS 10.129.4.168 389 S200401 Getting the Sites and Subnets from domain subnets.py:44
[12:13:25] INFO SUBNETS 10.129.4.168 389 S200401 Site "Default-First-Site-Name" subnets.py:75
DEBUG Closing connection to: s200401.overwatch.htb
Running the module using Kerberos authentication results in a stack trace:
https://gist.github.com/seihtam/9c6fee5d2820388b84810bc94b4d4e55
The output was too big, so I created a gist. For some reason I can't run the command with --debug; it just hangs forever at "Getting the Sites and Subnets from domain".
Expected behavior
The module should work the same over NTLM and Kerberos authentication.
NetExec info
- OS: Kali
- Version of nxc: 1.5.0 - Yippie-Ki-Yay - f363124 - 67
- Installed from: pipx