net.py can't create a new user when utilizing it through a session from ntlmrelayx #1679

Open · enj5oy opened this issue Jan 10, 2024 · 5 comments
Labels: in review (This issue or pull request is being analyzed)

enj5oy commented Jan 10, 2024

Configuration

impacket version: v0.12.0.dev1+20230817.32422.a769683f
Python version: 3.10
Target OS: Windows Server 2016
[screenshot: 2024-01-10_21-26]

After this command the user is created with hash 31d6cfe0d16ae931b73c59d7e0c089c0 and the user is disabled.

NtAlexio2 (Contributor) commented:

Please paste the debug output as explained in the issue template.

enj5oy (Author) commented Jan 13, 2024

@NtAlexio2
[screenshot: issue]

NtAlexio2 (Contributor) commented:

Unfortunately I couldn't simulate your situation, but the bug is about session_key (line 2973 in samr.py). By default this key is set while authenticating. I'm not sure how you got the session from ntlmrelayx; could you explain more about your session? I just tested with -k in combination with getTGT.py and it worked without any problem:

┌──(kali㉿kali)-[~/Downloads/impacket-master]
└─$ proxychains python examples/net.py -dc-ip 192.168.8.1 -k -no-pass contoso.local/administrator@victimhost.contoso.local user -create newAdmin -newPasswd Passw0rd
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  192.168.8.12:1080  ...  contoso.local:445   ...  OK
[proxychains] Strict chain  ...  192.168.8.12:1080  ...  192.168.8.1:88      ...  OK
[*] Creating user account 'newAdmin'
[+] user account created succesfully: newAdmin:Passw0rd

enj5oy (Author) commented Jan 16, 2024

@NtAlexio2 I start ntlmrelayx:
[screenshot: 2024-01-16_07-32]
Then I coerce authentication from a domain admin to the attacker host:
[screenshot: 2024-01-16_07-29]
Then I run net.py through proxychains.

@anadrianmanrique added the "in review" (This issue or pull request is being analyzed) label on Feb 15, 2024

gabrielg5 (Collaborator) commented:

Hey,

I was able to replay the issue in my environment. Haven't made much progress yet finding a solution, but writing down what I've been checking.

Test 1
Trying user account creation with net.py both "using Kerberos authentication" and "directly passing credentials as a command parameter". Both worked fine: the user is created OK and no exceptions are shown.

Test 2
Triggered ntlmrelayx with -socks. Coerced a connection to the relay from a workstation.
Launched net.py with proxychains to create a user. Boom!

The error is in session_key, as stated by @NtAlexio2 in a previous comment. When creating a user, that property is used (and needs to not be empty, as it's being manipulated - split - in the process).

When launching net.py with a relayed connection, session_key is empty.
When launching net.py with other auth methods, it is not empty. This is why Test 1 works fine.

Checked other examples and they are performing the same as net.py:
session_key is empty when relayed and non-empty when not relayed. But they are not doing anything with it; that's why those examples do not fail.

Still have not found why it's not the same, or whether that property is being manipulated in any of those scenarios and causing this misbehavior.
