Packet sniffing error detected - System.ArgumentException

[Acebond]

Hello,
I'm running the latest version on Windows 7 x64, and am getting this error:

Running with
.\Inveigh.exe -HTTPPorts 10080 -mdns y -nbns y

[*] Press ESC to enter/exit interactive console
[+] [15:19:02] LLMNR(A) request [REDACTED] from 10.7.27.18 [response sent]
[+] [15:19:02] LLMNR(A) request [REDACTED] from 10.7.27.18 [response sent]
[-] [15:19:02] LLMNR(AAAA) request [REDACTED] from 10.7.27.18 [type ignored]
[-] [15:19:02] LLMNR(AAAA) request [REDACTED] from 10.7.27.18 [type ignored]
[.] [15:19:02] TCP(445) SYN packet from 10.7.27.18:65371
[.] [15:19:02] SMB1(445) negotiation request detected from 10.7.27.18:65371
[.] [15:19:02] SMB2+(445) negotiation request detected from 10.7.27.18:65371
[+] [15:19:02] SMB(445) NTLM challenge [ADC486A5AB9FF8CC] sent to 10.7.27.18:65371
[-] [15:19:02] Packet sniffing error detected - System.ArgumentException: Offset and length were out of bounds for the a
rray or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Quiddity.Support.ASN1.GetTagBytes(Byte[] data, Int32& index, Int32 length, Byte tag, Byte& tagDecoded)
   at Quiddity.Support.ASN1.GetTagBytes(Int32 tag, Byte[] data)
   at Quiddity.NTLM.NTLMResponse.Decode(Byte[] data)
   at Quiddity.NTLM.NTLMResponse..ctor(Byte[] data)
   at Inveigh.Sniffer.ProcessSMB(Byte[] data, String clientIP, String listenerIP, String clientPort, String listenerPort
)
   at Inveigh.Sniffer.Start(String protocol, String snifferIP, Boolean isIPV6)
[-] [15:19:02] Packet sniffing error detected - System.IO.EndOfStreamException: Unable to read beyond the end of the str
eam.
   at System.IO.__Error.EndOfFile()
   at System.IO.BinaryReader.FillBuffer(Int32 numBytes)
   at System.IO.BinaryReader.ReadUInt16()
   at Quiddity.NTLM.NTLMHelper.ReadBytes(Byte[] data, Int32 offset)
   at Inveigh.Sniffer.ProcessSMB(Byte[] data, String clientIP, String listenerIP, String clientPort, String listenerPort
)
   at Inveigh.Sniffer.Start(String protocol, String snifferIP, Boolean isIPV6)
[.] [15:19:02] SMB1(445) negotiation request detected from 10.7.27.18:65372
[.] [15:19:02] SMB2+(445) negotiation request detected from 10.7.27.18:65372
[+] [15:19:02] SMB(445) NTLM challenge [B0D50469185CF3D0] sent to 10.70.151.129:65372
[-] [15:19:02] Packet sniffing error detected - System.ArgumentException: Offset and length were out of bounds for the a
rray or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Quiddity.Support.ASN1.GetTagBytes(Byte[] data, Int32& index, Int32 length, Byte tag, Byte& tagDecoded)
   at Quiddity.Support.ASN1.GetTagBytes(Byte[] data, Int32& index, Int32 length, Byte tag, Byte& tagDecoded)
   at Quiddity.Support.ASN1.GetTagBytes(Int32 tag, Byte[] data)
   at Quiddity.NTLM.NTLMResponse.Decode(Byte[] data)
   at Quiddity.NTLM.NTLMResponse..ctor(Byte[] data)
   at Inveigh.Sniffer.ProcessSMB(Byte[] data, String clientIP, String listenerIP, String clientPort, String listenerPort
)
   at Inveigh.Sniffer.Start(String protocol, String snifferIP, Boolean isIPV6)
[+] [15:19:03] NBNS(00) request [80-01662PL] from 10.7.27.18 [response sent]
[+] [15:19:03] NBNS(00) request [80-01662PL] from 10.7.27.18 [response sent]
[-] [15:19:03] Packet sniffing error detected - System.IO.EndOfStreamException: Unable to read beyond the end of the str
eam.
   at System.IO.__Error.EndOfFile()
   at System.IO.BinaryReader.FillBuffer(Int32 numBytes)
   at System.IO.BinaryReader.ReadUInt16()
   at Quiddity.NTLM.NTLMHelper.ReadBytes(Byte[] data, Int32 offset)
   at Inveigh.Sniffer.ProcessSMB(Byte[] data, String clientIP, String listenerIP, String clientPort, String listenerPort
)
   at Inveigh.Sniffer.Start(String protocol, String snifferIP, Boolean isIPV6)
[+] [15:19:03] NBNS(00) request [80-01662PL] from 10.7.27.18 [response sent]
[+] [15:19:03] NBNS(00) request [80-01662PL] from 10.7.27.18 [response sent]
PS C:\Users\pentest>

If there is additional information you want let me know.

[Kevin-Robertson]

Thanks! I have not tested through Windows 7 at all. I'll test it if I get an opportunity. It looks like something is going on with the ASN.1 code, which is still pretty crude.

[Altominded]

Any updates on this? I am having the same issue

[init5-SF]

Having the exact same issue here, Windows Server 2022

[Kevin-Robertson]

I just posted some NTLM parsing changes. I'm not sure if it will help with the issues here. The problem I observed was with non-windows SMB clients.