Fix AttributeError on NetBIOSTimeout in kerberos_login

[azoxlpf]

Description

During Kerberos auth (including S4U2self/S4U2proxy), a NetBIOSTimeout was caught by except (SessionError, Exception). The handler called e.getErrorString(), which only exists on SessionError, causing :

AttributeError: 'NetBIOSTimeout' object has no attribute 'getErrorString'

Fix : Catch connection-related exceptions (ConnectionResetError, NetBIOSTimeout, NetBIOSError, OSError) in a dedicated block that logs them with self.logger.fail(f"Connection Error: {e}").

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Screenshots (if appropriate):

Before :

After :

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• New and existing e2e tests pass locally with my changes
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Thanks for the bug fix PR! Any reason why you moved the OSError to the section that does not display the secret? If there is none I think we should keep the error structure similar to before.

[azoxlpf]

Thanks for the bug fix PR! Any reason why you moved the OSError to the section that does not display the secret? If there is none I think we should keep the error structure similar to before.

Thanks for the bug fix PR! Any reason why you moved the OSError to the section that does not display the secret? If there is none I think we should keep the error structure similar to before.

Thanks for the bug fix PR! Any reason why you moved the OSError to the section that does not display the secret? If there is none I think we should keep the error structure similar to before.

I hesitated about whether to keep OSError in the old block. In the end I moved it into the connection-error block because OSError usually indicates a connection/network failure (e.g. connection refused, timeout), not an auth result, the secret wasn’t really “used” in an auth attempt, so logging it doesn’t help imo. If you think it’s useful to keep the previous structure, I'll add it back.

[NeffIsBack]

Okay, yeah I think we should keep the old logging structure because there are a lot of places in nxc where things can fail and I think it helps to immediately being able to identify that this happened on the authentication call. So that you know that it was the authentication attempt that resulted in that error (usually an explicit reaction to the auth event and not really random).

[azoxlpf]

Okay, yeah I think we should keep the old logging structure because there are a lot of places in nxc where things can fail and I think it helps to immediately being able to identify that this happened on the authentication call. So that you know that it was the authentication attempt that resulted in that error (usually an explicit reaction to the auth event and not really random).

Done !

[NeffIsBack]

Following up on my previous comment, k think we should also display the auth when dealing with connection errors so it is immediately clear that the error originated from the authentication try. Something like "{auth_creds} {error}".

Maybe even combining it with impackets SessionError by doing something like if hasattr(e, getErrorString): desc=e.string; else: desc=""

[azoxlpf]

Oh, my bad I had misunderstood your feedback. I think It should be good now