NetExec/nxc/modules/IOXIDResolver.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Credit to https://airbus-cyber-security.com/fr/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/
# Airbus CERT
# module by @mpgn_x64

from ipaddress import ip_address
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
from impacket.dcerpc.v5.dcomrt import IObjectExporter


class NXCModule:
    name = "ioxidresolver"
    description = "This module helps you to identify hosts that have additional active interfaces"
    supported_protocols = ["smb", "wmi"]
    opsec_safe = True
    multiple_hosts = False

    def options(self, context, module_options):
        """ """

    def on_login(self, context, connection):
        authLevel = RPC_C_AUTHN_LEVEL_NONE

        stringBinding = r"ncacn_ip_tcp:%s" % connection.host
        rpctransport = transport.DCERPCTransportFactory(stringBinding)

        portmap = rpctransport.get_dce_rpc()
        portmap.set_auth_level(authLevel)
        portmap.connect()

        objExporter = IObjectExporter(portmap)
        bindings = objExporter.ServerAlive2()

        context.log.debug("[*] Retrieving network interface of " + connection.host)

        # NetworkAddr = bindings[0]['aNetworkAddr']
        for binding in bindings:
            NetworkAddr = binding["aNetworkAddr"]
            try:
                ip_address(NetworkAddr[:-1])
                context.log.highlight("Address: " + NetworkAddr)
            except Exception as e:
                context.log.debug(e)