swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

do some cleanup for hash_spider for #38

main
Marshall Hallenbeck 2023-09-22 09:56:04 -04:00
parent 76bf3be084
commit 2a5c01d6b6
1 changed files with 27 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
nxc/modules/hash_spider.py
View File

@ -12,7 +12,6 @@ from lsassy.session import Session
from lsassy.impacketfile import ImpacketFile
credentials_data = []
admin_results = []
found_users = []
reported_da = []
@ -37,15 +36,15 @@ def neo4j_conn(context, connection, driver):
def neo4j_local_admins(context, driver):
global admin_results
try:
session = driver.session()
admins = session.run("MATCH (c:Computer) OPTIONAL MATCH (u1:User)-[:AdminTo]->(c) OPTIONAL MATCH (u2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c) WITH COLLECT(u1) + COLLECT(u2) AS TempVar,c UNWIND TempVar AS Admins RETURN c.name AS COMPUTER, COUNT(DISTINCT(Admins)) AS ADMIN_COUNT,COLLECT(DISTINCT(Admins.name)) AS USERS ORDER BY ADMIN_COUNT DESC") # This query pulls all PCs and their local admins from Bloodhound. Based on: https://github.com/xenoscr/Useful-BloodHound-Queries/blob/master/List-Queries.md and other similar posts
context.log.success("Admins and PCs obtained.")
except Exception:
context.log.fail("Could not pull admins")
exit()
admin_results = [record for record in admins.data()]
context.log.success("Admins and PCs obtained")
except Exception as e:
context.log.fail(f"Could not pull admins: {e}")
return None
results = [record for record in admins.data()]
return results
def create_db(local_admins, dbconnection, cursor):
@ -69,7 +68,7 @@ def create_db(local_admins, dbconnection, cursor):
if user not in admin_users:
admin_users.append(user)
for user in admin_users:
cursor.execute("""INSERT OR IGNORE INTO admin_users(username) VALUES(?)""", [user])
cursor.execute("INSERT OR IGNORE INTO admin_users(username) VALUES(?)", [user])
dbconnection.commit()
@ -113,7 +112,7 @@ def process_creds(context, connection, credentials_data, dbconnection, cursor, d
if path:
for key, value in path.items():
for item in value:
if type(item) == dict:
if isinstance(item, dict):
if {item["name"]} not in reported_da:
context.log.success(f"You have a valid path to DA as {item['name']}.")
reported_da.append({item["name"]})
@ -147,6 +146,7 @@ class NXCModule:
self.reset = None
self.reset_dumped = None
self.method = None
@staticmethod
def save_credentials(context, connection, domain, username, password, lmhash, nthash):
host_id = context.db.get_computers(connection.host)[0][0]
@ -156,6 +156,7 @@ class NXCModule:
credential_type = 'hash'
password = ':'.join(h for h in [lmhash, nthash] if h is not None)
context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)
def options(self, context, module_options):
"""
METHOD Method to use to dump lsass.exe with lsassy
@ -220,17 +221,23 @@ class NXCModule:
cred["lmhash"],
cred["nthash"],
] not in credentials_unique:
credentials_unique.append(
[
cred["domain"],
cred["username"],
cred["password"],
cred["lmhash"],
cred["nthash"],
]
)
credentials_unique.append([
cred["domain"],
cred["username"],
cred["password"],
cred["lmhash"],
cred["nthash"],
])
credentials_output.append(cred)
self.save_credentials(context, connection, cred["domain"], cred["username"], cred["password"], cred["lmhash"], cred["nthash"])
self.save_credentials(
context,
connection,
cred["domain"],
cred["username"],
cred["password"],
cred["lmhash"],
cred["nthash"]
)
global credentials_data
credentials_data = credentials_output
@ -302,7 +309,7 @@ class NXCModule:
neo4j_db = f"bolt://{neo4j_uri}:{neo4j_port}"
driver = GraphDatabase.driver(neo4j_db, auth=basic_auth(neo4j_user, neo4j_pass), encrypted=False)
neo4j_conn(context, connection, driver)
neo4j_local_admins(context, driver)
admin_results = neo4j_local_admins(context, driver)
create_db(admin_results, dbconnection, cursor)
initial_run(connection, cursor)
context.log.display("Running lsassy")