From 2a5c01d6b6f151c845ff7900254b3626a4bfa794 Mon Sep 17 00:00:00 2001
From: Marshall Hallenbeck <Marshall.Hallenbeck@gmail.com>
Date: Fri, 22 Sep 2023 09:56:04 -0400
Subject: [PATCH] do some cleanup for hash_spider for #38

---
 nxc/modules/hash_spider.py | 47 ++++++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/nxc/modules/hash_spider.py b/nxc/modules/hash_spider.py
index 960b8687..59597b53 100644
--- a/nxc/modules/hash_spider.py
+++ b/nxc/modules/hash_spider.py
@@ -12,7 +12,6 @@ from lsassy.session import Session
 from lsassy.impacketfile import ImpacketFile
 
 credentials_data = []
-admin_results = []
 found_users = []
 reported_da = []
 
@@ -37,15 +36,15 @@ def neo4j_conn(context, connection, driver):
 
 
 def neo4j_local_admins(context, driver):
-    global admin_results
     try:
         session = driver.session()
         admins = session.run("MATCH (c:Computer) OPTIONAL MATCH (u1:User)-[:AdminTo]->(c) OPTIONAL MATCH (u2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c) WITH COLLECT(u1) + COLLECT(u2) AS TempVar,c UNWIND TempVar AS Admins RETURN c.name AS COMPUTER, COUNT(DISTINCT(Admins)) AS ADMIN_COUNT,COLLECT(DISTINCT(Admins.name)) AS USERS ORDER BY ADMIN_COUNT DESC")  # This query pulls all PCs and their local admins from Bloodhound. Based on: https://github.com/xenoscr/Useful-BloodHound-Queries/blob/master/List-Queries.md and other similar posts
-        context.log.success("Admins and PCs obtained.")
-    except Exception:
-        context.log.fail("Could not pull admins")
-        exit()
-    admin_results = [record for record in admins.data()]
+        context.log.success("Admins and PCs obtained")
+    except Exception as e:
+        context.log.fail(f"Could not pull admins: {e}")
+        return None
+    results = [record for record in admins.data()]
+    return results
 
 
 def create_db(local_admins, dbconnection, cursor):
@@ -69,7 +68,7 @@ def create_db(local_admins, dbconnection, cursor):
             if user not in admin_users:
                 admin_users.append(user)
     for user in admin_users:
-        cursor.execute("""INSERT OR IGNORE INTO admin_users(username) VALUES(?)""", [user])
+        cursor.execute("INSERT OR IGNORE INTO admin_users(username) VALUES(?)", [user])
     dbconnection.commit()
 
 
@@ -113,7 +112,7 @@ def process_creds(context, connection, credentials_data, dbconnection, cursor, d
                 if path:
                     for key, value in path.items():
                         for item in value:
-                            if type(item) == dict:
+                            if isinstance(item, dict):
                                 if {item["name"]} not in reported_da:
                                     context.log.success(f"You have a valid path to DA as {item['name']}.")
                                     reported_da.append({item["name"]})
@@ -147,6 +146,7 @@ class NXCModule:
         self.reset = None
         self.reset_dumped = None
         self.method = None
+
     @staticmethod
     def save_credentials(context, connection, domain, username, password, lmhash, nthash):
         host_id = context.db.get_computers(connection.host)[0][0]
@@ -156,6 +156,7 @@ class NXCModule:
             credential_type = 'hash'
             password = ':'.join(h for h in [lmhash, nthash] if h is not None)
         context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)
+
     def options(self, context, module_options):
         """
         METHOD              Method to use to dump lsass.exe with lsassy
@@ -220,17 +221,23 @@ class NXCModule:
                 cred["lmhash"],
                 cred["nthash"],
             ] not in credentials_unique:
-                credentials_unique.append(
-                    [
-                        cred["domain"],
-                        cred["username"],
-                        cred["password"],
-                        cred["lmhash"],
-                        cred["nthash"],
-                    ]
-                )
+                credentials_unique.append([
+                    cred["domain"],
+                    cred["username"],
+                    cred["password"],
+                    cred["lmhash"],
+                    cred["nthash"],
+                ])
                 credentials_output.append(cred)
-                self.save_credentials(context, connection, cred["domain"], cred["username"], cred["password"], cred["lmhash"], cred["nthash"])
+                self.save_credentials(
+                    context,
+                    connection,
+                    cred["domain"],
+                    cred["username"],
+                    cred["password"],
+                    cred["lmhash"],
+                    cred["nthash"]
+                )
         global credentials_data
         credentials_data = credentials_output
 
@@ -302,7 +309,7 @@ class NXCModule:
         neo4j_db = f"bolt://{neo4j_uri}:{neo4j_port}"
         driver = GraphDatabase.driver(neo4j_db, auth=basic_auth(neo4j_user, neo4j_pass), encrypted=False)
         neo4j_conn(context, connection, driver)
-        neo4j_local_admins(context, driver)
+        admin_results = neo4j_local_admins(context, driver)
         create_db(admin_results, dbconnection, cursor)
         initial_run(connection, cursor)
         context.log.display("Running lsassy")