rename folders, files, functions, classes, etc to NetExec/nxc
parent
2f0b74a492
commit
7886ac1612
|
@ -11,27 +11,27 @@ build
|
|||
bin
|
||||
dist
|
||||
*.egg-info
|
||||
cme/data/powersploit/Recon/Dictionaries
|
||||
cme/data/powersploit/Exfiltration/NTFSParser
|
||||
cme/data/powersploit/CodeExecution/Invoke-ReflectivePEInjection_Resources
|
||||
cme/data/powersploit/Exfiltration/LogonUser
|
||||
cme/data/powersploit/Tests
|
||||
cme/data/netripper/DLL
|
||||
cme/data/netripper/Metasploit
|
||||
cme/data/netripper/NetRipper
|
||||
cme/data/netripper/Win32
|
||||
cme/data/netripper/Release
|
||||
cme/data/netripper/minhook
|
||||
cme/data/netripper/x64
|
||||
cme/data/netripper/*.pdf
|
||||
cme/data/netripper/*.sln
|
||||
cme/data/invoke-vnc/winvnc
|
||||
cme/data/invoke-vnc/vncdll
|
||||
cme/data/invoke-vnc/pebytes.ps1
|
||||
cme/data/invoke-vnc/ReflectiveDLLInjection
|
||||
cme/data/invoke-vnc/*.py
|
||||
cme/data/invoke-vnc/*.bat
|
||||
cme/data/invoke-vnc/*.msbuild
|
||||
cme/data/invoke-vnc/*.sln
|
||||
cme/data/RID-Hijacking/modules
|
||||
cme/data/RID-Hijacking/slides
|
||||
nxc/data/powersploit/Recon/Dictionaries
|
||||
nxc/data/powersploit/Exfiltration/NTFSParser
|
||||
nxc/data/powersploit/CodeExecution/Invoke-ReflectivePEInjection_Resources
|
||||
nxc/data/powersploit/Exfiltration/LogonUser
|
||||
nxc/data/powersploit/Tests
|
||||
nxc/data/netripper/DLL
|
||||
nxc/data/netripper/Metasploit
|
||||
nxc/data/netripper/NetRipper
|
||||
nxc/data/netripper/Win32
|
||||
nxc/data/netripper/Release
|
||||
nxc/data/netripper/minhook
|
||||
nxc/data/netripper/x64
|
||||
nxc/data/netripper/*.pdf
|
||||
nxc/data/netripper/*.sln
|
||||
nxc/data/invoke-vnc/winvnc
|
||||
nxc/data/invoke-vnc/vncdll
|
||||
nxc/data/invoke-vnc/pebytes.ps1
|
||||
nxc/data/invoke-vnc/ReflectiveDLLInjection
|
||||
nxc/data/invoke-vnc/*.py
|
||||
nxc/data/invoke-vnc/*.bat
|
||||
nxc/data/invoke-vnc/*.msbuild
|
||||
nxc/data/invoke-vnc/*.sln
|
||||
nxc/data/RID-Hijacking/modules
|
||||
nxc/data/RID-Hijacking/slides
|
|
@ -12,10 +12,10 @@ A clear and concise description of what the bug is.
|
|||
|
||||
**To Reproduce**
|
||||
Steps to reproduce the behavior i.e.:
|
||||
Command: `crackmapexec smb -u username -p password`
|
||||
Command: `netexec smb -u username -p password`
|
||||
Resulted in:
|
||||
```
|
||||
crackmapexec smb 10.10.10.10 -u username -p password -x "whoami"
|
||||
netexec smb 10.10.10.10 -u username -p password -x "whoami"
|
||||
SMB 10.10.10.10 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain) (signing:True) (SMBv1:False)
|
||||
SMB 10.10.10.10 445 DC01 [+] domain\username:password
|
||||
Traceback (most recent call last):
|
||||
|
@ -30,7 +30,7 @@ If applicable, add screenshots to help explain your problem.
|
|||
|
||||
**Crackmapexec info**
|
||||
- OS: [e.g. Kali]
|
||||
- Version of CME [e.g. v5.0.2]
|
||||
- Version of nxc [e.g. v5.0.2]
|
||||
- Installed from: apt/github/pip/docker/...? Please try with latest release before openning an issue
|
||||
|
||||
**Additional context**
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
name: CrackMapExec Tests
|
||||
name: NetExec Tests
|
||||
|
||||
on:
|
||||
pull_request_review:
|
||||
|
@ -6,7 +6,7 @@ on:
|
|||
|
||||
jobs:
|
||||
build:
|
||||
name: CrackMapExec Tests for Py${{ matrix.python-version }}
|
||||
name: NetExec Tests for Py${{ matrix.python-version }}
|
||||
runs-on: ${{ matrix.os }}
|
||||
strategy:
|
||||
max-parallel: 4
|
||||
|
@ -15,7 +15,7 @@ jobs:
|
|||
python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: CrackMapExec tests on ${{ matrix.os }}
|
||||
- name: NetExec tests on ${{ matrix.os }}
|
||||
uses: actions/setup-python@v4
|
||||
with:
|
||||
python-version: ${{ matrix.python-version }}
|
|
@ -1,11 +1,11 @@
|
|||
name: CrackMapExec Build Binaries
|
||||
name: NetExec Build Binaries
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: CrackMapExec Tests on ${{ matrix.os }}
|
||||
name: NetExec Tests on ${{ matrix.os }}
|
||||
runs-on: ${{ matrix.os }}
|
||||
strategy:
|
||||
max-parallel: 4
|
||||
|
@ -14,7 +14,7 @@ jobs:
|
|||
python-version: ["3.8", "3.9", "3.10", "3.11"]
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: CrackMapExec tests on ${{ matrix.os }}
|
||||
- name: NetExec tests on ${{ matrix.os }}
|
||||
uses: actions/setup-python@v4
|
||||
with:
|
||||
python-version: ${{ matrix.python-version }}
|
||||
|
@ -22,13 +22,13 @@ jobs:
|
|||
run: |
|
||||
pip install shiv
|
||||
python build_collector.py
|
||||
- name: Upload cme binary
|
||||
- name: Upload nxc binary
|
||||
uses: actions/upload-artifact@master
|
||||
with:
|
||||
name: cme-${{ matrix.os }}-${{ matrix.python-version }}
|
||||
path: bin/cme
|
||||
- name: Upload cmedb binary
|
||||
name: nxc-${{ matrix.os }}-${{ matrix.python-version }}
|
||||
path: bin/nxc
|
||||
- name: Upload nxcdb binary
|
||||
uses: actions/upload-artifact@master
|
||||
with:
|
||||
name: cmedb-${{ matrix.os }}-${{ matrix.python-version }}
|
||||
path: bin/cmedb
|
||||
name: nxcdb-${{ matrix.os }}-${{ matrix.python-version }}
|
||||
path: bin/nxcdb
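Review bot: Both upload steps in this workflow reference `actions/upload-artifact@master`, a moving branch, while the other actions in the file use version tags (`actions/checkout@v3`, `actions/setup-python@v4`). Whatever is pushed to that branch runs in this job with the freshly built `bin/nxc` and `bin/nxcdb` in the workspace, so the published binaries depend on code that was never reviewed here. Pin both steps to a release tag or, better, a full commit SHA, for example `uses: actions/upload-artifact@<full-commit-sha>  # <release tag>`.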
|
|
@ -1,4 +1,4 @@
|
|||
data/cme.db
|
||||
data/nxc.db
|
||||
*.bak
|
||||
*.log
|
||||
.venv
|
||||
|
@ -36,7 +36,7 @@ var/
|
|||
# before PyInstaller builds the exe, so as to inject date/other infos into it.
|
||||
*.manifest
|
||||
*.spec
|
||||
!crackmapexec.spec
|
||||
!netexec.spec
|
||||
|
||||
# Installer logs
|
||||
pip-log.txt
|
||||
|
|
|
@ -4,7 +4,7 @@ ENV LANG=C.UTF-8
|
|||
ENV LC_ALL=C.UTF-8
|
||||
ENV PIP_NO_CACHE_DIR=off
|
||||
|
||||
WORKDIR /usr/src/crackmapexec
|
||||
WORKDIR /usr/src/netexec
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get install -y libffi-dev libxml2-dev libxslt-dev libssl-dev openssl autoconf g++ python3-dev curl git
|
||||
|
@ -19,4 +19,4 @@ RUN cargo --help
|
|||
COPY . .
|
||||
RUN pip install .
|
||||
|
||||
ENTRYPOINT [ "cme" ]
|
||||
ENTRYPOINT [ "nxc" ]
|
||||
|
|
2
Makefile
2
Makefile
|
@ -13,7 +13,7 @@ clean:
|
|||
find . -name '.pytest_cache' -exec rm -rf {} +
|
||||
|
||||
tests:
|
||||
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude cme/data/*
|
||||
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude nxc/data/*
|
||||
|
||||
requirements:
|
||||
poetry export --without-hashes -f requirements.txt -o requirements.txt
|
||||
|
|
|
@ -20,7 +20,6 @@ You are on the **latest up-to-date** repository of the project NetExec (nxc) !
|
|||
# Acknowledgments
|
||||
All the hard work and development over the years from everyone in the CrackMapExec project.
|
||||
|
||||
|
||||
# Documentation, Tutorials, Examples
|
||||
See the project's wiki (in development) for documentation and usage examples
|
||||
|
||||
|
|
|
@ -16,8 +16,8 @@ from shiv.builder import create_archive
|
|||
from shiv.cli import __version__ as VERSION
|
||||
|
||||
|
||||
def build_cme():
|
||||
print("building CME")
|
||||
def build_nxc():
|
||||
print("building nxc")
|
||||
try:
|
||||
shutil.rmtree("bin")
|
||||
shutil.rmtree("build")
|
||||
|
@ -28,7 +28,7 @@ def build_cme():
|
|||
print("remove useless files")
|
||||
os.mkdir("build")
|
||||
os.mkdir("bin")
|
||||
shutil.copytree("cme", "build/cme")
|
||||
shutil.copytree("nxc", "build/nxc")
|
||||
|
||||
except Exception as e:
|
||||
print(e)
|
||||
|
@ -53,7 +53,7 @@ def build_cme():
|
|||
|
||||
env = Environment(
|
||||
built_at=datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"),
|
||||
entry_point="cme.crackmapexec:main",
|
||||
entry_point="nxc.netexec:main",
|
||||
script=None,
|
||||
compile_pyc=False,
|
||||
extend_pythonpath=True,
|
||||
|
@ -61,7 +61,7 @@ def build_cme():
|
|||
)
|
||||
create_archive(
|
||||
[Path("build").absolute()],
|
||||
Path("bin/cme"),
|
||||
Path("bin/nxc"),
|
||||
"/usr/bin/env -S python -sE",
|
||||
"_bootstrap:bootstrap",
|
||||
env,
|
||||
|
@ -69,11 +69,11 @@ def build_cme():
|
|||
)
|
||||
|
||||
|
||||
def build_cmedb():
|
||||
print("building CMEDB")
|
||||
def build_nxcdb():
|
||||
print("building nxcDB")
|
||||
env = Environment(
|
||||
built_at=datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"),
|
||||
entry_point="cme.cmedb:main",
|
||||
entry_point="nxc.nxcdb:main",
|
||||
script=None,
|
||||
compile_pyc=False,
|
||||
extend_pythonpath=True,
|
||||
|
@ -81,7 +81,7 @@ def build_cmedb():
|
|||
)
|
||||
create_archive(
|
||||
[Path("build").absolute()],
|
||||
Path("bin/cmedb"),
|
||||
Path("bin/nxcdb"),
|
||||
"/usr/bin/env -S python -sE",
|
||||
"_bootstrap:bootstrap",
|
||||
env,
|
||||
|
@ -91,8 +91,8 @@ def build_cmedb():
|
|||
|
||||
if __name__ == "__main__":
|
||||
try:
|
||||
build_cme()
|
||||
build_cmedb()
|
||||
build_nxc()
|
||||
build_nxcdb()
|
||||
except:
|
||||
pass
|
||||
finally:
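Review bot: The bare `except:` followed by `pass` around `build_nxc()` and `build_nxcdb()` in the `__main__` block discards every build failure. The workflow's `python build_collector.py` step would therefore succeed even when `bin/nxc` was never written. Replace `pass` with `raise` (or catch `Exception`, print it and exit non-zero) so a broken build stops the job before the upload steps; the `finally:` clean-up still runs either way. The `finally:` body lies outside the hunk, so confirm it does not itself hide the error.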
|
||||
|
|
|
@ -1,48 +0,0 @@
|
|||
# coding=utf-8
|
||||
import os
|
||||
from os.path import join as path_join
|
||||
import configparser
|
||||
from cme.paths import CME_PATH, DATA_PATH
|
||||
from cme.first_run import first_run_setup
|
||||
from cme.logger import cme_logger
|
||||
from ast import literal_eval
|
||||
|
||||
cme_default_config = configparser.ConfigParser()
|
||||
cme_default_config.read(path_join(DATA_PATH, "cme.conf"))
|
||||
|
||||
cme_config = configparser.ConfigParser()
|
||||
cme_config.read(os.path.join(CME_PATH, "cme.conf"))
|
||||
|
||||
if "CME" not in cme_config.sections():
|
||||
first_run_setup()
|
||||
cme_config.read(os.path.join(CME_PATH, "cme.conf"))
|
||||
|
||||
# Check if there are any missing options in the config file
|
||||
for section in cme_default_config.sections():
|
||||
for option in cme_default_config.options(section):
|
||||
if not cme_config.has_option(section, option):
|
||||
cme_logger.display(f"Adding missing option '{option}' in config section '{section}' to cme.conf")
|
||||
cme_config.set(section, option, cme_default_config.get(section, option))
|
||||
|
||||
with open(path_join(CME_PATH, "cme.conf"), "w") as config_file:
|
||||
cme_config.write(config_file)
|
||||
|
||||
#!!! THESE OPTIONS HAVE TO EXIST IN THE DEFAULT CONFIG FILE !!!
|
||||
cme_workspace = cme_config.get("CME", "workspace", fallback="default")
|
||||
pwned_label = cme_config.get("CME", "pwn3d_label", fallback="Pwn3d!")
|
||||
audit_mode = cme_config.get("CME", "audit_mode", fallback=False)
|
||||
reveal_chars_of_pwd = int(cme_config.get("CME", "reveal_chars_of_pwd", fallback=0))
|
||||
config_log = cme_config.getboolean("CME", "log_mode", fallback=False)
|
||||
ignore_opsec = cme_config.getboolean("CME", "ignore_opsec", fallback=False)
|
||||
host_info_colors = literal_eval(cme_config.get("CME", "host_info_colors", fallback=["green", "red", "yellow", "cyan"]))
|
||||
|
||||
|
||||
if len(host_info_colors) != 4:
|
||||
cme_logger.error("Config option host_info_colors must have 4 values! Using default values.")
|
||||
host_info_colors = cme_default_config.get("CME", "host_info_colors")
|
||||
|
||||
|
||||
# this should probably be put somewhere else, but if it's in the config helpers, there is a circular import
|
||||
def process_secret(text):
|
||||
hidden = text[:reveal_chars_of_pwd]
|
||||
return text if not audit_mode else hidden+audit_mode * 8
|
|
@ -1,3 +0,0 @@
|
|||
from rich.console import Console
|
||||
|
||||
cme_console = Console(soft_wrap=True, tab_size=4)
|
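--- a/cme/paths.py
+++ b/cme/paths.py
@@ -1,15 +0,0 @@
-import os
-import sys
-import cme
-
-CME_PATH = os.path.expanduser("~/.cme")
-TMP_PATH = os.path.join("/tmp", "cme_hosted")
-if os.name == "nt":
-TMP_PATH = os.getenv("LOCALAPPDATA") + "\\Temp\\cme_hosted"
-if hasattr(sys, "getandroidapilevel"):
-TMP_PATH = os.path.join("/data", "data", "com.termux", "files", "usr", "tmp", "cme_hosted")
-WS_PATH = os.path.join(CME_PATH, "workspaces")
-CERT_PATH = os.path.join(CME_PATH, "cme.pem")
-CONFIG_PATH = os.path.join(CME_PATH, "cme.conf")
-WORKSPACE_DIR = os.path.join(CME_PATH, "workspaces")
-DATA_PATH = os.path.join(os.path.dirname(cme.__file__), "data")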
|
@ -12,7 +12,7 @@
|
|||
poetry2nix.overlay
|
||||
(final: prev: {
|
||||
# The application
|
||||
CrackMapExec = prev.poetry2nix.mkPoetryApplication {
|
||||
NetExec = prev.poetry2nix.mkPoetryApplication {
|
||||
projectDir = ./.;
|
||||
};
|
||||
})
|
||||
|
@ -26,11 +26,11 @@
|
|||
in
|
||||
{
|
||||
apps = {
|
||||
CrackMapExec = pkgs.CrackMapExec;
|
||||
NetExec = pkgs.NetExec;
|
||||
};
|
||||
|
||||
defaultApp = pkgs.CrackMapExec;
|
||||
defaultApp = pkgs.NetExec;
|
||||
|
||||
packages = { CrackMapExec = pkgs.CrackMapExec; };
|
||||
packages = { NetExec = pkgs.NetExec; };
|
||||
}));
|
||||
}
|
||||
|
|
|
@ -3,12 +3,12 @@
|
|||
block_cipher = None
|
||||
|
||||
|
||||
a = Analysis(['./cme/crackmapexec.py'],
|
||||
pathex=['./cme'],
|
||||
a = Analysis(['./nxc/netexec.py'],
|
||||
pathex=['./nxc'],
|
||||
binaries=[],
|
||||
datas=[('./cme/protocols', 'cme/protocols'),('./cme/data', 'cme/data'),('./cme/modules', 'cme/modules')],
|
||||
hiddenimports=['cme.protocols.mssql.mssqlexec', 'cme.connection', 'impacket.examples.secretsdump', 'impacket.dcerpc.v5.lsat', 'impacket.dcerpc.v5.transport', 'impacket.dcerpc.v5.lsad', 'cme.servers.smb', 'cme.protocols.smb.wmiexec', 'cme.protocols.smb.atexec', 'cme.protocols.smb.smbexec', 'cme.protocols.smb.mmcexec', 'cme.protocols.smb.smbspider', 'cme.protocols.smb.passpol', 'paramiko', 'pypsrp.client', 'pywerview.cli.helpers', 'impacket.tds', 'impacket.version', 'cme.helpers.bash', 'pylnk3', 'lsassy','win32timezone', 'impacket.tds', 'impacket.ldap.ldap', 'impacket.tds'],
|
||||
hookspath=['./cme/.hooks'],
|
||||
datas=[('./nxc/protocols', 'nxc/protocols'),('./nxc/data', 'nxc/data'),('./nxc/modules', 'nxc/modules')],
|
||||
hiddenimports=['nxc.protocols.mssql.mssqlexec', 'nxc.connection', 'impacket.examples.secretsdump', 'impacket.dcerpc.v5.lsat', 'impacket.dcerpc.v5.transport', 'impacket.dcerpc.v5.lsad', 'nxc.servers.smb', 'nxc.protocols.smb.wmiexec', 'nxc.protocols.smb.atexec', 'nxc.protocols.smb.smbexec', 'nxc.protocols.smb.mmcexec', 'nxc.protocols.smb.smbspider', 'nxc.protocols.smb.passpol', 'paramiko', 'pypsrp.client', 'pywerview.cli.helpers', 'impacket.tds', 'impacket.version', 'nxc.helpers.bash', 'pylnk3', 'lsassy','win32timezone', 'impacket.tds', 'impacket.ldap.ldap', 'impacket.tds'],
|
||||
hookspath=['./nxc/.hooks'],
|
||||
runtime_hooks=[],
|
||||
excludes=[],
|
||||
win_no_prefer_redirects=False,
|
||||
|
@ -23,7 +23,7 @@ exe = EXE(pyz,
|
|||
a.zipfiles,
|
||||
a.datas,
|
||||
[],
|
||||
name='crackmapexec',
|
||||
name='netexec',
|
||||
debug=False,
|
||||
bootloader_ignore_signals=False,
|
||||
strip=False,
|
||||
|
@ -31,4 +31,4 @@ exe = EXE(pyz,
|
|||
upx_exclude=[],
|
||||
runtime_tmpdir=None,
|
||||
console=True,
|
||||
icon='./cme/data/cme.ico' )
|
||||
icon='./nxc/data/nxc.ico' )
|
|
@ -4,29 +4,29 @@
|
|||
import argparse
|
||||
import sys
|
||||
from argparse import RawTextHelpFormatter
|
||||
from cme.loaders.protocolloader import ProtocolLoader
|
||||
from cme.helpers.logger import highlight
|
||||
from nxc.loaders.protocolloader import ProtocolLoader
|
||||
from nxc.helpers.logger import highlight
|
||||
from termcolor import colored
|
||||
from cme.logger import cme_logger
|
||||
from nxc.logger import nxc_logger
|
||||
import importlib.metadata
|
||||
|
||||
|
||||
def gen_cli_args():
|
||||
VERSION = importlib.metadata.version("crackmapexec")
|
||||
CODENAME = "John Wick"
|
||||
VERSION = importlib.metadata.version("netexec")
|
||||
CODENAME = "A New Beginning"
|
||||
|
||||
parser = argparse.ArgumentParser(description=f"""
|
||||
______ .______ ___ ______ __ ___ .___ ___. ___ .______ _______ ___ ___ _______ ______
|
||||
/ || _ \ / \ / || |/ / | \/ | / \ | _ \ | ____|\ \ / / | ____| / |
|
||||
| ,----'| |_) | / ^ \ | ,----'| ' / | \ / | / ^ \ | |_) | | |__ \ V / | |__ | ,----'
|
||||
| | | / / /_\ \ | | | < | |\/| | / /_\ \ | ___/ | __| > < | __| | |
|
||||
| `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----.
|
||||
\______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______|
|
||||
_ _ _ _____
|
||||
| \ | | ___ | |_ | ____| __ __ ___ ___
|
||||
| \| | / _ \ | __| | _| \ \/ / / _ \ / __|
|
||||
| |\ | | __/ | |_ | |___ > < | __/ | (__
|
||||
|_| \_| \___| \__| |_____| /_/\_\ \___| \___|
|
||||
|
||||
A swiss army knife for pentesting networks
|
||||
Forged by @byt3bl33d3r and @mpgn_x64 using the powah of dank memes.
|
||||
The network execution tool
|
||||
Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx
|
||||
|
||||
For documentation and usage examples, visit: https://www.netexec.wiki/
|
||||
|
||||
{highlight('Version', 'red')} : {highlight(VERSION)}
|
||||
{highlight('Codename', 'red')}: {highlight(CODENAME)}
|
||||
""",
|
||||
|
@ -59,7 +59,7 @@ def gen_cli_args():
|
|||
)
|
||||
parser.add_argument("--verbose", action="store_true", help="enable verbose output")
|
||||
parser.add_argument("--debug", action="store_true", help="enable debug level information")
|
||||
parser.add_argument("--version", action="store_true", help="Display CME version")
|
||||
parser.add_argument("--version", action="store_true", help="Display nxc version")
|
||||
|
||||
# we do module arg parsing here so we can reference the module_list attribute below
|
||||
module_parser = argparse.ArgumentParser(add_help=False)
|
||||
|
@ -189,7 +189,7 @@ def gen_cli_args():
|
|||
protocol_object = p_loader.load_protocol(protocols[protocol]["argspath"])
|
||||
subparsers = protocol_object.proto_args(subparsers, std_parser, module_parser)
|
||||
except:
|
||||
cme_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol}")
|
||||
nxc_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol}")
|
||||
|
||||
if len(sys.argv) == 1:
|
||||
parser.print_help()
|
|
@ -0,0 +1,48 @@
|
|||
# coding=utf-8
|
||||
import os
|
||||
from os.path import join as path_join
|
||||
import configparser
|
||||
from nxc.paths import nxc_PATH, DATA_PATH
|
||||
from nxc.first_run import first_run_setup
|
||||
from nxc.logger import nxc_logger
|
||||
from ast import literal_eval
|
||||
|
||||
nxc_default_config = configparser.ConfigParser()
|
||||
nxc_default_config.read(path_join(DATA_PATH, "nxc.conf"))
|
||||
|
||||
nxc_config = configparser.ConfigParser()
|
||||
nxc_config.read(os.path.join(nxc_PATH, "nxc.conf"))
|
||||
|
||||
if "nxc" not in nxc_config.sections():
|
||||
first_run_setup()
|
||||
nxc_config.read(os.path.join(nxc_PATH, "nxc.conf"))
|
||||
|
||||
# Check if there are any missing options in the config file
|
||||
for section in nxc_default_config.sections():
|
||||
for option in nxc_default_config.options(section):
|
||||
if not nxc_config.has_option(section, option):
|
||||
nxc_logger.display(f"Adding missing option '{option}' in config section '{section}' to nxc.conf")
|
||||
nxc_config.set(section, option, nxc_default_config.get(section, option))
|
||||
|
||||
with open(path_join(nxc_PATH, "nxc.conf"), "w") as config_file:
|
||||
nxc_config.write(config_file)
|
||||
|
||||
#!!! THESE OPTIONS HAVE TO EXIST IN THE DEFAULT CONFIG FILE !!!
|
||||
nxc_workspace = nxc_config.get("nxc", "workspace", fallback="default")
|
||||
pwned_label = nxc_config.get("nxc", "pwn3d_label", fallback="Pwn3d!")
|
||||
audit_mode = nxc_config.get("nxc", "audit_mode", fallback=False)
|
||||
reveal_chars_of_pwd = int(nxc_config.get("nxc", "reveal_chars_of_pwd", fallback=0))
|
||||
config_log = nxc_config.getboolean("nxc", "log_mode", fallback=False)
|
||||
ignore_opsec = nxc_config.getboolean("nxc", "ignore_opsec", fallback=False)
|
||||
host_info_colors = literal_eval(nxc_config.get("nxc", "host_info_colors", fallback=["green", "red", "yellow", "cyan"]))
|
||||
|
||||
|
||||
if len(host_info_colors) != 4:
|
||||
nxc_logger.error("Config option host_info_colors must have 4 values! Using default values.")
|
||||
host_info_colors = nxc_default_config.get("nxc", "host_info_colors")
|
||||
|
||||
|
||||
# this should probably be put somewhere else, but if it's in the config helpers, there is a circular import
|
||||
def process_secret(text):
|
||||
hidden = text[:reveal_chars_of_pwd]
|
||||
return text if not audit_mode else hidden+audit_mode * 8
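Review bot: When `host_info_colors` does not contain four entries, the recovery line assigns `nxc_default_config.get("nxc", "host_info_colors")`, which is the raw string from the default file rather than a parsed list, so any later indexing would return single characters instead of colour names. Parse it the same way as the user value: `host_info_colors = literal_eval(nxc_default_config.get("nxc", "host_info_colors"))`. The `fallback=["green", "red", "yellow", "cyan"]` argument a few lines earlier has the same type mismatch, because `literal_eval` raises `ValueError` when handed a list; make the fallback a string, `fallback='["green", "red", "yellow", "cyan"]'`. `process_secret` would also benefit from a docstring stating that it returns the secret unchanged unless `audit_mode` is set, in which case it keeps the first `reveal_chars_of_pwd` characters and appends the `audit_mode` value repeated eight times.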
|
|
@ -11,10 +11,10 @@ from functools import wraps
|
|||
from time import sleep
|
||||
from ipaddress import ip_address
|
||||
|
||||
from cme.config import pwned_label
|
||||
from cme.helpers.logger import highlight
|
||||
from cme.logger import cme_logger, CMEAdapter
|
||||
from cme.context import Context
|
||||
from nxc.config import pwned_label
|
||||
from nxc.helpers.logger import highlight
|
||||
from nxc.logger import nxc_logger, NXCAdapter
|
||||
from nxc.context import Context
|
||||
|
||||
from impacket.dcerpc.v5 import transport
|
||||
|
||||
|
@ -86,7 +86,7 @@ class connection(object):
|
|||
self.use_kcache = None if not self.args.use_kcache else self.args.use_kcache
|
||||
self.failed_logins = 0
|
||||
self.local_ip = None
|
||||
self.logger = cme_logger
|
||||
self.logger = nxc_logger
|
||||
|
||||
try:
|
||||
self.host = gethost_addrinfo(self.hostname)
|
||||
|
@ -174,7 +174,7 @@ class connection(object):
|
|||
def call_modules(self):
|
||||
for module in self.module:
|
||||
self.logger.debug(f"Loading module {module.name} - {module}")
|
||||
module_logger = CMEAdapter(
|
||||
module_logger = NXCAdapter(
|
||||
extra={
|
||||
"module_name": module.name.upper(),
|
||||
"host": self.host,
|
|
@ -0,0 +1,3 @@
|
|||
from rich.console import Console
|
||||
|
||||
nxc_console = Console(soft_wrap=True, tab_size=4)
|
|
@ -11,11 +11,11 @@ class Context:
|
|||
setattr(self, key, value)
|
||||
|
||||
self.db = db
|
||||
self.log_folder_path = os.path.join(os.path.expanduser("~/.cme"), "logs")
|
||||
self.log_folder_path = os.path.join(os.path.expanduser("~/.nxc"), "logs")
|
||||
self.localip = None
|
||||
|
||||
self.conf = configparser.ConfigParser()
|
||||
self.conf.read(os.path.expanduser("~/.cme/cme.conf"))
|
||||
self.conf.read(os.path.expanduser("~/.nxc/nxc.conf"))
|
||||
|
||||
self.log = logger
|
||||
# self.log.debug = logging.debug
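Review bot: `Context.__init__` hard-codes `~/.nxc` in both `self.log_folder_path` and `self.conf.read(...)` instead of using the constants that `nxc.paths` already exports, which is why this rename had to edit each literal by hand. The same literal is repeated in `write_log` (`logs_dir = os.path.join(os.path.expanduser("~/.nxc"), "logs")`) and in `ProtocolLoader.__init__` (`self.nxc_path = expanduser("~/.nxc")`). Importing the constants keeps every component pointed at the same directory: `self.log_folder_path = os.path.join(nxc_PATH, "logs")` and `self.conf.read(CONFIG_PATH)`. Confirm that importing `nxc.paths` from these modules does not introduce an import cycle.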
|
|
@ -1,4 +1,4 @@
|
|||
[CME]
|
||||
[nxc]
|
||||
workspace = default
|
||||
last_used_db = smb
|
||||
pwn3d_label = Pwn3d!
|
Before Width: | Height: | Size: 159 KiB After Width: | Height: | Size: 159 KiB |
|
@ -5,19 +5,19 @@ from os import mkdir
|
|||
from os.path import exists
|
||||
from os.path import join as path_join
|
||||
import shutil
|
||||
from cme.paths import CME_PATH, CONFIG_PATH, TMP_PATH, DATA_PATH
|
||||
from cme.cmedb import initialize_db
|
||||
from cme.logger import cme_logger
|
||||
from nxc.paths import nxc_PATH, CONFIG_PATH, TMP_PATH, DATA_PATH
|
||||
from nxc.nxcdb import initialize_db
|
||||
from nxc.logger import nxc_logger
|
||||
|
||||
|
||||
def first_run_setup(logger=cme_logger):
|
||||
def first_run_setup(logger=nxc_logger):
|
||||
if not exists(TMP_PATH):
|
||||
mkdir(TMP_PATH)
|
||||
|
||||
if not exists(CME_PATH):
|
||||
if not exists(nxc_PATH):
|
||||
logger.display("First time use detected")
|
||||
logger.display("Creating home directory structure")
|
||||
mkdir(CME_PATH)
|
||||
mkdir(nxc_PATH)
|
||||
|
||||
folders = (
|
||||
"logs",
|
||||
|
@ -28,16 +28,16 @@ def first_run_setup(logger=cme_logger):
|
|||
"screenshots",
|
||||
)
|
||||
for folder in folders:
|
||||
if not exists(path_join(CME_PATH, folder)):
|
||||
if not exists(path_join(nxc_PATH, folder)):
|
||||
logger.display(f"Creating missing folder {folder}")
|
||||
mkdir(path_join(CME_PATH, folder))
|
||||
mkdir(path_join(nxc_PATH, folder))
|
||||
|
||||
initialize_db(logger)
|
||||
|
||||
if not exists(CONFIG_PATH):
|
||||
logger.display("Copying default configuration file")
|
||||
default_path = path_join(DATA_PATH, "cme.conf")
|
||||
shutil.copy(default_path, CME_PATH)
|
||||
default_path = path_join(DATA_PATH, "nxc.conf")
|
||||
shutil.copy(default_path, nxc_PATH)
|
||||
|
||||
# if not exists(CERT_PATH):
|
||||
# logger.display('Generating SSL certificate')
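Review bot: `first_run_setup` creates `TMP_PATH`, `nxc_PATH` and the sub-folders with a bare `mkdir` after an `exists()` check, so they get umask-default permissions and an already existing `TMP_PATH` is accepted no matter who created it. If `TMP_PATH` still resolves under the shared `/tmp` as it did in the removed `cme/paths.py` (the new `nxc/paths.py` is not visible here), another local user can create that directory first. `nxc_PATH` presumably also holds the logs, the configuration and the workspace database. Create these with an explicit mode, e.g. `mkdir(nxc_PATH, mode=0o700)`, and check the owner of the temp directory when it already exists. The function body starts and ends outside the hunks shown.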
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
import os
|
||||
from cme.paths import DATA_PATH
|
||||
from nxc.paths import DATA_PATH
|
||||
|
||||
|
||||
def get_script(path):
|
|
@ -6,7 +6,7 @@ from termcolor import colored
|
|||
|
||||
|
||||
def write_log(data, log_name):
|
||||
logs_dir = os.path.join(os.path.expanduser("~/.cme"), "logs")
|
||||
logs_dir = os.path.join(os.path.expanduser("~/.nxc"), "logs")
|
||||
with open(os.path.join(logs_dir, log_name), "w") as log_output:
|
||||
log_output.write(data)
|
||||
|
|
@ -21,7 +21,7 @@ References:
|
|||
- https://www.powershellgallery.com/packages/SDDLParser/0.5.0/Content/SDDLParserADObjects.ps1
|
||||
|
||||
|
||||
This library is, for the moment, not present in the Impacket version used by CrackMapExec, so I add it manually in helpers.
|
||||
This library is, for the moment, not present in the Impacket version used by NetExec, so I add it manually in helpers.
|
||||
"""
|
||||
|
||||
SCHEMA_OBJECTS = {
|
|
@ -6,9 +6,9 @@ from sys import exit
|
|||
from string import ascii_lowercase
|
||||
from random import choice, sample
|
||||
from subprocess import call
|
||||
from cme.helpers.misc import which
|
||||
from cme.logger import cme_logger
|
||||
from cme.paths import CME_PATH, DATA_PATH
|
||||
from nxc.helpers.misc import which
|
||||
from nxc.logger import nxc_logger
|
||||
from nxc.paths import nxc_PATH, DATA_PATH
|
||||
from base64 import b64encode
|
||||
|
||||
obfuscate_ps_scripts = False
|
||||
|
@ -30,24 +30,24 @@ def is_powershell_installed():
|
|||
|
||||
def obfs_ps_script(path_to_script):
|
||||
ps_script = path_to_script.split("/")[-1]
|
||||
obfs_script_dir = os.path.join(CME_PATH, "obfuscated_scripts")
|
||||
obfs_script_dir = os.path.join(nxc_PATH, "obfuscated_scripts")
|
||||
obfs_ps_script = os.path.join(obfs_script_dir, ps_script)
|
||||
|
||||
if is_powershell_installed() and obfuscate_ps_scripts:
|
||||
if os.path.exists(obfs_ps_script):
|
||||
cme_logger.display("Using cached obfuscated Powershell script")
|
||||
nxc_logger.display("Using cached obfuscated Powershell script")
|
||||
with open(obfs_ps_script, "r") as script:
|
||||
return script.read()
|
||||
|
||||
cme_logger.display("Performing one-time script obfuscation, go look at some memes cause this can take a bit...")
|
||||
nxc_logger.display("Performing one-time script obfuscation, go look at some memes cause this can take a bit...")
|
||||
|
||||
invoke_obfs_command = f"powershell -C 'Import-Module {get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1')};Invoke-Obfuscation -ScriptPath {get_ps_script(path_to_script)} -Command \"TOKEN,ALL,1,OUT {obfs_ps_script}\" -Quiet'"
|
||||
cme_logger.debug(invoke_obfs_command)
|
||||
nxc_logger.debug(invoke_obfs_command)
|
||||
|
||||
with open(os.devnull, "w") as devnull:
|
||||
return_code = call(invoke_obfs_command, stdout=devnull, stderr=devnull, shell=True)
|
||||
|
||||
cme_logger.success("Script obfuscated successfully")
|
||||
nxc_logger.success("Script obfuscated successfully")
|
||||
|
||||
with open(obfs_ps_script, "r") as script:
|
||||
return script.read()
|
||||
|
@ -108,7 +108,7 @@ else
|
|||
else:
|
||||
command = amsi_bypass + ps_command
|
||||
|
||||
cme_logger.debug("Generated PS command:\n {}\n".format(command))
|
||||
nxc_logger.debug("Generated PS command:\n {}\n".format(command))
|
||||
|
||||
# We could obfuscate the initial launcher using Invoke-Obfuscation but because this function gets executed
|
||||
# concurrently it would spawn a local powershell process per host which isn't ideal, until I figure out a good way
|
||||
|
@ -118,7 +118,7 @@ else
|
|||
"""
|
||||
if is_powershell_installed():
|
||||
|
||||
temp = tempfile.NamedTemporaryFile(prefix='cme_',
|
||||
temp = tempfile.NamedTemporaryFile(prefix='nxc_',
|
||||
suffix='.ps1',
|
||||
dir='/tmp')
|
||||
temp.write(command)
|
||||
|
@ -130,11 +130,11 @@ else
|
|||
invoke_obfs_command = 'powershell -C \'Import-Module {};Invoke-Obfuscation -ScriptPath {} -Command "ENCODING,{}" -Quiet\''.format(get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1'),
|
||||
temp.name,
|
||||
encoding)
|
||||
cme_logger.debug(invoke_obfs_command)
|
||||
nxc_logger.debug(invoke_obfs_command)
|
||||
out = check_output(invoke_obfs_command, shell=True).split('\n')[4].strip()
|
||||
|
||||
command = 'powershell.exe -exec bypass -noni -nop -w 1 -C "{}"'.format(out)
|
||||
cme_logger.debug('Command length: {}'.format(len(command)))
|
||||
nxc_logger.debug('Command length: {}'.format(len(command)))
|
||||
|
||||
if len(command) <= 8192:
|
||||
temp.close()
|
||||
|
@ -152,14 +152,14 @@ else
|
|||
break
|
||||
|
||||
if obfs_attempts == 4:
|
||||
cme_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
|
||||
nxc_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
|
||||
exit(1)
|
||||
|
||||
obfs_attempts += 1
|
||||
else:
|
||||
command = f"powershell.exe -noni -nop -w 1 -enc {encode_ps_command(command)}"
|
||||
if len(command) > 8191:
|
||||
cme_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
|
||||
nxc_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
|
||||
exit(1)
|
||||
|
||||
return command
|
||||
|
@ -253,7 +253,7 @@ $request.GetResponse()""".format(
|
|||
command=command,
|
||||
)
|
||||
|
||||
cme_logger.debug(f"Generated PS IEX Launcher:\n {launcher}\n")
|
||||
nxc_logger.debug(f"Generated PS IEX Launcher:\n {launcher}\n")
|
||||
|
||||
return launcher.strip()
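Review bot: `obfs_ps_script` builds `invoke_obfs_command` by interpolating `path_to_script` and the `nxc_PATH`-derived output path into a single-quoted string and runs it with `call(..., shell=True)`, so a home directory or script name containing a quote or a space changes what the local shell executes. Passing an argument list without a shell removes that quoting layer: `call(["powershell", "-C", ps_command], stdout=devnull, stderr=devnull)`, where `ps_command` is the text currently between the single quotes. `return_code` is also never checked: "Script obfuscated successfully" is logged and the output file is opened even when the call failed, so add `if return_code != 0:` with an error log before the file is read. The same string-built `shell=True` pattern appears in the later hunk at `check_output(invoke_obfs_command, shell=True)`.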
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
import cme
|
||||
import nxc
|
||||
import importlib
|
||||
import traceback
|
||||
import sys
|
||||
|
@ -10,9 +10,9 @@ from os import listdir
|
|||
from os.path import dirname
|
||||
from os.path import join as path_join
|
||||
|
||||
from cme.context import Context
|
||||
from cme.logger import CMEAdapter
|
||||
from cme.paths import CME_PATH
|
||||
from nxc.context import Context
|
||||
from nxc.logger import NXCAdapter
|
||||
from nxc.paths import nxc_PATH
|
||||
|
||||
|
||||
class ModuleLoader:
|
||||
|
@ -60,8 +60,8 @@ class ModuleLoader:
|
|||
Load a module, initializing it and checking that it has the proper attributes
|
||||
"""
|
||||
try:
|
||||
spec = importlib.util.spec_from_file_location("CMEModule", module_path)
|
||||
module = spec.loader.load_module().CMEModule()
|
||||
spec = importlib.util.spec_from_file_location("nxcModule", module_path)
|
||||
module = spec.loader.load_module().nxcModule()
|
||||
|
||||
if self.module_is_sane(module, module_path):
|
||||
return module
|
||||
|
@ -82,9 +82,9 @@ class ModuleLoader:
|
|||
self.logger.debug(f"Protocol: {self.args.protocol}")
|
||||
if self.args.protocol in module.supported_protocols:
|
||||
try:
|
||||
module_logger = CMEAdapter(extra={"module_name": module.name.upper()})
|
||||
module_logger = NXCAdapter(extra={"module_name": module.name.upper()})
|
||||
except Exception as e:
|
||||
self.logger.fail(f"Error loading CMEAdaptor for module {module.name.upper()}: {e}")
|
||||
self.logger.fail(f"Error loading nxcAdaptor for module {module.name.upper()}: {e}")
|
||||
context = Context(self.db, module_logger, self.args)
|
||||
module_options = {}
|
||||
|
||||
|
@ -103,8 +103,8 @@ class ModuleLoader:
|
|||
Get the path, description, and options from a module
|
||||
"""
|
||||
try:
|
||||
spec = importlib.util.spec_from_file_location("CMEModule", module_path)
|
||||
module_spec = spec.loader.load_module().CMEModule
|
||||
spec = importlib.util.spec_from_file_location("nxcModule", module_path)
|
||||
module_spec = spec.loader.load_module().nxcModule
|
||||
|
||||
module = {
|
||||
f"{module_spec.name.lower()}": {
|
||||
|
@ -129,8 +129,8 @@ class ModuleLoader:
|
|||
"""
|
||||
modules = {}
|
||||
modules_paths = [
|
||||
path_join(dirname(cme.__file__), "modules"),
|
||||
path_join(CME_PATH, "modules"),
|
||||
path_join(dirname(nxc.__file__), "modules"),
|
||||
path_join(nxc_PATH, "modules"),
|
||||
]
|
||||
|
||||
for path in modules_paths:
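Review bot: In the hunk at old line 82 the `except Exception as e:` branch only logs and then falls through to `context = Context(self.db, module_logger, self.args)`, so if `NXCAdapter(...)` raises, `module_logger` is unbound and the next line fails with a NameError instead of the logged error; indentation is lost in this rendering, so confirm that the `Context(...)` line really sits outside the `try`. Adding a `return` directly under the `self.logger.fail(...)` call would keep the failure contained. The message text also says `nxcAdaptor` while the renamed class is `NXCAdapter`; `f"Error loading NXCAdapter for module {module.name.upper()}: {e}"` would match. The enclosing method starts and ends outside the hunk.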
|
|
@ -5,12 +5,12 @@ from importlib.machinery import SourceFileLoader
|
|||
from os import listdir
|
||||
from os.path import join as path_join
|
||||
from os.path import dirname, exists, expanduser
|
||||
import cme
|
||||
import nxc
|
||||
|
||||
|
||||
class ProtocolLoader:
|
||||
def __init__(self):
|
||||
self.cme_path = expanduser("~/.cme")
|
||||
self.nxc_path = expanduser("~/.nxc")
|
||||
|
||||
def load_protocol(self, protocol_path):
|
||||
loader = SourceFileLoader("protocol", protocol_path)
|
||||
|
@ -21,8 +21,8 @@ class ProtocolLoader:
|
|||
def get_protocols(self):
|
||||
protocols = {}
|
||||
protocol_paths = [
|
||||
path_join(dirname(cme.__file__), "protocols"),
|
||||
path_join(self.cme_path, "protocols"),
|
||||
path_join(dirname(nxc.__file__), "protocols"),
|
||||
path_join(self.nxc_path, "protocols"),
|
||||
]
|
||||
|
||||
for path in protocol_paths:
|
|
@ -6,28 +6,28 @@ from logging.handlers import RotatingFileHandler
|
|||
import os.path
|
||||
import sys
|
||||
import re
|
||||
from cme.helpers.misc import called_from_cmd_args
|
||||
from cme.console import cme_console
|
||||
from nxc.helpers.misc import called_from_cmd_args
|
||||
from nxc.console import nxc_console
|
||||
from termcolor import colored
|
||||
from datetime import datetime
|
||||
from rich.text import Text
|
||||
from rich.logging import RichHandler
|
||||
|
||||
|
||||
class CMEAdapter(logging.LoggerAdapter):
|
||||
class NXCAdapter(logging.LoggerAdapter):
|
||||
def __init__(self, extra=None):
|
||||
logging.basicConfig(
|
||||
format="%(message)s",
|
||||
datefmt="[%X]",
|
||||
handlers=[
|
||||
RichHandler(
|
||||
console=cme_console,
|
||||
console=nxc_console,
|
||||
rich_tracebacks=True,
|
||||
tracebacks_show_locals=False,
|
||||
)
|
||||
],
|
||||
)
|
||||
self.logger = logging.getLogger("cme")
|
||||
self.logger = logging.getLogger("nxc")
|
||||
self.extra = extra
|
||||
self.output_file = None
|
||||
|
||||
|
@ -55,7 +55,7 @@ class CMEAdapter(logging.LoggerAdapter):
|
|||
kwargs,
|
||||
)
|
||||
|
||||
# If the logger is being called from CMEServer
|
||||
# If the logger is being called from nxcServer
|
||||
if len(self.extra) == 2 and ("module_name" in self.extra.keys()) and ("host" in self.extra.keys()):
|
||||
return (
|
||||
f"{colored(self.extra['module_name'], 'cyan', attrs=['bold']):<24} {self.extra['host']:<39} {msg}",
|
||||
|
@ -75,7 +75,7 @@ class CMEAdapter(logging.LoggerAdapter):
|
|||
|
||||
def display(self, msg, *args, **kwargs):
|
||||
"""
|
||||
Display text to console, formatted for CME
|
||||
Display text to console, formatted for nxc
|
||||
"""
|
||||
try:
|
||||
if "protocol" in self.extra.keys() and not called_from_cmd_args():
|
||||
|
@ -85,7 +85,7 @@ class CMEAdapter(logging.LoggerAdapter):
|
|||
|
||||
msg, kwargs = self.format(f"{colored('[*]', 'blue', attrs=['bold'])} {msg}", kwargs)
|
||||
text = Text.from_ansi(msg)
|
||||
cme_console.print(text, *args, **kwargs)
|
||||
nxc_console.print(text, *args, **kwargs)
|
||||
self.log_console_to_file(text, *args, **kwargs)
|
||||
|
||||
def success(self, msg, color='green', *args, **kwargs):
|
||||
|
@ -100,7 +100,7 @@ class CMEAdapter(logging.LoggerAdapter):
|
|||
|
||||
msg, kwargs = self.format(f"{colored('[+]', color, attrs=['bold'])} {msg}", kwargs)
|
||||
text = Text.from_ansi(msg)
|
||||
cme_console.print(text, *args, **kwargs)
|
||||
nxc_console.print(text, *args, **kwargs)
|
||||
self.log_console_to_file(text, *args, **kwargs)
|
||||
|
||||
def highlight(self, msg, *args, **kwargs):
|
||||
|
@ -115,7 +115,7 @@ class CMEAdapter(logging.LoggerAdapter):
|
|||
|
||||
msg, kwargs = self.format(f"{colored(msg, 'yellow', attrs=['bold'])}", kwargs)
|
||||
text = Text.from_ansi(msg)
|
||||
cme_console.print(text, *args, **kwargs)
|
||||
nxc_console.print(text, *args, **kwargs)
|
||||
self.log_console_to_file(text, *args, **kwargs)
|
||||
|
||||
def fail(self, msg, color='red', *args, **kwargs):
|
||||
|
@ -129,7 +129,7 @@ class CMEAdapter(logging.LoggerAdapter):
|
|||
pass
|
||||
msg, kwargs = self.format(f"{colored('[-]', color, attrs=['bold'])} {msg}", kwargs)
|
||||
text = Text.from_ansi(msg)
|
||||
cme_console.print(text, *args, **kwargs)
|
||||
nxc_console.print(text, *args, **kwargs)
|
||||
self.log_console_to_file(text, *args, **kwargs)
|
||||
|
||||
def log_console_to_file(self, text, *args, **kwargs):
|
||||
|
@ -144,7 +144,7 @@ class CMEAdapter(logging.LoggerAdapter):
|
|||
for handler in self.logger.handlers:
|
||||
handler.handle(
|
||||
LogRecord(
|
||||
"cme",
|
||||
"nxc",
|
||||
20,
|
||||
"",
|
||||
kwargs,
|
||||
|
@ -181,11 +181,11 @@ class CMEAdapter(logging.LoggerAdapter):
|
|||
|
||||
@staticmethod
|
||||
def init_log_file():
|
||||
newpath = os.path.expanduser("~/.cme") + "/logs/" + datetime.now().strftime('%Y-%m-%d')
|
||||
newpath = os.path.expanduser("~/.nxc") + "/logs/" + datetime.now().strftime('%Y-%m-%d')
|
||||
if not os.path.exists(newpath):
|
||||
os.makedirs(newpath)
|
||||
log_filename = os.path.join(
|
||||
os.path.expanduser("~/.cme"),
|
||||
os.path.expanduser("~/.nxc"),
|
||||
"logs",
|
||||
datetime.now().strftime('%Y-%m-%d'),
|
||||
f"log_{datetime.now().strftime('%Y-%m-%d-%H-%M-%S')}.log",
|
||||
|
@ -205,5 +205,5 @@ class TermEscapeCodeFormatter(logging.Formatter):
|
|||
return super().format(record)
|
||||
|
||||
|
||||
# initialize the logger for all of CME - this is imported everywhere
|
||||
cme_logger = CMEAdapter()
|
||||
# initialize the logger for all of nxc - this is imported everywhere
|
||||
nxc_logger = NXCAdapter()
|
|
@ -11,7 +11,7 @@ from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
|
|||
from impacket.dcerpc.v5.dcomrt import IObjectExporter
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "ioxidresolver"
|
||||
description = "This module helps you to identify hosts that have additional active interfaces"
|
||||
supported_protocols = ["smb", "wmi"]
|
|
@ -2,12 +2,12 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Module by Shutdown and Podalirius
|
||||
|
||||
Initial module:
|
||||
https://github.com/ShutdownRepo/CrackMapExec-MachineAccountQuota
|
||||
https://github.com/ShutdownRepo/NetExec-MachineAccountQuota
|
||||
|
||||
Authors:
|
||||
Shutdown: @_nwodtuhs
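Review bot: The attribution link in this docstring was rewritten by the rename from `https://github.com/ShutdownRepo/CrackMapExec-MachineAccountQuota` to `https://github.com/ShutdownRepo/NetExec-MachineAccountQuota`, which names a third-party repository this project does not control and that presumably does not exist under the new name. Links to external repositories should keep their original path, so the old URL should be restored here. The same applies to the `Cyb3rC3lt/NetExec-Modules` links in the add-computer, find-computer and group-mem modules and to the `juliourena/NetExec/blob/master/nxc/modules/get_description.py` links in the groupmembership and pso modules. A dangling repository link in a security tool's source is worth avoiding, because whoever later registers that name decides what a reader following the attribution finds.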
|
|
@ -5,7 +5,7 @@ from impacket.ldap import ldap, ldapasn1
|
|||
from impacket.ldap.ldap import LDAPSearchError
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Find PKI Enrollment Services in Active Directory and Certificate Templates Names.
|
||||
|
|
@ -5,11 +5,11 @@
|
|||
import ldap3
|
||||
from impacket.dcerpc.v5 import samr, epm, transport
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
'''
|
||||
Module by CyberCelt: @Cyb3rC3lt
|
||||
Initial module:
|
||||
https://github.com/Cyb3rC3lt/CrackMapExec-Modules
|
||||
https://github.com/Cyb3rC3lt/NetExec-Modules
|
||||
Thanks to the guys at impacket for the original code
|
||||
'''
|
||||
|
||||
|
@ -26,9 +26,9 @@ class CMEModule:
|
|||
PASSWORD: Specify the PASSWORD option to supply a password for the Computer to be added
|
||||
DELETE: Specify DELETE to remove a Computer
|
||||
CHANGEPW: Specify CHANGEPW to modify a Computer password
|
||||
Usage: cme smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password1"
|
||||
cme smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" DELETE=True
|
||||
cme smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password2" CHANGEPW=True
|
||||
Usage: nxc smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password1"
|
||||
nxc smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" DELETE=True
|
||||
nxc smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password2" CHANGEPW=True
|
||||
'''
|
||||
|
||||
self.__baseDN = None
|
||||
|
@ -296,9 +296,9 @@ class CMEModule:
|
|||
['top', 'person', 'organizationalPerson', 'user', 'computer'], ucd)
|
||||
if result:
|
||||
context.log.highlight('Successfully added the machine account: "' + self.__computerName + '" with Password: "' + self.__computerPassword + '"')
|
||||
context.log.highlight(u'{}'.format('You can try to verify this with the CME command:'))
|
||||
context.log.highlight(u'{}'.format('You can try to verify this with the nxc command:'))
|
||||
context.log.highlight(u'{}'.format(
|
||||
'cme ldap ' + connection.host + ' -u ' + connection.username + ' -p ' + connection.password + ' -M group-mem -o GROUP="Domain Computers"'))
|
||||
'nxc ldap ' + connection.host + ' -u ' + connection.username + ' -p ' + connection.password + ' -M group-mem -o GROUP="Domain Computers"'))
|
||||
elif result == False and c.last_error == "entryAlreadyExists":
|
||||
context.log.highlight(u'{}'.format('The Computer account "' + self.__computerName + '" already exists'))
|
||||
elif not result:
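Review bot: The verification hint in the hunk at old line 296 concatenates `connection.password` into the highlighted command line, so the operator's cleartext password is printed to the console and, because `highlight` in the logger also calls `log_console_to_file`, can end up in the log file when file logging is active. Printing a placeholder instead, e.g. `' -u ' + connection.username + ' -p <password> -M group-mem -o GROUP="Domain Computers"'`, keeps the hint usable without persisting the credential. The `if`/`elif` chain continues past the end of the hunk.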
|
|
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
|
||||
"""
|
||||
Checks for credentials in IIS Application Pool configuration files using appcmd.exe.
|
|
@ -11,7 +11,7 @@ from neo4j import GraphDatabase
|
|||
from neo4j.exceptions import AuthError, ServiceUnavailable
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "bh_owned"
|
||||
description = "Set pwned computer as owned in Bloodhound"
|
||||
supported_protocols = ["smb"]
|
|
@ -6,7 +6,7 @@ import datetime
|
|||
from enum import Enum
|
||||
from impacket.ldap import ldaptypes
|
||||
from impacket.uuid import bin_to_string
|
||||
from cme.helpers.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
|
||||
from nxc.helpers.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
|
||||
from ldap3.protocol.formatters.formatters import format_sid
|
||||
from ldap3.utils.conv import escape_filter_chars
|
||||
from ldap3.protocol.microsoft import security_descriptor_control
|
||||
|
@ -187,7 +187,7 @@ class ALLOWED_OBJECT_ACE_MASK_FLAGS(Enum):
|
|||
Self = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_SELF
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Module to read and backup the Discretionary Access Control List of one or multiple objects.
|
||||
This module is essentially inspired from the dacledit.py script of Impacket that we have coauthored, @_nwodtuhs and me.
|
|
@ -7,10 +7,10 @@ from impacket.dcerpc.v5.ndr import NDRCALL
|
|||
from impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD
|
||||
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
||||
from impacket.uuid import uuidtup_to_bin
|
||||
from cme.logger import cme_logger
|
||||
from nxc.logger import nxc_logger
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "dfscoerce"
|
||||
description = "Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam"
|
||||
supported_protocols = ["smb"]
|
||||
|
@ -123,31 +123,31 @@ class TriggerAuth:
|
|||
|
||||
rpctransport.setRemoteHost(target)
|
||||
dce = rpctransport.get_dce_rpc()
|
||||
cme_logger.debug("[-] Connecting to %s" % r"ncacn_np:%s[\PIPE\netdfs]" % target)
|
||||
nxc_logger.debug("[-] Connecting to %s" % r"ncacn_np:%s[\PIPE\netdfs]" % target)
|
||||
try:
|
||||
dce.connect()
|
||||
except Exception as e:
|
||||
cme_logger.debug("Something went wrong, check error status => %s" % str(e))
|
||||
nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
|
||||
return
|
||||
try:
|
||||
dce.bind(uuidtup_to_bin(("4FC742E0-4A10-11CF-8273-00AA004AE673", "3.0")))
|
||||
except Exception as e:
|
||||
cme_logger.debug("Something went wrong, check error status => %s" % str(e))
|
||||
nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
|
||||
return
|
||||
cme_logger.debug("[+] Successfully bound!")
|
||||
nxc_logger.debug("[+] Successfully bound!")
|
||||
return dce
|
||||
|
||||
def NetrDfsRemoveStdRoot(self, dce, listener):
|
||||
cme_logger.debug("[-] Sending NetrDfsRemoveStdRoot!")
|
||||
nxc_logger.debug("[-] Sending NetrDfsRemoveStdRoot!")
|
||||
try:
|
||||
request = NetrDfsRemoveStdRoot()
|
||||
request["ServerName"] = "%s\x00" % listener
|
||||
request["RootShare"] = "test\x00"
|
||||
request["ApiFlags"] = 1
|
||||
if self.args.verbose:
|
||||
cme_logger.debug(request.dump())
|
||||
nxc_logger.debug(request.dump())
|
||||
# logger.debug(request.dump())
|
||||
resp = dce.request(request)
|
||||
|
||||
except Exception as e:
|
||||
cme_logger.debug(e)
|
||||
nxc_logger.debug(e)
|
|
@ -4,7 +4,7 @@
|
|||
import ntpath
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Technique discovered by @DTMSecurity and @domchell to remotely coerce an host to start WebClient service.
|
||||
https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/
|
|
@ -11,7 +11,7 @@ from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
|||
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
|
||||
Module by @byt3bl33d3r
|
||||
|
@ -75,7 +75,7 @@ class CMEModule:
|
|||
sys.exit(1)
|
||||
|
||||
data = {
|
||||
"name": "cme_ephemeral",
|
||||
"name": "nxc_ephemeral",
|
||||
"template": "multi_launcher",
|
||||
"options": {
|
||||
"Listener": module_options["LISTENER"],
|
|
@ -10,7 +10,7 @@ from impacket.dcerpc.v5 import transport
|
|||
import pathlib
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Uses LsarLookupNames and NamedPipes to gather information on all endpoint protection solutions installed on the the remote host(s)
|
||||
Module by @mpgn_x64
|
|
@ -2,10 +2,10 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
from datetime import datetime
|
||||
from cme.helpers.logger import write_log
|
||||
from nxc.helpers.logger import write_log
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Uses WMI to dump DNS from an AD DNS Server.
|
||||
Module by @fang0654
|
||||
|
@ -72,4 +72,4 @@ class CMEModule:
|
|||
|
||||
log_name = "DNS-Enum-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))
|
||||
write_log(data, log_name)
|
||||
context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}")
|
||||
context.log.display(f"Saved raw output to ~/.nxc/logs/{log_name}")
|
|
@ -2,7 +2,7 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Example
|
||||
Module by @yomama
|
|
@ -3,12 +3,12 @@
|
|||
import socket
|
||||
import sys
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
'''
|
||||
Module by CyberCelt: @Cyb3rC3lt
|
||||
|
||||
Initial module:
|
||||
https://github.com/Cyb3rC3lt/CrackMapExec-Modules
|
||||
https://github.com/Cyb3rC3lt/NetExec-Modules
|
||||
'''
|
||||
|
||||
name = 'find-computer'
|
||||
|
@ -21,8 +21,8 @@ class CMEModule:
|
|||
'''
|
||||
find-computer: Specify find-computer to call the module
|
||||
TEXT: Specify the TEXT option to enter your text to search for
|
||||
Usage: cme ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="server"
|
||||
cme ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="SQL"
|
||||
Usage: nxc ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="server"
|
||||
nxc ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="SQL"
|
||||
'''
|
||||
|
||||
self.TEXT = ''
|
|
@ -1,9 +1,9 @@
|
|||
#!/usr/bin/env python3
|
||||
from dploot.lib.target import Target
|
||||
from cme.protocols.smb.firefox import FirefoxTriage
|
||||
from nxc.protocols.smb.firefox import FirefoxTriage
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Firefox by @zblurx
|
||||
Inspired by firefox looting from DonPAPI
|
|
@ -4,10 +4,10 @@
|
|||
from impacket.ldap import ldapasn1 as ldapasn1_impacket
|
||||
from impacket.ldap import ldap as ldap_impacket
|
||||
import re
|
||||
from cme.logger import cme_logger
|
||||
from nxc.logger import nxc_logger
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Get description of users
|
||||
Module by @nodauf
|
||||
|
@ -56,7 +56,7 @@ class CMEModule:
|
|||
resp = e.getAnswers()
|
||||
pass
|
||||
else:
|
||||
cme_logger.debug(e)
|
||||
nxc_logger.debug(e)
|
||||
return False
|
||||
|
||||
answers = []
|
|
@ -2,11 +2,11 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
from datetime import datetime
|
||||
from cme.helpers.logger import write_log
|
||||
from nxc.helpers.logger import write_log
|
||||
import json
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Uses WMI to extract network connections, used to find multi-homed hosts.
|
||||
Module by @fang0654
|
||||
|
@ -37,4 +37,4 @@ class CMEModule:
|
|||
|
||||
log_name = "network-connections-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))
|
||||
write_log(json.dumps(data), log_name)
|
||||
context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}")
|
||||
context.log.display(f"Saved raw output to ~/.nxc/logs/{log_name}")
|
|
@ -5,7 +5,7 @@ import xml.etree.ElementTree as ET
|
|||
from io import BytesIO
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1
|
||||
Module by @byt3bl33d3r
|
|
@ -8,7 +8,7 @@ from binascii import unhexlify
|
|||
from io import BytesIO
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
|
||||
Module by @byt3bl33d3r
|
|
@ -3,12 +3,12 @@
|
|||
|
||||
from impacket.ldap import ldapasn1 as ldapasn1_impacket
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
'''
|
||||
Module by CyberCelt: @Cyb3rC3lt
|
||||
|
||||
Initial module:
|
||||
https://github.com/Cyb3rC3lt/CrackMapExec-Modules
|
||||
https://github.com/Cyb3rC3lt/NetExec-Modules
|
||||
'''
|
||||
|
||||
name = 'group-mem'
|
||||
|
@ -23,8 +23,8 @@ class CMEModule:
|
|||
'''
|
||||
group-mem: Specify group-mem to call the module
|
||||
GROUP: Specify the GROUP option to query for that group's members
|
||||
Usage: cme ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain admins"
|
||||
cme ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain controllers"
|
||||
Usage: nxc ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain admins"
|
||||
nxc ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain controllers"
|
||||
'''
|
||||
|
||||
self.GROUP = ''
|
|
@ -5,13 +5,13 @@ from impacket.ldap import ldapasn1 as ldapasn1_impacket
|
|||
from impacket.ldap import ldap as ldap_impacket
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Created as a contributtion from HackTheBox Academy team for CrackMapExec
|
||||
Created as a contributtion from HackTheBox Academy team for NetExec
|
||||
Reference: https://academy.hackthebox.com/module/details/84
|
||||
|
||||
Module by @juliourena
|
||||
Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py
|
||||
Based on: https://github.com/juliourena/NetExec/blob/master/nxc/modules/get_description.py
|
||||
"""
|
||||
|
||||
name = "groupmembership"
|
|
@ -32,7 +32,7 @@ def neo4j_conn(context, connection, driver):
|
|||
context.log.fail("Error querying domain admins")
|
||||
context.log.debug(e)
|
||||
else:
|
||||
context.log.fail("BloodHound not marked enabled. Check cme.conf")
|
||||
context.log.fail("BloodHound not marked enabled. Check nxc.conf")
|
||||
exit(1)
|
||||
|
||||
|
||||
|
@ -134,7 +134,7 @@ def initial_run(connection, cursor):
|
|||
)
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "hash_spider"
|
||||
description = "Dump lsass recursively from a given hash using BH to find local admins"
|
||||
supported_protocols = ["smb"]
|
||||
|
@ -271,8 +271,8 @@ class CMEModule:
|
|||
exit()
|
||||
|
||||
def on_admin_login(self, context, connection):
|
||||
db_path = connection.config.get("CME", "workspace")
|
||||
# DB will be saved at ./CrackMapExec/hash_spider_default.sqlite3 if workspace in cme.conf is "default"
|
||||
db_path = connection.config.get("nxc", "workspace")
|
||||
# DB will be saved at ./NetExec/hash_spider_default.sqlite3 if workspace in nxc.conf is "default"
|
||||
db_name = f"hash_spider_{db_path}.sqlite3"
|
||||
dbconnection = connect(db_name, check_same_thread=False, isolation_level=None)
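Review bot: The rewritten comment in `on_admin_login` says the database is saved at `./NetExec/hash_spider_default.sqlite3`, but `db_name` is a bare file name passed to `connect`, so the file is created in whatever the current working directory is at run time. A comment such as `# DB is created in the current working directory as hash_spider_<workspace>.sqlite3` would describe what the code does. The lookup also changed its section from `"CME"` to `"nxc"` in `connection.config.get(...)`, and the mssql_priv hunk makes the same change for `pwn3d_label`; if the config object is a configparser, a file that still carries the old section name would make these lookups raise, so it is worth confirming that the config migration renames the section too. The method body continues outside the hunk.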
|
||||
|
|
@ -6,7 +6,7 @@ from impacket.dcerpc.v5 import scmr
|
|||
from impacket.examples.secretsdump import RemoteOperations
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "install_elevated"
|
||||
description = "Checks for AlwaysInstallElevated"
|
||||
supported_protocols = ["smb"]
|
|
@ -1,7 +1,7 @@
|
|||
from csv import reader
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Search for KeePass-related files and process
|
||||
|
|
@ -7,10 +7,10 @@ from csv import reader
|
|||
from base64 import b64encode
|
||||
from io import BytesIO, StringIO
|
||||
from xml.etree import ElementTree
|
||||
from cme.helpers.powershell import get_ps_script
|
||||
from nxc.helpers.powershell import get_ps_script
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Make use of KeePass' trigger system to export the database in cleartext
|
||||
References: https://keepass.info/help/v2/triggers.html
|
|
@ -3,9 +3,9 @@
|
|||
import json
|
||||
|
||||
from impacket.ldap import ldapasn1 as ldapasn1_impacket
|
||||
from cme.protocols.ldap.laps import LDAPConnect, LAPSv2Extract
|
||||
from nxc.protocols.ldap.laps import LDAPConnect, LAPSv2Extract
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Module by technobro refactored by @mpgn (now compatible with LDAP protocol + filter by computer)
|
||||
|
|
@ -13,7 +13,7 @@ from asyauth.common.credentials.kerberos import KerberosCredential
|
|||
|
||||
from asysocks.unicomm.common.target import UniTarget, UniProto
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Checks whether LDAP signing and channelbinding are required.
|
||||
|
|
@ -11,10 +11,10 @@ from lsassy.impacketfile import ImpacketFile
|
|||
from lsassy.parser import Parser
|
||||
from lsassy.session import Session
|
||||
|
||||
from cme.helpers.bloodhound import add_user_bh
|
||||
from nxc.helpers.bloodhound import add_user_bh
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "lsassy"
|
||||
description = "Dump lsass and parse the result remotely with lsassy"
|
||||
supported_protocols = ["smb"]
|
|
@ -2,10 +2,10 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
from masky import Masky
|
||||
from cme.helpers.bloodhound import add_user_bh
|
||||
from nxc.helpers.bloodhound import add_user_bh
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "masky"
|
||||
description = "Remotely dump domain user credentials via an ADCS and a KDC"
|
||||
supported_protocols = ["smb"]
|
|
@ -4,7 +4,7 @@
|
|||
from sys import exit
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
|
||||
Module by @byt3bl33d3r
|
||||
|
@ -32,7 +32,7 @@ class CMEModule:
|
|||
SSL Stager server use https or http (default: https)
|
||||
|
||||
multi/handler method that don't require RAND:
|
||||
Set LHOST and LPORT (called SRVHOST and SRVPORT in CME module options)
|
||||
Set LHOST and LPORT (called SRVHOST and SRVPORT in nxc module options)
|
||||
Set payload to one of the following (non-exhaustive list):
|
||||
windows/x64/powershell_reverse_tcp
|
||||
windows/x64/powershell_reverse_tcp_ssl
|
|
@ -9,7 +9,7 @@ import socket
|
|||
import struct
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "ms17-010"
|
||||
description = "MS17-010, /!\ not tested oustide home lab"
|
||||
supported_protocols = ["smb"]
|
|
@ -1,12 +1,12 @@
|
|||
# MSOL module for CME
|
||||
# MSOL module for nxc
|
||||
# Author of the module : https://twitter.com/Daahtk
|
||||
# Based on the article : https://blog.xpnsec.com/azuread-connect-for-redteam/
|
||||
from sys import exit
|
||||
from os import path
|
||||
from cme.helpers.powershell import get_ps_script
|
||||
from nxc.helpers.powershell import get_ps_script
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "msol"
|
||||
description = "Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server"
|
||||
supported_protocols = ["smb"]
|
|
@ -4,7 +4,7 @@
|
|||
# Romain de Reydellet (@pentest_soka)
|
||||
|
||||
|
||||
from cme.helpers.logger import highlight
|
||||
from nxc.helpers.logger import highlight
|
||||
|
||||
|
||||
class User:
|
||||
|
@ -21,7 +21,7 @@ class User:
|
|||
return f"User({self.username})"
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Enumerate MSSQL privileges and exploit them
|
||||
"""
|
||||
|
@ -92,7 +92,7 @@ class CMEModule:
|
|||
elif target_user.dbowner:
|
||||
self.do_dbowner_privesc(target_user.dbowner, exec_as)
|
||||
if self.is_admin_user(self.current_username):
|
||||
self.context.log.success(f"{self.current_username} is now a sysadmin! " + highlight("({})".format(self.context.conf.get("CME", "pwn3d_label"))))
|
||||
self.context.log.success(f"{self.current_username} is now a sysadmin! " + highlight("({})".format(self.context.conf.get("nxc", "pwn3d_label"))))
|
||||
|
||||
def build_exec_as_from_path(self, target_user):
|
||||
path = [target_user.username]
|
|
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# nanodump module for CME python3
|
||||
# nanodump module for nxc python3
|
||||
# author of the module : github.com/mpgn
|
||||
# nanodump: https://github.com/helpsystems/nanodump
|
||||
|
||||
|
@ -9,11 +9,11 @@ import sys
|
|||
import os
|
||||
from datetime import datetime
|
||||
from pypykatz.pypykatz import pypykatz
|
||||
from cme.helpers.bloodhound import add_user_bh
|
||||
from cme.protocols.mssql.mssqlexec import MSSQLEXEC
|
||||
from nxc.helpers.bloodhound import add_user_bh
|
||||
from nxc.protocols.mssql.mssqlexec import MSSQLEXEC
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "nanodump"
|
||||
description = "Get lsass dump using nanodump and parse the result with pypykatz"
|
||||
supported_protocols = ["smb", "mssql"]
|
||||
|
@ -36,7 +36,7 @@ class CMEModule:
|
|||
def options(self, context, module_options):
|
||||
"""
|
||||
TMP_DIR Path where process dump should be saved on target system (default: C:\\Windows\\Temp\\)
|
||||
NANO_PATH Path where nano.exe is on your system (default: /tmp/cme/)
|
||||
NANO_PATH Path where nano.exe is on your system (default: /tmp/nxc/)
|
||||
NANO_EXE_NAME Name of the nano executable (default: nano.exe)
|
||||
DIR_RESULT Location where the dmp are stored (default: DIR_RESULT = NANO_PATH)
|
||||
"""
|
||||
|
@ -60,13 +60,13 @@ class CMEModule:
|
|||
else:
|
||||
if sys.platform == "win32":
|
||||
appdata_path = os.getenv("APPDATA")
|
||||
if not os.path.exists(appdata_path + "\CME"):
|
||||
os.mkdir(appdata_path + "\CME")
|
||||
self.nano_path = appdata_path + "\CME\\"
|
||||
if not os.path.exists(appdata_path + "\nxc"):
|
||||
os.mkdir(appdata_path + "\nxc")
|
||||
self.nano_path = appdata_path + "\nxc\\"
|
||||
else:
|
||||
if not os.path.exists("/tmp/cme/"):
|
||||
os.mkdir("/tmp/cme/")
|
||||
self.nano_path = "/tmp/cme/"
|
||||
if not os.path.exists("/tmp/nxc/"):
|
||||
os.mkdir("/tmp/nxc/")
|
||||
self.nano_path = "/tmp/nxc/"
|
||||
|
||||
self.dir_result = self.nano_path
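Review bot: The rename turned `"\CME"` into `"\nxc"` in the win32 branch of the hunk at old line 60, and in an ordinary Python string `\n` is a newline, so `appdata_path + "\nxc"` now builds a path with a line break followed by `xc`, whereas the old invalid escape `\C` happened to stay a literal backslash. All three lines are affected; `os.path.join(appdata_path, "nxc")` for the `exists`/`mkdir` calls and `self.nano_path = os.path.join(appdata_path, "nxc") + "\\"` avoid the escape entirely. Separately, the non-Windows default `/tmp/nxc/` is a fixed name in a shared temp directory and, per the option text, also the default location of the resulting dump files; a per-user directory under the `~/.nxc` tree used elsewhere in this commit, created with owner-only permissions, would be a safer default. The surrounding method starts outside the hunk.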
|
||||
|
|
@ -10,7 +10,7 @@ from impacket.krb5 import constants
|
|||
from impacket.krb5.types import Principal
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "nopac"
|
||||
description = "Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user"
|
||||
supported_protocols = ["smb"]
|
|
@ -5,11 +5,11 @@ import time
|
|||
|
||||
from impacket.examples.secretsdump import LocalOperations, NTDSHashes
|
||||
|
||||
from cme.helpers.logger import highlight
|
||||
from cme.helpers.misc import validate_ntlm
|
||||
from nxc.helpers.logger import highlight
|
||||
from nxc.helpers.misc import validate_ntlm
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Dump NTDS with ntdsutil
|
||||
Module by @zblurx
|
|
@ -6,7 +6,7 @@ from impacket.examples.secretsdump import RemoteOperations
|
|||
from impacket.dcerpc.v5.rrp import DCERPCSessionError
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication
|
||||
Module by @Tw1sm
|
|
@ -19,7 +19,7 @@ from impacket.dcerpc.v5.rpcrt import (
|
|||
from impacket.uuid import uuidtup_to_bin
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "petitpotam"
|
||||
description = "Module to check if the DC is vulnerable to PetitPotam, credit to @topotam"
|
||||
supported_protocols = ["smb"]
|
|
@ -16,7 +16,7 @@ KNOWN_PROTOCOLS = {
|
|||
}
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Check if vulnerable to printnightmare
|
||||
Module by @mpgn_x64 based on https://github.com/ly4k/PrintNightmare
|
|
@ -7,11 +7,11 @@ from math import fabs
|
|||
import re
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
'''
|
||||
Created by fplazar and wanetty
|
||||
Module by @gm_eduard and @ferranplaza
|
||||
Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py
|
||||
Based on: https://github.com/juliourena/NetExec/blob/master/nxc/modules/get_description.py
|
||||
'''
|
||||
|
||||
name = 'pso'
|
|
@ -7,10 +7,10 @@ from dploot.triage.backupkey import BackupkeyTriage
|
|||
from dploot.lib.target import Target
|
||||
from dploot.lib.smb import DPLootSMBConnection
|
||||
|
||||
from cme.helpers.logger import highlight
|
||||
from nxc.helpers.logger import highlight
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "rdcman"
|
||||
description = "Remotely dump Remote Desktop Connection Manager (sysinternals) credentials"
|
||||
supported_protocols = ["smb"]
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
from sys import exit
|
||||
|
||||
from cme.connection import dcom_FirewallChecker
|
||||
from nxc.connection import dcom_FirewallChecker
|
||||
|
||||
from impacket.dcerpc.v5 import rrp
|
||||
from impacket.examples.secretsdump import RemoteOperations
|
||||
|
@ -13,7 +13,7 @@ from impacket.dcerpc.v5.dtypes import NULL
|
|||
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "rdp"
|
||||
description = "Enables/Disables RDP"
|
||||
supported_protocols = ["smb" ,"wmi"]
|
||||
|
@ -31,9 +31,9 @@ class CMEModule:
|
|||
METHOD wmi(ncacn_ip_tcp)/smb(ncacn_np) (choices: wmi, smb, default is wmi)
|
||||
OLD For old version system (under NT6, like: server 2003)
|
||||
DCOM-TIMEOUT Set the Dcom connection timeout for WMI method (Default is 10 seconds)
|
||||
cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
|
||||
cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=smb ACTION={enable, disable, enable-ram, disable-ram}
|
||||
cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=wmi ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
|
||||
nxc smb 192.168.1.1 -u {user} -p {password} -M rdp -o ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
|
||||
nxc smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=smb ACTION={enable, disable, enable-ram, disable-ram}
|
||||
nxc smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=wmi ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
|
||||
"""
|
||||
if not "ACTION" in module_options:
|
||||
context.log.fail("ACTION option not specified!")
|
|
@ -6,7 +6,7 @@ from impacket.dcerpc.v5 import rrp
|
|||
from impacket.examples.secretsdump import RemoteOperations
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "reg-query"
|
||||
description = "Performs a registry query on the machine"
|
||||
supported_protocols = ["smb"]
|
|
@ -2,7 +2,7 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "runasppl"
|
||||
description = "Check if the registry value RunAsPPL is set or not"
|
||||
supported_protocols = ["smb"]
|
|
@ -80,7 +80,7 @@ def searchResEntry_to_dict(results):
|
|||
return data
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "get-network"
|
||||
description = ""
|
||||
supported_protocols = ["ldap"]
|
||||
|
@ -183,7 +183,7 @@ class CMEModule:
|
|||
)
|
||||
|
||||
context.log.highlight("Found %d records" % len(outdata))
|
||||
path = expanduser("~/.cme/logs/{}_network_{}.log".format(connection.domain, datetime.now().strftime("%Y-%m-%d_%H%M%S")))
|
||||
path = expanduser("~/.nxc/logs/{}_network_{}.log".format(connection.domain, datetime.now().strftime("%Y-%m-%d_%H%M%S")))
|
||||
with codecs.open(path, "w", "utf-8") as outfile:
|
||||
for row in outdata:
|
||||
if self.showhosts:
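Review bot: The log path in the second hunk now points at `~/.nxc/logs/`, and the `codecs.open(path, "w", "utf-8")` that follows will raise if that directory does not exist; nothing visible in the hunk creates it. Unless first-run setup elsewhere guarantees the directory, add `os.makedirs(os.path.dirname(path), exist_ok=True)` before the open (this needs `os` in scope). `connection.domain` is also interpolated into the file name as-is, so a value containing a path separator would place the file outside the logs directory; stripping separators from it before formatting would close that off. The enclosing method starts and ends outside the hunk.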
|
|
@ -5,7 +5,7 @@ import ntpath
|
|||
from sys import exit
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Original idea and PoC by Mubix "Rob" Fuller
|
||||
URL: https://room362.com/post/2016/smb-http-auth-capture-via-scf/
|
|
@ -14,10 +14,10 @@ from impacket.dcerpc.v5.rpcrt import (
|
|||
RPC_C_AUTHN_GSS_NEGOTIATE,
|
||||
)
|
||||
from impacket.smbconnection import SessionError
|
||||
from cme.logger import cme_logger
|
||||
from nxc.logger import nxc_logger
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
name = "shadowcoerce"
|
||||
description = "Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam"
|
||||
supported_protocols = ["smb"]
|
||||
|
@ -229,7 +229,7 @@ class CoerceAuth:
|
|||
rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
|
||||
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
|
||||
|
||||
cme_logger.info("Connecting to %s" % binding_params[pipe]["stringBinding"])
|
||||
nxc_logger.info("Connecting to %s" % binding_params[pipe]["stringBinding"])
|
||||
|
||||
try:
|
||||
dce.connect()
|
||||
|
@ -239,20 +239,20 @@ class CoerceAuth:
|
|||
dce.disconnect()
|
||||
return 1
|
||||
|
||||
cme_logger.debug("Something went wrong, check error status => %s" % str(e))
|
||||
nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
|
||||
|
||||
cme_logger.info("Connected!")
|
||||
cme_logger.info("Binding to %s" % binding_params[pipe]["UUID"][0])
|
||||
nxc_logger.info("Connected!")
|
||||
nxc_logger.info("Binding to %s" % binding_params[pipe]["UUID"][0])
|
||||
try:
|
||||
dce.bind(uuidtup_to_bin(binding_params[pipe]["UUID"]))
|
||||
except Exception as e:
|
||||
cme_logger.debug("Something went wrong, check error status => %s" % str(e))
|
||||
nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
|
||||
|
||||
cme_logger.info("Successfully bound!")
|
||||
nxc_logger.info("Successfully bound!")
|
||||
return dce
|
||||
|
||||
def IsPathShadowCopied(self, dce, listener):
|
||||
cme_logger.debug("Sending IsPathShadowCopied!")
|
||||
nxc_logger.debug("Sending IsPathShadowCopied!")
|
||||
try:
|
||||
request = IsPathShadowCopied()
|
||||
# only NETLOGON and SYSVOL were detected working here
|
||||
|
@ -261,14 +261,14 @@ class CoerceAuth:
|
|||
# request.dump()
|
||||
dce.request(request)
|
||||
except Exception as e:
|
||||
cme_logger.debug("Something went wrong, check error status => %s", str(e))
|
||||
cme_logger.debug("Attack may of may not have worked, check your listener...")
|
||||
nxc_logger.debug("Something went wrong, check error status => %s", str(e))
|
||||
nxc_logger.debug("Attack may of may not have worked, check your listener...")
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
def IsPathSupported(self, dce, listener):
|
||||
cme_logger.debug("Sending IsPathSupported!")
|
||||
nxc_logger.debug("Sending IsPathSupported!")
|
||||
try:
|
||||
request = IsPathSupported()
|
||||
# only NETLOGON and SYSVOL were detected working here
|
||||
|
@ -276,8 +276,8 @@ class CoerceAuth:
|
|||
request["ShareName"] = "\\\\%s\\NETLOGON\x00" % listener
|
||||
dce.request(request)
|
||||
except Exception as e:
|
||||
cme_logger.debug("Something went wrong, check error status => %s", str(e))
|
||||
cme_logger.debug("Attack may of may not have worked, check your listener...")
|
||||
nxc_logger.debug("Something went wrong, check error status => %s", str(e))
|
||||
nxc_logger.debug("Attack may of may not have worked, check your listener...")
|
||||
return False
|
||||
|
||||
return True
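Review bot: In the `@ -239,20` hunk the `except Exception as e:` after `dce.bind(...)` only logs at debug level, and the code then appears to fall through to `nxc_logger.info("Successfully bound!")` and `return dce`, so a failed bind is reported as success and a DCE handle that was never bound is handed back. Indentation is lost on this page, so this is inferred from the statement order; if it holds, the handler should return a failure value instead of continuing, matching whatever the caller checks for (the caller is outside the hunk). While these log lines are being touched, the message `"Attack may of may not have worked, check your listener..."` in both later hunks should read `may or may not`.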
|
|
@ -6,7 +6,7 @@ import ntpath
|
|||
from sys import exit
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Original idea and PoC by Justin Angel (@4rch4ngel86)
|
||||
Module by @byt3bl33d3r
|
|
@ -6,7 +6,7 @@ import errno
|
|||
import os
|
||||
import time
|
||||
import traceback
|
||||
from cme.protocols.smb.remotefile import RemoteFile
|
||||
from nxc.protocols.smb.remotefile import RemoteFile
|
||||
from impacket.smb3structs import FILE_READ_DATA
|
||||
from impacket.smbconnection import SessionError
|
||||
|
||||
|
@ -497,7 +497,7 @@ class SMBSpiderPlus:
|
|||
self.logger.success("All files processed successfully.")
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Spider plus module
|
||||
Module by @vincd
|
||||
|
@ -517,7 +517,7 @@ class CMEModule:
|
|||
EXCLUDE_EXTS Case-insensitive extension filter to exclude (Default: ico,lnk)
|
||||
EXCLUDE_FILTER Case-insensitive filter to exclude folders/files (Default: print$,ipc$)
|
||||
MAX_FILE_SIZE Max file size to download (Default: 51200)
|
||||
OUTPUT_FOLDER Path of the local folder to save files (Default: /tmp/cme_spider_plus)
|
||||
OUTPUT_FOLDER Path of the local folder to save files (Default: /tmp/nxc_spider_plus)
|
||||
"""
|
||||
self.download_flag = False
|
||||
if any("DOWNLOAD" in key for key in module_options.keys()):
|
||||
|
@ -530,7 +530,7 @@ class CMEModule:
|
|||
self.exclude_filter = get_list_from_option(module_options.get("EXCLUDE_FILTER", "print$,ipc$"))
|
||||
self.exclude_filter = [d.lower() for d in self.exclude_filter] # force case-insensitive
|
||||
self.max_file_size = int(module_options.get("MAX_FILE_SIZE", 50 * 1024))
|
||||
self.output_folder = module_options.get("OUTPUT_FOLDER", os.path.join("/tmp", "cme_spider_plus"))
|
||||
self.output_folder = module_options.get("OUTPUT_FOLDER", os.path.join("/tmp", "nxc_spider_plus"))
|
||||
|
||||
|
||||
def on_login(self, context, connection):
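Review bot: In the last hunk the default `OUTPUT_FOLDER` stays a fixed, predictable directory under the shared `/tmp` (now `/tmp/nxc_spider_plus`), so on a multi-user host another local account can pre-create it or replace it with a symlink before the module saves downloaded share files there. Other output renamed by this commit already lives under `~/.nxc`, so the default could follow it, for example `self.output_folder = module_options.get("OUTPUT_FOLDER", os.path.join(os.path.expanduser("~/.nxc"), "spider_plus"))`, with the `(Default: ...)` text in the options docstring updated to match. The enclosing method starts outside these hunks, so whether the folder is later created with restrictive permissions cannot be seen here.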
|
|
@ -17,7 +17,7 @@ KNOWN_PROTOCOLS = {
|
|||
}
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
For printnightmare: detect if print spooler is enabled or not. Then use @cube0x0's project https://github.com/cube0x0/CVE-2021-1675 or Mimikatz from Benjamin Delpy
|
||||
Module by @mpgn_x64
|
|
@ -13,7 +13,7 @@ def searchResEntry_to_dict(results):
|
|||
return data
|
||||
|
||||
|
||||
class CMEModule:
|
||||
class nxcModule:
|
||||
"""
|
||||
Retrieves the different Sites and Subnets of an Active Directory
|
||||
|