rename folders, files, functions, classes, etc to NetExec/nxc

main
Marshall Hallenbeck 2023-09-14 17:07:15 -04:00
parent 2f0b74a492
commit 7886ac1612
193 changed files with 975 additions and 3800 deletions

View File

@ -11,27 +11,27 @@ build
bin
dist
*.egg-info
cme/data/powersploit/Recon/Dictionaries
cme/data/powersploit/Exfiltration/NTFSParser
cme/data/powersploit/CodeExecution/Invoke-ReflectivePEInjection_Resources
cme/data/powersploit/Exfiltration/LogonUser
cme/data/powersploit/Tests
cme/data/netripper/DLL
cme/data/netripper/Metasploit
cme/data/netripper/NetRipper
cme/data/netripper/Win32
cme/data/netripper/Release
cme/data/netripper/minhook
cme/data/netripper/x64
cme/data/netripper/*.pdf
cme/data/netripper/*.sln
cme/data/invoke-vnc/winvnc
cme/data/invoke-vnc/vncdll
cme/data/invoke-vnc/pebytes.ps1
cme/data/invoke-vnc/ReflectiveDLLInjection
cme/data/invoke-vnc/*.py
cme/data/invoke-vnc/*.bat
cme/data/invoke-vnc/*.msbuild
cme/data/invoke-vnc/*.sln
cme/data/RID-Hijacking/modules
cme/data/RID-Hijacking/slides
nxc/data/powersploit/Recon/Dictionaries
nxc/data/powersploit/Exfiltration/NTFSParser
nxc/data/powersploit/CodeExecution/Invoke-ReflectivePEInjection_Resources
nxc/data/powersploit/Exfiltration/LogonUser
nxc/data/powersploit/Tests
nxc/data/netripper/DLL
nxc/data/netripper/Metasploit
nxc/data/netripper/NetRipper
nxc/data/netripper/Win32
nxc/data/netripper/Release
nxc/data/netripper/minhook
nxc/data/netripper/x64
nxc/data/netripper/*.pdf
nxc/data/netripper/*.sln
nxc/data/invoke-vnc/winvnc
nxc/data/invoke-vnc/vncdll
nxc/data/invoke-vnc/pebytes.ps1
nxc/data/invoke-vnc/ReflectiveDLLInjection
nxc/data/invoke-vnc/*.py
nxc/data/invoke-vnc/*.bat
nxc/data/invoke-vnc/*.msbuild
nxc/data/invoke-vnc/*.sln
nxc/data/RID-Hijacking/modules
nxc/data/RID-Hijacking/slides

View File

@ -12,10 +12,10 @@ A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior i.e.:
Command: `crackmapexec smb -u username -p password`
Command: `netexec smb -u username -p password`
Resulted in:
```
crackmapexec smb 10.10.10.10 -u username -p password -x "whoami"
netexec smb 10.10.10.10 -u username -p password -x "whoami"
SMB 10.10.10.10 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain) (signing:True) (SMBv1:False)
SMB 10.10.10.10 445 DC01 [+] domain\username:password
Traceback (most recent call last):
@ -30,7 +30,7 @@ If applicable, add screenshots to help explain your problem.
**Crackmapexec info**
- OS: [e.g. Kali]
- Version of CME [e.g. v5.0.2]
- Version of nxc [e.g. v5.0.2]
- Installed from: apt/github/pip/docker/...? Please try with latest release before openning an issue
**Additional context**

View File

@ -1,4 +1,4 @@
name: CrackMapExec Tests
name: NetExec Tests
on:
pull_request_review:
@ -6,7 +6,7 @@ on:
jobs:
build:
name: CrackMapExec Tests for Py${{ matrix.python-version }}
name: NetExec Tests for Py${{ matrix.python-version }}
runs-on: ${{ matrix.os }}
strategy:
max-parallel: 4
@ -15,7 +15,7 @@ jobs:
python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
steps:
- uses: actions/checkout@v3
- name: CrackMapExec tests on ${{ matrix.os }}
- name: NetExec tests on ${{ matrix.os }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}

View File

@ -1,11 +1,11 @@
name: CrackMapExec Build Binaries
name: NetExec Build Binaries
on:
workflow_dispatch:
jobs:
build:
name: CrackMapExec Tests on ${{ matrix.os }}
name: NetExec Tests on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
max-parallel: 4
@ -14,7 +14,7 @@ jobs:
python-version: ["3.8", "3.9", "3.10", "3.11"]
steps:
- uses: actions/checkout@v3
- name: CrackMapExec tests on ${{ matrix.os }}
- name: NetExec tests on ${{ matrix.os }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
@ -22,13 +22,13 @@ jobs:
run: |
pip install shiv
python build_collector.py
- name: Upload cme binary
- name: Upload nxc binary
uses: actions/upload-artifact@master
with:
name: cme-${{ matrix.os }}-${{ matrix.python-version }}
path: bin/cme
- name: Upload cmedb binary
name: nxc-${{ matrix.os }}-${{ matrix.python-version }}
path: bin/nxc
- name: Upload nxcdb binary
uses: actions/upload-artifact@master
with:
name: cmedb-${{ matrix.os }}-${{ matrix.python-version }}
path: bin/cmedb
name: nxcdb-${{ matrix.os }}-${{ matrix.python-version }}
path: bin/nxcdb

4
.gitignore vendored
View File

@ -1,4 +1,4 @@
data/cme.db
data/nxc.db
*.bak
*.log
.venv
@ -36,7 +36,7 @@ var/
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
!crackmapexec.spec
!netexec.spec
# Installer logs
pip-log.txt

View File

@ -4,7 +4,7 @@ ENV LANG=C.UTF-8
ENV LC_ALL=C.UTF-8
ENV PIP_NO_CACHE_DIR=off
WORKDIR /usr/src/crackmapexec
WORKDIR /usr/src/netexec
RUN apt-get update && \
apt-get install -y libffi-dev libxml2-dev libxslt-dev libssl-dev openssl autoconf g++ python3-dev curl git
@ -19,4 +19,4 @@ RUN cargo --help
COPY . .
RUN pip install .
ENTRYPOINT [ "cme" ]
ENTRYPOINT [ "nxc" ]

View File

@ -13,7 +13,7 @@ clean:
find . -name '.pytest_cache' -exec rm -rf {} +
tests:
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude cme/data/*
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude nxc/data/*
requirements:
poetry export --without-hashes -f requirements.txt -o requirements.txt

View File

@ -20,7 +20,6 @@ You are on the **latest up-to-date** repository of the project NetExec (nxc) !
# Acknowledgments
All the hard work and development over the years from everyone in the CrackMapExec project.
# Documentation, Tutorials, Examples
See the project's wiki (in development) for documentation and usage examples

View File

@ -16,8 +16,8 @@ from shiv.builder import create_archive
from shiv.cli import __version__ as VERSION
def build_cme():
print("building CME")
def build_nxc():
print("building nxc")
try:
shutil.rmtree("bin")
shutil.rmtree("build")
@ -28,7 +28,7 @@ def build_cme():
print("remove useless files")
os.mkdir("build")
os.mkdir("bin")
shutil.copytree("cme", "build/cme")
shutil.copytree("nxc", "build/nxc")
except Exception as e:
print(e)
@ -53,7 +53,7 @@ def build_cme():
env = Environment(
built_at=datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"),
entry_point="cme.crackmapexec:main",
entry_point="nxc.netexec:main",
script=None,
compile_pyc=False,
extend_pythonpath=True,
@ -61,7 +61,7 @@ def build_cme():
)
create_archive(
[Path("build").absolute()],
Path("bin/cme"),
Path("bin/nxc"),
"/usr/bin/env -S python -sE",
"_bootstrap:bootstrap",
env,
@ -69,11 +69,11 @@ def build_cme():
)
def build_cmedb():
print("building CMEDB")
def build_nxcdb():
print("building nxcDB")
env = Environment(
built_at=datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"),
entry_point="cme.cmedb:main",
entry_point="nxc.nxcdb:main",
script=None,
compile_pyc=False,
extend_pythonpath=True,
@ -81,7 +81,7 @@ def build_cmedb():
)
create_archive(
[Path("build").absolute()],
Path("bin/cmedb"),
Path("bin/nxcdb"),
"/usr/bin/env -S python -sE",
"_bootstrap:bootstrap",
env,
@ -91,8 +91,8 @@ def build_cmedb():
if __name__ == "__main__":
try:
build_cme()
build_cmedb()
build_nxc()
build_nxcdb()
except:
pass
finally:

View File

@ -1,48 +0,0 @@
# coding=utf-8
import os
from os.path import join as path_join
import configparser
from cme.paths import CME_PATH, DATA_PATH
from cme.first_run import first_run_setup
from cme.logger import cme_logger
from ast import literal_eval
cme_default_config = configparser.ConfigParser()
cme_default_config.read(path_join(DATA_PATH, "cme.conf"))
cme_config = configparser.ConfigParser()
cme_config.read(os.path.join(CME_PATH, "cme.conf"))
if "CME" not in cme_config.sections():
first_run_setup()
cme_config.read(os.path.join(CME_PATH, "cme.conf"))
# Check if there are any missing options in the config file
for section in cme_default_config.sections():
for option in cme_default_config.options(section):
if not cme_config.has_option(section, option):
cme_logger.display(f"Adding missing option '{option}' in config section '{section}' to cme.conf")
cme_config.set(section, option, cme_default_config.get(section, option))
with open(path_join(CME_PATH, "cme.conf"), "w") as config_file:
cme_config.write(config_file)
#!!! THESE OPTIONS HAVE TO EXIST IN THE DEFAULT CONFIG FILE !!!
cme_workspace = cme_config.get("CME", "workspace", fallback="default")
pwned_label = cme_config.get("CME", "pwn3d_label", fallback="Pwn3d!")
audit_mode = cme_config.get("CME", "audit_mode", fallback=False)
reveal_chars_of_pwd = int(cme_config.get("CME", "reveal_chars_of_pwd", fallback=0))
config_log = cme_config.getboolean("CME", "log_mode", fallback=False)
ignore_opsec = cme_config.getboolean("CME", "ignore_opsec", fallback=False)
host_info_colors = literal_eval(cme_config.get("CME", "host_info_colors", fallback=["green", "red", "yellow", "cyan"]))
if len(host_info_colors) != 4:
cme_logger.error("Config option host_info_colors must have 4 values! Using default values.")
host_info_colors = cme_default_config.get("CME", "host_info_colors")
# this should probably be put somewhere else, but if it's in the config helpers, there is a circular import
def process_secret(text):
hidden = text[:reveal_chars_of_pwd]
return text if not audit_mode else hidden+audit_mode * 8

View File

@ -1,3 +0,0 @@
from rich.console import Console
cme_console = Console(soft_wrap=True, tab_size=4)

View File

@ -1,15 +0,0 @@
import os
import sys
import cme
CME_PATH = os.path.expanduser("~/.cme")
TMP_PATH = os.path.join("/tmp", "cme_hosted")
if os.name == "nt":
TMP_PATH = os.getenv("LOCALAPPDATA") + "\\Temp\\cme_hosted"
if hasattr(sys, "getandroidapilevel"):
TMP_PATH = os.path.join("/data", "data", "com.termux", "files", "usr", "tmp", "cme_hosted")
WS_PATH = os.path.join(CME_PATH, "workspaces")
CERT_PATH = os.path.join(CME_PATH, "cme.pem")
CONFIG_PATH = os.path.join(CME_PATH, "cme.conf")
WORKSPACE_DIR = os.path.join(CME_PATH, "workspaces")
DATA_PATH = os.path.join(os.path.dirname(cme.__file__), "data")

View File

@ -12,7 +12,7 @@
poetry2nix.overlay
(final: prev: {
# The application
CrackMapExec = prev.poetry2nix.mkPoetryApplication {
NetExec = prev.poetry2nix.mkPoetryApplication {
projectDir = ./.;
};
})
@ -26,11 +26,11 @@
in
{
apps = {
CrackMapExec = pkgs.CrackMapExec;
NetExec = pkgs.NetExec;
};
defaultApp = pkgs.CrackMapExec;
defaultApp = pkgs.NetExec;
packages = { CrackMapExec = pkgs.CrackMapExec; };
packages = { NetExec = pkgs.NetExec; };
}));
}

View File

@ -3,12 +3,12 @@
block_cipher = None
a = Analysis(['./cme/crackmapexec.py'],
pathex=['./cme'],
a = Analysis(['./nxc/netexec.py'],
pathex=['./nxc'],
binaries=[],
datas=[('./cme/protocols', 'cme/protocols'),('./cme/data', 'cme/data'),('./cme/modules', 'cme/modules')],
hiddenimports=['cme.protocols.mssql.mssqlexec', 'cme.connection', 'impacket.examples.secretsdump', 'impacket.dcerpc.v5.lsat', 'impacket.dcerpc.v5.transport', 'impacket.dcerpc.v5.lsad', 'cme.servers.smb', 'cme.protocols.smb.wmiexec', 'cme.protocols.smb.atexec', 'cme.protocols.smb.smbexec', 'cme.protocols.smb.mmcexec', 'cme.protocols.smb.smbspider', 'cme.protocols.smb.passpol', 'paramiko', 'pypsrp.client', 'pywerview.cli.helpers', 'impacket.tds', 'impacket.version', 'cme.helpers.bash', 'pylnk3', 'lsassy','win32timezone', 'impacket.tds', 'impacket.ldap.ldap', 'impacket.tds'],
hookspath=['./cme/.hooks'],
datas=[('./nxc/protocols', 'nxc/protocols'),('./nxc/data', 'nxc/data'),('./nxc/modules', 'nxc/modules')],
hiddenimports=['nxc.protocols.mssql.mssqlexec', 'nxc.connection', 'impacket.examples.secretsdump', 'impacket.dcerpc.v5.lsat', 'impacket.dcerpc.v5.transport', 'impacket.dcerpc.v5.lsad', 'nxc.servers.smb', 'nxc.protocols.smb.wmiexec', 'nxc.protocols.smb.atexec', 'nxc.protocols.smb.smbexec', 'nxc.protocols.smb.mmcexec', 'nxc.protocols.smb.smbspider', 'nxc.protocols.smb.passpol', 'paramiko', 'pypsrp.client', 'pywerview.cli.helpers', 'impacket.tds', 'impacket.version', 'nxc.helpers.bash', 'pylnk3', 'lsassy','win32timezone', 'impacket.tds', 'impacket.ldap.ldap', 'impacket.tds'],
hookspath=['./nxc/.hooks'],
runtime_hooks=[],
excludes=[],
win_no_prefer_redirects=False,
@ -23,7 +23,7 @@ exe = EXE(pyz,
a.zipfiles,
a.datas,
[],
name='crackmapexec',
name='netexec',
debug=False,
bootloader_ignore_signals=False,
strip=False,
@ -31,4 +31,4 @@ exe = EXE(pyz,
upx_exclude=[],
runtime_tmpdir=None,
console=True,
icon='./cme/data/cme.ico' )
icon='./nxc/data/nxc.ico' )

View File

@ -4,32 +4,32 @@
import argparse
import sys
from argparse import RawTextHelpFormatter
from cme.loaders.protocolloader import ProtocolLoader
from cme.helpers.logger import highlight
from nxc.loaders.protocolloader import ProtocolLoader
from nxc.helpers.logger import highlight
from termcolor import colored
from cme.logger import cme_logger
from nxc.logger import nxc_logger
import importlib.metadata
def gen_cli_args():
VERSION = importlib.metadata.version("crackmapexec")
CODENAME = "John Wick"
VERSION = importlib.metadata.version("netexec")
CODENAME = "A New Beginning"
parser = argparse.ArgumentParser(description=f"""
______ .______ ___ ______ __ ___ .___ ___. ___ .______ _______ ___ ___ _______ ______
/ || _ \ / \ / || |/ / | \/ | / \ | _ \ | ____|\ \ / / | ____| / |
| ,----'| |_) | / ^ \ | ,----'| ' / | \ / | / ^ \ | |_) | | |__ \ V / | |__ | ,----'
| | | / / /_\ \ | | | < | |\/| | / /_\ \ | ___/ | __| > < | __| | |
| `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----.
\______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______|
_ _ _ _____
| \ | | ___ | |_ | ____| __ __ ___ ___
| \| | / _ \ | __| | _| \ \/ / / _ \ / __|
| |\ | | __/ | |_ | |___ > < | __/ | (__
|_| \_| \___| \__| |_____| /_/\_\ \___| \___|
A swiss army knife for pentesting networks
Forged by @byt3bl33d3r and @mpgn_x64 using the powah of dank memes.
Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx
The network execution tool
Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx
{highlight('Version', 'red')} : {highlight(VERSION)}
{highlight('Codename', 'red')}: {highlight(CODENAME)}
""",
For documentation and usage examples, visit: https://www.netexec.wiki/
{highlight('Version', 'red')} : {highlight(VERSION)}
{highlight('Codename', 'red')}: {highlight(CODENAME)}
""",
formatter_class=RawTextHelpFormatter,
)
@ -59,7 +59,7 @@ def gen_cli_args():
)
parser.add_argument("--verbose", action="store_true", help="enable verbose output")
parser.add_argument("--debug", action="store_true", help="enable debug level information")
parser.add_argument("--version", action="store_true", help="Display CME version")
parser.add_argument("--version", action="store_true", help="Display nxc version")
# we do module arg parsing here so we can reference the module_list attribute below
module_parser = argparse.ArgumentParser(add_help=False)
@ -189,7 +189,7 @@ def gen_cli_args():
protocol_object = p_loader.load_protocol(protocols[protocol]["argspath"])
subparsers = protocol_object.proto_args(subparsers, std_parser, module_parser)
except:
cme_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol}")
nxc_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol}")
if len(sys.argv) == 1:
parser.print_help()

48
nxc/config.py Normal file
View File

@ -0,0 +1,48 @@
# coding=utf-8
import os
from os.path import join as path_join
import configparser
from nxc.paths import nxc_PATH, DATA_PATH
from nxc.first_run import first_run_setup
from nxc.logger import nxc_logger
from ast import literal_eval
nxc_default_config = configparser.ConfigParser()
nxc_default_config.read(path_join(DATA_PATH, "nxc.conf"))
nxc_config = configparser.ConfigParser()
nxc_config.read(os.path.join(nxc_PATH, "nxc.conf"))
if "nxc" not in nxc_config.sections():
first_run_setup()
nxc_config.read(os.path.join(nxc_PATH, "nxc.conf"))
# Check if there are any missing options in the config file
for section in nxc_default_config.sections():
for option in nxc_default_config.options(section):
if not nxc_config.has_option(section, option):
nxc_logger.display(f"Adding missing option '{option}' in config section '{section}' to nxc.conf")
nxc_config.set(section, option, nxc_default_config.get(section, option))
with open(path_join(nxc_PATH, "nxc.conf"), "w") as config_file:
nxc_config.write(config_file)
#!!! THESE OPTIONS HAVE TO EXIST IN THE DEFAULT CONFIG FILE !!!
nxc_workspace = nxc_config.get("nxc", "workspace", fallback="default")
pwned_label = nxc_config.get("nxc", "pwn3d_label", fallback="Pwn3d!")
audit_mode = nxc_config.get("nxc", "audit_mode", fallback=False)
reveal_chars_of_pwd = int(nxc_config.get("nxc", "reveal_chars_of_pwd", fallback=0))
config_log = nxc_config.getboolean("nxc", "log_mode", fallback=False)
ignore_opsec = nxc_config.getboolean("nxc", "ignore_opsec", fallback=False)
host_info_colors = literal_eval(nxc_config.get("nxc", "host_info_colors", fallback=["green", "red", "yellow", "cyan"]))
if len(host_info_colors) != 4:
nxc_logger.error("Config option host_info_colors must have 4 values! Using default values.")
host_info_colors = nxc_default_config.get("nxc", "host_info_colors")
# this should probably be put somewhere else, but if it's in the config helpers, there is a circular import
def process_secret(text):
hidden = text[:reveal_chars_of_pwd]
return text if not audit_mode else hidden+audit_mode * 8

View File

@ -11,10 +11,10 @@ from functools import wraps
from time import sleep
from ipaddress import ip_address
from cme.config import pwned_label
from cme.helpers.logger import highlight
from cme.logger import cme_logger, CMEAdapter
from cme.context import Context
from nxc.config import pwned_label
from nxc.helpers.logger import highlight
from nxc.logger import nxc_logger, NXCAdapter
from nxc.context import Context
from impacket.dcerpc.v5 import transport
@ -86,7 +86,7 @@ class connection(object):
self.use_kcache = None if not self.args.use_kcache else self.args.use_kcache
self.failed_logins = 0
self.local_ip = None
self.logger = cme_logger
self.logger = nxc_logger
try:
self.host = gethost_addrinfo(self.hostname)
@ -174,7 +174,7 @@ class connection(object):
def call_modules(self):
for module in self.module:
self.logger.debug(f"Loading module {module.name} - {module}")
module_logger = CMEAdapter(
module_logger = NXCAdapter(
extra={
"module_name": module.name.upper(),
"host": self.host,

3
nxc/console.py Normal file
View File

@ -0,0 +1,3 @@
from rich.console import Console
nxc_console = Console(soft_wrap=True, tab_size=4)

View File

@ -11,11 +11,11 @@ class Context:
setattr(self, key, value)
self.db = db
self.log_folder_path = os.path.join(os.path.expanduser("~/.cme"), "logs")
self.log_folder_path = os.path.join(os.path.expanduser("~/.nxc"), "logs")
self.localip = None
self.conf = configparser.ConfigParser()
self.conf.read(os.path.expanduser("~/.cme/cme.conf"))
self.conf.read(os.path.expanduser("~/.nxc/nxc.conf"))
self.log = logger
# self.log.debug = logging.debug

View File

@ -1,4 +1,4 @@
[CME]
[nxc]
workspace = default
last_used_db = smb
pwn3d_label = Pwn3d!

View File

Before

Width:  |  Height:  |  Size: 159 KiB

After

Width:  |  Height:  |  Size: 159 KiB

View File

@ -5,19 +5,19 @@ from os import mkdir
from os.path import exists
from os.path import join as path_join
import shutil
from cme.paths import CME_PATH, CONFIG_PATH, TMP_PATH, DATA_PATH
from cme.cmedb import initialize_db
from cme.logger import cme_logger
from nxc.paths import nxc_PATH, CONFIG_PATH, TMP_PATH, DATA_PATH
from nxc.nxcdb import initialize_db
from nxc.logger import nxc_logger
def first_run_setup(logger=cme_logger):
def first_run_setup(logger=nxc_logger):
if not exists(TMP_PATH):
mkdir(TMP_PATH)
if not exists(CME_PATH):
if not exists(nxc_PATH):
logger.display("First time use detected")
logger.display("Creating home directory structure")
mkdir(CME_PATH)
mkdir(nxc_PATH)
folders = (
"logs",
@ -28,16 +28,16 @@ def first_run_setup(logger=cme_logger):
"screenshots",
)
for folder in folders:
if not exists(path_join(CME_PATH, folder)):
if not exists(path_join(nxc_PATH, folder)):
logger.display(f"Creating missing folder {folder}")
mkdir(path_join(CME_PATH, folder))
mkdir(path_join(nxc_PATH, folder))
initialize_db(logger)
if not exists(CONFIG_PATH):
logger.display("Copying default configuration file")
default_path = path_join(DATA_PATH, "cme.conf")
shutil.copy(default_path, CME_PATH)
default_path = path_join(DATA_PATH, "nxc.conf")
shutil.copy(default_path, nxc_PATH)
# if not exists(CERT_PATH):
# logger.display('Generating SSL certificate')

View File

@ -1,7 +1,7 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
from cme.paths import DATA_PATH
from nxc.paths import DATA_PATH
def get_script(path):

View File

@ -6,7 +6,7 @@ from termcolor import colored
def write_log(data, log_name):
logs_dir = os.path.join(os.path.expanduser("~/.cme"), "logs")
logs_dir = os.path.join(os.path.expanduser("~/.nxc"), "logs")
with open(os.path.join(logs_dir, log_name), "w") as log_output:
log_output.write(data)

View File

@ -21,7 +21,7 @@ References:
- https://www.powershellgallery.com/packages/SDDLParser/0.5.0/Content/SDDLParserADObjects.ps1
This library is, for the moment, not present in the Impacket version used by CrackMapExec, so I add it manually in helpers.
This library is, for the moment, not present in the Impacket version used by NetExec, so I add it manually in helpers.
"""
SCHEMA_OBJECTS = {

View File

@ -6,9 +6,9 @@ from sys import exit
from string import ascii_lowercase
from random import choice, sample
from subprocess import call
from cme.helpers.misc import which
from cme.logger import cme_logger
from cme.paths import CME_PATH, DATA_PATH
from nxc.helpers.misc import which
from nxc.logger import nxc_logger
from nxc.paths import nxc_PATH, DATA_PATH
from base64 import b64encode
obfuscate_ps_scripts = False
@ -30,24 +30,24 @@ def is_powershell_installed():
def obfs_ps_script(path_to_script):
ps_script = path_to_script.split("/")[-1]
obfs_script_dir = os.path.join(CME_PATH, "obfuscated_scripts")
obfs_script_dir = os.path.join(nxc_PATH, "obfuscated_scripts")
obfs_ps_script = os.path.join(obfs_script_dir, ps_script)
if is_powershell_installed() and obfuscate_ps_scripts:
if os.path.exists(obfs_ps_script):
cme_logger.display("Using cached obfuscated Powershell script")
nxc_logger.display("Using cached obfuscated Powershell script")
with open(obfs_ps_script, "r") as script:
return script.read()
cme_logger.display("Performing one-time script obfuscation, go look at some memes cause this can take a bit...")
nxc_logger.display("Performing one-time script obfuscation, go look at some memes cause this can take a bit...")
invoke_obfs_command = f"powershell -C 'Import-Module {get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1')};Invoke-Obfuscation -ScriptPath {get_ps_script(path_to_script)} -Command \"TOKEN,ALL,1,OUT {obfs_ps_script}\" -Quiet'"
cme_logger.debug(invoke_obfs_command)
nxc_logger.debug(invoke_obfs_command)
with open(os.devnull, "w") as devnull:
return_code = call(invoke_obfs_command, stdout=devnull, stderr=devnull, shell=True)
cme_logger.success("Script obfuscated successfully")
nxc_logger.success("Script obfuscated successfully")
with open(obfs_ps_script, "r") as script:
return script.read()
@ -108,7 +108,7 @@ else
else:
command = amsi_bypass + ps_command
cme_logger.debug("Generated PS command:\n {}\n".format(command))
nxc_logger.debug("Generated PS command:\n {}\n".format(command))
# We could obfuscate the initial launcher using Invoke-Obfuscation but because this function gets executed
# concurrently it would spawn a local powershell process per host which isn't ideal, until I figure out a good way
@ -118,7 +118,7 @@ else
"""
if is_powershell_installed():
temp = tempfile.NamedTemporaryFile(prefix='cme_',
temp = tempfile.NamedTemporaryFile(prefix='nxc_',
suffix='.ps1',
dir='/tmp')
temp.write(command)
@ -130,11 +130,11 @@ else
invoke_obfs_command = 'powershell -C \'Import-Module {};Invoke-Obfuscation -ScriptPath {} -Command "ENCODING,{}" -Quiet\''.format(get_ps_script('invoke-obfuscation/Invoke-Obfuscation.psd1'),
temp.name,
encoding)
cme_logger.debug(invoke_obfs_command)
nxc_logger.debug(invoke_obfs_command)
out = check_output(invoke_obfs_command, shell=True).split('\n')[4].strip()
command = 'powershell.exe -exec bypass -noni -nop -w 1 -C "{}"'.format(out)
cme_logger.debug('Command length: {}'.format(len(command)))
nxc_logger.debug('Command length: {}'.format(len(command)))
if len(command) <= 8192:
temp.close()
@ -152,14 +152,14 @@ else
break
if obfs_attempts == 4:
cme_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
nxc_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
exit(1)
obfs_attempts += 1
else:
command = f"powershell.exe -noni -nop -w 1 -enc {encode_ps_command(command)}"
if len(command) > 8191:
cme_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
nxc_logger.error(f"Command exceeds maximum length of 8191 chars (was {len(command)}). exiting.")
exit(1)
return command
@ -253,7 +253,7 @@ $request.GetResponse()""".format(
command=command,
)
cme_logger.debug(f"Generated PS IEX Launcher:\n {launcher}\n")
nxc_logger.debug(f"Generated PS IEX Launcher:\n {launcher}\n")
return launcher.strip()

View File

@ -1,7 +1,7 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import cme
import nxc
import importlib
import traceback
import sys
@ -10,9 +10,9 @@ from os import listdir
from os.path import dirname
from os.path import join as path_join
from cme.context import Context
from cme.logger import CMEAdapter
from cme.paths import CME_PATH
from nxc.context import Context
from nxc.logger import NXCAdapter
from nxc.paths import nxc_PATH
class ModuleLoader:
@ -60,8 +60,8 @@ class ModuleLoader:
Load a module, initializing it and checking that it has the proper attributes
"""
try:
spec = importlib.util.spec_from_file_location("CMEModule", module_path)
module = spec.loader.load_module().CMEModule()
spec = importlib.util.spec_from_file_location("nxcModule", module_path)
module = spec.loader.load_module().nxcModule()
if self.module_is_sane(module, module_path):
return module
@ -82,9 +82,9 @@ class ModuleLoader:
self.logger.debug(f"Protocol: {self.args.protocol}")
if self.args.protocol in module.supported_protocols:
try:
module_logger = CMEAdapter(extra={"module_name": module.name.upper()})
module_logger = NXCAdapter(extra={"module_name": module.name.upper()})
except Exception as e:
self.logger.fail(f"Error loading CMEAdaptor for module {module.name.upper()}: {e}")
self.logger.fail(f"Error loading nxcAdaptor for module {module.name.upper()}: {e}")
context = Context(self.db, module_logger, self.args)
module_options = {}
@ -103,8 +103,8 @@ class ModuleLoader:
Get the path, description, and options from a module
"""
try:
spec = importlib.util.spec_from_file_location("CMEModule", module_path)
module_spec = spec.loader.load_module().CMEModule
spec = importlib.util.spec_from_file_location("nxcModule", module_path)
module_spec = spec.loader.load_module().nxcModule
module = {
f"{module_spec.name.lower()}": {
@ -129,8 +129,8 @@ class ModuleLoader:
"""
modules = {}
modules_paths = [
path_join(dirname(cme.__file__), "modules"),
path_join(CME_PATH, "modules"),
path_join(dirname(nxc.__file__), "modules"),
path_join(nxc_PATH, "modules"),
]
for path in modules_paths:

View File

@ -5,12 +5,12 @@ from importlib.machinery import SourceFileLoader
from os import listdir
from os.path import join as path_join
from os.path import dirname, exists, expanduser
import cme
import nxc
class ProtocolLoader:
def __init__(self):
self.cme_path = expanduser("~/.cme")
self.nxc_path = expanduser("~/.nxc")
def load_protocol(self, protocol_path):
loader = SourceFileLoader("protocol", protocol_path)
@ -21,8 +21,8 @@ class ProtocolLoader:
def get_protocols(self):
protocols = {}
protocol_paths = [
path_join(dirname(cme.__file__), "protocols"),
path_join(self.cme_path, "protocols"),
path_join(dirname(nxc.__file__), "protocols"),
path_join(self.nxc_path, "protocols"),
]
for path in protocol_paths:

View File

@ -6,28 +6,28 @@ from logging.handlers import RotatingFileHandler
import os.path
import sys
import re
from cme.helpers.misc import called_from_cmd_args
from cme.console import cme_console
from nxc.helpers.misc import called_from_cmd_args
from nxc.console import nxc_console
from termcolor import colored
from datetime import datetime
from rich.text import Text
from rich.logging import RichHandler
class CMEAdapter(logging.LoggerAdapter):
class NXCAdapter(logging.LoggerAdapter):
def __init__(self, extra=None):
logging.basicConfig(
format="%(message)s",
datefmt="[%X]",
handlers=[
RichHandler(
console=cme_console,
console=nxc_console,
rich_tracebacks=True,
tracebacks_show_locals=False,
)
],
)
self.logger = logging.getLogger("cme")
self.logger = logging.getLogger("nxc")
self.extra = extra
self.output_file = None
@ -55,7 +55,7 @@ class CMEAdapter(logging.LoggerAdapter):
kwargs,
)
# If the logger is being called from CMEServer
# If the logger is being called from nxcServer
if len(self.extra) == 2 and ("module_name" in self.extra.keys()) and ("host" in self.extra.keys()):
return (
f"{colored(self.extra['module_name'], 'cyan', attrs=['bold']):<24} {self.extra['host']:<39} {msg}",
@ -75,7 +75,7 @@ class CMEAdapter(logging.LoggerAdapter):
def display(self, msg, *args, **kwargs):
"""
Display text to console, formatted for CME
Display text to console, formatted for nxc
"""
try:
if "protocol" in self.extra.keys() and not called_from_cmd_args():
@ -85,7 +85,7 @@ class CMEAdapter(logging.LoggerAdapter):
msg, kwargs = self.format(f"{colored('[*]', 'blue', attrs=['bold'])} {msg}", kwargs)
text = Text.from_ansi(msg)
cme_console.print(text, *args, **kwargs)
nxc_console.print(text, *args, **kwargs)
self.log_console_to_file(text, *args, **kwargs)
def success(self, msg, color='green', *args, **kwargs):
@ -100,7 +100,7 @@ class CMEAdapter(logging.LoggerAdapter):
msg, kwargs = self.format(f"{colored('[+]', color, attrs=['bold'])} {msg}", kwargs)
text = Text.from_ansi(msg)
cme_console.print(text, *args, **kwargs)
nxc_console.print(text, *args, **kwargs)
self.log_console_to_file(text, *args, **kwargs)
def highlight(self, msg, *args, **kwargs):
@ -115,7 +115,7 @@ class CMEAdapter(logging.LoggerAdapter):
msg, kwargs = self.format(f"{colored(msg, 'yellow', attrs=['bold'])}", kwargs)
text = Text.from_ansi(msg)
cme_console.print(text, *args, **kwargs)
nxc_console.print(text, *args, **kwargs)
self.log_console_to_file(text, *args, **kwargs)
def fail(self, msg, color='red', *args, **kwargs):
@ -129,7 +129,7 @@ class CMEAdapter(logging.LoggerAdapter):
pass
msg, kwargs = self.format(f"{colored('[-]', color, attrs=['bold'])} {msg}", kwargs)
text = Text.from_ansi(msg)
cme_console.print(text, *args, **kwargs)
nxc_console.print(text, *args, **kwargs)
self.log_console_to_file(text, *args, **kwargs)
def log_console_to_file(self, text, *args, **kwargs):
@ -144,7 +144,7 @@ class CMEAdapter(logging.LoggerAdapter):
for handler in self.logger.handlers:
handler.handle(
LogRecord(
"cme",
"nxc",
20,
"",
kwargs,
@ -181,11 +181,11 @@ class CMEAdapter(logging.LoggerAdapter):
@staticmethod
def init_log_file():
newpath = os.path.expanduser("~/.cme") + "/logs/" + datetime.now().strftime('%Y-%m-%d')
newpath = os.path.expanduser("~/.nxc") + "/logs/" + datetime.now().strftime('%Y-%m-%d')
if not os.path.exists(newpath):
os.makedirs(newpath)
log_filename = os.path.join(
os.path.expanduser("~/.cme"),
os.path.expanduser("~/.nxc"),
"logs",
datetime.now().strftime('%Y-%m-%d'),
f"log_{datetime.now().strftime('%Y-%m-%d-%H-%M-%S')}.log",
@ -205,5 +205,5 @@ class TermEscapeCodeFormatter(logging.Formatter):
return super().format(record)
# initialize the logger for all of CME - this is imported everywhere
cme_logger = CMEAdapter()
# initialize the logger for all of nxc - this is imported everywhere
nxc_logger = NXCAdapter()

View File

@ -11,7 +11,7 @@ from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
from impacket.dcerpc.v5.dcomrt import IObjectExporter
class CMEModule:
class nxcModule:
name = "ioxidresolver"
description = "This module helps you to identify hosts that have additional active interfaces"
supported_protocols = ["smb", "wmi"]

View File

@ -2,12 +2,12 @@
# -*- coding: utf-8 -*-
class CMEModule:
class nxcModule:
"""
Module by Shutdown and Podalirius
Initial module:
https://github.com/ShutdownRepo/CrackMapExec-MachineAccountQuota
https://github.com/ShutdownRepo/NetExec-MachineAccountQuota
Authors:
Shutdown: @_nwodtuhs

View File

@ -5,7 +5,7 @@ from impacket.ldap import ldap, ldapasn1
from impacket.ldap.ldap import LDAPSearchError
class CMEModule:
class nxcModule:
"""
Find PKI Enrollment Services in Active Directory and Certificate Templates Names.

View File

@ -5,11 +5,11 @@
import ldap3
from impacket.dcerpc.v5 import samr, epm, transport
class CMEModule:
class nxcModule:
'''
Module by CyberCelt: @Cyb3rC3lt
Initial module:
https://github.com/Cyb3rC3lt/CrackMapExec-Modules
https://github.com/Cyb3rC3lt/NetExec-Modules
Thanks to the guys at impacket for the original code
'''
@ -26,9 +26,9 @@ class CMEModule:
PASSWORD: Specify the PASSWORD option to supply a password for the Computer to be added
DELETE: Specify DELETE to remove a Computer
CHANGEPW: Specify CHANGEPW to modify a Computer password
Usage: cme smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password1"
cme smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" DELETE=True
cme smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password2" CHANGEPW=True
Usage: nxc smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password1"
nxc smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" DELETE=True
nxc smb $DC-IP -u Username -p Password -M add-computer -o NAME="BADPC" PASSWORD="Password2" CHANGEPW=True
'''
self.__baseDN = None
@ -296,9 +296,9 @@ class CMEModule:
['top', 'person', 'organizationalPerson', 'user', 'computer'], ucd)
if result:
context.log.highlight('Successfully added the machine account: "' + self.__computerName + '" with Password: "' + self.__computerPassword + '"')
context.log.highlight(u'{}'.format('You can try to verify this with the CME command:'))
context.log.highlight(u'{}'.format('You can try to verify this with the nxc command:'))
context.log.highlight(u'{}'.format(
'cme ldap ' + connection.host + ' -u ' + connection.username + ' -p ' + connection.password + ' -M group-mem -o GROUP="Domain Computers"'))
'nxc ldap ' + connection.host + ' -u ' + connection.username + ' -p ' + connection.password + ' -M group-mem -o GROUP="Domain Computers"'))
elif result == False and c.last_error == "entryAlreadyExists":
context.log.highlight(u'{}'.format('The Computer account "' + self.__computerName + '" already exists'))
elif not result:

View File

@ -1,6 +1,6 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
class CMEModule:
class nxcModule:
"""
Checks for credentials in IIS Application Pool configuration files using appcmd.exe.

View File

@ -11,7 +11,7 @@ from neo4j import GraphDatabase
from neo4j.exceptions import AuthError, ServiceUnavailable
class CMEModule:
class nxcModule:
name = "bh_owned"
description = "Set pwned computer as owned in Bloodhound"
supported_protocols = ["smb"]

View File

@ -6,7 +6,7 @@ import datetime
from enum import Enum
from impacket.ldap import ldaptypes
from impacket.uuid import bin_to_string
from cme.helpers.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
from nxc.helpers.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
from ldap3.protocol.formatters.formatters import format_sid
from ldap3.utils.conv import escape_filter_chars
from ldap3.protocol.microsoft import security_descriptor_control
@ -187,7 +187,7 @@ class ALLOWED_OBJECT_ACE_MASK_FLAGS(Enum):
Self = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_SELF
class CMEModule:
class nxcModule:
"""
Module to read and backup the Discretionary Access Control List of one or multiple objects.
This module is essentially inspired from the dacledit.py script of Impacket that we have coauthored, @_nwodtuhs and me.

View File

@ -7,10 +7,10 @@ from impacket.dcerpc.v5.ndr import NDRCALL
from impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.uuid import uuidtup_to_bin
from cme.logger import cme_logger
from nxc.logger import nxc_logger
class CMEModule:
class nxcModule:
name = "dfscoerce"
description = "Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam"
supported_protocols = ["smb"]
@ -123,31 +123,31 @@ class TriggerAuth:
rpctransport.setRemoteHost(target)
dce = rpctransport.get_dce_rpc()
cme_logger.debug("[-] Connecting to %s" % r"ncacn_np:%s[\PIPE\netdfs]" % target)
nxc_logger.debug("[-] Connecting to %s" % r"ncacn_np:%s[\PIPE\netdfs]" % target)
try:
dce.connect()
except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s" % str(e))
nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
return
try:
dce.bind(uuidtup_to_bin(("4FC742E0-4A10-11CF-8273-00AA004AE673", "3.0")))
except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s" % str(e))
nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
return
cme_logger.debug("[+] Successfully bound!")
nxc_logger.debug("[+] Successfully bound!")
return dce
def NetrDfsRemoveStdRoot(self, dce, listener):
cme_logger.debug("[-] Sending NetrDfsRemoveStdRoot!")
nxc_logger.debug("[-] Sending NetrDfsRemoveStdRoot!")
try:
request = NetrDfsRemoveStdRoot()
request["ServerName"] = "%s\x00" % listener
request["RootShare"] = "test\x00"
request["ApiFlags"] = 1
if self.args.verbose:
cme_logger.debug(request.dump())
nxc_logger.debug(request.dump())
# logger.debug(request.dump())
resp = dce.request(request)
except Exception as e:
cme_logger.debug(e)
nxc_logger.debug(e)

View File

@ -4,7 +4,7 @@
import ntpath
class CMEModule:
class nxcModule:
"""
Technique discovered by @DTMSecurity and @domchell to remotely coerce an host to start WebClient service.
https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/

View File

@ -11,7 +11,7 @@ from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class CMEModule:
class nxcModule:
"""
Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
Module by @byt3bl33d3r
@ -75,7 +75,7 @@ class CMEModule:
sys.exit(1)
data = {
"name": "cme_ephemeral",
"name": "nxc_ephemeral",
"template": "multi_launcher",
"options": {
"Listener": module_options["LISTENER"],

View File

@ -10,7 +10,7 @@ from impacket.dcerpc.v5 import transport
import pathlib
class CMEModule:
class nxcModule:
"""
Uses LsarLookupNames and NamedPipes to gather information on all endpoint protection solutions installed on the the remote host(s)
Module by @mpgn_x64

View File

@ -2,10 +2,10 @@
# -*- coding: utf-8 -*-
from datetime import datetime
from cme.helpers.logger import write_log
from nxc.helpers.logger import write_log
class CMEModule:
class nxcModule:
"""
Uses WMI to dump DNS from an AD DNS Server.
Module by @fang0654
@ -72,4 +72,4 @@ class CMEModule:
log_name = "DNS-Enum-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(data, log_name)
context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}")
context.log.display(f"Saved raw output to ~/.nxc/logs/{log_name}")

View File

@ -2,7 +2,7 @@
# -*- coding: utf-8 -*-
class CMEModule:
class nxcModule:
"""
Example
Module by @yomama

View File

@ -3,12 +3,12 @@
import socket
import sys
class CMEModule:
class nxcModule:
'''
Module by CyberCelt: @Cyb3rC3lt
Initial module:
https://github.com/Cyb3rC3lt/CrackMapExec-Modules
https://github.com/Cyb3rC3lt/NetExec-Modules
'''
name = 'find-computer'
@ -21,8 +21,8 @@ class CMEModule:
'''
find-computer: Specify find-computer to call the module
TEXT: Specify the TEXT option to enter your text to search for
Usage: cme ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="server"
cme ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="SQL"
Usage: nxc ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="server"
nxc ldap $DC-IP -u Username -p Password -M find-computer -o TEXT="SQL"
'''
self.TEXT = ''

View File

@ -1,9 +1,9 @@
#!/usr/bin/env python3
from dploot.lib.target import Target
from cme.protocols.smb.firefox import FirefoxTriage
from nxc.protocols.smb.firefox import FirefoxTriage
class CMEModule:
class nxcModule:
"""
Firefox by @zblurx
Inspired by firefox looting from DonPAPI

View File

@ -4,10 +4,10 @@
from impacket.ldap import ldapasn1 as ldapasn1_impacket
from impacket.ldap import ldap as ldap_impacket
import re
from cme.logger import cme_logger
from nxc.logger import nxc_logger
class CMEModule:
class nxcModule:
"""
Get description of users
Module by @nodauf
@ -56,7 +56,7 @@ class CMEModule:
resp = e.getAnswers()
pass
else:
cme_logger.debug(e)
nxc_logger.debug(e)
return False
answers = []

View File

@ -2,11 +2,11 @@
# -*- coding: utf-8 -*-
from datetime import datetime
from cme.helpers.logger import write_log
from nxc.helpers.logger import write_log
import json
class CMEModule:
class nxcModule:
"""
Uses WMI to extract network connections, used to find multi-homed hosts.
Module by @fang0654
@ -37,4 +37,4 @@ class CMEModule:
log_name = "network-connections-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(json.dumps(data), log_name)
context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}")
context.log.display(f"Saved raw output to ~/.nxc/logs/{log_name}")

View File

@ -5,7 +5,7 @@ import xml.etree.ElementTree as ET
from io import BytesIO
class CMEModule:
class nxcModule:
"""
Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1
Module by @byt3bl33d3r

View File

@ -8,7 +8,7 @@ from binascii import unhexlify
from io import BytesIO
class CMEModule:
class nxcModule:
"""
Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
Module by @byt3bl33d3r

View File

@ -3,12 +3,12 @@
from impacket.ldap import ldapasn1 as ldapasn1_impacket
class CMEModule:
class nxcModule:
'''
Module by CyberCelt: @Cyb3rC3lt
Initial module:
https://github.com/Cyb3rC3lt/CrackMapExec-Modules
https://github.com/Cyb3rC3lt/NetExec-Modules
'''
name = 'group-mem'
@ -23,8 +23,8 @@ class CMEModule:
'''
group-mem: Specify group-mem to call the module
GROUP: Specify the GROUP option to query for that group's members
Usage: cme ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain admins"
cme ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain controllers"
Usage: nxc ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain admins"
nxc ldap $DC-IP -u Username -p Password -M group-mem -o GROUP="domain controllers"
'''
self.GROUP = ''

View File

@ -5,13 +5,13 @@ from impacket.ldap import ldapasn1 as ldapasn1_impacket
from impacket.ldap import ldap as ldap_impacket
class CMEModule:
class nxcModule:
"""
Created as a contributtion from HackTheBox Academy team for CrackMapExec
Created as a contributtion from HackTheBox Academy team for NetExec
Reference: https://academy.hackthebox.com/module/details/84
Module by @juliourena
Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py
Based on: https://github.com/juliourena/NetExec/blob/master/nxc/modules/get_description.py
"""
name = "groupmembership"

File diff suppressed because one or more lines are too long

View File

@ -32,7 +32,7 @@ def neo4j_conn(context, connection, driver):
context.log.fail("Error querying domain admins")
context.log.debug(e)
else:
context.log.fail("BloodHound not marked enabled. Check cme.conf")
context.log.fail("BloodHound not marked enabled. Check nxc.conf")
exit(1)
@ -134,7 +134,7 @@ def initial_run(connection, cursor):
)
class CMEModule:
class nxcModule:
name = "hash_spider"
description = "Dump lsass recursively from a given hash using BH to find local admins"
supported_protocols = ["smb"]
@ -271,8 +271,8 @@ class CMEModule:
exit()
def on_admin_login(self, context, connection):
db_path = connection.config.get("CME", "workspace")
# DB will be saved at ./CrackMapExec/hash_spider_default.sqlite3 if workspace in cme.conf is "default"
db_path = connection.config.get("nxc", "workspace")
# DB will be saved at ./NetExec/hash_spider_default.sqlite3 if workspace in nxc.conf is "default"
db_name = f"hash_spider_{db_path}.sqlite3"
dbconnection = connect(db_name, check_same_thread=False, isolation_level=None)

File diff suppressed because one or more lines are too long

View File

@ -6,7 +6,7 @@ from impacket.dcerpc.v5 import scmr
from impacket.examples.secretsdump import RemoteOperations
class CMEModule:
class nxcModule:
name = "install_elevated"
description = "Checks for AlwaysInstallElevated"
supported_protocols = ["smb"]

View File

@ -1,7 +1,7 @@
from csv import reader
class CMEModule:
class nxcModule:
"""
Search for KeePass-related files and process

View File

@ -7,10 +7,10 @@ from csv import reader
from base64 import b64encode
from io import BytesIO, StringIO
from xml.etree import ElementTree
from cme.helpers.powershell import get_ps_script
from nxc.helpers.powershell import get_ps_script
class CMEModule:
class nxcModule:
"""
Make use of KeePass' trigger system to export the database in cleartext
References: https://keepass.info/help/v2/triggers.html

View File

@ -3,9 +3,9 @@
import json
from impacket.ldap import ldapasn1 as ldapasn1_impacket
from cme.protocols.ldap.laps import LDAPConnect, LAPSv2Extract
from nxc.protocols.ldap.laps import LDAPConnect, LAPSv2Extract
class CMEModule:
class nxcModule:
"""
Module by technobro refactored by @mpgn (now compatible with LDAP protocol + filter by computer)

View File

@ -13,7 +13,7 @@ from asyauth.common.credentials.kerberos import KerberosCredential
from asysocks.unicomm.common.target import UniTarget, UniProto
class CMEModule:
class nxcModule:
"""
Checks whether LDAP signing and channelbinding are required.

View File

@ -11,10 +11,10 @@ from lsassy.impacketfile import ImpacketFile
from lsassy.parser import Parser
from lsassy.session import Session
from cme.helpers.bloodhound import add_user_bh
from nxc.helpers.bloodhound import add_user_bh
class CMEModule:
class nxcModule:
name = "lsassy"
description = "Dump lsass and parse the result remotely with lsassy"
supported_protocols = ["smb"]

View File

@ -2,10 +2,10 @@
# -*- coding: utf-8 -*-
from masky import Masky
from cme.helpers.bloodhound import add_user_bh
from nxc.helpers.bloodhound import add_user_bh
class CMEModule:
class nxcModule:
name = "masky"
description = "Remotely dump domain user credentials via an ADCS and a KDC"
supported_protocols = ["smb"]

View File

@ -4,7 +4,7 @@
from sys import exit
class CMEModule:
class nxcModule:
"""
Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
Module by @byt3bl33d3r
@ -32,7 +32,7 @@ class CMEModule:
SSL Stager server use https or http (default: https)
multi/handler method that don't require RAND:
Set LHOST and LPORT (called SRVHOST and SRVPORT in CME module options)
Set LHOST and LPORT (called SRVHOST and SRVPORT in nxc module options)
Set payload to one of the following (non-exhaustive list):
windows/x64/powershell_reverse_tcp
windows/x64/powershell_reverse_tcp_ssl

View File

@ -9,7 +9,7 @@ import socket
import struct
class CMEModule:
class nxcModule:
name = "ms17-010"
description = "MS17-010, /!\ not tested oustide home lab"
supported_protocols = ["smb"]

View File

@ -1,12 +1,12 @@
# MSOL module for CME
# MSOL module for nxc
# Author of the module : https://twitter.com/Daahtk
# Based on the article : https://blog.xpnsec.com/azuread-connect-for-redteam/
from sys import exit
from os import path
from cme.helpers.powershell import get_ps_script
from nxc.helpers.powershell import get_ps_script
class CMEModule:
class nxcModule:
name = "msol"
description = "Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server"
supported_protocols = ["smb"]

View File

@ -4,7 +4,7 @@
# Romain de Reydellet (@pentest_soka)
from cme.helpers.logger import highlight
from nxc.helpers.logger import highlight
class User:
@ -21,7 +21,7 @@ class User:
return f"User({self.username})"
class CMEModule:
class nxcModule:
"""
Enumerate MSSQL privileges and exploit them
"""
@ -92,7 +92,7 @@ class CMEModule:
elif target_user.dbowner:
self.do_dbowner_privesc(target_user.dbowner, exec_as)
if self.is_admin_user(self.current_username):
self.context.log.success(f"{self.current_username} is now a sysadmin! " + highlight("({})".format(self.context.conf.get("CME", "pwn3d_label"))))
self.context.log.success(f"{self.current_username} is now a sysadmin! " + highlight("({})".format(self.context.conf.get("nxc", "pwn3d_label"))))
def build_exec_as_from_path(self, target_user):
path = [target_user.username]

View File

@ -1,6 +1,6 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# nanodump module for CME python3
# nanodump module for nxc python3
# author of the module : github.com/mpgn
# nanodump: https://github.com/helpsystems/nanodump
@ -9,11 +9,11 @@ import sys
import os
from datetime import datetime
from pypykatz.pypykatz import pypykatz
from cme.helpers.bloodhound import add_user_bh
from cme.protocols.mssql.mssqlexec import MSSQLEXEC
from nxc.helpers.bloodhound import add_user_bh
from nxc.protocols.mssql.mssqlexec import MSSQLEXEC
class CMEModule:
class nxcModule:
name = "nanodump"
description = "Get lsass dump using nanodump and parse the result with pypykatz"
supported_protocols = ["smb", "mssql"]
@ -36,7 +36,7 @@ class CMEModule:
def options(self, context, module_options):
"""
TMP_DIR Path where process dump should be saved on target system (default: C:\\Windows\\Temp\\)
NANO_PATH Path where nano.exe is on your system (default: /tmp/cme/)
NANO_PATH Path where nano.exe is on your system (default: /tmp/nxc/)
NANO_EXE_NAME Name of the nano executable (default: nano.exe)
DIR_RESULT Location where the dmp are stored (default: DIR_RESULT = NANO_PATH)
"""
@ -60,13 +60,13 @@ class CMEModule:
else:
if sys.platform == "win32":
appdata_path = os.getenv("APPDATA")
if not os.path.exists(appdata_path + "\CME"):
os.mkdir(appdata_path + "\CME")
self.nano_path = appdata_path + "\CME\\"
if not os.path.exists(appdata_path + "\nxc"):
os.mkdir(appdata_path + "\nxc")
self.nano_path = appdata_path + "\nxc\\"
else:
if not os.path.exists("/tmp/cme/"):
os.mkdir("/tmp/cme/")
self.nano_path = "/tmp/cme/"
if not os.path.exists("/tmp/nxc/"):
os.mkdir("/tmp/nxc/")
self.nano_path = "/tmp/nxc/"
self.dir_result = self.nano_path

View File

@ -10,7 +10,7 @@ from impacket.krb5 import constants
from impacket.krb5.types import Principal
class CMEModule:
class nxcModule:
name = "nopac"
description = "Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user"
supported_protocols = ["smb"]

View File

@ -5,11 +5,11 @@ import time
from impacket.examples.secretsdump import LocalOperations, NTDSHashes
from cme.helpers.logger import highlight
from cme.helpers.misc import validate_ntlm
from nxc.helpers.logger import highlight
from nxc.helpers.misc import validate_ntlm
class CMEModule:
class nxcModule:
"""
Dump NTDS with ntdsutil
Module by @zblurx

View File

@ -6,7 +6,7 @@ from impacket.examples.secretsdump import RemoteOperations
from impacket.dcerpc.v5.rrp import DCERPCSessionError
class CMEModule:
class nxcModule:
"""
Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication
Module by @Tw1sm

View File

@ -19,7 +19,7 @@ from impacket.dcerpc.v5.rpcrt import (
from impacket.uuid import uuidtup_to_bin
class CMEModule:
class nxcModule:
name = "petitpotam"
description = "Module to check if the DC is vulnerable to PetitPotam, credit to @topotam"
supported_protocols = ["smb"]

File diff suppressed because one or more lines are too long

View File

@ -16,7 +16,7 @@ KNOWN_PROTOCOLS = {
}
class CMEModule:
class nxcModule:
"""
Check if vulnerable to printnightmare
Module by @mpgn_x64 based on https://github.com/ly4k/PrintNightmare

File diff suppressed because one or more lines are too long

View File

@ -7,11 +7,11 @@ from math import fabs
import re
class CMEModule:
class nxcModule:
'''
Created by fplazar and wanetty
Module by @gm_eduard and @ferranplaza
Based on: https://github.com/juliourena/CrackMapExec/blob/master/cme/modules/get_description.py
Based on: https://github.com/juliourena/NetExec/blob/master/nxc/modules/get_description.py
'''
name = 'pso'

View File

@ -7,10 +7,10 @@ from dploot.triage.backupkey import BackupkeyTriage
from dploot.lib.target import Target
from dploot.lib.smb import DPLootSMBConnection
from cme.helpers.logger import highlight
from nxc.helpers.logger import highlight
class CMEModule:
class nxcModule:
name = "rdcman"
description = "Remotely dump Remote Desktop Connection Manager (sysinternals) credentials"
supported_protocols = ["smb"]

View File

@ -3,7 +3,7 @@
from sys import exit
from cme.connection import dcom_FirewallChecker
from nxc.connection import dcom_FirewallChecker
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
@ -13,7 +13,7 @@ from impacket.dcerpc.v5.dtypes import NULL
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
class CMEModule:
class nxcModule:
name = "rdp"
description = "Enables/Disables RDP"
supported_protocols = ["smb" ,"wmi"]
@ -31,9 +31,9 @@ class CMEModule:
METHOD wmi(ncacn_ip_tcp)/smb(ncacn_np) (choices: wmi, smb, default is wmi)
OLD For old version system (under NT6, like: server 2003)
DCOM-TIMEOUT Set the Dcom connection timeout for WMI method (Default is 10 seconds)
cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=smb ACTION={enable, disable, enable-ram, disable-ram}
cme smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=wmi ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
nxc smb 192.168.1.1 -u {user} -p {password} -M rdp -o ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
nxc smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=smb ACTION={enable, disable, enable-ram, disable-ram}
nxc smb 192.168.1.1 -u {user} -p {password} -M rdp -o METHOD=wmi ACTION={enable, disable, enable-ram, disable-ram} {OLD=true} {DCOM-TIMEOUT=5}
"""
if not "ACTION" in module_options:
context.log.fail("ACTION option not specified!")

View File

@ -6,7 +6,7 @@ from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
class CMEModule:
class nxcModule:
name = "reg-query"
description = "Performs a registry query on the machine"
supported_protocols = ["smb"]

View File

@ -2,7 +2,7 @@
# -*- coding: utf-8 -*-
class CMEModule:
class nxcModule:
name = "runasppl"
description = "Check if the registry value RunAsPPL is set or not"
supported_protocols = ["smb"]

View File

@ -80,7 +80,7 @@ def searchResEntry_to_dict(results):
return data
class CMEModule:
class nxcModule:
name = "get-network"
description = ""
supported_protocols = ["ldap"]
@ -183,7 +183,7 @@ class CMEModule:
)
context.log.highlight("Found %d records" % len(outdata))
path = expanduser("~/.cme/logs/{}_network_{}.log".format(connection.domain, datetime.now().strftime("%Y-%m-%d_%H%M%S")))
path = expanduser("~/.nxc/logs/{}_network_{}.log".format(connection.domain, datetime.now().strftime("%Y-%m-%d_%H%M%S")))
with codecs.open(path, "w", "utf-8") as outfile:
for row in outdata:
if self.showhosts:

View File

@ -5,7 +5,7 @@ import ntpath
from sys import exit
class CMEModule:
class nxcModule:
"""
Original idea and PoC by Mubix "Rob" Fuller
URL: https://room362.com/post/2016/smb-http-auth-capture-via-scf/

View File

@ -14,10 +14,10 @@ from impacket.dcerpc.v5.rpcrt import (
RPC_C_AUTHN_GSS_NEGOTIATE,
)
from impacket.smbconnection import SessionError
from cme.logger import cme_logger
from nxc.logger import nxc_logger
class CMEModule:
class nxcModule:
name = "shadowcoerce"
description = "Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam"
supported_protocols = ["smb"]
@ -229,7 +229,7 @@ class CoerceAuth:
rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
cme_logger.info("Connecting to %s" % binding_params[pipe]["stringBinding"])
nxc_logger.info("Connecting to %s" % binding_params[pipe]["stringBinding"])
try:
dce.connect()
@ -239,20 +239,20 @@ class CoerceAuth:
dce.disconnect()
return 1
cme_logger.debug("Something went wrong, check error status => %s" % str(e))
nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
cme_logger.info("Connected!")
cme_logger.info("Binding to %s" % binding_params[pipe]["UUID"][0])
nxc_logger.info("Connected!")
nxc_logger.info("Binding to %s" % binding_params[pipe]["UUID"][0])
try:
dce.bind(uuidtup_to_bin(binding_params[pipe]["UUID"]))
except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s" % str(e))
nxc_logger.debug("Something went wrong, check error status => %s" % str(e))
cme_logger.info("Successfully bound!")
nxc_logger.info("Successfully bound!")
return dce
def IsPathShadowCopied(self, dce, listener):
cme_logger.debug("Sending IsPathShadowCopied!")
nxc_logger.debug("Sending IsPathShadowCopied!")
try:
request = IsPathShadowCopied()
# only NETLOGON and SYSVOL were detected working here
@ -261,14 +261,14 @@ class CoerceAuth:
# request.dump()
dce.request(request)
except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s", str(e))
cme_logger.debug("Attack may of may not have worked, check your listener...")
nxc_logger.debug("Something went wrong, check error status => %s", str(e))
nxc_logger.debug("Attack may of may not have worked, check your listener...")
return False
return True
def IsPathSupported(self, dce, listener):
cme_logger.debug("Sending IsPathSupported!")
nxc_logger.debug("Sending IsPathSupported!")
try:
request = IsPathSupported()
# only NETLOGON and SYSVOL were detected working here
@ -276,8 +276,8 @@ class CoerceAuth:
request["ShareName"] = "\\\\%s\\NETLOGON\x00" % listener
dce.request(request)
except Exception as e:
cme_logger.debug("Something went wrong, check error status => %s", str(e))
cme_logger.debug("Attack may of may not have worked, check your listener...")
nxc_logger.debug("Something went wrong, check error status => %s", str(e))
nxc_logger.debug("Attack may of may not have worked, check your listener...")
return False
return True

View File

@ -6,7 +6,7 @@ import ntpath
from sys import exit
class CMEModule:
class nxcModule:
"""
Original idea and PoC by Justin Angel (@4rch4ngel86)
Module by @byt3bl33d3r

View File

@ -6,7 +6,7 @@ import errno
import os
import time
import traceback
from cme.protocols.smb.remotefile import RemoteFile
from nxc.protocols.smb.remotefile import RemoteFile
from impacket.smb3structs import FILE_READ_DATA
from impacket.smbconnection import SessionError
@ -497,7 +497,7 @@ class SMBSpiderPlus:
self.logger.success("All files processed successfully.")
class CMEModule:
class nxcModule:
"""
Spider plus module
Module by @vincd
@ -517,7 +517,7 @@ class CMEModule:
EXCLUDE_EXTS Case-insensitive extension filter to exclude (Default: ico,lnk)
EXCLUDE_FILTER Case-insensitive filter to exclude folders/files (Default: print$,ipc$)
MAX_FILE_SIZE Max file size to download (Default: 51200)
OUTPUT_FOLDER Path of the local folder to save files (Default: /tmp/cme_spider_plus)
OUTPUT_FOLDER Path of the local folder to save files (Default: /tmp/nxc_spider_plus)
"""
self.download_flag = False
if any("DOWNLOAD" in key for key in module_options.keys()):
@ -530,7 +530,7 @@ class CMEModule:
self.exclude_filter = get_list_from_option(module_options.get("EXCLUDE_FILTER", "print$,ipc$"))
self.exclude_filter = [d.lower() for d in self.exclude_filter] # force case-insensitive
self.max_file_size = int(module_options.get("MAX_FILE_SIZE", 50 * 1024))
self.output_folder = module_options.get("OUTPUT_FOLDER", os.path.join("/tmp", "cme_spider_plus"))
self.output_folder = module_options.get("OUTPUT_FOLDER", os.path.join("/tmp", "nxc_spider_plus"))
def on_login(self, context, connection):

View File

@ -17,7 +17,7 @@ KNOWN_PROTOCOLS = {
}
class CMEModule:
class nxcModule:
"""
For printnightmare: detect if print spooler is enabled or not. Then use @cube0x0's project https://github.com/cube0x0/CVE-2021-1675 or Mimikatz from Benjamin Delpy
Module by @mpgn_x64

View File

@ -13,7 +13,7 @@ def searchResEntry_to_dict(results):
return data
class CMEModule:
class nxcModule:
"""
Retrieves the different Sites and Subnets of an Active Directory

Some files were not shown because too many files have changed in this diff Show More