Merge pull request #218 from Pennyw0rth/neff-enum_av

Fixing antivirus enumeration
main
Alex 2024-03-24 03:03:28 +01:00 committed by GitHub
commit a6935b4d8d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 17 additions and 12 deletions


@ -35,7 +35,7 @@ class NXCModule:
results = self._detect_installed_services(context, connection, target) results = self._detect_installed_services(context, connection, target)
self.detect_running_processes(context, connection, results) self.detect_running_processes(context, connection, results)
self.dump_results(results, connection.hostname, context) self.dump_results(results, context)
def _get_target(self, connection): def _get_target(self, connection):
return connection.host if not connection.kerberos else f"{connection.hostname}.{connection.domain}" return connection.host if not connection.kerberos else f"{connection.hostname}.{connection.domain}"
@ -58,18 +58,16 @@ class NXCModule:
dce, _ = lsa.connect() dce, _ = lsa.connect()
policyHandle = lsa.open_policy(dce) policyHandle = lsa.open_policy(dce)
try:
for product in conf["products"]: for product in conf["products"]:
for service in product["services"]: for service in product["services"]:
try:
lsa.LsarLookupNames(dce, policyHandle, service["name"]) lsa.LsarLookupNames(dce, policyHandle, service["name"])
context.log.info(f"Detected installed service on {connection.host}: {product['name']} {service['description']}") context.log.info(f"Detected installed service on {connection.host}: {product['name']} {service['description']}")
results.setdefault(product["name"], {"services": []})["services"].append(service) results.setdefault(product["name"], {"services": []})["services"].append(service)
except Exception: except Exception:
pass pass
except Exception as e: except Exception as e:
context.log.fail(str(e)) context.log.fail(str(e))
return results return results
def detect_running_processes(self, context, connection, results): def detect_running_processes(self, context, connection, results):
@ -80,13 +78,16 @@ class NXCModule:
for product in conf["products"]: for product in conf["products"]:
for pipe in product["pipes"]: for pipe in product["pipes"]:
if pathlib.PurePath(fl).match(pipe["name"]): if pathlib.PurePath(fl).match(pipe["name"]):
context.log.debug(f"{product['name']} running claim found on {connection.host} by existing pipe {fl} (likely processes: {pipe['processes']})") context.log.info(f"{product['name']} running claim found on {connection.host} by existing pipe {fl} (likely processes: {pipe['processes']})")
prod_results = results.setdefault(product["name"], {}) prod_results = results.setdefault(product["name"], {})
prod_results.setdefault("pipes", []).append(pipe) prod_results.setdefault("pipes", []).append(pipe)
except Exception as e: except Exception as e:
context.log.debug(str(e)) if "STATUS_ACCESS_DENIED" in str(e):
context.log.fail("Error STATUS_ACCESS_DENIED while enumerating pipes, probably due to using SMBv1")
else:
context.log.fail(str(e))
def dump_results(self, results, remoteName, context): def dump_results(self, results, context):
if not results: if not results:
context.log.highlight("Found NOTHING!") context.log.highlight("Found NOTHING!")
return return
@ -261,7 +262,10 @@ conf = {
{"name": "epfw", "description": "ESET"}, {"name": "epfw", "description": "ESET"},
{"name": "epfwlwf", "description": "ESET"}, {"name": "epfwlwf", "description": "ESET"},
{"name": "epfwwfp", "description": "ESET"}, {"name": "epfwwfp", "description": "ESET"},
{"name": "EraAgentSvc", "description": "ESET"}, {"name": "EraAgentSvc", "description": "ESET Management Agent service"},
{"name": "ERAAgent", "description": "ESET Management Agent service"},
{"name": "efwd", "description": "ESET Communication Forwarding Service"},
{"name": "ehttpsrv", "description": "ESET HTTP Server"},
], ],
"pipes": [{"name": "nod_scriptmon_pipe", "processes": [""]}], "pipes": [{"name": "nod_scriptmon_pipe", "processes": [""]}],
}, },
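Review bot: The new handler in the pipe-enumeration `except` block decides by substring, `"STATUS_ACCESS_DENIED" in str(e)`, and then reports the cause as probably SMBv1 without checking the dialect the connection negotiated, so an access-denied caused by insufficient rights would be logged with the wrong explanation. If the exception raised here is impacket's `SessionError` (not visible in this hunk), comparing `e.getErrorCode()` with `nt_errors.STATUS_ACCESS_DENIED` would be sturdier than matching the message text, and the message could name both possible causes. The `try` this handler belongs to opens above the hunk, so whether one failure aborts the whole pipe scan cannot be checked from here. Separately, the service lookup in the earlier hunk still has `except Exception: pass`, which makes a failed lookup indistinguishable from an absent service; a `context.log.debug(...)` call there would keep a misleading "Found NOTHING!" result traceable.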


@ -79,6 +79,7 @@ def main():
else: else:
nxc_logger.logger.setLevel(logging.ERROR) nxc_logger.logger.setLevel(logging.ERROR)
root_logger.setLevel(logging.ERROR) root_logger.setLevel(logging.ERROR)
logging.getLogger("neo4j").setLevel(logging.ERROR)
# if these are the same, it might double log to file (two FileHandlers will be added) # if these are the same, it might double log to file (two FileHandlers will be added)
# but this should never happen by accident # but this should never happen by accident