Merge pull request #152 from Pennyw0rth/neff-ldap-domain

Alex 2024-03-25 12:37:04 +01:00 committed by GitHub
commit bfe7e46800
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 41 additions and 48 deletions


@ -254,9 +254,7 @@ class ldap(connection):
self.hostname = self.target self.hostname = self.target
self.domain = self.targetDomain self.domain = self.targetDomain
# smb no open, specify the domain # smb no open, specify the domain
if self.args.no_smb: if not self.args.no_smb:
self.domain = self.args.domain
else:
self.local_ip = self.conn.getSMBServer().get_socket().getsockname()[0] self.local_ip = self.conn.getSMBServer().get_socket().getsockname()[0]
try: try:
@ -267,8 +265,8 @@ class ldap(connection):
if "STATUS_NOT_SUPPORTED" in str(e): if "STATUS_NOT_SUPPORTED" in str(e):
self.no_ntlm = True self.no_ntlm = True
if not self.no_ntlm: if not self.no_ntlm:
self.domain = self.conn.getServerDNSDomainName()
self.hostname = self.conn.getServerName() self.hostname = self.conn.getServerName()
self.targetDomain = self.domain = self.conn.getServerDNSDomainName()
self.server_os = self.conn.getServerOS() self.server_os = self.conn.getServerOS()
self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection["RequireSigning"] self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection["RequireSigning"]
self.os_arch = self.get_os_arch() self.os_arch = self.get_os_arch()
@ -276,18 +274,16 @@ class ldap(connection):
if not self.domain: if not self.domain:
self.domain = self.hostname self.domain = self.hostname
if self.args.domain:
self.domain = self.args.domain
if self.args.local_auth:
self.domain = self.hostname
try: # noqa: SIM105 try: # noqa: SIM105
# DC's seem to want us to logoff first, windows workstations sometimes reset the connection # DC's seem to want us to logoff first, windows workstations sometimes reset the connection
self.conn.logoff() self.conn.logoff()
except Exception: except Exception:
pass pass
if self.args.domain:
self.domain = self.args.domain
if self.args.local_auth:
self.domain = self.hostname
# Re-connect since we logged off # Re-connect since we logged off
self.create_conn_obj() self.create_conn_obj()
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}".replace(":", "-")) self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}".replace(":", "-"))
@ -303,7 +299,7 @@ class ldap(connection):
self.logger.extra["port"] = "445" if not self.no_ntlm else "389" self.logger.extra["port"] = "445" if not self.no_ntlm else "389"
signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"]) signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"])
smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"]) smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"])
self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.domain}) ({signing}) ({smbv1})") self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.targetDomain}) ({signing}) ({smbv1})")
self.logger.extra["protocol"] = "LDAP" self.logger.extra["protocol"] = "LDAP"
return True return True
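Review bot: The empty-domain fallback `if not self.domain: self.domain = self.hostname` (context just before the moved `-d`/`--local-auth` block) updates only `self.domain`, while the display line in print_host_info now reads `self.targetDomain`; a server that reports an empty DNS domain, or the `--no-smb` path where `self.targetDomain` is never refreshed from the server, can therefore print `(domain:)` with nothing after it. The smb hunk of this same PR guards that case by falling `targetDomain` back to the hostname, so mirroring it here keeps the two protocols consistent: `self.targetDomain = self.domain = self.hostname`. Note also that with the `make_required` coupling dropped from the parser, `--no-smb` without `-d` now quietly binds with `self.targetDomain` (or, if that is empty, the target name) as the domain — a debug log of the domain actually chosen would make that failure mode easier to diagnose. enum_host_info begins and ends outside this hunk.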


@ -1,16 +1,12 @@
from argparse import _StoreTrueAction
def proto_args(parser, std_parser, module_parser): def proto_args(parser, std_parser, module_parser):
ldap_parser = parser.add_parser("ldap", help="own stuff using LDAP", parents=[std_parser, module_parser]) ldap_parser = parser.add_parser("ldap", help="own stuff using LDAP", parents=[std_parser, module_parser])
ldap_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes") ldap_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
ldap_parser.add_argument("--port", type=int, choices={389, 636}, default=389, help="LDAP port (default: 389)") ldap_parser.add_argument("--port", type=int, choices={389, 636}, default=389, help="LDAP port (default: 389)")
no_smb_arg = ldap_parser.add_argument("--no-smb", action=get_conditional_action(_StoreTrueAction), make_required=[], help="No smb connection") ldap_parser.add_argument("--no-smb", action="store_true", help="No smb connection")
dgroup = ldap_parser.add_mutually_exclusive_group() dgroup = ldap_parser.add_mutually_exclusive_group()
domain_arg = dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, default=None, help="domain to authenticate to") dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, default=None, help="domain to authenticate to")
dgroup.add_argument("--local-auth", action="store_true", help="authenticate locally to each target") dgroup.add_argument("--local-auth", action="store_true", help="authenticate locally to each target")
no_smb_arg.make_required = [domain_arg]
egroup = ldap_parser.add_argument_group("Retrevie hash on the remote DC", "Options to get hashes from Kerberos") egroup = ldap_parser.add_argument_group("Retrevie hash on the remote DC", "Options to get hashes from Kerberos")
egroup.add_argument("--asreproast", help="Output AS_REP response to crack with hashcat to file") egroup.add_argument("--asreproast", help="Output AS_REP response to crack with hashcat to file")
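Review bot: `--no-smb` no longer forces `-d`, but its help string still reads only `No smb connection`, so the user gets no hint that the domain is then taken from `-d` or, judging by the ldap hunk, falls back to the target name; suggest `help="No smb connection (domain is taken from -d, otherwise the target name is used)"`. `get_conditional_action` is no longer referenced in this function — if it is imported at the top of the file (outside this hunk) that import is now unused and worth removing alongside the dropped `_StoreTrueAction` line.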


@ -31,7 +31,8 @@ from impacket.tds import (
class mssql(connection): class mssql(connection):
def __init__(self, args, db, host): def __init__(self, args, db, host):
self.mssql_instances = [] self.mssql_instances = []
self.domain = None self.domain = ""
self.targetDomain = ""
self.server_os = None self.server_os = None
self.hash = None self.hash = None
self.os_arch = None self.os_arch = None
@ -122,23 +123,19 @@ class mssql(connection):
return False return False
else: else:
ntlm_info = parse_challenge(challenge) ntlm_info = parse_challenge(challenge)
self.domain = ntlm_info["domain"] self.targetDomain = self.domain = ntlm_info["domain"]
self.hostname = ntlm_info["hostname"] self.hostname = ntlm_info["hostname"]
self.server_os = ntlm_info["os_version"] self.server_os = ntlm_info["os_version"]
self.logger.extra["hostname"] = self.hostname self.logger.extra["hostname"] = self.hostname
self.db.add_host(self.host, self.hostname, self.domain, self.server_os, len(self.mssql_instances),) self.db.add_host(self.host, self.hostname, self.targetDomain, self.server_os, len(self.mssql_instances),)
if self.args.domain: if self.args.domain:
self.domain = self.args.domain self.domain = self.args.domain
if self.args.local_auth: if self.args.local_auth:
self.domain = self.hostname self.domain = self.hostname
if self.domain is None:
self.domain = ""
def print_host_info(self): def print_host_info(self):
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})") self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.targetDomain})")
return True return True
@reconnect_mssql @reconnect_mssql
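Review bot: `self.targetDomain = self.domain = ntlm_info["domain"]` drops the old `if self.domain is None: self.domain = ""` guard on the assumption that parse_challenge always yields a string; if it can return None or an empty domain, both attributes now carry that value into db.add_host and print_host_info shows `(domain:None)`, whereas the smb hunk of this PR falls back to the hostname in that case. Adding, after the `self.hostname = ntlm_info["hostname"]` line, `if not self.targetDomain: self.targetDomain = self.domain = self.hostname` keeps the protocols aligned. The same pattern appears in the winrm and wmi hunks of this PR. Both enclosing functions continue outside the hunk.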


@ -211,8 +211,23 @@ class smb(connection):
# no ntlm supported # no ntlm supported
self.no_ntlm = True self.no_ntlm = True
self.domain = self.conn.getServerDNSDomainName() if not self.no_ntlm else self.args.domain # self.domain is the attribute we authenticate with
self.hostname = self.conn.getServerName() if not self.no_ntlm else self.host # self.targetDomain is the attribute which gets displayed as host domain
if not self.no_ntlm:
self.hostname = self.conn.getServerName()
self.targetDomain = self.conn.getServerDNSDomainName()
if not self.targetDomain: # Not sure if that can even happen but now we are safe
self.targetDomain = self.hostname
else:
self.hostname = self.host
self.targetDomain = self.hostname
self.domain = self.targetDomain if not self.args.domain else self.args.domain
if self.args.local_auth:
self.domain = self.hostname
self.targetDomain = self.hostname
self.server_os = self.conn.getServerOS() self.server_os = self.conn.getServerOS()
self.logger.extra["hostname"] = self.hostname self.logger.extra["hostname"] = self.hostname
@ -227,9 +242,6 @@ class smb(connection):
self.os_arch = self.get_os_arch() self.os_arch = self.get_os_arch()
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-")) self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
if not self.domain:
self.domain = self.hostname
self.db.add_host( self.db.add_host(
self.host, self.host,
self.hostname, self.hostname,
@ -245,15 +257,11 @@ class smb(connection):
except Exception as e: except Exception as e:
self.logger.debug(f"Error logging off system: {e}") self.logger.debug(f"Error logging off system: {e}")
if self.args.domain:
self.domain = self.args.domain
if self.args.local_auth:
self.domain = self.hostname
def print_host_info(self): def print_host_info(self):
signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"]) signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"])
smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"]) smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"])
self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.domain}) ({signing}) ({smbv1})") self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.targetDomain}) ({signing}) ({smbv1})")
return True return True
def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False): def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
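Review bot: Under `--local-auth` this hunk also overwrites `self.targetDomain` (`self.domain = self.hostname` / `self.targetDomain = self.hostname`), whereas the ldap, mssql and winrm hunks in this PR leave `targetDomain` untouched and change only `self.domain`, so the domain stored and displayed for the same host differs by protocol. Given the comment above defines `targetDomain` as the server-reported domain used for display, dropping the `self.targetDomain = self.hostname` line under local_auth would match the other protocols. As a point of style, `self.domain = self.targetDomain if not self.args.domain else self.args.domain` reads more directly as `self.domain = self.args.domain or self.targetDomain`, and `# Not sure if that can even happen but now we are safe` would be clearer as `# getServerDNSDomainName() may return an empty string; fall back to the hostname`. enum_host_info begins before and ends after this hunk.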


@ -25,7 +25,8 @@ urllib3.disable_warnings()
class winrm(connection): class winrm(connection):
def __init__(self, args, db, host): def __init__(self, args, db, host):
self.domain = None self.domain = ""
self.targedDomain = ""
self.server_os = None self.server_os = None
self.output_filename = None self.output_filename = None
self.endpoint = None self.endpoint = None
@ -52,30 +53,24 @@ class winrm(connection):
def enum_host_info(self): def enum_host_info(self):
ntlm_info = parse_challenge(base64.b64decode(self.challenge_header.split(" ")[1].replace(",", ""))) ntlm_info = parse_challenge(base64.b64decode(self.challenge_header.split(" ")[1].replace(",", "")))
self.domain = ntlm_info["domain"] self.targetDomain = self.domain = ntlm_info["domain"]
self.hostname = ntlm_info["hostname"] self.hostname = ntlm_info["hostname"]
self.server_os = ntlm_info["os_version"] self.server_os = ntlm_info["os_version"]
self.logger.extra["hostname"] = self.hostname self.logger.extra["hostname"] = self.hostname
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}") self.db.add_host(self.host, self.port, self.hostname, self.targetDomain, self.server_os)
self.db.add_host(self.host, self.port, self.hostname, self.domain, self.server_os)
if self.args.domain: if self.args.domain:
self.domain = self.args.domain self.domain = self.args.domain
if self.args.local_auth: if self.args.local_auth:
self.domain = self.hostname self.domain = self.hostname
if self.domain is None:
self.domain = ""
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-")) self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
def print_host_info(self): def print_host_info(self):
self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM" self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
self.logger.extra["port"] = self.port self.logger.extra["port"] = self.port
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})") self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.targetDomain})")
return True return True
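Review bot: `self.targedDomain = ""` in `__init__` is misspelled — every other line in this PR reads `targetDomain`, so the initializer creates an unused `targedDomain` attribute and `self.targetDomain` only exists once enum_host_info has run; any path that reaches print_host_info before that raises AttributeError. Change it to `self.targetDomain = ""`. `__init__` continues outside the hunk.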


@ -24,7 +24,8 @@ MSRPC_UUID_PORTMAP = uuidtup_to_bin(("E1AF8308-5D1F-11C9-91A4-08002B14A0FA", "3.
class wmi(connection): class wmi(connection):
def __init__(self, args, db, host): def __init__(self, args, db, host):
self.domain = None self.domain = ""
self.targetDomain = ""
self.hash = "" self.hash = ""
self.lmhash = "" self.lmhash = ""
self.nthash = "" self.nthash = ""
@ -122,7 +123,7 @@ class wmi(connection):
response = MSRPCHeader(buffer) response = MSRPCHeader(buffer)
bindResp = MSRPCBindAck(response.getData()) bindResp = MSRPCBindAck(response.getData())
ntlm_info = parse_challenge(bindResp["auth_data"]) ntlm_info = parse_challenge(bindResp["auth_data"])
self.domain = ntlm_info["domain"] self.targetDomain = self.domain = ntlm_info["domain"]
self.hostname = ntlm_info["hostname"] self.hostname = ntlm_info["hostname"]
self.server_os = ntlm_info["os_version"] self.server_os = ntlm_info["os_version"]
self.logger.extra["hostname"] = self.hostname self.logger.extra["hostname"] = self.hostname
@ -139,7 +140,7 @@ class wmi(connection):
def print_host_info(self): def print_host_info(self):
self.logger.extra["protocol"] = "RPC" self.logger.extra["protocol"] = "RPC"
self.logger.extra["port"] = "135" self.logger.extra["port"] = "135"
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})") self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.targetDomain})")
return True return True
def check_if_admin(self): def check_if_admin(self):