Merge pull request #152 from Pennyw0rth/neff-ldap-domain
commit
bfe7e46800
|
@ -254,9 +254,7 @@ class ldap(connection):
|
||||||
self.hostname = self.target
|
self.hostname = self.target
|
||||||
self.domain = self.targetDomain
|
self.domain = self.targetDomain
|
||||||
# smb no open, specify the domain
|
# smb no open, specify the domain
|
||||||
if self.args.no_smb:
|
if not self.args.no_smb:
|
||||||
self.domain = self.args.domain
|
|
||||||
else:
|
|
||||||
self.local_ip = self.conn.getSMBServer().get_socket().getsockname()[0]
|
self.local_ip = self.conn.getSMBServer().get_socket().getsockname()[0]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
@ -267,8 +265,8 @@ class ldap(connection):
|
||||||
if "STATUS_NOT_SUPPORTED" in str(e):
|
if "STATUS_NOT_SUPPORTED" in str(e):
|
||||||
self.no_ntlm = True
|
self.no_ntlm = True
|
||||||
if not self.no_ntlm:
|
if not self.no_ntlm:
|
||||||
self.domain = self.conn.getServerDNSDomainName()
|
|
||||||
self.hostname = self.conn.getServerName()
|
self.hostname = self.conn.getServerName()
|
||||||
|
self.targetDomain = self.domain = self.conn.getServerDNSDomainName()
|
||||||
self.server_os = self.conn.getServerOS()
|
self.server_os = self.conn.getServerOS()
|
||||||
self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection["RequireSigning"]
|
self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection["RequireSigning"]
|
||||||
self.os_arch = self.get_os_arch()
|
self.os_arch = self.get_os_arch()
|
||||||
|
@ -276,18 +274,16 @@ class ldap(connection):
|
||||||
|
|
||||||
if not self.domain:
|
if not self.domain:
|
||||||
self.domain = self.hostname
|
self.domain = self.hostname
|
||||||
|
if self.args.domain:
|
||||||
|
self.domain = self.args.domain
|
||||||
|
if self.args.local_auth:
|
||||||
|
self.domain = self.hostname
|
||||||
|
|
||||||
try: # noqa: SIM105
|
try: # noqa: SIM105
|
||||||
# DC's seem to want us to logoff first, windows workstations sometimes reset the connection
|
# DC's seem to want us to logoff first, windows workstations sometimes reset the connection
|
||||||
self.conn.logoff()
|
self.conn.logoff()
|
||||||
except Exception:
|
except Exception:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
if self.args.domain:
|
|
||||||
self.domain = self.args.domain
|
|
||||||
if self.args.local_auth:
|
|
||||||
self.domain = self.hostname
|
|
||||||
|
|
||||||
# Re-connect since we logged off
|
# Re-connect since we logged off
|
||||||
self.create_conn_obj()
|
self.create_conn_obj()
|
||||||
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}".replace(":", "-"))
|
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}".replace(":", "-"))
|
||||||
|
@ -303,7 +299,7 @@ class ldap(connection):
|
||||||
self.logger.extra["port"] = "445" if not self.no_ntlm else "389"
|
self.logger.extra["port"] = "445" if not self.no_ntlm else "389"
|
||||||
signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"])
|
signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"])
|
||||||
smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"])
|
smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"])
|
||||||
self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.domain}) ({signing}) ({smbv1})")
|
self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.targetDomain}) ({signing}) ({smbv1})")
|
||||||
self.logger.extra["protocol"] = "LDAP"
|
self.logger.extra["protocol"] = "LDAP"
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
|
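Review bot: In the `@ -267` hunk `self.targetDomain` is only assigned when NTLM negotiation succeeded (`self.targetDomain = self.domain = self.conn.getServerDNSDomainName()`), so on a server that answers STATUS_NOT_SUPPORTED it keeps whatever value it had before this function, and the `@ -303` display line now prints `domain:` from that stale value while `self.domain` still gets the `self.hostname` fallback in `@ -276`. The smb change in this same commit guards exactly this with a hostname fallback; the ldap path should mirror it right after the existing fallback, `if not self.targetDomain: self.targetDomain = self.hostname`. Where targetDomain is initialised for ldap is outside these hunks, so whether it can be empty here is inferred rather than visible. enum_host_info begins before the first hunk.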
@ -1,16 +1,12 @@
|
||||||
from argparse import _StoreTrueAction
|
|
||||||
|
|
||||||
|
|
||||||
def proto_args(parser, std_parser, module_parser):
|
def proto_args(parser, std_parser, module_parser):
|
||||||
ldap_parser = parser.add_parser("ldap", help="own stuff using LDAP", parents=[std_parser, module_parser])
|
ldap_parser = parser.add_parser("ldap", help="own stuff using LDAP", parents=[std_parser, module_parser])
|
||||||
ldap_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
|
ldap_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
|
||||||
ldap_parser.add_argument("--port", type=int, choices={389, 636}, default=389, help="LDAP port (default: 389)")
|
ldap_parser.add_argument("--port", type=int, choices={389, 636}, default=389, help="LDAP port (default: 389)")
|
||||||
no_smb_arg = ldap_parser.add_argument("--no-smb", action=get_conditional_action(_StoreTrueAction), make_required=[], help="No smb connection")
|
ldap_parser.add_argument("--no-smb", action="store_true", help="No smb connection")
|
||||||
|
|
||||||
dgroup = ldap_parser.add_mutually_exclusive_group()
|
dgroup = ldap_parser.add_mutually_exclusive_group()
|
||||||
domain_arg = dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, default=None, help="domain to authenticate to")
|
dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, default=None, help="domain to authenticate to")
|
||||||
dgroup.add_argument("--local-auth", action="store_true", help="authenticate locally to each target")
|
dgroup.add_argument("--local-auth", action="store_true", help="authenticate locally to each target")
|
||||||
no_smb_arg.make_required = [domain_arg]
|
|
||||||
|
|
||||||
egroup = ldap_parser.add_argument_group("Retrevie hash on the remote DC", "Options to get hashes from Kerberos")
|
egroup = ldap_parser.add_argument_group("Retrevie hash on the remote DC", "Options to get hashes from Kerberos")
|
||||||
egroup.add_argument("--asreproast", help="Output AS_REP response to crack with hashcat to file")
|
egroup.add_argument("--asreproast", help="Output AS_REP response to crack with hashcat to file")
|
||||||
|
|
|
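Review bot: Dropping `no_smb_arg.make_required = [domain_arg]` makes `--no-smb` accepted without `-d`, and in that case the ldap enum_host_info changed in this commit keeps `self.domain = self.targetDomain` and then falls back to `self.domain = self.hostname`, which is the raw target string, so authentication proceeds against a domain equal to the target with no message. If the coupling is intentionally removed, the help text should say what happens, e.g. `help="No smb connection (pass -d, otherwise the target name is used as the domain)"`, or enum_host_info should log a warning when `self.args.no_smb and not self.args.domain`. Whether targetDomain is populated on the no-smb path before that fallback is not visible here. Unrelated to the change, `Retrevie` in the argument-group title is a typo for `Retrieve`.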
@ -31,7 +31,8 @@ from impacket.tds import (
|
||||||
class mssql(connection):
|
class mssql(connection):
|
||||||
def __init__(self, args, db, host):
|
def __init__(self, args, db, host):
|
||||||
self.mssql_instances = []
|
self.mssql_instances = []
|
||||||
self.domain = None
|
self.domain = ""
|
||||||
|
self.targetDomain = ""
|
||||||
self.server_os = None
|
self.server_os = None
|
||||||
self.hash = None
|
self.hash = None
|
||||||
self.os_arch = None
|
self.os_arch = None
|
||||||
|
@ -122,23 +123,19 @@ class mssql(connection):
|
||||||
return False
|
return False
|
||||||
else:
|
else:
|
||||||
ntlm_info = parse_challenge(challenge)
|
ntlm_info = parse_challenge(challenge)
|
||||||
self.domain = ntlm_info["domain"]
|
self.targetDomain = self.domain = ntlm_info["domain"]
|
||||||
self.hostname = ntlm_info["hostname"]
|
self.hostname = ntlm_info["hostname"]
|
||||||
self.server_os = ntlm_info["os_version"]
|
self.server_os = ntlm_info["os_version"]
|
||||||
self.logger.extra["hostname"] = self.hostname
|
self.logger.extra["hostname"] = self.hostname
|
||||||
self.db.add_host(self.host, self.hostname, self.domain, self.server_os, len(self.mssql_instances),)
|
self.db.add_host(self.host, self.hostname, self.targetDomain, self.server_os, len(self.mssql_instances),)
|
||||||
|
|
||||||
if self.args.domain:
|
if self.args.domain:
|
||||||
self.domain = self.args.domain
|
self.domain = self.args.domain
|
||||||
|
|
||||||
if self.args.local_auth:
|
if self.args.local_auth:
|
||||||
self.domain = self.hostname
|
self.domain = self.hostname
|
||||||
|
|
||||||
if self.domain is None:
|
|
||||||
self.domain = ""
|
|
||||||
|
|
||||||
def print_host_info(self):
|
def print_host_info(self):
|
||||||
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
|
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.targetDomain})")
|
||||||
return True
|
return True
|
||||||
|
|
||||||
@reconnect_mssql
|
@reconnect_mssql
|
||||||
|
|
|
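Review bot: Under `--local-auth` the `@ -122` hunk rewrites only `self.domain = self.hostname` and leaves `self.targetDomain` at the value taken from the NTLM challenge, whereas the smb change in this same commit sets both `self.domain` and `self.targetDomain` to the hostname in that case; the winrm and wmi hunks follow the mssql pattern. Either unify the behaviour (`self.targetDomain = self.domain = self.hostname` in the local_auth branch, if host info is meant to reflect the authentication scope) or add a comment stating that mssql, winrm and wmi intentionally keep displaying the NTLM-reported domain. Removing the `if self.domain is None` guard also assumes `ntlm_info["domain"]` is never None; parse_challenge is not visible here, so that is worth confirming before relying on it in db.add_host.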
@ -211,8 +211,23 @@ class smb(connection):
|
||||||
# no ntlm supported
|
# no ntlm supported
|
||||||
self.no_ntlm = True
|
self.no_ntlm = True
|
||||||
|
|
||||||
self.domain = self.conn.getServerDNSDomainName() if not self.no_ntlm else self.args.domain
|
# self.domain is the attribute we authenticate with
|
||||||
self.hostname = self.conn.getServerName() if not self.no_ntlm else self.host
|
# self.targetDomain is the attribute which gets displayed as host domain
|
||||||
|
if not self.no_ntlm:
|
||||||
|
self.hostname = self.conn.getServerName()
|
||||||
|
self.targetDomain = self.conn.getServerDNSDomainName()
|
||||||
|
if not self.targetDomain: # Not sure if that can even happen but now we are safe
|
||||||
|
self.targetDomain = self.hostname
|
||||||
|
else:
|
||||||
|
self.hostname = self.host
|
||||||
|
self.targetDomain = self.hostname
|
||||||
|
|
||||||
|
self.domain = self.targetDomain if not self.args.domain else self.args.domain
|
||||||
|
|
||||||
|
if self.args.local_auth:
|
||||||
|
self.domain = self.hostname
|
||||||
|
self.targetDomain = self.hostname
|
||||||
|
|
||||||
self.server_os = self.conn.getServerOS()
|
self.server_os = self.conn.getServerOS()
|
||||||
self.logger.extra["hostname"] = self.hostname
|
self.logger.extra["hostname"] = self.hostname
|
||||||
|
|
||||||
|
@ -227,9 +242,6 @@ class smb(connection):
|
||||||
self.os_arch = self.get_os_arch()
|
self.os_arch = self.get_os_arch()
|
||||||
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
|
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
|
||||||
|
|
||||||
if not self.domain:
|
|
||||||
self.domain = self.hostname
|
|
||||||
|
|
||||||
self.db.add_host(
|
self.db.add_host(
|
||||||
self.host,
|
self.host,
|
||||||
self.hostname,
|
self.hostname,
|
||||||
|
@ -245,15 +257,11 @@ class smb(connection):
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
self.logger.debug(f"Error logging off system: {e}")
|
self.logger.debug(f"Error logging off system: {e}")
|
||||||
|
|
||||||
if self.args.domain:
|
|
||||||
self.domain = self.args.domain
|
|
||||||
if self.args.local_auth:
|
|
||||||
self.domain = self.hostname
|
|
||||||
|
|
||||||
def print_host_info(self):
|
def print_host_info(self):
|
||||||
signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"])
|
signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"])
|
||||||
smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"])
|
smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"])
|
||||||
self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.domain}) ({signing}) ({smbv1})")
|
self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.targetDomain}) ({signing}) ({smbv1})")
|
||||||
return True
|
return True
|
||||||
|
|
||||||
def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
|
def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
|
||||||
|
|
|
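Review bot: The two comments at the top of the `@ -211` hunk (`# self.domain is the attribute we authenticate with`, `# self.targetDomain is the attribute which gets displayed as host domain`) describe a contract every protocol in this commit now relies on, but they sit mid-function in smb only; they would be more discoverable as attribute comments where `domain`/`targetDomain` are initialised (presumably the shared connection base or each protocol's `__init__`). As a point of style, `self.domain = self.targetDomain if not self.args.domain else self.args.domain` reads more directly as `self.domain = self.args.domain or self.targetDomain`, which is equivalent since `-d` defaults to None. The comment `# Not sure if that can even happen but now we are safe` should name what it guards, e.g. `# guard against an empty DNS domain name from the server` — what produces that is inferred, not visible. enum_host_info begins before the first hunk.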
@ -25,7 +25,8 @@ urllib3.disable_warnings()
|
||||||
|
|
||||||
class winrm(connection):
|
class winrm(connection):
|
||||||
def __init__(self, args, db, host):
|
def __init__(self, args, db, host):
|
||||||
self.domain = None
|
self.domain = ""
|
||||||
|
self.targedDomain = ""
|
||||||
self.server_os = None
|
self.server_os = None
|
||||||
self.output_filename = None
|
self.output_filename = None
|
||||||
self.endpoint = None
|
self.endpoint = None
|
||||||
|
@ -52,30 +53,24 @@ class winrm(connection):
|
||||||
|
|
||||||
def enum_host_info(self):
|
def enum_host_info(self):
|
||||||
ntlm_info = parse_challenge(base64.b64decode(self.challenge_header.split(" ")[1].replace(",", "")))
|
ntlm_info = parse_challenge(base64.b64decode(self.challenge_header.split(" ")[1].replace(",", "")))
|
||||||
self.domain = ntlm_info["domain"]
|
self.targetDomain = self.domain = ntlm_info["domain"]
|
||||||
self.hostname = ntlm_info["hostname"]
|
self.hostname = ntlm_info["hostname"]
|
||||||
self.server_os = ntlm_info["os_version"]
|
self.server_os = ntlm_info["os_version"]
|
||||||
self.logger.extra["hostname"] = self.hostname
|
self.logger.extra["hostname"] = self.hostname
|
||||||
|
|
||||||
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}")
|
self.db.add_host(self.host, self.port, self.hostname, self.targetDomain, self.server_os)
|
||||||
|
|
||||||
self.db.add_host(self.host, self.port, self.hostname, self.domain, self.server_os)
|
|
||||||
|
|
||||||
if self.args.domain:
|
if self.args.domain:
|
||||||
self.domain = self.args.domain
|
self.domain = self.args.domain
|
||||||
|
|
||||||
if self.args.local_auth:
|
if self.args.local_auth:
|
||||||
self.domain = self.hostname
|
self.domain = self.hostname
|
||||||
|
|
||||||
if self.domain is None:
|
|
||||||
self.domain = ""
|
|
||||||
|
|
||||||
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
|
self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
|
||||||
|
|
||||||
def print_host_info(self):
|
def print_host_info(self):
|
||||||
self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
|
self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
|
||||||
self.logger.extra["port"] = self.port
|
self.logger.extra["port"] = self.port
|
||||||
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
|
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.targetDomain})")
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
|
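Review bot: `self.targedDomain = ""` in `__init__` (hunk `@ -25`) is a typo; the attribute read everywhere else is `targetDomain` (enum_host_info in `@ -52` and print_host_info), so the intended default is never set and any path that reaches print_host_info or db.add_host before enum_host_info assigns it would raise AttributeError, while the misspelled attribute is dead. Change it to `self.targetDomain = ""` to match mssql and wmi in this same commit.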
@ -24,7 +24,8 @@ MSRPC_UUID_PORTMAP = uuidtup_to_bin(("E1AF8308-5D1F-11C9-91A4-08002B14A0FA", "3.
|
||||||
|
|
||||||
class wmi(connection):
|
class wmi(connection):
|
||||||
def __init__(self, args, db, host):
|
def __init__(self, args, db, host):
|
||||||
self.domain = None
|
self.domain = ""
|
||||||
|
self.targetDomain = ""
|
||||||
self.hash = ""
|
self.hash = ""
|
||||||
self.lmhash = ""
|
self.lmhash = ""
|
||||||
self.nthash = ""
|
self.nthash = ""
|
||||||
|
@ -122,7 +123,7 @@ class wmi(connection):
|
||||||
response = MSRPCHeader(buffer)
|
response = MSRPCHeader(buffer)
|
||||||
bindResp = MSRPCBindAck(response.getData())
|
bindResp = MSRPCBindAck(response.getData())
|
||||||
ntlm_info = parse_challenge(bindResp["auth_data"])
|
ntlm_info = parse_challenge(bindResp["auth_data"])
|
||||||
self.domain = ntlm_info["domain"]
|
self.targetDomain = self.domain = ntlm_info["domain"]
|
||||||
self.hostname = ntlm_info["hostname"]
|
self.hostname = ntlm_info["hostname"]
|
||||||
self.server_os = ntlm_info["os_version"]
|
self.server_os = ntlm_info["os_version"]
|
||||||
self.logger.extra["hostname"] = self.hostname
|
self.logger.extra["hostname"] = self.hostname
|
||||||
|
@ -139,7 +140,7 @@ class wmi(connection):
|
||||||
def print_host_info(self):
|
def print_host_info(self):
|
||||||
self.logger.extra["protocol"] = "RPC"
|
self.logger.extra["protocol"] = "RPC"
|
||||||
self.logger.extra["port"] = "135"
|
self.logger.extra["port"] = "135"
|
||||||
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
|
self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.targetDomain})")
|
||||||
return True
|
return True
|
||||||
|
|
||||||
def check_if_admin(self):
|
def check_if_admin(self):
|
||||||
|
|