Merge branch 'main' into ModulesEnumeration

2023-12-16 18:42:25 +01:00 · 2023-12-16 18:42:25 +01:00 · c1d253800b
parent 847f8c43a4 ef4f2df92c
commit c1d253800b
2 changed files with 17 additions and 6 deletions
--- a/nxc/modules/appcmd.py
+++ b/nxc/modules/appcmd.py
@ -37,7 +37,7 @@ class NXCModule:
            return

    def execute_appcmd(self, context, connection):
-        command = "powershell -c 'C:\\windows\\system32\\inetsrv\\appcmd.exe list apppool /@t:*'"
+        command = 'powershell -c "C:\\windows\\system32\\inetsrv\\appcmd.exe list apppool /@t:*"'
        context.log.info("Checking For Hidden Credentials With Appcmd.exe")
        output = connection.execute(command, True)

--- a/nxc/protocols/winrm.py
+++ b/nxc/protocols/winrm.py
@ -35,17 +35,20 @@ class winrm(connection):
        self.lmhash = ""
        self.nthash = ""
        self.ssl = False
+        self.auth_type = None

        connection.__init__(self, args, db, host)

    def proto_logger(self):
+        # Reason why default is SMB/445, because default is enumerate over SMB.
+        # For more details, please check the function "print_host_info" 
        logging.getLogger("pypsrp").disabled = True
        logging.getLogger("pypsrp.wsman").disabled = True
        self.logger = NXCAdapter(
            extra={
-                "protocol": "WINRM",
+                "protocol": "SMB",
                "host": self.host,
-                "port": "5985",
+                "port": "445",
                "hostname": self.hostname,
            }
        )
@ -180,9 +183,16 @@ class winrm(connection):
        return True

    def print_host_info(self):
-        self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
-        self.logger.extra["port"] = self.port
-        self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
+        if self.args.no_smb:
+            self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
+            self.logger.extra["port"] = self.port
+            self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
+        else:
+            self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
+            self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
+            self.logger.extra["port"] = self.port
+        
+        self.logger.info(f"Connection information: {self.endpoint} (auth type:{self.auth_type}) (domain:{self.domain if self.args.domain else ''})")

        if self.args.laps:
            return self.laps_search(self.args.username, self.args.password, self.args.hash, self.domain)
@ -211,6 +221,7 @@ class winrm(connection):
                self.logger.debug(f"Requesting URL: {endpoints[protocol]['url']}")
                res = requests.post(endpoints[protocol]["url"], verify=False, timeout=self.args.http_timeout) 
                self.logger.debug(f"Received response code: {res.status_code}")
+                self.auth_type = res.headers["WWW-Authenticate"] if "WWW-Authenticate" in res.headers else "NOAUTH"
                self.endpoint = endpoints[protocol]["url"]
                self.ssl = endpoints[protocol]["ssl"]
                return True