From 76f23d422d15fd3a15e374b386cd03561d792d65 Mon Sep 17 00:00:00 2001
From: XiaoliChan <30458572+XiaoliChan@users.noreply.github.com>
Date: Sat, 11 Nov 2023 20:49:33 +0800
Subject: [PATCH 1/4] [winrm] better output
Signed-off-by: XiaoliChan <30458572+XiaoliChan@users.noreply.github.com>
---
 nxc/protocols/winrm.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/nxc/protocols/winrm.py b/nxc/protocols/winrm.py
index 17c8bb9c..fa4eb6ac 100644
--- a/nxc/protocols/winrm.py
+++ b/nxc/protocols/winrm.py
@@ -35,17 +35,20 @@ class winrm(connection):
 self.lmhash = ""
 self.nthash = ""
 self.ssl = False
+ self.auth_type = None
 connection.__init__(self, args, db, host)
 def proto_logger(self):
+ # Reason why default is SMB/445, because default is enumerate over SMB.
+ # For more details, please check the function "print_host_info"
 logging.getLogger("pypsrp").disabled = True
 logging.getLogger("pypsrp.wsman").disabled = True
 self.logger = NXCAdapter(
 extra={
- "protocol": "WINRM",
+ "protocol": "SMB",
 "host": self.host,
- "port": "5985",
+ "port": "445",
 "hostname": self.hostname,
 }
 )
@@ -180,9 +183,17 @@ class winrm(connection):
 return True
 def print_host_info(self):
+ if not self.args.domain:
+ self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
+
 self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
 self.logger.extra["port"] = self.port
- self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
+ winrm_info = "{} {} {}".format(
+ self.endpoint,
+ f"(auth type:{self.auth_type})",
+ f"(domain:{self.domain})" if self.args.domain else "",
+ )
+ self.logger.display(winrm_info)
 if self.args.laps:
 return self.laps_search(self.args.username, self.args.password, self.args.hash, self.domain)
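Review bot: The new comment in proto_logger is hard to parse (`# Reason why default is SMB/445, because default is enumerate over SMB.`), and since it justifies a choice that print_host_info deliberately undoes later, it deserves a plain statement, e.g. `# Default the log tag to SMB/445: host enumeration runs over SMB first; print_host_info switches the tag to WINRM and the real port once the WinRM endpoint is known.` The port is hard-coded as the string "445" here while print_host_info later assigns self.port, so the two tag values may not share a type; harmless if the adapter only formats them, but worth confirming. Anything after the NXCAdapter call in proto_logger is outside the hunk.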
@@ -211,6 +222,7 @@ class winrm(connection):
 self.logger.debug(f"Requesting URL: {endpoints[protocol]['url']}")
 res = requests.post(endpoints[protocol]["url"], verify=False, timeout=self.args.http_timeout)
 self.logger.debug(f"Received response code: {res.status_code}")
+ self.auth_type = res.headers["WWW-Authenticate"] if "WWW-Authenticate" in res.headers else "NOAUTH"
 self.endpoint = endpoints[protocol]["url"]
 self.ssl = endpoints[protocol]["ssl"]
 return True
From f8982a8d65da54e22eb57f0a63eb0b5d0003dc6b Mon Sep 17 00:00:00 2001
From: Alexander Neff
Date: Sat, 9 Dec 2023 18:53:46 +0100
Subject: [PATCH 2/4] Move detailed information to info logging output
---
 nxc/protocols/winrm.py | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/nxc/protocols/winrm.py b/nxc/protocols/winrm.py
index fa4eb6ac..d9d4e300 100644
--- a/nxc/protocols/winrm.py
+++ b/nxc/protocols/winrm.py
@@ -183,17 +183,11 @@ class winrm(connection):
 return True
 def print_host_info(self):
- if not self.args.domain:
- self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
+ self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
 self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
 self.logger.extra["port"] = self.port
- winrm_info = "{} {} {}".format(
- self.endpoint,
- f"(auth type:{self.auth_type})",
- f"(domain:{self.domain})" if self.args.domain else "",
- )
- self.logger.display(winrm_info)
+ self.logger.info(f"Connection information: {self.endpoint} (auth type:{self.auth_type}) (domain:{self.domain if self.args.domain else ''})")
 if self.args.laps:
 return self.laps_search(self.args.username, self.args.password, self.args.hash, self.domain)
From afd568cf9421e66bc74279500c98b320dca372b1 Mon Sep 17 00:00:00 2001
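Review bot: The added `self.auth_type = ...` line hand-rolls a dictionary default; `res.headers.get("WWW-Authenticate", "NOAUTH")` expresses the same thing with one lookup, and requests' headers mapping is case-insensitive so the membership test and the lookup agree either way. The stored value is copied verbatim from a server-controlled response header and is later written to the tool's output by print_host_info, so a hostile or misconfigured endpoint can inject arbitrary text, including line breaks, into the log; normalising it at the point of capture keeps that out, e.g. `self.auth_type = " ".join(res.headers.get("WWW-Authenticate", "NOAUTH").split())`. The enclosing function starts before the hunk.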
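Review bot: The new `self.logger.info(...)` line in print_host_info prints `(domain:)` with an empty value whenever `self.args.domain` is not given, which reads like a missing field rather than a deliberate omission; building the suffix conditionally keeps the output clean and also breaks up the very long f-string: `domain_info = f" (domain:{self.domain})" if self.args.domain else ""` followed by `self.logger.info(f"Connection information: {self.endpoint} (auth type:{self.auth_type}){domain_info}")`. This line is also where the server-supplied self.auth_type value surfaces in output, so it should be treated as untrusted text wherever it is captured. print_host_info continues past the end of the hunk.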
From: Alexander Neff
Date: Sun, 10 Dec 2023 15:59:34 +0100
Subject: [PATCH 3/4] Fix correct protocol and port display output
---
 nxc/protocols/winrm.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/nxc/protocols/winrm.py b/nxc/protocols/winrm.py
index d9d4e300..e4544179 100644
--- a/nxc/protocols/winrm.py
+++ b/nxc/protocols/winrm.py
@@ -183,10 +183,15 @@ class winrm(connection):
 return True
 def print_host_info(self):
- self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
+ if self.args.no_smb:
+ self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
+ self.logger.extra["port"] = self.port
+ self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
+ else:
+ self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
+ self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
+ self.logger.extra["port"] = self.port
- self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
- self.logger.extra["port"] = self.port
 self.logger.info(f"Connection information: {self.endpoint} (auth type:{self.auth_type}) (domain:{self.domain if self.args.domain else ''})")
 if self.args.laps:
From a347fcc208c0b9c134338b8804fd19a69b84d278 Mon Sep 17 00:00:00 2001
From: 0xlazy
Date: Wed, 13 Dec 2023 15:01:47 +0100
Subject: [PATCH 4/4] Fix: iis module cmd exec quotes
---
 nxc/modules/appcmd.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nxc/modules/appcmd.py b/nxc/modules/appcmd.py
index 9a739268..5df93cc2 100644
--- a/nxc/modules/appcmd.py
+++ b/nxc/modules/appcmd.py
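Review bot: The two branches of the new `if self.args.no_smb:` in print_host_info contain the same three statements and differ only in whether the banner is displayed before or after the logger tag is switched to WINRM; without a comment the next reader will be tempted to collapse them and silently lose the behaviour this commit exists to fix. Suggest a short why-comment above the `if`, e.g. `# Without no_smb the banner keeps the SMB/445 tag set in proto_logger (enumeration ran over SMB) and only later lines are tagged WINRM; with no_smb the tag is switched first so the banner reflects the WinRM port.` The duplication itself is tolerable once the intent is written down. print_host_info continues past the end of the hunk.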
@@ -37,7 +37,7 @@ class NXCModule:
 return
 def execute_appcmd(self, context, connection):
- command = "powershell -c 'C:\\windows\\system32\\inetsrv\\appcmd.exe list apppool /@t:*'"
+ command = 'powershell -c "C:\\windows\\system32\\inetsrv\\appcmd.exe list apppool /@t:*"'
 context.log.info("Checking For Hidden Credentials With Appcmd.exe")
 output = connection.execute(command, True)