Merge branch 'main' into Update_active_users

2024-03-24 10:41:37 +03:00 · 2024-03-24 10:41:37 +03:00 · e31742ec67
parent 6c3746643e a6935b4d8d
commit e31742ec67
6 changed files with 54 additions and 34 deletions
--- a/nxc/data/nxc.conf
+++ b/nxc/data/nxc.conf
@ -13,7 +13,7 @@ bh_enabled = False
 bh_uri = 127.0.0.1
 bh_port = 7687
 bh_user = neo4j
-bh_pass = neo4j
+bh_pass = bloodhoundcommunityedition

 [Empire]
 api_host = 127.0.0.1
--- a/nxc/helpers/bloodhound.py
+++ b/nxc/helpers/bloodhound.py
@ -52,14 +52,14 @@ def add_user_bh(user, domain, logger, config):
                        _add_with_domain(user_info, domain, tx, logger)
        except AuthError:
            logger.fail(f"Provided Neo4J credentials ({config.get('BloodHound', 'bh_user')}:{config.get('BloodHound', 'bh_pass')}) are not valid.")
-            return
+            exit()
        except ServiceUnavailable:
            logger.fail(f"Neo4J does not seem to be available on {uri}.")
-            return
+            exit()
        except Exception as e:
            logger.fail(f"Unexpected error with Neo4J: {e}")
-            return
-        driver.close()
+        finally:
+            driver.close()


 def _add_with_domain(user_info, domain, tx, logger):
--- a/nxc/modules/enum_av.py
+++ b/nxc/modules/enum_av.py
@ -35,7 +35,7 @@ class NXCModule:
        results = self._detect_installed_services(context, connection, target)
        self.detect_running_processes(context, connection, results)

-        self.dump_results(results, connection.hostname, context)
+        self.dump_results(results, context)

    def _get_target(self, connection):
        return connection.host if not connection.kerberos else f"{connection.hostname}.{connection.domain}"
@ -58,18 +58,16 @@ class NXCModule:

            dce, _ = lsa.connect()
            policyHandle = lsa.open_policy(dce)
-            try:
-                for product in conf["products"]:
-                    for service in product["services"]:
+            for product in conf["products"]:
+                for service in product["services"]:
+                    try:
                        lsa.LsarLookupNames(dce, policyHandle, service["name"])
                        context.log.info(f"Detected installed service on {connection.host}: {product['name']} {service['description']}")
                        results.setdefault(product["name"], {"services": []})["services"].append(service)
-            except Exception:
-                pass
-
+                    except Exception:
+                        pass
        except Exception as e:
            context.log.fail(str(e))
-
        return results

    def detect_running_processes(self, context, connection, results):
@ -80,13 +78,16 @@ class NXCModule:
                for product in conf["products"]:
                    for pipe in product["pipes"]:
                        if pathlib.PurePath(fl).match(pipe["name"]):
-                            context.log.debug(f"{product['name']} running claim found on {connection.host} by existing pipe {fl} (likely processes: {pipe['processes']})")
+                            context.log.info(f"{product['name']} running claim found on {connection.host} by existing pipe {fl} (likely processes: {pipe['processes']})")
                            prod_results = results.setdefault(product["name"], {})
                            prod_results.setdefault("pipes", []).append(pipe)
        except Exception as e:
-            context.log.debug(str(e))
+            if "STATUS_ACCESS_DENIED" in str(e):
+                context.log.fail("Error STATUS_ACCESS_DENIED while enumerating pipes, probably due to using SMBv1")
+            else:
+                context.log.fail(str(e))

-    def dump_results(self, results, remoteName, context):
+    def dump_results(self, results, context):
        if not results:
            context.log.highlight("Found NOTHING!")
            return
@ -261,7 +262,10 @@ conf = {
                {"name": "epfw", "description": "ESET"},
                {"name": "epfwlwf", "description": "ESET"},
                {"name": "epfwwfp", "description": "ESET"},
-                {"name": "EraAgentSvc", "description": "ESET"},
+                {"name": "EraAgentSvc", "description": "ESET Management Agent service"},
+                {"name": "ERAAgent", "description": "ESET Management Agent service"},
+                {"name": "efwd", "description": "ESET Communication Forwarding Service"},
+                {"name": "ehttpsrv", "description": "ESET HTTP Server"},
            ],
            "pipes": [{"name": "nod_scriptmon_pipe", "processes": [""]}],
        },
--- a/nxc/modules/hash_spider.py
+++ b/nxc/modules/hash_spider.py
@ -146,7 +146,7 @@ class NXCModule:

    @staticmethod
    def save_credentials(context, connection, domain, username, password, lmhash, nthash):
-        host_id = context.db.get_computers(connection.host)[0][0]
+        host_id = context.db.get_hosts(connection.host)[0][0]
        if password is not None:
            credential_type = "plaintext"
        else:
--- a/nxc/modules/ldap-checker.py
+++ b/nxc/modules/ldap-checker.py
@ -39,10 +39,15 @@ class NXCModule:
        async def run_ldaps_noEPA(target, credential):
            ldapsClientConn = MSLDAPClientConnection(target, credential)
            _, err = await ldapsClientConn.connect()
+            
+            # Required step to try to bind without channel binding
+            ldapsClientConn.cb_data = None
+
            if err is not None:
                context.log.fail("ERROR while connecting to " + str(connection.domain) + ": " + str(err))
                sys.exit()
-            _, err = await ldapsClientConn.bind()
+
+            valid, err = await ldapsClientConn.bind()
            if "data 80090346" in str(err):
                return True  # channel binding IS enforced
            elif "data 52e" in str(err):
@ -114,19 +119,30 @@ class NXCModule:
        # requirements are enforced based on potential errors
        # during the bind attempt.
        async def run_ldap(target, credential):
-            ldapsClientConn = MSLDAPClientConnection(target, credential)
-            _, err = await ldapsClientConn.connect()
-            if err is None:
-                _, err = await ldapsClientConn.bind()
-                if "stronger" in str(err):
-                    return True  # because LDAP server signing requirements ARE enforced
-                elif ("data 52e") in str(err):
-                    context.log.fail("Not connected... exiting")
-                    sys.exit()
-                elif err is None:
+            try:
+                ldapsClientConn = MSLDAPClientConnection(target, credential)
+                ldapsClientConn._disable_signing = True
+                _, err = await ldapsClientConn.connect()
+                if err is not None:
+                    context.log.fail(str(err))
                    return False
-            else:
-                context.log.fail(str(err))
+                
+                _, err = await ldapsClientConn.bind()
+                if err is not None:
+                    errstr = str(err).lower()
+                    if "stronger" in errstr:
+                        return True 
+                        # because LDAP server signing requirements ARE enforced
+                    else:
+                        context.log.fail(str(err))
+                else:
+                    # LDAPS bind successful
+                    return False 
+                    # because LDAP server signing requirements are not enforced
+            except Exception as e:
+                context.log.debug(str(e))
+                return False
+              

        # Run trough all our code blocks to determine LDAP signing and channel binding settings.
        stype = asyauthSecret.PASS if not connection.nthash else asyauthSecret.NT
@ -148,9 +164,8 @@ class NXCModule:
                stype=stype,
            )

-        target = MSLDAPTarget(connection.host, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain)
+        target = MSLDAPTarget(connection.host, 389, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain)
        ldapIsProtected = asyncio.run(run_ldap(target, credential))
-
        if ldapIsProtected is False:
            context.log.highlight("LDAP Signing NOT Enforced!")
        elif ldapIsProtected is True:
@ -162,7 +177,7 @@ class NXCModule:
        if DoesLdapsCompleteHandshake(connection.host) is True:
            target = MSLDAPTarget(connection.host, 636, UniProto.CLIENT_SSL_TCP, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain)
            ldapsChannelBindingAlwaysCheck = asyncio.run(run_ldaps_noEPA(target, credential))
-            target = MSLDAPTarget(connection.host, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain)
+            target = MSLDAPTarget(connection.host, 636, UniProto.CLIENT_SSL_TCP, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain)
            ldapsChannelBindingWhenSupportedCheck = asyncio.run(run_ldaps_withEPA(target, credential))
            if ldapsChannelBindingAlwaysCheck is False and ldapsChannelBindingWhenSupportedCheck is True:
                context.log.highlight('LDAPS Channel Binding is set to "When Supported"')
--- a/nxc/netexec.py
+++ b/nxc/netexec.py
@ -79,6 +79,7 @@ def main():
    else:
        nxc_logger.logger.setLevel(logging.ERROR)
        root_logger.setLevel(logging.ERROR)
+    logging.getLogger("neo4j").setLevel(logging.ERROR)

    # if these are the same, it might double log to file (two FileHandlers will be added)
    # but this should never happen by accident