resolve conflicts

Author: azoxlpf

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: NetExec Wiki
+    url: https://www.netexec.wiki/
+    about: Check the wiki for usage guides and documentation before opening an issue.
+  - name: NetExec Discord
+    url: https://discord.com/invite/pjwUTQzg8R
+    about: Join the Discord for general questions and community support.

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,8 +1,9 @@
 ## Description
-
 Please include a summary of the change and which issue is fixed, or what the enhancement does.
 List any dependencies that are required for this change.
 
+If you have used AI in any form, please state the tool you used (e.g. Claude Code, Cursor, Amp) along with the extent that the work was AI-assisted. See the project's AI policy for more details: https://github.com/Pennyw0rth/NetExec/blob/main/AI_POLICY.md
+
 ## Type of change
 Insert an "x" inside the brackets for relevant items (do not delete options)
 
@@ -12,24 +13,28 @@ Insert an "x" inside the brackets for relevant items (do not delete options)
 - [ ] Deprecation of feature or functionality
 - [ ] This change requires a documentation update
 - [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)
+- [ ] This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)
 
 ## Setup guide for the review
 Please provide guidance on what setup is needed to test the introduced changes, such as your locally running machine Python version & OS, as well as the target(s) you tested against, including software versions.
 In particular:
 - Bug Fix: Please provide a short description on how to trigger the bug, to make the bug reproducable for the reviewer.
-- Added Feature/Enhancement: Please specify what setup is needed in order to test the changes. E.g. is additional software needed? GPO changes required? Specific registry settings that need to be changed?
+- Added Feature/Enhancement: Please specify what setup is needed in order to test the changes, such as:
+  - Is additional software needed?
+  - GPO changes required?
+  - Specific registry settings that need to be changed?
 
 ## Screenshots (if appropriate):
 Screenshots are always nice to have and can give a visual representation of the change.
-If appropriate include before and after screenshot(s) to show which results are to be expected.
+If appropriate, include before and after screenshot(s) to show which results are to be expected.
 
 ## Checklist:
 Insert an "x" inside the brackets for completed and relevant items (do not delete options)
 
-- [ ] I have ran Ruff against my changes (via poetry: `poetry run python -m ruff check . --preview`, use `--fix` to automatically fix what it can)
+- [ ] I have ran Ruff against my changes (poetry: `poetry run ruff check .`, use `--fix` to automatically fix what it can)
 - [ ] I have added or updated the `tests/e2e_commands.txt` file if necessary (new modules or features are _required_ to be added to the e2e tests)
-- [ ] New and existing e2e tests pass locally with my changes
 - [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
-- [ ] I have performed a self-review of my own code
+- [ ] I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
+- [ ] I have performed a self-review of my own code (_not_ an AI review)
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

.github/workflows/pr-template-check.yml

@@ -0,0 +1,54 @@
+name: PR Template Check
+
+on:
+  pull_request:
+    types: [opened, edited]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  check-template:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Check PR description for template sections
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const body = context.payload.pull_request.body || '';
+            const requiredSections = [
+              '## Description',
+              '## Type of change',
+              '## Setup guide for the review',
+              '## Checklist'
+            ];
+
+            const missingSections = requiredSections.filter(
+              section => !body.includes(section)
+            );
+
+            if (missingSections.length === 0) return;
+
+            // Check if we already left a comment to avoid spamming
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number
+            });
+
+            const botComment = comments.data.find(
+              c => c.user.type === 'Bot' && c.body.includes('<!-- pr-template-check -->')
+            );
+
+            if (botComment) return;
+
+            const missing = missingSections.map(s => `- ${s}`).join('\n');
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: `<!-- pr-template-check -->\nIt looks like the PR template may not have been filled out. The following sections appear to be missing:\n\n${missing}\n\nPlease edit your PR description to include them. The template helps reviewers understand and test your changes. Thanks!`
+            });

AI_POLICY.md

@@ -0,0 +1,77 @@
+# AI Usage Policy
+
+This policy was adapted from the [ghostty project](https://github.com/ghostty-org/ghostty/).
+The original version can be found [Ghostty's PR #10412](https://github.com/ghostty-org/ghostty/pull/10412).
+
+The NetExec project has strict rules for AI usage:
+
+- **All AI usage in any form must be disclosed.** You must state
+  the tool(s) and model(s) you used (e.g. Claude Code, Cursor, Opus 4.6,
+  Codex 5.2, etc) along with the extent that the work was AI-assisted.
+
+- **Pull requests created in any way by AI can only be for accepted issues.**
+  Drive-by pull requests that do not reference an accepted issue may be
+  rejected and closed. If AI isn't disclosed but a maintainer suspects its use,
+  the PR may be rejected and closed. If you want to share code for a
+  non-accepted issue, open a discussion or attach it to the existing issue.
+
+- **Pull requests created by AI must have been fully verified with
+  human use.** AI must not create hypothetically correct code that
+  hasn't been tested. Importantly, you must not allow AI to write
+  code for platforms or environments you don't have access to manually
+  test on.
+
+- **Issues and discussions can use AI assistance but must have a full
+  human-in-the-loop.** This means that any content generated with AI
+  must have been reviewed _and edited_ by a human before submission.
+  AI is very good at being overly verbose and including noise that
+  distracts from the main point. Humans must do their research and
+  trim this down.
+
+- **No AI-generated media is allowed (art, images, videos, audio, etc.).**
+  Text and code are the only acceptable AI-generated content, per the
+  other rules in this policy.
+
+- **Bad AI drivers will be banned** You've been warned. We love to help junior
+  developers learn and grow, but if you're interested in that then don't use
+  AI, and we'll help you.
+
+- **Official maintainers have the final say** We always strive to be helpful,
+  but there are limits. If you submit agregiously terrible AI generated code
+  with no review, we may ban you without word. We do not want to waste our
+  time reviewing slop if the contributor can't be bothered to review the work
+  themselves.
+
+These rules apply only to outside contributions to NetExec. Maintainers
+and trusted contributors are exempt from these rules and may use AI tools at
+their discretion; they've proven themselves trustworthy to apply good judgment.
+
+## There are Humans Here
+
+Please remember that NetExec is maintained by humans.
+
+Every discussion, issue, and pull request is read and reviewed by
+humans (and sometimes machines, too). It is a boundary point at which
+people interact with each other and the work done. It is rude and
+disrespectful to approach this boundary with low-effort, unqualified
+work, since it puts the burden of validation on the maintainers.
+
+In a perfect world, AI would produce high-quality, accurate work
+every time, but today that is simply not true. This is compounded by the fact
+that accessibility to AI is high, allowing low skilled individuals to think
+that they are contributing useful code. Even many skilled programmers do not
+understand how to use it effectively. This has opened up a waterfall of low
+quality contributions across the Open Source community, wasting resources.
+
+## AI is Welcome Here, Within Reason
+
+NetExec maintainers acknowledge AI as a productive tool to some workflows, and
+are open to leveraging this technology to improve NetExec; however, there are
+many low quality AI tools whose use results in pure slop being generated. The
+security communinity is not immune from AI psychosis, over-hype, or FOMO.
+As with any new technology, it is important to understand how it works and how
+to best use it, not blindly apply it to every use case with the hope that it
+will fix all your issues.
+
+We include this section to be transparent about the project's usage about
+AI for people who may disagree with it.

netexec.spec

@@ -49,7 +49,7 @@ a = Analysis(
         'nxc.helpers.bloodhound',
         'nxc.helpers.even6_parser',
         'nxc.helpers.msada_guids',
-        'nxc.helpers.ntlm_parser',
+        'nxc.helpers.negotiate_parser',
         'paramiko',
         'pefile',
         'pypsrp.client',

nxc/connection.py

@@ -5,7 +5,7 @@
 import contextlib
 
 from os.path import isfile
-from threading import BoundedSemaphore
+from threading import BoundedSemaphore, Lock
 from functools import wraps
 from time import sleep
 from ipaddress import ip_address
@@ -22,8 +22,10 @@
 from nxc.helpers.pfx import pfx_auth
 
 from impacket.dcerpc.v5 import transport
+from impacket.krb5.ccache import CCache
 
 sem = BoundedSemaphore(1)
+fail_lock = Lock()
 global_failed_logins = 0
 user_failed_logins = {}
 
@@ -314,26 +316,28 @@ def call_modules(self):
     def inc_failed_login(self, username):
         global global_failed_logins, user_failed_logins
 
-        if username not in user_failed_logins:
-            user_failed_logins[username] = 0
+        with fail_lock:
+            if username not in user_failed_logins:
+                user_failed_logins[username] = 0
 
-        user_failed_logins[username] += 1
-        global_failed_logins += 1
-        self.failed_logins += 1
+            user_failed_logins[username] += 1
+            global_failed_logins += 1
+            self.failed_logins += 1
 
     def over_fail_limit(self, username):
         global global_failed_logins, user_failed_logins
 
-        if global_failed_logins == self.args.gfail_limit:
-            return True
+        with fail_lock:
+            if global_failed_logins == self.args.gfail_limit:
+                return True
 
-        if self.failed_logins == self.args.fail_limit:
-            return True
+            if self.failed_logins == self.args.fail_limit:
+                return True
 
-        if username in user_failed_logins and self.args.ufail_limit == user_failed_logins[username]:  # noqa: SIM103
-            return True
+            if username in user_failed_logins and self.args.ufail_limit == user_failed_logins[username]:  # noqa: SIM103
+                return True
 
-        return False
+            return False
 
     def query_db_creds(self):
         """Queries the database for credentials to be used for authentication.
@@ -480,8 +484,6 @@ def try_credentials(self, domain, username, owned, secret, cred_type, data=None)
             - NTLM-hash (/kerberos)
             - AES-key
         """
-        if self.over_fail_limit(username):
-            return False
         if self.args.continue_on_success and owned:
             return False
 
@@ -497,6 +499,8 @@ def try_credentials(self, domain, username, owned, secret, cred_type, data=None)
             sleep(value)
 
         with sem:
+            if self.over_fail_limit(username):
+                return False
             if cred_type == "plaintext":
                 if self.kerberos:
                     self.logger.debug("Trying to authenticate using Kerberos")
@@ -552,7 +556,7 @@ def login(self):
         if self.args.use_kcache:
             self.logger.debug("Trying to authenticate using Kerberos cache")
             with sem:
-                username = self.args.username[0] if len(self.args.username) else ""
+                username = self.args.username[0] if len(self.args.username) else CCache.parseFile()[1]
                 password = self.args.password[0] if len(self.args.password) else ""
                 self.kerberos_login(self.domain, username, password, "", "", self.kdcHost, True)
                 self.logger.info("Successfully authenticated using Kerberos cache")

nxc/helpers/negotiate_parser.py

@@ -0,0 +1,92 @@
+# Parsing helpers for auth negotiation: NTLM challenges and TDS ERROR/INFO on MSSQL LOGIN7.
+# Original NTLM parsing from: https://github.com/fortra/impacket/blob/master/examples/DumpNTLMInfo.py#L568
+
+import struct
+
+from impacket import ntlm
+from impacket.smb3 import WIN_VERSIONS
+from impacket.tds import TDS_ERROR_TOKEN, TDS_INFO_TOKEN, TDS_INFO_ERROR
+import contextlib
+
+
+def parse_challenge(challange):
+    target_info = {
+        "hostname": None,
+        "domain": None,
+        "os_version": None
+    }
+    challange = ntlm.NTLMAuthChallenge(challange)
+    av_pairs = ntlm.AV_PAIRS(challange["TargetInfoFields"][:challange["TargetInfoFields_len"]])
+    if av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] is not None:
+        with contextlib.suppress(Exception):
+            target_info["hostname"] = av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode("utf-16le")
+    if av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME] is not None:
+        with contextlib.suppress(Exception):
+            target_info["domain"] = av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME][1].decode("utf-16le")
+    if "Version" in challange.fields:
+        version = challange["Version"]
+        if len(version) >= 4:
+            major_version = version[0]
+            minor_version = version[1]
+            product_build = struct.unpack("<H", version[2:4])[0]
+            if product_build in WIN_VERSIONS:
+                target_info["os_version"] = f"{WIN_VERSIONS[product_build]} Build {product_build}"
+            else:
+                target_info["os_version"] = f"{major_version}.{minor_version} Build {product_build}"
+    return target_info
+
+
+def decode_tds_info_error_msgtext(data, offset):
+    """Extract MsgText from a TDS ERROR (0xAA) or INFO (0xAB) token at *offset*.
+
+    Official spec: [MS-TDS] Tabular Data Stream Protocol (Microsoft Learn).
+    Token layout per MS-TDS 2.2.7.9 (INFO) / 2.2.7.10 (ERROR):
+        TokenType   BYTE        0xAA | 0xAB
+        Length      USHORT LE   byte count of the remaining fields
+        Number      LONG LE     error / info number
+        State       BYTE
+        Class       BYTE        severity
+        MsgText     US_VARCHAR  (2-byte LE length prefix + UTF-16LE)
+        ...         (ServerName, ProcName, LineNumber follow but are unused here)
+
+    The minimum *Length* value for a valid token is 8: Number(4) + State(1) +
+    Class(1) + MsgText length prefix(2, may be zero-length string).
+
+    References (Microsoft Learn, MS-TDS):
+        INFO: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/284bb815-d083-4ed5-b33a-bdc2492e322b
+        ERROR: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/9805e9fa-1f8b-4cf8-8f78-8d2602228635
+        Data packet stream tokens: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/f79bb5b8-5919-439a-a696-48064b78b091
+    """
+    remaining = len(data) - offset
+    if remaining < 3 or data[offset] not in (TDS_ERROR_TOKEN, TDS_INFO_TOKEN):
+        return None
+
+    # Length (USHORT LE) after TokenType, see MS-TDS INFO/ERROR links in docstring
+    payload_len = int.from_bytes(data[offset + 1 : offset + 3], "little")
+
+    if payload_len < 8 or remaining < 3 + payload_len:
+        return None
+    try:
+        token = TDS_INFO_ERROR(data[offset:])
+        text = token["MsgText"].decode("utf-16le").strip()
+    except Exception:
+        return None
+    return text or None
+
+
+def login7_integrated_auth_error_message(packet_data, data_after_login_header):
+    """Scan raw LOGIN7 response buffers for the first ERROR/INFO message.
+
+    When a server does not support Integrated Windows Authentication it replies
+    to the LOGIN7 NTLMSSP negotiate with a TDS error token instead of an
+    NTLMSSP challenge.  This helper locates the first ERROR (0xAA) or INFO
+    (0xAB) token in either the full packet or the payload after the 3-byte
+    LOGIN7 response header and returns its MsgText.
+    """
+    token_markers = (TDS_ERROR_TOKEN, TDS_INFO_TOKEN)
+    for buf in filter(None, (packet_data, data_after_login_header)):
+        for offset in (i for i in range(len(buf)) if buf[i] in token_markers):
+            msg = decode_tds_info_error_msgtext(buf, offset)
+            if msg:
+                return msg
+    return None