Resolve merge conflicts and sync fork with upstream

Author: Mercury0

netexec.spec

@@ -19,6 +19,7 @@ a = Analysis(
         'aardwolf.commons.iosettings',
         'aardwolf.commons.target',
         'aardwolf.protocol.x224.constants',
+        'certipy',
         'impacket.examples.secretsdump',
         'impacket.examples.regsecrets',
         'impacket.dcerpc.v5.lsat',
@@ -48,6 +49,7 @@ a = Analysis(
         'nxc.helpers.msada_guids',
         'nxc.helpers.ntlm_parser',
         'paramiko',
+        'pefile',
         'pypsrp.client',
         'pylnk3',
         'pypykatz',

nxc/connection.py

@@ -136,6 +136,8 @@ def __init__(self, args, db, target):
         self.db = db
         self.logger = nxc_logger
         self.conn = None
+        self.output_file_template = None
+        self.output_filename = None
 
         # Authentication info
         self.password = ""
@@ -160,11 +162,6 @@ def __init__(self, args, db, target):
         self.local_ip = None
         self.dns_server = self.args.dns_server
 
-        # Construct the output file template using os.path.join for OS compatibility
-        base_log_dir = os.path.join(os.path.expanduser(NXC_PATH), "logs")
-        filename_pattern = f"{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-")
-        self.output_file_template = os.path.join(base_log_dir, "{output_folder}", filename_pattern)
-
         # DNS resolution
         dns_result = self.resolver(target)
         if dns_result:
@@ -244,6 +241,14 @@ def proto_flow(self):
         else:
             self.logger.debug("Created connection object")
             self.enum_host_info()
+
+            # Construct the output file template using os.path.join for OS compatibility
+            base_log_dir = os.path.join(NXC_PATH, "logs")
+            filename_pattern = f"{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-")
+            self.output_file_template = os.path.join(base_log_dir, "{output_folder}", filename_pattern)
+            # Default output filename for logs
+            self.output_filename = os.path.join(base_log_dir, filename_pattern)
+
             self.print_host_info()
             if self.login() or (self.username == "" and self.password == ""):
                 if hasattr(self.args, "module") and self.args.module:
@@ -324,7 +329,7 @@ def over_fail_limit(self, username):
         if self.failed_logins == self.args.fail_limit:
             return True
 
-        if username in user_failed_logins and self.args.ufail_limit == user_failed_logins[username]:
+        if username in user_failed_logins and self.args.ufail_limit == user_failed_logins[username]:  # noqa: SIM103
             return True
 
         return False

nxc/data/procdump/procdump.exe

@@ -4,6 +4,7 @@
 import uuid
 
 from datetime import datetime
+from nxc.logger import nxc_logger
 
 
 class Substitution:
@@ -45,7 +46,7 @@ def xml(self, template=None):
         elif self._type == 0xf:
             return str(uuid.UUID(bytes_le=value.data))
         else:
-            print("Unknown value type", hex(value.type))
+            nxc_logger.display(f"Unknown value type {hex(value.type)}")
 
 
 class Value:
@@ -70,7 +71,7 @@ def __init__(self, buf, offset):
         elif next_token[0] == 0x0e:
             self._value = Substitution(buf, offset + 1 + self._name.length)
         else:
-            print("Unknown attribute next_token", hex(next_token[0]), hex(offset + 1 + self._name.length))
+            nxc_logger.display(f"Unknown attribute next_token {hex(next_token[0])} {hex(offset + 1 + self._name.length)}")
 
         self.length = 1 + self._name.length + self._value.length
 
@@ -123,7 +124,7 @@ def __init__(self, buf, offset):
                     elif next_token == 0x0e or next_token == 0x0d:
                         element = Substitution(buf, ofs)
                     else:
-                        print("Unknown intern next_token", hex(next_token), hex(ofs))
+                        nxc_logger.display(f"Unknown intern next_token {hex(next_token)} {hex(ofs)}")
                         break
 
                     self._children.append(element)
@@ -135,7 +136,7 @@ def __init__(self, buf, offset):
                 ofs += 1
                 break
             else:
-                print("Unknown element next_token", hex(next_token), hex(ofs))
+                nxc_logger.display(f"Unknown element next_token {hex(next_token)} {hex(ofs)}")
                 break
 
         self.length = ofs - offset
@@ -181,7 +182,7 @@ def __init__(self, buf, offset):
 
             self.length = 22 + self._xml.length + 5 + num_values * 4 + values_length
         else:
-            print("Unknown template token", hex(next_token))
+            nxc_logger.display(f"Unknown template token {hex(next_token)}")
 
     def xml(self, template=None):
         return self._xml.xml(self)
@@ -196,7 +197,7 @@ def __init__(self, buf, offset):
         elif next_token == 0x01 or next_token == 0x41:
             self._element = Element(buf, offset + 4)
         else:
-            print("Unknown binxml token", hex(next_token))
+            nxc_logger.display(f"Unknown binxml token {hex(next_token)}")
 
         self.length = 4 + self._element.length
 

nxc/helpers/even6_parser.py

@@ -129,8 +129,8 @@ def sign_authpack(self, data, wrap_signed=False):
     def setup(self, dh_params=None):
         self.issuer = self.certificate.issuer.native["common_name"]
         if dh_params is None:
-            print("Generating DH params...")
-            print("DH params generated.")
+            nxc_logger.display("Generating DH params...")
+            nxc_logger.display("DH params generated.")
         else:
             if isinstance(dh_params, dict):
                 self.diffie = DirtyDH.from_dict(dh_params)
@@ -488,8 +488,8 @@ def pfx_auth(self):
         return None
 
     username = self.args.username[0]
-    timestamp = datetime.datetime.now().strftime("%Y-%m-%d_%H%M%S").replace(":", "-")
-    log_ccache = os.path.normpath(os.path.expanduser(f"{NXC_PATH}/logs/{self.hostname}_{self.host}_{timestamp}-{username}.ccache"))
+    basename = f"{self.hostname}_{self.host}_{datetime.datetime.now().strftime('%Y-%m-%d_%H%M%S')}-{username}.ccache"
+    log_ccache = os.path.normpath(os.path.expanduser(f"{NXC_PATH}/logs/{basename}"))
 
     # Request a TGT with the cert data
     req = ini.build_asreq(self.domain, username)

nxc/helpers/pfx.py

@@ -101,6 +101,7 @@ def __init__(self, extra=None, merge_extra=False):
         logging.getLogger("minidump").disabled = True
         logging.getLogger("lsassy").disabled = True
         logging.getLogger("dploot").disabled = True
+        logging.getLogger("certipy").disabled = True
         logging.getLogger("aardwolf").disabled = True
         logging.getLogger("unicrypto").disabled = True
         logging.getLogger("asyncio").setLevel(logging.ERROR)
@@ -178,7 +179,7 @@ def add_file_log(self, log_file=None):
         file_creation = False
 
         if not os.path.isfile(output_file):
-            open(output_file, "x")
+            open(output_file, "x")  # noqa: SIM115
             file_creation = True
 
         file_handler = RotatingFileHandler(output_file, maxBytes=100000, encoding="utf-8")

nxc/logger.py

@@ -1,13 +1,11 @@
 import contextlib
-import os
-import datetime
+from time import sleep
 
 from impacket.examples.secretsdump import SAMHashes, LSASecrets, LocalOperations
 from impacket.smbconnection import SessionError
 from impacket.dcerpc.v5 import transport, rrp
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
 from nxc.helpers.misc import CATEGORY
-from nxc.paths import NXC_PATH
 
 
 class NXCModule:
@@ -62,7 +60,7 @@ def on_login(self, context, connection):
                 dce.disconnect()
 
         # copy remote file to local
-        log_path = os.path.expanduser(f"{NXC_PATH}/logs/{connection.hostname}_{connection.host}_{datetime.datetime.now().strftime('%Y-%m-%d_%H%M%S')}.".replace(":", "-"))
+        log_path = f"{connection.output_filename}."
         for hive in ["SAM", "SECURITY", "SYSTEM"]:
             connection.get_file_single(hive, log_path + hive)
 
@@ -100,6 +98,7 @@ def parse_sam(secret):
 
                 context.log.display(f"Cleaning dump with user {self.domain_admin} and hash {self.domain_admin_hash} on domain {connection.domain}")
                 connection.execute("del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM")
+                sleep(0.2)
                 for hive in ["SAM", "SECURITY", "SYSTEM"]:
                     try:
                         out = connection.conn.listPath("SYSVOL", hive)
@@ -118,3 +117,11 @@ def parse_sam(secret):
             context.log.display("netexec smb dc_ip -u user -p pass -x \"del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM\"")  # noqa: Q003
         else:
             context.log.display("Successfully deleted dump files !")
+
+    def _strip_root_key(self, dce, key_name):
+        # Let's strip the root key
+        key_name.split("\\")[0]
+        sub_key = "\\".join(key_name.split("\\")[1:])
+        ans = rrp.hOpenLocalMachine(dce)
+        h_root_key = ans["phKey"]
+        return h_root_key, sub_key

nxc/modules/backup_operator.py

@@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+import json
+from os import makedirs
+from certipy.commands.find import Find
+from certipy.lib.target import Target, DnsResolver
+from certipy.lib.formatting import pretty_print
+from datetime import datetime
+
+from nxc.helpers.misc import CATEGORY
+from nxc.paths import NXC_PATH
+
+
+class NXCModule:
+    """Module made by: @NeffIsBack, @gatariee"""
+    name = "certipy-find"
+    description = "certipy find command with options to export the result to text/csv/json. Default: Show only vulnerable templates"
+    supported_protocols = ["ldap"]
+    category = CATEGORY.ENUMERATION
+
+    def __init__(self, context=None, module_options=None):
+        self.context = context
+        self.module_options = module_options
+
+    def options(self, context, module_options):
+        """
+        VULN        Show only vulnerable configurations (Default: True)
+        ENABLED     Show only enabled templates
+
+        Export options:
+        TEXT        Export results to a plain text file
+        CSV         Export results to a CSV file
+        JSON        Export results to a JSON file
+        """
+        self.vuln = True
+        self.enabled = False
+        self.output_path = f"{NXC_PATH}/modules/certipy-find"
+        self.json = False
+        self.csv = False
+        self.text = False
+
+        if "VULN" in module_options:
+            self.vuln = module_options["VULN"].lower() in ["true", "1", "yes"]
+        if "ENABLED" in module_options:
+            self.enabled = module_options["ENABLED"].lower() in ["true", "1", "yes"]
+
+        # Export options
+        if "JSON" in module_options:
+            self.json = module_options["JSON"].lower() in ["true", "1", "yes"]
+        if "CSV" in module_options:
+            self.csv = module_options["CSV"].lower() in ["true", "1", "yes"]
+        if "TEXT" in module_options:
+            self.text = module_options["TEXT"].lower() in ["true", "1", "yes"]
+
+    def on_login(self, context, connection):
+        resolv = DnsResolver.create(connection.args.dns_server if connection.args.dns_server else connection.host)
+        target = Target(
+            resolver=resolv,
+            domain=connection.domain,
+            username=connection.username,
+            password=connection.password,
+            lmhash=connection.lmhash,
+            nthash=connection.nthash,
+            target_ip=connection.host,
+            ldap_port=connection.port,
+            ldap_scheme="ldaps" if connection.port == 636 else "ldap",
+            ldap_signing=connection.signing_required,
+            ldap_channel_binding=connection.cbt_status in ["Always", "When Supported"],
+        )
+
+        finder = Find(
+            target=target,
+            json=self.json,
+            csv=self.csv,
+            text=self.text,
+            output_path=self.output_path,
+            stdout=True,
+            vulnerable=self.vuln,
+            enabled=self.enabled,
+        )
+
+        # Get templates and CAs
+        templates = finder.get_certificate_templates()
+        cas = finder.get_certificate_authorities()
+        finder._link_cas_and_templates(cas, templates)
+
+        # Get OIDs
+        oids = finder.get_issuance_policies()
+
+        # Process information
+        finder._link_templates_and_policies(templates, oids)
+        finder._process_ca_properties(cas)
+        finder._process_template_properties(templates)
+
+        output = finder.get_output_for_text_and_json(templates, cas, oids)
+        pretty_print(output, print_func=context.log.highlight)
+
+        # Save to disk if any export option specified
+        if self.json or self.csv or self.text:
+            makedirs(self.output_path, exist_ok=True)
+
+        filename = f"certipy_{connection.hostname}_{connection.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-")
+        if self.json:
+            with open(f"{self.output_path}/{filename}.json", "w") as f:
+                json.dump(
+                    output,
+                    f,
+                    indent=2,
+                    default=str,
+                )
+        if self.csv:
+            template_output = finder.get_template_output_for_csv(output)
+            ca_output = finder.get_ca_output_for_csv(output)
+            with open(f"{self.output_path}/{filename}-templates.csv", "w") as f:
+                f.write(template_output)
+            with open(f"{self.output_path}/{filename}-cas.csv", "w") as f:
+                f.write(ca_output)
+        if self.text:
+            with open(f"{self.output_path}/{filename}.txt", "w") as f:
+                pretty_print(output, print_func=lambda x: f.write(x + "\n"))

nxc/modules/certipy-find.py

@@ -249,7 +249,7 @@ def options(self, context, module_options):
                 context.log.debug("There is a target specified!")
                 if isfile(module_options[option]):
                     try:
-                        target_file = open(module_options[option])
+                        target_file = open(module_options[option])  # noqa: SIM115
                         for line in target_file:
                             context.log.debug(f"Adding target from file: {line}")
                             self.targets.append((line.strip(), SEARCH_FILTERS[option]))

nxc/modules/daclread.py

@@ -4,7 +4,7 @@
 
 class NXCModule:
     name = "dump-computers"
-    description = "Dumps all computers in the domain"
+    description = "Dumps FQDN and OS of all computers in the domain"
     supported_protocols = ["ldap"]
     category = CATEGORY.ENUMERATION
 
@@ -43,8 +43,11 @@ def on_login(self, context, connection):
         context.log.debug(f"Total number of records returned: {len(resp_parsed)}")
 
         for item in resp_parsed:
-            dns_host_name = item["dNSHostName"]
+            dns_host_name = item.get("dNSHostName")
             operating_system = item.get("operatingSystem", "Unknown OS")
+            if not dns_host_name:
+                context.log.debug(f"Skipping computer without dNSHostName: {item.get('cn', '<unknown>')}")
+                continue
 
             if self.netbios_only:
                 netbios_name = dns_host_name.split(".")[0]