Merge branch 'main' into main

Author: pol4ir

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: NetExec Wiki
+    url: https://www.netexec.wiki/
+    about: Check the wiki for usage guides and documentation before opening an issue.
+  - name: NetExec Discord
+    url: https://discord.com/invite/pjwUTQzg8R
+    about: Join the Discord for general questions and community support.

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,8 +1,9 @@
 ## Description
-
 Please include a summary of the change and which issue is fixed, or what the enhancement does.
 List any dependencies that are required for this change.
 
+If you have used AI in any form, please state the tool you used (e.g. Claude Code, Cursor, Amp) along with the extent that the work was AI-assisted. See the project's AI policy for more details: https://github.com/Pennyw0rth/NetExec/blob/main/AI_POLICY.md
+
 ## Type of change
 Insert an "x" inside the brackets for relevant items (do not delete options)
 
@@ -12,24 +13,28 @@ Insert an "x" inside the brackets for relevant items (do not delete options)
 - [ ] Deprecation of feature or functionality
 - [ ] This change requires a documentation update
 - [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)
+- [ ] This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)
 
 ## Setup guide for the review
 Please provide guidance on what setup is needed to test the introduced changes, such as your locally running machine Python version & OS, as well as the target(s) you tested against, including software versions.
 In particular:
 - Bug Fix: Please provide a short description on how to trigger the bug, to make the bug reproducable for the reviewer.
-- Added Feature/Enhancement: Please specify what setup is needed in order to test the changes. E.g. is additional software needed? GPO changes required? Specific registry settings that need to be changed?
+- Added Feature/Enhancement: Please specify what setup is needed in order to test the changes, such as:
+  - Is additional software needed?
+  - GPO changes required?
+  - Specific registry settings that need to be changed?
 
 ## Screenshots (if appropriate):
 Screenshots are always nice to have and can give a visual representation of the change.
-If appropriate include before and after screenshot(s) to show which results are to be expected.
+If appropriate, include before and after screenshot(s) to show which results are to be expected.
 
 ## Checklist:
 Insert an "x" inside the brackets for completed and relevant items (do not delete options)
 
-- [ ] I have ran Ruff against my changes (via poetry: `poetry run python -m ruff check . --preview`, use `--fix` to automatically fix what it can)
+- [ ] I have ran Ruff against my changes (poetry: `poetry run ruff check .`, use `--fix` to automatically fix what it can)
 - [ ] I have added or updated the `tests/e2e_commands.txt` file if necessary (new modules or features are _required_ to be added to the e2e tests)
-- [ ] New and existing e2e tests pass locally with my changes
 - [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
-- [ ] I have performed a self-review of my own code
+- [ ] I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
+- [ ] I have performed a self-review of my own code (_not_ an AI review)
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

.github/workflows/pr-template-check.yml

@@ -0,0 +1,54 @@
+name: PR Template Check
+
+on:
+  pull_request:
+    types: [opened, edited]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  check-template:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Check PR description for template sections
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const body = context.payload.pull_request.body || '';
+            const requiredSections = [
+              '## Description',
+              '## Type of change',
+              '## Setup guide for the review',
+              '## Checklist'
+            ];
+
+            const missingSections = requiredSections.filter(
+              section => !body.includes(section)
+            );
+
+            if (missingSections.length === 0) return;
+
+            // Check if we already left a comment to avoid spamming
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number
+            });
+
+            const botComment = comments.data.find(
+              c => c.user.type === 'Bot' && c.body.includes('<!-- pr-template-check -->')
+            );
+
+            if (botComment) return;
+
+            const missing = missingSections.map(s => `- ${s}`).join('\n');
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: `<!-- pr-template-check -->\nIt looks like the PR template may not have been filled out. The following sections appear to be missing:\n\n${missing}\n\nPlease edit your PR description to include them. The template helps reviewers understand and test your changes. Thanks!`
+            });

AI_POLICY.md

@@ -0,0 +1,77 @@
+# AI Usage Policy
+
+This policy was adapted from the [ghostty project](https://github.com/ghostty-org/ghostty/).
+The original version can be found [Ghostty's PR #10412](https://github.com/ghostty-org/ghostty/pull/10412).
+
+The NetExec project has strict rules for AI usage:
+
+- **All AI usage in any form must be disclosed.** You must state
+  the tool(s) and model(s) you used (e.g. Claude Code, Cursor, Opus 4.6,
+  Codex 5.2, etc) along with the extent that the work was AI-assisted.
+
+- **Pull requests created in any way by AI can only be for accepted issues.**
+  Drive-by pull requests that do not reference an accepted issue may be
+  rejected and closed. If AI isn't disclosed but a maintainer suspects its use,
+  the PR may be rejected and closed. If you want to share code for a
+  non-accepted issue, open a discussion or attach it to the existing issue.
+
+- **Pull requests created by AI must have been fully verified with
+  human use.** AI must not create hypothetically correct code that
+  hasn't been tested. Importantly, you must not allow AI to write
+  code for platforms or environments you don't have access to manually
+  test on.
+
+- **Issues and discussions can use AI assistance but must have a full
+  human-in-the-loop.** This means that any content generated with AI
+  must have been reviewed _and edited_ by a human before submission.
+  AI is very good at being overly verbose and including noise that
+  distracts from the main point. Humans must do their research and
+  trim this down.
+
+- **No AI-generated media is allowed (art, images, videos, audio, etc.).**
+  Text and code are the only acceptable AI-generated content, per the
+  other rules in this policy.
+
+- **Bad AI drivers will be banned** You've been warned. We love to help junior
+  developers learn and grow, but if you're interested in that then don't use
+  AI, and we'll help you.
+
+- **Official maintainers have the final say** We always strive to be helpful,
+  but there are limits. If you submit agregiously terrible AI generated code
+  with no review, we may ban you without word. We do not want to waste our
+  time reviewing slop if the contributor can't be bothered to review the work
+  themselves.
+
+These rules apply only to outside contributions to NetExec. Maintainers
+and trusted contributors are exempt from these rules and may use AI tools at
+their discretion; they've proven themselves trustworthy to apply good judgment.
+
+## There are Humans Here
+
+Please remember that NetExec is maintained by humans.
+
+Every discussion, issue, and pull request is read and reviewed by
+humans (and sometimes machines, too). It is a boundary point at which
+people interact with each other and the work done. It is rude and
+disrespectful to approach this boundary with low-effort, unqualified
+work, since it puts the burden of validation on the maintainers.
+
+In a perfect world, AI would produce high-quality, accurate work
+every time, but today that is simply not true. This is compounded by the fact
+that accessibility to AI is high, allowing low skilled individuals to think
+that they are contributing useful code. Even many skilled programmers do not
+understand how to use it effectively. This has opened up a waterfall of low
+quality contributions across the Open Source community, wasting resources.
+
+## AI is Welcome Here, Within Reason
+
+NetExec maintainers acknowledge AI as a productive tool to some workflows, and
+are open to leveraging this technology to improve NetExec; however, there are
+many low quality AI tools whose use results in pure slop being generated. The
+security communinity is not immune from AI psychosis, over-hype, or FOMO.
+As with any new technology, it is important to understand how it works and how
+to best use it, not blindly apply it to every use case with the hope that it
+will fix all your issues.
+
+We include this section to be transparent about the project's usage about
+AI for people who may disagree with it.

nxc/connection.py

@@ -22,6 +22,7 @@
 from nxc.helpers.pfx import pfx_auth
 
 from impacket.dcerpc.v5 import transport
+from impacket.krb5.ccache import CCache
 
 sem = BoundedSemaphore(1)
 global_failed_logins = 0
@@ -552,7 +553,7 @@ def login(self):
         if self.args.use_kcache:
             self.logger.debug("Trying to authenticate using Kerberos cache")
             with sem:
-                username = self.args.username[0] if len(self.args.username) else ""
+                username = self.args.username[0] if len(self.args.username) else CCache.parseFile()[1]
                 password = self.args.password[0] if len(self.args.password) else ""
                 self.kerberos_login(self.domain, username, password, "", "", self.kdcHost, True)
                 self.logger.info("Successfully authenticated using Kerberos cache")

nxc/modules/add-computer.py

@@ -175,11 +175,12 @@ def do_samr_add(self):
                 self.noLDAPRequired = True
                 self.context.log.highlight(f"Successfully added the machine account: '{self.__computerName}' with Password: '{self.__computerPassword}'")
                 self.context.db.add_credential("plaintext", self.__domain, self.__computerName, self.__computerPassword)
-            except samr.DCERPCSessionError as e:
+            except Exception as e:
                 self.context.log.debug(f"samrCreateUser2InDomain failed: {e}")
-                if "STATUS_ACCESS_DENIED" in str(e):
+                # See error codes at: https://github.com/fortra/impacket/blob/8c155a5b492e8b0f9d08e5ca82b72c91d76f5c7f/impacket/dcerpc/v5/samr.py#L2591
+                if "Authenticating account doesn't have the right to create a new machine account!" in str(e):
                     self.context.log.fail(f"The following user does not have the right to create a computer account: {self.__username}")
-                elif "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" in str(e):
+                elif "Authenticating account's machine account quota exceeded!" in str(e):
                     self.context.log.fail(f"The following user exceeded their machine account quota: {self.__username}")
                 return
 

nxc/modules/backup_operator.py

@@ -5,7 +5,7 @@
 from impacket.smbconnection import SessionError
 from impacket.dcerpc.v5 import transport, rrp
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
-from nxc.helpers.misc import CATEGORY
+from nxc.helpers.misc import CATEGORY, gen_random_string
 
 
 class NXCModule:
@@ -26,6 +26,8 @@ def options(self, context, module_options):
 
     def on_login(self, context, connection):
         connection.args.share = "SYSVOL"
+        rand_suffix = gen_random_string(8)
+
         # enable remote registry
         context.log.display("Triggering RemoteRegistry to start through named pipe...")
         connection.trigger_winreg()
@@ -43,7 +45,7 @@ def on_login(self, context, connection):
 
             for hive in ["HKLM\\SAM", "HKLM\\SYSTEM", "HKLM\\SECURITY"]:
                 hRootKey, subKey = self._strip_root_key(dce, hive)
-                outputFileName = f"\\\\{connection.host}\\SYSVOL\\{subKey}"
+                outputFileName = f"\\\\{connection.host}\\SYSVOL\\{subKey}_{rand_suffix}"
                 context.log.debug(f"Dumping {hive}, be patient it can take a while for large hives (e.g. HKLM\\SYSTEM)")
                 try:
                     ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, dwOptions=rrp.REG_OPTION_BACKUP_RESTORE | rrp.REG_OPTION_OPEN_LINK, samDesired=rrp.KEY_READ)
@@ -62,7 +64,7 @@ def on_login(self, context, connection):
         # copy remote file to local
         log_path = f"{connection.output_filename}."
         for hive in ["SAM", "SECURITY", "SYSTEM"]:
-            connection.get_file_single(hive, log_path + hive)
+            connection.get_file_single(f"{hive}_{rand_suffix}", log_path + hive)
 
         # read local file
         try:
@@ -97,24 +99,25 @@ def parse_sam(secret):
                     context.log.fail(f"Fail to dump the NTDS: {e!s}")
 
                 context.log.display(f"Cleaning dump with user {self.domain_admin} and hash {self.domain_admin_hash} on domain {connection.domain}")
-                connection.execute("del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM")
+                connection.execute(f"del C:\\Windows\\sysvol\\sysvol\\SECURITY_{rand_suffix} && del C:\\Windows\\sysvol\\sysvol\\SAM_{rand_suffix} && del C:\\Windows\\sysvol\\sysvol\\SYSTEM_{rand_suffix}")
                 sleep(0.2)
                 for hive in ["SAM", "SECURITY", "SYSTEM"]:
+                    remote_name = f"{hive}_{rand_suffix}"
                     try:
-                        out = connection.conn.listPath("SYSVOL", hive)
+                        out = connection.conn.listPath("SYSVOL", remote_name)
                         if out:
                             self.deleted_files = False
-                            context.log.fail(f"Fail to remove the file {hive}, path: C:\\Windows\\sysvol\\sysvol\\{hive}")
+                            context.log.fail(f"Fail to remove the file {remote_name}, path: C:\\Windows\\sysvol\\sysvol\\{remote_name}")
                     except SessionError as e:
-                        context.log.debug(f"File {hive} successfully removed: {e}")
+                        context.log.debug(f"File {remote_name} successfully removed: {e}")
             else:
                 self.deleted_files = False
         else:
             self.deleted_files = False
 
         if not self.deleted_files:
             context.log.display("Use the domain admin account to clean the file on the remote host")
-            context.log.display("netexec smb dc_ip -u user -p pass -x \"del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM\"")  # noqa: Q003
+            context.log.display(f"netexec smb dc_ip -u user -p pass -x \"del C:\\Windows\\sysvol\\sysvol\\SECURITY_{rand_suffix} && del C:\\Windows\\sysvol\\sysvol\\SAM_{rand_suffix} && del C:\\Windows\\sysvol\\sysvol\\SYSTEM_{rand_suffix}\"")  # noqa: Q003
         else:
             context.log.display("Successfully deleted dump files !")
 

nxc/modules/certipy-find.py

@@ -75,9 +75,12 @@ def on_login(self, context, connection):
             username=connection.username,
             password=connection.password,
             remote_name=connection.remoteName,
+            hashes=f"{connection.lmhash}:{connection.nthash}",
             lmhash=connection.lmhash,
             nthash=connection.nthash,
             do_kerberos=connection.kerberos,
+            aes=connection.aesKey,
+            dc_ip=connection.kdcHost,
             target_ip=connection.host,
             ldap_port=connection.port,
             ldap_scheme="ldaps" if connection.port == 636 else "ldap",

nxc/modules/coerce_plus.py

@@ -212,14 +212,14 @@ def on_login(self, context, connection):
             context.log.error("Invalid method, please check the method name.")
             return
 
-    @staticmethod
-    def get_dynamic_endpoint(interface: bytes, target: str, timeout: int = 5) -> str:
-        string_binding = rf"ncacn_ip_tcp:{target}[135]"
-        rpctransport = transport.DCERPCTransportFactory(string_binding)
-        rpctransport.set_connect_timeout(timeout)
-        dce = rpctransport.get_dce_rpc()
-        dce.connect()
-        return epm.hept_map(target, interface, protocol="ncacn_ip_tcp", dce=dce)
+
+def get_dynamic_endpoint(interface: bytes, target: str, timeout: int = 5) -> str:
+    string_binding = rf"ncacn_ip_tcp:{target}[135]"
+    rpctransport = transport.DCERPCTransportFactory(string_binding)
+    rpctransport.set_connect_timeout(timeout)
+    dce = rpctransport.get_dce_rpc()
+    dce.connect()
+    return epm.hept_map(target, interface, protocol="ncacn_ip_tcp", dce=dce)
 
 
 class ShadowCoerceTrigger:
@@ -541,7 +541,7 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
         # activates EFS
         # https://specterops.io/blog/2025/08/19/will-webclient-start/
         with contextlib.suppress(Exception):
-            NXCModule.get_dynamic_endpoint(uuidtup_to_bin(("df1941c5-fe89-4e79-bf10-463657acf44d", "0.0")), target, timeout=1)
+            get_dynamic_endpoint(uuidtup_to_bin(("df1941c5-fe89-4e79-bf10-463657acf44d", "0.0")), target, timeout=1)
 
         rpctransport = transport.DCERPCTransportFactory(binding_params[pipe]["stringBinding"])
         rpctransport.set_dport(445)
@@ -778,11 +778,12 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
                 "port": 445
             },
             "[dcerpc]": {
-                "stringBinding": NXCModule.get_dynamic_endpoint(uuidtup_to_bin(("12345678-1234-abcd-ef00-0123456789ab", "1.0")), target),
                 "MSRPC_UUID_RPRN": ("12345678-1234-abcd-ef00-0123456789ab", "1.0"),
                 "port": None
             }
         }
+        if pipe == "[dcerpc]":
+            binding_params["[dcerpc]"]["stringBinding"] = get_dynamic_endpoint(uuidtup_to_bin(("12345678-1234-abcd-ef00-0123456789ab", "1.0")), target)
         rpctransport = transport.DCERPCTransportFactory(binding_params[pipe]["stringBinding"])
         if binding_params[pipe]["port"] is not None:
             rpctransport.set_dport(binding_params[pipe]["port"])

nxc/modules/get-network.py

@@ -2,7 +2,6 @@
 # Credit to https://github.com/dirkjanm/adidnsdump @_dirkjan
 # module by @mpgn_x64
 import re
-import codecs
 import socket
 from datetime import datetime
 from struct import unpack
@@ -154,12 +153,12 @@ def on_login(self, context, connection):
 
         context.log.highlight(f"Found {len(outdata)} records")
         path = expanduser(f"{NXC_PATH}/logs/{connection.domain}_network_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}.log")
-        with codecs.open(path, "w", "utf-8") as outfile:
+        with open(path, "w") as outfile:
             for row in outdata:
                 if self.showhosts:
-                    outfile.write(f"{row['name'] + '.' + connection.domain}\n")
+                    outfile.write(f"{row['name'] + '.' + zone}\n")
                 elif self.showall:
-                    outfile.write(f"{row['name'] + '.' + connection.domain} \t {row['value']}\n")
+                    outfile.write(f"{row['name'] + '.' + zone} \t {row['value']}\n")
                 else:
                     outfile.write(f"{row['value']}\n")
         context.log.success(f"Dumped {len(outdata)} records to {path}")