Merge branch 'main' into marshall-options-fix

Signed-off-by: Marshall Hallenbeck <Marshall.Hallenbeck@gmail.com>

Author: Marshall-Hallenbeck

nxc/cli.py

@@ -126,6 +126,10 @@ def gen_cli_args():
         print(f"{VERSION} - {CODENAME} - {COMMIT}")
         sys.exit(1)
 
+    # Multiply output_tries by 10 to enable more fine granural control, see exec methods
+    if hasattr(args, "get_output_tries"):
+        args.get_output_tries = args.get_output_tries * 10
+
     return args
 
 

nxc/modules/wcc.py

@@ -28,17 +28,6 @@
 REG_VALUE_TYPE_UNICODE_STRING_SEQUENCE = 7
 REG_VALUE_TYPE_64BIT_LE = 11
 
-# Setup file logger
-if "wcc_logger" not in globals():
-    wcc_logger = logging.getLogger("WCC")
-    wcc_logger.propagate = False
-    log_filename = nxc_logger.init_log_file()
-    log_filename = log_filename.replace("log_", "wcc_")
-    wcc_logger.setLevel(logging.INFO)
-    wcc_file_handler = logging.FileHandler(log_filename)
-    wcc_file_handler.setFormatter(logging.Formatter("%(asctime)s [%(levelname)s] %(message)s"))
-    wcc_logger.addHandler(wcc_file_handler)
-
 
 class ConfigCheck:
     """Class for performing the checks and holding the results"""
@@ -75,7 +64,7 @@ def run(self):
     def log(self, context):
         result = "passed" if self.ok else "did not pass"
         reasons = ", ".join(self.reasons)
-        wcc_logger.info(f'{self.connection.host}: Check "{self.name}" {result} because: {reasons}')
+        self.module.wcc_logger.info(f'{self.connection.host}: Check "{self.name}" {result} because: {reasons}')
         if self.module.quiet:
             return
 
@@ -99,6 +88,19 @@ class NXCModule:
     supported_protocols = ["smb"]
     opsec_safe = True
     multiple_hosts = True
+    
+    def __init__(self):
+        self.context = None
+        self.module_options = None
+        
+        self.wcc_logger = logging.getLogger("WCC")
+        self.wcc_logger.propagate = False
+        log_filename = nxc_logger.init_log_file()
+        log_filename = log_filename.replace("log_", "wcc_")
+        self.wcc_logger.setLevel(logging.INFO)
+        wcc_file_handler = logging.FileHandler(log_filename)
+        wcc_file_handler.setFormatter(logging.Formatter("%(asctime)s [%(levelname)s] %(message)s"))
+        self.wcc_logger.addHandler(wcc_file_handler)
 
     def options(self, context, module_options):
         """
@@ -156,15 +158,9 @@ def __init__(self, context, connection):
         self.dce = remoteOps._RemoteOperations__rrp
 
     def run(self):
-        # Prepare checks
         self.init_checks()
-
-        # Perform checks
         self.check_config()
-
-    # Check methods #
-    #################
-
+        
     def init_checks(self):
         # Declare the checks to do and how to do them
         self.checks = [
@@ -483,9 +479,6 @@ def check_applocker(self):
 
         return success, reasons
 
-    # Methods for getting values from the remote registry #
-    #######################################################
-
     def _open_root_key(self, dce, connection, root_key):
         ans = None
         retries = 1
@@ -595,9 +588,6 @@ def get_value(subkey_handle, dwIndex=0):
                     return data
             return DCERPCSessionError(error_code=ERROR_OBJECT_NOT_FOUND)
 
-    # Methods for getting values from SAMR and SCM #
-    ################################################
-
     def get_service(self, service_name, connection):
         """Get the service status and configuration for specified service"""
         remoteOps = RemoteOperations(smbConnection=connection.conn, doKerberos=False)
@@ -645,23 +635,15 @@ def ls(self, smb, path="\\", share="C$"):
             self.context.log.error(f"ls(): C:\\{path} {e}\n")
         return file_listing
 
-
-# Comparison operators #
-########################
-
-
 def le(reg_sz_string, number):
     return int(reg_sz_string[:-1]) <= number
 
-
 def in_(obj, seq):
     return obj in seq
 
-
 def startswith(string, start):
     return string.startswith(start)
 
-
 def not_(boolean_operator):
     def wrapper(*args, **kwargs):
         return not boolean_operator(*args, **kwargs)

nxc/protocols/ldap.py

@@ -28,6 +28,7 @@
 from impacket.krb5.types import Principal, KerberosException
 from impacket.ldap import ldap as ldap_impacket
 from impacket.ldap import ldapasn1 as ldapasn1_impacket
+from impacket.ldap.ldap import LDAPFilterSyntaxError
 from impacket.smb import SMB_DIALECT
 from impacket.smbconnection import SMBConnection, SessionError
 
@@ -1054,6 +1055,36 @@ def kerberoasting(self):
                 self.logger.highlight("No entries found!")
         self.logger.fail("Error with the LDAP account used")
 
+    def query(self):
+        """
+        Query the LDAP server with the specified filter and attributes.
+        Example usage:
+            --query "(sAMAccountName=Administrator)" "sAMAccountName pwdLastSet memberOf"
+        """
+        search_filter = self.args.query[0]
+        attributes = [attr.strip() for attr in self.args.query[1].split(" ")]
+        if len(attributes) == 1 and attributes[0] == "":
+            attributes = None
+        if not search_filter:
+            self.logger.fail("No filter specified")
+            return
+        self.logger.debug(f"Querying LDAP server with filter: {search_filter} and attributes: {attributes}")
+        try:
+            resp = self.search(search_filter, attributes, 0)
+        except LDAPFilterSyntaxError as e:
+            self.logger.fail(f"LDAP Filter Syntax Error: {e}")
+            return
+        for item in resp:
+            if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
+                continue
+            self.logger.success(f"Response for object: {item['objectName']}")
+            for attribute in item["attributes"]:
+                attr = f"{attribute['type']}:"
+                vals = str(attribute["vals"]).replace("\n", "")
+                if "SetOf: " in vals:
+                    vals = vals.replace("SetOf: ", "")
+                self.logger.highlight(f"{attr:<20} {vals}")
+
     def trusted_for_delegation(self):
         # Building the search filter
         searchFilter = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

nxc/protocols/ldap/proto_args.py

@@ -16,6 +16,7 @@ def proto_args(parser, parents):
     egroup.add_argument("--kerberoasting", help="Output TGS ticket to crack with hashcat to file")
 
     vgroup = ldap_parser.add_argument_group("Retrieve useful information on the domain", "Options to to play with Kerberos")
+    vgroup.add_argument("--query", nargs=2, help="Query LDAP with a custom filter and attributes")
     vgroup.add_argument("--trusted-for-delegation", action="store_true", help="Get the list of users and computers with flag TRUSTED_FOR_DELEGATION")
     vgroup.add_argument("--password-not-required", action="store_true", help="Get the list of users with flag PASSWD_NOTREQD")
     vgroup.add_argument("--admin-count", action="store_true", help="Get objets that had the value adminCount=1")

nxc/protocols/smb.py

@@ -1126,7 +1126,8 @@ def wmi(self, wmi_query=None, namespace=None):
                     record = wmi_results.getProperties()
                     records.append(record)
                     for k, v in record.items():
-                        self.logger.highlight(f"{k} => {v['value']}")
+                        if k != "TimeGenerated":  # from the wcc module, but this is a small hack to get it to stop spamming - TODO: add in method to disable output for this function
+                            self.logger.highlight(f"{k} => {v['value']}")
                 except Exception as e:
                     if str(e).find("S_FALSE") < 0:
                         raise e

nxc/protocols/smb/atexec.py

@@ -133,7 +133,7 @@ def execute_handler(self, command, fileless=False):
 
         xml = self.gen_xml(command, fileless)
 
-        self.logger.info(f"Task XML: {xml}")
+        self.logger.debug(f"Task XML: {xml}")
         taskCreated = False
         self.logger.info(f"Creating task \\{tmpName}")
         try:
@@ -181,22 +181,35 @@ def execute_handler(self, command, fileless=False):
             else:
                 ":".join(map(str, self.__rpctransport.get_socket().getpeername()))
                 smbConnection = self.__rpctransport.get_smb_connection()
-                tries = 1
+
+                tries = 0
+                # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
+                sleep(0.4)
                 while True:
                     try:
                         self.logger.info(f"Attempting to read {self.__share}\\{self.__output_filename}")
                         smbConnection.getFile(self.__share, self.__output_filename, self.output_callback)
                         break
                     except Exception as e:
-                        if tries >= self.__tries:
+                        if tries > self.__tries:
                             self.logger.fail("ATEXEC: Could not retrieve output file, it may have been detected by AV. Please increase the number of tries with the option '--get-output-tries'. If it is still failing, try the 'wmi' protocol or another exec method")
                             break
-                        if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
+                        if "STATUS_BAD_NETWORK_NAME" in str(e):
                             self.logger.fail(f"ATEXEC: Getting the output file failed - target has blocked access to the share: {self.__share} (but the command may have executed!)")
                             break
-                        if str(e).find("SHARING") > 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                            sleep(3)
+                        elif "STATUS_VIRUS_INFECTED" in str(e):
+                            self.logger.fail("Command did not run because a virus was detected")
+                            break
+                        # When executing powershell and the command is still running, we get a sharing violation
+                        # We can use that information to wait longer than if the file is not found (probably av or something)
+                        if "STATUS_SHARING_VIOLATION" in str(e):
+                            self.logger.info(f"File {self.__share}\\{self.__output_filename} is still in use with {self.__tries - tries} left, retrying...")
                             tries += 1
+                            sleep(1)
+                        elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                            self.logger.info(f"File {self.__share}\\{self.__output_filename} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                            tries += 10
+                            sleep(1)
                         else:
                             self.logger.debug(str(e))
 

nxc/protocols/smb/mmcexec.py

@@ -247,23 +247,35 @@ def get_output_remote(self):
         if self.__retOutput is False:
             self.__outputBuffer = ""
             return
-        tries = 1
+
+        tries = 0
+        # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
+        sleep(0.4)
         while True:
             try:
                 self.logger.info(f"Attempting to read {self.__share}\\{self.__output}")
                 self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
-                if tries >= self.__tries:
+                if tries > self.__tries:
                     self.logger.fail("MMCEXEC: Could not retrieve output file, it may have been detected by AV. Please increase the number of tries with the option '--get-output-tries'. If it is still failing, try the 'wmi' protocol or another exec method")
                     break
-                if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
+                if "STATUS_BAD_NETWORK_NAME" in str(e):
                     self.logger.fail(f"MMCEXEC: Getting the output file failed - target has blocked access to the share: {self.__share} (but the command may have executed!)")
                     break
-                if str(e).find("STATUS_SHARING_VIOLATION") >= 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                    # Output not finished, let's wait
-                    sleep(2)
+                elif "STATUS_VIRUS_INFECTED" in str(e):
+                    self.logger.fail("Command did not run because a virus was detected")
+                    break
+                # When executing powershell and the command is still running, we get a sharing violation
+                # We can use that information to wait longer than if the file is not found (probably av or something)
+                if "STATUS_SHARING_VIOLATION" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} is still in use with {self.__tries - tries} left, retrying...")
                     tries += 1
+                    sleep(1)
+                elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                    tries += 10
+                    sleep(1)
                 else:
                     self.logger.debug(str(e))
 

nxc/protocols/smb/proto_args.py

@@ -69,7 +69,7 @@ def proto_args(parser, parents):
     cmd_exec_group = smb_parser.add_argument_group("Command Execution", "Options for executing commands")
     cmd_exec_group.add_argument("--exec-method", choices={"wmiexec", "mmcexec", "smbexec", "atexec"}, default="wmiexec", help="method to execute the command. Ignored if in MSSQL mode")
     cmd_exec_group.add_argument("--dcom-timeout", help="DCOM connection timeout", type=int, default=5)
-    cmd_exec_group.add_argument("--get-output-tries", help="Number of times atexec/smbexec/mmcexec tries to get results", type=int, default=5)
+    cmd_exec_group.add_argument("--get-output-tries", help="Number of times atexec/smbexec/mmcexec tries to get results", type=int, default=10)
     cmd_exec_group.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output. If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
     cmd_exec_group.add_argument("--no-output", action="store_true", help="do not retrieve command output")
 

nxc/protocols/smb/smbexec.py

@@ -99,9 +99,7 @@ def execute_remote(self, data):
             batch_file.write(command)
 
         self.logger.debug("Hosting batch file with command: " + command)
-
         self.logger.debug("Command to execute: " + command)
-
         self.logger.debug(f"Remote service {self.__serviceName} created.")
 
         try:
@@ -138,23 +136,35 @@ def get_output_remote(self):
         if self.__retOutput is False:
             self.__outputBuffer = ""
             return
-        tries = 1
+
+        # TODO: It looks like the service is hanging anyway until the command is finished, so all this timeout logic is likely not needed
+        # Still adding this for now to keep the structure similar until we can confirm the above
+        tries = 0
         while True:
             try:
                 self.logger.info(f"Attempting to read {self.__share}\\{self.__output}")
                 self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
-                if tries >= self.__tries:
+                if tries > self.__tries:
                     self.logger.fail("SMBEXEC: Could not retrieve output file, it may have been detected by AV. Please increase the number of tries with the option '--get-output-tries'. If it is still failing, try the 'wmi' protocol or another exec method")
                     break
-                if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
+                if "STATUS_BAD_NETWORK_NAME" in str(e):
                     self.logger.fail(f"SMBEXEC: Getting the output file failed - target has blocked access to the share: {self.__share} (but the command may have executed!)")
                     break
-                if str(e).find("STATUS_SHARING_VIOLATION") >= 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                    # Output not finished, let's wait
-                    sleep(2)
+                elif "STATUS_VIRUS_INFECTED" in str(e):
+                    self.logger.fail("Command did not run because a virus was detected")
+                    break
+                # When executing powershell and the command is still running, we get a sharing violation
+                # We can use that information to wait longer than if the file is not found (probably av or something)
+                if "STATUS_SHARING_VIOLATION" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} is still in use with {self.__tries - tries} left, retrying...")
                     tries += 1
+                    sleep(1)
+                elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                    tries += 10
+                    sleep(1)
                 else:
                     self.logger.debug(str(e))
 

nxc/protocols/smb/wmiexec.py

@@ -140,28 +140,36 @@ def get_output_remote(self):
             self.__outputBuffer = ""
             return
 
-        tries = 1
+        tries = 0
+        # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
+        sleep(0.4)
         while True:
             try:
                 self.logger.info(f"Attempting to read {self.__share}\\{self.__output}")
                 self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
-                if tries >= self.__tries:
+                if tries > self.__tries:
                     self.logger.fail("wmiexec: Could not retrieve output file, it may have been detected by AV. If it is still failing, try the 'wmi' protocol or another exec method")
                     break
-                elif str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
+                elif "STATUS_BAD_NETWORK_NAME" in str(e):
                     self.logger.fail(f"SMB connection: target has blocked {self.__share} access (maybe command executed!)")
                     break
-                elif str(e).find("STATUS_VIRUS_INFECTED") >= 0:
+                elif "STATUS_VIRUS_INFECTED" in str(e):
                     self.logger.fail("Command did not run because a virus was detected")
                     break
-                
-                if str(e).find("STATUS_SHARING_VIOLATION") >= 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                    sleep(2)
+                # When executing powershell and the command is still running, we get a sharing violation
+                # We can use that information to wait longer than if the file is not found (probably av or something)
+                elif "STATUS_SHARING_VIOLATION" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} is still in use with {self.__tries - tries} left, retrying...")
+                    sleep(1)
+                    tries += 1
+                elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                    tries += 10
+                    sleep(1)
                 else:
                     self.logger.debug(f"Exception when trying to read output file: {e}")
-                tries += 1
 
         if self.__outputBuffer:
             self.logger.debug(f"Deleting file {self.__share}\\{self.__output}")