Merge branch 'Pennyw0rth:main' into pre2k-module-adjustment

Author: ledrypotato

nxc/connection.py

@@ -5,7 +5,7 @@
 import contextlib
 
 from os.path import isfile
-from threading import BoundedSemaphore
+from threading import BoundedSemaphore, Lock
 from functools import wraps
 from time import sleep
 from ipaddress import ip_address
@@ -25,6 +25,7 @@
 from impacket.krb5.ccache import CCache
 
 sem = BoundedSemaphore(1)
+fail_lock = Lock()
 global_failed_logins = 0
 user_failed_logins = {}
 
@@ -315,26 +316,28 @@ def call_modules(self):
     def inc_failed_login(self, username):
         global global_failed_logins, user_failed_logins
 
-        if username not in user_failed_logins:
-            user_failed_logins[username] = 0
+        with fail_lock:
+            if username not in user_failed_logins:
+                user_failed_logins[username] = 0
 
-        user_failed_logins[username] += 1
-        global_failed_logins += 1
-        self.failed_logins += 1
+            user_failed_logins[username] += 1
+            global_failed_logins += 1
+            self.failed_logins += 1
 
     def over_fail_limit(self, username):
         global global_failed_logins, user_failed_logins
 
-        if global_failed_logins == self.args.gfail_limit:
-            return True
+        with fail_lock:
+            if global_failed_logins == self.args.gfail_limit:
+                return True
 
-        if self.failed_logins == self.args.fail_limit:
-            return True
+            if self.failed_logins == self.args.fail_limit:
+                return True
 
-        if username in user_failed_logins and self.args.ufail_limit == user_failed_logins[username]:  # noqa: SIM103
-            return True
+            if username in user_failed_logins and self.args.ufail_limit == user_failed_logins[username]:  # noqa: SIM103
+                return True
 
-        return False
+            return False
 
     def query_db_creds(self):
         """Queries the database for credentials to be used for authentication.
@@ -481,8 +484,6 @@ def try_credentials(self, domain, username, owned, secret, cred_type, data=None)
             - NTLM-hash (/kerberos)
             - AES-key
         """
-        if self.over_fail_limit(username):
-            return False
         if self.args.continue_on_success and owned:
             return False
 
@@ -498,6 +499,8 @@ def try_credentials(self, domain, username, owned, secret, cred_type, data=None)
             sleep(value)
 
         with sem:
+            if self.over_fail_limit(username):
+                return False
             if cred_type == "plaintext":
                 if self.kerberos:
                     self.logger.debug("Trying to authenticate using Kerberos")

nxc/modules/get-scriptpath.py

@@ -0,0 +1,66 @@
+import json
+from nxc.helpers.misc import CATEGORY
+from nxc.parsers.ldap_results import parse_result_attributes
+
+
+class NXCModule:
+    """
+    Get the scriptPath attribute of users
+
+    Module by @wyndoo
+    """
+    name = "get-scriptpath"
+    description = "Get the scriptPath attribute of all users."
+    supported_protocols = ["ldap"]
+    category = CATEGORY.ENUMERATION
+
+    def options(self, context, module_options):
+        """
+        FILTER        Apply the FILTER (grep-like) (default: '')
+        OUTPUTFILE    Path to a file to save the results (default: None)
+        """
+        self.filter = ""
+        self.outputfile = None
+
+        if "FILTER" in module_options:
+            self.filter = module_options["FILTER"]
+
+        if "OUTPUTFILE" in module_options:
+            self.outputfile = module_options["OUTPUTFILE"]
+
+    def on_login(self, context, connection):
+        # Building the search filter
+        resp = connection.search(
+            searchFilter="(scriptPath=*)",
+            attributes=["sAMAccountName", "scriptPath"]
+        )
+
+        context.log.debug(f"Total of records returned {len(resp)}")
+        answers = parse_result_attributes(resp)
+        context.log.debug(f"Filtering for scriptPath containing: {self.filter}")
+        filtered_answers = list(filter(lambda x: self.filter in x["scriptPath"], answers))
+
+        if filtered_answers:
+            context.log.success("Found the following attributes: ")
+            for answer in filtered_answers:
+                context.log.highlight(f"User: {answer['sAMAccountName']:<20} ScriptPath: {answer['scriptPath']}")
+
+            # Save the results to a file
+            if self.outputfile:
+                self.save_to_file(context, filtered_answers)
+        else:
+            context.log.fail("No results found after filtering.")
+
+    def save_to_file(self, context, answers):
+        """Save the results to a JSON file."""
+        try:
+            # Format answers as a list of dictionaries for JSON output
+            json_data = [{"sAMAccountName": answer["sAMAccountName"], "scriptPath": answer["scriptPath"]} for answer in answers]
+
+            # Save the JSON data to the specified file
+            with open(self.outputfile, "w") as f:
+                json.dump(json_data, f, indent=4)
+            context.log.success(f"Results successfully saved to {self.outputfile}")
+
+        except Exception as e:
+            context.log.error(f"Failed to save results to file: {e}")

nxc/protocols/mssql.py

@@ -423,6 +423,9 @@ def handle_mssql_reply(self):
 
     def rid_brute(self, max_rid=None):
         entries = []
+        if self.conn.lastError:
+            self.logger.fail(f"Cannot perform RID bruteforce due to invalid connection: {self.conn.lastError}")
+            return entries
         if not max_rid:
             max_rid = int(self.args.rid_brute)
 
@@ -435,6 +438,7 @@ def rid_brute(self, max_rid=None):
             domain_sid = SID(bytes.fromhex(raw_domain_sid.decode())).formatCanonical()[:-4]
         except Exception as e:
             self.logger.fail(f"Error parsing SID. Not domain joined?: {e}")
+            return entries
 
         so_far = 0
         simultaneous = 1000

nxc/protocols/mssql/mssqlexec.py

@@ -10,18 +10,18 @@ def __init__(self, connection, logger):
         self.backuped_options = {}
 
     def execute(self, command):
-        result = None
+        result = ""
 
         self.backup_and_enable("advanced options")
         self.backup_and_enable("xp_cmdshell")
 
         try:
             cmd = f"exec master..xp_cmdshell '{command}'"
             self.logger.debug(f"Attempting to execute query: {cmd}")
-            result = self.mssql_conn.sql_query(cmd)
-            self.logger.debug(f"Raw results from query: {result}")
-            if result:
-                result = "\n".join(line["output"] for line in result if line["output"] != "NULL")
+            raw = self.mssql_conn.sql_query(cmd)
+            self.logger.debug(f"Raw results from query: {raw}")
+            if raw:
+                result = "\n".join(line["output"] for line in raw if line["output"] != "NULL")
                 self.logger.debug(f"Concatenated result together for easier parsing: {result}")
                 # if you prepend SilentlyContinue it will still output the error, but it will still continue on (so it's not silent...)
                 if "Preparing modules for first use" in result and "Completed" not in result:

tests/e2e_commands.txt

@@ -234,6 +234,7 @@ netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M user-de
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M whoami
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M dump-computers
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M raisechild
+netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M get-scriptpath
 ##### WINRM
 netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS # need an extra space after this command due to regex
 netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig