Merge branch 'main' into cleanup

Author: mpgn

nxc/connection.py

@@ -384,7 +384,7 @@ def parse_credentials(self):
                         if "\\" in line and len(line.split("\\")) == 2:
                             domain_single, username_single = line.split("\\")
                         else:
-                            domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain else self.domain
+                            domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain is not None else self.domain
                             username_single = line
                         domain.append(domain_single)
                         username.append(username_single.strip())
@@ -393,7 +393,7 @@ def parse_credentials(self):
                 if "\\" in user:
                     domain_single, username_single = user.split("\\")
                 else:
-                    domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain else self.domain
+                    domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain is not None else self.domain
                     username_single = user
                 domain.append(domain_single)
                 username.append(username_single)

nxc/helpers/pfx.py

@@ -503,7 +503,8 @@ def pfx_auth(self):
         return None
 
     username = self.args.username[0]
-    log_ccache = os.path.expanduser(f"{NXC_PATH}/logs/{self.hostname}_{self.host}_{datetime.datetime.now().strftime('%Y-%m-%d_%H%M%S')}-{username}.ccache".replace(":", "-"))
+    timestamp = datetime.datetime.now().strftime("%Y-%m-%d_%H%M%S").replace(":", "-")
+    log_ccache = os.path.normpath(os.path.expanduser(f"{NXC_PATH}/logs/{self.hostname}_{self.host}_{timestamp}-{username}.ccache"))
 
     # Request a TGT with the cert data
     req = ini.build_asreq(self.domain, username)

nxc/modules/change-password.py

@@ -0,0 +1,151 @@
+import sys
+from impacket.dcerpc.v5 import samr, epm, transport
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+
+class NXCModule:
+    """
+    Module for changing or resetting user passwords
+    Module by Fagan Afandiyev, termanix and NeffIsBack
+    """
+
+    name = "change-password"
+    description = "Change or reset user passwords via various protocols"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = False
+
+    def options(self, context, module_options):
+        """
+        Required (one of):
+        NEWPASS     The new password of the user.
+        NEWNTHASH   The new NT hash of the user.
+
+        Optional:
+        USER        The user account if the target is not the current user.
+
+        Examples
+        --------
+        If STATUS_PASSWORD_MUST_CHANGE or STATUS_PASSWORD_EXPIRED (Change password for current user)
+            netexec smb <DC_IP> -u username -p oldpass -M change-password -o NEWNTHASH='nthash'
+            netexec smb <DC_IP> -u username -H oldnthash -M change-password -o NEWPASS='newpass'
+
+        If want to change other user's password (with forcechangepassword priv or admin rights)
+            netexec smb <DC_IP> -u username -p password -M change-password -o USER='target_user' NEWPASS='target_user_newpass'
+            netexec smb <DC_IP> -u username -p password -M change-password -o USER='target_user' NEWNTHASH='target_user_newnthash'
+        """
+        self.context = context
+        self.newpass = module_options.get("NEWPASS")
+        self.newhash = module_options.get("NEWNTHASH")
+        self.target_user = module_options.get("USER")
+
+        if not self.newpass and not self.newhash:
+            context.log.fail("Either NEWPASS or NEWNTHASH is required!")
+            sys.exit(1)
+
+    def authenticate(self, context, connection, protocol, anonymous=False):
+        # Authenticate to the target using DCE/RPC with either user credentials or a null session. Establishes a connection and binds to the SAMR service.
+        try:
+            # Map to the SAMR endpoint on the target
+            string_binding = epm.hept_map(connection.host, samr.MSRPC_UUID_SAMR, protocol=protocol)
+            rpctransport = transport.DCERPCTransportFactory(string_binding)
+            rpctransport.setRemoteHost(connection.host)
+
+            if anonymous:
+                rpctransport.set_credentials("", "", "", "", "", "")
+                rpctransport.set_kerberos(False, None)
+                context.log.info("Connecting with null session credentials.")
+            else:
+                rpctransport.set_credentials(
+                    connection.username,
+                    connection.password,
+                    connection.domain,
+                    connection.lmhash,
+                    connection.nthash,
+                    aesKey=connection.aesKey,
+                )
+                context.log.info(f"Connecting as {connection.domain}\\{connection.username}")
+
+            # Connect to the DCE/RPC endpoint and bind to the SAMR service
+            dce = rpctransport.get_dce_rpc()
+            dce.connect()
+            context.log.info("[+] Successfully connected to DCE/RPC")
+            dce.bind(samr.MSRPC_UUID_SAMR)
+            context.log.info("[+] Successfully bound to SAMR")
+            return dce
+        except DCERPCException as e:
+            context.log.fail(f"DCE/RPC Exception: {e!s}")
+            raise
+
+    def on_login(self, context, connection):
+        target_username = self.target_user or connection.username
+        target_domain = connection.domain
+
+        # Grab all creds from the connection to use for authentication
+        self.oldpass = connection.password
+        self.oldhash = connection.nthash
+
+        new_lmhash, new_nthash = "", ""
+
+        # Parse new hash values if provided
+        if self.newhash:
+            try:
+                new_lmhash, new_nthash = self.newhash.split(":")
+            except ValueError:
+                new_nthash = self.newhash
+
+        try:
+            self.anonymous = False
+            self.dce = self.authenticate(context, connection, protocol="ncacn_np", anonymous=self.anonymous)
+        except Exception as e:
+            # Handle specific errors like password expiration or must be change
+            if "STATUS_PASSWORD_MUST_CHANGE" in str(e) or "STATUS_PASSWORD_EXPIRED" in str(e):
+                context.log.warning("Password must be changed. Trying with null session.")
+                self.anonymous = True
+                self.dce = self.authenticate(context, connection, protocol="ncacn_ip_tcp", anonymous=self.anonymous)
+            elif "STATUS_LOGON_FAILURE" in str(e):
+                context.log.fail("Authentication failure: wrong credentials.")
+                return False
+            else:
+                raise
+
+        try:
+            # Perform the SMB SAMR password change
+            self._smb_samr_change(context, connection, target_username, target_domain, self.oldhash, self.newpass, new_nthash)
+        except Exception as e:
+            context.log.fail(f"Password change failed: {e}")
+
+    def _smb_samr_change(self, context, connection, target_username, target_domain, oldHash, newPassword, newHash):
+        try:
+            # Reset the password for a different user
+            if target_username != connection.username:
+                user_handle = self._hSamrOpenUser(connection, target_username)
+                samr.hSamrSetNTInternal1(self.dce, user_handle, newPassword, newHash)
+                context.log.success(f"Successfully changed password for {target_username}")
+            else:
+                # Change password for the current user
+                if newPassword:
+                    # Change the password with new password
+                    samr.hSamrUnicodeChangePasswordUser2(self.dce, "\x00", target_username, self.oldpass, newPassword, "", oldHash)
+                else:
+                    # Change the password with new hash
+                    user_handle = self._hSamrOpenUser(connection, target_username)
+                    samr.hSamrChangePasswordUser(self.dce, user_handle, self.oldpass, "", oldHash, "aad3b435b51404eeaad3b435b51404ee", newHash)
+                    context.log.highlight("Note: Target user must change password at next logon.")
+                context.log.success(f"Successfully changed password for {target_username}")
+        except Exception as e:
+            context.log.fail(f"SMB-SAMR password change failed: {e}")
+        finally:
+            self.dce.disconnect()
+
+    def _hSamrOpenUser(self, connection, username):
+        """Get handle to the user object"""
+        try:
+            # Connect to the target server and retrieve handles
+            server_handle = samr.hSamrConnect(self.dce, connection.host + "\x00")["ServerHandle"]
+            domain_sid = samr.hSamrLookupDomainInSamServer(self.dce, server_handle, connection.domain)["DomainId"]
+            domain_handle = samr.hSamrOpenDomain(self.dce, server_handle, domainId=domain_sid)["DomainHandle"]
+            user_rid = samr.hSamrLookupNamesInDomain(self.dce, domain_handle, (username,))["RelativeIds"]["Element"][0]
+            return samr.hSamrOpenUser(self.dce, domain_handle, userId=user_rid)["UserHandle"]
+        except Exception as e:
+            self.context.log.fail(f"Failed to open user: {e}")

nxc/modules/schtask_as.py

@@ -1,5 +1,5 @@
-import contextlib
 import os
+import contextlib
 from time import sleep
 from datetime import datetime, timedelta
 from impacket.dcerpc.v5.dtypes import NULL
@@ -13,20 +13,35 @@ class NXCModule:
     """
     Execute a scheduled task remotely as a already connected user by @Defte_
     Thanks @Shad0wC0ntr0ller for the idea of removing the hardcoded date that could be used as an IOC
+    Modified by @Defte_ so that output on multiples lines are printed correctly (28/04/2025)
+    Modified by @Defte_ so that we can upload a custom binary to execute using the BINARY option (28/04/2025)
     """
 
     def options(self, context, module_options):
         r"""
+        BINARY         Upload the binary to be executed by CMD
         CMD            Command to execute
         USER           User to execute command as
         TASK           OPTIONAL: Set a name for the scheduled task name
         FILE           OPTIONAL: Set a name for the command output file
         LOCATION       OPTIONAL: Set a location for the command output file (e.g. '\tmp\')
+
+        Example:
+        -------
+        nxc smb <ip> -u <user> -p <password> -M schtask_as -o USER=Administrator CMD=whoami
+        nxc smb <ip> -u <user> -p <password> -M schtask_as -o USER=Administrator CMD='bin.exe --option' BINARY=bin.exe
         """
-        self.cmd = self.user = self.task = self.file = self.location = self.time = None
+        self.cmd = self.binary = self.user = self.task = self.file = self.location = self.time = None
+        self.share = "C$"
+        self.tmp_dir = "C:\\Windows\\Temp\\"
+        self.tmp_share = self.tmp_dir.split(":")[1]
+
         if "CMD" in module_options:
             self.cmd = module_options["CMD"]
 
+        if "BINARY" in module_options:
+            self.binary = module_options["BINARY"]
+
         if "USER" in module_options:
             self.user = module_options["USER"]
 
@@ -47,13 +62,32 @@ def options(self, context, module_options):
 
     def on_admin_login(self, context, connection):
         self.logger = context.log
+
         if self.cmd is None:
             self.logger.fail("You need to specify a CMD to run")
             return 1
+
         if self.user is None:
             self.logger.fail("You need to specify a USER to run the command as")
             return 1
 
+        if self.binary:
+            if not os.path.isfile(self.binary):
+                self.logger.fail(f"Cannot find {self.binary}")
+                return 1
+            else:
+                self.logger.display(f"Uploading {self.binary}")
+                with open(self.binary, "rb") as binary_to_upload:
+                    try:
+                        self.binary_name = os.path.basename(self.binary)
+                        connection.conn.putFile(self.share, f"{self.tmp_share}{self.binary_name}", binary_to_upload.read)
+                        self.logger.success(f"Binary {self.binary_name} successfully uploaded in {self.tmp_share}{self.binary_name}")
+                    except Exception as e:
+                        self.logger.fail(f"Error writing file to share {self.tmp_share}: {e}")
+                        return 1
+
+        # Returnes self.cmd or \Windows\temp\BinToExecute.exe depending if BINARY=BinToExecute.exe
+        self.cmd = self.cmd if not self.binary else f"{self.tmp_share}{self.cmd}"
         self.logger.display("Connecting to the remote Service control endpoint")
         try:
             exec_method = TSCH_EXEC(
@@ -87,7 +121,8 @@ def on_admin_login(self, context, connection):
                 # Required to decode specific French characters otherwise it'll print b"<result>"
                 output = output.decode("cp437")
             if output:
-                self.logger.highlight(output)
+                for line in output.splitlines():
+                    self.logger.highlight(line.rstrip())
 
         except Exception as e:
             if "SCHED_S_TASK_HAS_NOT_RUN" in str(e):
@@ -96,6 +131,13 @@ def on_admin_login(self, context, connection):
                     exec_method.deleteartifact()
             else:
                 self.logger.fail(f"Failed to execute command: {e}")
+        finally:
+            if self.binary:
+                try:
+                    connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.binary_name}")
+                    context.log.success(f"Binary {self.binary_name} successfully deleted")
+                except Exception as e:
+                    context.log.fail(f"Error deleting {self.binary_name} on {self.share}: {e}")
 
 
 class TSCH_EXEC: