Merge branch 'main' into be

Signed-off-by: mpgn <5891788+mpgn@users.noreply.github.com>

Author: mpgn

nxc/helpers/misc.py

@@ -4,6 +4,7 @@
 import inspect
 import os
 
+from ipaddress import ip_address
 
 def identify_target_file(target_file):
     with open(target_file) as target_file_handle:
@@ -78,7 +79,6 @@ def _access_check(fn, mode):
                 if _access_check(name, mode):
                     return name
 
-
 def get_bloodhound_info():
     """
     Detect which BloodHound package is installed (regular or CE) and its version.
@@ -135,3 +135,11 @@ def get_bloodhound_info():
             pass
 
     return package_name, version, is_ce
+
+def detect_if_ip(target):
+    try:
+        ip_address(target)
+        return True
+    except Exception:
+        return False
+

nxc/modules/eventlog_creds.py

@@ -20,13 +20,13 @@ def __init__(self):
         self.context = None
         self.module_options = None
         self.method = "execute"
-        self.limit = 1000
+        self.limit = None
 
     def options(self, context, module_options):
         """ 
-        METHOD         EventLog method (Execute or RPCCALL)
+        METHOD         EventLog method (Execute or RPCCALL), default: execute
         M              Alias for METHOD
-        LIMIT          Limit of the number of records to be fetched
+        LIMIT          Limit of the number of records to be fetched, default: unlimited
         L              Alias for LIMIT
         """
         if "METHOD" in module_options:
@@ -41,8 +41,6 @@ def options(self, context, module_options):
     def find_credentials(self, content, context):
         # remove unnecessary words
         content = content.replace("\r\n", "\n")
-        content = content.replace("/add", "")
-        content = content.replace("/active:yes", "")
 
         # sort and unique lines
         content = "\n".join(sorted(set(content.split("\n"))))
@@ -66,9 +64,16 @@ def find_credentials(self, content, context):
         # Extracting credentials
         for line in content.split("\n"):
             for reg in regexps:
-                # verbose context.log.debug("Line: " + line)
-                # verbose context.log.debug("Reg: " + reg)
-                match = re.search(reg, line, re.IGNORECASE)
+                # Remove unnecessary words
+                line_stripped = line.replace("/add", "") \
+                    .replace("/active:yes", "") \
+                    .replace("/delete", "") \
+                    .replace("/domain", "") \
+                # Remove command lines that were executed with nxc
+                line_stripped = re.sub(r"1> \\Windows\\Temp\\[\w]{6} 2>&1", "", line_stripped)
+
+                # Use regex to find credentials
+                match = re.search(reg, line_stripped, re.IGNORECASE)
                 if match:
                     # eleminate false positives
                     # C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay
@@ -92,11 +97,12 @@ def find_credentials(self, content, context):
 
     def on_admin_login(self, context, connection):
         content = ""
-        if self.method[:1].lower() == "e":
+        if self.method.lower().startswith("e"):
+            limit_str = f"/c:{self.limit}" if self.limit is not None else ""
             # https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688
             commands = [
-                f'wevtutil qe Security /c:{self.limit} /f:text /rd:true /q:"*[System[(EventID=4688)]]" |findstr "Command Line"',
-                f'wevtutil qe Microsoft-Windows-Sysmon/Operational /c:{self.limit} /f:text  /rd:true /q:"*[System[(EventID=1)]]" |findstr "ParentCommandLine"'
+                f'wevtutil qe Microsoft-Windows-Sysmon/Operational {limit_str} /f:text  /rd:true /q:"*[System[(EventID=1)]]" | findstr "ParentCommandLine"',
+                f'wevtutil qe Security {limit_str} /f:text /rd:true /q:"*[System[(EventID=4688)]]" | findstr "Command Line"',
             ]
             for command in commands:
                 context.log.debug("Execute Command: " + command)
@@ -127,7 +133,6 @@ def on_admin_login(self, context, connection):
                         content += "CommandLine: " + match.group("CommandLine") + "\n"
                 except Exception as e:
                     context.log.error(f"Error: {e}")
-                    continue
 
         self.find_credentials(content, context)
 
@@ -182,7 +187,7 @@ def query(self, path, query, limit):
 
 
 class MSEven6Result:
-    def __init__(self, conn, handle, limit):
+    def __init__(self, conn, handle, limit=None):
         self._conn = conn
         self._handle = handle
         self._hardlimit = limit
@@ -192,11 +197,12 @@ def __iter__(self):
         return self
 
     def __next__(self):
-        self._hardlimit -= 1
-        if self._hardlimit < 0:
-            raise StopIteration
+        if self._hardlimit is not None:
+            self._hardlimit -= 1
+            if self._hardlimit < 0:
+                raise StopIteration
         if self._resp is not None and self._resp["NumActualRecords"] == 0:
-            return None
+            raise StopIteration
 
         if self._resp is None or self._index == self._resp["NumActualRecords"]:
             req = even6.EvtRpcQueryNext()

nxc/protocols/ldap/resolution.py

@@ -0,0 +1,63 @@
+from re import sub, I
+from errno import EHOSTUNREACH, ETIMEDOUT, ENETUNREACH
+from OpenSSL.SSL import SysCallError
+
+from impacket.ldap import ldap as ldap_impacket
+from impacket.ldap import ldapasn1 as ldapasn1_impacket
+
+from nxc.parsers.ldap_results import parse_result_attributes
+from nxc.logger import nxc_logger
+
+class LDAPResolution:
+
+    def __init__(self, host):
+        self.host = host
+
+    def get_resolution(self):
+        target = ""
+        target_domain = ""
+        base_dn = ""
+        try:
+            ldap_url = f"ldap://{self.host}"
+            nxc_logger.info(f"Connecting to {ldap_url} with no baseDN")
+            try:
+                self.ldap_connection = ldap_impacket.LDAPConnection(ldap_url, dstIp=self.host)
+                if self.ldap_connection:
+                    nxc_logger.debug(f"ldap_connection: {self.ldap_connection}")
+            except SysCallError as e:
+                nxc_logger.fail(f"LDAP connection to {ldap_url} failed: {e}")
+                return False
+
+            resp = self.ldap_connection.search(
+                scope=ldapasn1_impacket.Scope("baseObject"),
+                attributes=["defaultNamingContext", "dnsHostName"],
+                sizeLimit=0,
+            )
+            resp_parsed = parse_result_attributes(resp)[0]
+
+            target = resp_parsed["dnsHostName"]
+            base_dn = resp_parsed["defaultNamingContext"]
+            target_domain = sub(
+                ",DC=",
+                ".",
+                base_dn[base_dn.lower().find("dc="):],
+                flags=I,
+            )[3:]
+            # Extract machine name from target (hostname part of FQDN)
+            if target:
+                machine_name = target.split(".")[0]
+                nxc_logger.debug(f"Extracted machine name: {machine_name}")
+
+            self.ldap_connection.close()
+        except ConnectionRefusedError as e:
+            nxc_logger.debug(f"{e} on host {self.host}")
+            return False
+        except OSError as e:
+            if e.errno in (EHOSTUNREACH, ENETUNREACH, ETIMEDOUT):
+                nxc_logger.info(f"Error connecting to {self.host} - {e}")
+                return False
+            else:
+                nxc_logger.error(f"Error getting ldap info {e}")
+
+        nxc_logger.debug(f"Target: {machine_name}.{target_domain}; target_domain: {target_domain}; base_dn: {base_dn}")
+        return machine_name, target_domain

nxc/protocols/smb.py

@@ -55,6 +55,8 @@
 from nxc.helpers.logger import highlight
 from nxc.helpers.bloodhound import add_user_bh
 from nxc.helpers.powershell import create_ps_command
+from nxc.helpers.misc import detect_if_ip
+from nxc.protocols.ldap.resolution import LDAPResolution
 
 from dploot.triage.vaults import VaultsTriage
 from dploot.triage.browser import BrowserTriage, LoginData, GoogleRefreshToken, Cookie
@@ -125,6 +127,7 @@ def __init__(self, args, db, host):
         self.no_ntlm = False
         self.protocol = "SMB"
         self.is_guest = None
+        self.isdc = False
 
         connection.__init__(self, args, db, host)
 
@@ -185,20 +188,30 @@ def enum_host_info(self):
             if not self.targetDomain:   # Not sure if that can even happen but now we are safe
                 self.targetDomain = self.hostname
         else:
-            # If we can't authenticate with NTLM and the target is supplied as a FQDN we must parse it
             try:
-                import socket
-                socket.inet_aton(self.host)
-                self.logger.debug("NTLM authentication not available! Authentication will fail without a valid hostname and domain name")
-                self.hostname = self.host
-                self.targetDomain = self.host
+                # If we know the host is a DC we can still get the hostname over LDAP if NTLM is not available
+                if self.is_host_dc() and detect_if_ip(self.host):
+                    self.hostname, self.domain = LDAPResolution(self.host).get_resolution()
+                    self.targetDomain = self.domain
+                # If we can't authenticate with NTLM and the target is supplied as a FQDN we must parse it
+                else:
+                    # Check if the host is a valid IP address, if not we parse the FQDN in the Exception
+                    import socket
+                    socket.inet_aton(self.host)
+                    self.logger.debug("NTLM authentication not available! Authentication will fail without a valid hostname and domain name")
+                    self.hostname = self.host
+                    self.targetDomain = self.host
             except OSError:
                 if self.host.count(".") >= 1:
                     self.hostname = self.host.split(".")[0]
                     self.targetDomain = ".".join(self.host.split(".")[1:])
                 else:
                     self.hostname = self.host
                     self.targetDomain = self.host
+            except Exception as e:
+                self.logger.debug(f"Error getting hostname from LDAP: {e}")
+                self.hostname = self.host
+                self.targetDomain = self.host
 
         if self.args.domain:
             self.domain = self.args.domain
@@ -283,21 +296,12 @@ def print_host_info(self):
         self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.targetDomain}) ({signing}) ({smbv1}) {ntlm}")
 
         if self.args.generate_hosts_file or self.args.generate_krb5_file:
-            from impacket.dcerpc.v5 import nrpc, epm
-            self.logger.debug("Performing authentication attempts...")
-            isdc = False
-            try:
-                epm.hept_map(self.host, nrpc.MSRPC_UUID_NRPC, protocol="ncacn_ip_tcp")
-                isdc = True
-            except DCERPCException:
-                self.logger.debug("Error while connecting to host: DCERPCException, which means this is probably not a DC!")
-
             if self.args.generate_hosts_file:
                 with open(self.args.generate_hosts_file, "a+") as host_file:
-                    dc_part = f" {self.targetDomain}" if isdc else ""
+                    dc_part = f" {self.targetDomain}" if self.isdc else ""
                     host_file.write(f"{self.host}     {self.hostname}.{self.targetDomain}{dc_part} {self.hostname}\n")
-                    self.logger.debug(f"{self.host}    {self.hostname}.{self.targetDomain}{dc_part} {self.hostname}")
-            elif self.args.generate_krb5_file and isdc:
+                    self.logger.debug(f"Line added to {self.args.generate_hosts_file} {self.host}    {self.hostname}.{self.targetDomain}{dc_part} {self.hostname}")
+            elif self.args.generate_krb5_file and self.isdc:
                 with open(self.args.generate_krb5_file, "w+") as host_file:
                     data = f"""
 [libdefaults]
@@ -658,6 +662,18 @@ def generate_tgt(self):
         except Exception as e:
             self.logger.fail(f"Failed to get TGT: {e}")
 
+    def is_host_dc(self):
+        from impacket.dcerpc.v5 import nrpc, epm
+        self.logger.debug("Performing authentication attempts...")
+        try:
+            epm.hept_map(self.host, nrpc.MSRPC_UUID_NRPC, protocol="ncacn_ip_tcp")
+            self.isdc = True
+            return True
+        except DCERPCException:
+            self.logger.debug("Error while connecting to host: DCERPCException, which means this is probably not a DC!")
+        self.isdc = False
+        return False
+
     @requires_admin
     def execute(self, payload=None, get_output=False, methods=None) -> str:
         """