Merge pull request Pennyw0rth#666 from termanix/dc-list

REopen Update --dc-list Now check trusted domains DCs

Author: NeffIsBack

nxc/modules/enum_trusts.py

@@ -1,4 +1,3 @@
-from impacket.ldap import ldapasn1 as ldapasn1_impacket
 
 
 class NXCModule:
@@ -8,7 +7,7 @@ class NXCModule:
     """
 
     name = "enum_trusts"
-    description = "Extract all Trust Relationships, Trusting Direction, and Trust Transitivity"
+    description = "[REMOVED] Extract all Trust Relationships, Trusting Direction, and Trust Transitivity"
     supported_protocols = ["ldap"]
     opsec_safe = True
     multiple_hosts = True
@@ -17,70 +16,4 @@ def options(self, context, module_options):
         pass
 
     def on_login(self, context, connection):
-        search_filter = "(&(objectClass=trustedDomain))"
-        attributes = ["flatName", "trustPartner", "trustDirection", "trustAttributes"]
-
-        context.log.debug(f"Search Filter={search_filter}")
-        resp = connection.ldap_connection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)
-
-        trusts = []
-        context.log.debug(f"Total of records returned {len(resp)}")
-        for item in resp:
-            if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
-                continue
-            flat_name = ""
-            trust_partner = ""
-            trust_direction = ""
-            trust_transitive = []
-            try:
-                for attribute in item["attributes"]:
-                    if str(attribute["type"]) == "flatName":
-                        flat_name = str(attribute["vals"][0])
-                    elif str(attribute["type"]) == "trustPartner":
-                        trust_partner = str(attribute["vals"][0])
-                    elif str(attribute["type"]) == "trustDirection":
-                        if str(attribute["vals"][0]) == "1":
-                            trust_direction = "Inbound"
-                        elif str(attribute["vals"][0]) == "2":
-                            trust_direction = "Outbound"
-                        elif str(attribute["vals"][0]) == "3":
-                            trust_direction = "Bidirectional"
-                    elif str(attribute["type"]) == "trustAttributes":
-                        trust_attributes_value = int(attribute["vals"][0])
-                        if trust_attributes_value & 0x1:
-                            trust_transitive.append("Non-Transitive")
-                        if trust_attributes_value & 0x2:
-                            trust_transitive.append("Uplevel-Only")
-                        if trust_attributes_value & 0x4:
-                            trust_transitive.append("Quarantined Domain")
-                        if trust_attributes_value & 0x8:
-                            trust_transitive.append("Forest Transitive")
-                        if trust_attributes_value & 0x10:
-                            trust_transitive.append("Cross Organization")
-                        if trust_attributes_value & 0x20:
-                            trust_transitive.append("Within Forest")
-                        if trust_attributes_value & 0x40:
-                            trust_transitive.append("Treat as External")
-                        if trust_attributes_value & 0x80:
-                            trust_transitive.append("Uses RC4 Encryption")
-                        if trust_attributes_value & 0x100:
-                            trust_transitive.append("Cross Organization No TGT Delegation")
-                        if trust_attributes_value & 0x2000:
-                            trust_transitive.append("PAM Trust")
-                        if not trust_transitive:
-                            trust_transitive.append("Other")
-                trust_transitive = ", ".join(trust_transitive)
-
-                if flat_name and trust_partner and trust_direction and trust_transitive:
-                    trusts.append((flat_name, trust_partner, trust_direction, trust_transitive))
-            except Exception as e:
-                context.log.debug(f"Cannot process trust relationship due to error {e}")
-
-        if trusts:
-            context.log.success("Found the following trust relationships:")
-            for trust in trusts:
-                context.log.highlight(f"{trust[1]} -> {trust[2]} -> {trust[3]}")
-        else:
-            context.log.display("No trust relationships found")
-
-        return True
+        context.log.fail("[REMOVED] This module moved to the --dc-list LDAP flag.")

nxc/modules/pi.py

@@ -6,6 +6,11 @@
 
 
 class NXCModule:
+    """
+    Module for running system command as target PID user's
+    Module by @termanix
+    """
+
     name = "pi"
     description = "Run command as logged on users via Process Injection"
     supported_protocols = ["smb"]

nxc/protocols/ldap.py

@@ -762,51 +762,126 @@ def dc_list(self):
             resolv.nameservers = [self.host]
         resolv.timeout = self.args.dns_timeout
 
+        # Function to resolve and display hostnames
+        def resolve_and_display_hostname(name, domain_name=None):
+            prefix = f"[{domain_name}] " if domain_name else ""
+            try:
+                # Resolve using DNS server for A, AAAA, CNAME, PTR, and NS records
+                for record_type in ["A", "AAAA", "CNAME", "PTR", "NS"]:
+                    try:
+                        answers = resolv.resolve(name, record_type, tcp=self.args.dns_tcp)
+                        for rdata in answers:
+                            if record_type in ["A", "AAAA"]:
+                                ip_address = rdata.to_text()
+                                self.logger.highlight(f"{prefix}{name} = {colored(ip_address, host_info_colors[0])}")
+                                return
+                            elif record_type == "CNAME":
+                                self.logger.highlight(f"{prefix}{name} CNAME = {colored(rdata.to_text(), host_info_colors[0])}")
+                                return
+                            elif record_type == "PTR":
+                                self.logger.highlight(f"{prefix}{name} PTR = {colored(rdata.to_text(), host_info_colors[0])}")
+                                return
+                            elif record_type == "NS":
+                                self.logger.highlight(f"{prefix}{name} NS = {colored(rdata.to_text(), host_info_colors[0])}")
+                                return
+                    except resolver.NXDOMAIN:
+                        self.logger.fail(f"{prefix}{name} = Host not found (NXDOMAIN)")
+                    except resolver.Timeout:
+                        self.logger.fail(f"{prefix}{name} = Connection timed out")
+                    except resolver.NoAnswer:
+                        self.logger.fail(f"{prefix}{name} = DNS server did not respond")
+                    except Exception as e:
+                        self.logger.fail(f"{prefix}{name} encountered an unexpected error: {e}")
+            except Exception as e:
+                self.logger.fail(f"Skipping item(dNSHostName) {prefix}{name}, error: {e}")
+
+        # Find all domain controllers in the current domain
+        self.logger.info("Enumerating Domain Controllers in current domain...")
         search_filter = "(&(objectCategory=computer)(primaryGroupId=516))"
         attributes = ["dNSHostName"]
+        resp = self.search(search_filter, attributes)
+        resp_parse = parse_result_attributes(resp)
+        for item in resp_parse:
+            if "dNSHostName" in item:  # Get dNSHostName attribute
+                name = item["dNSHostName"]
+                resolve_and_display_hostname(name)
+
+        # Find all trusted domains
+        self.logger.info("Enumerating Trusted Domains...")
+        search_filter = "(objectClass=trustedDomain)"
+        attributes = ["name", "trustDirection", "trustType", "trustAttributes", "flatName"]
         resp = self.search(search_filter, attributes, 0)
-        resp_parsed = parse_result_attributes(resp)
+        trust_resp_parse = parse_result_attributes(resp)
 
-        for item in resp_parsed:
-            name = item.get("dNSHostName", "")  # Get dNSHostName attribute or empty string
+        for trust in trust_resp_parse:
             try:
-                # Resolve using DNS server for A, AAAA, CNAME, PTR, and NS records
-                if name:
-                    found_record = False  # Flag to check if any record is found
-
-                    for record_type in ["A", "AAAA", "CNAME", "PTR", "NS"]:
-                        if found_record:
-                            break  # If a record has been found, stop checking further
-
-                        try:
-                            answers = resolv.resolve(name, record_type, tcp=self.args.dns_tcp)
-                            for rdata in answers:
-                                if record_type in ["A", "AAAA"]:
-                                    ip_address = rdata.to_text()
-                                    self.logger.highlight(f"{name} = {colored(ip_address, host_info_colors[0])}")
-                                    found_record = True  # Set flag to true since a record is found
-                                elif record_type == "CNAME":
-                                    self.logger.highlight(f"{name} CNAME = {colored(rdata.to_text(), host_info_colors[0])}")
-                                    found_record = True
-                                elif record_type == "PTR":
-                                    self.logger.highlight(f"{name} PTR = {colored(rdata.to_text(), host_info_colors[0])}")
-                                    found_record = True
-                                elif record_type == "NS":
-                                    self.logger.highlight(f"{name} NS = {colored(rdata.to_text(), host_info_colors[0])}")
-                                    found_record = True
-                        except resolv.NXDOMAIN:
-                            self.logger.fail(f"{name} = Host not found (NXDOMAIN)")
-                        except resolv.Timeout:
-                            self.logger.fail(f"{name} = Connection timed out")
-                        except resolv.NoAnswer:
-                            self.logger.fail(f"{name} = DNS server did not respond")
-                        except Exception as e:
-                            self.logger.fail(f"{name} encountered an unexpected error: {e}")
-                else:
-                    self.logger.fail("dNSHostName value is empty, unable to process.")
+                trust_name = trust["name"]
+                trust_flat_name = trust["flatName"]
+                trust_direction = int(trust["trustDirection"])
+                trust_type = int(trust["trustType"])
+                trust_attributes = int(trust["trustAttributes"])
+                
+                # See: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c
+                trust_attribute_flags = {
+                    0x1:    "Non-Transitive",
+                    0x2:    "Uplevel-Only",
+                    0x4:    "Quarantined Domain",
+                    0x8:    "Forest Transitive",
+                    0x10:   "Cross Organization",
+                    0x20:   "Within Forest",
+                    0x40:   "Treat as External",
+                    0x80:   "Uses RC4 Encryption",
+                    0x200:  "Cross Organization No TGT Delegation",
+                    0x800:  "Cross Organization Enable TGT Delegation",
+                    0x2000: "PAM Trust"
+                }
+
+                # For check if multiple posibble flags, like Uplevel-Only, Treat as External
+                trust_attributes_text = ", ".join(
+                    text for flag, text in trust_attribute_flags.items()
+                    if trust_attributes & flag
+                ) or "Other"  # If Trust attrs not known
+
+                # Convert trust direction/type to human-readable format
+                direction_text = {
+                    0: "Disabled",
+                    1: "Inbound",
+                    2: "Outbound",
+                    3: "Bidirectional",
+                }[trust_direction]
+
+                trust_type_text = {
+                    1: "Windows NT",
+                    2: "Active Directory",
+                    3: "Kerberos",
+                    4: "Unknown",
+                    5: "Azure Active Directory",
+                }[trust_type]
+
+                self.logger.info(f"Processing trusted domain: {trust_name} ({trust_flat_name})")
+                self.logger.info(f"Trust type: {trust_type_text}, Direction: {direction_text}, Trust Attributes: {trust_attributes_text}")
+
             except Exception as e:
-                self.logger.fail("General Error:", exc_info=True)
-                self.logger.fail(f"Skipping item(dNSHostName) {name}, error: {e}")
+                self.logger.fail(f"Failed {e} in trust entry: {trust}")
+
+            # Only process if it's an Active Directory trust
+            if int(trust_type) == 2:
+                # Try to find domain controllers in trusted domain using DNS
+                # Check if we can resolve the trusted domain's DC using DNS
+                dc_dns_name = f"_ldap._tcp.dc._msdcs.{trust_name}"
+                try:
+                    srv_records = resolv.resolve(dc_dns_name, "SRV", tcp=self.args.dns_tcp)
+                    self.logger.info(f"Found domain controllers for trusted domain {trust_name} via DNS:")
+                    for srv in srv_records:
+                        dc_hostname = str(srv.target).rstrip(".")
+                        self.logger.success(f"Found DC in trusted domain: {colored(dc_hostname, host_info_colors[0], attrs=['bold'])}")
+                        self.logger.highlight(f"{trust_name} -> {direction_text} -> {trust_attributes_text}")
+                        resolve_and_display_hostname(dc_hostname)
+                except Exception as e:
+                    self.logger.fail(f"Failed to resolve DCs for {trust_name} via DNS: {e}")
+            else:
+                self.logger.display(f"Skipping non-Active Directory trust '{trust_name}' with type: {trust_type_text} and direction: {direction_text}")
+        self.logger.info("Domain Controller enumeration complete.")
 
     def active_users(self):
         if len(self.args.active_users) > 0: