Merge branch 'main' into regsecret

mpgn · web-flow · commit 1fe387e8f9bf · 2025-03-15T23:01:05.000+01:00
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -259,7 +259,8 @@ def enum_host_info(self):
             ntlm_info = parse_challenge(ntlm_challenge)
             self.server_os = ntlm_info["os_version"]
 
-        if not self.kdcHost and self.domain and self.domain == self.remoteName:
+        # using kdcHost is buggy on impacket when using trust relation between ad so we kdcHost must stay to none if targetdomain is not equal to domain
+        if not self.kdcHost and self.domain and self.domain == self.targetDomain:
             result = self.resolver(self.domain)
             self.kdcHost = result["host"] if result else None
             self.logger.info(f"Resolved domain: {self.domain} with dns, kdcHost: {self.kdcHost}")
@@ -805,6 +806,7 @@ def active_users(self):
     def asreproast(self):
         if self.password == "" and self.nthash == "" and self.kerberos is False:
             return False
+
         # Building the search filter
         search_filter = "(&(UserAccountControl:1.2.840.113556.1.4.803:=%d)(!(UserAccountControl:1.2.840.113556.1.4.803:=%d))(!(objectCategory=computer)))" % (UF_DONT_REQUIRE_PREAUTH, UF_ACCOUNTDISABLE)
         attributes = [
diff --git a/nxc/protocols/ldap/kerberos.py b/nxc/protocols/ldap/kerberos.py
@@ -28,6 +28,7 @@ def __init__(self, connection):
         self.username = connection.username
         self.password = connection.password
         self.domain = connection.domain
+        self.host = connection.host
         self.targetDomain = connection.targetDomain
         self.hash = connection.hash
         self.lmhash = ""
@@ -223,6 +224,10 @@ def get_tgt_asroast(self, userName, requestPAC=True):
 
         message = encoder.encode(as_req)
 
+        # If kdcHost isn't set, use the target IP for DNS resolution
+        if not self.kdcHost:
+            self.kdcHost = self.host
+
         try:
             r = sendReceive(message, domain, self.kdcHost)
         except KerberosError as e:
diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py
@@ -313,10 +313,6 @@ def enum_host_info(self):
             self.kdcHost = result["host"] if result else None
             self.logger.info(f"Resolved domain: {self.domain} with dns, kdcHost: {self.kdcHost}")
 
-        # If we want to authenticate we should create another connection object, because we already logged in
-        if self.args.username or self.args.cred_id or self.kerberos or self.args.use_kcache:
-            self.create_conn_obj()
-
     def print_host_info(self):
         signing = colored(f"signing:{self.signing}", host_info_colors[0], attrs=["bold"]) if self.signing else colored(f"signing:{self.signing}", host_info_colors[1], attrs=["bold"])
         smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"])
@@ -362,6 +358,8 @@ def print_host_info(self):
 
     def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
         self.logger.debug(f"KDC set to: {kdcHost}")
+        # Re-connect since we logged off
+        self.create_conn_obj()
         lmhash = ""
         nthash = ""
 
@@ -419,7 +417,6 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
             if self.args.continue_on_success and self.signing:
                 with contextlib.suppress(Exception):
                     self.conn.logoff()
-                self.create_conn_obj()
             return True
         except SessionKeyDecryptionError:
             # success for now, since it's a vulnerability - previously was an error
@@ -452,6 +449,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
 
     def plaintext_login(self, domain, username, password):
         # Re-connect since we logged off
+        self.create_conn_obj()
         try:
             self.password = password
             self.username = username
@@ -484,7 +482,6 @@ def plaintext_login(self, domain, username, password):
             if self.args.continue_on_success and self.signing:
                 with contextlib.suppress(Exception):
                     self.conn.logoff()
-                self.create_conn_obj()
             return True
         except SessionError as e:
             error, desc = e.getErrorString()
@@ -497,15 +494,14 @@ def plaintext_login(self, domain, username, password):
                 return False
         except (ConnectionResetError, NetBIOSTimeout, NetBIOSError) as e:
             self.logger.fail(f"Connection Error: {e}")
-            self.create_conn_obj()
             return False
         except BrokenPipeError:
             self.logger.fail("Broken Pipe Error while attempting to login")
-            self.create_conn_obj()
             return False
 
     def hash_login(self, domain, username, ntlm_hash):
         # Re-connect since we logged off
+        self.create_conn_obj()
         lmhash = ""
         nthash = ""
         try:
@@ -548,7 +544,6 @@ def hash_login(self, domain, username, ntlm_hash):
             if self.args.continue_on_success and self.signing:
                 with contextlib.suppress(Exception):
                     self.conn.logoff()
-                self.create_conn_obj()
             return True
         except SessionError as e:
             error, desc = e.getErrorString()
@@ -562,11 +557,9 @@ def hash_login(self, domain, username, ntlm_hash):
                 return False
         except (ConnectionResetError, NetBIOSTimeout, NetBIOSError) as e:
             self.logger.fail(f"Connection Error: {e}")
-            self.create_conn_obj()
             return False
         except BrokenPipeError:
             self.logger.fail("Broken Pipe Error while attempting to login")
-            self.create_conn_obj()
             return False
 
     def create_smbv1_conn(self, check=False):
