Merge pull request Pennyw0rth#755 from Pennyw0rth/mssql

Update mssql enum login

Author: mpgn

nxc/modules/enum_logins.py

@@ -1,11 +1,11 @@
 class NXCModule:
     """
-    Enumerate SQL Server logins
-    Module by deathflamingo
+    Enumerate SQL Server logins (SQL, Domain, Local users)
+    Module by deathflamingo, modified by mpgn
     """
 
     name = "enum_logins"
-    description = "Enumerate SQL Server logins"
+    description = "Enumerate SQL Server logins (SQL, Domain, Local users)"
     supported_protocols = ["mssql"]
     opsec_safe = True
     multiple_hosts = True
@@ -17,25 +17,69 @@ def __init__(self):
     def on_login(self, context, connection):
         self.context = context
         self.mssql_conn = connection.conn
+
         logins = self.get_logins()
         if logins:
-            self.context.log.success("Logins found:")
-            for login in logins:
-                self.context.log.display(f"  - {login}")
+            self.context.log.display("Enumerated logins")
+            self.context.log.highlight(f"{'Login Name':<35} {'Type':<15} {'Status'}")
+            self.context.log.highlight(f"{'----------':<35} {'----':<15} {'------'}")
+            for login_name, login_type, status in logins:
+                self.context.log.highlight(f"{login_name:<35} {login_type:<15} {status}")
         else:
             self.context.log.fail("No logins found.")
 
+    def get_domain_name(self) -> str:
+        query = "SELECT DEFAULT_DOMAIN() as domain_name;"
+        try:
+            res = self.mssql_conn.sql_query(query)
+            if res and res[0].get("domain_name"):
+                return res[0]["domain_name"].upper()
+            return ""
+        except Exception as e:
+            self.context.log.debug(f"Error querying domain name: {e}")
+            return ""
+
     def get_logins(self) -> list:
-        """
-        Fetches a list of SQL Server logins.
+        domain_name = self.get_domain_name()
+        domain_prefix = f"{domain_name}\\" if domain_name else ""
 
-        Returns
-        -------
-        list: List of login names.
+        query = f"""
+        SELECT 
+            name,
+            type,
+            type_desc,
+            CASE type_desc 
+                WHEN 'SQL_LOGIN' THEN 'SQL User'
+                WHEN 'WINDOWS_LOGIN' THEN 
+                    CASE 
+                        WHEN name LIKE '{domain_prefix}%' THEN 'Domain User'
+                        WHEN name LIKE '%\\%' THEN 'Local User'
+                        ELSE 'Local User'
+                    END
+                WHEN 'WINDOWS_GROUP' THEN 'Windows Group'
+                WHEN 'CERTIFICATE_MAPPED_LOGIN' THEN 'Certificate Login'
+                WHEN 'ASYMMETRIC_KEY_MAPPED_LOGIN' THEN 'Asymmetric Key Login'
+                ELSE type_desc
+            END as login_type,
+            is_disabled,
+            create_date
+        FROM sys.server_principals 
+        WHERE type IN ('S', 'U', 'G', 'C', 'K')
+        AND name NOT LIKE '##%'
+        ORDER BY login_type, name;
         """
-        query = "SELECT name FROM sys.server_principals WHERE type_desc = 'SQL_LOGIN';"
-        res = self.mssql_conn.sql_query(query)
-        return [login["name"] for login in res] if res else []
+        try:
+            res = self.mssql_conn.sql_query(query)
+            if res:
+                logins = []
+                for login in res:
+                    status = "DISABLED" if login.get("is_disabled") else "ENABLED"
+                    logins.append((login["name"], login["login_type"], status))
+                return logins
+            return []
+        except Exception as e:
+            self.context.log.fail(f"Error querying logins: {e}")
+            return []
 
     def options(self, context, module_options):
         pass

nxc/modules/link_xpcmd.py

@@ -31,5 +31,21 @@ def on_login(self, context, connection):
             return
 
         self.context.log.display(f"Running command on {self.linked_server}: {self.command}")
-        result = self.mssql_conn.sql_query(f"EXEC ('xp_cmdshell ''{self.command}''') AT [{self.linked_server}]")
-        self.context.log.success(f"Command output: {result}")
+        query = f"EXEC ('xp_cmdshell ''{self.command}''') AT [{self.linked_server}]"
+        result = self.mssql_conn.sql_query(query)
+        
+        if result:
+            output_lines = []
+            for row in result:
+                output_value = row.get("output")
+                if output_value and output_value != "NULL":
+                    output_lines.append(str(output_value))
+            
+            if output_lines:
+                self.context.log.success("Executed command via linked server")
+                for line in output_lines:
+                    self.context.log.highlight(line.strip())
+            else:
+                self.context.log.display("Command executed but returned no output")
+        else:
+            self.context.log.fail("No result returned from query")