blacklanternsecurity
diff --git a/‎nxc/connection.py‎
Lines changed: 7 additions & 1 deletion b/‎nxc/connection.py‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎nxc/modules/add-computer.py‎
Lines changed: 2 additions & 1 deletion b/‎nxc/modules/add-computer.py‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎nxc/modules/bitlocker.py‎
Lines changed: 131 additions & 0 deletions b/‎nxc/modules/bitlocker.py‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎nxc/modules/enum_av.py‎
Lines changed: 21 additions & 0 deletions b/‎nxc/modules/enum_av.py‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎nxc/modules/handlekatz.py‎
Lines changed: 1 addition & 1 deletion b/‎nxc/modules/handlekatz.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎nxc/modules/hyperv-host.py‎
Lines changed: 53 additions & 0 deletions b/‎nxc/modules/hyperv-host.py‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎nxc/modules/ioxidresolver.py‎
Lines changed: 26 additions & 25 deletions b/‎nxc/modules/ioxidresolver.py‎
Lines changed: 26 additions & 25 deletions
diff --git a/‎nxc/modules/laps.py‎
Lines changed: 3 additions & 3 deletions b/‎nxc/modules/laps.py‎
Lines changed: 3 additions & 3 deletions
@@ -85,6 +85,8 @@ def get_host_addr_info(target, force_ipv6, dns_server, dns_tcp, dns_timeout):
 def requires_admin(func):
     def _decorator(self, *args, **kwargs):
         if self.admin_privs is False:
+            if hasattr(self.args, "exec_method") and self.args.exec_method == "mmcexec":
+                return func(self, *args, **kwargs)
             return None
         return func(self, *args, **kwargs)
 
@@ -146,6 +148,7 @@ def __init__(self, args, db, target):
         self.kdcHost = self.args.kdcHost
         self.port = self.args.port
         self.local_ip = None
+        self.dns_server = self.args.dns_server
 
         # DNS resolution
         dns_result = self.resolver(target)
@@ -164,6 +167,9 @@ def __init__(self, args, db, target):
         except Exception as e:
             if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e):
                 self.logger.error(f"Exception while calling proto_flow() on target {target}: {e}")
+            # Catching impacket SMB specific exceptions, which should not be imported due to performance reasons
+            elif e.__class__.__name__ in ["NetBIOSTimeout", "NetBIOSError"]:
+                self.logger.error(f"{e.__class__.__name__} on target {target}: {e}")
             else:
                 self.logger.exception(f"Exception while calling proto_flow() on target {target}: {e}")
         finally:
@@ -541,7 +547,7 @@ def login(self):
 
         if hasattr(self.args, "laps") and self.args.laps:
             self.logger.debug("Trying to authenticate using LAPS")
-            username[0], secret[0], domain[0], ntlm_hash = laps_search(self, username, secret, cred_type, domain)
+            username[0], secret[0], domain[0] = laps_search(self, username, secret, cred_type, domain, self.dns_server)
             cred_type = ["plaintext"]
             if not (username[0] or secret[0] or domain[0]):
                 return False
 
@@ -102,8 +102,9 @@ def do_samr_add(self, context):
             None
         """
         string_binding = epm.hept_map(self.__host, samr.MSRPC_UUID_SAMR, protocol="ncacn_np")
+        string_binding = string_binding.replace(self.__host, self.__kdcHost) if self.__kdcHost is not None else string_binding
 
-        rpc_transport = transport.DCERPCTransportFactory(string_binding.replace(self.__host, self.__kdcHost))
+        rpc_transport = transport.DCERPCTransportFactory(string_binding)
         rpc_transport.setRemoteHost(self.__host)
 
         if hasattr(rpc_transport, "set_credentials"):
 
@@ -0,0 +1,131 @@
+import re
+from impacket.dcerpc.v5.dcom import wmi
+from impacket.dcerpc.v5.dtypes import NULL
+from impacket.dcerpc.v5.dcomrt import DCOMConnection
+from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+
+class NXCModule:
+    name = "bitlocker"
+    description = "Enumerating BitLocker Status on target(s) If it is enabled or disabled."
+    supported_protocols = ["smb", "wmi"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self, context=None, module_options=None):
+        self.context = context
+        self.module_options = module_options
+
+    def options(self, context, module_options):
+        """ 
+        USAGE:
+        
+        NetExec smb <IP> -u <username> -p <password> -M bitlocker
+        NetExec wmi <IP> -u <username> -p <password> -M bitlocker (Better option to use on real life.)
+        """
+
+    def on_admin_login(self, context, connection):
+        if context.protocol == "smb":
+            bitlocker_smb = BitLockerSMB(context, connection)
+            bitlocker_smb.check_bitlocker_status()
+        elif context.protocol == "wmi":
+            bitlocker_wmi = BitLockerWMI(context, connection)
+            bitlocker_wmi.check_bitlocker_status()
+
+
+class BitLockerSMB:
+    def __init__(self, context, connection):
+        self.context = context
+        self.connection = connection
+
+    def check_bitlocker_status(self):
+        # PowerShell command to check BitLocker volumes status.
+        check_bitlocker_command_str = 'powershell.exe "Get-BitLockerVolume | Select-Object MountPoint, EncryptionMethod, ProtectionStatus"'
+
+        try:
+            # Executing the PowerShell command to get BitLocker volumes status.
+            check_bitlocker_command_str_output = self.connection.execute(check_bitlocker_command_str, True)
+            
+            if "'Get-BitLockerVolume' is not recognized" in check_bitlocker_command_str_output:
+                self.context.log.fail("BitLockerVolume not found on target.")
+                return
+
+            # Splitting the output into lines.
+            lines = str(check_bitlocker_command_str_output).splitlines()
+            data_lines = [line for line in lines if re.match(r"\w:", line)]
+            
+            for line in data_lines:
+                # Checking every line for starting with drive
+                if line[1] == ":": 
+                    parts = line.split()
+                    MountPoint, EncryptionMethod, protection_status = parts[0], parts[1], parts[2]
+
+                    # Checking if BitLocker is enabled.
+                    if protection_status == "On":
+                        self.context.log.highlight(f"BitLocker is enabled on drive {MountPoint} (Encryption Method: {EncryptionMethod})")
+                    else:
+                        self.context.log.highlight(f"BitLocker is disabled on drive {MountPoint}")
+        except Exception as e:
+            self.context.log.exception(f"Exception occurred: {e}")
+
+
+class BitLockerWMI:
+    def __init__(self, context, connection):
+        self.context = context
+        self.connection = connection
+
+    def check_bitlocker_status(self):
+        try:
+            # Create a DCOM connection
+            dcom_conn = DCOMConnection(
+                self.connection.host,
+                self.connection.username,
+                self.connection.password,
+                self.connection.domain,
+                self.connection.lmhash,
+                self.connection.nthash,
+                oxidResolver=True,
+                doKerberos=self.connection.kerberos,
+                kdcHost=self.connection.kdcHost)
+                
+            try:
+                # CoCreateInstanceEx for WMI login
+                i_interface = dcom_conn.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
+                iWbemLevel1Login = wmi.IWbemLevel1Login(i_interface)
+
+                # Specify the namespace for BitLocker
+                bitlockerNamespace = "root\\CIMv2\\Security\\MicrosoftVolumeEncryption"
+                
+                # NTLM login for WMI
+                iWbemServices = iWbemLevel1Login.NTLMLogin(bitlockerNamespace, NULL, NULL)
+
+                # Set authentication level
+                iWbemServices.get_dce_rpc().set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
+
+                # Query to get BitLocker status
+                classQuery = "SELECT DriveLetter, ProtectionStatus, EncryptionMethod FROM Win32_EncryptableVolume"
+                iEnumWbemClassObject = iWbemServices.ExecQuery(classQuery)
+                encryptionTypeMapping = {0: "None", 1: "AES_256_WITH_DIFFUSER", 2: "AES_256_WITH_DIFFUSER", 3: "AES_128", 4: "AES_256", 5: "HARDWARE_ENCRYPTION", 6: "XTS_AES_128", 7: "XTS_AES_256"}
+                
+                try:
+                    while True:
+                        iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff, 1)
+                        encryptionMethod = int(iWbemClassObject[0].EncryptionMethod)
+                        if iWbemClassObject[0].ProtectionStatus == 1:
+                            self.context.log.highlight(f"BitLocker is enabled on drive {iWbemClassObject[0].DriveLetter} (Encryption Method: {encryptionTypeMapping.get(encryptionMethod, 'Unknown')})")
+                        else:
+                            if encryptionMethod == 0:  # Should be 0 if disabled
+                                self.context.log.highlight(f"BitLocker is disabled on drive {iWbemClassObject[0].DriveLetter}")
+                except Exception:
+                    pass  # Using pass because if try to log or printing, getting "WMI Session Error: code: 0x1 - WBEM_S_FALSE"
+
+                # Release resources
+                iWbemLevel1Login.RemRelease()
+                iWbemServices.RemRelease()
+                dcom_conn.disconnect()
+            except Exception as e:
+                if "WBEM_E_INVALID_NAMESPACE" in str(e):
+                    self.context.log.fail("BitLockerNamespace not found on target.")
+                    dcom_conn.disconnect()
+        except Exception as e:
+            self.context.log.error(f"Error occurred during BitLocker check: {e}")
+            dcom_conn.disconnect()
@@ -358,6 +358,27 @@ def LsarLookupNames(self, dce, policyHandle, service):
                 {"name": "sophoslivequery_*", "processes": [""]}
             ]
         },
+        {
+            "name": "Trellix Endpoint Detection and Response (EDR)",
+            "services": [
+                {"name": "McAfee Endpoint Security Platform Service", "description": "Trellix Core Service"},
+                {"name": "mfemactl", "description": "Trellix Management Service"},
+                {"name": "mfemms", "description": "McAfee Management Service"},
+                {"name": "mfefire", "description": "Trellix Firewall Core Service"},
+                {"name": "masvc", "description": "Trellix Agent Service"},
+                {"name": "macmnsvc", "description": "Trellix Agent Common Service"},
+                {"name": "mfetp", "description": "Trellix Endpoint Threat Prevention Service"},
+                {"name": "mfewc", "description": "Trellix Endpoint Security Web Control Service"}, 
+                {"name": "mfeaack", "description": "Trellix Anti-Malware Core Service"}
+            ],
+            "pipes": [
+                {"name": "TrellixEDR_Pipe_*", "processes": ["McAfeeEDR.exe"]},
+                {"name": "mfemactl_*", "processes": ["mfemactl.exe"]},
+                {"name": "mfefire_*", "processes": ["mfefire.exe"]},
+                {"name": "McAfeeAgent_Pipe_*", "processes": ["McAfeeAgent.exe"]},
+                {"name": "mfetp_*", "processes": ["mfetp.exe"]}
+            ]
+        },
         {
             "name": "Trend Micro Endpoint Security",
             "services": [
 
@@ -7,7 +7,7 @@
 import sys
 
 from nxc.helpers.bloodhound import add_user_bh
-import pypykatz
+from pypykatz.pypykatz import pypykatz
 
 
 class NXCModule:
 
@@ -0,0 +1,53 @@
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.dcerpc.v5 import rrp
+from impacket.examples.secretsdump import RemoteOperations
+
+
+class NXCModule:
+    """Module by @joaovarelas"""
+
+    name = "hyperv-host"
+    description = "Performs a registry query on the VM to lookup its HyperV Host"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self, context=None, module_options=None):
+        self.context = context
+        self.module_options = module_options
+
+    def options(self, context, module_options):
+        """"""
+
+    def on_admin_login(self, context, connection):
+        self.context = context
+
+        path = "SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters"
+        key = "HostName"
+
+        try:
+            remote_ops = RemoteOperations(connection.conn, False)
+            remote_ops.enableRegistry()
+
+            ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
+            reg_handle = ans["phKey"]
+
+            # Query
+            try:
+                ans = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, path)
+                key_handle = ans["phkResult"]
+
+                data_type, reg_value = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, key)
+                self.context.log.highlight(f"{key}: {reg_value}")
+
+                rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
+
+            except DCERPCException as e:
+                self.context.log.debug(f"Registry key {path}\\{key} does not exist: {e}")
+
+        except DCERPCException as e:
+            self.context.log.fail(f"DCERPC Error while querying registry: {e}")
+        except Exception as e:
+            self.context.log.fail(f"Error while querying registry: {e}")
+        finally:
+            remote_ops.finish()
@@ -1,10 +1,11 @@
 # Credit to https://airbus-cyber-security.com/fr/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/
 # Airbus CERT
 # module by @mpgn_x64
+# updated by @NeffIsBack
 
 from ipaddress import ip_address
 from impacket.dcerpc.v5 import transport
-from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
+from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE, DCERPCException
 from impacket.dcerpc.v5.dcomrt import IObjectExporter
 
 
@@ -13,31 +14,31 @@ class NXCModule:
     description = "This module helps you to identify hosts that have additional active interfaces"
     supported_protocols = ["smb", "wmi"]
     opsec_safe = True
-    multiple_hosts = False
+    multiple_hosts = True
 
     def options(self, context, module_options):
-        """ """
+        """No module options"""
 
     def on_login(self, context, connection):
-        authLevel = RPC_C_AUTHN_LEVEL_NONE
-
-        stringBinding = r"ncacn_ip_tcp:%s" % connection.host
-        rpctransport = transport.DCERPCTransportFactory(stringBinding)
-        rpctransport.setRemoteHost(connection.host)
-
-        portmap = rpctransport.get_dce_rpc()
-        portmap.set_auth_level(authLevel)
-        portmap.connect()
-
-        objExporter = IObjectExporter(portmap)
-        bindings = objExporter.ServerAlive2()
-
-        context.log.debug("[*] Retrieving network interface of " + connection.host)
-
-        for binding in bindings:
-            NetworkAddr = binding["aNetworkAddr"]
-            try:
-                ip_address(NetworkAddr[:-1])
-                context.log.highlight("Address: " + NetworkAddr)
-            except Exception as e:
-                context.log.debug(e)
+        try:
+            rpctransport = transport.DCERPCTransportFactory(f"ncacn_ip_tcp:{connection.host}")
+            rpctransport.setRemoteHost(connection.host)
+
+            portmap = rpctransport.get_dce_rpc()
+            portmap.set_auth_level(RPC_C_AUTHN_LEVEL_NONE)
+            portmap.connect()
+
+            objExporter = IObjectExporter(portmap)
+            bindings = objExporter.ServerAlive2()
+
+            context.log.debug(f"Retrieving network interface of {connection.host}")
+
+            for binding in bindings:
+                NetworkAddr = binding["aNetworkAddr"]
+                try:
+                    ip_address(NetworkAddr[:-1])
+                    context.log.highlight(f"Address: {NetworkAddr}")
+                except Exception as e:
+                    context.log.debug(e)
+        except DCERPCException as e:
+            context.log.error(f"DCERPCException error: {e}")
@@ -45,12 +45,12 @@ def on_login(self, context, connection):
                 values = {str(attr["type"]).lower(): attr["vals"][0] for attr in computer["attributes"]}
                 if "mslaps-encryptedpassword" in values:
                     msMCSAdmPwd = values["mslaps-encryptedpassword"]
-                    d = LAPSv2Extract(bytes(msMCSAdmPwd), connection.username if connection.username else "", connection.password if connection.password else "", connection.domain, connection.nthash if connection.nthash else "", connection.kerberos, connection.kdcHost, 339)
+                    d = LAPSv2Extract(bytes(msMCSAdmPwd), connection.username if connection.username else "", connection.password if connection.password else "", connection.domain, connection.nthash if connection.nthash else "", connection.kerberos, connection.kdcHost, 339, connection.dns_server)
                     try:
                         data = d.run()
                     except Exception as e:
-                        self.logger.fail(str(e))
-                        return
+                        context.log.fail(str(e))
+                        continue
                     r = json.loads(data)
                     laps_computers.append((str(values["samaccountname"]), r["n"], str(r["p"])))
                 elif "mslaps-password" in values: