Merge branch 'main' into sepauli/fix-keepass_trigger

Author: NeffIsBack

netexec.spec

@@ -67,8 +67,10 @@ a = Analysis(
         'dploot.triage.browser',
         'dploot.triage.credentials',
         'dploot.triage.masterkeys',
+        'dploot.triage.mobaxterm',
         'dploot.triage.backupkey',
         'dploot.triage.wifi',
+        'dploot.triage.sccm',
         'dploot.lib.target',
         'dploot.lib.smb',
         'pyasn1_modules.rfc5652',

nxc/cli.py

@@ -9,6 +9,7 @@
 from nxc.paths import NXC_PATH
 from nxc.loaders.protocolloader import ProtocolLoader
 from nxc.helpers.logger import highlight
+from nxc.helpers.args import DisplayDefaultsNotNone
 from nxc.logger import nxc_logger, setup_debug_logging
 import importlib.metadata
 
@@ -21,10 +22,31 @@ def gen_cli_args():
     except ValueError:
         VERSION = importlib.metadata.version("netexec")
         COMMIT = ""
-    CODENAME = "nxc4u"
+    CODENAME = "ItsAlwaysDNS"
     nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT}")
-
-    parser = argparse.ArgumentParser(description=rf"""
+    
+    generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
+    generic_group = generic_parser.add_argument_group("Generic", "Generic options for nxc across protocols")
+    generic_group.add_argument("-t", "--threads", type=int, dest="threads", default=256, help="set how many concurrent threads to use")
+    generic_group.add_argument("--timeout", default=None, type=int, help="max timeout in seconds of each thread")
+    generic_group.add_argument("--jitter", metavar="INTERVAL", type=str, help="sets a random delay between each authentication")
+    
+    output_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
+    output_group = output_parser.add_argument_group("Output", "Options to set verbosity levels and control output")
+    output_group.add_argument("--verbose", action="store_true", help="enable verbose output")
+    output_group.add_argument("--debug", action="store_true", help="enable debug level information")
+    output_group.add_argument("--no-progress", action="store_true", help="do not displaying progress bar during scan")
+    output_group.add_argument("--log", metavar="LOG", help="export result into a custom file")
+    
+    dns_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
+    dns_group = dns_parser.add_argument_group("DNS")
+    dns_group.add_argument("-6", dest="force_ipv6", action="store_true", help="Enable force IPv6")
+    dns_group.add_argument("--dns-server", action="store", help="Specify DNS server (default: Use hosts file & System DNS)")
+    dns_group.add_argument("--dns-tcp", action="store_true", help="Use TCP instead of UDP for DNS queries")
+    dns_group.add_argument("--dns-timeout", action="store", type=int, default=3, help="DNS query timeout in seconds")
+    
+    parser = argparse.ArgumentParser(
+        description=rf"""
      .   .
     .|   |.     _   _          _     _____
     ||   ||    | \ | |   ___  | |_  | ____| __  __   ___    ___
@@ -42,56 +64,55 @@ def gen_cli_args():
     {highlight('Version', 'red')} : {highlight(VERSION)}
     {highlight('Codename', 'red')}: {highlight(CODENAME)}
     {highlight('Commit', 'red')}  : {highlight(COMMIT)}
-    """, formatter_class=RawTextHelpFormatter)
-
-    parser.add_argument("-t", type=int, dest="threads", default=256, help="set how many concurrent threads to use (default: 256)")
-    parser.add_argument("--timeout", default=None, type=int, help="max timeout in seconds of each thread (default: None)")
-    parser.add_argument("--jitter", metavar="INTERVAL", type=str, help="sets a random delay between each authentication (default: None)")
-    parser.add_argument("--no-progress", action="store_true", help="Not displaying progress bar during scan")
-    parser.add_argument("--verbose", action="store_true", help="enable verbose output")
-    parser.add_argument("--debug", action="store_true", help="enable debug level information")
+    """,
+        formatter_class=RawTextHelpFormatter,
+        parents=[generic_parser, output_parser, dns_parser]
+    )
+
     parser.add_argument("--version", action="store_true", help="Display nxc version")
 
     # we do module arg parsing here so we can reference the module_list attribute below
-    module_parser = argparse.ArgumentParser(add_help=False)
-    mgroup = module_parser.add_mutually_exclusive_group()
+    module_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
+    mgroup = module_parser.add_argument_group("Modules", "Options for nxc modules")
     mgroup.add_argument("-M", "--module", choices=get_module_names(), action="append", metavar="MODULE", help="module to use")
-    module_parser.add_argument("-o", metavar="MODULE_OPTION", nargs="+", default=[], dest="module_options", help="module options")
-    module_parser.add_argument("-L", "--list-modules", action="store_true", help="list available modules")
-    module_parser.add_argument("--options", dest="show_module_options", action="store_true", help="display module options")
-    module_parser.add_argument("--server", choices={"http", "https"}, default="https", help="use the selected server (default: https)")
-    module_parser.add_argument("--server-host", type=str, default="0.0.0.0", metavar="HOST", help="IP to bind the server to (default: 0.0.0.0)")
-    module_parser.add_argument("--server-port", metavar="PORT", type=int, help="start the server on the specified port")
-    module_parser.add_argument("--connectback-host", type=str, metavar="CHOST", help="IP for the remote system to connect back to (default: same as server-host)")
+    mgroup.add_argument("-o", metavar="MODULE_OPTION", nargs="+", default=[], dest="module_options", help="module options")
+    mgroup.add_argument("-L", "--list-modules", action="store_true", help="list available modules")
+    mgroup.add_argument("--options", dest="show_module_options", action="store_true", help="display module options")
 
-    subparsers = parser.add_subparsers(title="protocols", dest="protocol", description="available protocols")
+    subparsers = parser.add_subparsers(title="Available Protocols", dest="protocol")
 
-    std_parser = argparse.ArgumentParser(add_help=False)
+    std_parser = argparse.ArgumentParser(add_help=False, parents=[generic_parser, output_parser, dns_parser], formatter_class=DisplayDefaultsNotNone)
     std_parser.add_argument("target", nargs="+" if not (module_parser.parse_known_args()[0].list_modules or module_parser.parse_known_args()[0].show_module_options) else "*", type=str, help="the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, NMap XML or .Nessus file(s)")
-    std_parser.add_argument("-id", metavar="CRED_ID", nargs="+", default=[], type=str, dest="cred_id", help="database credential ID(s) to use for authentication")
-    std_parser.add_argument("-u", metavar="USERNAME", dest="username", nargs="+", default=[], help="username(s) or file(s) containing usernames")
-    std_parser.add_argument("-p", metavar="PASSWORD", dest="password", nargs="+", default=[], help="password(s) or file(s) containing passwords")
-    std_parser.add_argument("--ignore-pw-decoding", action="store_true", help="Ignore non UTF-8 characters when decoding the password file")
-    std_parser.add_argument("-k", "--kerberos", action="store_true", help="Use Kerberos authentication")
-    std_parser.add_argument("--no-bruteforce", action="store_true", help="No spray when using file for username and password (user1 => password1, user2 => password2")
-    std_parser.add_argument("--continue-on-success", action="store_true", help="continues authentication attempts even after successes")
-    std_parser.add_argument("--use-kcache", action="store_true", help="Use Kerberos authentication from ccache file (KRB5CCNAME)")
-    std_parser.add_argument("--log", metavar="LOG", help="Export result into a custom file")
-    std_parser.add_argument("--aesKey", metavar="AESKEY", nargs="+", help="AES key to use for Kerberos Authentication (128 or 256 bits)")
-    std_parser.add_argument("--kdcHost", metavar="KDCHOST", help="FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter")
-
-    fail_group = std_parser.add_mutually_exclusive_group()
-    fail_group.add_argument("--gfail-limit", metavar="LIMIT", type=int, help="max number of global failed login attempts")
-    fail_group.add_argument("--ufail-limit", metavar="LIMIT", type=int, help="max number of failed login attempts per username")
-    fail_group.add_argument("--fail-limit", metavar="LIMIT", type=int, help="max number of failed login attempts per host")
+    credential_group = std_parser.add_argument_group("Authentication", "Options for authenticating")
+    credential_group.add_argument("-u", "--username", metavar="USERNAME", dest="username", nargs="+", default=[], help="username(s) or file(s) containing usernames")
+    credential_group.add_argument("-p", "--password", metavar="PASSWORD", dest="password", nargs="+", default=[], help="password(s) or file(s) containing passwords")
+    credential_group.add_argument("-id", metavar="CRED_ID", nargs="+", default=[], type=str, dest="cred_id", help="database credential ID(s) to use for authentication")
+    credential_group.add_argument("--ignore-pw-decoding", action="store_true", help="Ignore non UTF-8 characters when decoding the password file")
+    credential_group.add_argument("--no-bruteforce", action="store_true", help="No spray when using file for username and password (user1 => password1, user2 => password2)")
+    credential_group.add_argument("--continue-on-success", action="store_true", help="continues authentication attempts even after successes")
+    credential_group.add_argument("--gfail-limit", metavar="LIMIT", type=int, help="max number of global failed login attempts")
+    credential_group.add_argument("--ufail-limit", metavar="LIMIT", type=int, help="max number of failed login attempts per username")
+    credential_group.add_argument("--fail-limit", metavar="LIMIT", type=int, help="max number of failed login attempts per host")
+
+    kerberos_group = std_parser.add_argument_group("Kerberos", "Options for Kerberos authentication")
+    kerberos_group.add_argument("-k", "--kerberos", action="store_true", help="Use Kerberos authentication")
+    kerberos_group.add_argument("--use-kcache", action="store_true", help="Use Kerberos authentication from ccache file (KRB5CCNAME)")
+    kerberos_group.add_argument("--aesKey", metavar="AESKEY", nargs="+", help="AES key to use for Kerberos Authentication (128 or 256 bits)")
+    kerberos_group.add_argument("--kdcHost", metavar="KDCHOST", help="FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter")
+    
+    server_group = std_parser.add_argument_group("Servers", "Options for nxc servers")
+    server_group.add_argument("--server", choices={"http", "https"}, default="https", help="use the selected server")
+    server_group.add_argument("--server-host", type=str, default="0.0.0.0", metavar="HOST", help="IP to bind the server to")
+    server_group.add_argument("--server-port", metavar="PORT", type=int, help="start the server on the specified port")
+    server_group.add_argument("--connectback-host", type=str, metavar="CHOST", help="IP for the remote system to connect back to")    
 
     p_loader = ProtocolLoader()
     protocols = p_loader.get_protocols()
 
     try:
         for protocol in protocols:
             protocol_object = p_loader.load_protocol(protocols[protocol]["argspath"])
-            subparsers = protocol_object.proto_args(subparsers, std_parser, module_parser)
+            subparsers = protocol_object.proto_args(subparsers, [std_parser, module_parser])
     except Exception as e:
         nxc_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol} - {e}")
 
@@ -106,6 +127,10 @@ def gen_cli_args():
         print(f"{VERSION} - {CODENAME} - {COMMIT}")
         sys.exit(1)
 
+    # Multiply output_tries by 10 to enable more fine granural control, see exec methods
+    if hasattr(args, "get_output_tries"):
+        args.get_output_tries = args.get_output_tries * 10
+
     return args
 
 

nxc/connection.py

@@ -4,6 +4,7 @@
 from functools import wraps
 from time import sleep
 from ipaddress import ip_address
+from dns import resolver, rdatatype
 from socket import AF_UNSPEC, SOCK_DGRAM, IPPROTO_IP, AI_CANONNAME, getaddrinfo
 
 from nxc.config import pwned_label
@@ -22,23 +23,63 @@
 user_failed_logins = {}
 
 
-def gethost_addrinfo(hostname):
-    is_ipv6 = False
-    is_link_local_ipv6 = False
+def get_host_addr_info(target, force_ipv6, dns_server, dns_tcp, dns_timeout):
+    result = {
+        "host": "",
+        "is_ipv6": False,
+        "is_link_local_ipv6": False
+    }
     address_info = {"AF_INET6": "", "AF_INET": ""}
 
-    for res in getaddrinfo(hostname, None, AF_UNSPEC, SOCK_DGRAM, IPPROTO_IP, AI_CANONNAME):
-        af, _, _, canonname, sa = res
-        address_info[af.name] = sa[0]
+    try:
+        if ip_address(target).version == 4:
+            address_info["AF_INET"] = target
+        else:
+            address_info["AF_INET6"] = target
+    except Exception:
+        # If the target is not an IP address, we need to resolve it
+        if not (dns_server or dns_tcp):
+            for res in getaddrinfo(target, None, AF_UNSPEC, SOCK_DGRAM, IPPROTO_IP, AI_CANONNAME):
+                af, _, _, canonname, sa = res
+                address_info[af.name] = sa[0]
+
+            if address_info["AF_INET6"] and ip_address(address_info["AF_INET6"]).is_link_local:
+                address_info["AF_INET6"] = canonname
+                result["is_link_local_ipv6"] = True
+        else:
+            dnsresolver = resolver.Resolver()
+            dnsresolver.timeout = dns_timeout
+            dnsresolver.lifetime = dns_timeout
+
+            if dns_server:
+                dnsresolver.nameservers = [dns_server]
+
+            try:
+                answers_ipv4 = dnsresolver.resolve(target, rdatatype.A, raise_on_no_answer=False, tcp=dns_tcp)
+                address_info["AF_INET"] = answers_ipv4[0].address
+            except Exception:
+                pass
+
+            try:
+                answers_ipv6 = dnsresolver.resolve(target, rdatatype.AAAA, raise_on_no_answer=False, tcp=dns_tcp)
+                address_info["AF_INET6"] = answers_ipv6[0].address
+
+                if address_info["AF_INET6"] and ip_address(address_info["AF_INET6"]).is_link_local:
+                    result["is_link_local_ipv6"] = True
+            except Exception:
+                pass
+
+    if not (address_info["AF_INET"] or address_info["AF_INET6"]):
+        raise Exception(f"The DNS query name does not exist: {target}")
 
     # IPv4 preferred
-    if address_info["AF_INET"]:
-        host = address_info["AF_INET"]
+    if address_info["AF_INET"] and not force_ipv6:
+        result["host"] = address_info["AF_INET"]
     else:
-        is_ipv6 = True
-        host, is_link_local_ipv6 = (canonname, True) if ip_address(address_info["AF_INET6"]).is_link_local else (address_info["AF_INET6"], False)
+        result["is_ipv6"] = True
+        result["host"] = address_info["AF_INET6"]
 
-    return host, is_ipv6, is_link_local_ipv6
+    return result
 
 
 def requires_admin(func):
@@ -50,7 +91,7 @@ def _decorator(self, *args, **kwargs):
     return wraps(func)(_decorator)
 
 
-def dcom_FirewallChecker(iInterface, timeout):
+def dcom_FirewallChecker(iInterface, remoteHost, timeout):
     stringBindings = iInterface.get_cinstance().get_string_bindings()
     for strBinding in stringBindings:
         if strBinding["wTowerId"] == 7:
@@ -70,6 +111,7 @@ def dcom_FirewallChecker(iInterface, timeout):
         return True, None
     try:
         rpctransport = transport.DCERPCTransportFactory(stringBinding)
+        rpctransport.setRemoteHost(remoteHost)
         rpctransport.set_connect_timeout(timeout)
         rpctransport.connect()
         rpctransport.disconnect()
@@ -81,45 +123,67 @@ def dcom_FirewallChecker(iInterface, timeout):
 
 
 class connection:
-    def __init__(self, args, db, host):
-        self.domain = None
+    def __init__(self, args, db, target):
         self.args = args
         self.db = db
-        self.hostname = host
-        self.port = self.args.port
+        self.logger = nxc_logger
         self.conn = None
-        self.admin_privs = False
+
+        # Authentication info
         self.password = ""
         self.username = ""
         self.kerberos = bool(self.args.kerberos or self.args.use_kcache or self.args.aesKey)
         self.aesKey = None if not self.args.aesKey else self.args.aesKey[0]
-        self.kdcHost = None if not self.args.kdcHost else self.args.kdcHost
         self.use_kcache = None if not self.args.use_kcache else self.args.use_kcache
+        self.admin_privs = False
         self.failed_logins = 0
+
+        # Network info
+        self.domain = None
+        self.host = None            # IP address of the target. If kerberos this is the hostname
+        self.hostname = target      # Target info supplied by the user, may be an IP address or a hostname
+        self.remoteName = target    # hostname + domain, defaults to target if domain could not be resolved/not specified
+        self.kdcHost = self.args.kdcHost
+        self.port = self.args.port
         self.local_ip = None
-        self.logger = nxc_logger
 
-        try:
-            self.host, self.is_ipv6, self.is_link_local_ipv6 = gethost_addrinfo(self.hostname)
-            if self.args.kerberos:
-                self.host = self.hostname
-            self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local ipv6={self.is_link_local_ipv6}")
-        except Exception as e:
-            self.logger.info(f"Error resolving hostname {self.hostname}: {e}")
+        # DNS resolution
+        dns_result = self.resolver(target)
+        if dns_result:
+            self.host, self.is_ipv6, self.is_link_local_ipv6 = dns_result["host"], dns_result["is_ipv6"], dns_result["is_link_local_ipv6"]
+        else:
             return
 
+        if self.args.kerberos:
+            self.host = self.hostname
+
+        self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local ipv6={self.is_link_local_ipv6}")
+
         try:
             self.proto_flow()
         except Exception as e:
             if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e):
-                self.logger.error(f"Exception while calling proto_flow() on target {self.host}: {e}")
+                self.logger.error(f"Exception while calling proto_flow() on target {target}: {e}")
             else:
-                self.logger.exception(f"Exception while calling proto_flow() on target {self.host}: {e}")
+                self.logger.exception(f"Exception while calling proto_flow() on target {target}: {e}")
         finally:
-            self.logger.debug(f"Closing connection to: {host}")
+            self.logger.debug(f"Closing connection to: {target}")
             with contextlib.suppress(Exception):
                 self.conn.close()
 
+    def resolver(self, target):
+        try:
+            return get_host_addr_info(
+                target=target,
+                force_ipv6=self.args.force_ipv6,
+                dns_server=self.args.dns_server,
+                dns_tcp=self.args.dns_tcp,
+                dns_timeout=self.args.dns_timeout
+            )
+        except Exception as e:
+            self.logger.info(f"Error resolving hostname {target}: {e}")
+            return None
+
     @staticmethod
     def proto_args(std_parser, module_parser):
         return