Merge pull request #3 from blacklanternsecurity/upstream-merge-backup

Resolve upstream merge conflicts / Ruff linting fixes / Updates to LDAP protocol

Author: aconite33

netexec.spec

@@ -27,6 +27,7 @@ a = Analysis(
         'impacket.dcerpc.v5.gkdi',
         'impacket.dcerpc.v5.rprn',
         'impacket.dcerpc.v5.even',
+        'impacket.dcerpc.v5.even6',
         'impacket.dpapi_ng',
         'impacket.tds',
         'impacket.version',
@@ -43,6 +44,7 @@ a = Analysis(
         'nxc.parsers.ldap_results',
         'nxc.helpers.bash',
         'nxc.helpers.bloodhound',
+        'nxc.helpers.even6_parser',
         'nxc.helpers.msada_guids',
         'nxc.helpers.ntlm_parser',
         'paramiko',

nxc/config.py

@@ -18,6 +18,11 @@
 
 # Check if there are any missing options in the config file
 for section in nxc_default_config.sections():
+    if not nxc_config.has_section(section):
+        nxc_logger.display(f"Adding missing section '{section}' to nxc.conf")
+        nxc_config.add_section(section)
+        with open(path_join(NXC_PATH, "nxc.conf"), "w") as config_file:
+            nxc_config.write(config_file)
     for option in nxc_default_config.options(section):
         if not nxc_config.has_option(section, option):
             nxc_logger.display(f"Adding missing option '{option}' in config section '{section}' to nxc.conf")

nxc/connection.py

@@ -294,8 +294,7 @@ def call_modules(self):
                 module.on_admin_login(context, self)
 
     def inc_failed_login(self, username):
-        global global_failed_logins
-        global user_failed_logins
+        global global_failed_logins, user_failed_logins
 
         if username not in user_failed_logins:
             user_failed_logins[username] = 0
@@ -305,8 +304,7 @@ def inc_failed_login(self, username):
         self.failed_logins += 1
 
     def over_fail_limit(self, username):
-        global global_failed_logins
-        global user_failed_logins
+        global global_failed_logins, user_failed_logins
 
         if global_failed_logins == self.args.gfail_limit:
             return True

nxc/data/nxc.conf

@@ -16,6 +16,9 @@ bh_port = 7687
 bh_user = neo4j
 bh_pass = bloodhoundcommunityedition
 
+[BloodHound-CE]
+bhce_enabled = True
+
 [Empire]
 api_host = 127.0.0.1
 api_port = 1337

nxc/database.py

@@ -111,6 +111,7 @@ def initialize_db():
     # Even if the default workspace exists, we still need to check if every protocol has a database (in case of a new protocol)
     init_protocol_dbs("default")
 
+
 def format_host_query(q, filter_term, HostsTable):
     """One annoying thing is that if you search for an ip such as '10.10.10.5',
     it will return 10.10.10.5 and 10.10.10.52, so we have to check if its an ip address first
@@ -141,6 +142,7 @@ def format_host_query(q, filter_term, HostsTable):
 
     return q
 
+
 class BaseDB:
     def __init__(self, db_engine):
         self.db_engine = db_engine

nxc/helpers/args.py

@@ -1,6 +1,7 @@
 from argparse import ArgumentDefaultsHelpFormatter, SUPPRESS, OPTIONAL, ZERO_OR_MORE
 from argparse import Action
 
+
 class DisplayDefaultsNotNone(ArgumentDefaultsHelpFormatter):
     def _get_help_string(self, action):
         help_string = action.help

nxc/helpers/even6_parser.py

@@ -5,6 +5,7 @@
 
 from datetime import datetime
 
+
 class Substitution:
     def __init__(self, buf, offset):
         (sub_token, sub_id, sub_type) = struct.unpack_from("<BHB", buf, offset)
@@ -46,6 +47,7 @@ def xml(self, template=None):
         else:
             print("Unknown value type", hex(value.type))
 
+
 class Value:
     def __init__(self, buf, offset):
         token, string_type, length = struct.unpack_from("<BBH", buf, offset)
@@ -56,6 +58,7 @@ def __init__(self, buf, offset):
     def xml(self, template=None):
         return self._val
 
+
 class Attribute:
     def __init__(self, buf, offset):
         struct.unpack_from("<B", buf, offset)
@@ -75,13 +78,15 @@ def xml(self, template=None):
         val = self._value.xml(template)
         return None if val is None else f'{self._name.val}="{val}"'
 
+
 class Name:
     def __init__(self, buf, offset):
         hashs, length = struct.unpack_from("<HH", buf, offset)
 
         self.val = buf[offset + 4:offset + 4 + length * 2].decode("utf16")
         self.length = 4 + (length + 1) * 2
 
+
 class Element:
     def __init__(self, buf, offset):
         token, dependency_id, length = struct.unpack_from("<BHI", buf, offset)
@@ -151,6 +156,7 @@ def xml(self, template=None):
             children = (x.xml(template) for x in self._children)
             return "<{}{}>{}</{}>".format(self._name.val, attrs, "".join(children), self._name.val)
 
+
 class ValueSpec:
     def __init__(self, buf, offset, value_offset):
         self.length, self.type, value_eof = struct.unpack_from("<HBB", buf, offset)
@@ -159,6 +165,7 @@ def __init__(self, buf, offset, value_offset):
         if self.type == 0x21:
             self.template = BinXML(buf, value_offset)
 
+
 class TemplateInstance:
     def __init__(self, buf, offset):
         token, unknown0, guid, length, next_token = struct.unpack_from("<BB16sIB", buf, offset)
@@ -179,6 +186,7 @@ def __init__(self, buf, offset):
     def xml(self, template=None):
         return self._xml.xml(self)
 
+
 class BinXML:
     def __init__(self, buf, offset):
         header_token, major_version, minor_version, flags, next_token = struct.unpack_from("<BBBBB", buf, offset)
@@ -195,6 +203,7 @@ def __init__(self, buf, offset):
     def xml(self, template=None):
         return self._element.xml(template)
 
+
 class ResultSet:
     def __init__(self, buf):
         total_size, header_size, event_offset, bookmark_offset, binxml_size = struct.unpack_from("<IIIII", buf)

nxc/helpers/misc.py

@@ -4,6 +4,8 @@
 import inspect
 import os
 
+from ipaddress import ip_address
+
 
 def identify_target_file(target_file):
     with open(target_file) as target_file_handle:
@@ -22,7 +24,7 @@ def gen_random_string(length=10):
 
 
 def validate_ntlm(data):
-    allowed = re.compile("^[0-9a-f]{32}", re.IGNORECASE)
+    allowed = re.compile(r"^[0-9a-f]{32}", re.IGNORECASE)
     return bool(allowed.match(data))
 
 
@@ -40,7 +42,7 @@ def called_from_cmd_args():
 # Stolen from https://github.com/pydanny/whichcraft/
 def which(cmd, mode=os.F_OK | os.X_OK, path=None):
     """Find the path which conforms to the given mode on the PATH for a command.
-    
+
     Given a command, mode, and a PATH string, return the path which conforms to the given mode on the PATH, or None if there is no such file.
     `mode` defaults to os.F_OK | os.X_OK. `path` defaults to the result of os.environ.get("PATH"), or can be overridden with a custom search path.
     Note: This function was backported from the Python 3 source code.
@@ -77,3 +79,70 @@ def _access_check(fn, mode):
                 name = os.path.join(p, thefile)
                 if _access_check(name, mode):
                     return name
+
+
+def get_bloodhound_info():
+    """
+    Detect which BloodHound package is installed (regular or CE) and its version.
+
+    Returns
+    -------
+        tuple: (package_name, version, is_ce)
+            - package_name: Name of the installed package ('bloodhound', 'bloodhound-ce', or None)
+            - version: Version string of the installed package (or None if not installed)
+            - is_ce: Boolean indicating if it's the Community Edition
+    """
+    import importlib.metadata
+    import importlib.util
+
+    # First check if any BloodHound package is available to import
+    if importlib.util.find_spec("bloodhound") is None:
+        return None, None, False
+
+    # Try to get version info from both possible packages
+    version = None
+    package_name = None
+    is_ce = False
+
+    # Check for bloodhound-ce first
+    try:
+        version = importlib.metadata.version("bloodhound-ce")
+        package_name = "bloodhound-ce"
+        is_ce = True
+    except importlib.metadata.PackageNotFoundError:
+        # Check for regular bloodhound
+        try:
+            version = importlib.metadata.version("bloodhound")
+            package_name = "bloodhound"
+
+            # Even when installed as 'bloodhound', check if it's actually the CE version
+            if version and ("ce" in version.lower() or "community" in version.lower()):
+                is_ce = True
+        except importlib.metadata.PackageNotFoundError:
+            # No bloodhound package found via metadata
+            pass
+
+    # In case we can import it but metadata is not working, check the module itself
+    if not version:
+        try:
+            import bloodhound
+            version = getattr(bloodhound, "__version__", "unknown")
+            package_name = "bloodhound"
+
+            # Check if it's CE based on version string
+            if "ce" in version.lower() or "community" in version.lower():
+                is_ce = True
+                package_name = "bloodhound-ce"
+        except ImportError:
+            pass
+
+    return package_name, version, is_ce
+
+
+def detect_if_ip(target):
+    try:
+        ip_address(target)
+        return True
+    except Exception:
+        return False
+

nxc/helpers/pfx.py

@@ -30,7 +30,6 @@
 import secrets
 import hashlib
 import datetime
-import logging
 import random
 import base64
 
@@ -47,8 +46,7 @@
 from minikerberos.pkinit import PKINIT, DirtyDH
 from minikerberos.protocol.constants import NAME_TYPE, PaDataType
 from minikerberos.protocol.encryption import Enctype, _enctype_table, Key
-from minikerberos.protocol.asn1_structs import KDC_REQ_BODY, PrincipalName, KDCOptions, EncASRepPart, AS_REQ, PADATA_TYPE, \
-    PA_PAC_REQUEST
+from minikerberos.protocol.asn1_structs import KDC_REQ_BODY, PrincipalName, KDCOptions, EncASRepPart, AS_REQ, PADATA_TYPE, PA_PAC_REQUEST
 from minikerberos.protocol.rfc4556 import PKAuthenticator, AuthPack, PA_PK_AS_REP, KDCDHKeyInfo, PA_PK_AS_REQ
 
 from pyasn1.codec.der import decoder, encoder
@@ -70,6 +68,7 @@
 from impacket.krb5.ccache import CCache as impacket_CCache
 
 from nxc.paths import NXC_PATH
+from nxc.logger import nxc_logger
 
 
 class myPKINIT(PKINIT):
@@ -304,8 +303,8 @@ def truncate_key(value, keysize):
 
         key = Key(cipher.enctype, t_key)
         enc_data = as_rep["enc-part"]["cipher"]
-        logging.info("AS-REP encryption key (you might need this later):")
-        logging.info(hexlify(t_key).decode("utf-8"))
+        nxc_logger.info("AS-REP encryption key (you might need this later):")
+        nxc_logger.info(hexlify(t_key).decode("utf-8"))
         dec_data = cipher.decrypt(key, 3, enc_data)
         encasrep = EncASRepPart.load(dec_data).native
         cipher = _enctype_table[int(encasrep["key"]["keytype"])]
@@ -327,34 +326,27 @@ def printPac(self, data, key=None):
         for _bufferN in range(pacType["cBuffers"]):
             infoBuffer = PAC_INFO_BUFFER(buff)
             data = pacType["Buffers"][infoBuffer["Offset"] - 8:][:infoBuffer["cbBufferSize"]]
-            if logging.getLogger().level == logging.DEBUG:
-                print("TYPE 0x%x" % infoBuffer["ulType"])
+            nxc_logger.debug(f"TYPE 0x{infoBuffer['ulType']}")
             if infoBuffer["ulType"] == 2:
                 found = True
                 credinfo = PAC_CREDENTIAL_INFO(data)
-                if logging.getLogger().level == logging.DEBUG:
-                    credinfo.dump()
                 newCipher = _enctype_table[credinfo["EncryptionType"]]
                 out = newCipher.decrypt(key, 16, credinfo["SerializedData"])
                 type1 = TypeSerialization1(out)
                 # I'm skipping here 4 bytes with its the ReferentID for the pointer
                 newdata = out[len(type1) + 4:]
                 pcc = PAC_CREDENTIAL_DATA(newdata)
-                if logging.getLogger().level == logging.DEBUG:
-                    pcc.dump()
                 for cred in pcc["Credentials"]:
                     credstruct = NTLM_SUPPLEMENTAL_CREDENTIAL(b"".join(cred["Credentials"]))
-                    if logging.getLogger().level == logging.DEBUG:
-                        credstruct.dump()
 
-                    logging.info("Recovered NT Hash")
-                    logging.info(hexlify(credstruct["NtPassword"]).decode("utf-8"))
+                    nxc_logger.info("Recovered NT Hash")
+                    nxc_logger.info(hexlify(credstruct["NtPassword"]).decode("utf-8"))
                     nthash = hexlify(credstruct["NtPassword"]).decode("utf-8")
 
             buff = buff[len(infoBuffer):]
 
         if not found:
-            logging.info("Did not find the PAC_CREDENTIAL_INFO in the PAC. Are you sure your TGT originated from a PKINIT operation?")
+            nxc_logger.info("Did not find the PAC_CREDENTIAL_INFO in the PAC. Are you sure your TGT originated from a PKINIT operation?")
         return nthash
 
     def __init__(self, username, domain, kdcHost, key, tgt):
@@ -399,10 +391,8 @@ def dump(self):
         authenticator["cusec"] = now.microsecond
         authenticator["ctime"] = KerberosTime.to_asn1(now)
 
-        if logging.getLogger().level == logging.DEBUG:
-            logging.debug("AUTHENTICATOR")
-            print(authenticator.prettyPrint())
-            print("\n")
+        nxc_logger.debug("AUTHENTICATOR")
+        nxc_logger.debug(authenticator.prettyPrint() + "\n")
 
         encodedAuthenticator = encoder.encode(authenticator)
 
@@ -452,23 +442,18 @@ def dump(self):
 
         myTicket = ticket.to_asn1(TicketAsn1())
         seq_set_iter(reqBody, "additional-tickets", (myTicket,))
-        if logging.getLogger().level == logging.DEBUG:
-            logging.debug("Final TGS")
-            print(tgsReq.prettyPrint())
-        if logging.getLogger().level == logging.DEBUG:
-            logging.debug("Final TGS")
-            print(tgsReq.prettyPrint())
+        nxc_logger.debug("Final TGS")
+        nxc_logger.debug(tgsReq.prettyPrint())
 
         message = encoder.encode(tgsReq)
-        logging.info("Requesting ticket to self with PAC")
+        nxc_logger.info("Requesting ticket to self with PAC")
 
         r = sendReceive(message, self.__domain, self.__kdcHost)
 
         tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
 
-        if logging.getLogger().level == logging.DEBUG:
-            logging.debug("TGS_REP")
-            print(tgs.prettyPrint())
+        nxc_logger.debug("TGS_REP")
+        nxc_logger.debug(tgs.prettyPrint())
 
         cipherText = tgs["ticket"]["enc-part"]["cipher"]