Resolve dependency conflicts, regenerate lockfile, and sync with upstream

Author: Mercury0

.github/workflows/build-binaries.yml

@@ -27,7 +27,7 @@ jobs:
       if: runner.os == 'windows'
       uses: actions/upload-artifact@v4
       with:
-        name: nxc.exe
+        name: nxc-windows.exe
         path: dist/nxc.exe
     - name: Upload Nix/OSx Binary
       if: runner.os != 'windows'

netexec.spec

@@ -19,7 +19,9 @@ a = Analysis(
         'aardwolf.commons.iosettings',
         'aardwolf.commons.target',
         'aardwolf.protocol.x224.constants',
-        'certipy',
+        'certipy.commands.find',
+        'certipy.lib.formatting',
+        'certipy.lib.target',
         'impacket.examples.secretsdump',
         'impacket.examples.regsecrets',
         'impacket.dcerpc.v5.lsat',

nxc/cli.py

@@ -27,18 +27,19 @@ def gen_cli_args():
     CODENAME = "BLS"
 
     generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
-    generic_group = generic_parser.add_argument_group("Generic", "Generic options for nxc across protocols")
+    generic_group = generic_parser.add_argument_group("Generic Options")
     generic_group.add_argument("--version", action="store_true", help="Display nxc version")
     generic_group.add_argument("-t", "--threads", type=int, dest="threads", default=256, help="set how many concurrent threads to use")
     generic_group.add_argument("--timeout", default=None, type=int, help="max timeout in seconds of each thread")
     generic_group.add_argument("--jitter", metavar="INTERVAL", type=str, help="sets a random delay between each authentication")
 
     output_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
-    output_group = output_parser.add_argument_group("Output", "Options to set verbosity levels and control output")
-    output_group.add_argument("--verbose", action="store_true", help="enable verbose output")
-    output_group.add_argument("--debug", action="store_true", help="enable debug level information")
+    output_group = output_parser.add_argument_group("Output Options")
     output_group.add_argument("--no-progress", action="store_true", help="do not displaying progress bar during scan")
     output_group.add_argument("--log", metavar="LOG", help="export result into a custom file")
+    log_level = output_group.add_mutually_exclusive_group()
+    log_level.add_argument("--verbose", action="store_true", help="enable verbose output")
+    log_level.add_argument("--debug", action="store_true", help="enable debug level information")
 
     dns_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
     dns_group = dns_parser.add_argument_group("DNS")
@@ -73,7 +74,7 @@ def gen_cli_args():
 
     # we do module arg parsing here so we can reference the module_list attribute below
     module_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
-    mgroup = module_parser.add_argument_group("Modules", "Options for nxc modules")
+    mgroup = module_parser.add_argument_group("Modules")
     mgroup.add_argument("-M", "--module", choices=get_module_names(), action="append", metavar="MODULE", help="module to use")
     mgroup.add_argument("-o", metavar="MODULE_OPTION", nargs="+", default=[], dest="module_options", help="module options")
     mgroup.add_argument("-L", "--list-modules", nargs="?", type=str, const="", help="list available modules")
@@ -83,7 +84,7 @@ def gen_cli_args():
 
     std_parser = argparse.ArgumentParser(add_help=False, parents=[generic_parser, output_parser, dns_parser], formatter_class=DisplayDefaultsNotNone)
     std_parser.add_argument("target", nargs="+" if not (module_parser.parse_known_args()[0].list_modules is not None or module_parser.parse_known_args()[0].show_module_options or generic_parser.parse_known_args()[0].version) else "*", type=str, help="the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, NMap XML or .Nessus file(s)")
-    credential_group = std_parser.add_argument_group("Authentication", "Options for authenticating")
+    credential_group = std_parser.add_argument_group("Authentication")
     credential_group.add_argument("-u", "--username", metavar="USERNAME", dest="username", nargs="+", default=[], help="username(s) or file(s) containing usernames")
     credential_group.add_argument("-p", "--password", metavar="PASSWORD", dest="password", nargs="+", default=[], help="password(s) or file(s) containing passwords")
     credential_group.add_argument("-id", metavar="CRED_ID", nargs="+", default=[], type=str, dest="cred_id", help="database credential ID(s) to use for authentication")
@@ -94,13 +95,13 @@ def gen_cli_args():
     credential_group.add_argument("--ufail-limit", metavar="LIMIT", type=int, help="max number of failed login attempts per username")
     credential_group.add_argument("--fail-limit", metavar="LIMIT", type=int, help="max number of failed login attempts per host")
 
-    kerberos_group = std_parser.add_argument_group("Kerberos", "Options for Kerberos authentication")
+    kerberos_group = std_parser.add_argument_group("Kerberos Authentication")
     kerberos_group.add_argument("-k", "--kerberos", action="store_true", help="Use Kerberos authentication")
     kerberos_group.add_argument("--use-kcache", action="store_true", help="Use Kerberos authentication from ccache file (KRB5CCNAME)")
     kerberos_group.add_argument("--aesKey", metavar="AESKEY", nargs="+", help="AES key to use for Kerberos Authentication (128 or 256 bits)")
     kerberos_group.add_argument("--kdcHost", metavar="KDCHOST", help="FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter")
 
-    certificate_group = std_parser.add_argument_group("Certificate", "Options for certificate authentication")
+    certificate_group = std_parser.add_argument_group("Certificate Authentication")
     certificate_group.add_argument("--pfx-cert", metavar="PFXCERT", help="Use certificate authentication from pfx file .pfx")
     certificate_group.add_argument("--pfx-base64", metavar="PFXB64", help="Use certificate authentication from pfx file encoded in base64")
     certificate_group.add_argument("--pfx-pass", metavar="PFXPASS", help="Password of the pfx certificate")

nxc/connection.py

@@ -176,6 +176,8 @@ def __init__(self, args, db, target):
 
         try:
             self.proto_flow()
+        except FileNotFoundError as e:
+            self.logger.error(f"File not found error on target {target}: {e}")
         except Exception as e:
             if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e):
                 self.logger.error(f"Exception while calling proto_flow() on target {target}: {e}")

nxc/database.py

@@ -1,18 +1,21 @@
 import configparser
 import ipaddress
+import platform
 import shutil
 import sys
 from os import mkdir
 from os.path import exists
 from os.path import join as path_join
 from pathlib import Path
-from sqlite3 import connect
 from threading import Lock
 
-from sqlalchemy import create_engine, MetaData, func
-from sqlalchemy.exc import IllegalStateChangeError
+from sqlalchemy import Table, create_engine, MetaData, func
+from sqlalchemy.exc import (
+    IllegalStateChangeError,
+    NoInspectionAvailable,
+    NoSuchTableError,
+)
 from sqlalchemy.orm import sessionmaker, scoped_session
-
 from nxc.loaders.protocolloader import ProtocolLoader
 from nxc.logger import nxc_logger
 from nxc.paths import WORKSPACE_DIR
@@ -57,25 +60,15 @@ def init_protocol_dbs(workspace_name, p_loader=None):
     if p_loader is None:
         p_loader = ProtocolLoader()
     protocols = p_loader.get_protocols()
-
     for protocol in protocols:
         protocol_object = p_loader.load_protocol(protocols[protocol]["dbpath"])
         proto_db_path = path_join(WORKSPACE_DIR, workspace_name, f"{protocol}.db")
 
         if not exists(proto_db_path):
             print(f"[*] Initializing {protocol.upper()} protocol database")
-            conn = connect(proto_db_path)
-            c = conn.cursor()
-
-            # try to prevent some weird sqlite I/O errors
-            c.execute("PRAGMA journal_mode = OFF")
-            c.execute("PRAGMA foreign_keys = 1")
-
-            protocol_object.database.db_schema(c)
-
-            # commit the changes and close everything off
-            conn.commit()
-            conn.close()
+            db_engine = create_db_engine(proto_db_path)
+            protocol_object.database.db_schema(db_engine)
+            db_engine.dispose()
 
 
 def create_workspace(workspace_name, p_loader=None):
@@ -155,6 +148,44 @@ def __init__(self, db_engine):
     def reflect_tables(self):
         raise NotImplementedError("Reflect tables not implemented")
 
+    def reflect_table(self, table):
+        with self.db_engine.connect():
+            try:
+                reflected_table = Table(table.__tablename__, self.metadata, autoload_with=self.db_engine)
+
+                # Check for column addition / deletion
+                reflected_columns = set(reflected_table.columns.keys())
+                orm_columns = {column.name for column in table.__table__.columns}
+                if reflected_columns != orm_columns:
+                    raise ValueError(f"Schema mismatch detected! ORM columns: {orm_columns}, Reflected columns: {reflected_columns}")
+
+                # Check for constraint changes
+                reflected_constraints = [(type(c), c.columns.keys()) for c in reflected_table._sorted_constraints]
+                orm_constraints = [(type(c), c.columns.keys()) for c in table.__table__._sorted_constraints]
+                if reflected_constraints != orm_constraints:
+                    raise ValueError(f"Schema mismatch detected! ORM constraints: {orm_constraints}, Reflected constraints: {reflected_constraints}")
+
+                return reflected_table
+            except (NoInspectionAvailable, NoSuchTableError, ValueError) as e:
+                commands_platform = {
+                    "Windows": [
+                        f"cmd /c copy {self.db_path} %USERPROFILE%\\nxc_{self.protocol.lower()}.bak",
+                        f"del {self.db_path}"
+                    ],
+                    "Linux": [
+                        f"cp {self.db_path} ~/nxc_{self.protocol.lower()}.bak",
+                        f"rm -f {self.db_path}"
+                    ]
+                }
+                copy_command = commands_platform["Windows"][0] if platform.system() == "Windows" else commands_platform["Linux"][0]
+                delete_command = commands_platform["Windows"][1] if platform.system() == "Windows" else commands_platform["Linux"][1]
+                nxc_logger.fail(f"Schema mismatch detected for table '{table.__tablename__}' in protocol '{self.protocol}'")
+                nxc_logger.debug(e)
+                nxc_logger.fail("This is probably because a newer version of nxc is being run on an old DB schema.")
+                nxc_logger.fail(f"Optionally save the old DB data (`{copy_command}`)")
+                nxc_logger.fail(f"Then remove the {self.protocol} DB (`{delete_command}`) and run nxc to initialize the new DB")
+                sys.exit()
+
     def shutdown_db(self):
         try:
             self.sess.close()

nxc/logger.py

@@ -106,6 +106,7 @@ def __init__(self, extra=None, merge_extra=False):
         logging.getLogger("unicrypto").disabled = True
         logging.getLogger("asyncio").setLevel(logging.ERROR)
         logging.getLogger("neo4j").setLevel(logging.ERROR)
+        logging.getLogger("pypsrp").setLevel(logging.ERROR)
 
     def format(self, msg, *args, **kwargs):
         """Format msg for output
@@ -179,7 +180,11 @@ def add_file_log(self, log_file=None):
         file_creation = False
 
         if not os.path.isfile(output_file):
-            open(output_file, "x")  # noqa: SIM115
+            try:
+                open(output_file, "x")  # noqa: SIM115
+            except FileNotFoundError:
+                print(f"{colored('[-]', 'red', attrs=['bold'])} Log file path does not exist: {os.path.dirname(output_file)}")
+                exit(1)
             file_creation = True
 
         file_handler = RotatingFileHandler(output_file, maxBytes=100000, encoding="utf-8")