Merge branch 'Pennyw0rth:main' into main

Author: aconite33

netexec.spec

@@ -33,7 +33,6 @@ a = Analysis(
         'impacket.ldap.ldap',
         'jwt',
         'nxc.connection',
-        'nxc.servers.smb',
         'nxc.protocols.smb.wmiexec',
         'nxc.protocols.smb.atexec',
         'nxc.protocols.smb.smbexec',

nxc/cli.py

@@ -16,7 +16,7 @@
 
 def gen_cli_args():
     setup_debug_logging()
-    
+
     try:
         VERSION, COMMIT = importlib.metadata.version("netexec").split("+")
         DISTANCE, COMMIT = COMMIT.split(".")
@@ -26,28 +26,28 @@ def gen_cli_args():
         DISTANCE = ""
     CODENAME = "SmoothOperator"
     nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
-    
+
     generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
     generic_group = generic_parser.add_argument_group("Generic", "Generic options for nxc across protocols")
     generic_group.add_argument("--version", action="store_true", help="Display nxc version")
     generic_group.add_argument("-t", "--threads", type=int, dest="threads", default=256, help="set how many concurrent threads to use")
     generic_group.add_argument("--timeout", default=None, type=int, help="max timeout in seconds of each thread")
     generic_group.add_argument("--jitter", metavar="INTERVAL", type=str, help="sets a random delay between each authentication")
-    
+
     output_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
     output_group = output_parser.add_argument_group("Output", "Options to set verbosity levels and control output")
     output_group.add_argument("--verbose", action="store_true", help="enable verbose output")
     output_group.add_argument("--debug", action="store_true", help="enable debug level information")
     output_group.add_argument("--no-progress", action="store_true", help="do not displaying progress bar during scan")
     output_group.add_argument("--log", metavar="LOG", help="export result into a custom file")
-    
+
     dns_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
     dns_group = dns_parser.add_argument_group("DNS")
     dns_group.add_argument("-6", dest="force_ipv6", action="store_true", help="Enable force IPv6")
     dns_group.add_argument("--dns-server", action="store", help="Specify DNS server (default: Use hosts file & System DNS)")
     dns_group.add_argument("--dns-tcp", action="store_true", help="Use TCP instead of UDP for DNS queries")
     dns_group.add_argument("--dns-timeout", action="store", type=int, default=3, help="DNS query timeout in seconds")
-    
+
     parser = argparse.ArgumentParser(
         description=rf"""
      .   .
@@ -107,12 +107,6 @@ def gen_cli_args():
     certificate_group.add_argument("--pfx-pass", metavar="PFXPASS", help="Password of the pfx certificate")
     certificate_group.add_argument("--pem-cert", metavar="PEMCERT", help="Use certificate authentication from PEM file")
     certificate_group.add_argument("--pem-key", metavar="PEMKEY", help="Private key for the PEM format")
-    
-    server_group = std_parser.add_argument_group("Servers", "Options for nxc servers")
-    server_group.add_argument("--server", choices={"http", "https"}, default="https", help="use the selected server")
-    server_group.add_argument("--server-host", type=str, default="0.0.0.0", metavar="HOST", help="IP to bind the server to")
-    server_group.add_argument("--server-port", metavar="PORT", type=int, help="start the server on the specified port")
-    server_group.add_argument("--connectback-host", type=str, metavar="CHOST", help="IP for the remote system to connect back to")    
 
     p_loader = ProtocolLoader()
     protocols = p_loader.get_protocols()

nxc/connection.py

@@ -284,11 +284,6 @@ def call_modules(self):
             context = Context(self.db, module_logger, self.args)
             context.localip = self.local_ip
 
-            if hasattr(module, "on_request") or hasattr(module, "has_response"):
-                self.logger.debug(f"Module {module.name} has on_request or has_response methods")
-                self.server.connection = self
-                self.server.context.localip = self.local_ip
-
             if hasattr(module, "on_login"):
                 self.logger.debug(f"Module {module.name} has on_login method")
                 module.on_login(context, self)
@@ -297,10 +292,6 @@ def call_modules(self):
                 self.logger.debug(f"Module {module.name} has on_admin_login method")
                 module.on_admin_login(context, self)
 
-            if (not hasattr(module, "on_request") and not hasattr(module, "has_response")) and hasattr(module, "on_shutdown"):
-                self.logger.debug(f"Module {module.name} has on_shutdown method")
-                module.on_shutdown(context, self)
-
     def inc_failed_login(self, username):
         global global_failed_logins
         global user_failed_logins

nxc/logger.py

@@ -118,10 +118,6 @@ def format(self, msg, *args, **kwargs):  # noqa: A003
         if len(self.extra) == 1 and ("module_name" in self.extra):
             return (f"{colored(self.extra['module_name'], 'cyan', attrs=['bold']):<64} {msg}", kwargs)
 
-        # If the logger is being called from nxcServer
-        if len(self.extra) == 2 and ("module_name" in self.extra) and ("host" in self.extra):
-            return (f"{colored(self.extra['module_name'], 'cyan', attrs=['bold']):<24} {self.extra['host']:<39} {msg}", kwargs)
-
         # If the logger is being called from a protocol
         module_name = colored(self.extra["module_name"], "cyan", attrs=["bold"]) if "module_name" in self.extra else colored(self.extra["protocol"], "blue", attrs=["bold"])
 

nxc/modules/example_module.py

@@ -48,18 +48,3 @@ def on_admin_login(self, context, connection):
         Required if on_login is not present
         This gets called on each authenticated connection with  Administrative privileges
         """
-
-    def on_request(self, context, request):
-        """Optional.
-        If the payload needs to retrieve additional files, add this function to the module
-        """
-
-    def on_response(self, context, response):
-        """Optional.
-        If the payload sends back its output to our server, add this function to the module to handle its output
-        """
-
-    def on_shutdown(self, context, connection):
-        """Optional.
-        Do something on shutdown
-        """

nxc/modules/wcc.py

@@ -123,8 +123,6 @@ def on_admin_login(self, context, connection):
         self.results.setdefault(connection.host, {"checks": []})
         self.context = context
         HostChecker(context, connection).run()
-
-    def on_shutdown(self, context, connection):
         if self.output is not None:
             self.export_results()
 

nxc/netexec.py

@@ -94,9 +94,7 @@ def main():
         nxc_logger.error("KRB5CCNAME environment variable is not set")
         exit(1)
 
-    module_server = None
     targets = []
-    server_port_dict = {"http": 80, "https": 443, "smb": 445}
 
     if hasattr(args, "cred_id") and args.cred_id:
         for cred_id in args.cred_id:
@@ -203,13 +201,6 @@ def main():
                 if ans.lower() not in ["y", "yes", ""]:
                     exit(1)
 
-            if hasattr(module, "on_request") or hasattr(module, "has_response"):
-                if hasattr(module, "required_server"):
-                    args.server = module.required_server
-
-                if not args.server_port:
-                    args.server_port = server_port_dict[args.server]
-
             # Add modules paths to the protocol object so it can load them itself
             proto_module_paths.append(modules[m]["path"])
         protocol_object.module_paths = proto_module_paths
@@ -227,8 +218,6 @@ def main():
     except KeyboardInterrupt:
         nxc_logger.debug("Got keyboard interrupt")
     finally:
-        if module_server:
-            module_server.shutdown()
         db_engine.dispose()
 
 

nxc/protocols/ldap.py

@@ -25,6 +25,7 @@
 )
 from impacket.krb5 import constants
 from impacket.krb5.kerberosv5 import getKerberosTGS, SessionKeyDecryptionError
+from impacket.krb5.ccache import CCache
 from impacket.krb5.types import Principal, KerberosException
 from impacket.ldap import ldap as ldap_impacket
 from impacket.ldap import ldaptypes
@@ -232,7 +233,6 @@ def get_ldap_username(self):
     def enum_host_info(self):
         self.hostname = self.target.split(".")[0].upper() if "." in self.target else self.target
         self.remoteName = self.target
-        self.domain = self.targetDomain
 
         ntlm_challenge = None
         bindRequest = ldapasn1_impacket.BindRequest()
@@ -250,6 +250,14 @@ def enum_host_info(self):
             ntlm_info = parse_challenge(ntlm_challenge)
             self.server_os = ntlm_info["os_version"]
 
+        if self.args.domain:
+            self.domain = self.args.domain
+        elif self.args.use_kcache:  # Fixing domain trust, just pull the auth domain out of the ticket
+            self.domain = CCache.parseFile()[0]
+            self.username = CCache.parseFile()[1]
+        else:
+            self.domain = self.targetDomain
+
         # using kdcHost is buggy on impacket when using trust relation between ad so we kdcHost must stay to none if targetdomain is not equal to domain
         if not self.kdcHost and self.domain and self.domain == self.targetDomain:
             result = self.resolver(self.domain)
@@ -276,15 +284,15 @@ def print_host_info(self):
         self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain})")
 
     def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
-        self.username = username
+        self.username = username if not self.username else self.username    # With ccache we get the username from the ticket
         self.password = password
         self.domain = domain
         self.kdcHost = kdcHost
         self.aesKey = aesKey
 
         lmhash = ""
         nthash = ""
-        self.username = username
+
         # This checks to see if we didn't provide the LM Hash
         if ntlm_hash.find(":") != -1:
             lmhash, nthash = ntlm_hash.split(":")

nxc/protocols/smb.py

@@ -43,7 +43,6 @@
 from nxc.protocols.smb.dpapi import collect_masterkeys_from_target, get_domain_backup_key, upgrade_to_dploot_connection
 from nxc.protocols.smb.firefox import FirefoxCookie, FirefoxData, FirefoxTriage
 from nxc.protocols.smb.kerberos import kerberos_login_with_S4U
-from nxc.servers.smb import NXCSMBServer
 from nxc.protocols.smb.wmiexec import WMIEXEC
 from nxc.protocols.smb.atexec import TSCH_EXEC
 from nxc.protocols.smb.smbexec import SMBEXEC
@@ -65,14 +64,12 @@
 
 from time import time, ctime
 from datetime import datetime
-from functools import wraps
 from traceback import format_exc
 import logging
 from termcolor import colored
 import contextlib
 
 smb_share_name = gen_random_string(5).upper()
-smb_server = None
 
 smb_error_status = [
     "STATUS_ACCOUNT_DISABLED",
@@ -103,50 +100,6 @@ def get_error_string(exception):
     else:
         return str(exception)
 
-
-def requires_smb_server(func):
-    def _decorator(self, *args, **kwargs):
-        global smb_server
-        global smb_share_name
-
-        get_output = False
-        payload = None
-        methods = []
-
-        with contextlib.suppress(IndexError):
-            payload = args[0]
-        with contextlib.suppress(IndexError):
-            get_output = args[1]
-        with contextlib.suppress(IndexError):
-            methods = args[2]
-
-        if "payload" in kwargs:
-            payload = kwargs["payload"]
-        if "get_output" in kwargs:
-            get_output = kwargs["get_output"]
-        if "methods" in kwargs:
-            methods = kwargs["methods"]
-        if not payload and self.args.execute and not self.args.no_output:
-            get_output = True
-        if (get_output or (methods and ("smbexec" in methods))) and not smb_server:
-            self.logger.debug("Starting SMB server")
-            smb_server = NXCSMBServer(
-                self.nxc_logger,
-                smb_share_name,
-                listen_port=self.args.smb_server_port,
-                verbose=self.args.verbose,
-            )
-            smb_server.start()
-
-        output = func(self, *args, **kwargs)
-        if smb_server is not None:
-            smb_server.shutdown()
-            smb_server = None
-        return output
-
-    return wraps(func)(_decorator)
-
-
 class smb(connection):
     def __init__(self, args, db, host):
         self.domain = None