Merge branch 'main' into opsec

Author: NeffIsBack

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,3 +1,5 @@
+# ❗❗❗ Before filing this bug report, MAKE SURE you have already downloaded the newest version of NetExec from GitHub and installed it! Many issues have already been reported and fixed, _especially_ if you are running the native Kali version! Please delete this line before submitting your issue if you have done so.❗❗❗
+
 ---
 name: Bug report
 about: Create a report to help us improve
@@ -7,6 +9,8 @@ assignees: ''
 
 ---
 
+
+
 **Describe the bug**
 A clear and concise description of what the bug is.
 
@@ -30,7 +34,7 @@ If applicable, add screenshots to help explain your problem.
 
 **NetExec info**
  - OS: [e.g. Kali]
- - Version of nxc: [e.g. v1.5.2]
+ - Version of nxc: [e.g. v1.5.2] (run nxc --version and post the _exact_ string that is output)
  - Installed from: apt/github/pip/docker/...? Please try with latest release before opening an issue
 
 **Additional context**

nxc/modules/dump-computers.py

@@ -0,0 +1,68 @@
+from nxc.parsers.ldap_results import parse_result_attributes
+
+
+class NXCModule:
+    name = "dump-computers"
+    description = "Dumps all computers in the domain"
+    supported_protocols = ["ldap"]
+    opsec_safe = True
+    multiple_hosts = False
+
+    def options(self, context, module_options):
+        """
+        TYPE        Only dump NETBIOS or FQDN instead of 'FQDN (OS Version)'
+        OUTPUT      Output to file in addition to printing to console
+
+        Examples
+        --------
+        netexec ldap $DC-IP -u $username -p $password -M dump-computers
+        netexec ldap $DC-IP -u $username -p $password -M dump-computers -o TYPE=netbios
+        netexec ldap $DC-IP -u $username -p $password -M dump-computers -o TYPE=fqdn
+        netexec ldap $DC-IP -u $username -p $password -M dump-computers -o TYPE=netbios OUTPUT=<location>
+        """
+        self.output_file = None
+        self.netbios_only = False
+        self.fqdn_only = False
+
+        if "OUTPUT" in module_options:
+            self.output_file = module_options["OUTPUT"]
+        if "TYPE" in module_options:
+            if module_options["TYPE"].lower() == "netbios":
+                self.netbios_only = True
+            elif module_options["TYPE"].lower() == "fqdn":
+                self.fqdn_only = True
+
+    def on_login(self, context, connection):
+        resp = connection.search(
+            searchFilter="(objectCategory=computer)",
+            attributes=["dNSHostName", "operatingSystem"]
+        )
+        resp_parsed = parse_result_attributes(resp)
+
+        answers = []
+        context.log.debug(f"Total number of records returned: {len(resp_parsed)}")
+
+        for item in resp_parsed:
+            dns_host_name = item["dNSHostName"]
+            operating_system = item.get("operatingSystem", "Unknown OS")
+
+            if self.netbios_only:
+                netbios_name = dns_host_name.split(".")[0]
+                answer = netbios_name
+            elif self.fqdn_only:
+                answer = dns_host_name
+            else:
+                answer = f"{dns_host_name} ({operating_system})"
+            answers.append(answer)
+
+        context.log.success("Found the following computers:")
+        for answer in answers:
+            context.log.highlight(answer)
+
+        if self.output_file:
+            try:
+                with open(self.output_file, "w") as f:
+                    f.write("\n".join(answers) + "\n")
+                context.log.success(f"Results saved to {self.output_file}")
+            except Exception as e:
+                context.log.error(f"Failed to write to file {self.output_file}: {e}")

nxc/modules/wcc.py

@@ -178,6 +178,7 @@ def init_checks(self):
             ConfigCheck("CredentialGuard enabled", "Checks if CredentialGuard is enabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard", "EnableVirtualizationBasedSecurity", 1), ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "LsaCfgFlags", 1)]]),
             ConfigCheck("Lsass run as PPL", "Checks if lsass runs as a protected process", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "RunAsPPL", 1)]]),
             ConfigCheck("No Powershell v2", "Checks if powershell v2 is available", checker_args=[[self, ("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PSCompatibleVersion", "2.0", not_(operator.contains))]]),
+            ConfigCheck("LLMNR disabled", "Checks if LLMNR is disabled", checker_args=[[self, ("HKLM\\Software\\policies\\Microsoft\\Windows NT\\DNSClient", "EnableMulticast", 0)]]),
             ConfigCheck("LmCompatibilityLevel == 5", "Checks if LmCompatibilityLevel is set to 5", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "LmCompatibilityLevel", 5, operator.ge)]]),
             ConfigCheck("NBTNS disabled", "Checks if NBTNS is disabled on all interfaces", checkers=[self.check_nbtns]),
             ConfigCheck("mDNS disabled", "Checks if mDNS is disabled", checker_args=[[self, ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNScache\\Parameters", "EnableMDNS", 0)]]),
@@ -453,13 +454,21 @@ def check_wsus_running(self):
         return ok, reasons
 
     def check_nbtns(self):
+        adapters_key = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}"
         key_name = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters\\Interfaces"
         subkeys = self.reg_get_subkeys(self.dce, self.connection, key_name)
         success = False
         reasons = []
         missing = 0
         nbtns_enabled = 0
+
         for subkey in subkeys:
+            # Ignore Microsoft Kernel Debug Network Adapter
+            kdnic_key = adapters_key + "\\0000"
+            kdnic_uuid = self.reg_query_value(self.dce, self.connection, kdnic_key, "NetCfgInstanceId")
+            if subkey.lower() == ("Tcpip_" + kdnic_uuid).replace("\x00", "").lower():
+                continue
+
             value = self.reg_query_value(self.dce, self.connection, key_name + "\\" + subkey, "NetbiosOptions")
             if isinstance(value, DCERPCSessionError):
                 if value.error_code == ERROR_OBJECT_NOT_FOUND:

tests/e2e_commands.txt

@@ -210,6 +210,7 @@ netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M subnets
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M user-desc
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M whoami
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M pso
+netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M dump-computers
 ##### WINRM
 netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS # need an extra space after this command due to regex
 netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig