Make execution methods more efficient and wait powershell execution if detectable

NeffIsBack · NeffIsBack · commit 4ffcc83bcc02 · 2024-05-20T10:50:48.000-04:00
diff --git a/nxc/cli.py b/nxc/cli.py
@@ -106,6 +106,10 @@ def gen_cli_args():
         print(f"{VERSION} - {CODENAME} - {COMMIT}")
         sys.exit(1)
 
+    # Multiply output_tries by 10 to enable more fine granural control, see exec methods
+    if hasattr(args, "get_output_tries"):
+        args.get_output_tries = args.get_output_tries * 10
+
     return args
 
 
diff --git a/nxc/protocols/smb/atexec.py b/nxc/protocols/smb/atexec.py
@@ -131,7 +131,7 @@ def execute_handler(self, command, fileless=False):
 
         xml = self.gen_xml(command, fileless)
 
-        self.logger.info(f"Task XML: {xml}")
+        self.logger.debug(f"Task XML: {xml}")
         taskCreated = False
         self.logger.info(f"Creating task \\{tmpName}")
         try:
@@ -179,22 +179,32 @@ def execute_handler(self, command, fileless=False):
             else:
                 ":".join(map(str, self.__rpctransport.get_socket().getpeername()))
                 smbConnection = self.__rpctransport.get_smb_connection()
-                tries = 1
+
+                tries = 0
+                # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
+                sleep(0.4)
                 while True:
                     try:
                         self.logger.info(f"Attempting to read {self.__share}\\{self.__output_filename}")
                         smbConnection.getFile(self.__share, self.__output_filename, self.output_callback)
                         break
                     except Exception as e:
-                        if tries >= self.__tries:
+                        if tries > self.__tries:
                             self.logger.fail("ATEXEC: Could not retrieve output file, it may have been detected by AV. Please increase the number of tries with the option '--get-output-tries'. If it is still failing, try the 'wmi' protocol or another exec method")
                             break
                         if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
                             self.logger.fail(f"ATEXEC: Getting the output file failed - target has blocked access to the share: {self.__share} (but the command may have executed!)")
                             break
-                        if str(e).find("SHARING") > 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                            sleep(3)
+                        # When executing powershell and the command is still running, we get a sharing violation
+                        # We can use that information to wait longer than if the file is not found (probably av or something)
+                        if "STATUS_SHARING_VIOLATION" in str(e):
+                            self.logger.info(f"File {self.__share}\\{self.__output_filename} is still in use with {self.__tries - tries} left, retrying...")
                             tries += 1
+                            sleep(1)
+                        elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                            self.logger.info(f"File {self.__share}\\{self.__output_filename} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                            tries += 10
+                            sleep(1)
                         else:
                             self.logger.debug(str(e))
 
diff --git a/nxc/protocols/smb/mmcexec.py b/nxc/protocols/smb/mmcexec.py
@@ -242,23 +242,32 @@ def get_output_remote(self):
         if self.__retOutput is False:
             self.__outputBuffer = ""
             return
-        tries = 1
+
+        tries = 0
+        # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
+        sleep(0.4)
         while True:
             try:
                 self.logger.info(f"Attempting to read {self.__share}\\{self.__output}")
                 self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
-                if tries >= self.__tries:
+                if tries > self.__tries:
                     self.logger.fail("MMCEXEC: Could not retrieve output file, it may have been detected by AV. Please increase the number of tries with the option '--get-output-tries'. If it is still failing, try the 'wmi' protocol or another exec method")
                     break
                 if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
                     self.logger.fail(f"MMCEXEC: Getting the output file failed - target has blocked access to the share: {self.__share} (but the command may have executed!)")
                     break
-                if str(e).find("STATUS_SHARING_VIOLATION") >= 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                    # Output not finished, let's wait
-                    sleep(2)
+                # When executing powershell and the command is still running, we get a sharing violation
+                # We can use that information to wait longer than if the file is not found (probably av or something)
+                if "STATUS_SHARING_VIOLATION" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} is still in use with {self.__tries - tries} left, retrying...")
                     tries += 1
+                    sleep(1)
+                elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                    tries += 10
+                    sleep(1)
                 else:
                     self.logger.debug(str(e))
 
diff --git a/nxc/protocols/smb/proto_args.py b/nxc/protocols/smb/proto_args.py
@@ -43,7 +43,7 @@ def proto_args(parser, std_parser, module_parser):
     egroup.add_argument("--computers", nargs="?", const="", metavar="COMPUTER", help="enumerate computer users")
     egroup.add_argument("--local-groups", nargs="?", const="", metavar="GROUP", help="enumerate local groups, if a group is specified then its members are enumerated")
     egroup.add_argument("--pass-pol", action="store_true", help="dump password policy")
-    egroup.add_argument("--rid-brute", nargs="?", type=int, default=4000, metavar="MAX_RID", help="enumerate users by bruteforcing RID's (default: %(default)s)")
+    egroup.add_argument("--rid-brute", nargs="?", type=int, const=4000, metavar="MAX_RID", help="enumerate users by bruteforcing RID's (default: 4000)")
     egroup.add_argument("--wmi", metavar="QUERY", type=str, help="issues the specified WMI query")
     egroup.add_argument("--wmi-namespace", metavar="NAMESPACE", default="root\\cimv2", help="WMI Namespace (default: %(default)s)")
 
@@ -66,7 +66,7 @@ def proto_args(parser, std_parser, module_parser):
     cgroup = smb_parser.add_argument_group("Command Execution", "Options for executing commands")
     cgroup.add_argument("--exec-method", choices={"wmiexec", "mmcexec", "smbexec", "atexec"}, default=None, help="method to execute the command. Ignored if in MSSQL mode (default: wmiexec)")
     cgroup.add_argument("--dcom-timeout", help="DCOM connection timeout, default is %(default)s secondes", type=int, default=5)
-    cgroup.add_argument("--get-output-tries", help="Number of times atexec/smbexec/mmcexec tries to get results, default is %(default)s", type=int, default=5)
+    cgroup.add_argument("--get-output-tries", help="Number of times atexec/smbexec/mmcexec tries to get results, default is %(default)s", type=int, default=10)
     cgroup.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: %(default)s). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
     cgroup.add_argument("--force-ps32", action="store_true", help="force the PowerShell command to run in a 32-bit process")
     cgroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")
diff --git a/nxc/protocols/smb/smbexec.py b/nxc/protocols/smb/smbexec.py
@@ -98,9 +98,7 @@ def execute_remote(self, data):
             batch_file.write(command)
 
         self.logger.debug("Hosting batch file with command: " + command)
-
         self.logger.debug("Command to execute: " + command)
-
         self.logger.debug(f"Remote service {self.__serviceName} created.")
 
         try:
@@ -137,23 +135,32 @@ def get_output_remote(self):
         if self.__retOutput is False:
             self.__outputBuffer = ""
             return
-        tries = 1
+
+        # TODO: It looks like the service is hanging anyway until the command is finished, so all this timeout logic is likely not needed
+        # Still adding this for now to keep the structure similar until we can confirm the above
+        tries = 0
         while True:
             try:
                 self.logger.info(f"Attempting to read {self.__share}\\{self.__output}")
                 self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
-                if tries >= self.__tries:
+                if tries > self.__tries:
                     self.logger.fail("SMBEXEC: Could not retrieve output file, it may have been detected by AV. Please increase the number of tries with the option '--get-output-tries'. If it is still failing, try the 'wmi' protocol or another exec method")
                     break
                 if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
                     self.logger.fail(f"SMBEXEC: Getting the output file failed - target has blocked access to the share: {self.__share} (but the command may have executed!)")
                     break
-                if str(e).find("STATUS_SHARING_VIOLATION") >= 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                    # Output not finished, let's wait
-                    sleep(2)
+                # When executing powershell and the command is still running, we get a sharing violation
+                # We can use that information to wait longer than if the file is not found (probably av or something)
+                if "STATUS_SHARING_VIOLATION" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} is still in use with {self.__tries - tries} left, retrying...")
                     tries += 1
+                    sleep(1)
+                elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                    tries += 10
+                    sleep(1)
                 else:
                     self.logger.debug(str(e))
 
diff --git a/nxc/protocols/smb/wmiexec.py b/nxc/protocols/smb/wmiexec.py
@@ -138,22 +138,31 @@ def get_output_remote(self):
             self.__outputBuffer = ""
             return
 
-        tries = 1
+        tries = 0
+        # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
+        sleep(0.4)
         while True:
             try:
                 self.logger.info(f"Attempting to read {self.__share}\\{self.__output}")
                 self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
-                if tries >= self.__tries:
+                if tries > self.__tries:
                     self.logger.fail("WMIEXEC: Could not retrieve output file, it may have been detected by AV. If it is still failing, try the 'wmi' protocol or another exec method")
                     break
                 if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
                     self.logger.fail(f"SMB connection: target has blocked {self.__share} access (maybe command executed!)")
                     break
-                if str(e).find("STATUS_SHARING_VIOLATION") >= 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                    sleep(2)
+                # When executing powershell and the command is still running, we get a sharing violation
+                # We can use that information to wait longer than if the file is not found (probably av or something)
+                if "STATUS_SHARING_VIOLATION" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} is still in use with {self.__tries - tries} left, retrying...")
                     tries += 1
+                    sleep(1)
+                elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                    tries += 10
+                    sleep(1)
                 else:
                     self.logger.debug(str(e))
 
