Merge pull request Pennyw0rth#970 from Pennyw0rth/neff-fix-#967

Author: NeffIsBack

nxc/connection.py

@@ -135,6 +135,8 @@ def __init__(self, args, db, target):
         self.db = db
         self.logger = nxc_logger
         self.conn = None
+        self.output_file_template = None
+        self.output_filename = None
 
         # Authentication info
         self.password = ""
@@ -159,11 +161,6 @@ def __init__(self, args, db, target):
         self.local_ip = None
         self.dns_server = self.args.dns_server
 
-        # Construct the output file template using os.path.join for OS compatibility
-        base_log_dir = os.path.join(os.path.expanduser(NXC_PATH), "logs")
-        filename_pattern = f"{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-")
-        self.output_file_template = os.path.join(base_log_dir, "{output_folder}", filename_pattern)
-
         # DNS resolution
         dns_result = self.resolver(target)
         if dns_result:
@@ -243,6 +240,14 @@ def proto_flow(self):
         else:
             self.logger.debug("Created connection object")
             self.enum_host_info()
+
+            # Construct the output file template using os.path.join for OS compatibility
+            base_log_dir = os.path.join(NXC_PATH, "logs")
+            filename_pattern = f"{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-")
+            self.output_file_template = os.path.join(base_log_dir, "{output_folder}", filename_pattern)
+            # Default output filename for logs
+            self.output_filename = os.path.join(base_log_dir, filename_pattern)
+
             self.print_host_info()
             if self.login() or (self.username == "" and self.password == ""):
                 if hasattr(self.args, "module") and self.args.module:

nxc/helpers/pfx.py

@@ -488,8 +488,8 @@ def pfx_auth(self):
         return None
 
     username = self.args.username[0]
-    timestamp = datetime.datetime.now().strftime("%Y-%m-%d_%H%M%S").replace(":", "-")
-    log_ccache = os.path.normpath(os.path.expanduser(f"{NXC_PATH}/logs/{self.hostname}_{self.host}_{timestamp}-{username}.ccache"))
+    basename = f"{self.hostname}_{self.host}_{datetime.datetime.now().strftime('%Y-%m-%d_%H%M%S')}-{username}.ccache"
+    log_ccache = os.path.normpath(os.path.expanduser(f"{NXC_PATH}/logs/{basename}"))
 
     # Request a TGT with the cert data
     req = ini.build_asreq(self.domain, username)

nxc/modules/backup_operator.py

@@ -1,13 +1,11 @@
 import contextlib
-import os
-import datetime
+from time import sleep
 
 from impacket.examples.secretsdump import SAMHashes, LSASecrets, LocalOperations
 from impacket.smbconnection import SessionError
 from impacket.dcerpc.v5 import transport, rrp
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
 from nxc.helpers.misc import CATEGORY
-from nxc.paths import NXC_PATH
 
 
 class NXCModule:
@@ -62,7 +60,7 @@ def on_login(self, context, connection):
                 dce.disconnect()
 
         # copy remote file to local
-        log_path = os.path.expanduser(f"{NXC_PATH}/logs/{connection.hostname}_{connection.host}_{datetime.datetime.now().strftime('%Y-%m-%d_%H%M%S')}.".replace(":", "-"))
+        log_path = f"{connection.output_filename}."
         for hive in ["SAM", "SECURITY", "SYSTEM"]:
             connection.get_file_single(hive, log_path + hive)
 
@@ -100,6 +98,7 @@ def parse_sam(secret):
 
                 context.log.display(f"Cleaning dump with user {self.domain_admin} and hash {self.domain_admin_hash} on domain {connection.domain}")
                 connection.execute("del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM")
+                sleep(0.2)
                 for hive in ["SAM", "SECURITY", "SYSTEM"]:
                     try:
                         out = connection.conn.listPath("SYSVOL", hive)

nxc/modules/ntds-dump-raw.py

@@ -115,8 +115,10 @@ def read_from_disk(self, offset, size):
         # scary base64 powershell code :)
         # This to read the PhysicalDrive0 file
         get_data_script = f"""powershell.exe -c "$base64Cmd = '{self.ps_script_b64}';$decodedCmd = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64Cmd)) + '; read_disk {offset} {fixed_size}'; Invoke-Expression $decodedCmd" """
-        if self.connection.__class__.__name__ == "wmi":  # noqa: SIM108
+        if self.connection.__class__.__name__ == "wmi":
             data_output = self.connection.execute_psh(get_data_script, True)
+        elif self.connection.__class__.__name__ == "smb":
+            data_output = self.execute(get_data_script, True, ["smbexec"])
         else:
             data_output = self.execute(get_data_script, True)
         self.logger.debug(f"{offset=},{size=},{fixed_size=}")
@@ -174,8 +176,11 @@ def main(self):
         if self.number_of_file_to_extract != 0:
             self.logger.fail("Unable to find all needed files, trying to work with what we have")
 
-        self.logger.success("Heads up, hashes on the way...")
-        self.dump_hashes()
+        if "SYSTEM" in self.extracted_files_location_local and self.extracted_files_location_local["SYSTEM"] != "":
+            self.logger.success("Heads up, hashes on the way...")
+            self.dump_hashes()
+        else:
+            self.logger.fail("SYSTEM file not found, unable to proceed with hash extraction")
 
     def dump_hashes(self):
         """Dumping NTDS and SAM hashes locally from the extracted files"""

nxc/modules/putty.py

@@ -154,13 +154,13 @@ def get_private_key_paths(self, all_users):
         return sessions
 
     def extract_session(self, sessions):
-        proxycreds_file = f"{NXC_PATH}/modules/PuTTY/putty_proxycreds_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-")
+        proxycreds_file = f"{NXC_PATH}/modules/PuTTY/putty_proxycreds_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}"
         for session in sessions:
             if session["private_key_path"]:
                 makedirs(f"{NXC_PATH}/modules/PuTTY", exist_ok=True)
                 share = session["private_key_path"].split(":")[0] + "$"
                 file_path = session["private_key_path"].split(":")[1]
-                download_path = f"{NXC_PATH}/modules/PuTTY/putty_{session['user']}_{session['session_name']}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}.sec".replace(":", "-")
+                download_path = f"{NXC_PATH}/modules/PuTTY/putty_{session['user']}_{session['session_name']}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}.sec"
 
                 buf = BytesIO()
                 with open(download_path, "wb") as file:

nxc/protocols/ldap.py

@@ -46,7 +46,7 @@
 from nxc.protocols.ldap.kerberos import KerberosAttacks
 from nxc.parsers.ldap_results import parse_result_attributes
 from nxc.helpers.ntlm_parser import parse_challenge
-from nxc.paths import CONFIG_PATH, NXC_PATH
+from nxc.paths import CONFIG_PATH
 
 ldap_error_status = {
     "1": "STATUS_NOT_SUPPORTED",
@@ -149,7 +149,6 @@ def __init__(self, args, db, host):
         self.targetDomain = ""
         self.remote_ops = None
         self.bootkey = None
-        self.output_filename = None
         self.smbv1 = None
         self.signing = False
         self.signing_required = None
@@ -333,9 +332,6 @@ def enum_host_info(self):
             self.kdcHost = result["host"] if result else None
             self.logger.info(f"Resolved domain: {self.domain} with dns, kdcHost: {self.kdcHost}")
 
-        filename = f"{self.hostname}_{self.host}".replace(":", "-")
-        self.output_filename = os.path.expanduser(os.path.join(NXC_PATH, "logs", filename))
-
         try:
             self.db.add_host(
                 self.host,
@@ -1681,11 +1677,9 @@ def bloodhound(self):
             self.logger.debug(f"BloodHound collection failed: {e.__class__.__name__} - {e}", exc_info=True)
             return
 
-        self.output_filename += f"_{timestamp}"
-
-        self.logger.highlight(f"Compressing output into {self.output_filename}bloodhound.zip")
+        self.logger.highlight(f"Compressing output into {self.output_filename}_bloodhound.zip")
         list_of_files = os.listdir(os.getcwd())
-        with ZipFile(self.output_filename + "bloodhound.zip", "w") as z:
+        with ZipFile(f"{self.output_filename}_bloodhound.zip", "w") as z:
             for each_file in list_of_files:
                 if each_file.startswith(self.output_filename.split("/")[-1]) and each_file.endswith("json"):
                     z.write(each_file)

nxc/protocols/rdp.py

@@ -54,7 +54,6 @@ def __init__(self, args, db, host):
         self.iosettings.video_bpp_max = 32
         # PIL produces incorrect picture for some reason?! TODO: check bug
         self.iosettings.video_out_format = VIDEO_FORMAT.PNG  #
-        self.output_filename = None
         self.domain = None
         self.server_os = None
         self.url = None
@@ -140,7 +139,6 @@ def create_conn_obj(self):
                         self.hostname = info_domain["computername"]
                         self.server_os = info_domain["os_guess"] + " Build " + str(info_domain["os_build"])
                         self.logger.extra["hostname"] = self.hostname
-                        self.output_filename = os.path.expanduser(f"{NXC_PATH}/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
                     break
 
         if self.args.domain:

nxc/protocols/smb.py

@@ -117,8 +117,6 @@ def __init__(self, args, db, host):
         self.nthash = ""
         self.remote_ops = None
         self.bootkey = None
-        self.output_file_template = None
-        self.output_filename = None
         self.smbv1 = None   # Check if SMBv1 is supported
         self.smbv3 = None   # Check if SMBv3 is supported
         self.is_timed_out = False

nxc/protocols/winrm.py

@@ -5,7 +5,6 @@
 import logging
 import xml.etree.ElementTree as ET
 
-from datetime import datetime
 from pypsrp.wsman import NAMESPACES
 from pypsrp.client import Client
 from pypsrp.powershell import PSDataStreams
@@ -19,7 +18,6 @@
 from nxc.helpers.misc import gen_random_string
 from nxc.helpers.ntlm_parser import parse_challenge
 from nxc.logger import NXCAdapter
-from nxc.paths import NXC_PATH
 
 urllib3.disable_warnings()
 
@@ -29,7 +27,6 @@ def __init__(self, args, db, host):
         self.domain = ""
         self.targedDomain = ""
         self.server_os = None
-        self.output_filename = None
         self.endpoint = None
         self.lmhash = ""
         self.nthash = ""
@@ -75,8 +72,6 @@ def enum_host_info(self):
         if self.args.local_auth:
             self.domain = self.hostname
 
-        self.output_filename = os.path.expanduser(f"{NXC_PATH}/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
-
     def print_host_info(self):
         self.logger.extra["protocol"] = "WINRM-SSL" if self.ssl else "WINRM"
         self.logger.extra["port"] = self.port

nxc/protocols/wmi.py

@@ -1,14 +1,11 @@
 import os
-
 from io import StringIO
-from datetime import datetime
 
 from nxc.helpers.ntlm_parser import parse_challenge
 from nxc.config import process_secret
 from nxc.connection import connection, dcom_FirewallChecker, requires_admin
 from nxc.logger import NXCAdapter
 from nxc.protocols.wmi import wmiexec, wmiexec_event
-from nxc.paths import NXC_PATH
 
 from impacket import ntlm
 from impacket.uuid import uuidtup_to_bin
@@ -141,8 +138,6 @@ def enum_host_info(self):
             self.kdcHost = result["host"] if result else None
             self.logger.info(f"Resolved domain: {self.domain} with dns, kdcHost: {self.kdcHost}")
 
-        self.output_filename = os.path.expanduser(f"{NXC_PATH}/logs/{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-"))
-
     def print_host_info(self):
         self.logger.extra["protocol"] = "RPC"
         self.logger.extra["port"] = "135"