Merge branch 'main' into dumpSecurityQuestionsModule

Author: NeffIsBack

nxc/connection.py

@@ -85,6 +85,8 @@ def get_host_addr_info(target, force_ipv6, dns_server, dns_tcp, dns_timeout):
 def requires_admin(func):
     def _decorator(self, *args, **kwargs):
         if self.admin_privs is False:
+            if hasattr(self.args, "exec_method") and self.args.exec_method == "mmcexec":
+                return func(self, *args, **kwargs)
             return None
         return func(self, *args, **kwargs)
 
@@ -146,6 +148,7 @@ def __init__(self, args, db, target):
         self.kdcHost = self.args.kdcHost
         self.port = self.args.port
         self.local_ip = None
+        self.dns_server = self.args.dns_server
 
         # DNS resolution
         dns_result = self.resolver(target)
@@ -541,7 +544,7 @@ def login(self):
 
         if hasattr(self.args, "laps") and self.args.laps:
             self.logger.debug("Trying to authenticate using LAPS")
-            username[0], secret[0], domain[0], ntlm_hash = laps_search(self, username, secret, cred_type, domain)
+            username[0], secret[0], domain[0] = laps_search(self, username, secret, cred_type, domain, self.dns_server)
             cred_type = ["plaintext"]
             if not (username[0] or secret[0] or domain[0]):
                 return False

nxc/modules/add-computer.py

@@ -102,8 +102,9 @@ def do_samr_add(self, context):
             None
         """
         string_binding = epm.hept_map(self.__host, samr.MSRPC_UUID_SAMR, protocol="ncacn_np")
+        string_binding = string_binding.replace(self.__host, self.__kdcHost) if self.__kdcHost is not None else string_binding
 
-        rpc_transport = transport.DCERPCTransportFactory(string_binding.replace(self.__host, self.__kdcHost))
+        rpc_transport = transport.DCERPCTransportFactory(string_binding)
         rpc_transport.setRemoteHost(self.__host)
 
         if hasattr(rpc_transport, "set_credentials"):

nxc/modules/enum_av.py

@@ -358,6 +358,27 @@ def LsarLookupNames(self, dce, policyHandle, service):
                 {"name": "sophoslivequery_*", "processes": [""]}
             ]
         },
+        {
+            "name": "Trellix Endpoint Detection and Response (EDR)",
+            "services": [
+                {"name": "McAfee Endpoint Security Platform Service", "description": "Trellix Core Service"},
+                {"name": "mfemactl", "description": "Trellix Management Service"},
+                {"name": "mfemms", "description": "McAfee Management Service"},
+                {"name": "mfefire", "description": "Trellix Firewall Core Service"},
+                {"name": "masvc", "description": "Trellix Agent Service"},
+                {"name": "macmnsvc", "description": "Trellix Agent Common Service"},
+                {"name": "mfetp", "description": "Trellix Endpoint Threat Prevention Service"},
+                {"name": "mfewc", "description": "Trellix Endpoint Security Web Control Service"}, 
+                {"name": "mfeaack", "description": "Trellix Anti-Malware Core Service"}
+            ],
+            "pipes": [
+                {"name": "TrellixEDR_Pipe_*", "processes": ["McAfeeEDR.exe"]},
+                {"name": "mfemactl_*", "processes": ["mfemactl.exe"]},
+                {"name": "mfefire_*", "processes": ["mfefire.exe"]},
+                {"name": "McAfeeAgent_Pipe_*", "processes": ["McAfeeAgent.exe"]},
+                {"name": "mfetp_*", "processes": ["mfetp.exe"]}
+            ]
+        },
         {
             "name": "Trend Micro Endpoint Security",
             "services": [

nxc/modules/laps.py

@@ -45,12 +45,12 @@ def on_login(self, context, connection):
                 values = {str(attr["type"]).lower(): attr["vals"][0] for attr in computer["attributes"]}
                 if "mslaps-encryptedpassword" in values:
                     msMCSAdmPwd = values["mslaps-encryptedpassword"]
-                    d = LAPSv2Extract(bytes(msMCSAdmPwd), connection.username if connection.username else "", connection.password if connection.password else "", connection.domain, connection.nthash if connection.nthash else "", connection.kerberos, connection.kdcHost, 339)
+                    d = LAPSv2Extract(bytes(msMCSAdmPwd), connection.username if connection.username else "", connection.password if connection.password else "", connection.domain, connection.nthash if connection.nthash else "", connection.kerberos, connection.kdcHost, 339, connection.dns_server)
                     try:
                         data = d.run()
                     except Exception as e:
-                        self.logger.fail(str(e))
-                        return
+                        context.log.fail(str(e))
+                        continue
                     r = json.loads(data)
                     laps_computers.append((str(values["samaccountname"]), r["n"], str(r["p"])))
                 elif "mslaps-password" in values:

nxc/protocols/ldap.py

@@ -172,12 +172,12 @@ def get_ldap_info(self, host):
                     self.logger.debug(f"ldap_connection: {ldap_connection}")
             except SysCallError as e:
                 if proto == "ldaps":
-                    self.logger.debug(f"LDAPs connection to {ldap_url} failed - {e}")
+                    self.logger.fail(f"LDAPs connection to {ldap_url} failed - {e}")
                     # https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
-                    self.logger.debug("Even if the port is open, LDAPS may not be configured")
+                    self.logger.fail("Even if the port is open, LDAPS may not be configured")
                 else:
-                    self.logger.debug(f"LDAP connection to {ldap_url} failed: {e}")
-                return [None, None, None]
+                    self.logger.fail(f"LDAP connection to {ldap_url} failed: {e}")
+                exit(1)
 
             resp = ldap_connection.search(
                 scope=ldapasn1_impacket.Scope("baseObject"),
@@ -1419,6 +1419,7 @@ def bloodhound(self):
             auth.get_tgt()
         if self.args.use_kcache:
             self.logger.highlight("Using kerberos auth from ccache")
+            auth.load_ccache()
 
         timestamp = datetime.now().strftime("%Y-%m-%d_%H%M%S") + "_"
         bloodhound = BloodHound(ad, self.hostname, self.host, self.port)

nxc/protocols/ldap/laps.py

@@ -1,5 +1,3 @@
-import binascii
-import hashlib
 from json import loads
 from pyasn1.codec.der import decoder
 from pyasn1_modules import rfc5652
@@ -37,12 +35,13 @@ def __init__(self, host, port, hostname):
     def proto_logger(self, host, port, hostname):
         self.logger = NXCAdapter(extra={"protocol": "LDAP", "host": host, "port": port, "hostname": hostname})
 
-    def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
+    def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False, dns_server=""):
         lmhash = ""
         nthash = ""
 
-        if kdcHost is None:
-            kdcHost = domain
+        if kdcHost is None or domain not in kdcHost:
+            self.logger.fail("Please provide the FQDN of the domain controller with --kdcHost")
+            exit(1)
 
         # This checks to see if we didn't provide the LM Hash
         if ntlm_hash and ntlm_hash.find(":") != -1:
@@ -54,12 +53,13 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
         baseDN = ""
         domainParts = domain.split(".")
         for i in domainParts:
-            baseDN += f"dc={i},"
+            baseDN += f"DC={i},"
         # Remove last ','
         baseDN = baseDN[:-1]
 
         try:
-            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{kdcHost}", baseDN)
+            self.logger.info(f"Connecting to ldap://{kdcHost} - {baseDN} - {domain} [1]")
+            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{kdcHost}", baseDN, dns_server if dns_server else domain)
             ldap_connection.kerberosLogin(
                 username,
                 password,
@@ -78,7 +78,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
             if str(e).find("strongerAuthRequired") >= 0:
                 # We need to try SSL
                 try:
-                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{kdcHost}", baseDN)
+                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{kdcHost}", baseDN, dns_server if dns_server else domain)
                     ldap_connection.login(
                         username,
                         password,
@@ -105,18 +105,14 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
                     color="magenta" if error_code in ldap_error_status else "red",
                 )
             return False
-
         except OSError:
             self.logger.debug(f"{domain}\\{username}:{password if password else ntlm_hash} {'Error connecting to the domain, please add option --kdcHost with the FQDN of the domain controller'}")
             return False
         except KerberosError as e:
-            self.logger.fail(
-                f"{domain}\\{username}:{password if password else ntlm_hash} {e!s}",
-                color="red",
-            )
+            self.logger.fail(f"{domain}\\{username}:{password if password else ntlm_hash} {e!s}", color="red")
             return False
 
-    def auth_login(self, domain, username, password, ntlm_hash):
+    def auth_login(self, domain, username, password, ntlm_hash, dns_server):
         lmhash = ""
         nthash = ""
 
@@ -135,7 +131,7 @@ def auth_login(self, domain, username, password, ntlm_hash):
         base_dn = base_dn[:-1]
 
         try:
-            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{domain}", base_dn, domain)
+            ldap_connection = ldap_impacket.LDAPConnection(f"ldap://{domain}", base_dn, dns_server if dns_server else domain)
             ldap_connection.login(username, password, domain, lmhash, nthash)
 
             # Connect to LDAP
@@ -148,7 +144,7 @@ def auth_login(self, domain, username, password, ntlm_hash):
             if str(e).find("strongerAuthRequired") >= 0:
                 # We need to try SSL
                 try:
-                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{domain}", base_dn, domain)
+                    ldap_connection = ldap_impacket.LDAPConnection(f"ldaps://{domain}", base_dn, dns_server if dns_server else domain)
                     ldap_connection.login(username, password, domain, lmhash, nthash)
                     self.logger.extra["protocol"] = "LDAPS"
                     self.logger.extra["port"] = "636"
@@ -173,7 +169,7 @@ def auth_login(self, domain, username, password, ntlm_hash):
 
 
 class LAPSv2Extract:
-    def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdcHost, port):
+    def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdcHost, port, dns_server):
         if ntlm_hash.find(":") != -1:
             self.lmhash, self.nthash = ntlm_hash.split(":")
         else:
@@ -187,6 +183,7 @@ def __init__(self, data, username, password, domain, ntlm_hash, do_kerberos, kdc
         self.do_kerberos = do_kerberos
         self.kdcHost = kdcHost
         self.logger = None
+        self.dns_server = dns_server
         self.proto_logger(self.domain, port, self.domain)
 
     def proto_logger(self, host, port, hostname):
@@ -218,7 +215,7 @@ def run(self):
             gke = kds_cache[key_id["RootKeyId"]]
         else:
             # Connect on RPC over TCP to MS-GKDI to call opnum 0 GetKey
-            string_binding = hept_map(destHost=self.domain, remoteIf=MSRPC_UUID_GKDI, protocol="ncacn_ip_tcp")
+            string_binding = hept_map(destHost=self.domain if not self.dns_server else self.dns_server, remoteIf=MSRPC_UUID_GKDI, protocol="ncacn_ip_tcp")
             rpc_transport = transport.DCERPCTransportFactory(string_binding)
             if hasattr(rpc_transport, "set_credentials"):
                 rpc_transport.set_credentials(username=self.username, password=self.password, domain=self.domain, lmhash=self.lmhash, nthash=self.nthash)
@@ -263,7 +260,7 @@ def run(self):
         return plaintext[:-18].decode("utf-16le")
 
 
-def laps_search(self, username, password, cred_type, domain):
+def laps_search(self, username, password, cred_type, domain, dns_server):
     prev_protocol = self.logger.extra["protocol"]
     prev_port = self.logger.extra["port"]
     self.logger.extra["protocol"] = "LDAP"
@@ -274,7 +271,7 @@ def laps_search(self, username, password, cred_type, domain):
     if self.kerberos:
         if self.kdcHost is None:
             self.logger.fail("Add --kdcHost parameter to use laps with kerberos")
-            return None, None, None, None
+            return None, None, None
 
         connection = ldapco.kerberos_login(
             domain[0],
@@ -283,18 +280,20 @@ def laps_search(self, username, password, cred_type, domain):
             password[0] if cred_type[0] == "hash" else "",
             kdcHost=self.kdcHost,
             aesKey=self.aesKey,
+            dns_server=dns_server
         )
     else:
         connection = ldapco.auth_login(
             domain[0],
             username[0] if username else "",
             password[0] if cred_type[0] == "plaintext" else "",
             password[0] if cred_type[0] == "hash" else "",
+            dns_server
         )
     if not connection:
         self.logger.fail(f"LDAP connection failed with account {username[0]}")
 
-        return None, None, None, None
+        return None, None, None
 
     search_filter = "(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(name=" + self.hostname + "))"
     attributes = [
@@ -325,13 +324,14 @@ def laps_search(self, username, password, cred_type, domain):
                     password[0] if cred_type[0] == "hash" else "",
                     self.kerberos,
                     self.kdcHost,
-                    339
+                    339,
+                    dns_server
                 )
                 try:
                     data = d.run()
                 except Exception as e:
                     self.logger.fail(str(e))
-                    return None, None, None, None
+                    return None, None, None
                 r = loads(data)
                 msMCSAdmPwd = r["p"]
                 username_laps = r["n"]
@@ -346,21 +346,17 @@ def laps_search(self, username, password, cred_type, domain):
         self.logger.debug(f"Host: {sAMAccountName:<20} Password: {msMCSAdmPwd} {self.hostname}")
     else:
         self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
-        return None, None, None, None
+        return None, None, None
 
     if msMCSAdmPwd == "":
         self.logger.fail(f"msMCSAdmPwd or msLAPS-Password is empty or account cannot read LAPS property for {self.hostname}")
-        return None, None, None, None
-
-    hash_ntlm = None
-    if cred_type[0] == "hash":
-        hash_ntlm = hashlib.new("md4", msMCSAdmPwd.encode("utf-16le")).digest()
-        hash_ntlm = binascii.hexlify(hash_ntlm).decode()
+        return None, None, None
 
     username = username_laps if username_laps else self.args.laps
     password = msMCSAdmPwd
     domain = self.hostname
     self.args.local_auth = True
+    self.args.kerberos = False
     self.logger.extra["protocol"] = prev_protocol
     self.logger.extra["port"] = prev_port
-    return username, password, domain, hash_ntlm
+    return username, password, domain

nxc/protocols/ldap/proto_args.py

@@ -33,6 +33,6 @@ def proto_args(parser, parents):
 
     bgroup = ldap_parser.add_argument_group("Bloodhound Scan", "Options to play with Bloodhoud")
     bgroup.add_argument("--bloodhound", action="store_true", help="Perform a Bloodhound scan")
-    bgroup.add_argument("-c", "--collection", default="Collection", help="Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma")
+    bgroup.add_argument("-c", "--collection", default="Default", help="Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma")
 
     return parser