Merge branch 'main' into sepauli/fix-keepass_trigger

Author: NeffIsBack

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,18 @@
+---
+name: Feature request
+about: Request a new feature or enhancement
+title: ''
+labels: ''
+assignees: ''
+
+---
+**Please Describe The Problem To Be Solved**
+(Replace This Text: Please present a concise description of the problem to be addressed by this feature request. Please be clear what parts of the problem are considered to be in-scope and out-of-scope.)
+
+**(Optional): Suggest A Solution**
+(Replace This Text: A concise description of your preferred solution. Things to address include:
+* Details of the technical implementation
+* Tradeoffs made in design decisions
+* Caveats and considerations for the future
+
+If there are multiple solutions, please present each one separately. Save comparisons for the very end.)

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -0,0 +1,44 @@
+---
+name: Pull request
+about: Update code to fix a bug or add an enhancement/feature
+title: ''
+labels: ''
+assignees: ''
+
+---
+## Description
+
+Please include a summary of the change and which issue is fixed, or what the enhancement does.
+Please also include relevant motivation and context.
+List any dependencies that are required for this change.
+
+## Type of change
+Please delete options that are not relevant.
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] This change requires a documentation update
+- [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)
+
+## How Has This Been Tested?
+Please describe the tests that you ran to verify your changes (e2e, single commands, etc)
+Please also list any relevant details for your test configuration, such as your locally running machine Python version & OS, as well as the target(s) you tested against, including software versions
+
+If you are using poetry, you can easily run tests via:
+`poetry run python tests/e2e_tests.py -t $TARGET -u $USER -p $PASSWORD`
+There are additional options like `--errors` to display ALL errors (some may not be failures), `--poetry` (output will include the poetry run prepended), `--line-num $START-$END $SINGLE` for only running a subset
+
+## Screenshots (if appropriate):
+Screenshots are always nice to have and can give a visual representation of the change.
+If appropriate include before and after screenshot(s) to show which results are to be expected.
+
+## Checklist:
+
+- [ ] I have ran Ruff against my changes (via poetry: `poetry run python -m ruff check . --preview`, use `--fix` to automatically fix what it can)
+- [ ] I have added or updated the tests/e2e_commands.txt file if necessary
+- [ ] New and existing e2e tests pass locally with my changes
+- [ ] My code follows the style guidelines of this project (should be covered by Ruff above)
+- [ ] If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

.github/workflows/test.yml

@@ -26,6 +26,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
           cache: poetry
           cache-dependency-path: poetry.lock
+      - name: Install with pipx
+        run: |
+          pipx install . --python python${{ matrix.python-version }}
       - name: Install poetry
         run: |
           pipx install poetry --python python${{ matrix.python-version }}
@@ -45,4 +48,4 @@ jobs:
           poetry run netexec mssql 127.0.0.1
           poetry run netexec ssh 127.0.0.1
           poetry run netexec ftp 127.0.0.1
-          poetry run netexec smb 127.0.0.1 -M veeam
+          poetry run netexec smb 127.0.0.1 -M veeam

.gitignore

@@ -1,5 +1,6 @@
 data/nxc.db
 hash_spider_default.sqlite3
+hash_spider_testing.sqlite3
 *.bak
 *.log
 .venv

netexec.spec

@@ -42,6 +42,7 @@ a = Analysis(
         'nxc.helpers.bash',
         'nxc.helpers.bloodhound',
         'nxc.helpers.msada_guids',
+        'nxc.helpers.ntlm_parser',
         'paramiko',
         'pypsrp.client',
         'pywerview.cli.helpers',

nxc/cli.py

@@ -46,7 +46,7 @@ def gen_cli_args():
 
     parser.add_argument("-t", type=int, dest="threads", default=256, help="set how many concurrent threads to use (default: 256)")
     parser.add_argument("--timeout", default=None, type=int, help="max timeout in seconds of each thread (default: None)")
-    parser.add_argument("--jitter", metavar="INTERVAL", type=str, help="sets a random delay between each connection (default: None)")
+    parser.add_argument("--jitter", metavar="INTERVAL", type=str, help="sets a random delay between each authentication (default: None)")
     parser.add_argument("--no-progress", action="store_true", help="Not displaying progress bar during scan")
     parser.add_argument("--verbose", action="store_true", help="enable verbose output")
     parser.add_argument("--debug", action="store_true", help="enable debug level information")

nxc/connection.py

@@ -8,6 +8,7 @@
 
 from nxc.config import pwned_label
 from nxc.helpers.logger import highlight
+from nxc.loaders.moduleloader import ModuleLoader
 from nxc.logger import nxc_logger, NXCAdapter
 from nxc.context import Context
 from nxc.protocols.ldap.laps import laps_search
@@ -107,18 +108,6 @@ def __init__(self, args, db, host):
             self.logger.info(f"Error resolving hostname {self.hostname}: {e}")
             return
 
-        if args.jitter:
-            jitter = args.jitter
-            if "-" in jitter:
-                start, end = jitter.split("-")
-                jitter = (int(start), int(end))
-            else:
-                jitter = (0, int(jitter))
-
-            value = random.choice(range(jitter[0], jitter[1]))
-            self.logger.debug(f"Doin' the jitterbug for {value} second(s)")
-            sleep(value)
-
         try:
             self.proto_flow()
         except Exception as e:
@@ -150,16 +139,7 @@ def create_conn_obj(self):
     def check_if_admin(self):
         return
 
-    def kerberos_login(
-        self,
-        domain,
-        username,
-        password="",
-        ntlm_hash="",
-        aesKey="",
-        kdcHost="",
-        useCache=False,
-    ):
+    def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
         return
 
     def plaintext_login(self, domain, username, password):
@@ -178,6 +158,7 @@ def proto_flow(self):
             self.enum_host_info()
             if self.print_host_info() and (self.login() or (self.username == "" and self.password == "")):
                 if hasattr(self.args, "module") and self.args.module:
+                    self.load_modules()
                     self.logger.debug("Calling modules")
                     self.call_modules()
                 else:
@@ -211,7 +192,7 @@ def call_modules(self):
         It iterates over the modules specified in the command line arguments.
         For each module, it loads the module and creates a context object, then calls functions based on the module's attributes.
         """
-        for module in self.module:
+        for module in self.modules:
             self.logger.debug(f"Loading module {module.name} - {module}")
             module_logger = NXCAdapter(
                 extra={
@@ -395,7 +376,9 @@ def parse_credentials(self):
         return domain, username, owned, secret, cred_type, [None] * len(secret)
 
     def try_credentials(self, domain, username, owned, secret, cred_type, data=None):
-        """Try to login using the specified credentials and protocol.
+        """
+        Try to login using the specified credentials and protocol.
+        With  --jitter an authentication throttle can be applied.
 
         Possible login methods are:
             - plaintext (/kerberos)
@@ -408,6 +391,18 @@ def try_credentials(self, domain, username, owned, secret, cred_type, data=None)
             return False
         if hasattr(self.args, "delegate") and self.args.delegate:
             self.args.kerberos = True
+
+        if self.args.jitter:
+            jitter = self.args.jitter
+            if "-" in jitter:
+                start, end = jitter.split("-")
+                jitter = (int(start), int(end))
+            else:
+                jitter = (0, int(jitter))
+            value = jitter[0] if jitter[0] == jitter[1] else random.choice(range(jitter[0], jitter[1]))
+            self.logger.debug(f"Throttle authentications: sleeping {value} second(s)")
+            sleep(value)
+
         with sem:
             if cred_type == "plaintext":
                 if self.args.kerberos:
@@ -496,3 +491,12 @@ def login(self):
 
     def mark_pwned(self):
         return highlight(f"({pwned_label})" if self.admin_privs else "")
+
+    def load_modules(self):
+        self.logger.info(f"Loading modules for target: {self.host}")
+        loader = ModuleLoader(self.args, self.db, self.logger)
+        self.modules = []
+
+        for module_path in self.module_paths:
+            module = loader.init_module(module_path)
+            self.modules.append(module)

nxc/helpers/bloodhound.py

@@ -52,10 +52,8 @@ def add_user_bh(user, domain, logger, config):
                         _add_with_domain(user_info, domain, tx, logger)
         except AuthError:
             logger.fail(f"Provided Neo4J credentials ({config.get('BloodHound', 'bh_user')}:{config.get('BloodHound', 'bh_pass')}) are not valid.")
-            exit()
         except ServiceUnavailable:
             logger.fail(f"Neo4J does not seem to be available on {uri}.")
-            exit()
         except Exception as e:
             logger.fail(f"Unexpected error with Neo4J: {e}")
         finally:

nxc/logger.py

@@ -30,7 +30,7 @@ def setup_debug_logging():
         root_logger.setLevel(logging.INFO)
     elif debug_args.debug:
         nxc_logger.logger.setLevel(logging.DEBUG)
-        root_logger.setLevel(logging.DEBUG)
+        root_logger.setLevel(logging.INFO)
     else:
         nxc_logger.logger.setLevel(logging.ERROR)
         root_logger.setLevel(logging.ERROR)
@@ -53,13 +53,15 @@ def __init__(self, formatter=None, *args, **kwargs):
 
     def emit(self, record):
         """Overrides the emit method of the RichHandler class so we can set the proper pathname and lineno"""
+        # for some reason in RDP, the exc_text is None which leads to a KeyError in Python logging
+        record.exc_text = record.getMessage() if record.exc_text is None else record.exc_text
+        
         if hasattr(record, "caller_frame"):
             frame_info = inspect.getframeinfo(record.caller_frame)
             record.pathname = frame_info.filename
             record.lineno = frame_info.lineno
         super().emit(record)
 
-
 def no_debug(func):
     """Stops logging non-debug messages when we are in debug mode
     It creates a temporary logger and logs the message to the console and file

nxc/modules/adcs.py

@@ -27,7 +27,6 @@ def options(self, context, module_options):
         SERVER             PKI Enrollment Server to enumerate templates for. Default is None, use CN name
         BASE_DN            The base domain name for the LDAP query
         """
-        self.context = context
         self.regex = re.compile("(https?://.+)")
 
         self.server = None
@@ -39,6 +38,7 @@ def options(self, context, module_options):
 
     def on_login(self, context, connection):
         """On a successful LDAP login we perform a search for all PKI Enrollment Server or Certificate Templates Names."""
+        self.context = context
         if self.server is None:
             search_filter = "(objectClass=pKIEnrollmentService)"
         else: