Merge branch 'main' into neff-add-certipy-find

Author: NeffIsBack

nxc/cli.py

@@ -76,13 +76,13 @@ def gen_cli_args():
     mgroup = module_parser.add_argument_group("Modules", "Options for nxc modules")
     mgroup.add_argument("-M", "--module", choices=get_module_names(), action="append", metavar="MODULE", help="module to use")
     mgroup.add_argument("-o", metavar="MODULE_OPTION", nargs="+", default=[], dest="module_options", help="module options")
-    mgroup.add_argument("-L", "--list-modules", action="store_true", help="list available modules")
+    mgroup.add_argument("-L", "--list-modules", nargs="?", type=str, const="", help="list available modules")
     mgroup.add_argument("--options", dest="show_module_options", action="store_true", help="display module options")
 
     subparsers = parser.add_subparsers(title="Available Protocols", dest="protocol")
 
     std_parser = argparse.ArgumentParser(add_help=False, parents=[generic_parser, output_parser, dns_parser], formatter_class=DisplayDefaultsNotNone)
-    std_parser.add_argument("target", nargs="+" if not (module_parser.parse_known_args()[0].list_modules or module_parser.parse_known_args()[0].show_module_options or generic_parser.parse_known_args()[0].version) else "*", type=str, help="the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, NMap XML or .Nessus file(s)")
+    std_parser.add_argument("target", nargs="+" if not (module_parser.parse_known_args()[0].list_modules is not None or module_parser.parse_known_args()[0].show_module_options or generic_parser.parse_known_args()[0].version) else "*", type=str, help="the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, NMap XML or .Nessus file(s)")
     credential_group = std_parser.add_argument_group("Authentication", "Options for authenticating")
     credential_group.add_argument("-u", "--username", metavar="USERNAME", dest="username", nargs="+", default=[], help="username(s) or file(s) containing usernames")
     credential_group.add_argument("-p", "--password", metavar="PASSWORD", dest="password", nargs="+", default=[], help="password(s) or file(s) containing passwords")

nxc/config.py

@@ -37,7 +37,7 @@
 reveal_chars_of_pwd = int(nxc_config.get("nxc", "reveal_chars_of_pwd", fallback=0))
 config_log = nxc_config.getboolean("nxc", "log_mode", fallback=False)
 host_info_colors = literal_eval(nxc_config.get("nxc", "host_info_colors", fallback=["green", "red", "yellow", "cyan"]))
-
+check_guest_account = nxc_config.getboolean("nxc", "check_guest_account", fallback=False)
 
 if len(host_info_colors) != 4:
     nxc_logger.error("Config option host_info_colors must have 4 values! Using default values.")

nxc/data/nxc.conf

@@ -6,6 +6,7 @@ audit_mode =
 reveal_chars_of_pwd = 0
 log_mode = False
 host_info_colors = ["green", "red", "yellow", "cyan"]
+check_guest_account = False
 
 [BloodHound]
 bh_enabled = False

nxc/helpers/args.py

@@ -24,3 +24,18 @@ def __call__(self, parser, namespace, values, option_string=None):
         # Set an attribute to track whether the value was explicitly set
         setattr(namespace, self.dest, values)
         setattr(namespace, f"{self.dest}_explicitly_set", True)
+
+
+def get_conditional_action(baseAction):
+    class ConditionalAction(baseAction):
+        def __init__(self, option_strings, dest, **kwargs):
+            x = kwargs.pop("make_required", [])
+            super().__init__(option_strings, dest, **kwargs)
+            self.make_required = x
+
+        def __call__(self, parser, namespace, values, option_string=None):
+            for x in self.make_required:
+                x.required = True
+            super().__call__(parser, namespace, values, option_string)
+
+    return ConditionalAction

nxc/helpers/misc.py

@@ -1,10 +1,13 @@
+from enum import Enum
 import random
 import string
 import re
 import inspect
 import os
-
+from termcolor import colored
 from ipaddress import ip_address
+from nxc.logger import nxc_logger
+from time import strftime, gmtime
 
 
 def identify_target_file(target_file):
@@ -145,3 +148,97 @@ def detect_if_ip(target):
         return True
     except Exception:
         return False
+
+
+def d2b(a):
+    """
+    Function used to convert password property flags from decimal to binary
+    format for easier interpretation of individual flag bits.
+    """
+    tbin = []
+    while a:
+        tbin.append(a % 2)
+        a //= 2
+
+    t2bin = tbin[::-1]
+    if len(t2bin) != 8:
+        for _x in range(6 - len(t2bin)):
+            t2bin.insert(0, 0)
+    return "".join([str(g) for g in t2bin])
+
+
+def convert(low, high, lockout=False):
+    """
+    Convert Windows FILETIME (64-bit) values to human-readable time strings.
+
+    Windows stores time intervals as 64-bit values representing 100-nanosecond
+    intervals since January 1, 1601. This function converts these values to
+    readable format like "30 days 5 hours 15 minutes".
+
+    Args:
+        low (int): Low 32 bits of the FILETIME value
+        high (int): High 32 bits of the FILETIME value
+        lockout (bool): If True, treats the value as a lockout duration (simpler conversion)
+
+    Returns:
+        str: Human-readable time string (e.g., "42 days 5 hours 30 minutes") or
+             special values like "Not Set", "None", or "[-] Invalid TIME"
+    """
+    time = ""
+    tmp = 0
+
+    if (low == 0 and high == -0x8000_0000) or (low == 0 and high == -0x8000_0000_0000_0000):
+        return "Not Set"
+    if low == 0 and high == 0:
+        return "None"
+
+    if not lockout:
+        if low != 0:
+            high = abs(high + 1)
+        else:
+            high = abs(high)
+            low = abs(low)
+
+        tmp = low + (high << 32)  # convert to 64bit int
+        tmp *= 1e-7  # convert to seconds
+    else:
+        tmp = abs(high) * (1e-7)
+
+    try:
+        minutes = int(strftime("%M", gmtime(tmp)))
+        hours = int(strftime("%H", gmtime(tmp)))
+        days = int(strftime("%j", gmtime(tmp))) - 1
+    except ValueError:
+        return "[-] Invalid TIME"
+
+    if days > 1:
+        time += f"{days} days "
+    elif days == 1:
+        time += f"{days} day "
+    if hours > 1:
+        time += f"{hours} hours "
+    elif hours == 1:
+        time += f"{hours} hour "
+    if minutes > 1:
+        time += f"{minutes} minutes "
+    elif minutes == 1:
+        time += f"{minutes} minute "
+    return time
+
+
+def display_modules(args, modules):
+    for category, color in {CATEGORY.ENUMERATION: "green", CATEGORY.CREDENTIAL_DUMPING: "cyan", CATEGORY.PRIVILEGE_ESCALATION: "magenta"}.items():
+        # Add category filter for module listing
+        if args.list_modules and args.list_modules.lower() != category.name.lower():
+            continue
+        if len([module for module in modules.values() if module["category"] == category]) > 0:
+            nxc_logger.highlight(colored(f"{category.name}", color, attrs=["bold"]))
+        for name, props in sorted(modules.items()):
+            if props["category"] == category:
+                nxc_logger.display(f"{name:<25} {props['description']}")
+
+
+class CATEGORY(Enum):
+    ENUMERATION = "Enumeration"
+    CREDENTIAL_DUMPING = "Credential Dumping"
+    PRIVILEGE_ESCALATION = "Privilege Escalation"

nxc/loaders/moduleloader.py

@@ -8,6 +8,7 @@
 from os.path import join as path_join
 
 from nxc.context import Context
+from nxc.helpers.misc import CATEGORY
 from nxc.logger import NXCAdapter
 from nxc.paths import NXC_PATH
 
@@ -30,6 +31,9 @@ def module_is_sane(self, module, module_path):
         elif not hasattr(module, "description"):
             self.logger.fail(f"{module_path} missing the description variable")
             module_error = True
+        elif not hasattr(module, "category") or module.category not in [CATEGORY.ENUMERATION, CATEGORY.CREDENTIAL_DUMPING, CATEGORY.PRIVILEGE_ESCALATION]:
+            self.logger.fail(f"{module_path} missing the category variable or invalid category")
+            module_error = True
         elif not hasattr(module, "supported_protocols"):
             self.logger.fail(f"{module_path} missing the supported_protocols variable")
             module_error = True
@@ -92,6 +96,7 @@ def get_module_info(self, module_path):
                     "description": module_spec.description,
                     "options": module_spec.options.__doc__,
                     "supported_protocols": module_spec.supported_protocols,
+                    "category": module_spec.category,
                     "requires_admin": bool(hasattr(module_spec, "on_admin_login") and callable(module_spec.on_admin_login)),
                 }
             }

nxc/logger.py

@@ -102,6 +102,9 @@ def __init__(self, extra=None, merge_extra=False):
         logging.getLogger("lsassy").disabled = True
         logging.getLogger("dploot").disabled = True
         logging.getLogger("certipy").disabled = True
+        logging.getLogger("aardwolf").disabled = True
+        logging.getLogger("unicrypto").disabled = True
+        logging.getLogger("asyncio").setLevel(logging.ERROR)
         logging.getLogger("neo4j").setLevel(logging.ERROR)
 
     def format(self, msg, *args, **kwargs):

nxc/modules/adcs.py

@@ -1,6 +1,7 @@
 import re
 from impacket.ldap import ldap, ldapasn1
 from impacket.ldap.ldap import LDAPSearchError
+from nxc.helpers.misc import CATEGORY
 
 
 class NXCModule:
@@ -13,6 +14,7 @@ class NXCModule:
     name = "adcs"
     description = "Find PKI Enrollment Services in Active Directory and Certificate Templates Names"
     supported_protocols = ["ldap"]
+    category = CATEGORY.ENUMERATION
 
     def __init__(self, context=None, module_options=None):
         self.context = context

nxc/modules/add-computer.py

@@ -3,6 +3,7 @@
 import sys
 from impacket.dcerpc.v5 import samr, epm, transport
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
+from nxc.helpers.misc import CATEGORY
 
 
 class NXCModule:
@@ -16,6 +17,7 @@ class NXCModule:
     name = "add-computer"
     description = "Adds or deletes a domain computer"
     supported_protocols = ["smb"]
+    category = CATEGORY.PRIVILEGE_ESCALATION
 
     def options(self, context, module_options):
         """

nxc/modules/aws-credentials.py

@@ -1,3 +1,6 @@
+from nxc.helpers.misc import CATEGORY
+
+
 class NXCModule:
     """
     Search for aws credentials files on linux and windows machines
@@ -8,6 +11,7 @@ class NXCModule:
     name = "aws-credentials"
     description = "Search for aws credentials files."
     supported_protocols = ["ssh", "smb", "winrm"]
+    category = CATEGORY.CREDENTIAL_DUMPING
 
     def __init__(self):
         self.search_path_linux = "'/home/' '/tmp/'"