Merge branch 'main' into ntlm_reflection

Author: NeffIsBack

nxc/cli.py

@@ -76,13 +76,13 @@ def gen_cli_args():
     mgroup = module_parser.add_argument_group("Modules", "Options for nxc modules")
     mgroup.add_argument("-M", "--module", choices=get_module_names(), action="append", metavar="MODULE", help="module to use")
     mgroup.add_argument("-o", metavar="MODULE_OPTION", nargs="+", default=[], dest="module_options", help="module options")
-    mgroup.add_argument("-L", "--list-modules", action="store_true", help="list available modules")
+    mgroup.add_argument("-L", "--list-modules", nargs="?", type=str, const="", help="list available modules")
     mgroup.add_argument("--options", dest="show_module_options", action="store_true", help="display module options")
 
     subparsers = parser.add_subparsers(title="Available Protocols", dest="protocol")
 
     std_parser = argparse.ArgumentParser(add_help=False, parents=[generic_parser, output_parser, dns_parser], formatter_class=DisplayDefaultsNotNone)
-    std_parser.add_argument("target", nargs="+" if not (module_parser.parse_known_args()[0].list_modules or module_parser.parse_known_args()[0].show_module_options or generic_parser.parse_known_args()[0].version) else "*", type=str, help="the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, NMap XML or .Nessus file(s)")
+    std_parser.add_argument("target", nargs="+" if not (module_parser.parse_known_args()[0].list_modules is not None or module_parser.parse_known_args()[0].show_module_options or generic_parser.parse_known_args()[0].version) else "*", type=str, help="the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, NMap XML or .Nessus file(s)")
     credential_group = std_parser.add_argument_group("Authentication", "Options for authenticating")
     credential_group.add_argument("-u", "--username", metavar="USERNAME", dest="username", nargs="+", default=[], help="username(s) or file(s) containing usernames")
     credential_group.add_argument("-p", "--password", metavar="PASSWORD", dest="password", nargs="+", default=[], help="password(s) or file(s) containing passwords")

nxc/helpers/misc.py

@@ -1,10 +1,13 @@
+from enum import Enum
 import random
 import string
 import re
 import inspect
 import os
-
+from termcolor import colored
 from ipaddress import ip_address
+from nxc.logger import nxc_logger
+from time import strftime, gmtime
 
 
 def identify_target_file(target_file):
@@ -145,3 +148,97 @@ def detect_if_ip(target):
         return True
     except Exception:
         return False
+
+
+def d2b(a):
+    """
+    Function used to convert password property flags from decimal to binary
+    format for easier interpretation of individual flag bits.
+    """
+    tbin = []
+    while a:
+        tbin.append(a % 2)
+        a //= 2
+
+    t2bin = tbin[::-1]
+    if len(t2bin) != 8:
+        for _x in range(6 - len(t2bin)):
+            t2bin.insert(0, 0)
+    return "".join([str(g) for g in t2bin])
+
+
+def convert(low, high, lockout=False):
+    """
+    Convert Windows FILETIME (64-bit) values to human-readable time strings.
+
+    Windows stores time intervals as 64-bit values representing 100-nanosecond
+    intervals since January 1, 1601. This function converts these values to
+    readable format like "30 days 5 hours 15 minutes".
+
+    Args:
+        low (int): Low 32 bits of the FILETIME value
+        high (int): High 32 bits of the FILETIME value
+        lockout (bool): If True, treats the value as a lockout duration (simpler conversion)
+
+    Returns:
+        str: Human-readable time string (e.g., "42 days 5 hours 30 minutes") or
+             special values like "Not Set", "None", or "[-] Invalid TIME"
+    """
+    time = ""
+    tmp = 0
+
+    if (low == 0 and high == -0x8000_0000) or (low == 0 and high == -0x8000_0000_0000_0000):
+        return "Not Set"
+    if low == 0 and high == 0:
+        return "None"
+
+    if not lockout:
+        if low != 0:
+            high = abs(high + 1)
+        else:
+            high = abs(high)
+            low = abs(low)
+
+        tmp = low + (high << 32)  # convert to 64bit int
+        tmp *= 1e-7  # convert to seconds
+    else:
+        tmp = abs(high) * (1e-7)
+
+    try:
+        minutes = int(strftime("%M", gmtime(tmp)))
+        hours = int(strftime("%H", gmtime(tmp)))
+        days = int(strftime("%j", gmtime(tmp))) - 1
+    except ValueError:
+        return "[-] Invalid TIME"
+
+    if days > 1:
+        time += f"{days} days "
+    elif days == 1:
+        time += f"{days} day "
+    if hours > 1:
+        time += f"{hours} hours "
+    elif hours == 1:
+        time += f"{hours} hour "
+    if minutes > 1:
+        time += f"{minutes} minutes "
+    elif minutes == 1:
+        time += f"{minutes} minute "
+    return time
+
+
+def display_modules(args, modules):
+    for category, color in {CATEGORY.ENUMERATION: "green", CATEGORY.CREDENTIAL_DUMPING: "cyan", CATEGORY.PRIVILEGE_ESCALATION: "magenta"}.items():
+        # Add category filter for module listing
+        if args.list_modules and args.list_modules.lower() != category.name.lower():
+            continue
+        if len([module for module in modules.values() if module["category"] == category]) > 0:
+            nxc_logger.highlight(colored(f"{category.name}", color, attrs=["bold"]))
+        for name, props in sorted(modules.items()):
+            if props["category"] == category:
+                nxc_logger.display(f"{name:<25} {props['description']}")
+
+
+class CATEGORY(Enum):
+    ENUMERATION = "Enumeration"
+    CREDENTIAL_DUMPING = "Credential Dumping"
+    PRIVILEGE_ESCALATION = "Privilege Escalation"

nxc/loaders/moduleloader.py

@@ -30,6 +30,9 @@ def module_is_sane(self, module, module_path):
         elif not hasattr(module, "description"):
             self.logger.fail(f"{module_path} missing the description variable")
             module_error = True
+        elif not hasattr(module, "category"):
+            self.logger.fail(f"{module_path} missing the category variable")
+            module_error = True
         elif not hasattr(module, "supported_protocols"):
             self.logger.fail(f"{module_path} missing the supported_protocols variable")
             module_error = True
@@ -92,6 +95,7 @@ def get_module_info(self, module_path):
                     "description": module_spec.description,
                     "options": module_spec.options.__doc__,
                     "supported_protocols": module_spec.supported_protocols,
+                    "category": module_spec.category,
                     "requires_admin": bool(hasattr(module_spec, "on_admin_login") and callable(module_spec.on_admin_login)),
                 }
             }

nxc/modules/adcs.py

@@ -1,6 +1,7 @@
 import re
 from impacket.ldap import ldap, ldapasn1
 from impacket.ldap.ldap import LDAPSearchError
+from nxc.helpers.misc import CATEGORY
 
 
 class NXCModule:
@@ -13,6 +14,7 @@ class NXCModule:
     name = "adcs"
     description = "Find PKI Enrollment Services in Active Directory and Certificate Templates Names"
     supported_protocols = ["ldap"]
+    category = CATEGORY.ENUMERATION
 
     def __init__(self, context=None, module_options=None):
         self.context = context

nxc/modules/add-computer.py

@@ -3,6 +3,7 @@
 import sys
 from impacket.dcerpc.v5 import samr, epm, transport
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
+from nxc.helpers.misc import CATEGORY
 
 
 class NXCModule:
@@ -16,6 +17,7 @@ class NXCModule:
     name = "add-computer"
     description = "Adds or deletes a domain computer"
     supported_protocols = ["smb"]
+    category = CATEGORY.PRIVILEGE_ESCALATION
 
     def options(self, context, module_options):
         """

nxc/modules/aws-credentials.py

@@ -1,3 +1,6 @@
+from nxc.helpers.misc import CATEGORY
+
+
 class NXCModule:
     """
     Search for aws credentials files on linux and windows machines
@@ -8,6 +11,7 @@ class NXCModule:
     name = "aws-credentials"
     description = "Search for aws credentials files."
     supported_protocols = ["ssh", "smb", "winrm"]
+    category = CATEGORY.CREDENTIAL_DUMPING
 
     def __init__(self):
         self.search_path_linux = "'/home/' '/tmp/'"

nxc/modules/backup_operator.py

@@ -6,13 +6,15 @@
 from impacket.smbconnection import SessionError
 from impacket.dcerpc.v5 import transport, rrp
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
+from nxc.helpers.misc import CATEGORY
 from nxc.paths import NXC_PATH
 
 
 class NXCModule:
     name = "backup_operator"
     description = "Exploit user in backup operator group to dump NTDS @mpgn_x64"
     supported_protocols = ["smb"]
+    category = CATEGORY.PRIVILEGE_ESCALATION
 
     def __init__(self, context=None, module_options=None):
         self.context = context

nxc/modules/badsuccessor.py

@@ -1,4 +1,5 @@
 from impacket.ldap import ldaptypes
+from nxc.helpers.misc import CATEGORY
 from nxc.parsers.ldap_results import parse_result_attributes
 from ldap3.protocol.microsoft import security_descriptor_control
 
@@ -79,6 +80,7 @@ class NXCModule:
     name = "badsuccessor"
     description = "Check if vulnerable to bad successor attack (DMSA)"
     supported_protocols = ["ldap"]
+    category = CATEGORY.ENUMERATION
 
     def __init__(self):
         self.context = None

nxc/modules/bitlocker.py

@@ -3,12 +3,14 @@
 from impacket.dcerpc.v5.dtypes import NULL
 from impacket.dcerpc.v5.dcomrt import DCOMConnection
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+from nxc.helpers.misc import CATEGORY
 
 
 class NXCModule:
     name = "bitlocker"
     description = "Enumerating BitLocker Status on target(s) If it is enabled or disabled."
     supported_protocols = ["smb", "wmi"]
+    category = CATEGORY.ENUMERATION
 
     def __init__(self, context=None, module_options=None):
         self.context = context

nxc/modules/change-password.py

@@ -1,6 +1,7 @@
 import sys
 from impacket.dcerpc.v5 import samr, epm, transport
 from impacket.dcerpc.v5.rpcrt import DCERPCException
+from nxc.helpers.misc import CATEGORY
 
 
 class NXCModule:
@@ -12,6 +13,7 @@ class NXCModule:
     name = "change-password"
     description = "Change or reset user passwords via various protocols"
     supported_protocols = ["smb"]
+    category = CATEGORY.PRIVILEGE_ESCALATION
 
     def options(self, context, module_options):
         """