Merge branch 'main' into marshall-db-ip-fix

Author: Marshall-Hallenbeck

.github/workflows/test.yml

@@ -19,7 +19,9 @@ jobs:
       - uses: actions/checkout@v4
       - name: Install poetry
         run: |
-          pipx install poetry==1.8.4
+          pipx install poetry
+          poetry --version
+          poetry env info
       - name: NetExec set up python ${{ matrix.python-version }} on ${{ matrix.os }}
         uses: actions/setup-python@v5
         with:
@@ -29,11 +31,6 @@ jobs:
       - name: Install with pipx
         run: |
           pipx install . --python python${{ matrix.python-version }}
-      - name: Install poetry
-        run: |
-          pipx install poetry --python python${{ matrix.python-version }}
-          poetry --version
-          poetry env info
       - name: Install libraries with dev group
         run: |
           poetry install --with dev
@@ -48,4 +45,4 @@ jobs:
           poetry run netexec mssql 127.0.0.1
           poetry run netexec ssh 127.0.0.1
           poetry run netexec ftp 127.0.0.1
-          poetry run netexec smb 127.0.0.1 -M veeam
+          poetry run netexec smb 127.0.0.1 -L

nxc/cli.py

@@ -19,11 +19,13 @@ def gen_cli_args():
 
     try:
         VERSION, COMMIT = importlib.metadata.version("netexec").split("+")
+        DISTANCE, COMMIT = COMMIT.split(".")
     except ValueError:
         VERSION = importlib.metadata.version("netexec")
         COMMIT = ""
+        DISTANCE = ""
     CODENAME = "NeedForSpeed"
-    nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT}")
+    nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
 
     generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
     generic_group = generic_parser.add_argument_group("Generic", "Generic options for nxc across protocols")
@@ -130,7 +132,7 @@ def gen_cli_args():
         sys.exit(1)
 
     if args.version:
-        print(f"{VERSION} - {CODENAME} - {COMMIT}")
+        print(f"{VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
         sys.exit(1)
 
     # Multiply output_tries by 10 to enable more fine granural control, see exec methods

nxc/modules/remote-uac.py

@@ -0,0 +1,65 @@
+from impacket.dcerpc.v5 import rrp
+from impacket.examples.secretsdump import RemoteOperations
+
+
+class NXCModule:
+    """Module by @Defte_"""
+    name = "remote-uac"
+    description = "Enable or disable remote UAC"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self, context=None, module_options=None):
+        self.context = context
+        self.module_options = module_options
+        self.action = None
+
+    def options(self, context, module_options):
+        """
+        Enables UAC (prevent non RID500 account to get high priv token remotely)
+        Disables UAC (allow non RID500 account to get high priv token remotely)
+
+        ACTION:     "enable" or "disable" (required)
+        """
+        if "ACTION" not in module_options:
+            context.log.fail("ACTION option not specified!")
+            return
+
+        if module_options["ACTION"].lower() not in ["enable", "disable"]:
+            context.log.fail("ACTION must be either enable, disable or query")
+            return
+        self.action = module_options["ACTION"].lower()
+
+    def on_admin_login(self, context, connection):
+        try:
+            remoteOps = RemoteOperations(connection.conn, False)
+            remoteOps.enableRegistry()
+            if remoteOps._RemoteOperations__rrp:
+                ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
+                regHandle = ans["phKey"]
+
+                keyHandle = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")["phkResult"]
+
+                # Checks if the key already exists or not
+                try:
+                    rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, "LocalAccountTokenFilterPolicy\x00")
+                except Exception as e:
+                    if "ERROR_FILE_NOT_FOUND" in str(e):
+                        context.log.debug("Registry key 'LocalAccountTokenFilterPolicy' does not exist, creating it")
+                        ans = rrp.hBaseRegCreateKey(remoteOps._RemoteOperations__rrp, keyHandle, "LocalAccountTokenFilterPolicy\x00")
+
+                # Disable remote UAC
+                if self.action == "disable":
+                    rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, "LocalAccountTokenFilterPolicy\x00", rrp.REG_DWORD, 1)
+                    context.log.highlight("Remote UAC disabled")
+
+                # Enable remote UAC
+                if self.action == "enable":
+                    rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, "LocalAccountTokenFilterPolicy\x00", rrp.REG_DWORD, 0)
+                    context.log.highlight("Remote UAC enabled")
+
+        except Exception as e:
+            context.log.debug(f"Error {e}")
+        finally:
+            remoteOps.finish()

nxc/protocols/ldap.py

@@ -3,6 +3,7 @@
 import hashlib
 import hmac
 import os
+from errno import EHOSTUNREACH
 from binascii import hexlify
 from datetime import datetime
 from re import sub, I
@@ -209,7 +210,11 @@ def create_conn_obj(self):
             self.logger.debug(f"{e} on host {self.host}")
             return False
         except OSError as e:
-            self.logger.error(f"Error getting ldap info {e}")
+            if e.errno == EHOSTUNREACH:
+                self.logger.info(f"Error connecting to {self.host} - {e}")
+                return False
+            else:
+                self.logger.error(f"Error getting ldap info {e}")
 
         self.logger.debug(f"Target: {target}; target_domain: {target_domain}; base_dn: {base_dn}")
         self.target = target