Merge branch 'main' into dc-list

Signed-off-by: termanix <50464194+termanix@users.noreply.github.com>

Author: termanix

.github/workflows/build-binaries.yml

@@ -20,7 +20,7 @@ jobs:
         python-version: ${{ matrix.python-version }}
     - name: Build Native Binary
       run: |
-        pip install pyinstaller
+        pip install pyinstaller pillow
         pip install .
         pyinstaller netexec.spec
     - name: Upload Windows Binary

nxc/cli.py

@@ -24,7 +24,7 @@ def gen_cli_args():
         VERSION = importlib.metadata.version("netexec")
         COMMIT = ""
         DISTANCE = ""
-    CODENAME = "NeedForSpeed"
+    CODENAME = "SmoothOperator"
     nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
 
     generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
@@ -124,7 +124,7 @@ def gen_cli_args():
     except Exception as e:
         nxc_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol} - {e}")
 
-    argcomplete.autocomplete(parser)
+    argcomplete.autocomplete(parser, always_complete_options=False)
     args = parser.parse_args()
 
     if len(sys.argv) == 1:

nxc/first_run.py

@@ -29,6 +29,17 @@ def first_run_setup(logger=nxc_logger):
             logger.display(f"Creating missing folder {folder}")
             mkdir(path_join(NXC_PATH, folder))
 
+    log_subfolders = (
+        "sam",
+        "lsa",
+        "ntds",
+        "dpapi",
+    )
+    for subfolder in log_subfolders:
+        if not exists(path_join(NXC_PATH, f"logs/{subfolder}")):
+            logger.display(f"Creating missing folder logs/{subfolder}")
+            mkdir(path_join(NXC_PATH, f"logs/{subfolder}"))
+
     initialize_db()
 
     if not exists(CONFIG_PATH):

nxc/modules/enum_av.py

@@ -289,6 +289,14 @@ def LsarLookupNames(self, dce, policyHandle, service):
                 {"name": "exploitProtectionIPC", "processes": ["AVKWCtlx64.exe"]}
             ]
         },
+        {
+        "name": "Ivanti Security",
+            "services": [
+                {"name": "STAgent$Shavlik Protect", "description": "Ivanti Security Controls Agent"},
+                {"name": "STDispatch$Shavlik Protect", "description": "Ivanti Security Controls Agent Dispatcher"}
+            ],
+            "pipes": []
+        },
         {
             "name": "Kaspersky Security for Windows Server",
             "services": [
@@ -335,6 +343,11 @@ def LsarLookupNames(self, dce, policyHandle, service):
             ],
             "pipes": []
         },
+        {
+            "name": "Rapid7",
+            "services": [{"name": "ir_agent", "description": "Rapid7 Insight Agent"}],
+            "pipes": []
+        },
         {
             "name": "Sophos Intercept X",
             "services": [
@@ -384,7 +397,10 @@ def LsarLookupNames(self, dce, policyHandle, service):
                 {"name": "Trend Micro Web Service Communicator", "description": "Trend Micro Web Service Communicator"},
                 {"name": "TMiACAgentSvc", "description": "Trend Micro Application Control Service (Agent)"},
                 {"name": "CETASvc", "description": "Trend Micro Cloud Endpoint Telemetry Service"},
-                {"name": "iVPAgent", "description": "Trend Micro Vulnerability Protection Service (Agent)"}
+                {"name": "iVPAgent", "description": "Trend Micro Vulnerability Protection Service (Agent)"},
+                {"name": "ds_agent", "description": "Trend Micro Deep Security Agent"},
+                {"name": "ds_monitor", "description": "Trend Micro Deep Security Monitor"},
+                {"name": "ds_notifier", "description": "Trend Micro Deep Security Notifier"}
             ],
             "pipes": [
                 {"name": "IPC_XBC_XBC_AGENT_PIPE_*", "processes": ["EndpointBasecamp.exe"]},

nxc/modules/get-desc-users.py

@@ -1,7 +1,7 @@
-from impacket.ldap import ldapasn1 as ldapasn1_impacket
 from impacket.ldap import ldap as ldap_impacket
 import re
 from nxc.logger import nxc_logger
+from nxc.parsers.ldap_results import parse_result_attributes
 
 
 class NXCModule:
@@ -55,24 +55,10 @@ def on_login(self, context, connection):
                 nxc_logger.debug(e)
                 return False
 
-        answers = []
         context.log.debug(f"Total of records returned {len(resp)}")
-        for item in resp:
-            if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
-                continue
-            sAMAccountName = ""
-            description = ""
-            try:
-                for attribute in item["attributes"]:
-                    if str(attribute["type"]) == "sAMAccountName":
-                        sAMAccountName = str(attribute["vals"][0])
-                    elif str(attribute["type"]) == "description":
-                        description = attribute["vals"][0]
-                if sAMAccountName != "" and description != "":
-                    answers.append([sAMAccountName, description])
-            except Exception as e:
-                context.log.debug("Exception:", exc_info=True)
-                context.log.debug(f"Skipping item, cannot process due to error {e!s}")
+        resp_parsed = parse_result_attributes(resp)
+        answers = [[x["sAMAccountName"], x.get("description")] for x in resp_parsed if x.get("description")]
+
         answers = self.filter_answer(context, answers)
         if len(answers) > 0:
             context.log.success("Found following users: ")
@@ -108,5 +94,5 @@ def filter_answer(self, context, answers):
                     answersFiltered.append([answer[0], description])
                 elif (self.FILTER != "" and conditionFilter) and (conditionPasswordPolicy == self.PASSWORDPOLICY):
                     context.log.highlight(f"'{self.FILTER}' found in user: '{answer[0]}' description: '{description}'")
-                    
+
         return answersFiltered

nxc/netexec.py

@@ -1,3 +1,4 @@
+# PYTHON_ARGCOMPLETE_OK
 import sys
 from nxc.helpers.logger import highlight
 from nxc.helpers.misc import identify_target_file

nxc/parsers/ldap_results.py

@@ -1,4 +1,5 @@
 from impacket.ldap import ldapasn1 as ldapasn1_impacket
+from uuid import UUID
 
 
 def parse_result_attributes(ldap_response):
@@ -11,16 +12,43 @@ def parse_result_attributes(ldap_response):
         for attribute in entry["attributes"]:
             val_list = []
             for val in attribute["vals"].components:
-                try:
-                    encoding = val.encoding
-                    val_decoded = str(val).encode(encoding).decode("utf-8")
-                except UnicodeDecodeError:
-                    # If we can't decode the value, we'll just return the bytes
-                    val_decoded = val.__bytes__()
+                # Typical Byte objects we know how to decode
+                if str(attribute["type"]) == "objectGUID":
+                    val_decoded = UUID(bytes=val.__bytes__())
+                elif str(attribute["type"]) == "objectSid":
+                    val_decoded = sid_to_str(val.__bytes__())
+                else:
+                    # For the rest we try to decode the value with its encoding
+                    try:
+                        encoding = val.encoding
+                        val_decoded = str(val).encode(encoding).decode("utf-8")
+                    except UnicodeDecodeError:
+                        # If we can't decode the value, we'll just return the bytes
+                        val_decoded = val.__bytes__()
                 val_list.append(val_decoded)
             if len(val_list) == 1:
                 attribute_map[str(attribute["type"])] = val_list[0]
             else:
                 attribute_map[str(attribute["type"])] = val_list
         parsed_response.append(attribute_map)
     return parsed_response
+
+
+def sid_to_str(sid):
+    try:
+        # revision
+        revision = int(sid[0])
+        # count of sub authorities
+        sub_authorities = int(sid[1])
+        # big endian
+        identifier_authority = int.from_bytes(sid[2:8], byteorder="big")
+        # If true then it is represented in hex
+        if identifier_authority >= 2**32:
+            identifier_authority = hex(identifier_authority)
+
+        # loop over the count of small endians
+        sub_authority = "-" + "-".join([str(int.from_bytes(sid[8 + (i * 4): 12 + (i * 4)], byteorder="little")) for i in range(sub_authorities)])
+        return "S-" + str(revision) + "-" + str(identifier_authority) + sub_authority
+    except Exception:
+        pass
+    return sid

nxc/protocols/ldap/proto_args.py

@@ -20,7 +20,7 @@ def proto_args(parser, parents):
     vgroup.add_argument("--find-delegation", action="store_true", help="Finds delegation relationships within an Active Directory domain. (Enabled Accounts only)")
     vgroup.add_argument("--trusted-for-delegation", action="store_true", help="Get the list of users and computers with flag TRUSTED_FOR_DELEGATION")
     vgroup.add_argument("--password-not-required", action="store_true", help="Get the list of users with flag PASSWD_NOTREQD")
-    vgroup.add_argument("--admin-count", action="store_true", help="Get objets that had the value adminCount=1")
+    vgroup.add_argument("--admin-count", action="store_true", help="Get user that had the value adminCount=1")
     vgroup.add_argument("--users", nargs="*", help="Enumerate domain users")
     vgroup.add_argument("--users-export", help="Enumerate domain users and export them to the specified file")
     vgroup.add_argument("--groups", nargs="?", const="", help="Enumerate domain groups, if a group is specified than its members are enumerated")

nxc/protocols/nfs.py

@@ -262,7 +262,7 @@ def shares(self):
 
                         read_perm, write_perm, exec_perm = self.get_permissions(file_handle)
                         self.mount.umnt(self.auth)
-                        self.logger.highlight(f"{self.auth['uid']:<11}{'r' if read_perm else '-'}{'w' if write_perm else '-'}{('x' if exec_perm else '-'):<7}{convert_size(used_space) + "/" + convert_size(total_space):<16} {share:<30} {', '.join(network) if network else 'No network':<15}")
+                        self.logger.highlight(f"{self.auth['uid']:<11}{'r' if read_perm else '-'}{'w' if write_perm else '-'}{('x' if exec_perm else '-'):<7}{convert_size(used_space) + '/' + convert_size(total_space):<16} {share:<30} {', '.join(network) if network else 'No network':<15}")
                 except Exception as e:
                     self.logger.fail(f"Failed to list share: {share} - {e}")