Merge pull request Pennyw0rth#463 from Dfte/SMB]-Add-the-recyclebin-module

NeffIsBack · web-flow · commit 9829b08628cf · 2025-05-15T19:09:11.000+02:00
Add option to  --spider and add recyclebin.py module
diff --git a/nxc/modules/get_netconnections.py b/nxc/modules/get_netconnections.py
@@ -17,7 +17,7 @@ class NXCModule:
     multiple_hosts = True
 
     def options(self, context, module_options):
-        """No options"""
+        """No options available"""
 
     def on_admin_login(self, context, connection):
         data = []
diff --git a/nxc/modules/recyclebin.py b/nxc/modules/recyclebin.py
@@ -0,0 +1,101 @@
+from os import makedirs
+from nxc.paths import NXC_PATH
+from os.path import join, abspath
+from impacket.dcerpc.v5 import rrp
+from impacket.dcerpc.v5.rrp import DCERPCSessionError
+from impacket.examples.secretsdump import RemoteOperations
+
+
+class NXCModule:
+    # Module by @Defte_
+    # Dumps files from recycle bins
+
+    name = "recyclebin"
+    description = "Lists and exports users' recycle bins"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def options(self, context, module_options):
+        """No options available"""
+
+    def on_admin_login(self, context, connection):
+        false_positive_users = [".", "..", "desktop.ini", "Public", "Default", "Default User", "All Users", ".NET v4.5", ".NET v4.5 Classic"]
+        found = 0
+        try:
+            remote_ops = RemoteOperations(connection.conn, connection.kerberos)
+            remote_ops.enableRegistry()
+
+            for sid_directory in connection.conn.listPath("C$", "$Recycle.Bin\\*"):
+                try:
+                    if sid_directory.get_longname() and sid_directory.get_longname() not in false_positive_users:
+
+                        # Extracts the username from the SID
+                        reg_handle = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)["phKey"]
+                        key_handle = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, f"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\{sid_directory.get_longname()}")["phkResult"]
+                        username = None
+                        try:
+                            _, profileimagepath = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, "ProfileImagePath\x00")
+                            # Get username and remove embedded null byte
+                            username = profileimagepath.split("\\")[-1].rstrip("\x00")
+                        except rrp.DCERPCSessionError as e:
+                            context.log.debug(f"Couldn't get username from SID {e} on host {connection.host}")
+
+                        # Lists for any file or directory in the recycle bin
+                        spider_folder = f"$Recycle.Bin\\{sid_directory.get_longname()}\\"
+                        paths = connection.spider(
+                            "C$",
+                            folder=spider_folder,
+                            regex=[r"(.*)"],
+                            silent=True
+                        )
+
+                        false_positive = (".", "..", "desktop.ini")
+                        filtered_file_paths = [path for path in paths if not path.endswith(false_positive)]
+                        if filtered_file_paths:
+                            if username is not None:
+                                context.log.highlight(f"CONTENT FOUND {sid_directory.get_longname()} ({username})")
+                            else:
+                                context.log.highlight(f"CONTENT FOUND {sid_directory.get_longname()}")
+
+                            for path in filtered_file_paths:
+                                # Returned path look like:
+                                # $Recycle.Bin\S-1-5-21-4140170355-2927207985-2497279808-500\/$I87021Q.txt
+                                # Or
+                                # $Recycle.Bin\S-1-5-21-4140170355-2927207985-2497279808-500\/$R87021Q.txt
+                                # $I files are metadata while $R are actual files so we split the path from the SID
+                                # And check that the filename contains $R only to prevent downloading useless stuff
+
+                                if "$R" in path.split(sid_directory.get_longname())[1] and not path.endswith(false_positive):
+                                    # Create the export path
+                                    export_path = join(NXC_PATH, "modules", "recyclebin")
+                                    makedirs(export_path, exist_ok=True)
+
+                                    # Formatting the destination filename
+                                    file_path = path.split("$")[-1].replace("/", "_")
+                                    filename = f"{connection.host}_{username if username else sid_directory.get_longname()}_recyclebin_{file_path}"
+                                    dest_path = abspath(join(export_path, filename))
+                                    try:
+                                        with open(dest_path, "wb+") as file:
+                                            connection.conn.getFile("C$", path, file.write)
+                                    except Exception as e:
+                                        if "STATUS_FILE_IS_A_DIRECTORY" in str(e):
+                                            context.log.debug(f"Couldn't open {dest_path} because of {e}")
+                                        else:
+                                            context.log.fail(f"Failed to write recyclebin file to {filename}: {e}")
+                                    else:
+                                        context.log.highlight(f"\t{dest_path}")
+                                        found += 1
+                except DCERPCSessionError as e:
+                    if "ERROR_FILE_NOT_FOUND" in str(e):
+                        continue
+                    else:
+                        context.log.fail(f"Error opening {sid_directory.get_longname()} on host {connection.host} because of {e}")
+                        continue
+            if found > 0:
+                context.log.highlight(f"Recycle bin's content downloaded to {export_path}")
+        except DCERPCSessionError as e:
+            context.log.exception(e)
+            context.log.fail(f"Error connecting to RemoteRegistry {e} on host {connection.host}")
+        finally:
+            remote_ops.finish()
diff --git a/nxc/modules/veeam.py b/nxc/modules/veeam.py
@@ -25,7 +25,7 @@ def __init__(self):
             self.psScriptPostgresql = psFile.read()
 
     def options(self, context, module_options):
-        """No options"""
+        """No options available"""
 
     def checkVeeamInstalled(self, context, connection):
         context.log.display("Looking for Veeam installation...")
diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py
@@ -1376,6 +1376,7 @@ def spider(
         depth=None,
         content=False,
         only_files=True,
+        silent=True
     ):
         if exclude_dirs is None:
             exclude_dirs = []
@@ -1384,8 +1385,8 @@ def spider(
         if pattern is None:
             pattern = []
         spider = SMBSpider(self.conn, self.logger)
-
-        self.logger.display("Started spidering")
+        if not silent:
+            self.logger.display("Started spidering")
         start_time = time()
         if not share:
             spider.spider(
@@ -1397,11 +1398,12 @@ def spider(
                 self.args.depth,
                 self.args.content,
                 self.args.only_files,
+                self.args.silent
             )
         else:
-            spider.spider(share, folder, pattern, regex, exclude_dirs, depth, content, only_files)
-
-        self.logger.display(f"Done spidering (Completed in {time() - start_time})")
+            spider.spider(share, folder, pattern, regex, exclude_dirs, depth, content, only_files, silent)
+        if not silent:
+            self.logger.display(f"Done spidering (Completed in {time() - start_time})")
 
         return spider.results
 
diff --git a/nxc/protocols/smb/proto_args.py b/nxc/protocols/smb/proto_args.py
@@ -67,6 +67,7 @@ def proto_args(parser, parents):
     spidering_group.add_argument("--exclude-dirs", type=str, metavar="DIR_LIST", default="", help="directories to exclude from spidering")
     spidering_group.add_argument("--depth", type=int, help="max spider recursion depth")
     spidering_group.add_argument("--only-files", action="store_true", help="only spider files")
+    spidering_group.add_argument("--silent", action="store_true", help="Do not print found files/directories", default=False)
     segroup = spidering_group.add_mutually_exclusive_group()
     segroup.add_argument("--pattern", nargs="+", help="pattern(s) to search for in folders, filenames and file content")
     segroup.add_argument("--regex", nargs="+", help="regex(s) to search for in folders, filenames and file content")
diff --git a/nxc/protocols/smb/smbspider.py b/nxc/protocols/smb/smbspider.py
@@ -19,6 +19,7 @@ def __init__(self, smbconnection, logger):
         self.onlyfiles = True
         self.content = False
         self.results = []
+        self.silent = False
 
     def spider(
         self,
@@ -30,6 +31,7 @@ def spider(
         depth=None,
         content=False,
         onlyfiles=True,
+        silent=False
     ):
         if exclude_dirs is None:
             exclude_dirs = []
@@ -48,6 +50,7 @@ def spider(
         self.exclude_dirs = exclude_dirs
         self.content = content
         self.onlyfiles = onlyfiles
+        self.silent = silent
 
         if share == "*":
             self.logger.display("Enumerating shares for spidering")
@@ -66,7 +69,8 @@ def spider(
                 self.logger.fail(f"Error enumerating shares: {e}")
         else:
             self.share = share
-            self.logger.display(f"Spidering {folder}")
+            if not self.silent:
+                self.logger.display(f"Spidering {folder}")
             self._spider(folder, depth)
 
         return self.results
@@ -114,9 +118,9 @@ def dir_list(self, files, path):
             if self.pattern:
                 for pattern in self.pattern:
                     if bytes(result.get_longname().lower(), "utf8").find(bytes(pattern.lower(), "utf8")) != -1:
-                        if not self.onlyfiles and result.is_directory():
+                        if not self.onlyfiles and result.is_directory() and not self.silent:
                             self.logger.highlight(f"//{self.smbconnection.getRemoteHost()}/{self.share}/{path}{result.get_longname()} [dir]")
-                        else:
+                        elif not self.silent:
                             self.logger.highlight(
                                 "//{}/{}/{}{} [lastm:'{}' size:{}]".format(
                                     self.smbconnection.getRemoteHost(),
@@ -131,9 +135,9 @@ def dir_list(self, files, path):
             if self.regex:
                 for regex in self.regex:
                     if regex.findall(bytes(result.get_longname(), "utf8")):
-                        if not self.onlyfiles and result.is_directory():
+                        if not self.onlyfiles and result.is_directory() and not self.silent:
                             self.logger.highlight(f"//{self.smbconnection.getRemoteHost()}/{self.share}/{path}{result.get_longname()} [dir]")
-                        else:
+                        elif not self.silent:
                             self.logger.highlight(
                                 "//{}/{}/{}{} [lastm:'{}' size:{}]".format(
                                     self.smbconnection.getRemoteHost(),
@@ -149,7 +153,6 @@ def dir_list(self, files, path):
             if self.content and not result.is_directory():
                 self.search_content(path, result)
 
-
     def search_content(self, path, result):
         path = path.replace("*", "")
         try:
@@ -176,34 +179,36 @@ def search_content(self, path, result):
                 if self.pattern:
                     for pattern in self.pattern:
                         if contents.lower().find(bytes(pattern.lower(), "utf8")) != -1:
-                            self.logger.highlight(
-                                "//{}/{}/{}{} [lastm:'{}' size:{} offset:{} pattern:'{}']".format(
-                                    self.smbconnection.getRemoteHost(),
-                                    self.share,
-                                    path,
-                                    result.get_longname(),
-                                    "n\\a" if not self.get_lastm_time(result) else self.get_lastm_time(result),
-                                    result.get_filesize(),
-                                    rfile.tell(),
-                                    pattern,
+                            if not self.silent:
+                                self.logger.highlight(
+                                    "//{}/{}/{}{} [lastm:'{}' size:{} offset:{} pattern:'{}']".format(
+                                        self.smbconnection.getRemoteHost(),
+                                        self.share,
+                                        path,
+                                        result.get_longname(),
+                                        "n\\a" if not self.get_lastm_time(result) else self.get_lastm_time(result),
+                                        result.get_filesize(),
+                                        rfile.tell(),
+                                        pattern,
+                                    )
                                 )
-                            )
                             self.results.append(f"{path}{result.get_longname()}")
                 if self.regex:
                     for regex in self.regex:
                         if regex.findall(contents):
-                            self.logger.highlight(
-                                "//{}/{}/{}{} [lastm:'{}' size:{} offset:{} regex:'{}']".format(
-                                    self.smbconnection.getRemoteHost(),
-                                    self.share,
-                                    path,
-                                    result.get_longname(),
-                                    "n\\a" if not self.get_lastm_time(result) else self.get_lastm_time(result),
-                                    result.get_filesize(),
-                                    rfile.tell(),
-                                    regex.pattern,
+                            if not self.silent:
+                                self.logger.highlight(
+                                    "//{}/{}/{}{} [lastm:'{}' size:{} offset:{} regex:'{}']".format(
+                                        self.smbconnection.getRemoteHost(),
+                                        self.share,
+                                        path,
+                                        result.get_longname(),
+                                        "n\\a" if not self.get_lastm_time(result) else self.get_lastm_time(result),
+                                        result.get_filesize(),
+                                        rfile.tell(),
+                                        regex.pattern,
+                                    )
                                 )
-                            )
                             self.results.append(f"{path}{result.get_longname()}")
 
             rfile.close()
@@ -219,4 +224,3 @@ def search_content(self, path, result):
     def get_lastm_time(self, result_obj):
         with contextlib.suppress(Exception):
             return strftime("%Y-%m-%d %H:%M", localtime(result_obj.get_mtime_epoch()))
-
