Merge branch 'main' into opsec

Marshall-Hallenbeck · web-flow · commit 9ad951c781cc · 2025-07-13T16:14:51.000-04:00
diff --git a/nxc/modules/get-info-users.py b/nxc/modules/get-info-users.py
@@ -0,0 +1,46 @@
+from nxc.parsers.ldap_results import parse_result_attributes
+
+
+class NXCModule:
+    """
+    Get the info field of users
+    Module by @sepauli
+    """
+    name = "get-info-users"
+    description = "Get the info field of all users. May contain password"
+    supported_protocols = ["ldap"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def options(self, context, module_options):
+        """FILTER    Apply the FILTER (grep-like) (default: '')"""
+        self.FILTER = ""
+        if "FILTER" in module_options:
+            self.FILTER = module_options["FILTER"]
+
+    def on_login(self, context, connection):
+        # Building the search filter
+        resp = connection.search(
+            searchFilter="(info=*)",
+            attributes=["sAMAccountName", "info"]
+        )
+
+        context.log.debug(f"Total of records returned {len(resp)}")
+        resp_parsed = parse_result_attributes(resp)
+        answers = [[x["sAMAccountName"], x["info"]] for x in resp_parsed]
+
+        answers = self.filter_answer(context, answers)
+        if answers:
+            context.log.success("Found following users: ")
+            for answer in answers:
+                context.log.highlight(f"User: {answer[0]:<20} Info: {answer[1]}")
+
+    def filter_answer(self, context, answers):
+        # No option to filter
+        if not self.FILTER:
+            context.log.debug("No filter option enabled")
+            return answers
+        # Filter
+        context.log.debug(f"Filter info field with: {self.FILTER}")
+        return [answer for answer in answers if self.FILTER in answer[1]]
+
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -664,7 +664,7 @@ def check_if_admin(self):
         resp = self.search(search_filter, attributes, sizeLimit=0, baseDN=self.baseDN)
         resp_parsed = parse_result_attributes(resp)
         answers = []
-        if resp and (self.password != "" or self.lmhash != "" or self.nthash != "" or self.aesKey != "") and self.username != "":
+        if resp and (self.password != "" or self.lmhash != "" or self.nthash != "" or self.aesKey != "" or self.use_kcache) and self.username != "":
             for item in resp_parsed:
                 self.sid_domain = "-".join(item["objectSid"].split("-")[:-1])
 
diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py
@@ -688,7 +688,7 @@ def is_host_dc(self):
         from impacket.dcerpc.v5 import nrpc, epm
 
         self.logger.debug("Performing authentication attempts...")
-        
+
         # First check if port 135 is open
         if self._is_port_open(135):
             self.logger.debug("Port 135 is open, attempting MSRPC connection...")
@@ -964,7 +964,7 @@ def enumerate_sessions_info(self, sessions):
                     sessions[SessionId]["DisconnectTime"] = sessdata["LSMSessionInfoExPtr"]["LSM_SessionInfo_Level1"]["DisconnectTime"]
                     sessions[SessionId]["LogonTime"] = sessdata["LSMSessionInfoExPtr"]["LSM_SessionInfo_Level1"]["LogonTime"]
                     sessions[SessionId]["LastInputTime"] = sessdata["LSMSessionInfoExPtr"]["LSM_SessionInfo_Level1"]["LastInputTime"]
-            
+
             try:
                 with TSTS.RCMPublic(self.conn, self.host, self.kerberos) as rcm:
                     for SessionId in sessions:
@@ -1011,33 +1011,32 @@ def qwinsta(self):
             "WTS_SESSIONSTATE_LOCK": "Locked",
             "WTS_SESSIONSTATE_UNLOCK": "Unlocked",
         }
+
         sessions = self.get_session_list()
-        if not len(sessions):
+        if not sessions:
             return
+
         self.enumerate_sessions_info(sessions)
 
+        # Calculate max lengths for formatting
         maxSessionNameLen = max(len(sessions[i]["SessionName"]) + 1 for i in sessions)
-        maxSessionNameLen = maxSessionNameLen if len("SESSIONNAME") < maxSessionNameLen else len("SESSIONNAME") + 1
+        maxSessionNameLen = max(maxSessionNameLen, len("SESSIONNAME") + 1)
         maxUsernameLen = max(len(sessions[i]["Username"] + sessions[i]["Domain"]) + 1 for i in sessions) + 1
-        maxUsernameLen = maxUsernameLen if len("Username") < maxUsernameLen else len("Username") + 1
+        maxUsernameLen = max(maxUsernameLen, len("USERNAME") + 1)
         maxIdLen = max(len(str(i)) for i in sessions)
-        maxIdLen = maxIdLen if len("ID") < maxIdLen else len("ID") + 1
+        maxIdLen = max(maxIdLen, len("ID") + 1)
         maxStateLen = max(len(sessions[i]["state"]) + 1 for i in sessions)
-        maxStateLen = maxStateLen if len("STATE") < maxStateLen else len("STATE") + 1
-        maxRemoteIp = max(len(sessions[i]["RemoteIp"]) + 1 for i in sessions)
-        maxRemoteIp = maxRemoteIp if len("RemoteAddress") < maxRemoteIp else len("RemoteAddress") + 1
-        maxClientName = max(len(sessions[i]["ClientName"]) + 1 for i in sessions)
-        maxClientName = maxClientName if len("ClientName") < maxClientName else len("ClientName") + 1
-        template = ("{SESSIONNAME: <%d} "  # noqa: UP031
-                    "{USERNAME: <%d} "
-                    "{ID: <%d} "
+        maxStateLen = max(maxStateLen, len("STATE") + 1)
+
+        # Create the template for formatting
+        template = (f"{{SESSIONNAME: <{maxSessionNameLen}}} "
+                    f"{{USERNAME: <{maxUsernameLen}}} "
+                    f"{{ID: <{maxIdLen}}} "
                     "{IPv4: <16} "
-                    "{STATE: <%d} "
+                    f"{{STATE: <{maxStateLen}}} "
                     "{DSTATE: <9} "
                     "{CONNTIME: <20} "
-                    "{DISCTIME: <20} ") % (maxSessionNameLen, maxUsernameLen, maxIdLen, maxStateLen)
-
-        result = []
+                    "{DISCTIME: <20} ")
         header = template.format(
             SESSIONNAME="SESSIONNAME",
             USERNAME="USERNAME",
@@ -1048,7 +1047,6 @@ def qwinsta(self):
             CONNTIME="ConnectTime",
             DISCTIME="DisconnectTime",
         )
-
         header2 = template.replace(" <", "=<").format(
             SESSIONNAME="",
             USERNAME="",
@@ -1059,30 +1057,49 @@ def qwinsta(self):
             CONNTIME="",
             DISCTIME="",
         )
-        result.extend((header, header2))
+        result = [header, header2]
+
+        # Check if we need to filter for usernames
+        usernames = None
+        if self.args.qwinsta:
+            arg = self.args.qwinsta
+            if os.path.isfile(arg):
+                with open(arg) as f:
+                    usernames = [line.strip().lower() for line in f if line.strip()]
+            else:
+                usernames = [arg.lower()]
 
         for i in sessions:
+            username = sessions[i]["Username"]
+            domain = sessions[i]["Domain"]
+            user_full = f"{domain}\\{username}" if username else ""
+
+            # If usernames are provided, filter them
+            if usernames and username.lower() not in usernames:
+                continue
+
             connectTime = sessions[i]["ConnectTime"]
             connectTime = connectTime.strftime(r"%Y/%m/%d %H:%M:%S") if connectTime.year > 1601 else "None"
 
             disconnectTime = sessions[i]["DisconnectTime"]
             disconnectTime = disconnectTime.strftime(r"%Y/%m/%d %H:%M:%S") if disconnectTime.year > 1601 else "None"
-            userName = sessions[i]["Domain"] + "\\" + sessions[i]["Username"] if len(sessions[i]["Username"]) else ""
 
-            result.append(template.format(
+            row = template.format(
                 SESSIONNAME=sessions[i]["SessionName"],
-                USERNAME=userName,
+                USERNAME=user_full,
                 ID=i,
                 IPv4=sessions[i]["RemoteIp"],
                 STATE=sessions[i]["state"],
                 DSTATE=desktop_states[sessions[i]["flags"]],
                 CONNTIME=connectTime,
                 DISCTIME=disconnectTime,
-            ))
+            )
+            result.append(row)
 
-        self.logger.success("Enumerated qwinsta sessions")
-        for row in result:
-            self.logger.highlight(row)
+        if len(result) > 2:
+            self.logger.success("Enumerated qwinsta sessions")
+            for row in result:
+                self.logger.highlight(row)
 
     @requires_admin
     def tasklist(self):
@@ -1242,16 +1259,20 @@ def shares(self):
                     error = get_error_string(e)
                     self.logger.debug(f"Error adding share: {error}")
 
+        if self.args.filter_shares:
+            self.logger.display("[REMOVED] Use the --shares read,write options instead.")
+
         self.logger.display("Enumerated shares")
         self.logger.highlight(f"{'Share':<15} {'Permissions':<15} {'Remark'}")
         self.logger.highlight(f"{'-----':<15} {'-----------':<15} {'------'}")
+        
         for share in permissions:
             name = share["name"]
             remark = share["remark"]
-            perms = share["access"]
-            if self.args.filter_shares and not any(x in perms for x in self.args.filter_shares):
+            perms = ",".join(share["access"])
+            if self.args.shares and self.args.shares.lower() not in perms.lower():
                 continue
-            self.logger.highlight(f"{name:<15} {','.join(perms):<15} {remark}")
+            self.logger.highlight(f"{name:<15} {perms:<15} {remark}")
         return permissions
 
     def dir(self):
@@ -1531,16 +1552,16 @@ def rid_brute(self, max_rid=None):
             max_rid = int(self.args.rid_brute)
 
         KNOWN_PROTOCOLS = {
-            135: {"bindstr": rf"ncacn_ip_tcp:{self.host}"},
-            139: {"bindstr": rf"ncacn_np:{self.host}[\pipe\lsarpc]"},
-            445: {"bindstr": rf"ncacn_np:{self.host}[\pipe\lsarpc]"},
+            135: {"bindstr": rf"ncacn_ip_tcp:{self.remoteName}"},
+            139: {"bindstr": rf"ncacn_np:{self.remoteName}[\pipe\lsarpc]"},
+            445: {"bindstr": rf"ncacn_np:{self.remoteName}[\pipe\lsarpc]"},
         }
 
         try:
             string_binding = KNOWN_PROTOCOLS[self.port]["bindstr"]
             self.logger.debug(f"StringBinding {string_binding}")
             rpc_transport = transport.DCERPCTransportFactory(string_binding)
-            rpc_transport.setRemoteHost(self.host)
+            rpc_transport.setRemoteHost(self.remoteName)
 
             if hasattr(rpc_transport, "set_credentials"):
                 # This method exists only for selected protocol sequences.
diff --git a/nxc/protocols/smb/proto_args.py b/nxc/protocols/smb/proto_args.py
@@ -37,11 +37,11 @@ def proto_args(parser, parents):
     cred_gathering_group.add_argument("--user", dest="userntds", type=str, help="Dump selected user from DC")
 
     mapping_enum_group = smb_parser.add_argument_group("Mapping/Enumeration", "Options for Mapping/Enumerating")
-    mapping_enum_group.add_argument("--shares", action="store_true", help="Enumerate shares and access")
+    mapping_enum_group.add_argument("--shares", type=str, nargs="?", const="", help="Enumerate shares and access, filter on specified argument (read ; write ; read,write)")
     mapping_enum_group.add_argument("--dir", nargs="?", type=str, const="", help="List the content of a path (default path: '%(const)s')")
     mapping_enum_group.add_argument("--interfaces", action="store_true", help="Enumerate network interfaces")
     mapping_enum_group.add_argument("--no-write-check", action="store_true", help="Skip write check on shares (avoid leaving traces when missing delete permissions)")
-    mapping_enum_group.add_argument("--filter-shares", nargs="+", help="Filter share by access, option 'read' 'write' or 'read,write'")
+    mapping_enum_group.add_argument("--filter-shares", nargs="+", help="Filter share by access, option 'READ' 'WRITE' or 'READ,WRITE'")
     mapping_enum_group.add_argument("--smb-sessions", action="store_true", help="Enumerate active smb sessions")
     mapping_enum_group.add_argument("--disks", action="store_true", help="Enumerate disks")
     mapping_enum_group.add_argument("--loggedon-users-filter", action="store", help="only search for specific user, works with regex")
@@ -53,7 +53,7 @@ def proto_args(parser, parents):
     mapping_enum_group.add_argument("--local-groups", nargs="?", const="", metavar="GROUP", help="Enumerate local groups, if a group is specified then its members are Enumerated")
     mapping_enum_group.add_argument("--pass-pol", action="store_true", help="dump password policy")
     mapping_enum_group.add_argument("--rid-brute", nargs="?", type=int, const=4000, metavar="MAX_RID", help="Enumerate users by bruteforcing RIDs")
-    mapping_enum_group.add_argument("--qwinsta", action="store_true", help="Enumerate RDP connections")
+    mapping_enum_group.add_argument("--qwinsta", type=str, nargs="?", const="", help="Enumerate user sessions. If a username is given, filter for it; if a file is given, filter for listed usernames. If no value is given, list all.")
     mapping_enum_group.add_argument("--tasklist", type=str, nargs="?", const=True, help="Enumerate running processes and filter for the specified one if specified")
     mapping_enum_group.add_argument("--taskkill", type=str, help="Kills a specific PID or a proces name's PID's")
     
diff --git a/tests/e2e_commands.txt b/tests/e2e_commands.txt
@@ -201,6 +201,7 @@ netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -L
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M adcs
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M daclread -o TARGET=LOGIN_USERNAME ACTION=read
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M get-desc-users
+netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M get-info-users
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M get-network
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M groupmembership -o USER=LOGIN_USERNAME
 netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M laps
