Merge branch 'Pennyw0rth:main' into dc-list

Author: termanix

nxc/connection.py

@@ -389,7 +389,7 @@ def parse_credentials(self):
                         if "\\" in line and len(line.split("\\")) == 2:
                             domain_single, username_single = line.split("\\")
                         else:
-                            domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain else self.domain
+                            domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain is not None else self.domain
                             username_single = line
                         domain.append(domain_single)
                         username.append(username_single.strip())
@@ -398,7 +398,7 @@ def parse_credentials(self):
                 if "\\" in user:
                     domain_single, username_single = user.split("\\")
                 else:
-                    domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain else self.domain
+                    domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain is not None else self.domain
                     username_single = user
                 domain.append(domain_single)
                 username.append(username_single)

nxc/helpers/pfx.py

@@ -503,7 +503,8 @@ def pfx_auth(self):
         return None
 
     username = self.args.username[0]
-    log_ccache = os.path.expanduser(f"{NXC_PATH}/logs/{self.hostname}_{self.host}_{datetime.datetime.now().strftime('%Y-%m-%d_%H%M%S')}-{username}.ccache".replace(":", "-"))
+    timestamp = datetime.datetime.now().strftime("%Y-%m-%d_%H%M%S").replace(":", "-")
+    log_ccache = os.path.normpath(os.path.expanduser(f"{NXC_PATH}/logs/{self.hostname}_{self.host}_{timestamp}-{username}.ccache"))
 
     # Request a TGT with the cert data
     req = ini.build_asreq(self.domain, username)

nxc/modules/schtask_as.py

@@ -1,5 +1,5 @@
-import contextlib
 import os
+import contextlib
 from time import sleep
 from datetime import datetime, timedelta
 from impacket.dcerpc.v5.dtypes import NULL
@@ -13,20 +13,35 @@ class NXCModule:
     """
     Execute a scheduled task remotely as a already connected user by @Defte_
     Thanks @Shad0wC0ntr0ller for the idea of removing the hardcoded date that could be used as an IOC
+    Modified by @Defte_ so that output on multiples lines are printed correctly (28/04/2025)
+    Modified by @Defte_ so that we can upload a custom binary to execute using the BINARY option (28/04/2025)
     """
 
     def options(self, context, module_options):
         r"""
+        BINARY         Upload the binary to be executed by CMD
         CMD            Command to execute
         USER           User to execute command as
         TASK           OPTIONAL: Set a name for the scheduled task name
         FILE           OPTIONAL: Set a name for the command output file
         LOCATION       OPTIONAL: Set a location for the command output file (e.g. '\tmp\')
+
+        Example:
+        -------
+        nxc smb <ip> -u <user> -p <password> -M schtask_as -o USER=Administrator CMD=whoami
+        nxc smb <ip> -u <user> -p <password> -M schtask_as -o USER=Administrator CMD='bin.exe --option' BINARY=bin.exe
         """
-        self.cmd = self.user = self.task = self.file = self.location = self.time = None
+        self.cmd = self.binary = self.user = self.task = self.file = self.location = self.time = None
+        self.share = "C$"
+        self.tmp_dir = "C:\\Windows\\Temp\\"
+        self.tmp_share = self.tmp_dir.split(":")[1]
+
         if "CMD" in module_options:
             self.cmd = module_options["CMD"]
 
+        if "BINARY" in module_options:
+            self.binary = module_options["BINARY"]
+
         if "USER" in module_options:
             self.user = module_options["USER"]
 
@@ -47,13 +62,32 @@ def options(self, context, module_options):
 
     def on_admin_login(self, context, connection):
         self.logger = context.log
+
         if self.cmd is None:
             self.logger.fail("You need to specify a CMD to run")
             return 1
+
         if self.user is None:
             self.logger.fail("You need to specify a USER to run the command as")
             return 1
 
+        if self.binary:
+            if not os.path.isfile(self.binary):
+                self.logger.fail(f"Cannot find {self.binary}")
+                return 1
+            else:
+                self.logger.display(f"Uploading {self.binary}")
+                with open(self.binary, "rb") as binary_to_upload:
+                    try:
+                        self.binary_name = os.path.basename(self.binary)
+                        connection.conn.putFile(self.share, f"{self.tmp_share}{self.binary_name}", binary_to_upload.read)
+                        self.logger.success(f"Binary {self.binary_name} successfully uploaded in {self.tmp_share}{self.binary_name}")
+                    except Exception as e:
+                        self.logger.fail(f"Error writing file to share {self.tmp_share}: {e}")
+                        return 1
+
+        # Returnes self.cmd or \Windows\temp\BinToExecute.exe depending if BINARY=BinToExecute.exe
+        self.cmd = self.cmd if not self.binary else f"{self.tmp_share}{self.cmd}"
         self.logger.display("Connecting to the remote Service control endpoint")
         try:
             exec_method = TSCH_EXEC(
@@ -87,7 +121,8 @@ def on_admin_login(self, context, connection):
                 # Required to decode specific French characters otherwise it'll print b"<result>"
                 output = output.decode("cp437")
             if output:
-                self.logger.highlight(output)
+                for line in output.splitlines():
+                    self.logger.highlight(line.rstrip())
 
         except Exception as e:
             if "SCHED_S_TASK_HAS_NOT_RUN" in str(e):
@@ -96,6 +131,13 @@ def on_admin_login(self, context, connection):
                     exec_method.deleteartifact()
             else:
                 self.logger.fail(f"Failed to execute command: {e}")
+        finally:
+            if self.binary:
+                try:
+                    connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.binary_name}")
+                    context.log.success(f"Binary {self.binary_name} successfully deleted")
+                except Exception as e:
+                    context.log.fail(f"Error deleting {self.binary_name} on {self.share}: {e}")
 
 
 class TSCH_EXEC:

nxc/protocols/mssql.py

@@ -89,7 +89,7 @@ def check_if_admin(self):
         else:
             if is_admin:
                 self.admin_privs = True
-    
+
     @reconnect_mssql
     def enum_host_info(self):
         challenge = None
@@ -102,7 +102,7 @@ def enum_host_info(self):
             login["ClientPID"] = random.randint(0, 1024)
             login["PacketSize"] = self.conn.packetSize
             login["OptionFlags2"] = tds.TDS_INIT_LANG_FATAL | tds.TDS_ODBC_ON | tds.TDS_INTEGRATED_SECURITY_ON
-            
+
             # NTLMSSP Negotiate
             auth = ntlm.getNTLMSSPType1("", "")
             login["SSPI"] = auth.getData()
@@ -144,16 +144,7 @@ def print_host_info(self):
         self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.targetDomain})")
 
     @reconnect_mssql
-    def kerberos_login(
-        self,
-        domain,
-        username,
-        password="",
-        ntlm_hash="",
-        aesKey="",
-        kdcHost="",
-        useCache=False,
-    ):
+    def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
         self.username = username
         self.password = password
         self.domain = domain
@@ -200,29 +191,21 @@ def kerberos_login(
             return False
         except Exception:
             error_msg = self.handle_mssql_reply()
-            self.logger.fail("{}\\{}:{} {}".format(self.domain, self.username, kerb_pass, error_msg if error_msg else ""))
+            self.logger.fail(f"{self.domain}\\{self.username}:{used_ccache} {error_msg if error_msg else ''}")
             return False
 
     @reconnect_mssql
     def plaintext_login(self, domain, username, password):
         self.password = password
         self.username = username
         self.domain = domain
-        
+
         try:
-            res = self.conn.login(
-                None,
-                self.username,
-                self.password,
-                self.domain,
-                None,
-                not self.args.local_auth,
-            )
+            res = self.conn.login(None, self.username, self.password, self.domain, None, not self.args.local_auth)
             if res is not True:
                 raise
             self.check_if_admin()
-            out = f"{self.domain}\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}"
-            self.logger.success(out)
+            self.logger.success(f"{self.domain}\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}")
             if not self.args.local_auth and self.username != "":
                 add_user_bh(self.username, self.domain, self.logger, self.config)
             if self.admin_privs:
@@ -233,7 +216,7 @@ def plaintext_login(self, domain, username, password):
             return False
         except Exception:
             error_msg = self.handle_mssql_reply()
-            self.logger.fail("{}\\{}:{} {}".format(self.domain, self.username, process_secret(self.password), error_msg if error_msg else ""))
+            self.logger.fail(f"{self.domain}\\{self.username}:{process_secret(self.password)} {error_msg if error_msg else ''}")
             return False
 
     @reconnect_mssql
@@ -242,26 +225,18 @@ def hash_login(self, domain, username, ntlm_hash):
         self.domain = domain
         self.lmhash = ""
         self.nthash = ""
-        
+
         if ntlm_hash.find(":") != -1:
             self.lmhash, self.nthash = ntlm_hash.split(":")
         else:
             self.nthash = ntlm_hash
 
         try:
-            res = self.conn.login(
-                None,
-                self.username,
-                "",
-                self.domain,
-                f"{self.lmhash}:{self.nthash}",
-                not self.args.local_auth,
-            )
+            res = self.conn.login(None, self.username, "", self.domain, f"{self.lmhash}:{self.nthash}", not self.args.local_auth)
             if res is not True:
                 raise
             self.check_if_admin()
-            out = f"{self.domain}\\{self.username}:{process_secret(self.nthash)} {self.mark_pwned()}"
-            self.logger.success(out)
+            self.logger.success(f"{self.domain}\\{self.username}:{process_secret(self.nthash)} {self.mark_pwned()}")
             if not self.args.local_auth and self.username != "":
                 add_user_bh(self.username, self.domain, self.logger, self.config)
             if self.admin_privs:
@@ -272,7 +247,7 @@ def hash_login(self, domain, username, ntlm_hash):
             return False
         except Exception:
             error_msg = self.handle_mssql_reply()
-            self.logger.fail("{}\\{}:{} {}".format(self.domain, self.username, process_secret(self.nthash), error_msg if error_msg else ""))
+            self.logger.fail(f"{self.domain}\\{self.username}:{process_secret(self.nthash)} {error_msg if error_msg else ''}")
             return False
 
     def mssql_query(self):
@@ -305,10 +280,10 @@ def execute(self, payload=None, get_output=False):
         if not payload:
             self.logger.error("No command to execute specified!")
             return None
-        
+
         get_output = True if not self.args.no_output else get_output
         self.logger.debug(f"{get_output=}")
-        
+
         try:
             exec_method = MSSQLEXEC(self.conn, self.logger)
             output = exec_method.execute(payload)
@@ -317,7 +292,7 @@ def execute(self, payload=None, get_output=False):
             self.logger.fail(f"Execute command failed, error: {e!s}")
             return False
         else:
-            self.logger.success("Executed command via mssqlexec")   
+            self.logger.success("Executed command via mssqlexec")
             if output:
                 output_lines = StringIO(output).readlines()
                 for line in output_lines:
@@ -330,24 +305,24 @@ def ps_execute(self, payload=None, get_output=False, methods=None, force_ps32=Fa
         if not payload:
             self.logger.error("No command to execute specified!")
             return None
-        
+
         response = []
         obfs = obfs if obfs else self.args.obfs
         encode = encode if encode else not self.args.no_encode
         force_ps32 = force_ps32 if force_ps32 else self.args.force_ps32
         get_output = True if not self.args.no_output else get_output
-                
+
         self.logger.debug(f"Starting PS execute: {payload=} {get_output=} {methods=} {force_ps32=} {obfs=} {encode=}")
         amsi_bypass = self.args.amsi_bypass[0] if self.args.amsi_bypass else None
         self.logger.debug(f"AMSI Bypass: {amsi_bypass}")
-        
+
         if os.path.isfile(payload):
             self.logger.debug(f"File payload set: {payload}")
             with open(payload) as commands:
                 response = [self.execute(create_ps_command(c.strip(), force_ps32=force_ps32, obfs=obfs, custom_amsi=amsi_bypass, encode=encode), get_output) for c in commands]
         else:
             response = [self.execute(create_ps_command(payload, force_ps32=force_ps32, obfs=obfs, custom_amsi=amsi_bypass, encode=encode), get_output)]
-            
+
         self.logger.debug(f"ps_execute response: {response}")
         return response
 
@@ -368,7 +343,7 @@ def put_file(self):
                 self.logger.fail(f"Error during upload : {e}")
 
     @requires_admin
-    def get_file(self): 
+    def get_file(self):
         remote_path = self.args.get_file[0]
         download_path = self.args.get_file[1]
         self.logger.display(f'Copying "{remote_path}" to "{download_path}"')

poetry.lock

@@ -32,7 +32,7 @@ dependencies = [
     "neo4j>=5.0.0",
     "paramiko>=3.3.1",
     "pyasn1-modules>=0.3.0",
-    "pylnk3>=0.4.2",
+    "pylnk3>=0.4.3",
     "pypsrp>=0.8.1",
     "pypykatz>=0.6.8",
     "python-dateutil>=2.8.2",