Move trigger_winreg to smb protocol

NeffIsBack · NeffIsBack · commit b3b38d9e2ab0 · 2025-09-09T18:41:30.000-04:00
diff --git a/nxc/modules/backup_operator.py b/nxc/modules/backup_operator.py
@@ -1,4 +1,3 @@
-import time
 import os
 import datetime
 
@@ -30,7 +29,7 @@ def on_login(self, context, connection):
         connection.args.share = "SYSVOL"
         # enable remote registry
         context.log.display("Triggering RemoteRegistry to start through named pipe...")
-        self.trigger_winreg(connection.conn, context)
+        connection.trigger_winreg()
         rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
         rpc.set_smb_connection(connection.conn)
         if connection.kerberos:
@@ -115,29 +114,3 @@ def parse_sam(secret):
             context.log.display("netexec smb dc_ip -u user -p pass -x \"del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM\"")  # noqa: Q003
         else:
             context.log.display("Successfully deleted dump files !")
-
-    def trigger_winreg(self, connection, context):
-        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
-        # Basically triggers the RemoteRegistry to start without admin privs
-        tid = connection.connectTree("IPC$")
-        try:
-            connection.openFile(
-                tid,
-                r"\winreg",
-                0x12019F,
-                creationOption=0x40,
-                fileAttributes=0x80,
-            )
-        except SessionError as e:
-            # STATUS_PIPE_NOT_AVAILABLE error is expected
-            context.log.debug(str(e))
-        # Give remote registry time to start
-        time.sleep(1)
-
-    def _strip_root_key(self, dce, key_name):
-        # Let's strip the root key
-        key_name.split("\\")[0]
-        sub_key = "\\".join(key_name.split("\\")[1:])
-        ans = rrp.hOpenLocalMachine(dce)
-        h_root_key = ans["phKey"]
-        return h_root_key, sub_key
diff --git a/nxc/modules/ntlm_reflection.py b/nxc/modules/ntlm_reflection.py
@@ -50,7 +50,7 @@ def on_login(self, context, connection):
         self.context = context
         self.connection = connection
         if not connection.conn.isSigningRequired():  # Not vulnerable if SMB signing is enabled
-            self.trigger_winreg(connection.conn, context)
+            connection.trigger_winreg()
             rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
             rpc.set_smb_connection(connection.conn)
             if connection.kerberos:
@@ -80,29 +80,3 @@ def on_login(self, context, connection):
                     self.context.log.debug(f"Unexpected error: {e}")
             except (BrokenPipeError, ConnectionResetError, NetBIOSError, OSError) as e:
                 context.log.debug(f"ntlm_reflection: DCERPC transport error: {e.__class__.__name__}: {e}")
-
-    def trigger_winreg(self, connection, context):
-        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
-        # Basically triggers the RemoteRegistry to start without admin privs
-        try:
-            tid = connection.connectTree("IPC$")
-            try:
-                connection.openFile(
-                    tid,
-                    r"\winreg",
-                    0x12019F,
-                    creationOption=0x40,
-                    fileAttributes=0x80,
-                )
-            except SessionError as e:
-                # STATUS_PIPE_NOT_AVAILABLE error is expected
-                if "STATUS_PIPE_NOT_AVAILABLE" not in str(e):
-                    raise
-                else:
-                    context.log.debug(f"Received expected error while triggering winreg: {e}")
-            # Give remote registry time to start
-            time.sleep(1)
-            return True
-        except (SessionError, BrokenPipeError, ConnectionResetError, NetBIOSError, OSError) as e:
-            context.log.debug(f"Received unexpected error while triggering winreg: {e}")
-            return False
diff --git a/nxc/modules/sccm-recon6.py b/nxc/modules/sccm-recon6.py
@@ -1,9 +1,7 @@
 
-import time
 from impacket.dcerpc.v5 import transport, rrp
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
 from impacket.dcerpc.v5.rpcrt import DCERPCException
-from impacket.smbconnection import SessionError
 from nxc.helpers.misc import CATEGORY
 from impacket.smbconnection import SMBConnection
 
@@ -23,7 +21,7 @@ def on_login(self, context, connection):
         self.context = context
         self.connection = connection
 
-        self.trigger_winreg(connection.conn, context)
+        connection.trigger_winreg()
 
         rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
         rpc.set_smb_connection(connection.conn)
@@ -130,21 +128,3 @@ def EnumerateDB(self, dce, hRootKey):
                     self.context.log.display(f"       SMB signing: {new_conn.isSigningRequired()}")
                 else:
                     self.context.log.highlight(f"       SMB signing: {new_conn.isSigningRequired()} - TAKEOVER-2")
-
-    def trigger_winreg(self, connection, context):
-        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
-        # Basically triggers the RemoteRegistry to start without admin privs
-        tid = connection.connectTree("IPC$")
-        try:
-            connection.openFile(
-                tid,
-                r"\winreg",
-                0x12019F,
-                creationOption=0x40,
-                fileAttributes=0x80,
-            )
-        except SessionError as e:
-            # STATUS_PIPE_NOT_AVAILABLE error is expected
-            context.log.debug(str(e))
-        # Give remote registry time to start
-        time.sleep(1)
diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py
@@ -735,6 +735,32 @@ def _is_port_open(self, port, timeout=1):
             self.logger.debug(f"Error checking port {port} on {self.host}: {e}")
             return False
 
+    def trigger_winreg(self):
+        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
+        # Basically triggers the RemoteRegistry to start without admin privs
+        try:
+            tid = self.conn.connectTree("IPC$")
+            try:
+                self.conn.openFile(
+                    tid,
+                    r"\winreg",
+                    0x12019F,
+                    creationOption=0x40,
+                    fileAttributes=0x80,
+                )
+            except SessionError as e:
+                # STATUS_PIPE_NOT_AVAILABLE error is expected
+                if "STATUS_PIPE_NOT_AVAILABLE" not in str(e):
+                    raise
+                else:
+                    self.logger.debug(f"Received expected error while triggering winreg: {e}")
+            # Give remote registry time to start
+            sleep(1)
+            return True
+        except (SessionError, BrokenPipeError, ConnectionResetError, NetBIOSError, OSError) as e:
+            self.logger.debug(f"Received unexpected error while triggering winreg: {e}")
+            return False
+
     @requires_admin
     def execute(self, payload=None, get_output=False, methods=None) -> str:
         """
