Merge branch 'main' into main

Author: Marshall-Hallenbeck

.github/workflows/build-binaries.yml

@@ -20,7 +20,7 @@ jobs:
         python-version: ${{ matrix.python-version }}
     - name: Build Native Binary
       run: |
-        pip install pyinstaller
+        pip install pyinstaller pillow
         pip install .
         pyinstaller netexec.spec
     - name: Upload Windows Binary

.github/workflows/lint.yml

@@ -4,12 +4,14 @@ name: Lint Python code with ruff
 on:
   push:
   workflow_dispatch:
+  pull_request_review:
+    types: [submitted]
 
 jobs:
   lint:
     runs-on: ubuntu-latest
     if:
-      github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
+      github.event_name == 'push' || github.event.review.state == 'APPROVED' || github.event_name == 'workflow_dispatch'
 
     steps:
       - uses: actions/checkout@v4

netexec.spec

@@ -20,6 +20,7 @@ a = Analysis(
         'aardwolf.commons.target',
         'aardwolf.protocol.x224.constants',
         'impacket.examples.secretsdump',
+        'impacket.examples.regsecrets',
         'impacket.dcerpc.v5.lsat',
         'impacket.dcerpc.v5.transport',
         'impacket.dcerpc.v5.lsad',
@@ -47,7 +48,6 @@ a = Analysis(
         'nxc.helpers.ntlm_parser',
         'paramiko',
         'pypsrp.client',
-        'pywerview.cli.helpers',
         'pylnk3',
         'pypykatz',
         'pyNfsClient',

nxc/cli.py

@@ -24,7 +24,7 @@ def gen_cli_args():
         VERSION = importlib.metadata.version("netexec")
         COMMIT = ""
         DISTANCE = ""
-    CODENAME = "NeedForSpeed"
+    CODENAME = "SmoothOperator"
     nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
 
     generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
@@ -124,7 +124,7 @@ def gen_cli_args():
     except Exception as e:
         nxc_logger.exception(f"Error loading proto_args from proto_args.py file in protocol folder: {protocol} - {e}")
 
-    argcomplete.autocomplete(parser)
+    argcomplete.autocomplete(parser, always_complete_options=False)
     args = parser.parse_args()
 
     if len(sys.argv) == 1:

nxc/first_run.py

@@ -29,6 +29,17 @@ def first_run_setup(logger=nxc_logger):
             logger.display(f"Creating missing folder {folder}")
             mkdir(path_join(NXC_PATH, folder))
 
+    log_subfolders = (
+        "sam",
+        "lsa",
+        "ntds",
+        "dpapi",
+    )
+    for subfolder in log_subfolders:
+        if not exists(path_join(NXC_PATH, f"logs/{subfolder}")):
+            logger.display(f"Creating missing folder logs/{subfolder}")
+            mkdir(path_join(NXC_PATH, f"logs/{subfolder}"))
+
     initialize_db()
 
     if not exists(CONFIG_PATH):

nxc/modules/firefox.py

@@ -10,16 +10,23 @@ class NXCModule:
     """
 
     name = "firefox"
-    description = "Dump credentials from Firefox"
+    description = "[REMOVED] Dump credentials from Firefox"
     supported_protocols = ["smb"]
     opsec_safe = True  # Does the module touch disk?
     multiple_hosts = True  # Does it make sense to run this module on multiple hosts at a time?
 
     def options(self, context, module_options):
-        """COOKIES    Get also Firefox cookies"""
+        """
+        [REMOVED] use the --dpapi flag instead of the module firefox.
+
+        COOKIES    Get also Firefox cookies
+        """
         self.gather_cookies = "COOKIES" in module_options
 
     def on_admin_login(self, context, connection):
+        context.log.fail("[REMOVED] Use the --dpapi flag instead of the module firefox.")
+        return
+
         host = connection.host if not connection.kerberos else connection.hostname + "." + connection.domain
         domain = connection.domain
         username = connection.username

nxc/modules/get-desc-users.py

@@ -1,7 +1,7 @@
-from impacket.ldap import ldapasn1 as ldapasn1_impacket
 from impacket.ldap import ldap as ldap_impacket
 import re
 from nxc.logger import nxc_logger
+from nxc.parsers.ldap_results import parse_result_attributes
 
 
 class NXCModule:
@@ -55,24 +55,10 @@ def on_login(self, context, connection):
                 nxc_logger.debug(e)
                 return False
 
-        answers = []
         context.log.debug(f"Total of records returned {len(resp)}")
-        for item in resp:
-            if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
-                continue
-            sAMAccountName = ""
-            description = ""
-            try:
-                for attribute in item["attributes"]:
-                    if str(attribute["type"]) == "sAMAccountName":
-                        sAMAccountName = str(attribute["vals"][0])
-                    elif str(attribute["type"]) == "description":
-                        description = attribute["vals"][0]
-                if sAMAccountName != "" and description != "":
-                    answers.append([sAMAccountName, description])
-            except Exception as e:
-                context.log.debug("Exception:", exc_info=True)
-                context.log.debug(f"Skipping item, cannot process due to error {e!s}")
+        resp_parsed = parse_result_attributes(resp)
+        answers = [[x["sAMAccountName"], x.get("description")] for x in resp_parsed if x.get("description")]
+
         answers = self.filter_answer(context, answers)
         if len(answers) > 0:
             context.log.success("Found following users: ")
@@ -108,5 +94,5 @@ def filter_answer(self, context, answers):
                     answersFiltered.append([answer[0], description])
                 elif (self.FILTER != "" and conditionFilter) and (conditionPasswordPolicy == self.PASSWORDPOLICY):
                     context.log.highlight(f"'{self.FILTER}' found in user: '{answer[0]}' description: '{description}'")
-                    
+
         return answersFiltered

nxc/modules/group-mem.py

@@ -11,7 +11,7 @@ class NXCModule:
     """
 
     name = "group-mem"
-    description = "Retrieves all the members within a Group"
+    description = "[REMOVED] Retrieves all the members within a Group"
     supported_protocols = ["ldap"]
     opsec_safe = True
     multiple_hosts = False

nxc/modules/putty.py

@@ -69,19 +69,23 @@ def sid_to_name(self, all_users):
     def load_missing_users(self, unloaded_user_objects):
         """Load missing users into registry to access their registry keys."""
         for user_object in unloaded_user_objects:
-            # Extract profile Path of NTUSER.DAT
-            reg_handle = rrp.hOpenLocalMachine(self.rrp._RemoteOperations__rrp)["phKey"]
-            key_handle = rrp.hBaseRegOpenKey(self.rrp._RemoteOperations__rrp, reg_handle, f"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\{user_object}")["phkResult"]
-            user_profile_path = rrp.hBaseRegQueryValue(self.rrp._RemoteOperations__rrp, key_handle, "ProfileImagePath")[1].split("\x00")[:-1][0]
-            rrp.hBaseRegCloseKey(self.rrp._RemoteOperations__rrp, key_handle)
+            try:
+                # Extract profile Path of NTUSER.DAT
+                reg_handle = rrp.hOpenLocalMachine(self.rrp._RemoteOperations__rrp)["phKey"]
+                key_handle = rrp.hBaseRegOpenKey(self.rrp._RemoteOperations__rrp, reg_handle, f"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\{user_object}")["phkResult"]
+                user_profile_path = rrp.hBaseRegQueryValue(self.rrp._RemoteOperations__rrp, key_handle, "ProfileImagePath")[1].split("\x00")[:-1][0]
+                rrp.hBaseRegCloseKey(self.rrp._RemoteOperations__rrp, key_handle)
 
-            # Load Profile
-            reg_handle = rrp.hOpenUsers(self.rrp._RemoteOperations__rrp)["phKey"]
-            key_handle = rrp.hBaseRegOpenKey(self.rrp._RemoteOperations__rrp, reg_handle, "")["phkResult"]
+                # Load Profile
+                reg_handle = rrp.hOpenUsers(self.rrp._RemoteOperations__rrp)["phKey"]
+                key_handle = rrp.hBaseRegOpenKey(self.rrp._RemoteOperations__rrp, reg_handle, "")["phkResult"]
 
-            self.context.log.debug(f"LOAD USER INTO REGISTRY: {user_object}")
-            rrp.hBaseRegLoadKey(self.rrp._RemoteOperations__rrp, key_handle, user_object, f"{user_profile_path}\\NTUSER.DAT")
-            rrp.hBaseRegCloseKey(self.rrp._RemoteOperations__rrp, key_handle)
+                self.context.log.debug(f"LOAD USER INTO REGISTRY: {user_object}")
+                rrp.hBaseRegLoadKey(self.rrp._RemoteOperations__rrp, key_handle, user_object, f"{user_profile_path}\\NTUSER.DAT")
+                rrp.hBaseRegCloseKey(self.rrp._RemoteOperations__rrp, key_handle)
+            except rrp.DCERPCSessionError as e:
+                self.context.log.fail(f"Error loading user {user_object} into registry: {e}")
+                self.context.log.debug(traceback.format_exc())
 
     def unload_missing_users(self, unloaded_user_objects):
         """If some user were not logged in at the beginning we unload them from registry."""
@@ -92,7 +96,7 @@ def unload_missing_users(self, unloaded_user_objects):
             self.context.log.debug(f"UNLOAD USER FROM REGISTRY: {user_object}")
             try:
                 rrp.hBaseRegUnLoadKey(self.rrp._RemoteOperations__rrp, key_handle, user_object)
-            except Exception as e:
+            except rrp.DCERPCSessionError as e:
                 self.context.log.fail(f"Error unloading user {user_object} in registry: {e}")
                 self.context.log.debug(traceback.format_exc())
         rrp.hBaseRegCloseKey(self.rrp._RemoteOperations__rrp, key_handle)

nxc/modules/recent_files.py

@@ -0,0 +1,39 @@
+import pylnk3
+from io import BytesIO
+
+
+class NXCModule:
+    # Get a list of recently modified files via LNK's stored in AppData\Roaming\Microsoft\Windows\Recent
+    # Module by @Defte_
+
+    name = "recent_files"
+    description = "Extracts recently modified files"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = True
+    false_positive = [".", "..", "desktop.ini", "Public", "Default", "Default User", "All Users", ".NET v4.5", ".NET v4.5 Classic"]
+
+    def options(self, context, module_options):
+        """No options"""
+
+    def on_admin_login(self, context, connection):
+        lnks = []
+        for directory in connection.conn.listPath("C$", "Users\\*"):
+            if directory.get_longname() not in self.false_positive and directory.is_directory():
+                context.log.highlight(f"C:\\{directory.get_longname()}")
+                recent_files_dir = f"Users\\{directory.get_longname()}\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
+                for file in connection.conn.listPath("C$", f"{recent_files_dir}\\*"):
+                    file_path = f"{recent_files_dir}{file.get_longname()}"
+                    if file.get_longname() not in self.false_positive and not file.is_directory():
+                        file_path = f"{recent_files_dir}{file.get_longname()}"
+                        try:
+                            buf = BytesIO()
+                            connection.conn.getFile("C$", file_path, buf.write)
+                            buf.seek(0)
+                            lnk = pylnk3.parse(buf).path.strip()
+                            if lnk and lnk not in lnks:
+                                context.log.highlight(f"\t{lnk}")
+                                lnks.append(lnk)
+                        except Exception as e:
+                            # Sometimes PyLnk3 can't parse the lnk file...
+                            context.log.debug(f"Couldn't open {file_path} because of {e}")