feat(smb): check if successful login is guest privs

Author: Marshall-Hallenbeck

nxc/connection.py

@@ -412,12 +412,21 @@ def parse_credentials(self):
             for ntlm_hash in self.args.hash:
                 if isfile(ntlm_hash):
                     with open(ntlm_hash) as ntlm_hash_file:
-                        for line in ntlm_hash_file:
-                            secret.append(line.strip())
-                            cred_type.append("hash")
+                        for i, line in enumerate(ntlm_hash_file):
+                            if len(line) != 16 and len(line) != 32:
+                                self.logger.fail(f"Invalid NTLM hash length on line {i+1}: {line}")
+                                continue
+                            else:
+                                secret.append(line.strip())
+                                cred_type.append("hash")
                 else:
-                    secret.append(ntlm_hash)
-                    cred_type.append("hash")
+                    if len(ntlm_hash) != 16 and len(ntlm_hash) != 32:
+                        self.logger.fail(f"Invalid NTLM hash length {len(ntlm_hash)}, authentication not sent")
+                        exit(1)
+                    else:
+                        secret.append(ntlm_hash)
+                        cred_type.append("hash")
+            self.logger.debug(secret)
 
         # Parse AES keys
         if self.args.aesKey:
@@ -554,7 +563,7 @@ def login(self):
                         return True
 
     def mark_pwned(self):
-        return highlight(f"({pwned_label})" if self.admin_privs else "")
+        return highlight(f" ({pwned_label})" if self.admin_privs else "")
 
     def load_modules(self):
         self.logger.info(f"Loading modules for target: {self.host}")

nxc/protocols/smb.py

@@ -161,6 +161,7 @@ def __init__(self, args, db, host):
         self.no_da = None
         self.no_ntlm = False
         self.protocol = "SMB"
+        self.is_guest = None
 
         connection.__init__(self, args, db, host)
 
@@ -375,7 +376,9 @@ def plaintext_login(self, domain, username, password):
             self.domain = domain
 
             self.conn.login(self.username, self.password, domain)
-
+            self.logger.debug(f"Logged in with password to SMB with {domain}/{self.username}")
+            self.is_guest = bool(self.conn.isGuestSession())
+            self.logger.debug(f"{self.is_guest=}")
             self.check_if_admin()
             self.logger.debug(f"Adding credential: {domain}/{self.username}:{self.password}")
             self.db.add_credential("plaintext", domain, self.username, self.password)
@@ -384,7 +387,7 @@ def plaintext_login(self, domain, username, password):
 
             self.db.add_loggedin_relation(user_id, host_id)
 
-            out = f"{domain}\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}"
+            out = f"{domain}\\{self.username}:{process_secret(self.password)}{self.mark_guest()}{self.mark_pwned()}"
             self.logger.success(out)
 
             if not self.args.local_auth and self.username != "":
@@ -444,14 +447,16 @@ def hash_login(self, domain, username, ntlm_hash):
                 self.nthash = nthash
 
             self.conn.login(self.username, "", domain, lmhash, nthash)
-
+            self.logger.debug(f"Logged in with hash to SMB with {domain}/{self.username}")
+            self.is_guest = bool(self.conn.isGuestSession())
+            self.logger.debug(f"{self.is_guest=}")
             self.check_if_admin()
-            user_id = self.db.add_credential("hash", domain, self.username, nthash)
+            user_id = self.db.add_credential("hash", domain, self.username, self.hash)
             host_id = self.db.get_hosts(self.host)[0].id
 
             self.db.add_loggedin_relation(user_id, host_id)
 
-            out = f"{domain}\\{self.username}:{process_secret(self.hash)} {self.mark_pwned()}"
+            out = f"{domain}\\{self.username}:{process_secret(self.hash)}{self.mark_guest()}{self.mark_pwned()}"
             self.logger.success(out)
 
             if not self.args.local_auth and self.username != "":
@@ -531,6 +536,7 @@ def create_conn_obj(self):
         return bool(self.create_smbv1_conn() or self.create_smbv3_conn())
 
     def check_if_admin(self):
+        self.logger.debug(f"Checking if user is admin on {self.host}")
         rpctransport = SMBTransport(self.conn.getRemoteHost(), 445, r"\svcctl", smb_connection=self.conn)
         dce = rpctransport.get_dce_rpc()
         try:
@@ -544,6 +550,7 @@ def check_if_admin(self):
                 # 0xF003F - SC_MANAGER_ALL_ACCESS
                 # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
                 scmr.hROpenSCManagerW(dce, f"{self.host}\x00", "ServicesActive\x00", 0xF003F)
+                self.logger.debug(f"User is admin on {self.host}!")
                 self.admin_privs = True
             except scmr.DCERPCException:
                 self.admin_privs = False
@@ -1774,3 +1781,6 @@ def add_ntds_hash(ntds_hash, host_id):
         except Exception as e:
             self.logger.debug(f"Error calling remote_ops.finish(): {e}")
         NTDS.finish()
+
+    def mark_guest(self):
+        return highlight(f" {highlight('(Guest)')}" if self.is_guest else "")