SAM History Dumping

smb: update proto args

tests: add --sam --history example

Author: Coontzy1

nxc/protocols/smb.py

@@ -1958,8 +1958,9 @@ def sam(self):
             host_id = self.db.get_hosts(filter_term=self.host)[0][0]
 
             def add_sam_hash(sam_hash, host_id):
-                add_sam_hash.sam_hashes += 1
                 self.logger.highlight(sam_hash)
+                if "_history" in sam_hash:
+                    return
                 username, _, lmhash, nthash, _, _, _ = sam_hash.split(":")
                 self.db.add_credential(
                     "hash",
@@ -1968,22 +1969,26 @@ def add_sam_hash(sam_hash, host_id):
                     f"{lmhash}:{nthash}",
                     pillaged_from=host_id,
                 )
+                add_sam_hash.sam_hashes += 1
 
             add_sam_hash.sam_hashes = 0
 
             if self.remote_ops and self.bootkey:
+                history = getattr(self.args, "history", False)
                 if self.args.sam == "regdump":
                     SAM = RegSecretsSAMHashes(
                         self.bootkey,
                         remoteOps=self.remote_ops,
                         perSecretCallback=lambda secret: add_sam_hash(secret, host_id),
+                        history=history,
                     )
                 else:
                     SAM_file_name = self.remote_ops.saveSAM()
                     SAM = SAMHashes(
                         SAM_file_name,
                         self.bootkey,
                         isRemote=True,
+                        history=history,
                         perSecretCallback=lambda secret: add_sam_hash(secret, host_id),
                     )
 

nxc/protocols/smb/proto_args.py

@@ -37,10 +37,9 @@ def proto_args(parser, parents):
     # NTDS options
     kerb_keys_arg = cred_gathering_group.add_argument("--kerberos-keys", action=get_conditional_action(_StoreTrueAction), make_required=[], help="Also dump Kerberos AES and DES keys from target DC (NTDS.dit)")
     exclusive = cred_gathering_group.add_mutually_exclusive_group()
-    history_arg = exclusive.add_argument("--history", action=get_conditional_action(_StoreTrueAction), make_required=[], help="Also retrieve password history from target DC (NTDS.dit)")
+    cred_gathering_group.add_argument("--history", action=get_conditional_action(_StoreTrueAction), make_required=[], help="Also retrieve password history (NTDS.dit or SAM)")
     enabled_arg = exclusive.add_argument("--enabled", action=get_conditional_action(_StoreTrueAction), make_required=[], help="Only dump enabled targets from DC (NTDS.dit)")
     kerb_keys_arg.make_required = [ntds_arg]
-    history_arg.make_required = [ntds_arg]
     enabled_arg.make_required = [ntds_arg]
     cred_gathering_group.add_argument("--user", dest="userntds", type=str, help="Dump selected user from DC (NTDS.dit)")
     cred_gathering_group.add_argument("--dpapi", choices={"cookies", "nosystem"}, nargs="*", help="dump DPAPI secrets from target systems, can dump cookies if you add 'cookies', will not dump SYSTEM dpapi if you add nosystem")

tests/e2e_commands.txt

@@ -26,6 +26,7 @@ netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --local-aut
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --delegate LOGIN_USERNAME
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --delegate LOGIN_USERNAME --self
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --sam
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --sam --history
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --ntds
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --ntds --history
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --ntds --enabled