Merge pull request Pennyw0rth#317 from Pennyw0rth/neff-command-execution

Marshall-Hallenbeck · web-flow · commit db41c0893a47 · 2024-05-22T15:05:38.000-05:00
Improving execution speed and misc command execution improvements
diff --git a/nxc/cli.py b/nxc/cli.py
@@ -112,6 +112,10 @@ def gen_cli_args():
         print(f"{VERSION} - {CODENAME} - {COMMIT}")
         sys.exit(1)
 
+    # Multiply output_tries by 10 to enable more fine granural control, see exec methods
+    if hasattr(args, "get_output_tries"):
+        args.get_output_tries = args.get_output_tries * 10
+
     return args
 
 
diff --git a/nxc/protocols/smb/atexec.py b/nxc/protocols/smb/atexec.py
@@ -133,7 +133,7 @@ def execute_handler(self, command, fileless=False):
 
         xml = self.gen_xml(command, fileless)
 
-        self.logger.info(f"Task XML: {xml}")
+        self.logger.debug(f"Task XML: {xml}")
         taskCreated = False
         self.logger.info(f"Creating task \\{tmpName}")
         try:
@@ -181,22 +181,35 @@ def execute_handler(self, command, fileless=False):
             else:
                 ":".join(map(str, self.__rpctransport.get_socket().getpeername()))
                 smbConnection = self.__rpctransport.get_smb_connection()
-                tries = 1
+
+                tries = 0
+                # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
+                sleep(0.4)
                 while True:
                     try:
                         self.logger.info(f"Attempting to read {self.__share}\\{self.__output_filename}")
                         smbConnection.getFile(self.__share, self.__output_filename, self.output_callback)
                         break
                     except Exception as e:
-                        if tries >= self.__tries:
+                        if tries > self.__tries:
                             self.logger.fail("ATEXEC: Could not retrieve output file, it may have been detected by AV. Please increase the number of tries with the option '--get-output-tries'. If it is still failing, try the 'wmi' protocol or another exec method")
                             break
-                        if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
+                        if "STATUS_BAD_NETWORK_NAME" in str(e):
                             self.logger.fail(f"ATEXEC: Getting the output file failed - target has blocked access to the share: {self.__share} (but the command may have executed!)")
                             break
-                        if str(e).find("SHARING") > 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                            sleep(3)
+                        elif "STATUS_VIRUS_INFECTED" in str(e):
+                            self.logger.fail("Command did not run because a virus was detected")
+                            break
+                        # When executing powershell and the command is still running, we get a sharing violation
+                        # We can use that information to wait longer than if the file is not found (probably av or something)
+                        if "STATUS_SHARING_VIOLATION" in str(e):
+                            self.logger.info(f"File {self.__share}\\{self.__output_filename} is still in use with {self.__tries - tries} left, retrying...")
                             tries += 1
+                            sleep(1)
+                        elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                            self.logger.info(f"File {self.__share}\\{self.__output_filename} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                            tries += 10
+                            sleep(1)
                         else:
                             self.logger.debug(str(e))
 
diff --git a/nxc/protocols/smb/mmcexec.py b/nxc/protocols/smb/mmcexec.py
@@ -247,23 +247,35 @@ def get_output_remote(self):
         if self.__retOutput is False:
             self.__outputBuffer = ""
             return
-        tries = 1
+
+        tries = 0
+        # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
+        sleep(0.4)
         while True:
             try:
                 self.logger.info(f"Attempting to read {self.__share}\\{self.__output}")
                 self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
-                if tries >= self.__tries:
+                if tries > self.__tries:
                     self.logger.fail("MMCEXEC: Could not retrieve output file, it may have been detected by AV. Please increase the number of tries with the option '--get-output-tries'. If it is still failing, try the 'wmi' protocol or another exec method")
                     break
-                if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
+                if "STATUS_BAD_NETWORK_NAME" in str(e):
                     self.logger.fail(f"MMCEXEC: Getting the output file failed - target has blocked access to the share: {self.__share} (but the command may have executed!)")
                     break
-                if str(e).find("STATUS_SHARING_VIOLATION") >= 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                    # Output not finished, let's wait
-                    sleep(2)
+                elif "STATUS_VIRUS_INFECTED" in str(e):
+                    self.logger.fail("Command did not run because a virus was detected")
+                    break
+                # When executing powershell and the command is still running, we get a sharing violation
+                # We can use that information to wait longer than if the file is not found (probably av or something)
+                if "STATUS_SHARING_VIOLATION" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} is still in use with {self.__tries - tries} left, retrying...")
                     tries += 1
+                    sleep(1)
+                elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                    tries += 10
+                    sleep(1)
                 else:
                     self.logger.debug(str(e))
 
diff --git a/nxc/protocols/smb/proto_args.py b/nxc/protocols/smb/proto_args.py
@@ -9,11 +9,11 @@ def proto_args(parser, std_parser, module_parser):
     dgroup = smb_parser.add_mutually_exclusive_group()
     dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, help="domain to authenticate to")
     dgroup.add_argument("--local-auth", action="store_true", help="authenticate locally to each target")
-    smb_parser.add_argument("--port", type=int, choices={445, 139}, default=445, help="SMB port (default: 445)")
-    smb_parser.add_argument("--share", metavar="SHARE", default="C$", help="specify a share (default: C$)")
+    smb_parser.add_argument("--port", type=int, choices={445, 139}, default=445, help="SMB port (default: %(default)s)")
+    smb_parser.add_argument("--share", metavar="SHARE", default="C$", help="specify a share (default: %(default)s)")
     smb_parser.add_argument("--smb-server-port", default="445", help="specify a server port for SMB", type=int)
     smb_parser.add_argument("--gen-relay-list", metavar="OUTPUT_FILE", help="outputs all hosts that don't require SMB signing to the specified file")
-    smb_parser.add_argument("--smb-timeout", help="SMB connection timeout, default 2 secondes", type=int, default=2)
+    smb_parser.add_argument("--smb-timeout", help="SMB connection timeout, default %(default)s secondes", type=int, default=2)
     smb_parser.add_argument("--laps", dest="laps", metavar="LAPS", type=str, help="LAPS authentification", nargs="?", const="administrator")
     self_delegate_arg.make_required = [delegate_arg]
 
@@ -45,7 +45,7 @@ def proto_args(parser, std_parser, module_parser):
     egroup.add_argument("--pass-pol", action="store_true", help="dump password policy")
     egroup.add_argument("--rid-brute", nargs="?", type=int, const=4000, metavar="MAX_RID", help="enumerate users by bruteforcing RID's (default: 4000)")
     egroup.add_argument("--wmi", metavar="QUERY", type=str, help="issues the specified WMI query")
-    egroup.add_argument("--wmi-namespace", metavar="NAMESPACE", default="root\\cimv2", help="WMI Namespace (default: root\\cimv2)")
+    egroup.add_argument("--wmi-namespace", metavar="NAMESPACE", default="root\\cimv2", help="WMI Namespace (default: %(default)s)")
 
     sgroup = smb_parser.add_argument_group("Spidering", "Options for spidering shares")
     sgroup.add_argument("--spider", metavar="SHARE", type=str, help="share to spider")
@@ -65,9 +65,9 @@ def proto_args(parser, std_parser, module_parser):
 
     cgroup = smb_parser.add_argument_group("Command Execution", "Options for executing commands")
     cgroup.add_argument("--exec-method", choices={"wmiexec", "mmcexec", "smbexec", "atexec"}, default=None, help="method to execute the command. Ignored if in MSSQL mode (default: wmiexec)")
-    cgroup.add_argument("--dcom-timeout", help="DCOM connection timeout, default is 5 secondes", type=int, default=5)
-    cgroup.add_argument("--get-output-tries", help="Number of times atexec/smbexec/mmcexec tries to get results, default is 5", type=int, default=5)
-    cgroup.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: utf-8). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
+    cgroup.add_argument("--dcom-timeout", help="DCOM connection timeout, default is %(default)s secondes", type=int, default=5)
+    cgroup.add_argument("--get-output-tries", help="Number of times atexec/smbexec/mmcexec tries to get results, default is %(default)s", type=int, default=10)
+    cgroup.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: %(default)s). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
     cgroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")
     
     cegroup = cgroup.add_mutually_exclusive_group()
diff --git a/nxc/protocols/smb/smbexec.py b/nxc/protocols/smb/smbexec.py
@@ -99,9 +99,7 @@ def execute_remote(self, data):
             batch_file.write(command)
 
         self.logger.debug("Hosting batch file with command: " + command)
-
         self.logger.debug("Command to execute: " + command)
-
         self.logger.debug(f"Remote service {self.__serviceName} created.")
 
         try:
@@ -138,23 +136,35 @@ def get_output_remote(self):
         if self.__retOutput is False:
             self.__outputBuffer = ""
             return
-        tries = 1
+
+        # TODO: It looks like the service is hanging anyway until the command is finished, so all this timeout logic is likely not needed
+        # Still adding this for now to keep the structure similar until we can confirm the above
+        tries = 0
         while True:
             try:
                 self.logger.info(f"Attempting to read {self.__share}\\{self.__output}")
                 self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
-                if tries >= self.__tries:
+                if tries > self.__tries:
                     self.logger.fail("SMBEXEC: Could not retrieve output file, it may have been detected by AV. Please increase the number of tries with the option '--get-output-tries'. If it is still failing, try the 'wmi' protocol or another exec method")
                     break
-                if str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
+                if "STATUS_BAD_NETWORK_NAME" in str(e):
                     self.logger.fail(f"SMBEXEC: Getting the output file failed - target has blocked access to the share: {self.__share} (but the command may have executed!)")
                     break
-                if str(e).find("STATUS_SHARING_VIOLATION") >= 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                    # Output not finished, let's wait
-                    sleep(2)
+                elif "STATUS_VIRUS_INFECTED" in str(e):
+                    self.logger.fail("Command did not run because a virus was detected")
+                    break
+                # When executing powershell and the command is still running, we get a sharing violation
+                # We can use that information to wait longer than if the file is not found (probably av or something)
+                if "STATUS_SHARING_VIOLATION" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} is still in use with {self.__tries - tries} left, retrying...")
                     tries += 1
+                    sleep(1)
+                elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                    tries += 10
+                    sleep(1)
                 else:
                     self.logger.debug(str(e))
 
diff --git a/nxc/protocols/smb/wmiexec.py b/nxc/protocols/smb/wmiexec.py
@@ -140,28 +140,36 @@ def get_output_remote(self):
             self.__outputBuffer = ""
             return
 
-        tries = 1
+        tries = 0
+        # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
+        sleep(0.4)
         while True:
             try:
                 self.logger.info(f"Attempting to read {self.__share}\\{self.__output}")
                 self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
-                if tries >= self.__tries:
+                if tries > self.__tries:
                     self.logger.fail("wmiexec: Could not retrieve output file, it may have been detected by AV. If it is still failing, try the 'wmi' protocol or another exec method")
                     break
-                elif str(e).find("STATUS_BAD_NETWORK_NAME") > 0:
+                elif "STATUS_BAD_NETWORK_NAME" in str(e):
                     self.logger.fail(f"SMB connection: target has blocked {self.__share} access (maybe command executed!)")
                     break
-                elif str(e).find("STATUS_VIRUS_INFECTED") >= 0:
+                elif "STATUS_VIRUS_INFECTED" in str(e):
                     self.logger.fail("Command did not run because a virus was detected")
                     break
-                
-                if str(e).find("STATUS_SHARING_VIOLATION") >= 0 or str(e).find("STATUS_OBJECT_NAME_NOT_FOUND") >= 0:
-                    sleep(2)
+                # When executing powershell and the command is still running, we get a sharing violation
+                # We can use that information to wait longer than if the file is not found (probably av or something)
+                elif "STATUS_SHARING_VIOLATION" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} is still in use with {self.__tries - tries} left, retrying...")
+                    sleep(1)
+                    tries += 1
+                elif "STATUS_OBJECT_NAME_NOT_FOUND" in str(e):
+                    self.logger.info(f"File {self.__share}\\{self.__output} not found with {self.__tries - tries} left, deducting 10 tries and retrying...")
+                    tries += 10
+                    sleep(1)
                 else:
                     self.logger.debug(f"Exception when trying to read output file: {e}")
-                tries += 1
 
         if self.__outputBuffer:
             self.logger.debug(f"Deleting file {self.__share}\\{self.__output}")
diff --git a/tests/e2e_commands.txt b/tests/e2e_commands.txt
@@ -21,8 +21,14 @@ netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --ntds
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --lsa
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --dpapi
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -x ipconfig
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -x ipconfig --exec-method atexec
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -x ipconfig --exec-method smbexec
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -x ipconfig --exec-method mmcexec
 ##### SMB PowerShell
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --exec-method atexec
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --exec-method smbexec
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --exec-method mmcexec
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --obfs
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs
@@ -36,9 +42,9 @@ netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --no-encode
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --obfs --amsi-bypass tests/data/test_amsi_bypass.txt --no-encode
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --amsi-bypass tests/data/test_amsi_bypass.txt --no-encode
-netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --exec-method atexec
-netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --exec-method smbexec
-netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --exec-method mmcexec
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --amsi-bypass tests/data/test_amsi_bypass.txt --no-encode --exec-method atexec
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --amsi-bypass tests/data/test_amsi_bypass.txt --no-encode --exec-method smbexec
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --amsi-bypass tests/data/test_amsi_bypass.txt --no-encode --exec-method mmcexec
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --clear-obfscripts # current we don't really use?
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --wmi "select Name from win32_computersystem"
 netexec --jitter 2 smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS
