blacklanternsecurity
diff --git a/‎nxc/config.py‎
Lines changed: 1 addition & 1 deletion b/‎nxc/config.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎nxc/data/nxc.conf‎
Lines changed: 1 addition & 0 deletions b/‎nxc/data/nxc.conf‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎nxc/modules/badsuccessor.py‎
Lines changed: 14 additions & 21 deletions b/‎nxc/modules/badsuccessor.py‎
Lines changed: 14 additions & 21 deletions
diff --git a/‎nxc/modules/coerce_plus.py‎
Lines changed: 16 additions & 24 deletions b/‎nxc/modules/coerce_plus.py‎
Lines changed: 16 additions & 24 deletions
diff --git a/‎nxc/modules/efsr_spray.py‎
Lines changed: 3 additions & 94 deletions b/‎nxc/modules/efsr_spray.py‎
Lines changed: 3 additions & 94 deletions
diff --git a/‎nxc/modules/example_module.py‎
Lines changed: 1 addition & 0 deletions b/‎nxc/modules/example_module.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎nxc/modules/gpp_password.py‎
Lines changed: 5 additions & 4 deletions b/‎nxc/modules/gpp_password.py‎
Lines changed: 5 additions & 4 deletions
@@ -37,7 +37,7 @@
 reveal_chars_of_pwd = int(nxc_config.get("nxc", "reveal_chars_of_pwd", fallback=0))
 config_log = nxc_config.getboolean("nxc", "log_mode", fallback=False)
 host_info_colors = literal_eval(nxc_config.get("nxc", "host_info_colors", fallback=["green", "red", "yellow", "cyan"]))
-
+check_guest_account = nxc_config.getboolean("nxc", "check_guest_account", fallback=False)
 
 if len(host_info_colors) != 4:
     nxc_logger.error("Config option host_info_colors must have 4 values! Using default values.")
 
@@ -6,6 +6,7 @@ audit_mode =
 reveal_chars_of_pwd = 0
 log_mode = False
 host_info_colors = ["green", "red", "yellow", "cyan"]
+check_guest_account = False
 
 [BloodHound]
 bh_enabled = False
 
@@ -94,19 +94,18 @@ def is_excluded_sid(self, sid, domain_sid):
             return True
         return any(sid.startswith(domain_sid) and sid.endswith(suffix) for suffix in EXCLUDED_SIDS_SUFFIXES)
 
-    def get_domain_sid(self, ldap_session, base_dn):
+    def get_domain_sid(self):
         """Retrieve the domain SID from the domain object in LDAP"""
-        r = ldap_session.search(
-            searchBase=base_dn,
+        r = self.connection.search(
             searchFilter="(objectClass=domain)",
             attributes=["objectSid"]
         )
         parsed = parse_result_attributes(r)
         if parsed and "objectSid" in parsed[0]:
             return parsed[0]["objectSid"]
 
-    def find_bad_successor_ous(self, ldap_session, entries, base_dn):
-        domain_sid = self.get_domain_sid(ldap_session, base_dn)
+    def find_bad_successor_ous(self, entries):
+        domain_sid = self.get_domain_sid()
         results = {}
         parsed = parse_result_attributes(entries)
         for entry in parsed:
@@ -146,24 +145,21 @@ def find_bad_successor_ous(self, ldap_session, entries, base_dn):
                     results.setdefault(owner_sid, []).append(dn)
         return results
 
-    def resolve_sid_to_name(self, ldap_session, sid, base_dn):
+    def resolve_sid_to_name(self, sid):
         """
         Resolves a SID to a samAccountName using LDAP
 
         Args:
         ----
-            ldap_session: The LDAP connection
             sid: The SID to resolve
-            base_dn: The base DN for the LDAP search
 
         Returns:
         -------
             str: The samAccountName if found, otherwise the original SID
         """
         try:
             search_filter = f"(objectSid={sid})"
-            response = ldap_session.search(
-                searchBase=base_dn,
+            response = self.connection.search(
                 searchFilter=search_filter,
                 attributes=["sAMAccountName"]
             )
@@ -176,9 +172,10 @@ def resolve_sid_to_name(self, ldap_session, sid, base_dn):
             return sid
 
     def on_login(self, context, connection):
+        self.connection = connection
+
         # Check for a domain controller with Windows Server 2025
-        resp = connection.ldap_connection.search(
-            searchBase=connection.ldap_connection._baseDN,
+        resp = self.connection.search(
             searchFilter="(&(objectCategory=computer)(primaryGroupId=516))",
             attributes=["operatingSystem", "dNSHostName"]
         )
@@ -194,27 +191,23 @@ def on_login(self, context, connection):
 
         # Enumerate dMSA objects
         controls = security_descriptor_control(sdflags=0x07)  # OWNER_SECURITY_INFORMATION
-        resp = connection.ldap_connection.search(
-            searchBase=connection.ldap_connection._baseDN,
+        resp = self.connection.search(
             searchFilter="(objectClass=organizationalUnit)",
             attributes=["distinguishedName", "nTSecurityDescriptor"],
-            searchControls=controls)  # Fixed parameter name
+            searchControls=controls
+        )
 
         context.log.debug(f"Found {len(resp)} entries")
 
-        results = self.find_bad_successor_ous(connection.ldap_connection, resp, connection.ldap_connection._baseDN)
+        results = self.find_bad_successor_ous(resp)
 
         if results:
             context.log.success(f"Found {len(results)} results")
         else:
             context.log.highlight("No account found")
 
         for sid, ous in results.items():
-            samaccountname = self.resolve_sid_to_name(
-                connection.ldap_connection,
-                sid,
-                connection.ldap_connection._baseDN
-            )
+            samaccountname = self.resolve_sid_to_name(sid)
 
             for ou in ous:
                 if sid == samaccountname:
 
@@ -1,11 +1,10 @@
-from impacket import uuid
 from impacket.dcerpc.v5 import transport, rprn, even, epm
 from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRPOINTERNULL
 from impacket.dcerpc.v5.dtypes import LPBYTE, USHORT, LPWSTR, DWORD, ULONG, NULL, WSTR, LONG, BOOL, PCHAR, RPC_SID
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
-
 from impacket.uuid import uuidtup_to_bin
 from nxc.helpers.misc import CATEGORY
+import contextlib
 
 
 class NXCModule:
@@ -213,6 +212,15 @@ def on_login(self, context, connection):
             context.log.error("Invalid method, please check the method name.")
             return
 
+    @staticmethod
+    def get_dynamic_endpoint(interface: bytes, target: str, timeout: int = 5) -> str:
+        string_binding = rf"ncacn_ip_tcp:{target}[135]"
+        rpctransport = transport.DCERPCTransportFactory(string_binding)
+        rpctransport.set_connect_timeout(timeout)
+        dce = rpctransport.get_dce_rpc()
+        dce.connect()
+        return epm.hept_map(target, interface, protocol="ncacn_ip_tcp", dce=dce)
+
 
 class ShadowCoerceTrigger:
     def __init__(self, context):
@@ -530,6 +538,11 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
             },
         }
 
+        # activates EFS
+        # https://specterops.io/blog/2025/08/19/will-webclient-start/
+        with contextlib.suppress(Exception):
+            NXCModule.get_dynamic_endpoint(uuidtup_to_bin(("df1941c5-fe89-4e79-bf10-463657acf44d", "0.0")), target, timeout=1)
+
         rpctransport = transport.DCERPCTransportFactory(binding_params[pipe]["stringBinding"])
         rpctransport.set_dport(445)
 
@@ -757,27 +770,6 @@ class PrinterBugTrigger:
     def __init__(self, context):
         self.context = context
 
-    def get_dynamic_endpoint(self, interface: bytes, target: str, timeout: int = 5) -> str:
-        string_binding = rf"ncacn_ip_tcp:{target}[135]"
-        rpctransport = transport.DCERPCTransportFactory(string_binding)
-        rpctransport.set_connect_timeout(timeout)
-        dce = rpctransport.get_dce_rpc()
-        self.context.log.debug(f"Trying to resolve dynamic endpoint {uuid.bin_to_string(interface)!r}")
-        try:
-            dce.connect()
-        except Exception as e:
-            self.context.log.warning(f"Failed to connect to endpoint mapper: {e}")
-            raise e
-        try:
-            endpoint = epm.hept_map(target, interface, protocol="ncacn_ip_tcp", dce=dce)
-            self.context.log.debug(
-                f"Resolved dynamic endpoint {uuid.bin_to_string(interface)!r} to {endpoint!r}"
-            )
-            return endpoint
-        except Exception as e:
-            self.context.log.debug(f"Failed to resolve dynamic endpoint {uuid.bin_to_string(interface)!r}")
-            raise e
-
     def connect(self, username, password, domain, lmhash, nthash, aesKey, target, doKerberos, dcHost, pipe):
         binding_params = {
             "spoolss": {
@@ -786,7 +778,7 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
                 "port": 445
             },
             "[dcerpc]": {
-                "stringBinding": self.get_dynamic_endpoint(uuidtup_to_bin(("12345678-1234-abcd-ef00-0123456789ab", "1.0")), target),
+                "stringBinding": NXCModule.get_dynamic_endpoint(uuidtup_to_bin(("12345678-1234-abcd-ef00-0123456789ab", "1.0")), target),
                 "MSRPC_UUID_RPRN": ("12345678-1234-abcd-ef00-0123456789ab", "1.0"),
                 "port": None
             }
 
@@ -1,31 +1,10 @@
-import ntpath
-from nxc.helpers.misc import CATEGORY, gen_random_string
 from nxc.context import Context
-from impacket.smb3structs import FILE_SHARE_WRITE, FILE_SHARE_DELETE, FILE_ATTRIBUTE_ENCRYPTED
-from impacket.smbconnection import SessionError, SMBConnection
-
-
-def get_error_string(exception):
-    if hasattr(exception, "getErrorString"):
-        try:
-            es = exception.getErrorString()
-        except KeyError:
-            return f"Could not get nt error code {exception.getErrorCode()} from impacket: {exception}"
-        if type(es) is tuple:
-            return es[0]
-        else:
-            return es
-    else:
-        return str(exception)
+from nxc.helpers.misc import CATEGORY
 
 
 class NXCModule:
-    """EFSR Spray Module
-    Module by @rtpt-romankarwacik
-    """
-
     name = "efsr_spray"
-    description = "Tries to activate the EFSR service by creating a file with the encryption attribute on some available share."
+    description = "[REMOVED] Tries to activate the EFSR service by creating a file with the encryption attribute on some available share."
     supported_protocols = ["smb"]
     excluded_shares = ["SYSVOL"]
     category = CATEGORY.PRIVILEGE_ESCALATION
@@ -36,76 +15,6 @@ def options(self, context: Context, module_options: dict[str, str]):
         SHARE_NAME     If set, ONLY this share will be used
         EXCLUDED_SHARES List of share names which will not be used, seperated by comma
         """
-        self.file_name = module_options.get("FILE_NAME", ntpath.normpath("\\" + gen_random_string() + ".txt"))
-        self.share_name = module_options.get("SHARE_NAME")
-        if module_options.get("EXCLUDED_SHARES"):
-            self.excluded_shares += module_options.get("EXCLUDED_SHARES", "").split(",")
 
     def on_login(self, context: Context, connection):
-        conn: SMBConnection = connection.conn  # Because typing is broken due to smb being a folder and a file >:(
-
-        try:
-            shares = conn.listShares()
-        except SessionError as e:
-            error = get_error_string(e)
-            context.log.fail(f"Error enumerating shares: {error}", color="magenta")
-            return
-
-        # Check if named pipe is already available
-        try:
-            named_pipe_names = [f.get_shortname() for f in conn.listPath("IPC$", "*")]
-            if "efsrpc" in named_pipe_names:
-                context.log.highlight("efsrpc named pipe is already available!")
-                # if it is already activated we just skip this computer
-                return
-        except SessionError as e:
-            error = get_error_string(e)
-            context.log.fail(f"Error enumerating named pipes: {error}", color="magenta")
-            return
-
-        # Write an encrypted file on the share root.
-        # This will likely fail with STATUS_ACCESS_DENIED if we do not have the permission to create encrypted files,
-        # but this does not matter as the service will be activated nevertheless if we have WRITE or MODIFY access
-        for share in shares:
-            share_name = share["shi1_netname"][:-1]
-            if self.share_name is not None and self.share_name != share_name:
-                continue
-
-            if share_name in self.excluded_shares:
-                continue
-
-            try:
-                context.log.debug(f"Connecting to share {share_name}...")
-                tid = conn.connectTree(share_name)
-            except SessionError as e:
-                context.log.debug(f"Could not connect to share {share_name}: {e}")
-                continue
-            try:
-                context.log.debug(f"Creating file in {share_name}...")
-                fid = conn.createFile(tid, self.file_name,
-                                      desiredAccess=FILE_SHARE_WRITE,
-                                      shareMode=FILE_SHARE_DELETE,
-                                      fileAttributes=FILE_ATTRIBUTE_ENCRYPTED)
-                conn.closeFile(tid, fid)
-                try:
-                    # this can happen when we have special permissions to create encrypted files
-                    conn.deleteFile(share_name, self.file_name)
-                except SessionError as e:
-                    error = get_error_string(e)
-                    if error == "STATUS_OBJECT_NAME_NOT_FOUND":
-                        pass
-                    context.log.fail(f"Error DELETING created temp file {self.file_name} on share {share_name}: {error}")
-            except SessionError as e:
-                context.log.debug(f"Error writing encrypted file on share {share_name}: {get_error_string(e)} (This does not necessarily mean that the attack failed!)")
-
-        try:
-            tid = conn.connectTree("IPC$")
-            conn.waitNamedPipe(tid, "efsrpc", 10)
-            context.log.highlight("Successfully activated efsrpc named pipe!")
-        except SessionError as e:
-            error = get_error_string(e)
-            if error == "STATUS_OBJECT_NAME_NOT_FOUND":
-                context.log.debug("efsrpc pipe was not activated.")
-            else:
-                context.log.fail(f"Error waiting for named pipe: {error}", color="magenta")
-            return
+        context.log.fail('[REMOVED] This module has been made obsolete and EFS will be activated automatically by "coerce_plus"')
@@ -21,6 +21,7 @@ def options(self, context, module_options):
         """Required.
         Module options get parsed here. Additionally, put the modules usage here as well
         """
+        # Put "No options available" in the docstring if there are no options for the module
 
     def on_login(self, context, connection):
         """Concurrent.
 
@@ -18,17 +18,18 @@ class NXCModule:
     category = CATEGORY.CREDENTIAL_DUMPING
 
     def options(self, context, module_options):
-        """ """
+        """No options available"""
 
     def on_login(self, context, connection):
         shares = connection.shares()
         for share in shares:
-            if share["name"] == "SYSVOL" and "READ" in share["access"]:
+            if share["name"].lower() == "sysvol" and "READ" in share["access"]:
+                sysvol = share["name"]
                 context.log.success("Found SYSVOL share")
                 context.log.display("Searching for potential XML files containing passwords")
 
                 paths = connection.spider(
-                    "SYSVOL",
+                    sysvol,
                     pattern=[
                         "Groups.xml",
                         "Services.xml",
@@ -43,7 +44,7 @@ def on_login(self, context, connection):
                     context.log.display(f"Found {path}")
 
                     buf = BytesIO()
-                    connection.conn.getFile("SYSVOL", path, buf.write)
+                    connection.conn.getFile(sysvol, path, buf.write)
                     xml = ET.fromstring(buf.getvalue())
                     sections = []