Merge branch 'main' into marshall-pwsh-update

Signed-off-by: Marshall Hallenbeck <Marshall.Hallenbeck@gmail.com>

Author: Marshall-Hallenbeck

…/ISSUE_TEMPLATE/pull_request_template.md …EQUEST_TEMPLATE/pull_request_template.md.github/ISSUE_TEMPLATE/pull_request_template.md renamed to .github/PULL_REQUEST_TEMPLATE/pull_request_template.md .github/ISSUE_TEMPLATE/pull_request_template.md renamed to .github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -1,5 +1,6 @@
 data/nxc.db
 hash_spider_default.sqlite3
+hash_spider_testing.sqlite3
 *.bak
 *.log
 .venv

.gitignore

@@ -52,6 +52,12 @@ def gen_cli_args():
     parser.add_argument("--debug", action="store_true", help="enable debug level information")
     parser.add_argument("--version", action="store_true", help="Display nxc version")
 
+    dns_parser = parser.add_argument_group("DNS")
+    dns_parser.add_argument("-6", dest="force_ipv6", action="store_true", help="Enable force IPv6")
+    dns_parser.add_argument("--dns-server", action="store", help="Specify DNS server (default: Use hosts file & System DNS)")
+    dns_parser.add_argument("--dns-tcp", action="store_true", help="Use TCP instead of UDP for DNS queries")
+    dns_parser.add_argument("--dns-timeout", action="store", type=int, default=3, help="DNS query timeout in seconds (default: %(default)s)")
+
     # we do module arg parsing here so we can reference the module_list attribute below
     module_parser = argparse.ArgumentParser(add_help=False)
     mgroup = module_parser.add_mutually_exclusive_group()
@@ -78,7 +84,7 @@ def gen_cli_args():
     std_parser.add_argument("--use-kcache", action="store_true", help="Use Kerberos authentication from ccache file (KRB5CCNAME)")
     std_parser.add_argument("--log", metavar="LOG", help="Export result into a custom file")
     std_parser.add_argument("--aesKey", metavar="AESKEY", nargs="+", help="AES key to use for Kerberos Authentication (128 or 256 bits)")
-    std_parser.add_argument("--kdcHost", metavar="KDCHOST", help="FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter")
+    std_parser.add_argument("--kdcHost", metavar="KDCHOST", help="IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter")
 
     fail_group = std_parser.add_mutually_exclusive_group()
     fail_group.add_argument("--gfail-limit", metavar="LIMIT", type=int, help="max number of global failed login attempts")

nxc/cli.py

@@ -4,6 +4,7 @@
 from functools import wraps
 from time import sleep
 from ipaddress import ip_address
+from dns import resolver, rdatatype
 from socket import AF_UNSPEC, SOCK_DGRAM, IPPROTO_IP, AI_CANONNAME, getaddrinfo
 
 from nxc.config import pwned_label
@@ -22,23 +23,63 @@
 user_failed_logins = {}
 
 
-def gethost_addrinfo(hostname):
-    is_ipv6 = False
-    is_link_local_ipv6 = False
+def get_host_addr_info(target, force_ipv6, dns_server, dns_tcp, dns_timeout):
+    result = {
+        "host": "",
+        "is_ipv6": False,
+        "is_link_local_ipv6": False
+    }
     address_info = {"AF_INET6": "", "AF_INET": ""}
 
-    for res in getaddrinfo(hostname, None, AF_UNSPEC, SOCK_DGRAM, IPPROTO_IP, AI_CANONNAME):
-        af, _, _, canonname, sa = res
-        address_info[af.name] = sa[0]
+    try:
+        if ip_address(target).version == 4:
+            address_info["AF_INET"] = target
+        else:
+            address_info["AF_INET6"] = target
+    except Exception:
+        # If the target is not an IP address, we need to resolve it
+        if not (dns_server or dns_tcp):
+            for res in getaddrinfo(target, None, AF_UNSPEC, SOCK_DGRAM, IPPROTO_IP, AI_CANONNAME):
+                af, _, _, canonname, sa = res
+                address_info[af.name] = sa[0]
+
+            if address_info["AF_INET6"] and ip_address(address_info["AF_INET6"]).is_link_local:
+                address_info["AF_INET6"] = canonname
+                result["is_link_local_ipv6"] = True
+        else:
+            dnsresolver = resolver.Resolver()
+            dnsresolver.timeout = dns_timeout
+            dnsresolver.lifetime = dns_timeout
+
+            if dns_server:
+                dnsresolver.nameservers = [dns_server]
+
+            try:
+                answers_ipv4 = dnsresolver.resolve(target, rdatatype.A, raise_on_no_answer=False, tcp=dns_tcp)
+                address_info["AF_INET"] = answers_ipv4[0].address
+            except Exception:
+                pass
+
+            try:
+                answers_ipv6 = dnsresolver.resolve(target, rdatatype.AAAA, raise_on_no_answer=False, tcp=dns_tcp)
+                address_info["AF_INET6"] = answers_ipv6[0].address
+
+                if address_info["AF_INET6"] and ip_address(address_info["AF_INET6"]).is_link_local:
+                    result["is_link_local_ipv6"] = True
+            except Exception:
+                pass
+
+    if not (address_info["AF_INET"] or address_info["AF_INET6"]):
+        raise Exception(f"The DNS query name does not exist: {target}")
 
     # IPv4 preferred
-    if address_info["AF_INET"]:
-        host = address_info["AF_INET"]
+    if address_info["AF_INET"] and not force_ipv6:
+        result["host"] = address_info["AF_INET"]
     else:
-        is_ipv6 = True
-        host, is_link_local_ipv6 = (canonname, True) if ip_address(address_info["AF_INET6"]).is_link_local else (address_info["AF_INET6"], False)
+        result["is_ipv6"] = True
+        result["host"] = address_info["AF_INET6"]
 
-    return host, is_ipv6, is_link_local_ipv6
+    return result
 
 
 def requires_admin(func):
@@ -50,7 +91,7 @@ def _decorator(self, *args, **kwargs):
     return wraps(func)(_decorator)
 
 
-def dcom_FirewallChecker(iInterface, timeout):
+def dcom_FirewallChecker(iInterface, remoteHost, timeout):
     stringBindings = iInterface.get_cinstance().get_string_bindings()
     for strBinding in stringBindings:
         if strBinding["wTowerId"] == 7:
@@ -70,6 +111,7 @@ def dcom_FirewallChecker(iInterface, timeout):
         return True, None
     try:
         rpctransport = transport.DCERPCTransportFactory(stringBinding)
+        rpctransport.setRemoteHost(remoteHost)
         rpctransport.set_connect_timeout(timeout)
         rpctransport.connect()
         rpctransport.disconnect()
@@ -81,45 +123,67 @@ def dcom_FirewallChecker(iInterface, timeout):
 
 
 class connection:
-    def __init__(self, args, db, host):
-        self.domain = None
+    def __init__(self, args, db, target):
         self.args = args
         self.db = db
-        self.hostname = host
-        self.port = self.args.port
+        self.logger = nxc_logger
         self.conn = None
-        self.admin_privs = False
+
+        # Authentication info
         self.password = ""
         self.username = ""
         self.kerberos = bool(self.args.kerberos or self.args.use_kcache or self.args.aesKey)
         self.aesKey = None if not self.args.aesKey else self.args.aesKey[0]
-        self.kdcHost = None if not self.args.kdcHost else self.args.kdcHost
         self.use_kcache = None if not self.args.use_kcache else self.args.use_kcache
+        self.admin_privs = False
         self.failed_logins = 0
+
+        # Network info
+        self.domain = None
+        self.host = None            # IP address of the target. If kerberos this is the hostname
+        self.hostname = target      # Target info supplied by the user, may be an IP address or a hostname
+        self.remoteName = target    # hostname + domain, defaults to target if domain could not be resolved/not specified
+        self.kdcHost = self.args.kdcHost
+        self.port = self.args.port
         self.local_ip = None
-        self.logger = nxc_logger
 
-        try:
-            self.host, self.is_ipv6, self.is_link_local_ipv6 = gethost_addrinfo(self.hostname)
-            if self.args.kerberos:
-                self.host = self.hostname
-            self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local ipv6={self.is_link_local_ipv6}")
-        except Exception as e:
-            self.logger.info(f"Error resolving hostname {self.hostname}: {e}")
+        # DNS resolution
+        dns_result = self.resolver(target)
+        if dns_result:
+            self.host, self.is_ipv6, self.is_link_local_ipv6 = dns_result["host"], dns_result["is_ipv6"], dns_result["is_link_local_ipv6"]
+        else:
             return
 
+        if self.args.kerberos:
+            self.host = self.hostname
+
+        self.logger.info(f"Socket info: host={self.host}, hostname={self.hostname}, kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local ipv6={self.is_link_local_ipv6}")
+
         try:
             self.proto_flow()
         except Exception as e:
             if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e):
-                self.logger.error(f"Exception while calling proto_flow() on target {self.host}: {e}")
+                self.logger.error(f"Exception while calling proto_flow() on target {target}: {e}")
             else:
-                self.logger.exception(f"Exception while calling proto_flow() on target {self.host}: {e}")
+                self.logger.exception(f"Exception while calling proto_flow() on target {target}: {e}")
         finally:
-            self.logger.debug(f"Closing connection to: {host}")
+            self.logger.debug(f"Closing connection to: {target}")
             with contextlib.suppress(Exception):
                 self.conn.close()
 
+    def resolver(self, target):
+        try:
+            return get_host_addr_info(
+                target=target,
+                force_ipv6=self.args.force_ipv6,
+                dns_server=self.args.dns_server,
+                dns_tcp=self.args.dns_tcp,
+                dns_timeout=self.args.dns_timeout
+            )
+        except Exception as e:
+            self.logger.info(f"Error resolving hostname {target}: {e}")
+            return None
+
     @staticmethod
     def proto_args(std_parser, module_parser):
         return

nxc/connection.py

@@ -93,7 +93,8 @@ def __init__(self, extra=None):
         self.logger = logging.getLogger("nxc")
         self.extra = extra
         self.output_file = None
-
+        
+        logging.getLogger("impacket").disabled = True
         logging.getLogger("pypykatz").disabled = True
         logging.getLogger("minidump").disabled = True
         logging.getLogger("lsassy").disabled = True

nxc/logger.py

@@ -1,7 +1,8 @@
 import ssl
 import ldap3
-from impacket.dcerpc.v5 import samr, epm, transport
 import sys
+from impacket.dcerpc.v5 import samr, epm, transport
+from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
 
 class NXCModule:
     """
@@ -61,11 +62,10 @@ def options(self, context, module_options):
     def on_login(self, context, connection):
         self.__domain = connection.domain
         self.__domainNetbios = connection.domain
-        self.__kdcHost = connection.hostname + "." + connection.domain
-        self.__target = self.__kdcHost
+        self.__kdcHost = connection.kdcHost
         self.__username = connection.username
         self.__password = connection.password
-        self.__targetIp = connection.host
+        self.__host = connection.host
         self.__port = context.smb_server_port
         self.__aesKey = context.aesKey
         self.__hashes = context.hash
@@ -101,15 +101,10 @@ def do_samr_add(self, context):
         -------
             None
         """
-        target = self.__targetIp or self.__target
-        string_binding = epm.hept_map(target, samr.MSRPC_UUID_SAMR, protocol="ncacn_np")
+        string_binding = epm.hept_map(self.__host, samr.MSRPC_UUID_SAMR, protocol="ncacn_np")
 
-        rpc_transport = transport.DCERPCTransportFactory(string_binding)
-        rpc_transport.set_dport(self.__port)
-
-        if self.__targetIp is not None:
-            rpc_transport.setRemoteHost(self.__targetIp)
-            rpc_transport.setRemoteName(self.__target)
+        rpc_transport = transport.DCERPCTransportFactory(string_binding.replace(self.__host, self.__kdcHost))
+        rpc_transport.setRemoteHost(self.__host)
 
         if hasattr(rpc_transport, "set_credentials"):
             # This method exists only for selected protocol sequences.
@@ -118,10 +113,13 @@ def do_samr_add(self, context):
         rpc_transport.set_kerberos(self.__doKerberos, self.__kdcHost)
 
         dce = rpc_transport.get_dce_rpc()
+        if self.__doKerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+
         dce.connect()
         dce.bind(samr.MSRPC_UUID_SAMR)
 
-        samr_connect_response = samr.hSamrConnect5(dce, f"\\\\{self.__target}\x00", samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN)
+        samr_connect_response = samr.hSamrConnect5(dce, f"\\\\{self.__kdcHost}\x00", samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN)
         serv_handle = samr_connect_response["ServerHandle"]
 
         samr_enum_response = samr.hSamrEnumerateDomainsInSamServer(dce, serv_handle)

nxc/modules/add-computer.py

@@ -2,7 +2,7 @@
 from impacket.dcerpc.v5 import transport
 from impacket.dcerpc.v5.ndr import NDRCALL
 from impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD
-from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_GSS_NEGOTIATE
 from impacket.uuid import uuidtup_to_bin
 from nxc.logger import nxc_logger
 
@@ -33,9 +33,9 @@ def on_login(self, context, connection):
             domain=connection.domain,
             lmhash=connection.lmhash,
             nthash=connection.nthash,
-            target=connection.host if not connection.kerberos else connection.hostname + "." + connection.domain,
+            target=connection.host,
             doKerberos=connection.kerberos,
-            dcHost=connection.kdcHost,
+            kdcHost=connection.kdcHost,
             aesKey=connection.aesKey,
         )
 
@@ -95,8 +95,9 @@ class NetrDfsAddRootResponse(NDRCALL):
 
 
 class TriggerAuth:
-    def connect(self, username, password, domain, lmhash, nthash, aesKey, target, doKerberos, dcHost):
+    def connect(self, username, password, domain, lmhash, nthash, aesKey, target, doKerberos, kdcHost):
         rpctransport = transport.DCERPCTransportFactory(r"ncacn_np:%s[\PIPE\netdfs]" % target)
+        rpctransport.setRemoteHost(target)
         if hasattr(rpctransport, "set_credentials"):
             rpctransport.set_credentials(
                 username=username,
@@ -108,11 +109,12 @@ def connect(self, username, password, domain, lmhash, nthash, aesKey, target, do
             )
 
         if doKerberos:
-            rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
-        # if target:
+            rpctransport.set_kerberos(doKerberos, kdcHost)
 
-        rpctransport.setRemoteHost(target)
         dce = rpctransport.get_dce_rpc()
+        if doKerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+
         nxc_logger.debug("[-] Connecting to {}".format(r"ncacn_np:%s[\PIPE\netdfs]") % target)
         try:
             dce.connect()
@@ -134,8 +136,7 @@ def NetrDfsRemoveStdRoot(self, dce, listener):
             request["ServerName"] = f"{listener}\x00"
             request["RootShare"] = "test\x00"
             request["ApiFlags"] = 1
-            if self.args.verbose:
-                nxc_logger.debug(request.dump())
+            nxc_logger.debug(request.dump())
             dce.request(request)
 
         except Exception as e: