Skip to content

Commit e16a66a

Browse files
Marshall-HallenbeckMarshall-Hallenbeck
committed
refactor(smb args): update smb arg parsing naming to make sense
1 parent 70a99a7 commit e16a66a

1 file changed

Lines changed: 57 additions & 51 deletions

File tree

nxc/protocols/smb/proto_args.py

Lines changed: 57 additions & 51 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,18 @@
1-
from argparse import _StoreTrueAction
1+
from argparse import _StoreTrueAction, HelpFormatter
2+
from nxc.helpers.args import DisplayDefaultsNotNone
23

34

45
def proto_args(parser, parents):
56
smb_parser = parser.add_parser("smb", help="own stuff using SMB", parents=parents)
67
smb_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
8+
79
delegate_arg = smb_parser.add_argument("--delegate", action="store", help="Impersonate user with S4U2Self + S4U2Proxy")
810
self_delegate_arg = smb_parser.add_argument("--self", dest="no_s4u2proxy", action=get_conditional_action(_StoreTrueAction), make_required=[], help="Only do S4U2Self, no S4U2Proxy (use with delegate)")
11+
912
dgroup = smb_parser.add_mutually_exclusive_group()
1013
dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, help="domain to authenticate to")
1114
dgroup.add_argument("--local-auth", action="store_true", help="authenticate locally to each target")
15+
1216
smb_parser.add_argument("--port", type=int, choices={445, 139}, default=445, help="SMB port (default: 445)")
1317
smb_parser.add_argument("--share", metavar="SHARE", default="C$", help="specify a share (default: C$)")
1418
smb_parser.add_argument("--smb-server-port", default="445", help="specify a server port for SMB", type=int)
@@ -17,66 +21,68 @@ def proto_args(parser, parents):
1721
smb_parser.add_argument("--laps", dest="laps", metavar="LAPS", type=str, help="LAPS authentification", nargs="?", const="administrator")
1822
self_delegate_arg.make_required = [delegate_arg]
1923

20-
cgroup = smb_parser.add_argument_group("Credential Gathering", "Options for gathering credentials")
21-
cgroup.add_argument("--sam", action="store_true", help="dump SAM hashes from target systems")
22-
cgroup.add_argument("--lsa", action="store_true", help="dump LSA secrets from target systems")
23-
cgroup.add_argument("--ntds", choices={"vss", "drsuapi"}, nargs="?", const="drsuapi", help="dump the NTDS.dit from target DCs using the specifed method\n(default: drsuapi)")
24-
cgroup.add_argument("--dpapi", choices={"cookies", "nosystem"}, nargs="*", help='dump DPAPI secrets from target systems, can dump cookies if you add "cookies", will not dump SYSTEM dpapi if you add nosystem\n')
25-
cgroup.add_argument("--mkfile", action="store", help="DPAPI option. File with masterkeys in form of {GUID}:SHA1")
26-
cgroup.add_argument("--pvk", action="store", help="DPAPI option. File with domain backupkey")
27-
cgroup.add_argument("--enabled", action="store_true", help="Only dump enabled targets from DC")
28-
cgroup.add_argument("--user", dest="userntds", type=str, help="Dump selected user from DC")
24+
cred_gathering_group = smb_parser.add_argument_group("Credential Gathering", "Options for gathering credentials")
25+
cred_gathering_group.add_argument("--sam", action="store_true", help="dump SAM hashes from target systems")
26+
cred_gathering_group.add_argument("--lsa", action="store_true", help="dump LSA secrets from target systems")
27+
cred_gathering_group.add_argument("--ntds", choices={"vss", "drsuapi"}, nargs="?", const="drsuapi", help="dump the NTDS.dit from target DCs using the specifed method\n(default: drsuapi)")
28+
cred_gathering_group.add_argument("--dpapi", choices={"cookies", "nosystem"}, nargs="*", help='dump DPAPI secrets from target systems, can dump cookies if you add "cookies", will not dump SYSTEM dpapi if you add nosystem\n')
29+
cred_gathering_group.add_argument("--mkfile", action="store", help="DPAPI option. File with masterkeys in form of {GUID}:SHA1")
30+
cred_gathering_group.add_argument("--pvk", action="store", help="DPAPI option. File with domain backupkey")
31+
cred_gathering_group.add_argument("--enabled", action="store_true", help="Only dump enabled targets from DC")
32+
cred_gathering_group.add_argument("--user", dest="userntds", type=str, help="Dump selected user from DC")
2933

30-
egroup = smb_parser.add_argument_group("Mapping/Enumeration", "Options for Mapping/Enumerating")
31-
egroup.add_argument("--shares", action="store_true", help="enumerate shares and access")
32-
egroup.add_argument("--no-write-check", action="store_true", help="Skip write check on shares (avoid leaving traces when missing delete permissions)")
33-
34-
egroup.add_argument("--filter-shares", nargs="+", help="Filter share by access, option 'read' 'write' or 'read,write'")
35-
egroup.add_argument("--sessions", action="store_true", help="enumerate active sessions")
36-
egroup.add_argument("--disks", action="store_true", help="enumerate disks")
37-
egroup.add_argument("--loggedon-users-filter", action="store", help="only search for specific user, works with regex")
38-
egroup.add_argument("--loggedon-users", action="store_true", help="enumerate logged on users")
39-
egroup.add_argument("--users", nargs="*", metavar="USER", help="enumerate domain users, if a user is specified than only its information is queried.")
40-
egroup.add_argument("--groups", nargs="?", const="", metavar="GROUP", help="enumerate domain groups, if a group is specified than its members are enumerated")
41-
egroup.add_argument("--computers", nargs="?", const="", metavar="COMPUTER", help="enumerate computer users")
42-
egroup.add_argument("--local-groups", nargs="?", const="", metavar="GROUP", help="enumerate local groups, if a group is specified then its members are enumerated")
43-
egroup.add_argument("--pass-pol", action="store_true", help="dump password policy")
44-
egroup.add_argument("--rid-brute", nargs="?", type=int, const=4000, metavar="MAX_RID", help="enumerate users by bruteforcing RID's (default: 4000)")
45-
egroup.add_argument("--wmi", metavar="QUERY", type=str, help="issues the specified WMI query")
46-
egroup.add_argument("--wmi-namespace", metavar="NAMESPACE", default="root\\cimv2", help="WMI Namespace (default: root\\cimv2)")
34+
mapping_enum_group = smb_parser.add_argument_group("Mapping/Enumeration", "Options for Mapping/Enumerating")
35+
mapping_enum_group.add_argument("--shares", action="store_true", help="enumerate shares and access")
36+
mapping_enum_group.add_argument("--no-write-check", action="store_true", help="Skip write check on shares (avoid leaving traces when missing delete permissions)")
37+
mapping_enum_group.add_argument("--filter-shares", nargs="+", help="Filter share by access, option 'read' 'write' or 'read,write'")
38+
mapping_enum_group.add_argument("--sessions", action="store_true", help="enumerate active sessions")
39+
mapping_enum_group.add_argument("--disks", action="store_true", help="enumerate disks")
40+
mapping_enum_group.add_argument("--loggedon-users-filter", action="store", help="only search for specific user, works with regex")
41+
mapping_enum_group.add_argument("--loggedon-users", action="store_true", help="enumerate logged on users")
42+
mapping_enum_group.add_argument("--users", nargs="*", metavar="USER", help="enumerate domain users, if a user is specified than only its information is queried.")
43+
mapping_enum_group.add_argument("--groups", nargs="?", const="", metavar="GROUP", help="enumerate domain groups, if a group is specified than its members are enumerated")
44+
mapping_enum_group.add_argument("--computers", nargs="?", const="", metavar="COMPUTER", help="enumerate computer users")
45+
mapping_enum_group.add_argument("--local-groups", nargs="?", const="", metavar="GROUP", help="enumerate local groups, if a group is specified then its members are enumerated")
46+
mapping_enum_group.add_argument("--pass-pol", action="store_true", help="dump password policy")
47+
mapping_enum_group.add_argument("--rid-brute", nargs="?", type=int, const=4000, metavar="MAX_RID", help="enumerate users by bruteforcing RID's (default: 4000)")
48+
49+
wmi_group = smb_parser.add_argument_group("WMI", "Options for WMI Queries")
50+
wmi_group.add_argument("--wmi", metavar="QUERY", type=str, help="issues the specified WMI query")
51+
wmi_group.add_argument("--wmi-namespace", metavar="NAMESPACE", default="root\\cimv2", help="WMI Namespace (default: root\\cimv2)")
4752

48-
sgroup = smb_parser.add_argument_group("Spidering", "Options for spidering shares")
49-
sgroup.add_argument("--spider", metavar="SHARE", type=str, help="share to spider")
50-
sgroup.add_argument("--spider-folder", metavar="FOLDER", default=".", type=str, help="folder to spider (default: root share directory)")
51-
sgroup.add_argument("--content", action="store_true", help="enable file content searching")
52-
sgroup.add_argument("--exclude-dirs", type=str, metavar="DIR_LIST", default="", help="directories to exclude from spidering")
53-
segroup = sgroup.add_mutually_exclusive_group()
53+
spidering_group = smb_parser.add_argument_group("Spidering", "Options for spidering shares")
54+
spidering_group.add_argument("--spider", metavar="SHARE", type=str, help="share to spider")
55+
spidering_group.add_argument("--spider-folder", metavar="FOLDER", default=".", type=str, help="folder to spider (default: root share directory)")
56+
spidering_group.add_argument("--content", action="store_true", help="enable file content searching")
57+
spidering_group.add_argument("--exclude-dirs", type=str, metavar="DIR_LIST", default="", help="directories to exclude from spidering")
58+
spidering_group.add_argument("--depth", type=int, default=None, help="max spider recursion depth (default: infinity & beyond)")
59+
spidering_group.add_argument("--only-files", action="store_true", help="only spider files")
60+
segroup = spidering_group.add_mutually_exclusive_group()
5461
segroup.add_argument("--pattern", nargs="+", help="pattern(s) to search for in folders, filenames and file content")
5562
segroup.add_argument("--regex", nargs="+", help="regex(s) to search for in folders, filenames and file content")
56-
sgroup.add_argument("--depth", type=int, default=None, help="max spider recursion depth (default: infinity & beyond)")
57-
sgroup.add_argument("--only-files", action="store_true", help="only spider files")
5863

59-
tgroup = smb_parser.add_argument_group("Files", "Options for put and get remote files")
60-
tgroup.add_argument("--put-file", action="append", nargs=2, metavar="FILE", help="Put a local file into remote target, ex: whoami.txt \\\\Windows\\\\Temp\\\\whoami.txt")
61-
tgroup.add_argument("--get-file", action="append", nargs=2, metavar="FILE", help="Get a remote file, ex: \\\\Windows\\\\Temp\\\\whoami.txt whoami.txt")
62-
tgroup.add_argument("--append-host", action="store_true", help="append the host to the get-file filename")
64+
files_group = smb_parser.add_argument_group("Files", "Options for remote file interaction")
65+
files_group.add_argument("--put-file", action="append", nargs=2, metavar="FILE", help="Put a local file into remote target, ex: whoami.txt \\\\Windows\\\\Temp\\\\whoami.txt")
66+
files_group.add_argument("--get-file", action="append", nargs=2, metavar="FILE", help="Get a remote file, ex: \\\\Windows\\\\Temp\\\\whoami.txt whoami.txt")
67+
files_group.add_argument("--append-host", action="store_true", help="append the host to the get-file filename")
6368

64-
cegroup = smb_parser.add_argument_group("Command Execution", "Options for executing commands")
65-
cegroup.add_argument("--exec-method", choices={"wmiexec", "mmcexec", "smbexec", "atexec"}, default=None, help="method to execute the command. Ignored if in MSSQL mode (default: wmiexec)")
66-
cegroup.add_argument("--dcom-timeout", help="DCOM connection timeout, default is 5 secondes", type=int, default=5)
67-
cegroup.add_argument("--get-output-tries", help="Number of times atexec/smbexec/mmcexec tries to get results, default is 5", type=int, default=5)
68-
cegroup.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: utf-8). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
69-
cegroup.add_argument("--force-ps32", action="store_true", help="force the PowerShell command to run in a 32-bit process")
70-
cegroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")
69+
cmd_exec_group = smb_parser.add_argument_group("Command Execution", "Options for executing commands")
70+
cmd_exec_group.add_argument("--exec-method", choices={"wmiexec", "mmcexec", "smbexec", "atexec"}, default=None, help="method to execute the command. Ignored if in MSSQL mode (default: wmiexec)")
71+
cmd_exec_group.add_argument("--dcom-timeout", help="DCOM connection timeout, default is 5 secondes", type=int, default=5)
72+
cmd_exec_group.add_argument("--get-output-tries", help="Number of times atexec/smbexec/mmcexec tries to get results, default is 5", type=int, default=5)
73+
cmd_exec_group.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: utf-8). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
74+
cmd_exec_group.add_argument("--no-output", action="store_true", help="do not retrieve command output")
7175
# command execution method
72-
cemgroup = cgroup.add_mutually_exclusive_group()
76+
cemgroup = cmd_exec_group.add_mutually_exclusive_group()
7377
cemgroup.add_argument("-x", metavar="COMMAND", dest="execute", help="execute the specified CMD command")
7478
cemgroup.add_argument("-X", metavar="PS_COMMAND", dest="ps_execute", help="execute the specified PowerShell command")
7579

76-
psgroup = smb_parser.add_argument_group("Powershell Obfuscation", "Options for PowerShell script obfuscation")
77-
psgroup.add_argument("--obfs", action="store_true", help="Obfuscate PowerShell scripts")
78-
psgroup.add_argument("--amsi-bypass", nargs=1, metavar="FILE", help="File with a custom AMSI bypass")
79-
psgroup.add_argument("--clear-obfscripts", action="store_true", help="Clear all cached obfuscated PowerShell scripts")
80+
posh_group = smb_parser.add_argument_group("Powershell Obfuscation", "Options for PowerShell script obfuscation")
81+
posh_group.add_argument("--obfs", action="store_true", help="Obfuscate PowerShell scripts")
82+
posh_group.add_argument("--amsi-bypass", nargs=1, metavar="FILE", help="File with a custom AMSI bypass")
83+
posh_group.add_argument("--clear-obfscripts", action="store_true", help="Clear all cached obfuscated PowerShell scripts")
84+
posh_group.add_argument("--force-ps32", action="store_true", help="force PowerShell commands to run in a 32-bit process (may not apply to modules)")
85+
8086

8187
return parser
8288

0 commit comments

Comments
 (0)