Merge main into passwords_dump_update

Author: NeffIsBack

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,10 @@
+**Please Describe The Problem To Be Solved**
+(Replace This Text: Please present a concise description of the problem to be addressed by this feature request. Please be clear what parts of the problem are considered to be in-scope and out-of-scope.)
+
+**(Optional): Suggest A Solution**
+(Replace This Text: A concise description of your preferred solution. Things to address include:
+* Details of the technical implementation
+* Tradeoffs made in design decisions
+* Caveats and considerations for the future
+
+If there are multiple solutions, please present each one separately. Save comparisons for the very end.)

netexec.spec

@@ -38,6 +38,7 @@ a = Analysis(
         'nxc.protocols.smb.smbspider',
         'nxc.protocols.smb.passpol',
         'nxc.protocols.mssql.mssqlexec',
+        'nxc.parsers.ldap_results',
         'nxc.helpers.bash',
         'nxc.helpers.bloodhound',
         'nxc.helpers.msada_guids',
@@ -71,6 +72,7 @@ a = Analysis(
         'dploot.lib.smb',
         'pyasn1_modules.rfc5652',
         'unicrypto.backends.pycryptodomex',
+        'dateutil.relativedelta',
         'sspilib.raw._text',
      ],
      hookspath=['./nxc/.hooks'],

nxc/connection.py

@@ -8,12 +8,14 @@
 
 from nxc.config import pwned_label
 from nxc.helpers.logger import highlight
+from nxc.loaders.moduleloader import ModuleLoader
 from nxc.logger import nxc_logger, NXCAdapter
 from nxc.context import Context
 from nxc.protocols.ldap.laps import laps_search
 
 from impacket.dcerpc.v5 import transport
 import sys
+import contextlib
 
 sem = BoundedSemaphore(1)
 global_failed_logins = 0
@@ -125,6 +127,10 @@ def __init__(self, args, db, host):
                 self.logger.error(f"Exception while calling proto_flow() on target {self.host}: {e}")
             else:
                 self.logger.exception(f"Exception while calling proto_flow() on target {self.host}: {e}")
+        finally:
+            self.logger.debug(f"Closing connection to: {host}")
+            with contextlib.suppress(Exception):
+                self.conn.close()
 
     @staticmethod
     def proto_args(std_parser, module_parser):
@@ -145,16 +151,7 @@ def create_conn_obj(self):
     def check_if_admin(self):
         return
 
-    def kerberos_login(
-        self,
-        domain,
-        username,
-        password="",
-        ntlm_hash="",
-        aesKey="",
-        kdcHost="",
-        useCache=False,
-    ):
+    def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
         return
 
     def plaintext_login(self, domain, username, password):
@@ -173,6 +170,7 @@ def proto_flow(self):
             self.enum_host_info()
             if self.print_host_info() and (self.login() or (self.username == "" and self.password == "")):
                 if hasattr(self.args, "module") and self.args.module:
+                    self.load_modules()
                     self.logger.debug("Calling modules")
                     self.call_modules()
                 else:
@@ -206,7 +204,7 @@ def call_modules(self):
         It iterates over the modules specified in the command line arguments.
         For each module, it loads the module and creates a context object, then calls functions based on the module's attributes.
         """
-        for module in self.module:
+        for module in self.modules:
             self.logger.debug(f"Loading module {module.name} - {module}")
             module_logger = NXCAdapter(
                 extra={
@@ -491,3 +489,12 @@ def login(self):
 
     def mark_pwned(self):
         return highlight(f"({pwned_label})" if self.admin_privs else "")
+
+    def load_modules(self):
+        self.logger.info(f"Loading modules for target: {self.host}")
+        loader = ModuleLoader(self.args, self.db, self.logger)
+        self.modules = []
+
+        for module_path in self.module_paths:
+            module = loader.init_module(module_path)
+            self.modules.append(module)

nxc/modules/adcs.py

@@ -27,7 +27,6 @@ def options(self, context, module_options):
         SERVER             PKI Enrollment Server to enumerate templates for. Default is None, use CN name
         BASE_DN            The base domain name for the LDAP query
         """
-        self.context = context
         self.regex = re.compile("(https?://.+)")
 
         self.server = None
@@ -39,6 +38,7 @@ def options(self, context, module_options):
 
     def on_login(self, context, connection):
         """On a successful LDAP login we perform a search for all PKI Enrollment Server or Certificate Templates Names."""
+        self.context = context
         if self.server is None:
             search_filter = "(objectClass=pKIEnrollmentService)"
         else:

nxc/modules/add-computer.py

@@ -3,7 +3,6 @@
 from impacket.dcerpc.v5 import samr, epm, transport
 import sys
 
-
 class NXCModule:
     """
     Module by CyberCelt: @Cyb3rC3lt
@@ -41,6 +40,7 @@ def options(self, context, module_options):
 
         if "CHANGEPW" in module_options and ("NAME" not in module_options or "PASSWORD" not in module_options):
             context.log.error("NAME  and PASSWORD options are required!")
+            sys.exit(1)
         elif "CHANGEPW" in module_options:
             self.__noAdd = True
 
@@ -87,8 +87,7 @@ def on_login(self, context, connection):
         # If SAMR fails now try over LDAPS
         if not self.noLDAPRequired:
             self.do_ldaps_add(connection, context)
-        else:
-            sys.exit(1)
+            
 
     def do_samr_add(self, context):
         """
@@ -178,7 +177,6 @@ def do_samr_add(self, context):
                     samr.hSamrLookupNamesInDomain(dce, domain_handle, [self.__computerName])
                     self.noLDAPRequired = True
                     context.log.highlight("{}".format('Computer account already exists with the name: "' + self.__computerName + '"'))
-                    sys.exit(1)
                 except samr.DCERPCSessionError as e:
                     if e.error_code != 0xC0000073:
                         raise

nxc/modules/daclread.py

@@ -221,8 +221,6 @@ def options(self, context, module_options):
 
         Based on the work of @_nwodtuhs and @BlWasp_.
         """
-        self.context = context
-
         context.log.debug(f"module_options: {module_options}")
 
         if not module_options:
@@ -273,6 +271,7 @@ def options(self, context, module_options):
         self.filename = None
 
     def on_login(self, context, connection):
+        self.context = context
         """On a successful LDAP login we perform a search for the targets' SID, their Security Descriptors and the principal's SID if there is one specified"""
         context.log.highlight("Be careful, this module cannot read the DACLS recursively.")
         self.baseDN = connection.ldapConnection._baseDN

nxc/modules/ldap-checker.py

@@ -92,11 +92,12 @@ async def run_ldaps_withEPA(target, credential):
         def DoesLdapsCompleteHandshake(dcIp):
             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
             s.settimeout(5)
-            ssl_sock = ssl.wrap_socket(
+            ssl_context = ssl.create_default_context()
+            ssl_context.check_hostname = False
+            ssl_sock = ssl_context.wrap_socket(
                 s,
-                cert_reqs=ssl.CERT_OPTIONAL,
-                suppress_ragged_eofs=False,
                 do_handshake_on_connect=False,
+                suppress_ragged_eofs=False,
             )
             ssl_sock.connect((dcIp, 636))
             try:

nxc/modules/lsassy.py

@@ -64,7 +64,7 @@ def on_admin_login(self, context, connection):
             context.log.fail("Unable to dump lsass")
             return False
 
-        parsed = Parser(file).parse()
+        parsed = Parser(host, file).parse()
         if parsed is None:
             context.log.fail("Unable to parse lsass dump")
             return False

nxc/modules/msol.py

@@ -3,7 +3,7 @@
 # Based on the article : https://blog.xpnsec.com/azuread-connect-for-redteam/
 from sys import exit
 from os import path
-import sys
+from nxc.paths import TMP_PATH
 from nxc.helpers.powershell import get_ps_script
 
 
@@ -49,14 +49,14 @@ def exec_script(self, _, connection):
 
     def on_admin_login(self, context, connection):
         if self.use_embedded:
-            file_to_upload = "/tmp/msol.ps1"
+            file_to_upload = f"{TMP_PATH}/msol.ps1"
 
             try:
                 with open(file_to_upload, "w") as msol:
                     msol.write(self.msol_embedded)
             except FileNotFoundError:
                 context.log.fail(f"Impersonate file specified '{file_to_upload}' does not exist!")
-                sys.exit(1)
+                exit(1)
 
         else:
             if path.isfile(self.MSOL_PS1):

nxc/modules/mssql_priv.py

@@ -42,12 +42,12 @@ def options(self, context, module_options):
             - rollback (remove sysadmin privilege)
         """
         self.action = None
-        self.context = context
 
         if "ACTION" in module_options:
             self.action = module_options["ACTION"]
 
     def on_login(self, context, connection):
+        self.context = context
         # get mssql connection
         self.mssql_conn = connection.conn
         # fetch the current user
@@ -441,13 +441,11 @@ def is_admin_user(self, username) -> bool:
         :rtype: bool
         """
         res = self.query_and_get_output(f"SELECT IS_SRVROLEMEMBER('sysadmin', '{username}')")
-        try:
-            if int(res):
-                self.admin_privs = True
-                return True
-            else:
-                return False
-        except Exception:
+        is_admin = res[0][""]
+        if is_admin:
+            self.admin_privs = True
+            return True
+        else:
             return False
 
     def revert_context(self, exec_as):