Merge upstream changes

Author: Mercury0

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: NetExec Wiki
+    url: https://www.netexec.wiki/
+    about: Check the wiki for usage guides and documentation before opening an issue.
+  - name: NetExec Discord
+    url: https://discord.com/invite/pjwUTQzg8R
+    about: Join the Discord for general questions and community support.

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,8 +1,9 @@
 ## Description
-
 Please include a summary of the change and which issue is fixed, or what the enhancement does.
 List any dependencies that are required for this change.
 
+If you have used AI in any form, please state the tool you used (e.g. Claude Code, Cursor, Amp) along with the extent that the work was AI-assisted. See the project's AI policy for more details: https://github.com/Pennyw0rth/NetExec/blob/main/AI_POLICY.md
+
 ## Type of change
 Insert an "x" inside the brackets for relevant items (do not delete options)
 
@@ -12,24 +13,28 @@ Insert an "x" inside the brackets for relevant items (do not delete options)
 - [ ] Deprecation of feature or functionality
 - [ ] This change requires a documentation update
 - [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)
+- [ ] This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)
 
 ## Setup guide for the review
 Please provide guidance on what setup is needed to test the introduced changes, such as your locally running machine Python version & OS, as well as the target(s) you tested against, including software versions.
 In particular:
 - Bug Fix: Please provide a short description on how to trigger the bug, to make the bug reproducable for the reviewer.
-- Added Feature/Enhancement: Please specify what setup is needed in order to test the changes. E.g. is additional software needed? GPO changes required? Specific registry settings that need to be changed?
+- Added Feature/Enhancement: Please specify what setup is needed in order to test the changes, such as:
+  - Is additional software needed?
+  - GPO changes required?
+  - Specific registry settings that need to be changed?
 
 ## Screenshots (if appropriate):
 Screenshots are always nice to have and can give a visual representation of the change.
-If appropriate include before and after screenshot(s) to show which results are to be expected.
+If appropriate, include before and after screenshot(s) to show which results are to be expected.
 
 ## Checklist:
 Insert an "x" inside the brackets for completed and relevant items (do not delete options)
 
-- [ ] I have ran Ruff against my changes (via poetry: `poetry run python -m ruff check . --preview`, use `--fix` to automatically fix what it can)
+- [ ] I have ran Ruff against my changes (poetry: `poetry run ruff check .`, use `--fix` to automatically fix what it can)
 - [ ] I have added or updated the `tests/e2e_commands.txt` file if necessary (new modules or features are _required_ to be added to the e2e tests)
-- [ ] New and existing e2e tests pass locally with my changes
 - [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
-- [ ] I have performed a self-review of my own code
+- [ ] I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
+- [ ] I have performed a self-review of my own code (_not_ an AI review)
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

.github/workflows/pr-template-check.yml

@@ -0,0 +1,54 @@
+name: PR Template Check
+
+on:
+  pull_request:
+    types: [opened, edited]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  check-template:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Check PR description for template sections
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const body = context.payload.pull_request.body || '';
+            const requiredSections = [
+              '## Description',
+              '## Type of change',
+              '## Setup guide for the review',
+              '## Checklist'
+            ];
+
+            const missingSections = requiredSections.filter(
+              section => !body.includes(section)
+            );
+
+            if (missingSections.length === 0) return;
+
+            // Check if we already left a comment to avoid spamming
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number
+            });
+
+            const botComment = comments.data.find(
+              c => c.user.type === 'Bot' && c.body.includes('<!-- pr-template-check -->')
+            );
+
+            if (botComment) return;
+
+            const missing = missingSections.map(s => `- ${s}`).join('\n');
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: `<!-- pr-template-check -->\nIt looks like the PR template may not have been filled out. The following sections appear to be missing:\n\n${missing}\n\nPlease edit your PR description to include them. The template helps reviewers understand and test your changes. Thanks!`
+            });

AI_POLICY.md

@@ -0,0 +1,77 @@
+# AI Usage Policy
+
+This policy was adapted from the [ghostty project](https://github.com/ghostty-org/ghostty/).
+The original version can be found [Ghostty's PR #10412](https://github.com/ghostty-org/ghostty/pull/10412).
+
+The NetExec project has strict rules for AI usage:
+
+- **All AI usage in any form must be disclosed.** You must state
+  the tool(s) and model(s) you used (e.g. Claude Code, Cursor, Opus 4.6,
+  Codex 5.2, etc) along with the extent that the work was AI-assisted.
+
+- **Pull requests created in any way by AI can only be for accepted issues.**
+  Drive-by pull requests that do not reference an accepted issue may be
+  rejected and closed. If AI isn't disclosed but a maintainer suspects its use,
+  the PR may be rejected and closed. If you want to share code for a
+  non-accepted issue, open a discussion or attach it to the existing issue.
+
+- **Pull requests created by AI must have been fully verified with
+  human use.** AI must not create hypothetically correct code that
+  hasn't been tested. Importantly, you must not allow AI to write
+  code for platforms or environments you don't have access to manually
+  test on.
+
+- **Issues and discussions can use AI assistance but must have a full
+  human-in-the-loop.** This means that any content generated with AI
+  must have been reviewed _and edited_ by a human before submission.
+  AI is very good at being overly verbose and including noise that
+  distracts from the main point. Humans must do their research and
+  trim this down.
+
+- **No AI-generated media is allowed (art, images, videos, audio, etc.).**
+  Text and code are the only acceptable AI-generated content, per the
+  other rules in this policy.
+
+- **Bad AI drivers will be banned** You've been warned. We love to help junior
+  developers learn and grow, but if you're interested in that then don't use
+  AI, and we'll help you.
+
+- **Official maintainers have the final say** We always strive to be helpful,
+  but there are limits. If you submit agregiously terrible AI generated code
+  with no review, we may ban you without word. We do not want to waste our
+  time reviewing slop if the contributor can't be bothered to review the work
+  themselves.
+
+These rules apply only to outside contributions to NetExec. Maintainers
+and trusted contributors are exempt from these rules and may use AI tools at
+their discretion; they've proven themselves trustworthy to apply good judgment.
+
+## There are Humans Here
+
+Please remember that NetExec is maintained by humans.
+
+Every discussion, issue, and pull request is read and reviewed by
+humans (and sometimes machines, too). It is a boundary point at which
+people interact with each other and the work done. It is rude and
+disrespectful to approach this boundary with low-effort, unqualified
+work, since it puts the burden of validation on the maintainers.
+
+In a perfect world, AI would produce high-quality, accurate work
+every time, but today that is simply not true. This is compounded by the fact
+that accessibility to AI is high, allowing low skilled individuals to think
+that they are contributing useful code. Even many skilled programmers do not
+understand how to use it effectively. This has opened up a waterfall of low
+quality contributions across the Open Source community, wasting resources.
+
+## AI is Welcome Here, Within Reason
+
+NetExec maintainers acknowledge AI as a productive tool to some workflows, and
+are open to leveraging this technology to improve NetExec; however, there are
+many low quality AI tools whose use results in pure slop being generated. The
+security communinity is not immune from AI psychosis, over-hype, or FOMO.
+As with any new technology, it is important to understand how it works and how
+to best use it, not blindly apply it to every use case with the hope that it
+will fix all your issues.
+
+We include this section to be transparent about the project's usage about
+AI for people who may disagree with it.

nxc/modules/get-userPassword.py

@@ -41,6 +41,6 @@ def on_login(self, context, connection):
             resp_parsed = parse_result_attributes(resp)
             context.log.success("Found following users: ")
             for user in resp_parsed:
-                context.log.highlight(f"User: {user['sAMAccountName']} unixUserPassword: {user['userPassword']}")
+                context.log.highlight(f"User: {user['sAMAccountName']} userPassword: {user['userPassword']}")
         else:
-            context.log.fail("No unixUserPassword Found")
+            context.log.fail("No userPassword Found")

nxc/modules/snipped.py

@@ -1,6 +1,7 @@
 import ntpath
 import os
 from os.path import join, getsize, exists
+from pathlib import PurePosixPath
 from nxc.helpers.misc import CATEGORY
 from nxc.paths import NXC_PATH
 
@@ -84,9 +85,12 @@ def on_admin_login(self, context, connection):
                                 continue
 
                             remote_file_path = ntpath.join(screenshot_path, remote_file_name)
-                            sanitized_path = screenshot_path.replace("\\", "_").replace("/", "_")
-                            local_file_name = f"{folder_name}_{sanitized_path}_{remote_file_name}"
-                            local_file_path = join(user_output_dir, local_file_name)
+                            # replace \\ with underscores and ignore absolute path or path traversal attempts
+                            clean_screenshot_path = "_".join(p for p in PurePosixPath(screenshot_path.replace("\\", "/")).parts if p not in ("..", ".", "/"))
+                            clean_file = "_".join(p for p in PurePosixPath(remote_file_name.replace("\\", "/")).parts if p not in ("..", ".", "/"))
+
+                            local_file_path = join(user_output_dir, f"{clean_screenshot_path}_{clean_file}")
+                            context.log.debug(f"{local_file_path=}")
 
                             try:
                                 with open(local_file_path, "wb") as local_file:
@@ -107,7 +111,7 @@ def on_admin_login(self, context, connection):
                                 context.log.debug(f"Failed to download '{remote_file_path}' for user {folder_name}: {e}")
 
         if total_files_downloaded > 0 and host_output_path:
-            context.log.success(f"{total_files_downloaded} file(s) downloaded from host {connection.host} to {host_output_path}.")
+            context.log.success(f"{total_files_downloaded} file(s) downloaded from host {connection.host} to {host_output_path}/")
 
     def find_screenshots_folders(self, user_folder_name):
         """

nxc/modules/spider_plus.py

@@ -1,7 +1,8 @@
 import json
 import errno
-from os.path import abspath, join, split, exists, splitext, getsize, sep
+from os.path import abspath, join, exists, splitext, getsize
 from os import makedirs, remove, stat
+from pathlib import Path, PurePosixPath
 import time
 from nxc.helpers.misc import CATEGORY
 from nxc.paths import NXC_PATH
@@ -167,19 +168,15 @@ def read_chunk(self, remote_file, chunk_size=CHUNK_SIZE):
     def get_file_save_path(self, remote_file):
         r"""Processes the remote file path to extract the filename and the folder path where the file should be saved locally.
 
-        It converts forward slashes (/) and backslashes (\) in the remote file path to the appropriate path separator for the local file system.
-        The folder path and filename are then obtained separately.
+        Creates a PurePosixPath and replaces UNC parts, then cleans it of any path traversal (see issue #1120)
         """
-        # Remove the backslash before the remote host part and replace slashes with the appropriate path separator
-        remote_file_path = str(remote_file)[2:].replace("/", sep).replace("\\", sep)
-
-        # Split the path to obtain the folder path and the filename
-        folder, filename = split(remote_file_path)
-
-        # Join the output folder with the folder path to get the final local folder path
-        folder = join(self.output_folder, folder)
-
-        return folder, filename
+        self.logger.debug(f"Remote file: {remote_file}")
+        raw_path = PurePosixPath(remote_file._RemoteFile__share, remote_file._RemoteFile__fileName.replace("\\", "/"))
+        self.logger.debug(f"Raw path: {remote_file}")
+        clean_parts = [p for p in raw_path.parts if p not in ("..", ".")]
+        resolved = Path(self.output_folder).joinpath(self.host, *clean_parts)
+        self.logger.debug(f"Resolved path: {resolved}")
+        return str(resolved.parent), resolved.name
 
     def spider_shares(self):
         """Enumerates all available shares for the SMB connection, spiders through the readable shares, and saves the metadata of the shares to a JSON file"""

nxc/protocols/nfs.py

@@ -366,7 +366,7 @@ def get_file(self):
             curr_fh = mount_fh
             for sub_path in remote_file_path.lstrip("/").split("/"):
                 # Update the UID for the next object and get the handle
-                self.update_auth(mount_fh)
+                self.update_auth(curr_fh)
                 res = self.nfs3.lookup(curr_fh, sub_path, auth=self.auth)
 
                 # Check for a bad path
@@ -448,7 +448,7 @@ def put_file(self):
             curr_fh = mount_fh
             # If target dir is "" or "/" without filter we would get one item with [""]
             for sub_path in list(filter(None, remote_dir_path.lstrip("/").split("/"))):
-                self.update_auth(mount_fh)
+                self.update_auth(curr_fh)
                 res = self.nfs3.lookup(curr_fh, sub_path, auth=self.auth)
 
                 # If the path does not exist, create it

nxc/protocols/rdp.py

@@ -19,10 +19,13 @@
 from aardwolf.commons.target import RDPTarget
 from aardwolf.keyboard.layoutmanager import KeyboardLayoutManager
 from aardwolf.protocol.x224.constants import SUPP_PROTOCOLS
+from aardwolf.network.x224 import X224Network
+from aardwolf.network.tpkt import TPKTPacketizer
 from asyauth.common.credentials.ntlm import NTLMCredential
 from asyauth.common.credentials.kerberos import KerberosCredential
 from asyauth.common.constants import asyauthSecret
 from asysocks.unicomm.common.target import UniTarget, UniProto
+from asysocks.unicomm.client import UniClient
 
 
 class rdp(connection):
@@ -33,12 +36,10 @@ def __init__(self, args, db, host):
         self.iosettings.video_out_format = VIDEO_FORMAT.RAW
         self.iosettings.clipboard_use_pyperclip = False
         self.protoflags_nla = [
-            SUPP_PROTOCOLS.SSL | SUPP_PROTOCOLS.RDP,
             SUPP_PROTOCOLS.SSL,
             SUPP_PROTOCOLS.RDP,
         ]
         self.protoflags = [
-            SUPP_PROTOCOLS.SSL | SUPP_PROTOCOLS.RDP,
             SUPP_PROTOCOLS.SSL,
             SUPP_PROTOCOLS.RDP,
             SUPP_PROTOCOLS.SSL | SUPP_PROTOCOLS.HYBRID,
@@ -113,7 +114,7 @@ def create_conn_obj(self):
         self.target = RDPTarget(ip=self.host, domain="FAKE", port=self.port, timeout=self.args.rdp_timeout)
         self.auth = NTLMCredential(secret="pass", username="user", domain="FAKE", stype=asyauthSecret.PASS)
 
-        self.check_nla()
+        asyncio.run(self.check_nla())
 
         for proto in reversed(self.protoflags):
             try:
@@ -165,22 +166,26 @@ def create_conn_obj(self):
 
         return True
 
-    def check_nla(self):
+    async def check_nla(self):
         self.logger.debug(f"Checking NLA for {self.host}")
-        for proto in self.protoflags_nla:
-            try:
-                self.iosettings.supported_protocols = proto
-                self.conn = RDPConnection(
-                    iosettings=self.iosettings,
-                    target=self.target,
-                    credentials=self.auth,
-                )
-                asyncio.run(self.connect_rdp())
-                if proto.value == SUPP_PROTOCOLS.RDP or proto.value == SUPP_PROTOCOLS.SSL or proto.value == SUPP_PROTOCOLS.SSL | SUPP_PROTOCOLS.RDP:
-                    self.nla = False
-                    return
-            except Exception:
-                pass
+        try:
+            self.iosettings.supported_protocols = SUPP_PROTOCOLS.SSL
+            self.conn = RDPConnection(
+                iosettings=self.iosettings,
+                target=self.target,
+                credentials=None,
+            )
+            packetizer = TPKTPacketizer()
+            client = UniClient(self.target, packetizer)
+            self.conn._connection = await asyncio.wait_for(client.connect(), timeout=self.args.rdp_timeout)
+            self.conn._x224net = X224Network(self.conn._connection)
+            _, err = await asyncio.wait_for(self.conn._x224net.client_negotiate(0, SUPP_PROTOCOLS.SSL), timeout=self.args.rdp_timeout)
+            # If no error SSL supported if SSL_NOT_ALLOWED_BY_SERVER error, plain RDP supported
+            if err is None or "SSL_NOT_ALLOWED_BY_SERVER" in str(err):
+                self.nla = False
+                return
+        except Exception:
+            pass
 
     async def connect_rdp(self):
         _, err = await asyncio.wait_for(self.conn.connect(), timeout=self.args.rdp_timeout)