Merge pull request Pennyw0rth#333 from Pennyw0rth/marshall-guest-login

Add output if a successful authentication is via Guest privileges

Author: NeffIsBack

nxc/connection.py

@@ -412,12 +412,22 @@ def parse_credentials(self):
             for ntlm_hash in self.args.hash:
                 if isfile(ntlm_hash):
                     with open(ntlm_hash) as ntlm_hash_file:
-                        for line in ntlm_hash_file:
-                            secret.append(line.strip())
-                            cred_type.append("hash")
+                        for i, line in enumerate(ntlm_hash_file):
+                            line = line.strip()
+                            if len(line) != 32 and len(line) != 65:
+                                self.logger.fail(f"Invalid NTLM hash length on line {(i + 1)} (len {len(line)}): {line}")
+                                continue
+                            else:
+                                secret.append(line)
+                                cred_type.append("hash")
                 else:
-                    secret.append(ntlm_hash)
-                    cred_type.append("hash")
+                    if len(ntlm_hash) != 32 and len(ntlm_hash) != 65:
+                        self.logger.fail(f"Invalid NTLM hash length {len(ntlm_hash)}, authentication not sent")
+                        exit(1)
+                    else:
+                        secret.append(ntlm_hash)
+                        cred_type.append("hash")
+            self.logger.debug(secret)
 
         # Parse AES keys
         if self.args.aesKey:

nxc/protocols/smb.py

@@ -161,6 +161,7 @@ def __init__(self, args, db, host):
         self.no_da = None
         self.no_ntlm = False
         self.protocol = "SMB"
+        self.is_guest = None
 
         connection.__init__(self, args, db, host)
 
@@ -375,7 +376,9 @@ def plaintext_login(self, domain, username, password):
             self.domain = domain
 
             self.conn.login(self.username, self.password, domain)
-
+            self.logger.debug(f"Logged in with password to SMB with {domain}/{self.username}")
+            self.is_guest = bool(self.conn.isGuestSession())
+            self.logger.debug(f"{self.is_guest=}")
             self.check_if_admin()
             self.logger.debug(f"Adding credential: {domain}/{self.username}:{self.password}")
             self.db.add_credential("plaintext", domain, self.username, self.password)
@@ -384,7 +387,7 @@ def plaintext_login(self, domain, username, password):
 
             self.db.add_loggedin_relation(user_id, host_id)
 
-            out = f"{domain}\\{self.username}:{process_secret(self.password)} {self.mark_pwned()}"
+            out = f"{domain}\\{self.username}:{process_secret(self.password)} {self.mark_guest()}{self.mark_pwned()}"
             self.logger.success(out)
 
             if not self.args.local_auth and self.username != "":
@@ -444,14 +447,16 @@ def hash_login(self, domain, username, ntlm_hash):
                 self.nthash = nthash
 
             self.conn.login(self.username, "", domain, lmhash, nthash)
-
+            self.logger.debug(f"Logged in with hash to SMB with {domain}/{self.username}")
+            self.is_guest = bool(self.conn.isGuestSession())
+            self.logger.debug(f"{self.is_guest=}")
             self.check_if_admin()
-            user_id = self.db.add_credential("hash", domain, self.username, nthash)
+            user_id = self.db.add_credential("hash", domain, self.username, self.hash)
             host_id = self.db.get_hosts(self.host)[0].id
 
             self.db.add_loggedin_relation(user_id, host_id)
 
-            out = f"{domain}\\{self.username}:{process_secret(self.hash)} {self.mark_pwned()}"
+            out = f"{domain}\\{self.username}:{process_secret(self.hash)} {self.mark_guest()}{self.mark_pwned()}"
             self.logger.success(out)
 
             if not self.args.local_auth and self.username != "":
@@ -531,6 +536,7 @@ def create_conn_obj(self):
         return bool(self.create_smbv1_conn() or self.create_smbv3_conn())
 
     def check_if_admin(self):
+        self.logger.debug(f"Checking if user is admin on {self.host}")
         rpctransport = SMBTransport(self.conn.getRemoteHost(), 445, r"\svcctl", smb_connection=self.conn)
         dce = rpctransport.get_dce_rpc()
         try:
@@ -544,6 +550,7 @@ def check_if_admin(self):
                 # 0xF003F - SC_MANAGER_ALL_ACCESS
                 # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
                 scmr.hROpenSCManagerW(dce, f"{self.host}\x00", "ServicesActive\x00", 0xF003F)
+                self.logger.debug(f"User is admin on {self.host}!")
                 self.admin_privs = True
             except scmr.DCERPCException:
                 self.admin_privs = False
@@ -1774,3 +1781,6 @@ def add_ntds_hash(ntds_hash, host_id):
         except Exception as e:
             self.logger.debug(f"Error calling remote_ops.finish(): {e}")
         NTDS.finish()
+
+    def mark_guest(self):
+        return highlight(f"{highlight('(Guest)')}" if self.is_guest else "")

tests/data/test_hashes.txt

@@ -0,0 +1,6 @@
+DEADBEEFDEADBEEFDEADBEEFDEADBEEF
+DEADBEEFDEADBEEFDEADBEEFDEADBEEF:DEADBEEFDEADBEEFDEADBEEFDEADBEEF
+TooShort
+ToooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooLong
+fc525c9683e8fe067095ba2ddc971889
+aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889