Merge pull request Pennyw0rth#739 from Pennyw0rth/fix_is_dc

mpgn · web-flow · commit f227432e7d17 · 2025-06-17T13:54:08.000+02:00
Fix function to check if hosts is a dc or not
diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py
@@ -663,17 +663,65 @@ def generate_tgt(self):
         except Exception as e:
             self.logger.fail(f"Failed to get TGT: {e}")
 
+    def check_dc_ports(self, timeout=1):
+        """Check multiple DC-specific ports in case first check fails"""
+        import socket
+        dc_ports = [88, 389, 636, 3268, 9389]  # Kerberos, LDAP, LDAPS, Global Catalog, ADWS
+        open_ports = 0
+
+        for port in dc_ports:
+            try:
+                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+                sock.settimeout(timeout)
+                result = sock.connect_ex((self.host, port))
+                if result == 0:
+                    self.logger.debug(f"Port {port} is open on {self.host}")
+                    open_ports += 1
+                sock.close()
+            except Exception:
+                pass
+        # If 3 or more DC ports are open, likely a DC
+        return open_ports >= 3
+
     def is_host_dc(self):
         from impacket.dcerpc.v5 import nrpc, epm
+
         self.logger.debug("Performing authentication attempts...")
+        
+        # First check if port 135 is open
+        if self._is_port_open(135):
+            self.logger.debug("Port 135 is open, attempting MSRPC connection...")
+            try:
+                epm.hept_map(self.host, nrpc.MSRPC_UUID_NRPC, protocol="ncacn_ip_tcp")
+                self.isdc = True
+                return True
+            except DCERPCException:
+                self.logger.debug("Error while connecting to host: DCERPCException, which means this is probably not a DC!")
+            except TimeoutError:
+                self.logger.debug("Timeout while connecting to host: likely not a DC or host is unreachable.")
+            except Exception as e:
+                self.logger.debug(f"Error while connecting to host: {e}")
+            self.isdc = False
+            return False
+        else:
+            self.logger.debug("Port 135 is closed, skipping MSRPC check...")
+            # Fallback to checking DC ports
+            if self.check_dc_ports():
+                self.logger.debug("Host appears to be a DC (multiple DC ports open)")
+                self.isdc = True
+                return True
+
+    def _is_port_open(self, port, timeout=1):
+        """Check if a specific port is open on the target host."""
+        import socket
         try:
-            epm.hept_map(self.host, nrpc.MSRPC_UUID_NRPC, protocol="ncacn_ip_tcp")
-            self.isdc = True
-            return True
-        except DCERPCException:
-            self.logger.debug("Error while connecting to host: DCERPCException, which means this is probably not a DC!")
-        self.isdc = False
-        return False
+            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+                sock.settimeout(timeout)
+                result = sock.connect_ex((self.host, port))
+                return result == 0
+        except Exception as e:
+            self.logger.debug(f"Error checking port {port} on {self.host}: {e}")
+            return False
 
     @requires_admin
     def execute(self, payload=None, get_output=False, methods=None) -> str:
