Merge branch 'main' into patch-8

Author: mpgn

nxc/connection.py

@@ -384,7 +384,7 @@ def parse_credentials(self):
             if isfile(user):
                 with open(user) as user_file:
                     for line in user_file:
-                        if "\\" in line:
+                        if "\\" in line and len(line.split("\\")) == 2:
                             domain_single, username_single = line.split("\\")
                         else:
                             domain_single = self.args.domain if hasattr(self.args, "domain") and self.args.domain else self.domain

nxc/modules/adcs.py

@@ -49,10 +49,10 @@ def on_login(self, context, connection):
 
         try:
             sc = ldap.SimplePagedResultsControl()
-            base_dn_root = connection.ldapConnection._baseDN if self.base_dn is None else self.base_dn
+            base_dn_root = connection.ldap_connection._baseDN if self.base_dn is None else self.base_dn
 
             if self.server is None:
-                connection.ldapConnection.search(
+                connection.ldap_connection.search(
                     searchFilter=search_filter,
                     attributes=[],
                     sizeLimit=0,
@@ -61,7 +61,7 @@ def on_login(self, context, connection):
                     searchBase="CN=Configuration," + base_dn_root,
                 )
             else:
-                connection.ldapConnection.search(
+                connection.ldap_connection.search(
                     searchFilter=search_filter + base_dn_root + ")",
                     attributes=["certificateTemplates"],
                     sizeLimit=0,

nxc/modules/daclread.py

@@ -274,8 +274,8 @@ def on_login(self, context, connection):
         self.context = context
         """On a successful LDAP login we perform a search for the targets' SID, their Security Descriptors and the principal's SID if there is one specified"""
         context.log.highlight("Be careful, this module cannot read the DACLS recursively.")
-        self.baseDN = connection.ldapConnection._baseDN
-        self.ldap_session = connection.ldapConnection
+        self.baseDN = connection.ldap_connection._baseDN
+        self.ldap_session = connection.ldap_connection
 
         # Searching for the principal SID
         if self.principal_sAMAccountName is not None:

nxc/modules/enum_impersonate.py

@@ -0,0 +1,46 @@
+class NXCModule:
+    """
+    Enumerate SQL Server users with impersonation rights
+    Module by deathflamingo
+    """
+
+    name = "enum_impersonate"
+    description = "Enumerate users with impersonation privileges"
+    supported_protocols = ["mssql"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self):
+        self.mssql_conn = None
+        self.context = None
+
+    def on_login(self, context, connection):
+        self.context = context
+        self.mssql_conn = connection.conn
+        impersonate_users = self.get_impersonate_users()
+        if impersonate_users:
+            self.context.log.success("Users with impersonation rights:")
+            for user in impersonate_users:
+                self.context.log.display(f"  - {user}")
+        else:
+            self.context.log.fail("No users with impersonation rights found.")
+
+    def get_impersonate_users(self) -> list:
+        """
+        Fetches a list of users with impersonation rights.
+
+        Returns
+        -------
+        list: List of user names.
+        """
+        query = """
+        SELECT DISTINCT b.name
+        FROM sys.server_permissions a
+        INNER JOIN sys.server_principals b
+        ON a.grantor_principal_id = b.principal_id
+        WHERE a.permission_name LIKE 'IMPERSONATE%'
+        """
+        res = self.mssql_conn.sql_query(query)
+        return [user["name"] for user in res] if res else []
+    def options(self, context, module_options):
+        pass

nxc/modules/enum_links.py

@@ -0,0 +1,53 @@
+class NXCModule:
+    """
+    Enumerate SQL Server linked servers
+    Module by deathflamingo, NeffIsBack
+    """
+
+    name = "enum_links"
+    description = "Enumerate linked SQL Servers and their login configurations."
+    supported_protocols = ["mssql"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self):
+        self.mssql_conn = None
+        self.context = None
+
+    def options(self, context, module_options):
+        pass
+
+    def on_login(self, context, connection):
+        self.context = context
+        self.mssql_conn = connection.conn
+        linked_servers = self.get_linked_servers()
+        if linked_servers:
+            self.context.log.success("Linked servers found:")
+            for server in linked_servers:
+                self.context.log.display(f"  - {server}")
+        else:
+            self.context.log.fail("No linked servers found.")
+
+    def on_admin_login(self, context, connection):
+        res = self.mssql_conn.sql_query("EXEC sp_helplinkedsrvlogin")
+        srvs = [srv for srv in res if srv["Local Login"] != "NULL"]
+        if not srvs:
+            self.context.log.fail("No linked servers found.")
+            return
+        self.context.log.success("Linked servers found:")
+        for srv in srvs:
+            self.context.log.display(f"Linked server: {srv['Linked Server']}")
+            self.context.log.display(f"  - Local login: {srv['Local Login']}")
+            self.context.log.display(f"  - Remote login: {srv['Remote Login']}")
+
+    def get_linked_servers(self) -> list:
+        """
+        Fetches a list of linked servers.
+
+        Returns
+        -------
+        list: List of linked server names.
+        """
+        query = "EXEC sp_linkedservers;"
+        res = self.mssql_conn.sql_query(query)
+        return [server["SRV_NAME"] for server in res] if res else []

nxc/modules/enum_logins.py

@@ -0,0 +1,40 @@
+class NXCModule:
+    """
+    Enumerate SQL Server logins
+    Module by deathflamingo
+    """
+
+    name = "enum_logins"
+    description = "Enumerate SQL Server logins"
+    supported_protocols = ["mssql"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self):
+        self.mssql_conn = None
+        self.context = None
+
+    def on_login(self, context, connection):
+        self.context = context
+        self.mssql_conn = connection.conn
+        logins = self.get_logins()
+        if logins:
+            self.context.log.success("Logins found:")
+            for login in logins:
+                self.context.log.display(f"  - {login}")
+        else:
+            self.context.log.fail("No logins found.")
+
+    def get_logins(self) -> list:
+        """
+        Fetches a list of SQL Server logins.
+
+        Returns
+        -------
+        list: List of login names.
+        """
+        query = "SELECT name FROM sys.server_principals WHERE type_desc = 'SQL_LOGIN';"
+        res = self.mssql_conn.sql_query(query)
+        return [login["name"] for login in res] if res else []
+    def options(self, context, module_options):
+        pass

nxc/modules/enum_trusts.py

@@ -21,7 +21,7 @@ def on_login(self, context, connection):
         attributes = ["flatName", "trustPartner", "trustDirection", "trustAttributes"]
 
         context.log.debug(f"Search Filter={search_filter}")
-        resp = connection.ldapConnection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)
+        resp = connection.ldap_connection.search(searchFilter=search_filter, attributes=attributes, sizeLimit=0)
 
         trusts = []
         context.log.debug(f"Total of records returned {len(resp)}")

nxc/modules/exec_on_link.py

@@ -0,0 +1,42 @@
+class NXCModule:
+    """
+    Execute commands on linked servers
+    Module by deathflamingo
+    """
+
+    name = "exec_on_link"
+    description = "Execute commands on a SQL Server linked server"
+    supported_protocols = ["mssql"]
+    opsec_safe = False
+    multiple_hosts = False
+
+    def __init__(self):
+        self.mssql_conn = None
+        self.context = None
+        self.linked_server = None
+        self.command = None
+
+    def options(self, context, module_options):
+        """
+        LINKED_SERVER: The name of the linked server to execute the command on.
+        COMMAND: The command to execute on the linked server.
+        """
+        if "LINKED_SERVER" in module_options:
+            self.linked_server = module_options["LINKED_SERVER"]
+        if "COMMAND" in module_options:
+            self.command = module_options["COMMAND"]
+
+    def on_login(self, context, connection):
+        self.context = context
+        self.mssql_conn = connection.conn
+        if not self.linked_server or not self.command:
+            self.context.log.fail("Please specify both LINKED_SERVER and COMMAND options.")
+            return
+
+        self.execute_on_link()
+
+    def execute_on_link(self):
+        """Executes the specified command on the linked server."""
+        query = f"EXEC ('{self.command}') AT [{self.linked_server}];"
+        result = self.mssql_conn.sql_query(query)
+        self.context.log.display(f"Command output: {result}")

nxc/modules/find-computer.py

@@ -39,7 +39,7 @@ def on_login(self, context, connection):
 
         try:
             context.log.debug(f"Search Filter={search_filter}")
-            resp = connection.ldapConnection.search(searchFilter=search_filter, attributes=["dNSHostName", "operatingSystem"], sizeLimit=0)
+            resp = connection.ldap_connection.search(searchFilter=search_filter, attributes=["dNSHostName", "operatingSystem"], sizeLimit=0)
         except LDAPSearchError as e:
             if e.getErrorString().find("sizeLimitExceeded") >= 0:
                 context.log.debug("sizeLimitExceeded exception caught, giving up and processing the data received")

nxc/modules/get-desc-users.py

@@ -40,7 +40,7 @@ def on_login(self, context, connection):
 
         try:
             context.log.debug(f"Search Filter={searchFilter}")
-            resp = connection.ldapConnection.search(
+            resp = connection.ldap_connection.search(
                 searchFilter=searchFilter,
                 attributes=["sAMAccountName", "description"],
                 sizeLimit=0,