Merge branch 'Pennyw0rth:main' into module_snipped

Pennyw0rth · Nov 23, 2024 · ae35552 · ae35552
2 parents 969969b + 05ad3c6
commit ae35552
Show file tree

Hide file tree

Showing 14 changed files with 307 additions and 109 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,11 +1,3 @@
----
-name: Pull request
-about: Update code to fix a bug or add an enhancement/feature
-title: ''
-labels: ''
-assignees: ''
-
----
 ## Description
 
 Please include a summary of the change and which issue is fixed, or what the enhancement does.

diff --git a/nxc/helpers/args.py b/nxc/helpers/args.py
@@ -1,4 +1,5 @@
 from argparse import ArgumentDefaultsHelpFormatter, SUPPRESS, OPTIONAL, ZERO_OR_MORE
+from argparse import Action
 
 class DisplayDefaultsNotNone(ArgumentDefaultsHelpFormatter):
     def _get_help_string(self, action):
@@ -7,4 +8,18 @@ def _get_help_string(self, action):
             defaulting_nargs = [OPTIONAL, ZERO_OR_MORE]
             if (action.option_strings or action.nargs in defaulting_nargs) and action.default:  # Only add default info if it's not None
                 help_string += " (default: %(default)s)"  # NORUFF
-        return help_string
+        return help_string
+
+
+class DefaultTrackingAction(Action):
+    def __init__(self, option_strings, dest, default=None, required=False, **kwargs):
+        # Store the default value to check later
+        self.default_value = default
+        super().__init__(
+            option_strings, dest, default=default, required=required, **kwargs
+        )
+
+    def __call__(self, parser, namespace, values, option_string=None):
+        # Set an attribute to track whether the value was explicitly set
+        setattr(namespace, self.dest, values)
+        setattr(namespace, f"{self.dest}_explicitly_set", True)
diff --git a/nxc/modules/ioxidresolver.py b/nxc/modules/ioxidresolver.py
@@ -17,7 +17,8 @@ class NXCModule:
     multiple_hosts = True
 
     def options(self, context, module_options):
-        """No module options"""
+        """DIFFERENT show only ip address if different from target ip (Default: False)"""
+        self.pivot = module_options.get("DIFFERENT", "false").lower() in ["true", "1"]
 
     def on_login(self, context, connection):
         try:
@@ -37,7 +38,11 @@ def on_login(self, context, connection):
                 NetworkAddr = binding["aNetworkAddr"]
                 try:
                     ip_address(NetworkAddr[:-1])
-                    context.log.highlight(f"Address: {NetworkAddr}")
+                    if self.pivot:
+                        if NetworkAddr.rstrip("\x00") != connection.host:
+                            context.log.highlight(f"Address: {NetworkAddr}")
+                    else:
+                        context.log.highlight(f"Address: {NetworkAddr}")
                 except Exception as e:
                     context.log.debug(e)
         except DCERPCException as e:

diff --git a/nxc/modules/schtask_as.py b/nxc/modules/schtask_as.py
@@ -1,6 +1,7 @@
+import contextlib
 import os
 from time import sleep
-from datetime import datetime
+from datetime import datetime, timedelta
 from impacket.dcerpc.v5.dtypes import NULL
 from impacket.dcerpc.v5 import tsch, transport
 from nxc.helpers.misc import gen_random_string
@@ -91,6 +92,10 @@ def on_admin_login(self, context, connection):
         except Exception as e:
             if "SCHED_S_TASK_HAS_NOT_RUN" in str(e):
                 self.logger.fail("Task was not run, seems like the specified user has no active session on the target")
+                with contextlib.suppress(Exception):
+                    exec_method.deleteartifact()
+            else:
+                self.logger.fail(f"Failed to execute command: {e}")
 
 
 class TSCH_EXEC:
@@ -143,6 +148,18 @@ def __init__(self, target, share_name, username, password, domain, user, cmd, fi
             )
             self.__rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
 
+    def deleteartifact(self):
+        dce = self.__rpctransport.get_dce_rpc()
+        if self.__doKerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+        dce.set_credentials(*self.__rpctransport.get_credentials())
+        dce.connect()
+        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
+        dce.bind(tsch.MSRPC_UUID_TSCHS)
+        self.logger.display(f"Deleting task \\{self.task}")
+        tsch.hSchRpcDelete(dce, f"\\{self.task}")
+        dce.disconnect()
+
     def execute(self, command, output=False):
         self.__retOutput = output
         self.execute_handler(command)
@@ -151,24 +168,20 @@ def execute(self, command, output=False):
     def output_callback(self, data):
         self.__outputBuffer = data
 
-    def get_current_date(self):
-        # Get current date and time
-        now = datetime.now()
+    def get_end_boundary(self):
+        # Get current date and time + 5 minutes
+        end_boundary = datetime.now() + timedelta(minutes=5)
 
         # Format it to match the format in the XML: "YYYY-MM-DDTHH:MM:SS.ssssss"
-        return now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
+        return end_boundary.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
 
     def gen_xml(self, command, fileless=False):
         xml = f"""<?xml version="1.0" encoding="UTF-16"?>
 <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
   <Triggers>
-    <CalendarTrigger>
-      <StartBoundary>{self.get_current_date()}</StartBoundary>
-      <Enabled>true</Enabled>
-      <ScheduleByDay>
-        <DaysInterval>1</DaysInterval>
-      </ScheduleByDay>
-    </CalendarTrigger>
+    <RegistrationTrigger>
+      <EndBoundary>{self.get_end_boundary()}</EndBoundary>
+    </RegistrationTrigger>
   </Triggers>
   <Principals>
     <Principal id="LocalSystem">
@@ -224,53 +237,58 @@ def gen_xml(self, command, fileless=False):
 
     def execute_handler(self, command, fileless=False):
         dce = self.__rpctransport.get_dce_rpc()
+
         if self.__doKerberos:
             dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
 
         dce.set_credentials(*self.__rpctransport.get_credentials())
         dce.connect()
-        tmpName = gen_random_string(8) if self.task is None else self.task
+        # Give self.task a random string as name if not already specified
+        self.task = gen_random_string(8) if self.task is None else self.task
         xml = self.gen_xml(command, fileless)
 
         self.logger.info(f"Task XML: {xml}")
-        taskCreated = False
-        self.logger.info(f"Creating task \\{tmpName}")
+        self.logger.info(f"Creating task \\{self.task}")
         try:
             # windows server 2003 has no MSRPC_UUID_TSCHS, if it bind, it will return abstract_syntax_not_supported
             dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
             dce.bind(tsch.MSRPC_UUID_TSCHS)
-            tsch.hSchRpcRegisterTask(dce, f"\\{tmpName}", xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
+            tsch.hSchRpcRegisterTask(dce, f"\\{self.task}", xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
         except Exception as e:
             if "ERROR_NONE_MAPPED" in str(e):
                 self.logger.fail(f"User {self.user} is not connected on the target, cannot run the task")
-            if e.error_code and hex(e.error_code) == "0x80070005":
-                self.logger.fail("Schtask_as: Create schedule task got blocked.")
-            if "ERROR_TRUSTED_DOMAIN_FAILURE" in str(e):
+                with contextlib.suppress(Exception):
+                    tsch.hSchRpcDelete(dce, f"\\{self.task}")
+            elif e.error_code and hex(e.error_code) == "0x80070005":
+                self.logger.fail("Create schedule task got blocked.")
+                with contextlib.suppress(Exception):
+                    tsch.hSchRpcDelete(dce, f"\\{self.task}")
+            elif "ERROR_TRUSTED_DOMAIN_FAILURE" in str(e):
                 self.logger.fail(f"User {self.user} does not exist in the domain.")
+                with contextlib.suppress(Exception):
+                    tsch.hSchRpcDelete(dce, f"\\{self.task}")
+            elif "SCHED_S_TASK_HAS_NOT_RUN" in str(e):
+                with contextlib.suppress(Exception):
+                    tsch.hSchRpcDelete(dce, f"\\{self.task}")
+            elif "ERROR_ALREADY_EXISTS" in str(e):
+                self.logger.fail(f"Create schedule task failed: {e}")
             else:
-                self.logger.fail(f"Schtask_as: Create schedule task failed: {e}")
+                self.logger.fail(f"Create schedule task failed: {e}")
+                with contextlib.suppress(Exception):
+                    tsch.hSchRpcDelete(dce, f"\\{self.task}")
             return
-        else:
-            taskCreated = True
-
-        self.logger.info(f"Running task \\{tmpName}")
-        tsch.hSchRpcRun(dce, f"\\{tmpName}")
 
         done = False
         while not done:
-            self.logger.debug(f"Calling SchRpcGetLastRunInfo for \\{tmpName}")
-            resp = tsch.hSchRpcGetLastRunInfo(dce, f"\\{tmpName}")
+            self.logger.debug(f"Calling SchRpcGetLastRunInfo for \\{self.task}")
+            resp = tsch.hSchRpcGetLastRunInfo(dce, f"\\{self.task}")
             if resp["pLastRuntime"]["wYear"] != 0:
                 done = True
             else:
                 sleep(2)
 
-        self.logger.info(f"Deleting task \\{tmpName}")
-        tsch.hSchRpcDelete(dce, f"\\{tmpName}")
-        taskCreated = False
-
-        if taskCreated is True:
-            tsch.hSchRpcDelete(dce, f"\\{tmpName}")
+        self.logger.info(f"Deleting task \\{self.task}")
+        tsch.hSchRpcDelete(dce, f"\\{self.task}")
 
         if self.__retOutput:
             if fileless:

diff --git a/nxc/modules/veeam.py b/nxc/modules/veeam.py
@@ -142,7 +142,7 @@ def printCreds(self, context, output):
             context.log.fail("Access denied! This is probably due to an AntiVirus software blocking the execution of the PowerShell script.")
 
         # Stripping whitespaces and newlines
-        output_stripped = [" ".join(line.split()) for line in output.split("\r\n") if line.strip()]
+        output_stripped = [line for line in output.replace("\r", "").split("\n") if line.strip()]
 
         # Error handling
         if "Can't connect to DB! Exiting..." in output_stripped or "No passwords found!" in output_stripped:
@@ -154,7 +154,8 @@ def printCreds(self, context, output):
         try:
             for account in output_stripped:
                 user, password = account.split(" ", 1)
-                password = password.replace("WHITESPACE_ERROR", " ")
+                password = password.strip().replace("WHITESPACE_ERROR", " ")
+                user = user.strip()
                 context.log.highlight(f"{user}:{password}")
                 if " " in password:
                     context.log.fail(f'Password contains whitespaces! The password for user "{user}" is: "{password}"')

diff --git a/nxc/parsers/ldap_results.py b/nxc/parsers/ldap_results.py
@@ -1,5 +1,6 @@
 from impacket.ldap import ldapasn1 as ldapasn1_impacket
 
+
 def parse_result_attributes(ldap_response):
     parsed_response = []
     for entry in ldap_response:
@@ -8,7 +9,15 @@ def parse_result_attributes(ldap_response):
             continue
         attribute_map = {}
         for attribute in entry["attributes"]:
-            val = [str(val).encode(val.encoding).decode("utf-8") for val in attribute["vals"].components]
-            attribute_map[str(attribute["type"])] = val if len(val) > 1 else val[0]
+            val_list = []
+            for val in attribute["vals"].components:
+                try:
+                    encoding = val.encoding
+                    val_decoded = str(val).encode(encoding).decode("utf-8")
+                except UnicodeDecodeError:
+                    # If we can't decode the value, we'll just return the bytes
+                    val_decoded = val.__bytes__()
+                val_list.append(val_decoded)
+            attribute_map[str(attribute["type"])] = val_list if len(val_list) > 1 else val_list[0]
         parsed_response.append(attribute_map)
-    return parsed_response
+    return parsed_response
diff --git a/nxc/parsers/nmap.py b/nxc/parsers/nmap.py
@@ -3,14 +3,16 @@
 
 # right now we are only referencing the port numbers, not the service name, but this should be sufficient for 99% cases
 protocol_dict = {
-    "Ftp": {"ports": [21], "services": ["Ftp"]},
+    "ftp": {"ports": [21], "services": ["ftp"]},
     "ssh": {"ports": [22, 2222], "services": ["ssh"]},
     "smb": {"ports": [139, 445], "services": ["netbios-ssn", "microsoft-ds"]},
     "ldap": {"ports": [389, 636], "services": ["ldap", "ldaps"]},
     "mssql": {"ports": [1433], "services": ["ms-sql-s"]},
     "rdp": {"ports": [3389], "services": ["ms-wbt-server"]},
     "winrm": {"ports": [5985, 5986], "services": ["wsman"]},
     "vnc": {"ports": [5900, 5901, 5902, 5903, 5904, 5905, 5906], "services": ["vnc"]},
+    "wmi": {"ports": [135], "services": ["msrpc"]},
+    "nfs": {"ports": [2049], "services": ["nfs"]},
 }
 
 

diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -21,12 +21,14 @@
     UF_DONT_REQUIRE_PREAUTH,
     UF_TRUSTED_FOR_DELEGATION,
     UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION,
+    UF_SERVER_TRUST_ACCOUNT,
 )
 from impacket.dcerpc.v5.transport import DCERPCTransportFactory
 from impacket.krb5 import constants
 from impacket.krb5.kerberosv5 import getKerberosTGS, SessionKeyDecryptionError
 from impacket.krb5.types import Principal, KerberosException
 from impacket.ldap import ldap as ldap_impacket
+from impacket.ldap import ldaptypes
 from impacket.ldap import ldapasn1 as ldapasn1_impacket
 from impacket.ldap.ldap import LDAPFilterSyntaxError
 from impacket.smb import SMB_DIALECT
@@ -1084,6 +1086,107 @@ def query(self):
                     vals = vals.replace("SetOf: ", "")
                 self.logger.highlight(f"{attr:<20} {vals}")
 
+    def find_delegation(self):
+        def printTable(items, header):
+            colLen = []
+
+            # Calculating maximum lenght before parsing CN.
+            for i, col in enumerate(header):
+                rowMaxLen = max(len(row[1].split(",")[0].split("CN=")[-1]) for row in items) if i == 1 else max(len(str(row[i])) for row in items)
+                colLen.append(max(rowMaxLen, len(col)))
+
+            # Create the format string for each row
+            outputFormat = " ".join([f"{{{num}:{width}s}}" for num, width in enumerate(colLen)])
+
+            # Print header
+            self.logger.highlight(outputFormat.format(*header))
+            self.logger.highlight(" ".join(["-" * itemLen for itemLen in colLen]))
+
+            # Print rows
+            for row in items:
+                # Get first CN value.
+                if "CN=" in row[1]:
+                    row[1] = row[1].split(",")[0].split("CN=")[-1]
+
+                # Added join for DelegationRightsTo
+                row[3] = ", ".join(str(x) for x in row[3]) if isinstance(row[3], list) else row[3]
+
+                self.logger.highlight(outputFormat.format(*row))
+
+        # Building the search filter
+        search_filter = (f"(&(|(UserAccountControl:1.2.840.113556.1.4.803:={UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION})"
+                         f"(UserAccountControl:1.2.840.113556.1.4.803:={UF_TRUSTED_FOR_DELEGATION})"
+                         "(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"
+                         f"(!(UserAccountControl:1.2.840.113556.1.4.803:={UF_ACCOUNTDISABLE})))")
+        # f"(!(UserAccountControl:1.2.840.113556.1.4.803:={UF_SERVER_TRUST_ACCOUNT})))")  This would filter out RBCD to DCs
+
+        attributes = ["sAMAccountName", "pwdLastSet", "userAccountControl", "objectCategory",
+                      "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-AllowedToDelegateTo"]
+
+        resp = self.search(search_filter, attributes)
+        answers = []
+        self.logger.debug(f"Total of records returned {len(resp):d}")
+        resp_parse = parse_result_attributes(resp)
+
+        for item in resp_parse:
+            sAMAccountName = ""
+            userAccountControl = 0
+            delegation = ""
+            objectType = ""
+            rightsTo = []
+            protocolTransition = 0
+
+            try:
+                sAMAccountName = item["sAMAccountName"]
+
+                userAccountControl = int(item["userAccountControl"])
+                objectType = item.get("objectCategory")
+
+                # Filter out DCs, unconstrained delegation to DCs is not a useful information
+                if userAccountControl & UF_TRUSTED_FOR_DELEGATION and not userAccountControl & UF_SERVER_TRUST_ACCOUNT:
+                    delegation = "Unconstrained"
+                    rightsTo.append("N/A")
+                elif userAccountControl & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
+                    delegation = "Constrained w/ Protocol Transition"
+                    protocolTransition = 1
+
+                if item.get("msDS-AllowedToDelegateTo") is not None:
+                    if protocolTransition == 0:
+                        delegation = "Constrained"
+                    rightsTo = item.get("msDS-AllowedToDelegateTo")
+
+                # Not an elif as an object could both have RBCD and another type of delegation
+                if item.get("msDS-AllowedToActOnBehalfOfOtherIdentity") is not None:
+                    databyte = item.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
+                    rbcdRights = []
+                    rbcdObjType = []
+                    sd = ldaptypes.SR_SECURITY_DESCRIPTOR(data=bytes(databyte))
+                    if len(sd["Dacl"].aces) > 0:
+                        search_filter = "(&(|"
+                        for ace in sd["Dacl"].aces:
+                            search_filter += "(objectSid=" + ace["Ace"]["Sid"].formatCanonical() + ")"
+                        search_filter += f")(!(UserAccountControl:1.2.840.113556.1.4.803:={UF_ACCOUNTDISABLE})))"
+                        delegUserResp = self.search(search_filter, attributes=["sAMAccountName", "objectCategory"])
+                        delegUserResp_parse = parse_result_attributes(delegUserResp)
+
+                        for rbcd in delegUserResp_parse:
+                            rbcdRights.append(str(rbcd.get("sAMAccountName")))
+                            rbcdObjType.append(str(rbcd.get("objectCategory")))
+
+                        for rights, objType in zip(rbcdRights, rbcdObjType):
+                            answers.append([rights, objType, "Resource-Based Constrained", sAMAccountName])
+
+                if delegation in ["Unconstrained", "Constrained", "Constrained w/ Protocol Transition"]:
+                    answers.append([sAMAccountName, objectType, delegation, rightsTo])
+
+            except Exception as e:
+                self.logger.error(f"Skipping item, cannot process due to error {e}")
+
+        if answers:
+            printTable(answers, header=["AccountName", "AccountType", "DelegationType", "DelegationRightsTo"])
+        else:
+            self.logger.fail("No entries found!")
+
     def trusted_for_delegation(self):
         # Building the search filter
         searchFilter = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"