
Pull Request: Add a Module to See Previous Logins

Open quahac opened this issue 1 year ago • 5 comments

The current NetExec tool does not allow users to quickly check past connections and their access rights. It relies only on the nxcdb or sqlite database files, like smb.db. Because of this limitation, users often have to try multiple login requests to find different login information, which can be time-consuming and inefficient.

I suggest creating a new module called Info to provide a faster way to check past connections. I have a working solution: This module is designed to check the smb.db file for previously connected sessions. It verifies if the connection was established with System or Administrator rights when accessing the host.

Example Usage

┌──(root㉿X)-[~]
└─# nxc -t 512 smb 192.168.56.108
SMB         192.168.56.108  445    DC1              [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:DC1) (domain:domain.com) (signing:True) (SMBv1:True)

┌──(root㉿X)-[~]
└─# nxc -t 512 smb 192.168.56.108 -M info <--
SMB         192.168.56.108  445    DC1              [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:DC1) (domain:domain.com) (signing:True) (SMBv1:True)
INFO        192.168.56.108  445    DC1              [+] (Pwnd3!) domain.com\Administrator:password1 -id=393 <--

┌──(root㉿X)-[~]
└─# nxc -t 512 smb 192.168.56.108 -id=393 <--
SMB         192.168.56.108  445    DC1              [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:DC1) (domain:domain.com) (signing:True) (SMBv1:True)
SMB         192.168.56.108  445    DC1              [+] domain.com\Administrator:password1 (Pwn3d!)  

Example of how it works. Script source: https://github.com/quahac/Netexec-Module-Info

quahac avatar Nov 06 '24 16:11 quahac

Hi, this looks interesting. I would prefer having this as an internal option, for example something like --db-ids perhaps? Also we should probably directly connect to the db object in the protocol (self.conn.db) and use sqlalchemy to communicate with the database.

@ajanvrin take a look at this. That is something similar to what you had in mind, right?

NeffIsBack avatar Nov 06 '24 22:11 NeffIsBack

In my previous version for CrackMapExec, I included more functions, but I streamlined it to focus solely on smb.db for NetExec. I misused some internal options :-], which may inspire you to expand its functionality (or not).

https://github.com/quahac/CME-Module-info

crackmapexec smb 10.10.10.10 -M info --ntds      (Prints Administrator and krbtgt hashes)
    [+] NTDS: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-05-31_081331.ntds
    [+] NTDS: Administrator:500:111f37ed915c5716aad3b435b51404ee:eb37f9cd74303274cb923442a7348ef4:::    
    [+] NTDS: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f031bf1f16bba6f9de84dffcc164e0f8::: 
    [+] NTDS: LM Crack: [hashcat -m 3000 -a 3 /location] or [john --format=lm /location] detected 18x (Prints when available)
    [+] NTDS: NT Crack: [hashcat -m 1000 -a 3 /location] or [john --format=nt /location]   
    


crackmapexec smb 10.10.10.10 -M info --sam       (Prints SAM file only local Administrator with valid password)
    [+] SAM: Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: 


crackmapexec smb 10.10.10.10 -M info --lsa
    [+] LSA: dpapi_machinekey:0x4e467fabe4afb57..ce3730
    [+] LSA: dpapi_userkey:0x0797f33ba6c6043ff7..1558bc
    [+] LSA: NL$KM:c53c6dcd9cff1a4cf8355c4f3c40..32d1be
    


crackmapexec smb 10.10.10.10 -M info --only-file        (Prints all LOG files location)
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-05-31_081331.ntds
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-21_113422.sam
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-23_180720.secrets
    [+] LOG: location: ...snip.. 

crackmapexec smb 10.10.10.10 -M info --only-file --sam
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-21_113422.sam

crackmapexec smb 10.10.10.10 -M info --only-file --lsa
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-23_180720.secrets

crackmapexec smb 10.10.10.10 -M info --only-file --ntds 
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-05-31_081331.ntds

quahac avatar Nov 07 '24 08:11 quahac

Sounds good 👍 feel free to open up a PR so we can properly work on it

NeffIsBack avatar Nov 07 '24 12:11 NeffIsBack

In fact, this would really simplify the use of nxc. There are situations when one account has administrator rights on one host but not on another. Currently, nxc does not allow you to separate one from the other, so you have to combine hosts into groups by credentials and run commands separately for each group (i.e. first for hosts with credentials -id 1, then on hosts with credentials -id 2, etc.). For myself, I implemented this using bash, but it would be much more convenient if nxc automatically selected credentials with administrator rights when authorizing on each host.

Unreachabl avatar Nov 07 '24 21:11 Unreachabl
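The two requests in this thread, looking up which stored credential is already known to be admin on a given host (the opening post) and grouping hosts by the credential that is admin on them so each group can be run with one `-id` (Unreachabl's comment), are both plain queries over the `admin_relations` join table. The following is an added, stand-alone example written for this page; it is not the proposed module's code nor NetExec's own database API. The `hosts`, `users` and `admin_relations` tables and their columns are an assumption that mirrors the shape of NetExec's smb.db; check the real file with `sqlite3 ~/.nxc/workspaces/default/smb.db .schema` before pointing this at it. The rows are constructed sample data, not real hosts or credentials.

```python
import sqlite3

# Assumed schema, modelled on NetExec's smb.db (hosts, users, admin_relations).
# Column names are an assumption for illustration; verify against the real file.
SCHEMA = """
CREATE TABLE hosts (
    id INTEGER PRIMARY KEY,
    ip TEXT,
    hostname TEXT,
    domain TEXT,
    os TEXT
);
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    domain TEXT,
    username TEXT,
    password TEXT,
    credtype TEXT
);
CREATE TABLE admin_relations (
    id INTEGER PRIMARY KEY,
    userid INTEGER REFERENCES users(id),
    hostid INTEGER REFERENCES hosts(id)
);
"""

# Constructed sample data (fictitious hosts and credentials).
SAMPLE_HOSTS = [
    (1, "192.168.56.108", "DC1", "domain.com", "Windows Server 2008 R2 Enterprise 7600 x64"),
    (2, "192.168.56.110", "WS1", "domain.com", "Windows 10 Pro 19045 x64"),
    (3, "192.168.56.111", "WS2", "domain.com", "Windows 10 Pro 19045 x64"),
]
SAMPLE_USERS = [
    (393, "domain.com", "Administrator", "password1", "plaintext"),
    (394, "domain.com", "svc_backup", "Summer2024!", "plaintext"),
    (395, "domain.com", "helpdesk", "8846f7eaee8fb117ad06bdd830b7586c", "hash"),
]
SAMPLE_ADMIN_RELATIONS = [
    (1, 393, 1),  # Administrator is admin on DC1
    (2, 393, 2),  # ... and on WS1
    (3, 394, 3),  # svc_backup is admin on WS2 only
    (4, 395, 2),  # helpdesk (NT hash) is admin on WS1
]


def build_sample_db():
    """Create an in-memory database with the assumed schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?)", SAMPLE_HOSTS)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO admin_relations VALUES (?,?,?)", SAMPLE_ADMIN_RELATIONS)
    conn.commit()
    return conn


def admin_creds_for_host(conn, ip):
    """Every stored credential recorded as admin on the host with this IP.

    Returns (cred_id, domain, username, secret, credtype) tuples ordered by id;
    an empty list means nothing in the database is known to be admin there.
    """
    return conn.execute(
        """
        SELECT u.id, u.domain, u.username, u.password, u.credtype
        FROM admin_relations ar
        JOIN users u ON u.id = ar.userid
        JOIN hosts h ON h.id = ar.hostid
        WHERE h.ip = ?
        ORDER BY u.id
        """,
        (ip,),
    ).fetchall()


def hosts_grouped_by_admin_cred(conn):
    """Map cred_id -> sorted list of host IPs where that credential is admin."""
    groups = {}
    for cred_id, ip in conn.execute(
        "SELECT ar.userid, h.ip FROM admin_relations ar JOIN hosts h ON h.id = ar.hostid"
    ):
        groups.setdefault(cred_id, []).append(ip)
    for ips in groups.values():
        ips.sort()
    return groups


def suggest_commands(conn):
    """One nxc invocation per credential group, using the -id form from this thread.

    Hosts that share an admin credential are passed together so each group is
    run once instead of retrying several logins per host.
    """
    groups = hosts_grouped_by_admin_cred(conn)
    return [
        "nxc smb {} -id {}".format(" ".join(ips), cred_id)
        for cred_id, ips in sorted(groups.items())
    ]


if __name__ == "__main__":
    db = build_sample_db()
    for row in admin_creds_for_host(db, "192.168.56.108"):
        cred_id, domain, user, secret, credtype = row
        print(f"[+] (Pwn3d!) {domain}\\{user}:{secret} ({credtype}) -id {cred_id}")
    for cmd in suggest_commands(db):
        print(cmd)
```

To run it against a real workspace, replace `build_sample_db()` with `sqlite3.connect(path_to_smb_db)` and adjust the column names if the schema differs. Note that a `hash` credtype has to be passed to nxc as an NT hash rather than a password, which the `-id` form handles for you since the database already records the type.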

Hello, thanks for such a great tool as nxc. I tried to find saved, valid creds in nxcdb, but it was empty. Is it possible to make some kind of built-in credDB, with grouping by net mask and protocol inside? THX

SantaLaMuerte avatar Feb 18 '25 21:02 SantaLaMuerte