
Pull Request: Add a Module to See Previous Logins #484

Open
quahac opened this issue Nov 6, 2024 · 4 comments
Labels
enhancement New feature or request

Comments


quahac commented Nov 6, 2024

The current NetExec tool does not allow users to quickly check past connections and their access rights. It relies only on the nxcdb or sqlite database files, like smb.db. Because of this limitation, users often have to try multiple login requests to find different login information, which can be time-consuming and inefficient.

I suggest creating a new module called Info to provide a faster way to check past connections. I have a working solution:
This module is designed to check the smb.db file for previously connected sessions. It verifies if the connection was established with System or Administrator rights when accessing the host.

Example Usage

┌──(root㉿X)-[~]
└─# nxc -t 512 smb 192.168.56.108
SMB         192.168.56.108  445    DC1              [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:DC1) (domain:domain.com) (signing:True) (SMBv1:True)

┌──(root㉿X)-[~]
└─# nxc -t 512 smb 192.168.56.108 -M info <--
SMB         192.168.56.108  445    DC1              [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:DC1) (domain:domain.com) (signing:True) (SMBv1:True)
INFO        192.168.56.108  445    DC1              [+] (Pwnd3!) domain.com\Administrator:password1 -id=393 <--

┌──(root㉿X)-[~]
└─# nxc -t 512 smb 192.168.56.108 -id=393 <--
SMB         192.168.56.108  445    DC1              [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:DC1) (domain:domain.com) (signing:True) (SMBv1:True)
SMB         192.168.56.108  445    DC1              [+] domain.com\Administrator:password1 (Pwn3d!)  

Example of how it works
Script source:
https://github.com/quahac/Netexec-Module-Info

@NeffIsBack
Contributor

Hi, this looks interesting. I would prefer having this as an internal option, for example something like --db-ids perhaps?
Also, we should probably connect directly to the db object in the protocol (self.conn.db) and use sqlalchemy to communicate with the database.

@ajanvrin take a look at this. That is something similar to what you had in mind, right?

NeffIsBack added the enhancement (New feature or request) label Nov 6, 2024

quahac commented Nov 7, 2024

In my previous version for CrackMapExec, I included more functions, but I streamlined it to focus solely on smb.db for NetExec. I misused some internal options :-], which may inspire you to expand its functionality (or not).

https://github.com/quahac/CME-Module-info

crackmapexec smb 10.10.10.10 -M info --ntds      (Prints Administrator and krbtgt hashes)
    [+] NTDS: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-05-31_081331.ntds
    [+] NTDS: Administrator:500:111f37ed915c5716aad3b435b51404ee:eb37f9cd74303274cb923442a7348ef4:::    
    [+] NTDS: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f031bf1f16bba6f9de84dffcc164e0f8::: 
    [+] NTDS: LM Crack: [hashcat -m 3000 -a 3 /location] or [john --format=lm /location] detected 18x (Prints when available)
    [+] NTDS: NT Crack: [hashcat -m 1000 -a 3 /location] or [john --format=nt /location]   


crackmapexec smb 10.10.10.10 -M info --sam       (Prints SAM file only local Administrator with valid password)
    [+] SAM: Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: 


crackmapexec smb 10.10.10.10 -M info --lsa
    [+] LSA: dpapi_machinekey:0x4e467fabe4afb57..ce3730
    [+] LSA: dpapi_userkey:0x0797f33ba6c6043ff7..1558bc
    [+] LSA: NL$KM:c53c6dcd9cff1a4cf8355c4f3c40..32d1be


crackmapexec smb 10.10.10.10 -M info --only-file        (Prints all LOG files location)
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-05-31_081331.ntds
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-21_113422.sam
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-23_180720.secrets
    [+] LOG: location: ...snip.. 

crackmapexec smb 10.10.10.10 -M info --only-file --sam
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-21_113422.sam

crackmapexec smb 10.10.10.10 -M info --only-file --lsa
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-23_180720.secrets

crackmapexec smb 10.10.10.10 -M info --only-file --ntds 
    [+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-05-31_081331.ntds

@NeffIsBack
Contributor

Sounds good 👍 feel free to open up a PR so we can properly work on it

@Unreachabl

In fact, this would really simplify the use of nxc. There are situations when one account has administrator rights on one of the hosts, but not on another. Currently, nxc does not allow you to separate one from the other, so you have to combine hosts into groups by credentials and run commands separately for each group (i.e. first for hosts with credentials -id 1, then on hosts with credentials -id 2, etc.). For myself, I implemented this using bash, but it would be much more convenient if nxc selected credentials with administrator rights automatically when authorizing on each host.
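Both the module proposed in the opening post (look up which stored credential already has admin on a host and print its -id) and the per-host credential selection asked for in the comment above come down to one join over the smb.db tables. The script below is an added example, not quahac's module and not NetExec code. Its table layout (hosts, users, admin_relations) and column names are an assumption modeled on the NetExec/CrackMapExec smb.db schema and may differ between versions; the rows are constructed so it runs offline against an in-memory SQLite database. To try it against a real database, pass the file path to sqlite3.connect() instead of calling open_sample_db().

```python
"""Find credentials already recorded as admin on a host in a NetExec-style smb.db,
and pick one credential id per host for a batch of targets.

Added example, not the module from the issue and not NetExec's own code. The
schema below is an ASSUMPTION modeled on the NetExec/CrackMapExec smb.db layout;
SAMPLE_ROWS is constructed data. Credential ids 393/394/395 are illustrative.
"""
import sqlite3

# Assumed subset of the smb.db schema (column names may differ by version).
SCHEMA = """
CREATE TABLE hosts (
    id INTEGER PRIMARY KEY, ip TEXT, hostname TEXT, domain TEXT, os TEXT, dc BOOLEAN);
CREATE TABLE users (
    id INTEGER PRIMARY KEY, domain TEXT, username TEXT, password TEXT, credtype TEXT);
CREATE TABLE admin_relations (
    id INTEGER PRIMARY KEY, userid INTEGER, hostid INTEGER,
    FOREIGN KEY(userid) REFERENCES users(id), FOREIGN KEY(hostid) REFERENCES hosts(id));
"""

# Constructed sample data: id 393 is admin on both hosts, id 394 only on TEST-PC,
# id 395 was recorded but never had admin anywhere.
SAMPLE_ROWS = {
    "hosts": [
        (1, "192.168.56.108", "DC1", "domain.com", "Windows Server 2008 R2 Enterprise 7600 x64", 1),
        (2, "192.168.56.113", "TEST-PC", "domain.com", "Windows 10 Pro 19045 x64", 0),
    ],
    "users": [
        (393, "domain.com", "Administrator", "password1", "plaintext"),
        (394, "domain.com", "svc_backup", "8846f7eaee8fb117ad06bdd830b7586c", "hash"),
        (395, "domain.com", "lowpriv", "Winter2024!", "plaintext"),
    ],
    "admin_relations": [(1, 393, 1), (2, 393, 2), (3, 394, 2)],
}


def open_sample_db():
    """Build the in-memory database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?)", SAMPLE_ROWS["hosts"])
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", SAMPLE_ROWS["users"])
    conn.executemany("INSERT INTO admin_relations VALUES (?,?,?)", SAMPLE_ROWS["admin_relations"])
    return conn


def admin_creds_for_host(conn, target):
    """Return (userid, domain, username, secret, credtype) rows recorded as admin on
    `target`, given as IP or hostname (case-insensitive). Empty list if none."""
    return conn.execute(
        """
        SELECT u.id, u.domain, u.username, u.password, u.credtype
        FROM admin_relations ar
        JOIN users u ON u.id = ar.userid
        JOIN hosts h ON h.id = ar.hostid
        WHERE h.ip = ? OR lower(h.hostname) = lower(?)
        ORDER BY u.id
        """,
        (target, target),
    ).fetchall()


def format_hits(rows):
    """Render hits like the module's output line, with the -id hint needed to reuse them."""
    return [
        f"[+] (Pwn3d!) {domain}\\{user}:{secret} [{credtype}] -id={uid}"
        for uid, domain, user, secret, credtype in rows
    ]


def plan_per_host(conn, targets, prefer="plaintext"):
    """For each target pick one credential id with recorded admin rights (None if there
    is none), preferring `prefer` credtype, then the lowest id. This is the per-host
    selection the thread asks for instead of grouping hosts by -id manually."""
    plan = {}
    for target in targets:
        rows = admin_creds_for_host(conn, target)
        rows.sort(key=lambda r: (r[4] != prefer, r[0]))
        plan[target] = rows[0][0] if rows else None
    return plan


if __name__ == "__main__":
    db = open_sample_db()
    for target in ("192.168.56.108", "test-pc", "10.0.0.9"):
        hits = admin_creds_for_host(db, target)
        print(f"{target}:")
        for line in format_hits(hits) or ["[-] no admin login recorded"]:
            print("   ", line)
    print(plan_per_host(db, ["192.168.56.108", "192.168.56.113", "10.0.0.9"]))
```

Note that admin_relations only records what a previous run observed; a credential that was admin last week may have been rotated since, so the lookup is a hint for which -id to try first, not proof of current access.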
