pennyw0rth / netexec Goto Github PK

View Code? Open in Web Editor NEW

2.1K 20.0 221.0 11.75 MB

The Network Execution Tool

Home Page: https://netexec.wiki/

License: BSD 2-Clause "Simplified" License

Dockerfile 0.02% Makefile 0.02% Python 99.42% PowerShell 0.32% VBScript 0.21% Nix 0.01%

hacking pentest pentest-tool pentest-tools pentesting python python3 red-team active-directory infosec

netexec's Introduction

🚩 This is the open source repository of NetExec maintained by a community of passionate people

NetExec - The Network Execution Tool

This project was initially created in 2015 by @byt3bl33d3r, known as CrackMapExec. In 2019 @mpgn_x64 started maintaining the project for the next 4 years, adding a lot of great tools and features. In September 2023 he retired from maintaining the project.

Along with many other contributors, we (NeffIsBack, Marshall-Hallenbeck, and zblurx) developed new features, bug fixes, and helped maintain the original project CrackMapExec. During this time, with both a private and public repository, community contributions were not easily merged into the project. The 6-8 month discrepancy between the code bases caused many development issues and heavily reduced community-driven development. With the end of mpgn's maintainer role, we (the remaining most active contributors) decided to maintain the project together as a fully free and open source project under the new name NetExec 🚀 Going forward, our intent is to maintain a community-driven and maintained project with regular updates for everyone to use.

You are on the latest up-to-date repository of the project NetExec (nxc) ! 🎉

🚧 If you want to report a problem, open an Issue
🔀 If you want to contribute, open a Pull Request
💬 If you want to discuss, open a Discussion

Official Discord Channel

If you don't have a Github account, you can ask your questions on Discord!

Documentation, Tutorials, Examples

See the project's wiki (in development) for documentation and usage examples

Installation

Please see the installation instructions on the wiki (in development)

Linux

sudo apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec

Development

Development guidelines and recommendations in development

Acknowledgments

All the hard work and development over the years from everyone in the CrackMapExec project

Code Contributors

Awesome code contributors of NetExec:

netexec's People

Contributors

Stargazers

Watchers

Forkers

xiaolichan yukar1z0e shad0wc0ntr0ller ludovicpatho stevesec ongyuann tednoob17 nusiloot robinfassinamoschiniforks marshall-hallenbeck bongobongoland gh-fml freeide seahop m00zh33 professor-hillman tehseensagar kahvi-0 gmh5225 mushfiqur47 shoxxdj killvxk oldsecureiqlab fengjixuchui dagda76 red-infosec wisdark pianomanx korang hotelzululima romanrii madalin-dogaru binz120 jimba86 ltungcul opthie ilightthings dv4d3r skellyb0n3s paulwhitinguvc n0viii adamkadaban 3v1lw1th1n an4kein dggsec apkc osbarcelos79 n844aa hutashan14 wanetty gerhardbotha97 techthiyanes shadoxys 000-jj-000 rayanlecat teutades dmore zha0 sec-fork nanaao kondeck2020 pentestical3 j4r0-code c0c0red sebrink sinw0lf byinarie ink-splatters tobey123 5l1v3r1 grayarch nuts7 penttools mishrasamiksha row3ll jarvarbin parth4git fdlucifer bodri82 ayushrakesh shresthasurav killer2op gfggithubleet cmjlove1 nikaiw noorahsmith superoldman96 xiaoheiccc cvlabsio adk9v2 naruto0o momika233 primody bkeath zpaav op0ssum icyperior termanix 0xfatamorgana leonteale

netexec's Issues

pipx installation fails "Package cannot be a url"

Describe the bug
Installation fails with pipx

To Reproduce
pipx install git+https://github.com/Pennyw0rth/NetExec
I get error "Package cannot be a url"

Additional context
pipx version 0.12.3.1
OS : Ubuntu 20.04.6 LTS

How to update via pipx?

How to update installed via pipx? When I use pipx install git+https://github.com/Pennyw0rth/NetExec to update, I will be prompted that netexec already exists.

'/tmp/msol.ps1' does not exist!

Describe the bug
I get error that the file does not exist, and my friend run this command from his workstation on the same server, and it worked for him

To Reproduce
Steps to reproduce the behavior i.e.:
Command: .\nxc.exe smb US-ADCONNECT -u us\helpdeskadmin -H 94b4a7961bb45377f6e7951b0d8630be -M msol
Resulted in:

SMB         192.168.1.209   445    US-ADCONNECT     [*] Windows 10.0 Build 17763 x64 (name:US-ADCONNECT) (domain:us.techcorp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.209   445    US-ADCONNECT     [+] us\helpdeskadmin:94b4a7961bb45377f6e7951b0d8630be (Pwn3d!)
MSOL        192.168.1.209   445    US-ADCONNECT     [-] Impersonate file specified '/tmp/msol.ps1' does not exist!

NetExec info

OS: Windows server 2019
Version of nxc: 1.1.0

Implement Ruff Linter

We've used flake8 and black in the past, but Ruff seems to be the best way to easily and quickly lint for common mistakes.

We will not be checking for line length of 80 - this is annoying for everyone.

(Win Binary) Ctr + Z/C/X doesn't work

it's an old issue with the binary for windows, I think it's time to get it fixed!

(Win Binary) Issue with -x/-X

Simple -x commands work fine, however, slightly more complex commands fail. This is a Windows version issue.

For example, -x 'net group "Big Boys Group" Wannabe /add' is not going to work, it won't go thru:
nxc.exe: error: unrecognized arguments

-x 'net group Big Boys Group Wannabe /add' will go thru but will return
The group name could not be found.

I've tried running nxc.exe in both PS and cmd.
Btw, this issue was present in cme's binary for windows.

Veeam Module crashing

Describe the bug
Veeam Modul randomly crashes

To Reproduce
Uknown

Screenshots

ERROR    Exception while calling proto_flow() on target 999.999.999.999: not enough values to unpack (expected 2, got 1)                                                connection.py:115
                    ╭──────────────────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────────────────╮                  
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:113 in __init__                                                          │                  
                    │                                                                                                                                                            │                  
                    │   110 │   │   │   sleep(value)                                                                                                                             │                  
                    │   111 │   │                                                                                                                                                │                  
                    │   112 │   │   try:                                                                                                                                         │                  
                    │ ❱ 113 │   │   │   self.proto_flow()                                                                                                                        │                  
                    │   114 │   │   except Exception as e:                                                                                                                       │                  
                    │   115 │   │   │   self.logger.exception(f"Exception while calling proto_flow() on target                                                                   │                  
                    │       {self.host}: {e}")                                                                                                                                   │                  
                    │   116                                                                                                                                                      │                  
                    │                                                                                                                                                            │                  
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:163 in proto_flow                                                        │                  
                    │                                                                                                                                                            │                  
                    │   160 │   │   │   │   # because of null session                                                                                                            │                  
                    │   161 │   │   │   │   if self.login() or (self.username == "" and self.password == ""):                                                                    │                  
                    │   162 │   │   │   │   │   if hasattr(self.args, "module") and self.args.module:                                                                            │                  
                    │ ❱ 163 │   │   │   │   │   │   self.call_modules()                                                                                                          │                  
                    │   164 │   │   │   │   │   else:                                                                                                                            │                  
                    │   165 │   │   │   │   │   │   self.call_cmd_args()                                                                                                         │                  
                    │   166                                                                                                                                                      │                  
                    │                                                                                                                                                            │                  
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:201 in call_modules                                                      │                  
                    │                                                                                                                                                            │                  
                    │   198 │   │   │                                                                                                                                            │                  
                    │   199 │   │   │   if self.admin_privs and hasattr(module, "on_admin_login"):                                                                               │                  
                    │   200 │   │   │   │   self.logger.debug(f"Module {module.name} has on_admin_login method")                                                                 │                  
                    │ ❱ 201 │   │   │   │   module.on_admin_login(context, self)                                                                                                 │                  
                    │   202 │   │   │                                                                                                                                            │                  
                    │   203 │   │   │   if (not hasattr(module, "on_request") and not hasattr(module,                                                                            │                  
                    │       "has_response")) and hasattr(module, "on_shutdown"):                                                                                                 │                  
                    │   204 │   │   │   │   self.logger.debug(f"Module {module.name} has on_shutdown method")                                                                    │      
                    │                                                                                                                                                            │                  
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/modules/veeam_dump.py:170 in on_admin_login                                            │                  
                    │                                                                                                                                                            │                  
                    │   167 │   │   │   │   context.log.fail(f"Password contains whitespaces! The password for user                                                              │                  
                    │       \"{user}\" is: \"{password}\"")                                                                                                                      │                  
                    │   168 │                                                                                                                                                    │                  
                    │   169 │   def on_admin_login(self, context, connection):                                                                                                   │                  
                    │ ❱ 170 │   │   self.checkVeeamInstalled(context, connection)                                                                                                │                  
                    │   171                                                                                                                                                      │                  
                    │                                                                                                                                                            │                  
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/modules/veeam_dump.py:121 in checkVeeamInstalled                                       │                  
                    │                                                                                                                                                            │                  
                    │   118 │   │   if SqlDatabase and SqlInstance and SqlServer:                                                                                                │                  
                    │   119 │   │   │   context.log.success(f'Found Veeam DB "{SqlDatabase}" on SQL Server                                                                       │                  
                    │       "{SqlServer}\\{SqlInstance}"! Extracting stored credentials...')                                                                                     │                  
                    │   120 │   │   │   credentials = self.executePsMssql(context, connection, SqlDatabase,                                                                      │                  
                    │       SqlInstance, SqlServer)                                                                                                                              │                  
                    │ ❱ 121 │   │   │   self.printCreds(context, credentials)                                                                                                    │                  
                    │   122 │   │   elif PostgreSqlExec and PostgresUserForWindowsAuth and SqlDatabaseName:                                                                      │                  
                    │   123 │   │   │   context.log.success(f'Found Veeam DB "{SqlDatabaseName}" on an PostgreSQL                                                                │                  
                    │       Instance! Extracting stored credentials...')                                                                                                         │                  
                    │   124 │   │   │   credentials = self.executePsPostgreSql(context, connection, PostgreSqlExec,                                                              │                  
                    │       PostgresUserForWindowsAuth, SqlDatabaseName)                                                                                                         │                  
                    │                                                                                                                                                            │                  
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/modules/veeam_dump.py:163 in printCreds                                                │                  
                    │                                                                                                                                                            │                  
                    │   160 │   │   │   return                                                                                                                                   │                  
                    │   161 │   │                                                                                                                                                │                  
                    │   162 │   │   for account in output_stripped:                                                                                                              │                  
                    │ ❱ 163 │   │   │   user, password = account.split(" ", 1)                                                                                                   │                  
                    │   164 │   │   │   password = password.replace("WHITESPACE_ERROR", " ")                                                                                     │                  
                    │   165 │   │   │   context.log.highlight(user + ":" + f"{password}")                                                                                        │                  
                    │   166 │   │   │   if ' ' in password:                                                                                                                      │                  
                    ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    ValueError: not enough values to unpack (expected 2, got 1)

NetExec info

OS: kali-rolling
Version of nxc: github upstream
Installed from: pipx from github

Additional context
My best guess is that powershell returns an output string which the module can't properly interprete. I will add a general error handling to the powershell output.

Upgrade to python 3.9

Dropping py3.8 would enable updates for several packages. With that in mind we can also try to include the latest py3.12 version.

Bug when password spraying WinRM protocol

Describe the bug

When password spraying under WinRM and after finding a succesful combination, every other combination is marked as Pwn3d!.

To Reproduce

Command: netexec winrm <IP> -u username.list -p password.list --continue-on-success

Resulted in:

Expected behavior

To not have the Pwn3d tag if it is not even a correct combination.

NetExec info

OS: Linux parrot 6.1.0-1parrot1-amd64
Version of nxc: develop commit d1aec06
Installed from: cloning the repo and pipx to install

Investigate Usage of HTTP Server

I don't think we actually use the HTTP server anywhere. Its intended purpose seems to be catching responses for modules, but none of the modules have on_request or on_response functions, so we can probably remove this code.

Crash on ldap --dc-list

Describe the bug
NetExec is crashing on nxc ldap [ip] -u user -p password --dc-list with logging enabled through config

To Reproduce
Enable logging in nxc.conf
Command: nxc ldap [ip] -u user -p password --dc-list
Resulted in:

Somehow it cant handle the line with the ip output from the dcs. The Message is reported as:

Message: 'LDAP        [IP]  389    [HOSTNAME]       [HOSTNAME.DOMAIN] ='
Arguments: ('[IP_FROM_ONE_DC',)

NetExec info

OS: Kali latest rolling
Version of nxc: latest
Installed from: upstream git with pipx

Filter output for "pw3nd" when spray across big scopes

Hey,

it would be cool to get a filter like "--only-admin" when spaying vaild credentials over many hosts. In my PenTests i spray newly gathered creds a gsinst all clients to check for admin access.

Yes I could grep for it but with the filter the colors would stay and it's much nicer for Screenshots :)

New domain formatting with dot blocks socks authentications

Describe the bug
This issue is possibly already known, but I haven't seen it in the issue list.

The fact that the domain declaration now forces the presence of a dot for an FQDN format blocks the use of NetExec through a socks session set up with Impacket's ntlmrelayx.py.
ntlmrelayx.py setups socks sessions with the format DOMAIN/username and it now cannot be used with NetExec to authenticate.

To Reproduce
Setup proxy socks sessions with ntlmrelayx.py on SMB from a NTLM relay with a command like this:

ntlmrelayx.py -tf noSigning.txt -smb2support -socks

This result in sessions like this:

ntlmrelayx> socks
Protocol  Target        Username           AdminStatus  Port 
--------  ------------  -----------------  -----------  ----
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445  
SMB       <target>      DOMAIN/USER        FALSE        445

Now, we attempte to authenticate on the target with the credentials.

Command: proxychains4 -q poetry run netexec smb <target> -u USER -d DOMAIN -p password
Resulted in:

proxychains4 -q poetry run netexec smb <target> -u USER -d DOMAIN -p password
SMB         <target_IP>    445    <target>       [*] Windows 10.0 Build 19041 (name:<target>) (domain:DOMAIN) (signing:False) (SMBv1:False)
[12:29:08] ERROR    Domain DOMAIN for user USER need to be FQDN ex:domain.local, not domain                                     connection.py:372

And if we declare the domain as DOMAIN.local, ntlmrelayx.py drops an error for no available session.

[2023-10-16 12:30:01] [-] SOCKS: No session for DOMAIN.LOCAL/USER@<target_IP>(445) available

Expected behavior
NetExec should be able to handle this format of domain declaration to authenticate through a socks session opened with ntlmrelayx.py.

NetExec info

OS: Kali
Version of nxc: 1.0.0
Installed from: GitHub + Poetry

Additional context
As indicated in the error message, the problem comes from the line 372 in the connection.py file. Here are the lines 370, 371, 372 and 373:

        # Enforcing FQDN for SMB if not using local authentication. Related issues/PRs: #26, #28, #24, #38
        if self.args.protocol == 'smb' and not self.args.local_auth and "." not in domain and not self.args.laps and secret != "" and not (self.domain.upper() == self.hostname.upper()) :
            self.logger.error(f"Domain {domain} for user {username.rstrip()} need to be FQDN ex:domain.local, not domain")
            return False

For the moment, as a temporary workaround, these lines can be commented to perform a successful authentication through a socks.

RDP not working as expected

The RDP Password spray works but produces a lot of junk in between for some reason. This doesn't happen for smb or winrm

Any assistance would be highly appreciated!

No package metadata was found for netexec

Executing the latest build will fail with an PackageNotFoundError

To Reproduce
Download the latest build from actions: nxc-ubuntu-latest-3.11

Run it with the following command: ./nxc smb 10.10.121.244 -u 'test' -p 'test'
Resulted in:

Traceback (most recent call last):
  File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 563, in from_name
    return next(cls.discover(name=name))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/sec/./nxc/__main__.py", line 3, in <module>
  File "/home/sec/./nxc/_bootstrap/__init__.py", line 253, in bootstrap
  File "/home/sec/./nxc/_bootstrap/__init__.py", line 38, in run
  File "/home/sec/.shiv/nxc_aecf6c0b8a0cbcd1f5679edf2b69e9c2008a4c3700c4a451aea1d3f78207456c/site-packages/nxc/netexec.py", line 80, in main
    args = gen_cli_args()
           ^^^^^^^^^^^^^^
  File "/home/sec/.shiv/nxc_aecf6c0b8a0cbcd1f5679edf2b69e9c2008a4c3700c4a451aea1d3f78207456c/site-packages/nxc/cli.py", line 15, in gen_cli_args
    VERSION = importlib.metadata.version("netexec")
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 1008, in version
    return distribution(distribution_name).version
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 981, in distribution
    return Distribution.from_name(distribution_name)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 565, in from_name
    raise PackageNotFoundError(name)
importlib.metadata.PackageNotFoundError: No package metadata was found for netexec

NetExec info

OS: Kali
Version of nxc [latest]
Installed from: Actions

(Win Binary) How to access / manage NXCDB

Do we need a different binary for that?

Move Setting Bloodhound Owned to Centralized Location

In #90 add_user_bh is called in a lot of places, but we should try to centralize this to a single place across protocols, since the current method is a bit messy (but necessary at the moment).

Module ms17-010 is falsely reporting "not vulnerable", despite the target being vulnerable.

Describe the bug
The module ms17-010 is always reporting "not vulnerable", despite the target being vulnerable.

This is because the module code itself is not working with python3, but the errors are being catched by the try/except/finally wrapper, more specifically the "except: return false" part.

To Reproduce

Tested with HackTheBox Machine "Blue"
Remove the try/except/finally block and look at the error messages

Expected behavior
The module should report vulnerable ms17-010 instances.

Screenshots
This screenshot was created after replacing line 437 with "raise" to propagate the error.

Additional information
The python code in the following link is a python3 conversion from the python2 code that was used for the module. The converted python3 version is working for me:
https://gist.github.com/mdawsonuk/caac9ec724abe4e70277c6a2478629da

(WIN BIN) aardwof missing

Traceback (most recent call last):
File "netexec.py", line 276, in
File "netexec.py", line 162, in main
File "loaders\protocolloader.py", line 18, in load_protocol
File "", line 940, in exec_module
File "", line 241, in _call_with_frames_removed
File "C:\Users\mrpoopypants\AppData\Local\Temp_MEI112922\nxc\protocols\rdp.py", line 18, in
from aardwolf.connection import RDPConnection
ModuleNotFoundError: No module named 'aardwolf'
[4176] Failed to execute script 'netexec' due to unhandled exception!

RDP module issues

@XiaoliChan

I know it's actually not the module problem but an issue with that particular host. However, maybe you have some ideas how to deal with this. Please, have a look. Cheers.

Module path checking broken on windows

On windows the path checking is broken atm resulting in:

[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\add-computer.py filename must match the module name add-computer
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\bh_owned.py filename must match the module name bh_owned
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\daclread.py filename must match the module name daclread
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\dfscoerce.py filename must match the module name dfscoerce
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\drop-sc.py filename must match the module name drop-sc
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\empire_exec.py filename must match the module name empire_exec
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\enum_av.py filename must match the module name enum_av
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\enum_dns.py filename must match the module name enum_dns
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\enum_trusts.py filename must match the module name enum_trusts
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\find-computer.py filename must match the module name find-computer
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\firefox.py filename must match the module name firefox
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\get-desc-users.py filename must match the module name get-desc-users
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\get-network.py filename must match the module name get-network
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\get-unixUserPassword.py filename must match the module name get-unixUserPassword
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\get-userPassword.py filename must match the module name get-userPassword
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\get_netconnections.py filename must match the module name get_netconnections
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\gpp_autologin.py filename must match the module name gpp_autologin
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\gpp_password.py filename must match the module name gpp_password
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\group-mem.py filename must match the module name group-mem
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\groupmembership.py filename must match the module name groupmembership
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\handlekatz.py filename must match the module name handlekatz
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\hash_spider.py filename must match the module name hash_spider
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\iis.py filename must match the module name iis
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\impersonate.py filename must match the module name impersonate
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\install_elevated.py filename must match the module name install_elevated
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\ioxidresolver.py filename must match the module name ioxidresolver
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\keepass_discover.py filename must match the module name keepass_discover
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\keepass_trigger.py filename must match the module name keepass_trigger
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\laps.py filename must match the module name laps
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\ldap-checker.py filename must match the module name ldap-checker
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\lsassy.py filename must match the module name lsassy
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\MAQ.py filename must match the module name MAQ
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\masky.py filename must match the module name masky
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\met_inject.py filename must match the module name met_inject
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\ms17-010.py filename must match the module name ms17-010
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\msol.py filename must match the module name msol
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\mssql_priv.py filename must match the module name mssql_priv
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\nanodump.py filename must match the module name nanodump
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\nopac.py filename must match the module name nopac
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\ntdsutil.py filename must match the module name ntdsutil
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\ntlmv1.py filename must match the module name ntlmv1
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\petitpotam.py filename must match the module name petitpotam
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\pi.py filename must match the module name pi
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\printnightmare.py filename must match the module name printnightmare
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\procdump.py filename must match the module name procdump
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\pso.py filename must match the module name pso
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\rdcman.py filename must match the module name rdcman
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\rdp.py filename must match the module name rdp
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\reg-query.py filename must match the module name reg-query
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\runasppl.py filename must match the module name runasppl
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\schtask_as.py filename must match the module name schtask_as
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\scuffy.py filename must match the module name scuffy
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\shadowcoerce.py filename must match the module name shadowcoerce
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\slinky.py filename must match the module name slinky
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\spider_plus.py filename must match the module name spider_plus
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\spooler.py filename must match the module name spooler
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\subnets.py filename must match the module name subnets
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\teams_localdb.py filename must match the module name teams_localdb
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\test_connection.py filename must match the module name test_connection
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\uac.py filename must match the module name uac
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\user-desc.py filename must match the module name user-desc
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\veeam.py filename must match the module name veeam
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\wcc.py filename must match the module name wcc
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\wdigest.py filename must match the module name wdigest
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\webdav.py filename must match the module name webdav
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\web_delivery.py filename must match the module name web_delivery
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\whoami.py filename must match the module name whoami
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\wifi.py filename must match the module name wifi
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\winscp.py filename must match the module name winscp
[-] C:\Users\ADMIN~1.SEC\AppData\Local\Temp\_MEI35202\nxc\modules\zerologon.py filename must match the module name zerologon
[10:06:21] ERROR    Module not found: lsassy                     netexec.py:189```


_Originally posted by @andretorresbr in https://github.com/Pennyw0rth/NetExec/discussions/127#discussioncomment-7939121_

IPv6 support on winrm

Bug
IPv6 support for the winrm service has been removed

Reproduce
Command: netexec winrm dead:beef::b885:d62a:d679:573f -u username -p password
Resulted in:

$ netexec winrm dead:beef::b885:d62a:d679:573f -u username -p password
[13:50:09] ERROR    Exception while calling proto_flow() on target dead:beef::b885:d62a:d679:573f: Failed to parse:                                        connection.py:115
                    https://dead:beef::b885:d62a:d679:573f:5986/wsman                                                                                                       
                    ╭──────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────╮                  
                    │ /usr/lib/python3/dist-packages/requests/models.py:434 in prepare_url                                                               │                  
                    │                                                                                                                                    │                  
                    │    431 │   │                                                                                                                       │                  
                    │    432 │   │   # Support for unicode domain names and paths.                                                                       │                  
                    │    433 │   │   try:                                                                                                                │                  
                    │ ❱  434 │   │   │   scheme, auth, host, port, path, query, fragment = parse_url(url)                                                │                  
                    │    435 │   │   except LocationParseError as e:                                                                                     │                  
                    │    436 │   │   │   raise InvalidURL(*e.args)                                                                                       │                  
                    │    437                                                                                                                             │                  
                    │                                                                                                                                    │                  
                    │ /usr/lib/python3/dist-packages/urllib3/util/url.py:397 in parse_url                                                                │                  
                    │                                                                                                                                    │                  
                    │   394 │   │   │   fragment = _encode_invalid_chars(fragment, FRAGMENT_CHARS)                                                       │                  
                    │   395 │                                                                                                                            │                  
                    │   396 │   except (ValueError, AttributeError):                                                                                     │                  
                    │ ❱ 397 │   │   return six.raise_from(LocationParseError(source_url), None)                                                          │                  
                    │   398 │                                                                                                                            │                  
                    │   399 │   # For the sake of backwards compatibility we put empty                                                                   │                  
                    │   400 │   # string values for path if there are any defined values                                                                 │                  
                    │ in raise_from:3                                                                                                                    │                  
                    ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    LocationParseError: Failed to parse: https://dead:beef::b885:d62a:d679:573f:5986/wsman                                                                  
                                                                                                                                                                            
                    During handling of the above exception, another exception occurred:                                                                                     
                                                                                                                                                                            
                    ╭──────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────╮                  
                    │ /home/kali/.local/lib/python3.11/site-packages/nxc/connection.py:113 in __init__                                                   │                  
                    │                                                                                                                                    │                  
                    │   110 │   │   │   sleep(value)                                                                                                     │                  
                    │   111 │   │                                                                                                                        │                  
                    │   112 │   │   try:                                                                                                                 │                  
                    │ ❱ 113 │   │   │   self.proto_flow()                                                                                                │                  
                    │   114 │   │   except Exception as e:                                                                                               │                  
                    │   115 │   │   │   self.logger.exception(f"Exception while calling proto_flow() on target                                           │                  
                    │       {self.host}: {e}")                                                                                                           │                  
                    │   116                                                                                                                              │                  
                    │                                                                                                                                    │                  
                    │ /home/kali/.local/lib/python3.11/site-packages/nxc/connection.py:157 in proto_flow                                                 │                  
                    │                                                                                                                                    │                  
                    │   154 │   def proto_flow(self):                                                                                                    │                  
                    │   155 │   │   self.logger.debug(f"Kicking off proto_flow")                                                                         │                  
                    │   156 │   │   self.proto_logger()                                                                                                  │                  
                    │ ❱ 157 │   │   if self.create_conn_obj():                                                                                           │                  
                    │   158 │   │   │   self.enum_host_info()                                                                                            │                  
                    │   159 │   │   │   if self.print_host_info():                                                                                       │                  
                    │   160 │   │   │   │   # because of null session                                                                                    │                  
                    │                                                                                                                                    │                  
                    │ /home/kali/.local/lib/python3.11/site-packages/nxc/protocols/winrm.py:208 in create_conn_obj                                       │                  
                    │                                                                                                                                    │                  
                    │   205 │   │   for url in endpoints:                                                                                                │                  
                    │   206 │   │   │   try:                                                                                                             │                  
                    │   207 │   │   │   │   self.logger.debug(f"winrm create_conn_obj() - Requesting URL: {url}")                                        │                  
                    │ ❱ 208 │   │   │   │   res = requests.post(url, verify=False, timeout=self.args.http_timeout)                                       │                  
                    │   209 │   │   │   │   self.logger.debug("winrm create_conn_obj() - Received response code:" f"                                     │                  
                    │       {res.status_code}")                                                                                                          │                  
                    │   210 │   │   │   │   self.endpoint = url                                                                                          │                  
                    │   211 │   │   │   │   if self.endpoint.startswith("https://"):                                                                     │                  
                    │                                                                                                                                    │                  
                    │ /usr/lib/python3/dist-packages/requests/api.py:115 in post                                                                         │                  
                    │                                                                                                                                    │                  
                    │   112 │   :rtype: requests.Response                                                                                                │                  
                    │   113 │   """                                                                                                                      │                  
                    │   114 │                                                                                                                            │                  
                    │ ❱ 115 │   return request("post", url, data=data, json=json, **kwargs)                                                              │                  
                    │   116                                                                                                                              │                  
                    │   117                                                                                                                              │                  
                    │   118 def put(url, data=None, **kwargs):                                                                                           │                  
                    │                                                                                                                                    │                  
                    │ /usr/lib/python3/dist-packages/requests/api.py:59 in request                                                                       │                  
                    │                                                                                                                                    │                  
                    │    56 │   # avoid leaving sockets open which can trigger a ResourceWarning in some                                                 │                  
                    │    57 │   # cases, and look like a memory leak in others.                                                                          │                  
                    │    58 │   with sessions.Session() as session:                                                                                      │                  
                    │ ❱  59 │   │   return session.request(method=method, url=url, **kwargs)                                                             │                  
                    │    60                                                                                                                              │                  
                    │    61                                                                                                                              │                  
                    │    62 def get(url, params=None, **kwargs):                                                                                         │                  
                    │                                                                                                                                    │                  
                    │ /usr/lib/python3/dist-packages/requests/sessions.py:575 in request                                                                 │                  
                    │                                                                                                                                    │                  
                    │   572 │   │   │   cookies=cookies,                                                                                                 │                  
                    │   573 │   │   │   hooks=hooks,                                                                                                     │                  
                    │   574 │   │   )                                                                                                                    │                  
                    │ ❱ 575 │   │   prep = self.prepare_request(req)                                                                                     │                  
                    │   576 │   │                                                                                                                        │                  
                    │   577 │   │   proxies = proxies or {}                                                                                              │                  
                    │   578                                                                                                                              │                  
                    │                                                                                                                                    │                  
                    │ /usr/lib/python3/dist-packages/requests/sessions.py:486 in prepare_request                                                         │                  
                    │                                                                                                                                    │                  
                    │   483 │   │   │   auth = get_netrc_auth(request.url)                                                                               │                  
                    │   484 │   │                                                                                                                        │                  
                    │   485 │   │   p = PreparedRequest()                                                                                                │                  
                    │ ❱ 486 │   │   p.prepare(                                                                                                           │                  
                    │   487 │   │   │   method=request.method.upper(),                                                                                   │                  
                    │   488 │   │   │   url=request.url,                                                                                                 │                  
                    │   489 │   │   │   files=request.files,                                                                                             │                  
                    │                                                                                                                                    │                  
                    │ /usr/lib/python3/dist-packages/requests/models.py:368 in prepare                                                                   │                  
                    │                                                                                                                                    │                  
                    │    365 │   │   """Prepares the entire request with the given parameters."""                                                        │                  
                    │    366 │   │                                                                                                                       │                  
                    │    367 │   │   self.prepare_method(method)                                                                                         │                  
                    │ ❱  368 │   │   self.prepare_url(url, params)                                                                                       │                  
                    │    369 │   │   self.prepare_headers(headers)                                                                                       │                  
                    │    370 │   │   self.prepare_cookies(cookies)                                                                                       │                  
                    │    371 │   │   self.prepare_body(data, files, json)                                                                                │                  
                    │                                                                                                                                    │                  
                    │ /usr/lib/python3/dist-packages/requests/models.py:436 in prepare_url                                                               │                  
                    │                                                                                                                                    │                  
                    │    433 │   │   try:                                                                                                                │                  
                    │    434 │   │   │   scheme, auth, host, port, path, query, fragment = parse_url(url)                                                │                  
                    │    435 │   │   except LocationParseError as e:                                                                                     │                  
                    │ ❱  436 │   │   │   raise InvalidURL(*e.args)                                                                                       │                  
                    │    437 │   │                                                                                                                       │                  
                    │    438 │   │   if not scheme:                                                                                                      │                  
                    │    439 │   │   │   raise MissingSchema(                                                                                            │                  
                    ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    InvalidURL: Failed to parse: https://dead:beef::b885:d62a:d679:573f:5986/wsman

Info

OS: Kali
Version: latest (just installed from github)
Installed from: github

More context
One possible solution I thought of would be to add a hostname, however, when referencing the hostname it tries to load the ipv6 address in the url, it will probably fail because you have to add [] in the ipv6 addresses, using the hostname in the url would also work

$ echo "dead:beef::b885:d62a:d679:573f hostnameipv6" | sudo tee -a /etc/hosts

$ netexec winrm hostnameipv6 -u username -p password
[13:22:48] ERROR    Exception while calling proto_flow() on target dead:beef::b885:d62a:d679:573f: Failed to parse:         connection.py:115
                    https://dead:beef::b885:d62a:d679:573f:5986/wsman                                                      
                    ╭───────────────────────── Traceback (most recent call last) ──────────────────────────╮
                    │ /usr/lib/python3/dist-packages/requests/models.py:434 in prepare_url                 │
                    │ ...[snip]...                                                                         │
                    ╰──────────────────────────────────────────────────────────────────────────────────────╯
                    LocationParseError: Failed to parse: https://dead:beef::b885:d62a:d679:573f:5986/wsman

Tracebacks when using Win binary

The latest .exe has nasty issue. It's impossible to use smb bruteforce because every single unsuccessful attempt also brings a lot of traceback information. It's big mess. As you can see, there's no STATUS_LOGON_FAILURE line

[20:32:29] ERROR Exception while calling proto_flow() on target 192.168.1.1: too many values to unpack (expected 2) connection.py:123
╭─────────────────────────────────────────────────────────── Traceback (most recent call last) ───────────────────────────────────────────────────────────╮
│ in login:3501 │
│ │
│ in login_extended:3436 │
│ │
│ in isValidAnswer:785 │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
SessionError: SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or
authentication information.

                During handling of the above exception, another exception occurred:

                ╭─────────────────────────────────────────────────────────── Traceback (most recent call last) ───────────────────────────────────────────────────────────╮
                │ in login:276                                                                                                                                            │
                │                                                                                                                                                         │
                │ in login:3505                                                                                                                                           │
                │                                                                                                                                                         │
                │ in login_extended:3436                                                                                                                                  │
                │                                                                                                                                                         │
                │ in isValidAnswer:785                                                                                                                                    │
                ╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
                SessionError: SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or
                authentication information.

                During handling of the above exception, another exception occurred:

                ╭─────────────────────────────────────────────────────────── Traceback (most recent call last) ───────────────────────────────────────────────────────────╮
                │ C:\Users\poop\AppData\Local\Temp\_MEI23722\nxc\protocols\smb.py:465 in plaintext_login                                                                   │
                │                                                                                                                                                         │
                │    462 │   │   │   self.domain = domain                                                                                                                 │
                │    463 │   │   │                                                                                                                                        │
                │    464 │   │   │   try:                                                                                                                                 │
                │ ❱  465 │   │   │   │   self.conn.login(self.username, self.password, domain)                                                                            │
                │    466 │   │   │   except UnicodeEncodeError:                                                                                                           │
                │    467 │   │   │   │   self.logger.error(f"UnicodeEncodeError on:                                                                                       │
                │        '{self.username}:{self.password}'. Trying again with a different encoding...")                                                                   │
                │    468 │   │   │   │   self.create_conn_obj()                                                                                                           │
                │                                                                                                                                                         │
                │ in login:280                                                                                                                                            │
                ╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
                SessionError: SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or
                authentication information.

                During handling of the above exception, another exception occurred:

                ╭─────────────────────────────────────────────────────────── Traceback (most recent call last) ───────────────────────────────────────────────────────────╮
                │ in __init__:121                                                                                                                                         │
                │                                                                                                                                                         │
                │ in proto_flow:168                                                                                                                                       │
                │                                                                                                                                                         │
                │ in login:465                                                                                                                                            │
                │                                                                                                                                                         │
                │ in try_credentials:407                                                                                                                                  │
                │                                                                                                                                                         │
                │ C:\Users\foo\AppData\Local\Temp\_MEI23722\nxc\protocols\smb.py:503 in plaintext_login                                                                   │
                │                                                                                                                                                         │
                │    500 │   │   │   │   self.create_conn_obj()                                                                                                           │
                │    501 │   │   │   return True                                                                                                                          │
                │    502 │   │   except SessionError as e:                                                                                                                │
                │ ❱  503 │   │   │   error, desc = e.getErrorString()                                                                                                     │
                │    504 │   │   │   self.logger.fail(                                                                                                                    │
                │    505 │   │   │   │   f'{domain}\\{self.username}:{process_secret(self.password)} {error}                                                              │
                │        {f"({desc})" if self.args.verbose else ""}',                                                                                                     │
                │    506 │   │   │   │   color="magenta" if error in smb_error_status else "red",                                                                         │
                ╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
                ValueError: too many values to unpack (expected 2)

^^^ that is just unsuccessful attempt.

Refactor Module hash_spider

hash_spider.py uses some global variables and other things that should be cleaned up and refactored.

Accounts with admin rights missing (Pwn3d) tag

I see this on a regular basis.
SMB finds an account but fails to tag it as Pwn3d, even though the account has admin rights.
Maybe I'm missing something.

Windows 10.0 Build 17763
The account is a local account, and the host is not part of any domain.

Option `--domain` does not override internal domain

Describe the bug
Usually the option --domain/-d should override the domain retreived by impacket. This is clearly not the case here

To Reproduce
Steps to reproduce the behavior i.e.:
Command: netexec smb -u username -p password --domain SOMETHING_INVALID
Successful login

Expected behavior
This should not result in a login, rather it should fail as this furthermore suggests that specifying the domain manually does not work.

NetExec info

OS: Kali rolling
Version of nxc: github-upstream
Installed from: pipx+github

Windows binary version: issues with --ntds option

Describe the bug
When I use --ntds option in the Windows compiled binary version (single .EXE file), the tools crashes with EOFError.

To Reproduce

Compile Windows single binary, as described in the documentation.
Run NetExec with --ntds option:

.\nxc.exe smb 192.168.144.1 -u syslogagent -H '58a478135a93ac3bf058a5ea0e8fdb71' -d gcbsec.local --ntds

Resulted in:

Expected behavior
NTDS.dit extraction

enum_trusts not working

enum_trusts not working on several DCs

.\nxc.exe ldap us-dc -u us\studentuser55 -p 7fySHxncnPQS3vrW -M enum_trusts

SMB         192.168.1.2     445    US-DC            [*] Windows 10.0 Build 17763 x64 (name:US-DC) (domain:us.techcorp.local) (signing:True) (SMBv1:False)
LDAP        192.168.1.2     389    US-DC            [+] us\studentuser55:7fySHxncnPQS3vrW
[02:47:14] ERROR    Exception while calling proto_flow() on target 192.168.1.2: Error in searchRequest -> referral: 0000202B: RefErr: DSID-0310084A, data 0, 1     connection.py:123
                    access points
                        ref 1: 'us'
                                                                                                                                                                                    
                    ╭──────────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────────╮
                    │ in __init__:121                                                                                                                            │
                    │                                                                                                                                            │
                    │ in proto_flow:171                                                                                                                          │
                    │                                                                                                                                            │
                    │ in call_modules:225                                                                                                                        │
                    │                                                                                                                                            │
                    │ C:\Users\STUDEN~1\AppData\Local\Temp\_MEI38962\nxc\modules\trust.py:25 in on_login                                                         │
                    │                                                                                                                                            │
                    │   22 │   │   attributes = ["flatName", "trustPartner", "trustDirection", "trustAttributes"]                                                │
                    │   23 │   │                                                                                                                                 │
                    │   24 │   │   context.log.debug(f"Search Filter={search_filter}")                                                                           │
                    │ ❱ 25 │   │   resp = connection.ldapConnection.search(searchBase=domain_dn,                                                                 │
                    │      searchFilter=search_filter, attributes=attributes, sizeLimit=0)                                                                       │
                    │   26 │   │                                                                                                                                 │
                    │   27 │   │   trusts = []                                                                                                                   │
                    │   28 │   │   context.log.debug(f"Total of records returned {len(resp)}")                                                                   │
                    │                                                                                                                                            │
                    │ in search:402                                                                                                                              │
                    ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
                    LDAPSearchError: Error in searchRequest -> referral: 0000202B: RefErr: DSID-0310084A, data 0, 1 access points
                            ref 1: 'us'

NetExec info

OS: Windows server 2019
Version of nxc: 1.1.0

Kerberoasting not returning any output

Describe the bug
When using the --kerberoasting flag the tool returns an error while using GetUserSPNs from Impacket does not.

To Reproduce
Steps to reproduce the behavior i.e.:
Command: nxc ldap 172.16.5.5 -u forend -p Klmcargo2 --kerberoasting kerberoasting
Resulted in:

NetExec info

OS: Parrot
Version of nxc: commit 470b4e8 dev branch
Installed from: cloning repo -> pipx

Compiled Versions Missing Required Module(s)

It appears that module(s) required for the LDAP protocol to run in the windows executable are not present.

Steps to reproduce the behavior:
Command: nxc.exe ldap 10.10.10.3
Resulted in:

Expected behavior
The netexec LDAP protocol to function without error.

NetExec info

OS: Windows 10, Kali
Version of nxc: 1.0.0
Installed from: Executable

ModuleNotFoundError: No module named 'bloodhound'

Describe the bug
When running the -L flag in ldap I get the following error message ModuleNotFoundError: No module named 'bloodhound'

To Reproduce
Steps to reproduce the behavior i.e.:
Command: ~/nxc-ubuntu-latest ldap dc01 -u 'user' -p 'password' -L
Resulted in:

Traceback (most recent call last):
  File "netexec.py", line 276, in <module>
  File "netexec.py", line 162, in main
  File "loaders/protocolloader.py", line 18, in load_protocol
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/tmp/_MEIHqKXxZ/nxc/protocols/ldap.py", line 17, in <module>
    from bloodhound.ad.authentication import ADAuthentication
ModuleNotFoundError: No module named 'bloodhound'
[2600402] Failed to execute script 'netexec' due to unhandled exception!...

Expected behavior
List of the available LDAP modules

Screenshots

NetExec info

OS: Kali
Version: 1.0.0 - A New Beginning
Installed from: binary from release

ssh connection shutdown with valid credential

Using ssh with valid credential on a server led to just EOF

This might have to do with the server using ssh-rsa /dss ?

2023-11-01 19:38:09,509 - DEBUG - Added file handler: <RotatingFileHandler /home/user/.nxc/logs/2023-11-01/log_2023-11-01-19-38-09.log (NOTSET)>
2023-11-01 19:38:09,512 - DEBUG - PYTHON VERSION: 3.11.6 (main, Oct  8 2023, 05:06:43) [GCC 13.2.0]
2023-11-01 19:38:09,513 - DEBUG - RUNNING ON: Linux Release: 6.5.0-10-generic
2023-11-01 19:38:09,514 - DEBUG - Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, protocol='ssh', target=['<redacted>'], cred_id=[], username=['<redacted>'], password=['<redacted>'], ignore_pw_decoding=False, kerberos=False, no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None, aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[], list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None, connectback_host=None, key_file=None, port=22, ssh_timeout=30, sudo_check=False, sudo_check_method='sudo-stdin', get_output_tries=5, codec='utf-8', no_output=False, execute=None)
2023-11-01 19:38:09,517 - DEBUG - Protocol: ssh
2023-11-01 19:38:09,518 - DEBUG - Protocol Path: /home/user/tools/NetExec/venv/lib/python3.11/site-packages/nxc/protocols/ssh.py
2023-11-01 19:38:09,519 - DEBUG - Protocol DB Path: /home/user/tools/NetExec/venv/lib/python3.11/site-packages/nxc/protocols/ssh/database.py
2023-11-01 19:38:09,672 - DEBUG - Protocol Object: <class 'protocol.ssh'>
2023-11-01 19:38:09,674 - DEBUG - Protocol DB Object: <class 'protocol.database'>
2023-11-01 19:38:09,675 - DEBUG - DB Path: /home/user/.nxc/workspaces/default/ssh.db
2023-11-01 19:38:09,689 - DEBUG - Creating ThreadPoolExecutor
2023-11-01 19:38:09,690 - DEBUG - Creating thread for <class 'protocol.ssh'>
2023-11-01 19:38:09,692 - INFO - Socket info: host=<redacted>, hostname=<redacted>, kerberos=False
2023-11-01 19:38:09,693 - DEBUG - Kicking off proto_flow
2023-11-01 19:38:09,853 - DEBUG - Remote version: SSH-2.0-OpenSSH_5.3
2023-11-01 19:38:09,856 - DEBUG - add_host(): Initial hosts results: [(19, '<redacted>', 22, 'SSH-2.0-OpenSSH_5.3', '')]
2023-11-01 19:38:09,857 - DEBUG - host: (19, '<redacted>', 22, 'SSH-2.0-OpenSSH_5.3', '')
2023-11-01 19:38:09,858 - DEBUG - host_data: {'id': 19, 'host': '<redacted>', 'port': 22, 'banner': 'SSH-2.0-OpenSSH_5.3', 'os': ''}
2023-11-01 19:38:09,859 - DEBUG - Hosts: [{'id': 19, 'host': '<redacted>', 'port': 22, 'banner': 'SSH-2.0-OpenSSH_5.3', 'os': ''}]
2023-11-01 19:38:09,861 - DEBUG - add_host() - Host IDs Updated: [19]
2023-11-01 19:38:09,897 - INFO - SSH         <redacted>   22     <redacted>    [*] SSH-2.0-OpenSSH_5.3
2023-11-01 19:38:09,898 - DEBUG - Trying to authenticate using plaintext over SSH
2023-11-01 19:38:09,899 - DEBUG - Logging <redacted> with username: <redacted>, password: <redacted>
2023-11-01 19:38:09,911 - INFO - SSH         <redacted>   22     <redacted>    [-] <redacted>:<redacted> Authentication failed: transport shut down or saw EOF

Inconsistency between --lsa via NTLM and Kerberos

It looks like there is some inconsistency between the result of the --lsa option when connecting via NTLM and Kerberos:

Below is the result when dumping lsa via a NTLM authentication:

And here is the result when dumping via Kerberos (-k):

The AES and DES keys for the DC$ account are not dumped.

I'll take a look at why ASAP.

Feature Dark Mode Addition

Feature request

The repository looks complete with the addition of the dark mode button in navbar

Proposal
Addition of the dark mode button

Kindly assign me this issue. @NeffIsBack

Issue with FQDN

No present in cme binary or linux version.

throws errors
ERROR Domain TestDomain for user TestAdmin need to be FQDN ex:domain.local, not domain

in other words it won't run unless I enter -d TestDomain.lan

ModuleNotFoundError: No module named 'aardwolf'

Describe the bug
When running the netexec.exe from the 9/19 nightly build, I'm getting "ModuleNotFoundError" regardless of which module I try to use (rdp, ldap, etc)

To Reproduce
Command: .\netexec.exe ldap azprts02.nsmg.com -u username -p 'Pa$$word'
Resulted in:

Traceback (most recent call last):
  File "netexec.py", line 276, in <module>
  File "netexec.py", line 162, in main
  File "loaders\protocolloader.py", line 18, in load_protocol
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\SHAWN~1.JON\AppData\Local\Temp\_MEI44402\nxc\protocols\ldap.py", line 17, in <module>
    from bloodhound.ad.authentication import ADAuthentication
ModuleNotFoundError: No module named 'bloodhound'
[22320] Failed to execute script 'netexec' due to unhandled exception!

Expected behavior

Screenshots
n/a

NetExec info

OS: Win10
Version of nxc: 1.0.0
Installed from: binary from build 11

Additional context
n/a

ModuleNotFoundError: No module named 'aardwolf'

Describe the bug
Using rdp throws a missing module error

To Reproduce
Steps to reproduce the behavior i.e.:
Command: ./nxc rdp -L
Resulted in:

Traceback (most recent call last):
  File "netexec.py", line 255, in <module>
  File "netexec.py", line 152, in main
  File "loaders/protocolloader.py", line 16, in load_protocol
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/tmp/_MEIPpQPnv/nxc/protocols/rdp.py", line 15, in <module>
    from aardwolf.connection import RDPConnection
ModuleNotFoundError: No module named 'aardwolf'
[3169] Failed to execute script 'netexec' due to unhandled exception!

Expected behavior
The available rdp modules should be listed (if any)

Screenshots

NetExec info

OS: Kali
Python: 3.11.6
Version of nxc: 1.1.0
Installed from: Using the standalone binary - https://github.com/Pennyw0rth/NetExec/releases/download/v1.1.0/nxc

It cannot be installed properly

My system is macOS 13.2.1, Python version 3.9.6, I didn't install with venv when installing (I don't think I need virtual space), it prompts two errors

ERROR: Failed building wheel for aardwolf
ERROR: Could not build wheels for aardwolf, which is required to install pyproject.toml-based projects

pip has been updated to the latest version, please how can I fix it

Can't dump hashes of usernames containing spaces

For instance, when using --ntds

If username is "User Name", I get the following line:

domain.local\User

that's it, nothing else :)

SSH password spray fails to work where hydra works with same inputs

Describe the bug
Using nxc ssh to password spray does not work where same data with hydra does
Reproduced this while hacking the Wifinetic machine on app.hackthebox.com

To Reproduce
Using the following two input files

pass.txt
VeRyUniUqWiFIPasswrd1!
badpassword
goodpassword

users.txt
olivia.walker17
netadmin
samantha.wood93

nxc

user@kali:~$ nxc ssh 10.10.11.247 -u users.txt -p pass.txt
SSH         10.10.11.247    22     10.10.11.247     [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9
SSH         10.10.11.247    22     10.10.11.247     [-] olivia.walker17:VeRyUniUqWiFIPasswrd1! Authentication failed.
SSH         10.10.11.247    22     10.10.11.247     [-] netadmin:VeRyUniUqWiFIPasswrd1! 'NoneType' object has no attribute 'auth_password'
SSH         10.10.11.247    22     10.10.11.247     [-] samantha.wood93:VeRyUniUqWiFIPasswrd1! 'NoneType' object has no attribute 'auth_password'
SSH         10.10.11.247    22     10.10.11.247     [-] olivia.walker17:badpassword 'NoneType' object has no attribute 'auth_password'
SSH         10.10.11.247    22     10.10.11.247     [-] netadmin:badpassword 'NoneType' object has no attribute 'auth_password'
SSH         10.10.11.247    22     10.10.11.247     [-] samantha.wood93:badpassword 'NoneType' object has no attribute 'auth_password'
SSH         10.10.11.247    22     10.10.11.247     [-] olivia.walker17:goodpassword 'NoneType' object has no attribute 'auth_password'
SSH         10.10.11.247    22     10.10.11.247     [-] netadmin:goodpassword 'NoneType' object has no attribute 'auth_password'
SSH         10.10.11.247    22     10.10.11.247     [-] samantha.wood93:goodpassword 'NoneType' object has no attribute 'auth_password'

Hydra

user@kali:~$ hydra -L users.txt -P pass.txt 10.10.11.247 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-11-09 19:03:40
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ssh://10.10.11.247:22/
[22][ssh] host: 10.10.11.247   login: netadmin   password: VeRyUniUqWiFIPasswrd1!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-11-09 19:03:45

With --laps nxc still tries to add local creds to bloodhound

Describe the bug
NetExec tries to add creds retrieved by --laps to bloodhound because --local-auth is not set but we still do local-auth.
This will fail for obvious reasons.

Solution:
Add somewhere in laps_search in smb.py the line:
self.args.local_auth = True

Will commit the fix asap

Win Bin - Firefox not working anymore?

seeing this constantly whilst running --dpapi

Bug in WebDAV Module Exception Handler

Bug Description

When utilizing the SMB WebDAV module to scan a target, if the credentials are considered valid but are not permissive enough to enumerate shares, specifically the IPC$ share, a stack trace is thrown. Currently, the access denied error isn't handled gracefully by the module's exception handler.

Target Information

Windows Server 2019 Datacenter
Password protected sharing turned off
Promoted to a domain controller
No user accounts created besides default administrator account

Attacker Information

Ubuntu 22.04 LTS
Python 3.10.12
NetExec v1.0.0 installed from source with Poetry

To Reproduce

As a reminder, no accounts other than the default administrator account were created on the domain controller. The username and password shown are those actually used. No error occurs when an empty password is provided (see session recording below).

Command: nxc smb 10.0.0.5 -u username -p password -M webdav

Expected behavior

The exception handler should gracefully handle the error, very much like the --shares switch does (as seen in the session recording provided below). Here is an example of how I believe the error should be handled, the fix for which will be included in my pull request:

Session Recording

UnicodeEncodeError when password contains € symbol

Describe the bug

When the password contains a € symbol, authentication fails due to an encoding error.
It is possible to bypass this error by using the hash.

To Reproduce
Steps to reproduce the behavior i.e.:
Command: netexec smb -u user -p Mo€bius
Resulted in:

netexec smb 192.168.56.10 -u user -p Mo€bius 
SMB         192.168.56.10   445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corpo.local) (signing:True) (SMBv1:False)
[06:02:29] ERROR    UnicodeEncodeError on: 'user:Mo€bius'. Trying again with a different encoding...                                                                                                                               smb.py:467
SMB         192.168.56.10   445    DC01             [-] corpo.local\MBO:Mo€bius STATUS_LOGON_FAILURE
...

Expected behavior
A valid connection is expected.

NetExec info

OS: Ubuntu 22.04.1 and kali 6.5.0-kali3-amd64
Version of nxc: 1.1.0 - nxc4u
Installed from: poetry and pipx

ldap-checker module not detecting LDAPS channel binding

Describe the bug
When I use the ldap-checker module, I'm getting an error when attempt to binds to LDAPS.

To Reproduce
Steps to reproduce the behavior i.e.:
Command: nxc ldap XX.YY.ZZ.ZZ --port 636 -u 'USER' -p pass.txt -d 'test.local' -M ldap-checker
Resulted in:

SMB         XX.YY.ZZ.ZZ     445    DCTEST1         [*] Windows 10.0 Build 17763 x64 (name:DCTEST1) (domain:test.local) (signing:True) (SMBv1:False)
LDAP        XX.YY.ZZ.ZZ     636    DCTEST1         [+] test.local\USER:XXXXXXXX 
LDAP-CHE... XX.YY.ZZ.ZZ     636    DCTEST1         LDAP Signing NOT Enforced!
LDAP-CHE... XX.YY.ZZ.ZZ     636    DCTEST1         [-] ERROR while connecting to test.local: an integer is required (got type NoneType)

Expected behavior
LDAPS bindings to check status of channel binding.

NetExec info

OS: Exegol on Manjaro host
Version of nxc: 1.1.0
Installed from: pipx installation

Module rdp hangs on Windows when ACTION=enable

Describe the bug
When running the rdp module, and specifying ACTION=enable on Windows, it hangs. This problem is exaserbated by not being able to properly ctrl-c on Windows (see #61).

To Reproduce
Command: netexec smb -u username -p password -m rdp -o ACTION=enable

Expected behavior
Command should execute and then exit.

NetExec info

OS: Windows
Version of nxc: develop branch (as of 10/12/2023)
Installed from: GitHub

git tags

Ref. byt3bl33d3r/CrackMapExec#800

If this become the official cme community fork, could you please recreate at least all previous git tags and create new git tags and github release for cme 6.0 and 6.1 please.

Error on SMB using wrong password

Describe the bug
I'm getting an error while trying to bruteforce passwords using a user list and the same list as passwords.
I'm working on the manager box from HTB but I've got the same issue on my home lab

To Reproduce
Steps to reproduce the behavior i.e.:
Command: netexec smb manager.htb -u users.txt -p users.txt
Resulted in:

┌──(fr3sh㉿DeathStar)-[~/Documents/Challenges/hackTheBox/Manager]
└─$ netexec smb manager.htb -u users.txt -p users.txt 
SMB         10.10.11.236    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
[15:20:39] ERROR    Exception while calling proto_flow() on target 10.10.11.236: too many values to unpack (expected 2)                                                      connection.py:123
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smbconnection.py:278 in login                                            │                  
                    │                                                                                                                                                      │                  
                    │   275 │   │   │   if self.getDialect() == smb.SMB_DIALECT:                                                                                           │                  
                    │   276 │   │   │   │   return self._SMBConnection.login(user, password, domain, lmhash, nthash,                                                       │                  
                    │       ntlmFallback)                                                                                                                                  │                  
                    │   277 │   │   │   else:                                                                                                                              │                  
                    │ ❱ 278 │   │   │   │   return self._SMBConnection.login(user, password, domain, lmhash, nthash)                                                       │                  
                    │   279 │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                     │                  
                    │   280 │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                       │                  
                    │   281                                                                                                                                                │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smb3.py:1040 in login                                                    │                  
                    │                                                                                                                                                      │                  
                    │   1037 │   │   │   │   │   │   self._Session['SigningKey'] = crypto.KDF_CounterMode                                                                  │                  
                    │        (exportedSessionKey, b"SMB2AESCMAC\x00",                                                                                                      │                  
                    │   1038 │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │                                                                     │                  
                    │        b"SmbSign\x00", 128)                                                                                                                          │                  
                    │   1039 │   │   │   try:                                                                                                                              │                  
                    │ ❱ 1040 │   │   │   │   if packet.isValidAnswer(STATUS_SUCCESS):                                                                                      │                  
                    │   1041 │   │   │   │   │   sessionSetupResponse = SMB2SessionSetup_Response(packet['Data'])                                                          │                  
                    │   1042 │   │   │   │   │   self._Session['SessionFlags'] = sessionSetupResponse['SessionFlags']                                                      │                  
                    │   1043 │   │   │   │   │   self._Session['SessionID']    = packet['SessionID']                                                                       │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smb3structs.py:458 in isValidAnswer                                      │                  
                    │                                                                                                                                                      │                  
                    │    455 │   def isValidAnswer(self, status):                                                                                                          │                  
                    │    456 │   │   if self['Status'] != status:                                                                                                          │                  
                    │    457 │   │   │   from . import smb3                                                                                                                │                  
                    │ ❱  458 │   │   │   raise smb3.SessionError(self['Status'], self)                                                                                     │                  
                    │    459 │   │   return True                                                                                                                           │                  
                    │    460 │                                                                                                                                             │                  
                    │    461 │   def __init__(self, data = None):                                                                                                          │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication                               
                    information.)                                                                                                                                                             
                                                                                                                                                                                              
                    During handling of the above exception, another exception occurred:                                                                                                       
                                                                                                                                                                                              
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py:465 in plaintext_login                                       │                  
                    │                                                                                                                                                      │                  
                    │    462 │   │   │   self.domain = domain                                                                                                              │                  
                    │    463 │   │   │                                                                                                                                     │                  
                    │    464 │   │   │   try:                                                                                                                              │                  
                    │ ❱  465 │   │   │   │   self.conn.login(self.username, self.password, domain)                                                                         │                  
                    │    466 │   │   │   except UnicodeEncodeError:                                                                                                        │                  
                    │    467 │   │   │   │   self.logger.error(f"UnicodeEncodeError on:                                                                                    │                  
                    │        '{self.username}:{self.password}'. Trying again with a different encoding...")                                                                │                  
                    │    468 │   │   │   │   self.create_conn_obj()                                                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/impacket/smbconnection.py:280 in login                                            │                  
                    │                                                                                                                                                      │                  
                    │   277 │   │   │   else:                                                                                                                              │                  
                    │   278 │   │   │   │   return self._SMBConnection.login(user, password, domain, lmhash, nthash)                                                       │                  
                    │   279 │   │   except (smb.SessionError, smb3.SessionError) as e:                                                                                     │                  
                    │ ❱ 280 │   │   │   raise SessionError(e.get_error_code(), e.get_error_packet())                                                                       │                  
                    │   281 │                                                                                                                                              │                  
                    │   282 │   def kerberosLogin(self, user, password, domain='', lmhash='', nthash='', aesKey='',                                                        │                  
                    │       kdcHost=None, TGT=None,                                                                                                                        │                  
                    │   283 │   │   │   │   │     TGS=None, useCache=True):                                                                                                │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    SessionError: SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or                         
                    authentication information.                                                                                                                                               
                                                                                                                                                                                              
                    During handling of the above exception, another exception occurred:                                                                                                       
                                                                                                                                                                                              
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:121 in __init__                                                 │                  
                    │                                                                                                                                                      │                  
                    │   118 │   │   │   sleep(value)                                                                                                                       │                  
                    │   119 │   │                                                                                                                                          │                  
                    │   120 │   │   try:                                                                                                                                   │                  
                    │ ❱ 121 │   │   │   self.proto_flow()                                                                                                                  │                  
                    │   122 │   │   except Exception as e:                                                                                                                 │                  
                    │   123 │   │   │   self.logger.exception(f"Exception while calling proto_flow() on target                                                             │                  
                    │       {self.host}: {e}")                                                                                                                             │                  
                    │   124                                                                                                                                                │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:168 in proto_flow                                               │                  
                    │                                                                                                                                                      │                  
                    │   165 │   │   if self.create_conn_obj():                                                                                                             │                  
                    │   166 │   │   │   self.logger.debug("Created connection object")                                                                                     │                  
                    │   167 │   │   │   self.enum_host_info()                                                                                                              │                  
                    │ ❱ 168 │   │   │   if self.print_host_info() and (self.login() or (self.username == "" and                                                            │                  
                    │       self.password == "")):                                                                                                                         │                  
                    │   169 │   │   │   │   if hasattr(self.args, "module") and self.args.module:                                                                          │                  
                    │   170 │   │   │   │   │   self.logger.debug("Calling modules")                                                                                       │                  
                    │   171 │   │   │   │   │   self.call_modules()                                                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:465 in login                                                    │                  
                    │                                                                                                                                                      │                  
                    │   462 │   │   if not self.args.no_bruteforce:                                                                                                        │                  
                    │   463 │   │   │   for secr_index, secr in enumerate(secret):                                                                                         │                  
                    │   464 │   │   │   │   for user_index, user in enumerate(username):                                                                                   │                  
                    │ ❱ 465 │   │   │   │   │   if self.try_credentials(domain[user_index], user, owned[user_index],                                                       │                  
                    │       secr, cred_type[secr_index], data[secr_index]):                                                                                                │                  
                    │   466 │   │   │   │   │   │   owned[user_index] = True                                                                                               │                  
                    │   467 │   │   │   │   │   │   if not self.args.continue_on_success:                                                                                  │                  
                    │   468 │   │   │   │   │   │   │   return True                                                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/connection.py:407 in try_credentials                                          │                  
                    │                                                                                                                                                      │                  
                    │   404 │   │   │   │   │   return self.kerberos_login(domain, username, secret, "", "",                                                               │                  
                    │       self.kdcHost, False)                                                                                                                           │                  
                    │   405 │   │   │   │   elif hasattr(self.args, "domain"):  # Some protocols don't use domain                                                          │                  
                    │       for login                                                                                                                                      │                  
                    │   406 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext with                                                             │                  
                    │       domain")                                                                                                                                       │                  
                    │ ❱ 407 │   │   │   │   │   return self.plaintext_login(domain, username, secret)                                                                      │                  
                    │   408 │   │   │   │   elif self.args.protocol == "ssh":                                                                                              │                  
                    │   409 │   │   │   │   │   self.logger.debug("Trying to authenticate using plaintext over SSH")                                                       │                  
                    │   410 │   │   │   │   │   return self.plaintext_login(username, secret, data)                                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/fr3sh/.local/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py:503 in plaintext_login                                       │                  
                    │                                                                                                                                                      │                  
                    │    500 │   │   │   │   self.create_conn_obj()                                                                                                        │                  
                    │    501 │   │   │   return True                                                                                                                       │                  
                    │    502 │   │   except SessionError as e:                                                                                                             │                  
                    │ ❱  503 │   │   │   error, desc = e.getErrorString()                                                                                                  │                  
                    │    504 │   │   │   self.logger.fail(                                                                                                                 │                  
                    │    505 │   │   │   │   f'{domain}\\{self.username}:{process_secret(self.password)} {error}                                                           │                  
                    │        {f"({desc})" if self.args.verbose else ""}',                                                                                                  │                  
                    │    506 │   │   │   │   color="magenta" if error in smb_error_status else "red",                                                                      │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    ValueError: too many values to unpack (expected 2)   
...

Expected behavior
Nice and clean output like with ldap which is working just fine

NetExec info
DEBUG PYTHON VERSION: 3.11.6 (main, Oct 8 2023, 05:06:43) [GCC 13.2.0]
DEBUG RUNNING ON: Linux Release: 6.5.0-kali3-amd64

Installed from: pipx

Remove DNS alias from crackmapexec.wiki -> netexec.wiki

Hello,

Please remove the DNS alias that's currently redirecting crackmapexec.wiki to netexec.wiki.

Thank you.

LAPS auth with smb currently crashing with `-id`

Describe the bug
Due to the current implementation of --laps it will crash when using credentials from the database.

To Reproduce
Steps to reproduce the behavior i.e.:
Command: netexec smb [ip] -id 1 --laps
Resulted in:
Exception, see screenshot

Expected behavior
Query laps password in ldap with user and password retrieved by the db.

Screenshots

NetExec info

OS: kali-rolling
Version of nx: latest
Installed from: github upstream

Additional Context
This is due to smb.py line 369 where laps_search is called with direct usernam&password from args and not from db

pennyw0rth / netexec Goto Github PK

netexec's Introduction

NetExec - The Network Execution Tool

Official Discord Channel

Documentation, Tutorials, Examples

Installation

Linux

Development

Acknowledgments

Code Contributors

netexec's People

Contributors

Stargazers

Watchers

Forkers

netexec's Issues

Recommend Projects

Recommend Topics

Recommend Org