NetExec
NetExec copied to clipboard
Pennyw0rth
Potential Dependency Downgrades for Netexec's Kali Package
Hey,
Could the following dependencies be downgraded to versions available in Kali Linux/Debian to facilitate the build and distribution of netexec?
| Package Name | Version Required | Version Available |
|---|---|---|
| python3-aardwolf | 0.2.7 | 0.2.2-0kali1 |
| python3-aiosqlite | 0.19.0 | 0.17.0-2 |
| python3-asyauth | 0.0.14 | 0.0.9-0kali2 |
| python3-libnmap | 0.7.3 | 0.7.2-1 |
| python3-lsassy | 3.1.8 | 3.1.6-0kali1 |
| python3-masky | 0.2.0 | 0.1.1-0kali2 |
| python3-minikerberos | 0.4.1 | 0.4.0-0kali1 |
| python3-paramiko | 3.3.1 | 2.12.0-2 |
| python3-pyasn1-modules | 0.3.0 | 0.2.8-1 |
| python3-pypykatz | 0.6.8 | 0.6.6-0kali1 |
| python3-sqlalchemy | 2.0.4 | 1.4.50+ds1-1 |
| python3-termcolor | 2.0.1 | 1.1.0-4 |
In the table above, the packages that have kali in them, i.e., 0kali1, are maintained by the Kali Team, while the rest are provided/available in Kali by Debian (upstream).
In theory, a ticket could be opened for all of them at their respective provided for a version bump. However, many other packages might depend on the specific version(s) of each respective package, thus preventing an upgrade to the library in question (for a long time) - such as sqlalchemy.
As a result, would it be possible to build and use netexec (with no compromise of functionality) using the versions available in Kali/Debian? If so, could a downgrade be made to facilitate this?
Beyond what's listed in the table above, #205 is pending the switch from impacket to impacket-nxc (or whatever applicable name) to be packaged. Other than that, the other dependencies (that are not listed here) are at the required versions, if not higher.
If an upgrade is not possible for a specific package, I will contact the package's maintainers and see if an upgrade is possible.
Thanks in advance.
Why do you prefer to install the dependencies via the apt package over the pip install ?
(no offense in this question at all)
Why do you prefer to install the dependencies via the apt package over the pip install ?
(no offense in this question at all)
Because I am packaging netexec for Kali, Debian's packaging guidelines require you to use python3-libraryname packages to build and deploy the package.
Submitted to following upgrade requests to Kali:
- python3-asysocks: https://bugs.kali.org/view.php?id=8672
- python3-asyauth: https://bugs.kali.org/view.php?id=8673
- python3-masky: https://bugs.kali.org/view.php?id=8677
- python3-minikerberos: https://bugs.kali.org/view.php?id=8678
- python3-lsassy: https://bugs.kali.org/view.php?id=8679
- python3-pypykatz: https://bugs.kali.org/view.php?id=8680
Quoting my reply in #216:
msldapis a dependency ofpypykatz, which requiresmsldap>=0.5.7,<=0.6.0for0.6.9. I have relayed to Sophie Brun that they should considermsldap>=0.5.10,<=0.6.0instead, giving consideration to this ticket.Reference: https://bugs.kali.org/view.php?id=8680#c19062
Pinned dependencies and updated lock file: https://github.com/Pennyw0rth/NetExec/tree/kali-packaging
Although already in the poetry install process aardwolf 0.2.2 crashes. Has maybe something to do with this commit and rust, but can't fix it at the moment. Working though with the next version aardwolf=0.2.6 and its dependency asyauth=0.0.12
https://github.com/skelsec/aardwolf/commit/820dd5b2656d6cf6203e5a058e18c9adc4a28c84
With keeping the following packages as-is and downgrading the rest as requested it seems to work smoothly so far:
- aardwolf = 0.2.6
- asyauth = 0.0.13 (dependency of aardwolf)
- sqlalchemy = 2.0.4
Commit: 35fe8b33e686122e3ba95c5ffe43a5b3fa0429a6 should be stable (so far)
Kali should upgrade and netexec shouldn't downgrade anything that we don't have deep knowledge off what trade of is done for each package we downgrade, my two cents. Especially with skelsec packages which are all linked together and many fix are done at each version. Same with masky etc etc
Kali should upgrade and netexec shouldn't downgrade anything that we don't have deep knowledge off what trade of is done for each package we downgrade, my two cents. Especially with skelsec packages which are all linked together and many fix are done at each version. Same with masky etc etc
As discussed in Discord, the following packages will be upgraded, as they are maintained by Kali:
python3-asysauth: https://bugs.kali.org/view.php?id=8673python3-asysocks: https://bugs.kali.org/view.php?id=8672python3-masky: https://bugs.kali.org/view.php?id=8677python3-lsassy: https://bugs.kali.org/view.php?id=8679 (Already upgraded, currently v3.1.9 is available in Kali repositories)python3-pypykatz: https://bugs.kali.org/view.php?id=8680 (python3-msldaphas been upgraded to0.5.10)python3-minikerberos: https://bugs.kali.org/view.php?id=8678python3-aardwolf: https://bugs.kali.org/view.php?id=8692
In general, I've asked the team to update these packages to the latest version available, with the exception of msldap.
Beyond the ones I pointed out, the following require downgrade tests:
python3-aiosqlitepython3-libnmappython3-paramikopython3-pyasn1-modulespython3-termcolor
As discussed with @NeffIsBack, python3-sqlalchemy should be the last package to be downgraded, as that seems to have the most issues. The Debian packages are harder to request upgrades for, because they may be tied to many more packages than they are in Kali. For example, sqlalchemy is still 1.4.50+ds1-1 in Debian Testing i.e. kali-rolling, despite 2.0.19+ds1-1 being implemented in Debian Experimental. However, the maintainers have not pushed this to Testing because over 290 packages rely on sqlalchemy (on Debian side), (compared to 87 in Kali), and with major changes to the APIs, this will break a lot of those 290 packages.
@Arszilla the packages in the kali-packaging branch should match the versions requested now. Can you test that and also update the table from the initial issue text? I think its good to track the current state there.
The only thing missing is an update from impacket on kali & testing right?
I will be testing a new build ASAP, probably once all the tickets I've raised in Kali side are closed, which I hope will be later this week if the team has time to upgrade them.
Beyond that, if all Debian-based dependencies have been downgraded (with the exception of impacket), including sqlalchemy, then yes, we will need Debian to update their package to reflect the latest state of the repository, which would then be reflected to Kali as soon as it moved from Debian Unstable to Debian Testing (sid).
So a status update: I have not had a chance to check the kali-packaging branch, as I am waiting on the following packages to be updated:
- https://bugs.kali.org/view.php?id=8680
- https://bugs.kali.org/view.php?id=8680
- https://bugs.kali.org/view.php?id=8672
- https://bugs.kali.org/view.php?id=8677
- https://bugs.kali.org/view.php?id=8678
- https://bugs.kali.org/view.php?id=8692
- impacket (by Debian)
However, I was informed earlier today that the Kali Team may fork impacket off of Debian and update it to the current state of the repository to get NetExec packaged, because its been nearly a month since I submitted a ticket to Debian's bug tracker (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067093)
Once Kali Team updates the packages they maintain and there's some more clarity/certainty surrounding impacket, I'll be updating this issue again and testing the packaging once more.
Quick update:
impackethas been forked and upgraded to package to version0.11.0+git20240410.ae3b5db-0kali1. It should be noted that Debian prefers to wait for a new upstream release with the changes.- pypykatz: https://bugs.kali.org/view.php?id=8680 is now done.
v0.6.9is inkali-dev.
The following are still pending upgrades before I can resume packaging:
- aardwolf: https://bugs.kali.org/view.php?id=8692
- asyauth: https://bugs.kali.org/view.php?id=8673
- asysocks: https://bugs.kali.org/view.php?id=8672
- masky: https://bugs.kali.org/view.php?id=8677
- minikerberos: https://bugs.kali.org/view.php?id=8678
@NeffIsBack as requested, below is a list of the state of all dependencies of NetExec (based on kali-packaging branch):
| Package | Version Required | Version Available | Status |
|---|---|---|---|
| aardwolf | 0.2.8 | 0.2.2-0kali1 | ✅ |
| aioconsole | 0.6.2 | 0.7.0-0kali1 | ✅ |
| aiosqlite | 0.17.0 | 0.17.0-2 | ⬇️✅ |
| argcomplete | 3.1.4 | 3.1.4-1 | ✅ |
| asyauth | 0.0.20 | 0.0.20-0kali1 | ✅ |
| beautifulsoup4 | 4.11 (< 5) | 4.12.3-1 | ✅ |
| bloodhound | 1.7.2 | 1.7.2-0kali2 | ✅ |
| dploot | 2.2.1 | 2.6.2-0kali1 | ✅ |
| dsinternals | 1.2.4 | 1.2.4+git20230301.edb3fc8-0kali1 | ✅ |
| impacket | Current Git with NetExec Patches | 0.11.0+git20240410.ae3b5db-0kali1 | ✅ |
| lsassy | 3.1.10 | 3.1.9-0kali1 | ✅ |
| masky | 0.2.0 | 0.2.0-0kali1 | ✅ |
| minikerberos | 0.4.1 | 0.4.4-0kali1 | ✅ |
| msgpack | 1.0.0 | 1.0.3-3+b1 | ✅ |
| msldap | 0.5.10 | 0.5.10-0kali1 | ✅ |
| neo4j | 5.0.0 | 5.2.1-0kali1 | ✅ |
| paramiko | 2.12.0 | 2.12.0-2 | ⬇️✅ |
| pyasn1-modules | 0.2.8 | 0.2.8-1 | ⬇️✅ |
| pylnk3 | 0.4.2 | 0.4.2-0kali2 | ✅ |
| pypsrp | 0.8.1 | 0.8.1-0kali2 | ✅ |
| pypykatz | 0.6.6 | 0.6.6-0kali1 | ⬇️✅ |
| python-dateutil | 2.8.2 | 2.9.0-2 | ✅ |
| python-libnmap | 0.7.2 | 0.7.3-1 | ✅ |
| python | 3.8.0 | 3.11.6-1 | ✅ |
| pywerview | 0.3.3 | 0.3.3-0kali1 | ✅ |
| requests | 2.27.1 | 2.31.0+dfsg-1 | ✅ |
| rich | 13.3.5 | 13.7.1-1 | ✅ |
| sqlalchemy | 1.4.50 | 1.4.50+ds1-1 | ⬇️✅ |
| termcolor | 1.1.0 | 2.4.0-1 | ✅ |
| terminaltables | 3.1.0 | 3.1.10-4 | ✅ |
| xmltodict | 0.13.0 | 0.13.0-1 | ✅ |
Do note that I wrote the "Version Required" as a "minimum version required" basically. Only bs4 (beautifulsoup) had a version restriction.
EDIT by @NeffIsBack: Updated, added "⬇️" as in "this was downgraded to match kali packages.
EDIT as of 2024-04-20 @ 15:30 GMT +3 All of the dependencies listed above have been met.
EDIT by @NeffIsBack 2024-04-24:
Added msldap = "^0.5.10" to reflect the latest changes in #269
@Arszilla gonna update your comment from now on to reflect the latest changes here
@Marshall-Hallenbeck we should make sure ssh works on this branch as we had to downgrade paramiko a major version.
I've updated https://github.com/Pennyw0rth/NetExec/issues/211#issuecomment-2053766376 as all the dependencies have been met. Right now, I am able to build netexec without any issues.
I will wait till all the dependencies are available in kali-rolling (as they are available in kali-dev currently). Once they are available, I'll distribute the .deb to some people to get people to test if there are any issues between kali-packaging and main branches.
I've updated https://github.com/Pennyw0rth/NetExec/issues/211#issuecomment-2053766376 as all the dependencies have been met. Right now, I am able to build netexec without any issues. However, the version of dependencies listed for the built binary is based on the statements that can be found in pyproject.toml. Thus we end up with netexec requiring python3-sqlalchemy = 1.4.50, instead of >= 1.4.50 (because the version available in Debian is 1.4.50+ds1-1, which will not match 1.4.50
https://github.com/Pennyw0rth/NetExec/blob/bc50a2ce87ac89a3d42e922c25c2b02cf9a2aaf8/pyproject.toml#L59
Can this be changed to be ">=1.4.50, @NeffIsBack?
EDIT
Also, please update pyproject.toml to have LF line terminators, not CRLF. Because currently, when I generate a patch based off of pyproject.toml, I get the following:
$ file pyproject.toml
pyproject.toml: ASCII text, with CRLF line terminators
$ file debian/patches/fix-sqlalchemy-version.patch
debian/patches/fix-sqlalchemy-version.patch: unified diff output, ASCII text, with CRLF, LF line terminators
@Arszilla updated the sqlalchemy to ^1.4.50 so we don't end up with 2.x which would break the stuff again.
I will change the CRLF to LF in #269 and when that's merged i will update the kali-packaging branch with it. This PR will pin crucial packages in the main branch to minimum the version which is available in kali.
