[DNS] Add DNS args
Changelog:
- Fixed #184
- Fixed lots of connection stuff which uses kdcHost
- Allow forcing IPv6 with -6
- Allow specifying a DNS server with --dns-server
- Allow using TCP DNS queries with --dns-tcp
- Set the DNS query timeout with --dns-timeout
- Auto resolve the DC IP and set it as kdcHost, which means you can play with Kerberos stuff without setting /etc/hosts files
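The four flags in the changelog map onto decisions any stub resolver makes on the wire: which server to ask, UDP or TCP transport, how long to wait, and whether to request an A or an AAAA record. The following is an added illustration written for this thread, not NetExec's or impacket's resolver: a standard-library-only resolver whose function names (`build_query`, `frame_tcp`, `parse_answers`, `resolve`) and defaults (port 53, 3 s timeout) are assumptions, with no EDNS or CNAME chasing. It also shows the two checks a tool that takes a DC address from DNS should not skip: the reply's transaction ID must match the query, and compression pointers must be bounded so a crafted reply cannot loop the parser.

```python
import secrets
import socket
import struct

QTYPE_A = 1       # IPv4 address record
QTYPE_AAAA = 28   # IPv6 address record (what -6 asks for)


def build_query(name, want_ipv6=False, txid=0x1234):
    """Build a DNS query message: 12-byte header plus one question."""
    qtype = QTYPE_AAAA if want_ipv6 else QTYPE_A
    # id, flags (RD=1 asks the server to recurse), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        qname += struct.pack("B", len(raw)) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def frame_tcp(message):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # compression pointer
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                     # refuse malicious pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_answers(msg, txid, qtype):
    """Return addresses of type qtype from a response; the ID must match the
    query (basic anti-spoofing) and RCODE must be 0."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("DNS error, RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):                  # skip echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                           # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == qtype == QTYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == qtype == QTYPE_AAAA and rdlen == 16:
            addresses.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return addresses


def resolve(name, dns_server, use_tcp=False, timeout=3.0, want_ipv6=False):
    """Ask dns_server (--dns-server) for name over TCP or UDP (--dns-tcp),
    giving up after timeout seconds (--dns-timeout); AAAA when want_ipv6 (-6)."""
    txid = secrets.randbits(16)               # unpredictable ID per query
    qtype = QTYPE_AAAA if want_ipv6 else QTYPE_A
    query = build_query(name, want_ipv6, txid)
    if use_tcp:
        with socket.create_connection((dns_server, 53), timeout=timeout) as sock:
            sock.sendall(frame_tcp(query))
            length = struct.unpack("!H", sock.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = sock.recv(length - len(data))
                if not chunk:
                    raise ConnectionError("server closed the connection early")
                data += chunk
    else:
        family = socket.AF_INET6 if ":" in dns_server else socket.AF_INET
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)          # raises socket.timeout on expiry
            sock.sendto(query, (dns_server, 53))
            data, _ = sock.recvfrom(4096)
    return parse_answers(data, txid, qtype)
```

`resolve("dc01.company.com", "172.16.188.10", use_tcp=True, timeout=5)` is the equivalent of `--dns-server 172.16.188.10 --dns-tcp --dns-timeout 5` in the commands shown later in this thread. Two design points are worth keeping in any real implementation: the transaction ID is drawn from `secrets` rather than a counter, because a resolver that accepts any reply with the right source port can be handed a wrong address for the DC, and the hop cap in `_read_name` turns a pointer loop in a malformed reply into an exception instead of a hang.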
awesome, you did it ! 🎉
Before
After
Tested working for me
┌──(babadmin㉿kakali) - 23:44:04 - [/tmp/NetExec]
└─$ poetry run nxc --dns-server 172.16.188.10 ldap 172.16.188.10 -u wario -p XXXXX --users
SMB 172.16.188.10 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:company.com) (signing:True) (SMBv1:False)
LDAP 172.16.188.10 389 DC01 [+] company.com\wario:XXXXX
LDAP 172.16.188.10 389 DC01 [*] Total of records returned 13
LDAP 172.16.188.10 389 DC01 Administrator Built-in account for administering the computer/domain
LDAP 172.16.188.10 389 DC01 Guest Built-in account for guest access to the computer/domain
LDAP 172.16.188.10 389 DC01 company company
LDAP 172.16.188.10 389 DC01 krbtgt Key Distribution Center Service Account
LDAP 172.16.188.10 389 DC01 leon
LDAP 172.16.188.10 389 DC01 joe
LDAP 172.16.188.10 389 DC01 peach
LDAP 172.16.188.10 389 DC01 mario
LDAP 172.16.188.10 389 DC01 wario
LDAP 172.16.188.10 389 DC01 yoshi
@mpgn current is not ready, I want to play with kdchost, it would be useful
This is amazing! It finally solves the dns problem, even without setting a dns server! @bmigette can you try if that also works for you without setting it manually?
With this PR, now we can play with Kerberos more easily than before (except DCOM)
MSSQL Current is not changed, will change it after #136 is merged
@XiaoliChan yo this is awesome!
Now MSSQL is supported with DNS
Before:
After:
MMCExec(DCOMExec) is not working with kerberos: https://github.com/fortra/impacket/issues/1611
@bmigette Can you test this pr again?
Hi @XiaoliChan, sure I can test the LDAP part again. I'm not home right now but will do Monday or Tuesday. Thanks a lot for your work, that looks very nice :)
SMB:
RDP:
WMI:
MSSQL (with PR https://github.com/Pennyw0rth/impacket/pull/9 merge):
LDAP:
@mpgn The e2e command is added
@XiaoliChan Tested the last commit from your DNS Branch with ldap:
┌──(babadmin㉿kakali) - 10:09:26 - [/tmp/NetExec]
└─$ git log -n 1
commit 059013a0ab5d2f4cbea2fb72d16babfdebfc9883 (HEAD -> dns, origin/dns)
Author: XiaoliChan <[email protected]>
Date: Tue Mar 12 16:36:06 2024 +0800
[lib] update impacket
Signed-off-by: XiaoliChan <[email protected]>
┌──(babadmin㉿kakali) - 10:08:36 - [/tmp/NetExec]
└─$ sudo poetry run nxc --dns-server 172.16.112.6 ldap 172.16.112.6 -u administrator -p 'XXXXXXXX' --users
[*] First time use detected
[*] Creating home directory structure
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
[*] Creating default workspace
[*] Initializing MSSQL protocol database
[*] Initializing FTP protocol database
[*] Initializing SSH protocol database
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing WMI protocol database
[*] Initializing VNC protocol database
[*] Initializing WINRM protocol database
[*] Initializing LDAP protocol database
[*] Copying default configuration file
SMB 172.16.112.6 445 DC02 [*] Windows Server 2022 Build 20348 x64 (name:DC02) (domain:company.com) (signing:True) (SMBv1:False)
LDAP 172.16.112.6 389 DC02 [+] company.com\administrator:xxxx (Pwn3d!)
LDAP 172.16.112.6 389 DC02 [*] Total of records returned 19
LDAP 172.16.112.6 389 DC02 Administrator Built-in account for administering the computer/domain
LDAP 172.16.112.6 389 DC02 Guest Built-in account for guest access to the computer/domain
LDAP 172.16.112.6 389 DC02 krbtgt Key Distribution Center Service Account
LDAP 172.16.112.6 389 DC02 maildmz
LDAP 172.16.112.6 389 DC02 jim
LDAP 172.16.112.6 389 DC02 michelle
LDAP 172.16.112.6 389 DC02 andrea
LDAP 172.16.112.6 389 DC02 mountuser
LDAP 172.16.112.6 389 DC02 iis_service
LDAP 172.16.112.6 389 DC02 internaladmin
LDAP 172.16.112.6 389 DC02 larry
LDAP 172.16.112.6 389 DC02 jenny
LDAP 172.16.112.6 389 DC02 brad
LDAP 172.16.112.6 389 DC02 anna
LDAP 172.16.112.6 389 DC02 dan
LDAP 172.16.112.6 389 DC02 milana
All seems good to me :)
@bmigette The DNS arg doesn't need sudo privilege, anyway, thanks for your test!
I had to use sudo because poetry install didn't work for some reason with my user and I didn't want to troubleshoot that :)
Even without the dns server option it should work now, the dns option is only useful if you use the fqdn of the server, it makes no sense to use it with an ip @bmigette 😉
Yeah we need several refactors of variable names, etc. The core of CME was mostly copy pasted from Impacket, which was written in Python 2, so it's been like a decade of poor naming conventions. I fully support renaming to sane (and Pythonic) variable/class names whenever we can.
@XiaoliChan Can you also add the --dns-tcp and --dns-timeout to the e2e tests? Since it's reliant on the DNS option you'll probably have to do some hackery to test them with and without those options...
@NeffIsBack I started looking at renaming the variables and unfortunately it's just everywhere. I think we should create an issue to fix the naming conventions everywhere, and just merge this PR as it.
Then let's rename the newly created variables to use the old ones. I just don't want to have duplicate variables.
~~There's so many that overlap I'm just going to try to do as many as I can.~~
Not going to update it myself. I'll fix it across the project after this is merged.
@XiaoliChan i removed the remoteHost variable for now and made some formatting changes. Can you check if everything looks good to you?
Also using wmi and kerberos always shows a successful login, despite providing wrong credentials:
@Marshall-Hallenbeck can you run the test suite against the PR? Just to make sure I didn't miss something with the manual review & testing. The last fix (see above) can be tested manually when fixed.
I ran it before, but I can run it again. Just gotta make sure the new test cases are in the e2e tests.
Fixed some final stuff and running tests now
I think 95ac1af00a056f44d5ca9abe9dd7165395a038a8 destroyed the normal login 😅
