Recycle bin module
Description
This PR adds the Recycle Bin module that will list files in the Recycle Bin. It will parse the associated metadata files in the Recycle Bin to display the "Original Location" of the deleted file; this can give a good indication of whether or not the file is interesting. You can also download files using the module options.
I have a few things on my TODO list that I will implement as soon as I can as well as update the NetExec documentation.
Feel free to make any comments on the implementation/development as it's not my speciality 😆!
Type of change
- [x] New feature (non-breaking change which adds functionality)
- [x] This change requires a documentation update
How Has This Been Tested?
I have tested this module against my local Windows 11 VM (Microsoft Windows 11 Enterprise Evaluation) from my Kali VM running Python 3.12.8.
Screenshots:
Here is an example of deleted files in the Recycle Bin:
We can list files in the Recycle Bin with this command:
poetry run nxc smb 192.168.1.42 -u user -p potato -M recycle_bin
or download them with this command:
poetry run nxc smb 192.168.1.42 -u user -p potato -M recycle_bin -o DOWNLOAD=true
Checklist:
- [x] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
- [x] I have added or updated the tests/e2e_commands.txt file if necessary
- [ ] New and existing e2e tests pass locally with my changes
- [x] My code follows the style guidelines of this project (should be covered by Ruff above)
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki/pull/39)
TODO:
- [x] Implement the display of file deletion time to know when the file was deleted (this information should be in the metadata file but I couldn't parse it correctly)
- [x] Handle directories in the Recycle Bin as well as single files
- [x] Specify what files you want to download as a module option filter
Thanks for the PR!
If you still want to work on that module it's best to turn the PR into a "DRAFT", so that we know it is still worked on :)
I have made all the changes that I had planned and also created a PR for the associated documentation for the NetExec wiki.
Here is an updated screenshot for the changes that handle displaying the deletion time of files, directories and using a filter to download specific files.
I have gone ahead and removed the draft tag from my PR :)
Any updates?
Hi, to be honest I lost track a bit of all currently open PRs. A few minutes ago I just merged https://github.com/Pennyw0rth/NetExec/pull/463 which has the same purpose. However, your PR contains a few pretty cool features that the module from @Dfte does not. Could you integrate your Pull Request into the current recycle bin module?
Hey, oh I didn't even realise there was a previous module for the Recycle Bin by @Dfte 😆 ! I will have to take a look and see how easy it is to integrate into that.
FYI, until this has been resolved I will turn it into a DRAFT PR so that it is clear it isn't ready for review :)
@ledrypotato have you had a chance to look at the other module and see if you can integrate anything?
> @ledrypotato have you had a chance to look at the other module and see if you can integrate anything?
Hey, not yet unfortunately. I should have some more time beginning of next month.
Hi, I finally had some time to look at this merge.
To be honest I moved most of my code that I had into Dfte's module. I removed the registry key logic to fetch the username since we can get that information from the metadata file in the Recycle Bin (files that start with $I).
- [x] I updated the e2e_commands.txt file
- [x] I ran ruff against the code
Here is an updated screenshot of the output when specifying that you want to download files (-o DOWNLOAD=true) with a filter on the file name (FILTER=password).
poetry run nxc smb 192.168.1.42 -u user -p potato -M recyclebin -o DOWNLOAD=true FILTER=password
Most of the code I originally posted remains the same. I felt it was easier to keep what I already had than try and merge everything. That said I did review the original code to check if things were better in it. Perhaps the connection.spider is more efficient, I will let you decide as you are more familiar.
Feel free to give any feedback on what should be changed/optimized.
Only took a short look at the code, but looks mostly good from what I can tell 👍
Yeah the logic remains the same. As a side note I personally prefer the naming convention with the underscore (recycle_bin) and it aligns with most other module names which are multiple words. I'll let you decide what suits best.
> As a side note I personally prefer the naming convention with the underscore (recycle_bin) and it aligns with most other module names which are multiple words. I'll let you decide what suits best.
I don't mind either, but it is currently pretty mixed. Not sure what is better, but at some point we'll probably enforce one of the two; I'll leave it as is for now.
I think underscore is easier to read and I was going to normalize it eventually, maybe after the module arg stuff.