
refactor keepass_discover module

Open lodos2005 opened this issue 3 months ago • 2 comments

Description

This PR completely refactors the keepass_discover module, removing its dependency on PowerShell and introducing a more efficient, tiered search strategy.

Key Changes:

  • Native Process Enumeration: Process discovery now uses impacket's TSTS.LegacyAPI instead of Get-Process.
  • Tiered File Search: A new fast search (FILES) checks only common KeePass installation and configuration directories. The existing deep search (DEEP_FILES) now uses the native connection.spider() method for a comprehensive scan.
  • Improved Module Options: DEFAULT: the new default option; combines process discovery with a fast file search. ALL: combines process discovery with a deep file search for the most thorough scan.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] Deprecation of feature or functionality
  • [ ] This change requires a documentation update
  • [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Screenshots (if appropriate):

Screenshot 2025-09-11 at 02 13 54

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • [x] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • [ ] I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • [x] New and existing e2e tests pass locally with my changes
  • [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

lodos2005, Sep 10 '25 23:09
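To make the two search tiers from the PR description concrete, here is an added example that is not code from this PR or from NetExec. It models a share listing as a plain list of paths (constructed sample data), runs a fixed-depth "fast" match over a handful of assumed KeePass install and config locations, and a name-only "deep" match at any depth that stands in for a connection.spider() walk. The directory templates, the process of mapping DEFAULT/ALL to the tiers, and the function names are all assumptions made for the example, not the module's own list.

```python
import fnmatch

# Constructed sample listing of a C$ share walk (sample data, not real output).
SAMPLE_SHARE = [
    r"Program Files\KeePass Password Safe 2\KeePass.exe",
    r"Program Files\KeePass Password Safe 2\KeePass.exe.config",
    r"Users\alice\AppData\Roaming\KeePass\KeePass.config.xml",
    r"Users\alice\Documents\work\vault.kdbx",
    r"Users\bob\Desktop\notes.txt",
    r"Windows\System32\cmd.exe",
]

# Fast tier: fixed-depth templates for the usual install and config locations
# (assumed for this example; the module's own directory list is not on the page).
FAST_TEMPLATES = [
    r"program files\keepass password safe 2\keepass.exe",
    r"program files (x86)\keepass password safe 2\keepass.exe",
    r"users\*\appdata\roaming\keepass\keepass.config.xml",
    r"users\*\desktop\*.kdbx",
]

# Deep tier: match on the file name alone at any depth (stand-in for spidering the share).
DEEP_NAME_PATTERNS = ["keepass.exe", "keepass.config.xml", "*.kdbx"]


def _match_template(segments, template):
    """Segment-wise glob match: '*' never crosses a directory separator, and the depth must match."""
    tsegs = template.split("\\")
    return len(segments) == len(tsegs) and all(
        fnmatch.fnmatchcase(s, t) for s, t in zip(segments, tsegs)
    )


def fast_search(listing):
    """Cheap tier: only paths that sit exactly where KeePass normally installs or stores config."""
    hits = []
    for path in listing:
        segs = path.lower().split("\\")
        if any(_match_template(segs, t) for t in FAST_TEMPLATES):
            hits.append(path)
    return hits


def deep_search(listing):
    """Thorough tier: every path whose file name looks like a KeePass binary, config or database."""
    hits = []
    for path in listing:
        name = path.lower().rsplit("\\", 1)[-1]
        if any(fnmatch.fnmatchcase(name, p) for p in DEEP_NAME_PATTERNS):
            hits.append(path)
    return hits


def discover_files(listing, mode="DEFAULT"):
    """Hypothetical option mapping mirroring the PR's names: DEFAULT -> fast tier, ALL -> deep tier."""
    if mode == "DEFAULT":
        return fast_search(listing)
    if mode == "ALL":
        return deep_search(listing)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for mode in ("DEFAULT", "ALL"):
        print(mode, discover_files(SAMPLE_SHARE, mode))
```

The point of the split shows up in the sample: the database under Users\alice\Documents\work is only found by the deep tier, which is exactly the coverage you trade away for the fast tier's speed.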

Nice! Thanks for the PR!

NeffIsBack, Sep 10 '25 23:09

Hey man! Thank you for the PR. I believe we should keep the Get-Process cmd thing, because if RDP is not enabled on the remote host, the named pipe won't be reachable.

This is the message I output with the --tasklist option:

image

So can you modify the PR to add this:

try:
    # get process list via TSTS (named pipe)
    processes = get_processes_via_tsts()  # hypothetical helper
except Exception:
    # pipe not reachable (RDP disabled): fall back to powershell / cmd
    processes = get_processes_via_powershell()  # hypothetical helper

Dfte, Sep 28 '25 13:09
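The fallback structure asked for in the comment above, as an added example that is not code from this PR, from Dfte, or from NetExec. The TSTS path and the command runner are both injected callables so the example runs offline: in the real module the first would wrap impacket's TSTS.LegacyAPI as the PR describes, and the second would run a Get-Process or tasklist command through the existing command-execution path. The tasklist CSV text is constructed sample output, the PipeUnreachable exception and the KeePass process-name set are assumptions, and the function names are hypothetical.

```python
import csv
import io

# Process names treated as KeePass (assumed for this example; the module's own list is not on the page).
KEEPASS_PROCESS_NAMES = {"keepass.exe", "keepassxc.exe"}


class PipeUnreachable(Exception):
    """Hypothetical error raised by the TSTS path when the named pipe cannot be opened (e.g. RDP disabled)."""


# Constructed sample of `tasklist /V /FO CSV` output (not captured from a real host).
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"\n'
    '"System Idle Process","0","Services","0","8 K","Unknown","NT AUTHORITY\\SYSTEM","1:02:03","N/A"\n'
    '"KeePass.exe","4120","Console","1","61,204 K","Running","CORP\\alice","0:00:05","Vault - KeePass"\n'
    '"explorer.exe","3912","Console","1","90,000 K","Running","CORP\\alice","0:00:10","N/A"\n'
)


def parse_tasklist_csv(output):
    """Turn `tasklist /V /FO CSV` text into (image name, user name) pairs; quoted commas are handled by csv."""
    rows = csv.DictReader(io.StringIO(output))
    return [(r["Image Name"], r.get("User Name", "")) for r in rows]


def enumerate_processes(tsts_enum, cmd_exec):
    """Prefer the TSTS named-pipe enumeration; fall back to a command-based listing only on failure.

    tsts_enum: callable returning [(name, user), ...] or raising PipeUnreachable / OSError
    cmd_exec:  callable taking a command string and returning its stdout as text
    Returns (source, processes) so the caller can report which path produced the list.
    """
    try:
        procs = tsts_enum()
        source = "tsts"
    except (PipeUnreachable, OSError):
        # Pipe not reachable (RDP disabled): run the fallback on the except path, not on success.
        procs = parse_tasklist_csv(cmd_exec("tasklist /V /FO CSV"))
        source = "tasklist"
    return source, procs


def find_keepass(procs):
    """Filter an enumeration result down to KeePass processes and the users running them."""
    return [(name, user) for name, user in procs if name.lower() in KEEPASS_PROCESS_NAMES]


# Fakes standing in for the two transports so the flow can be exercised offline.
def fake_tsts_ok():
    return [("svchost.exe", "NT AUTHORITY\\SYSTEM"), ("KeePassXC.exe", "CORP\\bob")]


def fake_tsts_down():
    raise PipeUnreachable("named pipe not reachable")


def fake_cmd_exec(command):
    assert command.startswith("tasklist")
    return SAMPLE_TASKLIST


if __name__ == "__main__":
    for tsts in (fake_tsts_ok, fake_tsts_down):
        source, procs = enumerate_processes(tsts, fake_cmd_exec)
        print(source, find_keepass(procs))
```

Note that the fallback lives in the except branch: with try/except/else the else branch only runs when the TSTS call succeeded, which would be the opposite of what the comment intends.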