Open quahac opened 1 day ago
Hi, this looks interesting. I would prefer having this as an internal option, for example something like --db-ids perhaps?
Also we should probably directly connect to the db object in the protocol (self.conn.db) and use sqlalchemy to communicate with the database.
@ajanvrin take a look at this. That is something similar to what you had in mind, right?
In my previous version of Crackmapexec, I included more functions, but I streamlined it to focus solely on smb.db in NetExec. I misused some internal options :-], which may inspire you to expand its functionality (or not).
https://github.com/quahac/CME-Module-info
crackmapexec smb 10.10.10.10 -M info --ntds (Prints Administrator and krbtgt hashes)
[+] NTDS: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-05-31_081331.ntds
[+] NTDS: Administrator:500:111f37ed915c5716aad3b435b51404ee:eb37f9cd74303274cb923442a7348ef4:::
[+] NTDS: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f031bf1f16bba6f9de84dffcc164e0f8:::
[+] NTDS: LM Crack: [hashcat -m 3000 -a 3 /location] or [john --format=lm /location] detected 18x (Prints when available)
[+] NTDS: NT Crack: [hashcat -m 1000 -a 3 /location] or [john --format=nt /location]
crackmapexec smb 10.10.10.10 -M info --sam (Prints from the SAM file only the local Administrator with a valid password)
[+] SAM: Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
crackmapexec smb 10.10.10.10 -M info --lsa
[+] LSA: dpapi_machinekey:0x4e467fabe4afb57..ce3730
[+] LSA: dpapi_userkey:0x0797f33ba6c6043ff7..1558bc
[+] LSA: NL$KM:c53c6dcd9cff1a4cf8355c4f3c40..32d1be
crackmapexec smb 10.10.10.10 -M info --only-file (Prints all LOG file locations)
[+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-05-31_081331.ntds
[+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-21_113422.sam
[+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-23_180720.secrets
[+] LOG: location: ...snip..
crackmapexec smb 10.10.10.10 -M info --only-file --sam
[+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-21_113422.sam
crackmapexec smb 10.10.10.10 -M info --only-file --lsa
[+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-06-23_180720.secrets
crackmapexec smb 10.10.10.10 -M info --only-file --ntds
[+] LOG: location: /root/.cme/logs/TEST-PC_192.168.56.113_2022-05-31_081331.ntds
Sounds good 👍 feel free to open up a PR so we can properly work on it
In fact, this would really simplify the use of nxc. There are situations when one account has administrator rights on one of the hosts, but not on another. Currently, nxc does not allow you to separate one from the other, so you have to combine hosts into groups by credentials and run commands separately for each group (i.e. first for hosts with credentials -id 1, then for hosts with credentials -id 2, etc.). For myself, I implemented this using bash, but it would be much more convenient if nxc selected credentials with administrator rights when authorizing on each host automatically.
The current NetExec tool does not allow users to quickly check past connections and their access rights. It relies only on the nxcdb or sqlite database files, like smb.db. Because of this limitation, users often have to try multiple login requests to find different login information, which can be time-consuming and inefficient.

I suggest creating a new module called Info to provide a faster way to check past connections. I have a working solution: this module is designed to check the smb.db file for previously connected sessions. It verifies if the connection was established with System or Administrator rights when accessing the host.

Example Usage
Script source: https://github.com/quahac/Netexec-Module-Info
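The lookup that both the issue body and the comment above describe (which stored credentials already hold admin rights on a given host, read from smb.db) as an added example; it is not quahac's module or NetExec's own code. It assumes a reduced schema modelled on the smb.db hosts, users and admin_relations tables, populated with constructed sample rows in place of a real database file.

```python
import sqlite3

# Assumed schema, modelled on smb.db's hosts/users/admin_relations tables and
# reduced to the columns the lookup needs (the real file has more columns).
SCHEMA = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, ip TEXT, hostname TEXT, domain TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, domain TEXT, username TEXT,
                    password TEXT, credtype TEXT);
CREATE TABLE admin_relations (id INTEGER PRIMARY KEY, userid INTEGER, hostid INTEGER);
"""

# Constructed sample rows: cred 1 is admin on TEST-PC only, cred 2 on FILE01
# only, cred 3 is stored without admin rights and WS02 has no admin cred yet.
SAMPLE_ROWS = [
    "INSERT INTO hosts VALUES (1, '10.10.10.10', 'TEST-PC', 'LAB')",
    "INSERT INTO hosts VALUES (2, '10.10.10.11', 'FILE01', 'LAB')",
    "INSERT INTO hosts VALUES (3, '10.10.10.12', 'WS02', 'LAB')",
    "INSERT INTO users VALUES (1, 'LAB', 'alice', '<plaintext>', 'plaintext')",
    "INSERT INTO users VALUES (2, 'LAB', 'svc_backup', '<lm:nt hash>', 'hash')",
    "INSERT INTO users VALUES (3, 'LAB', 'bob', '<plaintext>', 'plaintext')",
    "INSERT INTO admin_relations VALUES (1, 1, 1)",
    "INSERT INTO admin_relations VALUES (2, 2, 2)",
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for smb.db; sqlite3.connect(path) would open the real file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt in SAMPLE_ROWS:
        conn.execute(stmt)
    conn.commit()
    return conn


def admin_creds_for_host(conn: sqlite3.Connection, ip: str) -> list:
    """Credentials recorded as admin on `ip`, as (cred id, DOMAIN\\user, credtype)."""
    rows = conn.execute(
        """SELECT u.id, u.domain, u.username, u.credtype
           FROM admin_relations r
           JOIN users u ON u.id = r.userid
           JOIN hosts h ON h.id = r.hostid
           WHERE h.ip = ? ORDER BY u.id""",
        (ip,),
    ).fetchall()
    # The secret itself stays in the database; only the id used with `-id <n>` is surfaced.
    return [(uid, f"{dom}\\{user}", ctype) for uid, dom, user, ctype in rows]


def admin_cred_map(conn: sqlite3.Connection) -> dict:
    """Every known host ip -> ids of credentials with admin rights ([] if none yet)."""
    hosts = conn.execute("SELECT ip FROM hosts ORDER BY id").fetchall()
    return {ip: [c[0] for c in admin_creds_for_host(conn, ip)] for (ip,) in hosts}
```

admin_cred_map is the per-host view the comment above asks for: a caller can pick the credential id for each target from it instead of grouping hosts by hand.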