Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix mmcexec method thanks to @ippsec AND a lot of other small things #361

Merged
merged 22 commits into from
Jul 6, 2024
Merged

Fix mmcexec method thanks to @ippsec AND a lot of other small things #361

merged 22 commits into from
Jul 6, 2024

Conversation

mpgn
Copy link
Collaborator

@mpgn mpgn commented Jun 30, 2024
edited
Loading

During @IppSec video about JAB Hackthebox Windows, he spotted a bug related to dcom exec.

https://youtu.be/tprP-GDW_6c?si=mjIlmENq92Kx_u6E&t=1659

To execute remote commands using dcom you don't need to be admin (or have the privilege to start a service) making the check (admin_require) not relevant for this method.
This PR fix the problem :)

Before:
image

After:

image

Command exec:

image

@mpgn mpgn added the bug-fix This Pull Request fixes a bug label Jun 30, 2024
@NeffIsBack
Copy link
Contributor

Also pushed a small fix for a bug with add-computer.py when the domain couldn't be resolved

@mpgn
Copy link
Collaborator Author

mpgn commented Jul 2, 2024

last commit fix a hugggggee stacktrace if port 636 is closed (aka ldaps not open)
image

@mpgn mpgn changed the title Fix mmcexec method thanks to @ippsec Fix mmcexec method thanks to @ippsec AND a lot of other small things Jul 4, 2024
@NeffIsBack
Copy link
Contributor

Updated lsassy to 3.1.12 as it fixes an issue where lsassy would hang on failure:
login-securite/lsassy#98

NeffIsBack
NeffIsBack reviewed Jul 5, 2024
View reviewed changes
nxc/protocols/smb.py Show resolved Hide resolved
nxc/protocols/smb.py Outdated Show resolved Hide resolved
@NeffIsBack
Copy link
Contributor

Previously --laps login was broken, now fixed with --kdcHost <FQDN of the dc>:
image

@NeffIsBack
Copy link
Contributor

Fixed authentication without NTLM being available:
image

If there is no NTLM we need a hostname for authentication.
For the records here:

NetExec/nxc/protocols/smb.py

Line 527 in ccbeb4e

self.remoteName,

self.remotename needs a valid hostname for kerberos auth afaik.

NeffIsBack
NeffIsBack approved these changes Jul 6, 2024
View reviewed changes
Copy link
Contributor

@NeffIsBack NeffIsBack left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mpgn mpgn merged commit 71cb5e9 into main Jul 6, 2024
6 checks passed
@mpgn mpgn deleted the dcom_fix branch July 6, 2024 10:11
@mpgn mpgn added this to the v1.3.0 milestone Sep 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NeffIsBack NeffIsBack NeffIsBack approved these changes

@zblurx zblurx Awaiting requested review from zblurx zblurx is a code owner

@Marshall-Hallenbeck Marshall-Hallenbeck Awaiting requested review from Marshall-Hallenbeck Marshall-Hallenbeck is a code owner

Assignees
No one assigned
Labels
bug-fix This Pull Request fixes a bug
Projects
None yet
Milestone
v1.3.0
Development

Successfully merging this pull request may close these issues.
2 participants
@mpgn @NeffIsBack