diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py index 924d72db1..59b13dce0 100755 --- a/nxc/protocols/smb.py +++ b/nxc/protocols/smb.py @@ -318,7 +318,7 @@ def print_host_info(self): smbv1 = colored(f"SMBv1:{self.smbv1}", host_info_colors[2], attrs=["bold"]) if self.smbv1 else colored(f"SMBv1:{self.smbv1}", host_info_colors[3], attrs=["bold"]) self.logger.display(f"{self.server_os}{f' x{self.os_arch}' if self.os_arch else ''} (name:{self.hostname}) (domain:{self.targetDomain}) ({signing}) ({smbv1})") - if self.args.generate_hosts_file: + if self.args.generate_hosts_file or self.args.generate_krb5_file: from impacket.dcerpc.v5 import nrpc, epm self.logger.debug("Performing authentication attempts...") isdc = False @@ -328,9 +328,31 @@ def print_host_info(self): except DCERPCException: self.logger.debug("Error while connecting to host: DCERPCException, which means this is probably not a DC!") - with open(self.args.generate_hosts_file, "a+") as host_file: - host_file.write(f"{self.host} {self.hostname} {self.hostname}.{self.targetDomain} {self.targetDomain if isdc else ''}\n") - self.logger.debug(f"{self.host} {self.hostname} {self.hostname}.{self.targetDomain} {self.targetDomain if isdc else ''}") + if self.args.generate_hosts_file: + with open(self.args.generate_hosts_file, "a+") as host_file: + host_file.write(f"{self.host} {self.hostname} {self.hostname}.{self.targetDomain} {self.targetDomain if isdc else ''}\n") + self.logger.debug(f"{self.host} {self.hostname} {self.hostname}.{self.targetDomain} {self.targetDomain if isdc else ''}") + elif self.args.generate_krb5_file and isdc: + with open(self.args.generate_krb5_file, "w+") as host_file: + data = f""" +[libdefaults] + dns_lookup_kdc = false + dns_lookup_realm = false + default_realm = { self.domain.upper() } + +[realms] + { self.domain.upper() } = {{ + kdc = { self.hostname.lower() }.{ self.domain } + admin_server = { self.hostname.lower() }.{ self.domain } + default_domain = { self.domain } + }} + +[domain_realm] + .{ self.domain } = { self.domain.upper() } + { self.domain } = { self.domain.upper() } +""" + host_file.write(data) + self.logger.debug(data) return self.host, self.hostname, self.targetDomain diff --git a/nxc/protocols/smb/proto_args.py b/nxc/protocols/smb/proto_args.py index 52078a30f..8ce85dc82 100644 --- a/nxc/protocols/smb/proto_args.py +++ b/nxc/protocols/smb/proto_args.py @@ -21,6 +21,7 @@ def proto_args(parser, parents): smb_parser.add_argument("--smb-timeout", help="SMB connection timeout", type=int, default=2) smb_parser.add_argument("--laps", dest="laps", metavar="LAPS", type=str, help="LAPS authentification", nargs="?", const="administrator") smb_parser.add_argument("--generate-hosts-file", type=str, help="Generate a hosts file like from a range of IP") + smb_parser.add_argument("--generate-krb5-file", type=str, help="Generate a krb5 file like from a range of IP") self_delegate_arg.make_required = [delegate_arg] cred_gathering_group = smb_parser.add_argument_group("Credential Gathering", "Options for gathering credentials") diff --git a/tests/e2e_commands.txt b/tests/e2e_commands.txt index a1f4b1a55..edbbba191 100644 --- a/tests/e2e_commands.txt +++ b/tests/e2e_commands.txt @@ -2,6 +2,7 @@ netexec -h ##### SMB netexec smb TARGET_HOST --generate-hosts-file /tmp/hostsfile +netexec smb TARGET_HOST --generate-krb5-file /tmp/krb5conf netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS # need an extra space after this command due to regex netexec {DNS} smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --shares