Skip to content

Feature(audit-mode): redact SAM/LSA/NTDS, DPAPI/SCCM and Kerberos/GMSA secrets when audit_mode is enabled#1319

Open
Goultarde wants to merge 6 commits into
Pennyw0rth:mainfrom
Goultarde:feature/audit-mode-hide-dumps
Open

Feature(audit-mode): redact SAM/LSA/NTDS, DPAPI/SCCM and Kerberos/GMSA secrets when audit_mode is enabled#1319
Goultarde wants to merge 6 commits into
Pennyw0rth:mainfrom
Goultarde:feature/audit-mode-hide-dumps

Conversation

@Goultarde

@Goultarde Goultarde commented Jul 17, 2026

Copy link
Copy Markdown

Description

audit_mode (set via nxc.conf) already masked most single-value secrets (process_secret), but a bunch of dump outputs still printed credential material in full even with the option turned on:

  • SAM/LSA/NTDS dumps (--sam, --lsa, --ntds), including GMSA LSA secrets
  • DPAPI/SCCM loot (--dpapi, --sccm): NAA accounts, task sequence secrets, collection variables, browser/vault credentials
  • LDAP-side Kerberoasting and AS-REP roasting hashes
  • GMSA NTLM/AES keys read from LDAP

This is meant for demos/screenshots/audit reports where you want to show that a secret was recovered without leaking the actual value.

Changes:

  • Added process_secret_dump() in nxc/config.py: splits a dump line on a separator and redacts everything past the first keep fields (so username/RID/tag stays visible, the actual secret gets masked), falling back to process_secret() for lines with no separator.
  • Wired process_secret_dump() into the SAM/LSA/NTDS dump paths and the SCCM/DPAPI credential lines in nxc/protocols/smb.py.
  • Wired process_secret()/process_secret_dump() into the Kerberoasting/AS-REP roasting and GMSA key output in nxc/protocols/ldap.py.
  • When audit_mode is disabled (the default), all of this is a no-op: process_secret/process_secret_dump return the line unchanged.

Type of change

  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)
  • This PR was created with the assistance of AI (Claude Code, used to draft the redaction logic and wire it into the SMB/LDAP dump paths; reviewed and tested manually)

Setup guide for the review

Enable audit mode in ~/.nxc/nxc.conf under the [nxc] section (audit_mode = X, any masking character/string), then run against a target with recoverable secrets:

  • --sam, --lsa, --ntds on a domain controller or local machine
  • --dpapi / --sccm wmi on a host with SCCM/DPAPI secrets
  • LDAP --kerberoasting / --asreproast / --gmsa against the domain

Compare output with audit_mode disabled: usernames/RIDs/tags stay visible, but the actual hash/password/secret value should be masked with the configured character. With audit_mode disabled (default), output should be byte-for-byte identical to before this change.

Screenshots (if appropriate):

SAM/LSA/NTDS:
image

DPAPI/SCCM:
image

Kerberoasting and AS-REP roasting:
image

gmsa:
image

Checklist:

  • I have ran Ruff against my changes (poetry: poetry run ruff check ., use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
  • I have performed a self-review of my own code (not an AI review)
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

Audit mode already masked login credentials but not those coming from --sam, --lsa and --ntds. Reuses the same mechanism (audit_mode) to keep only the identifier (username, secret name, GMSA ID) and mask the rest of the line shown on screen. The database and export files still keep the full data.
Adds a keep parameter to process_secret_dump so the NTDS callback can preserve domain\username:rid while still masking the LM/NT hashes in audit mode.
Reuses process_secret_dump on the highlighted hashcat-format hash lines, keeping the identifying part (user@domain for AS-REP, user/realm/SPN for Kerberoasting) visible while masking the crackable checksum/data.
Same masking as the LSA GMSA output: --gmsa, --gmsa-convert-id and --gmsa-decrypt-lsa now mask the derived NTLM, AES128 and AES256 keys via process_secret while keeping the account name and read-permission list visible.
Masks password/token/cookie_value in the credential, browser, vault and Firefox DPAPI callbacks via process_secret, keeping the identifying fields (winuser, url/target/resource, username) visible on screen and in the export file. The database still stores the full unredacted secrets.
Masks the NAA account password, task sequence secret and collection variable value via process_secret, keeping the identifying fields (username, variable name, tag) visible. The database still stores the full unredacted secrets.
@NeffIsBack

Copy link
Copy Markdown
Member

Thanks for the PR!

@NeffIsBack NeffIsBack added the enhancement New feature or request label Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants