Feature(audit-mode): redact SAM/LSA/NTDS, DPAPI/SCCM and Kerberos/GMSA secrets when audit_mode is enabled#1319
Open
Goultarde wants to merge 6 commits into
Open
Conversation
Audit mode already masked login credentials but not those coming from --sam, --lsa and --ntds. Reuses the same mechanism (audit_mode) to keep only the identifier (username, secret name, GMSA ID) and mask the rest of the line shown on screen. The database and export files still keep the full data.
Adds a keep parameter to process_secret_dump so the NTDS callback can preserve domain\username:rid while still masking the LM/NT hashes in audit mode.
Reuses process_secret_dump on the highlighted hashcat-format hash lines, keeping the identifying part (user@domain for AS-REP, user/realm/SPN for Kerberoasting) visible while masking the crackable checksum/data.
Same masking as the LSA GMSA output: --gmsa, --gmsa-convert-id and --gmsa-decrypt-lsa now mask the derived NTLM, AES128 and AES256 keys via process_secret while keeping the account name and read-permission list visible.
Masks password/token/cookie_value in the credential, browser, vault and Firefox DPAPI callbacks via process_secret, keeping the identifying fields (winuser, url/target/resource, username) visible on screen and in the export file. The database still stores the full unredacted secrets.
Masks the NAA account password, task sequence secret and collection variable value via process_secret, keeping the identifying fields (username, variable name, tag) visible. The database still stores the full unredacted secrets.
Goultarde
requested review from
Marshall-Hallenbeck,
NeffIsBack,
mpgn and
zblurx
as code owners
July 17, 2026 01:43
Member
|
Thanks for the PR! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
audit_mode(set vianxc.conf) already masked most single-value secrets (process_secret), but a bunch of dump outputs still printed credential material in full even with the option turned on:--sam,--lsa,--ntds), including GMSA LSA secrets--dpapi,--sccm): NAA accounts, task sequence secrets, collection variables, browser/vault credentialsThis is meant for demos/screenshots/audit reports where you want to show that a secret was recovered without leaking the actual value.
Changes:
process_secret_dump()innxc/config.py: splits a dump line on a separator and redacts everything past the firstkeepfields (so username/RID/tag stays visible, the actual secret gets masked), falling back toprocess_secret()for lines with no separator.process_secret_dump()into the SAM/LSA/NTDS dump paths and the SCCM/DPAPI credential lines innxc/protocols/smb.py.process_secret()/process_secret_dump()into the Kerberoasting/AS-REP roasting and GMSA key output innxc/protocols/ldap.py.audit_modeis disabled (the default), all of this is a no-op:process_secret/process_secret_dumpreturn the line unchanged.Type of change
Setup guide for the review
Enable audit mode in
~/.nxc/nxc.confunder the[nxc]section (audit_mode = X, any masking character/string), then run against a target with recoverable secrets:--sam,--lsa,--ntdson a domain controller or local machine--dpapi/--sccm wmion a host with SCCM/DPAPI secrets--kerberoasting/--asreproast/--gmsaagainst the domainCompare output with
audit_modedisabled: usernames/RIDs/tags stay visible, but the actual hash/password/secret value should be masked with the configured character. Withaudit_modedisabled (default), output should be byte-for-byte identical to before this change.Screenshots (if appropriate):
SAM/LSA/NTDS:

DPAPI/SCCM:

Kerberoasting and AS-REP roasting:

gmsa:

Checklist:
poetry run ruff check ., use--fixto automatically fix what it can)tests/e2e_commands.txtfile if necessary (new modules or features are required to be added to the e2e tests)