new module: smb > presence #561


Open
wants to merge 36 commits into base: main

Conversation

crosscutsaw
Contributor

Description

during my engagements, i hunt a lot of local administrators. both local administrator and local administrator privileged domain user. before seeking tokens, lsass dump or process injection; i always do "-x 'dir c:\users'" and "-x tasklist /v" for getting first level user information. if there is a domain admin user then the scenario is completed. but if not, there is a lot of work. grepping "-x tasklist /v" is time consuming and not a meta.

this module first executes 'net group "domain admins" /domain' and 'net group "enterprise admins" /domain'. then seeks domain level admin users in c:\users and tasklist /v command output. also:

  • it seeks only dotted administrator folders in c:\users, i.e. domainname.administrator (the built-in administrator will not be shown on a dc -- we don't need it tho..)
  • it seeks both dotted and non-dotted domain level admin users in c:\users, i.e. domainname.emreadmin and emreadmin.
  • it seeks only domain-named tasks in tasklist for administrator, i.e. domainname\administrator is shown, localmachinename\administrator is not shown.

please note that i need help to improve this module. this is as far as i could get with my current knowledge.

Type of change

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

tested on a dummy domain, a domain controller and a domain client machine.

Screenshots (if appropriate):

[screenshot: domain admin and enterprise admin users]

[screenshot: check on client with local admin creds]

[screenshot: opening a cmd as domain admin]

[screenshot: check again]

[screenshot: check after creating folder with admin name]

[screenshot: check on dc with domain admin creds]

Checklist:

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary
  • New and existing e2e tests pass locally with my changes
  • My code follows the style guidelines of this project (should be covered by Ruff above)
  • If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
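The three matching rules from the description, as an added example written here and not the module's own code: it runs the folder and task filters over constructed `dir c:\users` folder names and `tasklist /v` user-name values, with the domain name `corp` and the admin list assumed, so a defender can reproduce which entries would be flagged as Tier 0 presence on a non-Tier 0 host.

```python
# Added example (not NetExec's code): apply the PR's three presence rules
# to constructed sample data. Domain name, admin set and sample output are
# assumptions made up for this illustration.

DOMAIN = "corp"
# Constructed result of `net group "domain admins" /domain` (lower-cased).
ADMINS = {"administrator", "emreadmin"}

# Constructed folder names as listed by `dir c:\users`.
USER_FOLDERS = [
    "Public", "bob", "corp.administrator", "administrator",
    "emreadmin", "corp.emreadmin", "WS01.administrator",
]

# Constructed values of the "User Name" column of `tasklist /v`.
TASK_USERS = [
    "NT AUTHORITY\\SYSTEM", "WS01\\administrator", "CORP\\administrator",
    "corp\\bob", "CORP\\emreadmin",
]


def admin_folders(folders, domain, admins):
    """Rules 1 and 2: dotted built-in administrator only; other domain
    admins both as 'domain.user' and as plain 'user'."""
    domain = domain.lower()
    others = {a.lower() for a in admins if a.lower() != "administrator"}
    hits = []
    for folder in folders:
        name = folder.lower()
        if name == f"{domain}.administrator":          # rule 1
            hits.append(folder)
        elif name in others or name in {f"{domain}.{a}" for a in others}:
            hits.append(folder)                        # rule 2
    return hits


def admin_tasks(task_users, domain, admins):
    """Rule 3: only 'DOMAIN\\user' entries count; 'HOST\\administrator'
    and non-admin domain users are ignored."""
    admins = {a.lower() for a in admins}
    hits = []
    for entry in task_users:
        dom, sep, user = entry.partition("\\")
        if sep and dom.lower() == domain.lower() and user.lower() in admins:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    print("folders:", admin_folders(USER_FOLDERS, DOMAIN, ADMINS))
    print("tasks:", admin_tasks(TASK_USERS, DOMAIN, ADMINS))
```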

high privilege smb module that traces domain level admin presences in target
@NeffIsBack
Member

Quite a nice module, thanks for the contribution! Gonna take a closer look at it when i got the time

@crosscutsaw
Contributor Author

9f9ed93

added legacy windows support, changed logging style and tried to group hosts in latest update.

presence

Member

@NeffIsBack NeffIsBack left a comment


Really like the idea of the module, but i think we should try to accomplish it without command execution if possible. That way AVs will not detect/stop the execution that easy. Especially task listing is often kinda risky.

If you need help feel free to dm me or someone else on discord/twitter or reach out on here.

@crosscutsaw
Contributor Author

4992c45


updated module with every request resolved. also, thank you for the help!

@crosscutsaw crosscutsaw requested a review from NeffIsBack May 17, 2025 19:14
Member

@NeffIsBack NeffIsBack left a comment


When you finished please check if your code matches the formatting/style guidelines: poetry run ruff check . --preview

@crosscutsaw
Contributor Author

fce0ed7

done.

@crosscutsaw crosscutsaw requested a review from NeffIsBack May 18, 2025 06:53
NeffIsBack
NeffIsBack previously approved these changes May 27, 2025
Member

@NeffIsBack NeffIsBack left a comment


As imo you would use this module when scanning large ranges looking for Tier 0 Admins on non-Tier 0 systems i reduced the amount of log statements a bit. E.g. the queried administrators are now only visible with the --verbose flag.

LGTM:

NeffIsBack
NeffIsBack previously approved these changes May 27, 2025
@NeffIsBack
Member

Fyi, also fixed a minor logging bug in the change-password module

@crosscutsaw
Contributor Author

looks good, i will def need to try on a real world pentest. i hold the original in my arsenal. :))

thank you for your extended support on this. really appreciated.

@NeffIsBack
Member

Thanks for the work!
If you find differences between the original version and this one please let me know and we fix it!

NeffIsBack
NeffIsBack previously approved these changes May 29, 2025
Member

@NeffIsBack NeffIsBack left a comment


Added the ability to enumerate scheduled tasks where the logonType is Password. Therefore, these users will have the password in dpapi:

@NeffIsBack
Member

I will hide non admins behind the --verbose flag as the module explicitly is for searching domain/enterprise admins
