new module: smb > presence

[crosscutsaw]

Description

during my engagements, i hunt a lot of local administrators. both local administrator and local administrator privileged domain user. before seeking tokens, lsass dump or process injection; i always do "-x 'dir c:\users'" and "-x tasklist /v" for getting first level user information. if there is a domain admin user then the scenario is completed. but if not, there is a lot of work. grepping "-x tasklist /v" is time consuming and not a meta.

this module first executes 'net group "domain admins" /domain' and 'net group "enterprise admins" /domain'. then seeks domain level admin users in c:\users and tasklist /v command output. also:

-it seeks only dotted administrator folders in c:\users. ie. domainname.administrator (built in administrator will be not shown on dc -- we don't need it tho..)
-it seeks both dotted and non dotted domain level admin users in c:\users. ie. domainname.emreadmin and emreadmin.
-it seeks only domain named tasks in tasklist for administrator. ie. domainname\administrator is shown, localmachinename\administrator is not shown.

please note that i need help to improve this module. this is as far as i could get with my current knowledge.

Type of change

• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

tested on a dummy domain, a domain controller and a domain client machine.

Screenshots (if appropriate):

domain admin and enterprise admin users:

check on client with local admin creds:

opening a cmd as domain admin:

check again:

check after creating folder with admin name:

check on dc with domain admin creds:

Checklist:

• I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary
• New and existing e2e tests pass locally with my changes
• My code follows the style guidelines of this project (should be covered by Ruff above)
• If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Quite a nice module, thanks for the contribution! Gonna take a closer look at it when i got the time

[crosscutsaw]

9f9ed93

added legacy windows support, changed logging style and tried to group hosts in latest update.

[NeffIsBack]

Really like the idea of the module, but i think we should try to accomplish it without command execution if possible. That way AVs will not detect/stop the execution that easy. Especially task listing is often kinda risky.

If you need help feel free to dm me or someone else on discord/twitter or reach out on here.

[crosscutsaw]

4992c45

updated module with every request resolved. also, thank you for the help!

[NeffIsBack]

When you finished please check if your code matches the formatting/style guidelines: poetry run ruff check . --preview

[crosscutsaw]

fce0ed7

done.

[NeffIsBack]

As imo you would use this module when scanning large ranges looking for Tier 0 Admins on non-Tier 0 systems i reduced the amount of log statements a bit. E.g. the queried administrators are now only visible with the --verbose flag.

LGTM:

[NeffIsBack]

Fyi, also fixed a minor logging bug in the change-password module

[crosscutsaw]

looks good, i will def need to try on a real world pentest. i hold the original in my arsenal. :))

thank you for your extended support on this. really appreciated.

[NeffIsBack]

Thanks for the work!
If you find differences between the original version and this one please let me know and we fix it!

[NeffIsBack]

Added the ability to enumerate scheduled tasks where the logonType is Password. Therefore, these users will have the password in dpapi:

[NeffIsBack]

I will hide non admins behind the --verbose flag as the module explicitly is for searching domain/enterprise admins