Potential Dependency Downgrades for Netexec's Kali Package

[Arszilla]

Hey,

Could the following dependencies be downgraded to versions available in Kali Linux/Debian to facilitate the build and distribution of netexec?

Package Name	Version Required	Version Available
python3-aardwolf	0.2.7	0.2.2-0kali1
python3-aiosqlite	0.19.0	0.17.0-2
python3-asyauth	0.0.14	0.0.9-0kali2
python3-libnmap	0.7.3	0.7.2-1
python3-lsassy	3.1.8	3.1.6-0kali1
python3-masky	0.2.0	0.1.1-0kali2
python3-minikerberos	0.4.1	0.4.0-0kali1
python3-paramiko	3.3.1	2.12.0-2
python3-pyasn1-modules	0.3.0	0.2.8-1
python3-pypykatz	0.6.8	0.6.6-0kali1
python3-sqlalchemy	2.0.4	1.4.50+ds1-1
python3-termcolor	2.0.1	1.1.0-4

In the table above, the packages that have kali in them, i.e., 0kali1, are maintained by the Kali Team, while the rest are provided/available in Kali by Debian (upstream).

In theory, a ticket could be opened for all of them at their respective provided for a version bump. However, many other packages might depend on the specific version(s) of each respective package, thus preventing an upgrade to the library in question (for a long time) - such as sqlalchemy.

As a result, would it be possible to build and use netexec (with no compromise of functionality) using the versions available in Kali/Debian? If so, could a downgrade be made to facilitate this?

Beyond what's listed in the table above, #205 is pending the switch from impacket to impacket-nxc (or whatever applicable name) to be packaged. Other than that, the other dependencies (that are not listed here) are at the required versions, if not higher.

If an upgrade is not possible for a specific package, I will contact the package's maintainers and see if an upgrade is possible.

Thanks in advance.

[mlec1]

Why do you prefer to install the dependencies via the apt package over the pip install ?

(no offense in this question at all)

[Arszilla]

Why do you prefer to install the dependencies via the apt package over the pip install ?

(no offense in this question at all)

Because I am packaging netexec for Kali, Debian's packaging guidelines require you to use python3-libraryname packages to build and deploy the package.

[Arszilla]

Submitted to following upgrade requests to Kali:

• python3-asysocks: https://bugs.kali.org/view.php?id=8672
• python3-asyauth: https://bugs.kali.org/view.php?id=8673
• python3-masky: https://bugs.kali.org/view.php?id=8677
• python3-minikerberos: https://bugs.kali.org/view.php?id=8678
• python3-lsassy: https://bugs.kali.org/view.php?id=8679
• python3-pypykatz: https://bugs.kali.org/view.php?id=8680

[zblurx]

Hey @Arszilla, can we upgrade msldap to 0.5.10 ? Needed for #216

[Arszilla]

Quoting my reply in #216:

msldap is a dependency of pypykatz, which requires msldap>=0.5.7,<=0.6.0 for 0.6.9. I have relayed to Sophie Brun that they should consider msldap>=0.5.10,<=0.6.0 instead, giving consideration to this ticket.

Reference: https://bugs.kali.org/view.php?id=8680#c19062

[NeffIsBack]

Pinned dependencies and updated lock file:
https://github.com/Pennyw0rth/NetExec/tree/kali-packaging

Although already in the poetry install process aardwolf 0.2.2 crashes. Has maybe something to do with this commit and rust, but can't fix it at the moment. Working though with the next version aardwolf=0.2.6 and its dependency asyauth=0.0.12
skelsec/aardwolf@820dd5b

[NeffIsBack]

With the old sqlalchemy netexec crashes:

[NeffIsBack]

With keeping the following packages as-is and downgrading the rest as requested it seems to work smoothly so far:

• aardwolf = 0.2.6
• asyauth = 0.0.13 (dependency of aardwolf)
• sqlalchemy = 2.0.4

Commit: 35fe8b3 should be stable (so far)

[mpgn]

Kali should upgrade and netexec shouldn't downgrade anything that we don't have deep knowledge off what trade of is done for each package we downgrade, my two cents.
Especially with skelsec packages which are all linked together and many fix are done at each version.
Same with masky etc etc

[Arszilla]

Kali should upgrade and netexec shouldn't downgrade anything that we don't have deep knowledge off what trade of is done for each package we downgrade, my two cents. Especially with skelsec packages which are all linked together and many fix are done at each version. Same with masky etc etc

As discussed in Discord, the following packages will be upgraded, as they are maintained by Kali:

• python3-asysauth: https://bugs.kali.org/view.php?id=8673
• python3-asysocks: https://bugs.kali.org/view.php?id=8672
• python3-masky: https://bugs.kali.org/view.php?id=8677
• python3-lsassy: https://bugs.kali.org/view.php?id=8679 (Already upgraded, currently v3.1.9 is available in Kali repositories)
• python3-pypykatz: https://bugs.kali.org/view.php?id=8680 (python3-msldap has been upgraded to 0.5.10)
• python3-minikerberos: https://bugs.kali.org/view.php?id=8678
• python3-aardwolf: https://bugs.kali.org/view.php?id=8692

In general, I've asked the team to update these packages to the latest version available, with the exception of msldap.

Beyond the ones I pointed out, the following require downgrade tests:

• python3-aiosqlite
• python3-libnmap
• python3-paramiko
• python3-pyasn1-modules
• python3-termcolor

As discussed with @NeffIsBack, python3-sqlalchemy should be the last package to be downgraded, as that seems to have the most issues. The Debian packages are harder to request upgrades for, because they may be tied to many more packages than they are in Kali. For example, sqlalchemy is still 1.4.50+ds1-1 in Debian Testing i.e. kali-rolling, despite 2.0.19+ds1-1 being implemented in Debian Experimental. However, the maintainers have not pushed this to Testing because over 290 packages rely on sqlalchemy (on Debian side), (compared to 87 in Kali), and with major changes to the APIs, this will break a lot of those 290 packages.

[NeffIsBack]

@Arszilla the packages in the kali-packaging branch should match the versions requested now. Can you test that and also update the table from the initial issue text? I think its good to track the current state there.

The only thing missing is an update from impacket on kali & testing right?

[Arszilla]

I will be testing a new build ASAP, probably once all the tickets I've raised in Kali side are closed, which I hope will be later this week if the team has time to upgrade them.

Beyond that, if all Debian-based dependencies have been downgraded (with the exception of impacket), including sqlalchemy, then yes, we will need Debian to update their package to reflect the latest state of the repository, which would then be reflected to Kali as soon as it moved from Debian Unstable to Debian Testing (sid).

[Arszilla]

So a status update: I have not had a chance to check the kali-packaging branch, as I am waiting on the following packages to be updated:

• https://bugs.kali.org/view.php?id=8680
• https://bugs.kali.org/view.php?id=8680
• https://bugs.kali.org/view.php?id=8672
• https://bugs.kali.org/view.php?id=8677
• https://bugs.kali.org/view.php?id=8678
• https://bugs.kali.org/view.php?id=8692
• impacket (by Debian)

However, I was informed earlier today that the Kali Team may fork impacket off of Debian and update it to the current state of the repository to get NetExec packaged, because its been nearly a month since I submitted a ticket to Debian's bug tracker (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067093)

Once Kali Team updates the packages they maintain and there's some more clarity/certainty surrounding impacket, I'll be updating this issue again and testing the packaging once more.

[Arszilla]

Quick update:

• impacket has been forked and upgraded to package to version 0.11.0+git20240410.ae3b5db-0kali1. It should be noted that Debian prefers to wait for a new upstream release with the changes.
• pypykatz: https://bugs.kali.org/view.php?id=8680 is now done. v0.6.9 is in kali-dev.

The following are still pending upgrades before I can resume packaging:

• aardwolf: https://bugs.kali.org/view.php?id=8692
• asyauth: https://bugs.kali.org/view.php?id=8673
• asysocks: https://bugs.kali.org/view.php?id=8672
• masky: https://bugs.kali.org/view.php?id=8677
• minikerberos: https://bugs.kali.org/view.php?id=8678

[zblurx]

@Arszilla also dploot upgrade: https://bugs.kali.org/view.php?id=8714

[Arszilla]

@NeffIsBack as requested, below is a list of the state of all dependencies of NetExec (based on kali-packaging branch):

Package	Version Required	Version Available	Status
aardwolf	0.2.8	0.2.2-0kali1	✅
aioconsole	0.6.2	0.7.0-0kali1	✅
aiosqlite	0.17.0	0.17.0-2	⬇️✅
argcomplete	3.1.4	3.1.4-1	✅
asyauth	0.0.20	0.0.20-0kali1	✅
beautifulsoup4	4.11 (< 5)	4.12.3-1	✅
bloodhound	1.7.2	1.7.2-0kali2	✅
dploot	2.2.1	2.6.2-0kali1	✅
dsinternals	1.2.4	1.2.4+git20230301.edb3fc8-0kali1	✅
impacket	Current Git with NetExec Patches	0.11.0+git20240410.ae3b5db-0kali1	✅
lsassy	3.1.10	3.1.9-0kali1	✅
masky	0.2.0	0.2.0-0kali1	✅
minikerberos	0.4.1	0.4.4-0kali1	✅
msgpack	1.0.0	1.0.3-3+b1	✅
msldap	0.5.10	0.5.10-0kali1	✅
neo4j	5.0.0	5.2.1-0kali1	✅
paramiko	2.12.0	2.12.0-2	⬇️✅
pyasn1-modules	0.2.8	0.2.8-1	⬇️✅
pylnk3	0.4.2	0.4.2-0kali2	✅
pypsrp	0.8.1	0.8.1-0kali2	✅
pypykatz	0.6.6	0.6.6-0kali1	⬇️✅
python-dateutil	2.8.2	2.9.0-2	✅
python-libnmap	0.7.2	0.7.3-1	✅
python	3.8.0	3.11.6-1	✅
pywerview	0.3.3	0.3.3-0kali1	✅
requests	2.27.1	2.31.0+dfsg-1	✅
rich	13.3.5	13.7.1-1	✅
sqlalchemy	1.4.50	1.4.50+ds1-1	⬇️✅
termcolor	1.1.0	2.4.0-1	✅
terminaltables	3.1.0	3.1.10-4	✅
xmltodict	0.13.0	0.13.0-1	✅

Do note that I wrote the "Version Required" as a "minimum version required" basically. Only bs4 (beautifulsoup) had a version restriction.

EDIT by @NeffIsBack:
Updated, added "⬇️" as in "this was downgraded to match kali packages.

EDIT as of 2024-04-20 @ 15:30 GMT +3
All of the dependencies listed above have been met.

EDIT by @NeffIsBack 2024-04-24:
Added msldap = "^0.5.10" to reflect the latest changes in #269

[NeffIsBack]

@Arszilla gonna update your comment from now on to reflect the latest changes here

[NeffIsBack]

@Marshall-Hallenbeck we should make sure ssh works on this branch as we had to downgrade paramiko a major version.

[Arszilla]

I've updated #211 (comment) as all the dependencies have been met. Right now, I am able to build netexec without any issues.

I will wait till all the dependencies are available in kali-rolling (as they are available in kali-dev currently). Once they are available, I'll distribute the .deb to some people to get people to test if there are any issues between kali-packaging and main branches.

[Arszilla]

I've updated #211 (comment) as all the dependencies have been met. Right now, I am able to build netexec without any issues. However, the version of dependencies listed for the built binary is based on the statements that can be found in pyproject.toml. Thus we end up with netexec requiring python3-sqlalchemy = 1.4.50, instead of >= 1.4.50 (because the version available in Debian is 1.4.50+ds1-1, which will not match 1.4.50

NetExec/pyproject.toml

Line 59 in bc50a2c

sqlalchemy = "1.4.50"

Can this be changed to be ">=1.4.50, @NeffIsBack?

EDIT

Also, please update pyproject.toml to have LF line terminators, not CRLF. Because currently, when I generate a patch based off of pyproject.toml, I get the following:

$ file pyproject.toml
pyproject.toml: ASCII text, with CRLF line terminators
$ file debian/patches/fix-sqlalchemy-version.patch
debian/patches/fix-sqlalchemy-version.patch: unified diff output, ASCII text, with CRLF, LF line terminators

[NeffIsBack]

@Arszilla updated the sqlalchemy to ^1.4.50 so we don't end up with 2.x which would break the stuff again.
I will change the CRLF to LF in #269 and when that's merged i will update the kali-packaging branch with it. This PR will pin crucial packages in the main branch to minimum the version which is available in kali.

[Marshall-Hallenbeck]

NetExec has been released on Kali!