
Add module to lookup hostname of Hyper-V host - 'hyperv-host.py' #374

Merged
merged 8 commits into from
Aug 24, 2024
53 changes: 53 additions & 0 deletions nxc/modules/hyperv-host.py
@@ -0,0 +1,53 @@
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations


class NXCModule:
name = "hyperv-host"
description = "Performs a registry query on the VM to lookup its HyperV Host"
supported_protocols = ["smb"]
opsec_safe = True
multiple_hosts = True

def __init__(self, context=None, module_options=None):
self.context = context
self.module_options = module_options


def options(self, context, module_options):
""""""


def on_admin_login(self, context, connection):
self.context = context

path = "SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters"
key = "HostName"

remote_ops = RemoteOperations(connection.conn, False)
remote_ops.enableRegistry()

Sorry, missed it in the first review, but this should be wrapped inside the try...except block as well.


This is why:
image


try:
ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
reg_handle = ans["phKey"]

ans = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, path)
key_handle = ans["phkResult"]

# Query
try:
data_type, reg_value = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, key)
self.context.log.highlight(f"{key}: {reg_value}")
except Exception:
self.context.log.fail(f"Registry key {path}\\{key} does not exist")
return

rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
except DCERPCException as e:
self.context.log.fail(f"DCERPC Error while querying or modifying registry: {e}")
except Exception as e:
self.context.log.fail(f"Error while querying or modifying registry: {e}")
finally:
remote_ops.finish()
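Review bot: The inner `except Exception` around `rrp.hBaseRegQueryValue` logs every failure as "does not exist" and then returns, so an access-denied or transport error is reported as a missing value and `rrp.hBaseRegCloseKey` is skipped on that path (only `remote_ops.finish()` in the `finally` still runs). Removing the `return` lets the close call run, and narrowing the handler to `except DCERPCException as e:` with `{e}` in the message keeps the real cause visible. Separately, `path` is an ordinary string literal containing `\M`, `\V`, `\G` and `\P`, which are invalid escape sequences and produce a SyntaxWarning on Python 3.12 and later; `path = r"SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters"` avoids that without changing the value.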