Merge pull request #533 from Pennyw0rth/pfx

add certificate authentication aka pass-the-cert

.github/workflows/test.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   build:
     name: Test for Py${{ matrix.python-version }}
-    if: github.event.review.state == 'APPROVED'
+    if: github.event.review.state == 'APPROVED' || github.event_name == 'workflow_dispatch'
     runs-on: ${{ matrix.os }}
     strategy:
       max-parallel: 5
@@ -19,7 +19,7 @@ jobs:
       - uses: actions/checkout@v4
       - name: Install poetry
         run: |
-          pipx install poetry
+          pipx install poetry==1.8.4
       - name: NetExec set up python ${{ matrix.python-version }} on ${{ matrix.os }}
         uses: actions/setup-python@v5
         with:

nxc/cli.py

@@ -98,6 +98,13 @@ def gen_cli_args():
     kerberos_group.add_argument("--use-kcache", action="store_true", help="Use Kerberos authentication from ccache file (KRB5CCNAME)")
     kerberos_group.add_argument("--aesKey", metavar="AESKEY", nargs="+", help="AES key to use for Kerberos Authentication (128 or 256 bits)")
     kerberos_group.add_argument("--kdcHost", metavar="KDCHOST", help="FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter")
+
+    certificate_group = std_parser.add_argument_group("Certificate", "Options for certificate authentication")
+    certificate_group.add_argument("--pfx-cert", metavar="PFXCERT", help="Use certificate authentication from pfx file .pfx")
+    certificate_group.add_argument("--pfx-base64", metavar="PFXB64", help="Use certificate authentication from pfx file encoded in base64")
+    certificate_group.add_argument("--pfx-pass", metavar="PFXPASS", help="Password of the pfx certificate")
+    certificate_group.add_argument("--cert-pem", metavar="CERTPEM", help="Use certificate authentication from PEM file")
+    certificate_group.add_argument("--key-pem", metavar="KEYPEM", help="Private key for the PEM format")
 
     server_group = std_parser.add_argument_group("Servers", "Options for nxc servers")
     server_group.add_argument("--server", choices={"http", "https"}, default="https", help="use the selected server")

nxc/connection.py

@@ -1,4 +1,7 @@
 import random
+import sys
+import contextlib
+
 from os.path import isfile
 from threading import BoundedSemaphore
 from functools import wraps
@@ -13,10 +16,9 @@
 from nxc.logger import nxc_logger, NXCAdapter
 from nxc.context import Context
 from nxc.protocols.ldap.laps import laps_search
+from nxc.helpers.pfx import pfx_auth
 
 from impacket.dcerpc.v5 import transport
-import sys
-import contextlib
 
 sem = BoundedSemaphore(1)
 global_failed_logins = 0
@@ -548,6 +550,14 @@ def login(self):
                 self.logger.info("Successfully authenticated using Kerberos cache")
                 return True
 
+        if self.args.pfx_cert or self.args.pfx_base64 or self.args.cert_pem:
+            self.logger.debug("Trying to authenticate using Certificate pfx")
+            if not self.args.username:
+                self.logger.fail("You must specify a username when using certificate authentication")
+                return False
+            with sem:
+                return pfx_auth(self)
+
         if hasattr(self.args, "laps") and self.args.laps:
             self.logger.debug("Trying to authenticate using LAPS")
             username[0], secret[0], domain[0] = laps_search(self, username, secret, cred_type, domain, self.dns_server)