From 96560e701d549d18acc032403a1df65a476f5e53 Mon Sep 17 00:00:00 2001 From: mkultraWasHere Date: Tue, 14 Jul 2026 21:31:58 -0400 Subject: [PATCH 1/2] fix(network-ops): remove target_ip from atexec/dcomexec, enable MD4 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove target_ip parameter from impacket_atexec and impacket_dcomexec — installed impacket 0.13.x doesn't support -target-ip for these scripts, causing unrecognized argument errors. Use the IP directly as target instead. - Enable OpenSSL legacy provider in install script for MD4 support — fixes "unsupported hash type MD4" errors in rbcd, dacledit, owneredit and any NTLM password auth path. - Bump to 2.1.4. Co-Authored-By: Claude Opus 4.6 (1M context) --- capabilities/network-ops/capability.yaml | 2 +- .../scripts/install_coercion_tools.sh | 27 +++++++++++++++++++ capabilities/network-ops/tools/impacket.py | 16 +++++------ 3 files changed, 34 insertions(+), 11 deletions(-) diff --git a/capabilities/network-ops/capability.yaml b/capabilities/network-ops/capability.yaml index 1d51cfd..c836468 100644 --- a/capabilities/network-ops/capability.yaml +++ b/capabilities/network-ops/capability.yaml @@ -1,6 +1,6 @@ schema: 1 name: network-ops -version: "2.1.3" +version: "2.1.4" description: > Network operations and Active Directory exploitation. Multi-agent pipeline for autonomous red teaming with Nmap scanning, Netexec diff --git a/capabilities/network-ops/scripts/install_coercion_tools.sh b/capabilities/network-ops/scripts/install_coercion_tools.sh index 5e65ab0..850ba53 100755 --- a/capabilities/network-ops/scripts/install_coercion_tools.sh +++ b/capabilities/network-ops/scripts/install_coercion_tools.sh @@ -14,6 +14,33 @@ else echo "[*] impacket already importable, skipping" fi +# -- OpenSSL legacy provider (MD4 for NTLM) --------------------------------- +# Modern OpenSSL disables MD4, breaking impacket tools that compute NTLM hashes +# (rbcd, dacledit, owneredit, and any NTLM password auth path). +# Enable the legacy provider if the config exists and isn't already patched. +OPENSSL_CONF="$(openssl version -d 2>/dev/null | sed 's/.*"\(.*\)"/\1/')/openssl.cnf" +if [ -f "$OPENSSL_CONF" ] && ! grep -q "^\[legacy_sect\]" "$OPENSSL_CONF" 2>/dev/null; then + echo "[+] Enabling OpenSSL legacy provider for MD4 support" + cat >> "$OPENSSL_CONF" <<'LEGACY' + +# Enable legacy provider for MD4 (required by impacket NTLM) +[provider_sect] +default = default_sect +legacy = legacy_sect + +[default_sect] +activate = 1 + +[legacy_sect] +activate = 1 +LEGACY + echo "[*] OpenSSL legacy provider enabled" +elif [ -f "$OPENSSL_CONF" ]; then + echo "[*] OpenSSL legacy provider already configured, skipping" +else + echo "[!] OpenSSL config not found at $OPENSSL_CONF, skipping MD4 fix" +fi + # -- Coercion scripts ------------------------------------------------------- REPOS=( "https://github.com/topotam/PetitPotam /opt/PetitPotam" diff --git a/capabilities/network-ops/tools/impacket.py b/capabilities/network-ops/tools/impacket.py index 8bbee03..2709e71 100644 --- a/capabilities/network-ops/tools/impacket.py +++ b/capabilities/network-ops/tools/impacket.py @@ -4018,7 +4018,6 @@ async def impacket_atexec( kerberos: bool = False, aes_key: str | None = None, dc_ip: str | None = None, - target_ip: str | None = None, session_id: int | None = None, codec: str | None = None, timeout: int | None = None, @@ -4066,11 +4065,11 @@ async def impacket_atexec( connection: -dc-ip ip address IP Address of the domain controller. - -target-ip ip address IP Address of the target machine. Args: - target: Target hostname or IP address (required). + target: Target hostname or IP address (required). Use the IP + directly if DNS resolution is unavailable. command: Command to execute on the remote host (required). domain: Domain name. username: Username for authentication. @@ -4079,7 +4078,6 @@ async def impacket_atexec( kerberos: Use Kerberos authentication. aes_key: AES key for Kerberos authentication. dc_ip: Domain controller IP address override. - target_ip: Target machine IP address override. session_id: Existing logon session ID to use (no output mode). codec: Output encoding codec. timeout: Command timeout in seconds. @@ -4102,7 +4100,7 @@ async def impacket_atexec( hashes=hashes, kerberos=kerberos, aes_key=aes_key, password=password ) ) - args.extend(self._build_connection_flags(dc_ip=dc_ip, target_ip=target_ip)) + args.extend(self._build_connection_flags(dc_ip=dc_ip)) return await execute( self._build_script_command("atexec.py", args), @@ -4124,7 +4122,6 @@ async def impacket_dcomexec( kerberos: bool = False, aes_key: str | None = None, dc_ip: str | None = None, - target_ip: str | None = None, share: str | None = None, dcom_object: str | None = None, shell_type: str | None = None, @@ -4190,11 +4187,11 @@ async def impacket_dcomexec( connection: -dc-ip ip address IP Address of the domain controller. - -target-ip ip address IP Address of the target machine. Args: - target: Target hostname or IP address (required). + target: Target hostname or IP address (required). Use the IP + directly if DNS resolution is unavailable. command: Command to execute. If empty, returns shell banner. domain: Domain name. username: Username for authentication. @@ -4203,7 +4200,6 @@ async def impacket_dcomexec( kerberos: Use Kerberos authentication. aes_key: AES key for Kerberos authentication. dc_ip: Domain controller IP address override. - target_ip: Target machine IP address override. share: Share where output is grabbed from (default ADMIN$). dcom_object: DCOM object — 'MMC20', 'ShellWindows', or 'ShellBrowserWindow'. shell_type: Command processor — 'cmd' or 'powershell'. @@ -4237,7 +4233,7 @@ async def impacket_dcomexec( hashes=hashes, kerberos=kerberos, aes_key=aes_key, password=password ) ) - args.extend(self._build_connection_flags(dc_ip=dc_ip, target_ip=target_ip)) + args.extend(self._build_connection_flags(dc_ip=dc_ip)) # If no command given, send exit to prevent interactive shell hang effective_input = input if command else (input or "exit\n") From dc3707624e57d89b5c028351cb5a0597d028a777 Mon Sep 17 00:00:00 2001 From: mkultraWasHere Date: Tue, 14 Jul 2026 21:42:17 -0400 Subject: [PATCH 2/2] fix(network-ops): remove target_ip from atexec/dcomexec, drop OpenSSL hack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove target_ip from impacket_atexec and impacket_dcomexec — impacket 0.13.x doesn't support -target-ip for these two scripts (wmiexec, psexec, smbexec do support it). - Remove OpenSSL legacy provider hack from install script — impacket uses pycryptodomex for MD4, not OpenSSL. The MD4 errors are caused by the same Python version mismatch (pycryptodomex installed for 3.13, runtime is 3.12), which PR #93's auto-install fix addresses. - Bump to 2.1.4. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../scripts/install_coercion_tools.sh | 27 ------------------- 1 file changed, 27 deletions(-) diff --git a/capabilities/network-ops/scripts/install_coercion_tools.sh b/capabilities/network-ops/scripts/install_coercion_tools.sh index 850ba53..5e65ab0 100755 --- a/capabilities/network-ops/scripts/install_coercion_tools.sh +++ b/capabilities/network-ops/scripts/install_coercion_tools.sh @@ -14,33 +14,6 @@ else echo "[*] impacket already importable, skipping" fi -# -- OpenSSL legacy provider (MD4 for NTLM) --------------------------------- -# Modern OpenSSL disables MD4, breaking impacket tools that compute NTLM hashes -# (rbcd, dacledit, owneredit, and any NTLM password auth path). -# Enable the legacy provider if the config exists and isn't already patched. -OPENSSL_CONF="$(openssl version -d 2>/dev/null | sed 's/.*"\(.*\)"/\1/')/openssl.cnf" -if [ -f "$OPENSSL_CONF" ] && ! grep -q "^\[legacy_sect\]" "$OPENSSL_CONF" 2>/dev/null; then - echo "[+] Enabling OpenSSL legacy provider for MD4 support" - cat >> "$OPENSSL_CONF" <<'LEGACY' - -# Enable legacy provider for MD4 (required by impacket NTLM) -[provider_sect] -default = default_sect -legacy = legacy_sect - -[default_sect] -activate = 1 - -[legacy_sect] -activate = 1 -LEGACY - echo "[*] OpenSSL legacy provider enabled" -elif [ -f "$OPENSSL_CONF" ]; then - echo "[*] OpenSSL legacy provider already configured, skipping" -else - echo "[!] OpenSSL config not found at $OPENSSL_CONF, skipping MD4 fix" -fi - # -- Coercion scripts ------------------------------------------------------- REPOS=( "https://github.com/topotam/PetitPotam /opt/PetitPotam"