From 68abd128e6f2cd239a50578391d18f6c65bdfcb0 Mon Sep 17 00:00:00 2001
From: TristanInSec
Date: Sat, 16 May 2026 16:17:22 -0400
Subject: [PATCH 1/3] Sanitize NTLM hostname to prevent path traversal and DoS

Strip non-alphanumeric characters (except hyphens and dots) from server-provided NTLM hostname before use in file paths or content.

Prevents:
- Path traversal via ../ in hostname (file creation outside ~/.nxc/logs/)
- DoS via null byte (ValueError crash in open())
- DoS via { characters (KeyError crash in str.format())
- Newline injection in --generate-hosts-file output
- Affects: SMB, RDP, VNC, WinRM, MSSQL credential dump and screenshot paths
---
 nxc/connection.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nxc/connection.py b/nxc/connection.py
index f20d05ddaa..b4926a0472 100755
--- a/nxc/connection.py
+++ b/nxc/connection.py
@@ -1,5 +1,6 @@
 from datetime import datetime
 import os
+import re
 import random
 import sys
 import contextlib
@@ -245,6 +246,7 @@ def proto_flow(self):
 else:
 self.logger.debug("Created connection object")
 self.enum_host_info()
+ self.hostname = re.sub(r'[^\w\-.]', '_', self.hostname)

 # Construct the output file template using os.path.join for OS compatibility
 base_log_dir = os.path.join(NXC_PATH, "logs")

From 9c293a8eb9c70af105b4f1f280b264419e86827c Mon Sep 17 00:00:00 2001
From: TristanInSec
Date: Mon, 18 May 2026 14:42:53 -0400
Subject: [PATCH 2/3] Warn when NTLM hostname is sanitized

Log a warning showing the original and sanitized hostname so users are alerted to potential non-compliant implementations or rogue servers.
---
 nxc/connection.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/nxc/connection.py b/nxc/connection.py
index b4926a0472..17ff3cfc87 100755
--- a/nxc/connection.py
+++ b/nxc/connection.py
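Review bot: A hostname consisting only of dots, such as `..` or `.`, passes the added `re.sub` unchanged because `.` is in the allowed set, so if `self.hostname` is ever used as a whole path component the traversal this commit targets is still reachable. How the hostname is joined into the log path is not visible in this hunk, so I cannot confirm it is exploitable here, but the guard is cheap: after the substitution add `if self.hostname and not self.hostname.strip("."): self.hostname = "_"`, which leaves the empty-string case as it was. The rest of `proto_flow` lies outside the hunk, so I have not checked whether a protocol class reassigns `self.hostname` after this point and bypasses the sanitization.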
@@ -246,7 +246,10 @@ def proto_flow(self):
 else:
 self.logger.debug("Created connection object")
 self.enum_host_info()
- self.hostname = re.sub(r'[^\w\-.]', '_', self.hostname)
+ sanitized = re.sub(r'[^\w\-.]', '_', self.hostname)
+ if sanitized != self.hostname:
+ self.logger.warning(f"Hostname contains invalid characters (received: {self.hostname!r}), sanitized to: {sanitized!r}")
+ self.hostname = sanitized

 # Construct the output file template using os.path.join for OS compatibility
 base_log_dir = os.path.join(NXC_PATH, "logs")

From ccf36b492e7253d4a3ecc9c9edce3b9586a0f0ff Mon Sep 17 00:00:00 2001
From: TristanInSec
Date: Sat, 23 May 2026 15:52:44 -0400
Subject: [PATCH 3/3] Use display() for sanitization notice so it shows at default verbosity

---
 nxc/connection.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nxc/connection.py b/nxc/connection.py
index 17ff3cfc87..76a1392ee4 100755
--- a/nxc/connection.py
+++ b/nxc/connection.py
@@ -248,7 +248,7 @@ def proto_flow(self):
 self.enum_host_info()
 sanitized = re.sub(r'[^\w\-.]', '_', self.hostname)
 if sanitized != self.hostname:
- self.logger.warning(f"Hostname contains invalid characters (received: {self.hostname!r}), sanitized to: {sanitized!r}")
+ self.logger.display(f"Hostname contains invalid characters (received: {self.hostname!r}), sanitized to: {sanitized!r}")
 self.hostname = sanitized

 # Construct the output file template using os.path.join for OS compatibility
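Review bot: The sanitized name is still unbounded in length on the `sanitized = re.sub(...)` line, so a server that pads the NTLM target-info hostname with thousands of permitted characters turns the later `open()` on the log path into an `OSError` (ENAMETOOLONG) — the same class of crash this series fixes for null bytes and braces. A cap at the DNS maximum, `sanitized = re.sub(r'[^\w\-.]', '_', self.hostname)[:253]`, bounds it without touching any legitimate NetBIOS or DNS name; since `\w` is Unicode-aware the cap is in characters rather than bytes, and the other components of the log filename are outside this hunk, so a tighter limit may be warranted. Truncating before the `if sanitized != self.hostname` comparison also makes the notice fire for an over-long name.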
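Review bot: The `!r` in the new `self.logger.display(...)` call is doing security work — it is what keeps a newline or ANSI escape in the raw server-supplied name from reaching the console verbatim — but nothing in the hunk says so, and a later cleanup could drop it as noise. A comment on the line above, `# !r: the raw name is attacker-controlled; repr() escapes newlines and terminal control sequences`, would pin the intent. Separately, the regex on the `sanitized = re.sub(...)` context line is the only single-quoted literal in view while the surrounding lines use double quotes; hoisting it to a module-level `HOSTNAME_UNSAFE_CHARS = re.compile(r"[^\w\-.]")` with a one-line comment noting that it protects both file paths and `str.format` templates would document the rule in one place. The enclosing `proto_flow` starts before and ends after this hunk.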