feat(smb): add generic --export flag for enumeration commands #1101

Open
H1DroZz wants to merge 3 commits into Pennyw0rth:main from H1DroZz:feature/rid-users-export

H1DroZz commented Feb 9, 2026

  • Add --export argument in proto_args.py
  • Add export logic in rid_brute() and users() in smb.py
  • Filter SidTypeUser entries and exclude machine accounts (ending with $)
  • Add E2E tests

Description

This PR implements a generic --export FILE flag for the SMB protocol, addressing the feedback from #1101 where a command-specific --rid-users-export argument was rejected in favor of a more extensible approach.

The --export flag can be combined with any supported enumeration command to write results to a file, without adding new --x-export arguments for each command.

Currently supported commands:

  • --rid-brute --export exports SidTypeUser entries (machine accounts excluded, sorted alphabetically)
  • --users --export exports enumerated domain users

Deprecation:

  • --users-export is now deprecated in favor of --users --export for consistency
  • Backward compatibility is maintained: --users-export still works but displays a deprecation warning

This PR was created with the assistance of Claude Code (claude-sonnet-4-6). The AI assisted with code implementation, reviewing existing patterns in the codebase, and structuring the changes. All code was tested, reviewed and validated manually.

Type of change

  • New feature (non-breaking change which adds functionality)
  • Deprecation of feature or functionality

Setup guide for the review

Python: 3.10+
OS: Linux
Target: Windows Domain Controller

Testing the new option:

# Export users from RID bruteforce
nxc smb <target> -u <user> -p <password> --rid-brute --export /tmp/users.txt

# Export users from SAMR enumeration
nxc smb <target> -u <user> -p <password> --users --export /tmp/users.txt

# Anonymous enumeration (if allowed)
nxc smb <target> -u '' -p '' --rid-brute --export /tmp/users.txt

# Verify output
cat /tmp/users.txt

Expected output:

SMB    10.x.x.x  445  DC01  [*] Windows Server 2019 ...
SMB    10.x.x.x  445  DC01  [+] DOMAIN\user:password
SMB    10.x.x.x  445  DC01  498: DOMAIN\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB    10.x.x.x  445  DC01  500: DOMAIN\Administrator (SidTypeUser)
...
SMB    10.x.x.x  445  DC01  [+] Exported 15 users to /tmp/users.txt

File content (only SidTypeUser, sorted):

Administrator
Guest
john.doe
jane.smith
krbtgt
...

Screenshots (if appropriate):

Users

nxc smb 10.129.234.63 -u 'ibryant' -p 'Ph4nt0m@5t4rt!' --users --export users.txt
SMB         10.129.234.63   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.63   445    DC               [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
SMB         10.129.234.63   445    DC               -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.129.234.63   445    DC               Administrator                 2025-08-14 13:32:09 0       Built-in account for administering the computer/domain
SMB         10.129.234.63   445    DC               Guest                         2024-07-04 14:35:21 0       Built-in account for guest access to the computer/domain
SMB         10.129.234.63   445    DC               krbtgt                        2024-07-04 13:15:32 0       Key Distribution Center Service Account
SMB         10.129.234.63   445    DC               svc_sspr                      2024-07-04 13:25:04 0
SMB         10.129.234.63   445    DC               rnichols                      2024-07-04 13:29:01 0
SMB         10.129.234.63   445    DC               pharrison                     2024-07-04 13:29:01 0
SMB         10.129.234.63   445    DC               wsilva                        2024-07-04 13:29:01 0
SMB         10.129.234.63   445    DC               elynch                        2024-07-04 13:29:01 0
SMB         10.129.234.63   445    DC               nhamilton                     2024-07-04 13:29:01 0
SMB         10.129.234.63   445    DC               lstanley                      2024-07-04 13:29:02 0
SMB         10.129.234.63   445    DC               bbarnes                       2024-07-04 13:29:02 0
SMB         10.129.234.63   445    DC               cjones                        2024-07-04 13:29:02 0
SMB         10.129.234.63   445    DC               agarcia                       2024-07-04 13:29:02 0
SMB         10.129.234.63   445    DC               ppayne                        2024-07-04 13:29:02 0
SMB         10.129.234.63   445    DC               ibryant                       2024-07-06 18:15:21 0
SMB         10.129.234.63   445    DC               ssteward                      2024-07-04 13:29:02 0
SMB         10.129.234.63   445    DC               wstewart                      2024-07-04 13:29:02 0
SMB         10.129.234.63   445    DC               vhoward                       2024-07-04 13:29:02 0
SMB         10.129.234.63   445    DC               crose                         2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               twright                       2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               fhanson                       2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               cferguson                     2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               alucas                        2024-07-06 10:44:53 0
SMB         10.129.234.63   445    DC               ebryant                       2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               vlynch                        2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               ghall                         2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               ssimpson                      2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               ccooper                       2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               vcunningham                   2024-07-04 13:29:03 0
SMB         10.129.234.63   445    DC               [*] Enumerated 29 local users: PHANTOM
SMB         10.129.234.63   445    DC               [*] Writing 29 local users to users.txt

Rid-Brute

nxc smb 10.129.234.63 -u 'Guest' -p '' --rid-brute --export rid_users.txt
SMB         10.129.234.63   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.63   445    DC               [+] phantom.vl\Guest:
SMB         10.129.234.63   445    DC               498: PHANTOM\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.234.63   445    DC               500: PHANTOM\Administrator (SidTypeUser)
SMB         10.129.234.63   445    DC               501: PHANTOM\Guest (SidTypeUser)
SMB         10.129.234.63   445    DC               502: PHANTOM\krbtgt (SidTypeUser)
SMB         10.129.234.63   445    DC               512: PHANTOM\Domain Admins (SidTypeGroup)
SMB         10.129.234.63   445    DC               513: PHANTOM\Domain Users (SidTypeGroup)
SMB         10.129.234.63   445    DC               514: PHANTOM\Domain Guests (SidTypeGroup)
SMB         10.129.234.63   445    DC               515: PHANTOM\Domain Computers (SidTypeGroup)
SMB         10.129.234.63   445    DC               516: PHANTOM\Domain Controllers (SidTypeGroup)
SMB         10.129.234.63   445    DC               517: PHANTOM\Cert Publishers (SidTypeAlias)
SMB         10.129.234.63   445    DC               518: PHANTOM\Schema Admins (SidTypeGroup)
SMB         10.129.234.63   445    DC               519: PHANTOM\Enterprise Admins (SidTypeGroup)
SMB         10.129.234.63   445    DC               520: PHANTOM\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.234.63   445    DC               521: PHANTOM\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.234.63   445    DC               522: PHANTOM\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.234.63   445    DC               525: PHANTOM\Protected Users (SidTypeGroup)
SMB         10.129.234.63   445    DC               526: PHANTOM\Key Admins (SidTypeGroup)
SMB         10.129.234.63   445    DC               527: PHANTOM\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.234.63   445    DC               553: PHANTOM\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.234.63   445    DC               571: PHANTOM\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.234.63   445    DC               572: PHANTOM\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.234.63   445    DC               1000: PHANTOM\DC$ (SidTypeUser)
SMB         10.129.234.63   445    DC               1101: PHANTOM\DnsAdmins (SidTypeAlias)
SMB         10.129.234.63   445    DC               1102: PHANTOM\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.234.63   445    DC               1103: PHANTOM\svc_sspr (SidTypeUser)
SMB         10.129.234.63   445    DC               1104: PHANTOM\TechSupports (SidTypeGroup)
SMB         10.129.234.63   445    DC               1105: PHANTOM\Server Admins (SidTypeGroup)
SMB         10.129.234.63   445    DC               1106: PHANTOM\ICT Security (SidTypeGroup)
SMB         10.129.234.63   445    DC               1107: PHANTOM\DevOps (SidTypeGroup)
SMB         10.129.234.63   445    DC               1108: PHANTOM\Accountants (SidTypeGroup)
SMB         10.129.234.63   445    DC               1109: PHANTOM\FinManagers (SidTypeGroup)
SMB         10.129.234.63   445    DC               1110: PHANTOM\EmployeeRelations (SidTypeGroup)
SMB         10.129.234.63   445    DC               1111: PHANTOM\HRManagers (SidTypeGroup)
SMB         10.129.234.63   445    DC               1112: PHANTOM\rnichols (SidTypeUser)
SMB         10.129.234.63   445    DC               1113: PHANTOM\pharrison (SidTypeUser)
SMB         10.129.234.63   445    DC               1114: PHANTOM\wsilva (SidTypeUser)
SMB         10.129.234.63   445    DC               1115: PHANTOM\elynch (SidTypeUser)
SMB         10.129.234.63   445    DC               1116: PHANTOM\nhamilton (SidTypeUser)
SMB         10.129.234.63   445    DC               1117: PHANTOM\lstanley (SidTypeUser)
SMB         10.129.234.63   445    DC               1118: PHANTOM\bbarnes (SidTypeUser)
SMB         10.129.234.63   445    DC               1119: PHANTOM\cjones (SidTypeUser)
SMB         10.129.234.63   445    DC               1120: PHANTOM\agarcia (SidTypeUser)
SMB         10.129.234.63   445    DC               1121: PHANTOM\ppayne (SidTypeUser)
SMB         10.129.234.63   445    DC               1122: PHANTOM\ibryant (SidTypeUser)
SMB         10.129.234.63   445    DC               1123: PHANTOM\ssteward (SidTypeUser)
SMB         10.129.234.63   445    DC               1124: PHANTOM\wstewart (SidTypeUser)
SMB         10.129.234.63   445    DC               1125: PHANTOM\vhoward (SidTypeUser)
SMB         10.129.234.63   445    DC               1126: PHANTOM\crose (SidTypeUser)
SMB         10.129.234.63   445    DC               1127: PHANTOM\twright (SidTypeUser)
SMB         10.129.234.63   445    DC               1128: PHANTOM\fhanson (SidTypeUser)
SMB         10.129.234.63   445    DC               1129: PHANTOM\cferguson (SidTypeUser)
SMB         10.129.234.63   445    DC               1130: PHANTOM\alucas (SidTypeUser)
SMB         10.129.234.63   445    DC               1131: PHANTOM\ebryant (SidTypeUser)
SMB         10.129.234.63   445    DC               1132: PHANTOM\vlynch (SidTypeUser)
SMB         10.129.234.63   445    DC               1133: PHANTOM\ghall (SidTypeUser)
SMB         10.129.234.63   445    DC               1134: PHANTOM\ssimpson (SidTypeUser)
SMB         10.129.234.63   445    DC               1135: PHANTOM\ccooper (SidTypeUser)
SMB         10.129.234.63   445    DC               1136: PHANTOM\vcunningham (SidTypeUser)
SMB         10.129.234.63   445    DC               1137: PHANTOM\SSPR Service (SidTypeGroup)
SMB         10.129.234.63   445    DC               [+] Exported 29 users to rid_users.txt

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
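
The filter described in this PR (keep SidTypeUser entries, drop machine accounts ending in `$`, sort), as an added example that is not code from this PR or from NetExec. It is applied to lines copied from the output above and cross-checked against the `--users` table; the function names, the regex and the case-insensitive ordering are assumptions.

```python
import re

# Entry part of a --rid-brute line: "<rid>: <DOMAIN>\<name> (<SidType...>)"
RID_ENTRY = re.compile(r"(\d+): ([^\\\s]+)\\(.+) \((SidType\w+)\)\s*$")

def users_from_rid_brute(lines):
    """Names of SidTypeUser entries, machine accounts (trailing '$') excluded."""
    names = set()
    for line in lines:
        m = RID_ENTRY.search(line)
        if m is None:
            continue  # banner, auth and status lines carry no RID entry
        _rid, _domain, name, sid_type = m.groups()
        if sid_type == "SidTypeUser" and not name.endswith("$"):
            names.add(name)
    # Case-insensitive ordering is an assumption; the PR only says "sorted alphabetically".
    return sorted(names, key=str.casefold)

def users_from_samr(lines):
    """Usernames from the --users table: fifth field of rows after the header."""
    names, in_table = set(), False
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        if fields[4] == "-Username-":
            in_table = True          # header row opens the table
        elif fields[4].startswith("["):
            in_table = False         # "[*] Enumerated ..." closes it
        elif in_table:
            names.add(fields[4])
    return sorted(names, key=str.casefold)

# Lines copied from the two runs shown in the PR description, shortened.
RID_SAMPLE = r"""
SMB  10.129.234.63  445  DC  [+] phantom.vl\Guest:
SMB  10.129.234.63  445  DC  498: PHANTOM\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.129.234.63  445  DC  500: PHANTOM\Administrator (SidTypeUser)
SMB  10.129.234.63  445  DC  1000: PHANTOM\DC$ (SidTypeUser)
SMB  10.129.234.63  445  DC  1103: PHANTOM\svc_sspr (SidTypeUser)
SMB  10.129.234.63  445  DC  1137: PHANTOM\SSPR Service (SidTypeGroup)
""".splitlines()

USERS_SAMPLE = """
SMB  10.129.234.63  445  DC  -Username-  -Last PW Set-  -BadPW- -Description-
SMB  10.129.234.63  445  DC  Administrator  2025-08-14 13:32:09 0  Built-in account for administering the computer/domain
SMB  10.129.234.63  445  DC  svc_sspr  2024-07-04 13:25:04 0
SMB  10.129.234.63  445  DC  [*] Enumerated 29 local users: PHANTOM
""".splitlines()
```

Both functions return the same list for these samples, which matches the two full runs above each reporting 29 users once `DC$` is excluded.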

- Add --rid-users-export argument in proto_args.py
- Implement rid_users_export() method in smb.py
- Filter and export only SidTypeUser entries
- Add E2E test

NeffIsBack (Member) commented

Hi and thanks for the PR.

I don't think we should add even more --...export args, specifically naming the --users-export arg was probably already going in the wrong direction. In contrast, we should just implement an --export flag that just takes the output of the previously run commands (that are supported) and dumps it to a file. What that should look like in detail remains to be figured out, maybe a decorator or something similar.

NeffIsBack (Member) commented

@H1DroZz do you have the time to implement that change?

Add --export FILE argument to SMB protocol that works alongside
--rid-brute and --users, replacing the need for command-specific
export flags. Filters SidTypeUser entries (excluding machine accounts)
when exporting from --rid-brute.

H1DroZz (Author) commented Mar 17, 2026

> @H1DroZz do you have the time to implement that change?

Hello, it's done.

Following your feedback, I replaced --rid-users-export with a generic --export flag that works alongside both --rid-brute and --users.

While implementing this, I noticed --users-export follows the same pattern you pointed out. Would you like me to deprecate it in favor of --export as well, or would you prefer to keep it for backward compatibility?

Have a nice day

H1DroZz changed the title from "feat(smb): add --rid-users-export option to export RID enumerated users" to "feat(smb): add generic --export flag for enumeration commands" on Mar 17, 2026

NeffIsBack (Member) commented

> While implementing this, I noticed --users-export follows the same pattern you pointed out. Would you like me to deprecate it in favor of --export as well, or would you prefer to keep it for backward compatibility?
>
> Have a nice day

Yes please, we should deprecate the --users-export afterwards.

Thanks, you too :)

H1DroZz (Author) commented Mar 19, 2026

Hello @NeffIsBack I've implemented the deprecation of --users-export as requested. The flag still works for backward compatibility but now displays a deprecation warning directing users to --users --export.

Let me know if this approach looks good to you or if you'd like any adjustments!

Have a nice day
