feat(smbtakeover): add smbtakeover.py module

[sttlr]

Description

Added smbtakeover.py module to unbind/rebind SMB port 445/tcp. Useful when conducting NTLM relay attacks.

Usually Windows hosts already use port 445/tcp for SMB. And to conduct an NTLM relay attack you'd need port 445 to be available to bind to it. There are ways to do it via loading a driver, loading a module into LSASS, rebooting the target machine - which are all bad for OPSEC.

This module solves this problem in an OPSEC safe way.

Original research - https://specterops.io/blog/2024/08/01/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover/
Original code - https://github.com/zyn3rgy/smbtakeover

Used Gemini Pro to generate the NXCModule class. Validated after it.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)
• This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)

Setup guide for the review

NOTE: User running the module has to have Administrator level access on the machine (to start/stop the services).
NOTE: WMI ports need to be accessible (check firewall).

I used Kaiju chain from Vulnlab to validate the module.

Screenshots (if appropriate):

Unbinding and then rebinding works ok.

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (poetry: poetry run ruff check ., use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
• I have performed a self-review of my own code (not an AI review)
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Thanks for the PR.

This code looks much better than #1152, but there are still a few things to do.

[sttlr]

Now

[azoxlpf]

Please drop the dynamic mangled-name hasattr check: initialize self.__dcom = None before the try and gate on if self.__dcom and self.__context_protocol != "wmi". Same behavior, easier to maintain.

[azoxlpf]

Consider a dict mapping name -> WMI class name plus table = mapping.get(name) instead of chained if/elif, less redundant and simpler to maintain if you add more entries later

[azoxlpf]

The final success message is shown even when a WMI step failed, which can incorrectly suggest that port 445 has been properly released or restored. The success message should only be displayed if the entire sequence completes successfully