def __fetchList(self, rpctransport):
dce = rpctransport.get_dce_rpc()
entries = []
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
try:
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']
print('Found domain(s):')
for domain in domains:
print(" . %s" % domain['Name'])
logging.info("Looking up users in domain %s" % domains[0]['Name'])
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )
resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
domainHandle = resp['DomainHandle']
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
except DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
print("Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] ))
info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])
entries.append(entry)
samr.hSamrCloseHandle(dce, r['UserHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except ListUsersException as e:
logging.critical("Error listing users: %s" % e)
dce.disconnect()
return entries
def __fetchList(self, rpctransport):
dce = rpctransport.get_dce_rpc()
entries = []
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
try:
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']
print 'Found domain(s):'
for domain in domains:
print " . %s" % domain['Name']
print "Looking up users in domain %s" % domains[0]['Name']
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )
resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
domainHandle = resp['DomainHandle']
done = False
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
except Exception, e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
r = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, user['RelativeId'])
print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] )
info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])
entries.append(entry)
samr.hSamrCloseHandle(dce, r['UserHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except ListUsersException, e:
print "Error listing users: %s" % e
def __fetchList(self, rpctransport):
dce = rpctransport.get_dce_rpc()
entries = []
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
try:
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']
print 'Found domain(s):'
for domain in domains:
print " . %s" % domain['Name']
print "Looking up users in domain %s" % domains[0]['Name']
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )
resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
domainHandle = resp['DomainHandle']
done = False
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
except Exception, e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
r = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, user['RelativeId'])
print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] )
info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])
entries.append(entry)
samr.hSamrCloseHandle(dce, r['UserHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except ListUsersException, e:
print "Error listing users: %s" % e
def getDomainMachines(self):
if self.__kdcHost is not None:
domainController = self.__kdcHost
elif self.__domain is not '':
domainController = self.__domain
else:
raise Exception('A domain is needed!')
logging.info('Getting machine\'s list from %s' % domainController)
rpctransport = transport.SMBTransport(domainController, 445, r'\samr', self.__username, self.__password,
self.__domain, self.__lmhash, self.__nthash, self.__aesKey,
doKerberos=self.__doKerberos, kdcHost = self.__kdcHost)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
try:
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']
logging.info("Looking up users in domain %s" % domains[0]['Name'])
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )
resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
domainHandle = resp['DomainHandle']
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, samr.USER_WORKSTATION_TRUST_ACCOUNT,
enumerationContext=enumerationContext)
except DCERPCException, e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
self.__machinesList.append(user['Name'][:-1])
logging.debug('Machine name - rid: %s - %d'% (user['Name'], user['RelativeId']))
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except Exception as e:
raise e
dce.disconnect()
def getDomainMachines(self):
if self.__kdcHost is not None:
domainController = self.__kdcHost
elif self.__domain is not '':
domainController = self.__domain
else:
raise Exception('A domain is needed!')
logging.info('Getting machine\'s list from %s' % domainController)
rpctransport = transport.SMBTransport(domainController, 445, r'\samr', self.__username, self.__password,
self.__domain, self.__lmhash, self.__nthash, self.__aesKey,
doKerberos=self.__doKerberos, kdcHost = self.__kdcHost)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
try:
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']
logging.info("Looking up users in domain %s" % domains[0]['Name'])
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )
resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
domainHandle = resp['DomainHandle']
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, samr.USER_WORKSTATION_TRUST_ACCOUNT,
enumerationContext=enumerationContext)
except DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
self.__machinesList.append(user['Name'][:-1])
logging.debug('Machine name - rid: %s - %d'% (user['Name'], user['RelativeId']))
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except Exception as e:
raise e
dce.disconnect()
def list_users(self, remote_name, remote_host):
"""
List users
:param remote_name: (string) remote name to use in rpc connection string
:param remote_host: (string) remote host to connect to
:return: (list) List of users found, each item contains (userName, RelativeId, UserAllInfo)
"""
# Create an DCE/RPC session
rpc_transport = self.__set_rpc_connection(remote_name, remote_host)
dce = self.__dce_connect(rpc_transport)
entries = []
try:
# Obtain domain handle
domain_handle = self.__obtain_domain_handle(dce)
status = STATUS_MORE_ENTRIES
enumeration_context = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(
dce,
domain_handle,
enumerationContext=enumeration_context)
except DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise ListUsersException(e)
for user in resp['Buffer']['Buffer']:
# Get user information for each user
r = samr.hSamrOpenUser(dce, domain_handle,
samr.MAXIMUM_ALLOWED,
user['RelativeId'])
info = samr.hSamrQueryInformationUser2(
dce, r['UserHandle'],
samr.USER_INFORMATION_CLASS.UserAllInformation)
entry = (user['Name'], user['RelativeId'],
info['Buffer']['All'])
entries.append(entry)
samr.hSamrCloseHandle(dce, r['UserHandle'])
enumeration_context = resp['EnumerationContext']
status = resp['ErrorCode']
except ListUsersException as e:
logging.critical("Error listing users: %s" % e)
dce.disconnect()
return entries
def getDomainUsers(self, enumerationContext=0):
if self.__samr is None:
self.connectSamr(self.getMachineNameAndDomain()[1])
try:
resp = samr.hSamrEnumerateUsersInDomain(self.__samr, self.__domainHandle,
userAccountControl=samr.USER_NORMAL_ACCOUNT | \
samr.USER_WORKSTATION_TRUST_ACCOUNT | \
samr.USER_SERVER_TRUST_ACCOUNT |\
samr.USER_INTERDOMAIN_TRUST_ACCOUNT,
enumerationContext=enumerationContext)
except DCERPCException, e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
def getDomainUsers(self, enumerationContext=0):
if self.__samr is None:
self.connectSamr(self.getMachineNameAndDomain()[1])
try:
resp = samr.hSamrEnumerateUsersInDomain(self.__samr, self.__domainHandle,
userAccountControl=samr.USER_NORMAL_ACCOUNT | \
samr.USER_WORKSTATION_TRUST_ACCOUNT | \
samr.USER_SERVER_TRUST_ACCOUNT |\
samr.USER_INTERDOMAIN_TRUST_ACCOUNT,
enumerationContext=enumerationContext)
except DCERPCException, e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
def __fetchList(self, rpctransport):
dce = rpctransport.get_dce_rpc()
entries = []
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
try:
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']
print('Found domain(s):')
for domain in domains:
print(" . %s" % domain['Name'])
logging.info("Looking up users in domain %s" % domains[0]['Name'])
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,
domains[0]['Name'])
resp = samr.hSamrOpenDomain(dce,
serverHandle=serverHandle,
domainId=resp['DomainId'])
domainHandle = resp['DomainHandle']
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(
dce,
domainHandle,
enumerationContext=enumerationContext)
except DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
r = samr.hSamrOpenUser(dce, domainHandle,
samr.MAXIMUM_ALLOWED,
user['RelativeId'])
print("Found user: %s, uid = %d" %
(user['Name'], user['RelativeId']))
info = samr.hSamrQueryInformationUser2(
dce, r['UserHandle'],
samr.USER_INFORMATION_CLASS.UserAllInformation)
entry = (user['Name'], user['RelativeId'],
info['Buffer']['All'])
entries.append(entry)
samr.hSamrCloseHandle(dce, r['UserHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except ListUsersException as e:
logging.critical("Error listing users: %s" % e)
dce.disconnect()
return entries
def fetchList(self, rpctransport):
dce = DCERPC_v5(rpctransport)
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
# Setup Connection
resp = samr.hSamrConnect2(dce)
if resp['ErrorCode'] != 0:
raise Exception('Connect error')
resp2 = samr.hSamrEnumerateDomainsInSamServer(
dce,
serverHandle=resp['ServerHandle'],
enumerationContext=0,
preferedMaximumLength=500)
if resp2['ErrorCode'] != 0:
raise Exception('Connect error')
resp3 = samr.hSamrLookupDomainInSamServer(
dce,
serverHandle=resp['ServerHandle'],
name=resp2['Buffer']['Buffer'][0]['Name'])
if resp3['ErrorCode'] != 0:
raise Exception('Connect error')
resp4 = samr.hSamrOpenDomain(dce,
serverHandle=resp['ServerHandle'],
desiredAccess=samr.MAXIMUM_ALLOWED,
domainId=resp3['DomainId'])
if resp4['ErrorCode'] != 0:
raise Exception('Connect error')
self.__domains = resp2['Buffer']['Buffer']
domainHandle = resp4['DomainHandle']
# End Setup
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(
dce, domainHandle, enumerationContext=enumerationContext)
except DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
self.logger.error('Error enumerating domain user(s)')
break
resp = e.get_packet()
self.logger.success('Enumerated domain user(s)')
for user in resp['Buffer']['Buffer']:
r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED,
user['RelativeId'])
info = samr.hSamrQueryInformationUser2(
dce, r['UserHandle'],
samr.USER_INFORMATION_CLASS.UserAllInformation)
(username, uid, info_user) = (user['Name'], user['RelativeId'],
info['Buffer']['All'])
self.logger.highlight('{}\\{:<30} {}'.format(
self.domain, user['Name'], info_user['AdminComment']))
self.users.append(user['Name'])
samr.hSamrCloseHandle(dce, r['UserHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
dce.disconnect()
def __samr_users(self, usrdomain=None):
'''
Enumerate users on the system
'''
self.__samr_domains(True)
encoding = sys.getdefaultencoding()
for domain_name, domain in self.domains_dict.items():
if usrdomain and usrdomain.upper() != domain_name.upper():
continue
logger.info('Looking up users in domain %s' % domain_name)
resp = samr.hSamrLookupDomainInSamServer(self.__dce,
self.__mgr_handle,
domain_name)
resp = samr.hSamrOpenDomain(self.__dce,
serverHandle=self.__mgr_handle,
domainId=resp['DomainId'])
self.__domain_context_handle = resp['DomainHandle']
status = STATUS_MORE_ENTRIES
enum_context = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(
self.__dce,
self.__domain_context_handle,
enumerationContext=enum_context)
except DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
r = samr.hSamrOpenUser(self.__dce,
self.__domain_context_handle,
samr.MAXIMUM_ALLOWED,
user['RelativeId'])
logger.debug('Found user %s (UID: %d)' %
(user['Name'], user['RelativeId']))
info = samr.hSamrQueryInformationUser2(
self.__dce, r['UserHandle'],
samr.USER_INFORMATION_CLASS.UserAllInformation)
entry = (user['Name'], user['RelativeId'],
info['Buffer']['All'])
self.users_list.add(entry)
samr.hSamrCloseHandle(self.__dce, r['UserHandle'])
enum_context = resp['EnumerationContext']
status = resp['ErrorCode']
if self.users_list:
num = len(self.users_list)
logger.info('Retrieved %d user%s' %
(num, 's' if num > 1 else ''))
else:
logger.info('No users enumerated')
for entry in self.users_list:
user, uid, info = entry
print(user)
print(' User ID: %d' % uid)
print(' Group ID: %d' % info['PrimaryGroupId'])
if info['UserAccountControl'] & samr.USER_ACCOUNT_DISABLED:
account_disabled = 'True'
else:
account_disabled = 'False'
print(' Enabled: %s' % account_disabled)
try:
print(' Logon count: %d' % info['LogonCount'])
except ValueError:
pass
lastLogon = (info['LastLogon']['HighPart'] <<
32) + info['LastLogon']['LowPart']
if lastLogon == 0:
lastLogon = '<never>'
else:
lastLogon = str(
datetime.fromtimestamp(self.getUnixTime(lastLogon)))
try:
print(' Last Logon: %s' % lastLogon)
except ValueError:
pass
lastLogoff = (info['LastLogoff']['HighPart'] <<
32) + info['LastLogoff']['LowPart']
if lastLogoff == 0:
lastLogoff = '<never>'
else:
lastLogoff = str(
datetime.fromtimestamp(self.getUnixTime(lastLogoff)))
try:
print(' Last Logoff: %s' % lastLogoff)
except ValueError:
pass
pwdLastSet = (info['PasswordLastSet']['HighPart'] <<
32) + info['PasswordLastSet']['LowPart']
if pwdLastSet == 0:
pwdLastSet = '<never>'
else:
pwdLastSet = str(
datetime.fromtimestamp(self.getUnixTime(pwdLastSet)))
try:
print(' Last password set: %s' % pwdLastSet)
except ValueError:
pass
if info['PasswordExpired'] == 0:
password_expired = 'False'
elif info['PasswordExpired'] == 1:
password_expired = 'True'
try:
print(' Password expired: %s' % password_expired)
except ValueError:
pass
if info['UserAccountControl'] & samr.USER_DONT_EXPIRE_PASSWORD:
dont_expire = 'True'
else:
dont_expire = 'False'
try:
print(' Password does not expire: %s' % dont_expire)
except ValueError:
pass
pwdCanChange = (info['PasswordCanChange']['HighPart'] <<
32) + info['PasswordCanChange']['LowPart']
if pwdCanChange == 0:
pwdCanChange = '<never>'
else:
pwdCanChange = str(
datetime.fromtimestamp(self.getUnixTime(pwdCanChange)))
try:
print(' Password can change: %s' % pwdCanChange)
except ValueError:
pass
try:
pwdMustChange = (
info['PasswordMustChange']['HighPart'] <<
32) + info['PasswordMustChange']['LowPart']
if pwdMustChange == 0:
pwdMustChange = '<never>'
else:
pwdMustChange = str(
datetime.fromtimestamp(
self.getUnixTime(pwdMustChange)))
except:
pwdMustChange = '<never>'
try:
print(' Password must change: %s' % pwdMustChange)
except ValueError:
pass
try:
print(' Bad password count: %d' %
info['BadPasswordCount'])
except ValueError:
pass
try:
print(' Full name: %s' % info['FullName'])
except ValueError:
pass
try:
print(' Home directory: %s' % info['HomeDirectory'])
except ValueError:
pass
try:
print(' Home directory drive: %s' %
info['HomeDirectoryDrive'])
except ValueError:
pass
try:
print(' Script path: %s' % info['ScriptPath'])
except ValueError:
pass
try:
print(' Profile path: %s' % info['ProfilePath'])
except ValueError:
pass
try:
print(' Admin comment: %s' % info['AdminComment'])
except ValueError:
pass
try:
print(' Workstations: %s' % info['WorkStations'])
except ValueError:
pass
try:
print(' User comment: %s' % info['UserComment'])
except ValueError:
pass
self.users_list = set()
def __fetchUserList(self, rpctransport):
dce = rpctransport.get_dce_rpc()
domain = None
entries = []
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
try:
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']
domain = domains[0]['Name']
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,
domains[0]['Name'])
resp = samr.hSamrOpenDomain(dce,
serverHandle=serverHandle,
domainId=resp['DomainId'])
domainHandle = resp['DomainHandle']
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(
dce,
domainHandle,
enumerationContext=enumerationContext)
except DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
try:
r = samr.hSamrOpenUser(dce, domainHandle,
samr.MAXIMUM_ALLOWED,
user['RelativeId'])
info = samr.hSamrQueryInformationUser2(
dce, r['UserHandle'],
samr.USER_INFORMATION_CLASS.UserAllInformation)
entry = (domain, user['Name'], user['RelativeId'],
info['Buffer']['All'])
yield entry
samr.hSamrCloseHandle(dce, r['UserHandle'])
except DCERPCSessionError:
pass
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except ListUsersException as e:
print("Error listing users: %s" % e)
dce.disconnect()
def enumerate(dce, domain_handle):
return samr.hSamrEnumerateUsersInDomain(dce, domain_handle)
