def get_netsubnet(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), queried_domain=str(), queried_sitename=str(),
ads_path=str(), full_data=False):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netsubnet(queried_domain=queried_domain,
queried_sitename=queried_sitename, ads_path=ads_path, full_data=full_data)
def get_netcomputer(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
do_kerberos=False,
do_tls=False,
queried_computername='*',
queried_spn=str(),
queried_os=str(),
queried_sp=str(),
queried_domain=str(),
ads_path=str(),
printers=False,
unconstrained=False,
ping=False,
full_data=False,
custom_filter=str(),
attributes=[]):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash, do_kerberos, do_tls)
return requester.get_netcomputer(queried_computername=queried_computername,
queried_spn=queried_spn,
queried_os=queried_os,
queried_sp=queried_sp,
queried_domain=queried_domain,
ads_path=ads_path,
printers=printers,
unconstrained=unconstrained,
ping=ping,
full_data=full_data,
custom_filter=custom_filter,
attributes=attributes)
def get_userevent(target_computername, domain, user, password=str(),
lmhash=str(), nthash=str(), event_type=['logon', 'tgt'],
date_start=5):
requester = NetRequester(target_computername, domain, user, password,
lmhash, nthash)
return requester.get_userevent(event_type=event_type,
date_start=date_start)
def get_netlocalgroup(target_computername, domain_controller, domain, user,
password=str(), lmhash=str(), nthash=str(), queried_groupname=str(),
list_groups=False, recurse=False):
requester = NetRequester(target_computername, domain, user, password,
lmhash, nthash, domain_controller)
return requester.get_netlocalgroup(queried_groupname=queried_groupname,
list_groups=list_groups, recurse=recurse)
def get_netlocalgroup(target_computername, domain_controller, domain, user,
password=str(), lmhash=str(), nthash=str(), queried_groupname=str(),
list_groups=False, recurse=False):
requester = NetRequester(target_computername, domain, user, password,
lmhash, nthash, domain_controller)
return requester.get_netlocalgroup(queried_groupname=queried_groupname,
list_groups=list_groups, recurse=recurse)
def get_netgroup(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
do_kerberos=False,
do_tls=False,
queried_groupname='*',
queried_sid=str(),
queried_username=str(),
queried_domain=str(),
ads_path=str(),
admin_count=False,
full_data=False,
custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash, do_kerberos, do_tls)
return requester.get_netgroup(queried_groupname=queried_groupname,
queried_sid=queried_sid,
queried_username=queried_username,
queried_domain=queried_domain,
ads_path=ads_path,
admin_count=admin_count,
full_data=full_data,
custom_filter=custom_filter)
def get_netuser(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
do_kerberos=False,
do_tls=False,
queried_username=str(),
queried_domain=str(),
ads_path=str(),
admin_count=False,
spn=False,
unconstrained=False,
allow_delegation=False,
preauth_notreq=False,
custom_filter=str(),
attributes=[]):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash, do_kerberos, do_tls)
return requester.get_netuser(queried_username=queried_username,
queried_domain=queried_domain,
ads_path=ads_path,
admin_count=admin_count,
spn=spn,
unconstrained=unconstrained,
allow_delegation=allow_delegation,
preauth_notreq=preauth_notreq,
custom_filter=custom_filter,
attributes=attributes)
def get_adobject(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
do_kerberos=False,
do_tls=False,
queried_domain=str(),
queried_sid=str(),
queried_name=str(),
queried_sam_account_name=str(),
ads_path=str(),
attributes=list(),
custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash, do_kerberos, do_tls)
return requester.get_adobject(
queried_domain=queried_domain,
queried_sid=queried_sid,
queried_name=queried_name,
queried_sam_account_name=queried_sam_account_name,
ads_path=ads_path,
attributes=attributes,
custom_filter=custom_filter)
def get_netsubnet(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), queried_domain=str(), queried_sitename=str(),
ads_path=str(), full_data=False):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netsubnet(queried_domain=queried_domain,
queried_sitename=queried_sitename, ads_path=ads_path, full_data=full_data)
def get_netgroupmember(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
do_kerberos=False,
do_tls=False,
queried_groupname=str(),
queried_sid=str(),
queried_domain=str(),
ads_path=str(),
recurse=False,
use_matching_rule=False,
full_data=False,
custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash, do_kerberos, do_tls)
return requester.get_netgroupmember(queried_groupname=queried_groupname,
queried_sid=queried_sid,
queried_domain=queried_domain,
ads_path=ads_path,
recurse=recurse,
use_matching_rule=use_matching_rule,
full_data=full_data,
custom_filter=custom_filter)
def get_userevent(target_computername, domain, user, password=str(),
lmhash=str(), nthash=str(), event_type=['logon', 'tgt'],
date_start=5):
requester = NetRequester(target_computername, domain, user, password,
lmhash, nthash)
return requester.get_userevent(event_type=event_type,
date_start=date_start)
def get_objectacl(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
do_kerberos=False,
do_tls=False,
queried_domain=str(),
queried_sid=str(),
queried_name=str(),
queried_sam_account_name=str(),
ads_path=str(),
sacl=False,
rights_filter=str(),
resolve_sids=False,
resolve_guids=False,
custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash, do_kerberos, do_tls)
return requester.get_objectacl(
queried_domain=queried_domain,
queried_sid=queried_sid,
queried_name=queried_name,
queried_sam_account_name=queried_sam_account_name,
ads_path=ads_path,
sacl=sacl,
rights_filter=rights_filter,
resolve_sids=resolve_sids,
resolve_guids=resolve_guids,
custom_filter=custom_filter)
def get_netou(domain_controller, domain, user, password=str(), lmhash=str(),
nthash=str(), queried_domain=str(), queried_ouname='*', queried_guid=str(),
ads_path=str(), full_data=False):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netou(queried_domain=queried_domain,
queried_ouname=queried_ouname, queried_guid=queried_guid, ads_path=ads_path,
full_data=full_data)
def get_netou(domain_controller, domain, user, password=str(), lmhash=str(),
nthash=str(), queried_domain=str(), queried_ouname='*', queried_guid=str(),
ads_path=str(), full_data=False):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netou(queried_domain=queried_domain,
queried_ouname=queried_ouname, queried_guid=queried_guid, ads_path=ads_path,
full_data=full_data)
def __init__(self, target_computer, domain=str(), user=(), password=str(),
lmhash=str(), nthash=str(), domain_controller=str(), queried_domain=str()):
NetRequester.__init__(self, target_computer, domain, user, password,
lmhash, nthash, domain_controller)
self._target_domains = list()
self._target_computers = list()
self._target_users = list()
self._parent_pipes = list()
self._workers = list()
def get_netsite(domain_controller, domain, user, password=str(), lmhash=str(),
nthash=str(), queried_domain=str(), queried_sitename=str(),
queried_guid=str(), ads_path=str(), ads_prefix='CN=Sites,CN=Configuration',
full_data=False):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netsite(queried_domain=queried_domain,
queried_sitename=queried_sitename, queried_guid=queried_guid,
ads_path=ads_path, ads_prefix=ads_prefix, full_data=full_data)
def get_netloggedon(target_computername,
domain,
user,
password=str(),
lmhash=str(),
nthash=str()):
requester = NetRequester(target_computername, domain, user, password,
lmhash, nthash)
return requester.get_netloggedon()
def get_netdomain(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str()):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash)
return requester.get_netdomain()
def get_localdisks(target_computername,
domain,
user,
password=str(),
lmhash=str(),
nthash=str()):
requester = NetRequester(target_computername, domain, user, password,
lmhash, nthash)
return requester.get_localdisks()
def get_netprocess(target_computername,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
do_kerberos=False):
requester = NetRequester(target_computername, domain, user, password,
lmhash, nthash, do_kerberos)
return requester.get_netprocess()
def get_adobject(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), queried_domain=str(), queried_sid=str(),
queried_name=str(), queried_sam_account_name=str(), ads_path=str(),
custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_adobject(queried_domain=queried_domain,
queried_sid=queried_sid, queried_name=queried_name,
queried_sam_account_name=queried_sam_account_name,
ads_path=ads_path, custom_filter=custom_filter)
def get_netuser(domain_controller, domain, user, password=str(), lmhash=str(),
nthash=str(), queried_username=str(), queried_domain=str(), ads_path=str(),
admin_count=False, spn=False, unconstrained=False, allow_delegation=False,
custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netuser(queried_username=queried_username,
queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count,
spn=spn, unconstrained=unconstrained, allow_delegation=allow_delegation,
custom_filter=custom_filter)
def get_netgroup(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), queried_groupname='*', queried_sid=str(),
queried_username=str(), queried_domain=str(), ads_path=str(),
admin_count=False, full_data=False, custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netgroup(queried_groupname=queried_groupname,
queried_sid=queried_sid, queried_username=queried_username,
queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count,
full_data=full_data, custom_filter=custom_filter)
def get_adobject(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), queried_domain=str(), queried_sid=str(),
queried_name=str(), queried_sam_account_name=str(), ads_path=str(),
custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_adobject(queried_domain=queried_domain,
queried_sid=queried_sid, queried_name=queried_name,
queried_sam_account_name=queried_sam_account_name,
ads_path=ads_path, custom_filter=custom_filter)
def get_netdomaintrust(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
queried_domain=str()):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash)
return requester.get_netdomaintrust(queried_domain=queried_domain)
def get_netgroupmember(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), queried_groupname=str(), queried_sid=str(),
queried_domain=str(), ads_path=str(), recurse=False, use_matching_rule=False,
full_data=False, custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netgroupmember(queried_groupname=queried_groupname,
queried_sid=queried_sid, queried_domain=queried_domain,
ads_path=ads_path, recurse=recurse,
use_matching_rule=use_matching_rule,
full_data=full_data, custom_filter=custom_filter)
def get_netdomain(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
do_kerberos=False,
do_tls=False):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash, do_kerberos, do_tls)
return requester.get_netdomain()
def get_netcomputer(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), queried_computername='*', queried_spn=str(),
queried_os=str(), queried_sp=str(), queried_domain=str(), ads_path=str(),
printers=False, unconstrained=False, ping=False, full_data=False,
custom_filter=str()):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netcomputer(queried_computername=queried_computername,
queried_spn=queried_spn, queried_os=queried_os, queried_sp=queried_sp,
queried_domain=queried_domain, ads_path=ads_path, printers=printers,
unconstrained=unconstrained, ping=ping, full_data=full_data,
custom_filter=custom_filter)
def get_netfileserver(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
queried_domain=str(),
target_users=list()):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash)
return requester.get_netfileserver(queried_domain=queried_domain,
target_users=target_users)
def get_dfsshare(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
version=['v1', 'v2'],
queried_domain=str(),
ads_path=str()):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash)
return requester.get_dfsshare(version=version,
queried_domain=queried_domain,
ads_path=ads_path)
def _hunt(self, target_computer):
# TODO: implement ping of target
results = list()
# First, we get every distant session on the target computer
distant_sessions = list()
with NetRequester(target_computer, self._domain, self._user,
self._password, self._lmhash,
self._nthash) as net_requester:
if not self._foreign_users:
distant_sessions += net_requester.get_netsession()
if not self._stealth:
distant_sessions += net_requester.get_netloggedon()
# For every session, we get information on the remote user
for session in distant_sessions:
try:
username = session.sesi10_username
userdomain = str()
session_from = session.sesi10_cname
if session_from.startswith('\\'):
session_from = session_from.lstrip('\\')
except AttributeError:
username = session.wkui1_username
userdomain = session.wkui1_logon_domain
session_from = str()
# If we found a user
if username:
# We see if it's in our target user group
for target_user in self._target_users:
if target_user.membername.lower() in username.lower():
# If we fall in this branch, we're looking for foreign users
# and found a user in the same domain
if self._domain_short_name and self._domain_short_name.lower(
) == userdomain.lower():
continue
attributes = dict()
if userdomain:
attributes['userdomain'] = userdomain
else:
attributes['userdomain'] = target_user.memberdomain
attributes['username'] = username
attributes['computername'] = target_computer
attributes['sessionfrom'] = session_from
if self._check_access:
with Misc(target_computer, self._domain,
self._user, self._password, self._lmhash,
self._nthash) as misc_requester:
attributes[
'localadmin'] = misc_requester.invoke_checklocaladminaccess(
)
else:
attributes['localadmin'] = str()
results.append(rpcobj.RPCObject(attributes))
return results
def get_netgpogroup(self, queried_gponame='*', queried_displayname=str(),
queried_domain=str(), ads_path=str(), resolve_sids=False):
results = list()
gpos = self.get_netgpo(queried_gponame=queried_gponame,
queried_displayname=queried_displayname,
queried_domain=queried_domain,
ads_path=ads_path)
for gpo in gpos:
gpo_display_name = gpo.displayname
groupsxml_path = '{}\\MACHINE\\Preferences\\Groups\\Groups.xml'.format(gpo.gpcfilesyspath)
gpttmpl_path = '{}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf'.format(gpo.gpcfilesyspath)
results += self._get_groupsxml(groupsxml_path, gpo_display_name)
try:
results += self._get_groupsgpttmpl(gpttmpl_path, gpo_display_name)
except SessionError:
# If the GptTmpl file doesn't exist, we skip this
pass
if resolve_sids:
for gpo_group in results:
members = gpo_group.members
memberof = gpo_group.memberof
resolved_members = list()
resolved_memberof = list()
with NetRequester(self._domain_controller, self._domain, self._user,
self._password, self._lmhash, self._nthash) as net_requester:
for member in members:
try:
resolved_member = net_requester.get_adobject(queried_sid=member, queried_domain=queried_domain)[0]
resolved_member = resolved_member.distinguishedname.split(',')
resolved_member_domain = '.'.join(resolved_member[1:])
resolved_member = '{}\\{}'.format(resolved_member_domain, resolved_member[0])
resolved_member = resolved_member.replace('CN=', '').replace('DC=', '')
except IndexError:
resolved_member = member
finally:
resolved_members.append(resolved_member)
gpo_group.members = resolved_members
for member in memberof:
try:
resolved_member = net_requester.get_adobject(queried_sid=member, queried_domain=queried_domain)[0]
resolved_member = resolved_member.distinguishedname.split(',')[:2]
resolved_member = '{}\\{}'.format(resolved_member[1], resolved_member[0])
resolved_member = resolved_member.replace('CN=', '').replace('DC=', '')
except IndexError:
resolved_member = member
finally:
resolved_memberof.append(resolved_member)
gpo_group.memberof = memberof = resolved_memberof
return results
def get_domainpolicy(self, source='domain', queried_domain=str(),
resolve_sids=False):
if source == 'domain':
queried_gponame = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
elif source == 'dc':
queried_gponame = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'
gpo = self.get_netgpo(queried_domain=queried_domain, queried_gponame=queried_gponame)[0]
gpttmpl_path = '{}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf'.format(gpo.gpcfilesyspath)
gpttmpl = self.get_gpttmpl(gpttmpl_path)
if source == 'domain':
return gpttmpl
elif source == 'dc':
if not resolve_sids:
return gpttmpl
else:
import inspect
try:
privilege_rights_policy = gpttmpl.privilegerights
except AttributeError:
return gpttmpl
members = inspect.getmembers(privilege_rights_policy, lambda x: not(inspect.isroutine(x)))
with NetRequester(self._domain_controller, self._domain, self._user,
self._password, self._lmhash, self._nthash) as net_requester:
for member in members:
if member[0].startswith('_'):
continue
if not isinstance(member[1], list):
sids = [member[1]]
else:
sids = member[1]
resolved_sids = list()
for sid in sids:
if not sid:
continue
try:
resolved_sid = net_requester.get_adobject(queried_sid=sid, queried_domain=queried_domain)[0]
except IndexError:
resolved_sid = sid
else:
resolved_sid = resolved_sid.distinguishedname.split(',')[:2]
resolved_sid = '{}\\{}'.format(resolved_sid[1], resolved_sid[0])
resolved_sid = resolved_sid.replace('CN=', '')
resolved_sids.append(resolved_sid)
if len(resolved_sids) == 1:
resolved_sids = resolved_sids[0]
setattr(privilege_rights_policy, member[0], resolved_sids)
gpttmpl.privilegerights = privilege_rights_policy
return gpttmpl
def _build_target_users(self, queried_groupname=str(), target_server=str(),
queried_username=str(), queried_userfilter=str(),
queried_useradspath=str(), queried_userfile=None,
admin_count=False, allow_delegation=False,
show_all=False, foreign_users=False):
if show_all or foreign_users:
attributes = {'memberdomain': str(), 'membername': str()}
self._target_users.append(rpcobj.TargetUser(attributes))
elif target_server:
with NetRequester(target_server, domain, user, password, lmhash,
nthash, domain_controller) as target_server_requester:
for x in target_server_requester.get_netlocalgroup(recurse=True):
if x.isdomain and not x.isgroup:
attributes = {'memberdomain': x.name.split('/')[0].lower(),
'membername': x.name.split('/')[1].lower()}
self._target_users.append(rpcobj.TargetUser(attributes))
elif queried_userfile:
with queried_userfile as _:
for x in queried_userfile.readlines():
attributes = dict()
attributes['membername'] = x.rstrip('\n')
attributes['memberdomain'] = self._target_domains[0]
self._target_users.append(rpcobj.TargetUser(attributes))
elif queried_username:
attributes = dict()
attributes['membername'] = queried_username.lower()
attributes['memberdomain'] = self._target_domains[0]
self._target_users.append(rpcobj.TargetUser(attributes))
elif queried_useradspath or queried_userfilter or admin_count or allow_delegation:
for target_domain in self._target_domains:
for x in self.get_netuser(ads_path=queried_useradspath,
custom_filter=queried_userfilter,
admin_count=admin_count,
allow_delegation=allow_delegation,
queried_domain=target_domain):
attributes = dict()
attributes['memberdomain'] = target_domain
attributes['membername'] = x.samaccountname
self._target_users.append(rpcobj.TargetUser(attributes))
else:
for target_domain in self._target_domains:
self._target_users += self.get_netgroupmember(queried_domain=target_domain,
queried_groupname=queried_groupname,
recurse=True)
self._target_users = list(set(self._target_users))
if (not show_all) and (not foreign_users) and (not self._target_users):
raise ValueError('No users to search for')
def get_adserviceaccount(domain_controller,
domain,
user,
password=str(),
lmhash=str(),
nthash=str(),
do_kerberos=False,
do_tls=False,
queried_domain=str(),
queried_sid=str(),
queried_name=str(),
queried_sam_account_name=str(),
ads_path=str(),
resolve_sids=False):
requester = NetRequester(domain_controller, domain, user, password, lmhash,
nthash, do_kerberos, do_tls)
return requester.get_adserviceaccount(
queried_domain=queried_domain,
queried_sid=queried_sid,
queried_name=queried_name,
queried_sam_account_name=queried_sam_account_name,
ads_path=ads_path,
resolve_sids=resolve_sids)
def _hunt(self, target_computer):
results = list()
distant_processes = list()
with NetRequester(target_computer, self._domain, self._user,
self._password, self._lmhash,
self._nthash) as net_requester:
distant_events = net_requester.get_userevent(
date_start=self._search_days)
for event in distant_events:
if self._target_users:
for target_user in self._target_users:
if target_user.membername.lower() in event.username.lower(
):
results.append(event)
return results
def _hunt(self, target_computer):
results = list()
distant_processes = list()
with NetRequester(target_computer, self._domain, self._user,
self._password, self._lmhash,
self._nthash) as net_requester:
distant_processes = net_requester.get_netprocess()
for process in distant_processes:
if self._process_name:
for process_name in self._process_name:
if process_name.lower() in process.processname.lower():
results.append(process)
elif self._target_users:
for target_user in self._target_users:
if target_user.membername.lower() in process.user.lower():
results.append(process)
return results
def find_gpolocation(self,
queried_username=str(),
queried_groupname=str(),
queried_localgroup=str(),
queried_domain=str()):
results = list()
net_requester = NetRequester(self._domain_controller, self._domain,
self._user, self._password, self._lmhash,
self._nthash)
if queried_username:
try:
user = net_requester.get_netuser(
queried_username=queried_username,
queried_domain=queried_domain)[0]
except IndexError:
raise ValueError(
'Username \'{}\' was not found'.format(queried_username))
else:
target_sid = [user.objectsid]
object_sam_account_name = user.samaccountname
object_distinguished_name = user.distinguishedname
elif queried_groupname:
try:
group = net_requester.get_netgroup(
queried_groupname=queried_groupname,
queried_domain=queried_domain,
full_data=True)[0]
except IndexError:
raise ValueError('Group name \'{}\' was not found'.format(
queried_groupname))
else:
target_sid = [group.objectsid]
object_sam_account_name = group.samaccountname
object_distinguished_name = group.distinguishedname
else:
raise ValueError(
'You must specify either a username or a group name')
if 'admin' in queried_localgroup.lower():
local_sid = 'S-1-5-32-544'
elif 'rdp' in queried_localgroup.lower():
local_sid = 'S-1-5-32-555'
elif queried_localgroup.upper().startswith('S-1-5'):
local_sid = queried_localgroup
else:
raise ValueError('The queried local group must be in \'Administrators\', ' \
'\'RDP\', or a \'S-1-5\' type SID')
object_groups = net_requester.get_netgroup(
queried_username=object_sam_account_name,
queried_domain=queried_domain)
for object_group in object_groups:
try:
object_group_sid = net_requester.get_adobject(
queried_sam_account_name=object_group.samaccountname,
queried_domain=queried_domain)[0].objectsid
except IndexError:
# We may have the name of the group, but not its sam account name
try:
object_group_sid = net_requester.get_adobject(
queried_name=object_group.samaccountname,
queried_domain=queried_domain)[0].objectsid
except IndexError:
# Freak accident when someone is a member of a group, but
# we can't find the group in the AD
continue
target_sid.append(object_group_sid)
gpo_groups = list()
for gpo_group in self.get_netgpogroup(queried_domain=queried_domain):
try:
for member in gpo_group.members:
if not member.upper().startswith('S-1-5'):
try:
member = net_requester.get_adobject(
queried_sam_account_name=member,
queried_domain=queried_domain)[0].objectsid
except IndexError, AttributeError:
continue
if (member.upper() in target_sid) or (member.lower()
in target_sid):
if (local_sid.upper() in gpo_group.memberof) or \
(local_sid.lower() in gpo_group.memberof):
gpo_groups.append(gpo_group)
break
except AttributeError:
continue
for gpo_group in gpo_groups:
gpo_guid = gpo_group.gponame
ous = net_requester.get_netou(queried_domain=queried_domain,
queried_guid=gpo_guid,
full_data=True)
for ou in ous:
# TODO: support filters for GPO
ou_computers = [x.dnshostname for x in \
net_requester.get_netcomputer(queried_domain=queried_domain,
ads_path=ou.distinguishedname)]
gpo_location = GPOLocation(list())
setattr(gpo_location, 'objectname', object_distinguished_name)
setattr(gpo_location, 'gponame', gpo_group.gpodisplayname)
setattr(gpo_location, 'gpoguid', gpo_guid)
setattr(gpo_location, 'containername', ou.distinguishedname)
setattr(gpo_location, 'computers', ou_computers)
results.append(gpo_location)
return results
def get_netprocess(target_computername, domain, user, password=str(),
lmhash=str(), nthash=str()):
requester = NetRequester(target_computername, domain, user, password,
lmhash, nthash)
return requester.get_netprocess()
def get_netdomaincontroller(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), queried_domain=str()):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netdomaincontroller(queried_domain=queried_domain)
def get_netfileserver(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), queried_domain=str(), target_users=list()):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_netfileserver(queried_domain=queried_domain,
target_users=target_users)
def get_dfsshare(domain_controller, domain, user, password=str(),
lmhash=str(), nthash=str(), version=['v1', 'v2'], queried_domain=str(),
ads_path=str()):
requester = NetRequester(domain_controller, domain, user, password,
lmhash, nthash)
return requester.get_dfsshare(version=version, queried_domain=queried_domain, ads_path=ads_path)
def find_gpolocation(self, queried_username=str(), queried_groupname=str(),
queried_localgroup=str(), queried_domain=str()):
results = list()
net_requester = NetRequester(self._domain_controller, self._domain, self._user,
self._password, self._lmhash, self._nthash)
if queried_username:
try:
user = net_requester.get_netuser(queried_username=queried_username,
queried_domain=queried_domain)[0]
except IndexError:
raise ValueError('Username \'{}\' was not found'.format(queried_username))
else:
target_sid = [user.objectsid]
object_sam_account_name = user.samaccountname
object_distinguished_name = user.distinguishedname
elif queried_groupname:
try:
group = net_requester.get_netgroup(queried_groupname=queried_groupname,
queried_domain=queried_domain,
full_data=True)[0]
except IndexError:
raise ValueError('Group name \'{}\' was not found'.format(queried_groupname))
else:
target_sid = [group.objectsid]
object_sam_account_name = group.samaccountname
object_distinguished_name = group.distinguishedname
else:
raise ValueError('You must specify either a username or a group name')
if 'admin' in queried_localgroup.lower():
local_sid = 'S-1-5-32-544'
elif 'rdp' in queried_localgroup.lower():
local_sid = 'S-1-5-32-555'
elif queried_localgroup.upper().startswith('S-1-5'):
local_sid = queried_localgroup
else:
raise ValueError('The queried local group must be in \'Administrators\', ' \
'\'RDP\', or a \'S-1-5\' type SID')
object_groups = net_requester.get_netgroup(queried_username=object_sam_account_name,
queried_domain=queried_domain)
for object_group in object_groups:
try:
object_group_sid = net_requester.get_adobject(queried_sam_account_name=object_group.samaccountname,
queried_domain=queried_domain)[0].objectsid
except IndexError:
# We may have the name of the group, but not its sam account name
object_group_sid = net_requester.get_adobject(queried_name=object_group.samaccountname,
queried_domain=queried_domain)[0].objectsid
target_sid.append(object_group_sid)
gpo_groups = list()
for gpo_group in self.get_netgpogroup():
try:
for member in gpo_group.members:
if not member.upper().startswith('S-1-5'):
try:
member = net_requester.get_adobject(queried_sam_account_name=member,
queried_domain=queried_domain)[0].objectsid
except IndexError, AttributeError:
continue
if (member.upper() in target_sid) or (member.lower() in target_sid):
if (local_sid.upper() in gpo_group.memberof) or \
(local_sid.lower() in gpo_group.memberof):
gpo_groups.append(gpo_group)
break
except AttributeError:
continue
for gpo_group in gpo_groups:
gpo_guid = gpo_group.gponame
ous = net_requester.get_netou(queried_domain=queried_domain,
queried_guid=gpo_guid, full_data=True)
for ou in ous:
# TODO: support filters for GPO
ou_computers = [x.dnshostname for x in \
net_requester.get_netcomputer(queried_domain=queried_domain,
ads_path=ou.distinguishedname)]
gpo_location = GPOLocation(list())
setattr(gpo_location, 'objectname', object_distinguished_name)
setattr(gpo_location, 'gponame', gpo_group.gpodisplayname)
setattr(gpo_location, 'gpoguid', gpo_guid)
setattr(gpo_location, 'containername', ou.distinguishedname)
setattr(gpo_location, 'computers', ou_computers)
results.append(gpo_location)
return results
def find_gpocomputeradmin(self, queried_computername=str(),
queried_ouname=str(), queried_domain=str(),
recurse=False):
results = list()
if (not queried_computername) and (not queried_ouname):
raise ValueError('You must specify either a computer name or an OU name')
net_requester = NetRequester(self._domain_controller, self._domain, self._user,
self._password, self._lmhash, self._nthash)
if queried_computername:
computers = net_requester.get_netcomputer(queried_computername=queried_computername,
queried_domain=queried_domain,
full_data=True)
if not computers:
raise ValueError('Computer {} not found'.format(queried_computername))
target_ous = list()
for computer in computers:
dn = computer.distinguishedname
for x in dn.split(','):
if x.startswith('OU='):
target_ous.append(dn[dn.find(x):])
else:
target_ous = [queried_ouname]
gpo_groups = list()
for target_ou in target_ous:
ous = net_requester.get_netou(ads_path=target_ou, queried_domain=queried_domain,
full_data=True)
for ou in ous:
for gplink in ou.gplink.strip('[]').split(']['):
gplink = gplink.split(';')[0]
gpo_groups = self.get_netgpogroup(queried_domain=queried_domain,
ads_path=gplink)
for gpo_group in gpo_groups:
for member in gpo_group.members:
obj = net_requester.get_adobject(queried_sid=member,
queried_domain=queried_domain)[0]
gpo_computer_admin = GPOComputerAdmin(list())
setattr(gpo_computer_admin, 'computername', queried_computername)
setattr(gpo_computer_admin, 'ou', target_ou)
setattr(gpo_computer_admin, 'gpodisplayname', gpo_group.gpodisplayname)
setattr(gpo_computer_admin, 'gpopath', gpo_group.gpopath)
setattr(gpo_computer_admin, 'objectname', obj.name)
setattr(gpo_computer_admin, 'objectdn', obj.distinguishedname)
setattr(gpo_computer_admin, 'objectsid', member)
setattr(gpo_computer_admin, 'isgroup', (obj.samaccounttype != '805306368'))
results.append(gpo_computer_admin)
if recurse and gpo_computer_admin.isgroup:
groups_to_resolve = [gpo_computer_admin.objectsid]
while groups_to_resolve:
group_to_resolve = groups_to_resolve.pop(0)
group_members = net_requester.get_netgroupmember(queried_sid=group_to_resolve,
full_data=True)
for group_member in group_members:
gpo_computer_admin = GPOComputerAdmin(list())
setattr(gpo_computer_admin, 'computername', queried_computername)
setattr(gpo_computer_admin, 'ou', target_ou)
setattr(gpo_computer_admin, 'gpodisplayname', gpo_group.gpodisplayname)
setattr(gpo_computer_admin, 'gpopath', gpo_group.gpopath)
setattr(gpo_computer_admin, 'objectname', group_member.samaccountname)
setattr(gpo_computer_admin, 'objectdn', group_member.distinguishedname)
setattr(gpo_computer_admin, 'objectsid', member)
setattr(gpo_computer_admin, 'isgroup', (group_member.samaccounttype != '805306368'))
results.append(gpo_computer_admin)
if gpo_computer_admin.isgroup:
groups_to_resolve.append(group_member.objectsid)
return results
