def _hunt(self, target_computer):
# TODO: implement ping of target
results = list()
# First, we get every distant session on the target computer
distant_sessions = list()
with NetRequester(target_computer, self._domain, self._user,
self._password, self._lmhash,
self._nthash) as net_requester:
if not self._foreign_users:
distant_sessions += net_requester.get_netsession()
if not self._stealth:
distant_sessions += net_requester.get_netloggedon()
# For every session, we get information on the remote user
for session in distant_sessions:
try:
username = session.sesi10_username
userdomain = str()
session_from = session.sesi10_cname
if session_from.startswith('\\'):
session_from = session_from.lstrip('\\')
except AttributeError:
username = session.wkui1_username
userdomain = session.wkui1_logon_domain
session_from = str()
# If we found a user
if username:
# We see if it's in our target user group
for target_user in self._target_users:
if target_user.membername.lower() in username.lower():
# If we fall in this branch, we're looking for foreign users
# and found a user in the same domain
if self._domain_short_name and self._domain_short_name.lower(
) == userdomain.lower():
continue
attributes = dict()
if userdomain:
attributes['userdomain'] = userdomain
else:
attributes['userdomain'] = target_user.memberdomain
attributes['username'] = username
attributes['computername'] = target_computer
attributes['sessionfrom'] = session_from
if self._check_access:
with Misc(target_computer, self._domain,
self._user, self._password, self._lmhash,
self._nthash) as misc_requester:
attributes[
'localadmin'] = misc_requester.invoke_checklocaladminaccess(
)
else:
attributes['localadmin'] = str()
results.append(rpcobj.RPCObject(attributes))
return results
def get_netlocalgroup(self,
queried_groupname=str(),
list_groups=False,
recurse=False):
from impacket.nt_errors import STATUS_MORE_ENTRIES
results = list()
resp = samr.hSamrConnect(self._rpc_connection)
server_handle = resp['ServerHandle']
# We first list every domain in the SAM
resp = samr.hSamrEnumerateDomainsInSamServer(self._rpc_connection,
server_handle)
domains = resp['Buffer']['Buffer']
domain_handles = dict()
for local_domain in domains:
resp = samr.hSamrLookupDomainInSamServer(self._rpc_connection,
server_handle,
local_domain['Name'])
domain_sid = 'S-1-5-{}'.format('-'.join(
str(x) for x in resp['DomainId']['SubAuthority']))
resp = samr.hSamrOpenDomain(self._rpc_connection,
serverHandle=server_handle,
domainId=resp['DomainId'])
domain_handles[domain_sid] = resp['DomainHandle']
# If we list the groups
if list_groups:
# We browse every domain
for domain_sid, domain_handle in domain_handles.items():
# We enumerate local groups in every domain
enumeration_context = 0
groups = list()
while True:
resp = samr.hSamrEnumerateAliasesInDomain(
self._rpc_connection,
domain_handle,
enumerationContext=enumeration_context)
groups += resp['Buffer']['Buffer']
enumeration_context = resp['EnumerationContext']
if resp['ErrorCode'] != STATUS_MORE_ENTRIES:
break
# We get information on every group
for group in groups:
resp = samr.hSamrRidToSid(self._rpc_connection,
domain_handle,
rid=group['RelativeId'])
sid = 'S-1-5-{}'.format('-'.join(
str(x) for x in resp['Sid']['SubAuthority']))
resp = samr.hSamrOpenAlias(self._rpc_connection,
domain_handle,
aliasId=group['RelativeId'])
alias_handle = resp['AliasHandle']
resp = samr.hSamrQueryInformationAlias(
self._rpc_connection, alias_handle)
final_group = rpcobj.Group(resp['Buffer']['General'])
final_group.add_attributes({
'server': self._target_computer,
'sid': sid
})
results.append(final_group)
samr.hSamrCloseHandle(self._rpc_connection, alias_handle)
samr.hSamrCloseHandle(self._rpc_connection, domain_handle)
# If we query a group
else:
queried_group_rid = None
queried_group_domain_handle = None
# If the user is looking for a particular group
if queried_groupname:
# We look for it in every domain
for _, domain_handle in domain_handles.items():
try:
resp = samr.hSamrLookupNamesInDomain(
self._rpc_connection, domain_handle,
[queried_groupname])
queried_group_rid = resp['RelativeIds']['Element'][0][
'Data']
queried_group_domain_handle = domain_handle
break
except (DCERPCSessionError, KeyError, IndexError):
continue
else:
raise ValueError(
'The group \'{}\' was not found on the target server'.
format(queried_groupname))
# Otherwise, we look for the local Administrators group
else:
queried_group_rid = 544
resp = samr.hSamrLookupDomainInSamServer(
self._rpc_connection, server_handle, 'BUILTIN')
resp = samr.hSamrOpenDomain(self._rpc_connection,
serverHandle=server_handle,
domainId=resp['DomainId'])
queried_group_domain_handle = resp['DomainHandle']
# We get a handle on the group, and list its members
try:
group = samr.hSamrOpenAlias(self._rpc_connection,
queried_group_domain_handle,
aliasId=queried_group_rid)
resp = samr.hSamrGetMembersInAlias(self._rpc_connection,
group['AliasHandle'])
except DCERPCSessionError:
raise ValueError(
'The name \'{}\' is not a valid group on the target server'
.format(queried_groupname))
# For every user, we look for information in every local domain
for member in resp['Members']['Sids']:
attributes = dict()
member_rid = member['SidPointer']['SubAuthority'][-1]
member_sid = 'S-1-5-{}'.format('-'.join(
str(x) for x in member['SidPointer']['SubAuthority']))
attributes['server'] = self._target_computer
attributes['sid'] = member_sid
for domain_sid, domain_handle in domain_handles.items():
# We've found a local member
if member_sid.startswith(domain_sid):
attributes['isdomain'] = False
resp = samr.hSamrQueryInformationDomain(
self._rpc_connection, domain_handle)
member_domain = resp['Buffer']['General2']['I1'][
'DomainName']
try:
resp = samr.hSamrOpenUser(self._rpc_connection,
domain_handle,
userId=member_rid)
member_handle = resp['UserHandle']
attributes['isgroup'] = False
resp = samr.hSamrQueryInformationUser(
self._rpc_connection, member_handle)
attributes['name'] = '{}/{}'.format(
member_domain,
resp['Buffer']['General']['UserName'])
except DCERPCSessionError:
resp = samr.hSamrOpenAlias(self._rpc_connection,
domain_handle,
aliasId=member_rid)
member_handle = resp['AliasHandle']
attributes['isgroup'] = True
resp = samr.hSamrQueryInformationAlias(
self._rpc_connection, member_handle)
attributes['name'] = '{}/{}'.format(
member_domain,
resp['Buffer']['General']['Name'])
attributes['lastlogin'] = str()
break
# It's a domain member
else:
attributes['isdomain'] = True
if self._ldap_connection is not None:
try:
ad_object = self.get_adobject(
queried_sid=member_sid)[0]
member_dn = ad_object.distinguishedname
member_domain = member_dn[member_dn.
index('DC='):].replace(
'DC=', '').replace(
',', '.')
try:
attributes['name'] = '{}/{}'.format(
member_domain, ad_object.samaccountname)
except AttributeError:
# Here, the member is a foreign security principal
# TODO: resolve it properly
attributes['name'] = '{}/{}'.format(
member_domain, ad_object.objectsid)
attributes['isgroup'] = ad_object.isgroup
try:
attributes['lastlogin'] = ad_object.lastlogon
except AttributeError:
attributes['lastlogin'] = str()
except IndexError:
# We did not manage to resolve this SID against the DC
attributes['isdomain'] = False
attributes['isgroup'] = False
attributes['name'] = attributes['sid']
attributes['lastlogin'] = str()
else:
attributes['isgroup'] = False
attributes['name'] = str()
attributes['lastlogin'] = str()
results.append(rpcobj.RPCObject(attributes))
# If we recurse and the member is a domain group, we query every member
# TODO: implement check on self._domain_controller here?
if self._ldap_connection and self._domain_controller and recurse and attributes[
'isdomain'] and attributes['isgroup']:
for domain_member in self.get_netgroupmember(
full_data=True,
recurse=True,
queried_sid=attributes['sid']):
domain_member_attributes = dict()
domain_member_attributes['isdomain'] = True
member_dn = domain_member.distinguishedname
member_domain = member_dn[member_dn.
index('DC='):].replace(
'DC=',
'').replace(',', '.')
domain_member_attributes['name'] = '{}/{}'.format(
member_domain, domain_member.samaccountname)
domain_member_attributes[
'isgroup'] = domain_member.isgroup
domain_member_attributes['isdomain'] = True
domain_member_attributes['server'] = attributes['name']
domain_member_attributes[
'sid'] = domain_member.objectsid
try:
domain_member_attributes[
'lastlogin'] = ad_object.lastlogon
except AttributeError:
domain_member_attributes['lastlogin'] = str()
results.append(
rpcobj.RPCObject(domain_member_attributes))
return results
