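    def enum_sessions(self):
        """Enumerate the sessions open on the target and log every remote one.

        Asks the Server Service (srvsvc) for level-502 session records first
        (client, user, open-file count and timing) and falls back to level 0
        (client names only) when that request fails.  Entries whose client
        name matches ``self.local_ip`` are skipped so our own connection is
        not reported.  Returns None; when even the level-0 query fails the
        method returns silently.
        """
        dce, _rpctransport = self.connect('srvsvc')

        # Level 0 is only a fallback: running it unconditionally after a
        # successful level-502 query would discard the richer 502 data.
        level = 502
        try:
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
            sessions = resp['InfoStruct']['SessionInfo']['Level502']['Buffer']
        except Exception:
            level = 0
            try:
                resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
                sessions = resp['InfoStruct']['SessionInfo']['Level0']['Buffer']
            except Exception:
                return

        self.logger.success("Enumerating active sessions")
        for session in sessions:
            if level == 502:
                # [:-1] drops the trailing terminator before comparing addresses.
                if session['sesi502_cname'][:-1] != self.local_ip:
                    self.logger.highlight(u'\\\\{} {} [opens:{} time:{} idle:{}]'.format(
                        session['sesi502_cname'],
                        session['sesi502_username'],
                        session['sesi502_num_opens'],
                        session['sesi502_time'],
                        session['sesi502_idle_time']))

            elif level == 0:
                if session['sesi0_cname'][:-1] != self.local_ip:
                    self.logger.highlight(u'\\\\{}'.format(session['sesi0_cname']))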
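    def enum_sessions(self):
        """Enumerate the sessions open on the target and log every remote one.

        Level-502 records (client, user, open count, timing) are requested
        first; level 0 (client names only) is used only if that request
        fails.  Sessions whose client name equals ``self.local_ip`` are not
        reported.  Returns None, also when the fallback query fails.
        """
        dce, _rpctransport = self.connect('srvsvc')

        # The level-0 query is a fallback, so it must not run after a
        # successful level-502 query (that would overwrite the 502 result).
        level = 502
        try:
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
            sessions = resp['InfoStruct']['SessionInfo']['Level502']['Buffer']
        except Exception:
            level = 0
            try:
                resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
                sessions = resp['InfoStruct']['SessionInfo']['Level0']['Buffer']
            except Exception:
                return

        self.logger.success("Enumerating active sessions")
        for session in sessions:
            if level == 502:
                # [:-1] drops the trailing terminator before comparing addresses.
                if session['sesi502_cname'][:-1] != self.local_ip:
                    self.logger.highlight(
                        u'\\\\{} {} [opens:{} time:{} idle:{}]'.format(
                            session['sesi502_cname'],
                            session['sesi502_username'],
                            session['sesi502_num_opens'],
                            session['sesi502_time'],
                            session['sesi502_idle_time']))

            elif level == 0:
                if session['sesi0_cname'][:-1] != self.local_ip:
                    self.logger.highlight(u'\\\\{}'.format(
                        session['sesi0_cname']))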
    def test_hNetrSessionEnum(self):
        """Call hNetrSessionEnum at every supported info level.

        Each call must complete without raising; the responses are not
        inspected (uncomment the dump to eyeball them while debugging).
        """
        dce, _ = self.connect()
        for info_level in (0, 1, 2, 10, 502):
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, info_level)
            # resp.dump()
    def test_hNetrSessionEnum(self):
        """Smoke-test hNetrSessionEnum across info levels 0, 1, 2, 10 and 502.

        Success means none of the calls raised; the returned structures are
        kept only so they can be dumped when debugging.
        """
        dce, _ = self.connect()
        levels = (0, 1, 2, 10, 502)
        responses = [srvs.hNetrSessionEnum(dce, NULL, NULL, lvl) for lvl in levels]
        resp = responses[-1]
        # resp.dump()
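    def rpc_get_sessions(self):
        """Enumerate the sessions open on this host via the Server Service.

        Connects to the srvsvc named pipe, queries level-10 session records
        and returns one ``{'user', 'source', 'target'}`` dict per session of
        interest.  Empty client names or user names, our own connection,
        machine accounts and loopback sources are skipped.

        Returns:
            list: the collected sessions; an empty list when the server
            answers ``rpc_s_access_denied``; None when no RPC connection
            could be made or the pipe broke during the call.

        Raises:
            DCERPCException: for RPC faults other than access denied.
            Exception: any other error whose text does not mention a broken pipe.
        """
        binding = r'ncacn_np:%s[\PIPE\srvsvc]' % self.addr

        dce = self.dce_rpc_connect(binding, srvs.MSRPC_UUID_SRVS)

        if dce is None:
            return

        try:
            resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
        except DCERPCException as e:
            if 'rpc_s_access_denied' in str(e):
                logging.debug('Access denied while enumerating Sessions on %s, likely a patched OS', self.hostname)
                # An RPC fault leaves the binding open; release it before bailing out.
                dce.disconnect()
                return []
            raise
        except Exception as e:
            if 'Broken pipe' in str(e):
                return
            raise

        sessions = []

        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            # [:-1] drops the trailing terminator from both string fields.
            userName = session['sesi10_username'][:-1]
            ip = session['sesi10_cname'][:-1]
            # Strip \\ from IPs
            if ip.startswith('\\\\'):
                ip = ip[2:]
            # Skip empty IPs, our own connection, empty usernames and machine accounts
            if (not ip or not userName
                    or userName == self.ad.auth.username
                    or userName.endswith('$')):
                continue
            # Skip local connections
            if ip in ('127.0.0.1', '[::1]'):
                continue
            # IPv6 addresses arrive bracketed; strip the brackets
            if ip[0] == '[' and ip[-1] == ']':
                ip = ip[1:-1]

            # Lazy %-args: the message is only rendered if INFO is enabled.
            logging.info('User %s is logged in on %s from %s', userName, self.hostname, ip)

            sessions.append({'user': userName, 'source': ip, 'target': self.hostname})

        dce.disconnect()

        return sessions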
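    def test_hNetrSessionDel(self):
        """Enumerate sessions at level 502 and try to delete the first one.

        The server may answer NERR_ClientNameNotFound (0x908), e.g. when the
        enumerated session has already gone away; that is not a failure.
        Any other RPC error, or a non-RPC exception, propagates.
        """
        dce, _ = self.connect()
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 502)
        resp.dump()

        first = resp['InfoStruct']['SessionInfo']['Level502']['Buffer'][0]
        try:
            resp = srvs.hNetrSessionDel(dce, first['sesi502_cname'], first['sesi502_username'])
            resp.dump()
        except Exception as e:
            # Only RPC session errors carry get_error_code(); re-raise anything
            # else as-is instead of failing with an AttributeError on it.
            get_code = getattr(e, 'get_error_code', None)
            if get_code is None or get_code() != 0x908:
                raise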
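    def test_hNetrSessionDel(self):
        """Enumerate sessions at level 502 and try to delete the first one.

        NERR_ClientNameNotFound (0x908) from the server is tolerated (the
        session may have vanished between the two calls); every other RPC
        error, and any non-RPC exception, propagates.
        """
        dce, _ = self.connect()
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 502)
        resp.dump()

        first = resp['InfoStruct']['SessionInfo']['Level502']['Buffer'][0]
        try:
            resp = srvs.hNetrSessionDel(dce, first['sesi502_cname'], first['sesi502_username'])
            resp.dump()
        # "except ... as e" is valid on Python 2.6+ and 3, unlike the comma form.
        except Exception as e:
            # Only RPC session errors carry get_error_code(); re-raise anything
            # else unchanged rather than failing with an AttributeError on it.
            get_code = getattr(e, 'get_error_code', None)
            if get_code is None or get_code() != 0x908:
                raise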
    def get_netsession(self):
        """Return the sessions open on the host as ``rpcobj.Session`` objects.

        Calls NetrSessionEnum at info level 10 over the existing RPC
        connection.  An RPC fault yields an empty list instead of raising.
        """
        try:
            resp = srvs.hNetrSessionEnum(self._rpc_connection, '\x00', NULL, 10)
        except DCERPCException:
            return []

        entries = resp['InfoStruct']['SessionInfo']['Level10']['Buffer']
        return [rpcobj.Session(entry) for entry in entries]
    def get_netsession(self):
        """Wrap each level-10 session record of the host in ``rpcobj.Session``.

        Uses ``self._rpc_connection``; returns an empty list when the RPC
        call fails with a DCERPCException.
        """
        try:
            resp = srvs.hNetrSessionEnum(self._rpc_connection, '\x00', NULL, 10)
        except DCERPCException:
            return []

        raw_sessions = resp['InfoStruct']['SessionInfo']['Level10']['Buffer']
        return list(map(rpcobj.Session, raw_sessions))
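    def who(self):
        """Print the sessions open on the server (srvsvc, info level 502).

        Opens a DCE/RPC binding over the srvsvc pipe, queries the session
        list and prints one line per entry.  The binding is released even
        when the query or the printing raises.
        """
        self.smb_transport('srvsvc')
        self.__dce = self.trans.get_dce_rpc()
        self.__dce.connect()
        self.__dce.bind(srvs.MSRPC_UUID_SRVS)
        try:
            resp = srvs.hNetrSessionEnum(self.__dce, NULL, NULL, 502)

            for session in resp['InfoStruct']['SessionInfo']['Level502']['Buffer']:
                # [:-1] drops the trailing terminator from the string fields.
                print("Host: %15s, user: %5s, active: %5d, idle: %5d, type: %5s, transport: %s"
                      % (session['sesi502_cname'][:-1], session['sesi502_username'][:-1], session['sesi502_time'],
                         session['sesi502_idle_time'], session['sesi502_cltype_name'][:-1],
                         session['sesi502_transport'][:-1]))
        finally:
            # Release the pipe handle even if the enumeration failed.
            self.__dce.disconnect()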
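    def do_who(self, line):
        """List the sessions open on the connected server (``who`` command).

        Requires an authenticated SMB session.  Binds to srvsvc over the
        existing connection, queries level-10 session records and prints
        client, user, active time and idle time for each.  ``line`` (the
        rest of the command line) is unused.
        """
        if self.loggedIn is False:
            LOG.error("Not logged in")
            return
        rpctransport = transport.SMBTransport(self.smb.getRemoteHost(), filename = r'\srvsvc', smb_connection = self.smb)
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(srvs.MSRPC_UUID_SRVS)
        try:
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)

            for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
                # [:-1] drops the trailing terminator from the string fields.
                print(("host: %15s, user: %5s, active: %5d, idle: %5d" % (
                session['sesi10_cname'][:-1], session['sesi10_username'][:-1], session['sesi10_time'],
                session['sesi10_idle_time'])))
        finally:
            # Release the srvsvc pipe handle that was previously left open
            # (the transport reuses self.smb, as other callers do when they disconnect).
            dce.disconnect()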
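    def do_who(self, line):
        """Print who is connected to the server (``who`` shell command).

        Refuses to run when not logged in.  Otherwise binds to srvsvc over
        the current SMB connection, queries level-10 session records and
        prints one line per session; ``line`` is ignored.
        """
        if self.loggedIn is False:
            LOG.error("Not logged in")
            return
        rpctransport = transport.SMBTransport(self.smb.getRemoteHost(), filename = r'\srvsvc', smb_connection = self.smb)
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(srvs.MSRPC_UUID_SRVS)
        try:
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)

            for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
                # [:-1] drops the trailing terminator from the string fields.
                print("host: %15s, user: %5s, active: %5d, idle: %5d" % (
                session['sesi10_cname'][:-1], session['sesi10_username'][:-1], session['sesi10_time'],
                session['sesi10_idle_time']))
        finally:
            # Close the pipe handle opened for this command; it was never released before.
            dce.disconnect()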
    def enum_sessions(self, host):
        """Print the sessions currently open on ``host``.

        Queries srvsvc at info level 502 (client, user, open count, timing)
        and, if that request fails, retries at level 0 (client names only).
        Sessions whose client name equals our own IP are not printed.
        """
        dce, _transport = self.connect(host, 'srvsvc')

        level = 502
        try:
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
            sessions = resp['InfoStruct']['SessionInfo']['Level502']['Buffer']
        except Exception:
            level = 0
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
            sessions = resp['InfoStruct']['SessionInfo']['Level0']['Buffer']

        print_succ("{}:{} Current active sessions:".format(host, settings.args.port))

        if level == 502:
            for session in sessions:
                # [:-1] drops the trailing terminator before comparing addresses.
                if session['sesi502_cname'][:-1] == self.__local_ip:
                    continue
                print_att('\\\\{} {} [opens:{} time:{} idle:{}]'.format(
                    session['sesi502_cname'],
                    session['sesi502_username'],
                    session['sesi502_num_opens'],
                    session['sesi502_time'],
                    session['sesi502_idle_time']))
        else:
            for session in sessions:
                if session['sesi0_cname'][:-1] == self.__local_ip:
                    continue
                print_att('\\\\{}'.format(session['sesi0_cname']))
    def enum_sessions(self, host):
        """Print the sessions currently open on ``host``.

        Tries info level 502 first and falls back to level 0 when the
        level-502 request raises.  Our own session (client name equal to
        ``self.__local_ip``) is left out of the listing.
        """
        dce, _ = self.connect(host, 'srvsvc')

        level = 502
        try:
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
            sessions = resp['InfoStruct']['SessionInfo']['Level502']['Buffer']
        except Exception:
            level = 0
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
            sessions = resp['InfoStruct']['SessionInfo']['Level0']['Buffer']

        # Pick the client-name field and the line renderer for the level we got.
        if level == 502:
            cname_field = 'sesi502_cname'

            def render(session):
                return '\\\\{} {} [opens:{} time:{} idle:{}]'.format(
                    session['sesi502_cname'], session['sesi502_username'],
                    session['sesi502_num_opens'], session['sesi502_time'],
                    session['sesi502_idle_time'])
        else:
            cname_field = 'sesi0_cname'

            def render(session):
                return '\\\\{}'.format(session['sesi0_cname'])

        print_succ("{}:{} Current active sessions:".format(
            host, settings.args.port))
        for session in sessions:
            # [:-1] drops the trailing terminator before comparing addresses.
            if session[cname_field][:-1] != self.__local_ip:
                print_att(render(session))
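    def get_netsessions(self):
        """Populate ``self.sessions`` with the sessions open on the host.

        Opens an RPC connection to the srvsvc pipe, queries level-10 session
        records and stores one entry per user name (a user with several
        sessions keeps only the last one seen) holding user, client host,
        active time and idle time.  Returns None on success; on an RPC
        fault ``self.sessions`` stays empty and an empty list is returned
        (kept for existing callers).  The connection is released either way.
        """
        self.sessions = {}
        self.create_rpc_con(r'\srvsvc')
        try:
            resp = srvs.hNetrSessionEnum(self.rpc_connection, '\x00', NULL, 10)
        except DCERPCException:
            # Previously leaked on this path.
            self.rpc_connection.disconnect()
            return []

        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            # Strip the NUL terminator once and reuse the result as key and value.
            user = session['sesi10_username'].strip('\x00')
            self.sessions[user] = {
                'user': user,
                'host': session['sesi10_cname'].strip('\x00'),
                'time': session['sesi10_time'],
                'idle': session['sesi10_idle_time']
            }
        self.rpc_connection.disconnect()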
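    def rpc_get_sessions(self):
        """Query the Server Service on ``self.hostname`` for its open sessions.

        Builds an ncacn_np binding to the srvsvc pipe, connects, and calls
        NetrSessionEnum at info level 10.  Returns None when the connection
        cannot be established (a warning is logged) or when the pipe breaks
        during the call; any other exception propagates.
        """
        binding = r'ncacn_np:%s[\PIPE\srvsvc]' % self.hostname

        dce = self.dce_rpc_connect(binding, srvs.MSRPC_UUID_SRVS)

        if dce is None:
            # Lazy %-args: the message is only rendered if WARNING is enabled.
            logging.warning('Connection failed: %s', binding)
            return

        try:
            resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
        # "except ... as e" works on Python 2.6+ and 3, unlike the comma form.
        except Exception as e:
            # A broken pipe means the peer went away mid-call; treat it as no data.
            if 'Broken pipe' in str(e):
                return
            raise
        # NOTE(review): resp is not consumed in this excerpt and dce is not
        # disconnected — confirm the remainder of the method handles both.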
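    def currentSessions(self):  # Get available SMB sessions
        """Print the SMB sessions currently open on the connected server.

        Binds to srvsvc over the existing SMB connection, queries level-10
        session records and prints client, user, active and idle time for
        each.  The RPC binding is released even if the query raises.
        """

        rpctransport = transport.SMBTransport(
            self.__smbConnection.getRemoteHost(),
            smb_connection=self.__smbConnection)
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(srvs.MSRPC_UUID_SRVS)
        try:
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)

            for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
                # [:-1] drops the trailing terminator from the string fields.
                print(
                    "host: %15s, user: %5s, active: %5d, idle: %5d" %
                    (session['sesi10_cname'][:-1], session['sesi10_username'][:-1],
                     session['sesi10_time'], session['sesi10_idle_time']))
        finally:
            # Release the pipe handle on the failure path too.
            dce.disconnect()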
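    def getWho(self):
        """Print who is connected to the server (srvsvc NetrSessionEnum, level 10).

        Binds to the srvsvc pipe over the existing SMB client.  On any error
        while connecting or querying, logs ``getWho: <error>`` and returns.
        Otherwise prints client, user, active and idle time per session and
        releases the binding.
        """

        try:
            rpctransport = transport.SMBTransport(self.smbClient.getRemoteHost(),
                                                  filename=r'\srvsvc',
                                                  smb_connection=self.smbClient)
            dce = rpctransport.get_dce_rpc()
            dce.connect()
            dce.bind(srvs.MSRPC_UUID_SRVS)
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)

        except Exception as e:
            logging.error("getWho: {}".format(str(e)))
            return

        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            # [:-1] drops the trailing terminator from the string fields.
            print("host: %15s, user: %5s, active: %5d, idle: %5d" % (
                session['sesi10_cname'][:-1],
                session['sesi10_username'][:-1],
                session['sesi10_time'],
                session['sesi10_idle_time']))

        # Release the pipe handle opened above; it was previously left open.
        dce.disconnect()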
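    def enumSessions(self):
        """Yield the sessions open on the target, one dict per session.

        Connects to the srvsvc pipe with the stored credentials and queries
        level-10 session records.  Each yielded dict holds ``username``,
        ``source_ip`` (client name with its two leading characters, the
        ``\\\\`` prefix, removed), ``active_time`` and ``idle_time``.  If
        the query raises, the error and traceback are printed and the
        generator ends without yielding.  The binding is disconnected when
        the generator finishes or is closed.
        """
        rpctransport = transport.SMBTransport(self.__addr,
                                              self.__port,
                                              r'\srvsvc',
                                              self.__username,
                                              self.__password,
                                              self.__domain,
                                              self.__lmhash,
                                              self.__nthash,
                                              self.__aesKey,
                                              doKerberos=self.__doKerberos)

        dce = rpctransport.get_dce_rpc()

        dce.connect()
        dce.bind(srvs.MSRPC_UUID_SRVS)

        try:
            try:
                resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
            except Exception as e:
                print("%s: %s\n%s" % (type(e), e, traceback.format_exc()))
                # Without this return the loop below would read an unbound `resp`.
                return

            for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
                # [:-1] drops the trailing terminator; [2:] the leading '\\'.
                yield {
                    'username': session['sesi10_username'][:-1],
                    'source_ip': session['sesi10_cname'][:-1][2:],
                    'active_time': session['sesi10_time'],
                    'idle_time': session['sesi10_idle_time'],
                }
        finally:
            dce.disconnect()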
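    def getSessions(self, target):
        """Poll ``target`` for its SMB sessions and print what changed since the last poll.

        Reuses the cached srvsvc binding in ``self.__targets[target]['SRVS']``
        when there is one, otherwise opens a new one and counts it against
        ``self.__maxConnections`` (the binding is closed again when that
        budget is exhausted).  New sessions are appended to
        ``self.__targets[target]['Sessions']`` and announced; sessions that
        disappeared are removed and announced as logged off.  Our own
        session (``self.__username`` from ``myIP``) is never reported, and
        when ``self.__filterUsers`` is set only those users are printed.

        A broken pipe drops the cached binding so it is rebuilt next round;
        any other exception from the RPC call propagates.
        """
        if self.__targets[target]['SRVS'] is None:
            stringSrvsBinding = r'ncacn_np:%s[\PIPE\srvsvc]' % target
            rpctransportSrvs = transport.DCERPCTransportFactory(
                stringSrvsBinding)
            if hasattr(rpctransportSrvs, 'set_credentials'):
                # This method exists only for selected protocol sequences.
                rpctransportSrvs.set_credentials(self.__username,
                                                 self.__password,
                                                 self.__domain, self.__lmhash,
                                                 self.__nthash, self.__aesKey)
                rpctransportSrvs.set_kerberos(self.__doKerberos,
                                              self.__kdcHost)

            dce = rpctransportSrvs.get_dce_rpc()
            dce.connect()
            dce.bind(srvs.MSRPC_UUID_SRVS)
            self.__maxConnections -= 1
        else:
            dce = self.__targets[target]['SRVS']

        try:
            resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
        except Exception as e:
            if str(e).find('Broken pipe') >= 0:
                # The connection timed-out. Let's try to bring it back next round
                self.__targets[target]['SRVS'] = None
                self.__maxConnections += 1
                return
            else:
                raise

        if self.__maxConnections < 0:
            # Can't keep this connection open. Closing it
            dce.disconnect()
            self.__maxConnections = 0
        else:
            self.__targets[target]['SRVS'] = dce

        known = self.__targets[target]['Sessions']
        # Our own session, in the same "user\x01ip" key form, is never reported.
        myEntry = '%s\x01%s' % (self.__username, myIP)
        printCRLF = False

        def wanted(userName):
            # No filter means every user is reported; otherwise only listed ones.
            return self.__filterUsers is None or userName in self.__filterUsers

        # Let's see who created a connection since last check
        tmpSession = list()
        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            # [:-1] drops the trailing terminator; [2:] the leading '\\'.
            userName = session['sesi10_username'][:-1]
            sourceIP = session['sesi10_cname'][:-1][2:]
            key = '%s\x01%s' % (userName, sourceIP)
            tmpSession.append(key)
            if key in known or key == myEntry:
                continue
            known.append(key)
            if wanted(userName):
                print(
                    "%s: user %s logged from host %s - active: %d, idle: %d"
                    % (target, userName, sourceIP,
                       session['sesi10_time'],
                       session['sesi10_idle_time']))
                printCRLF = True

        # Let's see who deleted a connection since last check.  Iterate over a
        # snapshot: deleting from the list while enumerating it skips the entry
        # that follows each deletion, so some log-offs went unreported.
        for session in list(known):
            if session in tmpSession:
                continue
            known.remove(session)
            userName, sourceIP = session.split('\x01')
            if wanted(userName):
                print("%s: user %s logged off from host %s" %
                      (target, userName, sourceIP))
                printCRLF = True

        if printCRLF is True:
            print()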
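    def getSessions(self, target):
        """Poll ``target`` for its SMB sessions and print what changed since the last poll.

        Reuses the cached srvsvc binding in ``self.__targets[target]['SRVS']``
        when present, otherwise opens one and counts it against
        ``self.__maxConnections`` (closing it again once that budget is
        exhausted).  New sessions are appended to
        ``self.__targets[target]['Sessions']`` and announced; vanished ones
        are removed and announced as logged off.  Our own session
        (``self.__username`` from ``myIP``) is never reported, and when
        ``self.__filterUsers`` is set only those users are printed.

        A broken pipe drops the cached binding so it is rebuilt next round;
        any other exception from the RPC call propagates.
        """
        if self.__targets[target]['SRVS'] is None:
            stringSrvsBinding = r'ncacn_np:%s[\PIPE\srvsvc]' % target
            rpctransportSrvs = transport.DCERPCTransportFactory(stringSrvsBinding)
            if hasattr(rpctransportSrvs, 'set_credentials'):
                # This method exists only for selected protocol sequences.
                rpctransportSrvs.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,
                                                 self.__nthash, self.__aesKey)
                rpctransportSrvs.set_kerberos(self.__doKerberos, self.__kdcHost)

            dce = rpctransportSrvs.get_dce_rpc()
            dce.connect()
            dce.bind(srvs.MSRPC_UUID_SRVS)
            self.__maxConnections -= 1
        else:
            dce = self.__targets[target]['SRVS']

        try:
            resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
        except Exception as e:
            if str(e).find('Broken pipe') >= 0:
                # The connection timed-out. Let's try to bring it back next round
                self.__targets[target]['SRVS'] = None
                self.__maxConnections += 1
                return
            else:
                raise

        if self.__maxConnections < 0:
            # Can't keep this connection open. Closing it
            dce.disconnect()
            self.__maxConnections = 0
        else:
            self.__targets[target]['SRVS'] = dce

        known = self.__targets[target]['Sessions']
        # Our own session, in the same "user\x01ip" key form, is never reported.
        myEntry = '%s\x01%s' % (self.__username, myIP)
        printCRLF = False

        def wanted(userName):
            # No filter means every user is reported; otherwise only listed ones.
            return self.__filterUsers is None or userName in self.__filterUsers

        # Let's see who created a connection since last check.
        # print(...) with a single argument behaves the same on Python 2 and 3.
        tmpSession = list()
        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            # [:-1] drops the trailing terminator; [2:] the leading '\\'.
            userName = session['sesi10_username'][:-1]
            sourceIP = session['sesi10_cname'][:-1][2:]
            key = '%s\x01%s' % (userName, sourceIP)
            tmpSession.append(key)
            if key in known or key == myEntry:
                continue
            known.append(key)
            if wanted(userName):
                print("%s: user %s logged from host %s - active: %d, idle: %d" % (
                    target, userName, sourceIP, session['sesi10_time'], session['sesi10_idle_time']))
                printCRLF = True

        # Let's see who deleted a connection since last check.  Iterate over a
        # snapshot: deleting from the list while enumerating it skips the entry
        # that follows each deletion, so some log-offs went unreported.
        for session in list(known):
            if session in tmpSession:
                continue
            known.remove(session)
            userName, sourceIP = session.split('\x01')
            if wanted(userName):
                print("%s: user %s logged off from host %s" % (target, userName, sourceIP))
                printCRLF = True

        if printCRLF is True:
            print("")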