def get_netsubnet(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_domain=str(), queried_sitename=str(), ads_path=str(), full_data=False): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netsubnet(queried_domain=queried_domain, queried_sitename=queried_sitename, ads_path=ads_path, full_data=full_data)
def get_netcomputer(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), do_kerberos=False, do_tls=False, queried_computername='*', queried_spn=str(), queried_os=str(), queried_sp=str(), queried_domain=str(), ads_path=str(), printers=False, unconstrained=False, ping=False, full_data=False, custom_filter=str(), attributes=[]): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash, do_kerberos, do_tls) return requester.get_netcomputer(queried_computername=queried_computername, queried_spn=queried_spn, queried_os=queried_os, queried_sp=queried_sp, queried_domain=queried_domain, ads_path=ads_path, printers=printers, unconstrained=unconstrained, ping=ping, full_data=full_data, custom_filter=custom_filter, attributes=attributes)
def get_userevent(target_computername, domain, user, password=str(), lmhash=str(), nthash=str(), event_type=['logon', 'tgt'], date_start=5): requester = NetRequester(target_computername, domain, user, password, lmhash, nthash) return requester.get_userevent(event_type=event_type, date_start=date_start)
def get_netlocalgroup(target_computername, domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_groupname=str(), list_groups=False, recurse=False): requester = NetRequester(target_computername, domain, user, password, lmhash, nthash, domain_controller) return requester.get_netlocalgroup(queried_groupname=queried_groupname, list_groups=list_groups, recurse=recurse)
def get_netgroup(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), do_kerberos=False, do_tls=False, queried_groupname='*', queried_sid=str(), queried_username=str(), queried_domain=str(), ads_path=str(), admin_count=False, full_data=False, custom_filter=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash, do_kerberos, do_tls) return requester.get_netgroup(queried_groupname=queried_groupname, queried_sid=queried_sid, queried_username=queried_username, queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count, full_data=full_data, custom_filter=custom_filter)
def get_netuser(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), do_kerberos=False, do_tls=False, queried_username=str(), queried_domain=str(), ads_path=str(), admin_count=False, spn=False, unconstrained=False, allow_delegation=False, preauth_notreq=False, custom_filter=str(), attributes=[]): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash, do_kerberos, do_tls) return requester.get_netuser(queried_username=queried_username, queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count, spn=spn, unconstrained=unconstrained, allow_delegation=allow_delegation, preauth_notreq=preauth_notreq, custom_filter=custom_filter, attributes=attributes)
def get_adobject(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), do_kerberos=False, do_tls=False, queried_domain=str(), queried_sid=str(), queried_name=str(), queried_sam_account_name=str(), ads_path=str(), attributes=list(), custom_filter=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash, do_kerberos, do_tls) return requester.get_adobject( queried_domain=queried_domain, queried_sid=queried_sid, queried_name=queried_name, queried_sam_account_name=queried_sam_account_name, ads_path=ads_path, attributes=attributes, custom_filter=custom_filter)
def get_netgroupmember(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), do_kerberos=False, do_tls=False, queried_groupname=str(), queried_sid=str(), queried_domain=str(), ads_path=str(), recurse=False, use_matching_rule=False, full_data=False, custom_filter=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash, do_kerberos, do_tls) return requester.get_netgroupmember(queried_groupname=queried_groupname, queried_sid=queried_sid, queried_domain=queried_domain, ads_path=ads_path, recurse=recurse, use_matching_rule=use_matching_rule, full_data=full_data, custom_filter=custom_filter)
def get_objectacl(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), do_kerberos=False, do_tls=False, queried_domain=str(), queried_sid=str(), queried_name=str(), queried_sam_account_name=str(), ads_path=str(), sacl=False, rights_filter=str(), resolve_sids=False, resolve_guids=False, custom_filter=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash, do_kerberos, do_tls) return requester.get_objectacl( queried_domain=queried_domain, queried_sid=queried_sid, queried_name=queried_name, queried_sam_account_name=queried_sam_account_name, ads_path=ads_path, sacl=sacl, rights_filter=rights_filter, resolve_sids=resolve_sids, resolve_guids=resolve_guids, custom_filter=custom_filter)
def get_netou(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_domain=str(), queried_ouname='*', queried_guid=str(), ads_path=str(), full_data=False): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netou(queried_domain=queried_domain, queried_ouname=queried_ouname, queried_guid=queried_guid, ads_path=ads_path, full_data=full_data)
def __init__(self, target_computer, domain=str(), user=(), password=str(), lmhash=str(), nthash=str(), domain_controller=str(), queried_domain=str()): NetRequester.__init__(self, target_computer, domain, user, password, lmhash, nthash, domain_controller) self._target_domains = list() self._target_computers = list() self._target_users = list() self._parent_pipes = list() self._workers = list()
def get_netsite(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_domain=str(), queried_sitename=str(), queried_guid=str(), ads_path=str(), ads_prefix='CN=Sites,CN=Configuration', full_data=False): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netsite(queried_domain=queried_domain, queried_sitename=queried_sitename, queried_guid=queried_guid, ads_path=ads_path, ads_prefix=ads_prefix, full_data=full_data)
def get_netloggedon(target_computername, domain, user, password=str(), lmhash=str(), nthash=str()): requester = NetRequester(target_computername, domain, user, password, lmhash, nthash) return requester.get_netloggedon()
def get_netdomain(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netdomain()
def get_localdisks(target_computername, domain, user, password=str(), lmhash=str(), nthash=str()): requester = NetRequester(target_computername, domain, user, password, lmhash, nthash) return requester.get_localdisks()
def get_netprocess(target_computername, domain, user, password=str(), lmhash=str(), nthash=str(), do_kerberos=False): requester = NetRequester(target_computername, domain, user, password, lmhash, nthash, do_kerberos) return requester.get_netprocess()
def get_adobject(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_domain=str(), queried_sid=str(), queried_name=str(), queried_sam_account_name=str(), ads_path=str(), custom_filter=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_adobject(queried_domain=queried_domain, queried_sid=queried_sid, queried_name=queried_name, queried_sam_account_name=queried_sam_account_name, ads_path=ads_path, custom_filter=custom_filter)
def get_netuser(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_username=str(), queried_domain=str(), ads_path=str(), admin_count=False, spn=False, unconstrained=False, allow_delegation=False, custom_filter=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netuser(queried_username=queried_username, queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count, spn=spn, unconstrained=unconstrained, allow_delegation=allow_delegation, custom_filter=custom_filter)
def get_netgroup(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_groupname='*', queried_sid=str(), queried_username=str(), queried_domain=str(), ads_path=str(), admin_count=False, full_data=False, custom_filter=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netgroup(queried_groupname=queried_groupname, queried_sid=queried_sid, queried_username=queried_username, queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count, full_data=full_data, custom_filter=custom_filter)
def get_netdomaintrust(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_domain=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netdomaintrust(queried_domain=queried_domain)
def get_netgroupmember(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_groupname=str(), queried_sid=str(), queried_domain=str(), ads_path=str(), recurse=False, use_matching_rule=False, full_data=False, custom_filter=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netgroupmember(queried_groupname=queried_groupname, queried_sid=queried_sid, queried_domain=queried_domain, ads_path=ads_path, recurse=recurse, use_matching_rule=use_matching_rule, full_data=full_data, custom_filter=custom_filter)
def get_netdomain(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), do_kerberos=False, do_tls=False): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash, do_kerberos, do_tls) return requester.get_netdomain()
def get_netcomputer(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_computername='*', queried_spn=str(), queried_os=str(), queried_sp=str(), queried_domain=str(), ads_path=str(), printers=False, unconstrained=False, ping=False, full_data=False, custom_filter=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netcomputer(queried_computername=queried_computername, queried_spn=queried_spn, queried_os=queried_os, queried_sp=queried_sp, queried_domain=queried_domain, ads_path=ads_path, printers=printers, unconstrained=unconstrained, ping=ping, full_data=full_data, custom_filter=custom_filter)
def get_netfileserver(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_domain=str(), target_users=list()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netfileserver(queried_domain=queried_domain, target_users=target_users)
def get_dfsshare(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), version=['v1', 'v2'], queried_domain=str(), ads_path=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_dfsshare(version=version, queried_domain=queried_domain, ads_path=ads_path)
def _hunt(self, target_computer): # TODO: implement ping of target results = list() # First, we get every distant session on the target computer distant_sessions = list() with NetRequester(target_computer, self._domain, self._user, self._password, self._lmhash, self._nthash) as net_requester: if not self._foreign_users: distant_sessions += net_requester.get_netsession() if not self._stealth: distant_sessions += net_requester.get_netloggedon() # For every session, we get information on the remote user for session in distant_sessions: try: username = session.sesi10_username userdomain = str() session_from = session.sesi10_cname if session_from.startswith('\\'): session_from = session_from.lstrip('\\') except AttributeError: username = session.wkui1_username userdomain = session.wkui1_logon_domain session_from = str() # If we found a user if username: # We see if it's in our target user group for target_user in self._target_users: if target_user.membername.lower() in username.lower(): # If we fall in this branch, we're looking for foreign users # and found a user in the same domain if self._domain_short_name and self._domain_short_name.lower( ) == userdomain.lower(): continue attributes = dict() if userdomain: attributes['userdomain'] = userdomain else: attributes['userdomain'] = target_user.memberdomain attributes['username'] = username attributes['computername'] = target_computer attributes['sessionfrom'] = session_from if self._check_access: with Misc(target_computer, self._domain, self._user, self._password, self._lmhash, self._nthash) as misc_requester: attributes[ 'localadmin'] = misc_requester.invoke_checklocaladminaccess( ) else: attributes['localadmin'] = str() results.append(rpcobj.RPCObject(attributes)) return results
def get_netgpogroup(self, queried_gponame='*', queried_displayname=str(), queried_domain=str(), ads_path=str(), resolve_sids=False): results = list() gpos = self.get_netgpo(queried_gponame=queried_gponame, queried_displayname=queried_displayname, queried_domain=queried_domain, ads_path=ads_path) for gpo in gpos: gpo_display_name = gpo.displayname groupsxml_path = '{}\\MACHINE\\Preferences\\Groups\\Groups.xml'.format(gpo.gpcfilesyspath) gpttmpl_path = '{}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf'.format(gpo.gpcfilesyspath) results += self._get_groupsxml(groupsxml_path, gpo_display_name) try: results += self._get_groupsgpttmpl(gpttmpl_path, gpo_display_name) except SessionError: # If the GptTmpl file doesn't exist, we skip this pass if resolve_sids: for gpo_group in results: members = gpo_group.members memberof = gpo_group.memberof resolved_members = list() resolved_memberof = list() with NetRequester(self._domain_controller, self._domain, self._user, self._password, self._lmhash, self._nthash) as net_requester: for member in members: try: resolved_member = net_requester.get_adobject(queried_sid=member, queried_domain=queried_domain)[0] resolved_member = resolved_member.distinguishedname.split(',') resolved_member_domain = '.'.join(resolved_member[1:]) resolved_member = '{}\\{}'.format(resolved_member_domain, resolved_member[0]) resolved_member = resolved_member.replace('CN=', '').replace('DC=', '') except IndexError: resolved_member = member finally: resolved_members.append(resolved_member) gpo_group.members = resolved_members for member in memberof: try: resolved_member = net_requester.get_adobject(queried_sid=member, queried_domain=queried_domain)[0] resolved_member = resolved_member.distinguishedname.split(',')[:2] resolved_member = '{}\\{}'.format(resolved_member[1], resolved_member[0]) resolved_member = resolved_member.replace('CN=', '').replace('DC=', '') except IndexError: resolved_member = member finally: resolved_memberof.append(resolved_member) gpo_group.memberof = memberof = resolved_memberof return results
def get_domainpolicy(self, source='domain', queried_domain=str(), resolve_sids=False): if source == 'domain': queried_gponame = '{31B2F340-016D-11D2-945F-00C04FB984F9}' elif source == 'dc': queried_gponame = '{6AC1786C-016F-11D2-945F-00C04FB984F9}' gpo = self.get_netgpo(queried_domain=queried_domain, queried_gponame=queried_gponame)[0] gpttmpl_path = '{}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf'.format(gpo.gpcfilesyspath) gpttmpl = self.get_gpttmpl(gpttmpl_path) if source == 'domain': return gpttmpl elif source == 'dc': if not resolve_sids: return gpttmpl else: import inspect try: privilege_rights_policy = gpttmpl.privilegerights except AttributeError: return gpttmpl members = inspect.getmembers(privilege_rights_policy, lambda x: not(inspect.isroutine(x))) with NetRequester(self._domain_controller, self._domain, self._user, self._password, self._lmhash, self._nthash) as net_requester: for member in members: if member[0].startswith('_'): continue if not isinstance(member[1], list): sids = [member[1]] else: sids = member[1] resolved_sids = list() for sid in sids: if not sid: continue try: resolved_sid = net_requester.get_adobject(queried_sid=sid, queried_domain=queried_domain)[0] except IndexError: resolved_sid = sid else: resolved_sid = resolved_sid.distinguishedname.split(',')[:2] resolved_sid = '{}\\{}'.format(resolved_sid[1], resolved_sid[0]) resolved_sid = resolved_sid.replace('CN=', '') resolved_sids.append(resolved_sid) if len(resolved_sids) == 1: resolved_sids = resolved_sids[0] setattr(privilege_rights_policy, member[0], resolved_sids) gpttmpl.privilegerights = privilege_rights_policy return gpttmpl
def _build_target_users(self, queried_groupname=str(), target_server=str(), queried_username=str(), queried_userfilter=str(), queried_useradspath=str(), queried_userfile=None, admin_count=False, allow_delegation=False, show_all=False, foreign_users=False): if show_all or foreign_users: attributes = {'memberdomain': str(), 'membername': str()} self._target_users.append(rpcobj.TargetUser(attributes)) elif target_server: with NetRequester(target_server, domain, user, password, lmhash, nthash, domain_controller) as target_server_requester: for x in target_server_requester.get_netlocalgroup(recurse=True): if x.isdomain and not x.isgroup: attributes = {'memberdomain': x.name.split('/')[0].lower(), 'membername': x.name.split('/')[1].lower()} self._target_users.append(rpcobj.TargetUser(attributes)) elif queried_userfile: with queried_userfile as _: for x in queried_userfile.readlines(): attributes = dict() attributes['membername'] = x.rstrip('\n') attributes['memberdomain'] = self._target_domains[0] self._target_users.append(rpcobj.TargetUser(attributes)) elif queried_username: attributes = dict() attributes['membername'] = queried_username.lower() attributes['memberdomain'] = self._target_domains[0] self._target_users.append(rpcobj.TargetUser(attributes)) elif queried_useradspath or queried_userfilter or admin_count or allow_delegation: for target_domain in self._target_domains: for x in self.get_netuser(ads_path=queried_useradspath, custom_filter=queried_userfilter, admin_count=admin_count, allow_delegation=allow_delegation, queried_domain=target_domain): attributes = dict() attributes['memberdomain'] = target_domain attributes['membername'] = x.samaccountname self._target_users.append(rpcobj.TargetUser(attributes)) else: for target_domain in self._target_domains: self._target_users += self.get_netgroupmember(queried_domain=target_domain, queried_groupname=queried_groupname, recurse=True) self._target_users = list(set(self._target_users)) if (not show_all) and (not foreign_users) and (not self._target_users): raise ValueError('No users to search for')
def get_adserviceaccount(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), do_kerberos=False, do_tls=False, queried_domain=str(), queried_sid=str(), queried_name=str(), queried_sam_account_name=str(), ads_path=str(), resolve_sids=False): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash, do_kerberos, do_tls) return requester.get_adserviceaccount( queried_domain=queried_domain, queried_sid=queried_sid, queried_name=queried_name, queried_sam_account_name=queried_sam_account_name, ads_path=ads_path, resolve_sids=resolve_sids)
def _hunt(self, target_computer): results = list() distant_processes = list() with NetRequester(target_computer, self._domain, self._user, self._password, self._lmhash, self._nthash) as net_requester: distant_events = net_requester.get_userevent( date_start=self._search_days) for event in distant_events: if self._target_users: for target_user in self._target_users: if target_user.membername.lower() in event.username.lower( ): results.append(event) return results
def _hunt(self, target_computer): results = list() distant_processes = list() with NetRequester(target_computer, self._domain, self._user, self._password, self._lmhash, self._nthash) as net_requester: distant_processes = net_requester.get_netprocess() for process in distant_processes: if self._process_name: for process_name in self._process_name: if process_name.lower() in process.processname.lower(): results.append(process) elif self._target_users: for target_user in self._target_users: if target_user.membername.lower() in process.user.lower(): results.append(process) return results
def find_gpolocation(self, queried_username=str(), queried_groupname=str(), queried_localgroup=str(), queried_domain=str()): results = list() net_requester = NetRequester(self._domain_controller, self._domain, self._user, self._password, self._lmhash, self._nthash) if queried_username: try: user = net_requester.get_netuser( queried_username=queried_username, queried_domain=queried_domain)[0] except IndexError: raise ValueError( 'Username \'{}\' was not found'.format(queried_username)) else: target_sid = [user.objectsid] object_sam_account_name = user.samaccountname object_distinguished_name = user.distinguishedname elif queried_groupname: try: group = net_requester.get_netgroup( queried_groupname=queried_groupname, queried_domain=queried_domain, full_data=True)[0] except IndexError: raise ValueError('Group name \'{}\' was not found'.format( queried_groupname)) else: target_sid = [group.objectsid] object_sam_account_name = group.samaccountname object_distinguished_name = group.distinguishedname else: raise ValueError( 'You must specify either a username or a group name') if 'admin' in queried_localgroup.lower(): local_sid = 'S-1-5-32-544' elif 'rdp' in queried_localgroup.lower(): local_sid = 'S-1-5-32-555' elif queried_localgroup.upper().startswith('S-1-5'): local_sid = queried_localgroup else: raise ValueError('The queried local group must be in \'Administrators\', ' \ '\'RDP\', or a \'S-1-5\' type SID') object_groups = net_requester.get_netgroup( queried_username=object_sam_account_name, queried_domain=queried_domain) for object_group in object_groups: try: object_group_sid = net_requester.get_adobject( queried_sam_account_name=object_group.samaccountname, queried_domain=queried_domain)[0].objectsid except IndexError: # We may have the name of the group, but not its sam account name try: object_group_sid = net_requester.get_adobject( queried_name=object_group.samaccountname, queried_domain=queried_domain)[0].objectsid except IndexError: # Freak accident when someone is a member of a group, but # we can't find the group in the AD continue target_sid.append(object_group_sid) gpo_groups = list() for gpo_group in self.get_netgpogroup(queried_domain=queried_domain): try: for member in gpo_group.members: if not member.upper().startswith('S-1-5'): try: member = net_requester.get_adobject( queried_sam_account_name=member, queried_domain=queried_domain)[0].objectsid except IndexError, AttributeError: continue if (member.upper() in target_sid) or (member.lower() in target_sid): if (local_sid.upper() in gpo_group.memberof) or \ (local_sid.lower() in gpo_group.memberof): gpo_groups.append(gpo_group) break except AttributeError: continue for gpo_group in gpo_groups: gpo_guid = gpo_group.gponame ous = net_requester.get_netou(queried_domain=queried_domain, queried_guid=gpo_guid, full_data=True) for ou in ous: # TODO: support filters for GPO ou_computers = [x.dnshostname for x in \ net_requester.get_netcomputer(queried_domain=queried_domain, ads_path=ou.distinguishedname)] gpo_location = GPOLocation(list()) setattr(gpo_location, 'objectname', object_distinguished_name) setattr(gpo_location, 'gponame', gpo_group.gpodisplayname) setattr(gpo_location, 'gpoguid', gpo_guid) setattr(gpo_location, 'containername', ou.distinguishedname) setattr(gpo_location, 'computers', ou_computers) results.append(gpo_location) return results
def get_netprocess(target_computername, domain, user, password=str(), lmhash=str(), nthash=str()): requester = NetRequester(target_computername, domain, user, password, lmhash, nthash) return requester.get_netprocess()
def get_netdomaincontroller(domain_controller, domain, user, password=str(), lmhash=str(), nthash=str(), queried_domain=str()): requester = NetRequester(domain_controller, domain, user, password, lmhash, nthash) return requester.get_netdomaincontroller(queried_domain=queried_domain)
def find_gpolocation(self, queried_username=str(), queried_groupname=str(), queried_localgroup=str(), queried_domain=str()): results = list() net_requester = NetRequester(self._domain_controller, self._domain, self._user, self._password, self._lmhash, self._nthash) if queried_username: try: user = net_requester.get_netuser(queried_username=queried_username, queried_domain=queried_domain)[0] except IndexError: raise ValueError('Username \'{}\' was not found'.format(queried_username)) else: target_sid = [user.objectsid] object_sam_account_name = user.samaccountname object_distinguished_name = user.distinguishedname elif queried_groupname: try: group = net_requester.get_netgroup(queried_groupname=queried_groupname, queried_domain=queried_domain, full_data=True)[0] except IndexError: raise ValueError('Group name \'{}\' was not found'.format(queried_groupname)) else: target_sid = [group.objectsid] object_sam_account_name = group.samaccountname object_distinguished_name = group.distinguishedname else: raise ValueError('You must specify either a username or a group name') if 'admin' in queried_localgroup.lower(): local_sid = 'S-1-5-32-544' elif 'rdp' in queried_localgroup.lower(): local_sid = 'S-1-5-32-555' elif queried_localgroup.upper().startswith('S-1-5'): local_sid = queried_localgroup else: raise ValueError('The queried local group must be in \'Administrators\', ' \ '\'RDP\', or a \'S-1-5\' type SID') object_groups = net_requester.get_netgroup(queried_username=object_sam_account_name, queried_domain=queried_domain) for object_group in object_groups: try: object_group_sid = net_requester.get_adobject(queried_sam_account_name=object_group.samaccountname, queried_domain=queried_domain)[0].objectsid except IndexError: # We may have the name of the group, but not its sam account name object_group_sid = net_requester.get_adobject(queried_name=object_group.samaccountname, queried_domain=queried_domain)[0].objectsid target_sid.append(object_group_sid) gpo_groups = list() for gpo_group in self.get_netgpogroup(): try: for member in gpo_group.members: if not member.upper().startswith('S-1-5'): try: member = net_requester.get_adobject(queried_sam_account_name=member, queried_domain=queried_domain)[0].objectsid except IndexError, AttributeError: continue if (member.upper() in target_sid) or (member.lower() in target_sid): if (local_sid.upper() in gpo_group.memberof) or \ (local_sid.lower() in gpo_group.memberof): gpo_groups.append(gpo_group) break except AttributeError: continue for gpo_group in gpo_groups: gpo_guid = gpo_group.gponame ous = net_requester.get_netou(queried_domain=queried_domain, queried_guid=gpo_guid, full_data=True) for ou in ous: # TODO: support filters for GPO ou_computers = [x.dnshostname for x in \ net_requester.get_netcomputer(queried_domain=queried_domain, ads_path=ou.distinguishedname)] gpo_location = GPOLocation(list()) setattr(gpo_location, 'objectname', object_distinguished_name) setattr(gpo_location, 'gponame', gpo_group.gpodisplayname) setattr(gpo_location, 'gpoguid', gpo_guid) setattr(gpo_location, 'containername', ou.distinguishedname) setattr(gpo_location, 'computers', ou_computers) results.append(gpo_location) return results
def find_gpocomputeradmin(self, queried_computername=str(), queried_ouname=str(), queried_domain=str(), recurse=False): results = list() if (not queried_computername) and (not queried_ouname): raise ValueError('You must specify either a computer name or an OU name') net_requester = NetRequester(self._domain_controller, self._domain, self._user, self._password, self._lmhash, self._nthash) if queried_computername: computers = net_requester.get_netcomputer(queried_computername=queried_computername, queried_domain=queried_domain, full_data=True) if not computers: raise ValueError('Computer {} not found'.format(queried_computername)) target_ous = list() for computer in computers: dn = computer.distinguishedname for x in dn.split(','): if x.startswith('OU='): target_ous.append(dn[dn.find(x):]) else: target_ous = [queried_ouname] gpo_groups = list() for target_ou in target_ous: ous = net_requester.get_netou(ads_path=target_ou, queried_domain=queried_domain, full_data=True) for ou in ous: for gplink in ou.gplink.strip('[]').split(']['): gplink = gplink.split(';')[0] gpo_groups = self.get_netgpogroup(queried_domain=queried_domain, ads_path=gplink) for gpo_group in gpo_groups: for member in gpo_group.members: obj = net_requester.get_adobject(queried_sid=member, queried_domain=queried_domain)[0] gpo_computer_admin = GPOComputerAdmin(list()) setattr(gpo_computer_admin, 'computername', queried_computername) setattr(gpo_computer_admin, 'ou', target_ou) setattr(gpo_computer_admin, 'gpodisplayname', gpo_group.gpodisplayname) setattr(gpo_computer_admin, 'gpopath', gpo_group.gpopath) setattr(gpo_computer_admin, 'objectname', obj.name) setattr(gpo_computer_admin, 'objectdn', obj.distinguishedname) setattr(gpo_computer_admin, 'objectsid', member) setattr(gpo_computer_admin, 'isgroup', (obj.samaccounttype != '805306368')) results.append(gpo_computer_admin) if recurse and gpo_computer_admin.isgroup: groups_to_resolve = [gpo_computer_admin.objectsid] while groups_to_resolve: group_to_resolve = groups_to_resolve.pop(0) group_members = net_requester.get_netgroupmember(queried_sid=group_to_resolve, full_data=True) for group_member in group_members: gpo_computer_admin = GPOComputerAdmin(list()) setattr(gpo_computer_admin, 'computername', queried_computername) setattr(gpo_computer_admin, 'ou', target_ou) setattr(gpo_computer_admin, 'gpodisplayname', gpo_group.gpodisplayname) setattr(gpo_computer_admin, 'gpopath', gpo_group.gpopath) setattr(gpo_computer_admin, 'objectname', group_member.samaccountname) setattr(gpo_computer_admin, 'objectdn', group_member.distinguishedname) setattr(gpo_computer_admin, 'objectsid', member) setattr(gpo_computer_admin, 'isgroup', (group_member.samaccounttype != '805306368')) results.append(gpo_computer_admin) if gpo_computer_admin.isgroup: groups_to_resolve.append(group_member.objectsid) return results