def test_hNetrWkstaUserEnum(self):
    """Call NetrWkstaUserEnum at info levels 0 and 1 and dump both replies.

    Uses the connection handed out by ``self.connect``.  Level 1 is the
    form the enumeration helpers in this corpus consume (it carries the
    wkui1_* fields); level 0 is queried as well so both request shapes are
    exercised against the server.  The replies are only dumped, not asserted.
    """
    dce, _rpctransport = self.connect()
    for level in (0, 1):
        reply = wkst.hNetrWkstaUserEnum(dce, level)
        reply.dump()
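def enumLoggedIn(self):
    """Yield the sessions the target's Workstation service reports.

    Opens an SMB transport to \\wkssvc with the credentials held on self,
    binds the WKST interface and calls NetrWkstaUserEnum at info level 1.
    Each session is yielded as ``{'username': ..., 'domain': ...}`` with the
    trailing NUL that impacket leaves on the wide strings removed.

    The RPC call normally needs administrative rights on the target; an
    access-denied or transport error is not caught here and propagates to
    the consumer unchanged.  The DCE connection is closed whether the
    generator is exhausted, raises, or is closed early by the consumer
    (the original only disconnected after a complete pass).
    """
    rpctransport = transport.SMBTransport(self.__addr, self.__port, r'\wkssvc',
                                          self.__username, self.__password,
                                          self.__domain, self.__lmhash,
                                          self.__nthash, self.__aesKey,
                                          doKerberos=self.__doKerberos)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(wkst.MSRPC_UUID_WKST)
    try:
        # No try/except wrapper around the call: the original re-raised with
        # ``raise e``, which on Python 2 discards the original traceback.
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
        for session in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
            yield {
                'username': session['wkui1_username'][:-1],
                'domain': session['wkui1_logon_domain'][:-1],
            }
    finally:
        dce.disconnect()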
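def sessions(self, targets):
    """Print, per target, the users logged on now and the profile folders under C:\\Users.

    For each host: open an RPC connection (``self._create_rpc_connection``)
    and an SMB session with the credentials on self, then
      1. call NetrWkstaUserEnum (level 1) and print ``DOMAIN\\user`` for each
         session, skipping machine accounts (names containing '$') and
         duplicates;
      2. list ``C$\\Users\\*`` and print every profile directory with its
         mtime as a rough "last logon" hint, skipping the built-in folders.

    Both steps need local-administrator rights on the target (wkssvc session
    enumeration and the C$ admin share).  An RPC access-denied is reported
    and the host skipped.  Output goes to stdout.

    Bug fixed: the ``DOMAIN\\user`` line was built with the literal
    ``'******' % (logonDomain, userName)``, which has no conversion
    specifier and makes ``%`` raise TypeError as soon as one session is
    returned.
    """
    # Built-in profile folders that do not correspond to a user.
    skip_dirs = ("Public", "All Users", "Default", "Default User", ".", "..")
    for target in targets:
        try:
            self._create_rpc_connection(target)
            print(target)
            print("-----------------")
            # NOTE(review): the SMB session is never closed on any path;
            # close it if the SMBConnection API in use offers logoff/close.
            smb = SMBConnection('*SMBSERVER', target, sess_port=445, timeout=5)
            smb.login(self._user, self._password, self._domain)
            try:
                sess = wkst.hNetrWkstaUserEnum(self._rpc_connection, 1)
            except DCERPCException:
                print(colors.RD + " [-]" + colors.NRM + " User does not have access")
                continue
            users = []
            for wksta_user in sess['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
                # impacket leaves the terminating NUL on these wide strings.
                userName = wksta_user['wkui1_username'][:-1]
                logonDomain = wksta_user['wkui1_logon_domain'][:-1]
                if "$" in userName:
                    continue  # machine account
                user = '%s\\%s' % (logonDomain, userName)
                if user not in users:
                    users.append(user)
            print(" Currently Logged On")
            print(" -------------------")
            for user in users:
                print(" " + colors.GRN + "[+] " + colors.NRM + user)
            entries = smb.listPath('C$', '\\Users\\*')
            print("\n Users Who Have Logged On")
            print(" -------------------------")
            for entry in entries:
                if entry.get_longname() in skip_dirs or not entry.is_directory():
                    continue
                print(colors.GRN + " [+] " + colors.NRM + entry.get_longname()
                      + " lastlogon: " + time.ctime(float(entry.get_mtime_epoch())))
        except UnboundLocalError as e:
            # Kept from the original; which statement it guards is not
            # evident from this code.
            print(target)
            print(e)
            print(colors.RD + " [-] " + colors.NRM + "User does not have access")
            continue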
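def enum_lusers(self, host):
    """Log the sessions the target's Workstation service reports (NetrWkstaUserEnum level 1).

    Connects to \\wkssvc on ``host`` through ``self.connect`` and logs one
    line per session as ``DOMAIN\\user logon_server oth_domains``.  The
    call normally needs admin rights on the target; RPC errors propagate
    to the caller.

    Fix: impacket returns the wkui1_* fields NUL-terminated; the original
    logged the terminator verbatim.  The NUL is stripped here.
    """
    dce, _rpctransport = self.connect(host, 'wkssvc')
    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    finally:
        # self.connect appears to hand out a fresh connection per call (the
        # transport is returned alongside and never reused), so close it.
        # TODO confirm against connect()'s implementation.
        dce.disconnect()
    lusers = resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']
    self.__logger.success("Enumerating logged on users")
    for user in lusers:
        domain = user['wkui1_logon_domain'].rstrip('\x00')
        name = user['wkui1_username'].rstrip('\x00')
        logon_server = user['wkui1_logon_server'].rstrip('\x00')
        oth_domains = user['wkui1_oth_domains'].rstrip('\x00')
        self.__logger.results(u'{}\\{} {} {}'.format(domain, name, logon_server, oth_domains))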
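def enum_lusers(self, host):
    """Print the sessions reported by the target's Workstation service (NetrWkstaUserEnum level 1).

    Connects to \\wkssvc on ``host`` through ``self.connect`` and prints,
    per session, ``DOMAIN\\user logon_server oth_domains``.  The call
    normally needs admin rights on the target; RPC errors propagate to the
    caller.

    Fix: the wkui1_* fields come back NUL-terminated from impacket and the
    original printed the terminator verbatim; it is stripped here.
    """
    dce, _rpctransport = self.connect(host, 'wkssvc')
    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    finally:
        # self.connect appears to hand out a fresh connection per call (the
        # transport is returned alongside and never reused), so close it.
        # TODO confirm against connect()'s implementation.
        dce.disconnect()
    fields = ('wkui1_logon_domain', 'wkui1_username',
              'wkui1_logon_server', 'wkui1_oth_domains')
    print_succ("{}:{} Logged on users:".format(host, settings.args.port))
    for user in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
        values = [user[field].rstrip('\x00') for field in fields]
        print_att('{}\\{} {} {}'.format(*values))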
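def enum_lusers(self, host):
    """Print the sessions reported by the target's Workstation service (NetrWkstaUserEnum level 1).

    Connects to \\wkssvc on ``host`` through ``self.connect`` and prints,
    per session, ``DOMAIN\\user logon_server oth_domains``.  The call
    normally needs admin rights on the target; RPC errors propagate to the
    caller.

    Fix: the wkui1_* fields come back NUL-terminated from impacket and the
    original printed the terminator verbatim; it is stripped here.
    """
    def clean(value):
        # Drop impacket's trailing NUL from a wide string.
        return value.rstrip('\x00')

    dce, _rpctransport = self.connect(host, 'wkssvc')
    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    finally:
        # self.connect appears to hand out a fresh connection per call (the
        # transport is returned alongside and never reused), so close it.
        # TODO confirm against connect()'s implementation.
        dce.disconnect()
    print_succ("{}:{} Logged on users:".format(host, settings.args.port))
    for user in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
        print_att(u'{}\\{} {} {}'.format(clean(user['wkui1_logon_domain']),
                                          clean(user['wkui1_username']),
                                          clean(user['wkui1_logon_server']),
                                          clean(user['wkui1_oth_domains'])))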
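def enum_lusers(self, host):
    """Log the sessions the target's Workstation service reports (NetrWkstaUserEnum level 1).

    Connects to \\wkssvc on ``host`` through ``self.connect`` and logs one
    line per session as ``DOMAIN\\user logon_server oth_domains``.  The
    call normally needs admin rights on the target; RPC errors propagate
    to the caller.

    Fix: impacket returns the wkui1_* fields NUL-terminated; the original
    logged the terminator verbatim.  The NUL is stripped here.
    """
    dce, _rpctransport = self.connect(host, 'wkssvc')
    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    finally:
        # self.connect appears to hand out a fresh connection per call (the
        # transport is returned alongside and never reused), so close it.
        # TODO confirm against connect()'s implementation.
        dce.disconnect()
    self.__logger.success("Enumerating logged on users")
    for user in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
        record = {key: user[key].rstrip('\x00')
                  for key in ('wkui1_logon_domain', 'wkui1_username',
                              'wkui1_logon_server', 'wkui1_oth_domains')}
        self.__logger.results(u'{}\\{} {} {}'.format(record['wkui1_logon_domain'],
                                                      record['wkui1_username'],
                                                      record['wkui1_logon_server'],
                                                      record['wkui1_oth_domains']))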
def get_netloggedon(self):
    """Return the host's sessions as ``rpcobj.WkstaUser`` objects (NetrWkstaUserEnum level 1).

    Uses the already-established ``self._rpc_connection``.  Any
    DCERPCException -- typically access denied, since the call normally
    needs admin rights on the target -- yields an empty list instead of
    propagating, so callers cannot tell "no sessions" from "no access".
    """
    try:
        resp = wkst.hNetrWkstaUserEnum(self._rpc_connection, 1)
    except DCERPCException:
        return []
    entries = resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']
    return [rpcobj.WkstaUser(entry) for entry in entries]
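def enum_lusers(self):
    """Log logged-on users reported by the target's Workstation service (NetrWkstaUserEnum level 1).

    Connects to \\wkssvc through ``self.connect`` and logs
    ``Username: DOMAIN\\user`` plus ``LogonServer: <srv>`` when the server
    field is non-empty.  The call generally needs admin rights on the
    target; on an RPC failure the method returns silently (best-effort,
    kept from the original), so a missing line does not distinguish "no
    sessions" from "access denied".

    Fixes: the wkui1_* fields are NUL-terminated and were logged with the
    terminator; the ``try`` now covers only the RPC call, and the DCE
    connection is closed on every path.
    """
    dce, _rpctransport = self.connect('wkssvc')
    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    except Exception:
        # NOTE(review): consider logging the failure so callers can tell it
        # apart from an empty result.
        return
    finally:
        # self.connect appears to hand out a fresh connection per call (the
        # transport is returned alongside and never reused), so close it.
        # TODO confirm against connect()'s implementation.
        dce.disconnect()
    self.logger.success("Enumerating logged on users")
    for user in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
        domain = user['wkui1_logon_domain'].rstrip('\x00')
        name = user['wkui1_username'].rstrip('\x00')
        logon_server = user['wkui1_logon_server'].rstrip('\x00')
        suffix = 'LogonServer: {}'.format(logon_server) if logon_server else ''
        self.logger.highlight(u'Username: {}\\{} {}'.format(domain, name, suffix))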
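def enum_lusers(self):
    """Log logged-on users reported by the target's Workstation service (NetrWkstaUserEnum level 1).

    Connects to \\wkssvc through ``self.connect`` and logs
    ``Username: DOMAIN\\user`` plus ``LogonServer: <srv>`` when the server
    field is non-empty.  The call generally needs admin rights on the
    target; on an RPC failure the method returns silently (best-effort,
    kept from the original), so a missing line does not distinguish "no
    sessions" from "access denied".

    Fixes: the wkui1_* fields are NUL-terminated and were logged with the
    terminator; the ``try`` now covers only the RPC call, and the DCE
    connection is closed on every path.
    """
    def clean(value):
        # Drop impacket's trailing NUL from a wide string.
        return value.rstrip('\x00')

    dce, _rpctransport = self.connect('wkssvc')
    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    except Exception:
        # NOTE(review): consider logging the failure so callers can tell it
        # apart from an empty result.
        return
    finally:
        # self.connect appears to hand out a fresh connection per call (the
        # transport is returned alongside and never reused), so close it.
        # TODO confirm against connect()'s implementation.
        dce.disconnect()
    self.logger.success("Enumerating logged on users")
    for user in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
        server = clean(user['wkui1_logon_server'])
        self.logger.highlight(u'Username: {}\\{} {}'.format(
            clean(user['wkui1_logon_domain']),
            clean(user['wkui1_username']),
            'LogonServer: {}'.format(server) if server else ''))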
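def rpc_get_loggedon(self):
    """Enumerate interactive sessions on this host via NetrWkstaUserEnum. Requires admin privs.

    Binds \\PIPE\\wkssvc over ncacn_np, asks for info level 1 (which
    includes the logon domain) and returns a list of ``(username, domain)``
    tuples, where:
      * machine accounts (name ending in '$') are skipped,
      * sessions whose logon domain equals this host's SAM name are skipped
        (local accounts),
      * the domain is replaced by its DNS form via ``self.ad`` when known.

    Returns None if the RPC connection could not be established, an empty
    list on access denied / RPC error / connection reset, and re-raises
    anything else.  The DCE connection is closed on every path.

    Fixes vs. the original: the '$' test indexed ``[-2]`` on the raw string
    and raised IndexError on an empty (NUL-only) name; ``raise e`` replaced
    the traceback; ``dce.disconnect()`` was skipped when an exception
    propagated.
    """
    binding = r'ncacn_np:%s[\PIPE\wkssvc]' % self.addr
    dce = self.dce_rpc_connect(binding, wkst.MSRPC_UUID_WKST)
    if dce is None:
        logging.warning('Connection failed: %s', binding)
        return
    loggedonusers = set()
    try:
        # Level 1 means more detail, including the domain.
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
        for record in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
            # impacket leaves the terminating NUL on these wide strings.
            username = record['wkui1_username'][:-1]
            domain = record['wkui1_logon_domain'][:-1].upper()
            # Skip computer accounts.
            if username.endswith('$'):
                continue
            # Skip sessions for local accounts.
            if domain == self.samname.upper():
                continue
            domain_entry = self.ad.get_domain_by_name(domain)
            if domain_entry is not None:
                domain = ADUtils.ldap2domain(
                    domain_entry['attributes']['distinguishedName'])
            logging.debug('Found logged on user at %s: %s@%s',
                          self.hostname, username, domain)
            loggedonusers.add((username, domain))
    except DCERPCException as e:
        if 'rpc_s_access_denied' in str(e):
            logging.debug(
                'Access denied while enumerating LoggedOn on %s, probably no admin privs',
                self.hostname)
        else:
            logging.debug('Exception connecting to RPC: %s', e)
    except Exception as e:
        if 'connection reset' in str(e):
            logging.debug('Connection was reset: %s', e)
        else:
            raise  # bare raise keeps the original traceback
    finally:
        dce.disconnect()
    return list(loggedonusers)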
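def get_netloggedon(self):
    """Populate ``self.loggedon`` from NetrWkstaUserEnum (level 1) and return the entries.

    Opens an RPC connection to \\wkssvc via ``self.create_rpc_con``, then
    stores one dict per session in ``self.loggedon`` keyed by username --
    ``{'domain', 'logon_srv', 'user'}``, each NUL-stripped -- and returns
    those dicts as a list.  A user with several sessions keeps only the
    last one in the dict (as before); the returned list keeps them all.

    On DCERPCException (typically access denied: the call normally needs
    admin rights on the target) returns an empty list.  The connection is
    closed on every path.

    Fixes vs. the original: it returned None on success (its ``results``
    list was never filled or returned) but ``list()`` on error, and only
    disconnected on success.
    """
    self.loggedon = {}
    self.create_rpc_con(r'\wkssvc')
    try:
        resp = wkst.hNetrWkstaUserEnum(self.rpc_connection, 1)
    except DCERPCException:
        return []
    finally:
        self.rpc_connection.disconnect()
    results = []
    for wksta_user in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
        entry = {
            'domain': wksta_user['wkui1_logon_domain'].strip('\x00'),
            'logon_srv': wksta_user['wkui1_logon_server'].strip('\x00'),
            'user': wksta_user['wkui1_username'].strip('\x00'),
        }
        self.loggedon[entry['user']] = entry
        results.append(entry)
    return results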
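def lookup(self, rpctransport, host, csv):
    """Bind \\wkssvc over ``rpctransport`` and query NetrWkstaUserEnum (level 1).

    Only the connection, the request and its error handling are present in
    this excerpt; ``resp``, ``host`` and ``csv`` are not consumed here.
    A broken pipe (the transport timed out) is logged and the host skipped;
    ACCESS_DENIED (session enumeration needs admin rights) is logged, the
    connection closed and the host skipped; any other error propagates.

    Fix: the original tested ``str(e).upper().find('ACCESS_DENIED')``
    without ``>= 0``.  ``find`` returns -1 -- which is truthy -- when the
    text is absent, so every non-broken-pipe error was reported as access
    denied and the final ``raise`` was unreachable.
    """
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(wkst.MSRPC_UUID_WKST)
    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    except Exception as e:
        message = str(e)
        if 'Broken pipe' in message:
            # The connection timed-out. Let's try to bring it back next round
            logging.error('Connection failed - skipping host!')
            return
        elif 'ACCESS_DENIED' in message.upper():
            # We're not admin, bye
            logging.error(
                'Access denied - you must be admin to enumerate sessions this way'
            )
            dce.disconnect()
            return
        else:
            raise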
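def getLoggedIn(self, target):
    """Poll one target's Workstation service and print sessions that appeared or vanished since the last poll.

    Does nothing once the target is marked non-admin.  Reuses the cached
    DCE connection in ``self.__targets[target]['WKST']`` or opens a new one
    (ncacn_np to \\PIPE\\wkssvc with the credentials on self) and charges it
    against ``self.__maxConnections``; when that budget goes negative the
    connection is closed instead of cached.

    NetrWkstaUserEnum (level 1) is then diffed against
    ``self.__targets[target]['LoggedIn']`` (keys ``user\\x01domain``): new
    keys are printed as "logged in LOCALLY", missing ones as "logged off
    LOCALLY", restricted to ``self.__filterUsers`` when that is set.  A blank
    line follows if anything was printed.

    Errors: a broken pipe drops the cached connection so the next round
    re-opens it; ACCESS_DENIED marks the target non-admin (session
    enumeration needs local admin); anything else propagates.

    Fix: the original tested ``find('ACCESS_DENIED')`` without ``>= 0``;
    ``find`` returns -1 (truthy) when absent, so every non-broken-pipe
    error was treated as access denied and the ``raise`` never ran.
    Output uses ``print(...)`` with a single argument, which behaves the
    same under Python 2 and 3.
    """
    if self.__targets[target]['Admin'] is False:
        return
    if self.__targets[target]['WKST'] is None:
        stringWkstBinding = r'ncacn_np:%s[\PIPE\wkssvc]' % target
        rpctransportWkst = transport.DCERPCTransportFactory(stringWkstBinding)
        if hasattr(rpctransportWkst, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransportWkst.set_credentials(self.__username, self.__password,
                                             self.__domain, self.__lmhash,
                                             self.__nthash, self.__aesKey)
            rpctransportWkst.set_kerberos(self.__doKerberos, self.__kdcHost)
        dce = rpctransportWkst.get_dce_rpc()
        dce.connect()
        dce.bind(wkst.MSRPC_UUID_WKST)
        self.__maxConnections -= 1
    else:
        dce = self.__targets[target]['WKST']
    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    except Exception as e:
        message = str(e)
        if 'Broken pipe' in message:
            # The connection timed-out. Let's try to bring it back next round
            self.__targets[target]['WKST'] = None
            self.__maxConnections += 1
            return
        elif 'ACCESS_DENIED' in message.upper():
            # We're not admin, bye
            dce.disconnect()
            self.__maxConnections += 1
            self.__targets[target]['Admin'] = False
            return
        else:
            raise
    if self.__maxConnections < 0:
        # Can't keep this connection open. Closing it
        dce.disconnect()
        self.__maxConnections = 0
    else:
        self.__targets[target]['WKST'] = dce
    # Let's see who logged in locally since last check
    known = self.__targets[target]['LoggedIn']
    current = set()
    printCRLF = False
    for session in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
        # impacket leaves the terminating NUL on these wide strings.
        userName = session['wkui1_username'][:-1]
        logonDomain = session['wkui1_logon_domain'][:-1]
        key = '%s\x01%s' % (userName, logonDomain)
        current.add(key)
        if key not in known:
            known.add(key)
            # Are we filtering users?
            if self.__filterUsers is None or userName in self.__filterUsers:
                print("%s: user %s\\%s logged in LOCALLY" % (target, logonDomain, userName))
                printCRLF = True
    # Let's see who logged out since last check
    for key in known.copy():
        if key in current:
            continue
        userName, logonDomain = key.split('\x01')
        known.remove(key)
        # Are we filtering users?
        if self.__filterUsers is None or userName in self.__filterUsers:
            print("%s: user %s\\%s logged off LOCALLY" % (target, logonDomain, userName))
            printCRLF = True
    if printCRLF is True:
        print("")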
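def sessions(self, targets):
    """Print, per target, the users logged on now and the profile folders on the system drive.

    For each host: open an RPC connection (``self._create_rpc_connection``)
    and an SMB session with the credentials on self, then
      1. call NetrWkstaUserEnum (level 1) and print ``DOMAIN\\user`` for each
         session, skipping machine accounts (names containing '$') and
         duplicates;
      2. list ``C$\\Users\\*`` and print every profile directory with its
         mtime as a rough "last logon" hint, skipping the built-in folders;
         on a SessionError fall back to ``C$\\Documents and Settings\\*``.

    Both steps need local-administrator rights on the target (wkssvc session
    enumeration and the C$ admin share).  An RPC access-denied is reported
    and the host skipped; an unreachable host (socket error) is reported
    and skipped; Ctrl-C returns.  Output goes to stdout.

    Bug fixed: the ``DOMAIN\\user`` line was built with the literal
    ``'******' % (logonDomain, userName)``, which has no conversion
    specifier and makes ``%`` raise TypeError as soon as one session is
    returned.  The fallback branch also no longer touches ``smb`` when the
    SMB session was never created.
    """
    # Built-in profile folders that do not correspond to a user.
    skip_dirs = ("Public", "All Users", "Default", "Default User", ".", "..")

    def print_profiles(smb, path, header, underline, prefix):
        # List C$\<path> first so a share/listing failure surfaces before
        # the header is printed, then print each profile directory.
        entries = smb.listPath('C$', path)
        print(header)
        print(underline)
        for entry in entries:
            if entry.get_longname() in skip_dirs or not entry.is_directory():
                continue
            print(prefix + entry.get_longname() + " lastlogon: "
                  + time.ctime(float(entry.get_mtime_epoch())))

    for target in targets:
        smb = None
        try:
            self._create_rpc_connection(target)
            print(target)
            print("-----------------")
            # NOTE(review): the SMB session is never closed on any path;
            # close it if the SMBConnection API in use offers logoff/close.
            smb = SMBConnection('*SMBSERVER', target, sess_port=445, timeout=5)
            smb.login(self._user, self._password, self._domain)
            try:
                sess = wkst.hNetrWkstaUserEnum(self._rpc_connection, 1)
            except DCERPCException:
                print(colors.RD + " [-]" + colors.NRM + " User does not have access")
                continue
            users = []
            for wksta_user in sess['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
                # impacket leaves the terminating NUL on these wide strings.
                userName = wksta_user['wkui1_username'][:-1]
                logonDomain = wksta_user['wkui1_logon_domain'][:-1]
                if "$" in userName:
                    continue  # machine account
                user = '%s\\%s' % (logonDomain, userName)
                if user not in users:
                    users.append(user)
            print(" Currently Logged On")
            print(" -------------------")
            for user in users:
                print(" " + colors.GRN + "[+] " + colors.NRM + user)
            print_profiles(smb, '\\Users\\*',
                           "\n Users Who Have Logged On",
                           " -------------------------",
                           colors.GRN + " [+] " + colors.NRM)
        except UnboundLocalError as e:
            # Kept from the original; which statement it guards is not
            # evident from this code.
            print(target)
            print(e)
            print(colors.RD + " [-] " + colors.NRM + "User does not have access")
            continue
        except socket.error:
            print(colors.BLU + " [*] " + colors.NRM + "Host either not accessible or port 445 closed")
            continue
        except KeyboardInterrupt:
            return
        except SessionError:
            # Older profile layout (no \Users); only possible if the SMB
            # session was established.
            if smb is None:
                continue
            try:
                print_profiles(smb, '\\Documents and Settings\\*',
                               "\nUsers who have logged on",
                               "--------------------------",
                               " [*] ")
            except SessionError:
                continue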
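def getLoggedIn(self, target):
    """Poll one target's Workstation service and print sessions that appeared or vanished since the last poll.

    Does nothing once the target is marked non-admin.  Reuses the cached
    DCE connection in ``self.__targets[target]['WKST']`` or opens a new one
    (ncacn_np to \\PIPE\\wkssvc with the credentials on self) and charges it
    against ``self.__maxConnections``; when that budget goes negative the
    connection is closed instead of cached.

    NetrWkstaUserEnum (level 1) is then diffed against
    ``self.__targets[target]['LoggedIn']`` (keys ``user\\x01domain``): new
    keys are printed as "logged in LOCALLY", missing ones as "logged off
    LOCALLY", restricted to ``self.__filterUsers`` when that is set.  A blank
    line follows if anything was printed.

    Errors: a broken pipe drops the cached connection so the next round
    re-opens it; ACCESS_DENIED marks the target non-admin (session
    enumeration needs local admin); anything else propagates.

    Fix: the original tested ``find('ACCESS_DENIED')`` without ``>= 0``;
    ``find`` returns -1 (truthy) when absent, so every non-broken-pipe
    error was treated as access denied and the ``raise`` never ran.
    """
    entry = self.__targets[target]
    if entry['Admin'] is False:
        return
    if entry['WKST'] is None:
        binding = r'ncacn_np:%s[\PIPE\wkssvc]' % target
        rpctransportWkst = transport.DCERPCTransportFactory(binding)
        if hasattr(rpctransportWkst, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransportWkst.set_credentials(self.__username, self.__password,
                                             self.__domain, self.__lmhash,
                                             self.__nthash, self.__aesKey)
            rpctransportWkst.set_kerberos(self.__doKerberos, self.__kdcHost)
        dce = rpctransportWkst.get_dce_rpc()
        dce.connect()
        dce.bind(wkst.MSRPC_UUID_WKST)
        self.__maxConnections -= 1
    else:
        dce = entry['WKST']
    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    except Exception as e:
        message = str(e)
        if 'Broken pipe' in message:
            # The connection timed-out. Let's try to bring it back next round
            entry['WKST'] = None
            self.__maxConnections += 1
            return
        elif 'ACCESS_DENIED' in message.upper():
            # We're not admin, bye
            dce.disconnect()
            self.__maxConnections += 1
            entry['Admin'] = False
            return
        else:
            raise
    if self.__maxConnections < 0:
        # Can't keep this connection open. Closing it
        dce.disconnect()
        self.__maxConnections = 0
    else:
        entry['WKST'] = dce

    printed = [False]

    def announce(verb, userName, logonDomain):
        # Honour the optional user filter, then print one event line.
        if self.__filterUsers is not None and userName not in self.__filterUsers:
            return
        print("%s: user %s\\%s %s LOCALLY" % (target, logonDomain, userName, verb))
        printed[0] = True

    # Let's see who logged in locally since last check
    known = entry['LoggedIn']
    current = set()
    for session in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
        # impacket leaves the terminating NUL on these wide strings.
        userName = session['wkui1_username'][:-1]
        logonDomain = session['wkui1_logon_domain'][:-1]
        key = '%s\x01%s' % (userName, logonDomain)
        current.add(key)
        if key not in known:
            known.add(key)
            announce("logged in", userName, logonDomain)
    # Let's see who logged out since last check
    for key in known - current:
        userName, logonDomain = key.split('\x01')
        known.remove(key)
        announce("logged off", userName, logonDomain)
    if printed[0]:
        print()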