    def test_hNetrWkstaUserEnum(self):
        """Exercise NetrWkstaUserEnum at info levels 0 and 1, dumping each response."""
        dce, _transport = self.connect()
        for level in (0, 1):
            wkst.hNetrWkstaUserEnum(dce, level).dump()
    def test_hNetrWkstaUserEnum(self):
        """Call NetrWkstaUserEnum with both info levels and dump the two responses."""
        dce, _ = self.connect()
        level0 = wkst.hNetrWkstaUserEnum(dce, 0)
        level0.dump()
        level1 = wkst.hNetrWkstaUserEnum(dce, 1)
        level1.dump()
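    def enumLoggedIn(self):
        """Yield the sessions the wkssvc service on the target reports as logged on.

        Opens an SMB named-pipe transport to ``\\wkssvc`` with the credentials held
        on the instance, binds to the WKST interface and calls NetrWkstaUserEnum at
        info level 1 (the level that includes the logon domain).

        Yields:
            dict with keys ``'username'`` and ``'domain'``. Strings in the response
            are NUL-terminated; the terminator is removed.

        Raises:
            Whatever the transport, bind or RPC call raises; nothing is masked.
            The connection is closed on every exit path, including when the
            consumer stops iterating early.
        """
        rpctransport = transport.SMBTransport(self.__addr,
                                              self.__port,
                                              r'\wkssvc',
                                              self.__username,
                                              self.__password,
                                              self.__domain,
                                              self.__lmhash,
                                              self.__nthash,
                                              self.__aesKey,
                                              doKerberos=self.__doKerberos)

        dce = rpctransport.get_dce_rpc()
        dce.connect()
        try:
            dce.bind(wkst.MSRPC_UUID_WKST)
            resp = wkst.hNetrWkstaUserEnum(dce, 1)

            for session in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
                # Drop the trailing NUL that terminates each response string.
                yield {
                    'username': session['wkui1_username'][:-1],
                    'domain': session['wkui1_logon_domain'][:-1],
                }
        finally:
            # Runs on normal exhaustion, on error, and on GeneratorExit, so the
            # connection is not leaked when the caller breaks out of the loop.
            dce.disconnect()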
 def sessions(self, targets):
     """Print, for each target, the sessions currently logged on and the profile directories.

     For every host this opens the RPC connection and an SMB session, lists the
     sessions wkssvc reports via NetrWkstaUserEnum (info level 1, computer
     accounts skipped), then lists the directories under ``C$\\Users`` with their
     last-modified time as a proxy for who has logged on before. Failures on one
     host are printed and the loop moves on to the next.

     Args:
         targets: iterable of host names/addresses.
     """
     for target in targets:
         users = []
         try:
             target_computer = target
             self._create_rpc_connection(target_computer)
             print target_computer
             print "-----------------"
             smb = SMBConnection('*SMBSERVER',
                                 target_computer,
                                 sess_port=445,
                                 timeout=5)
             smb.login(self._user, self._password, self._domain)
             try:
                 sess = wkst.hNetrWkstaUserEnum(self._rpc_connection, 1)
             except DCERPCException, e:
                 users = []
                 print colors.RD + "     [-]" + colors.NRM + " User does not have access"
                 continue
             for wksta_user in sess['UserInfo']['WkstaUserInfo']['Level1'][
                     'Buffer']:
                 # Response strings are NUL-terminated; [:-1] drops the terminator
                 userName = wksta_user['wkui1_username'][:-1]
                 logonDomain = wksta_user['wkui1_logon_domain'][:-1]
                 if "$" in userName:
                     # Machine accounts are not reported
                     pass
                 else:
                     # NOTE(review): this literal looks like a placeholder in the
                     # listing; confirm the intended format string upstream.
                     user = '******' % (logonDomain, userName)
                     if user in users:
                         pass
                     else:
                         users.append(user)
             print "  Currently Logged On"
             print "  -------------------"
             for user in users:
                 print "     " + colors.GRN + "[+] " + colors.NRM + user
             # `users` is unbound from here on; the handler below re-creates it
             del users
             share = 'C$'
             path = '\\Users\\*'
             read = smb.listPath(share, path)
             print "\n  Users Who Have Logged On"
             print "  -------------------------"
             for r in read:
                 # Skip the well-known non-user profile directories and '.'/'..'
                 if r.get_longname() == "Public" or r.get_longname(
                 ) == "All Users" or r.get_longname(
                 ) == "Default" or r.get_longname(
                 ) == "Default User" or r.get_longname(
                 ) == "." or r.get_longname() == "..":
                     pass
                 else:
                     if r.is_directory():
                         print colors.GRN + "     [+] " + colors.NRM + r.get_longname(
                         ) + " lastlogon: " + time.ctime(
                             float(r.get_mtime_epoch()))
         except UnboundLocalError as e:
             # Reported as an access problem and the next target is tried
             print target
             users = []
             print e
             print colors.RD + "     [-] " + colors.NRM + "User does not have access"
             continue
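    def enum_lusers(self, host):
        """Log the sessions the wkssvc service on *host* reports as logged on.

        Connects to the ``wkssvc`` pipe via ``self.connect`` and calls
        NetrWkstaUserEnum at info level 1 (includes logon domain and server).
        Strings in the response are NUL-terminated, so the terminator is
        stripped before logging. The RPC connection is closed once the
        response has been read.

        Args:
            host: target host, passed through to ``self.connect``.
        """
        dce, _transport = self.connect(host, 'wkssvc')
        try:
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
        finally:
            dce.disconnect()
        lusers = resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']

        self.__logger.success("Enumerating logged on users")
        for user in lusers:
            self.__logger.results(u'{}\\{} {} {}'.format(
                user['wkui1_logon_domain'].rstrip('\x00'),
                user['wkui1_username'].rstrip('\x00'),
                user['wkui1_logon_server'].rstrip('\x00'),
                user['wkui1_oth_domains'].rstrip('\x00')))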
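    def enum_lusers(self, host):
        """Print the sessions the wkssvc service on *host* reports as logged on.

        Uses ``self.connect`` to reach the ``wkssvc`` pipe, queries
        NetrWkstaUserEnum at info level 1 and prints one line per session as
        ``domain\\user logon_server other_domains``. Response strings are
        NUL-terminated, so the terminator is stripped first; the RPC
        connection is closed once the response has been read.

        Args:
            host: target host, passed through to ``self.connect``.
        """
        dce, _transport = self.connect(host, 'wkssvc')
        try:
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
        finally:
            dce.disconnect()
        lusers = resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']

        print_succ("{}:{} Logged on users:".format(host, settings.args.port))
        for user in lusers:
            fields = (user['wkui1_logon_domain'], user['wkui1_username'],
                      user['wkui1_logon_server'], user['wkui1_oth_domains'])
            print_att('{}\\{} {} {}'.format(*(f.rstrip('\x00') for f in fields)))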
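    def enum_lusers(self, host):
        """Print the logged-on sessions reported by wkssvc on *host*.

        Opens the ``wkssvc`` pipe through ``self.connect``, calls
        NetrWkstaUserEnum at info level 1 and prints ``domain\\user
        logon_server other_domains`` per session. The NUL terminator carried
        by each response string is stripped before printing, and the RPC
        connection is closed as soon as the response is in hand.

        Args:
            host: target host, passed through to ``self.connect``.
        """
        dce, _transport = self.connect(host, 'wkssvc')
        try:
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
        finally:
            dce.disconnect()
        lusers = resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']

        print_succ("{}:{} Logged on users:".format(host, settings.args.port))
        for user in lusers:
            print_att(u'{}\\{} {} {}'.format(
                user['wkui1_logon_domain'].rstrip('\x00'),
                user['wkui1_username'].rstrip('\x00'),
                user['wkui1_logon_server'].rstrip('\x00'),
                user['wkui1_oth_domains'].rstrip('\x00')))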
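    def enum_lusers(self, host):
        """Log the logged-on sessions reported by wkssvc on *host*.

        Connects to the ``wkssvc`` pipe via ``self.connect`` and queries
        NetrWkstaUserEnum at info level 1. Each response string carries a
        terminating NUL, which is stripped before the values are logged as
        ``domain\\user logon_server other_domains``. The connection is closed
        once the response has been read.

        Args:
            host: target host, passed through to ``self.connect``.
        """
        dce, _transport = self.connect(host, 'wkssvc')
        try:
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
        finally:
            dce.disconnect()
        lusers = resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']

        self.__logger.success("Enumerating logged on users")
        for user in lusers:
            domain = user['wkui1_logon_domain'].rstrip('\x00')
            username = user['wkui1_username'].rstrip('\x00')
            logon_server = user['wkui1_logon_server'].rstrip('\x00')
            other_domains = user['wkui1_oth_domains'].rstrip('\x00')
            self.__logger.results(u'{}\\{} {} {}'.format(domain, username,
                                                         logon_server, other_domains))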
    def get_netloggedon(self):
        """Return the sessions logged on at the target as ``rpcobj.WkstaUser`` objects.

        Calls NetrWkstaUserEnum at info level 1 over ``self._rpc_connection``;
        an empty list is returned when the call raises DCERPCException.
        """
        try:
            resp = wkst.hNetrWkstaUserEnum(self._rpc_connection, 1)
        except DCERPCException:
            return []

        buffer_entries = resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']
        return [rpcobj.WkstaUser(entry) for entry in buffer_entries]
    def get_netloggedon(self):
        """Wrap each session reported by NetrWkstaUserEnum (level 1) in ``rpcobj.WkstaUser``.

        Returns an empty list if the RPC call fails with DCERPCException.
        """
        try:
            enum_resp = wkst.hNetrWkstaUserEnum(self._rpc_connection, 1)
        except DCERPCException:
            return []

        level1 = enum_resp['UserInfo']['WkstaUserInfo']['Level1']
        return list(map(rpcobj.WkstaUser, level1['Buffer']))
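    def enum_lusers(self):
        """Log the sessions the target's wkssvc service reports as logged on.

        Calls NetrWkstaUserEnum at info level 1 over the ``wkssvc`` pipe opened
        by ``self.connect``. Response strings are NUL-terminated; the terminator
        is stripped before logging, and the logon server is only shown when the
        response carries one (an empty field arrives as a lone NUL).

        Returns:
            None. A failing enumeration (for example access denied for a
            non-administrative account) is logged and the method returns early
            instead of raising, keeping the best-effort behaviour callers rely on.
        """
        dce, rpctransport = self.connect('wkssvc')

        try:
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
            lusers = resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']
        except Exception as e:
            # Best-effort: say why nothing was enumerated rather than failing silently.
            # Assumes self.logger exposes .error() like the stdlib logging API — TODO confirm.
            self.logger.error('Failed to enumerate logged on users: {}'.format(e))
            return

        self.logger.success("Enumerating logged on users")
        for user in lusers:
            domain = user['wkui1_logon_domain'].rstrip('\x00')
            username = user['wkui1_username'].rstrip('\x00')
            logon_server = user['wkui1_logon_server'].rstrip('\x00')
            self.logger.highlight(u'Username: {}\\{} {}'.format(
                domain, username,
                'LogonServer: {}'.format(logon_server) if logon_server else ''))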
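    def enum_lusers(self):
        """Log the logged-on sessions reported by the target's wkssvc service.

        Uses ``self.connect`` to open the ``wkssvc`` pipe and calls
        NetrWkstaUserEnum at info level 1. The NUL terminator on each response
        string is stripped before logging; the logon server is appended only
        when the response carries one (an empty field arrives as a lone NUL).

        Returns:
            None. Enumeration failures are logged and the method returns early
            rather than raising, preserving the existing best-effort contract.
        """
        dce, rpctransport = self.connect('wkssvc')

        try:
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
            lusers = resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']
        except Exception as e:
            # Report the cause instead of swallowing it silently.
            # Assumes self.logger exposes .error() like the stdlib logging API — TODO confirm.
            self.logger.error('Failed to enumerate logged on users: {}'.format(e))
            return

        self.logger.success("Enumerating logged on users")
        for user in lusers:
            logon_server = user['wkui1_logon_server'].rstrip('\x00')
            server_part = 'LogonServer: {}'.format(logon_server) if logon_server else ''
            self.logger.highlight(u'Username: {}\\{} {}'.format(
                user['wkui1_logon_domain'].rstrip('\x00'),
                user['wkui1_username'].rstrip('\x00'),
                server_part))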
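    def rpc_get_loggedon(self):
        """
        Query logged on users via RPC.
        Requires admin privs

        Calls NetrWkstaUserEnum (info level 1, which includes the logon domain)
        over the \\PIPE\\wkssvc binding and collects unique (username, domain)
        pairs, skipping computer accounts and sessions of local accounts. The
        domain is normalised to the AD domain name when ``self.ad`` knows it.

        Returns:
            list of (username, domain) tuples, or None when the RPC connection
            could not be established. Access-denied and connection-reset
            conditions are logged at debug level and yield whatever was
            collected so far; any other exception propagates. The connection
            is closed on every path.
        """
        binding = r'ncacn_np:%s[\PIPE\wkssvc]' % self.addr
        loggedonusers = set()
        dce = self.dce_rpc_connect(binding, wkst.MSRPC_UUID_WKST)
        if dce is None:
            logging.warning('Connection failed: %s', binding)
            return
        try:
            # 1 means more detail, including the domain
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
            for record in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
                # Response strings are NUL-terminated; strip the terminator once
                username = record['wkui1_username'][:-1]
                domain = record['wkui1_logon_domain'][:-1].upper()
                # Skip computer accounts (endswith also copes with an empty name,
                # where indexing [-2] would raise IndexError)
                if username.endswith('$'):
                    continue
                # Skip sessions for local accounts
                if domain == self.samname.upper():
                    continue
                domain_entry = self.ad.get_domain_by_name(domain)
                if domain_entry is not None:
                    domain = ADUtils.ldap2domain(
                        domain_entry['attributes']['distinguishedName'])
                # Lazy %-args: only formatted when debug logging is enabled
                logging.debug('Found logged on user at %s: %s@%s',
                              self.hostname, username, domain)
                loggedonusers.add((username, domain))
        except DCERPCException as e:
            if 'rpc_s_access_denied' in str(e):
                logging.debug(
                    'Access denied while enumerating LoggedOn on %s, probably no admin privs',
                    self.hostname)
            else:
                logging.debug('Exception connecting to RPC: %s', e)
        except Exception as e:
            if 'connection reset' in str(e):
                logging.debug('Connection was reset: %s', e)
            else:
                # Bare raise keeps the original traceback intact
                raise
        finally:
            # Close the connection on every path, including the re-raise above
            dce.disconnect()
        return list(loggedonusers)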
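    def get_netloggedon(self):
        """Collect the sessions logged on at the target via NetrWkstaUserEnum.

        Opens an RPC connection to ``\\wkssvc`` with ``self.create_rpc_con``,
        queries info level 1 and records each session in ``self.loggedon``,
        keyed by username (NUL terminators stripped), with ``domain``,
        ``logon_srv`` and ``user`` fields. The connection is closed on every
        path, including when the RPC call fails.

        Returns:
            list of the recorded session dicts; an empty list when the call
            raises DCERPCException (``self.loggedon`` is then left empty).
        """
        self.loggedon = {}
        self.create_rpc_con(r'\wkssvc')
        try:
            resp = wkst.hNetrWkstaUserEnum(self.rpc_connection, 1)
        except DCERPCException:
            return list()
        finally:
            # The response is fully parsed at this point; nothing below needs the connection
            self.rpc_connection.disconnect()

        for wksta_user in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
            username = wksta_user['wkui1_username'].strip('\x00')
            self.loggedon[username] = {
                'domain': wksta_user['wkui1_logon_domain'].strip('\x00'),
                'logon_srv': wksta_user['wkui1_logon_server'].strip('\x00'),
                'user': username,
            }

        return list(self.loggedon.values())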
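    def lookup(self, rpctransport, host, csv):
        """Enumerate logged-on sessions on *host* over an already-built transport.

        Binds the DCE/RPC endpoint to the WKST interface and calls
        NetrWkstaUserEnum at info level 1. A broken pipe (the connection timed
        out) and an access-denied response are logged and end the lookup for
        this host; any other error propagates.

        Args:
            rpctransport: impacket DCE/RPC transport already pointed at *host*.
            host: target name/address; not used in the visible part of the method.
            csv: output-format flag; not used in the visible part of the method.

        NOTE(review): the listing appears to stop after the error handling, so
        the code that consumes ``resp`` is not visible here.
        """
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(wkst.MSRPC_UUID_WKST)

        try:
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
        except Exception as e:
            message = str(e)
            if 'Broken pipe' in message:
                # The connection timed-out. Let's try to bring it back next round
                logging.error('Connection failed - skipping host!')
                return
            # str.find() returns -1 (truthy) when the text is absent, so the old
            # `elif ...find('ACCESS_DENIED'):` treated nearly every other error
            # as access denied; a membership test is what was meant.
            if 'ACCESS_DENIED' in message.upper():
                # We're not admin, bye
                logging.error(
                    'Access denied - you must be admin to enumerate sessions this way'
                )
                dce.disconnect()
                return
            raise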
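    def getLoggedIn(self, target):
        """Report who logged in to or out of *target* locally since the last check.

        Does nothing when the target is already marked as refusing admin access.
        Reuses the cached WKST connection for the target or opens a new one
        (counted against ``self.__maxConnections``), then calls NetrWkstaUserEnum
        at info level 1. A broken pipe drops the cached connection so it is
        rebuilt next round; an access-denied error closes it and marks the
        target as non-admin. ``self.__targets[target]['LoggedIn']`` is brought
        in line with the response and each change is printed, subject to
        ``self.__filterUsers`` when a filter is set.

        Args:
            target: key into ``self.__targets``; also used in the binding string.
        """
        if self.__targets[target]['Admin'] is False:
            return

        if self.__targets[target]['WKST'] is None:
            stringWkstBinding = r'ncacn_np:%s[\PIPE\wkssvc]' % target
            rpctransportWkst = transport.DCERPCTransportFactory(stringWkstBinding)
            if hasattr(rpctransportWkst, 'set_credentials'):
                # This method exists only for selected protocol sequences.
                rpctransportWkst.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,
                                                 self.__nthash, self.__aesKey)
                rpctransportWkst.set_kerberos(self.__doKerberos, self.__kdcHost)

            dce = rpctransportWkst.get_dce_rpc()
            dce.connect()
            dce.bind(wkst.MSRPC_UUID_WKST)
            self.__maxConnections -= 1
        else:
            dce = self.__targets[target]['WKST']

        try:
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
        except Exception as e:
            message = str(e)
            if 'Broken pipe' in message:
                # The connection timed-out. Let's try to bring it back next round
                self.__targets[target]['WKST'] = None
                self.__maxConnections += 1
                return
            # str.find() returns -1 (truthy) when the text is absent, so the old
            # `elif ...find('ACCESS_DENIED'):` classified nearly every other
            # error as access denied; test membership instead.
            if 'ACCESS_DENIED' in message.upper():
                # We're not admin, bye
                dce.disconnect()
                self.__maxConnections += 1
                self.__targets[target]['Admin'] = False
                return
            raise

        if self.__maxConnections < 0:
            # Can't keep this connection open. Closing it
            dce.disconnect()
            self.__maxConnections = 0
        else:
            self.__targets[target]['WKST'] = dce

        # Let's see who logged in locally since last check
        tmpLoggedUsers = set()
        printCRLF = False
        for session in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
            # Response strings are NUL-terminated; drop the terminator
            userName = session['wkui1_username'][:-1]
            logonDomain = session['wkui1_logon_domain'][:-1]
            key = '%s\x01%s' % (userName, logonDomain)
            tmpLoggedUsers.add(key)
            if key not in self.__targets[target]['LoggedIn']:
                self.__targets[target]['LoggedIn'].add(key)
                # Are we filtering users?
                if self.__filterUsers is not None:
                    if userName in self.__filterUsers:
                        print "%s: user %s\\%s logged in LOCALLY" % (target,logonDomain,userName)
                        printCRLF=True
                else:
                    print "%s: user %s\\%s logged in LOCALLY" % (target,logonDomain,userName)
                    printCRLF=True

        # Let's see who logged out since last check
        for session in self.__targets[target]['LoggedIn'].copy():
            userName, logonDomain = session.split('\x01')
            if session not in tmpLoggedUsers:
                self.__targets[target]['LoggedIn'].remove(session)
                # Are we filtering users?
                if self.__filterUsers is not None:
                    if userName in self.__filterUsers:
                        print "%s: user %s\\%s logged off LOCALLY" % (target,logonDomain,userName)
                        printCRLF=True
                else:
                    print "%s: user %s\\%s logged off LOCALLY" % (target,logonDomain,userName)
                    printCRLF=True

        if printCRLF is True:
            print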
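    def sessions(self, targets):
        """Report current and historical logons for each target.

        For every host: open the RPC connection and an SMB session, print the
        sessions wkssvc reports as logged on (NetrWkstaUserEnum, info level 1,
        computer accounts skipped), then print the profile directories under
        ``C$\\Users`` — falling back to ``Documents and Settings`` when listing
        raises SessionError — as a proxy for who has logged on before. Errors
        on one host are reported and the loop moves on; Ctrl-C ends it.

        Args:
            targets: iterable of host names/addresses.
        """
        for target in targets:
            # Lets the SessionError fallback tell whether the SMB session was ever established
            smb = None
            try:
                self._create_rpc_connection(target)
                print(target)
                print("-----------------")
                smb = SMBConnection('*SMBSERVER',
                                    target,
                                    sess_port=445,
                                    timeout=5)
                smb.login(self._user, self._password, self._domain)
                try:
                    sess = wkst.hNetrWkstaUserEnum(self._rpc_connection, 1)
                except DCERPCException:
                    print(colors.RD + "     [-]" + colors.NRM +
                          " User does not have access")
                    continue
                self._print_logged_on(sess)
                # Listing happens before the header so a SessionError falls
                # through to the fallback without a stray heading
                entries = self._profile_dirs(smb, '\\Users\\*')
                print("\n  Users Who Have Logged On")
                print("  -------------------------")
                for entry in entries:
                    print(colors.GRN + "     [+] " + colors.NRM + entry)
            except UnboundLocalError as e:
                # Kept as a safety net from the original control flow: report and move on
                print(target)
                print(e)
                print(colors.RD + "     [-] " + colors.NRM +
                      "User does not have access")
                continue
            except socket.error:
                print(colors.BLU + "     [*] " + colors.NRM +
                      "Host either not accessible or port 445 closed")
                continue

            except KeyboardInterrupt:
                return
            except SessionError:
                if smb is None:
                    # The SMB session itself failed; there is nothing to fall back to
                    continue
                try:
                    entries = self._profile_dirs(smb, '\\Documents and Settings\\*')
                    print("\nUsers who have logged on")
                    print("--------------------------")
                    for entry in entries:
                        print("     [*] " + entry)
                except SessionError:
                    continue

    def _print_logged_on(self, sess):
        """Print the unique logged-on domain/user pairs from a level-1 NetrWkstaUserEnum response."""
        users = []
        for wksta_user in sess['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
            # Response strings are NUL-terminated; drop the terminator
            userName = wksta_user['wkui1_username'][:-1]
            logonDomain = wksta_user['wkui1_logon_domain'][:-1]
            if "$" in userName:
                # Machine accounts are not reported
                continue
            # NOTE(review): this literal looks like a placeholder in the listing;
            # confirm the intended format string against the upstream source.
            user = '******' % (logonDomain, userName)
            if user not in users:
                users.append(user)
        print("  Currently Logged On")
        print("  -------------------")
        for user in users:
            print("     " + colors.GRN + "[+] " + colors.NRM + user)

    def _profile_dirs(self, smb, path):
        """Return ``NAME lastlogon: TIME`` for each real profile directory under C$ matching *path*.

        Well-known non-user directories and ``.``/``..`` are skipped. Raises
        SessionError from ``smb.listPath`` when the path cannot be listed.
        """
        skip = ("Public", "All Users", "Default", "Default User", ".", "..")
        lines = []
        for r in smb.listPath('C$', path):
            name = r.get_longname()
            if name in skip or not r.is_directory():
                continue
            lines.append(name + " lastlogon: " +
                         time.ctime(float(r.get_mtime_epoch())))
        return lines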
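    def getLoggedIn(self, target):
        """Report who logged in to or out of *target* locally since the last check.

        Does nothing when the target is already marked as refusing admin access.
        Reuses the cached WKST connection for the target or opens a new one
        (counted against ``self.__maxConnections``), then calls NetrWkstaUserEnum
        at info level 1. A broken pipe drops the cached connection so it is
        rebuilt next round; an access-denied error closes it and marks the
        target as non-admin. ``self.__targets[target]['LoggedIn']`` is brought
        in line with the response and every change is printed, subject to
        ``self.__filterUsers`` when a filter is set.

        Args:
            target: key into ``self.__targets``; also used in the binding string.
        """
        if self.__targets[target]['Admin'] is False:
            return

        if self.__targets[target]['WKST'] is None:
            stringWkstBinding = r'ncacn_np:%s[\PIPE\wkssvc]' % target
            rpctransportWkst = transport.DCERPCTransportFactory(
                stringWkstBinding)
            if hasattr(rpctransportWkst, 'set_credentials'):
                # This method exists only for selected protocol sequences.
                rpctransportWkst.set_credentials(self.__username,
                                                 self.__password,
                                                 self.__domain, self.__lmhash,
                                                 self.__nthash, self.__aesKey)
                rpctransportWkst.set_kerberos(self.__doKerberos,
                                              self.__kdcHost)

            dce = rpctransportWkst.get_dce_rpc()
            dce.connect()
            dce.bind(wkst.MSRPC_UUID_WKST)
            self.__maxConnections -= 1
        else:
            dce = self.__targets[target]['WKST']

        try:
            resp = wkst.hNetrWkstaUserEnum(dce, 1)
        except Exception as e:
            message = str(e)
            if 'Broken pipe' in message:
                # The connection timed-out. Let's try to bring it back next round
                self.__targets[target]['WKST'] = None
                self.__maxConnections += 1
                return
            # str.find() returns -1 (truthy) when the text is absent, so the old
            # `elif ...find('ACCESS_DENIED'):` classified nearly every other
            # error as access denied; test membership instead.
            if 'ACCESS_DENIED' in message.upper():
                # We're not admin, bye
                dce.disconnect()
                self.__maxConnections += 1
                self.__targets[target]['Admin'] = False
                return
            raise

        if self.__maxConnections < 0:
            # Can't keep this connection open. Closing it
            dce.disconnect()
            self.__maxConnections = 0
        else:
            self.__targets[target]['WKST'] = dce

        # Let's see who logged in locally since last check
        known = self.__targets[target]['LoggedIn']
        tmpLoggedUsers = set()
        printCRLF = False
        for session in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
            # Response strings are NUL-terminated; drop the terminator
            userName = session['wkui1_username'][:-1]
            logonDomain = session['wkui1_logon_domain'][:-1]
            key = '%s\x01%s' % (userName, logonDomain)
            tmpLoggedUsers.add(key)
            if key not in known:
                known.add(key)
                if self._reportLocalSession(target, userName, logonDomain,
                                            "%s: user %s\\%s logged in LOCALLY"):
                    printCRLF = True

        # Let's see who logged out since last check
        for session in known.copy():
            userName, logonDomain = session.split('\x01')
            if session not in tmpLoggedUsers:
                known.remove(session)
                if self._reportLocalSession(target, userName, logonDomain,
                                            "%s: user %s\\%s logged off LOCALLY"):
                    printCRLF = True

        if printCRLF is True:
            print()

    def _reportLocalSession(self, target, userName, logonDomain, fmt):
        """Print one session-change line unless the user filter excludes it.

        ``fmt`` is a %-format taking (target, logonDomain, userName). Returns
        True when a line was printed so the caller knows to emit a separator.
        """
        if self.__filterUsers is not None and userName not in self.__filterUsers:
            return False
        print(fmt % (target, logonDomain, userName))
        return True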