def match_creds_to_hosts(host_list): # build vars smb_hosts = list() ssh_hosts = list() # auth ports smb_port = 135 ssh_port = 22 # validate ports are open and add hosts to proper list for host in host_list: smb_check = tcp_scan(host, smb_port) ssh_check = tcp_scan(host, ssh_port) if smb_check: smb_hosts.append(host) if ssh_check: ssh_hosts.append(host) # validate smb login credentials if smb_hosts: # query database for smb credentials smb_svc_accounts = session.query(SmbUser).all() smb_accounts = list() if smb_svc_accounts: # build a dictionary of smb accounts for u in smb_svc_accounts: smb_dict = {'id': u.id, 'username': u.username, 'password': decrypt_string(str.encode(u.encrypted_password), str.encode(u.encrypted_password_salt)), 'domain_name': u.domain_name} smb_accounts.append(smb_dict) # validate credentials using WMI for h in smb_hosts: for u in smb_accounts: cs_query = wmic_query(u['domain_name'], u['username'], u['password'], h, win32_computersystem) failed_login = {'[librpc/rpc/dcerpc_connect.c:828:dcerpc_pipe_connect_b_recv()]' ' failed NT status (c0000022) in dcerpc_pipe_connect_b_recv': '[wmi/wmic.c:196:main()] ERROR: Loin to remote object.'} error_login = {'[librpc/rpc/dcerpc_connect.c:828:dcerpc_pipe_connect_b_recv()] ' 'failed NT status (c0000017) in dcerpc_pipe_connect_b_recv': '[wmi/wmic.c:196:main()] ERROR: Login to remote object.'} connection_refused = {'[librpc/rpc/dcerpc_connect.c:828:dcerpc_pipe_connect_b_recv()]' ' failed NT status (c0000236) in dcerpc_pipe_connect_b_recv': '[wmi/wmic.c:196:main()] ERROR: Login to remote object.'} if cs_query[0] == connection_refused: print('connection refused from %s' % h) if cs_query[0] == error_login: print('error logging into %s' % h) if cs_query[0] == failed_login: print('failed login for %s' % h) elif cs_query[0] != connection_refused and cs_query[0] != error_login and cs_query[0] != failed_login: add_inventory_host = InventoryHost(ipv4_addr=h, smb_user_id=u['id']) session.add(add_inventory_host) session.commit() # validate ssh login credentials if ssh_hosts: # query database for ssh credentials linux_svc_accounts = session.query(LinuxUser).all() linux_accounts = list() if linux_svc_accounts: # build a dictionary of ssh accounts for u in linux_svc_accounts: linux_dict = {'id': u.id, 'username': u.username, 'password': decrypt_string(str.encode(u.encrypted_password), str.encode(u.encrypted_password_salt)), 'enable_password': decrypt_string(str.encode(u.encrypted_enable_password), str.encode(u.encrypted_enable_password_salt))} linux_accounts.append(linux_dict) for h in ssh_hosts: # validate credentials using ssh for u in linux_accounts: ssh_to_host = check_creds(h, u['username'], u['password'].decode("utf-8")) if ssh_to_host == 1: add_inventory_host = InventoryHost(ipv4_addr=h, linux_user_id=u['id']) session.add(add_inventory_host) session.commit() if ssh_to_host == 99: print('linux user not added to %s, bad ssh key' % h) add_inventory_host = InventoryHost(ipv4_addr=h, bad_ssh_key=True) session.add(add_inventory_host) session.commit()
def profile_windows_hosts(domain_name, username, password): hosts = session.query(InventoryHost).all() svcs = session.query(InventorySvc).all() windows_hosts = [] for h in hosts: for s in svcs: host = s.host.ipv4_addr if host == h.ipv4_addr: protocol = s.protocol portid = s.portid try: svc_name = s.name except AttributeError: svc_name = 'unknown' try: svc_product = s.svc_product except AttributeError: svc_product = 'unknown' try: extrainfo = s.extrainfo except AttributeError: extrainfo = 'unknown' try: product_id = s.product_id except AttributeError: product_id = 'unknown' if svc_name == 'msrpc' or svc_name == 'ldap' or svc_name == 'globalcatLDAPssl': windows_hosts.append(h.ipv4_addr) win_host_set = set(windows_hosts) for h in win_host_set: print(h) cs_query = wmic_query(domain_name, username, password, h, win32_computersystem) #os_query = wmic_query(domain_name, username, password, h, win32_operatingsystem) product_query = wmic_query(domain_name, username, password, h, win32_product) #process_query = wmic_query(domain_name, username, password, h, win32_process) #logonsession_query = wmic_query(domain_name, username, password, h, win32_logonsession) #loggedonuser_query = wmic_query(domain_name, username, password, h, win32_loggedonuser) #useraccount_query = wmic_query(domain_name, username, password, h, win32_useraccount) failed_login = search(r'(failed NT status)', str(cs_query)) error_login = search(r'(ERROR: Login to remote object)', str(cs_query)) if failed_login: print('credentials are wrong or %s is not a Windows host' % h) print('\n') elif error_login: print('error logging in, possible timeout..') print('\n') else: for e in cs_query: print('Hostname: %s' % e['DNSHostName']) print('Primary Owner: %s' % e['PrimaryOwnerName']) print('Manufacturer: %s' % e['Manufacturer']) print('Number of Logical Processors: %s' % e['NumberOfLogicalProcessors']) print('System Type: %s' % e['SystemType']) print('\n') #for e in os_query: # print('OS Name: %s' % e['Name']) # print('Version: %s' % e['Version']) # print('OS Type: %s' % e['OSType']) # print('OS Build Number: %s' % e['BuildNumber']) # print('CSD Version: %s' % e['CSDVersion']) # print('Service Pack Minor Version: %s' % e['ServicePackMinorVersion']) # print('OS Product Suite: %s' % e['OSProductSuite']) # print('OS Architecture: %s' % e['OSArchitecture']) # print('OS SKU: %s' % e['OperatingSystemSKU']) # print('Data Execution Prevention for 32Bit Applications: %s' % e['DataExecutionPrevention_32BitApplications']) # print('Data Execution Prevention Support Policy: %s' % e['DataExecutionPrevention_SupportPolicy']) # print('\n') for e in product_query: print(e['Name']) print('\n')