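def get_user_paths():
    """Collect the per-user PATH value of every profile loaded under HKEY_USERS.

    Each subkey of HKEY_USERS is named by a string SID; the PATH is read from
    ``<SID>\\Environment``.  Profiles without an Environment key or without a
    PATH value are skipped silently; a subkey whose name is not a valid string
    SID is skipped with a warning on stdout.

    Returns:
        A list of ``(user, path)`` tuples - ``user`` is the ``user`` principal
        built from the profile SID, ``path`` the raw registry value - or ``0``
        when HKEY_USERS itself cannot be opened (sentinel kept for existing
        callers that test for it).
    """
    access = (win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
              | win32con.KEY_READ)
    try:
        keyh = win32api.RegOpenKeyEx(win32con.HKEY_USERS, None, 0, access)
    except win32api.error:
        return 0

    paths = []
    try:
        for subkey in win32api.RegEnumKeyEx(keyh):
            sid_string = subkey[0]
            try:
                subkeyh = win32api.RegOpenKeyEx(
                    keyh, sid_string + "\\Environment", 0, access)
            except win32api.error:
                continue  # no Environment key for this profile (or no access)
            try:
                try:
                    path, _value_type = win32api.RegQueryValueEx(subkeyh, "PATH")
                except win32api.error:
                    continue  # this profile has no per-user PATH
                try:
                    user_sid = win32security.ConvertStringSidToSid(sid_string)
                except win32security.error:
                    print "WARNING: Can't convert sid %s to name.  Skipping." % sid_string
                    continue
                # One (user, path) tuple per profile.  The previous
                # two-argument append() raised TypeError, which the bare
                # except swallowed, so this function always returned [].
                paths.append((user(user_sid), path))
            finally:
                win32api.RegCloseKey(subkeyh)
    finally:
        win32api.RegCloseKey(keyh)
    return paths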
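def get_user_paths():
    """Collect the per-user PATH value of every profile loaded under HKEY_USERS.

    Each subkey of HKEY_USERS is named by a string SID; the PATH is read from
    ``<SID>\\Environment``.  Profiles without an Environment key or without a
    PATH value are skipped silently; a subkey whose name is not a valid string
    SID is skipped with a warning on stdout.

    Returns:
        A list of ``(user, path)`` tuples - ``user`` is the ``user`` principal
        built from the profile SID, ``path`` the raw registry value - or ``0``
        when HKEY_USERS itself cannot be opened (sentinel kept for existing
        callers that test for it).
    """
    access = (win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
              | win32con.KEY_READ)
    try:
        keyh = win32api.RegOpenKeyEx(win32con.HKEY_USERS, None, 0, access)
    except win32api.error:
        return 0

    paths = []
    try:
        for subkey in win32api.RegEnumKeyEx(keyh):
            sid_string = subkey[0]
            try:
                subkeyh = win32api.RegOpenKeyEx(
                    keyh, sid_string + "\\Environment", 0, access)
            except win32api.error:
                continue  # no Environment key for this profile (or no access)
            try:
                try:
                    path, _value_type = win32api.RegQueryValueEx(subkeyh, "PATH")
                except win32api.error:
                    continue  # this profile has no per-user PATH
                try:
                    user_sid = win32security.ConvertStringSidToSid(sid_string)
                except win32security.error:
                    print "WARNING: Can't convert sid %s to name.  Skipping." % sid_string
                    continue
                # One (user, path) tuple per profile.  The previous
                # two-argument append() raised TypeError, which the bare
                # except swallowed, so this function always returned [].
                paths.append((user(user_sid), path))
            finally:
                win32api.RegCloseKey(subkeyh)
    finally:
        win32api.RegCloseKey(keyh)
    return paths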
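    def get_members_except(self, ignore_principals):
        """Return the members of this local group, expanding nested groups.

        Args:
            ignore_principals: list of principals (anything with ``get_sid()``)
                that must not be reported.  NOTE: this list is extended in
                place with every principal found, so recursive calls - and the
                caller - see a growing set; this is what stops cyclic group
                membership from being expanded forever.

        Returns:
            A list of ``user`` / ``group`` objects: the direct members whose
            SID is not in ``ignore_principals``, followed by the recursively
            collected members of any of those that are themselves groups.
        """
        # ignore_principals is not modified while the members are enumerated,
        # so the SID list only needs to be built once.
        ignored_sids = [x.get_sid() for x in ignore_principals]
        principals = []
        for member in wpc.conf.cache.NetLocalGroupGetMembers(
                wpc.conf.remote_server, self.get_name(), 2):
            if wpc.conf.sid_is_group_type[member['sidusage']]:
                p = group(member['sid'])
            else:
                p = user(member['sid'])
            if p.get_sid() not in ignored_sids:
                principals.append(p)

        # TODO: should be able to list members of group "None"
        # TODO: make recursive expansion an option
        ignore_principals.extend(principals)

        # Expand nested groups once the direct members are known.  The group
        # to expand is ``p`` itself: the earlier version built it from the
        # enumeration variable ``member``, i.e. whichever member happened to
        # be listed last, so the wrong group (or a user's SID) was expanded.
        nested = []
        for p in principals:
            if p.is_group_type():
                nested.extend(
                    group(p.get_sid()).get_members_except(ignore_principals))
        principals.extend(nested)
        return principals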
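    def get_members_except(self, ignore_principals):
        """Return the members of this local group, expanding nested groups.

        Args:
            ignore_principals: list of principals (anything with ``get_sid()``)
                that must not be reported.  NOTE: this list is extended in
                place with every principal found, so recursive calls - and the
                caller - see a growing set; this is what stops cyclic group
                membership from being expanded forever.

        Returns:
            A list of ``user`` / ``group`` objects: the direct members whose
            SID is not in ``ignore_principals``, followed by the recursively
            collected members of any of those that are themselves groups.
        """
        # ignore_principals is not modified while the members are enumerated,
        # so the SID list only needs to be built once.
        ignored_sids = [x.get_sid() for x in ignore_principals]
        principals = []
        for member in wpc.conf.cache.NetLocalGroupGetMembers(
                wpc.conf.remote_server, self.get_name(), 2):
            if wpc.conf.sid_is_group_type[member["sidusage"]]:
                p = group(member["sid"])
            else:
                p = user(member["sid"])
            if p.get_sid() not in ignored_sids:
                principals.append(p)

        # TODO: should be able to list members of group "None"
        # TODO: make recursive expansion an option
        ignore_principals.extend(principals)

        # Expand nested groups once the direct members are known.  The group
        # to expand is ``p`` itself: the earlier version built it from the
        # enumeration variable ``member``, i.e. whichever member happened to
        # be listed last, so the wrong group (or a user's SID) was expanded.
        nested = []
        for p in principals:
            if p.is_group_type():
                nested.extend(
                    group(p.get_sid()).get_members_except(ignore_principals))
        principals.extend(nested)
        return principals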
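 def get_filtered(self, ):
     """Return the cached list of ``user`` principals, enumerating on first use.

     Enumerates accounts on ``wpc.conf.remote_server`` with NetUserEnum at
     information level 1 (paging through the resume handle) and resolves each
     name to a SID via the shared lookup cache.  Despite the name, no filtering
     beyond the information level is applied here.

     The result is memoised in ``self.users``; because the cache test is
     ``== []``, an empty enumeration is simply repeated on the next call.
     Errors from the Win32 calls propagate to the caller.
     """
     if self.users == []:
         level = 1
         resume = 0
         while True:
             # 999999 is the preferred buffer length; paging still happens
             # through ``resume``.
             userlist, _total, resume = win32net.NetUserEnum(
                 wpc.conf.remote_server, level, 0, resume, 999999)
             for u in userlist:
                 sid, _name, _sid_type = wpc.conf.cache.LookupAccountName(
                     wpc.conf.remote_server, u['name'])
                 self.users.append(user(sid))
             if resume == 0:
                 break
     return self.users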
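 def get_filtered(self, ):
     """Return the cached list of ``user`` principals, enumerating on first use.

     Enumerates accounts on ``wpc.conf.remote_server`` with NetUserEnum at
     information level 1 (paging through the resume handle) and resolves each
     name to a SID via the shared lookup cache.  Despite the name, no filtering
     beyond the information level is applied here.

     The result is memoised in ``self.users``; because the cache test is
     ``== []``, an empty enumeration is simply repeated on the next call.
     Errors from the Win32 calls propagate to the caller.
     """
     if self.users == []:
         level = 1
         resume = 0
         while True:
             # 999999 is the preferred buffer length; paging still happens
             # through ``resume``.
             userlist, _total, resume = win32net.NetUserEnum(
                 wpc.conf.remote_server, level, 0, resume, 999999)
             for u in userlist:
                 sid, _name, _sid_type = wpc.conf.cache.LookupAccountName(
                     wpc.conf.remote_server, u['name'])
                 self.users.append(user(sid))
             if resume == 0:
                 break
     return self.users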
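 def get_all(self):
     """Return the cached list of every ``user`` principal on the target.

     On first use, enumerates accounts on ``wpc.conf.remote_server`` with
     NetUserEnum at information level 0 (paging through the resume handle)
     and resolves each name to a SID via the shared lookup cache.

     The result is memoised in ``self.users``.  A ``pywintypes.error`` from
     the Win32 calls is printed and stops the enumeration; whatever was
     collected before the failure stays cached and is returned, so a partial
     list is not retried on later calls.
     """
     if self.users == []:
         level = 0
         resume = 0
         try:
             while True:
                 # 999999 is the preferred buffer length; paging still
                 # happens through ``resume``.
                 userlist, _total, resume = win32net.NetUserEnum(
                     wpc.conf.remote_server, level, 0, resume, 999999)
                 for u in userlist:
                     sid, _name, _sid_type = wpc.conf.cache.LookupAccountName(
                         wpc.conf.remote_server, u['name'])
                     self.users.append(user(sid))
                 if resume == 0:
                     break
         except pywintypes.error as e:
             # e[1] is the failing API name, e[2] the system error text.
             print "[E] %s: %s" % (e[1], e[2])
     return self.users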
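 def get_all(self):
     """Return the cached list of every ``user`` principal on the target.

     On first use, enumerates accounts on ``wpc.conf.remote_server`` with
     NetUserEnum at information level 0 (paging through the resume handle)
     and resolves each name to a SID via the shared lookup cache.

     The result is memoised in ``self.users``.  A ``pywintypes.error`` from
     the Win32 calls is printed and stops the enumeration; whatever was
     collected before the failure stays cached and is returned, so a partial
     list is not retried on later calls.
     """
     if self.users == []:
         level = 0
         resume = 0
         try:
             while True:
                 # 999999 is the preferred buffer length; paging still
                 # happens through ``resume``.
                 userlist, _total, resume = win32net.NetUserEnum(
                     wpc.conf.remote_server, level, 0, resume, 999999)
                 for u in userlist:
                     sid, _name, _sid_type = wpc.conf.cache.LookupAccountName(
                         wpc.conf.remote_server, u['name'])
                     self.users.append(user(sid))
                 if resume == 0:
                     break
         except pywintypes.error as e:
             # e[1] is the failing API name, e[2] the system error text.
             print "[E] %s: %s" % (e[1], e[2])
     return self.users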
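def define_trusted_principals():
    """Populate ``wpc.conf.trusted_principals``: the principals whose access is
    NOT reported as a privilege-escalation issue.

    Starts from the names in ``wpc.conf.trusted_principals_fq``, adds
    ``NT AUTHORITY\\TERMINAL SERVER USER`` only when the Terminal Server
    ``TSUserEnabled`` value is present and non-zero (KB238965), resolves every
    name to a ``Group`` / ``user`` object, and finally adds the well-known
    aliases Server Operators (S-1-5-32-549) and Power Users (S-1-5-32-547)
    only when they do not resolve on the target (a group that does not exist
    cannot have members, so trusting it hides nothing).  Prints the final list.
    """
    _trust_terminal_server_user_if_enabled()

    for t in wpc.conf.trusted_principals_fq:
        p = _lookup_principal(t)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    # The in-line TODOs asked for exactly this: trust these aliases only when
    # they are absent.  The previous code appended a stale ``p`` from inside
    # an ``except`` for Server Operators and always trusted Power Users.
    _trust_if_unresolvable("S-1-5-32-549", "Server Operators")
    _trust_if_unresolvable("S-1-5-32-547", "Power Users")

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print


def _trust_terminal_server_user_if_enabled():
    """Append ``NT AUTHORITY\\TERMINAL SERVER USER`` to the trusted names only
    when HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\TSUserEnabled
    exists and is non-zero (see http://support.microsoft.com/kb/238965).
    """
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if not r.is_present():
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
    else:
        v = r.get_value("TSUserEnabled")
        if v is None:
            print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        elif v != 0:
            print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    print


def _lookup_principal(name):
    """Resolve an account name on the target to a ``Group`` or ``user`` object.

    Returns None (after printing an [E] line) when the name cannot be looked
    up; a name that resolves to a group type is wrapped as ``Group`` so its
    membership can be expanded later.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print "[E] can't look up sid for " + name
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except win32security.error as e:
        print "[E] can't look up sid for %s: %s" % (name, e)
        return None


def _trust_if_unresolvable(sid_string, label):
    """Treat the well-known alias ``sid_string`` as trusted only if it does
    not resolve on the target.

    A group that does not exist on this host (e.g. Server Operators outside a
    domain controller) cannot have members, so an ACE granting it access is
    not exploitable.  A group that does exist must stay untrusted so that
    access granted to it is reported.
    """
    sid = win32security.ConvertStringSidToSid(sid_string)
    try:
        win32security.LookupAccountSid(wpc.conf.remote_server, sid)
    except win32security.error:
        print "[i] %s (%s) does not resolve on the target. Treating it as trusted." % (label, sid_string)
        # NOTE(review): assumes Group() accepts a SID that does not resolve - confirm
        wpc.conf.trusted_principals.append(Group(sid))
        return
    print "[i] %s (%s) exists on the target. Not treating it as trusted." % (label, sid_string)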
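def define_trusted_principals():
    """Populate ``wpc.conf.trusted_principals``: the principals whose access is
    NOT reported as a privilege-escalation issue.

    Starts from the names in ``wpc.conf.trusted_principals_fq``, adds
    ``NT AUTHORITY\\TERMINAL SERVER USER`` only when the Terminal Server
    ``TSUserEnabled`` value is present and non-zero (KB238965), resolves every
    name to a ``Group`` / ``user`` object, and finally adds the well-known
    aliases Server Operators (S-1-5-32-549) and Power Users (S-1-5-32-547)
    only when they do not resolve on the target (a group that does not exist
    cannot have members, so trusting it hides nothing).  Prints the final list.
    """
    _trust_terminal_server_user_if_enabled()

    for t in wpc.conf.trusted_principals_fq:
        p = _lookup_principal(t)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    # The in-line TODOs asked for exactly this: trust these aliases only when
    # they are absent.  The previous code appended a stale ``p`` from inside
    # an ``except`` for Server Operators and always trusted Power Users.
    _trust_if_unresolvable("S-1-5-32-549", "Server Operators")
    _trust_if_unresolvable("S-1-5-32-547", "Power Users")

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print


def _trust_terminal_server_user_if_enabled():
    """Append ``NT AUTHORITY\\TERMINAL SERVER USER`` to the trusted names only
    when HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\TSUserEnabled
    exists and is non-zero (see http://support.microsoft.com/kb/238965).
    """
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if not r.is_present():
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
    else:
        v = r.get_value("TSUserEnabled")
        if v is None:
            print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        elif v != 0:
            print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    print


def _lookup_principal(name):
    """Resolve an account name on the target to a ``Group`` or ``user`` object.

    Returns None (after printing an [E] line) when the name cannot be looked
    up; a name that resolves to a group type is wrapped as ``Group`` so its
    membership can be expanded later.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print "[E] can't look up sid for " + name
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except win32security.error as e:
        print "[E] can't look up sid for %s: %s" % (name, e)
        return None


def _trust_if_unresolvable(sid_string, label):
    """Treat the well-known alias ``sid_string`` as trusted only if it does
    not resolve on the target.

    A group that does not exist on this host (e.g. Server Operators outside a
    domain controller) cannot have members, so an ACE granting it access is
    not exploitable.  A group that does exist must stay untrusted so that
    access granted to it is reported.
    """
    sid = win32security.ConvertStringSidToSid(sid_string)
    try:
        win32security.LookupAccountSid(wpc.conf.remote_server, sid)
    except win32security.error:
        print "[i] %s (%s) does not resolve on the target. Treating it as trusted." % (label, sid_string)
        # NOTE(review): assumes Group() accepts a SID that does not resolve - confirm
        wpc.conf.trusted_principals.append(Group(sid))
        return
    print "[i] %s (%s) exists on the target. Not treating it as trusted." % (label, sid_string)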
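def define_trusted_principals(options):
    """Decide which principals are "trusted" or "exploitable by" for this run.

    Writes module state in ``wpc.conf``:

    * ``privesc_mode = "exploitable_by"`` when an exploitable-by list/file was
      given or ``exploitable_by_me`` is set; ``wpc.conf.exploitable_by`` is
      then filled (current token owner + non-deny-only groups, plus the
      resolved names) and the function returns early.
    * otherwise ``privesc_mode = "report_untrusted"`` and
      ``wpc.conf.trusted_principals`` is filled from
      ``wpc.conf.trusted_principals_fq``, which is either replaced/extended
      by the user's ignore list or tweaked automatically (TERMINAL SERVER USER
      per KB238965; Server Operators and Power Users only when they do not
      resolve on the target).

    Args:
        options: parsed command-line options.  Reads ``exploitable_by_list``,
            ``exploitable_by_file``, ``exploitable_by_me``,
            ``ignore_principal_list``, ``ignore_principal_file`` and
            ``ignorenoone``.

    Exits the process (status 1) when a list file cannot be read or the
    current process token cannot be examined.
    """
    exploitable_by_fq = list(options.exploitable_by_list or [])
    if options.exploitable_by_file:
        exploitable_by_fq += _read_principal_names(options.exploitable_by_file)

    ignore_principals = list(options.ignore_principal_list or [])
    if options.ignore_principal_file:
        # The guard tests ``ignore_principal_file``, but the file used to be
        # opened (and the error printed) through ``options.ignoreprincipalfile``,
        # so any read failure raised AttributeError instead of the [E] line.
        # Use the attribute the guard already relies on.
        ignore_principals += _read_principal_names(options.ignore_principal_file)

    # --exploitable-by-me: the owner of the current process token and its
    # enabled groups are the principals we can act as.
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # g[1] is presumably the group's attribute-name list.  A
                # deny-only group never grants access, so it cannot be used
                # to exploit anything; substring test kept because the
                # attribute names may carry a prefix.
                if "USE_FOR_DENY_ONLY" not in "|".join(g[1]):
                    wpc.conf.exploitable_by.append(g[0])
        except Exception as e:
            print "[E] Problem examining access token of current process: %s" % e
            sys.exit(1)

    # "exploitable by" mode: only access granted to these principals is reported.
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for t in exploitable_by_fq:
            p = _lookup_principal(t)
            if p is not None:
                wpc.conf.exploitable_by.append(p)
        print "Only reporting privesc issues for these users/groups:"
        for p in wpc.conf.exploitable_by:
            print "* " + p.get_fq_name()
        return

    wpc.conf.privesc_mode = "report_untrusted"

    if ignore_principals:
        # The user supplied a trust list: with --ignorenoone it replaces the
        # built-in defaults, otherwise it extends them.
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        # No user list: adjust the defaults to the target's configuration.
        _trust_terminal_server_user_if_enabled()
        # The in-line TODOs asked for exactly this: trust these aliases only
        # when they are absent.  The previous code appended a stale ``p`` from
        # inside an ``except`` for Server Operators and always trusted
        # Power Users.
        _trust_if_unresolvable("S-1-5-32-549", "Server Operators")
        _trust_if_unresolvable("S-1-5-32-547", "Power Users")

    # Resolve the fully-qualified names into principal objects.
    for t in wpc.conf.trusted_principals_fq:
        p = _lookup_principal(t)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print


def _read_principal_names(path):
    """Return the non-blank, stripped lines of the principal list at ``path``.

    Exits with status 1 (after printing the OS error) when the file cannot be
    read: continuing with a silently incomplete trust list would hide findings.
    """
    try:
        with open(path) as f:
            return [line.strip() for line in f if line.strip()]
    except IOError as e:
        print "[E] Error reading from file %s: %s" % (path, e)
        sys.exit(1)


def _lookup_principal(name):
    """Resolve an account name on the target to a ``Group`` or ``user`` object.

    Returns None (after printing an [E] line) when the name cannot be looked
    up; a name that resolves to a group type is wrapped as ``Group`` so its
    membership can be expanded later.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print "[E] can't look up sid for " + name
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except win32security.error as e:
        print "[E] can't look up sid for %s: %s" % (name, e)
        return None


def _trust_terminal_server_user_if_enabled():
    """Append ``NT AUTHORITY\\TERMINAL SERVER USER`` to the trusted names only
    when HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\TSUserEnabled
    exists and is non-zero (see http://support.microsoft.com/kb/238965).
    """
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if not r.is_present():
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
    else:
        v = r.get_value("TSUserEnabled")
        if v is None:
            print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        elif v != 0:
            print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    print


def _trust_if_unresolvable(sid_string, label):
    """Treat the well-known alias ``sid_string`` as trusted only if it does
    not resolve on the target.

    A group that does not exist on this host (e.g. Server Operators outside a
    domain controller) cannot have members, so an ACE granting it access is
    not exploitable.  A group that does exist must stay untrusted so that
    access granted to it is reported.
    """
    sid = win32security.ConvertStringSidToSid(sid_string)
    try:
        win32security.LookupAccountSid(wpc.conf.remote_server, sid)
    except win32security.error:
        print "[i] %s (%s) does not resolve on the target. Treating it as trusted." % (label, sid_string)
        # NOTE(review): assumes Group() accepts a SID that does not resolve - confirm
        wpc.conf.trusted_principals.append(Group(sid))
        return
    print "[i] %s (%s) exists on the target. Not treating it as trusted." % (label, sid_string)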
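def define_trusted_principals(options):
    """Decide which principals are "trusted" or "exploitable by" for this run.

    Writes module state in ``wpc.conf``:

    * ``privesc_mode = "exploitable_by"`` when an exploitable-by list/file was
      given or ``exploitable_by_me`` is set; ``wpc.conf.exploitable_by`` is
      then filled (current token owner + non-deny-only groups, plus the
      resolved names) and the function returns early.
    * otherwise ``privesc_mode = "report_untrusted"`` and
      ``wpc.conf.trusted_principals`` is filled from
      ``wpc.conf.trusted_principals_fq``, which is either replaced/extended
      by the user's ignore list or tweaked automatically (TERMINAL SERVER USER
      per KB238965; Server Operators and Power Users only when they do not
      resolve on the target).

    Args:
        options: parsed command-line options.  Reads ``exploitable_by_list``,
            ``exploitable_by_file``, ``exploitable_by_me``,
            ``ignore_principal_list``, ``ignore_principal_file`` and
            ``ignorenoone``.

    Exits the process (status 1) when a list file cannot be read or the
    current process token cannot be examined.
    """
    exploitable_by_fq = list(options.exploitable_by_list or [])
    if options.exploitable_by_file:
        exploitable_by_fq += _read_principal_names(options.exploitable_by_file)

    ignore_principals = list(options.ignore_principal_list or [])
    if options.ignore_principal_file:
        # The guard tests ``ignore_principal_file``, but the file used to be
        # opened (and the error printed) through ``options.ignoreprincipalfile``,
        # so any read failure raised AttributeError instead of the [E] line.
        # Use the attribute the guard already relies on.
        ignore_principals += _read_principal_names(options.ignore_principal_file)

    # --exploitable-by-me: the owner of the current process token and its
    # enabled groups are the principals we can act as.
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # g[1] is presumably the group's attribute-name list.  A
                # deny-only group never grants access, so it cannot be used
                # to exploit anything; substring test kept because the
                # attribute names may carry a prefix.
                if "USE_FOR_DENY_ONLY" not in "|".join(g[1]):
                    wpc.conf.exploitable_by.append(g[0])
        except Exception as e:
            print "[E] Problem examining access token of current process: %s" % e
            sys.exit(1)

    # "exploitable by" mode: only access granted to these principals is reported.
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for t in exploitable_by_fq:
            p = _lookup_principal(t)
            if p is not None:
                wpc.conf.exploitable_by.append(p)
        print "Only reporting privesc issues for these users/groups:"
        for p in wpc.conf.exploitable_by:
            print "* " + p.get_fq_name()
        return

    wpc.conf.privesc_mode = "report_untrusted"

    if ignore_principals:
        # The user supplied a trust list: with --ignorenoone it replaces the
        # built-in defaults, otherwise it extends them.
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        # No user list: adjust the defaults to the target's configuration.
        _trust_terminal_server_user_if_enabled()
        # The in-line TODOs asked for exactly this: trust these aliases only
        # when they are absent.  The previous code appended a stale ``p`` from
        # inside an ``except`` for Server Operators and always trusted
        # Power Users.
        _trust_if_unresolvable("S-1-5-32-549", "Server Operators")
        _trust_if_unresolvable("S-1-5-32-547", "Power Users")

    # Resolve the fully-qualified names into principal objects.
    for t in wpc.conf.trusted_principals_fq:
        p = _lookup_principal(t)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print


def _read_principal_names(path):
    """Return the non-blank, stripped lines of the principal list at ``path``.

    Exits with status 1 (after printing the OS error) when the file cannot be
    read: continuing with a silently incomplete trust list would hide findings.
    """
    try:
        with open(path) as f:
            return [line.strip() for line in f if line.strip()]
    except IOError as e:
        print "[E] Error reading from file %s: %s" % (path, e)
        sys.exit(1)


def _lookup_principal(name):
    """Resolve an account name on the target to a ``Group`` or ``user`` object.

    Returns None (after printing an [E] line) when the name cannot be looked
    up; a name that resolves to a group type is wrapped as ``Group`` so its
    membership can be expanded later.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print "[E] can't look up sid for " + name
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except win32security.error as e:
        print "[E] can't look up sid for %s: %s" % (name, e)
        return None


def _trust_terminal_server_user_if_enabled():
    """Append ``NT AUTHORITY\\TERMINAL SERVER USER`` to the trusted names only
    when HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\TSUserEnabled
    exists and is non-zero (see http://support.microsoft.com/kb/238965).
    """
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if not r.is_present():
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
    else:
        v = r.get_value("TSUserEnabled")
        if v is None:
            print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        elif v != 0:
            print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    print


def _trust_if_unresolvable(sid_string, label):
    """Treat the well-known alias ``sid_string`` as trusted only if it does
    not resolve on the target.

    A group that does not exist on this host (e.g. Server Operators outside a
    domain controller) cannot have members, so an ACE granting it access is
    not exploitable.  A group that does exist must stay untrusted so that
    access granted to it is reported.
    """
    sid = win32security.ConvertStringSidToSid(sid_string)
    try:
        win32security.LookupAccountSid(wpc.conf.remote_server, sid)
    except win32security.error:
        print "[i] %s (%s) does not resolve on the target. Treating it as trusted." % (label, sid_string)
        # NOTE(review): assumes Group() accepts a SID that does not resolve - confirm
        wpc.conf.trusted_principals.append(Group(sid))
        return
    print "[i] %s (%s) exists on the target. Not treating it as trusted." % (label, sid_string)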