def fetchList(self, rpctransport):
dce = DCERPC_v5(rpctransport)
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
# Setup Connection
resp = samr.hSamrConnect2(dce)
if resp['ErrorCode'] != 0:
raise Exception('Connect error')
resp2 = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle=resp['ServerHandle'],
enumerationContext=0,
preferedMaximumLength=500)
if resp2['ErrorCode'] != 0:
raise Exception('Connect error')
resp3 = samr.hSamrLookupDomainInSamServer(dce, serverHandle=resp['ServerHandle'],
name=resp2['Buffer']['Buffer'][0]['Name'])
if resp3['ErrorCode'] != 0:
raise Exception('Connect error')
resp4 = samr.hSamrOpenDomain(dce, serverHandle=resp['ServerHandle'],
desiredAccess=samr.MAXIMUM_ALLOWED,
domainId=resp3['DomainId'])
if resp4['ErrorCode'] != 0:
raise Exception('Connect error')
self.__domains = resp2['Buffer']['Buffer']
domainHandle = resp4['DomainHandle']
# End Setup
re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle,
domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation)
self.__min_pass_len = re['Buffer']['Password']['MinPasswordLength'] or "None"
self.__pass_hist_len = re['Buffer']['Password']['PasswordHistoryLength'] or "None"
self.__max_pass_age = convert(int(re['Buffer']['Password']['MaxPasswordAge']['LowPart']), int(re['Buffer']['Password']['MaxPasswordAge']['HighPart']))
self.__min_pass_age = convert(int(re['Buffer']['Password']['MinPasswordAge']['LowPart']), int(re['Buffer']['Password']['MinPasswordAge']['HighPart']))
self.__pass_prop = d2b(re['Buffer']['Password']['PasswordProperties'])
re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle,
domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation)
self.__rst_accnt_lock_counter = convert(0, re['Buffer']['Lockout']['LockoutObservationWindow'], lockout=True)
self.__lock_accnt_dur = convert(0, re['Buffer']['Lockout']['LockoutDuration'], lockout=True)
self.__accnt_lock_thres = re['Buffer']['Lockout']['LockoutThreshold'] or "None"
re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle,
domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation)
self.__force_logoff_time = convert(re['Buffer']['Logoff']['ForceLogoff']['LowPart'], re['Buffer']['Logoff']['ForceLogoff']['HighPart'])
self.pass_pol = {'min_pass_len': self.__min_pass_len, 'pass_hist_len': self.__pass_hist_len,
'max_pass_age': self.__max_pass_age, 'min_pass_age': self.__min_pass_age,
'pass_prop': self.__pass_prop, 'rst_accnt_lock_counter': self.__rst_accnt_lock_counter,
'lock_accnt_dur': self.__lock_accnt_dur, 'accnt_lock_thres': self.__accnt_lock_thres,
'force_logoff_time': self.__force_logoff_time}
def fetchList(self, rpctransport):
dce = DCERPC_v5(rpctransport)
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
# Setup Connection
resp = samr.hSamrConnect2(dce)
if resp['ErrorCode'] != 0:
raise Exception('Connect error')
resp2 = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle=resp['ServerHandle'],
enumerationContext=0,
preferedMaximumLength=500)
if resp2['ErrorCode'] != 0:
raise Exception('Connect error')
resp3 = samr.hSamrLookupDomainInSamServer(dce, serverHandle=resp['ServerHandle'],
name=resp2['Buffer']['Buffer'][0]['Name'])
if resp3['ErrorCode'] != 0:
raise Exception('Connect error')
resp4 = samr.hSamrOpenDomain(dce, serverHandle=resp['ServerHandle'],
desiredAccess=samr.MAXIMUM_ALLOWED,
domainId=resp3['DomainId'])
if resp4['ErrorCode'] != 0:
raise Exception('Connect error')
self.__domains = resp2['Buffer']['Buffer']
domainHandle = resp4['DomainHandle']
# End Setup
re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle,
domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation)
self.__min_pass_len = re['Buffer']['Password']['MinPasswordLength'] or "None"
self.__pass_hist_len = re['Buffer']['Password']['PasswordHistoryLength'] or "None"
self.__max_pass_age = convert(int(re['Buffer']['Password']['MaxPasswordAge']['LowPart']), int(re['Buffer']['Password']['MaxPasswordAge']['HighPart']))
self.__min_pass_age = convert(int(re['Buffer']['Password']['MinPasswordAge']['LowPart']), int(re['Buffer']['Password']['MinPasswordAge']['HighPart']))
self.__pass_prop = d2b(re['Buffer']['Password']['PasswordProperties'])
re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle,
domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation)
self.__rst_accnt_lock_counter = convert(0, re['Buffer']['Lockout']['LockoutObservationWindow'], lockout=True)
self.__lock_accnt_dur = convert(0, re['Buffer']['Lockout']['LockoutDuration'], lockout=True)
self.__accnt_lock_thres = re['Buffer']['Lockout']['LockoutThreshold'] or "None"
re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle,
domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation)
self.__force_logoff_time = convert(re['Buffer']['Logoff']['ForceLogoff']['LowPart'], re['Buffer']['Logoff']['ForceLogoff']['HighPart'])
self.pass_pol = {'min_pass_len': self.__min_pass_len, 'pass_hist_len': self.__pass_hist_len,
'max_pass_age': self.__max_pass_age, 'min_pass_age': self.__min_pass_age,
'pass_prop': self.__pass_prop, 'rst_accnt_lock_counter': self.__rst_accnt_lock_counter,
'lock_accnt_dur': self.__lock_accnt_dur, 'accnt_lock_thres': self.__accnt_lock_thres,
'force_logoff_time': self.__force_logoff_time}
def get_pass_pol(self, host, rpctransport, dce, domainHandle):
resp = samr.hSamrQueryInformationDomain(dce, domainHandle, samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation)
min_pass_len = resp['Buffer']['Password']['MinPasswordLength']
pass_hst_len = resp['Buffer']['Password']['PasswordHistoryLength']
self.__logger.results('Minimum password length: {}'.format(min_pass_len))
self.__logger.results('Password history length: {}'.format(pass_hst_len))
max_pass_age = self.convert(resp['Buffer']['Password']['MaxPasswordAge']['LowPart'],
resp['Buffer']['Password']['MaxPasswordAge']['HighPart'],
1)
min_pass_age = self.convert(resp['Buffer']['Password']['MinPasswordAge']['LowPart'],
resp['Buffer']['Password']['MinPasswordAge']['HighPart'],
1)
self.__logger.results('Maximum password age: {}'.format(max_pass_age))
self.__logger.results('Minimum password age: {}'.format(min_pass_age))
resp = samr.hSamrQueryInformationDomain2(dce, domainHandle,samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation)
lock_threshold = int(resp['Buffer']['Lockout']['LockoutThreshold'])
self.__logger.results("Account lockout threshold: {}".format(lock_threshold))
lock_duration = None
if lock_threshold != 0: lock_duration = int(resp['Buffer']['Lockout']['LockoutDuration']) / -600000000
self.__logger.results("Account lockout duration: {}".format(lock_duration))
def get_pass_pol(self, host, rpctransport, dce, domainHandle):
try:
resp = samr.hSamrQueryInformationDomain(
dce, domainHandle,
samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation)
min_pass_len = resp['Buffer']['Password']['MinPasswordLength']
pass_hst_len = resp['Buffer']['Password']['PasswordHistoryLength']
self.logger.highlight(
'Minimum password length: {}'.format(min_pass_len))
self.logger.highlight(
'Password history length: {}'.format(pass_hst_len))
max_pass_age = self.convert(
resp['Buffer']['Password']['MaxPasswordAge']['LowPart'],
resp['Buffer']['Password']['MaxPasswordAge']['HighPart'], 1)
min_pass_age = self.convert(
resp['Buffer']['Password']['MinPasswordAge']['LowPart'],
resp['Buffer']['Password']['MinPasswordAge']['HighPart'], 1)
self.logger.highlight(
'Maximum password age: {}'.format(max_pass_age))
self.logger.highlight(
'Minimum password age: {}'.format(min_pass_age))
resp = samr.hSamrQueryInformationDomain2(
dce, domainHandle,
samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation)
lock_threshold = int(resp['Buffer']['Lockout']['LockoutThreshold'])
self.logger.highlight(
"Account lockout threshold: {}".format(lock_threshold))
lock_duration = None
if lock_threshold != 0:
lock_duration = int(
resp['Buffer']['Lockout']['LockoutDuration']) / -600000000
self.logger.highlight(
"Account lockout duration: {}".format(lock_duration))
except Exception as e:
self.logger.error("{}".format(e))
def __samr_pswpolicy(self, usrdomain=None):
self.__samr_domains(False)
for domain_name, domain in self.domains_dict.items():
if usrdomain and usrdomain.upper() != domain_name.upper():
continue
print('Looking up password policy in domain %s' % domain_name)
resp = samr.hSamrLookupDomainInSamServer(
self.__dce, serverHandle=self.__mgr_handle, name=domain_name)
if resp['ErrorCode'] != 0:
raise Exception('Connect error')
resp = samr.hSamrOpenDomain(self.__dce,
serverHandle=self.__mgr_handle,
desiredAccess=samr.MAXIMUM_ALLOWED,
domainId=resp['DomainId'])
if resp['ErrorCode'] != 0:
raise Exception('Connect error')
domainHandle = resp['DomainHandle']
# End Setup
domain_passwd = samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation
re = samr.hSamrQueryInformationDomain2(
self.__dce,
domainHandle=domainHandle,
domainInformationClass=domain_passwd)
self.__min_pass_len = (
re['Buffer']['Password']['MinPasswordLength'] or "None")
pass_hist_len = re['Buffer']['Password']['PasswordHistoryLength']
self.__pass_hist_len = pass_hist_len or "None"
self.__max_pass_age = convert(
int(re['Buffer']['Password']['MaxPasswordAge']['LowPart']),
int(re['Buffer']['Password']['MaxPasswordAge']['HighPart']))
self.__min_pass_age = convert(
int(re['Buffer']['Password']['MinPasswordAge']['LowPart']),
int(re['Buffer']['Password']['MinPasswordAge']['HighPart']))
self.__pass_prop = d2b(
re['Buffer']['Password']['PasswordProperties'])
domain_lockout = samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation
re = samr.hSamrQueryInformationDomain2(
self.__dce,
domainHandle=domainHandle,
domainInformationClass=domain_lockout)
self.__rst_accnt_lock_counter = convert(
0,
re['Buffer']['Lockout']['LockoutObservationWindow'],
lockout=True)
self.__lock_accnt_dur = convert(
0, re['Buffer']['Lockout']['LockoutDuration'], lockout=True)
self.__accnt_lock_thres = re['Buffer']['Lockout'][
'LockoutThreshold'] or "None"
domain_logoff = samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation
re = samr.hSamrQueryInformationDomain2(
self.__dce,
domainHandle=domainHandle,
domainInformationClass=domain_logoff)
self.__force_logoff_time = convert(
re['Buffer']['Logoff']['ForceLogoff']['LowPart'],
re['Buffer']['Logoff']['ForceLogoff']['HighPart'])
self.print_friendly()
def enumPasswordPolicy(self):
rpctransport = transport.SMBTransport(self.__addr,
self.__port,
r'\samr',
self.__username,
self.__password,
self.__domain,
self.__lmhash,
self.__nthash,
self.__aesKey,
doKerberos=self.__doKerberos)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']
domain = domains[0]["Name"]
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,
domains[0]['Name'])
resp = samr.hSamrOpenDomain(dce,
serverHandle=serverHandle,
domainId=resp['DomainId'])
domainHandle = resp['DomainHandle']
if self.__host_domain == "":
domain = "WORKGROUP"
else:
domain = self.__host_domain
resp = samr.hSamrQueryInformationDomain(
dce, domainHandle,
samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation)
pass_complexity = resp['Buffer']['Password']['PasswordProperties']
min_pass_len = resp['Buffer']['Password']['MinPasswordLength']
pass_hst_len = resp['Buffer']['Password']['PasswordHistoryLength']
max_pass_age = self.__convert(
resp['Buffer']['Password']['MaxPasswordAge']['LowPart'],
resp['Buffer']['Password']['MaxPasswordAge']['HighPart'], 1)
min_pass_age = self.__convert(
resp['Buffer']['Password']['MinPasswordAge']['LowPart'],
resp['Buffer']['Password']['MinPasswordAge']['HighPart'], 1)
resp = samr.hSamrQueryInformationDomain2(
dce, domainHandle,
samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation)
lock_threshold = int(resp['Buffer']['Lockout']['LockoutThreshold'])
lock_duration = None
if lock_threshold != 0:
lock_duration = int(
resp['Buffer']['Lockout']['LockoutDuration']) / -600000000
dce.disconnect()
return {
'complexity': pass_complexity,
'minimum_length': min_pass_len,
'history_length': pass_hst_len,
'maximum_age': max_pass_age,
'minimum_age': min_pass_age,
'lock_threshold': lock_threshold,
'lock_duration': lock_duration,
}
def enumerate_password_policy(self, dce, domain_handle):
# This method is a refactored and cleaned up version of polenum.py. I had a hard time finding the true
# author of polenum.py to give credit.. Give me a shout if you're out there!
domain_passwd = samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation
resp = samr.hSamrQueryInformationDomain2(
dce,
domainHandle=domain_handle,
domainInformationClass=domain_passwd)
policy = resp['Buffer']['Password']
minimum_len = policy['MinPasswordLength'] or "None"
history = policy['PasswordHistoryLength'] or "None"
maximum_age = self.convert_policy(
int(policy['MaxPasswordAge']['LowPart']),
int(policy['MaxPasswordAge']['HighPart']))
minimum_pass_age = self.convert_policy(
int(policy['MinPasswordAge']['LowPart']),
int(policy['MinPasswordAge']['HighPart']))
password_props = policy['PasswordProperties']
complexity_binary = []
while password_props:
complexity_binary.append(password_props % 2)
password_props /= 2
com_binary = complexity_binary[::-1]
if len(com_binary) != 8:
for x in xrange(6 - len(com_binary)):
com_binary.insert(0, 0)
password_props = ''.join([str(value) for value in com_binary])
domain_lockout = samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation
resp = samr.hSamrQueryInformationDomain2(
dce,
domainHandle=domain_handle,
domainInformationClass=domain_lockout)
lockout = resp['Buffer']['Lockout']
lockout_observation = self.convert_policy(
0, lockout['LockoutObservationWindow'], lockout=True)
lockout_duration = self.convert_policy(0,
lockout['LockoutDuration'],
lockout=True)
lockout_threshold = lockout['LockoutThreshold'] or "None"
domain_logoff = samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation
resp = samr.hSamrQueryInformationDomain2(
dce,
domainHandle=domain_handle,
domainInformationClass=domain_logoff)
logoff = resp['Buffer']['Logoff']['ForceLogoff']
logoff_time = self.convert_policy(logoff['LowPart'],
logoff['HighPart'])
domain_complexity = {
5: 'Domain Password Complex:',
4: 'Domain Password No Anon Change:',
3: 'Domain Password No Clear Change:',
2: 'Domain Password Lockout Admins:',
1: 'Domain Password Store Cleartext:',
0: 'Domain Refuse Password Change:'
}
self.log.info(
"\n\t[+] Minimum password length: {0}".format(minimum_len))
self.log.info("\t[+] Password history length: {0}".format(history))
self.log.info("\t[+] Maximum password age: {0}".format(maximum_age))
self.log.info("\t[+] Password Complexity Flags: {0}\n".format(
password_props or "None"))
for i, a in enumerate(password_props):
self.log.info("\t\t[+] {0} {1}".format(domain_complexity[i],
str(a)))
self.log.info(
"\n\t[+] Minimum password age: {0}".format(minimum_pass_age))
self.log.info("\t[+] Reset Account Lockout Counter: {0}".format(
lockout_observation))
self.log.info(
"\t[+] Locked Account Duration: {0}".format(lockout_duration))
self.log.info(
"\t[+] Account Lockout Threshold: {0}".format(lockout_threshold))
self.log.info("\t[+] Forced Log off Time: {0}\n".format(logoff_time))
