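def get_sd(self):
    """Return this NT object's security descriptor wrapped as an SD.

    Returns 0 when no object handle can be obtained (the Win32 error is
    printed), None when the handle exists but the descriptor cannot be read
    or wrapped, and an SD instance otherwise.
    """
    import pywintypes
    try:
        handle = self.get_objh()
    except pywintypes.error as e:
        # pywintypes.error.args is (winerror, funcname, strerror); the
        # exception object itself is not subscriptable on Python 3, so the
        # original e[1]/e[2] raised TypeError inside the handler.
        print("[E] %s: %s" % (e.args[1], e.args[2]))
        return 0
    s = None
    try:
        # Reuse the handle obtained above instead of asking for it a second time.
        s = win32security.GetKernelObjectSecurity(
            handle,
            win32security.OWNER_SECURITY_INFORMATION
            | win32security.GROUP_SECURITY_INFORMATION
            | win32security.DACL_SECURITY_INFORMATION)
        t = self.get_type().lower()
        # SD names the NT "Directory" object type "directory_object".
        if t == "directory":
            t = "directory_object"
        s = SD(t, s)
    except Exception:
        # Best effort, but never hand back a half-built raw descriptor:
        # callers expect an SD (they call .as_text()).  "except Exception"
        # rather than a bare "except:" keeps KeyboardInterrupt/SystemExit alive.
        s = None
    return s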
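def get_sd(self):
    """Return (and cache in self.sd) the service's security descriptor as an SD.

    Owner and DACL are queried through the READ_CONTROL handle from
    self.get_sh_read_control().  On failure an error line is printed and the
    cached value (None/falsy) is returned unchanged.
    """
    if not self.sd:
        # Need a handle with generic_read
        try:
            secdesc = win32service.QueryServiceObjectSecurity(
                self.get_sh_read_control(),
                win32security.OWNER_SECURITY_INFORMATION
                | win32security.DACL_SECURITY_INFORMATION)
            self.sd = SD('service', secdesc)
        except Exception:
            # "except Exception" instead of a bare "except:" so that
            # KeyboardInterrupt/SystemExit still propagate.
            print("ERROR: OpenService failed for '%s' (%s)" % (self.get_description(), self.get_name()))
    return self.sd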
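def get_sd(self):
    """Return (and cache in self.sd) the process's security descriptor as an SD.

    Reads owner, group and DACL via GetSecurityInfo on the handle from
    self.get_ph().  Failures are swallowed and the cached value (None/falsy)
    is returned unchanged.
    """
    if not self.sd:
        try:
            secdesc = win32security.GetSecurityInfo(
                self.get_ph(),
                win32security.SE_KERNEL_OBJECT,
                win32security.DACL_SECURITY_INFORMATION
                | win32security.OWNER_SECURITY_INFORMATION
                | win32security.GROUP_SECURITY_INFORMATION)
            self.sd = SD('process', secdesc)
        except Exception:
            # Best effort.  A bare "except:" would also swallow
            # KeyboardInterrupt/SystemExit and make Ctrl-C unreliable.
            pass
    return self.sd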
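def get_sd(self):
    """Return (and cache in self.sd) the token's security descriptor as an SD.

    Reads owner, group and DACL via GetSecurityInfo on the handle from
    self.get_th().  Failures are swallowed and the cached value (None/falsy)
    is returned unchanged.
    """
    if not self.sd:
        try:
            # TODO also get mandatory label
            secdesc = win32security.GetSecurityInfo(
                self.get_th(),
                win32security.SE_KERNEL_OBJECT,
                win32security.DACL_SECURITY_INFORMATION
                | win32security.OWNER_SECURITY_INFORMATION
                | win32security.GROUP_SECURITY_INFORMATION)
            self.sd = SD('token', secdesc)
        except Exception:
            # Best effort.  A bare "except:" would also swallow
            # KeyboardInterrupt/SystemExit and make Ctrl-C unreliable.
            pass
    return self.sd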
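def get_sd(self):
    """Return (and cache in self.sd) the thread's security descriptor as an SD.

    Reads owner, group and DACL via GetSecurityInfo on the handle from
    self.get_th().  Failures are swallowed and the cached value (None/falsy)
    is returned unchanged.
    """
    if not self.sd:
        try:
            secdesc = win32security.GetSecurityInfo(
                self.get_th(),
                win32security.SE_KERNEL_OBJECT,
                win32security.DACL_SECURITY_INFORMATION
                | win32security.OWNER_SECURITY_INFORMATION
                | win32security.GROUP_SECURITY_INFORMATION)
            self.sd = SD('thread', secdesc)
        except Exception:
            # Best effort.  A bare "except:" would also swallow
            # KeyboardInterrupt/SystemExit and make Ctrl-C unreliable.
            pass
    return self.sd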
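def get_info(self):
    """Populate the share's attributes from NetShareGetInfo and return the record.

    The level-502 record (which includes the security descriptor) is tried
    first; if that fails the error is printed and the less privileged
    level-501 record is used instead.  The raw record is cached in self.info
    and returned; it stays falsy if both calls fail.
    """
    if not self.info:
        try:
            # For interactive users (users who are logged on locally to the machine), no special
            # group membership is required to execute the NetShareGetInfo function. For non-interactive
            # users, Administrator, Power User, Print Operator, or Server Operator group membership is
            # required to successfully execute the NetShareEnum function at levels 2, 502, and 503. No
            # special group membership is required for level 0 or level 1 calls.
            shareinfo = win32net.NetShareGetInfo(wpc.conf.remote_server, self.get_name(), 502)
            # The share comment lives in 'remark' at level 502 as well (the
            # 501 fallback below already reads it); 'reserved' is a padding
            # field and never holds the description.
            self.description = shareinfo['remark']
            self.passwd = shareinfo['passwd']
            self.current_uses = shareinfo['current_uses']
            self.max_uses = shareinfo['max_uses']
            if shareinfo['path']:
                # self.path = File(shareinfo['path'])
                self.path = shareinfo['path']
            self.type = shareinfo['type']
            if shareinfo['security_descriptor']:
                self.sd = SD('share', shareinfo['security_descriptor'])
            else:
                self.sd = None
            self.permissions = shareinfo['permissions']
            self.info = shareinfo
        except pywintypes.error as e:
            # pywintypes.error.args is (winerror, funcname, strerror); the
            # exception object is not subscriptable on Python 3, so the
            # original e[1]/e[2] raised TypeError inside the handler.
            print("[E] %s: %s" % (e.args[1], e.args[2]))
            try:
                shareinfo = win32net.NetShareGetInfo(wpc.conf.remote_server, self.get_name(), 501)
                self.description = shareinfo['remark']
                self.type = shareinfo['type']
                self.flags = shareinfo['flags']
                self.info = shareinfo
            except pywintypes.error as e:
                print("[E] %s: %s" % (e.args[1], e.args[2]))
    return self.info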
def sd(self, type, name):
    """Build and return an SD for the object `name` of kind `type`.

    No caching is done yet (TODO): every call constructs a fresh SD.
    """
    descriptor = SD(type, name)
    return descriptor
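def dump_nt_objects(self):
    """Print the security descriptors of sessions, window stations, desktops and NT objects.

    Output goes to stdout only; nothing is returned.  The work is split into
    three helpers: _dump_sessions, _dump_winstations_and_desktops and
    _dump_nt_object_tree.
    """
    #
    # Windows stations and Desktops - TODO make is more OO: objects for windowstations and desktops.
    #
    # win32con does not define this constant; other code may rely on it being
    # patched in here, so the module-level write is kept.
    win32con.WINSTA_ALL_ACCESS = 0x0000037f
    self._dump_sessions()
    session = win32ts.ProcessIdToSessionId(
        win32process.GetCurrentProcessId())
    self._dump_winstations_and_desktops(session)
    #
    # Objects
    #
    self._dump_nt_object_tree()

def _dump_sessions(self):
    """Print id, window station name and state of every terminal-services session."""
    print()
    print("[-] Sessions")
    print()
    for session in win32ts.WTSEnumerateSessions(
            win32ts.WTS_CURRENT_SERVER_HANDLE, 1, 0):
        print("SessionId: %s" % session['SessionId'])
        print("\tWinStationName: %s" % session['WinStationName'])
        print("\tState: %s" % session['State'])
    print()

def _dump_winstations_and_desktops(self, session):
    """Print the SD of every window station in `session` and of each of its desktops.

    `session` is the current process's session id (only used in the output).
    Window station and desktop handles are opened with READ_CONTROL; failures
    are reported per object and do not stop the enumeration.
    """
    print()
    print("[-] Winstations in session %s" % session)
    print()
    for w in win32service.EnumWindowStations():
        print("winstation: %s" % w)
    print()
    sd_info = (win32security.OWNER_SECURITY_INFORMATION
               | win32security.GROUP_SECURITY_INFORMATION
               | win32security.DACL_SECURITY_INFORMATION)
    for w in win32service.EnumWindowStations():
        print()
        print("[-] Session %s, Winstation '%s'" % (session, w))
        print()
        # Get SD
        try:
            h = 0
            h = win32service.OpenWindowStation(w, False, win32con.READ_CONTROL)
            s = win32security.GetKernelObjectSecurity(h, sd_info)
            s = SD('winstation', s)
            print(s.as_text())
        except pywintypes.error as details:
            print("[E] Can't get READ_CONTROL winstation handle: %s" % details)
        # Get Desktops
        h = 0
        try:
            h = win32service.OpenWindowStation(
                w, False, win32con.WINSTA_ENUMDESKTOPS)
            print("[-] Session %s, Winstation '%s' has these desktops:" % (session, w))
            for d in h.EnumDesktops():
                print("\t%s" % d)
            print()
        except pywintypes.error as details:
            print(
                "[E] Can't get WINSTA_ENUMDESKTOPS winstation handle: %s" % details)
        if h:
            # NOTE(review): this switches the calling process onto window
            # station `w` and never switches back; anything running after this
            # method sees the last station enumerated.  Kept as-is because the
            # desktop enumeration below depends on it.
            h.SetProcessWindowStation()
            for d in h.EnumDesktops():
                print("[-] Session %s, Winstation '%s', Desktop '%s'" % (session, w, d))
                try:
                    hd = win32service.OpenDesktop(d, 0, False, win32con.READ_CONTROL)
                    s = win32security.GetKernelObjectSecurity(hd, sd_info)
                    s = SD('desktop', s)
                    print(s.as_text())
                except pywintypes.error as details:
                    print("[E] Can't get READ_CONTROL desktop handle: %s" % details)
                print()

def _dump_nt_object_tree(self):
    """Walk the NT object namespace from "\\" and print each object and its SD.

    Only object types SD knows how to render are dumped; for every other type
    (or when the SD cannot be read) a skip line is printed instead.
    """
    # Object types whose security descriptors SD can render.
    dumped_types = frozenset((
        "Semaphore", "Event", "Mutant", "Timer", "Section",
        "Device", "SymbolicLink", "Key", "Directory",
    ))
    print()
    print("[-] Objects")
    print()
    root = NTObj("\\")
    for child in root.get_all_child_objects():
        print(child.as_text())
        # get_sd() is not cached on NTObj and opens a handle each call, so
        # fetch it once instead of twice.
        sd = child.get_sd() if child.get_type() in dumped_types else None
        if sd:
            print(sd.as_text())
        else:
            print("Skipping unknown object type: %s" % child.get_type())
        print()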