Python Misc 예제들

예제 #1

파일: helpers.py 프로젝트: cys3c/pywerview

def invoke_checklocaladminaccess(target_computername,
                                 domain,
                                 user,
                                 password=str(),
                                 lmhash=str(),
                                 nthash=str()):
    misc = Misc(target_computername, domain, user, password, lmhash, nthash)

    return misc.invoke_checklocaladminaccess()

예제 #2

파일: hunting.py 프로젝트: x-crypt/pywerview

    def _hunt(self, target_computer):
        # TODO: implement ping of target
        results = list()
        # First, we get every distant session on the target computer
        distant_sessions = list()
        with NetRequester(target_computer, self._domain, self._user,
                          self._password, self._lmhash,
                          self._nthash) as net_requester:
            if not self._foreign_users:
                distant_sessions += net_requester.get_netsession()
            if not self._stealth:
                distant_sessions += net_requester.get_netloggedon()

        # For every session, we get information on the remote user
        for session in distant_sessions:
            try:
                username = session.sesi10_username
                userdomain = str()
                session_from = session.sesi10_cname
                if session_from.startswith('\\'):
                    session_from = session_from.lstrip('\\')
            except AttributeError:
                username = session.wkui1_username
                userdomain = session.wkui1_logon_domain
                session_from = str()

            # If we found a user
            if username:
                # We see if it's in our target user group
                for target_user in self._target_users:
                    if target_user.membername.lower() in username.lower():

                        # If we fall in this branch, we're looking for foreign users
                        # and found a user in the same domain
                        if self._domain_short_name and self._domain_short_name.lower(
                        ) == userdomain.lower():
                            continue

                        attributes = dict()
                        if userdomain:
                            attributes['userdomain'] = userdomain
                        else:
                            attributes['userdomain'] = target_user.memberdomain
                        attributes['username'] = username
                        attributes['computername'] = target_computer
                        attributes['sessionfrom'] = session_from

                        if self._check_access:
                            with Misc(target_computer, self._domain,
                                      self._user, self._password, self._lmhash,
                                      self._nthash) as misc_requester:
                                attributes[
                                    'localadmin'] = misc_requester.invoke_checklocaladminaccess(
                                    )
                        else:
                            attributes['localadmin'] = str()

                        results.append(rpcobj.RPCObject(attributes))

        return results

예제 #3

파일: hunting.py 프로젝트: DidierA/pywerview

    def invoke_userhunter(self,
                          queried_computername=list(),
                          queried_computerfile=None,
                          queried_computerfilter=str(),
                          queried_computeradspath=str(),
                          unconstrained=False,
                          queried_groupname=str(),
                          target_server=str(),
                          queried_username=str(),
                          queried_userfilter=str(),
                          queried_useradspath=str(),
                          queried_userfile=None,
                          threads=1,
                          admin_count=False,
                          allow_delegation=False,
                          stop_on_success=False,
                          check_access=False,
                          queried_domain=str(),
                          stealth=False,
                          stealth_source=['dfs', 'dc', 'file'],
                          show_all=False,
                          foreign_users=False):

        self._build_target_domains(queried_domain)

        self._build_target_computers(
            queried_computername=queried_computername,
            queried_computerfile=queried_computerfile,
            queried_computerfilter=queried_computerfilter,
            queried_computeradspath=queried_computeradspath,
            unconstrained=unconstrained,
            stealth=stealth,
            stealth_source=stealth_source)

        self._build_target_users(queried_groupname=queried_groupname,
                                 target_server=target_server,
                                 queried_username=queried_username,
                                 queried_userfilter=queried_userfilter,
                                 queried_useradspath=queried_useradspath,
                                 queried_userfile=queried_userfile,
                                 admin_count=admin_count,
                                 allow_delegation=allow_delegation,
                                 show_all=show_all,
                                 foreign_users=foreign_users)

        if foreign_users:
            with Misc(self._domain_controller, self._domain, self._user,
                      self._password, self._lmhash,
                      self._nthash) as misc_requester:
                domain_sid = misc_requester.get_domainsid(queried_domain)
                domain_short_name = misc_requester.convert_sidtont4(
                    domain_sid).split('\\')[0]
        else:
            domain_short_name = None

        self._build_workers(threads, UserHunterWorker,
                            (foreign_users, stealth, self._target_users,
                             domain_short_name, check_access))
        return self._process_workers()

예제 #4

파일: helpers.py 프로젝트: the-useless-one/pywerview

def invoke_checklocaladminaccess(target_computername, domain, user, password=str(),
                                 lmhash=str(), nthash=str()):
    misc = Misc(target_computername, domain, user, password, lmhash, nthash)

    return misc.invoke_checklocaladminaccess()

예제 #5

파일: hunting.py 프로젝트: cys3c/pywerview

    def invoke_userhunter(self, queried_computername=list(), queried_computerfile=None,
            queried_computeradspath=str(), unconstrained=False, queried_groupname=str(),
            target_server=str(), queried_username=str(), queried_useradspath=str(),
            queried_userfile=None, threads=1, verbose=False, admin_count=False,
            allow_delegation=False, stop_on_success=False, check_access=False,
            queried_domain=str(), stealth=False, stealth_source=['dfs', 'dc', 'file'],
            show_all=False, foreign_users=False):

        # TODO: implement forest search
        if not queried_domain:
            queried_domain = self._domain

        target_domains = [queried_domain]

        # First, we build the target servers
        if queried_computerfile:
            with queried_computerfile as _:
                queried_computername = [x.rstrip('\n') for x in queried_computerfile.readlines()]

        if not queried_computername:
            if stealth:
                for target_domain in target_domains:
                    for source in stealth_source:
                        if source == 'dfs':
                            queried_computername += [x.remoteservername \
                                    for x in self.get_dfsshare(queried_domain=target_domain)]
                        elif source == 'dc':
                            queried_computername += [x.dnshostname \
                                    for x in self.get_netdomaincontroller(queried_domain=target_domain)]
                        elif source == 'file':
                            queried_computername += [x.dnshostname \
                                    for x in self.get_netfileserver(queried_domain=target_domain)]
            else:
                for target_domain in target_domains:
                    queried_computername = [x.dnshostname for x in self.get_netcomputer(
                        queried_domain=target_domain, unconstrained=unconstrained,
                        ads_path=queried_computeradspath)]

        # TODO: automatically convert server names to IP address (DNS, LLMNR, NBT-NS, etc.)
        queried_computername = list(set(queried_computername))
        random.shuffle(queried_computername)

        # Now, we build the target users
        target_users = list()
        domain_short_name = None
        if show_all or foreign_users:
            attributes = {'memberdomain': str(), 'membername': str()}
            target_users.append(rpcobj.TargetUser(attributes))
            if foreign_users:
                with Misc(domain_controller, domain, user, password, lmhash, nthash) as misc_requester:
                    domain_sid = misc_requester.get_domainsid()
                    domain_short_name = misc_requester.convert_sidtont4(domain_sid).split('\\')[0]
        elif target_server:
            with NetRequester(target_server, domain, user, password, lmhash,
                              nthash, domain_controller) as target_server_requester:
                for x in target_server_requester.get_netlocalgroup(recurse=True):
                    if x.isdomain and not x.isgroup:
                        attributes = {'memberdomain': x.name.split('/')[0].lower(),
                                'membername': x.name.split('/')[1].lower()}

                        target_users.append(rpcobj.TargetUser(attributes))
        elif queried_userfile:
            with queried_userfile as _:
                for x in queried_userfile.readlines():
                    attributes = dict()
                    attributes['membername'] = x.rstrip('\n')
                    attributes['memberdomain'] = target_domains[0]

                    target_users.append(rpcobj.TargetUser(attributes))
        elif queried_username:
            attributes = dict()
            attributes['membername'] = queried_username.lower()
            attributes['memberdomain'] = target_domains[0]

            target_users.append(rpcobj.TargetUser(attributes))
        elif queried_useradspath or admin_count or allow_delegation:
            for target_domain in target_domains:
                for x in self.get_netuser(ads_path=queried_useradspath,
                                          admin_count=admin_count,
                                          allow_delegation=allow_delegation,
                                          queried_domain=target_domain):
                            attributes = dict()
                            attributes['memberdomain'] = target_domain
                            attributes['membername'] = x.samaccountname

                            target_users.append(rpcobj.TargetUser(attributes))
        else:
            for target_domain in target_domains:
                target_users += self.get_netgroupmember(queried_domain=target_domain,
                                                        queried_groupname=queried_groupname)

        target_users = list(set(target_users))

        if (not show_all) and (not foreign_users) and (not target_users):
            raise ValueError('No users to search for')

        results, workers = list(), list()
        parent_pipes, worker_pipes = list(), list()

        for i in xrange(threads):
            parent_pipe, worker_pipe = multiprocessing.Pipe()
            parent_pipes.append(parent_pipe)
            worker_pipes.append(worker_pipe)
            worker = UserHunterWorker(worker_pipe, self._domain, self._user,
                                            self._password, self._lmhash, self._nthash,
                                            foreign_users, verbose, stealth, target_users,
                                            domain_short_name, check_access)

            worker.start()
            workers.append(worker)

        jobs_done, total_jobs = 0, len(queried_computername)
        try:
            while jobs_done < total_jobs:
                if queried_computername:
                    write_watch_list = parent_pipes
                else:
                    write_watch_list = list()
                rlist, wlist, _ = select.select(parent_pipes, write_watch_list, list())

                for readable in rlist:
                    jobs_done += 1 
                    result = readable.recv()
                    for session in result:
                        yield session
                for writable in wlist:
                    try:
                        target_computer = queried_computername.pop(0)
                        writable.send(target_computer)
                    except IndexError:
                        pass
        except KeyboardInterrupt:
            pass
        finally:
            for worker in workers:
                worker.terminate()