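def get_user_paths():
    """Collect the per-user PATH value of every profile loaded under HKEY_USERS.

    Each subkey of HKEY_USERS is taken to be a SID string (the key name,
    ``subkey[0]``); its ``Environment`` subkey is opened and the ``PATH``
    value read.  Profiles without an Environment key or PATH value, and
    key names that are not valid SID strings, are skipped.

    Returns:
        A list of ``(user, path)`` tuples -- ``user`` built from the
        profile's SID -- or ``0`` when HKEY_USERS itself cannot be opened
        (kept as-is for callers that compare against ``0``).
    """
    access = (win32con.KEY_ENUMERATE_SUB_KEYS
              | win32con.KEY_QUERY_VALUE
              | win32con.KEY_READ)
    try:
        keyh = win32api.RegOpenKeyEx(win32con.HKEY_USERS, None, 0, access)
    except Exception:
        return 0

    paths = []
    try:
        for subkey in win32api.RegEnumKeyEx(keyh):
            sid_string = subkey[0]
            try:
                subkeyh = win32api.RegOpenKeyEx(keyh, sid_string + "\\Environment", 0, access)
            except Exception:
                # Not every HKEY_USERS subkey is a profile with an Environment key.
                continue
            try:
                try:
                    path, _value_type = win32api.RegQueryValueEx(subkeyh, "PATH")
                except Exception:
                    # This profile has no per-user PATH value.
                    continue
            finally:
                win32api.RegCloseKey(subkeyh)
            try:
                user_sid = win32security.ConvertStringSidToSid(sid_string)
            except Exception:
                print("WARNING: Can't convert sid %s to name. Skipping." % sid_string)
                continue
            try:
                owner = user(user_sid)
            except Exception:
                # Best-effort, as before: a SID that cannot be wrapped is skipped.
                continue
            # The original called paths.append(user(user_sid), path) with two
            # arguments, which raises TypeError; a bare except swallowed it, so
            # nothing was ever collected and the result was always empty.
            paths.append((owner, path))
    finally:
        win32api.RegCloseKey(keyh)
    return paths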
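def get_user_paths():
    """Collect the per-user PATH value of every profile loaded under HKEY_USERS.

    Each subkey of HKEY_USERS is taken to be a SID string (the key name,
    ``subkey[0]``); its ``Environment`` subkey is opened and the ``PATH``
    value read.  Profiles without an Environment key or PATH value, and
    key names that are not valid SID strings, are skipped.

    Returns:
        A list of ``(user, path)`` tuples -- ``user`` built from the
        profile's SID -- or ``0`` when HKEY_USERS itself cannot be opened
        (kept as-is for callers that compare against ``0``).
    """
    access = (win32con.KEY_ENUMERATE_SUB_KEYS
              | win32con.KEY_QUERY_VALUE
              | win32con.KEY_READ)
    try:
        keyh = win32api.RegOpenKeyEx(win32con.HKEY_USERS, None, 0, access)
    except Exception:
        return 0

    paths = []
    try:
        for subkey in win32api.RegEnumKeyEx(keyh):
            sid_string = subkey[0]
            try:
                subkeyh = win32api.RegOpenKeyEx(keyh, sid_string + "\\Environment", 0, access)
            except Exception:
                # Not every HKEY_USERS subkey is a profile with an Environment key.
                continue
            try:
                try:
                    path, _value_type = win32api.RegQueryValueEx(subkeyh, "PATH")
                except Exception:
                    # This profile has no per-user PATH value.
                    continue
            finally:
                win32api.RegCloseKey(subkeyh)
            try:
                user_sid = win32security.ConvertStringSidToSid(sid_string)
            except Exception:
                print("WARNING: Can't convert sid %s to name. Skipping." % sid_string)
                continue
            try:
                owner = user(user_sid)
            except Exception:
                # Best-effort, as before: a SID that cannot be wrapped is skipped.
                continue
            # The original called paths.append(user(user_sid), path) with two
            # arguments, which raises TypeError; a bare except swallowed it, so
            # nothing was ever collected and the result was always empty.
            paths.append((owner, path))
    finally:
        win32api.RegCloseKey(keyh)
    return paths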
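def get_members_except(self, ignore_principals):
    """Return this group's members, recursing into nested groups.

    Principals whose SID is already in ``ignore_principals`` are skipped,
    and every principal returned is appended to ``ignore_principals`` as
    well.  The caller's list is mutated on purpose: it is the shared
    "already seen" set that stops nested groups and repeated calls from
    reporting the same SID twice, and makes group cycles terminate.

    Args:
        ignore_principals: principal objects (anything with ``get_sid()``)
            to leave out; extended in place.

    Returns:
        A list of ``user``/``group`` objects that are direct or nested
        members of this group and were not ignored.
    """
    # Hoisted out of the loop: ignore_principals is not modified while the
    # direct members are scanned, so the SID list is loop-invariant.
    ignored_sids = [x.get_sid() for x in ignore_principals]
    principals = []
    for member in wpc.conf.cache.NetLocalGroupGetMembers(wpc.conf.remote_server, self.get_name(), 2):
        if wpc.conf.sid_is_group_type[member['sidusage']]:
            p = group(member['sid'])
        else:
            p = user(member['sid'])
        if p.get_sid() not in ignored_sids:
            principals.append(p)

    # TODO: should be able to list members of group "None"
    # TODO: make this an option
    # Register the direct members before recursing so a nested group
    # cannot hand the same SIDs back.
    ignore_principals.extend(principals)
    # Walk a snapshot: nested members are appended to `principals` during
    # the walk, and the recursive call has already expanded them.
    for p in list(principals):
        if p.is_group_type():
            # The original built the nested group from the stale loop
            # variable `member` (always the last member enumerated) rather
            # than from p, so the wrong group was expanded.
            nested = group(p.get_sid())
            principals.extend(nested.get_members_except(ignore_principals))
    return principals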
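def get_members_except(self, ignore_principals):
    """Return this group's members, recursing into nested groups.

    Principals whose SID is already in ``ignore_principals`` are skipped,
    and every principal returned is appended to ``ignore_principals`` as
    well.  The caller's list is mutated on purpose: it is the shared
    "already seen" set that stops nested groups and repeated calls from
    reporting the same SID twice, and makes group cycles terminate.

    Args:
        ignore_principals: principal objects (anything with ``get_sid()``)
            to leave out; extended in place.

    Returns:
        A list of ``user``/``group`` objects that are direct or nested
        members of this group and were not ignored.
    """
    # Hoisted out of the loop: ignore_principals is not modified while the
    # direct members are scanned, so the SID list is loop-invariant.
    ignored_sids = [x.get_sid() for x in ignore_principals]
    principals = []
    for member in wpc.conf.cache.NetLocalGroupGetMembers(wpc.conf.remote_server, self.get_name(), 2):
        if wpc.conf.sid_is_group_type[member["sidusage"]]:
            p = group(member["sid"])
        else:
            p = user(member["sid"])
        if p.get_sid() not in ignored_sids:
            principals.append(p)

    # TODO: should be able to list members of group "None"
    # TODO: make this an option
    # Register the direct members before recursing so a nested group
    # cannot hand the same SIDs back.
    ignore_principals.extend(principals)
    # Walk a snapshot: nested members are appended to `principals` during
    # the walk, and the recursive call has already expanded them.
    for p in list(principals):
        if p.is_group_type():
            # The original built the nested group from the stale loop
            # variable `member` (always the last member enumerated) rather
            # than from p, so the wrong group was expanded.
            nested = group(p.get_sid())
            principals.extend(nested.get_members_except(ignore_principals))
    return principals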
def get_filtered(self):
    """Return the cached ``user`` list, enumerating accounts on first use.

    On the first call (``self.users`` empty) every name reported by
    ``NetUserEnum`` (information level 1) on ``wpc.conf.remote_server`` is
    resolved to a SID through ``wpc.conf.cache.LookupAccountName`` and
    wrapped in a ``user`` object.  No errors are caught here; failures
    propagate to the caller.
    """
    if self.users == []:
        info_level = 1
        resume_handle = 0
        more_pages = True
        while more_pages:
            page, _total, resume_handle = win32net.NetUserEnum(
                wpc.conf.remote_server, info_level, 0, resume_handle, 999999)
            for entry in page:
                account_sid, _account_name, _sid_type = wpc.conf.cache.LookupAccountName(
                    wpc.conf.remote_server, entry['name'])
                self.users.append(user(account_sid))
            # The enumeration is finished once the resume handle comes back as 0.
            more_pages = resume_handle != 0
    return self.users
def get_filtered(self):
    """Return the cached ``user`` list, enumerating accounts on first use.

    On the first call (``self.users`` empty) every name reported by
    ``NetUserEnum`` (information level 1) on ``wpc.conf.remote_server`` is
    resolved to a SID through ``wpc.conf.cache.LookupAccountName`` and
    wrapped in a ``user`` object.  No errors are caught here; failures
    propagate to the caller.
    """
    if self.users == []:
        info_level = 1
        resume_handle = 0
        more_pages = True
        while more_pages:
            page, _total, resume_handle = win32net.NetUserEnum(
                wpc.conf.remote_server, info_level, 0, resume_handle, 999999)
            for entry in page:
                account_sid, _account_name, _sid_type = wpc.conf.cache.LookupAccountName(
                    wpc.conf.remote_server, entry['name'])
                self.users.append(user(account_sid))
            # The enumeration is finished once the resume handle comes back as 0.
            more_pages = resume_handle != 0
    return self.users
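def get_all(self):
    """Return every account as ``user`` objects, enumerating on first use.

    The result is cached in ``self.users``; later calls return the cached
    list.  Enumeration uses ``NetUserEnum`` (information level 0) against
    ``wpc.conf.remote_server`` and resolves each name to a SID through
    ``wpc.conf.cache.LookupAccountName``.

    Returns:
        ``self.users``.  If ``NetUserEnum`` itself fails part-way the error
        is printed (existing "[E]" convention) and whatever was collected
        so far stays cached.
    """
    if self.users == []:
        try:
            level = 0
            resume = 0
            while True:
                userlist, _total, resume = win32net.NetUserEnum(
                    wpc.conf.remote_server, level, 0, resume, 999999)
                for u in userlist:
                    # Previously one account whose SID could not be resolved
                    # aborted the whole enumeration and left a partial list
                    # cached; such an account is now reported and skipped.
                    try:
                        sid, _name, _sid_type = wpc.conf.cache.LookupAccountName(
                            wpc.conf.remote_server, u['name'])
                    except pywintypes.error:
                        print("[E] failed to lookup sid of %s" % u['name'])
                        continue
                    self.users.append(user(sid))
                if resume == 0:
                    break
        except pywintypes.error as e:
            print("[E] %s: %s" % (e[1], e[2]))
    return self.users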
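def get_all(self):
    """Return every account as ``user`` objects, enumerating on first use.

    The result is cached in ``self.users``; later calls return the cached
    list.  Enumeration uses ``NetUserEnum`` (information level 0) against
    ``wpc.conf.remote_server`` and resolves each name to a SID through
    ``wpc.conf.cache.LookupAccountName``.

    Returns:
        ``self.users``.  If ``NetUserEnum`` itself fails part-way the error
        is printed (existing "[E]" convention) and whatever was collected
        so far stays cached.
    """
    if self.users == []:
        try:
            level = 0
            resume = 0
            while True:
                userlist, _total, resume = win32net.NetUserEnum(
                    wpc.conf.remote_server, level, 0, resume, 999999)
                for u in userlist:
                    # Previously one account whose SID could not be resolved
                    # aborted the whole enumeration and left a partial list
                    # cached; such an account is now reported and skipped.
                    try:
                        sid, _name, _sid_type = wpc.conf.cache.LookupAccountName(
                            wpc.conf.remote_server, u['name'])
                    except pywintypes.error:
                        print("[E] failed to lookup sid of %s" % u['name'])
                        continue
                    self.users.append(user(sid))
                if resume == 0:
                    break
        except pywintypes.error as e:
            print("[E] %s: %s" % (e[1], e[2]))
    return self.users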
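def define_trusted_principals():
    """Resolve ``wpc.conf.trusted_principals_fq`` into ``wpc.conf.trusted_principals``.

    Side effects, all on ``wpc.conf``:

    * ``trusted_principals_fq`` gains "NT AUTHORITY\\TERMINAL SERVER USER"
      when the TSUserEnabled registry value is present and non-zero
      (see http://support.microsoft.com/kb/238965).
    * ``trusted_principals`` gains a ``Group``/``user`` object for every
      name in ``trusted_principals_fq`` that resolves on
      ``wpc.conf.remote_server``, plus the Power Users group
      (S-1-5-32-547) when it can be constructed.

    Progress and failures are printed with the "[i]"/"[E]" prefixes the
    rest of the tool uses, and the final trusted list is echoed.
    """
    # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if
    # HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0 or doesn't exist
    # See http://support.microsoft.com/kb/238965 for details
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if r.is_present():
        v = r.get_value("TSUserEnabled")
        if v is None:
            print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
        elif v != 0:
            print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
            wpc.conf.trusted_principals_fq.append("NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
    else:
        print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
    print("")

    for t in wpc.conf.trusted_principals_fq:
        try:
            sid, _name, _use = win32security.LookupAccountName(wpc.conf.remote_server, t)
            if sid:
                p = principal(sid)
                if p.is_group_type():
                    p = Group(p.get_sid())
                else:
                    p = user(p.get_sid())
                wpc.conf.trusted_principals.append(p)
            else:
                print("[E] can't look up sid for " + t)
        except Exception:
            # A name that does not exist on this host used to be dropped
            # silently; report it so the trusted list stays auditable.
            print("[E] can't look up sid for " + t)

    # TODO we only want to ignore (trust) Server Operators, S-1-5-32-549,
    # if it doesn't resolve. ConvertStringSidToSid only parses the string
    # and does not raise for a well-formed SID, and the original appended
    # whatever `p` the loop above had left over when it did raise -- an
    # unrelated principal. Server Operators is therefore left out until
    # the intended resolve check is written.

    # TODO this always ignored power users. not what we want.
    # only want to ignore when group doesn't exist.
    try:
        wpc.conf.trusted_principals.append(
            Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
    except Exception:
        pass

    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")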
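def define_trusted_principals():
    """Resolve ``wpc.conf.trusted_principals_fq`` into ``wpc.conf.trusted_principals``.

    Side effects, all on ``wpc.conf``:

    * ``trusted_principals_fq`` gains "NT AUTHORITY\\TERMINAL SERVER USER"
      when the TSUserEnabled registry value is present and non-zero
      (see http://support.microsoft.com/kb/238965).
    * ``trusted_principals`` gains a ``Group``/``user`` object for every
      name in ``trusted_principals_fq`` that resolves on
      ``wpc.conf.remote_server``, plus the Power Users group
      (S-1-5-32-547) when it can be constructed.

    Progress and failures are printed with the "[i]"/"[E]" prefixes the
    rest of the tool uses, and the final trusted list is echoed.
    """
    # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if
    # HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0 or doesn't exist
    # See http://support.microsoft.com/kb/238965 for details
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if r.is_present():
        v = r.get_value("TSUserEnabled")
        if v is None:
            print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
        elif v != 0:
            print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
            wpc.conf.trusted_principals_fq.append("NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
    else:
        print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
    print("")

    for t in wpc.conf.trusted_principals_fq:
        try:
            sid, _name, _use = win32security.LookupAccountName(wpc.conf.remote_server, t)
            if sid:
                p = principal(sid)
                if p.is_group_type():
                    p = Group(p.get_sid())
                else:
                    p = user(p.get_sid())
                wpc.conf.trusted_principals.append(p)
            else:
                print("[E] can't look up sid for " + t)
        except Exception:
            # A name that does not exist on this host used to be dropped
            # silently; report it so the trusted list stays auditable.
            print("[E] can't look up sid for " + t)

    # TODO we only want to ignore (trust) Server Operators, S-1-5-32-549,
    # if it doesn't resolve. ConvertStringSidToSid only parses the string
    # and does not raise for a well-formed SID, and the original appended
    # whatever `p` the loop above had left over when it did raise -- an
    # unrelated principal. Server Operators is therefore left out until
    # the intended resolve check is written.

    # TODO this always ignored power users. not what we want.
    # only want to ignore when group doesn't exist.
    try:
        wpc.conf.trusted_principals.append(
            Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
    except Exception:
        pass

    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")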
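def _read_name_list(path):
    """Return the stripped lines of the text file at *path*.

    A file that cannot be opened or read is fatal for the run: an "[E]" line
    naming the file is printed and the process exits, as the inline code did.
    """
    try:
        with open(path) as fh:
            return [line.strip() for line in fh]
    except (IOError, OSError):
        print("[E] Error reading from file %s" % path)
        sys.exit()


def _resolve_principal(fq_name):
    """Resolve a fully-qualified account name to a ``Group`` or ``user`` object.

    The name is looked up on ``wpc.conf.remote_server``.  Returns ``None``
    after printing an "[E]" line when it does not resolve or cannot be
    wrapped.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, fq_name)
        if sid:
            p = principal(sid)
            if p.is_group_type():
                return Group(p.get_sid())
            return user(p.get_sid())
    except Exception:
        # Unknown names raise here; fall through to the message below.
        pass
    print("[E] can't look up sid for " + fq_name)
    return None


def define_trusted_principals(options):
    """Decide which principals the privesc checks treat as attackers or as trusted.

    Selects one of two modes, recorded in ``wpc.conf.privesc_mode``:

    * ``"exploitable_by"`` -- when ``options.exploitable_by_list`` /
      ``options.exploitable_by_file`` name principals, or
      ``options.exploitable_by_me`` is set (the current process token's
      owner and its groups, excluding deny-only ones, are used),
      ``wpc.conf.exploitable_by`` is populated and the function returns.
    * ``"report_untrusted"`` -- otherwise ``wpc.conf.trusted_principals_fq``
      is extended with ``options.ignore_principal_list`` /
      ``options.ignore_principal_file`` (replacing the defaults when
      ``options.ignorenoone`` is set) or, when none are given, adjusted for
      "NT AUTHORITY\\TERMINAL SERVER USER" and Power Users; every name is
      then resolved into ``wpc.conf.trusted_principals``.

    Args:
        options: parsed command-line options; the attributes read are
            exploitable_by_list, exploitable_by_file, ignore_principal_list,
            ignore_principal_file, exploitable_by_me and ignorenoone.

    Calls ``sys.exit()`` when a list file cannot be read or the current
    process token cannot be examined.
    """
    exploitable_by_fq = []
    ignore_principals = []

    if options.exploitable_by_list:
        exploitable_by_fq = options.exploitable_by_list

    if options.exploitable_by_file:
        # The original error message read options.exploitablebyfile, an
        # attribute different from the one opened, so the handler itself
        # raised instead of exiting cleanly.
        exploitable_by_fq = exploitable_by_fq + _read_name_list(options.exploitable_by_file)

    if options.ignore_principal_list:
        ignore_principals = options.ignore_principal_list

    if options.ignore_principal_file:
        # The attribute tested is the one opened; the original opened
        # options.ignoreprincipalfile instead.
        ignore_principals = ignore_principals + _read_name_list(options.ignore_principal_file)

    # examine token, populate exploitable_by
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # Deny-only group SIDs can only deny access, so they must not
                # count towards what the current identity can exploit.
                if "|".join(g[1]).find("USE_FOR_DENY_ONLY") == -1:
                    wpc.conf.exploitable_by.append(g[0])
        except Exception:
            print("[E] Problem examining access token of current process")
            sys.exit()

    # check that each of the supplied names in exploitable_by resolves
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for t in exploitable_by_fq:
            p = _resolve_principal(t)
            if p is not None:
                wpc.conf.exploitable_by.append(p)
        print("Only reporting privesc issues for these users/groups:")
        for p in wpc.conf.exploitable_by:
            print("* " + p.get_fq_name())
        return

    wpc.conf.privesc_mode = "report_untrusted"

    # if user has specified list of trusted users, use only their list
    if ignore_principals:
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        # otherwise the user has not specified a list of trusted users. we intelligently tweak the list.
        # NOTE(review): the source was a single-line paste; the registry and
        # built-in group handling is read as belonging to this branch -- confirm.

        # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if
        # HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0 or doesn't exist
        # See http://support.microsoft.com/kb/238965 for details
        r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
        if r.is_present():
            v = r.get_value("TSUserEnabled")
            if v is None:
                print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
            elif v != 0:
                print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
                wpc.conf.trusted_principals_fq.append("NT AUTHORITY\TERMINAL SERVER USER")
            else:
                print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
        print("")

        # TODO we only want to ignore (trust) Server Operators, S-1-5-32-549,
        # if it doesn't resolve. ConvertStringSidToSid only parses the string
        # and does not raise for a well-formed SID, and the original appended
        # a leftover (or unbound) `p` in its except branch -- an unrelated
        # principal. Server Operators is therefore left out until the
        # intended resolve check is written.

        # TODO this always ignored power users. not what we want.
        # only want to ignore when group doesn't exist.
        try:
            wpc.conf.trusted_principals.append(
                Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
        except Exception:
            pass

    # populate wpc.conf.trusted_principals with the objects corresponding to trusted_principals_fq
    for t in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(t)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")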
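def _read_name_list(path):
    """Return the stripped lines of the text file at *path*.

    A file that cannot be opened or read is fatal for the run: an "[E]" line
    naming the file is printed and the process exits, as the inline code did.
    """
    try:
        with open(path) as fh:
            return [line.strip() for line in fh]
    except (IOError, OSError):
        print("[E] Error reading from file %s" % path)
        sys.exit()


def _resolve_principal(fq_name):
    """Resolve a fully-qualified account name to a ``Group`` or ``user`` object.

    The name is looked up on ``wpc.conf.remote_server``.  Returns ``None``
    after printing an "[E]" line when it does not resolve or cannot be
    wrapped.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, fq_name)
        if sid:
            p = principal(sid)
            if p.is_group_type():
                return Group(p.get_sid())
            return user(p.get_sid())
    except Exception:
        # Unknown names raise here; fall through to the message below.
        pass
    print("[E] can't look up sid for " + fq_name)
    return None


def define_trusted_principals(options):
    """Decide which principals the privesc checks treat as attackers or as trusted.

    Selects one of two modes, recorded in ``wpc.conf.privesc_mode``:

    * ``"exploitable_by"`` -- when ``options.exploitable_by_list`` /
      ``options.exploitable_by_file`` name principals, or
      ``options.exploitable_by_me`` is set (the current process token's
      owner and its groups, excluding deny-only ones, are used),
      ``wpc.conf.exploitable_by`` is populated and the function returns.
    * ``"report_untrusted"`` -- otherwise ``wpc.conf.trusted_principals_fq``
      is extended with ``options.ignore_principal_list`` /
      ``options.ignore_principal_file`` (replacing the defaults when
      ``options.ignorenoone`` is set) or, when none are given, adjusted for
      "NT AUTHORITY\\TERMINAL SERVER USER" and Power Users; every name is
      then resolved into ``wpc.conf.trusted_principals``.

    Args:
        options: parsed command-line options; the attributes read are
            exploitable_by_list, exploitable_by_file, ignore_principal_list,
            ignore_principal_file, exploitable_by_me and ignorenoone.

    Calls ``sys.exit()`` when a list file cannot be read or the current
    process token cannot be examined.
    """
    exploitable_by_fq = []
    ignore_principals = []

    if options.exploitable_by_list:
        exploitable_by_fq = options.exploitable_by_list

    if options.exploitable_by_file:
        # The original error message read options.exploitablebyfile, an
        # attribute different from the one opened, so the handler itself
        # raised instead of exiting cleanly.
        exploitable_by_fq = exploitable_by_fq + _read_name_list(options.exploitable_by_file)

    if options.ignore_principal_list:
        ignore_principals = options.ignore_principal_list

    if options.ignore_principal_file:
        # The attribute tested is the one opened; the original opened
        # options.ignoreprincipalfile instead.
        ignore_principals = ignore_principals + _read_name_list(options.ignore_principal_file)

    # examine token, populate exploitable_by
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # Deny-only group SIDs can only deny access, so they must not
                # count towards what the current identity can exploit.
                if "|".join(g[1]).find("USE_FOR_DENY_ONLY") == -1:
                    wpc.conf.exploitable_by.append(g[0])
        except Exception:
            print("[E] Problem examining access token of current process")
            sys.exit()

    # check that each of the supplied names in exploitable_by resolves
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for t in exploitable_by_fq:
            p = _resolve_principal(t)
            if p is not None:
                wpc.conf.exploitable_by.append(p)
        print("Only reporting privesc issues for these users/groups:")
        for p in wpc.conf.exploitable_by:
            print("* " + p.get_fq_name())
        return

    wpc.conf.privesc_mode = "report_untrusted"

    # if user has specified list of trusted users, use only their list
    if ignore_principals:
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        # otherwise the user has not specified a list of trusted users. we intelligently tweak the list.
        # NOTE(review): the source was a single-line paste; the registry and
        # built-in group handling is read as belonging to this branch -- confirm.

        # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if
        # HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0 or doesn't exist
        # See http://support.microsoft.com/kb/238965 for details
        r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
        if r.is_present():
            v = r.get_value("TSUserEnabled")
            if v is None:
                print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
            elif v != 0:
                print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
                wpc.conf.trusted_principals_fq.append("NT AUTHORITY\TERMINAL SERVER USER")
            else:
                print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
        print("")

        # TODO we only want to ignore (trust) Server Operators, S-1-5-32-549,
        # if it doesn't resolve. ConvertStringSidToSid only parses the string
        # and does not raise for a well-formed SID, and the original appended
        # a leftover (or unbound) `p` in its except branch -- an unrelated
        # principal. Server Operators is therefore left out until the
        # intended resolve check is written.

        # TODO this always ignored power users. not what we want.
        # only want to ignore when group doesn't exist.
        try:
            wpc.conf.trusted_principals.append(
                Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
        except Exception:
            pass

    # populate wpc.conf.trusted_principals with the objects corresponding to trusted_principals_fq
    for t in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(t)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")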