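def __fetchList(self, rpctransport):
    """Enumerate every user of the first domain reachable over *rpctransport*.

    Binds the SAMR interface on the transport, prints the domains the server
    reports, opens the first one and pages through its users with
    SamrEnumerateUsersInDomain, querying UserAllInformation for each.

    :param rpctransport: connected impacket RPC transport (``get_dce_rpc()`` is
        called on it); the caller supplies and owns it
    :return: list of ``(name, rid, UserAllInformation)`` tuples; partial when a
        ListUsersException is reported (it is logged, not raised)
    :raises DCERPCException: on any RPC error other than STATUS_MORE_ENTRIES
    """
    dce = rpctransport.get_dce_rpc()
    entries = []
    dce.connect()
    try:
        dce.bind(samr.MSRPC_UUID_SAMR)
        resp = samr.hSamrConnect(dce)
        serverHandle = resp['ServerHandle']

        resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
        domains = resp['Buffer']['Buffer']
        print('Found domain(s):')
        for domain in domains:
            print(" . %s" % domain['Name'])

        # Only the first domain the server lists is enumerated.
        domainName = domains[0]['Name']
        logging.info("Looking up users in domain %s", domainName)
        resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domainName)
        resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
        domainHandle = resp['DomainHandle']

        status = STATUS_MORE_ENTRIES
        enumerationContext = 0
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle,
                                                        enumerationContext=enumerationContext)
            except DCERPCException as e:
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
                if 'STATUS_MORE_ENTRIES' not in str(e):
                    raise
                resp = e.get_packet()

            for user in resp['Buffer']['Buffer']:
                # MAXIMUM_ALLOWED asks for whatever the object's DACL grants; a
                # narrower read-only mask may be enough for this query — confirm.
                r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
                print("Found user: %s, uid = %d" % (user['Name'], user['RelativeId']))
                try:
                    info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],
                                                           samr.USER_INFORMATION_CLASS.UserAllInformation)
                    entries.append((user['Name'], user['RelativeId'], info['Buffer']['All']))
                finally:
                    # Release the user handle even when the query fails.
                    samr.hSamrCloseHandle(dce, r['UserHandle'])

            enumerationContext = resp['EnumerationContext']
            status = resp['ErrorCode']
    except ListUsersException as e:
        logging.critical("Error listing users: %s", e)
    finally:
        # Tear the connection down on every exit path, including an
        # unexpected DCERPCException propagating out of the loop.
        dce.disconnect()

    return entries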
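def __fetchList(self, rpctransport):
    """Enumerate every user of the first domain reachable over *rpctransport*.

    Binds the SAMR interface, prints the domains the server reports, opens the
    first one and pages through its users with SamrEnumerateUsersInDomain,
    querying UserAllInformation for each.

    :param rpctransport: connected impacket RPC transport (``get_dce_rpc()`` is
        called on it); the caller supplies and owns it
    :return: list of ``(name, rid, UserAllInformation)`` tuples; partial when a
        ListUsersException is reported (it is printed, not raised)
    """
    dce = rpctransport.get_dce_rpc()
    entries = []
    dce.connect()
    try:
        dce.bind(samr.MSRPC_UUID_SAMR)
        resp = samr.hSamrConnect(dce)
        serverHandle = resp['ServerHandle']

        resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
        domains = resp['Buffer']['Buffer']
        print 'Found domain(s):'
        for domain in domains:
            print " . %s" % domain['Name']

        # Only the first domain the server lists is enumerated.
        domainName = domains[0]['Name']
        print "Looking up users in domain %s" % domainName
        resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domainName)
        resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
        domainHandle = resp['DomainHandle']

        # Read-only rights on each user object, narrower than MAXIMUM_ALLOWED.
        userAccess = samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT

        status = STATUS_MORE_ENTRIES
        enumerationContext = 0
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle,
                                                        enumerationContext=enumerationContext)
            except Exception, e:
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
                # Only impacket's DCERPCException provides get_packet(); the broad
                # catch is kept because that class may not be in scope here.
                if str(e).find('STATUS_MORE_ENTRIES') < 0:
                    raise
                resp = e.get_packet()

            for user in resp['Buffer']['Buffer']:
                r = samr.hSamrOpenUser(dce, domainHandle, userAccess, user['RelativeId'])
                print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'])
                try:
                    info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],
                                                           samr.USER_INFORMATION_CLASS.UserAllInformation)
                    entries.append((user['Name'], user['RelativeId'], info['Buffer']['All']))
                finally:
                    # Release the user handle even when the query fails.
                    samr.hSamrCloseHandle(dce, r['UserHandle'])

            enumerationContext = resp['EnumerationContext']
            status = resp['ErrorCode']
    except ListUsersException, e:
        print "Error listing users: %s" % e
    finally:
        # Tear the connection down on every exit path.
        dce.disconnect()

    return entries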
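def __fetchList(self, rpctransport):
    """Enumerate every user of the first domain reachable over *rpctransport*.

    Binds the SAMR interface, prints the domains the server reports, opens the
    first one and pages through its users with SamrEnumerateUsersInDomain,
    querying UserAllInformation for each.

    :param rpctransport: connected impacket RPC transport (``get_dce_rpc()`` is
        called on it); the caller supplies and owns it
    :return: list of ``(name, rid, UserAllInformation)`` tuples; partial when a
        ListUsersException is reported (it is printed, not raised)
    """
    dce = rpctransport.get_dce_rpc()
    entries = []
    dce.connect()
    try:
        dce.bind(samr.MSRPC_UUID_SAMR)
        resp = samr.hSamrConnect(dce)
        serverHandle = resp['ServerHandle']

        resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
        domains = resp['Buffer']['Buffer']
        print 'Found domain(s):'
        for domain in domains:
            print " . %s" % domain['Name']

        # Only the first domain the server lists is enumerated.
        domainName = domains[0]['Name']
        print "Looking up users in domain %s" % domainName
        resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domainName)
        resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
        domainHandle = resp['DomainHandle']

        # Read-only rights on each user object, narrower than MAXIMUM_ALLOWED.
        userAccess = samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT

        status = STATUS_MORE_ENTRIES
        enumerationContext = 0
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle,
                                                        enumerationContext=enumerationContext)
            except Exception, e:
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
                # Only impacket's DCERPCException provides get_packet(); the broad
                # catch is kept because that class may not be in scope here.
                if str(e).find('STATUS_MORE_ENTRIES') < 0:
                    raise
                resp = e.get_packet()

            for user in resp['Buffer']['Buffer']:
                r = samr.hSamrOpenUser(dce, domainHandle, userAccess, user['RelativeId'])
                print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'])
                try:
                    info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],
                                                           samr.USER_INFORMATION_CLASS.UserAllInformation)
                    entries.append((user['Name'], user['RelativeId'], info['Buffer']['All']))
                finally:
                    # Release the user handle even when the query fails.
                    samr.hSamrCloseHandle(dce, r['UserHandle'])

            enumerationContext = resp['EnumerationContext']
            status = resp['ErrorCode']
    except ListUsersException, e:
        print "Error listing users: %s" % e
    finally:
        # Tear the connection down on every exit path.
        dce.disconnect()

    return entries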
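def getDomainMachines(self):
    """Append the names of the domain's machine accounts to ``self.__machinesList``.

    Talks to the KDC host when one is configured, otherwise to the domain name,
    over SMB (port 445, the ``\\samr`` pipe), and pages through the first domain's
    accounts filtered by USER_WORKSTATION_TRUST_ACCOUNT.

    :raises Exception: when neither a KDC host nor a domain is configured
    :raises DCERPCException: on any RPC error other than STATUS_MORE_ENTRIES
    """
    if self.__kdcHost is not None:
        domainController = self.__kdcHost
    elif self.__domain != '':
        # Equality, not identity: 'is not' against a literal only works by accident.
        domainController = self.__domain
    else:
        raise Exception('A domain is needed!')

    logging.info('Getting machine\'s list from %s' % domainController)
    rpctransport = transport.SMBTransport(domainController, 445, r'\samr', self.__username, self.__password,
                                          self.__domain, self.__lmhash, self.__nthash, self.__aesKey,
                                          doKerberos=self.__doKerberos, kdcHost=self.__kdcHost)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    try:
        dce.bind(samr.MSRPC_UUID_SAMR)
        resp = samr.hSamrConnect(dce)
        serverHandle = resp['ServerHandle']

        resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
        domains = resp['Buffer']['Buffer']
        # Only the first domain the server lists is enumerated.
        domainName = domains[0]['Name']
        logging.info("Looking up users in domain %s" % domainName)
        resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domainName)
        resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
        domainHandle = resp['DomainHandle']

        status = STATUS_MORE_ENTRIES
        enumerationContext = 0
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, samr.USER_WORKSTATION_TRUST_ACCOUNT,
                                                        enumerationContext=enumerationContext)
            except DCERPCException, e:
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
                if str(e).find('STATUS_MORE_ENTRIES') < 0:
                    raise
                resp = e.get_packet()
            for user in resp['Buffer']['Buffer']:
                # The last character of the name is dropped (presumably the trailing
                # '$' of a machine account — confirm against real output).
                self.__machinesList.append(user['Name'][:-1])
                logging.debug('Machine name - rid: %s - %d' % (user['Name'], user['RelativeId']))
            enumerationContext = resp['EnumerationContext']
            status = resp['ErrorCode']
    finally:
        # Disconnect on every exit path; errors propagate with their original traceback.
        dce.disconnect()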
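def getDomainMachines(self):
    """Append the names of the domain's machine accounts to ``self.__machinesList``.

    Talks to the KDC host when one is configured, otherwise to the domain name,
    over SMB (port 445, the ``\\samr`` pipe), and pages through the first domain's
    accounts filtered by USER_WORKSTATION_TRUST_ACCOUNT.

    :raises Exception: when neither a KDC host nor a domain is configured
    :raises DCERPCException: on any RPC error other than STATUS_MORE_ENTRIES
    """
    if self.__kdcHost is not None:
        domainController = self.__kdcHost
    elif self.__domain != '':
        # Equality, not identity: 'is not' against a literal only works by accident.
        domainController = self.__domain
    else:
        raise Exception('A domain is needed!')

    logging.info("Getting machine's list from %s", domainController)
    rpctransport = transport.SMBTransport(domainController, 445, r'\samr', self.__username, self.__password,
                                          self.__domain, self.__lmhash, self.__nthash, self.__aesKey,
                                          doKerberos=self.__doKerberos, kdcHost=self.__kdcHost)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    try:
        dce.bind(samr.MSRPC_UUID_SAMR)
        resp = samr.hSamrConnect(dce)
        serverHandle = resp['ServerHandle']

        resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
        domains = resp['Buffer']['Buffer']
        # Only the first domain the server lists is enumerated.
        domainName = domains[0]['Name']
        logging.info("Looking up users in domain %s", domainName)
        resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domainName)
        resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
        domainHandle = resp['DomainHandle']

        status = STATUS_MORE_ENTRIES
        enumerationContext = 0
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, samr.USER_WORKSTATION_TRUST_ACCOUNT,
                                                        enumerationContext=enumerationContext)
            except DCERPCException as e:
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
                if 'STATUS_MORE_ENTRIES' not in str(e):
                    raise
                resp = e.get_packet()
            for user in resp['Buffer']['Buffer']:
                # The last character of the name is dropped (presumably the trailing
                # '$' of a machine account — confirm against real output).
                self.__machinesList.append(user['Name'][:-1])
                logging.debug('Machine name - rid: %s - %d', user['Name'], user['RelativeId'])
            enumerationContext = resp['EnumerationContext']
            status = resp['ErrorCode']
    finally:
        # Disconnect on every exit path; errors propagate with their original traceback.
        dce.disconnect()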
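def list_users(self, remote_name, remote_host):
    """
    List users

    :param remote_name: (string) remote name to use in rpc connection string
    :param remote_host: (string) remote host to connect to
    :return: (list) List of users found, each item contains (userName, RelativeId, UserAllInfo);
        partial when a ListUsersException is logged
    """
    # Create an DCE/RPC session
    rpc_transport = self.__set_rpc_connection(remote_name, remote_host)
    dce = self.__dce_connect(rpc_transport)
    entries = []
    try:
        # Obtain domain handle
        domain_handle = self.__obtain_domain_handle(dce)

        status = STATUS_MORE_ENTRIES
        enumeration_context = 0
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(dce, domain_handle,
                                                        enumerationContext=enumeration_context)
            except DCERPCException as e:
                if 'STATUS_MORE_ENTRIES' not in str(e):
                    raise ListUsersException(e)
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid
                # page; it must replace resp or the loop would reuse the previous
                # page (or fail on an unbound resp for the first one).
                resp = e.get_packet()

            for user in resp['Buffer']['Buffer']:
                # Get user information for each user
                r = samr.hSamrOpenUser(dce, domain_handle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
                try:
                    info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],
                                                           samr.USER_INFORMATION_CLASS.UserAllInformation)
                    entries.append((user['Name'], user['RelativeId'], info['Buffer']['All']))
                finally:
                    # Release the user handle even when the query fails.
                    samr.hSamrCloseHandle(dce, r['UserHandle'])

            enumeration_context = resp['EnumerationContext']
            status = resp['ErrorCode']
    except ListUsersException as e:
        logging.critical("Error listing users: %s", e)
    finally:
        # Tear the session down on every exit path.
        dce.disconnect()

    return entries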
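def getDomainUsers(self, enumerationContext=0):
    """Fetch one page of domain accounts over the cached SAMR binding.

    Connects SAMR on first use (``self.__samr`` is None) with the second item
    of ``getMachineNameAndDomain()`` — presumably the domain name; confirm.
    Normal, workstation-trust, server-trust and interdomain-trust accounts are
    requested together.

    :param enumerationContext: resume cookie from a previous page (0 = start)
    :return: the SamrEnumerateUsersInDomain response; an ``ErrorCode`` of
        STATUS_MORE_ENTRIES means another page is available and
        ``EnumerationContext`` is the cookie to pass for it
    :raises DCERPCException: on any RPC error other than STATUS_MORE_ENTRIES
    """
    if self.__samr is None:
        self.connectSamr(self.getMachineNameAndDomain()[1])

    accountTypes = (samr.USER_NORMAL_ACCOUNT
                    | samr.USER_WORKSTATION_TRUST_ACCOUNT
                    | samr.USER_SERVER_TRUST_ACCOUNT
                    | samr.USER_INTERDOMAIN_TRUST_ACCOUNT)
    try:
        resp = samr.hSamrEnumerateUsersInDomain(self.__samr, self.__domainHandle,
                                                userAccountControl=accountTypes,
                                                enumerationContext=enumerationContext)
    except DCERPCException, e:
        # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
        if str(e).find('STATUS_MORE_ENTRIES') < 0:
            raise
        resp = e.get_packet()
    # Hand the page to the caller instead of dropping it.
    return resp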
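def getDomainUsers(self, enumerationContext=0):
    """Fetch one page of domain accounts over the cached SAMR binding.

    Connects SAMR on first use (``self.__samr`` is None) with the second item
    of ``getMachineNameAndDomain()`` — presumably the domain name; confirm.
    Normal, workstation-trust, server-trust and interdomain-trust accounts are
    requested together.

    :param enumerationContext: resume cookie from a previous page (0 = start)
    :return: the SamrEnumerateUsersInDomain response; an ``ErrorCode`` of
        STATUS_MORE_ENTRIES means another page is available and
        ``EnumerationContext`` is the cookie to pass for it
    :raises DCERPCException: on any RPC error other than STATUS_MORE_ENTRIES
    """
    if self.__samr is None:
        self.connectSamr(self.getMachineNameAndDomain()[1])

    accountTypes = (samr.USER_NORMAL_ACCOUNT
                    | samr.USER_WORKSTATION_TRUST_ACCOUNT
                    | samr.USER_SERVER_TRUST_ACCOUNT
                    | samr.USER_INTERDOMAIN_TRUST_ACCOUNT)
    try:
        resp = samr.hSamrEnumerateUsersInDomain(self.__samr, self.__domainHandle,
                                                userAccountControl=accountTypes,
                                                enumerationContext=enumerationContext)
    except DCERPCException, e:
        # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
        if str(e).find('STATUS_MORE_ENTRIES') < 0:
            raise
        resp = e.get_packet()
    # Hand the page to the caller instead of dropping it.
    return resp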
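def __fetchList(self, rpctransport):
    """Enumerate every user of the first domain reachable over *rpctransport*.

    Binds the SAMR interface on the transport, prints the domains the server
    reports, opens the first one and pages through its users with
    SamrEnumerateUsersInDomain, querying UserAllInformation for each.

    :param rpctransport: connected impacket RPC transport (``get_dce_rpc()`` is
        called on it); the caller supplies and owns it
    :return: list of ``(name, rid, UserAllInformation)`` tuples; partial when a
        ListUsersException is reported (it is logged, not raised)
    :raises DCERPCException: on any RPC error other than STATUS_MORE_ENTRIES
    """
    dce = rpctransport.get_dce_rpc()
    entries = []
    dce.connect()
    try:
        dce.bind(samr.MSRPC_UUID_SAMR)
        resp = samr.hSamrConnect(dce)
        serverHandle = resp['ServerHandle']

        resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
        domains = resp['Buffer']['Buffer']
        print('Found domain(s):')
        for domain in domains:
            print(" . %s" % domain['Name'])

        # Only the first domain the server lists is enumerated.
        domainName = domains[0]['Name']
        logging.info("Looking up users in domain %s", domainName)
        resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domainName)
        resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
        domainHandle = resp['DomainHandle']

        status = STATUS_MORE_ENTRIES
        enumerationContext = 0
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle,
                                                        enumerationContext=enumerationContext)
            except DCERPCException as e:
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
                if 'STATUS_MORE_ENTRIES' not in str(e):
                    raise
                resp = e.get_packet()

            for user in resp['Buffer']['Buffer']:
                # MAXIMUM_ALLOWED asks for whatever the object's DACL grants; a
                # narrower read-only mask may be enough for this query — confirm.
                r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
                print("Found user: %s, uid = %d" % (user['Name'], user['RelativeId']))
                try:
                    info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],
                                                           samr.USER_INFORMATION_CLASS.UserAllInformation)
                    entries.append((user['Name'], user['RelativeId'], info['Buffer']['All']))
                finally:
                    # Release the user handle even when the query fails.
                    samr.hSamrCloseHandle(dce, r['UserHandle'])

            enumerationContext = resp['EnumerationContext']
            status = resp['ErrorCode']
    except ListUsersException as e:
        logging.critical("Error listing users: %s", e)
    finally:
        # Tear the connection down on every exit path, including an
        # unexpected DCERPCException propagating out of the loop.
        dce.disconnect()

    return entries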
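def fetchList(self, rpctransport):
    """Enumerate the users of the first domain on the SAMR server and record them.

    Stores the reported domain list in ``self.__domains``, appends each user
    name to ``self.users`` and emits one highlighted line per user (domain,
    name, AdminComment) through ``self.logger``.  An enumeration error is
    logged and stops the walk; whatever was collected so far is kept.

    :param rpctransport: impacket RPC transport the DCERPC_v5 binding is built on
    :raises Exception: when connect, domain enumeration, domain lookup or domain
        open reports a non-zero ErrorCode
    """
    dce = DCERPC_v5(rpctransport)
    dce.connect()
    try:
        dce.bind(samr.MSRPC_UUID_SAMR)

        # Setup Connection
        connectResp = samr.hSamrConnect2(dce)
        if connectResp['ErrorCode'] != 0:
            raise Exception('Connect error')
        serverHandle = connectResp['ServerHandle']

        domainsResp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle=serverHandle,
                                                            enumerationContext=0, preferedMaximumLength=500)
        if domainsResp['ErrorCode'] != 0:
            raise Exception('Connect error')

        # Only the first domain reported is enumerated.
        lookupResp = samr.hSamrLookupDomainInSamServer(dce, serverHandle=serverHandle,
                                                       name=domainsResp['Buffer']['Buffer'][0]['Name'])
        if lookupResp['ErrorCode'] != 0:
            raise Exception('Connect error')

        openResp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, desiredAccess=samr.MAXIMUM_ALLOWED,
                                        domainId=lookupResp['DomainId'])
        if openResp['ErrorCode'] != 0:
            raise Exception('Connect error')

        self.__domains = domainsResp['Buffer']['Buffer']
        domainHandle = openResp['DomainHandle']
        # End Setup

        status = STATUS_MORE_ENTRIES
        enumerationContext = 0
        failed = False
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle,
                                                        enumerationContext=enumerationContext)
            except DCERPCException as e:
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
                if 'STATUS_MORE_ENTRIES' not in str(e):
                    self.logger.error('Error enumerating domain user(s)')
                    failed = True
                    break
                resp = e.get_packet()

            for user in resp['Buffer']['Buffer']:
                r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
                try:
                    info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],
                                                           samr.USER_INFORMATION_CLASS.UserAllInformation)
                finally:
                    # Release the user handle even when the query fails.
                    samr.hSamrCloseHandle(dce, r['UserHandle'])
                info_user = info['Buffer']['All']
                self.logger.highlight('{}\\{:<30} {}'.format(self.domain, user['Name'], info_user['AdminComment']))
                self.users.append(user['Name'])

            enumerationContext = resp['EnumerationContext']
            status = resp['ErrorCode']

        # Report success once for the whole walk rather than once per page.
        if not failed:
            self.logger.success('Enumerated domain user(s)')
    finally:
        # Tear the binding down on every exit path.
        dce.disconnect()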
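def __samr_users(self, usrdomain=None):
    '''
    Enumerate users on the system and print a summary for each.

    Refreshes self.domains_dict through __samr_domains(True), then for every
    domain (or only usrdomain, compared case-insensitively) opens the domain
    over the existing SAMR binding, pages through SamrEnumerateUsersInDomain
    and collects (name, rid, UserAllInformation) into self.users_list.  The
    collected set is printed and then cleared.

    :param usrdomain: restrict the enumeration to this domain name; None = all
    :raises DCERPCException: on any RPC error other than STATUS_MORE_ENTRIES
    '''
    self.__samr_domains(True)
    for domain_name in self.domains_dict:
        if usrdomain and usrdomain.upper() != domain_name.upper():
            continue
        logger.info('Looking up users in domain %s' % domain_name)
        resp = samr.hSamrLookupDomainInSamServer(self.__dce, self.__mgr_handle, domain_name)
        resp = samr.hSamrOpenDomain(self.__dce, serverHandle=self.__mgr_handle, domainId=resp['DomainId'])
        self.__domain_context_handle = resp['DomainHandle']

        status = STATUS_MORE_ENTRIES
        enum_context = 0
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(self.__dce, self.__domain_context_handle,
                                                        enumerationContext=enum_context)
            except DCERPCException as e:
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
                if 'STATUS_MORE_ENTRIES' not in str(e):
                    raise
                resp = e.get_packet()
            for user in resp['Buffer']['Buffer']:
                r = samr.hSamrOpenUser(self.__dce, self.__domain_context_handle, samr.MAXIMUM_ALLOWED,
                                       user['RelativeId'])
                logger.debug('Found user %s (UID: %d)' % (user['Name'], user['RelativeId']))
                try:
                    info = samr.hSamrQueryInformationUser2(self.__dce, r['UserHandle'],
                                                           samr.USER_INFORMATION_CLASS.UserAllInformation)
                    self.users_list.add((user['Name'], user['RelativeId'], info['Buffer']['All']))
                finally:
                    # Release the user handle even when the query fails.
                    samr.hSamrCloseHandle(self.__dce, r['UserHandle'])
            enum_context = resp['EnumerationContext']
            status = resp['ErrorCode']

    if self.users_list:
        num = len(self.users_list)
        logger.info('Retrieved %d user%s' % (num, 's' if num > 1 else ''))
    else:
        logger.info('No users enumerated')

    for user, uid, info in self.users_list:
        self.__print_user_info(user, uid, info)
    # The set is consumed by this call; start fresh for the next one.
    self.users_list = set()

def __filetime_str(self, value):
    '''
    Render a 64-bit SAMR timestamp split into HighPart/LowPart as local time.

    :param value: structure with 'HighPart' and 'LowPart' fields
    :return: str(datetime) for a real timestamp, '<never>' for zero or for
        values outside the range datetime.fromtimestamp accepts
    '''
    raw = (value['HighPart'] << 32) + value['LowPart']
    if raw == 0:
        return '<never>'
    try:
        # getUnixTime presumably converts the Windows timestamp to a Unix epoch — confirm.
        return str(datetime.fromtimestamp(self.getUnixTime(raw)))
    except (ValueError, OverflowError, OSError):
        # Very large sentinel timestamps fall outside fromtimestamp's range; report them as never.
        return '<never>'

def __print_user_info(self, user, uid, info):
    '''
    Print the summary block for one user.

    Fields whose lookup or formatting raises ValueError are skipped so that one
    unreadable attribute does not abort the listing.

    :param user: account name
    :param uid: relative id
    :param info: UserAllInformation buffer of the account
    '''
    print(user)
    print(' User ID: %d' % uid)
    print(' Group ID: %d' % info['PrimaryGroupId'])
    uac = info['UserAccountControl']
    # USER_ACCOUNT_DISABLED set means the account is disabled, so "Enabled" is its inverse.
    print(' Enabled: %s' % ('False' if uac & samr.USER_ACCOUNT_DISABLED else 'True'))

    fields = [
        (' Logon count: %d', lambda: info['LogonCount']),
        (' Last Logon: %s', lambda: self.__filetime_str(info['LastLogon'])),
        (' Last Logoff: %s', lambda: self.__filetime_str(info['LastLogoff'])),
        (' Last password set: %s', lambda: self.__filetime_str(info['PasswordLastSet'])),
        (' Password expired: %s', lambda: 'True' if info['PasswordExpired'] != 0 else 'False'),
        (' Password does not expire: %s', lambda: 'True' if uac & samr.USER_DONT_EXPIRE_PASSWORD else 'False'),
        (' Password can change: %s', lambda: self.__filetime_str(info['PasswordCanChange'])),
        (' Password must change: %s', lambda: self.__filetime_str(info['PasswordMustChange'])),
        (' Bad password count: %d', lambda: info['BadPasswordCount']),
        (' Full name: %s', lambda: info['FullName']),
        (' Home directory: %s', lambda: info['HomeDirectory']),
        (' Home directory drive: %s', lambda: info['HomeDirectoryDrive']),
        (' Script path: %s', lambda: info['ScriptPath']),
        (' Profile path: %s', lambda: info['ProfilePath']),
        (' Admin comment: %s', lambda: info['AdminComment']),
        (' Workstations: %s', lambda: info['WorkStations']),
        (' User comment: %s', lambda: info['UserComment']),
    ]
    for label, render in fields:
        try:
            print(label % render())
        except ValueError:
            pass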
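def __fetchUserList(self, rpctransport):
    """Yield ``(domain, name, rid, UserAllInformation)`` for each user of the first domain.

    Generator: the SAMR connection stays open while the caller iterates and is
    disconnected when the generator finishes, raises, or is closed early.
    Users that the server refuses to open or query (DCERPCSessionError) are
    skipped, best-effort.

    :param rpctransport: connected impacket RPC transport (``get_dce_rpc()`` is called on it)
    :raises DCERPCException: on any RPC error other than STATUS_MORE_ENTRIES
    """
    dce = rpctransport.get_dce_rpc()
    domain = None
    dce.connect()
    try:
        dce.bind(samr.MSRPC_UUID_SAMR)
        resp = samr.hSamrConnect(dce)
        serverHandle = resp['ServerHandle']

        resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
        domains = resp['Buffer']['Buffer']
        # Only the first domain the server lists is enumerated.
        domain = domains[0]['Name']
        resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domain)
        resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
        domainHandle = resp['DomainHandle']

        status = STATUS_MORE_ENTRIES
        enumerationContext = 0
        while status == STATUS_MORE_ENTRIES:
            try:
                resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle,
                                                        enumerationContext=enumerationContext)
            except DCERPCException as e:
                # STATUS_MORE_ENTRIES is raised as an error but carries a valid page.
                if 'STATUS_MORE_ENTRIES' not in str(e):
                    raise
                resp = e.get_packet()

            for user in resp['Buffer']['Buffer']:
                try:
                    r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
                    try:
                        info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],
                                                               samr.USER_INFORMATION_CLASS.UserAllInformation)
                    finally:
                        # Close the handle before yielding so it is not held while
                        # the consumer runs or if the consumer stops iterating.
                        samr.hSamrCloseHandle(dce, r['UserHandle'])
                except DCERPCSessionError:
                    continue
                yield (domain, user['Name'], user['RelativeId'], info['Buffer']['All'])

            enumerationContext = resp['EnumerationContext']
            status = resp['ErrorCode']
    except ListUsersException as e:
        print("Error listing users: %s" % e)
    finally:
        # Runs on normal exhaustion, on error and on generator.close().
        dce.disconnect()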
def enumerate(dce, domain_handle):
    """Return one SamrEnumerateUsersInDomain response for *domain_handle* over *dce*.

    Thin wrapper around impacket's helper using its default arguments.  Note
    that the name shadows the builtin ``enumerate`` within this module.
    """
    response = samr.hSamrEnumerateUsersInDomain(dce, domain_handle)
    return response