def fetchList(self, rpctransport): dce = DCERPC_v5(rpctransport) dce.connect() dce.bind(samr.MSRPC_UUID_SAMR) # Setup Connection resp = samr.hSamrConnect2(dce) if resp['ErrorCode'] != 0: raise Exception('Connect error') resp2 = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle=resp['ServerHandle'], enumerationContext=0, preferedMaximumLength=500) if resp2['ErrorCode'] != 0: raise Exception('Connect error') resp3 = samr.hSamrLookupDomainInSamServer(dce, serverHandle=resp['ServerHandle'], name=resp2['Buffer']['Buffer'][0]['Name']) if resp3['ErrorCode'] != 0: raise Exception('Connect error') resp4 = samr.hSamrOpenDomain(dce, serverHandle=resp['ServerHandle'], desiredAccess=samr.MAXIMUM_ALLOWED, domainId=resp3['DomainId']) if resp4['ErrorCode'] != 0: raise Exception('Connect error') self.__domains = resp2['Buffer']['Buffer'] domainHandle = resp4['DomainHandle'] # End Setup re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle, domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation) self.__min_pass_len = re['Buffer']['Password']['MinPasswordLength'] or "None" self.__pass_hist_len = re['Buffer']['Password']['PasswordHistoryLength'] or "None" self.__max_pass_age = convert(int(re['Buffer']['Password']['MaxPasswordAge']['LowPart']), int(re['Buffer']['Password']['MaxPasswordAge']['HighPart'])) self.__min_pass_age = convert(int(re['Buffer']['Password']['MinPasswordAge']['LowPart']), int(re['Buffer']['Password']['MinPasswordAge']['HighPart'])) self.__pass_prop = d2b(re['Buffer']['Password']['PasswordProperties']) re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle, domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation) self.__rst_accnt_lock_counter = convert(0, re['Buffer']['Lockout']['LockoutObservationWindow'], lockout=True) self.__lock_accnt_dur = convert(0, re['Buffer']['Lockout']['LockoutDuration'], lockout=True) self.__accnt_lock_thres = re['Buffer']['Lockout']['LockoutThreshold'] or "None" re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle, domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation) self.__force_logoff_time = convert(re['Buffer']['Logoff']['ForceLogoff']['LowPart'], re['Buffer']['Logoff']['ForceLogoff']['HighPart']) self.pass_pol = {'min_pass_len': self.__min_pass_len, 'pass_hist_len': self.__pass_hist_len, 'max_pass_age': self.__max_pass_age, 'min_pass_age': self.__min_pass_age, 'pass_prop': self.__pass_prop, 'rst_accnt_lock_counter': self.__rst_accnt_lock_counter, 'lock_accnt_dur': self.__lock_accnt_dur, 'accnt_lock_thres': self.__accnt_lock_thres, 'force_logoff_time': self.__force_logoff_time}
def fetchList(self, rpctransport): dce = DCERPC_v5(rpctransport) dce.connect() dce.bind(samr.MSRPC_UUID_SAMR) # Setup Connection resp = samr.hSamrConnect2(dce) if resp['ErrorCode'] != 0: raise Exception('Connect error') resp2 = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle=resp['ServerHandle'], enumerationContext=0, preferedMaximumLength=500) if resp2['ErrorCode'] != 0: raise Exception('Connect error') resp3 = samr.hSamrLookupDomainInSamServer(dce, serverHandle=resp['ServerHandle'], name=resp2['Buffer']['Buffer'][0]['Name']) if resp3['ErrorCode'] != 0: raise Exception('Connect error') resp4 = samr.hSamrOpenDomain(dce, serverHandle=resp['ServerHandle'], desiredAccess=samr.MAXIMUM_ALLOWED, domainId=resp3['DomainId']) if resp4['ErrorCode'] != 0: raise Exception('Connect error') self.__domains = resp2['Buffer']['Buffer'] domainHandle = resp4['DomainHandle'] # End Setup re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle, domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation) self.__min_pass_len = re['Buffer']['Password']['MinPasswordLength'] or "None" self.__pass_hist_len = re['Buffer']['Password']['PasswordHistoryLength'] or "None" self.__max_pass_age = convert(int(re['Buffer']['Password']['MaxPasswordAge']['LowPart']), int(re['Buffer']['Password']['MaxPasswordAge']['HighPart'])) self.__min_pass_age = convert(int(re['Buffer']['Password']['MinPasswordAge']['LowPart']), int(re['Buffer']['Password']['MinPasswordAge']['HighPart'])) self.__pass_prop = d2b(re['Buffer']['Password']['PasswordProperties']) re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle, domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation) self.__rst_accnt_lock_counter = convert(0, re['Buffer']['Lockout']['LockoutObservationWindow'], lockout=True) self.__lock_accnt_dur = convert(0, re['Buffer']['Lockout']['LockoutDuration'], lockout=True) self.__accnt_lock_thres = re['Buffer']['Lockout']['LockoutThreshold'] or "None" re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle, domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation) self.__force_logoff_time = convert(re['Buffer']['Logoff']['ForceLogoff']['LowPart'], re['Buffer']['Logoff']['ForceLogoff']['HighPart']) self.pass_pol = {'min_pass_len': self.__min_pass_len, 'pass_hist_len': self.__pass_hist_len, 'max_pass_age': self.__max_pass_age, 'min_pass_age': self.__min_pass_age, 'pass_prop': self.__pass_prop, 'rst_accnt_lock_counter': self.__rst_accnt_lock_counter, 'lock_accnt_dur': self.__lock_accnt_dur, 'accnt_lock_thres': self.__accnt_lock_thres, 'force_logoff_time': self.__force_logoff_time}
def get_pass_pol(self, host, rpctransport, dce, domainHandle): resp = samr.hSamrQueryInformationDomain(dce, domainHandle, samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation) min_pass_len = resp['Buffer']['Password']['MinPasswordLength'] pass_hst_len = resp['Buffer']['Password']['PasswordHistoryLength'] self.__logger.results('Minimum password length: {}'.format(min_pass_len)) self.__logger.results('Password history length: {}'.format(pass_hst_len)) max_pass_age = self.convert(resp['Buffer']['Password']['MaxPasswordAge']['LowPart'], resp['Buffer']['Password']['MaxPasswordAge']['HighPart'], 1) min_pass_age = self.convert(resp['Buffer']['Password']['MinPasswordAge']['LowPart'], resp['Buffer']['Password']['MinPasswordAge']['HighPart'], 1) self.__logger.results('Maximum password age: {}'.format(max_pass_age)) self.__logger.results('Minimum password age: {}'.format(min_pass_age)) resp = samr.hSamrQueryInformationDomain2(dce, domainHandle,samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation) lock_threshold = int(resp['Buffer']['Lockout']['LockoutThreshold']) self.__logger.results("Account lockout threshold: {}".format(lock_threshold)) lock_duration = None if lock_threshold != 0: lock_duration = int(resp['Buffer']['Lockout']['LockoutDuration']) / -600000000 self.__logger.results("Account lockout duration: {}".format(lock_duration))
def get_pass_pol(self, host, rpctransport, dce, domainHandle): try: resp = samr.hSamrQueryInformationDomain( dce, domainHandle, samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation) min_pass_len = resp['Buffer']['Password']['MinPasswordLength'] pass_hst_len = resp['Buffer']['Password']['PasswordHistoryLength'] self.logger.highlight( 'Minimum password length: {}'.format(min_pass_len)) self.logger.highlight( 'Password history length: {}'.format(pass_hst_len)) max_pass_age = self.convert( resp['Buffer']['Password']['MaxPasswordAge']['LowPart'], resp['Buffer']['Password']['MaxPasswordAge']['HighPart'], 1) min_pass_age = self.convert( resp['Buffer']['Password']['MinPasswordAge']['LowPart'], resp['Buffer']['Password']['MinPasswordAge']['HighPart'], 1) self.logger.highlight( 'Maximum password age: {}'.format(max_pass_age)) self.logger.highlight( 'Minimum password age: {}'.format(min_pass_age)) resp = samr.hSamrQueryInformationDomain2( dce, domainHandle, samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation) lock_threshold = int(resp['Buffer']['Lockout']['LockoutThreshold']) self.logger.highlight( "Account lockout threshold: {}".format(lock_threshold)) lock_duration = None if lock_threshold != 0: lock_duration = int( resp['Buffer']['Lockout']['LockoutDuration']) / -600000000 self.logger.highlight( "Account lockout duration: {}".format(lock_duration)) except Exception as e: self.logger.error("{}".format(e))
def __samr_pswpolicy(self, usrdomain=None): self.__samr_domains(False) for domain_name, domain in self.domains_dict.items(): if usrdomain and usrdomain.upper() != domain_name.upper(): continue print('Looking up password policy in domain %s' % domain_name) resp = samr.hSamrLookupDomainInSamServer( self.__dce, serverHandle=self.__mgr_handle, name=domain_name) if resp['ErrorCode'] != 0: raise Exception('Connect error') resp = samr.hSamrOpenDomain(self.__dce, serverHandle=self.__mgr_handle, desiredAccess=samr.MAXIMUM_ALLOWED, domainId=resp['DomainId']) if resp['ErrorCode'] != 0: raise Exception('Connect error') domainHandle = resp['DomainHandle'] # End Setup domain_passwd = samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation re = samr.hSamrQueryInformationDomain2( self.__dce, domainHandle=domainHandle, domainInformationClass=domain_passwd) self.__min_pass_len = ( re['Buffer']['Password']['MinPasswordLength'] or "None") pass_hist_len = re['Buffer']['Password']['PasswordHistoryLength'] self.__pass_hist_len = pass_hist_len or "None" self.__max_pass_age = convert( int(re['Buffer']['Password']['MaxPasswordAge']['LowPart']), int(re['Buffer']['Password']['MaxPasswordAge']['HighPart'])) self.__min_pass_age = convert( int(re['Buffer']['Password']['MinPasswordAge']['LowPart']), int(re['Buffer']['Password']['MinPasswordAge']['HighPart'])) self.__pass_prop = d2b( re['Buffer']['Password']['PasswordProperties']) domain_lockout = samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation re = samr.hSamrQueryInformationDomain2( self.__dce, domainHandle=domainHandle, domainInformationClass=domain_lockout) self.__rst_accnt_lock_counter = convert( 0, re['Buffer']['Lockout']['LockoutObservationWindow'], lockout=True) self.__lock_accnt_dur = convert( 0, re['Buffer']['Lockout']['LockoutDuration'], lockout=True) self.__accnt_lock_thres = re['Buffer']['Lockout'][ 'LockoutThreshold'] or "None" domain_logoff = samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation re = samr.hSamrQueryInformationDomain2( self.__dce, domainHandle=domainHandle, domainInformationClass=domain_logoff) self.__force_logoff_time = convert( re['Buffer']['Logoff']['ForceLogoff']['LowPart'], re['Buffer']['Logoff']['ForceLogoff']['HighPart']) self.print_friendly()
def enumPasswordPolicy(self): rpctransport = transport.SMBTransport(self.__addr, self.__port, r'\samr', self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, doKerberos=self.__doKerberos) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(samr.MSRPC_UUID_SAMR) resp = samr.hSamrConnect(dce) serverHandle = resp['ServerHandle'] resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle) domains = resp['Buffer']['Buffer'] domain = domains[0]["Name"] resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domains[0]['Name']) resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId']) domainHandle = resp['DomainHandle'] if self.__host_domain == "": domain = "WORKGROUP" else: domain = self.__host_domain resp = samr.hSamrQueryInformationDomain( dce, domainHandle, samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation) pass_complexity = resp['Buffer']['Password']['PasswordProperties'] min_pass_len = resp['Buffer']['Password']['MinPasswordLength'] pass_hst_len = resp['Buffer']['Password']['PasswordHistoryLength'] max_pass_age = self.__convert( resp['Buffer']['Password']['MaxPasswordAge']['LowPart'], resp['Buffer']['Password']['MaxPasswordAge']['HighPart'], 1) min_pass_age = self.__convert( resp['Buffer']['Password']['MinPasswordAge']['LowPart'], resp['Buffer']['Password']['MinPasswordAge']['HighPart'], 1) resp = samr.hSamrQueryInformationDomain2( dce, domainHandle, samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation) lock_threshold = int(resp['Buffer']['Lockout']['LockoutThreshold']) lock_duration = None if lock_threshold != 0: lock_duration = int( resp['Buffer']['Lockout']['LockoutDuration']) / -600000000 dce.disconnect() return { 'complexity': pass_complexity, 'minimum_length': min_pass_len, 'history_length': pass_hst_len, 'maximum_age': max_pass_age, 'minimum_age': min_pass_age, 'lock_threshold': lock_threshold, 'lock_duration': lock_duration, }
def enumerate_password_policy(self, dce, domain_handle): # This method is a refactored and cleaned up version of polenum.py. I had a hard time finding the true # author of polenum.py to give credit.. Give me a shout if you're out there! domain_passwd = samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation resp = samr.hSamrQueryInformationDomain2( dce, domainHandle=domain_handle, domainInformationClass=domain_passwd) policy = resp['Buffer']['Password'] minimum_len = policy['MinPasswordLength'] or "None" history = policy['PasswordHistoryLength'] or "None" maximum_age = self.convert_policy( int(policy['MaxPasswordAge']['LowPart']), int(policy['MaxPasswordAge']['HighPart'])) minimum_pass_age = self.convert_policy( int(policy['MinPasswordAge']['LowPart']), int(policy['MinPasswordAge']['HighPart'])) password_props = policy['PasswordProperties'] complexity_binary = [] while password_props: complexity_binary.append(password_props % 2) password_props /= 2 com_binary = complexity_binary[::-1] if len(com_binary) != 8: for x in xrange(6 - len(com_binary)): com_binary.insert(0, 0) password_props = ''.join([str(value) for value in com_binary]) domain_lockout = samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation resp = samr.hSamrQueryInformationDomain2( dce, domainHandle=domain_handle, domainInformationClass=domain_lockout) lockout = resp['Buffer']['Lockout'] lockout_observation = self.convert_policy( 0, lockout['LockoutObservationWindow'], lockout=True) lockout_duration = self.convert_policy(0, lockout['LockoutDuration'], lockout=True) lockout_threshold = lockout['LockoutThreshold'] or "None" domain_logoff = samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation resp = samr.hSamrQueryInformationDomain2( dce, domainHandle=domain_handle, domainInformationClass=domain_logoff) logoff = resp['Buffer']['Logoff']['ForceLogoff'] logoff_time = self.convert_policy(logoff['LowPart'], logoff['HighPart']) domain_complexity = { 5: 'Domain Password Complex:', 4: 'Domain Password No Anon Change:', 3: 'Domain Password No Clear Change:', 2: 'Domain Password Lockout Admins:', 1: 'Domain Password Store Cleartext:', 0: 'Domain Refuse Password Change:' } self.log.info( "\n\t[+] Minimum password length: {0}".format(minimum_len)) self.log.info("\t[+] Password history length: {0}".format(history)) self.log.info("\t[+] Maximum password age: {0}".format(maximum_age)) self.log.info("\t[+] Password Complexity Flags: {0}\n".format( password_props or "None")) for i, a in enumerate(password_props): self.log.info("\t\t[+] {0} {1}".format(domain_complexity[i], str(a))) self.log.info( "\n\t[+] Minimum password age: {0}".format(minimum_pass_age)) self.log.info("\t[+] Reset Account Lockout Counter: {0}".format( lockout_observation)) self.log.info( "\t[+] Locked Account Duration: {0}".format(lockout_duration)) self.log.info( "\t[+] Account Lockout Threshold: {0}".format(lockout_threshold)) self.log.info("\t[+] Forced Log off Time: {0}\n".format(logoff_time))