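 def get_entity(dce, domain_handle, samr_obj):
     """Open the account described by ``samr_obj`` and return it as a ``User``.

     :param dce: DCE/RPC connection already bound to the SAMR interface
     :param domain_handle: handle returned by SamrOpenDomain
     :param samr_obj: enumeration entry exposing 'Name' and 'RelativeId'
     :return: ``User(name, rid, UserAllInformation buffer)``
     :raises samr.DCERPCSessionError: propagated from the SAMR calls
     """
     resp = samr.hSamrOpenUser(dce,
                               domain_handle,
                               userId=samr_obj['RelativeId'])
     user_handle = resp['UserHandle']
     try:
         info = samr.hSamrQueryInformationUser2(
             dce, user_handle,
             samr.USER_INFORMATION_CLASS.UserAllInformation)
         return User(samr_obj['Name'], samr_obj['RelativeId'],
                     info['Buffer']['All'])
     finally:
         # Close the SAM handle on the error path too; the original only
         # closed it when the query succeeded, leaking one server-side
         # handle per failing RID.
         samr.hSamrCloseHandle(dce, user_handle)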
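	def __fetchlist(self, rpctransport):
		"""Connect over SAMR, open group ``self.rid`` in the first domain and
		collect the account name of every member.

		Each member name has '$' stripped (computer accounts) and, when
		``self.fqdn`` is set, the FQDN appended. With ``self.dns_lookup`` the
		name is handed to ``self.get_ip`` on its own thread; otherwise it is
		logged and appended to ``self.data``. Per-member SAMR failures are
		logged at debug level and skipped; a failure to open the group itself
		propagates to the caller.

		:param rpctransport: impacket transport already carrying credentials
		:raises samr.DCERPCSessionError: if the SAM server, domain or group
			cannot be opened
		"""
		dce = rpctransport.get_dce_rpc()
		dce.connect()
		try:
			dce.bind(samr.MSRPC_UUID_SAMR)
			resp = samr.hSamrConnect(dce)
			serverHandle = resp['ServerHandle']
			resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
			domains = resp['Buffer']['Buffer']
			# Only the first (account) domain is used; Builtin is ignored.
			domain_name = domains[0]['Name']

			self.log.info('[+] Found domain: {0}'.format(domain_name))
			self.log.info("[*] Enumerating RID {0} in the {1} domain..\n".format(self.rid, domain_name))
			resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domain_name)
			resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
			domainHandle = resp['DomainHandle']

			request = samr.SamrOpenGroup()
			request['DomainHandle'] = domainHandle
			request['DesiredAccess'] = samr.MAXIMUM_ALLOWED
			request['GroupId'] = self.rid
			# A DCERPCSessionError here (e.g. STATUS_NO_SUCH_GROUP) is left to
			# the caller; the original wrapped it in a try/except that only
			# re-raised, which added nothing.
			resp = dce.request(request)
			groupHandle = resp['GroupHandle']

			try:
				request = samr.SamrGetMembersInGroup()
				request['GroupHandle'] = groupHandle
				resp = dce.request(request)
				rids = resp.fields['Members'].fields['Data'].fields['Members'].fields['Data'].fields['Data']
			finally:
				# The group handle was never closed in the original.
				samr.hSamrCloseHandle(dce, groupHandle)

			mutex = Lock()
			for rid in rids:
				try:
					resp = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, rid.fields['Data'])
				except samr.DCERPCSessionError as e:
					# Occasionally ACCESS_DENIED is raised even though the caller
					# has rights, and STATUS_NO_SUCH_USER for a RID the server just
					# reported as a member; skip the entry either way.
					self.log.debug(e)
					continue
				userHandle = resp['UserHandle']
				try:
					rid_data = samr.hSamrQueryInformationUser2(dce, userHandle, samr.USER_INFORMATION_CLASS.UserAllInformation)
				except samr.DCERPCSessionError as e:
					self.log.debug(e)
					continue
				finally:
					# Close on both paths; the original leaked the handle when
					# the query failed.
					samr.hSamrCloseHandle(dce, userHandle)

				name = rid_data['Buffer']['All']['UserName'].replace('$', '')
				if self.fqdn:
					name = name + '.' + self.fqdn

				if self.dns_lookup:
					# Threading because DNS lookups are slow
					t = Thread(target=self.get_ip, args=(name, mutex,))
					t.start()
				else:
					self.log.info(name)
					self.data.append(name)
		finally:
			# Always release the SMB/DCE session, including when an RPC call
			# above raised; the original skipped disconnect() on any error.
			dce.disconnect()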
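    def enumerate_users_in_group(self, dce, domain_handle):
        """Resolve every member of group ``self.rid`` to an account name.

        Opens the group, reads its member RIDs via SamrGetMembersInGroup and
        queries UserAllInformation for each. Names have '$' stripped and, if
        ``self.fqdn`` is set, the FQDN appended; they are then either passed
        to ``self.get_ip`` on a worker thread (``self.dns_lookup``) or logged
        and appended to ``self.data``.

        :param dce: DCE/RPC connection bound to SAMR
        :param domain_handle: open domain handle the group lives in
        :raises samr.DCERPCSessionError: if the group cannot be opened or its
            members cannot be read (per-user failures are skipped instead)
        """
        request = samr.SamrOpenGroup()
        request['DomainHandle'] = domain_handle
        request['DesiredAccess'] = samr.MAXIMUM_ALLOWED
        request['GroupId'] = self.rid
        # STATUS_NO_SUCH_GROUP and friends propagate to the caller unchanged.
        resp = dce.request(request)
        group_handle = resp['GroupHandle']

        try:
            request = samr.SamrGetMembersInGroup()
            request['GroupHandle'] = group_handle
            resp = dce.request(request)
        finally:
            # The group handle is no longer needed once the member list is in;
            # the original never closed it.
            samr.hSamrCloseHandle(dce, group_handle)
        self.log.info(
            '[*] Group RID detected. Enumerating users/hosts in group..\n')

        try:
            rids = resp['Members']['Members']
        except AttributeError:
            self.log.info('[-] No users in group')
            return

        mutex = Lock()
        for rid in rids:
            try:
                resp = samr.hSamrOpenUser(dce, domain_handle,
                                          samr.MAXIMUM_ALLOWED, rid['Data'])
            except samr.DCERPCSessionError as e:
                # Occasionally ACCESS_DENIED is raised even though the caller
                # has rights, and STATUS_NO_SUCH_USER for a RID the server just
                # reported as a member; skip the entry either way.
                self.log.debug(e)
                continue
            user_handle = resp['UserHandle']
            try:
                rid_data = samr.hSamrQueryInformationUser2(
                    dce, user_handle,
                    samr.USER_INFORMATION_CLASS.UserAllInformation)
            except samr.DCERPCSessionError as e:
                self.log.debug(e)
                continue
            finally:
                # Close on both paths; the original leaked the handle when the
                # query failed.
                samr.hSamrCloseHandle(dce, user_handle)

            name = rid_data['Buffer']['All']['UserName'].replace('$', '')
            if self.fqdn:
                name = name + '.' + self.fqdn

            if self.dns_lookup:
                # Threading because DNS lookups are slow
                t = Thread(target=self.get_ip, args=(name, mutex,))
                t.start()
            else:
                self.log.info(name)
                self.data.append(name)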
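    def __fetchList(self, rpctransport):
        """Enumerate every user of the first SAM domain reachable on ``rpctransport``.

        Pages through SamrEnumerateUsersInDomain (impacket surfaces
        STATUS_MORE_ENTRIES as an exception whose packet is still a valid
        reply) and fetches UserAllInformation for each account.

        :param rpctransport: impacket transport carrying the credentials
        :return: list of ``(name, rid, UserAllInformation)`` tuples
        :raises DCERPCException: for any RPC failure other than
            STATUS_MORE_ENTRIES (ListUsersException is logged and swallowed)
        """
        dce = rpctransport.get_dce_rpc()

        entries = []

        dce.connect()

        try:
            dce.bind(samr.MSRPC_UUID_SAMR)

            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle']

            resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
            domains = resp['Buffer']['Buffer']

            print('Found domain(s):')
            for domain in domains:
                print(" . %s" % domain['Name'])

            # Only the first (account) domain is dumped; Builtin is skipped.
            logging.info("Looking up users in domain %s" % domains[0]['Name'])

            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domains[0]['Name'])

            resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
            domainHandle = resp['DomainHandle']

            status = STATUS_MORE_ENTRIES
            enumerationContext = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext=enumerationContext)
                except DCERPCException as e:
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        raise
                    # The reply attached to the exception is the current page.
                    resp = e.get_packet()

                for user in resp['Buffer']['Buffer']:
                    # MAXIMUM_ALLOWED takes whatever the caller is granted. A
                    # read-only dump only needs USER_READ_GENERAL |
                    # USER_READ_PREFERENCES | USER_READ_ACCOUNT; that is the
                    # least-privilege request if the noisier one is a concern.
                    r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
                    userHandle = r['UserHandle']
                    print("Found user: %s, uid = %d" % (user['Name'], user['RelativeId']))
                    try:
                        info = samr.hSamrQueryInformationUser2(dce, userHandle, samr.USER_INFORMATION_CLASS.UserAllInformation)
                        entries.append((user['Name'], user['RelativeId'], info['Buffer']['All']))
                    finally:
                        # Close on the error path too; the original leaked the
                        # handle when the query failed.
                        samr.hSamrCloseHandle(dce, userHandle)

                enumerationContext = resp['EnumerationContext']
                status = resp['ErrorCode']

        except ListUsersException as e:
            logging.critical("Error listing users: %s" % e)
        finally:
            # Release the session even when an RPC call raised; the original
            # skipped disconnect() on any exception other than
            # ListUsersException.
            dce.disconnect()

        return entries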
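    def __fetchList(self, rpctransport):
        """Enumerate every user of the first SAM domain on ``rpctransport``.

        Pages through SamrEnumerateUsersInDomain (impacket surfaces
        STATUS_MORE_ENTRIES as an exception whose packet is still a valid
        reply) and fetches UserAllInformation for each account, printing
        progress as it goes.

        :param rpctransport: impacket transport carrying the credentials
        :return: list of ``(name, rid, UserAllInformation)`` tuples. The
            original built this list but never returned it.
        """
        dce = rpctransport.get_dce_rpc()

        entries = []

        dce.connect()
        dce.bind(samr.MSRPC_UUID_SAMR)

        try:
            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle']

            resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
            domains = resp['Buffer']['Buffer']

            print('Found domain(s):')
            for domain in domains:
                print(" . %s" % domain['Name'])

            # Only the first (account) domain is dumped; Builtin is skipped.
            print("Looking up users in domain %s" % domains[0]['Name'])

            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domains[0]['Name'])

            resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
            domainHandle = resp['DomainHandle']

            status = STATUS_MORE_ENTRIES
            enumerationContext = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext=enumerationContext)
                except Exception as e:
                    # Only the DCERPC "more entries" status is expected here;
                    # its packet is the current page. Anything else re-raises.
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        raise
                    resp = e.get_packet()

                for user in resp['Buffer']['Buffer']:
                    # Least privilege: ask only for the read rights the query
                    # needs rather than MAXIMUM_ALLOWED.
                    r = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, user['RelativeId'])
                    userHandle = r['UserHandle']
                    print("Found user: %s, uid = %d" % (user['Name'], user['RelativeId']))

                    try:
                        info = samr.hSamrQueryInformationUser2(dce, userHandle, samr.USER_INFORMATION_CLASS.UserAllInformation)
                        entries.append((user['Name'], user['RelativeId'], info['Buffer']['All']))
                    finally:
                        # Close on the error path too; the original leaked the
                        # handle when the query failed.
                        samr.hSamrCloseHandle(dce, userHandle)

                enumerationContext = resp['EnumerationContext']
                status = resp['ErrorCode']

        except ListUsersException as e:
            print("Error listing users: %s" % e)
        finally:
            # This method opened the session, so it releases it; the original
            # never disconnected.
            dce.disconnect()

        return entries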
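    def __fetchList(self, rpctransport):
        """Enumerate every user of the first SAM domain on ``rpctransport``.

        Pages through SamrEnumerateUsersInDomain (impacket surfaces
        STATUS_MORE_ENTRIES as an exception whose packet is still a valid
        reply) and fetches UserAllInformation for each account, printing
        progress as it goes.

        :param rpctransport: impacket transport carrying the credentials
        :return: list of ``(name, rid, UserAllInformation)`` tuples. The
            original built this list but never returned it.
        """
        dce = rpctransport.get_dce_rpc()

        entries = []

        dce.connect()
        dce.bind(samr.MSRPC_UUID_SAMR)

        try:
            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle']

            resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
            domains = resp['Buffer']['Buffer']

            print('Found domain(s):')
            for domain in domains:
                print(" . %s" % domain['Name'])

            # Only the first (account) domain is dumped; Builtin is skipped.
            print("Looking up users in domain %s" % domains[0]['Name'])

            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domains[0]['Name'])

            resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
            domainHandle = resp['DomainHandle']

            status = STATUS_MORE_ENTRIES
            enumerationContext = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext=enumerationContext)
                except Exception as e:
                    # Only the DCERPC "more entries" status is expected here;
                    # its packet is the current page. Anything else re-raises.
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        raise
                    resp = e.get_packet()

                for user in resp['Buffer']['Buffer']:
                    # Least privilege: ask only for the read rights the query
                    # needs rather than MAXIMUM_ALLOWED.
                    r = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, user['RelativeId'])
                    userHandle = r['UserHandle']
                    print("Found user: %s, uid = %d" % (user['Name'], user['RelativeId']))

                    try:
                        info = samr.hSamrQueryInformationUser2(dce, userHandle, samr.USER_INFORMATION_CLASS.UserAllInformation)
                        entries.append((user['Name'], user['RelativeId'], info['Buffer']['All']))
                    finally:
                        # Close on the error path too; the original leaked the
                        # handle when the query failed.
                        samr.hSamrCloseHandle(dce, userHandle)

                enumerationContext = resp['EnumerationContext']
                status = resp['ErrorCode']

        except ListUsersException as e:
            print("Error listing users: %s" % e)
        finally:
            # This method opened the session, so it releases it; the original
            # never disconnected.
            dce.disconnect()

        return entries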
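    def list_users(self, remote_name, remote_host):
        """
        List users
        :param remote_name: (string) remote name to use in rpc connection string
        :param remote_host: (string) remote host to connect to
        :return: (list) List of users found, each item contains (userName, RelativeId, UserAllInfo)

        Pages through SamrEnumerateUsersInDomain; impacket reports
        STATUS_MORE_ENTRIES as a DCERPCException whose packet is still the
        current page. Other RPC errors are wrapped in ListUsersException,
        which is logged and results in a (possibly partial) list.
        """
        # Create an DCE/RPC session
        rpc_transport = self.__set_rpc_connection(remote_name, remote_host)
        dce = self.__dce_connect(rpc_transport)
        entries = []

        try:
            # Obtain domain handle
            domain_handle = self.__obtain_domain_handle(dce)
            status = STATUS_MORE_ENTRIES
            enumeration_context = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(
                        dce,
                        domain_handle,
                        enumerationContext=enumeration_context)
                except DCERPCException as e:
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        raise ListUsersException(e)
                    # Bug fix: take the page carried by the exception. Without
                    # this the loop body reused the previous page (or hit an
                    # unbound 'resp' on the first iteration) whenever the
                    # server returned more than one page of users.
                    resp = e.get_packet()

                for user in resp['Buffer']['Buffer']:
                    # Get user information for each user
                    r = samr.hSamrOpenUser(dce, domain_handle,
                                           samr.MAXIMUM_ALLOWED,
                                           user['RelativeId'])
                    user_handle = r['UserHandle']
                    try:
                        info = samr.hSamrQueryInformationUser2(
                            dce, user_handle,
                            samr.USER_INFORMATION_CLASS.UserAllInformation)
                        entries.append((user['Name'], user['RelativeId'],
                                        info['Buffer']['All']))
                    finally:
                        # Close on the error path too; the original leaked the
                        # handle when the query failed.
                        samr.hSamrCloseHandle(dce, user_handle)

                enumeration_context = resp['EnumerationContext']
                status = resp['ErrorCode']

        except ListUsersException as e:
            logging.critical("Error listing users: %s" % e)
        finally:
            # Release the session on every path, not only on success.
            dce.disconnect()

        return entries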
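    def __fetchList(self, rpctransport):
        """Enumerate every user of the first SAM domain reachable on ``rpctransport``.

        Pages through SamrEnumerateUsersInDomain (impacket surfaces
        STATUS_MORE_ENTRIES as an exception whose packet is still a valid
        reply) and fetches UserAllInformation for each account.

        :param rpctransport: impacket transport carrying the credentials
        :return: list of ``(name, rid, UserAllInformation)`` tuples
        :raises DCERPCException: for any RPC failure other than
            STATUS_MORE_ENTRIES (ListUsersException is logged and swallowed)
        """
        dce = rpctransport.get_dce_rpc()

        entries = []

        dce.connect()

        try:
            dce.bind(samr.MSRPC_UUID_SAMR)

            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle']

            resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
            domains = resp['Buffer']['Buffer']

            print('Found domain(s):')
            for domain in domains:
                print(" . %s" % domain['Name'])

            # Only the first (account) domain is dumped; Builtin is skipped.
            logging.info("Looking up users in domain %s" % domains[0]['Name'])

            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,
                                                     domains[0]['Name'])

            resp = samr.hSamrOpenDomain(dce,
                                        serverHandle=serverHandle,
                                        domainId=resp['DomainId'])
            domainHandle = resp['DomainHandle']

            status = STATUS_MORE_ENTRIES
            enumerationContext = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(
                        dce,
                        domainHandle,
                        enumerationContext=enumerationContext)
                except DCERPCException as e:
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        raise
                    # The reply attached to the exception is the current page.
                    resp = e.get_packet()

                for user in resp['Buffer']['Buffer']:
                    # MAXIMUM_ALLOWED takes whatever the caller is granted. A
                    # read-only dump only needs USER_READ_GENERAL |
                    # USER_READ_PREFERENCES | USER_READ_ACCOUNT; that is the
                    # least-privilege request if the noisier one is a concern.
                    r = samr.hSamrOpenUser(dce, domainHandle,
                                           samr.MAXIMUM_ALLOWED,
                                           user['RelativeId'])
                    userHandle = r['UserHandle']
                    print("Found user: %s, uid = %d" %
                          (user['Name'], user['RelativeId']))
                    try:
                        info = samr.hSamrQueryInformationUser2(
                            dce, userHandle,
                            samr.USER_INFORMATION_CLASS.UserAllInformation)
                        entries.append((user['Name'], user['RelativeId'],
                                        info['Buffer']['All']))
                    finally:
                        # Close on the error path too; the original leaked the
                        # handle when the query failed.
                        samr.hSamrCloseHandle(dce, userHandle)

                enumerationContext = resp['EnumerationContext']
                status = resp['ErrorCode']

        except ListUsersException as e:
            logging.critical("Error listing users: %s" % e)
        finally:
            # Release the session even when an RPC call raised; the original
            # skipped disconnect() on any exception other than
            # ListUsersException.
            dce.disconnect()

        return entries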
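class SAMRGroupDump:
    """Dump the members of one SAM group over MS-SAMR (\\pipe\\samr, TCP 445).

    ``dump()`` connects to ``target`` with the supplied credentials, opens the
    group identified by ``rid`` in the first domain the server reports and
    collects each member's account name (with any trailing '$' of computer
    accounts removed) into ``data``. With ``dns_lookup`` every name is
    instead handed to ``self.get_ip`` on its own thread; that method is not
    part of this excerpt and must be provided elsewhere.

    Note: ``password`` is kept in clear on the instance for the transport;
    do not log or serialise the object.
    """

    def __init__(self, username, password, domain, target, rid, dns_lookup,
                 output):
        self.username = username
        self.password = password
        self.domain = domain
        self.port = 445
        self.target = target
        self.rid = rid
        self.dns_lookup = dns_lookup
        self.log = logging.getLogger('')
        self.output_file = ""
        self.data = []

        # Normalise the report file name; an empty/None output means "none".
        if output:
            if not output.endswith(".txt"):
                output += ".txt"
            self.output_file = output

    @classmethod
    def from_args(cls, args):
        """Build an instance from an argparse-style namespace."""
        return cls(args.username, args.password, args.domain, args.target,
                   args.rid, args.dns_lookup, args.output)

    def dump(self):
        """Connect to ``self.target`` over SMB named pipes and run the dump."""
        self.log.info('[*] Retrieving endpoint list from {0}'.format(
            self.target))
        stringbinding = r'ncacn_np:{0}[\pipe\samr]'.format(self.target)
        logging.debug('StringBinding {0}'.format(stringbinding))
        rpctransport = transport.DCERPCTransportFactory(stringbinding)
        rpctransport.set_dport(self.port)
        rpctransport.setRemoteHost(self.target)

        if hasattr(rpctransport, 'set_credentials'):
            rpctransport.set_credentials(self.username, self.password,
                                         self.domain)

        self.__fetchlist(rpctransport)

    def __fetchlist(self, rpctransport):
        """Open group ``self.rid`` in the first domain and record its members.

        :param rpctransport: transport already carrying the credentials
        :raises Exception: any SAMR failure, including a group that does not
            exist (STATUS_NO_SUCH_GROUP) or ACCESS_DENIED
        """
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        try:
            dce.bind(samr.MSRPC_UUID_SAMR)
            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle']
            resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
            domains = resp['Buffer']['Buffer']
            # Only the first (account) domain is used; Builtin is ignored.
            domain_name = domains[0]['Name']

            self.log.info('[+] Found domain: {0}'.format(domain_name))
            self.log.info("[*] Enumerating RID {0} in the {1} domain..\n".format(
                self.rid, domain_name))
            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,
                                                     domain_name)
            resp = samr.hSamrOpenDomain(dce,
                                        serverHandle=serverHandle,
                                        domainId=resp['DomainId'])
            domainHandle = resp['DomainHandle']

            request = samr.SamrOpenGroup()
            request['DomainHandle'] = domainHandle
            request['DesiredAccess'] = samr.MAXIMUM_ALLOWED
            request['GroupId'] = self.rid
            # Any failure to open the group is fatal. The original swallowed
            # every error except STATUS_NO_SUCH_DOMAIN and then read
            # 'GroupHandle' from the stale SamrOpenDomain reply, which
            # surfaced as a confusing KeyError instead of the real status.
            resp = dce.request(request)
            groupHandle = resp['GroupHandle']

            try:
                request = samr.SamrGetMembersInGroup()
                request['GroupHandle'] = groupHandle
                resp = dce.request(request)
                domain_computers = resp.fields['Members'].fields['Data'].fields[
                    'Members'].fields['Data'].fields['Data']
            finally:
                # The group handle was never closed in the original.
                samr.hSamrCloseHandle(dce, groupHandle)

            mutex = Lock()
            for host in domain_computers:
                resp = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED,
                                          host.fields['Data'])
                userHandle = resp['UserHandle']
                try:
                    rid_data = samr.hSamrQueryInformationUser2(
                        dce, userHandle,
                        samr.USER_INFORMATION_CLASS.UserAllInformation)
                finally:
                    # Close on the error path too.
                    samr.hSamrCloseHandle(dce, userHandle)
                name = rid_data['Buffer']['All']['UserName'].replace('$', '')

                if self.dns_lookup:
                    # Threading because DNS lookups are slow
                    t = Thread(target=self.get_ip, args=(
                        name,
                        mutex,
                    ))
                    t.start()
                else:
                    self.log.info(name)
                    self.data.append(name)
        finally:
            # Release the session on every path; the original skipped
            # disconnect() whenever an RPC call raised.
            dce.disconnect()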
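    def fetchList(self, rpctransport):
        """Enumerate the users of the first SAM domain and record their names.

        Opens the SAM server, looks up and opens the first reported domain,
        then pages through SamrEnumerateUsersInDomain. For every account the
        name and AdminComment are printed via ``self.logger.highlight`` and
        the name appended to ``self.users``; the domain list is kept in
        ``self.__domains``.

        :param rpctransport: impacket transport carrying the credentials
        :raises Exception: 'Connect error' if any setup reply carries a
            non-zero ErrorCode (impacket normally raises DCERPCSessionError
            first, so these checks are a second line of defence)
        """
        dce = DCERPC_v5(rpctransport)
        dce.connect()
        try:
            dce.bind(samr.MSRPC_UUID_SAMR)

            # Setup Connection
            resp = samr.hSamrConnect2(dce)
            if resp['ErrorCode'] != 0:
                raise Exception('Connect error')
            serverHandle = resp['ServerHandle']

            resp2 = samr.hSamrEnumerateDomainsInSamServer(
                dce,
                serverHandle=serverHandle,
                enumerationContext=0,
                preferedMaximumLength=500)
            if resp2['ErrorCode'] != 0:
                raise Exception('Connect error')

            # Only the first (account) domain is dumped; Builtin is skipped.
            resp3 = samr.hSamrLookupDomainInSamServer(
                dce,
                serverHandle=serverHandle,
                name=resp2['Buffer']['Buffer'][0]['Name'])
            if resp3['ErrorCode'] != 0:
                raise Exception('Connect error')

            resp4 = samr.hSamrOpenDomain(dce,
                                         serverHandle=serverHandle,
                                         desiredAccess=samr.MAXIMUM_ALLOWED,
                                         domainId=resp3['DomainId'])
            if resp4['ErrorCode'] != 0:
                raise Exception('Connect error')

            self.__domains = resp2['Buffer']['Buffer']
            domainHandle = resp4['DomainHandle']
            # End Setup

            status = STATUS_MORE_ENTRIES
            enumerationContext = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(
                        dce, domainHandle, enumerationContext=enumerationContext)
                except DCERPCException as e:
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        self.logger.error('Error enumerating domain user(s)')
                        break
                    # The reply attached to the exception is the current page.
                    resp = e.get_packet()
                # Logged once per page, as in the original.
                self.logger.success('Enumerated domain user(s)')
                for user in resp['Buffer']['Buffer']:
                    r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED,
                                           user['RelativeId'])
                    userHandle = r['UserHandle']
                    try:
                        info = samr.hSamrQueryInformationUser2(
                            dce, userHandle,
                            samr.USER_INFORMATION_CLASS.UserAllInformation)
                    finally:
                        # Close on the error path too; the original leaked the
                        # handle when the query failed.
                        samr.hSamrCloseHandle(dce, userHandle)
                    info_user = info['Buffer']['All']
                    self.logger.highlight('{}\\{:<30} {}'.format(
                        self.domain, user['Name'], info_user['AdminComment']))
                    self.users.append(user['Name'])

                enumerationContext = resp['EnumerationContext']
                status = resp['ErrorCode']
        finally:
            # Release the session on every path; the original skipped
            # disconnect() whenever a setup step raised.
            dce.disconnect()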
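    def __samr_users(self, usrdomain=None):
        '''
        Enumerate users on the system

        For every domain known to the SAM server (or only ``usrdomain`` when
        given, compared case-insensitively) the domain is opened, its users
        paged through SamrEnumerateUsersInDomain and UserAllInformation
        fetched per RID. A report is printed per user; ``self.users_list``
        accumulates the tuples for one domain and is reset afterwards.

        :param usrdomain: optional domain name restricting the enumeration
        :raises DCERPCException: for any RPC failure other than
            STATUS_MORE_ENTRIES, which impacket raises for a valid page
        '''
        self.__samr_domains(True)

        def filetime_str(ft):
            # FILETIME arrives as two 32-bit halves; 0 means "never".
            # Sentinels such as 0x7FFFFFFFFFFFFFFF (also "never") overflow
            # fromtimestamp; the original handled that only for
            # PasswordMustChange, via a bare except, and crashed on the other
            # timestamps. Report those as <never> too instead of aborting.
            value = (ft['HighPart'] << 32) + ft['LowPart']
            if value == 0:
                return '<never>'
            try:
                return str(datetime.fromtimestamp(self.getUnixTime(value)))
            except (ValueError, OverflowError, OSError):
                return '<never>'

        for domain_name in self.domains_dict:
            if usrdomain and usrdomain.upper() != domain_name.upper():
                continue

            logger.info('Looking up users in domain %s' % domain_name)

            resp = samr.hSamrLookupDomainInSamServer(self.__dce,
                                                     self.__mgr_handle,
                                                     domain_name)
            resp = samr.hSamrOpenDomain(self.__dce,
                                        serverHandle=self.__mgr_handle,
                                        domainId=resp['DomainId'])
            # Kept on the instance (other methods may rely on it), so it is
            # deliberately not closed here.
            self.__domain_context_handle = resp['DomainHandle']

            status = STATUS_MORE_ENTRIES
            enum_context = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(
                        self.__dce,
                        self.__domain_context_handle,
                        enumerationContext=enum_context)
                except DCERPCException as e:
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        raise
                    # The reply attached to the exception is the current page.
                    resp = e.get_packet()

                for user in resp['Buffer']['Buffer']:
                    r = samr.hSamrOpenUser(self.__dce,
                                           self.__domain_context_handle,
                                           samr.MAXIMUM_ALLOWED,
                                           user['RelativeId'])
                    user_handle = r['UserHandle']
                    logger.debug('Found user %s (UID: %d)' %
                                 (user['Name'], user['RelativeId']))
                    try:
                        info = samr.hSamrQueryInformationUser2(
                            self.__dce, user_handle,
                            samr.USER_INFORMATION_CLASS.UserAllInformation)
                    finally:
                        # Close on the error path too; the original leaked the
                        # handle when the query failed.
                        samr.hSamrCloseHandle(self.__dce, user_handle)
                    self.users_list.add((user['Name'], user['RelativeId'],
                                         info['Buffer']['All']))

                enum_context = resp['EnumerationContext']
                status = resp['ErrorCode']

            if self.users_list:
                num = len(self.users_list)
                logger.info('Retrieved %d user%s' %
                            (num, 's' if num > 1 else ''))
            else:
                logger.info('No users enumerated')

            for user, uid, info in self.users_list:
                print(user)
                print('  User ID: %d' % uid)
                print('  Group ID: %d' % info['PrimaryGroupId'])

                # Bug fix: the original printed "Enabled: True" when the
                # USER_ACCOUNT_DISABLED bit was set (the variable was named
                # account_disabled but printed under the Enabled label).
                if info['UserAccountControl'] & samr.USER_ACCOUNT_DISABLED:
                    enabled = 'False'
                else:
                    enabled = 'True'
                print('  Enabled: %s' % enabled)

                print('  Logon count: %d' % info['LogonCount'])
                print('  Last Logon: %s' % filetime_str(info['LastLogon']))
                print('  Last Logoff: %s' % filetime_str(info['LastLogoff']))
                print('  Last password set: %s' %
                      filetime_str(info['PasswordLastSet']))

                # PasswordExpired is a UCHAR; the original only handled 0 and 1
                # and hit a NameError on any other value.
                password_expired = 'True' if info['PasswordExpired'] else 'False'
                print('  Password expired: %s' % password_expired)

                if info['UserAccountControl'] & samr.USER_DONT_EXPIRE_PASSWORD:
                    dont_expire = 'True'
                else:
                    dont_expire = 'False'
                print('  Password does not expire: %s' % dont_expire)

                print('  Password can change: %s' %
                      filetime_str(info['PasswordCanChange']))
                print('  Password must change: %s' %
                      filetime_str(info['PasswordMustChange']))
                print('  Bad password count: %d' % info['BadPasswordCount'])
                print('  Full name: %s' % info['FullName'])
                print('  Home directory: %s' % info['HomeDirectory'])
                print('  Home directory drive: %s' %
                      info['HomeDirectoryDrive'])
                print('  Script path: %s' % info['ScriptPath'])
                print('  Profile path: %s' % info['ProfilePath'])
                print('  Admin comment: %s' % info['AdminComment'])
                print('  Workstations: %s' % info['WorkStations'])
                print('  User comment: %s' % info['UserComment'])

            self.users_list = set()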
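    def __fetchUserList(self, rpctransport):
        """Yield ``(domain, name, rid, UserAllInformation)`` for every user of
        the first SAM domain reachable on ``rpctransport``.

        This is a generator: the SAMR session stays open while the caller
        iterates and is released when the generator finishes or is closed.
        Accounts whose open/query fails with DCERPCSessionError (for example
        ACCESS_DENIED or STATUS_NO_SUCH_USER) are skipped.

        :param rpctransport: impacket transport carrying the credentials
        :raises DCERPCException: for any RPC failure other than
            STATUS_MORE_ENTRIES (ListUsersException is printed and swallowed)
        """
        dce = rpctransport.get_dce_rpc()

        domain = None

        dce.connect()
        try:
            dce.bind(samr.MSRPC_UUID_SAMR)

            try:
                resp = samr.hSamrConnect(dce)
                serverHandle = resp['ServerHandle']

                resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
                domains = resp['Buffer']['Buffer']

                # Only the first (account) domain is dumped; Builtin is skipped.
                domain = domains[0]['Name']

                resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,
                                                         domains[0]['Name'])

                resp = samr.hSamrOpenDomain(dce,
                                            serverHandle=serverHandle,
                                            domainId=resp['DomainId'])
                domainHandle = resp['DomainHandle']

                status = STATUS_MORE_ENTRIES
                enumerationContext = 0
                while status == STATUS_MORE_ENTRIES:
                    try:
                        resp = samr.hSamrEnumerateUsersInDomain(
                            dce,
                            domainHandle,
                            enumerationContext=enumerationContext)
                    except DCERPCException as e:
                        if str(e).find('STATUS_MORE_ENTRIES') < 0:
                            raise
                        # The reply attached to the exception is the current page.
                        resp = e.get_packet()

                    for user in resp['Buffer']['Buffer']:
                        try:
                            r = samr.hSamrOpenUser(dce, domainHandle,
                                                   samr.MAXIMUM_ALLOWED,
                                                   user['RelativeId'])
                            try:
                                info = samr.hSamrQueryInformationUser2(
                                    dce, r['UserHandle'],
                                    samr.USER_INFORMATION_CLASS.UserAllInformation)
                            finally:
                                samr.hSamrCloseHandle(dce, r['UserHandle'])
                        except DCERPCSessionError:
                            continue
                        # Yield only after the handle is closed: in the original
                        # the close came after the yield, so a consumer that
                        # stopped iterating early left the SAM handle open.
                        yield (domain, user['Name'], user['RelativeId'],
                               info['Buffer']['All'])

                    enumerationContext = resp['EnumerationContext']
                    status = resp['ErrorCode']

            except ListUsersException as e:
                print("Error listing users: %s" % e)
        finally:
            # Runs on completion, on error and on generator close, so the
            # session is released even if the consumer abandons the iteration.
            dce.disconnect()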