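def enum_sessions(self):
    """Enumerate active sessions on the target through MS-SRVS NetrSessionEnum.

    Info level 502 (client name, user, open count, active and idle time) is
    requested first; only when the server refuses it does the code fall back
    to level 0, of which just the client name is read.  Sessions whose client
    name matches ``self.local_ip`` are skipped.  Nothing is returned: results
    go to ``self.logger``.  If both levels fail the method returns silently.
    """
    dce, _rpctransport = self.connect('srvsvc')
    level = 502
    try:
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
        sessions = resp['InfoStruct']['SessionInfo']['Level502']['Buffer']
    except Exception:
        # Fall back only when 502 failed; the previous version re-queried
        # level 0 unconditionally and so always discarded the 502 result.
        level = 0
        try:
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
            sessions = resp['InfoStruct']['SessionInfo']['Level0']['Buffer']
        except Exception:
            return
    self.logger.success("Enumerating active sessions")
    for session in sessions:
        # The comparison strips the trailing NUL of cname; the printed value
        # keeps it.  NOTE(review): whether cname also carries a leading '\\'
        # (which would make the local_ip comparison never match) is not
        # visible here — confirm against live output.
        if level == 502:
            if session['sesi502_cname'][:-1] != self.local_ip:
                self.logger.highlight(u'\\\\{} {} [opens:{} time:{} idle:{}]'.format(
                    session['sesi502_cname'], session['sesi502_username'],
                    session['sesi502_num_opens'], session['sesi502_time'],
                    session['sesi502_idle_time']))
        elif level == 0:
            if session['sesi0_cname'][:-1] != self.local_ip:
                self.logger.highlight(u'\\\\{}'.format(session['sesi0_cname']))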
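def enum_sessions(self):
    """Enumerate active sessions on the target through MS-SRVS NetrSessionEnum.

    Info level 502 (client name, user, open count, active and idle time) is
    requested first; only when the server refuses it does the code fall back
    to level 0, of which just the client name is read.  Sessions whose client
    name matches ``self.local_ip`` are skipped.  Nothing is returned: results
    go to ``self.logger``.  If both levels fail the method returns silently.
    """
    dce, _rpctransport = self.connect('srvsvc')
    level = 502
    try:
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
        sessions = resp['InfoStruct']['SessionInfo']['Level502']['Buffer']
    except Exception:
        # Fall back only when 502 failed; the previous version re-queried
        # level 0 unconditionally and so always discarded the 502 result.
        level = 0
        try:
            resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
            sessions = resp['InfoStruct']['SessionInfo']['Level0']['Buffer']
        except Exception:
            return
    self.logger.success("Enumerating active sessions")
    for session in sessions:
        # The comparison strips the trailing NUL of cname; the printed value
        # keeps it.  NOTE(review): whether cname also carries a leading '\\'
        # (which would make the local_ip comparison never match) is not
        # visible here — confirm against live output.
        if level == 502:
            if session['sesi502_cname'][:-1] != self.local_ip:
                self.logger.highlight(
                    u'\\\\{} {} [opens:{} time:{} idle:{}]'.format(
                        session['sesi502_cname'], session['sesi502_username'],
                        session['sesi502_num_opens'], session['sesi502_time'],
                        session['sesi502_idle_time']))
        elif level == 0:
            if session['sesi0_cname'][:-1] != self.local_ip:
                self.logger.highlight(u'\\\\{}'.format(
                    session['sesi0_cname']))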
def test_hNetrSessionEnum(self):
    """Smoke-test NetrSessionEnum at each info level the server may accept.

    Every call must complete without raising; the responses are not inspected
    (call ``resp.dump()`` on one of them for a verbose view).
    """
    dce, _ = self.connect()
    for level in (0, 1, 2, 10, 502):
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
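def rpc_get_sessions(self):
    """Enumerate the interactive sessions on this host (NetrSessionEnum level 10).

    Returns a list of ``{'user', 'source', 'target'}`` dicts; ``[]`` when the
    server answers access denied (on the page's own reading: likely a patched
    OS); ``None`` when no RPC connection could be made or the pipe broke during
    the call.  Any other DCERPC error propagates.  The RPC handle is released
    on every path, including the error returns.
    """
    binding = r'ncacn_np:%s[\PIPE\srvsvc]' % self.addr
    dce = self.dce_rpc_connect(binding, srvs.MSRPC_UUID_SRVS)
    if dce is None:
        return
    try:
        try:
            resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
        except DCERPCException as e:
            if 'rpc_s_access_denied' in str(e):
                logging.debug('Access denied while enumerating Sessions on %s, likely a patched OS', self.hostname)
                return []
            raise
        except Exception as e:
            if 'Broken pipe' in str(e):
                return
            raise
        sessions = []
        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            entry = self._session_entry(session)
            if entry is None:
                continue
            logging.info('User %s is logged in on %s from %s', entry['user'], self.hostname, entry['source'])
            sessions.append(entry)
        return sessions
    finally:
        # Previously only the success path disconnected; the handle leaked on
        # access-denied, broken-pipe and re-raise.  A failing disconnect must
        # not mask the outcome above, so it is only logged.
        try:
            dce.disconnect()
        except Exception:
            logging.debug('Failed to disconnect from %s', binding)


def _session_entry(self, session):
    """Turn one Level10 session record into a result dict, or None to skip it.

    Skipped records: empty client address, our own account, empty user name,
    machine accounts (trailing '$') and loopback sources.  Client names arrive
    as '\\\\<addr>' with a trailing NUL; both are stripped, and a bracketed
    IPv6 literal loses its brackets.
    """
    userName = session['sesi10_username'][:-1]
    ip = session['sesi10_cname'][:-1]
    # Strip \\ from IPs
    if ip[:2] == '\\\\':
        ip = ip[2:]
    # Skip empty IPs
    if ip == '':
        return None
    # Skip our connection
    if userName == self.ad.auth.username:
        return None
    # Skip empty usernames
    if len(userName) == 0:
        return None
    # Skip machine accounts
    if userName[-1] == '$':
        return None
    # Skip local connections
    if ip in ('127.0.0.1', '[::1]'):
        return None
    # IPv6 address
    if ip[0] == '[' and ip[-1] == ']':
        ip = ip[1:-1]
    return {'user': userName, 'source': ip, 'target': self.hostname}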
def test_hNetrSessionDel(self):
    """Delete the first session the server reports at level 502.

    The enumeration response is dumped, then NetrSessionDel is issued for the
    first buffer entry.  An error code of 0x908 (presumably "client name not
    found", i.e. the session vanished in between) is tolerated; anything else
    is re-raised.
    """
    dce, _ = self.connect()
    resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 502)
    resp.dump()
    try:
        first = resp['InfoStruct']['SessionInfo']['Level502']['Buffer'][0]
        resp = srvs.hNetrSessionDel(dce, first['sesi502_cname'], first['sesi502_username'])
        resp.dump()
    except Exception as e:
        if e.get_error_code() != 0x908:
            raise
def test_hNetrSessionDel(self):
    """Delete the first session the server reports at level 502.

    The enumeration response is dumped, then NetrSessionDel is issued for the
    first buffer entry.  An error code of 0x908 (presumably "client name not
    found", i.e. the session vanished in between) is tolerated; anything else
    is re-raised.  ``except ... as e`` is valid on Python 2.6+ as well.
    """
    dce, _ = self.connect()
    resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 502)
    resp.dump()
    try:
        first = resp['InfoStruct']['SessionInfo']['Level502']['Buffer'][0]
        resp = srvs.hNetrSessionDel(dce, first['sesi502_cname'], first['sesi502_username'])
        resp.dump()
    except Exception as e:
        if e.get_error_code() != 0x908:
            raise
def get_netsession(self):
    """Return the host's level-10 session records wrapped as ``rpcobj.Session``.

    A DCERPC failure (for example access denied) yields an empty list instead
    of an exception.
    """
    try:
        resp = srvs.hNetrSessionEnum(self._rpc_connection, '\x00', NULL, 10)
    except DCERPCException:
        return []
    records = resp['InfoStruct']['SessionInfo']['Level10']['Buffer']
    return [rpcobj.Session(record) for record in records]
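def who(self):
    """Print every session the server reports at info level 502.

    Opens the srvsvc pipe through ``self.smb_transport``, binds MS-SRVS and
    prints one line per session: client name, user, active and idle time
    values, client type and transport (trailing NUL stripped from each
    string).  The DCE/RPC handle kept in ``self.__dce`` is released even when
    the bind or the enumeration fails.
    """
    self.smb_transport('srvsvc')
    self.__dce = self.trans.get_dce_rpc()
    self.__dce.connect()
    try:
        self.__dce.bind(srvs.MSRPC_UUID_SRVS)
        resp = srvs.hNetrSessionEnum(self.__dce, NULL, NULL, 502)
        for session in resp['InfoStruct']['SessionInfo']['Level502']['Buffer']:
            print("Host: %15s, user: %5s, active: %5d, idle: %5d, type: %5s, transport: %s" % (
                session['sesi502_cname'][:-1],
                session['sesi502_username'][:-1],
                session['sesi502_time'],
                session['sesi502_idle_time'],
                session['sesi502_cltype_name'][:-1],
                session['sesi502_transport'][:-1]))
    finally:
        # Previously only reached on success; a failing call leaked the handle.
        self.__dce.disconnect()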
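def do_who(self, line):
    """Shell command: list the sessions open on the connected host (level 10).

    Requires an authenticated SMB connection (``self.loggedIn``); prints one
    line per session with client name, user name, active time and idle time.
    ``line`` is the command's argument string and is not used.
    """
    if self.loggedIn is False:
        LOG.error("Not logged in")
        return
    rpctransport = transport.SMBTransport(self.smb.getRemoteHost(), filename=r'\srvsvc',
                                          smb_connection=self.smb)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    try:
        dce.bind(srvs.MSRPC_UUID_SRVS)
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)
        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            print("host: %15s, user: %5s, active: %5d, idle: %5d" % (
                session['sesi10_cname'][:-1], session['sesi10_username'][:-1],
                session['sesi10_time'], session['sesi10_idle_time']))
    finally:
        # The original never released the pipe.  NOTE(review): the transport
        # was built on the shell's existing SMB connection, which is expected
        # to survive this disconnect — confirm against the impacket version
        # in use.
        dce.disconnect()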
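def do_who(self, line):
    """Shell command: list the sessions open on the connected host (level 10).

    Requires an authenticated SMB connection (``self.loggedIn``); prints one
    line per session with client name, user name, active time and idle time.
    ``line`` is the command's argument string and is not used.
    """
    if self.loggedIn is False:
        LOG.error("Not logged in")
        return
    rpctransport = transport.SMBTransport(self.smb.getRemoteHost(), filename=r'\srvsvc',
                                          smb_connection=self.smb)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    try:
        dce.bind(srvs.MSRPC_UUID_SRVS)
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)
        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            print("host: %15s, user: %5s, active: %5d, idle: %5d" % (
                session['sesi10_cname'][:-1], session['sesi10_username'][:-1],
                session['sesi10_time'], session['sesi10_idle_time']))
    finally:
        # The original never released the pipe.  NOTE(review): the transport
        # was built on the shell's existing SMB connection, which is expected
        # to survive this disconnect — confirm against the impacket version
        # in use.
        dce.disconnect()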
def enum_sessions(self, host):
    """Print the sessions active on ``host``.

    Level 502 detail (client, user, open count, active and idle time) is used
    when the server permits it; otherwise level 0, where only the client name
    is read.  A failure at level 0 propagates to the caller.  Entries whose
    client name (trailing NUL stripped) equals ``self.__local_ip`` are not
    printed.
    """
    dce, _transport = self.connect(host, 'srvsvc')
    level = 502
    try:
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
        sessions = resp['InfoStruct']['SessionInfo']['Level502']['Buffer']
    except Exception:
        # Richer level refused; retry with the minimal one.
        level = 0
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
        sessions = resp['InfoStruct']['SessionInfo']['Level0']['Buffer']
    print_succ("{}:{} Current active sessions:".format(host, settings.args.port))
    for entry in sessions:
        if level == 502:
            if entry['sesi502_cname'][:-1] == self.__local_ip:
                continue
            print_att('\\\\{} {} [opens:{} time:{} idle:{}]'.format(
                entry['sesi502_cname'], entry['sesi502_username'],
                entry['sesi502_num_opens'], entry['sesi502_time'],
                entry['sesi502_idle_time']))
        elif level == 0:
            if entry['sesi0_cname'][:-1] == self.__local_ip:
                continue
            print_att('\\\\{}'.format(entry['sesi0_cname']))
def enum_sessions(self, host):
    """Print the sessions active on ``host``.

    Level 502 detail (client, user, open count, active and idle time) is used
    when the server permits it; otherwise level 0, where only the client name
    is read.  A failure at level 0 propagates to the caller.  Entries whose
    client name (trailing NUL stripped) equals ``self.__local_ip`` are not
    printed.
    """
    dce, _transport = self.connect(host, 'srvsvc')
    level = 502
    try:
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
        sessions = resp['InfoStruct']['SessionInfo']['Level502']['Buffer']
    except Exception:
        # Richer level refused; retry with the minimal one.
        level = 0
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, level)
        sessions = resp['InfoStruct']['SessionInfo']['Level0']['Buffer']
    print_succ("{}:{} Current active sessions:".format(
        host, settings.args.port))
    for entry in sessions:
        if level == 502:
            if entry['sesi502_cname'][:-1] == self.__local_ip:
                continue
            print_att('\\\\{} {} [opens:{} time:{} idle:{}]'.format(
                entry['sesi502_cname'], entry['sesi502_username'],
                entry['sesi502_num_opens'], entry['sesi502_time'],
                entry['sesi502_idle_time']))
        elif level == 0:
            if entry['sesi0_cname'][:-1] == self.__local_ip:
                continue
            print_att('\\\\{}'.format(entry['sesi0_cname']))
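def get_netsessions(self):
    """Fill ``self.sessions`` from the host's level-10 session list.

    Each entry is keyed by user name (NULs stripped) and holds the user, the
    client host, and the active and idle time values.  Returns ``[]`` when the
    RPC call raises ``DCERPCException``; otherwise ``None``.  The RPC
    connection opened by ``create_rpc_con`` is closed on both paths.
    """
    self.sessions = {}
    self.create_rpc_con(r'\srvsvc')
    try:
        try:
            resp = srvs.hNetrSessionEnum(self.rpc_connection, '\x00', NULL, 10)
        except DCERPCException:
            return list()
        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            user = session['sesi10_username'].strip('\x00')
            # Keyed by user name, so several sessions of one user collapse
            # into the last record seen.
            self.sessions[user] = {
                'user': user,
                'host': session['sesi10_cname'].strip('\x00'),
                'time': session['sesi10_time'],
                'idle': session['sesi10_idle_time'],
            }
    finally:
        # Previously skipped on the DCERPCException path, leaking the connection.
        self.rpc_connection.disconnect()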
def rpc_get_sessions(self):
    """Open the srvsvc pipe on this host and issue NetrSessionEnum at level 10.

    Returns None when the RPC connection cannot be established (logged as a
    warning) or when the pipe breaks during the call; any other exception is
    re-raised.  The enumeration result is not consumed in the lines shown
    here, so this listing may be truncated after the call.  ``except ... as e``
    is valid on Python 2.6+ as well.
    """
    binding = r'ncacn_np:%s[\PIPE\srvsvc]' % self.hostname
    dce = self.dce_rpc_connect(binding, srvs.MSRPC_UUID_SRVS)
    if dce is None:
        logging.warning('Connection failed: %s' % binding)
        return
    try:
        resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
    except Exception as e:
        # A broken pipe means the server dropped the connection: give up quietly.
        if 'Broken pipe' in str(e):
            return
        raise
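def currentSessions(self):
    """Print the SMB sessions open on the connected host (NetrSessionEnum level 10).

    The RPC transport rides on the existing ``self.__smbConnection``.  One line
    is printed per session: client name, user, active time, idle time.  The
    DCE/RPC handle is released even when the bind or enumeration fails.
    """
    # Get available SMB sessions
    rpctransport = transport.SMBTransport(
        self.__smbConnection.getRemoteHost(),
        smb_connection=self.__smbConnection)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    try:
        dce.bind(srvs.MSRPC_UUID_SRVS)
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)
        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            print(
                "host: %15s, user: %5s, active: %5d, idle: %5d"
                % (session['sesi10_cname'][:-1], session['sesi10_username'][:-1],
                   session['sesi10_time'], session['sesi10_idle_time']))
    finally:
        # Previously only reached on success; a failing call leaked the handle.
        dce.disconnect()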
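def getWho(self):
    """Print who is connected to the remote host (NetrSessionEnum level 10).

    Any failure while opening the srvsvc pipe, binding or enumerating is
    logged as ``getWho: <error>`` and the method returns without output.
    The DCE/RPC handle, once created, is released on every path.
    """
    dce = None
    try:
        rpctransport = transport.SMBTransport(self.smbClient.getRemoteHost(), filename=r'\srvsvc',
                                              smb_connection=self.smbClient)
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(srvs.MSRPC_UUID_SRVS)
        resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)
    except Exception as e:
        logging.error("getWho: {}".format(str(e)))
        return
    finally:
        # The original never released the pipe.  A failing disconnect must
        # not mask the error already logged, so it is only reported at debug.
        if dce is not None:
            try:
                dce.disconnect()
            except Exception:
                logging.debug("getWho: disconnect failed", exc_info=True)
    for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
        print("host: %15s, user: %5s, active: %5d, idle: %5d" % (
            session['sesi10_cname'][:-1], session['sesi10_username'][:-1],
            session['sesi10_time'], session['sesi10_idle_time']))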
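def enumSessions(self):
    """Yield one dict per session the target reports (NetrSessionEnum level 10).

    Each dict carries ``username`` and ``source_ip`` (client name with its
    trailing NUL and leading two characters removed), plus ``active_time`` and
    ``idle_time``.  If the enumeration call fails, the error and traceback are
    printed and the generator ends without yielding — the previous version
    then went on to read an unbound ``resp``.  The DCE/RPC handle is released
    when the generator is exhausted or closed.
    """
    rpctransport = transport.SMBTransport(self.__addr, self.__port, r'\srvsvc', self.__username,
                                          self.__password, self.__domain, self.__lmhash,
                                          self.__nthash, self.__aesKey, doKerberos=self.__doKerberos)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(srvs.MSRPC_UUID_SRVS)
    try:
        try:
            resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
        except Exception as e:
            print("%s: %s\n%s" % (type(e), e, traceback.format_exc()))
            return
        for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
            yield {
                'username': session['sesi10_username'][:-1],
                'source_ip': session['sesi10_cname'][:-1][2:],
                'active_time': session['sesi10_time'],
                'idle_time': session['sesi10_idle_time'],
            }
    finally:
        dce.disconnect()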
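def getSessions(self, target):
    """Poll ``target`` once and report sessions that appeared or vanished.

    State lives in ``self.__targets[target]``: ``'SRVS'`` caches the DCE/RPC
    handle between rounds (subject to ``self.__maxConnections``) and
    ``'Sessions'`` is the list of ``'<user>\\x01<source>'`` keys seen so far.
    A broken pipe drops the cached handle so the next round reconnects.  Our
    own session (``self.__username`` from ``myIP``, a module-level name set
    elsewhere in this file) is never reported.  When ``self.__filterUsers``
    is set, only those users are printed.

    The log-off pass previously deleted from ``'Sessions'`` while enumerating
    it, which skipped the element after each deletion; it now iterates a copy.
    """
    if self.__targets[target]['SRVS'] is None:
        stringSrvsBinding = r'ncacn_np:%s[\PIPE\srvsvc]' % target
        rpctransportSrvs = transport.DCERPCTransportFactory(stringSrvsBinding)
        if hasattr(rpctransportSrvs, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransportSrvs.set_credentials(self.__username, self.__password, self.__domain,
                                             self.__lmhash, self.__nthash, self.__aesKey)
            rpctransportSrvs.set_kerberos(self.__doKerberos, self.__kdcHost)
        dce = rpctransportSrvs.get_dce_rpc()
        dce.connect()
        dce.bind(srvs.MSRPC_UUID_SRVS)
        self.__maxConnections -= 1
    else:
        dce = self.__targets[target]['SRVS']
    try:
        resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
    except Exception as e:
        if 'Broken pipe' in str(e):
            # The connection timed-out. Let's try to bring it back next round
            self.__targets[target]['SRVS'] = None
            self.__maxConnections += 1
            return
        raise
    if self.__maxConnections < 0:
        # Can't keep this connection open. Closing it
        dce.disconnect()
        self.__maxConnections = 0
    else:
        self.__targets[target]['SRVS'] = dce

    known = self.__targets[target]['Sessions']
    myEntry = '%s\x01%s' % (self.__username, myIP)
    printCRLF = False

    # Let's see who created a connection since last check
    tmpSession = list()
    for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
        userName = session['sesi10_username'][:-1]
        sourceIP = session['sesi10_cname'][:-1][2:]
        key = '%s\x01%s' % (userName, sourceIP)
        tmpSession.append(key)
        # Already known, or ourselves: nothing to report
        if key in known or key == myEntry:
            continue
        known.append(key)
        if self._reportUser(userName):
            print(
                "%s: user %s logged from host %s - active: %d, idle: %d"
                % (target, userName, sourceIP, session['sesi10_time'], session['sesi10_idle_time']))
            printCRLF = True

    # Let's see who deleted a connection since last check.  Iterate a copy so
    # removing from 'known' does not skip the following entry.
    for key in list(known):
        if key in tmpSession:
            continue
        known.remove(key)
        userName, sourceIP = key.split('\x01')
        if self._reportUser(userName):
            print("%s: user %s logged off from host %s" % (target, userName, sourceIP))
            printCRLF = True

    if printCRLF is True:
        print()


def _reportUser(self, userName):
    """True when no user filter is configured, or ``userName`` is in it."""
    return self.__filterUsers is None or userName in self.__filterUsers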
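def getSessions(self, target):
    """Poll ``target`` once and report sessions that appeared or vanished.

    State lives in ``self.__targets[target]``: ``'SRVS'`` caches the DCE/RPC
    handle between rounds (subject to ``self.__maxConnections``) and
    ``'Sessions'`` is the list of ``'<user>\\x01<source>'`` keys seen so far.
    A broken pipe drops the cached handle so the next round reconnects.  Our
    own session (``self.__username`` from ``myIP``, a module-level name set
    elsewhere in this file) is never reported.  When ``self.__filterUsers``
    is set, only those users are printed.  Python 2 print statements are kept
    as in the original.

    The log-off pass previously deleted from ``'Sessions'`` while enumerating
    it, which skipped the element after each deletion; it now iterates a copy.
    """
    if self.__targets[target]['SRVS'] is None:
        stringSrvsBinding = r'ncacn_np:%s[\PIPE\srvsvc]' % target
        rpctransportSrvs = transport.DCERPCTransportFactory(stringSrvsBinding)
        if hasattr(rpctransportSrvs, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransportSrvs.set_credentials(self.__username, self.__password, self.__domain,
                                             self.__lmhash, self.__nthash, self.__aesKey)
            rpctransportSrvs.set_kerberos(self.__doKerberos, self.__kdcHost)
        dce = rpctransportSrvs.get_dce_rpc()
        dce.connect()
        dce.bind(srvs.MSRPC_UUID_SRVS)
        self.__maxConnections -= 1
    else:
        dce = self.__targets[target]['SRVS']
    try:
        resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
    except Exception as e:
        if 'Broken pipe' in str(e):
            # The connection timed-out. Let's try to bring it back next round
            self.__targets[target]['SRVS'] = None
            self.__maxConnections += 1
            return
        raise
    if self.__maxConnections < 0:
        # Can't keep this connection open. Closing it
        dce.disconnect()
        self.__maxConnections = 0
    else:
        self.__targets[target]['SRVS'] = dce

    known = self.__targets[target]['Sessions']
    myEntry = '%s\x01%s' % (self.__username, myIP)
    printCRLF = False

    # Let's see who created a connection since last check
    tmpSession = list()
    for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
        userName = session['sesi10_username'][:-1]
        sourceIP = session['sesi10_cname'][:-1][2:]
        key = '%s\x01%s' % (userName, sourceIP)
        tmpSession.append(key)
        # Already known, or ourselves: nothing to report
        if key in known or key == myEntry:
            continue
        known.append(key)
        if self._reportUser(userName):
            print "%s: user %s logged from host %s - active: %d, idle: %d" % (
                target, userName, sourceIP, session['sesi10_time'], session['sesi10_idle_time'])
            printCRLF = True

    # Let's see who deleted a connection since last check.  Iterate a copy so
    # removing from 'known' does not skip the following entry.
    for key in list(known):
        if key in tmpSession:
            continue
        known.remove(key)
        userName, sourceIP = key.split('\x01')
        if self._reportUser(userName):
            print "%s: user %s logged off from host %s" % (target, userName, sourceIP)
            printCRLF = True

    if printCRLF is True:
        print


def _reportUser(self, userName):
    """True when no user filter is configured, or ``userName`` is in it."""
    return self.__filterUsers is None or userName in self.__filterUsers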