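def Print(self, indent=""):
    """Print every credential type decoded from this supplementalCredentials blob.

    Args:
        indent: prefix written before each line; nested key structures get
            one extra space per level.

    Output goes to stdout: the Kerberos key sets (via their own Print), the
    WDigest hashes as hex, the package list, the cleartext password if one
    was stored, and finally a raw hex dump of the whole blob under "Debug:".
    All of it is secret material - only redirect it to files with
    restrictive permissions.
    """
    if self.KerberosNewerKeys is not None:
        print("{0}Kerberos newer keys".format(indent))
        self.KerberosNewerKeys.Print(indent + " ")
    if self.KerberosKeys is not None:
        print("{0}Kerberos keys".format(indent))
        self.KerberosKeys.Print(indent + " ")
    if self.WDigestHashes is not None:
        print("{0}WDigest hashes".format(indent))
        for digest in self.WDigestHashes:
            print("{0} {1}".format(indent, hexlify(digest)))
    if self.Packages is not None:
        print("{0}Packages".format(indent))
        for package in self.Packages:
            print("{0} {1}".format(indent, package))
    if self.Password is not None:
        print("{0}Password: {1}".format(indent, self.Password))
    # The undecoded blob is always dumped so unknown property types can be
    # inspected by hand; it repeats everything above in raw form.
    print("Debug: ")
    print(dump(self.Text, 16, 16))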
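def Print(self, indent=""):
    """Print every credential type decoded from this supplementalCredentials blob.

    Args:
        indent: prefix written before each line; nested key structures get
            one extra space per level.

    Output goes to stdout: the Kerberos key sets (via their own Print), the
    WDigest hashes as hex, the package list, the cleartext password if one
    was stored, and finally a raw hex dump of the whole blob under "Debug:".
    All of it is secret material - only redirect it to files with
    restrictive permissions.
    """
    if self.KerberosNewerKeys is not None:
        print("{0}Kerberos newer keys".format(indent))
        self.KerberosNewerKeys.Print(indent + " ")
    if self.KerberosKeys is not None:
        print("{0}Kerberos keys".format(indent))
        self.KerberosKeys.Print(indent + " ")
    if self.WDigestHashes is not None:
        print("{0}WDigest hashes".format(indent))
        for digest in self.WDigestHashes:
            print("{0} {1}".format(indent, hexlify(digest)))
    if self.Packages is not None:
        print("{0}Packages".format(indent))
        for package in self.Packages:
            print("{0} {1}".format(indent, package))
    if self.Password is not None:
        print("{0}Password: {1}".format(indent, self.Password))
    # The undecoded blob is always dumped so unknown property types can be
    # inspected by hand; it repeats everything above in raw form.
    print("Debug: ")
    print(dump(self.Text, 16, 16))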
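def ParseUserProperty(self, text, offset):
    """Parse one USER_PROPERTY entry of a supplementalCredentials blob.

    Layout consumed here: NameLength (u16), ValueLength (u16), Reserved (u16),
    PropertyName (NameLength bytes of UTF-16), PropertyValue (ValueLength
    bytes of hex text).  Known property names are decoded into the matching
    attribute on ``self``; unknown names are echoed to stdout.

    Args:
        text: the raw blob (str on Python 2, bytes on 3) holding the entry.
        offset: byte offset of the entry inside ``text``.

    Returns:
        The offset just past this entry, or None when the entry is truncated
        or its name is not valid UTF-16 (the caller stops iterating on None).
    """
    # The blob comes straight out of an NTDS.dit we do not control, so every
    # length is checked against the bytes actually present before use.
    # "<H": the on-disk structure is little-endian; a bare "H" would follow
    # the host byte order instead.
    header = text[offset:offset + 6]
    if len(header) != 6:
        return None
    NameLength, ValueLength, _reserved = unpack("<HHH", header)
    offset += 6
    # Kept from the original: an entry with nothing after its header counts
    # as truncated, even when NameLength is 0.
    if len(text[offset:offset + 2]) != 2:
        return None
    name_bytes = text[offset:offset + NameLength]
    if len(name_bytes) != NameLength:
        return None
    try:
        Name = name_bytes.decode("utf-16")
    except UnicodeDecodeError:
        # Odd length or invalid surrogates: treat like a truncated entry
        # instead of aborting the whole record.
        return None
    offset += NameLength
    value = text[offset:offset + ValueLength]
    if len(value) != ValueLength:
        return None
    if Name == u"Primary:Kerberos-Newer-Keys":
        self.KerberosNewerKeys = self.ParseKerberosNewerKeysPropertyValue(unhexlify(value))
    elif Name == u"Primary:Kerberos":
        self.KerberosKeys = self.ParseKerberosPropertyValue(unhexlify(value))
    elif Name == u"Primary:WDigest":
        self.WDigestHashes = self.ParseWDigestPropertyValue(unhexlify(value))
    elif Name == u"Packages":
        self.Packages = unhexlify(value).decode("utf-16").split("\x00")
    elif Name == u"Primary:CLEARTEXT":
        # Cleartext password: hex-encoded UTF-16.  decode() already yields a
        # unicode object, so the former unicode() wrapper was a no-op.  Values
        # that are not valid UTF-16 fall back to a hex dump; a bad hex string
        # re-raises from unhexlify in the fallback exactly as before.
        try:
            self.Password = unhexlify(value).decode("utf-16").encode("utf8")
        except (ValueError, TypeError):
            self.Password = dump(unhexlify(value), 16, 16)
    else:
        print(Name)
    return offset + ValueLength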
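def ParseUserProperty(self, text, offset):
    """Parse one USER_PROPERTY entry of a supplementalCredentials blob.

    Layout consumed here: NameLength (u16), ValueLength (u16), Reserved (u16),
    PropertyName (NameLength bytes of UTF-16), PropertyValue (ValueLength
    bytes of hex text).  Known property names are decoded into the matching
    attribute on ``self``; unknown names are echoed to stdout.

    Args:
        text: the raw blob (str on Python 2, bytes on 3) holding the entry.
        offset: byte offset of the entry inside ``text``.

    Returns:
        The offset just past this entry, or None when the entry is truncated
        or its name is not valid UTF-16 (the caller stops iterating on None).
    """
    # The blob comes straight out of an NTDS.dit we do not control, so every
    # length is checked against the bytes actually present before use.
    # "<H": the on-disk structure is little-endian; a bare "H" would follow
    # the host byte order instead.
    header = text[offset:offset + 6]
    if len(header) != 6:
        return None
    NameLength, ValueLength, _reserved = unpack("<HHH", header)
    offset += 6
    # Kept from the original: an entry with nothing after its header counts
    # as truncated, even when NameLength is 0.
    if len(text[offset:offset + 2]) != 2:
        return None
    name_bytes = text[offset:offset + NameLength]
    if len(name_bytes) != NameLength:
        return None
    try:
        Name = name_bytes.decode("utf-16")
    except UnicodeDecodeError:
        # Odd length or invalid surrogates: treat like a truncated entry
        # instead of aborting the whole record.
        return None
    offset += NameLength
    value = text[offset:offset + ValueLength]
    if len(value) != ValueLength:
        return None
    if Name == u"Primary:Kerberos-Newer-Keys":
        self.KerberosNewerKeys = self.ParseKerberosNewerKeysPropertyValue(unhexlify(value))
    elif Name == u"Primary:Kerberos":
        self.KerberosKeys = self.ParseKerberosPropertyValue(unhexlify(value))
    elif Name == u"Primary:WDigest":
        self.WDigestHashes = self.ParseWDigestPropertyValue(unhexlify(value))
    elif Name == u"Packages":
        self.Packages = unhexlify(value).decode("utf-16").split("\x00")
    elif Name == u"Primary:CLEARTEXT":
        # Cleartext password: hex-encoded UTF-16.  decode() already yields a
        # unicode object, so the former unicode() wrapper was a no-op.  Values
        # that are not valid UTF-16 fall back to a hex dump; a bad hex string
        # re-raises from unhexlify in the fallback exactly as before.
        try:
            self.Password = unhexlify(value).decode("utf-16").encode("utf8")
        except (ValueError, TypeError):
            self.Password = dump(unhexlify(value), 16, 16)
    else:
        print(Name)
    return offset + ValueLength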
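def processComputer(computer):
    """Print one computer account and, per the global dump flags, its secrets.

    Always writes the record summary to stdout and, when ``csvoutfile`` is
    set, one CSV row for the computer plus one per BitLocker recovery object.
    ``pwdump``/``pwhdump`` add the NT/LM hashes and their history to stdout
    and to the ``ntof``/``lmof`` cracker-format files; ``bitldump`` prints
    BitLocker recovery passwords and FVE key packages; ``suppcreddump`` prints
    the decoded supplementalCredentials.  Everything below the summary is
    secret material - the output files are opened elsewhere and should be
    created with restrictive permissions.

    Args:
        computer: a dsComputer-like record object.
    """
    global csvoutfile
    global pwdump
    global pwdformat
    global pwhdump
    global bitldump
    global suppcreddump

    def emit(line, outfile):
        # Format each crackable line once and mirror it to the console and
        # the format-specific file, so the two copies cannot drift apart.
        sys.stdout.write("\n\t" + line)
        outfile.write(line + "\n")

    # The rest of the file passes SIDs to format_* as strings (see
    # processUser); do the same here so the formatters never see the object.
    name = computer.Name
    sid = str(computer.SID)

    sys.stdout.write(str(computer))

    # The main computer record.  NOTE(review): write_csv (defined elsewhere)
    # receives directory-controlled strings (Name, DNSHostName, rinfo.Name);
    # confirm it neutralises a leading '=', '+', '-' or '@' so a crafted AD
    # object name cannot become a formula when the CSV is opened in Excel.
    csv_prefix = None
    if csvoutfile != "":
        csv_prefix = [
            computer.RecordId, name, computer.DNSHostName,
            str(computer.GUID), sid, computer.OSName, computer.OSVersion,
            dsGetDSTimeStampStr(computer.WhenCreated),
            dsGetDSTimeStampStr(computer.WhenChanged),
        ]
        # NOTE(review): this row has 16 columns (six blanks + dial-in), the
        # recovery rows below have 15 (six recovery fields, no dial-in) -
        # confirm the intended column layout against write_csv's header.
        write_csv(csv_prefix + ["", "", "", "", "", "",
                                str(computer.DialInAccessPermission)])

    if pwdump:
        sys.stdout.write("\nPassword hashes:")
        (lm, nt) = computer.getPasswordHashes()
        if nt != '':
            if pwdformat == 'john':
                emit(format_john(name, sid, nt, 'NT'), ntof)
            if lm != '':
                if pwdformat == 'john':
                    emit(format_john(name, sid, lm, 'LM'), lmof)
            if pwdformat == 'ophc':
                emit(format_ophc(name, sid, lm, nt), ntof)

    if pwhdump:
        sys.stdout.write("\nPassword history:")
        (lmhistory, nthistory) = computer.getPasswordHistory()
        if nthistory is not None:
            if pwdformat == 'john':
                # The file copy previously passed (hash, SID) in swapped order
                # to format_john; emit() formats the line only once.
                for hashid, nthash in enumerate(nthistory):
                    emit(format_john(name + "_nthistory" + str(hashid), sid, nthash, 'NT'), ntof)
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        emit(format_john(name + "_lmhistory" + str(hashid), sid, lmhash, 'LM'), lmof)
            if pwdformat == 'ophc' and lmhistory is not None:
                # zip stops at the shorter list: a history with more LM than NT
                # entries no longer raises IndexError.
                for hashid, (lmhash, nthash) in enumerate(zip(lmhistory, nthistory)):
                    emit(format_ophc(name + "_history" + str(hashid), sid, lmhash, nthash), ntof)

    if bitldump:
        sys.stdout.write("\nRecovery information:")
        for rinfo in computer.getRecoveryInformations(db):
            sys.stdout.write("\n\t" + rinfo.Name)
            sys.stdout.write("\n\tRecovery GUID: " + str(rinfo.RecoveryGUID))
            sys.stdout.write("\n\tVolume GUID: " + str(rinfo.VolumeGUID))
            sys.stdout.write("\n\tCreated: " + dsGetDSTimeStampStr(rinfo.WhenCreated))
            sys.stdout.write("\n\tChanged: " + dsGetDSTimeStampStr(rinfo.WhenChanged))
            # NOTE(review): this statement was redacted ("******") in the copy
            # reviewed; rebuilt from the CSV row below, which writes the same
            # field.  Confirm against the upstream source.
            sys.stdout.write("\n\tRecovery password: " + rinfo.RecoveryPassword)
            sys.stdout.write("\n\tFVE Key package:\n" + dump(unhexlify(rinfo.FVEKeyPackage), 16, 16))
            sys.stdout.write("\n\n")
            if csv_prefix is not None:
                write_csv(csv_prefix + [
                    rinfo.Name, str(rinfo.RecoveryGUID), str(rinfo.VolumeGUID),
                    dsGetDSTimeStampStr(rinfo.WhenCreated),
                    dsGetDSTimeStampStr(rinfo.WhenChanged),
                    rinfo.RecoveryPassword,
                ])

    if suppcreddump:
        creds = computer.getSupplementalCredentials()
        if creds is not None:
            sys.stdout.write("\nSupplemental credentials:\n")
            creds.Print(" ")

    sys.stdout.write("\n")
    sys.stdout.flush()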
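def processUser(user):
    """Print one user account and, per the global dump flags, its secrets and groups.

    Always writes the record summary to stdout and, when ``csvoutfile`` is
    set, one CSV row for the user plus one per group membership.
    ``pwdump``/``pwhdump`` add the NT/LM hashes and their history to stdout
    and to the ``ntof``/``lmof`` cracker-format files (john, ocl or ophc
    layout per ``pwdformat``); ``certdump`` hex-dumps the stored certificate;
    ``suppcreddump`` prints the decoded supplementalCredentials; ``grpdump``
    lists the primary group and every memberOf link, including deleted ones.
    Everything below the summary is secret material - the output files are
    opened elsewhere and should be created with restrictive permissions.

    Args:
        user: a dsUser-like record object.
    """
    def emit(line, outfile):
        # Format each crackable line once and mirror it to the console and
        # the format-specific file, so the two copies cannot drift apart.
        sys.stdout.write("\n\t" + line)
        outfile.write(line + "\n")

    sys.stdout.write(str(user))
    sys.stdout.flush()
    sam = user.SAMAccountName
    sid = str(user.SID)

    # Columns shared by every CSV row of this user; built once since the
    # formatters are pure.  NOTE(review): write_csv (defined elsewhere)
    # receives directory-controlled strings (Name, PrincipalName, group and
    # ancestor names); confirm it neutralises a leading '=', '+', '-' or '@'
    # so a crafted AD object name cannot become a formula in a spreadsheet.
    csv_prefix = None
    if csvoutfile != "":
        str_uac = "".join(uac + "|" for uac in user.getUserAccountControl())
        str_anc = "".join(ancestor.Name + "|" for ancestor in user.getAncestors(db))
        csv_prefix = [
            user.RecordId, user.Name, user.PrincipalName, sam,
            user.getSAMAccountType(), str(user.GUID), sid,
            dsGetDSTimeStampStr(user.WhenCreated),
            dsGetDSTimeStampStr(user.WhenChanged),
            dsGetDSTimeStampStr(user.AccountExpires),
            dsGetDSTimeStampStr(user.PasswordLastSet),
            dsGetDSTimeStampStr(user.LastLogon),
            dsGetDSTimeStampStr(user.LastLogonTimeStamp),
            dsGetDSTimeStampStr(user.BadPwdTime),
            user.LogonCount, user.BadPwdCount, str_uac, str_anc,
            str(user.DialInAccessPermission),
        ]
        write_csv(csv_prefix + ["", "", "", ""])

    if pwdump:
        sys.stdout.write("\nPassword hashes:")
        (lm, nt) = user.getPasswordHashes()
        # Kept from the original: nothing (not even LM) is written when the
        # NT hash is empty.
        if nt != '':
            if pwdformat == 'john':
                emit(format_john(sam, sid, nt, 'NT'), ntof)
            if lm != '':
                if pwdformat == 'john':
                    emit(format_john(sam, sid, lm, 'LM'), lmof)
                if pwdformat == 'ocl':
                    emit(format_ocl(sam, lm), lmof)
            if pwdformat == 'ophc':
                # ophc lines carry both hashes; an absent LM hash is left blank.
                emit(format_ophc(sam, sid, lm if lm != '' else "", nt), ntof)
            if pwdformat == 'ocl':
                emit(format_ocl(sam, nt), ntof)

    if pwhdump:
        sys.stdout.write("\nPassword history:")
        (lmhistory, nthistory) = user.getPasswordHistory()
        if nthistory is not None:
            if pwdformat == 'john':
                for hashid, nthash in enumerate(nthistory):
                    emit(format_john(sam + "_nthistory" + str(hashid), sid, nthash, 'NT'), ntof)
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        emit(format_john(sam + "_lmhistory" + str(hashid), sid, lmhash, 'LM'), lmof)
            if pwdformat == 'ocl':
                for hashid, nthash in enumerate(nthistory):
                    emit(format_ocl(sam + "_nthistory" + str(hashid), nthash), ntof)
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        emit(format_ocl(sam + "_lmhistory" + str(hashid), lmhash), lmof)
            if pwdformat == 'ophc' and lmhistory is not None:
                # The original ran range(len(nthistory) - 1), which silently
                # dropped the last entry and indexed lmhistory by nthistory's
                # length; zip emits every available pair and stops at the
                # shorter list.
                for hashid, (lmhash, nthash) in enumerate(zip(lmhistory, nthistory)):
                    emit(format_ophc(sam + "_history" + str(hashid), sid, lmhash, nthash), ntof)

    if certdump and user.Certificate != "":
        sys.stdout.write("\nCertificate:\n")
        sys.stdout.write(dump(user.Certificate, 16, 16))

    if suppcreddump:
        creds = user.getSupplementalCredentials()
        if creds is not None:
            sys.stdout.write("\nSupplemental credentials:\n")
            creds.Print(" ")

    if grpdump:
        sys.stdout.write("\nMember of:")
        # Primary group: resolved by RID against the global group list and
        # marked "(P)" / "Y".
        if user.PrimaryGroupID != -1:
            for g in groups:
                if g.SID.RID == user.PrimaryGroupID:
                    if csv_prefix is not None:
                        write_csv(csv_prefix + [g.Name, str(g.SID), "Y", ""])
                    sys.stdout.write("\n\t%s (%s) (P)" % (g.Name, str(g.SID)))
        for groupid, deltime in user.getMemberOf():
            try:
                group = dsGroup(db, groupid)
            except Exception:
                # Best effort: a dangling or undecodable link is reported and
                # skipped rather than aborting the whole user dump.
                sys.stderr.write("\n[!] Unable to instantiate group object (record id: %d)" % groupid)
                continue
            if deltime == -1:
                if csv_prefix is not None:
                    write_csv(csv_prefix + [group.Name, str(group.SID), "N", ""])
                sys.stdout.write("\n\t%s (%s)" % (group.Name, group.SID))
            else:
                deleted = dsGetDSTimeStampStr(dsConvertToDSTimeStamp(deltime))
                if csv_prefix is not None:
                    # NOTE(review): deleted links write "Y" in the same column
                    # the primary-group row uses; confirm the column's meaning
                    # against write_csv's header before relying on it.
                    write_csv(csv_prefix + [group.Name, str(group.SID), "Y", deleted])
                sys.stdout.write("\n\t%s (%s) - Deleted: %s" % (group.Name, group.SID, deleted))

    sys.stdout.write("\n")
    sys.stdout.flush()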
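def processComputer(computer):
    """Print one computer account and, per the global dump flags, its secrets.

    Always writes the record summary to stdout and, when ``csvoutfile`` is
    set, one CSV row for the computer plus one per BitLocker recovery object.
    ``pwdump``/``pwhdump`` add the NT/LM hashes and their history to stdout
    and to the ``ntof``/``lmof`` cracker-format files; ``bitldump`` prints
    BitLocker recovery passwords and FVE key packages; ``suppcreddump`` prints
    the decoded supplementalCredentials.  Everything below the summary is
    secret material - the output files are opened elsewhere and should be
    created with restrictive permissions.

    Args:
        computer: a dsComputer-like record object.
    """
    global csvoutfile
    global pwdump
    global pwdformat
    global pwhdump
    global bitldump
    global suppcreddump

    def emit(line, outfile):
        # Format each crackable line once and mirror it to the console and
        # the format-specific file, so the two copies cannot drift apart.
        sys.stdout.write("\n\t" + line)
        outfile.write(line + "\n")

    def excel_text(value):
        # ="..." keeps Excel from re-parsing the timestamp as a date.  It is
        # nonetheless a formula cell: only open the CSV in a viewer whose
        # formula handling you trust.
        return "=\"" + value + "\""

    # The rest of the file passes SIDs to format_* as strings (see
    # processUser); do the same here so the formatters never see the object.
    name = computer.Name
    sid = str(computer.SID)

    sys.stdout.write(str(computer))

    # The main computer record.  NOTE(review): write_csv (defined elsewhere)
    # receives directory-controlled strings (Name, DNSHostName, rinfo.Name);
    # confirm it neutralises a leading '=', '+', '-' or '@' so a crafted AD
    # object name cannot become a formula when the CSV is opened in Excel.
    csv_prefix = None
    if csvoutfile != "":
        csv_prefix = [
            computer.RecordId, name, computer.DNSHostName,
            str(computer.GUID), sid, computer.OSName, computer.OSVersion,
            excel_text(dsGetDSTimeStampStr(computer.WhenCreated)),
            excel_text(dsGetDSTimeStampStr(computer.WhenChanged)),
        ]
        # NOTE(review): this row has 16 columns (six blanks + dial-in), the
        # recovery rows below have 15 (six recovery fields, no dial-in) -
        # confirm the intended column layout against write_csv's header.
        write_csv(csv_prefix + ["", "", "", "", "", "",
                                str(computer.DialInAccessPermission)])

    if pwdump:
        sys.stdout.write("\nPassword hashes:")
        (lm, nt) = computer.getPasswordHashes()
        if nt != '':
            if pwdformat == 'john':
                emit(format_john(name, sid, nt, 'NT'), ntof)
            if lm != '':
                if pwdformat == 'john':
                    emit(format_john(name, sid, lm, 'LM'), lmof)
            if pwdformat == 'ophc':
                emit(format_ophc(name, sid, lm, nt), ntof)

    if pwhdump:
        sys.stdout.write("\nPassword history:")
        (lmhistory, nthistory) = computer.getPasswordHistory()
        if nthistory is not None:
            if pwdformat == 'john':
                # The file copy previously passed (hash, SID) in swapped order
                # to format_john; emit() formats the line only once.
                for hashid, nthash in enumerate(nthistory):
                    emit(format_john(name + "_nthistory" + str(hashid), sid, nthash, 'NT'), ntof)
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        emit(format_john(name + "_lmhistory" + str(hashid), sid, lmhash, 'LM'), lmof)
            if pwdformat == 'ophc' and lmhistory is not None:
                # zip stops at the shorter list: a history with more LM than NT
                # entries no longer raises IndexError.
                for hashid, (lmhash, nthash) in enumerate(zip(lmhistory, nthistory)):
                    emit(format_ophc(name + "_history" + str(hashid), sid, lmhash, nthash), ntof)

    if bitldump:
        sys.stdout.write("\nRecovery information:")
        for rinfo in computer.getRecoveryInformations(db):
            sys.stdout.write("\n\t" + rinfo.Name)
            sys.stdout.write("\n\tRecovery GUID: " + str(rinfo.RecoveryGUID))
            sys.stdout.write("\n\tVolume GUID: " + str(rinfo.VolumeGUID))
            sys.stdout.write("\n\tWhen created: " + dsGetDSTimeStampStr(rinfo.WhenCreated))
            sys.stdout.write("\n\tWhen changed: " + dsGetDSTimeStampStr(rinfo.WhenChanged))
            # NOTE(review): this statement was redacted ("******") in the copy
            # reviewed; rebuilt from the CSV row below, which writes the same
            # field.  Confirm against the upstream source.
            sys.stdout.write("\n\tRecovery password: " + rinfo.RecoveryPassword)
            sys.stdout.write("\n\tFVE Key package:\n" + dump(unhexlify(rinfo.FVEKeyPackage), 16, 16))
            sys.stdout.write("\n\n")
            if csv_prefix is not None:
                write_csv(csv_prefix + [
                    rinfo.Name, str(rinfo.RecoveryGUID), str(rinfo.VolumeGUID),
                    excel_text(dsGetDSTimeStampStr(rinfo.WhenCreated)),
                    excel_text(dsGetDSTimeStampStr(rinfo.WhenChanged)),
                    rinfo.RecoveryPassword,
                ])

    if suppcreddump:
        creds = computer.getSupplementalCredentials()
        if creds is not None:
            sys.stdout.write("\nSupplemental credentials:\n")
            creds.Print(" ")

    sys.stdout.write("\n")
    sys.stdout.flush()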
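# ESE database header summary.  `header` holds the start of the .dit file as
# read by the caller; the offsets below are ESE header fields.  The file is
# untrusted forensic input, so check that every field we unpack is present
# instead of letting struct.error surface from the middle of the report.
if len(header) < 252:
    raise ValueError("ESE header too short: %d bytes, need at least 252" % len(header))
# "<I": the header is little-endian on disk regardless of host byte order.
(pagesize, ) = unpack('<I', header[236:240])
(wmajorversion, ) = unpack('<I', header[216:220])
(wminorversion, ) = unpack('<I', header[220:224])
(wbuildnumber, ) = unpack('<I', header[224:228])
(wservicepack, ) = unpack('<I', header[228:232])
# Multi-byte fields are shown byte-reversed so they read as one number.
print("Header checksum: %s" % hexlify(header[:4][::-1]))
print("Signature: %s" % hexlify(header[4:8][::-1]))
print("File format version: %s" % hexlify(header[8:12][::-1]))
print("File type: %s" % hexlify(header[12:16][::-1]))
print("Page size: %d bytes" % pagesize)
print("DB time: %s" % hexlify(header[16:24][::-1]))
print("Windows version: %d.%d (%d) Service pack %d" % (
    wmajorversion, wminorversion, wbuildnumber, wservicepack))
# header[24:52][4:12] in the original, i.e. the log time at bytes 28..36.
print("Creation time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[28:36]))
print("Attach time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[72:80]))
# An all-zero detach time means the database was never cleanly detached.
# The original tested only the first of the eight bytes.
if not any(unpack("8B", header[88:96])):
    print("Detach time: database is in dirty state")
else:
    print("Detach time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[88:96]))
print("Consistent time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[64:72]))
print("Recovery time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[244:252]))
print("Header dump (first 672 bytes):")
print(dump(header[:672], 16, 4))
# `f` was opened by the caller; this is its last use.  A `with` block at the
# open site would also close it on the error paths above.
f.close()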
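# ESE database header summary.  `header` holds the start of the .dit file as
# read by the caller; the offsets below are ESE header fields.  The file is
# untrusted forensic input, so check that every field we unpack is present
# instead of letting struct.error surface from the middle of the report.
if len(header) < 252:
    raise ValueError("ESE header too short: %d bytes, need at least 252" % len(header))
# "<I": the header is little-endian on disk regardless of host byte order.
(pagesize, ) = unpack('<I', header[236:240])
(wmajorversion, ) = unpack('<I', header[216:220])
(wminorversion, ) = unpack('<I', header[220:224])
(wbuildnumber, ) = unpack('<I', header[224:228])
(wservicepack, ) = unpack('<I', header[228:232])
# Multi-byte fields are shown byte-reversed so they read as one number.
print("Header checksum: %s" % hexlify(header[:4][::-1]))
print("Signature: %s" % hexlify(header[4:8][::-1]))
print("File format version: %s" % hexlify(header[8:12][::-1]))
print("File type: %s" % hexlify(header[12:16][::-1]))
print("Page size: %d bytes" % pagesize)
print("DB time: %s" % hexlify(header[16:24][::-1]))
print("Windows version: %d.%d (%d) Service pack %d" % (
    wmajorversion, wminorversion, wbuildnumber, wservicepack))
# header[24:52][4:12] in the original, i.e. the log time at bytes 28..36.
print("Creation time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[28:36]))
print("Attach time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[72:80]))
# An all-zero detach time means the database was never cleanly detached.
# The original tested only the first of the eight bytes.
if not any(unpack("8B", header[88:96])):
    print("Detach time: database is in dirty state")
else:
    print("Detach time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[88:96]))
print("Consistent time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[64:72]))
print("Recovery time: %04d.%02d.%02d %02d:%02d:%02d" % dsGetDBLogTimeStampStr(header[244:252]))
print("Header dump (first 672 bytes):")
print(dump(header[:672], 16, 4))
# `f` was opened by the caller; this is its last use.  A `with` block at the
# open site would also close it on the error paths above.
f.close()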
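def processUser(user):
    """Print one user account and, per the global dump flags, its secrets and groups.

    Always writes the record summary to stdout and, when ``csvoutfile`` is
    set, one CSV row for the user plus one per group membership.
    ``pwdump``/``pwhdump`` add the NT/LM hashes and their history to stdout
    and to the ``ntof``/``lmof`` cracker-format files (john, ocl or ophc
    layout per ``pwdformat``); ``certdump`` hex-dumps the stored certificate;
    ``suppcreddump`` prints the decoded supplementalCredentials; ``grpdump``
    lists the primary group and every memberOf link, including deleted ones.
    Everything below the summary is secret material - the output files are
    opened elsewhere and should be created with restrictive permissions.

    Args:
        user: a dsUser-like record object.
    """
    def emit(line, outfile):
        # Format each crackable line once and mirror it to the console and
        # the format-specific file, so the two copies cannot drift apart.
        sys.stdout.write("\n\t" + line)
        outfile.write(line + "\n")

    sys.stdout.write(str(user))
    sys.stdout.flush()
    sam = user.SAMAccountName
    sid = str(user.SID)

    # Columns shared by every CSV row of this user; built once since the
    # formatters are pure.  NOTE(review): write_csv (defined elsewhere)
    # receives directory-controlled strings (Name, PrincipalName, group and
    # ancestor names); confirm it neutralises a leading '=', '+', '-' or '@'
    # so a crafted AD object name cannot become a formula in a spreadsheet.
    csv_prefix = None
    if csvoutfile != "":
        str_uac = "".join(uac + "|" for uac in user.getUserAccountControl())
        str_anc = "".join(ancestor.Name + "|" for ancestor in user.getAncestors(db))
        csv_prefix = [
            user.RecordId, user.Name, user.PrincipalName, sam,
            user.getSAMAccountType(), str(user.GUID), sid,
            dsGetDSTimeStampStr(user.WhenCreated),
            dsGetDSTimeStampStr(user.WhenChanged),
            dsGetDSTimeStampStr(user.AccountExpires),
            dsGetDSTimeStampStr(user.PasswordLastSet),
            dsGetDSTimeStampStr(user.LastLogon),
            dsGetDSTimeStampStr(user.LastLogonTimeStamp),
            dsGetDSTimeStampStr(user.BadPwdTime),
            user.LogonCount, user.BadPwdCount, str_uac, str_anc,
            str(user.DialInAccessPermission),
        ]
        write_csv(csv_prefix + ["", "", "", ""])

    if pwdump:
        sys.stdout.write("\nPassword hashes:")
        (lm, nt) = user.getPasswordHashes()
        # Kept from the original: nothing (not even LM) is written when the
        # NT hash is empty.
        if nt != '':
            if pwdformat == 'john':
                emit(format_john(sam, sid, nt, 'NT'), ntof)
            if lm != '':
                if pwdformat == 'john':
                    emit(format_john(sam, sid, lm, 'LM'), lmof)
                if pwdformat == 'ocl':
                    emit(format_ocl(sam, lm), lmof)
            if pwdformat == 'ophc':
                # ophc lines carry both hashes; an absent LM hash is left blank.
                emit(format_ophc(sam, sid, lm if lm != '' else "", nt), ntof)
            if pwdformat == 'ocl':
                emit(format_ocl(sam, nt), ntof)

    if pwhdump:
        sys.stdout.write("\nPassword history:")
        (lmhistory, nthistory) = user.getPasswordHistory()
        if nthistory is not None:
            if pwdformat == 'john':
                for hashid, nthash in enumerate(nthistory):
                    emit(format_john(sam + "_nthistory" + str(hashid), sid, nthash, 'NT'), ntof)
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        emit(format_john(sam + "_lmhistory" + str(hashid), sid, lmhash, 'LM'), lmof)
            if pwdformat == 'ocl':
                for hashid, nthash in enumerate(nthistory):
                    emit(format_ocl(sam + "_nthistory" + str(hashid), nthash), ntof)
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        emit(format_ocl(sam + "_lmhistory" + str(hashid), lmhash), lmof)
            if pwdformat == 'ophc' and lmhistory is not None:
                # The original ran range(len(nthistory) - 1), which silently
                # dropped the last entry and indexed lmhistory by nthistory's
                # length; zip emits every available pair and stops at the
                # shorter list.
                for hashid, (lmhash, nthash) in enumerate(zip(lmhistory, nthistory)):
                    emit(format_ophc(sam + "_history" + str(hashid), sid, lmhash, nthash), ntof)

    if certdump and user.Certificate != "":
        sys.stdout.write("\nCertificate:\n")
        sys.stdout.write(dump(user.Certificate, 16, 16))

    if suppcreddump:
        creds = user.getSupplementalCredentials()
        if creds is not None:
            sys.stdout.write("\nSupplemental credentials:\n")
            creds.Print(" ")

    if grpdump:
        sys.stdout.write("\nMember of:")
        # Primary group: resolved by RID against the global group list and
        # marked "(P)" / "Y".
        if user.PrimaryGroupID != -1:
            for g in groups:
                if g.SID.RID == user.PrimaryGroupID:
                    if csv_prefix is not None:
                        write_csv(csv_prefix + [g.Name, str(g.SID), "Y", ""])
                    sys.stdout.write("\n\t%s (%s) (P)" % (g.Name, str(g.SID)))
        for groupid, deltime in user.getMemberOf():
            try:
                group = dsGroup(db, groupid)
            except Exception:
                # Best effort: a dangling or undecodable link is reported and
                # skipped rather than aborting the whole user dump.
                sys.stderr.write("\n[!] Unable to instantiate group object (record id: %d)" % groupid)
                continue
            if deltime == -1:
                if csv_prefix is not None:
                    write_csv(csv_prefix + [group.Name, str(group.SID), "N", ""])
                sys.stdout.write("\n\t%s (%s)" % (group.Name, group.SID))
            else:
                deleted = dsGetDSTimeStampStr(dsConvertToDSTimeStamp(deltime))
                if csv_prefix is not None:
                    # NOTE(review): deleted links write "Y" in the same column
                    # the primary-group row uses; confirm the column's meaning
                    # against write_csv's header before relying on it.
                    write_csv(csv_prefix + [group.Name, str(group.SID), "Y", deleted])
                sys.stdout.write("\n\t%s (%s) - Deleted: %s" % (group.Name, group.SID, deleted))

    sys.stdout.write("\n")
    sys.stdout.flush()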