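def get_groups(self):
    """Return the Group objects this user belongs to, caching the result.

    On the first call both the user's local group memberships
    (NetUserGetLocalGroups, level 0) and global group memberships
    (NetUserGetGroups) are queried on ``wpc.conf.remote_server``, every
    returned group name is resolved to a SID via
    ``wpc.conf.cache.LookupAccountName`` and a ``Group`` is appended to
    ``self.member_of``.  A non-empty cached list is returned as-is on later
    calls; note that a user with no groups is re-queried every call.

    Either enumeration call failing is treated as "no groups of that kind"
    (best effort, nothing is reported).  A failure to resolve a group name
    to a SID propagates to the caller.
    """
    if self.member_of:
        return self.member_of

    # Imported here rather than at module level to avoid a circular import.
    from wpc.group import group as Group

    server = wpc.conf.remote_server
    name = self.get_name()

    # Level 0 results are used directly as group names below.
    try:
        group_names = list(win32net.NetUserGetLocalGroups(server, name, 0))
    except Exception:
        # Enumeration may legitimately fail (e.g. access denied); keep going
        # rather than abort the caller.  Bare except would also swallow
        # KeyboardInterrupt/SystemExit, which is not wanted.
        group_names = []

    # NetUserGetGroups returns records whose first element is the name.
    try:
        global_groups = win32net.NetUserGetGroups(server, name)
    except Exception:
        global_groups = []
    group_names.extend(g[0] for g in global_groups)

    for group_name in group_names:
        gsid, _, _ = wpc.conf.cache.LookupAccountName(server, group_name)
        self.member_of.append(Group(gsid))

    return self.member_of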
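def get_all(self):
    """Return every global and local group on the target, caching the result.

    On the first call (``self.groups`` empty) the global groups
    (NetGroupEnum) and then the local groups (NetLocalGroupEnum) of
    ``wpc.conf.remote_server`` are enumerated page by page, each name is
    resolved to a SID through ``wpc.conf.cache.LookupAccountName`` and a
    ``Group`` is appended to ``self.groups``.  Later calls return the
    cached list without re-enumerating.

    A group whose name cannot be resolved is reported as
    "[E] failed to lookup sid of <name>" and skipped; a
    ``pywintypes.error`` from the enumeration itself is reported as
    "[E] <code>: <message>" and ends that enumeration only.
    """
    if self.groups:
        return self.groups

    server = wpc.conf.remote_server

    def collect(enum_fn):
        # Walk one paged enumeration API until the resume handle returns to 0.
        level = 0
        resume = 0
        try:
            while True:
                grouplist, _total, resume = enum_fn(server, level, resume, 999999)
                for u in grouplist:
                    try:
                        sid, _name, _type = wpc.conf.cache.LookupAccountName(server, u['name'])
                        self.groups.append(Group(sid))
                    except Exception:
                        # The record that failed is ``u``; the previous code
                        # indexed the Group class here, which itself raised
                        # inside the handler and aborted the enumeration.
                        print("[E] failed to lookup sid of %s" % u['name'])
                if resume == 0:
                    break
        except pywintypes.error as e:
            print("[E] %s: %s" % (e[1], e[2]))

    collect(win32net.NetGroupEnum)
    collect(win32net.NetLocalGroupEnum)
    return self.groups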
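def define_trusted_principals():
    """Populate ``wpc.conf.trusted_principals`` from ``trusted_principals_fq``.

    First decides whether "NT AUTHORITY\\TERMINAL SERVER USER" is trusted: it
    is appended to ``wpc.conf.trusted_principals_fq`` only when the
    TSUserEnabled value of the Terminal Server registry key is present and
    non-zero (see http://support.microsoft.com/kb/238965).  Each name in
    ``trusted_principals_fq`` is then resolved with LookupAccountName and
    appended to ``trusted_principals`` as a Group or user; names that do not
    resolve are skipped.  Finally the well-known Server Operators
    (S-1-5-32-549) and Power Users (S-1-5-32-547) groups are appended when
    their SIDs convert, and the resulting list is printed.

    Everything is reported on stdout with "[i]" / "[E]" prefixes.
    """
    # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0 or doesn't exist
    # See http://support.microsoft.com/kb/238965 for details
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if r.is_present():
        v = r.get_value("TSUserEnabled")
        if v is None:
            print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        elif v != 0:
            print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
            wpc.conf.trusted_principals_fq.append("NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    else:
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
    print

    for t in wpc.conf.trusted_principals_fq:
        try:
            sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, t)
            if not sid:
                print "[E] can't look up sid for " + t
                continue
            p = principal(sid)
            # Re-wrap as the concrete type so group-specific methods
            # (get_members) are available on groups.
            if p.is_group_type():
                p = Group(p.get_sid())
            else:
                p = user(p.get_sid())
            wpc.conf.trusted_principals.append(p)
        except Exception:
            # A name that does not resolve on this server is simply not
            # trusted; narrower than a bare except so Ctrl-C still works.
            pass

    # TODO we only want to ignore this if it doesn't resolve
    # NOTE(review): the append used to sit in the except branch, where p was
    # the stale loop variable (or unbound), so Server Operators was never
    # added on success.  Append on success and skip on failure, as for
    # Power Users below.
    try:
        # Server Operators group
        p = Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))
        wpc.conf.trusted_principals.append(p)
    except Exception:
        pass

    # TODO this always ignored power users.  not what we want.
    # only want to ignore when group doesn't exist.
    try:
        p = Group(win32security.ConvertStringSidToSid("S-1-5-32-547"))
        wpc.conf.trusted_principals.append(p)
    except Exception:
        pass

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print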
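def _read_names_file(path):
    """Return the stripped lines of *path* (one principal name per line).

    The file is closed on return; any error opening or reading it propagates.
    """
    with open(path) as f:
        return [line.strip() for line in f]


def _resolve_principal(fq_name):
    """Resolve a fully-qualified account name to a Group or user object.

    Looks the name up on ``wpc.conf.remote_server``; a group SID is wrapped
    as ``Group``, anything else as ``user``.  Returns None when the lookup
    yields an empty SID (reported as "[E] can't look up sid for <name>") or
    when any step raises -- an unknown name is silently not added, which is
    the behaviour the callers rely on.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, fq_name)
        if not sid:
            print "[E] can't look up sid for " + fq_name
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except Exception:
        return None


def _terminal_server_user_enabled():
    """Report whether "NT AUTHORITY\\TERMINAL SERVER USER" should be trusted.

    Reads TSUserEnabled under HKLM\\System\\CurrentControlSet\\Control\\Terminal Server
    (see http://support.microsoft.com/kb/238965).  Returns True only when the
    value is present and non-zero, printing an "[i]" line that explains the
    decision in every case.
    """
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if not r.is_present():
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
        return False
    v = r.get_value("TSUserEnabled")
    if v is None:
        print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        return False
    if v != 0:
        print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
        return True
    print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    return False


def _trust_builtin_group(string_sid):
    """Append the BUILTIN group with *string_sid* to trusted_principals.

    Nothing is added when the string SID cannot be converted or wrapped as a
    ``Group``.
    """
    try:
        wpc.conf.trusted_principals.append(
            Group(win32security.ConvertStringSidToSid(string_sid)))
    except Exception:
        pass


def define_trusted_principals(options):
    """Decide which principals privesc findings are reported for.

    Sets ``wpc.conf.privesc_mode`` to one of two modes:

    * ``"exploitable_by"`` -- when names are supplied via
      ``options.exploitable_by_list`` / ``options.exploitable_by_file``, or
      ``options.exploitable_by_me`` is set (owner and non-deny-only groups
      of the current process token), ``wpc.conf.exploitable_by`` is filled
      with the resolved Group/user objects and only issues exploitable by
      them are reported.
    * ``"report_untrusted"`` -- otherwise ``wpc.conf.trusted_principals`` is
      built from ``wpc.conf.trusted_principals_fq``.  If
      ``options.ignore_principal_list`` / ``options.ignore_principal_file``
      supply names they extend that list (replacing it when
      ``options.ignorenoone`` is set); if not, the default list is tweaked:
      TERMINAL SERVER USER is added when enabled in the registry and the
      Server Operators / Power Users groups are added when they resolve.

    The chosen list is printed.  Exits the process (sys.exit) when a names
    file cannot be read or the current process token cannot be examined.
    """
    exploitable_by_fq = []
    ignore_principals = []

    if options.exploitable_by_list:
        exploitable_by_fq = options.exploitable_by_list
    if options.exploitable_by_file:
        try:
            exploitable_by_fq = exploitable_by_fq + _read_names_file(options.exploitable_by_file)
        except Exception:
            # The message must name the attribute checked above; it used to
            # reference options.exploitablebyfile, which made the error
            # path itself raise.
            print "[E] Error reading from file %s" % options.exploitable_by_file
            sys.exit()

    if options.ignore_principal_list:
        ignore_principals = options.ignore_principal_list
    if options.ignore_principal_file:
        try:
            # Same attribute as the guard; the old code opened
            # options.ignoreprincipalfile, a different name.
            ignore_principals = ignore_principals + _read_names_file(options.ignore_principal_file)
        except Exception:
            print "[E] Error reading from file %s" % options.ignore_principal_file
            sys.exit()

    # examine token, populate exploitable_by
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # Groups flagged USE_FOR_DENY_ONLY cannot grant access, so
                # they are not principals an issue could be exploited by.
                if "|".join(g[1]).find("USE_FOR_DENY_ONLY") == -1:
                    wpc.conf.exploitable_by.append(g[0])
        except Exception:
            print "[E] Problem examining access token of current process"
            sys.exit()

    # check each of the supplied users in exploitable_by and exploitable_by resolve
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for t in exploitable_by_fq:
            p = _resolve_principal(t)
            if p is not None:
                wpc.conf.exploitable_by.append(p)
        print "Only reporting privesc issues for these users/groups:"
        for p in wpc.conf.exploitable_by:
            print "* " + p.get_fq_name()
        return

    wpc.conf.privesc_mode = "report_untrusted"

    if ignore_principals:
        # if user has specified list of trusted users, use only their list
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        # otherwise the user has not specified a list of trusted users. we intelligently tweak the list.
        if _terminal_server_user_enabled():
            wpc.conf.trusted_principals_fq.append("NT AUTHORITY\TERMINAL SERVER USER")
        print

        # TODO we only want to ignore this if it doesn't resolve
        # NOTE(review): the old code appended p only in the except branch,
        # where p was unbound or a stale variable; now Server Operators is
        # added on success and skipped on failure, like Power Users.
        _trust_builtin_group("S-1-5-32-549")  # Server Operators group

        # TODO this always ignored power users.  not what we want.
        # only want to ignore when group doesn't exist.
        _trust_builtin_group("S-1-5-32-547")  # Power Users group

    # populate wpc.conf.trusted_principals with the objects corresponding to trusted_principals_fq
    for t in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(t)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print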