112 lines
4.4 KiB
Python
112 lines
4.4 KiB
Python
|
#Stolen from Impacket
|
||
|
|
||
|
import logging
|
||
|
from impacket.dcerpc.v5.rpcrt import DCERPC_v5
|
||
|
from impacket.dcerpc.v5 import transport, samr
|
||
|
from impacket.dcerpc.v5.samr import DCERPCSessionError
|
||
|
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
||
|
from impacket.nt_errors import STATUS_MORE_ENTRIES
|
||
|
from impacket import ntlm
|
||
|
|
||
|
class UserSamrDump:
|
||
|
|
||
|
KNOWN_PROTOCOLS = {
|
||
|
'139/SMB': (r'ncacn_np:%s[\pipe\samr]', 139),
|
||
|
'445/SMB': (r'ncacn_np:%s[\pipe\samr]', 445),
|
||
|
}
|
||
|
|
||
|
def __init__(self, connection):
|
||
|
self.logger = connection.logger
|
||
|
self.addr = connection.host
|
||
|
self.protocol = connection.args.port
|
||
|
self.username = connection.username
|
||
|
self.password = connection.password
|
||
|
self.domain = connection.domain
|
||
|
self.hash = connection.hash
|
||
|
self.lmhash = ''
|
||
|
self.nthash = ''
|
||
|
self.aesKey = None
|
||
|
self.doKerberos = False
|
||
|
self.protocols = UserSamrDump.KNOWN_PROTOCOLS.keys()
|
||
|
self.users = []
|
||
|
|
||
|
if self.hash is not None:
|
||
|
if self.hash.find(':') != -1:
|
||
|
self.lmhash, self.nthash = self.hash.split(':')
|
||
|
else:
|
||
|
self.nthash = self.hash
|
||
|
|
||
|
if self.password is None:
|
||
|
self.password = ''
|
||
|
|
||
|
def dump(self):
|
||
|
|
||
|
# Try all requested protocols until one works.
|
||
|
for protocol in self.protocols:
|
||
|
try:
|
||
|
protodef = UserSamrDump.KNOWN_PROTOCOLS[protocol]
|
||
|
port = protodef[1]
|
||
|
except KeyError:
|
||
|
logging.debug("Invalid Protocol '{}'".format(protocol))
|
||
|
logging.debug("Trying protocol {}".format(protocol))
|
||
|
rpctransport = transport.SMBTransport(self.addr, port, r'\samr', self.username, self.password, self.domain,
|
||
|
self.lmhash, self.nthash, self.aesKey, doKerberos = self.doKerberos)
|
||
|
try:
|
||
|
self.fetchList(rpctransport)
|
||
|
except Exception as e:
|
||
|
logging.debug('Protocol failed: {}'.format(e))
|
||
|
return self.users
|
||
|
|
||
|
def fetchList(self, rpctransport):
|
||
|
dce = DCERPC_v5(rpctransport)
|
||
|
dce.connect()
|
||
|
dce.bind(samr.MSRPC_UUID_SAMR)
|
||
|
|
||
|
# Setup Connection
|
||
|
resp = samr.hSamrConnect2(dce)
|
||
|
if resp['ErrorCode'] != 0:
|
||
|
raise Exception('Connect error')
|
||
|
|
||
|
resp2 = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle=resp['ServerHandle'],
|
||
|
enumerationContext=0,
|
||
|
preferedMaximumLength=500)
|
||
|
if resp2['ErrorCode'] != 0:
|
||
|
raise Exception('Connect error')
|
||
|
|
||
|
resp3 = samr.hSamrLookupDomainInSamServer(dce, serverHandle=resp['ServerHandle'],
|
||
|
name=resp2['Buffer']['Buffer'][0]['Name'])
|
||
|
if resp3['ErrorCode'] != 0:
|
||
|
raise Exception('Connect error')
|
||
|
|
||
|
resp4 = samr.hSamrOpenDomain(dce, serverHandle=resp['ServerHandle'],
|
||
|
desiredAccess=samr.MAXIMUM_ALLOWED,
|
||
|
domainId=resp3['DomainId'])
|
||
|
if resp4['ErrorCode'] != 0:
|
||
|
raise Exception('Connect error')
|
||
|
|
||
|
self.__domains = resp2['Buffer']['Buffer']
|
||
|
domainHandle = resp4['DomainHandle']
|
||
|
# End Setup
|
||
|
|
||
|
status = STATUS_MORE_ENTRIES
|
||
|
enumerationContext = 0
|
||
|
while status == STATUS_MORE_ENTRIES:
|
||
|
try:
|
||
|
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
|
||
|
except DCERPCException as e:
|
||
|
if str(e).find('STATUS_MORE_ENTRIES') < 0:
|
||
|
raise
|
||
|
resp = e.get_packet()
|
||
|
for user in resp['Buffer']['Buffer']:
|
||
|
r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
|
||
|
info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
|
||
|
(username, uid, info_user) = (user['Name'], user['RelativeId'], info['Buffer']['All'])
|
||
|
self.logger.highlight('{}\\{:<30} {}'.format(self.domain, user['Name'], info_user['AdminComment']))
|
||
|
self.users.append(user['Name'])
|
||
|
samr.hSamrCloseHandle(dce, r['UserHandle'])
|
||
|
|
||
|
enumerationContext = resp['EnumerationContext']
|
||
|
status = resp['ErrorCode']
|
||
|
|
||
|
dce.disconnect()
|