NetExec/nxc/protocols/smb/samruser.py

129 lines
4.5 KiB
Python
Raw Normal View History

2023-05-02 15:17:59 +00:00
# Stolen from Impacket
2023-04-07 17:12:56 +00:00
from impacket.dcerpc.v5 import transport, samr
from impacket.dcerpc.v5.rpcrt import DCERPCException
2023-04-07 17:12:56 +00:00
from impacket.dcerpc.v5.rpcrt import DCERPC_v5
from impacket.nt_errors import STATUS_MORE_ENTRIES
class UserSamrDump:
KNOWN_PROTOCOLS = {
2023-05-02 15:17:59 +00:00
"139/SMB": (r"ncacn_np:%s[\pipe\samr]", 139),
"445/SMB": (r"ncacn_np:%s[\pipe\samr]", 445),
}
def __init__(self, connection):
self.logger = connection.logger
2023-05-08 18:39:36 +00:00
self.addr = connection.host if not connection.kerberos else connection.hostname + "." + connection.domain
self.protocol = connection.args.port
self.username = connection.username
self.password = connection.password
self.domain = connection.domain
self.hash = connection.hash
2023-05-02 15:17:59 +00:00
self.lmhash = ""
self.nthash = ""
2023-07-03 17:18:33 +00:00
self.aesKey = connection.aesKey
2023-02-02 19:43:04 +00:00
self.doKerberos = connection.kerberos
self.protocols = UserSamrDump.KNOWN_PROTOCOLS.keys()
self.users = []
if self.hash is not None:
2023-05-02 15:17:59 +00:00
if self.hash.find(":") != -1:
self.lmhash, self.nthash = self.hash.split(":")
else:
self.nthash = self.hash
2023-05-02 15:17:59 +00:00
if self.password is None:
2023-05-02 15:17:59 +00:00
self.password = ""
def dump(self):
# Try all requested protocols until one works.
for protocol in self.protocols:
try:
protodef = UserSamrDump.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
2023-09-20 15:59:16 +00:00
except KeyError:
self.logger.debug(f"Invalid Protocol '{protocol}'")
self.logger.debug(f"Trying protocol {protocol}")
rpctransport = transport.SMBTransport(
self.addr,
port,
r"\samr",
self.username,
self.password,
self.domain,
self.lmhash,
self.nthash,
self.aesKey,
2023-05-02 15:17:59 +00:00
doKerberos=self.doKerberos,
)
try:
self.fetchList(rpctransport)
2023-02-02 19:43:04 +00:00
break
except Exception as e:
self.logger.debug(f"Protocol failed: {e}")
return self.users
def fetchList(self, rpctransport):
dce = DCERPC_v5(rpctransport)
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
# Setup Connection
resp = samr.hSamrConnect2(dce)
if resp["ErrorCode"] != 0:
raise Exception("Connect error")
2023-05-02 15:17:59 +00:00
resp2 = samr.hSamrEnumerateDomainsInSamServer(
dce,
serverHandle=resp["ServerHandle"],
enumerationContext=0,
preferedMaximumLength=500,
)
if resp2["ErrorCode"] != 0:
raise Exception("Connect error")
2023-05-02 15:17:59 +00:00
resp3 = samr.hSamrLookupDomainInSamServer(
dce,
serverHandle=resp["ServerHandle"],
name=resp2["Buffer"]["Buffer"][0]["Name"],
)
if resp3["ErrorCode"] != 0:
raise Exception("Connect error")
2023-05-02 15:17:59 +00:00
resp4 = samr.hSamrOpenDomain(
dce,
serverHandle=resp["ServerHandle"],
desiredAccess=samr.MAXIMUM_ALLOWED,
domainId=resp3["DomainId"],
)
if resp4["ErrorCode"] != 0:
raise Exception("Connect error")
self.__domains = resp2["Buffer"]["Buffer"]
domainHandle = resp4["DomainHandle"]
# End Setup
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
2023-05-08 18:39:36 +00:00
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext=enumerationContext)
except DCERPCException as e:
if str(e).find("STATUS_MORE_ENTRIES") < 0:
self.logger.fail("Error enumerating domain user(s)")
2023-05-02 15:17:59 +00:00
break
resp = e.get_packet()
self.logger.success("Enumerated domain user(s)")
for user in resp["Buffer"]["Buffer"]:
2023-05-08 18:39:36 +00:00
r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user["RelativeId"])
info_user = samr.hSamrQueryInformationUser2(dce, r["UserHandle"], samr.USER_INFORMATION_CLASS.UserAllInformation)["Buffer"]["All"]["AdminComment"]
self.logger.highlight(f"{self.domain}\\{user['Name']:<30} {info_user}")
self.users.append(user["Name"])
samr.hSamrCloseHandle(dce, r["UserHandle"])
enumerationContext = resp["EnumerationContext"]
status = resp["ErrorCode"]
dce.disconnect()