2023-05-02 15:17:59 +00:00
|
|
|
# Stolen from Impacket
|
2021-06-24 18:37:54 +00:00
|
|
|
|
2023-04-07 17:12:56 +00:00
|
|
|
from impacket.dcerpc.v5 import transport, samr
|
2021-06-24 18:37:54 +00:00
|
|
|
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
2023-04-07 17:12:56 +00:00
|
|
|
from impacket.dcerpc.v5.rpcrt import DCERPC_v5
|
2021-06-24 18:37:54 +00:00
|
|
|
from impacket.nt_errors import STATUS_MORE_ENTRIES
|
2023-03-30 20:36:58 +00:00
|
|
|
|
2021-06-24 18:37:54 +00:00
|
|
|
|
|
|
|
class UserSamrDump:
|
2023-10-17 18:49:51 +00:00
|
|
|
KNOWN_PROTOCOLS = {
|
2023-05-02 15:17:59 +00:00
|
|
|
"139/SMB": (r"ncacn_np:%s[\pipe\samr]", 139),
|
|
|
|
"445/SMB": (r"ncacn_np:%s[\pipe\samr]", 445),
|
2021-06-24 18:37:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
def __init__(self, connection):
|
2023-05-09 13:50:56 +00:00
|
|
|
self.logger = connection.logger
|
2023-05-08 18:39:36 +00:00
|
|
|
self.addr = connection.host if not connection.kerberos else connection.hostname + "." + connection.domain
|
2021-06-24 18:37:54 +00:00
|
|
|
self.protocol = connection.args.port
|
|
|
|
self.username = connection.username
|
|
|
|
self.password = connection.password
|
|
|
|
self.domain = connection.domain
|
|
|
|
self.hash = connection.hash
|
2023-05-02 15:17:59 +00:00
|
|
|
self.lmhash = ""
|
|
|
|
self.nthash = ""
|
2023-07-03 17:18:33 +00:00
|
|
|
self.aesKey = connection.aesKey
|
2023-02-02 19:43:04 +00:00
|
|
|
self.doKerberos = connection.kerberos
|
2021-06-24 18:37:54 +00:00
|
|
|
self.protocols = UserSamrDump.KNOWN_PROTOCOLS.keys()
|
|
|
|
self.users = []
|
|
|
|
|
|
|
|
if self.hash is not None:
|
2023-05-02 15:17:59 +00:00
|
|
|
if self.hash.find(":") != -1:
|
|
|
|
self.lmhash, self.nthash = self.hash.split(":")
|
2021-06-24 18:37:54 +00:00
|
|
|
else:
|
|
|
|
self.nthash = self.hash
|
2023-05-02 15:17:59 +00:00
|
|
|
|
2021-06-24 18:37:54 +00:00
|
|
|
if self.password is None:
|
2023-05-02 15:17:59 +00:00
|
|
|
self.password = ""
|
2021-06-24 18:37:54 +00:00
|
|
|
|
|
|
|
def dump(self):
|
|
|
|
# Try all requested protocols until one works.
|
|
|
|
for protocol in self.protocols:
|
|
|
|
try:
|
|
|
|
protodef = UserSamrDump.KNOWN_PROTOCOLS[protocol]
|
|
|
|
port = protodef[1]
|
2023-09-20 15:59:16 +00:00
|
|
|
except KeyError:
|
2023-04-12 04:25:38 +00:00
|
|
|
self.logger.debug(f"Invalid Protocol '{protocol}'")
|
|
|
|
self.logger.debug(f"Trying protocol {protocol}")
|
|
|
|
rpctransport = transport.SMBTransport(
|
|
|
|
self.addr,
|
|
|
|
port,
|
|
|
|
r"\samr",
|
|
|
|
self.username,
|
|
|
|
self.password,
|
|
|
|
self.domain,
|
|
|
|
self.lmhash,
|
|
|
|
self.nthash,
|
|
|
|
self.aesKey,
|
2023-05-02 15:17:59 +00:00
|
|
|
doKerberos=self.doKerberos,
|
2023-04-12 04:25:38 +00:00
|
|
|
)
|
2021-06-24 18:37:54 +00:00
|
|
|
try:
|
|
|
|
self.fetchList(rpctransport)
|
2023-02-02 19:43:04 +00:00
|
|
|
break
|
2021-06-24 18:37:54 +00:00
|
|
|
except Exception as e:
|
2023-04-12 04:25:38 +00:00
|
|
|
self.logger.debug(f"Protocol failed: {e}")
|
2021-06-24 18:37:54 +00:00
|
|
|
return self.users
|
|
|
|
|
|
|
|
def fetchList(self, rpctransport):
|
|
|
|
dce = DCERPC_v5(rpctransport)
|
|
|
|
dce.connect()
|
|
|
|
dce.bind(samr.MSRPC_UUID_SAMR)
|
|
|
|
|
|
|
|
# Setup Connection
|
|
|
|
resp = samr.hSamrConnect2(dce)
|
2023-04-12 04:25:38 +00:00
|
|
|
if resp["ErrorCode"] != 0:
|
|
|
|
raise Exception("Connect error")
|
2021-06-24 18:37:54 +00:00
|
|
|
|
2023-05-02 15:17:59 +00:00
|
|
|
resp2 = samr.hSamrEnumerateDomainsInSamServer(
|
|
|
|
dce,
|
|
|
|
serverHandle=resp["ServerHandle"],
|
|
|
|
enumerationContext=0,
|
|
|
|
preferedMaximumLength=500,
|
|
|
|
)
|
2023-04-12 04:25:38 +00:00
|
|
|
if resp2["ErrorCode"] != 0:
|
|
|
|
raise Exception("Connect error")
|
2021-06-24 18:37:54 +00:00
|
|
|
|
2023-05-02 15:17:59 +00:00
|
|
|
resp3 = samr.hSamrLookupDomainInSamServer(
|
|
|
|
dce,
|
|
|
|
serverHandle=resp["ServerHandle"],
|
|
|
|
name=resp2["Buffer"]["Buffer"][0]["Name"],
|
|
|
|
)
|
2023-04-12 04:25:38 +00:00
|
|
|
if resp3["ErrorCode"] != 0:
|
|
|
|
raise Exception("Connect error")
|
2021-06-24 18:37:54 +00:00
|
|
|
|
2023-05-02 15:17:59 +00:00
|
|
|
resp4 = samr.hSamrOpenDomain(
|
|
|
|
dce,
|
|
|
|
serverHandle=resp["ServerHandle"],
|
|
|
|
desiredAccess=samr.MAXIMUM_ALLOWED,
|
|
|
|
domainId=resp3["DomainId"],
|
|
|
|
)
|
2023-04-12 04:25:38 +00:00
|
|
|
if resp4["ErrorCode"] != 0:
|
|
|
|
raise Exception("Connect error")
|
2021-06-24 18:37:54 +00:00
|
|
|
|
2023-04-12 04:25:38 +00:00
|
|
|
self.__domains = resp2["Buffer"]["Buffer"]
|
|
|
|
domainHandle = resp4["DomainHandle"]
|
2021-06-24 18:37:54 +00:00
|
|
|
# End Setup
|
|
|
|
|
|
|
|
status = STATUS_MORE_ENTRIES
|
|
|
|
enumerationContext = 0
|
|
|
|
while status == STATUS_MORE_ENTRIES:
|
|
|
|
try:
|
2023-05-08 18:39:36 +00:00
|
|
|
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext=enumerationContext)
|
2021-06-24 18:37:54 +00:00
|
|
|
except DCERPCException as e:
|
2023-04-12 04:25:38 +00:00
|
|
|
if str(e).find("STATUS_MORE_ENTRIES") < 0:
|
2023-04-21 10:20:47 +00:00
|
|
|
self.logger.fail("Error enumerating domain user(s)")
|
2023-05-02 15:17:59 +00:00
|
|
|
break
|
2021-06-24 18:37:54 +00:00
|
|
|
resp = e.get_packet()
|
2023-04-12 04:25:38 +00:00
|
|
|
self.logger.success("Enumerated domain user(s)")
|
|
|
|
for user in resp["Buffer"]["Buffer"]:
|
2023-05-08 18:39:36 +00:00
|
|
|
r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user["RelativeId"])
|
2023-10-15 18:35:45 +00:00
|
|
|
info_user = samr.hSamrQueryInformationUser2(dce, r["UserHandle"], samr.USER_INFORMATION_CLASS.UserAllInformation)["Buffer"]["All"]["AdminComment"]
|
|
|
|
self.logger.highlight(f"{self.domain}\\{user['Name']:<30} {info_user}")
|
2023-04-12 04:25:38 +00:00
|
|
|
self.users.append(user["Name"])
|
|
|
|
samr.hSamrCloseHandle(dce, r["UserHandle"])
|
|
|
|
|
|
|
|
enumerationContext = resp["EnumerationContext"]
|
|
|
|
status = resp["ErrorCode"]
|
2021-06-24 18:37:54 +00:00
|
|
|
|
|
|
|
dce.disconnect()
|