Import upstream version 0.2.0
Kali Janitor
3 years ago
12 | 12 | |
13 | 13 | ![License](https://img.shields.io/github/license/the-useless-one/pywerview.svg?maxAge=2592000) |
14 | 14 | ![Python versions](https://img.shields.io/pypi/pyversions/pywerview.svg?maxAge=2592000) |
15 | [![GitHub release](https://img.shields.io/github/release/the-useless-one/pywerview.svg?maxAge=2592001&label=GitHub%20release)](https://github.com/the-useless-one/pywerview/releases/latest) | |
15 | [![GitHub release](https://img.shields.io/github/release/the-useless-one/pywerview.svg?maxAge=2592000&label=GitHub%20release)](https://github.com/the-useless-one/pywerview/releases/latest) | |
16 | 16 | [![PyPI version](https://img.shields.io/pypi/v/pywerview.svg?maxAge=2592000)](https://pypi.python.org/pypi/pywerview) |
17 | 17 | |
18 | 18 | ## HISTORY |
26 | 26 | lmhash=str(), nthash=str(), queried_domain=str(), queried_sid=str(), |
27 | 27 | queried_name=str(), queried_sam_account_name=str(), ads_path=str(), |
28 | 28 | custom_filter=str()): |
29 | requester = NetRequester(domain_controller, domain, user, password, | |
30 | lmhash, nthash) | |
31 | return requester.get_adobject(queried_domain=queried_domain, | |
29 | requester = NetRequester(domain_controller, domain, user, password, | |
30 | lmhash, nthash) | |
31 | return requester.get_adobject(queried_domain=queried_domain, | |
32 | 32 | queried_sid=queried_sid, queried_name=queried_name, |
33 | 33 | queried_sam_account_name=queried_sam_account_name, |
34 | 34 | ads_path=ads_path, custom_filter=custom_filter) |
36 | 36 | def get_netuser(domain_controller, domain, user, password=str(), lmhash=str(), |
37 | 37 | nthash=str(), queried_username=str(), queried_domain=str(), ads_path=str(), |
38 | 38 | admin_count=False, spn=False, unconstrained=False, allow_delegation=False, |
39 | preauth_notreq=False, custom_filter=str()): | |
40 | requester = NetRequester(domain_controller, domain, user, password, | |
41 | lmhash, nthash) | |
42 | return requester.get_netuser(queried_username=queried_username, | |
39 | custom_filter=str()): | |
40 | requester = NetRequester(domain_controller, domain, user, password, | |
41 | lmhash, nthash) | |
42 | return requester.get_netuser(queried_username=queried_username, | |
43 | 43 | queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count, |
44 | 44 | spn=spn, unconstrained=unconstrained, allow_delegation=allow_delegation, |
45 | preauth_notreq=preauth_notreq, custom_filter=custom_filter) | |
45 | custom_filter=custom_filter) | |
46 | 46 | |
47 | 47 | def get_netgroup(domain_controller, domain, user, password=str(), |
48 | 48 | lmhash=str(), nthash=str(), queried_groupname='*', queried_sid=str(), |
49 | 49 | queried_username=str(), queried_domain=str(), ads_path=str(), |
50 | 50 | admin_count=False, full_data=False, custom_filter=str()): |
51 | requester = NetRequester(domain_controller, domain, user, password, | |
51 | requester = NetRequester(domain_controller, domain, user, password, | |
52 | 52 | lmhash, nthash) |
53 | return requester.get_netgroup(queried_groupname=queried_groupname, | |
53 | return requester.get_netgroup(queried_groupname=queried_groupname, | |
54 | 54 | queried_sid=queried_sid, queried_username=queried_username, |
55 | 55 | queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count, |
56 | 56 | full_data=full_data, custom_filter=custom_filter) |
60 | 60 | queried_os=str(), queried_sp=str(), queried_domain=str(), ads_path=str(), |
61 | 61 | printers=False, unconstrained=False, ping=False, full_data=False, |
62 | 62 | custom_filter=str()): |
63 | requester = NetRequester(domain_controller, domain, user, password, | |
64 | lmhash, nthash) | |
65 | return requester.get_netcomputer(queried_computername=queried_computername, | |
63 | requester = NetRequester(domain_controller, domain, user, password, | |
64 | lmhash, nthash) | |
65 | return requester.get_netcomputer(queried_computername=queried_computername, | |
66 | 66 | queried_spn=queried_spn, queried_os=queried_os, queried_sp=queried_sp, |
67 | 67 | queried_domain=queried_domain, ads_path=ads_path, printers=printers, |
68 | 68 | unconstrained=unconstrained, ping=ping, full_data=full_data, |
70 | 70 | |
71 | 71 | def get_netdomaincontroller(domain_controller, domain, user, password=str(), |
72 | 72 | lmhash=str(), nthash=str(), queried_domain=str()): |
73 | requester = NetRequester(domain_controller, domain, user, password, | |
74 | lmhash, nthash) | |
75 | return requester.get_netdomaincontroller(queried_domain=queried_domain) | |
73 | requester = NetRequester(domain_controller, domain, user, password, | |
74 | lmhash, nthash) | |
75 | return requester.get_netdomaincontroller(queried_domain=queried_domain) | |
76 | 76 | |
77 | 77 | def get_netfileserver(domain_controller, domain, user, password=str(), |
78 | 78 | lmhash=str(), nthash=str(), queried_domain=str(), target_users=list()): |
79 | requester = NetRequester(domain_controller, domain, user, password, | |
80 | lmhash, nthash) | |
81 | return requester.get_netfileserver(queried_domain=queried_domain, | |
79 | requester = NetRequester(domain_controller, domain, user, password, | |
80 | lmhash, nthash) | |
81 | return requester.get_netfileserver(queried_domain=queried_domain, | |
82 | 82 | target_users=target_users) |
83 | 83 | |
84 | 84 | def get_dfsshare(domain_controller, domain, user, password=str(), |
85 | 85 | lmhash=str(), nthash=str(), version=['v1', 'v2'], queried_domain=str(), |
86 | 86 | ads_path=str()): |
87 | requester = NetRequester(domain_controller, domain, user, password, | |
88 | lmhash, nthash) | |
89 | return requester.get_dfsshare(version=version, queried_domain=queried_domain, ads_path=ads_path) | |
87 | requester = NetRequester(domain_controller, domain, user, password, | |
88 | lmhash, nthash) | |
89 | return requester.get_dfsshare(version=version, queried_domain=queried_domain, ads_path=ads_path) | |
90 | 90 | |
91 | 91 | def get_netou(domain_controller, domain, user, password=str(), lmhash=str(), |
92 | 92 | nthash=str(), queried_domain=str(), queried_ouname='*', queried_guid=str(), |
93 | 93 | ads_path=str(), full_data=False): |
94 | requester = NetRequester(domain_controller, domain, user, password, | |
95 | lmhash, nthash) | |
96 | return requester.get_netou(queried_domain=queried_domain, | |
94 | requester = NetRequester(domain_controller, domain, user, password, | |
95 | lmhash, nthash) | |
96 | return requester.get_netou(queried_domain=queried_domain, | |
97 | 97 | queried_ouname=queried_ouname, queried_guid=queried_guid, ads_path=ads_path, |
98 | 98 | full_data=full_data) |
99 | 99 | |
100 | 100 | def get_netsite(domain_controller, domain, user, password=str(), lmhash=str(), |
101 | 101 | nthash=str(), queried_domain=str(), queried_sitename=str(), |
102 | 102 | queried_guid=str(), ads_path=str(), full_data=False): |
103 | requester = NetRequester(domain_controller, domain, user, password, | |
104 | lmhash, nthash) | |
105 | return requester.get_netsite(queried_domain=queried_domain, | |
103 | requester = NetRequester(domain_controller, domain, user, password, | |
104 | lmhash, nthash) | |
105 | return requester.get_netsite(queried_domain=queried_domain, | |
106 | 106 | queried_sitename=queried_sitename, queried_guid=queried_guid, |
107 | 107 | ads_path=ads_path, full_data=full_data) |
108 | 108 | |
109 | 109 | def get_netsubnet(domain_controller, domain, user, password=str(), |
110 | 110 | lmhash=str(), nthash=str(), queried_domain=str(), queried_sitename=str(), |
111 | 111 | ads_path=str(), full_data=False): |
112 | requester = NetRequester(domain_controller, domain, user, password, | |
113 | lmhash, nthash) | |
114 | return requester.get_netsubnet(queried_domain=queried_domain, | |
112 | requester = NetRequester(domain_controller, domain, user, password, | |
113 | lmhash, nthash) | |
114 | return requester.get_netsubnet(queried_domain=queried_domain, | |
115 | 115 | queried_sitename=queried_sitename, ads_path=ads_path, full_data=full_data) |
116 | ||
117 | def get_netdomaintrust(domain_controller, domain, user, password=str(), | |
118 | lmhash=str(), nthash=str(), queried_domain=str()): | |
119 | requester = NetRequester(domain_controller, domain, user, password, | |
120 | lmhash, nthash) | |
121 | return requester.get_netdomaintrust(queried_domain=queried_domain) | |
122 | 116 | |
123 | 117 | def get_netgroupmember(domain_controller, domain, user, password=str(), |
124 | 118 | lmhash=str(), nthash=str(), queried_groupname=str(), queried_sid=str(), |
125 | 119 | queried_domain=str(), ads_path=str(), recurse=False, use_matching_rule=False, |
126 | 120 | full_data=False, custom_filter=str()): |
127 | requester = NetRequester(domain_controller, domain, user, password, | |
128 | lmhash, nthash) | |
129 | return requester.get_netgroupmember(queried_groupname=queried_groupname, | |
121 | requester = NetRequester(domain_controller, domain, user, password, | |
122 | lmhash, nthash) | |
123 | return requester.get_netgroupmember(queried_groupname=queried_groupname, | |
130 | 124 | queried_sid=queried_sid, queried_domain=queried_domain, |
131 | 125 | ads_path=ads_path, recurse=recurse, |
132 | 126 | use_matching_rule=use_matching_rule, |
134 | 128 | |
135 | 129 | def get_netsession(target_computername, domain, user, password=str(), |
136 | 130 | lmhash=str(), nthash=str()): |
137 | requester = NetRequester(target_computername, domain, user, password, | |
138 | lmhash, nthash) | |
139 | return requester.get_netsession() | |
131 | requester = NetRequester(target_computername, domain, user, password, | |
132 | lmhash, nthash) | |
133 | return requester.get_netsession() | |
140 | 134 | |
141 | 135 | def get_netshare(target_computername, domain, user, password=str(), |
142 | 136 | lmhash=str(), nthash=str()): |
143 | requester = NetRequester(target_computername, domain, user, password, | |
144 | lmhash, nthash) | |
145 | return requester.get_netshare() | |
137 | requester = NetRequester(target_computername, domain, user, password, | |
138 | lmhash, nthash) | |
139 | return requester.get_netshare() | |
146 | 140 | |
147 | 141 | def get_localdisks(target_computername, domain, user, password=str(), |
148 | 142 | lmhash=str(), nthash=str()): |
149 | requester = NetRequester(target_computername, domain, user, password, | |
150 | lmhash, nthash) | |
151 | return requester.get_localdisks() | |
143 | requester = NetRequester(target_computername, domain, user, password, | |
144 | lmhash, nthash) | |
145 | return requester.get_localdisks() | |
152 | 146 | |
153 | 147 | def get_netdomain(domain_controller, domain, user, password=str(), |
154 | 148 | lmhash=str(), nthash=str()): |
155 | requester = NetRequester(domain_controller, domain, user, password, | |
156 | lmhash, nthash) | |
157 | return requester.get_netdomain() | |
149 | requester = NetRequester(domain_controller, domain, user, password, | |
150 | lmhash, nthash) | |
151 | return requester.get_netdomain() | |
158 | 152 | |
159 | 153 | def get_netloggedon(target_computername, domain, user, password=str(), |
160 | 154 | lmhash=str(), nthash=str()): |
161 | requester = NetRequester(target_computername, domain, user, password, | |
162 | lmhash, nthash) | |
163 | return requester.get_netloggedon() | |
155 | requester = NetRequester(target_computername, domain, user, password, | |
156 | lmhash, nthash) | |
157 | return requester.get_netloggedon() | |
164 | 158 | |
165 | 159 | def get_netlocalgroup(target_computername, domain_controller, domain, user, |
166 | 160 | password=str(), lmhash=str(), nthash=str(), queried_groupname=str(), |
167 | 161 | list_groups=False, recurse=False): |
168 | requester = NetRequester(target_computername, domain, user, password, | |
162 | requester = NetRequester(target_computername, domain, user, password, | |
169 | 163 | lmhash, nthash, domain_controller) |
170 | return requester.get_netlocalgroup(queried_groupname=queried_groupname, | |
164 | return requester.get_netlocalgroup(queried_groupname=queried_groupname, | |
171 | 165 | list_groups=list_groups, recurse=recurse) |
172 | 166 | |
173 | 167 | def get_netprocess(target_computername, domain, user, password=str(), |
174 | 168 | lmhash=str(), nthash=str()): |
175 | requester = NetRequester(target_computername, domain, user, password, | |
176 | lmhash, nthash) | |
177 | return requester.get_netprocess() | |
169 | requester = NetRequester(target_computername, domain, user, password, | |
170 | lmhash, nthash) | |
171 | return requester.get_netprocess() | |
178 | 172 | |
179 | 173 | def get_userevent(target_computername, domain, user, password=str(), |
180 | 174 | lmhash=str(), nthash=str(), event_type=['logon', 'tgt'], |
181 | 175 | date_start=5): |
182 | requester = NetRequester(target_computername, domain, user, password, | |
183 | lmhash, nthash) | |
184 | return requester.get_userevent(event_type=event_type, | |
176 | requester = NetRequester(target_computername, domain, user, password, | |
177 | lmhash, nthash) | |
178 | return requester.get_userevent(event_type=event_type, | |
185 | 179 | date_start=date_start) |
186 | 180 | |
187 | 181 | def get_netgpo(domain_controller, domain, user, password=str(), |
188 | 182 | lmhash=str(), nthash=str(), queried_gponame='*', |
189 | 183 | queried_displayname=str(), queried_domain=str(), ads_path=str()): |
190 | requester = GPORequester(domain_controller, domain, user, password, | |
191 | lmhash, nthash) | |
192 | return requester.get_netgpo(queried_gponame=queried_gponame, | |
184 | requester = GPORequester(domain_controller, domain, user, password, | |
185 | lmhash, nthash) | |
186 | return requester.get_netgpo(queried_gponame=queried_gponame, | |
193 | 187 | queried_displayname=queried_displayname, |
194 | 188 | queried_domain=queried_domain, ads_path=ads_path) |
195 | 189 | |
196 | 190 | def get_domainpolicy(domain_controller, domain, user, password=str(), |
197 | 191 | lmhash=str(), nthash=str(), source='domain', queried_domain=str(), |
198 | 192 | resolve_sids=False): |
199 | requester = GPORequester(domain_controller, domain, user, password, | |
200 | lmhash, nthash) | |
201 | ||
202 | return requester.get_domainpolicy(source=source, queried_domain=queried_domain, | |
193 | requester = GPORequester(domain_controller, domain, user, password, | |
194 | lmhash, nthash) | |
195 | ||
196 | return requester.get_domainpolicy(source=source, queried_domain=queried_domain, | |
203 | 197 | resolve_sids=resolve_sids) |
204 | 198 | |
205 | 199 | def get_gpttmpl(gpttmpl_path, domain_controller, domain, user, password=str(), lmhash=str(), |
206 | 200 | nthash=str()): |
207 | requester = GPORequester(domain_controller, domain, user, password, | |
208 | lmhash, nthash) | |
209 | ||
210 | return requester.get_gpttmpl(gpttmpl_path) | |
201 | requester = GPORequester(domain_controller, domain, user, password, | |
202 | lmhash, nthash) | |
203 | ||
204 | return requester.get_gpttmpl(gpttmpl_path) | |
211 | 205 | |
212 | 206 | def get_netgpogroup(domain_controller, domain, user, password=str(), lmhash=str(), |
213 | 207 | nthash=str(), queried_gponame='*', queried_displayname=str(), |
214 | 208 | queried_domain=str(), ads_path=str(), resolve_sids=False): |
215 | requester = GPORequester(domain_controller, domain, user, password, | |
216 | lmhash, nthash) | |
217 | ||
218 | return requester.get_netgpogroup(queried_gponame=queried_gponame, | |
209 | requester = GPORequester(domain_controller, domain, user, password, | |
210 | lmhash, nthash) | |
211 | ||
212 | return requester.get_netgpogroup(queried_gponame=queried_gponame, | |
219 | 213 | queried_displayname=queried_displayname, |
220 | 214 | queried_domain=queried_domain, |
221 | 215 | ads_path=ads_path, |
225 | 219 | nthash=str(), queried_computername=str(), |
226 | 220 | queried_ouname=str(), queried_domain=str(), |
227 | 221 | recurse=False): |
228 | requester = GPORequester(domain_controller, domain, user, password, | |
229 | lmhash, nthash) | |
230 | ||
231 | return requester.find_gpocomputeradmin(queried_computername=queried_computername, | |
222 | requester = GPORequester(domain_controller, domain, user, password, | |
223 | lmhash, nthash) | |
224 | ||
225 | return requester.find_gpocomputeradmin(queried_computername=queried_computername, | |
232 | 226 | queried_ouname=queried_ouname, |
233 | 227 | queried_domain=queried_domain, |
234 | 228 | recurse=recurse) |
236 | 230 | def find_gpolocation(domain_controller, domain, user, password=str(), lmhash=str(), |
237 | 231 | nthash=str(), queried_username=str(), queried_groupname=str(), |
238 | 232 | queried_localgroup=str(), queried_domain=str()): |
239 | requester = GPORequester(domain_controller, domain, user, password, | |
240 | lmhash, nthash) | |
241 | return requester.find_gpolocation(queried_username=queried_username, | |
233 | requester = GPORequester(domain_controller, domain, user, password, | |
234 | lmhash, nthash) | |
235 | ||
236 | return requester.find_gpolocation(queried_username=queried_username, | |
242 | 237 | queried_groupname=queried_groupname, |
243 | 238 | queried_localgroup=queried_localgroup, |
244 | 239 | queried_domain=queried_domain) |
105 | 105 | help='Query only users with adminCount=1') |
106 | 106 | get_netuser_parser.add_argument('--allow-delegation', action='store_true', |
107 | 107 | help='Return user accounts that are not marked as \'sensitive and not allowed for delegation\'') |
108 | get_netuser_parser.add_argument('--preauth-notreq', action='store_true', | |
109 | help='Search for users with the PREAUTH_NOT_REQUIRED account control') | |
110 | 108 | get_netuser_parser.add_argument('--spn', action='store_true', |
111 | 109 | help='Query only users with not-null Service Principal Names') |
112 | get_netuser_parser.add_argument('--custom-filter', dest='custom_filter', | |
113 | default=str(), help='Custom filter') | |
114 | 110 | get_netuser_parser.set_defaults(func=get_netuser) |
115 | 111 | |
116 | 112 | # Parser for the get-netgroup command |
226 | 222 | get_netsubnet_parser.add_argument('--full-data', action='store_true', |
227 | 223 | help='If set, returns full information on the subnets, otherwise, just the name') |
228 | 224 | get_netsubnet_parser.set_defaults(func=get_netsubnet) |
229 | ||
230 | # Parser for the get-netdomaintrust command | |
231 | get_netdomaintrust_parser = subparsers.add_parser('get-netdomaintrust', help='Returns a list of all the '\ | |
232 | 'trusts of the specified domain', parents=[ad_parser]) | |
233 | get_netdomaintrust_parser.add_argument('-d', '--domain', dest='queried_domain', | |
234 | help='Domain to query') | |
235 | get_netdomaintrust_parser.set_defaults(func=get_netdomaintrust) | |
236 | 225 | |
237 | 226 | # Parser for the get-netgpo command |
238 | 227 | get_netgpo_parser = subparsers.add_parser('get-netgpo', help='Get a list of all current '\ |
434 | 423 | invoke_eventhunter_parser.set_defaults(func=invoke_eventhunter) |
435 | 424 | |
436 | 425 | args = parser.parse_args() |
437 | if hasattr(args,'queried_groupname'): | |
438 | args.queried_groupname = args.queried_groupname.encode('utf-8').decode('latin1') | |
439 | 426 | if args.hashes: |
440 | 427 | try: |
441 | 428 | args.lmhash, args.nthash = args.hashes.split(':') |
451 | 438 | args.password = getpass('Password:') |
452 | 439 | |
453 | 440 | parsed_args = dict() |
454 | for k, v in vars(args).items(): | |
441 | for k, v in vars(args).iteritems(): | |
455 | 442 | if k not in ('func', 'hashes'): |
456 | 443 | parsed_args[k] = v |
457 | 444 | |
461 | 448 | #print >>sys.stderr, repr(e) |
462 | 449 | #sys.exit(-1) |
463 | 450 | |
464 | if results is not None: | |
465 | try: | |
466 | for x in results: | |
467 | x = str(x).encode('latin1').decode('utf-8') | |
468 | print(x) | |
469 | if '\n' in x: | |
470 | print('') | |
471 | except TypeError: | |
472 | print(results) | |
473 | ||
451 | try: | |
452 | for x in results: | |
453 | x = str(x) | |
454 | print x | |
455 | if '\n' in x: | |
456 | print '' | |
457 | except TypeError: | |
458 | print results | |
459 |
18 | 18 | |
19 | 19 | import codecs |
20 | 20 | from bs4 import BeautifulSoup |
21 | from io import BytesIO | |
21 | from StringIO import StringIO | |
22 | 22 | |
23 | 23 | from impacket.smbconnection import SMBConnection, SessionError |
24 | 24 | |
44 | 44 | return self._ldap_search(gpo_search_filter, GPO) |
45 | 45 | |
46 | 46 | def get_gpttmpl(self, gpttmpl_path): |
47 | content_io = BytesIO() | |
47 | content_io = StringIO() | |
48 | 48 | |
49 | 49 | gpttmpl_path_split = gpttmpl_path.split('\\') |
50 | target = self._domain_controller | |
50 | target = gpttmpl_path_split[2] | |
51 | 51 | share = gpttmpl_path_split[3] |
52 | 52 | file_name = '\\'.join(gpttmpl_path_split[4:]) |
53 | 53 | |
58 | 58 | |
59 | 59 | smb_connection.connectTree(share) |
60 | 60 | smb_connection.getFile(share, file_name, content_io.write) |
61 | ||
61 | 62 | try: |
62 | content = codecs.decode(content_io.getvalue(), 'utf-16le')[1:].replace('\r', '') | |
63 | content = codecs.decode(content_io.getvalue(), 'utf_16_le')[1:].replace('\r', '') | |
63 | 64 | except UnicodeDecodeError: |
64 | content = str(content_io.getvalue()).replace('\r', '') | |
65 | content = content_io.getvalue().replace('\r', '') | |
65 | 66 | |
66 | 67 | gpttmpl_final = GptTmpl(list()) |
67 | 68 | for l in content.split('\n'): |
111 | 112 | sids = member[1] |
112 | 113 | resolved_sids = list() |
113 | 114 | for sid in sids: |
114 | if not sid: | |
115 | continue | |
116 | 115 | try: |
117 | resolved_sid = net_requester.get_adobject(queried_sid=sid, queried_domain=queried_domain)[0] | |
116 | resolved_sid = net_requester.get_adobject(queried_sid=sid)[0] | |
118 | 117 | except IndexError: |
119 | 118 | resolved_sid = sid |
120 | 119 | else: |
137 | 136 | |
138 | 137 | groupsxml_path_split = groupsxml_path.split('\\') |
139 | 138 | gpo_name = groupsxml_path_split[6] |
140 | target = self._domain_controller | |
139 | target = groupsxml_path_split[2] | |
141 | 140 | share = groupsxml_path_split[3] |
142 | 141 | file_name = '\\'.join(groupsxml_path_split[4:]) |
143 | 142 | |
269 | 268 | self._password, self._lmhash, self._nthash) as net_requester: |
270 | 269 | for member in members: |
271 | 270 | try: |
272 | resolved_member = net_requester.get_adobject(queried_sid=member, queried_domain=queried_domain)[0] | |
271 | resolved_member = net_requester.get_adobject(queried_sid=member)[0] | |
273 | 272 | resolved_member = resolved_member.distinguishedname.split(',') |
274 | 273 | resolved_member_domain = '.'.join(resolved_member[1:]) |
275 | 274 | resolved_member = '{}\\{}'.format(resolved_member_domain, resolved_member[0]) |
282 | 281 | |
283 | 282 | for member in memberof: |
284 | 283 | try: |
285 | resolved_member = net_requester.get_adobject(queried_sid=member, queried_domain=queried_domain)[0] | |
284 | resolved_member = net_requester.get_adobject(queried_sid=member)[0] | |
286 | 285 | resolved_member = resolved_member.distinguishedname.split(',')[:2] |
287 | 286 | resolved_member = '{}\\{}'.format(resolved_member[1], resolved_member[0]) |
288 | 287 | resolved_member = resolved_member.replace('CN=', '').replace('DC=', '') |
351 | 350 | while groups_to_resolve: |
352 | 351 | group_to_resolve = groups_to_resolve.pop(0) |
353 | 352 | group_members = net_requester.get_netgroupmember(queried_sid=group_to_resolve, |
354 | queried_domain=queried_domain, | |
355 | 353 | full_data=True) |
356 | 354 | for group_member in group_members: |
357 | 355 | gpo_computer_admin = GPOComputerAdmin(list()) |
413 | 411 | object_groups = net_requester.get_netgroup(queried_username=object_sam_account_name, |
414 | 412 | queried_domain=queried_domain) |
415 | 413 | for object_group in object_groups: |
416 | try: | |
417 | object_group_sid = net_requester.get_adobject(queried_sam_account_name=object_group.samaccountname, | |
418 | queried_domain=queried_domain)[0].objectsid | |
419 | except IndexError: | |
420 | # We may have the name of the group, but not its sam account name | |
421 | try: | |
422 | object_group_sid = net_requester.get_adobject(queried_name=object_group.samaccountname, | |
423 | queried_domain=queried_domain)[0].objectsid | |
424 | except IndexError: | |
425 | # Freak accident when someone is a member of a group, but | |
426 | # we can't find the group in the AD | |
427 | continue | |
428 | ||
414 | object_group_sid = net_requester.get_adobject(queried_sam_account_name=object_group.samaccountname, | |
415 | queried_domain=queried_domain)[0].objectsid | |
429 | 416 | target_sid.append(object_group_sid) |
430 | 417 | |
431 | 418 | gpo_groups = list() |
432 | for gpo_group in self.get_netgpogroup(queried_domain=queried_domain): | |
419 | for gpo_group in self.get_netgpogroup(): | |
433 | 420 | try: |
434 | 421 | for member in gpo_group.members: |
435 | 422 | if not member.upper().startswith('S-1-5'): |
436 | 423 | try: |
437 | 424 | member = net_requester.get_adobject(queried_sam_account_name=member, |
438 | 425 | queried_domain=queried_domain)[0].objectsid |
439 | except (IndexError, AttributeError): | |
426 | except IndexError, AttributeError: | |
440 | 427 | continue |
441 | 428 | if (member.upper() in target_sid) or (member.lower() in target_sid): |
442 | 429 | if (local_sid.upper() in gpo_group.memberof) or \ |
135 | 135 | raise ValueError('No users to search for') |
136 | 136 | |
137 | 137 | def _build_workers(self, threads, worker_class, worker_args): |
138 | for i in range(threads): | |
138 | for i in xrange(threads): | |
139 | 139 | parent_pipe, worker_pipe = multiprocessing.Pipe() |
140 | 140 | self._parent_pipes.append(parent_pipe) |
141 | 141 | worker = worker_class(worker_pipe, self._domain, self._user, |
48 | 48 | def get_netuser(self, queried_username=str(), queried_domain=str(), |
49 | 49 | ads_path=str(), admin_count=False, spn=False, |
50 | 50 | unconstrained=False, allow_delegation=False, |
51 | preauth_notreq=False, | |
52 | 51 | custom_filter=str()): |
53 | 52 | |
54 | 53 | if unconstrained: |
59 | 58 | |
60 | 59 | if admin_count: |
61 | 60 | custom_filter += '(admincount=1)' |
62 | # LDAP filter from https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ | |
63 | if preauth_notreq: | |
64 | custom_filter += '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' | |
61 | ||
65 | 62 | user_search_filter = '(samAccountType=805306368){}'.format(custom_filter) |
66 | 63 | if queried_username: |
67 | 64 | user_search_filter += '(samAccountName={})'.format(queried_username) |
68 | 65 | elif spn: |
69 | user_search_filter += '(servicePrincipalName=*)' | |
66 | user_search_filter += '(servicePrincipalName={})'.format(spn) | |
70 | 67 | |
71 | 68 | user_search_filter = '(&{})'.format(user_search_filter) |
72 | 69 | |
82 | 79 | results = list() |
83 | 80 | sam_account_name_to_resolve = [queried_username] |
84 | 81 | first_run = True |
82 | sam_account_name_already_resolved = list() | |
85 | 83 | while sam_account_name_to_resolve: |
86 | 84 | sam_account_name = sam_account_name_to_resolve.pop(0) |
87 | 85 | if first_run: |
91 | 89 | objects = self.get_adobject(queried_sam_account_name=sam_account_name, |
92 | 90 | queried_domain=queried_domain, |
93 | 91 | ads_path=ads_path, custom_filter=custom_filter) |
94 | objects += self.get_adobject(queried_name=sam_account_name, | |
95 | queried_domain=queried_domain, | |
96 | ads_path=ads_path, custom_filter=custom_filter) | |
97 | 92 | else: |
98 | 93 | objects = self.get_adobject(queried_sam_account_name=sam_account_name, |
99 | 94 | queried_domain=queried_domain) |
100 | objects += self.get_adobject(queried_name=sam_account_name, | |
101 | queried_domain=queried_domain) | |
102 | 95 | |
103 | 96 | for obj in objects: |
104 | 97 | try: |
182 | 175 | if len(split_path) >= 3: |
183 | 176 | return split_path[2] |
184 | 177 | |
185 | results = set() | |
178 | results = list() | |
186 | 179 | if target_users: |
187 | 180 | users = list() |
188 | 181 | for target_user in target_users: |
191 | 184 | users = self.get_netuser(queried_domain=queried_domain) |
192 | 185 | |
193 | 186 | for user in users: |
194 | for full_path in (user.homedirectory, user.scriptpath, user.profilepath): | |
195 | if not full_path: | |
196 | continue | |
197 | path = split_path(full_path) | |
198 | if path: | |
199 | results.add(path) | |
200 | ||
201 | final_results = list() | |
202 | for file_server_name in results: | |
203 | attributes = list() | |
204 | attributes.append({'type': 'dnshostname', 'vals': [file_server_name]}) | |
205 | final_results.append(adobj.FileServer(attributes)) | |
206 | ||
207 | return final_results | |
187 | if user.homedirectory: | |
188 | results.append(split_path(user.homedirectory)) | |
189 | if user.scriptpath: | |
190 | results.append(split_path(user.scriptpath)) | |
191 | if user.profilepath: | |
192 | results.append(split_path(user.profilepath)) | |
193 | ||
194 | return results | |
208 | 195 | |
209 | 196 | @LDAPRPCRequester._ldap_connection_init |
210 | 197 | def get_dfsshare(self, version=['v1', 'v2'], queried_domain=str(), ads_path=str()): |
330 | 317 | def _get_members(_groupname=str(), _sid=str()): |
331 | 318 | try: |
332 | 319 | if _groupname: |
333 | groups = self.get_netgroup(queried_groupname=_groupname, | |
334 | queried_domain=queried_domain, | |
335 | full_data=True) | |
320 | groups = self.get_netgroup(queried_groupname=_groupname, full_data=True) | |
336 | 321 | else: |
337 | 322 | if _sid: |
338 | 323 | queried_sid = _sid |
342 | 327 | self._password, self._lmhash, |
343 | 328 | self._nthash) as misc_requester: |
344 | 329 | queried_sid = misc_requester.get_domainsid(queried_domain) + '-512' |
345 | groups = self.get_netgroup(queried_sid=queried_sid, | |
346 | queried_domain=queried_domain, | |
347 | full_data=True) | |
330 | groups = self.get_netgroup(queried_sid=queried_sid, full_data=True) | |
348 | 331 | except IndexError: |
349 | 332 | raise ValueError('The group {} was not found'.format(_groupname)) |
350 | 333 | |
355 | 338 | if recurse and use_matching_rule: |
356 | 339 | group_memberof_filter = '(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:={}){})'.format(group.distinguishedname, custom_filter) |
357 | 340 | |
358 | members = self.get_netuser(custom_filter=group_memberof_filter, | |
359 | queried_domain=queried_domain) | |
341 | members = self.get_netuser(custom_filter=group_memberof_filter) | |
360 | 342 | else: |
361 | 343 | # TODO: range cycling |
362 | 344 | try: |
363 | 345 | for member in group.member: |
364 | 346 | dn_filter = '(distinguishedname={}){}'.format(member, custom_filter) |
365 | members += self.get_netuser(custom_filter=dn_filter, queried_domain=queried_domain) | |
366 | members += self.get_netgroup(custom_filter=dn_filter, queried_domain=queried_domain, full_data=True) | |
347 | members += self.get_netuser(custom_filter=dn_filter) | |
348 | members += self.get_netgroup(custom_filter=dn_filter, full_data=True) | |
367 | 349 | # The group doesn't have any members |
368 | 350 | except AttributeError: |
369 | 351 | continue |
412 | 394 | groups_to_process.append((member.membername, str())) |
413 | 395 | |
414 | 396 | return results |
415 | ||
416 | @LDAPRPCRequester._ldap_connection_init | |
417 | def get_netdomaintrust(self, queried_domain): | |
418 | trust_search_filter = '(&(objectClass=trustedDomain))' | |
419 | ||
420 | return self._ldap_search(trust_search_filter, adobj.Trust) | |
421 | 397 | |
422 | 398 | @LDAPRPCRequester._rpc_connection_init(r'\srvsvc') |
423 | 399 | def get_netsession(self): |
604 | 580 | # It's a domain member |
605 | 581 | else: |
606 | 582 | attributes['isdomain'] = True |
607 | if self._ldap_connection is not None: | |
583 | try: | |
584 | ad_object = self.get_adobject(queried_sid=member_sid)[0] | |
585 | member_dn = ad_object.distinguishedname | |
586 | member_domain = member_dn[member_dn.index('DC='):].replace('DC=', '').replace(',', '.') | |
608 | 587 | try: |
609 | ad_object = self.get_adobject(queried_sid=member_sid)[0] | |
610 | member_dn = ad_object.distinguishedname | |
611 | member_domain = member_dn[member_dn.index('DC='):].replace('DC=', '').replace(',', '.') | |
612 | try: | |
613 | attributes['name'] = '{}/{}'.format(member_domain, ad_object.samaccountname) | |
614 | except AttributeError: | |
615 | # Here, the member is a foreign security principal | |
616 | # TODO: resolve it properly | |
617 | attributes['name'] = '{}/{}'.format(member_domain, ad_object.objectsid) | |
618 | attributes['isgroup'] = ad_object.isgroup | |
619 | try: | |
620 | attributes['lastlogin'] = ad_object.lastlogon | |
621 | except AttributeError: | |
622 | attributes['lastlogin'] = str() | |
623 | except IndexError: | |
624 | # We did not manage to resolve this SID against the DC | |
625 | attributes['isdomain'] = False | |
626 | attributes['isgroup'] = False | |
627 | attributes['name'] = attributes['sid'] | |
588 | attributes['name'] = '{}/{}'.format(member_domain, ad_object.samaccountname) | |
589 | except AttributeError: | |
590 | # Here, the member is a foreign security principal | |
591 | # TODO: resolve it properly | |
592 | attributes['name'] = '{}/{}'.format(member_domain, ad_object.objectsid) | |
593 | attributes['isgroup'] = ad_object.isgroup | |
594 | try: | |
595 | attributes['lastlogin'] = ad_object.lastlogon | |
596 | except AttributeError: | |
628 | 597 | attributes['lastlogin'] = str() |
629 | else: | |
598 | except IndexError: | |
599 | # We did not manage to resolve this SID against the DC | |
600 | attributes['isdomain'] = False | |
630 | 601 | attributes['isgroup'] = False |
631 | attributes['name'] = str() | |
602 | attributes['name'] = attributes['sid'] | |
632 | 603 | attributes['lastlogin'] = str() |
633 | 604 | |
634 | 605 | results.append(rpcobj.RPCObject(attributes)) |
635 | 606 | |
636 | 607 | # If we recurse and the member is a domain group, we query every member |
637 | 608 | # TODO: implement check on self._domain_controller here? |
638 | if self._ldap_connection and self._domain_controller and recurse and attributes['isdomain'] and attributes['isgroup']: | |
609 | if self._domain_controller and recurse and attributes['isdomain'] and attributes['isgroup']: | |
639 | 610 | for domain_member in self.get_netgroupmember(full_data=True, recurse=True, queried_sid=attributes['sid']): |
640 | 611 | domain_member_attributes = dict() |
641 | 612 | domain_member_attributes['isdomain'] = True |
671 | 642 | |
672 | 643 | result_process = rpcobj.Process(attributes) |
673 | 644 | yield result_process |
674 | except Exception as e: | |
645 | except Exception, e: | |
675 | 646 | if str(e).find('S_FALSE') < 0: |
676 | 647 | raise e |
677 | 648 | else: |
720 | 691 | 'id': wmi_event_type} |
721 | 692 | result_event = rpcobj.Event(attributes) |
722 | 693 | yield result_event |
723 | except Exception as e: | |
694 | except Exception, e: | |
724 | 695 | if str(e).find('S_FALSE') < 0: |
725 | 696 | raise e |
726 | 697 | else: |
19 | 19 | from datetime import datetime |
20 | 20 | import inspect |
21 | 21 | import struct |
22 | import pyasn1 | |
23 | import codecs | |
24 | 22 | |
25 | 23 | class ADObject: |
26 | __uac_flags = {0x0000001: 'SCRIPT', | |
27 | 0x0000002: 'ACCOUNTDISABLE', | |
28 | 0x0000008: 'HOMEDIR_REQUIRED', | |
29 | 0x0000010: 'LOCKOUT', | |
30 | 0x0000020: 'PASSWD_NOTREQD', | |
31 | 0x0000040: 'PASSWD_CANT_CHANGE', | |
32 | 0x0000080: 'ENCRYPTED_TEXT_PWD_ALLOWED', | |
33 | 0x0000100: 'TEMP_DUPLICATE_ACCOUNT', | |
34 | 0x0000200: 'NORMAL_ACCOUNT', | |
35 | 0x0000800: 'INTERDOMAIN_TRUST_ACCOUNT', | |
36 | 0x0001000: 'WORKSTATION_TRUST_ACCOUNT', | |
37 | 0x0002000: 'SERVER_TRUST_ACCOUNT', | |
38 | 0x0010000: 'DONT_EXPIRE_PASSWORD', | |
39 | 0x0020000: 'MNS_LOGON_ACCOUNT', | |
40 | 0x0040000: 'SMARTCARD_REQUIRED', | |
41 | 0x0080000: 'TRUSTED_FOR_DELEGATION', | |
42 | 0x0100000: 'NOT_DELEGATED', | |
43 | 0x0200000: 'USE_DES_KEY_ONLY', | |
44 | 0x0400000: 'DONT_REQ_PREAUTH', | |
45 | 0x0800000: 'PASSWORD_EXPIRED', | |
46 | 0x1000000: 'TRUSTED_TO_AUTH_FOR_DELEGATION', | |
47 | 0x4000000: 'PARTIAL_SECRETS_ACCOUNT'} | |
48 | ||
49 | 24 | def __init__(self, attributes): |
50 | 25 | self.add_attributes(attributes) |
51 | 26 | |
55 | 30 | if t in ('logonhours', 'msds-generationid'): |
56 | 31 | value = str(attr['vals'][0]) |
57 | 32 | value = [ord(x) for x in value] |
58 | elif t in ('trustattributes', 'trustdirection', 'trusttype'): | |
59 | value = int(attr['vals'][0]) | |
60 | 33 | elif t in ('objectsid', 'ms-ds-creatorsid'): |
61 | value = codecs.encode(bytes(attr['vals'][0]),'hex') | |
62 | init_value = bytes(attr['vals'][0]) | |
34 | value = str(attr['vals'][0]).encode('hex') | |
35 | init_value = str(attr['vals'][0]) | |
63 | 36 | value = 'S-1-5' |
64 | for i in range(8, len(init_value), 4): | |
37 | for i in xrange(8, len(init_value), 4): | |
65 | 38 | value += '-{}'.format(str(struct.unpack('<I', init_value[i:i+4])[0])) |
66 | 39 | elif t == 'objectguid': |
67 | init_value = bytes(attr['vals'][0]) | |
40 | init_value = str(attr['vals'][0]) | |
68 | 41 | value = str() |
69 | 42 | value += '{}-'.format(hex(struct.unpack('<I', init_value[0:4])[0])[2:].zfill(8)) |
70 | 43 | value += '{}-'.format(hex(struct.unpack('<H', init_value[4:6])[0])[2:].zfill(4)) |
71 | 44 | value += '{}-'.format(hex(struct.unpack('<H', init_value[6:8])[0])[2:].zfill(4)) |
72 | value += '{}-'.format(codecs.encode(init_value,'hex')[16:20]) | |
73 | value += init_value.hex()[20:] | |
45 | value += '{}-'.format(init_value.encode('hex')[16:20]) | |
46 | value += init_value.encode('hex')[20:] | |
74 | 47 | elif t in ('dscorepropagationdata', 'whenchanged', 'whencreated'): |
75 | 48 | value = list() |
76 | 49 | for val in attr['vals']: |
88 | 61 | else: |
89 | 62 | try: |
90 | 63 | value = str(attr['vals'][0]) |
91 | except (IndexError, pyasn1.error.PyAsn1Error): | |
64 | except IndexError: | |
92 | 65 | value = str() |
93 | 66 | |
94 | 67 | setattr(self, t, value) |
104 | 77 | for member in members: |
105 | 78 | if not member[0].startswith('_'): |
106 | 79 | if member[0] == 'msmqdigests': |
107 | member_value = (',\n' + ' ' * (max_length + 2)).join(x.encode('utf-8').hex() for x in member[1]) | |
108 | elif member[0] == 'useraccountcontrol': | |
109 | member_value = list() | |
110 | for uac_flag, uac_label in ADObject.__uac_flags.items(): | |
111 | if int(member[1]) & uac_flag == uac_flag: | |
112 | member_value.append(uac_label) | |
80 | member_value = (',\n' + ' ' * (max_length + 2)).join(x.encode('hex') for x in member[1]) | |
113 | 81 | elif isinstance(member[1], list): |
114 | 82 | if member[0] in ('logonhours',): |
115 | 83 | member_value = member[1] |
116 | elif member[0] in ('usercertificate', | |
117 | 'protocom-sso-entries', 'protocom-sso-security-prefs',): | |
84 | elif member[0] in ('usercertificate',): | |
118 | 85 | member_value = (',\n' + ' ' * (max_length + 2)).join( |
119 | '{}...'.format(x.encode('utf-8').hex()[:100]) for x in member[1]) | |
86 | '{}...'.format(x.encode('hex')[:100]) for x in member[1]) | |
120 | 87 | else: |
121 | 88 | member_value = (',\n' + ' ' * (max_length + 2)).join(str(x) for x in member[1]) |
122 | 89 | elif member[0] in('msmqsigncertificates', 'userparameters', |
123 | 90 | 'jpegphoto', 'thumbnailphoto', 'usercertificate', |
124 | 91 | 'msexchmailboxguid', 'msexchmailboxsecuritydescriptor', |
125 | 'msrtcsip-userroutinggroupid', 'msexchumpinchecksum', | |
126 | 'protocom-sso-auth-data', 'protocom-sso-entries-checksum', | |
127 | 'protocom-sso-security-prefs-checksum', ): | |
128 | member_value = '{}...'.format(member[1].encode('utf-8').hex()[:100]) | |
92 | 'msrtcsip-userroutinggroupid', 'msexchumpinchecksum'): | |
93 | member_value = '{}...'.format(member[1].encode('hex')[:100]) | |
129 | 94 | else: |
130 | 95 | member_value = member[1] |
131 | 96 | s += '{}: {}{}\n'.format(member[0], ' ' * (max_length - len(member[0])), member_value) |
155 | 120 | class Computer(ADObject): |
156 | 121 | pass |
157 | 122 | |
158 | class FileServer(ADObject): | |
159 | pass | |
160 | ||
161 | 123 | class DFS(ADObject): |
162 | 124 | pass |
163 | 125 | |
171 | 133 | |
172 | 134 | class Subnet(ADObject): |
173 | 135 | pass |
174 | ||
175 | class Trust(ADObject): | |
176 | __trust_attrib = {0x1: 'non_transitive', 0x2: 'uplevel_only', | |
177 | 0x4: 'filter_sids', 0x8: 'forest_transitive', | |
178 | 0x10: 'cross_organization', 0x20: 'within_forest', | |
179 | 0x40: 'treat_as_external', | |
180 | 0x80: 'trust_uses_rc4_encryption', | |
181 | 0x100: 'trust_uses_aes_keys', | |
182 | 0X200: 'cross_organization_no_tgt_delegation', | |
183 | 0x400: 'pim_trust'} | |
184 | ||
185 | __trust_direction = {0: 'disabled', 1: 'inbound', | |
186 | 2: 'outbound', 3: 'bidirectional'} | |
187 | ||
188 | __trust_type = {1: 'windows_non_active_directory', | |
189 | 2: 'windows_active_directory', 3: 'mit'} | |
190 | ||
191 | def __init__(self, attributes): | |
192 | ad_obj = ADObject(attributes) | |
193 | self.targetname = ad_obj.name | |
194 | ||
195 | self.trustattributes = list() | |
196 | for attrib_flag, attrib_label in Trust.__trust_attrib.items(): | |
197 | if ad_obj.trustattributes & attrib_flag: | |
198 | self.trustattributes.append(attrib_label) | |
199 | ||
200 | self.trustdirection = Trust.__trust_direction.get(ad_obj.trustdirection, 'unknown') | |
201 | self.trusttype = Trust.__trust_type.get(ad_obj.trusttype, 'unknown') | |
202 | self.whencreated = ad_obj.whencreated | |
203 | self.whenchanged = ad_obj.whenchanged | |
204 | 136 | |
205 | 137 | class GPO(ADObject): |
206 | 138 | pass |
39 | 39 | value = value.rstrip('\x00') |
40 | 40 | if isinstance(value, str): |
41 | 41 | try: |
42 | value = value | |
42 | value = value.decode('utf-8') | |
43 | 43 | except UnicodeDecodeError: |
44 | 44 | pass |
45 | 45 |
17 | 17 | # Yannick Méheut [yannick (at) meheut (dot) org] - Copyright © 2016 |
18 | 18 | |
19 | 19 | import socket |
20 | import ntpath | |
20 | ||
21 | 21 | from impacket.ldap import ldap, ldapasn1 |
22 | 22 | from impacket.smbconnection import SMBConnection |
23 | 23 | from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY |
25 | 25 | from impacket.dcerpc.v5.dcom import wmi |
26 | 26 | from impacket.dcerpc.v5.dtypes import NULL |
27 | 27 | from impacket.dcerpc.v5.dcomrt import DCOMConnection |
28 | from impacket.dcerpc.v5.rpcrt import DCERPCException | |
29 | 28 | |
30 | 29 | class LDAPRequester(): |
31 | 30 | def __init__(self, domain_controller, domain=str(), user=(), password=str(), |
42 | 41 | self._ldap_connection = None |
43 | 42 | |
44 | 43 | def _get_netfqdn(self): |
45 | try: | |
46 | smb = SMBConnection(self._domain_controller, self._domain_controller) | |
47 | except socket.error: | |
48 | return str() | |
49 | ||
50 | smb.login(self._user, self._password, domain=self._domain, | |
51 | lmhash=self._lmhash, nthash=self._nthash) | |
44 | smb = SMBConnection(self._domain_controller, self._domain_controller) | |
45 | smb.login('', '') | |
52 | 46 | fqdn = smb.getServerDNSDomainName() |
53 | 47 | smb.logoff() |
54 | 48 | |
60 | 54 | self._domain = self._get_netfqdn() |
61 | 55 | |
62 | 56 | if not queried_domain: |
63 | queried_domain = self._get_netfqdn() | |
57 | queried_domain = self._domain | |
64 | 58 | self._queried_domain = queried_domain |
65 | 59 | |
66 | 60 | base_dn = str() |
81 | 75 | try: |
82 | 76 | ldap_connection = ldap.LDAPConnection('ldap://{}'.format(self._domain_controller), |
83 | 77 | base_dn, self._domain_controller) |
84 | ldap_connection.login(self._user, self._password, self._domain, | |
85 | self._lmhash, self._nthash) | |
86 | except ldap.LDAPSessionError as e: | |
78 | except ldap.LDAPSessionError, e: | |
87 | 79 | if str(e).find('strongerAuthRequired') >= 0: |
88 | 80 | # We need to try SSL |
89 | 81 | ldap_connection = ldap.LDAPConnection('ldaps://{}'.format(self._domain_controller), |
90 | 82 | base_dn, self._domain_controller) |
91 | ldap_connection.login(self._user, self._password, self._domain, | |
92 | self._lmhash, self._nthash) | |
93 | 83 | else: |
94 | 84 | raise e |
95 | except socket.error as e: | |
96 | return | |
85 | ||
86 | ldap_connection.login(self._user, self._password, self._domain, | |
87 | self._lmhash, self._nthash) | |
97 | 88 | |
98 | 89 | self._ldap_connection = ldap_connection |
99 | 90 | |
197 | 188 | if self._pipe == r'\drsuapi': |
198 | 189 | dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY) |
199 | 190 | |
200 | try: | |
201 | dce.connect() | |
202 | except socket.error: | |
203 | self._rpc_connection = None | |
204 | else: | |
205 | dce.bind(binding_strings[self._pipe[1:]]) | |
206 | self._rpc_connection = dce | |
207 | ||
208 | def _create_wmi_connection(self, namespace='root\\cimv2'): | |
209 | try: | |
210 | self._dcom = DCOMConnection(self._target_computer, self._user, self._password, | |
211 | self._domain, self._lmhash, self._nthash) | |
212 | except DCERPCException: | |
213 | self._dcom = None | |
214 | else: | |
215 | i_interface = self._dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, | |
216 | wmi.IID_IWbemLevel1Login) | |
217 | i_wbem_level1_login = wmi.IWbemLevel1Login(i_interface) | |
218 | self._wmi_connection = i_wbem_level1_login.NTLMLogin(ntpath.join('\\\\{}\\'.format(self._target_computer), namespace), | |
219 | NULL, NULL) | |
191 | dce.connect() | |
192 | dce.bind(binding_strings[self._pipe[1:]]) | |
193 | ||
194 | self._rpc_connection = dce | |
195 | ||
196 | def _create_wmi_connection(self): | |
197 | self._dcom = DCOMConnection(self._target_computer, self._user, self._password, | |
198 | self._domain, self._lmhash, self._nthash) | |
199 | i_interface = self._dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, | |
200 | wmi.IID_IWbemLevel1Login) | |
201 | i_wbem_level1_login = wmi.IWbemLevel1Login(i_interface) | |
202 | self._wmi_connection = i_wbem_level1_login.NTLMLogin('\\\\{}\\root\\cimv2'.format(self._target_computer), | |
203 | NULL, NULL) | |
220 | 204 | |
221 | 205 | @staticmethod |
222 | 206 | def _rpc_connection_init(pipe=r'\srvsvc'): |
227 | 211 | if instance._rpc_connection: |
228 | 212 | instance._rpc_connection.disconnect() |
229 | 213 | instance._create_rpc_connection(pipe=pipe) |
230 | if instance._rpc_connection is None: | |
231 | return None | |
232 | 214 | return f(*args, **kwargs) |
233 | 215 | return wrapper |
234 | 216 | return decorator |
240 | 222 | instance = args[0] |
241 | 223 | if not instance._wmi_connection: |
242 | 224 | instance._create_wmi_connection() |
243 | if instance._dcom is None: | |
244 | return None | |
245 | 225 | return f(*args, **kwargs) |
246 | 226 | return wrapper |
247 | 227 | return decorator |
272 | 252 | def __enter__(self): |
273 | 253 | try: |
274 | 254 | LDAPRequester.__enter__(self) |
275 | except (socket.error, IndexError): | |
255 | except socket.error, IndexError: | |
276 | 256 | pass |
277 | 257 | # This should work every time |
278 | 258 | RPCRequester.__enter__(self) |