Codebase list pywerview / a110486
Import upstream version 0.2.0 Kali Janitor 3 years ago
9 changed file(s) with 178 addition(s) and 327 deletion(s). Raw diff Collapse all Expand all
+1
-1
README.md less more
1212
1313 ![License](https://img.shields.io/github/license/the-useless-one/pywerview.svg?maxAge=2592000)
1414 ![Python versions](https://img.shields.io/pypi/pyversions/pywerview.svg?maxAge=2592000)
15 [![GitHub release](https://img.shields.io/github/release/the-useless-one/pywerview.svg?maxAge=2592001&label=GitHub%20release)](https://github.com/the-useless-one/pywerview/releases/latest)
15 [![GitHub release](https://img.shields.io/github/release/the-useless-one/pywerview.svg?maxAge=2592000&label=GitHub%20release)](https://github.com/the-useless-one/pywerview/releases/latest)
1616 [![PyPI version](https://img.shields.io/pypi/v/pywerview.svg?maxAge=2592000)](https://pypi.python.org/pypi/pywerview)
1717
1818 ## HISTORY
+80
-85
pywerview/cli/helpers.py less more
2626 lmhash=str(), nthash=str(), queried_domain=str(), queried_sid=str(),
2727 queried_name=str(), queried_sam_account_name=str(), ads_path=str(),
2828 custom_filter=str()):
29 requester = NetRequester(domain_controller, domain, user, password,
30 lmhash, nthash)
31 return requester.get_adobject(queried_domain=queried_domain,
29 requester = NetRequester(domain_controller, domain, user, password,
30 lmhash, nthash)
31 return requester.get_adobject(queried_domain=queried_domain,
3232 queried_sid=queried_sid, queried_name=queried_name,
3333 queried_sam_account_name=queried_sam_account_name,
3434 ads_path=ads_path, custom_filter=custom_filter)
3636 def get_netuser(domain_controller, domain, user, password=str(), lmhash=str(),
3737 nthash=str(), queried_username=str(), queried_domain=str(), ads_path=str(),
3838 admin_count=False, spn=False, unconstrained=False, allow_delegation=False,
39 preauth_notreq=False, custom_filter=str()):
40 requester = NetRequester(domain_controller, domain, user, password,
41 lmhash, nthash)
42 return requester.get_netuser(queried_username=queried_username,
39 custom_filter=str()):
40 requester = NetRequester(domain_controller, domain, user, password,
41 lmhash, nthash)
42 return requester.get_netuser(queried_username=queried_username,
4343 queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count,
4444 spn=spn, unconstrained=unconstrained, allow_delegation=allow_delegation,
45 preauth_notreq=preauth_notreq, custom_filter=custom_filter)
45 custom_filter=custom_filter)
4646
4747 def get_netgroup(domain_controller, domain, user, password=str(),
4848 lmhash=str(), nthash=str(), queried_groupname='*', queried_sid=str(),
4949 queried_username=str(), queried_domain=str(), ads_path=str(),
5050 admin_count=False, full_data=False, custom_filter=str()):
51 requester = NetRequester(domain_controller, domain, user, password,
51 requester = NetRequester(domain_controller, domain, user, password,
5252 lmhash, nthash)
53 return requester.get_netgroup(queried_groupname=queried_groupname,
53 return requester.get_netgroup(queried_groupname=queried_groupname,
5454 queried_sid=queried_sid, queried_username=queried_username,
5555 queried_domain=queried_domain, ads_path=ads_path, admin_count=admin_count,
5656 full_data=full_data, custom_filter=custom_filter)
6060 queried_os=str(), queried_sp=str(), queried_domain=str(), ads_path=str(),
6161 printers=False, unconstrained=False, ping=False, full_data=False,
6262 custom_filter=str()):
63 requester = NetRequester(domain_controller, domain, user, password,
64 lmhash, nthash)
65 return requester.get_netcomputer(queried_computername=queried_computername,
63 requester = NetRequester(domain_controller, domain, user, password,
64 lmhash, nthash)
65 return requester.get_netcomputer(queried_computername=queried_computername,
6666 queried_spn=queried_spn, queried_os=queried_os, queried_sp=queried_sp,
6767 queried_domain=queried_domain, ads_path=ads_path, printers=printers,
6868 unconstrained=unconstrained, ping=ping, full_data=full_data,
7070
7171 def get_netdomaincontroller(domain_controller, domain, user, password=str(),
7272 lmhash=str(), nthash=str(), queried_domain=str()):
73 requester = NetRequester(domain_controller, domain, user, password,
74 lmhash, nthash)
75 return requester.get_netdomaincontroller(queried_domain=queried_domain)
73 requester = NetRequester(domain_controller, domain, user, password,
74 lmhash, nthash)
75 return requester.get_netdomaincontroller(queried_domain=queried_domain)
7676
7777 def get_netfileserver(domain_controller, domain, user, password=str(),
7878 lmhash=str(), nthash=str(), queried_domain=str(), target_users=list()):
79 requester = NetRequester(domain_controller, domain, user, password,
80 lmhash, nthash)
81 return requester.get_netfileserver(queried_domain=queried_domain,
79 requester = NetRequester(domain_controller, domain, user, password,
80 lmhash, nthash)
81 return requester.get_netfileserver(queried_domain=queried_domain,
8282 target_users=target_users)
8383
8484 def get_dfsshare(domain_controller, domain, user, password=str(),
8585 lmhash=str(), nthash=str(), version=['v1', 'v2'], queried_domain=str(),
8686 ads_path=str()):
87 requester = NetRequester(domain_controller, domain, user, password,
88 lmhash, nthash)
89 return requester.get_dfsshare(version=version, queried_domain=queried_domain, ads_path=ads_path)
87 requester = NetRequester(domain_controller, domain, user, password,
88 lmhash, nthash)
89 return requester.get_dfsshare(version=version, queried_domain=queried_domain, ads_path=ads_path)
9090
9191 def get_netou(domain_controller, domain, user, password=str(), lmhash=str(),
9292 nthash=str(), queried_domain=str(), queried_ouname='*', queried_guid=str(),
9393 ads_path=str(), full_data=False):
94 requester = NetRequester(domain_controller, domain, user, password,
95 lmhash, nthash)
96 return requester.get_netou(queried_domain=queried_domain,
94 requester = NetRequester(domain_controller, domain, user, password,
95 lmhash, nthash)
96 return requester.get_netou(queried_domain=queried_domain,
9797 queried_ouname=queried_ouname, queried_guid=queried_guid, ads_path=ads_path,
9898 full_data=full_data)
9999
100100 def get_netsite(domain_controller, domain, user, password=str(), lmhash=str(),
101101 nthash=str(), queried_domain=str(), queried_sitename=str(),
102102 queried_guid=str(), ads_path=str(), full_data=False):
103 requester = NetRequester(domain_controller, domain, user, password,
104 lmhash, nthash)
105 return requester.get_netsite(queried_domain=queried_domain,
103 requester = NetRequester(domain_controller, domain, user, password,
104 lmhash, nthash)
105 return requester.get_netsite(queried_domain=queried_domain,
106106 queried_sitename=queried_sitename, queried_guid=queried_guid,
107107 ads_path=ads_path, full_data=full_data)
108108
109109 def get_netsubnet(domain_controller, domain, user, password=str(),
110110 lmhash=str(), nthash=str(), queried_domain=str(), queried_sitename=str(),
111111 ads_path=str(), full_data=False):
112 requester = NetRequester(domain_controller, domain, user, password,
113 lmhash, nthash)
114 return requester.get_netsubnet(queried_domain=queried_domain,
112 requester = NetRequester(domain_controller, domain, user, password,
113 lmhash, nthash)
114 return requester.get_netsubnet(queried_domain=queried_domain,
115115 queried_sitename=queried_sitename, ads_path=ads_path, full_data=full_data)
116
117 def get_netdomaintrust(domain_controller, domain, user, password=str(),
118 lmhash=str(), nthash=str(), queried_domain=str()):
119 requester = NetRequester(domain_controller, domain, user, password,
120 lmhash, nthash)
121 return requester.get_netdomaintrust(queried_domain=queried_domain)
122116
123117 def get_netgroupmember(domain_controller, domain, user, password=str(),
124118 lmhash=str(), nthash=str(), queried_groupname=str(), queried_sid=str(),
125119 queried_domain=str(), ads_path=str(), recurse=False, use_matching_rule=False,
126120 full_data=False, custom_filter=str()):
127 requester = NetRequester(domain_controller, domain, user, password,
128 lmhash, nthash)
129 return requester.get_netgroupmember(queried_groupname=queried_groupname,
121 requester = NetRequester(domain_controller, domain, user, password,
122 lmhash, nthash)
123 return requester.get_netgroupmember(queried_groupname=queried_groupname,
130124 queried_sid=queried_sid, queried_domain=queried_domain,
131125 ads_path=ads_path, recurse=recurse,
132126 use_matching_rule=use_matching_rule,
134128
135129 def get_netsession(target_computername, domain, user, password=str(),
136130 lmhash=str(), nthash=str()):
137 requester = NetRequester(target_computername, domain, user, password,
138 lmhash, nthash)
139 return requester.get_netsession()
131 requester = NetRequester(target_computername, domain, user, password,
132 lmhash, nthash)
133 return requester.get_netsession()
140134
141135 def get_netshare(target_computername, domain, user, password=str(),
142136 lmhash=str(), nthash=str()):
143 requester = NetRequester(target_computername, domain, user, password,
144 lmhash, nthash)
145 return requester.get_netshare()
137 requester = NetRequester(target_computername, domain, user, password,
138 lmhash, nthash)
139 return requester.get_netshare()
146140
147141 def get_localdisks(target_computername, domain, user, password=str(),
148142 lmhash=str(), nthash=str()):
149 requester = NetRequester(target_computername, domain, user, password,
150 lmhash, nthash)
151 return requester.get_localdisks()
143 requester = NetRequester(target_computername, domain, user, password,
144 lmhash, nthash)
145 return requester.get_localdisks()
152146
153147 def get_netdomain(domain_controller, domain, user, password=str(),
154148 lmhash=str(), nthash=str()):
155 requester = NetRequester(domain_controller, domain, user, password,
156 lmhash, nthash)
157 return requester.get_netdomain()
149 requester = NetRequester(domain_controller, domain, user, password,
150 lmhash, nthash)
151 return requester.get_netdomain()
158152
159153 def get_netloggedon(target_computername, domain, user, password=str(),
160154 lmhash=str(), nthash=str()):
161 requester = NetRequester(target_computername, domain, user, password,
162 lmhash, nthash)
163 return requester.get_netloggedon()
155 requester = NetRequester(target_computername, domain, user, password,
156 lmhash, nthash)
157 return requester.get_netloggedon()
164158
165159 def get_netlocalgroup(target_computername, domain_controller, domain, user,
166160 password=str(), lmhash=str(), nthash=str(), queried_groupname=str(),
167161 list_groups=False, recurse=False):
168 requester = NetRequester(target_computername, domain, user, password,
162 requester = NetRequester(target_computername, domain, user, password,
169163 lmhash, nthash, domain_controller)
170 return requester.get_netlocalgroup(queried_groupname=queried_groupname,
164 return requester.get_netlocalgroup(queried_groupname=queried_groupname,
171165 list_groups=list_groups, recurse=recurse)
172166
173167 def get_netprocess(target_computername, domain, user, password=str(),
174168 lmhash=str(), nthash=str()):
175 requester = NetRequester(target_computername, domain, user, password,
176 lmhash, nthash)
177 return requester.get_netprocess()
169 requester = NetRequester(target_computername, domain, user, password,
170 lmhash, nthash)
171 return requester.get_netprocess()
178172
179173 def get_userevent(target_computername, domain, user, password=str(),
180174 lmhash=str(), nthash=str(), event_type=['logon', 'tgt'],
181175 date_start=5):
182 requester = NetRequester(target_computername, domain, user, password,
183 lmhash, nthash)
184 return requester.get_userevent(event_type=event_type,
176 requester = NetRequester(target_computername, domain, user, password,
177 lmhash, nthash)
178 return requester.get_userevent(event_type=event_type,
185179 date_start=date_start)
186180
187181 def get_netgpo(domain_controller, domain, user, password=str(),
188182 lmhash=str(), nthash=str(), queried_gponame='*',
189183 queried_displayname=str(), queried_domain=str(), ads_path=str()):
190 requester = GPORequester(domain_controller, domain, user, password,
191 lmhash, nthash)
192 return requester.get_netgpo(queried_gponame=queried_gponame,
184 requester = GPORequester(domain_controller, domain, user, password,
185 lmhash, nthash)
186 return requester.get_netgpo(queried_gponame=queried_gponame,
193187 queried_displayname=queried_displayname,
194188 queried_domain=queried_domain, ads_path=ads_path)
195189
196190 def get_domainpolicy(domain_controller, domain, user, password=str(),
197191 lmhash=str(), nthash=str(), source='domain', queried_domain=str(),
198192 resolve_sids=False):
199 requester = GPORequester(domain_controller, domain, user, password,
200 lmhash, nthash)
201
202 return requester.get_domainpolicy(source=source, queried_domain=queried_domain,
193 requester = GPORequester(domain_controller, domain, user, password,
194 lmhash, nthash)
195
196 return requester.get_domainpolicy(source=source, queried_domain=queried_domain,
203197 resolve_sids=resolve_sids)
204198
205199 def get_gpttmpl(gpttmpl_path, domain_controller, domain, user, password=str(), lmhash=str(),
206200 nthash=str()):
207 requester = GPORequester(domain_controller, domain, user, password,
208 lmhash, nthash)
209
210 return requester.get_gpttmpl(gpttmpl_path)
201 requester = GPORequester(domain_controller, domain, user, password,
202 lmhash, nthash)
203
204 return requester.get_gpttmpl(gpttmpl_path)
211205
212206 def get_netgpogroup(domain_controller, domain, user, password=str(), lmhash=str(),
213207 nthash=str(), queried_gponame='*', queried_displayname=str(),
214208 queried_domain=str(), ads_path=str(), resolve_sids=False):
215 requester = GPORequester(domain_controller, domain, user, password,
216 lmhash, nthash)
217
218 return requester.get_netgpogroup(queried_gponame=queried_gponame,
209 requester = GPORequester(domain_controller, domain, user, password,
210 lmhash, nthash)
211
212 return requester.get_netgpogroup(queried_gponame=queried_gponame,
219213 queried_displayname=queried_displayname,
220214 queried_domain=queried_domain,
221215 ads_path=ads_path,
225219 nthash=str(), queried_computername=str(),
226220 queried_ouname=str(), queried_domain=str(),
227221 recurse=False):
228 requester = GPORequester(domain_controller, domain, user, password,
229 lmhash, nthash)
230
231 return requester.find_gpocomputeradmin(queried_computername=queried_computername,
222 requester = GPORequester(domain_controller, domain, user, password,
223 lmhash, nthash)
224
225 return requester.find_gpocomputeradmin(queried_computername=queried_computername,
232226 queried_ouname=queried_ouname,
233227 queried_domain=queried_domain,
234228 recurse=recurse)
236230 def find_gpolocation(domain_controller, domain, user, password=str(), lmhash=str(),
237231 nthash=str(), queried_username=str(), queried_groupname=str(),
238232 queried_localgroup=str(), queried_domain=str()):
239 requester = GPORequester(domain_controller, domain, user, password,
240 lmhash, nthash)
241 return requester.find_gpolocation(queried_username=queried_username,
233 requester = GPORequester(domain_controller, domain, user, password,
234 lmhash, nthash)
235
236 return requester.find_gpolocation(queried_username=queried_username,
242237 queried_groupname=queried_groupname,
243238 queried_localgroup=queried_localgroup,
244239 queried_domain=queried_domain)
+10
-24
pywerview/cli/main.py less more
105105 help='Query only users with adminCount=1')
106106 get_netuser_parser.add_argument('--allow-delegation', action='store_true',
107107 help='Return user accounts that are not marked as \'sensitive and not allowed for delegation\'')
108 get_netuser_parser.add_argument('--preauth-notreq', action='store_true',
109 help='Search for users with the PREAUTH_NOT_REQUIRED account control')
110108 get_netuser_parser.add_argument('--spn', action='store_true',
111109 help='Query only users with not-null Service Principal Names')
112 get_netuser_parser.add_argument('--custom-filter', dest='custom_filter',
113 default=str(), help='Custom filter')
114110 get_netuser_parser.set_defaults(func=get_netuser)
115111
116112 # Parser for the get-netgroup command
226222 get_netsubnet_parser.add_argument('--full-data', action='store_true',
227223 help='If set, returns full information on the subnets, otherwise, just the name')
228224 get_netsubnet_parser.set_defaults(func=get_netsubnet)
229
230 # Parser for the get-netdomaintrust command
231 get_netdomaintrust_parser = subparsers.add_parser('get-netdomaintrust', help='Returns a list of all the '\
232 'trusts of the specified domain', parents=[ad_parser])
233 get_netdomaintrust_parser.add_argument('-d', '--domain', dest='queried_domain',
234 help='Domain to query')
235 get_netdomaintrust_parser.set_defaults(func=get_netdomaintrust)
236225
237226 # Parser for the get-netgpo command
238227 get_netgpo_parser = subparsers.add_parser('get-netgpo', help='Get a list of all current '\
434423 invoke_eventhunter_parser.set_defaults(func=invoke_eventhunter)
435424
436425 args = parser.parse_args()
437 if hasattr(args,'queried_groupname'):
438 args.queried_groupname = args.queried_groupname.encode('utf-8').decode('latin1')
439426 if args.hashes:
440427 try:
441428 args.lmhash, args.nthash = args.hashes.split(':')
451438 args.password = getpass('Password:')
452439
453440 parsed_args = dict()
454 for k, v in vars(args).items():
441 for k, v in vars(args).iteritems():
455442 if k not in ('func', 'hashes'):
456443 parsed_args[k] = v
457444
461448 #print >>sys.stderr, repr(e)
462449 #sys.exit(-1)
463450
464 if results is not None:
465 try:
466 for x in results:
467 x = str(x).encode('latin1').decode('utf-8')
468 print(x)
469 if '\n' in x:
470 print('')
471 except TypeError:
472 print(results)
473
451 try:
452 for x in results:
453 x = str(x)
454 print x
455 if '\n' in x:
456 print ''
457 except TypeError:
458 print results
459
+14
-27
pywerview/functions/gpo.py less more
1818
1919 import codecs
2020 from bs4 import BeautifulSoup
21 from io import BytesIO
21 from StringIO import StringIO
2222
2323 from impacket.smbconnection import SMBConnection, SessionError
2424
4444 return self._ldap_search(gpo_search_filter, GPO)
4545
4646 def get_gpttmpl(self, gpttmpl_path):
47 content_io = BytesIO()
47 content_io = StringIO()
4848
4949 gpttmpl_path_split = gpttmpl_path.split('\\')
50 target = self._domain_controller
50 target = gpttmpl_path_split[2]
5151 share = gpttmpl_path_split[3]
5252 file_name = '\\'.join(gpttmpl_path_split[4:])
5353
5858
5959 smb_connection.connectTree(share)
6060 smb_connection.getFile(share, file_name, content_io.write)
61
6162 try:
62 content = codecs.decode(content_io.getvalue(), 'utf-16le')[1:].replace('\r', '')
63 content = codecs.decode(content_io.getvalue(), 'utf_16_le')[1:].replace('\r', '')
6364 except UnicodeDecodeError:
64 content = str(content_io.getvalue()).replace('\r', '')
65 content = content_io.getvalue().replace('\r', '')
6566
6667 gpttmpl_final = GptTmpl(list())
6768 for l in content.split('\n'):
111112 sids = member[1]
112113 resolved_sids = list()
113114 for sid in sids:
114 if not sid:
115 continue
116115 try:
117 resolved_sid = net_requester.get_adobject(queried_sid=sid, queried_domain=queried_domain)[0]
116 resolved_sid = net_requester.get_adobject(queried_sid=sid)[0]
118117 except IndexError:
119118 resolved_sid = sid
120119 else:
137136
138137 groupsxml_path_split = groupsxml_path.split('\\')
139138 gpo_name = groupsxml_path_split[6]
140 target = self._domain_controller
139 target = groupsxml_path_split[2]
141140 share = groupsxml_path_split[3]
142141 file_name = '\\'.join(groupsxml_path_split[4:])
143142
269268 self._password, self._lmhash, self._nthash) as net_requester:
270269 for member in members:
271270 try:
272 resolved_member = net_requester.get_adobject(queried_sid=member, queried_domain=queried_domain)[0]
271 resolved_member = net_requester.get_adobject(queried_sid=member)[0]
273272 resolved_member = resolved_member.distinguishedname.split(',')
274273 resolved_member_domain = '.'.join(resolved_member[1:])
275274 resolved_member = '{}\\{}'.format(resolved_member_domain, resolved_member[0])
282281
283282 for member in memberof:
284283 try:
285 resolved_member = net_requester.get_adobject(queried_sid=member, queried_domain=queried_domain)[0]
284 resolved_member = net_requester.get_adobject(queried_sid=member)[0]
286285 resolved_member = resolved_member.distinguishedname.split(',')[:2]
287286 resolved_member = '{}\\{}'.format(resolved_member[1], resolved_member[0])
288287 resolved_member = resolved_member.replace('CN=', '').replace('DC=', '')
351350 while groups_to_resolve:
352351 group_to_resolve = groups_to_resolve.pop(0)
353352 group_members = net_requester.get_netgroupmember(queried_sid=group_to_resolve,
354 queried_domain=queried_domain,
355353 full_data=True)
356354 for group_member in group_members:
357355 gpo_computer_admin = GPOComputerAdmin(list())
413411 object_groups = net_requester.get_netgroup(queried_username=object_sam_account_name,
414412 queried_domain=queried_domain)
415413 for object_group in object_groups:
416 try:
417 object_group_sid = net_requester.get_adobject(queried_sam_account_name=object_group.samaccountname,
418 queried_domain=queried_domain)[0].objectsid
419 except IndexError:
420 # We may have the name of the group, but not its sam account name
421 try:
422 object_group_sid = net_requester.get_adobject(queried_name=object_group.samaccountname,
423 queried_domain=queried_domain)[0].objectsid
424 except IndexError:
425 # Freak accident when someone is a member of a group, but
426 # we can't find the group in the AD
427 continue
428
414 object_group_sid = net_requester.get_adobject(queried_sam_account_name=object_group.samaccountname,
415 queried_domain=queried_domain)[0].objectsid
429416 target_sid.append(object_group_sid)
430417
431418 gpo_groups = list()
432 for gpo_group in self.get_netgpogroup(queried_domain=queried_domain):
419 for gpo_group in self.get_netgpogroup():
433420 try:
434421 for member in gpo_group.members:
435422 if not member.upper().startswith('S-1-5'):
436423 try:
437424 member = net_requester.get_adobject(queried_sam_account_name=member,
438425 queried_domain=queried_domain)[0].objectsid
439 except (IndexError, AttributeError):
426 except IndexError, AttributeError:
440427 continue
441428 if (member.upper() in target_sid) or (member.lower() in target_sid):
442429 if (local_sid.upper() in gpo_group.memberof) or \
+1
-1
pywerview/functions/hunting.py less more
135135 raise ValueError('No users to search for')
136136
137137 def _build_workers(self, threads, worker_class, worker_args):
138 for i in range(threads):
138 for i in xrange(threads):
139139 parent_pipe, worker_pipe = multiprocessing.Pipe()
140140 self._parent_pipes.append(parent_pipe)
141141 worker = worker_class(worker_pipe, self._domain, self._user,
+37
-66
pywerview/functions/net.py less more
4848 def get_netuser(self, queried_username=str(), queried_domain=str(),
4949 ads_path=str(), admin_count=False, spn=False,
5050 unconstrained=False, allow_delegation=False,
51 preauth_notreq=False,
5251 custom_filter=str()):
5352
5453 if unconstrained:
5958
6059 if admin_count:
6160 custom_filter += '(admincount=1)'
62 # LDAP filter from https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
63 if preauth_notreq:
64 custom_filter += '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
61
6562 user_search_filter = '(samAccountType=805306368){}'.format(custom_filter)
6663 if queried_username:
6764 user_search_filter += '(samAccountName={})'.format(queried_username)
6865 elif spn:
69 user_search_filter += '(servicePrincipalName=*)'
66 user_search_filter += '(servicePrincipalName={})'.format(spn)
7067
7168 user_search_filter = '(&{})'.format(user_search_filter)
7269
8279 results = list()
8380 sam_account_name_to_resolve = [queried_username]
8481 first_run = True
82 sam_account_name_already_resolved = list()
8583 while sam_account_name_to_resolve:
8684 sam_account_name = sam_account_name_to_resolve.pop(0)
8785 if first_run:
9189 objects = self.get_adobject(queried_sam_account_name=sam_account_name,
9290 queried_domain=queried_domain,
9391 ads_path=ads_path, custom_filter=custom_filter)
94 objects += self.get_adobject(queried_name=sam_account_name,
95 queried_domain=queried_domain,
96 ads_path=ads_path, custom_filter=custom_filter)
9792 else:
9893 objects = self.get_adobject(queried_sam_account_name=sam_account_name,
9994 queried_domain=queried_domain)
100 objects += self.get_adobject(queried_name=sam_account_name,
101 queried_domain=queried_domain)
10295
10396 for obj in objects:
10497 try:
182175 if len(split_path) >= 3:
183176 return split_path[2]
184177
185 results = set()
178 results = list()
186179 if target_users:
187180 users = list()
188181 for target_user in target_users:
191184 users = self.get_netuser(queried_domain=queried_domain)
192185
193186 for user in users:
194 for full_path in (user.homedirectory, user.scriptpath, user.profilepath):
195 if not full_path:
196 continue
197 path = split_path(full_path)
198 if path:
199 results.add(path)
200
201 final_results = list()
202 for file_server_name in results:
203 attributes = list()
204 attributes.append({'type': 'dnshostname', 'vals': [file_server_name]})
205 final_results.append(adobj.FileServer(attributes))
206
207 return final_results
187 if user.homedirectory:
188 results.append(split_path(user.homedirectory))
189 if user.scriptpath:
190 results.append(split_path(user.scriptpath))
191 if user.profilepath:
192 results.append(split_path(user.profilepath))
193
194 return results
208195
209196 @LDAPRPCRequester._ldap_connection_init
210197 def get_dfsshare(self, version=['v1', 'v2'], queried_domain=str(), ads_path=str()):
330317 def _get_members(_groupname=str(), _sid=str()):
331318 try:
332319 if _groupname:
333 groups = self.get_netgroup(queried_groupname=_groupname,
334 queried_domain=queried_domain,
335 full_data=True)
320 groups = self.get_netgroup(queried_groupname=_groupname, full_data=True)
336321 else:
337322 if _sid:
338323 queried_sid = _sid
342327 self._password, self._lmhash,
343328 self._nthash) as misc_requester:
344329 queried_sid = misc_requester.get_domainsid(queried_domain) + '-512'
345 groups = self.get_netgroup(queried_sid=queried_sid,
346 queried_domain=queried_domain,
347 full_data=True)
330 groups = self.get_netgroup(queried_sid=queried_sid, full_data=True)
348331 except IndexError:
349332 raise ValueError('The group {} was not found'.format(_groupname))
350333
355338 if recurse and use_matching_rule:
356339 group_memberof_filter = '(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:={}){})'.format(group.distinguishedname, custom_filter)
357340
358 members = self.get_netuser(custom_filter=group_memberof_filter,
359 queried_domain=queried_domain)
341 members = self.get_netuser(custom_filter=group_memberof_filter)
360342 else:
361343 # TODO: range cycling
362344 try:
363345 for member in group.member:
364346 dn_filter = '(distinguishedname={}){}'.format(member, custom_filter)
365 members += self.get_netuser(custom_filter=dn_filter, queried_domain=queried_domain)
366 members += self.get_netgroup(custom_filter=dn_filter, queried_domain=queried_domain, full_data=True)
347 members += self.get_netuser(custom_filter=dn_filter)
348 members += self.get_netgroup(custom_filter=dn_filter, full_data=True)
367349 # The group doesn't have any members
368350 except AttributeError:
369351 continue
412394 groups_to_process.append((member.membername, str()))
413395
414396 return results
415
416 @LDAPRPCRequester._ldap_connection_init
417 def get_netdomaintrust(self, queried_domain):
418 trust_search_filter = '(&(objectClass=trustedDomain))'
419
420 return self._ldap_search(trust_search_filter, adobj.Trust)
421397
422398 @LDAPRPCRequester._rpc_connection_init(r'\srvsvc')
423399 def get_netsession(self):
604580 # It's a domain member
605581 else:
606582 attributes['isdomain'] = True
607 if self._ldap_connection is not None:
583 try:
584 ad_object = self.get_adobject(queried_sid=member_sid)[0]
585 member_dn = ad_object.distinguishedname
586 member_domain = member_dn[member_dn.index('DC='):].replace('DC=', '').replace(',', '.')
608587 try:
609 ad_object = self.get_adobject(queried_sid=member_sid)[0]
610 member_dn = ad_object.distinguishedname
611 member_domain = member_dn[member_dn.index('DC='):].replace('DC=', '').replace(',', '.')
612 try:
613 attributes['name'] = '{}/{}'.format(member_domain, ad_object.samaccountname)
614 except AttributeError:
615 # Here, the member is a foreign security principal
616 # TODO: resolve it properly
617 attributes['name'] = '{}/{}'.format(member_domain, ad_object.objectsid)
618 attributes['isgroup'] = ad_object.isgroup
619 try:
620 attributes['lastlogin'] = ad_object.lastlogon
621 except AttributeError:
622 attributes['lastlogin'] = str()
623 except IndexError:
624 # We did not manage to resolve this SID against the DC
625 attributes['isdomain'] = False
626 attributes['isgroup'] = False
627 attributes['name'] = attributes['sid']
588 attributes['name'] = '{}/{}'.format(member_domain, ad_object.samaccountname)
589 except AttributeError:
590 # Here, the member is a foreign security principal
591 # TODO: resolve it properly
592 attributes['name'] = '{}/{}'.format(member_domain, ad_object.objectsid)
593 attributes['isgroup'] = ad_object.isgroup
594 try:
595 attributes['lastlogin'] = ad_object.lastlogon
596 except AttributeError:
628597 attributes['lastlogin'] = str()
629 else:
598 except IndexError:
599 # We did not manage to resolve this SID against the DC
600 attributes['isdomain'] = False
630601 attributes['isgroup'] = False
631 attributes['name'] = str()
602 attributes['name'] = attributes['sid']
632603 attributes['lastlogin'] = str()
633604
634605 results.append(rpcobj.RPCObject(attributes))
635606
636607 # If we recurse and the member is a domain group, we query every member
637608 # TODO: implement check on self._domain_controller here?
638 if self._ldap_connection and self._domain_controller and recurse and attributes['isdomain'] and attributes['isgroup']:
609 if self._domain_controller and recurse and attributes['isdomain'] and attributes['isgroup']:
639610 for domain_member in self.get_netgroupmember(full_data=True, recurse=True, queried_sid=attributes['sid']):
640611 domain_member_attributes = dict()
641612 domain_member_attributes['isdomain'] = True
671642
672643 result_process = rpcobj.Process(attributes)
673644 yield result_process
674 except Exception as e:
645 except Exception, e:
675646 if str(e).find('S_FALSE') < 0:
676647 raise e
677648 else:
720691 'id': wmi_event_type}
721692 result_event = rpcobj.Event(attributes)
722693 yield result_event
723 except Exception as e:
694 except Exception, e:
724695 if str(e).find('S_FALSE') < 0:
725696 raise e
726697 else:
+12
-80
pywerview/objects/adobjects.py less more
1919 from datetime import datetime
2020 import inspect
2121 import struct
22 import pyasn1
23 import codecs
2422
2523 class ADObject:
26 __uac_flags = {0x0000001: 'SCRIPT',
27 0x0000002: 'ACCOUNTDISABLE',
28 0x0000008: 'HOMEDIR_REQUIRED',
29 0x0000010: 'LOCKOUT',
30 0x0000020: 'PASSWD_NOTREQD',
31 0x0000040: 'PASSWD_CANT_CHANGE',
32 0x0000080: 'ENCRYPTED_TEXT_PWD_ALLOWED',
33 0x0000100: 'TEMP_DUPLICATE_ACCOUNT',
34 0x0000200: 'NORMAL_ACCOUNT',
35 0x0000800: 'INTERDOMAIN_TRUST_ACCOUNT',
36 0x0001000: 'WORKSTATION_TRUST_ACCOUNT',
37 0x0002000: 'SERVER_TRUST_ACCOUNT',
38 0x0010000: 'DONT_EXPIRE_PASSWORD',
39 0x0020000: 'MNS_LOGON_ACCOUNT',
40 0x0040000: 'SMARTCARD_REQUIRED',
41 0x0080000: 'TRUSTED_FOR_DELEGATION',
42 0x0100000: 'NOT_DELEGATED',
43 0x0200000: 'USE_DES_KEY_ONLY',
44 0x0400000: 'DONT_REQ_PREAUTH',
45 0x0800000: 'PASSWORD_EXPIRED',
46 0x1000000: 'TRUSTED_TO_AUTH_FOR_DELEGATION',
47 0x4000000: 'PARTIAL_SECRETS_ACCOUNT'}
48
4924 def __init__(self, attributes):
5025 self.add_attributes(attributes)
5126
5530 if t in ('logonhours', 'msds-generationid'):
5631 value = str(attr['vals'][0])
5732 value = [ord(x) for x in value]
58 elif t in ('trustattributes', 'trustdirection', 'trusttype'):
59 value = int(attr['vals'][0])
6033 elif t in ('objectsid', 'ms-ds-creatorsid'):
61 value = codecs.encode(bytes(attr['vals'][0]),'hex')
62 init_value = bytes(attr['vals'][0])
34 value = str(attr['vals'][0]).encode('hex')
35 init_value = str(attr['vals'][0])
6336 value = 'S-1-5'
64 for i in range(8, len(init_value), 4):
37 for i in xrange(8, len(init_value), 4):
6538 value += '-{}'.format(str(struct.unpack('<I', init_value[i:i+4])[0]))
6639 elif t == 'objectguid':
67 init_value = bytes(attr['vals'][0])
40 init_value = str(attr['vals'][0])
6841 value = str()
6942 value += '{}-'.format(hex(struct.unpack('<I', init_value[0:4])[0])[2:].zfill(8))
7043 value += '{}-'.format(hex(struct.unpack('<H', init_value[4:6])[0])[2:].zfill(4))
7144 value += '{}-'.format(hex(struct.unpack('<H', init_value[6:8])[0])[2:].zfill(4))
72 value += '{}-'.format(codecs.encode(init_value,'hex')[16:20])
73 value += init_value.hex()[20:]
45 value += '{}-'.format(init_value.encode('hex')[16:20])
46 value += init_value.encode('hex')[20:]
7447 elif t in ('dscorepropagationdata', 'whenchanged', 'whencreated'):
7548 value = list()
7649 for val in attr['vals']:
8861 else:
8962 try:
9063 value = str(attr['vals'][0])
91 except (IndexError, pyasn1.error.PyAsn1Error):
64 except IndexError:
9265 value = str()
9366
9467 setattr(self, t, value)
10477 for member in members:
10578 if not member[0].startswith('_'):
10679 if member[0] == 'msmqdigests':
107 member_value = (',\n' + ' ' * (max_length + 2)).join(x.encode('utf-8').hex() for x in member[1])
108 elif member[0] == 'useraccountcontrol':
109 member_value = list()
110 for uac_flag, uac_label in ADObject.__uac_flags.items():
111 if int(member[1]) & uac_flag == uac_flag:
112 member_value.append(uac_label)
80 member_value = (',\n' + ' ' * (max_length + 2)).join(x.encode('hex') for x in member[1])
11381 elif isinstance(member[1], list):
11482 if member[0] in ('logonhours',):
11583 member_value = member[1]
116 elif member[0] in ('usercertificate',
117 'protocom-sso-entries', 'protocom-sso-security-prefs',):
84 elif member[0] in ('usercertificate',):
11885 member_value = (',\n' + ' ' * (max_length + 2)).join(
119 '{}...'.format(x.encode('utf-8').hex()[:100]) for x in member[1])
86 '{}...'.format(x.encode('hex')[:100]) for x in member[1])
12087 else:
12188 member_value = (',\n' + ' ' * (max_length + 2)).join(str(x) for x in member[1])
12289 elif member[0] in('msmqsigncertificates', 'userparameters',
12390 'jpegphoto', 'thumbnailphoto', 'usercertificate',
12491 'msexchmailboxguid', 'msexchmailboxsecuritydescriptor',
125 'msrtcsip-userroutinggroupid', 'msexchumpinchecksum',
126 'protocom-sso-auth-data', 'protocom-sso-entries-checksum',
127 'protocom-sso-security-prefs-checksum', ):
128 member_value = '{}...'.format(member[1].encode('utf-8').hex()[:100])
92 'msrtcsip-userroutinggroupid', 'msexchumpinchecksum'):
93 member_value = '{}...'.format(member[1].encode('hex')[:100])
12994 else:
13095 member_value = member[1]
13196 s += '{}: {}{}\n'.format(member[0], ' ' * (max_length - len(member[0])), member_value)
155120 class Computer(ADObject):
156121 pass
157122
158 class FileServer(ADObject):
159 pass
160
161123 class DFS(ADObject):
162124 pass
163125
171133
172134 class Subnet(ADObject):
173135 pass
174
175 class Trust(ADObject):
176 __trust_attrib = {0x1: 'non_transitive', 0x2: 'uplevel_only',
177 0x4: 'filter_sids', 0x8: 'forest_transitive',
178 0x10: 'cross_organization', 0x20: 'within_forest',
179 0x40: 'treat_as_external',
180 0x80: 'trust_uses_rc4_encryption',
181 0x100: 'trust_uses_aes_keys',
182 0X200: 'cross_organization_no_tgt_delegation',
183 0x400: 'pim_trust'}
184
185 __trust_direction = {0: 'disabled', 1: 'inbound',
186 2: 'outbound', 3: 'bidirectional'}
187
188 __trust_type = {1: 'windows_non_active_directory',
189 2: 'windows_active_directory', 3: 'mit'}
190
191 def __init__(self, attributes):
192 ad_obj = ADObject(attributes)
193 self.targetname = ad_obj.name
194
195 self.trustattributes = list()
196 for attrib_flag, attrib_label in Trust.__trust_attrib.items():
197 if ad_obj.trustattributes & attrib_flag:
198 self.trustattributes.append(attrib_label)
199
200 self.trustdirection = Trust.__trust_direction.get(ad_obj.trustdirection, 'unknown')
201 self.trusttype = Trust.__trust_type.get(ad_obj.trusttype, 'unknown')
202 self.whencreated = ad_obj.whencreated
203 self.whenchanged = ad_obj.whenchanged
204136
205137 class GPO(ADObject):
206138 pass
+1
-1
pywerview/objects/rpcobjects.py less more
3939 value = value.rstrip('\x00')
4040 if isinstance(value, str):
4141 try:
42 value = value
42 value = value.decode('utf-8')
4343 except UnicodeDecodeError:
4444 pass
4545
+22
-42
pywerview/requester.py less more
1717 # Yannick Méheut [yannick (at) meheut (dot) org] - Copyright © 2016
1818
1919 import socket
20 import ntpath
20
2121 from impacket.ldap import ldap, ldapasn1
2222 from impacket.smbconnection import SMBConnection
2323 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
2525 from impacket.dcerpc.v5.dcom import wmi
2626 from impacket.dcerpc.v5.dtypes import NULL
2727 from impacket.dcerpc.v5.dcomrt import DCOMConnection
28 from impacket.dcerpc.v5.rpcrt import DCERPCException
2928
3029 class LDAPRequester():
3130 def __init__(self, domain_controller, domain=str(), user=(), password=str(),
4241 self._ldap_connection = None
4342
4443 def _get_netfqdn(self):
45 try:
46 smb = SMBConnection(self._domain_controller, self._domain_controller)
47 except socket.error:
48 return str()
49
50 smb.login(self._user, self._password, domain=self._domain,
51 lmhash=self._lmhash, nthash=self._nthash)
44 smb = SMBConnection(self._domain_controller, self._domain_controller)
45 smb.login('', '')
5246 fqdn = smb.getServerDNSDomainName()
5347 smb.logoff()
5448
6054 self._domain = self._get_netfqdn()
6155
6256 if not queried_domain:
63 queried_domain = self._get_netfqdn()
57 queried_domain = self._domain
6458 self._queried_domain = queried_domain
6559
6660 base_dn = str()
8175 try:
8276 ldap_connection = ldap.LDAPConnection('ldap://{}'.format(self._domain_controller),
8377 base_dn, self._domain_controller)
84 ldap_connection.login(self._user, self._password, self._domain,
85 self._lmhash, self._nthash)
86 except ldap.LDAPSessionError as e:
78 except ldap.LDAPSessionError, e:
8779 if str(e).find('strongerAuthRequired') >= 0:
8880 # We need to try SSL
8981 ldap_connection = ldap.LDAPConnection('ldaps://{}'.format(self._domain_controller),
9082 base_dn, self._domain_controller)
91 ldap_connection.login(self._user, self._password, self._domain,
92 self._lmhash, self._nthash)
9383 else:
9484 raise e
95 except socket.error as e:
96 return
85
86 ldap_connection.login(self._user, self._password, self._domain,
87 self._lmhash, self._nthash)
9788
9889 self._ldap_connection = ldap_connection
9990
197188 if self._pipe == r'\drsuapi':
198189 dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
199190
200 try:
201 dce.connect()
202 except socket.error:
203 self._rpc_connection = None
204 else:
205 dce.bind(binding_strings[self._pipe[1:]])
206 self._rpc_connection = dce
207
208 def _create_wmi_connection(self, namespace='root\\cimv2'):
209 try:
210 self._dcom = DCOMConnection(self._target_computer, self._user, self._password,
211 self._domain, self._lmhash, self._nthash)
212 except DCERPCException:
213 self._dcom = None
214 else:
215 i_interface = self._dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,
216 wmi.IID_IWbemLevel1Login)
217 i_wbem_level1_login = wmi.IWbemLevel1Login(i_interface)
218 self._wmi_connection = i_wbem_level1_login.NTLMLogin(ntpath.join('\\\\{}\\'.format(self._target_computer), namespace),
219 NULL, NULL)
191 dce.connect()
192 dce.bind(binding_strings[self._pipe[1:]])
193
194 self._rpc_connection = dce
195
196 def _create_wmi_connection(self):
197 self._dcom = DCOMConnection(self._target_computer, self._user, self._password,
198 self._domain, self._lmhash, self._nthash)
199 i_interface = self._dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,
200 wmi.IID_IWbemLevel1Login)
201 i_wbem_level1_login = wmi.IWbemLevel1Login(i_interface)
202 self._wmi_connection = i_wbem_level1_login.NTLMLogin('\\\\{}\\root\\cimv2'.format(self._target_computer),
203 NULL, NULL)
220204
221205 @staticmethod
222206 def _rpc_connection_init(pipe=r'\srvsvc'):
227211 if instance._rpc_connection:
228212 instance._rpc_connection.disconnect()
229213 instance._create_rpc_connection(pipe=pipe)
230 if instance._rpc_connection is None:
231 return None
232214 return f(*args, **kwargs)
233215 return wrapper
234216 return decorator
240222 instance = args[0]
241223 if not instance._wmi_connection:
242224 instance._create_wmi_connection()
243 if instance._dcom is None:
244 return None
245225 return f(*args, **kwargs)
246226 return wrapper
247227 return decorator
272252 def __enter__(self):
273253 try:
274254 LDAPRequester.__enter__(self)
275 except (socket.error, IndexError):
255 except socket.error, IndexError:
276256 pass
277257 # This should work every time
278258 RPCRequester.__enter__(self)