Python impacket.dcerpc.v5.wkst.hNetrWkstaUserEnum() Examples

The following are 9 code examples of impacket.dcerpc.v5.wkst.hNetrWkstaUserEnum(), each attributed to its original project and source file. The helper issues the Workstation Service's NetrWkstaUserEnum request over the wkssvc named pipe and returns the users currently logged on to the target host. See the module impacket.dcerpc.v5.wkst for the other available functions and classes.
Example #1
Source File: rpc.py    From ActiveReign with GNU General Public License v3.0
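def get_netloggedon(self):
    """Fill ``self.loggedon`` with the users reported by NetrWkstaUserEnum.

    Opens an RPC connection to the wkssvc named pipe, requests information
    level 1 and stores one entry per user name, holding the logon domain,
    the logon server and the user name (NUL characters stripped from each).

    Returns:
        An empty list when the RPC call raises DCERPCException; otherwise
        None, with the results available in ``self.loggedon``.
    """
    self.loggedon = {}
    self.create_rpc_con(r'\wkssvc')
    try:
        try:
            resp = wkst.hNetrWkstaUserEnum(self.rpc_connection, 1)
        except DCERPCException:
            # A refused or failed query is reported the same way as "no
            # users": empty list, self.loggedon left empty.
            return list()

        for wksta_user in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
            username = wksta_user['wkui1_username'].strip('\x00')
            self.loggedon[username] = {
                'domain': wksta_user['wkui1_logon_domain'].strip('\x00'),
                'logon_srv': wksta_user['wkui1_logon_server'].strip('\x00'),
                'user': username,
            }
    finally:
        # Release the connection on every exit path; previously the early
        # return on DCERPCException left it open.
        self.rpc_connection.disconnect()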
Example #2
Source File: test_wkst.py    From CVE-2017-7494 with GNU General Public License v3.0
def test_hNetrWkstaUserEnum(self):
    """Call hNetrWkstaUserEnum at levels 0 and 1 and dump each reply.

    The test contains no assertions on the replies; it only checks that
    neither the request nor ``dump()`` raises.
    """
    dce, _transport = self.connect()
    for level in (0, 1):
        reply = wkst.hNetrWkstaUserEnum(dce, level)
        reply.dump()
Example #3
Source File: net.py    From pywerview with GNU General Public License v3.0
def get_netloggedon(self):
    """Return the logged-on users as a list of ``rpcobj.WkstaUser`` objects.

    Sends NetrWkstaUserEnum at information level 1 through
    ``self._rpc_connection``.  A DCERPCException produces an empty list, so
    a caller cannot tell a refused query from a host with nobody logged on.
    """
    try:
        reply = wkst.hNetrWkstaUserEnum(self._rpc_connection, 1)
    except DCERPCException:
        return []

    entries = reply['UserInfo']['WkstaUserInfo']['Level1']['Buffer']
    return [rpcobj.WkstaUser(entry) for entry in entries]

    # TODO: if self._target_computer == self._domain_controller, check that
    # self._domain_controller is indeed a domain controller 
Example #4
Source File: test_wkst.py    From cracke-dit with MIT License
def test_hNetrWkstaUserEnum(self):
    """Exercise the helper once per information level (0, then 1).

    Each reply is only dumped; nothing in the test asserts on its content.
    """
    dce, _unused_transport = self.connect()
    for info_level in range(2):
        wkst.hNetrWkstaUserEnum(dce, info_level).dump()
Example #5
Source File: test_wkst.py    From Slackor with GNU General Public License v3.0
def test_hNetrWkstaUserEnum(self):
    """Request the user enumeration at level 0 and level 1, dumping both.

    This is a smoke test: it has no assertions and fails only if a request
    or a ``dump()`` call raises.
    """
    dce, _rpctransport = self.connect()

    basic_reply = wkst.hNetrWkstaUserEnum(dce, 0)
    basic_reply.dump()

    detailed_reply = wkst.hNetrWkstaUserEnum(dce, 1)
    detailed_reply.dump()
Example #6
Source File: computer.py    From BloodHound.py with MIT License
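def rpc_get_loggedon(self):
    """
    Query logged on users via RPC.
    Requires admin privs

    Computer accounts (names ending in '$') and sessions whose logon
    domain equals this host's own SAM name are left out.  Where the
    logon domain is known to ``self.ad`` it is replaced by the domain
    derived from the entry's distinguishedName.

    Returns:
        A list of (username, domain) tuples, or None when the RPC
        connection could not be established.  Access-denied and
        connection-reset errors are logged at debug level and whatever
        was collected so far is returned.
    """
    binding = r'ncacn_np:%s[\PIPE\wkssvc]' % self.addr
    loggedonusers = set()
    dce = self.dce_rpc_connect(binding, wkst.MSRPC_UUID_WKST)
    if dce is None:
        logging.warning('Connection failed: %s', binding)
        return
    try:
        # 1 means more detail, including the domain
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
        for record in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
            # The last character of each field is dropped before use
            # (presumably the string terminator -- confirm against impacket).
            username = record['wkui1_username'][:-1]
            logon_domain = record['wkui1_logon_domain'][:-1].upper()
            # Skip computer accounts.  endswith() also copes with an empty
            # name, where indexing [-2] on the raw field raised IndexError.
            if not username or username.endswith('$'):
                continue
            # Skip sessions for local accounts
            if logon_domain == self.samname.upper():
                continue
            domain = logon_domain
            domain_entry = self.ad.get_domain_by_name(domain)
            if domain_entry is not None:
                domain = ADUtils.ldap2domain(domain_entry['attributes']['distinguishedName'])
            logging.debug('Found logged on user at %s: %s@%s', self.hostname, username, domain)
            loggedonusers.add((username, domain))
    except DCERPCException as e:
        if 'rpc_s_access_denied' in str(e):
            logging.debug('Access denied while enumerating LoggedOn on %s, probably no admin privs', self.hostname)
        else:
            logging.debug('Exception connecting to RPC: %s', e)
    except Exception as e:
        if 'connection reset' in str(e):
            logging.debug('Connection was reset: %s', e)
        else:
            # Bare raise keeps the original traceback.
            raise
    finally:
        # Disconnect on every path, including the re-raise above, which
        # previously skipped the cleanup.
        dce.disconnect()

    return list(loggedonusers)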
Example #7
Source File: netview.py    From PiBunny with MIT License
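def getLoggedIn(self, target):
    """Request the logged-on user list from ``target`` via the Workstation Service.

    Returns immediately when the target is already marked as non-admin.
    Reuses the DCE/RPC handle stored in ``self.__targets[target]['WKST']``
    when it is not None; otherwise binds a new one over the wkssvc named
    pipe and takes one slot from ``self.__maxConnections``.

    Errors from the request are classified by their message text:
      * 'Broken pipe'   -- forget the cached handle, give the slot back, return.
      * 'ACCESS_DENIED' -- disconnect, give the slot back, mark the target
                           as non-admin, return.
      * anything else   -- re-raised to the caller.

    NOTE(review): the listing ends after the error handling, so ``resp``
    is not consumed in the visible code.
    """
    if self.__targets[target]['Admin'] is False:
        return

    if self.__targets[target]['WKST'] is None:
        stringWkstBinding = r'ncacn_np:%s[\PIPE\wkssvc]' % target
        rpctransportWkst = transport.DCERPCTransportFactory(stringWkstBinding)
        if hasattr(rpctransportWkst, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransportWkst.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,
                                             self.__nthash, self.__aesKey)
            rpctransportWkst.set_kerberos(self.__doKerberos, self.__kdcHost)

        dce = rpctransportWkst.get_dce_rpc()
        dce.connect()
        dce.bind(wkst.MSRPC_UUID_WKST)
        self.__maxConnections -= 1
    else:
        dce = self.__targets[target]['WKST']

    try:
        resp = wkst.hNetrWkstaUserEnum(dce, 1)
    except Exception as e:
        message = str(e)
        if 'Broken pipe' in message:
            # The connection timed-out. Let's try to bring it back next round
            self.__targets[target]['WKST'] = None
            self.__maxConnections += 1
            return
        elif 'ACCESS_DENIED' in message.upper():
            # We're not admin, bye
            # The previous test used the bare result of str.find(), which is
            # -1 (truthy) on a miss and 0 (falsy) on a hit at index 0, so
            # nearly every error was treated as access-denied and the
            # re-raise below was almost unreachable.
            dce.disconnect()
            self.__maxConnections += 1
            self.__targets[target]['Admin'] = False
            return
        else:
            raise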
Example #8
Source File: test_wkst.py    From PiBunny with MIT License
def test_hNetrWkstaUserEnum(self):
    """Run hNetrWkstaUserEnum for level 0 and then level 1, dumping each reply.

    There are no assertions; the replies are printed with ``dump()`` only.
    """
    dce, _ = self.connect()
    levels = (0, 1)
    for requested_level in levels:
        response = wkst.hNetrWkstaUserEnum(dce, requested_level)
        response.dump()
Example #9
Source File: smb.py    From Vibe with MIT License
def sessions(self, targets):
    """Print, for each target, the logged-on users and the profile folders.

    Per target: open the RPC connection, log in over SMB on port 445, run
    NetrWkstaUserEnum at level 1 and print each distinct DOMAIN\\user whose
    name contains no '$'.  Then list C$\\Users\\* and print every directory
    that is not a built-in profile entry, with its modification time.

    A DCERPCException from the enumeration, or an UnboundLocalError raised
    anywhere in the per-target work, prints "User does not have access"
    and moves on to the next target.

    NOTE(review): the SMB session opened here is never logged off or
    closed in the visible code.
    """
    builtin_entries = ("Public", "All Users", "Default", "Default User", ".", "..")
    for target in targets:
        users = []
        try:
            self._create_rpc_connection(target)
            print(target)
            print("-----------------")
            smb = SMBConnection('*SMBSERVER', target, sess_port=445, timeout=5)
            smb.login(self._user, self._password, self._domain)
            try:
                sess = wkst.hNetrWkstaUserEnum(self._rpc_connection, 1)
            except DCERPCException:
                users = []
                print(colors.RD + "     [-]" + colors.NRM + " User does not have access")
                continue

            for wksta_user in sess['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:
                account = wksta_user['wkui1_username'][:-1]
                domain = wksta_user['wkui1_logon_domain'][:-1]
                # Names containing '$' are left out of the listing.
                if "$" in account:
                    continue
                qualified = '%s\\%s' % (domain, account)
                if qualified not in users:
                    users.append(qualified)

            print("  Currently Logged On")
            print("  -------------------")
            for qualified in users:
                print("     " + colors.GRN + "[+] " + colors.NRM + qualified)
            del users

            listing = smb.listPath('C$', '\\Users\\*')
            print("\n  Users Who Have Logged On")
            print("  -------------------------")
            for item in listing:
                if item.get_longname() in builtin_entries:
                    continue
                if item.is_directory():
                    print(colors.GRN + "     [+] " + colors.NRM + item.get_longname() + " lastlogon: " + time.ctime(float(item.get_mtime_epoch())))
        except UnboundLocalError as e:
            print(target)
            users = []
            print(e)
            print(colors.RD + "     [-] " + colors.NRM + "User does not have access")
            continue