Python impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED Examples
The following are 6
code examples of impacket.dcerpc.v5.samr.MAXIMUM_ALLOWED().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.dcerpc.v5.samr
, or try the search function
.
Example #1
Source File: enumerid.py From enumerid with BSD 3-Clause "New" or "Revised" License | 6 votes |
def get_sid(self, name): self.log.info('[*] Looking up SID for {0}..'.format(name)) stringbinding = r'ncacn_np:{0}[\pipe\lsarpc]'.format(self.target) logging.debug('StringBinding {0}'.format(stringbinding)) rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(self.port) rpctransport.setRemoteHost(self.target) if hasattr(rpctransport, 'set_credentials'): rpctransport.set_credentials(self.username, self.password, self.domain) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT) resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsad.POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = lsat.hLsarLookupNames(dce, policyHandle, (name,)) self.rid = resp['TranslatedSids']['Sids'][0]['RelativeId'] dce.disconnect() return
Example #2
Source File: passpol.py From CrackMapExec with BSD 2-Clause "Simplified" License | 4 votes |
def fetchList(self, rpctransport): dce = DCERPC_v5(rpctransport) dce.connect() dce.bind(samr.MSRPC_UUID_SAMR) # Setup Connection resp = samr.hSamrConnect2(dce) if resp['ErrorCode'] != 0: raise Exception('Connect error') resp2 = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle=resp['ServerHandle'], enumerationContext=0, preferedMaximumLength=500) if resp2['ErrorCode'] != 0: raise Exception('Connect error') resp3 = samr.hSamrLookupDomainInSamServer(dce, serverHandle=resp['ServerHandle'], name=resp2['Buffer']['Buffer'][0]['Name']) if resp3['ErrorCode'] != 0: raise Exception('Connect error') resp4 = samr.hSamrOpenDomain(dce, serverHandle=resp['ServerHandle'], desiredAccess=samr.MAXIMUM_ALLOWED, domainId=resp3['DomainId']) if resp4['ErrorCode'] != 0: raise Exception('Connect error') self.__domains = resp2['Buffer']['Buffer'] domainHandle = resp4['DomainHandle'] # End Setup re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle, domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainPasswordInformation) self.__min_pass_len = re['Buffer']['Password']['MinPasswordLength'] or "None" self.__pass_hist_len = re['Buffer']['Password']['PasswordHistoryLength'] or "None" self.__max_pass_age = convert(int(re['Buffer']['Password']['MaxPasswordAge']['LowPart']), int(re['Buffer']['Password']['MaxPasswordAge']['HighPart'])) self.__min_pass_age = convert(int(re['Buffer']['Password']['MinPasswordAge']['LowPart']), int(re['Buffer']['Password']['MinPasswordAge']['HighPart'])) self.__pass_prop = d2b(re['Buffer']['Password']['PasswordProperties']) re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle, domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLockoutInformation) self.__rst_accnt_lock_counter = convert(0, re['Buffer']['Lockout']['LockoutObservationWindow'], lockout=True) self.__lock_accnt_dur = convert(0, re['Buffer']['Lockout']['LockoutDuration'], lockout=True) self.__accnt_lock_thres = re['Buffer']['Lockout']['LockoutThreshold'] or "None" re = samr.hSamrQueryInformationDomain2(dce, domainHandle=domainHandle, domainInformationClass=samr.DOMAIN_INFORMATION_CLASS.DomainLogoffInformation) self.__force_logoff_time = convert(re['Buffer']['Logoff']['ForceLogoff']['LowPart'], re['Buffer']['Logoff']['ForceLogoff']['HighPart']) self.pass_pol = {'min_pass_len': self.__min_pass_len, 'pass_hist_len': self.__pass_hist_len, 'max_pass_age': self.__max_pass_age, 'min_pass_age': self.__min_pass_age, 'pass_prop': self.__pass_prop, 'rst_accnt_lock_counter': self.__rst_accnt_lock_counter, 'lock_accnt_dur': self.__lock_accnt_dur, 'accnt_lock_thres': self.__accnt_lock_thres, 'force_logoff_time': self.__force_logoff_time}
Example #3
Source File: enumerid.py From enumerid with BSD 3-Clause "New" or "Revised" License | 4 votes |
def enumerate_user_info(self, dce, domain_handle): # Most of this method was built using logic from samrdump.py user_request = samr.hSamrOpenUser(dce, domain_handle, samr.MAXIMUM_ALLOWED, self.rid) self.log.info('[*] User RID detected. Enumerating information on user..\n') info = samr.hSamrQueryInformationUser(dce, user_request['UserHandle'], samr.USER_INFORMATION_CLASS.UserAllInformation) user = info['Buffer']['All'] pass_last_set = self.expiration_check(user, 'PasswordLastSet') account_expires = self.expiration_check(user, 'AccountExpires') pass_expires = self.expiration_check(user, 'PasswordMustChange') pass_can_change = self.expiration_check(user, 'PasswordCanChange') last_logon = self.expiration_check(user, 'LastLogon') account_active = self.attribute_bool(user, samr.USER_ACCOUNT_DISABLED) user_may_change_pass = self.attribute_bool(user, samr.USER_CHANGE_PASSWORD) password_required = self.attribute_bool(user, samr.USER_PASSWORD_NOT_REQUIRED) workstations_allowed = user['WorkStations'] if workstations_allowed == '': workstations_allowed = 'All' self.log.info('User name\t\t\t{0}'.format(user['UserName'])) self.log.info('User RID\t\t\t{0}'.format(user['UserId'])) self.log.info('Full Name\t\t\t{0}'.format(user['FullName'])) self.log.info('Comment\t\t\t\t{0}'.format(user['AdminComment'])) self.log.info("User's Comment\t\t\t\t{0}".format(user['UserComment'])) self.log.info('Country/region code\t\t{0}'.format(user['CountryCode'])) self.log.info('Account active\t\t\t{0}'.format(account_active)) self.log.info('Account expires\t\t\t{0}\n'.format(account_expires)) self.log.info('Password last set\t\t{0}'.format(pass_last_set)) self.log.info('Password expires\t\t{0}'.format(pass_expires)) self.log.info('Password changeable\t\t{0}'.format(pass_can_change)) self.log.info('Password required\t\t{0}'.format(password_required)) self.log.info('Bad Password Count\t\t{0}'.format(user['BadPasswordCount'])) self.log.info('User may change password\t{0}\n'.format(user_may_change_pass)) self.log.info('Workstations allowed\t\t{0}'.format(workstations_allowed)) self.log.info('Logon script\t\t\t\t{0}'.format(user['ScriptPath'])) self.log.info('User profile\t\t\t\t{0}'.format(user['ProfilePath'])) self.log.info('Home directory\t\t\t{0}'.format(user['HomeDirectory'])) self.log.info('Home directory drive\t\t{0}\n'.format(user['HomeDirectoryDrive'])) self.log.info('Group Memberships') group_rids = samr.hSamrGetGroupsForUser(dce, user_request['UserHandle'])['Groups']['Groups'] for i, group_rid in enumerate(group_rids): group_rid = group_rids[i]['RelativeId'] group_request = samr.hSamrOpenGroup(dce, domain_handle, samr.MAXIMUM_ALLOWED, group_rid) group_info = samr.hSamrQueryInformationGroup(dce, group_request['GroupHandle']) group_name = group_info['Buffer']['General']['Name'] group_comment = group_info['Buffer']['General']['AdminComment'] self.log.info('Name: {0}\nDesc: {1}\n'.format(group_name, group_comment)) samr.hSamrCloseHandle(dce, user_request['UserHandle']) samr.hSamrCloseHandle(dce, group_request['GroupHandle'])
Example #4
Source File: enumerid.py From enumerid with BSD 3-Clause "New" or "Revised" License | 4 votes |
def enumerate_users_in_group(self, dce, domain_handle): request = samr.SamrOpenGroup() request['DomainHandle'] = domain_handle request['DesiredAccess'] = samr.MAXIMUM_ALLOWED request['GroupId'] = self.rid try: resp = dce.request(request) except samr.DCERPCSessionError: raise request = samr.SamrGetMembersInGroup() request['GroupHandle'] = resp['GroupHandle'] resp = dce.request(request) self.log.info('[*] Group RID detected. Enumerating users/hosts in group..\n') try: rids = resp['Members']['Members'] except AttributeError: self.log.info('[-] No users in group') return mutex = Lock() for rid in rids: try: resp = samr.hSamrOpenUser(dce, domain_handle, samr.MAXIMUM_ALLOWED, rid['Data']) rid_data = samr.hSamrQueryInformationUser2(dce, resp['UserHandle'], samr.USER_INFORMATION_CLASS.UserAllInformation) except samr.DCERPCSessionError as e: # Occasionally an ACCESS_DENIED is rasied even though the user has permissions? # Other times a STATUS_NO_SUCH_USER is raised when a rid apparently doesn't exist, even though it reported back as existing. self.log.debug(e) continue if self.fqdn: rid_data = rid_data['Buffer']['All']['UserName'].replace('$', '') + '.' + self.fqdn else: rid_data = rid_data['Buffer']['All']['UserName'].replace('$', '') samr.hSamrCloseHandle(dce, resp['UserHandle']) if self.dns_lookup: # Threading because DNS lookups are slow t = Thread(target=self.get_ip, args=(rid_data, mutex,)) t.start() else: self.log.info(rid_data) self.data.append(rid_data)
Example #5
Source File: samrdump.py From Slackor with GNU General Public License v3.0 | 4 votes |
def __fetchList(self, rpctransport): dce = rpctransport.get_dce_rpc() entries = [] dce.connect() dce.bind(samr.MSRPC_UUID_SAMR) try: resp = samr.hSamrConnect(dce) serverHandle = resp['ServerHandle'] resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle) domains = resp['Buffer']['Buffer'] print('Found domain(s):') for domain in domains: print(" . %s" % domain['Name']) logging.info("Looking up users in domain %s" % domains[0]['Name']) resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] ) resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId']) domainHandle = resp['DomainHandle'] status = STATUS_MORE_ENTRIES enumerationContext = 0 while status == STATUS_MORE_ENTRIES: try: resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext) except DCERPCException as e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for user in resp['Buffer']['Buffer']: r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId']) print("Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] )) info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation) entry = (user['Name'], user['RelativeId'], info['Buffer']['All']) entries.append(entry) samr.hSamrCloseHandle(dce, r['UserHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except ListUsersException as e: logging.critical("Error listing users: %s" % e) dce.disconnect() return entries # Process command-line arguments.
Example #6
Source File: samrdump.py From PiBunny with MIT License | 4 votes |
def __fetchList(self, rpctransport): dce = rpctransport.get_dce_rpc() entries = [] dce.connect() dce.bind(samr.MSRPC_UUID_SAMR) try: resp = samr.hSamrConnect(dce) serverHandle = resp['ServerHandle'] resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle) domains = resp['Buffer']['Buffer'] print 'Found domain(s):' for domain in domains: print " . %s" % domain['Name'] logging.info("Looking up users in domain %s" % domains[0]['Name']) resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] ) resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId']) domainHandle = resp['DomainHandle'] status = STATUS_MORE_ENTRIES enumerationContext = 0 while status == STATUS_MORE_ENTRIES: try: resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext) except DCERPCException, e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for user in resp['Buffer']['Buffer']: r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId']) print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] ) info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation) entry = (user['Name'], user['RelativeId'], info['Buffer']['All']) entries.append(entry) samr.hSamrCloseHandle(dce, r['UserHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except ListUsersException, e: logging.critical("Error listing users: %s" % e)