Python impacket.dcerpc.v5.samr.hSamrOpenUser() Examples

The following are 17 code examples of impacket.dcerpc.v5.samr.hSamrOpenUser(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module impacket.dcerpc.v5.samr , or try the search function .
Example #1
Source File: test_samr.py    From PiBunny with MIT License 6 votes vote down vote up
def test_hSamrSetSecurityObject(self):
        dce, rpctransport, domainHandle  = self.connect()
        dce, rpctransport, domainHandle  = self.connect()

        resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,))
        resp.dump()

        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data'])
        resp.dump()
        userHandle = resp['UserHandle']
        resp = samr.hSamrQuerySecurityObject(dce, userHandle, dtypes.GROUP_SECURITY_INFORMATION)
        resp.dump()

        try:
            resp = samr.hSamrSetSecurityObject(dce, userHandle,dtypes.GROUP_SECURITY_INFORMATION ,resp['SecurityDescriptor']  )
            resp.dump()
        except Exception, e:
            if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0:
                raise 
Example #2
Source File: test_samr.py    From CVE-2017-7494 with GNU General Public License v3.0 6 votes vote down vote up
def test_hSamrSetSecurityObject(self):
        dce, rpctransport, domainHandle  = self.connect()
        dce, rpctransport, domainHandle  = self.connect()

        resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,))
        resp.dump()

        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data'])
        resp.dump()
        userHandle = resp['UserHandle']
        resp = samr.hSamrQuerySecurityObject(dce, userHandle, dtypes.GROUP_SECURITY_INFORMATION)
        resp.dump()

        try:
            resp = samr.hSamrSetSecurityObject(dce, userHandle,dtypes.GROUP_SECURITY_INFORMATION ,resp['SecurityDescriptor']  )
            resp.dump()
        except Exception, e:
            if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0:
                raise 
Example #3
Source File: test_samr.py    From cracke-dit with MIT License 6 votes vote down vote up
def test_hSamrSetSecurityObject(self):
        dce, rpctransport, domainHandle  = self.connect()
        dce, rpctransport, domainHandle  = self.connect()

        resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,))
        resp.dump()

        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data'])
        resp.dump()
        userHandle = resp['UserHandle']
        resp = samr.hSamrQuerySecurityObject(dce, userHandle, dtypes.GROUP_SECURITY_INFORMATION)
        resp.dump()

        try:
            resp = samr.hSamrSetSecurityObject(dce, userHandle,dtypes.GROUP_SECURITY_INFORMATION ,resp['SecurityDescriptor']  )
            resp.dump()
        except Exception, e:
            if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0:
                raise 
Example #4
Source File: test_samr.py    From Slackor with GNU General Public License v3.0 6 votes vote down vote up
def test_hSamrSetSecurityObject(self):
        dce, rpctransport, domainHandle  = self.connect()
        dce, rpctransport, domainHandle  = self.connect()

        resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,))
        resp.dump()

        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data'])
        resp.dump()
        userHandle = resp['UserHandle']
        resp = samr.hSamrQuerySecurityObject(dce, userHandle, dtypes.GROUP_SECURITY_INFORMATION)
        resp.dump()

        try:
            resp = samr.hSamrSetSecurityObject(dce, userHandle,dtypes.GROUP_SECURITY_INFORMATION ,resp['SecurityDescriptor']  )
            resp.dump()
        except Exception as e:
            if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0:
                raise

        resp = samr.hSamrCloseHandle(dce, userHandle)
        resp.dump() 
Example #5
Source File: test_samr.py    From CVE-2017-7494 with GNU General Public License v3.0 5 votes vote down vote up
def test_SamrSetSecurityObject(self):
        dce, rpctransport, domainHandle  = self.connect()

        resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,))
        resp.dump()

        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data'])
        resp.dump()
        userHandle = resp['UserHandle']
        request = samr.SamrQuerySecurityObject()
        request['ObjectHandle'] =  userHandle
        request['SecurityInformation'] =  dtypes.GROUP_SECURITY_INFORMATION
        resp = dce.request(request)
        resp.dump()

        request = samr.SamrSetSecurityObject()
        request['ObjectHandle'] =  userHandle
        request['SecurityInformation'] =  dtypes.GROUP_SECURITY_INFORMATION
        request['SecurityDescriptor'] = resp['SecurityDescriptor'] 
        #request.dump()
        try:
            resp = dce.request(request)
            resp.dump()
        except Exception, e:
            if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0:
                raise 
Example #6
Source File: test_samr.py    From PiBunny with MIT License 5 votes vote down vote up
def test_SamrSetSecurityObject(self):
        dce, rpctransport, domainHandle  = self.connect()

        resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,))
        resp.dump()

        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data'])
        resp.dump()
        userHandle = resp['UserHandle']
        request = samr.SamrQuerySecurityObject()
        request['ObjectHandle'] =  userHandle
        request['SecurityInformation'] =  dtypes.GROUP_SECURITY_INFORMATION
        resp = dce.request(request)
        resp.dump()

        request = samr.SamrSetSecurityObject()
        request['ObjectHandle'] =  userHandle
        request['SecurityInformation'] =  dtypes.GROUP_SECURITY_INFORMATION
        request['SecurityDescriptor'] = resp['SecurityDescriptor'] 
        #request.dump()
        try:
            resp = dce.request(request)
            resp.dump()
        except Exception, e:
            if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0:
                raise 
Example #7
Source File: test_samr.py    From PiBunny with MIT License 5 votes vote down vote up
def test_hSamrOpenUser(self):
        dce, rpctransport, domainHandle  = self.connect()
        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, samr.DOMAIN_USER_RID_ADMIN)

        resp.dump() 
Example #8
Source File: test_samr.py    From Slackor with GNU General Public License v3.0 5 votes vote down vote up
def test_SamrSetSecurityObject(self):
        dce, rpctransport, domainHandle  = self.connect()

        resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,))
        resp.dump()

        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data'])
        resp.dump()
        userHandle = resp['UserHandle']
        request = samr.SamrQuerySecurityObject()
        request['ObjectHandle'] =  userHandle
        request['SecurityInformation'] =  dtypes.GROUP_SECURITY_INFORMATION
        resp = dce.request(request)
        resp.dump()

        request = samr.SamrSetSecurityObject()
        request['ObjectHandle'] =  userHandle
        request['SecurityInformation'] =  dtypes.GROUP_SECURITY_INFORMATION
        request['SecurityDescriptor'] = resp['SecurityDescriptor'] 
        #request.dump()
        try:
            resp = dce.request(request)
            resp.dump()
        except Exception as e:
            if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0:
                raise

        resp = samr.hSamrCloseHandle(dce, userHandle)
        resp.dump() 
Example #9
Source File: test_samr.py    From Slackor with GNU General Public License v3.0 5 votes vote down vote up
def test_hSamrOpenUser(self):
        dce, rpctransport, domainHandle  = self.connect()
        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, samr.DOMAIN_USER_RID_ADMIN)

        resp.dump() 
Example #10
Source File: test_samr.py    From cracke-dit with MIT License 5 votes vote down vote up
def test_SamrSetSecurityObject(self):
        dce, rpctransport, domainHandle  = self.connect()

        resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,))
        resp.dump()

        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data'])
        resp.dump()
        userHandle = resp['UserHandle']
        request = samr.SamrQuerySecurityObject()
        request['ObjectHandle'] =  userHandle
        request['SecurityInformation'] =  dtypes.GROUP_SECURITY_INFORMATION
        resp = dce.request(request)
        resp.dump()

        request = samr.SamrSetSecurityObject()
        request['ObjectHandle'] =  userHandle
        request['SecurityInformation'] =  dtypes.GROUP_SECURITY_INFORMATION
        request['SecurityDescriptor'] = resp['SecurityDescriptor'] 
        #request.dump()
        try:
            resp = dce.request(request)
            resp.dump()
        except Exception, e:
            if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0:
                raise 
Example #11
Source File: test_samr.py    From cracke-dit with MIT License 5 votes vote down vote up
def test_hSamrOpenUser(self):
        dce, rpctransport, domainHandle  = self.connect()
        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, samr.DOMAIN_USER_RID_ADMIN)

        resp.dump() 
Example #12
Source File: test_samr.py    From CVE-2017-7494 with GNU General Public License v3.0 5 votes vote down vote up
def test_hSamrOpenUser(self):
        dce, rpctransport, domainHandle  = self.connect()
        resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, samr.DOMAIN_USER_RID_ADMIN)

        resp.dump() 
Example #13
Source File: samrdump.py    From Slackor with GNU General Public License v3.0 4 votes vote down vote up
def __fetchList(self, rpctransport):
        dce = rpctransport.get_dce_rpc()

        entries = []

        dce.connect()
        dce.bind(samr.MSRPC_UUID_SAMR)

        try:
            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle'] 

            resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
            domains = resp['Buffer']['Buffer']

            print('Found domain(s):')
            for domain in domains:
                print(" . %s" % domain['Name'])

            logging.info("Looking up users in domain %s" % domains[0]['Name'])

            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )

            resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
            domainHandle = resp['DomainHandle']

            status = STATUS_MORE_ENTRIES
            enumerationContext = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
                except DCERPCException as e:
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        raise 
                    resp = e.get_packet()

                for user in resp['Buffer']['Buffer']:
                    r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
                    print("Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] ))
                    info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
                    entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])
                    entries.append(entry)
                    samr.hSamrCloseHandle(dce, r['UserHandle'])

                enumerationContext = resp['EnumerationContext'] 
                status = resp['ErrorCode']

        except ListUsersException as e:
            logging.critical("Error listing users: %s" % e)

        dce.disconnect()

        return entries


# Process command-line arguments. 
Example #14
Source File: enumerid.py    From enumerid with BSD 3-Clause "New" or "Revised" License 4 votes vote down vote up
def enumerate_users_in_group(self, dce, domain_handle):
		request = samr.SamrOpenGroup()
		request['DomainHandle'] = domain_handle
		request['DesiredAccess'] = samr.MAXIMUM_ALLOWED
		request['GroupId'] = self.rid

		try:
			resp = dce.request(request)
		except samr.DCERPCSessionError:
				raise

		request = samr.SamrGetMembersInGroup()
		request['GroupHandle'] = resp['GroupHandle']
		resp = dce.request(request)
		self.log.info('[*] Group RID detected. Enumerating users/hosts in group..\n')

		try:
			rids = resp['Members']['Members']
		except AttributeError:
			self.log.info('[-] No users in group')
			return

		mutex = Lock()
		for rid in rids:
			try:
				resp = samr.hSamrOpenUser(dce, domain_handle, samr.MAXIMUM_ALLOWED, rid['Data'])
				rid_data = samr.hSamrQueryInformationUser2(dce, resp['UserHandle'], samr.USER_INFORMATION_CLASS.UserAllInformation)
			except samr.DCERPCSessionError as e:
				# Occasionally an ACCESS_DENIED is rasied even though the user has permissions?
				# Other times a STATUS_NO_SUCH_USER is raised when a rid apparently doesn't exist, even though it reported back as existing.
				self.log.debug(e)
				continue
			if self.fqdn:
				rid_data = rid_data['Buffer']['All']['UserName'].replace('$', '') + '.' + self.fqdn
			else:
				rid_data = rid_data['Buffer']['All']['UserName'].replace('$', '')
			samr.hSamrCloseHandle(dce, resp['UserHandle'])

			if self.dns_lookup:
				# Threading because DNS lookups are slow
				t = Thread(target=self.get_ip, args=(rid_data, mutex,))
				t.start()
			else:
				self.log.info(rid_data)
				self.data.append(rid_data) 
Example #15
Source File: enumerid.py    From enumerid with BSD 3-Clause "New" or "Revised" License 4 votes vote down vote up
def enumerate_user_info(self, dce, domain_handle):
		# Most of this method was built using logic from samrdump.py
		user_request = samr.hSamrOpenUser(dce, domain_handle, samr.MAXIMUM_ALLOWED, self.rid)
		self.log.info('[*] User RID detected. Enumerating information on user..\n')
		info = samr.hSamrQueryInformationUser(dce, user_request['UserHandle'], samr.USER_INFORMATION_CLASS.UserAllInformation)
		user = info['Buffer']['All']

		pass_last_set = self.expiration_check(user, 'PasswordLastSet')
		account_expires = self.expiration_check(user, 'AccountExpires')
		pass_expires = self.expiration_check(user, 'PasswordMustChange')
		pass_can_change = self.expiration_check(user, 'PasswordCanChange')
		last_logon = self.expiration_check(user, 'LastLogon')
		account_active = self.attribute_bool(user, samr.USER_ACCOUNT_DISABLED)
		user_may_change_pass = self.attribute_bool(user, samr.USER_CHANGE_PASSWORD)
		password_required = self.attribute_bool(user, samr.USER_PASSWORD_NOT_REQUIRED)

		workstations_allowed = user['WorkStations']

		if workstations_allowed == '':
			workstations_allowed = 'All'

		self.log.info('User name\t\t\t{0}'.format(user['UserName']))
		self.log.info('User RID\t\t\t{0}'.format(user['UserId']))
		self.log.info('Full Name\t\t\t{0}'.format(user['FullName']))
		self.log.info('Comment\t\t\t\t{0}'.format(user['AdminComment']))
		self.log.info("User's Comment\t\t\t\t{0}".format(user['UserComment']))
		self.log.info('Country/region code\t\t{0}'.format(user['CountryCode']))
		self.log.info('Account active\t\t\t{0}'.format(account_active))
		self.log.info('Account expires\t\t\t{0}\n'.format(account_expires))

		self.log.info('Password last set\t\t{0}'.format(pass_last_set))
		self.log.info('Password expires\t\t{0}'.format(pass_expires))
		self.log.info('Password changeable\t\t{0}'.format(pass_can_change))
		self.log.info('Password required\t\t{0}'.format(password_required))
		self.log.info('Bad Password Count\t\t{0}'.format(user['BadPasswordCount']))
		self.log.info('User may change password\t{0}\n'.format(user_may_change_pass))

		self.log.info('Workstations allowed\t\t{0}'.format(workstations_allowed))
		self.log.info('Logon script\t\t\t\t{0}'.format(user['ScriptPath']))
		self.log.info('User profile\t\t\t\t{0}'.format(user['ProfilePath']))
		self.log.info('Home directory\t\t\t{0}'.format(user['HomeDirectory']))
		self.log.info('Home directory drive\t\t{0}\n'.format(user['HomeDirectoryDrive']))

		self.log.info('Group Memberships')
		group_rids = samr.hSamrGetGroupsForUser(dce, user_request['UserHandle'])['Groups']['Groups']

		for i, group_rid in enumerate(group_rids):
			group_rid = group_rids[i]['RelativeId']
			group_request = samr.hSamrOpenGroup(dce, domain_handle, samr.MAXIMUM_ALLOWED, group_rid)
			group_info = samr.hSamrQueryInformationGroup(dce, group_request['GroupHandle'])
			group_name = group_info['Buffer']['General']['Name']
			group_comment = group_info['Buffer']['General']['AdminComment']
			self.log.info('Name: {0}\nDesc: {1}\n'.format(group_name, group_comment))

		samr.hSamrCloseHandle(dce, user_request['UserHandle'])
		samr.hSamrCloseHandle(dce, group_request['GroupHandle']) 
Example #16
Source File: samrdump.py    From LHF with GNU General Public License v3.0 4 votes vote down vote up
def __fetchList(self, rpctransport):
        dce = rpctransport.get_dce_rpc()

        entries = []

        dce.connect()
        dce.bind(samr.MSRPC_UUID_SAMR)

        try:
            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle'] 

            resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
            domains = resp['Buffer']['Buffer']

            print 'Found domain(s):'
            for domain in domains:
                print " . %s" % domain['Name']

            logging.info("Looking up users in domain %s" % domains[0]['Name'])

            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )

            resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
            domainHandle = resp['DomainHandle']

            done = False
            
            status = STATUS_MORE_ENTRIES
            enumerationContext = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
                except Exception, e:
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        raise 
                    resp = e.get_packet()

                for user in resp['Buffer']['Buffer']:
                    r = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, user['RelativeId'])
                    print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] )
    
                    info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
                    entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])
                    entries.append(entry)
                    samr.hSamrCloseHandle(dce, r['UserHandle'])

                enumerationContext = resp['EnumerationContext'] 
                status = resp['ErrorCode']

        except ListUsersException, e:
            logging.critical("Error listing users: %s" % e) 
Example #17
Source File: samrdump.py    From PiBunny with MIT License 4 votes vote down vote up
def __fetchList(self, rpctransport):
        dce = rpctransport.get_dce_rpc()

        entries = []

        dce.connect()
        dce.bind(samr.MSRPC_UUID_SAMR)

        try:
            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle'] 

            resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
            domains = resp['Buffer']['Buffer']

            print 'Found domain(s):'
            for domain in domains:
                print " . %s" % domain['Name']

            logging.info("Looking up users in domain %s" % domains[0]['Name'])

            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )

            resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
            domainHandle = resp['DomainHandle']

            status = STATUS_MORE_ENTRIES
            enumerationContext = 0
            while status == STATUS_MORE_ENTRIES:
                try:
                    resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
                except DCERPCException, e:
                    if str(e).find('STATUS_MORE_ENTRIES') < 0:
                        raise 
                    resp = e.get_packet()

                for user in resp['Buffer']['Buffer']:
                    r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
                    print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] )
                    info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
                    entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])
                    entries.append(entry)
                    samr.hSamrCloseHandle(dce, r['UserHandle'])

                enumerationContext = resp['EnumerationContext'] 
                status = resp['ErrorCode']

        except ListUsersException, e:
            logging.critical("Error listing users: %s" % e)