Python impacket.dcerpc.v5.samr.hSamrOpenUser() Examples
The following are 17
code examples of impacket.dcerpc.v5.samr.hSamrOpenUser().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.dcerpc.v5.samr
, or try the search function
.
Example #1
Source File: test_samr.py From PiBunny with MIT License | 6 votes |
def test_hSamrSetSecurityObject(self): dce, rpctransport, domainHandle = self.connect() dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,)) resp.dump() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data']) resp.dump() userHandle = resp['UserHandle'] resp = samr.hSamrQuerySecurityObject(dce, userHandle, dtypes.GROUP_SECURITY_INFORMATION) resp.dump() try: resp = samr.hSamrSetSecurityObject(dce, userHandle,dtypes.GROUP_SECURITY_INFORMATION ,resp['SecurityDescriptor'] ) resp.dump() except Exception, e: if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0: raise
Example #2
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_hSamrSetSecurityObject(self): dce, rpctransport, domainHandle = self.connect() dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,)) resp.dump() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data']) resp.dump() userHandle = resp['UserHandle'] resp = samr.hSamrQuerySecurityObject(dce, userHandle, dtypes.GROUP_SECURITY_INFORMATION) resp.dump() try: resp = samr.hSamrSetSecurityObject(dce, userHandle,dtypes.GROUP_SECURITY_INFORMATION ,resp['SecurityDescriptor'] ) resp.dump() except Exception, e: if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0: raise
Example #3
Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
def test_hSamrSetSecurityObject(self): dce, rpctransport, domainHandle = self.connect() dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,)) resp.dump() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data']) resp.dump() userHandle = resp['UserHandle'] resp = samr.hSamrQuerySecurityObject(dce, userHandle, dtypes.GROUP_SECURITY_INFORMATION) resp.dump() try: resp = samr.hSamrSetSecurityObject(dce, userHandle,dtypes.GROUP_SECURITY_INFORMATION ,resp['SecurityDescriptor'] ) resp.dump() except Exception, e: if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0: raise
Example #4
Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 6 votes |
def test_hSamrSetSecurityObject(self): dce, rpctransport, domainHandle = self.connect() dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,)) resp.dump() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data']) resp.dump() userHandle = resp['UserHandle'] resp = samr.hSamrQuerySecurityObject(dce, userHandle, dtypes.GROUP_SECURITY_INFORMATION) resp.dump() try: resp = samr.hSamrSetSecurityObject(dce, userHandle,dtypes.GROUP_SECURITY_INFORMATION ,resp['SecurityDescriptor'] ) resp.dump() except Exception as e: if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0: raise resp = samr.hSamrCloseHandle(dce, userHandle) resp.dump()
Example #5
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_SamrSetSecurityObject(self): dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,)) resp.dump() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data']) resp.dump() userHandle = resp['UserHandle'] request = samr.SamrQuerySecurityObject() request['ObjectHandle'] = userHandle request['SecurityInformation'] = dtypes.GROUP_SECURITY_INFORMATION resp = dce.request(request) resp.dump() request = samr.SamrSetSecurityObject() request['ObjectHandle'] = userHandle request['SecurityInformation'] = dtypes.GROUP_SECURITY_INFORMATION request['SecurityDescriptor'] = resp['SecurityDescriptor'] #request.dump() try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0: raise
Example #6
Source File: test_samr.py From PiBunny with MIT License | 5 votes |
def test_SamrSetSecurityObject(self): dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,)) resp.dump() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data']) resp.dump() userHandle = resp['UserHandle'] request = samr.SamrQuerySecurityObject() request['ObjectHandle'] = userHandle request['SecurityInformation'] = dtypes.GROUP_SECURITY_INFORMATION resp = dce.request(request) resp.dump() request = samr.SamrSetSecurityObject() request['ObjectHandle'] = userHandle request['SecurityInformation'] = dtypes.GROUP_SECURITY_INFORMATION request['SecurityDescriptor'] = resp['SecurityDescriptor'] #request.dump() try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0: raise
Example #7
Source File: test_samr.py From PiBunny with MIT License | 5 votes |
def test_hSamrOpenUser(self): dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, samr.DOMAIN_USER_RID_ADMIN) resp.dump()
Example #8
Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
def test_SamrSetSecurityObject(self): dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,)) resp.dump() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data']) resp.dump() userHandle = resp['UserHandle'] request = samr.SamrQuerySecurityObject() request['ObjectHandle'] = userHandle request['SecurityInformation'] = dtypes.GROUP_SECURITY_INFORMATION resp = dce.request(request) resp.dump() request = samr.SamrSetSecurityObject() request['ObjectHandle'] = userHandle request['SecurityInformation'] = dtypes.GROUP_SECURITY_INFORMATION request['SecurityDescriptor'] = resp['SecurityDescriptor'] #request.dump() try: resp = dce.request(request) resp.dump() except Exception as e: if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0: raise resp = samr.hSamrCloseHandle(dce, userHandle) resp.dump()
Example #9
Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
def test_hSamrOpenUser(self): dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, samr.DOMAIN_USER_RID_ADMIN) resp.dump()
Example #10
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
def test_SamrSetSecurityObject(self): dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.username,)) resp.dump() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_ALL_ACCESS | samr.USER_READ_GROUP_INFORMATION | samr.USER_WRITE_GROUP_INFORMATION, resp['RelativeIds']['Element'][0]['Data']) resp.dump() userHandle = resp['UserHandle'] request = samr.SamrQuerySecurityObject() request['ObjectHandle'] = userHandle request['SecurityInformation'] = dtypes.GROUP_SECURITY_INFORMATION resp = dce.request(request) resp.dump() request = samr.SamrSetSecurityObject() request['ObjectHandle'] = userHandle request['SecurityInformation'] = dtypes.GROUP_SECURITY_INFORMATION request['SecurityDescriptor'] = resp['SecurityDescriptor'] #request.dump() try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_BAD_DESCRIPTOR_FORMAT') <= 0: raise
Example #11
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
def test_hSamrOpenUser(self): dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, samr.DOMAIN_USER_RID_ADMIN) resp.dump()
Example #12
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_hSamrOpenUser(self): dce, rpctransport, domainHandle = self.connect() resp = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, samr.DOMAIN_USER_RID_ADMIN) resp.dump()
Example #13
Source File: samrdump.py From Slackor with GNU General Public License v3.0 | 4 votes |
def __fetchList(self, rpctransport): dce = rpctransport.get_dce_rpc() entries = [] dce.connect() dce.bind(samr.MSRPC_UUID_SAMR) try: resp = samr.hSamrConnect(dce) serverHandle = resp['ServerHandle'] resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle) domains = resp['Buffer']['Buffer'] print('Found domain(s):') for domain in domains: print(" . %s" % domain['Name']) logging.info("Looking up users in domain %s" % domains[0]['Name']) resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] ) resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId']) domainHandle = resp['DomainHandle'] status = STATUS_MORE_ENTRIES enumerationContext = 0 while status == STATUS_MORE_ENTRIES: try: resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext) except DCERPCException as e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for user in resp['Buffer']['Buffer']: r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId']) print("Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] )) info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation) entry = (user['Name'], user['RelativeId'], info['Buffer']['All']) entries.append(entry) samr.hSamrCloseHandle(dce, r['UserHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except ListUsersException as e: logging.critical("Error listing users: %s" % e) dce.disconnect() return entries # Process command-line arguments.
Example #14
Source File: enumerid.py From enumerid with BSD 3-Clause "New" or "Revised" License | 4 votes |
def enumerate_users_in_group(self, dce, domain_handle): request = samr.SamrOpenGroup() request['DomainHandle'] = domain_handle request['DesiredAccess'] = samr.MAXIMUM_ALLOWED request['GroupId'] = self.rid try: resp = dce.request(request) except samr.DCERPCSessionError: raise request = samr.SamrGetMembersInGroup() request['GroupHandle'] = resp['GroupHandle'] resp = dce.request(request) self.log.info('[*] Group RID detected. Enumerating users/hosts in group..\n') try: rids = resp['Members']['Members'] except AttributeError: self.log.info('[-] No users in group') return mutex = Lock() for rid in rids: try: resp = samr.hSamrOpenUser(dce, domain_handle, samr.MAXIMUM_ALLOWED, rid['Data']) rid_data = samr.hSamrQueryInformationUser2(dce, resp['UserHandle'], samr.USER_INFORMATION_CLASS.UserAllInformation) except samr.DCERPCSessionError as e: # Occasionally an ACCESS_DENIED is rasied even though the user has permissions? # Other times a STATUS_NO_SUCH_USER is raised when a rid apparently doesn't exist, even though it reported back as existing. self.log.debug(e) continue if self.fqdn: rid_data = rid_data['Buffer']['All']['UserName'].replace('$', '') + '.' + self.fqdn else: rid_data = rid_data['Buffer']['All']['UserName'].replace('$', '') samr.hSamrCloseHandle(dce, resp['UserHandle']) if self.dns_lookup: # Threading because DNS lookups are slow t = Thread(target=self.get_ip, args=(rid_data, mutex,)) t.start() else: self.log.info(rid_data) self.data.append(rid_data)
Example #15
Source File: enumerid.py From enumerid with BSD 3-Clause "New" or "Revised" License | 4 votes |
def enumerate_user_info(self, dce, domain_handle): # Most of this method was built using logic from samrdump.py user_request = samr.hSamrOpenUser(dce, domain_handle, samr.MAXIMUM_ALLOWED, self.rid) self.log.info('[*] User RID detected. Enumerating information on user..\n') info = samr.hSamrQueryInformationUser(dce, user_request['UserHandle'], samr.USER_INFORMATION_CLASS.UserAllInformation) user = info['Buffer']['All'] pass_last_set = self.expiration_check(user, 'PasswordLastSet') account_expires = self.expiration_check(user, 'AccountExpires') pass_expires = self.expiration_check(user, 'PasswordMustChange') pass_can_change = self.expiration_check(user, 'PasswordCanChange') last_logon = self.expiration_check(user, 'LastLogon') account_active = self.attribute_bool(user, samr.USER_ACCOUNT_DISABLED) user_may_change_pass = self.attribute_bool(user, samr.USER_CHANGE_PASSWORD) password_required = self.attribute_bool(user, samr.USER_PASSWORD_NOT_REQUIRED) workstations_allowed = user['WorkStations'] if workstations_allowed == '': workstations_allowed = 'All' self.log.info('User name\t\t\t{0}'.format(user['UserName'])) self.log.info('User RID\t\t\t{0}'.format(user['UserId'])) self.log.info('Full Name\t\t\t{0}'.format(user['FullName'])) self.log.info('Comment\t\t\t\t{0}'.format(user['AdminComment'])) self.log.info("User's Comment\t\t\t\t{0}".format(user['UserComment'])) self.log.info('Country/region code\t\t{0}'.format(user['CountryCode'])) self.log.info('Account active\t\t\t{0}'.format(account_active)) self.log.info('Account expires\t\t\t{0}\n'.format(account_expires)) self.log.info('Password last set\t\t{0}'.format(pass_last_set)) self.log.info('Password expires\t\t{0}'.format(pass_expires)) self.log.info('Password changeable\t\t{0}'.format(pass_can_change)) self.log.info('Password required\t\t{0}'.format(password_required)) self.log.info('Bad Password Count\t\t{0}'.format(user['BadPasswordCount'])) self.log.info('User may change password\t{0}\n'.format(user_may_change_pass)) self.log.info('Workstations allowed\t\t{0}'.format(workstations_allowed)) self.log.info('Logon script\t\t\t\t{0}'.format(user['ScriptPath'])) self.log.info('User profile\t\t\t\t{0}'.format(user['ProfilePath'])) self.log.info('Home directory\t\t\t{0}'.format(user['HomeDirectory'])) self.log.info('Home directory drive\t\t{0}\n'.format(user['HomeDirectoryDrive'])) self.log.info('Group Memberships') group_rids = samr.hSamrGetGroupsForUser(dce, user_request['UserHandle'])['Groups']['Groups'] for i, group_rid in enumerate(group_rids): group_rid = group_rids[i]['RelativeId'] group_request = samr.hSamrOpenGroup(dce, domain_handle, samr.MAXIMUM_ALLOWED, group_rid) group_info = samr.hSamrQueryInformationGroup(dce, group_request['GroupHandle']) group_name = group_info['Buffer']['General']['Name'] group_comment = group_info['Buffer']['General']['AdminComment'] self.log.info('Name: {0}\nDesc: {1}\n'.format(group_name, group_comment)) samr.hSamrCloseHandle(dce, user_request['UserHandle']) samr.hSamrCloseHandle(dce, group_request['GroupHandle'])
Example #16
Source File: samrdump.py From LHF with GNU General Public License v3.0 | 4 votes |
def __fetchList(self, rpctransport): dce = rpctransport.get_dce_rpc() entries = [] dce.connect() dce.bind(samr.MSRPC_UUID_SAMR) try: resp = samr.hSamrConnect(dce) serverHandle = resp['ServerHandle'] resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle) domains = resp['Buffer']['Buffer'] print 'Found domain(s):' for domain in domains: print " . %s" % domain['Name'] logging.info("Looking up users in domain %s" % domains[0]['Name']) resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] ) resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId']) domainHandle = resp['DomainHandle'] done = False status = STATUS_MORE_ENTRIES enumerationContext = 0 while status == STATUS_MORE_ENTRIES: try: resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext) except Exception, e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for user in resp['Buffer']['Buffer']: r = samr.hSamrOpenUser(dce, domainHandle, samr.USER_READ_GENERAL | samr.USER_READ_PREFERENCES | samr.USER_READ_ACCOUNT, user['RelativeId']) print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] ) info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation) entry = (user['Name'], user['RelativeId'], info['Buffer']['All']) entries.append(entry) samr.hSamrCloseHandle(dce, r['UserHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except ListUsersException, e: logging.critical("Error listing users: %s" % e)
Example #17
Source File: samrdump.py From PiBunny with MIT License | 4 votes |
def __fetchList(self, rpctransport): dce = rpctransport.get_dce_rpc() entries = [] dce.connect() dce.bind(samr.MSRPC_UUID_SAMR) try: resp = samr.hSamrConnect(dce) serverHandle = resp['ServerHandle'] resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle) domains = resp['Buffer']['Buffer'] print 'Found domain(s):' for domain in domains: print " . %s" % domain['Name'] logging.info("Looking up users in domain %s" % domains[0]['Name']) resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] ) resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId']) domainHandle = resp['DomainHandle'] status = STATUS_MORE_ENTRIES enumerationContext = 0 while status == STATUS_MORE_ENTRIES: try: resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext) except DCERPCException, e: if str(e).find('STATUS_MORE_ENTRIES') < 0: raise resp = e.get_packet() for user in resp['Buffer']['Buffer']: r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId']) print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] ) info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation) entry = (user['Name'], user['RelativeId'], info['Buffer']['All']) entries.append(entry) samr.hSamrCloseHandle(dce, r['UserHandle']) enumerationContext = resp['EnumerationContext'] status = resp['ErrorCode'] except ListUsersException, e: logging.critical("Error listing users: %s" % e)