# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Config utilities
#
# Author:
#  Ronnie Flathers / @ropnop
#
# Description:
#  Helpful enum methods for discovering local admins through SAMR and LSAT
15from impacket.dcerpc.v5 import transport, lsat, samr, lsad
16from impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED
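class EnumLocalAdmins:
    """List the members of the built-in Administrators alias over SMB.

    The SIDs are read through SAMR (``\\pipe\\samr``) from alias RID 544 of
    the ``Builtin`` domain, then translated to ``DOMAIN\\name`` strings
    through LSAT (``\\pipe\\lsarpc``). Both RPC sessions reuse the SMB
    connection handed to the constructor.

    Defender note: this shows up on the target as named-pipe access to
    ``samr`` and ``lsarpc`` (visible with detailed file share auditing,
    event 5145), and the SAMR half can be limited with the Windows policy
    "Network access: Restrict clients allowed to make remote calls to SAM".
    """

    def __init__(self, smbConnection):
        """Store the established SMB connection and the two pipe bindings."""
        self.__smbConnection = smbConnection
        self.__samrBinding = r'ncacn_np:445[\pipe\samr]'
        self.__lsaBinding = r'ncacn_np:445[\pipe\lsarpc]'

    def __getDceBinding(self, strBinding):
        """Return a DCE/RPC object for *strBinding* bound to the stored SMB connection."""
        rpc = transport.DCERPCTransportFactory(strBinding)
        rpc.set_smb_connection(self.__smbConnection)
        return rpc.get_dce_rpc()

    def getLocalAdmins(self):
        """Return ``(sids, names)`` for the members of the Administrators alias.

        ``sids`` is a list of canonical SID strings; ``names`` is the list of
        ``DOMAIN\\name`` strings produced by looking those SIDs up.
        """
        adminSids = self.__getLocalAdminSids()
        adminNames = self.__resolveSids(adminSids)
        return adminSids, adminNames

    def __getLocalAdminSids(self):
        """Return the canonical SIDs of every member of Builtin alias 544."""
        dce = self.__getDceBinding(self.__samrBinding)
        dce.connect()
        # Everything after connect() runs under try/finally so a failed bind
        # or SAMR call does not leave the pipe session open.
        try:
            dce.bind(samr.MSRPC_UUID_SAMR)
            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle']

            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, 'Builtin')
            resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
            domainHandle = resp['DomainHandle']
            # 544 is the well-known RID of the built-in Administrators alias.
            resp = samr.hSamrOpenAlias(dce, domainHandle, desiredAccess=MAXIMUM_ALLOWED, aliasId=544)
            resp = samr.hSamrGetMembersInAlias(dce, resp['AliasHandle'])
            return [member['SidPointer'].formatCanonical() for member in resp['Members']['Sids']]
        finally:
            dce.disconnect()

    def __resolveSids(self, sids):
        """Translate *sids* into ``DOMAIN\\name`` strings via an LSAT SID lookup."""
        dce = self.__getDceBinding(self.__lsaBinding)
        dce.connect()
        # Same guarantee as the SAMR session: always disconnect once connected.
        try:
            dce.bind(lsat.MSRPC_UUID_LSAT)
            resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
            policyHandle = resp['PolicyHandle']
            resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
            domains = resp['ReferencedDomains']['Domains']
            # Each translated name carries an index into the referenced-domain table.
            return [
                "{}\\{}".format(domains[item['DomainIndex']]['Name'], item['Name'])
                for item in resp['TranslatedNames']['Names']
            ]
        finally:
            dce.disconnect()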