
1# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved. 

2# 

3# This software is provided under a slightly modified version

4# of the Apache Software License. See the accompanying LICENSE file 

5# for more information. 

6# 

7# Config utilities 

8# 

9# Author: 

10# Ronnie Flathers / @ropnop 

11# 

12# Description: 

13# Helpful enum methods for discovering local admins through SAMR and LSAT 

14 

15from impacket.dcerpc.v5 import transport, lsat, samr, lsad 

16from impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED 

17 

18 

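class EnumLocalAdmins:
    """Enumerate the members of a host's built-in Administrators alias.

    Works over an SMB connection supplied by the caller: SAMR is used to
    list the member SIDs of alias RID 544 in the 'Builtin' domain, and
    LSAT is used to translate those SIDs into ``DOMAIN\\name`` strings.

    On the target this shows up as named-pipe access to ``samr`` and
    ``lsarpc`` over the existing SMB session.
    NOTE(review): hosts that restrict remote SAM calls are expected to
    reject the SAMR step with an access error -- not handled here, confirm
    that callers catch it.
    """

    def __init__(self, smbConnection):
        """Store the SMB connection and the two named-pipe string bindings.

        Args:
            smbConnection: connection object later handed to the DCE/RPC
                transport via ``set_smb_connection``.
        """
        self.__smbConnection = smbConnection
        self.__samrBinding = r'ncacn_np:445[\pipe\samr]'
        self.__lsaBinding = r'ncacn_np:445[\pipe\lsarpc]'

    def __getDceBinding(self, strBinding):
        """Return a DCE/RPC object for *strBinding* that reuses the stored SMB connection."""
        rpc = transport.DCERPCTransportFactory(strBinding)
        # Reuse the caller's SMB session instead of opening a new one.
        rpc.set_smb_connection(self.__smbConnection)
        return rpc.get_dce_rpc()

    def getLocalAdmins(self):
        """Return ``(adminSids, adminNames)`` for the Administrators alias.

        Returns:
            A tuple of two lists: the member SIDs as canonical strings, and
            the names produced by resolving those SIDs through LSAT.
        """
        adminSids = self.__getLocalAdminSids()
        adminNames = self.__resolveSids(adminSids)
        return adminSids, adminNames

    def __getLocalAdminSids(self):
        """Return the member SIDs of alias RID 544 in the 'Builtin' domain.

        Returns:
            list of SID strings as produced by ``formatCanonical()``.
        """
        dce = self.__getDceBinding(self.__samrBinding)
        dce.connect()
        # try/finally: any failing SAMR call below would otherwise leave the
        # RPC connection open, because disconnect() was only reached on success.
        try:
            dce.bind(samr.MSRPC_UUID_SAMR)
            resp = samr.hSamrConnect(dce)
            serverHandle = resp['ServerHandle']

            resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, 'Builtin')
            resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
            domainHandle = resp['DomainHandle']
            # 544 is the well-known RID of BUILTIN\Administrators.
            # NOTE(review): MAXIMUM_ALLOWED asks for every right the caller
            # can get; only listing members is needed here -- consider a
            # narrower access mask.
            resp = samr.hSamrOpenAlias(dce, domainHandle, desiredAccess=MAXIMUM_ALLOWED, aliasId=544)
            resp = samr.hSamrGetMembersInAlias(dce, resp['AliasHandle'])
            return [member['SidPointer'].formatCanonical() for member in resp['Members']['Sids']]
        finally:
            dce.disconnect()

    def __resolveSids(self, sids):
        """Translate *sids* into ``DOMAIN\\name`` strings through LSAT.

        Args:
            sids: list of SID strings to look up.

        Returns:
            list of names, one per entry of the lookup's translated names.
        """
        dce = self.__getDceBinding(self.__lsaBinding)
        dce.connect()
        # try/finally for the same reason as in __getLocalAdminSids: release
        # the RPC connection even when a lookup call raises.
        try:
            dce.bind(lsat.MSRPC_UUID_LSAT)
            resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
            policyHandle = resp['PolicyHandle']
            # NOTE(review): the lookup presumably raises when some SIDs cannot
            # be mapped (e.g. members whose account was deleted); that error
            # propagates to the caller unchanged -- confirm this is intended.
            resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
            domains = resp['ReferencedDomains']['Domains']
            # Each translated name carries an index into the referenced
            # domains table; join the two as DOMAIN\name.
            return [
                "{}\\{}".format(domains[item['DomainIndex']]['Name'], item['Name'])
                for item in resp['TranslatedNames']['Names']
            ]
        finally:
            dce.disconnect()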