
1# Impacket - Collection of Python classes for working with network protocols. 

2# 

3# SECUREAUTH LABS. Copyright (C) 2020 SecureAuth Corporation. All rights reserved. 

4# 

5# This software is provided under a slightly modified version 

6# of the Apache Software License. See the accompanying LICENSE file 

7# for more information. 

8# 

9# Description: 

10# Config utilities 

11# 

12# Helpful enum methods for discovering local admins through SAMR and LSAT 

13# 

14# Author: 

15# Ronnie Flathers / @ropnop 

16# 

17from impacket.dcerpc.v5 import transport, lsat, samr, lsad 

18from impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED 

19 

20 

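class EnumLocalAdmins:
    """Enumerate the members of the local ``BUILTIN\\Administrators`` alias.

    Membership is read over SAMR and the resulting SIDs are translated to
    ``DOMAIN\\name`` strings over LSAT.  Both RPC interfaces are reached through
    named pipes on an SMB connection supplied by the caller, so the caller
    decides which credentials are used and what gets logged on its side.
    """

    # Well-known RID of the BUILTIN\Administrators alias (DOMAIN_ALIAS_RID_ADMINS).
    _ADMINS_ALIAS_RID = 544

    def __init__(self, smbConnection):
        """Bind the enumerator to an already-authenticated SMB connection.

        Args:
            smbConnection: connection object accepted by
                ``DCERPCTransport.set_smb_connection``; it is reused for
                every DCE/RPC call this class makes.
        """
        self.__smbConnection = smbConnection
        self.__samrBinding = r'ncacn_np:445[\pipe\samr]'
        self.__lsaBinding = r'ncacn_np:445[\pipe\lsarpc]'

    def __getDceBinding(self, strBinding):
        """Return a not-yet-connected DCE/RPC object for ``strBinding``.

        The transport is pointed at the SMB connection given to ``__init__``
        instead of opening a fresh session, so no additional authentication
        takes place here.
        """
        rpc = transport.DCERPCTransportFactory(strBinding)
        rpc.set_smb_connection(self.__smbConnection)
        return rpc.get_dce_rpc()

    def getLocalAdmins(self):
        """Return ``(adminSids, adminNames)`` for the local Administrators alias.

        Returns:
            A pair of lists: canonical SID strings of the alias members, and
            the matching ``DOMAIN\\name`` strings in the same order.

        Raises:
            Exceptions from the underlying DCE/RPC calls propagate unchanged.
        """
        adminSids = self.__getLocalAdminSids()
        adminNames = self.__resolveSids(adminSids)
        return adminSids, adminNames

    def __getLocalAdminSids(self):
        """Return the canonical SIDs of the members of alias RID 544 via SAMR.

        Opens the SAM server, the ``Builtin`` domain and the alias in turn,
        reads the member list, then closes every opened handle and drops the
        pipe connection -- also when one of the calls raises, so a failure
        halfway through does not leave a dangling pipe behind.
        """
        dce = self.__getDceBinding(self.__samrBinding)
        dce.connect()
        openHandles = []  # closed in reverse order of opening
        try:
            dce.bind(samr.MSRPC_UUID_SAMR)
            serverHandle = samr.hSamrConnect(dce)['ServerHandle']
            openHandles.append(serverHandle)

            domainId = samr.hSamrLookupDomainInSamServer(dce, serverHandle, 'Builtin')['DomainId']
            domainHandle = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=domainId)['DomainHandle']
            openHandles.append(domainHandle)

            aliasHandle = samr.hSamrOpenAlias(dce, domainHandle, desiredAccess=MAXIMUM_ALLOWED,
                                              aliasId=self._ADMINS_ALIAS_RID)['AliasHandle']
            openHandles.append(aliasHandle)

            resp = samr.hSamrGetMembersInAlias(dce, aliasHandle)
        finally:
            try:
                for handle in reversed(openHandles):
                    samr.hSamrCloseHandle(dce, handle)
            finally:
                dce.disconnect()
        return [member['SidPointer'].formatCanonical() for member in resp['Members']['Sids']]

    def __resolveSids(self, sids):
        """Translate canonical SIDs into ``DOMAIN\\name`` strings via LSAT.

        Args:
            sids: list of canonical SID strings, e.g. the output of
                ``__getLocalAdminSids``.

        Returns:
            list[str] of ``DOMAIN\\name`` entries, one per input SID, in order.
            An empty input yields an empty list without touching the network.
        """
        if not sids:
            return []
        dce = self.__getDceBinding(self.__lsaBinding)
        dce.connect()
        try:
            dce.bind(lsat.MSRPC_UUID_LSAT)
            policyHandle = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)['PolicyHandle']
            try:
                # NOTE(review): if some SIDs cannot be mapped the lookup is
                # expected to raise (STATUS_SOME_NOT_MAPPED) rather than return
                # a partial list -- confirm before relying on partial results.
                resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
            finally:
                lsad.hLsarClose(dce, policyHandle)
        finally:
            dce.disconnect()
        domains = resp['ReferencedDomains']['Domains']
        return ["{}\\{}".format(domains[item['DomainIndex']]['Name'], item['Name'])
                for item in resp['TranslatedNames']['Names']]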