Coverage for /root/GitHubProjects/impacket/impacket/examples/ntlmrelayx/utils/enum.py : 17%

1# Impacket - Collection of Python classes for working with network protocols.
2#
3# SECUREAUTH LABS. Copyright (C) 2020 SecureAuth Corporation. All rights reserved.
4#
5# This software is provided under a slightly modified version
6# of the Apache Software License. See the accompanying LICENSE file
7# for more information.
8#
9# Description:
10# Config utilities
11#
12# Helpful enum methods for discovering local admins through SAMR and LSAT
13#
14# Author:
15# Ronnie Flathers / @ropnop
16#
17from impacket.dcerpc.v5 import transport, lsat, samr, lsad
18from impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED
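class EnumLocalAdmins:
    """Enumerate the members of the local Administrators alias over SMB.

    Reuses an already-established SMB connection to talk to two named
    pipes: SAMR (to list the member SIDs of alias 544 in the ``Builtin``
    domain) and LSARPC (to translate those SIDs into account names).

    Each lookup opens its own DCE/RPC binding and releases it in a
    ``finally`` block, so a rejected or failed RPC call (for example on a
    host that denies the SAMR or LSA request) does not leave the binding
    open on the shared SMB connection.
    """

    def __init__(self, smbConnection):
        """Store the SMB connection and the two named-pipe string bindings.

        Args:
            smbConnection: existing SMB connection handed to the RPC
                transport via ``set_smb_connection``.
        """
        self.__smbConnection = smbConnection
        self.__samrBinding = r'ncacn_np:445[\pipe\samr]'
        self.__lsaBinding = r'ncacn_np:445[\pipe\lsarpc]'

    def __getDceBinding(self, strBinding):
        """Return a DCE/RPC object for *strBinding* bound to the stored SMB connection."""
        rpcTransport = transport.DCERPCTransportFactory(strBinding)
        rpcTransport.set_smb_connection(self.__smbConnection)
        return rpcTransport.get_dce_rpc()

    def getLocalAdmins(self):
        """Return ``(sids, names)`` for the members of the Administrators alias.

        Returns:
            A tuple of two lists in matching order: the canonical SID
            strings and the names resolved for them.
        """
        adminSids = self.__getLocalAdminSids()
        adminNames = self.__resolveSids(adminSids)
        return adminSids, adminNames

    def __getLocalAdminSids(self):
        """Return the canonical SID strings of alias 544 in the ``Builtin`` domain."""
        dce = self.__getDceBinding(self.__samrBinding)
        dce.connect()
        try:
            dce.bind(samr.MSRPC_UUID_SAMR)
            serverHandle = samr.hSamrConnect(dce)['ServerHandle']

            builtinDomain = samr.hSamrLookupDomainInSamServer(dce, serverHandle, 'Builtin')
            openedDomain = samr.hSamrOpenDomain(
                dce, serverHandle=serverHandle, domainId=builtinDomain['DomainId'])
            # 544 is the well-known RID of BUILTIN\Administrators.
            openedAlias = samr.hSamrOpenAlias(
                dce, openedDomain['DomainHandle'],
                desiredAccess=MAXIMUM_ALLOWED, aliasId=544)
            members = samr.hSamrGetMembersInAlias(dce, openedAlias['AliasHandle'])
            return [member['SidPointer'].formatCanonical()
                    for member in members['Members']['Sids']]
        finally:
            # Release the binding even when one of the RPC calls raises.
            # If disconnect() itself fails, its exception replaces the
            # pending one (which stays chained as __context__).
            dce.disconnect()

    def __resolveSids(self, sids):
        """Translate *sids* into account names through LSARPC.

        Args:
            sids: list of SID strings to look up.

        Returns:
            A list of names, each built as the referenced domain name, a
            backslash, and the translated account name.
        """
        dce = self.__getDceBinding(self.__lsaBinding)
        dce.connect()
        try:
            dce.bind(lsat.MSRPC_UUID_LSAT)
            policy = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
            lookup = lsat.hLsarLookupSids(
                dce, policy['PolicyHandle'], sids,
                lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
            domains = lookup['ReferencedDomains']['Domains']
            # Each translated entry carries an index into the referenced
            # domain list; join the two as DOMAIN\name.
            return ["{}\\{}".format(domains[item['DomainIndex']]['Name'], item['Name'])
                    for item in lookup['TranslatedNames']['Names']]
        finally:
            # Same clean-up guarantee as the SAMR lookup.
            dce.disconnect()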