from __future__ import division
from __future__ import print_function
import sys
import os
from pebble import ProcessPool
import argparse
try:
import ConfigParser
except ImportError:
import configparser as ConfigParser
import logging
from impacket import version
from impacket.dcerpc.v5 import transport
def run(username, password, domain, hashes, aesKey, doKerberos, kdcHost, remoteName, remoteHost):
    """Attempt one DCE/RPC connect to the target and report a pre-auth failure.

    A string binding ``ncacn_np:<remoteName>[\\pipe\\svcctl]`` is built, the
    transport is pointed at ``remoteHost`` on port 445, the credentials are
    attached (only when the transport type supports ``set_credentials``) and
    ``connect()`` is called.  If the connect raises and the error text contains
    ``KDC_ERR_PREAUTH_FAILED``, ``username`` is printed and, when the
    module-level ``options.o`` is set, appended to that file as one line.
    Every other connect error is ignored, and a successful connect prints
    nothing.

    Args:
        username: account name under test.
        password: password handed to the transport.
        domain: domain handed to the transport.
        hashes: ``'LMHASH:NTHASH'`` or ``None``; when given it must contain
            exactly one ``':'`` or the tuple unpacking raises ``ValueError``.
        aesKey: AES key handed to the transport.
        doKerberos, kdcHost: forwarded unchanged to ``set_kerberos``.
        remoteName: host name placed in the string binding.
        remoteHost: address the transport actually connects to.

    Returns:
        None.  Side effects are the stdout line and the optional append to
        ``options.o``; ``options`` is a global assigned under ``__main__``.
    """
    if hashes is None:
        lm_hash = nt_hash = ''
    else:
        lm_hash, nt_hash = hashes.split(':')

    binding = r'ncacn_np:%s[\pipe\svcctl]' % remoteName
    rpc_transport = transport.DCERPCTransportFactory(binding)
    rpc_transport.set_dport(445)
    rpc_transport.setRemoteHost(remoteHost)

    # Only some protocol sequences expose set_credentials; the kerberos
    # settings are attached in the same branch.
    if hasattr(rpc_transport, 'set_credentials'):
        rpc_transport.set_credentials(username, password, domain, lm_hash, nt_hash, aesKey)
        rpc_transport.set_kerberos(doKerberos, kdcHost)

    dce = rpc_transport.get_dce_rpc()
    try:
        dce.connect()
    except Exception as err:
        # NOTE(review): every probe is a failed logon against remoteHost and
        # is presumably visible in that host's authentication logs — confirm.
        if 'KDC_ERR_PREAUTH_FAILED' not in str(err):
            return
        print(username)
        if options.o is not None:
            with open(options.o, 'a') as out_file:
                out_file.write('{}\n'.format(username))
def mt_execute(username):  # multithreading requires a function
    """Worker entry point for the process pool: probe one username.

    Calls :func:`run` with a fixed placeholder password, ``options.d`` as the
    domain and ``options.target`` as both the binding name and the host.  Any
    exception is printed and swallowed, so a failing probe never surfaces as a
    worker error to the pool.

    Args:
        username: account name handed to :func:`run`.

    Returns:
        None.
    """
    probe_args = (
        username,
        'IUHFeruifgKI$F(jfeyrbuifer324!!!!!s',  # placeholder password; run() only inspects the connect error text
        options.d,
        None,  # hashes
        None,  # aesKey
        None,  # doKerberos
        None,  # kdcHost
        options.target,  # remoteName
        options.target,  # remoteHost
    )
    try:
        run(*probe_args)
    except Exception as exc:
        print(str(exc))
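if __name__ == '__main__':
    # Command-line front end: parse options, build the username list and fan
    # the probes out over a process pool.  `options` stays at module level
    # because run() and mt_execute() read it as a global.
    parser = argparse.ArgumentParser(add_help=True, description="")
    parser.add_argument('-u', action='store', help='Username or path to file containing usernames 1 per line')
    parser.add_argument('-d', action='store', help='FQDN to use')
    parser.add_argument('-o', action='store', help='File to output to')
    parser.add_argument('target', action='store', help='IP to check the account against')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
    # Help text now states the real default (it previously claimed default=1).
    parser.add_argument('-threads', action='store', default=5, type=int, help='Number of threads to use (default=5)')

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # Init the example's logger theme
    if options.debug:
        logging.getLogger().setLevel(logging.DEBUG)
        # Print the Library's installation path
        logging.debug(version.getInstallationPath())
    else:
        logging.getLogger().setLevel(logging.INFO)

    if options.d is None:
        options.d = ''

    # -u is mandatory: os.path.isfile(None) would otherwise raise TypeError.
    if options.u is None:
        parser.error('-u is required (a username or a path to a file of usernames)')

    # -u is either a path to a newline-separated list or a single username.
    if os.path.isfile(options.u):
        with open(options.u, 'r') as f:
            users_cleaned = [line.rstrip('\r\n') for line in f]
    else:
        users_cleaned = [options.u]

    # changed to pebble from concurrent futures because pebble supports timeout
    # correctly.  schedule() is called without a timeout here, so that
    # capability is not yet exercised.
    # NOTE(review): workers read the module-level `options`; this presumably
    # relies on the pool's start method inheriting it — confirm on platforms
    # that do not fork.
    with ProcessPool(max_workers=options.threads) as thread_exe:
        for username in users_cleaned:
            try:
                thread_exe.schedule(mt_execute, (username,))
            except Exception as e:
                print(str(e))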