Python win32security.ConvertSidToStringSid() Examples
The following are 15
code examples of win32security.ConvertSidToStringSid().
Example #1
Source File: authorizers.py From oss-ftp with MIT License | 7 votes |
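def get_home_dir(self, username):
    """Return the user's profile directory, the closest thing to a
    user home directory we have on Windows.

    The directory is read from the ``ProfileImagePath`` value of the
    account's ``ProfileList`` registry key under HKEY_LOCAL_MACHINE.

    Raises AuthorizerError when the account name cannot be resolved to a
    SID or when no ProfileList key exists for that SID.
    """
    try:
        # The registry sub-key is named after the SID string that the OS
        # returns for the account, not after the caller-supplied username.
        sid = win32security.ConvertSidToStringSid(
            win32security.LookupAccountName(None, username)[0])
    except pywintypes.error as err:
        raise AuthorizerError(err)
    path = r"SOFTWARE\Microsoft\Windows NT" \
           r"\CurrentVersion\ProfileList" + "\\" + sid
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
    except WindowsError:
        raise AuthorizerError(
            "No profile directory defined for user %s" % username)
    try:
        value = winreg.QueryValueEx(key, "ProfileImagePath")[0]
    finally:
        # Release the registry handle on every path, including a missing
        # ProfileImagePath value; the original never closed it.
        winreg.CloseKey(key)
    # The stored path may contain %VARIABLE% references.
    home = win32api.ExpandEnvironmentStrings(value)
    if not PY3 and not isinstance(home, unicode):
        home = home.decode('utf8')
    return home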
Example #2
Source File: authorizers.py From oss-ftp with MIT License | 6 votes |
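def get_home_dir(self, username):
    """Return the user's profile directory, the closest thing to a
    user home directory we have on Windows.

    The directory is read from the ``ProfileImagePath`` value of the
    account's ``ProfileList`` registry key under HKEY_LOCAL_MACHINE.

    Raises AuthorizerError when the account name cannot be resolved to a
    SID or when no ProfileList key exists for that SID.
    """
    try:
        # The registry sub-key is named after the SID string that the OS
        # returns for the account, not after the caller-supplied username.
        sid = win32security.ConvertSidToStringSid(
            win32security.LookupAccountName(None, username)[0])
    except pywintypes.error as err:
        raise AuthorizerError(err)
    path = r"SOFTWARE\Microsoft\Windows NT" \
           r"\CurrentVersion\ProfileList" + "\\" + sid
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
    except WindowsError:
        raise AuthorizerError(
            "No profile directory defined for user %s" % username)
    try:
        value = winreg.QueryValueEx(key, "ProfileImagePath")[0]
    finally:
        # Release the registry handle on every path, including a missing
        # ProfileImagePath value; the original never closed it.
        winreg.CloseKey(key)
    # The stored path may contain %VARIABLE% references.
    home = win32api.ExpandEnvironmentStrings(value)
    if not PY3 and not isinstance(home, unicode):
        home = home.decode('utf8')
    return home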
Example #3
Source File: authorizers.py From script-languages with MIT License | 6 votes |
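def get_home_dir(self, username):
    """Return the user's profile directory, the closest thing to a
    user home directory we have on Windows.

    The directory is read from the ``ProfileImagePath`` value of the
    account's ``ProfileList`` registry key under HKEY_LOCAL_MACHINE.

    Raises AuthorizerError when the account name cannot be resolved to a
    SID or when no ProfileList key exists for that SID.
    """
    try:
        # The registry sub-key is named after the SID string that the OS
        # returns for the account, not after the caller-supplied username.
        sid = win32security.ConvertSidToStringSid(
            win32security.LookupAccountName(None, username)[0])
    except pywintypes.error as err:
        raise AuthorizerError(err)
    path = r"SOFTWARE\Microsoft\Windows NT" \
           r"\CurrentVersion\ProfileList" + "\\" + sid
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
    except WindowsError:
        raise AuthorizerError(
            "No profile directory defined for user %s" % username)
    try:
        value = winreg.QueryValueEx(key, "ProfileImagePath")[0]
    finally:
        # Release the registry handle on every path, including a missing
        # ProfileImagePath value; the original never closed it.
        winreg.CloseKey(key)
    # The stored path may contain %VARIABLE% references.
    home = win32api.ExpandEnvironmentStrings(value)
    if not PY3 and not isinstance(home, unicode):
        home = home.decode('utf8')
    return home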
Example #4
Source File: authorizers.py From pyftpdlib with MIT License | 6 votes |
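def get_home_dir(self, username):
    """Return the user's profile directory, the closest thing to a
    user home directory we have on Windows.

    The directory is read from the ``ProfileImagePath`` value of the
    account's ``ProfileList`` registry key under HKEY_LOCAL_MACHINE.

    Raises AuthorizerError when the account name cannot be resolved to a
    SID or when no ProfileList key exists for that SID.
    """
    try:
        # The registry sub-key is named after the SID string that the OS
        # returns for the account, not after the caller-supplied username.
        sid = win32security.ConvertSidToStringSid(
            win32security.LookupAccountName(None, username)[0])
    except pywintypes.error as err:
        raise AuthorizerError(err)
    path = r"SOFTWARE\Microsoft\Windows NT" \
           r"\CurrentVersion\ProfileList" + "\\" + sid
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
    except WindowsError:
        raise AuthorizerError(
            "No profile directory defined for user %s" % username)
    try:
        value = winreg.QueryValueEx(key, "ProfileImagePath")[0]
    finally:
        # Release the registry handle on every path, including a missing
        # ProfileImagePath value; the original never closed it.
        winreg.CloseKey(key)
    # The stored path may contain %VARIABLE% references.
    home = win32api.ExpandEnvironmentStrings(value)
    if not PY3 and not isinstance(home, unicode):
        home = home.decode('utf8')
    return home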
Example #5
Source File: windows-privesc-check.py From WHP with Do What The F*ck You Want To Public License | 5 votes |
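def dump_sd(object_name, object_type_s, sd, options=None):
    """Print the owner and group of a security descriptor and dump its DACL.

    object_name and object_type_s are passed through to dump_acl together
    with the descriptor's DACL and options. Owner and group are printed
    only when the module-level owner_info flag is set.

    Returns None, or [] when the descriptor has no DACL.
    """
    # Avoid a shared mutable default; callers passing a dict are unaffected.
    if options is None:
        options = {}
    if not sd:
        return
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:
        # Single-argument print(...) parses the same on Python 2 and 3.
        print("No Discretionary ACL")
        return []

    # Resolve the owner SID to DOMAIN\name; fall back to the SID string
    # when the lookup fails, and to None when the SID cannot be converted.
    owner_sid = sd.GetSecurityDescriptorOwner()
    try:
        owner_name, owner_domain, _sid_type = win32security.LookupAccountSid(remote_server, owner_sid)
        owner_fq = owner_domain + "\\" + owner_name
    except Exception:  # was a bare except, which also swallowed Ctrl-C
        try:
            owner_fq = owner_name = win32security.ConvertSidToStringSid(owner_sid)
            owner_domain = ""
        except Exception:
            owner_domain = ""
            owner_fq = owner_name = None

    # Same resolution for the primary group, with "[none]" as last resort.
    group_sid = sd.GetSecurityDescriptorGroup()
    try:
        group_name, group_domain, _sid_type = win32security.LookupAccountSid(remote_server, group_sid)
        group_fq = group_domain + "\\" + group_name
    except Exception:
        try:
            group_fq = group_name = win32security.ConvertSidToStringSid(group_sid)
            group_domain = ""
        except Exception:
            group_domain = ""
            group_fq = group_name = "[none]"

    if owner_info:
        print("\tOwner: " + str(owner_fq))
        print("\tGroup: " + str(group_fq))

    dump_acl(object_name, object_type_s, dacl, options)
    return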
Example #6
Source File: windows-privesc-check.py From WHP with Do What The F*ck You Want To Public License | 5 votes |
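def audit_passpol():
    """Print the account policy reported by NetUserModalsGet, levels 0-3.

    Every key/value pair returned for remote_server is printed. A
    'domain_id' value at level 2 is shown as a SID string, and a
    'lockout_threshold' of zero is annotated because it means accounts
    are never locked out after failed logons.
    """
    # Single-argument print(...) parses the same on Python 2 and 3;
    # print("") emits the blank line the bare print statement produced.
    print("")
    print("[+] NetUserModalsGet 0,1,2,3")
    print("")
    try:
        for level in (0, 1, 2, 3):
            data = win32net.NetUserModalsGet(remote_server, level)
            for key in data.keys():
                value = data[key]
                if level == 2 and key == 'domain_id':
                    print("%s: %s" % (key, win32security.ConvertSidToStringSid(value)))
                elif level in (2, 3) and key == 'lockout_threshold' and value in (0, '0'):
                    # The original compared against '0' at level 2 and 0 at
                    # level 3; accept either form at both levels.
                    print("%s: %s (accounts aren't locked out)" % (key, value))
                else:
                    print("%s: %s" % (key, value))
    except Exception:  # was a bare except, which also swallowed Ctrl-C
        # A failure at any level stops the remaining levels from being queried.
        print("[E] Couldn't get NetUserModals data")

# Recursive function to find group members (and the member of any groups in those groups...)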
Example #7
Source File: windowsprivcheck.py From LHF with GNU General Public License v3.0 | 5 votes |
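def dump_sd(object_name, object_type_s, sd, options=None):
    """Print the owner and group of a security descriptor and dump its DACL.

    object_name and object_type_s are passed through to dump_acl together
    with the descriptor's DACL and options. Owner and group are printed
    only when the module-level owner_info flag is set.

    Returns None, or [] when the descriptor has no DACL.
    """
    # Avoid a shared mutable default; callers passing a dict are unaffected.
    if options is None:
        options = {}
    if not sd:
        return
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:
        # Single-argument print(...) parses the same on Python 2 and 3.
        print("No Discretionary ACL")
        return []

    # Resolve the owner SID to DOMAIN\name; fall back to the SID string
    # when the lookup fails, and to None when the SID cannot be converted.
    owner_sid = sd.GetSecurityDescriptorOwner()
    try:
        owner_name, owner_domain, _sid_type = win32security.LookupAccountSid(remote_server, owner_sid)
        owner_fq = owner_domain + "\\" + owner_name
    except Exception:  # was a bare except, which also swallowed Ctrl-C
        try:
            owner_fq = owner_name = win32security.ConvertSidToStringSid(owner_sid)
            owner_domain = ""
        except Exception:
            owner_domain = ""
            owner_fq = owner_name = None

    # Same resolution for the primary group, with "[none]" as last resort.
    group_sid = sd.GetSecurityDescriptorGroup()
    try:
        group_name, group_domain, _sid_type = win32security.LookupAccountSid(remote_server, group_sid)
        group_fq = group_domain + "\\" + group_name
    except Exception:
        try:
            group_fq = group_name = win32security.ConvertSidToStringSid(group_sid)
            group_domain = ""
        except Exception:
            group_domain = ""
            group_fq = group_name = "[none]"

    if owner_info:
        print("\tOwner: " + str(owner_fq))
        print("\tGroup: " + str(group_fq))

    dump_acl(object_name, object_type_s, dacl, options)
    return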
Example #8
Source File: windowsprivcheck.py From LHF with GNU General Public License v3.0 | 5 votes |
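def audit_passpol():
    """Print the account policy reported by NetUserModalsGet, levels 0-3.

    Every key/value pair returned for remote_server is printed. A
    'domain_id' value at level 2 is shown as a SID string, and a
    'lockout_threshold' of zero is annotated because it means accounts
    are never locked out after failed logons.
    """
    # Single-argument print(...) parses the same on Python 2 and 3;
    # print("") emits the blank line the bare print statement produced.
    print("")
    print("[+] NetUserModalsGet 0,1,2,3")
    print("")
    try:
        for level in (0, 1, 2, 3):
            data = win32net.NetUserModalsGet(remote_server, level)
            for key in data.keys():
                value = data[key]
                if level == 2 and key == 'domain_id':
                    print("%s: %s" % (key, win32security.ConvertSidToStringSid(value)))
                elif level in (2, 3) and key == 'lockout_threshold' and value in (0, '0'):
                    # The original compared against '0' at level 2 and 0 at
                    # level 3; accept either form at both levels.
                    print("%s: %s (accounts aren't locked out)" % (key, value))
                else:
                    print("%s: %s" % (key, value))
    except Exception:  # was a bare except, which also swallowed Ctrl-C
        # A failure at any level stops the remaining levels from being queried.
        print("[E] Couldn't get NetUserModals data")

# Recursive function to find group members (and the member of any groups in those groups...)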
Example #9
Source File: win32-identd.py From code with MIT License | 5 votes |
def reply_userid(self, fd, pid, owner):
    """Send a success reply and log owner information."""
    try:
        local, remote = self.requests[fd]
    except KeyError:
        # NOTE(review): with this fallback both names are the int 0, yet
        # they are unpacked with * and indexed with [1] below -- looks
        # like this path would raise TypeError; confirm against callers.
        local, remote = 0, 0

    owner_sid, username, domain = owner
    # The reply line is built as "<os>,<charset>:<user>", so ':' and line
    # breaks inside the account name are neutralised before it is embedded.
    for old, new in ((":", "_"), ("\r", ""), ("\n", " ")):
        username = username.replace(old, new)

    code = "USERID"
    info = "%s,%s:%s" % (self.os_name, "UTF-8", username)

    message = "Successful query from %s." % format_addr(*fd.getpeername())
    details = (
        ("local", format_addr(*local)),
        ("remote", format_addr(*remote)),
        None,
        ("pid", pid),
        ("owner", win32security.ConvertSidToStringSid(owner_sid)),
        ("user", username),
        ("domain", domain),
        None,
        ("reply", code),
        ("info", info),
    )
    self.logEx("notice", message, *details)
    return self.send_reply(fd, local[1], remote[1], code, info)
Example #10
Source File: windows-privesc-check.py From WHP with Do What The F*ck You Want To Public License | 4 votes |
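def principle_is_trusted(principle, domain):
    """Return 1 if the principal is considered trusted, else 0.

    A principal is trusted when its bare name is in trusted_principles,
    when DOMAIN\\name is in trusted_principles_fq or
    tmp_trusted_principles_fq, when it is a local group with no members,
    or when it is a user belonging to a group listed in trusted_principles.
    """
    global tmp_trusted_principles_fq
    fq_name = domain + "\\" + principle
    if fq_name in trusted_principles_fq:
        return 1
    if principle in trusted_principles:
        return 1
    if fq_name in tmp_trusted_principles_fq:
        return 1

    # Consider groups with zero members to be trusted too
    # NOTE(review): this reflects membership at the time of the check only;
    # a group that gains members later would no longer qualify.
    try:
        memberdict, total, rh = win32net.NetLocalGroupGetMembers(remote_server, principle, 1, 0, 100000)
        if len(memberdict) == 0:
            return 1
    except Exception:  # was a bare except, which also swallowed Ctrl-C
        # The group lookup failed, so treat the principal as a user.
        # If a user is a member of a trusted group (like administrators), then they are trusted
        try:
            group_attrs = win32net.NetUserGetLocalGroups(remote_server, principle)
            if set(group_attrs).intersection(set(trusted_principles)):
                return 1
        except Exception:
            # Best effort: a failed lookup leaves the principal untrusted.
            pass

    return 0

# for memberinfo in memberdict:
#     print "\t" + memberinfo['name'] + " (" + win32security.ConvertSidToStringSid(memberinfo['sid']) + ")"
# TODO ignore groups that only contain administrators

# There are all possible objects. SE_OBJECT_TYPE (http://msdn.microsoft.com/en-us/library/aa379593(VS.85).aspx):
# win32security.SE_UNKNOWN_OBJECT_TYPE
# win32security.SE_FILE_OBJECT
# win32security.SE_SERVICE
# win32security.SE_PRINTER
# win32security.SE_REGISTRY_KEY
# win32security.SE_LMSHARE
# win32security.SE_KERNEL_OBJECT
# win32security.SE_WINDOW_OBJECT
# win32security.SE_DS_OBJECT
# win32security.SE_DS_OBJECT_ALL
# win32security.SE_PROVIDER_DEFINED_OBJECT
# win32security.SE_WMIGUID_OBJECT
# win32security.SE_REGISTRY_WOW64_32KEY
# object_type_s is one of
# service
# file
# dir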
Example #11
Source File: windows-privesc-check.py From WHP with Do What The F*ck You Want To Public License | 4 votes |
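def check_weak_perms_sd(object_name, object_type_s, sd, perms):
    """Return the permissions a DACL grants to principals that are not trusted.

    Each allow ACE in the descriptor's DACL is checked against the
    permission names in perms[object_type_s] (a mapping of constants module
    to tuple of attribute names). Every permission whose bits are all set
    in the ACE mask yields [object_name, domain, principle, perm].

    Returns [] when the descriptor has no DACL.
    """
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:
        # Single-argument print(...) parses the same on Python 2 and 3.
        print("No Discretionary ACL")
        return []

    # Resolve the owner so that CREATOR OWNER entries can be attributed.
    owner_sid = sd.GetSecurityDescriptorOwner()
    try:
        owner_name, owner_domain, _sid_type = win32security.LookupAccountSid(remote_server, owner_sid)
        owner_fq = owner_domain + "\\" + owner_name
    except Exception:  # was a bare except, which also swallowed Ctrl-C
        try:
            owner_fq = owner_name = win32security.ConvertSidToStringSid(owner_sid)
            owner_domain = ""
        except Exception:
            owner_domain = ""
            owner_fq = owner_name = "INVALIDSID!"

    known_ace_types = ("ACCESS_ALLOWED_ACE_TYPE", "ACCESS_DENIED_ACE_TYPE",
                       "SYSTEM_AUDIT_ACE_TYPE", "SYSTEM_ALARM_ACE_TYPE")
    weak_perms = []
    for ace_no in range(0, dacl.GetAceCount()):
        ace = dacl.GetAce(ace_no)
        # ace[0][0] is compared with the ACE type constants, ace[1] is used
        # as the access mask and ace[2] as the SID.
        try:
            principle, domain, _sid_type = win32security.LookupAccountSid(remote_server, ace[2])
        except Exception:
            principle = win32security.ConvertSidToStringSid(ace[2])
            domain = ""

        if principle_is_trusted(principle, domain):
            continue

        if principle == "CREATOR OWNER":
            if principle_is_trusted(owner_name, owner_domain):
                continue
            else:
                principle = "CREATOR OWNER [%s]" % owner_fq

        # Reset per ACE: the original left ace_type_s unbound (or holding the
        # previous ACE's type) when the type matched none of the known names,
        # so an unrecognised ACE could be evaluated as if it were an allow ACE.
        ace_type_s = None
        for i in known_ace_types:
            if getattr(ntsecuritycon, i) == ace[0][0]:
                ace_type_s = i

        if ace_type_s != "ACCESS_ALLOWED_ACE_TYPE":
            # NOTE(review): deny ACEs are skipped rather than subtracted, so
            # the findings may overstate the access that is effectively granted.
            shown_type = ace_type_s if ace_type_s is not None else str(ace[0][0])
            vprint("WARNING: Unimplmented ACE type encountered: " + shown_type + ". skipping.")
            continue

        for mod, perms_tuple in perms[object_type_s].items():
            for perm in perms_tuple:
                perm_bits = getattr(mod, perm)
                if perm_bits & ace[1] == perm_bits:
                    weak_perms.append([object_name, domain, principle, perm])
    return weak_perms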
Example #12
Source File: windows-privesc-check.py From WHP with Do What The F*ck You Want To Public License | 4 votes |
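def dump_acl(object_name, object_type_s, sd, options=None):
    """Collect the permissions granted by each ACE of a DACL and print them.

    Despite its name, sd is used directly as the DACL. Each ACE mask is
    checked against perms[object_type_s], where perms is
    dangerous_perms_write when the module-level weak_perms_only flag is set
    and all_perms otherwise. Matches are collected as
    [object_name, domain, principle, perm, ace_type_short] and handed to
    print_weak_perms together with options.

    Returns [] when sd is None, otherwise None.
    """
    # Avoid a shared mutable default; callers passing a dict are unaffected.
    if options is None:
        options = {}
    dacl = sd
    if dacl is None:
        # Single-argument print(...) parses the same on Python 2 and 3.
        print("No Discretionary ACL")
        return []

    short_names = {"ACCESS_DENIED_ACE_TYPE": "DENY",
                   "ACCESS_ALLOWED_ACE_TYPE": "ALLOW"}
    known_ace_types = ("ACCESS_ALLOWED_ACE_TYPE", "ACCESS_DENIED_ACE_TYPE",
                       "SYSTEM_AUDIT_ACE_TYPE", "SYSTEM_ALARM_ACE_TYPE")
    weak_perms = []
    for ace_no in range(0, dacl.GetAceCount()):
        ace = dacl.GetAce(ace_no)
        try:
            principle, domain, _sid_type = win32security.LookupAccountSid(remote_server, ace[2])
        except Exception:  # was a bare except, which also swallowed Ctrl-C
            principle = win32security.ConvertSidToStringSid(ace[2])
            domain = ""

        # A negative mask is mapped to its unsigned 32-bit value.
        mask = ace[1]
        if ace[1] < 0:
            mask = ace[1] + 2**32

        if ignore_trusted and principle_is_trusted(principle, domain):
            continue

        if principle == "CREATOR OWNER":
            # NOTE(review): owner_name and owner_domain are not assigned in
            # this function; presumably module globals -- verify, otherwise
            # this raises NameError whenever ignore_trusted is set.
            if ignore_trusted and principle_is_trusted(owner_name, owner_domain):
                continue
            else:
                # "\\%s" spells the same text as the original "\%s" without
                # relying on an unrecognised escape sequence.
                principle = "CREATOR OWNER [%s\\%s]" % (domain, principle)

        # Reset per ACE: the original left ace_type_s unbound (or holding the
        # previous ACE's type) when the type matched none of the known names,
        # which could label an unrecognised ACE as ALLOW or DENY.
        ace_type_s = str(ace[0][0])
        for i in known_ace_types:
            if getattr(ntsecuritycon, i) == ace[0][0]:
                ace_type_s = i
        ace_type_short = short_names.get(ace_type_s, ace_type_s)

        if weak_perms_only:
            perms = dangerous_perms_write
        else:
            perms = all_perms

        for mod, perms_tuple in perms[object_type_s].items():
            for perm in perms_tuple:
                perm_bits = getattr(mod, perm)
                if perm_bits & mask == perm_bits:
                    weak_perms.append([object_name, domain, principle, perm, ace_type_short])
    print_weak_perms(object_type_s, weak_perms, options)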
Example #13
Source File: windowsprivcheck.py From LHF with GNU General Public License v3.0 | 4 votes |
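def principle_is_trusted(principle, domain):
    """Return 1 if the principal is considered trusted, else 0.

    A principal is trusted when its bare name is in trusted_principles,
    when DOMAIN\\name is in trusted_principles_fq or
    tmp_trusted_principles_fq, when it is a local group with no members,
    or when it is a user belonging to a group listed in trusted_principles.
    """
    global tmp_trusted_principles_fq
    fq_name = domain + "\\" + principle
    if fq_name in trusted_principles_fq:
        return 1
    if principle in trusted_principles:
        return 1
    if fq_name in tmp_trusted_principles_fq:
        return 1

    # Consider groups with zero members to be trusted too
    # NOTE(review): this reflects membership at the time of the check only;
    # a group that gains members later would no longer qualify.
    try:
        memberdict, total, rh = win32net.NetLocalGroupGetMembers(remote_server, principle, 1, 0, 100000)
        if len(memberdict) == 0:
            return 1
    except Exception:  # was a bare except, which also swallowed Ctrl-C
        # The group lookup failed, so treat the principal as a user.
        # If a user is a member of a trusted group (like administrators), then they are trusted
        try:
            group_attrs = win32net.NetUserGetLocalGroups(remote_server, principle)
            if set(group_attrs).intersection(set(trusted_principles)):
                return 1
        except Exception:
            # Best effort: a failed lookup leaves the principal untrusted.
            pass

    return 0

# for memberinfo in memberdict:
#     print "\t" + memberinfo['name'] + " (" + win32security.ConvertSidToStringSid(memberinfo['sid']) + ")"
# TODO ignore groups that only contain administrators

# There are all possible objects. SE_OBJECT_TYPE (http://msdn.microsoft.com/en-us/library/aa379593(VS.85).aspx):
# win32security.SE_UNKNOWN_OBJECT_TYPE
# win32security.SE_FILE_OBJECT
# win32security.SE_SERVICE
# win32security.SE_PRINTER
# win32security.SE_REGISTRY_KEY
# win32security.SE_LMSHARE
# win32security.SE_KERNEL_OBJECT
# win32security.SE_WINDOW_OBJECT
# win32security.SE_DS_OBJECT
# win32security.SE_DS_OBJECT_ALL
# win32security.SE_PROVIDER_DEFINED_OBJECT
# win32security.SE_WMIGUID_OBJECT
# win32security.SE_REGISTRY_WOW64_32KEY
# object_type_s is one of
# service
# file
# dir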
Example #14
Source File: windowsprivcheck.py From LHF with GNU General Public License v3.0 | 4 votes |
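def check_weak_perms_sd(object_name, object_type_s, sd, perms):
    """Return the permissions a DACL grants to principals that are not trusted.

    Each allow ACE in the descriptor's DACL is checked against the
    permission names in perms[object_type_s] (a mapping of constants module
    to tuple of attribute names). Every permission whose bits are all set
    in the ACE mask yields [object_name, domain, principle, perm].

    Returns [] when the descriptor has no DACL.
    """
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:
        # Single-argument print(...) parses the same on Python 2 and 3.
        print("No Discretionary ACL")
        return []

    # Resolve the owner so that CREATOR OWNER entries can be attributed.
    owner_sid = sd.GetSecurityDescriptorOwner()
    try:
        owner_name, owner_domain, _sid_type = win32security.LookupAccountSid(remote_server, owner_sid)
        owner_fq = owner_domain + "\\" + owner_name
    except Exception:  # was a bare except, which also swallowed Ctrl-C
        try:
            owner_fq = owner_name = win32security.ConvertSidToStringSid(owner_sid)
            owner_domain = ""
        except Exception:
            owner_domain = ""
            owner_fq = owner_name = "INVALIDSID!"

    known_ace_types = ("ACCESS_ALLOWED_ACE_TYPE", "ACCESS_DENIED_ACE_TYPE",
                       "SYSTEM_AUDIT_ACE_TYPE", "SYSTEM_ALARM_ACE_TYPE")
    weak_perms = []
    for ace_no in range(0, dacl.GetAceCount()):
        ace = dacl.GetAce(ace_no)
        # ace[0][0] is compared with the ACE type constants, ace[1] is used
        # as the access mask and ace[2] as the SID.
        try:
            principle, domain, _sid_type = win32security.LookupAccountSid(remote_server, ace[2])
        except Exception:
            principle = win32security.ConvertSidToStringSid(ace[2])
            domain = ""

        if principle_is_trusted(principle, domain):
            continue

        if principle == "CREATOR OWNER":
            if principle_is_trusted(owner_name, owner_domain):
                continue
            else:
                principle = "CREATOR OWNER [%s]" % owner_fq

        # Reset per ACE: the original left ace_type_s unbound (or holding the
        # previous ACE's type) when the type matched none of the known names,
        # so an unrecognised ACE could be evaluated as if it were an allow ACE.
        ace_type_s = None
        for i in known_ace_types:
            if getattr(ntsecuritycon, i) == ace[0][0]:
                ace_type_s = i

        if ace_type_s != "ACCESS_ALLOWED_ACE_TYPE":
            # NOTE(review): deny ACEs are skipped rather than subtracted, so
            # the findings may overstate the access that is effectively granted.
            shown_type = ace_type_s if ace_type_s is not None else str(ace[0][0])
            vprint("WARNING: Unimplmented ACE type encountered: " + shown_type + ". skipping.")
            continue

        for mod, perms_tuple in perms[object_type_s].items():
            for perm in perms_tuple:
                perm_bits = getattr(mod, perm)
                if perm_bits & ace[1] == perm_bits:
                    weak_perms.append([object_name, domain, principle, perm])
    return weak_perms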
Example #15
Source File: windowsprivcheck.py From LHF with GNU General Public License v3.0 | 4 votes |
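def dump_acl(object_name, object_type_s, sd, options=None):
    """Collect the permissions granted by each ACE of a DACL and print them.

    Despite its name, sd is used directly as the DACL. Each ACE mask is
    checked against perms[object_type_s], where perms is
    dangerous_perms_write when the module-level weak_perms_only flag is set
    and all_perms otherwise. Matches are collected as
    [object_name, domain, principle, perm, ace_type_short] and handed to
    print_weak_perms together with options.

    Returns [] when sd is None, otherwise None.
    """
    # Avoid a shared mutable default; callers passing a dict are unaffected.
    if options is None:
        options = {}
    dacl = sd
    if dacl is None:
        # Single-argument print(...) parses the same on Python 2 and 3.
        print("No Discretionary ACL")
        return []

    short_names = {"ACCESS_DENIED_ACE_TYPE": "DENY",
                   "ACCESS_ALLOWED_ACE_TYPE": "ALLOW"}
    known_ace_types = ("ACCESS_ALLOWED_ACE_TYPE", "ACCESS_DENIED_ACE_TYPE",
                       "SYSTEM_AUDIT_ACE_TYPE", "SYSTEM_ALARM_ACE_TYPE")
    weak_perms = []
    for ace_no in range(0, dacl.GetAceCount()):
        ace = dacl.GetAce(ace_no)
        try:
            principle, domain, _sid_type = win32security.LookupAccountSid(remote_server, ace[2])
        except Exception:  # was a bare except, which also swallowed Ctrl-C
            principle = win32security.ConvertSidToStringSid(ace[2])
            domain = ""

        # A negative mask is mapped to its unsigned 32-bit value.
        mask = ace[1]
        if ace[1] < 0:
            mask = ace[1] + 2**32

        if ignore_trusted and principle_is_trusted(principle, domain):
            continue

        if principle == "CREATOR OWNER":
            # NOTE(review): owner_name and owner_domain are not assigned in
            # this function; presumably module globals -- verify, otherwise
            # this raises NameError whenever ignore_trusted is set.
            if ignore_trusted and principle_is_trusted(owner_name, owner_domain):
                continue
            else:
                # "\\%s" spells the same text as the original "\%s" without
                # relying on an unrecognised escape sequence.
                principle = "CREATOR OWNER [%s\\%s]" % (domain, principle)

        # Reset per ACE: the original left ace_type_s unbound (or holding the
        # previous ACE's type) when the type matched none of the known names,
        # which could label an unrecognised ACE as ALLOW or DENY.
        ace_type_s = str(ace[0][0])
        for i in known_ace_types:
            if getattr(ntsecuritycon, i) == ace[0][0]:
                ace_type_s = i
        ace_type_short = short_names.get(ace_type_s, ace_type_s)

        if weak_perms_only:
            perms = dangerous_perms_write
        else:
            perms = all_perms

        for mod, perms_tuple in perms[object_type_s].items():
            for perm in perms_tuple:
                perm_bits = getattr(mod, perm)
                if perm_bits & mask == perm_bits:
                    weak_perms.append([object_name, domain, principle, perm, ace_type_short])
    print_weak_perms(object_type_s, weak_perms, options)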