-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathadlookup.py
112 lines (98 loc) · 3.72 KB
/
adlookup.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
#!/usr/bin/python
"""AD Lookup Tool.
Runs net user /domain and grabs the listing of domain users.
Then runs a query against each individual user to determine when the password was last changed.
This can be helpful during:
Pentests - Find those old service accounts that may have older passwords
IR - Find accounts that have been reactivated by an adversary
SOC - Which accounts are important to watch?
Audit - Do they do what they say they do?
Yes - there are commercial products that do this. Feel free not to use it if you don't see the need
Nicholas Albright - NMA-IO
"""
import re
import csv
import sys
import time
import queue
import threading
import subprocess
user_queue = queue.Queue()
resp_queue = queue.Queue()
def queryuser(uq, rq):
"""Run query for given username, return results."""
while not uq.empty():
username = uq.get()
if not username:
continue
try:
r = {}
q = subprocess.Popen(
['net', 'user', '/domain', username], stdout=subprocess.PIPE, stderr=subprocess.PIPE
).communicate()[0]
for line in q.splitlines():
if 'User name' in line:
r['User'] = re.search(r'User name[^\w]+([\w_\-0-9\.\!\$\^]+)', line).group(1)
elif 'Full Name' in line:
r['Full Name'] = re.search(r'Full Name[^\w]+([\w ]+)', line).group(1)
elif 'Account active' in line:
r['Account Active'] = re.search(r'Account active[^\w]+([\w]+)', line).group(1)
elif 'Last logon' in line:
r['Last Logon'] = re.search(r'Last logon[^\w\d]+([\w\d\/]+)', line).group(1)
elif 'Password last set' in line:
r['Password Set'] = re.search(r'Password last set[^\d]+([\d\/]+)', line).group(1)
elif 'Password expires' in line:
r['Password Expires'] = re.search(r'Password expires[^\w\d]+([\w\d\/]+)', line).group(1)
except:
return
rq.put(r)
if uq.empty():
return
def queryforusers():
"""Query domain for users."""
users = []
results = subprocess.Popen(
['net', 'user', '/domain'], stdout=subprocess.PIPE, stderr=subprocess.PIPE
).communicate()[0]
seek = False
for line in results.splitlines():
if '----------' in line:
seek = True
continue
if 'The command completed successfully.' in line:
continue
if not seek:
continue
users += [x for x in re.findall('[^\s]+', line) if (not x.startswith('$') or not x.endswith('$')) and x]
return users
def main():
"""Our Main Codeblock."""
proclist = []
userlist = queryforusers()
print 'Identified %s users!' % len(userlist)
outfilename = 'adlookup_%s_output.csv' % int(time.time())
try:
for user in userlist:
user_queue.put(user)
for i in range(12):
proc = threading.Thread(target=queryuser, args=(user_queue, resp_queue,))
proclist.append(proc)
proc.start()
for p in proclist:
p.join()
fn = ['User', 'Full Name', 'Account Active', 'Last Logon', 'Password Set', 'Password Expires']
outf = open(outfilename, 'wb')
wr = csv.DictWriter(outf, fn, delimiter=',', lineterminator='\n', quotechar='"')
wr.writeheader()
while not resp_queue.empty():
dict_data = resp_queue.get()
wr.writerow(dict_data)
outf.close()
print 'Wrote file: %s' % outfilename
except KeyboardInterrupt:
for p in proclist:
p.stop()
outf.close()
sys.exit('Captured Control-C')
if __name__ == '__main__':
main()