#!/usr/bin/env python3
# Parse PowerView's UserHunter output.
import sys
import os
import re
import argparse
import collections
import copy
import utils
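def main():
    """Summarise a saved PowerView UserHunter listing.

    The input file is read as blank-line-separated records of
    ``Key : Value`` lines. Identical records are collapsed into one entry
    carrying a ``sessions`` count, optionally filtered by user and/or
    computer, grouped by user (or by computer with ``--by-computer``) and
    printed to stdout.

    Lines without a ``:`` separator and records lacking ``UserName`` or
    ``ComputerName`` are skipped instead of aborting the run; the number of
    skipped records is reported on stderr.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--user', action='append', help='Filter by user')
    parser.add_argument('--user-file', help='Filter by users from file')
    parser.add_argument('-c', '--computer', action='append', help='Filter by computer')
    parser.add_argument('--computer-file', help='Filter by computers from file')
    parser.add_argument('-C', '--by-computer', action='store_true', help='Sort by computer instead of by user')
    parser.add_argument('file', help='File to parse')
    args = parser.parse_args()

    # Filters are matched case-insensitively. Blank lines in a list file are
    # dropped so they cannot turn into an empty-string filter entry.
    users = {user.lower() for user in args.user or []}
    if args.user_file:
        with open(args.user_file, 'r') as fp:
            users.update(name for name in (row.strip().lower() for row in fp) if name)

    # Computer filters are compared against the host's short name (the text
    # before the first dot), so they should be given as short names.
    computers = {computer.lower() for computer in args.computer or []}
    if args.computer_file:
        with open(args.computer_file, 'r') as fp:
            computers.update(name for name in (row.strip().lower() for row in fp) if name)

    # Read the listing: a blank line terminates the current record.
    records = []
    record = {}
    with open(args.file, 'r') as fp:
        for raw in fp:
            line = raw.strip()
            if not line:
                if record:
                    records.append(record)
                    record = {}
                continue
            # Split on the FIRST colon only: a value may itself contain ':'
            # (an IPv6 address, a timestamp) and must not be truncated.
            key, sep, value = line.partition(':')
            if not sep:
                # Not a "Key : Value" line (banner, warning text, wrapped
                # output); ignore it rather than raising IndexError.
                continue
            record[key.strip().lower()] = value.strip()
    if record:
        records.append(record)

    # Every later step needs both fields; drop incomplete records up front.
    complete = [r for r in records if 'username' in r and 'computername' in r]
    skipped = len(records) - len(complete)
    if skipped:
        print('Skipped {} record(s) without UserName/ComputerName'.format(skipped),
              file=sys.stderr)

    # De-duplicate in one pass; Counter keeps first-seen order, and the count
    # of identical records becomes the 'sessions' value.
    tally = collections.Counter(tuple(sorted(r.items())) for r in complete)
    items = []
    for frozen, count in tally.items():
        entry = dict(frozen)
        entry['sessions'] = count
        items.append(entry)

    # Apply the optional filters.
    if users:
        items = [i for i in items if i['username'].lower() in users]
    if computers:
        items = [i for i in items
                 if i['computername'].split('.')[0].lower() in computers]

    # Group by computer (--by-computer) or by user (default).
    group_key = 'computername' if args.by_computer else 'username'
    grouped_items = collections.defaultdict(list)
    for item in items:
        grouped_items[item[group_key]].append(item)

    # Print one section per group.
    for group, members in grouped_items.items():
        print('--- {} ---'.format(group))
        for item in members:
            if 'userdomain' in item:
                user = r'{}\{}'.format(item['userdomain'], item['username'])
            else:
                user = item['username']
            out = r'{} sessions of {}@{}'.format(item['sessions'], user, item['computername'])
            if 'ipaddress' in item and item['computername'] != item['ipaddress']:
                out += ' (IP {})'.format(item['ipaddress'])
            # LocalAdmin may be absent from a record; treat that as "not admin".
            if item.get('localadmin') == 'True':
                out += ' (admin)'
            print(out)
        print()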
# Run the parser only when executed as a script, not when imported.
if __name__ == "__main__":
    main()