feat in net.py: add functionality to enable and disable user accounts (#1801)

* feat in net.py: add functionality to enable and disable user accounts

* fix: do not overwrite flags when enabling/disabling accounts

* call function create account with according flags in net.py

* refactor keep uac flags out of parameters of enable,disable function definitions

Author: marcobarlottini

examples/net.py

@@ -24,6 +24,8 @@
 #       python net.py Administrator:password@targetMachine group -name "Domain Admins"
 #       python net.py Administrator:password@targetMachine computer -name DC$
 #       python net.py Administrator:password@targetMachine group -name "Domain Admins" -join EvilUs3r
+#       python net.py Administrator:password@targetMachine user -enable EvilUs3r
+#       python net.py Administrator:password@targetMachine user -disable EvilUs3r
 #
 # Author:
 #   Alex Romero (@NtAlexio2)
@@ -215,11 +217,32 @@ def Remove(self, name):
             self._close_domain()
 
     def _hEnableAccount(self, user_handle):
+        user_account_control = samr.hSamrQueryInformationUser2(self._dce, user_handle, samr.USER_INFORMATION_CLASS.UserAllInformation)['Buffer']['All']['UserAccountControl']
         buffer = samr.SAMPR_USER_INFO_BUFFER()
         buffer['tag'] = samr.USER_INFORMATION_CLASS.UserControlInformation
-        buffer['Control']['UserAccountControl'] = samr.USER_ALL_ADMINCOMMENT
+        buffer['Control']['UserAccountControl'] = user_account_control ^ samr.USER_ACCOUNT_DISABLED
         samr.hSamrSetInformationUser2(self._dce, user_handle, buffer)
 
+    def _hDisableAccount(self, user_handle):
+        user_account_control = samr.hSamrQueryInformationUser2(self._dce, user_handle, samr.USER_INFORMATION_CLASS.UserAllInformation)['Buffer']['All']['UserAccountControl']
+        buffer = samr.SAMPR_USER_INFO_BUFFER()
+        buffer['tag'] = samr.USER_INFORMATION_CLASS.UserControlInformation
+        buffer['Control']['UserAccountControl'] = samr.USER_ACCOUNT_DISABLED | user_account_control
+        samr.hSamrSetInformationUser2(self._dce, user_handle, buffer)
+
+    def SetUserAccountControl(self, name, action):
+        info = self.Query(name)
+        domain_handle = self._open_domain()
+        try:
+            user_handle = self._get_user_handle(domain_handle, name)
+            if action == 'enable':
+                self._hEnableAccount(user_handle)
+            else:
+                self._hDisableAccount(user_handle)
+        finally:
+            self._close_domain()
+
+
 
 class Computer(User):
     def __init__(self, smbConnection):
@@ -358,6 +381,16 @@ def run(self, remoteName, remoteHost):
             actionObject.Remove(self.__options.remove)
             print("[+] {} account deleted succesfully!".format(self.__action))
 
+        elif self.__is_option_present(self.__options, 'enable'):
+            print("[*] Enabling {} account '{}'".format(self.__action, self.__options.enable))
+            actionObject.SetUserAccountControl(self.__options.enable, "enable")
+            print("[+] {} account enabled succesfully!".format(self.__action))
+
+        elif self.__is_option_present(self.__options, 'disable'):
+            print("[*] Disabling {} account '{}'".format(self.__action, self.__options.disable))
+            actionObject.SetUserAccountControl(self.__options.disable, "disable")
+            print("[+] {} account disabled succesfully!".format(self.__action))
+
         elif self.__is_option_present(self.__options, 'join'):
             print("[*] Adding user account '{}' to group '{}'".format(self.__options.join,self.__options.name))
             actionObject.Join(self.__options.name, self.__options.join)
@@ -466,12 +499,16 @@ def __is_option_present(self, options, option):
     user_parser.add_argument('-create', action="store", metavar = "NAME", help='Add new user account to domain/computer.')
     user_parser.add_argument('-remove', action="store", metavar = "NAME", help='Remove existing user account from domain/computer.')
     user_parser.add_argument('-newPasswd', action="store", metavar = "PASSWORD", help='New password to set for creating account.')
+    user_parser.add_argument('-enable', action="store", metavar = "NAME", help='Enables account.')
+    user_parser.add_argument('-disable', action="store", metavar = "NAME", help='Disables account.')
 
     computer_parser = subparsers.add_parser('computer', help='Enumerate all computers in domain level')
     computer_parser.add_argument('-name', action="store", metavar = "NAME", help='Display single computer information.')
     computer_parser.add_argument('-create', action="store", metavar = "NAME", help='Add new computer account to domain.')
     computer_parser.add_argument('-remove', action="store", metavar = "NAME", help='Remove existing computer account from domain.')
     computer_parser.add_argument('-newPasswd', action="store", metavar = "PASSWORD", help='New password to set for creating account.')
+    computer_parser.add_argument('-enable', action="store", metavar = "NAME", help='Enables account.')
+    computer_parser.add_argument('-disable', action="store", metavar = "NAME", help='Disables account.')
 
     localgroup_parser = subparsers.add_parser('localgroup', help='Enumerate local groups (aliases) of local computer')
     localgroup_parser.add_argument('-name', action="store", metavar = "NAME", help='Operate on single specific domain group account.')