Hello, and welcome to this course in which we're discussing using Python for impact. Our definition of impact here is drawn from the MITRE ATT&CK framework. So it's normally some form of damage or other impact that an attacker can have as one of their final objectives on a system. In this video, we're going to be talking about using Python to remove access to user accounts on the system. This can be a significant impact because if we can deny access of certain users to the system, then the system becomes unusable to them, unless and until they can force some sort of password reset to regain access to the system.

And so we're going to take advantage generally of the platform library, because platform allows us to determine what type of system we're running on. This particular example we've written for both Windows and Linux. So down here in our main function we call platform.system() and test to see if the system is Windows. Otherwise, we're assuming that it's Linux. Once we know what type of system we're on, we need to identify the list of users on the system, then identify if any of those are the user accounts who we want to deny access to, and then finally change the password of any of those user accounts.

So let's start with Windows. With Windows we're going to be taking advantage of wmi, which allows us access to Windows' underlying interfaces. We start by importing wmi, and we're putting this import statement here because the wmi library is probably only going to be installed on Windows. Similarly, pwd will probably only be installed on Linux, and so by putting them inside our if/else statements here, we prevent ourselves from having issues where the library is not found. So we're going to create an instance of wmi and call it w here, and then take advantage of its Win32_UserAccount function. When we call this function, what it's going to provide is a list of user account objects.
Within those user account objects, there's a field for the username, and that's called user.Name. We're just going to store that in a temporary variable, username, here. With that username in mind we can determine whether or not this particular account meets our criteria for denying access, password change, etc. We'll do that with a change criteria function, which is defined up here. The details of this particular function depend on your implementation of the system and what your criteria are. In this case, I have a couple of test user accounts called test user and user one on Windows and Linux systems. And so I'm saying that if it's one of those two accounts, we'll lock it out. That way, we don't lock out my actual user accounts on the system. So if the username, or the name of the user account, is in this list, we return True; otherwise, we return False. If we return True, we're going to print that we're changing the password, provide the username that we're going to be changing the password for, and then we'll call set Windows password with that username and the new password, newpass.

Moving up to set Windows password, we're going to take advantage of adsi from the win32com library, and it's going to let us actually change that user password. We start by using the ADsGetObject function from adsi, and we're passing the path WinNT://localhost/ followed by the user, and then comma user. This format string modifier here is going to map to the username we're passing in. So it'll be localhost slash that particular user, and then comma user. Once we have that object we can use the GetInfo function, and then finally call SetPassword to change the password on that user account. And so that gives us the ability to change the user password on Windows. Obviously, this is not a great password to change it to and could probably be brute forced or guessed. However, we can easily generate a completely random password, substitute it in here, and make it impossible for test user or user one to regain access to their accounts.

We can also do the same thing on Linux. So instead of wmi, we're going to be using pwd here, and we can use pwd.getpwall to get a full list of the user accounts on the system. When we iterate over those, we can check the user IDs associated with those accounts. The root account on Linux has a user ID of 0, and then typically, depending on the flavor of Linux, user accounts are going to start at either 500 or 1000. And so we can safely assume that anything with a UID over 500 is likely going to be a user account. So again, we can get the name of that user account, store it in username, and call change criteria to determine if it's one that we want to change the password for. If so, we'll print changing password and then call our set Linux password function.

Up here in our set Linux password function, we're passing in a username and a password. In this case we also have hard coded that username and password. And so we're going to echo -e, and then newpass, line feed, newpass. So we're passing in a copy of that password twice. Then we'll pipe it to the passwd command and specify the username. And so if we have the appropriate permissions, passwd will be called and it'll prompt for a new password. We provide it, then it'll prompt for that new password again, we provide it a second time, and so that user's password will be changed. And so this demonstrates how we could remove access to a user account using Python both on Windows and on Linux.

And so, let's give it a try. So, we'll use python AccountAccessRemoval.py, and obviously, we're on a Linux system, or on a Windows system here, so we hit Enter, and it doesn't work. The reason why is that the current user account on the system, or the current command prompt, simply doesn't have the permissions to do this.
We're trying to change the password on a different user account in a normal command prompt, and so it quite rightly blocks that request. However, if we switch to an administrator command prompt, note that we're running this one as administrator. You can do that by right-clicking on it, going to More, and then selecting Run as administrator. If we use python AccountAccessRemoval.py now, the password has changed successfully. And so whatever test user's password was previously, it's now newpass, or it could easily be something random and resistant to guessing or brute force.

And so this particular Python code has a couple of different benefits to an attacker. One, they deny access to the account to the legitimate user by changing their password. And two, they could achieve access, or password-based access, to this account. If you change the user account password to something that you know, then you can take advantage of that account in the future with password-based authentication.

The one major limitation here is that, as we saw, we need a high level of permissions to accomplish this. We need to run this in the administrator command prompt in Windows. We need root-level permissions or sudo on Linux. And so you need to achieve a high level of permissions on the system, through privilege escalation or compromising an administrator account, before you'd be able to accomplish this particular type of impact on the system. Thank you.
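
An added detection example, not part of the original lecture: the script described above changes the passwords of several accounts in a single privileged run, so a burst of password changes for distinct accounts on one host is a useful signal. The log lines are constructed samples in the pam_unix format that passwd writes to the auth log; the function names, the assumed year and the 60-second window are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (pam_unix format written by passwd to the auth log).
SAMPLE_AUTH_LOG = """\
Mar  3 09:02:11 web01 passwd[1880]: pam_unix(passwd:chauthtok): password changed for alice
Mar  3 10:15:01 web01 passwd[2211]: pam_unix(passwd:chauthtok): password changed for testuser
Mar  3 10:15:01 web01 passwd[2214]: pam_unix(passwd:chauthtok): password changed for user1
Mar  3 10:15:02 web01 sshd[2230]: Failed password for testuser from 192.0.2.10 port 50514 ssh2
"""

CHANGE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\spasswd\[\d+\]:\s"
    r"pam_unix\(passwd:chauthtok\):\spassword changed for (?P<user>\S+)$"
)

def parse_changes(log_text, year=2024):
    """Return sorted (timestamp, host, user) tuples for password-change records."""
    events = []
    for line in log_text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            # Classic syslog timestamps carry no year, so one is assumed.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["user"]))
    return sorted(events)

def find_bursts(events, window=timedelta(seconds=60), min_accounts=2):
    """Flag hosts where several distinct accounts changed password within window."""
    by_host = defaultdict(list)
    for ts, host, user in events:
        by_host[host].append((ts, user))
    alerts = []
    for host, rows in by_host.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            users = {u for _, u in rows[start:end + 1]}
            if len(users) >= min_accounts:
                alerts.append((host, rows[start][0], sorted(users)))
                break  # one alert per host is enough for triage
    return alerts

if __name__ == "__main__":
    for host, first_seen, users in find_bursts(parse_changes(SAMPLE_AUTH_LOG)):
        print(f"{host}: {len(users)} accounts changed from {first_seen}: {users}")
```

On Windows, the analogous check runs over password reset records in the Security event log rather than the auth log.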