Python impacket.dcerpc.v5.lsat.hLsarLookupSids() Examples
The following are 12
code examples of impacket.dcerpc.v5.lsat.hLsarLookupSids().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.dcerpc.v5.lsat
, or try the search function
.
.
Example #1
| Source File: test_lsat.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_hLsarLookupSids(self):
dce, rpctransport, policyHandle = self.connect()
resp = lsat.hLsarLookupNames(dce, policyHandle, ('Administrator',))
resp.dump()
domainSid = resp['ReferencedDomains']['Domains'][0]['Sid'].formatCanonical()
sids = list()
for i in range(1000):
sids.append(domainSid + '-%d' % (500+i))
try:
resp = lsat.hLsarLookupSids(dce, policyHandle, sids )
resp.dump()
except Exception, e:
if str(e).find('STATUS_SOME_NOT_MAPPED') < 0:
raise
else:
resp = e.get_packet()
resp.dump()
Example #2
| Source File: test_lsat.py From cracke-dit with MIT License | 6 votes |
|
def test_hLsarLookupSids(self):
dce, rpctransport, policyHandle = self.connect()
resp = lsat.hLsarLookupNames(dce, policyHandle, ('Administrator',))
resp.dump()
domainSid = resp['ReferencedDomains']['Domains'][0]['Sid'].formatCanonical()
sids = list()
for i in range(1000):
sids.append(domainSid + '-%d' % (500+i))
try:
resp = lsat.hLsarLookupSids(dce, policyHandle, sids )
resp.dump()
except Exception, e:
if str(e).find('STATUS_SOME_NOT_MAPPED') < 0:
raise
else:
resp = e.get_packet()
resp.dump()
Example #3
| Source File: test_lsat.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def test_hLsarLookupSids(self):
dce, rpctransport, policyHandle = self.connect()
resp = lsat.hLsarLookupNames(dce, policyHandle, ('Administrator',))
resp.dump()
domainSid = resp['ReferencedDomains']['Domains'][0]['Sid'].formatCanonical()
sids = list()
for i in range(1000):
sids.append(domainSid + '-%d' % (500+i))
try:
resp = lsat.hLsarLookupSids(dce, policyHandle, sids )
resp.dump()
except Exception as e:
if str(e).find('STATUS_SOME_NOT_MAPPED') < 0:
raise
else:
resp = e.get_packet()
resp.dump()
Example #4
| Source File: test_lsat.py From PiBunny with MIT License | 6 votes |
|
def test_hLsarLookupSids(self):
dce, rpctransport, policyHandle = self.connect()
resp = lsat.hLsarLookupNames(dce, policyHandle, ('Administrator',))
resp.dump()
domainSid = resp['ReferencedDomains']['Domains'][0]['Sid'].formatCanonical()
sids = list()
for i in range(1000):
sids.append(domainSid + '-%d' % (500+i))
try:
resp = lsat.hLsarLookupSids(dce, policyHandle, sids )
resp.dump()
except Exception, e:
if str(e).find('STATUS_SOME_NOT_MAPPED') < 0:
raise
else:
resp = e.get_packet()
resp.dump()
Example #5
| Source File: patator.py From patator with GNU General Public License v2.0 | 5 votes |
|
def execute(self, host, port='139', user='', password='', sid=None, rid=None, persistent='1'):
fp, _ = self.bind(host, port, user, password, sid)
if rid:
sid = '%s-%s' % (self.sid, rid)
else:
sid = self.sid
try:
res = lsat.hLsarLookupSids(fp, self.policy_handle, [sid], lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
code, names = 0, []
for n, item in enumerate(res['TranslatedNames']['Names']):
names.append("%s\\%s (%s)" % (res['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'], item['Name'], SID_NAME_USE.enumItems(item['Use']).name[7:]))
except lsat.DCERPCSessionError:
code, names = 1, ['unknown'] # STATUS_NONE_MAPPED
if persistent == '0':
self.reset()
return self.Response(code, ', '.join(names))
# }}}
# POP {{{
Example #6
| Source File: enum.py From Exchange2domain with MIT License | 5 votes |
|
def __resolveSids(self, sids):
dce = self.__getDceBinding(self.__lsaBinding)
dce.connect()
dce.bind(lsat.MSRPC_UUID_LSAT)
resp = lsat.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
policyHandle = resp['PolicyHandle']
resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
names = []
for n, item in enumerate(resp['TranslatedNames']['Names']):
names.append(u"{}\\{}".format(resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'].encode('utf-16-le'), item['Name']))
dce.disconnect()
return names
Example #7
| Source File: raiseChild.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def getParentSidAndAdminName(self, parentDC, creds):
if self.__doKerberos is True:
# In Kerberos we need the target's name
machineNameOrIp = self.getDNSMachineName(gethostbyname(parentDC))
logging.debug('%s is %s' % (gethostbyname(parentDC), machineNameOrIp))
else:
machineNameOrIp = gethostbyname(parentDC)
logging.debug('Calling LSAT hLsarQueryInformationPolicy2()')
stringBinding = r'ncacn_np:%s[\pipe\lsarpc]' % machineNameOrIp
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(creds['username'], creds['password'], creds['domain'], creds['lmhash'],
creds['nthash'], creds['aesKey'])
rpctransport.set_kerberos(self.__doKerberos)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(MSRPC_UUID_LSAT)
resp = hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | POLICY_LOOKUP_NAMES)
policyHandle = resp['PolicyHandle']
resp = hLsarQueryInformationPolicy2(dce, policyHandle, POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)
domainSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical()
# Now that we have the Sid, let's get the Administrator's account name
sids = list()
sids.append(domainSid+'-500')
resp = hLsarLookupSids(dce, policyHandle, sids, LSAP_LOOKUP_LEVEL.LsapLookupWksta)
adminName = resp['TranslatedNames']['Names'][0]['Name']
return domainSid, adminName
Example #8
| Source File: enum.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def __resolveSids(self, sids):
dce = self.__getDceBinding(self.__lsaBinding)
dce.connect()
dce.bind(lsat.MSRPC_UUID_LSAT)
resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
policyHandle = resp['PolicyHandle']
resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
names = []
for n, item in enumerate(resp['TranslatedNames']['Names']):
names.append("{}\\{}".format(resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'].encode('utf-16-le'), item['Name']))
dce.disconnect()
return names
Example #9
| Source File: patator_ext.py From project-black with GNU General Public License v2.0 | 5 votes |
|
def execute(self, host, port='139', user='', password='', sid=None, rid=None, persistent='1'):
fp, _ = self.bind(host, port, user, password, sid)
if rid:
sid = '%s-%s' % (self.sid, rid)
else:
sid = self.sid
try:
res = lsat.hLsarLookupSids(fp, self.policy_handle, [sid], lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
code, names = 0, []
for n, item in enumerate(res['TranslatedNames']['Names']):
names.append("%s\\%s (%s)" % (res['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'], item['Name'], SID_NAME_USE.enumItems(item['Use']).name[7:]))
except lsat.DCERPCSessionError:
code, names = 1, ['unknown'] # STATUS_NONE_MAPPED
if persistent == '0':
self.reset()
return self.Response(code, ', '.join(names))
# }}}
# POP {{{
Example #10
| Source File: enum.py From CVE-2019-1040 with MIT License | 5 votes |
|
def __resolveSids(self, sids):
dce = self.__getDceBinding(self.__lsaBinding)
dce.connect()
dce.bind(lsat.MSRPC_UUID_LSAT)
resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
policyHandle = resp['PolicyHandle']
resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
names = []
for n, item in enumerate(resp['TranslatedNames']['Names']):
names.append("{}\\{}".format(resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'].encode('utf-16-le'), item['Name']))
dce.disconnect()
return names
Example #11
| Source File: raiseChild.py From PiBunny with MIT License | 5 votes |
|
def getParentSidAndAdminName(self, parentDC, creds):
if self.__doKerberos is True:
# In Kerberos we need the target's name
machineNameOrIp = self.getDNSMachineName(gethostbyname(parentDC))
logging.debug('%s is %s' % (gethostbyname(parentDC), machineNameOrIp))
else:
machineNameOrIp = gethostbyname(parentDC)
logging.debug('Calling LSAT hLsarQueryInformationPolicy2()')
stringBinding = r'ncacn_np:%s[\pipe\lsarpc]' % machineNameOrIp
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(creds['username'], creds['password'], creds['domain'], creds['lmhash'],
creds['nthash'], creds['aesKey'])
rpctransport.set_kerberos(self.__doKerberos)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(MSRPC_UUID_LSAT)
resp = hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | POLICY_LOOKUP_NAMES)
policyHandle = resp['PolicyHandle']
resp = hLsarQueryInformationPolicy2(dce, policyHandle, POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)
domainSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical()
# Now that we have the Sid, let's get the Administrator's account name
sids = list()
sids.append(domainSid+'-500')
resp = hLsarLookupSids(dce, policyHandle, sids, LSAP_LOOKUP_LEVEL.LsapLookupWksta)
adminName = resp['TranslatedNames']['Names'][0]['Name']
return domainSid, adminName
Example #12
| Source File: lookupsid.py From PiBunny with MIT License | 4 votes |
|
def __bruteForce(self, rpctransport, maxRid):
dce = rpctransport.get_dce_rpc()
entries = []
dce.connect()
# Want encryption? Uncomment next line
# But make SIMULTANEOUS variable <= 100
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
# Want fragmentation? Uncomment next line
#dce.set_max_fragment_size(32)
dce.bind(lsat.MSRPC_UUID_LSAT)
resp = lsat.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
policyHandle = resp['PolicyHandle']
resp = lsad.hLsarQueryInformationPolicy2(dce, policyHandle, lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)
domainSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical()
soFar = 0
SIMULTANEOUS = 1000
for j in range(maxRid/SIMULTANEOUS+1):
if (maxRid - soFar) / SIMULTANEOUS == 0:
sidsToCheck = (maxRid - soFar) % SIMULTANEOUS
else:
sidsToCheck = SIMULTANEOUS
if sidsToCheck == 0:
break
sids = list()
for i in xrange(soFar, soFar+sidsToCheck):
sids.append(domainSid + '-%d' % i)
try:
lsat.hLsarLookupSids(dce, policyHandle, sids,lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
except DCERPCException, e:
if str(e).find('STATUS_NONE_MAPPED') >= 0:
soFar += SIMULTANEOUS
continue
elif str(e).find('STATUS_SOME_NOT_MAPPED') >= 0:
resp = e.get_packet()
else:
raise
for n, item in enumerate(resp['TranslatedNames']['Names']):
if item['Use'] != SID_NAME_USE.SidTypeUnknown:
print "%d: %s\\%s (%s)" % (
soFar + n, resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'], item['Name'],
SID_NAME_USE.enumItems(item['Use']).name)
soFar += SIMULTANEOUS
