Python impacket.dcerpc.v5.lsat.POLICY_LOOKUP_NAMES Examples
The following are 14
code examples of impacket.dcerpc.v5.lsat.POLICY_LOOKUP_NAMES().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.dcerpc.v5.lsat
, or try the search function
.
Example #1
Source File: test_lsat.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts) request = lsat.LsarOpenPolicy2() request['SystemName'] = NULL request['ObjectAttributes']['RootDirectory'] = NULL request['ObjectAttributes']['ObjectName'] = NULL request['ObjectAttributes']['SecurityDescriptor'] = NULL request['ObjectAttributes']['SecurityQualityOfService'] = NULL request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES resp = dce.request(request) return dce, rpctransport, resp['PolicyHandle']
Example #2
Source File: test_lsat.py From cracke-dit with MIT License | 6 votes |
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts) request = lsat.LsarOpenPolicy2() request['SystemName'] = NULL request['ObjectAttributes']['RootDirectory'] = NULL request['ObjectAttributes']['ObjectName'] = NULL request['ObjectAttributes']['SecurityDescriptor'] = NULL request['ObjectAttributes']['SecurityQualityOfService'] = NULL request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES resp = dce.request(request) return dce, rpctransport, resp['PolicyHandle']
Example #3
Source File: test_lsat.py From Slackor with GNU General Public License v3.0 | 6 votes |
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts) request = lsad.LsarOpenPolicy2() request['SystemName'] = NULL request['ObjectAttributes']['RootDirectory'] = NULL request['ObjectAttributes']['ObjectName'] = NULL request['ObjectAttributes']['SecurityDescriptor'] = NULL request['ObjectAttributes']['SecurityQualityOfService'] = NULL request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES resp = dce.request(request) return dce, rpctransport, resp['PolicyHandle']
Example #4
Source File: test_lsat.py From PiBunny with MIT License | 6 votes |
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts) request = lsat.LsarOpenPolicy2() request['SystemName'] = NULL request['ObjectAttributes']['RootDirectory'] = NULL request['ObjectAttributes']['ObjectName'] = NULL request['ObjectAttributes']['SecurityDescriptor'] = NULL request['ObjectAttributes']['SecurityQualityOfService'] = NULL request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES resp = dce.request(request) return dce, rpctransport, resp['PolicyHandle']
Example #5
Source File: patator.py From patator with GNU General Public License v2.0 | 5 votes |
def connect(self, host, port, user, password, sid): smbt = transport.SMBTransport(host, int(port), r'\lsarpc', user, password) dce = smbt.get_dce_rpc() dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT) op2 = lsat.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES) if sid is None: res = lsad.hLsarQueryInformationPolicy2(dce, op2['PolicyHandle'], lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation) sid = res['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() self.sid = sid self.policy_handle = op2['PolicyHandle'] return DCE_Connection(dce, smbt)
Example #6
Source File: enum.py From Exchange2domain with MIT License | 5 votes |
def __resolveSids(self, sids): dce = self.__getDceBinding(self.__lsaBinding) dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT) resp = lsat.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta) names = [] for n, item in enumerate(resp['TranslatedNames']['Names']): names.append(u"{}\\{}".format(resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'].encode('utf-16-le'), item['Name'])) dce.disconnect() return names
Example #7
Source File: raiseChild.py From Slackor with GNU General Public License v3.0 | 5 votes |
def getParentSidAndAdminName(self, parentDC, creds): if self.__doKerberos is True: # In Kerberos we need the target's name machineNameOrIp = self.getDNSMachineName(gethostbyname(parentDC)) logging.debug('%s is %s' % (gethostbyname(parentDC), machineNameOrIp)) else: machineNameOrIp = gethostbyname(parentDC) logging.debug('Calling LSAT hLsarQueryInformationPolicy2()') stringBinding = r'ncacn_np:%s[\pipe\lsarpc]' % machineNameOrIp rpctransport = transport.DCERPCTransportFactory(stringBinding) if hasattr(rpctransport, 'set_credentials'): rpctransport.set_credentials(creds['username'], creds['password'], creds['domain'], creds['lmhash'], creds['nthash'], creds['aesKey']) rpctransport.set_kerberos(self.__doKerberos) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(MSRPC_UUID_LSAT) resp = hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = hLsarQueryInformationPolicy2(dce, policyHandle, POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation) domainSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() # Now that we have the Sid, let's get the Administrator's account name sids = list() sids.append(domainSid+'-500') resp = hLsarLookupSids(dce, policyHandle, sids, LSAP_LOOKUP_LEVEL.LsapLookupWksta) adminName = resp['TranslatedNames']['Names'][0]['Name'] return domainSid, adminName
Example #8
Source File: enum.py From Slackor with GNU General Public License v3.0 | 5 votes |
def __resolveSids(self, sids): dce = self.__getDceBinding(self.__lsaBinding) dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT) resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta) names = [] for n, item in enumerate(resp['TranslatedNames']['Names']): names.append("{}\\{}".format(resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'].encode('utf-16-le'), item['Name'])) dce.disconnect() return names
Example #9
Source File: patator_ext.py From project-black with GNU General Public License v2.0 | 5 votes |
def connect(self, host, port, user, password, sid): smbt = transport.SMBTransport(host, int(port), r'\lsarpc', user, password) dce = smbt.get_dce_rpc() dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT) op2 = lsat.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES) if sid is None: res = lsad.hLsarQueryInformationPolicy2(dce, op2['PolicyHandle'], lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation) sid = res['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() self.sid = sid self.policy_handle = op2['PolicyHandle'] return DCE_Connection(dce, smbt)
Example #10
Source File: enum.py From CVE-2019-1040 with MIT License | 5 votes |
def __resolveSids(self, sids): dce = self.__getDceBinding(self.__lsaBinding) dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT) resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta) names = [] for n, item in enumerate(resp['TranslatedNames']['Names']): names.append("{}\\{}".format(resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'].encode('utf-16-le'), item['Name'])) dce.disconnect() return names
Example #11
Source File: raiseChild.py From PiBunny with MIT License | 5 votes |
def getParentSidAndAdminName(self, parentDC, creds): if self.__doKerberos is True: # In Kerberos we need the target's name machineNameOrIp = self.getDNSMachineName(gethostbyname(parentDC)) logging.debug('%s is %s' % (gethostbyname(parentDC), machineNameOrIp)) else: machineNameOrIp = gethostbyname(parentDC) logging.debug('Calling LSAT hLsarQueryInformationPolicy2()') stringBinding = r'ncacn_np:%s[\pipe\lsarpc]' % machineNameOrIp rpctransport = transport.DCERPCTransportFactory(stringBinding) if hasattr(rpctransport, 'set_credentials'): rpctransport.set_credentials(creds['username'], creds['password'], creds['domain'], creds['lmhash'], creds['nthash'], creds['aesKey']) rpctransport.set_kerberos(self.__doKerberos) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(MSRPC_UUID_LSAT) resp = hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = hLsarQueryInformationPolicy2(dce, policyHandle, POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation) domainSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() # Now that we have the Sid, let's get the Administrator's account name sids = list() sids.append(domainSid+'-500') resp = hLsarLookupSids(dce, policyHandle, sids, LSAP_LOOKUP_LEVEL.LsapLookupWksta) adminName = resp['TranslatedNames']['Names'][0]['Name'] return domainSid, adminName
Example #12
Source File: goldenPac.py From Slackor with GNU General Public License v3.0 | 4 votes |
def getForestSid(self): logging.debug('Calling NRPC DsrGetDcNameEx()') stringBinding = r'ncacn_np:%s[\pipe\netlogon]' % self.__kdcHost rpctransport = transport.DCERPCTransportFactory(stringBinding) if hasattr(rpctransport, 'set_credentials'): rpctransport.set_credentials(self.__username,self.__password, self.__domain, self.__lmhash, self.__nthash) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(MSRPC_UUID_NRPC) resp = hDsrGetDcNameEx(dce, NULL, NULL, NULL, NULL, 0) forestName = resp['DomainControllerInfo']['DnsForestName'][:-1] logging.debug('DNS Forest name is %s' % forestName) dce.disconnect() logging.debug('Calling LSAT hLsarQueryInformationPolicy2()') stringBinding = r'ncacn_np:%s[\pipe\lsarpc]' % forestName rpctransport = transport.DCERPCTransportFactory(stringBinding) if hasattr(rpctransport, 'set_credentials'): rpctransport.set_credentials(self.__username,self.__password, self.__domain, self.__lmhash, self.__nthash) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(MSRPC_UUID_LSAT) resp = hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = hLsarQueryInformationPolicy2(dce, policyHandle, POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation) dce.disconnect() forestSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() logging.info("Forest SID: %s"% forestSid) return forestSid
Example #13
Source File: goldenPac.py From PiBunny with MIT License | 4 votes |
def getForestSid(self): logging.debug('Calling NRPC DsrGetDcNameEx()') stringBinding = r'ncacn_np:%s[\pipe\netlogon]' % self.__kdcHost rpctransport = transport.DCERPCTransportFactory(stringBinding) if hasattr(rpctransport, 'set_credentials'): rpctransport.set_credentials(self.__username,self.__password, self.__domain, self.__lmhash, self.__nthash) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(MSRPC_UUID_NRPC) resp = hDsrGetDcNameEx(dce, NULL, NULL, NULL, NULL, 0) forestName = resp['DomainControllerInfo']['DnsForestName'][:-1] logging.debug('DNS Forest name is %s' % forestName) dce.disconnect() logging.debug('Calling LSAT hLsarQueryInformationPolicy2()') stringBinding = r'ncacn_np:%s[\pipe\lsarpc]' % forestName rpctransport = transport.DCERPCTransportFactory(stringBinding) if hasattr(rpctransport, 'set_credentials'): rpctransport.set_credentials(self.__username,self.__password, self.__domain, self.__lmhash, self.__nthash) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(MSRPC_UUID_LSAT) resp = hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = hLsarQueryInformationPolicy2(dce, policyHandle, POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation) dce.disconnect() forestSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() logging.info("Forest SID: %s"% forestSid) return forestSid
Example #14
Source File: lookupsid.py From PiBunny with MIT License | 4 votes |
def __bruteForce(self, rpctransport, maxRid): dce = rpctransport.get_dce_rpc() entries = [] dce.connect() # Want encryption? Uncomment next line # But make SIMULTANEOUS variable <= 100 #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY) # Want fragmentation? Uncomment next line #dce.set_max_fragment_size(32) dce.bind(lsat.MSRPC_UUID_LSAT) resp = lsat.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = lsad.hLsarQueryInformationPolicy2(dce, policyHandle, lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation) domainSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() soFar = 0 SIMULTANEOUS = 1000 for j in range(maxRid/SIMULTANEOUS+1): if (maxRid - soFar) / SIMULTANEOUS == 0: sidsToCheck = (maxRid - soFar) % SIMULTANEOUS else: sidsToCheck = SIMULTANEOUS if sidsToCheck == 0: break sids = list() for i in xrange(soFar, soFar+sidsToCheck): sids.append(domainSid + '-%d' % i) try: lsat.hLsarLookupSids(dce, policyHandle, sids,lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta) except DCERPCException, e: if str(e).find('STATUS_NONE_MAPPED') >= 0: soFar += SIMULTANEOUS continue elif str(e).find('STATUS_SOME_NOT_MAPPED') >= 0: resp = e.get_packet() else: raise for n, item in enumerate(resp['TranslatedNames']['Names']): if item['Use'] != SID_NAME_USE.SidTypeUnknown: print "%d: %s\\%s (%s)" % ( soFar + n, resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'], item['Name'], SID_NAME_USE.enumItems(item['Use']).name) soFar += SIMULTANEOUS