Python impacket.dcerpc.v5.dtypes.MAXIMUM_ALLOWED Examples
The following are 30
code examples of impacket.dcerpc.v5.dtypes.MAXIMUM_ALLOWED().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.dcerpc.v5.dtypes
, or try the search function
.
.
Example #1
| Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
|
def test_SamrOpenGroup(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrConnect()
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['ServerName'] = u'BETO\x00'
resp = dce.request(request)
request = samr.SamrOpenGroup()
request['DomainHandle'] = domainHandle
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0:
raise
Example #2
| Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
|
def test_BaseRegSaveKey(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenCurrentUser()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
request = rrp.BaseRegSaveKey()
request['hKey'] = resp['phKey']
request['lpFile'] = 'BETUSFILE2\x00'
request['pSecurityAttributes'] = NULL
resp = dce.request(request)
resp.dump()
# I gotta remove the file now :s
smb = rpctransport.get_smb_connection()
smb.deleteFile('ADMIN$', 'System32\\BETUSFILE2')
Example #3
| Source File: test_lsad.py From cracke-dit with MIT License | 6 votes |
|
def test_LsarOpenAccount(self):
dce, rpctransport, policyHandle = self.connect()
request = lsad.LsarEnumerateAccounts()
request['PolicyHandle'] = policyHandle
request['PreferedMaximumLength'] = 0xffffffff
resp = dce.request(request)
resp.dump()
request = lsad.LsarOpenAccount()
request['PolicyHandle'] = policyHandle
request['AccountSid'] = resp['EnumerationBuffer']['Information'][0]['Sid']
request['DesiredAccess'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
request = lsad.LsarClose()
request['ObjectHandle'] = resp['AccountHandle']
resp = dce.request(request)
resp.dump()
Example #4
| Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts)
resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport, resp['phKey']
Example #5
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_SamrOpenGroup(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrConnect()
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['ServerName'] = u'BETO\x00'
resp = dce.request(request)
request = samr.SamrOpenGroup()
request['DomainHandle'] = domainHandle
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0:
raise
Example #6
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_SamrSetMemberAttributesOfGroup(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrConnect()
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['ServerName'] = u'BETO\x00'
resp = dce.request(request)
request = samr.SamrOpenGroup()
request['DomainHandle'] = domainHandle
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS
resp = dce.request(request)
request = samr.SamrSetMemberAttributesOfGroup()
request['GroupHandle'] = resp['GroupHandle']
request['MemberId'] = samr.DOMAIN_USER_RID_ADMIN
request['Attributes'] = samr.SE_GROUP_ENABLED_BY_DEFAULT
resp = dce.request(request)
resp.dump()
Example #7
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_SamrEnumerateDomainsInSamServer(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrConnect()
request['ServerName'] = u'BETO\x00'
request['DesiredAccess'] = samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN
resp = dce.request(request)
request = samr.SamrEnumerateDomainsInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['EnumerationContext'] = 0
request['PreferedMaximumLength'] = 500
resp2 = dce.request(request)
resp2.dump()
request = samr.SamrLookupDomainInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['Name'] = resp2['Buffer']['Buffer'][0]['Name']
resp3 = dce.request(request)
resp3.dump()
request = samr.SamrOpenDomain()
request['ServerHandle'] = resp['ServerHandle']
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['DomainId'] = resp3['DomainId']
resp4 = dce.request(request)
resp4.dump()
Example #8
| Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
|
def test_BaseRegQueryValue(self):
dce, rpctransport, phKey = self.connect()
request = rrp.BaseRegOpenKey()
request['hKey'] = phKey
request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00'
request['dwOptions'] = 0x00000001
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
request = rrp.BaseRegQueryValue()
request['hKey'] = resp['phkResult']
request['lpValueName'] = 'ProductName\x00'
request['lpData'] = ' '*100
request['lpcbData'] = 100
request['lpcbLen'] = 100
resp = dce.request(request)
resp.dump()
Example #9
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_SamrAddMemberToGroup_SamrRemoveMemberFromGroup(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrConnect()
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['ServerName'] = u'BETO\x00'
resp = dce.request(request)
request = samr.SamrOpenGroup()
request['DomainHandle'] = domainHandle
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0:
raise
Example #10
| Source File: test_lsad.py From cracke-dit with MIT License | 6 votes |
|
def test_LsarCreateAccount_LsarDeleteObject(self):
dce, rpctransport, policyHandle = self.connect()
request = lsad.LsarQueryInformationPolicy2()
request['PolicyHandle'] = policyHandle
request['InformationClass'] = lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation
resp = dce.request(request)
sid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical()
sid = sid + '-9999'
request = lsad.LsarCreateAccount()
request['PolicyHandle'] = policyHandle
request['AccountSid'].fromCanonical(sid)
request['DesiredAccess'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
request = lsad.LsarDeleteObject()
request['ObjectHandle'] = resp['AccountHandle']
resp = dce.request(request)
resp.dump()
Example #11
| Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
|
def test_BaseRegEnumValue(self):
dce, rpctransport, phKey = self.connect()
request = rrp.BaseRegOpenKey()
request['hKey'] = phKey
request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00'
request['dwOptions'] = 0x00000001
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
request = rrp.BaseRegEnumValue()
request['hKey'] = resp['phkResult']
request['dwIndex'] = 6
request['lpValueNameIn'] = ' '*100
request['lpData'] = ' '*100
request['lpcbData'] = 100
request['lpcbLen'] = 100
resp = dce.request(request)
resp.dump()
Example #12
| Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
|
def test_BaseRegEnumKey(self):
dce, rpctransport, phKey = self.connect()
request = rrp.BaseRegOpenKey()
request['hKey'] = phKey
request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00'
request['dwOptions'] = 0x00000001
request['samDesired'] = MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS
resp = dce.request(request)
request = rrp.BaseRegEnumKey()
request['hKey'] = resp['phkResult']
request['dwIndex'] = 1
# I gotta access the fields mannually :s
request.fields['lpNameIn'].fields['MaximumLength'] = 510
request.fields['lpNameIn'].fields['Data'].fields['Data'].fields['MaximumCount'] = 255
request['lpClassIn'] = ' '*100
request['lpftLastWriteTime'] = NULL
resp = dce.request(request)
resp.dump()
Example #13
| Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_BaseRegEnumKey(self):
dce, rpctransport, phKey = self.connect()
request = rrp.BaseRegOpenKey()
request['hKey'] = phKey
request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00'
request['dwOptions'] = 0x00000001
request['samDesired'] = MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS
resp = dce.request(request)
request = rrp.BaseRegEnumKey()
request['hKey'] = resp['phkResult']
request['dwIndex'] = 1
# I gotta access the fields mannually :s
request.fields['lpNameIn'].fields['MaximumLength'] = 510
request.fields['lpNameIn'].fields['Data'].fields['Data'].fields['MaximumCount'] = 255
request['lpClassIn'] = ' '*100
request['lpftLastWriteTime'] = NULL
resp = dce.request(request)
resp.dump()
Example #14
| Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_BaseRegSaveKey(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenCurrentUser()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
request = rrp.BaseRegSaveKey()
request['hKey'] = resp['phKey']
request['lpFile'] = 'BETUSFILE2\x00'
request['pSecurityAttributes'] = NULL
resp = dce.request(request)
resp.dump()
# I gotta remove the file now :s
smb = rpctransport.get_smb_connection()
smb.deleteFile('ADMIN$', 'System32\\BETUSFILE2')
Example #15
| Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_BaseRegEnumValue(self):
dce, rpctransport, phKey = self.connect()
request = rrp.BaseRegOpenKey()
request['hKey'] = phKey
request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00'
request['dwOptions'] = 0x00000001
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
request = rrp.BaseRegEnumValue()
request['hKey'] = resp['phkResult']
request['dwIndex'] = 6
request['lpValueNameIn'] = ' '*100
request['lpData'] = ' '*100
request['lpcbData'] = 100
request['lpcbLen'] = 100
resp = dce.request(request)
resp.dump()
Example #16
| Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
|
def test_SamrEnumerateDomainsInSamServer(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrConnect()
request['ServerName'] = u'BETO\x00'
request['DesiredAccess'] = samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN
resp = dce.request(request)
request = samr.SamrEnumerateDomainsInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['EnumerationContext'] = 0
request['PreferedMaximumLength'] = 500
resp2 = dce.request(request)
resp2.dump()
request = samr.SamrLookupDomainInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['Name'] = resp2['Buffer']['Buffer'][0]['Name']
resp3 = dce.request(request)
resp3.dump()
request = samr.SamrOpenDomain()
request['ServerHandle'] = resp['ServerHandle']
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['DomainId'] = resp3['DomainId']
resp4 = dce.request(request)
resp4.dump()
Example #17
| Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
|
def test_SamrAddMemberToGroup_SamrRemoveMemberFromGroup(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrConnect()
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['ServerName'] = u'BETO\x00'
resp = dce.request(request)
request = samr.SamrOpenGroup()
request['DomainHandle'] = domainHandle
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0:
raise
Example #18
| Source File: test_lsat.py From cracke-dit with MIT License | 6 votes |
|
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts)
request = lsat.LsarOpenPolicy2()
request['SystemName'] = NULL
request['ObjectAttributes']['RootDirectory'] = NULL
request['ObjectAttributes']['ObjectName'] = NULL
request['ObjectAttributes']['SecurityDescriptor'] = NULL
request['ObjectAttributes']['SecurityQualityOfService'] = NULL
request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES
resp = dce.request(request)
return dce, rpctransport, resp['PolicyHandle']
Example #19
| Source File: test_lsad.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_LsarQuerySecret(self):
dce, rpctransport, policyHandle = self.connect()
request = lsad.LsarOpenSecret()
request['PolicyHandle'] = policyHandle
request['SecretName'] = 'DPAPI_SYSTEM'
request['DesiredAccess'] = MAXIMUM_ALLOWED
resp0 = dce.request(request)
resp0.dump()
request = lsad.LsarQuerySecret()
request['SecretHandle'] = resp0['SecretHandle']
request['EncryptedCurrentValue']['Buffer'] = NULL
request['EncryptedOldValue']['Buffer'] = NULL
request['OldValueSetTime'] = NULL
resp = dce.request(request)
resp.dump()
Example #20
| Source File: test_lsat.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts)
request = lsat.LsarOpenPolicy2()
request['SystemName'] = NULL
request['ObjectAttributes']['RootDirectory'] = NULL
request['ObjectAttributes']['ObjectName'] = NULL
request['ObjectAttributes']['SecurityDescriptor'] = NULL
request['ObjectAttributes']['SecurityQualityOfService'] = NULL
request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES
resp = dce.request(request)
return dce, rpctransport, resp['PolicyHandle']
Example #21
| Source File: test_lsad.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_LsarGetSystemAccessAccount_LsarSetSystemAccessAccount(self):
dce, rpctransport, policyHandle = self.connect()
sid = 'S-1-5-32-544'
request = lsad.LsarOpenAccount()
request['PolicyHandle'] = policyHandle
request['AccountSid'].fromCanonical(sid)
request['DesiredAccess'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
request = lsad.LsarGetSystemAccessAccount()
request['AccountHandle'] = resp['AccountHandle']
resp2 = dce.request(request)
resp.dump()
request = lsad.LsarSetSystemAccessAccount()
request['AccountHandle'] = resp['AccountHandle']
request['SystemAccess'] = resp2['SystemAccess']
resp = dce.request(request)
resp.dump()
Example #22
| Source File: test_lsad.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_LsarCreateAccount_LsarDeleteObject(self):
dce, rpctransport, policyHandle = self.connect()
request = lsad.LsarQueryInformationPolicy2()
request['PolicyHandle'] = policyHandle
request['InformationClass'] = lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation
resp = dce.request(request)
sid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical()
sid = sid + '-9999'
request = lsad.LsarCreateAccount()
request['PolicyHandle'] = policyHandle
request['AccountSid'].fromCanonical(sid)
request['DesiredAccess'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
request = lsad.LsarDeleteObject()
request['ObjectHandle'] = resp['AccountHandle']
resp = dce.request(request)
resp.dump()
Example #23
| Source File: test_lsad.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_LsarOpenAccount(self):
dce, rpctransport, policyHandle = self.connect()
request = lsad.LsarEnumerateAccounts()
request['PolicyHandle'] = policyHandle
request['PreferedMaximumLength'] = 0xffffffff
resp = dce.request(request)
resp.dump()
request = lsad.LsarOpenAccount()
request['PolicyHandle'] = policyHandle
request['AccountSid'] = resp['EnumerationBuffer']['Information'][0]['Sid']
request['DesiredAccess'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
request = lsad.LsarClose()
request['ObjectHandle'] = resp['AccountHandle']
resp = dce.request(request)
resp.dump()
Example #24
| Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
|
def test_SamrSetMemberAttributesOfGroup(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrConnect()
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['ServerName'] = u'BETO\x00'
resp = dce.request(request)
request = samr.SamrOpenGroup()
request['DomainHandle'] = domainHandle
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS
resp = dce.request(request)
request = samr.SamrSetMemberAttributesOfGroup()
request['GroupHandle'] = resp['GroupHandle']
request['MemberId'] = samr.DOMAIN_USER_RID_ADMIN
request['Attributes'] = samr.SE_GROUP_ENABLED_BY_DEFAULT
resp = dce.request(request)
resp.dump()
Example #25
| Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
|
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts)
resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport, resp['phKey']
Example #26
| Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_BaseRegQueryValue(self):
dce, rpctransport, phKey = self.connect()
request = rrp.BaseRegOpenKey()
request['hKey'] = phKey
request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00'
request['dwOptions'] = 0x00000001
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
request = rrp.BaseRegQueryValue()
request['hKey'] = resp['phkResult']
request['lpValueName'] = 'ProductName\x00'
request['lpData'] = ' '*100
request['lpcbData'] = 100
request['lpcbLen'] = 100
resp = dce.request(request)
resp.dump()
Example #27
| Source File: test_rrp.py From cracke-dit with MIT License | 5 votes |
|
def test_BaseRegQueryMultipleValues2(self):
dce, rpctransport, phKey = self.connect()
request = rrp.BaseRegOpenKey()
request['hKey'] = phKey
request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00'
request['dwOptions'] = 0x00000001
request['samDesired'] = MAXIMUM_ALLOWED | rrp.KEY_QUERY_VALUE
resp = dce.request(request)
resp.dump()
request = rrp.BaseRegQueryMultipleValues2()
item1 = rrp.RVALENT()
item1['ve_valuename'] = 'ProductName\x00'
item1['ve_valuelen'] = len('ProductName\x00')
item1['ve_valueptr'] = NULL
item1['ve_type'] = rrp.REG_SZ
item2 = rrp.RVALENT()
item2['ve_valuename'] = 'SystemRoot\x00'
item2['ve_valuelen'] = len('SystemRoot\x00')
item1['ve_valueptr'] = NULL
item2['ve_type'] = rrp.REG_SZ
item3 = rrp.RVALENT()
item3['ve_valuename'] = 'EditionID\x00'
item3['ve_valuelen'] = len('EditionID\x00')
item3['ve_valueptr'] = NULL
item3['ve_type'] = rrp.REG_SZ
request['hKey'] = resp['phkResult']
request['val_listIn'].append(item1)
request['val_listIn'].append(item2)
request['val_listIn'].append(item3)
request['num_vals'] = len(request['val_listIn'])
request['lpvalueBuf'] = list(' '*128)
request['ldwTotsize'] = 128
resp = dce.request(request)
resp.dump()
Example #28
| Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
|
def test_SamrOpenAlias(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrOpenAlias()
request['DomainHandle'] = domainHandle
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['AliasId'] = 25
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_NO_SUCH_ALIAS') < 0:
raise
Example #29
| Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
|
def test_SamrChangePasswordUser(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrCreateUser2InDomain()
request['DomainHandle'] = domainHandle
request['Name'] = 'testAccount'
request['AccountType'] = samr.USER_NORMAL_ACCOUNT
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
#request.dump()
resp0 = dce.request(request)
resp0.dump()
oldPwd = ''
oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
newPwd = 'ADMIN'
newPwdHashNT = ntlm.NTOWFv1(newPwd)
newPwdHashLM = ntlm.LMOWFv1(newPwd)
from impacket import crypto
request = samr.SamrChangePasswordUser()
request['UserHandle'] = resp0['UserHandle']
request['LmPresent'] = 0
request['OldLmEncryptedWithNewLm'] = NULL
request['NewLmEncryptedWithOldLm'] = NULL
request['NtPresent'] = 1
request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
request['NtCrossEncryptionPresent'] = 0
request['NewNtEncryptedWithNewLm'] = NULL
request['LmCrossEncryptionPresent'] = 1
request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
resp = dce.request(request)
resp.dump()
# Delete the temp user
request = samr.SamrDeleteUser()
request['UserHandle'] = resp0['UserHandle']
resp = dce.request(request)
resp.dump()
Example #30
| Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
|
def test_hSamrGetMembersInGroup(self):
dce, rpctransport, domainHandle = self.connect()
request = samr.SamrOpenGroup()
request['DomainHandle'] = domainHandle
request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED
request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS
try:
resp = dce.request(request)
resp.dump()
except Exception, e:
if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0:
raise
