Python impacket.dcerpc.v5.dtypes.MAXIMUM_ALLOWED Examples
The following are 30
code examples of impacket.dcerpc.v5.dtypes.MAXIMUM_ALLOWED().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.dcerpc.v5.dtypes
, or try the search function
.
Example #1
Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
def test_SamrOpenGroup(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrConnect() request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['ServerName'] = u'BETO\x00' resp = dce.request(request) request = samr.SamrOpenGroup() request['DomainHandle'] = domainHandle request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0: raise
Example #2
Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
def test_BaseRegSaveKey(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenCurrentUser() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() request = rrp.BaseRegSaveKey() request['hKey'] = resp['phKey'] request['lpFile'] = 'BETUSFILE2\x00' request['pSecurityAttributes'] = NULL resp = dce.request(request) resp.dump() # I gotta remove the file now :s smb = rpctransport.get_smb_connection() smb.deleteFile('ADMIN$', 'System32\\BETUSFILE2')
Example #3
Source File: test_lsad.py From cracke-dit with MIT License | 6 votes |
def test_LsarOpenAccount(self): dce, rpctransport, policyHandle = self.connect() request = lsad.LsarEnumerateAccounts() request['PolicyHandle'] = policyHandle request['PreferedMaximumLength'] = 0xffffffff resp = dce.request(request) resp.dump() request = lsad.LsarOpenAccount() request['PolicyHandle'] = policyHandle request['AccountSid'] = resp['EnumerationBuffer']['Information'][0]['Sid'] request['DesiredAccess'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() request = lsad.LsarClose() request['ObjectHandle'] = resp['AccountHandle'] resp = dce.request(request) resp.dump()
Example #4
Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts) resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS) return dce, rpctransport, resp['phKey']
Example #5
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_SamrOpenGroup(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrConnect() request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['ServerName'] = u'BETO\x00' resp = dce.request(request) request = samr.SamrOpenGroup() request['DomainHandle'] = domainHandle request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0: raise
Example #6
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_SamrSetMemberAttributesOfGroup(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrConnect() request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['ServerName'] = u'BETO\x00' resp = dce.request(request) request = samr.SamrOpenGroup() request['DomainHandle'] = domainHandle request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS resp = dce.request(request) request = samr.SamrSetMemberAttributesOfGroup() request['GroupHandle'] = resp['GroupHandle'] request['MemberId'] = samr.DOMAIN_USER_RID_ADMIN request['Attributes'] = samr.SE_GROUP_ENABLED_BY_DEFAULT resp = dce.request(request) resp.dump()
Example #7
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_SamrEnumerateDomainsInSamServer(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrConnect() request['ServerName'] = u'BETO\x00' request['DesiredAccess'] = samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN resp = dce.request(request) request = samr.SamrEnumerateDomainsInSamServer() request['ServerHandle'] = resp['ServerHandle'] request['EnumerationContext'] = 0 request['PreferedMaximumLength'] = 500 resp2 = dce.request(request) resp2.dump() request = samr.SamrLookupDomainInSamServer() request['ServerHandle'] = resp['ServerHandle'] request['Name'] = resp2['Buffer']['Buffer'][0]['Name'] resp3 = dce.request(request) resp3.dump() request = samr.SamrOpenDomain() request['ServerHandle'] = resp['ServerHandle'] request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['DomainId'] = resp3['DomainId'] resp4 = dce.request(request) resp4.dump()
Example #8
Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
def test_BaseRegQueryValue(self): dce, rpctransport, phKey = self.connect() request = rrp.BaseRegOpenKey() request['hKey'] = phKey request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00' request['dwOptions'] = 0x00000001 request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() request = rrp.BaseRegQueryValue() request['hKey'] = resp['phkResult'] request['lpValueName'] = 'ProductName\x00' request['lpData'] = ' '*100 request['lpcbData'] = 100 request['lpcbLen'] = 100 resp = dce.request(request) resp.dump()
Example #9
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_SamrAddMemberToGroup_SamrRemoveMemberFromGroup(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrConnect() request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['ServerName'] = u'BETO\x00' resp = dce.request(request) request = samr.SamrOpenGroup() request['DomainHandle'] = domainHandle request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0: raise
Example #10
Source File: test_lsad.py From cracke-dit with MIT License | 6 votes |
def test_LsarCreateAccount_LsarDeleteObject(self): dce, rpctransport, policyHandle = self.connect() request = lsad.LsarQueryInformationPolicy2() request['PolicyHandle'] = policyHandle request['InformationClass'] = lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation resp = dce.request(request) sid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() sid = sid + '-9999' request = lsad.LsarCreateAccount() request['PolicyHandle'] = policyHandle request['AccountSid'].fromCanonical(sid) request['DesiredAccess'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() request = lsad.LsarDeleteObject() request['ObjectHandle'] = resp['AccountHandle'] resp = dce.request(request) resp.dump()
Example #11
Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
def test_BaseRegEnumValue(self): dce, rpctransport, phKey = self.connect() request = rrp.BaseRegOpenKey() request['hKey'] = phKey request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00' request['dwOptions'] = 0x00000001 request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) request = rrp.BaseRegEnumValue() request['hKey'] = resp['phkResult'] request['dwIndex'] = 6 request['lpValueNameIn'] = ' '*100 request['lpData'] = ' '*100 request['lpcbData'] = 100 request['lpcbLen'] = 100 resp = dce.request(request) resp.dump()
Example #12
Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
def test_BaseRegEnumKey(self): dce, rpctransport, phKey = self.connect() request = rrp.BaseRegOpenKey() request['hKey'] = phKey request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00' request['dwOptions'] = 0x00000001 request['samDesired'] = MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS resp = dce.request(request) request = rrp.BaseRegEnumKey() request['hKey'] = resp['phkResult'] request['dwIndex'] = 1 # I gotta access the fields mannually :s request.fields['lpNameIn'].fields['MaximumLength'] = 510 request.fields['lpNameIn'].fields['Data'].fields['Data'].fields['MaximumCount'] = 255 request['lpClassIn'] = ' '*100 request['lpftLastWriteTime'] = NULL resp = dce.request(request) resp.dump()
Example #13
Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_BaseRegEnumKey(self): dce, rpctransport, phKey = self.connect() request = rrp.BaseRegOpenKey() request['hKey'] = phKey request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00' request['dwOptions'] = 0x00000001 request['samDesired'] = MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS resp = dce.request(request) request = rrp.BaseRegEnumKey() request['hKey'] = resp['phkResult'] request['dwIndex'] = 1 # I gotta access the fields mannually :s request.fields['lpNameIn'].fields['MaximumLength'] = 510 request.fields['lpNameIn'].fields['Data'].fields['Data'].fields['MaximumCount'] = 255 request['lpClassIn'] = ' '*100 request['lpftLastWriteTime'] = NULL resp = dce.request(request) resp.dump()
Example #14
Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_BaseRegSaveKey(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenCurrentUser() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() request = rrp.BaseRegSaveKey() request['hKey'] = resp['phKey'] request['lpFile'] = 'BETUSFILE2\x00' request['pSecurityAttributes'] = NULL resp = dce.request(request) resp.dump() # I gotta remove the file now :s smb = rpctransport.get_smb_connection() smb.deleteFile('ADMIN$', 'System32\\BETUSFILE2')
Example #15
Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_BaseRegEnumValue(self): dce, rpctransport, phKey = self.connect() request = rrp.BaseRegOpenKey() request['hKey'] = phKey request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00' request['dwOptions'] = 0x00000001 request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) request = rrp.BaseRegEnumValue() request['hKey'] = resp['phkResult'] request['dwIndex'] = 6 request['lpValueNameIn'] = ' '*100 request['lpData'] = ' '*100 request['lpcbData'] = 100 request['lpcbLen'] = 100 resp = dce.request(request) resp.dump()
Example #16
Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
def test_SamrEnumerateDomainsInSamServer(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrConnect() request['ServerName'] = u'BETO\x00' request['DesiredAccess'] = samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN resp = dce.request(request) request = samr.SamrEnumerateDomainsInSamServer() request['ServerHandle'] = resp['ServerHandle'] request['EnumerationContext'] = 0 request['PreferedMaximumLength'] = 500 resp2 = dce.request(request) resp2.dump() request = samr.SamrLookupDomainInSamServer() request['ServerHandle'] = resp['ServerHandle'] request['Name'] = resp2['Buffer']['Buffer'][0]['Name'] resp3 = dce.request(request) resp3.dump() request = samr.SamrOpenDomain() request['ServerHandle'] = resp['ServerHandle'] request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['DomainId'] = resp3['DomainId'] resp4 = dce.request(request) resp4.dump()
Example #17
Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
def test_SamrAddMemberToGroup_SamrRemoveMemberFromGroup(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrConnect() request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['ServerName'] = u'BETO\x00' resp = dce.request(request) request = samr.SamrOpenGroup() request['DomainHandle'] = domainHandle request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0: raise
Example #18
Source File: test_lsat.py From cracke-dit with MIT License | 6 votes |
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts) request = lsat.LsarOpenPolicy2() request['SystemName'] = NULL request['ObjectAttributes']['RootDirectory'] = NULL request['ObjectAttributes']['ObjectName'] = NULL request['ObjectAttributes']['SecurityDescriptor'] = NULL request['ObjectAttributes']['SecurityQualityOfService'] = NULL request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES resp = dce.request(request) return dce, rpctransport, resp['PolicyHandle']
Example #19
Source File: test_lsad.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_LsarQuerySecret(self): dce, rpctransport, policyHandle = self.connect() request = lsad.LsarOpenSecret() request['PolicyHandle'] = policyHandle request['SecretName'] = 'DPAPI_SYSTEM' request['DesiredAccess'] = MAXIMUM_ALLOWED resp0 = dce.request(request) resp0.dump() request = lsad.LsarQuerySecret() request['SecretHandle'] = resp0['SecretHandle'] request['EncryptedCurrentValue']['Buffer'] = NULL request['EncryptedOldValue']['Buffer'] = NULL request['OldValueSetTime'] = NULL resp = dce.request(request) resp.dump()
Example #20
Source File: test_lsat.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts) request = lsat.LsarOpenPolicy2() request['SystemName'] = NULL request['ObjectAttributes']['RootDirectory'] = NULL request['ObjectAttributes']['ObjectName'] = NULL request['ObjectAttributes']['SecurityDescriptor'] = NULL request['ObjectAttributes']['SecurityQualityOfService'] = NULL request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES resp = dce.request(request) return dce, rpctransport, resp['PolicyHandle']
Example #21
Source File: test_lsad.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_LsarGetSystemAccessAccount_LsarSetSystemAccessAccount(self): dce, rpctransport, policyHandle = self.connect() sid = 'S-1-5-32-544' request = lsad.LsarOpenAccount() request['PolicyHandle'] = policyHandle request['AccountSid'].fromCanonical(sid) request['DesiredAccess'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() request = lsad.LsarGetSystemAccessAccount() request['AccountHandle'] = resp['AccountHandle'] resp2 = dce.request(request) resp.dump() request = lsad.LsarSetSystemAccessAccount() request['AccountHandle'] = resp['AccountHandle'] request['SystemAccess'] = resp2['SystemAccess'] resp = dce.request(request) resp.dump()
Example #22
Source File: test_lsad.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_LsarCreateAccount_LsarDeleteObject(self): dce, rpctransport, policyHandle = self.connect() request = lsad.LsarQueryInformationPolicy2() request['PolicyHandle'] = policyHandle request['InformationClass'] = lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation resp = dce.request(request) sid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() sid = sid + '-9999' request = lsad.LsarCreateAccount() request['PolicyHandle'] = policyHandle request['AccountSid'].fromCanonical(sid) request['DesiredAccess'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() request = lsad.LsarDeleteObject() request['ObjectHandle'] = resp['AccountHandle'] resp = dce.request(request) resp.dump()
Example #23
Source File: test_lsad.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_LsarOpenAccount(self): dce, rpctransport, policyHandle = self.connect() request = lsad.LsarEnumerateAccounts() request['PolicyHandle'] = policyHandle request['PreferedMaximumLength'] = 0xffffffff resp = dce.request(request) resp.dump() request = lsad.LsarOpenAccount() request['PolicyHandle'] = policyHandle request['AccountSid'] = resp['EnumerationBuffer']['Information'][0]['Sid'] request['DesiredAccess'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() request = lsad.LsarClose() request['ObjectHandle'] = resp['AccountHandle'] resp = dce.request(request) resp.dump()
Example #24
Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
def test_SamrSetMemberAttributesOfGroup(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrConnect() request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['ServerName'] = u'BETO\x00' resp = dce.request(request) request = samr.SamrOpenGroup() request['DomainHandle'] = domainHandle request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS resp = dce.request(request) request = samr.SamrSetMemberAttributesOfGroup() request['GroupHandle'] = resp['GroupHandle'] request['MemberId'] = samr.DOMAIN_USER_RID_ADMIN request['Attributes'] = samr.SE_GROUP_ENABLED_BY_DEFAULT resp = dce.request(request) resp.dump()
Example #25
Source File: test_rrp.py From cracke-dit with MIT License | 6 votes |
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts) resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS) return dce, rpctransport, resp['phKey']
Example #26
Source File: test_rrp.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_BaseRegQueryValue(self): dce, rpctransport, phKey = self.connect() request = rrp.BaseRegOpenKey() request['hKey'] = phKey request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00' request['dwOptions'] = 0x00000001 request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() request = rrp.BaseRegQueryValue() request['hKey'] = resp['phkResult'] request['lpValueName'] = 'ProductName\x00' request['lpData'] = ' '*100 request['lpcbData'] = 100 request['lpcbLen'] = 100 resp = dce.request(request) resp.dump()
Example #27
Source File: test_rrp.py From cracke-dit with MIT License | 5 votes |
def test_BaseRegQueryMultipleValues2(self): dce, rpctransport, phKey = self.connect() request = rrp.BaseRegOpenKey() request['hKey'] = phKey request['lpSubKey'] = 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00' request['dwOptions'] = 0x00000001 request['samDesired'] = MAXIMUM_ALLOWED | rrp.KEY_QUERY_VALUE resp = dce.request(request) resp.dump() request = rrp.BaseRegQueryMultipleValues2() item1 = rrp.RVALENT() item1['ve_valuename'] = 'ProductName\x00' item1['ve_valuelen'] = len('ProductName\x00') item1['ve_valueptr'] = NULL item1['ve_type'] = rrp.REG_SZ item2 = rrp.RVALENT() item2['ve_valuename'] = 'SystemRoot\x00' item2['ve_valuelen'] = len('SystemRoot\x00') item1['ve_valueptr'] = NULL item2['ve_type'] = rrp.REG_SZ item3 = rrp.RVALENT() item3['ve_valuename'] = 'EditionID\x00' item3['ve_valuelen'] = len('EditionID\x00') item3['ve_valueptr'] = NULL item3['ve_type'] = rrp.REG_SZ request['hKey'] = resp['phkResult'] request['val_listIn'].append(item1) request['val_listIn'].append(item2) request['val_listIn'].append(item3) request['num_vals'] = len(request['val_listIn']) request['lpvalueBuf'] = list(' '*128) request['ldwTotsize'] = 128 resp = dce.request(request) resp.dump()
Example #28
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
def test_SamrOpenAlias(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrOpenAlias() request['DomainHandle'] = domainHandle request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['AliasId'] = 25 try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_ALIAS') < 0: raise
Example #29
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
def test_SamrChangePasswordUser(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrCreateUser2InDomain() request['DomainHandle'] = domainHandle request['Name'] = 'testAccount' request['AccountType'] = samr.USER_NORMAL_ACCOUNT request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE #request.dump() resp0 = dce.request(request) resp0.dump() oldPwd = '' oldPwdHashNT = ntlm.NTOWFv1(oldPwd) newPwd = 'ADMIN' newPwdHashNT = ntlm.NTOWFv1(newPwd) newPwdHashLM = ntlm.LMOWFv1(newPwd) from impacket import crypto request = samr.SamrChangePasswordUser() request['UserHandle'] = resp0['UserHandle'] request['LmPresent'] = 0 request['OldLmEncryptedWithNewLm'] = NULL request['NewLmEncryptedWithOldLm'] = NULL request['NtPresent'] = 1 request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT) request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT) request['NtCrossEncryptionPresent'] = 0 request['NewNtEncryptedWithNewLm'] = NULL request['LmCrossEncryptionPresent'] = 1 request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT) resp = dce.request(request) resp.dump() # Delete the temp user request = samr.SamrDeleteUser() request['UserHandle'] = resp0['UserHandle'] resp = dce.request(request) resp.dump()
Example #30
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
def test_hSamrGetMembersInGroup(self): dce, rpctransport, domainHandle = self.connect() request = samr.SamrOpenGroup() request['DomainHandle'] = domainHandle request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED request['GroupId'] = samr.DOMAIN_GROUP_RID_USERS try: resp = dce.request(request) resp.dump() except Exception, e: if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0: raise