Python impacket.dcerpc.v5.tsch.hSchRpcEnumTasks() Examples
The following are 5
code examples of impacket.dcerpc.v5.tsch.hSchRpcEnumTasks().
Example #1
Source File: test_tsch.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
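def test_hSchRpcEnumTasks(self):
    """Enumerate the root task folder while a temporary AT job exists.

    Binds to the Task Scheduler interface (tsch) and to the legacy AT
    service (atsvc) over the same string binding, registers an AT job with
    ``atsvc.hNetrJobAdd``, lists the root folder with
    ``tsch.hSchRpcEnumTasks`` and removes the job again.

    The job carries a command line that would run on the test target, so
    the deletion sits in a ``finally`` block: a failing enumeration must
    not leave the job registered on the host.
    """
    dce, rpctransport = self.connect(self.stringBindingAtSvc, tsch.MSRPC_UUID_TSCHS)
    dce2, rpctransport = self.connect(self.stringBindingAtSvc, atsvc.MSRPC_UUID_ATSVC)

    atInfo = AT_INFO()
    atInfo['JobTime'] = NULL
    atInfo['DaysOfMonth'] = 0
    atInfo['DaysOfWeek'] = 0
    atInfo['Flags'] = 0
    # NOTE(review): no %-formatting is applied to this literal, so the
    # doubled '%%' is sent as written; confirm that is intended.
    atInfo['Command'] = '%%COMSPEC%% /C dir > %%SYSTEMROOT%%\\Temp\\BTO\x00'

    resp = atsvc.hNetrJobAdd(dce2, NULL, atInfo)
    jobId = resp['pJobId']
    try:
        resp.dump()

        resp = tsch.hSchRpcEnumTasks(dce, '\\')
        resp.dump()
    finally:
        # Always remove the job that was just added, even when the
        # enumeration or a dump() call raised.
        resp = atsvc.hNetrJobDel(dce2, NULL, jobId, jobId)
    resp.dump()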
Example #2
Source File: test_tsch.py From cracke-dit with MIT License | 6 votes |
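def test_hSchRpcEnumTasks(self):
    """Exercise ``tsch.hSchRpcEnumTasks`` against the root task folder.

    Steps: connect to the tsch and atsvc interfaces, add an AT job through
    ``atsvc.hNetrJobAdd``, enumerate the root folder, delete the job with
    ``atsvc.hNetrJobDel``. Every response is dumped for inspection.

    Cleanup is unconditional: once the job id is known, the delete call is
    issued from ``finally`` so an exception in the enumeration step cannot
    leave a scheduled command behind on the target.
    """
    dce, rpctransport = self.connect(self.stringBindingAtSvc, tsch.MSRPC_UUID_TSCHS)
    dce2, rpctransport = self.connect(self.stringBindingAtSvc, atsvc.MSRPC_UUID_ATSVC)

    # Job definition: all schedule fields are left at NULL / 0.
    atInfo = AT_INFO()
    atInfo['JobTime'] = NULL
    atInfo['DaysOfMonth'] = 0
    atInfo['DaysOfWeek'] = 0
    atInfo['Flags'] = 0
    atInfo['Command'] = '%%COMSPEC%% /C dir > %%SYSTEMROOT%%\\Temp\\BTO\x00'

    add_resp = atsvc.hNetrJobAdd(dce2, NULL, atInfo)
    jobId = add_resp['pJobId']
    try:
        add_resp.dump()

        enum_resp = tsch.hSchRpcEnumTasks(dce, '\\')
        enum_resp.dump()
    finally:
        # Min and max job id are the same value, so only this job is removed.
        del_resp = atsvc.hNetrJobDel(dce2, NULL, jobId, jobId)
    del_resp.dump()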
Example #3
Source File: test_tsch.py From PiBunny with MIT License | 6 votes |
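def test_hSchRpcEnumTasks(self):
    """List the tasks in the root folder with a freshly added AT job present.

    Two DCE/RPC connections are opened via ``self.connect``: one bound to
    ``tsch.MSRPC_UUID_TSCHS`` for the enumeration and one bound to
    ``atsvc.MSRPC_UUID_ATSVC`` for adding and deleting the job.

    The job is deleted in a ``finally`` clause. Without it, an error raised
    by ``hSchRpcEnumTasks`` would skip the delete and leave the job, and the
    command it carries, registered on the remote host.
    """
    dce, rpctransport = self.connect(self.stringBindingAtSvc, tsch.MSRPC_UUID_TSCHS)
    dce2, rpctransport = self.connect(self.stringBindingAtSvc, atsvc.MSRPC_UUID_ATSVC)

    atInfo = AT_INFO()
    atInfo['JobTime'] = NULL
    atInfo['DaysOfMonth'] = 0
    atInfo['DaysOfWeek'] = 0
    atInfo['Flags'] = 0
    atInfo['Command'] = '%%COMSPEC%% /C dir > %%SYSTEMROOT%%\\Temp\\BTO\x00'

    resp = atsvc.hNetrJobAdd(dce2, NULL, atInfo)
    # Read the id before anything else can fail, so cleanup knows what to delete.
    jobId = resp['pJobId']
    try:
        resp.dump()
        resp = tsch.hSchRpcEnumTasks(dce, '\\')
        resp.dump()
    finally:
        resp = atsvc.hNetrJobDel(dce2, NULL, jobId, jobId)
    resp.dump()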
Example #4
Source File: test_tsch.py From Slackor with GNU General Public License v3.0 | 5 votes |
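def test_hSchRpcEnumTasks(self):
    """Enumerate the root task folder, skipping when AT jobs are unsupported.

    Connects to the tsch and atsvc interfaces, tries to add an AT job and
    returns early when the server answers ``ERROR_NOT_SUPPORTED``.
    Otherwise the root folder is enumerated with ``tsch.hSchRpcEnumTasks``
    and the job is removed again.

    Two hardening points compared with a straight-line version:

    * the ``except`` clause only calls ``get_error_code()`` when the caught
      exception provides it, so an unrelated failure is re-raised as
      itself instead of being replaced by an ``AttributeError``;
    * the job deletion runs from ``finally`` so a failed enumeration does
      not leave the job registered on the target.
    """
    dce, rpctransport = self.connect(self.stringBindingAtSvc, tsch.MSRPC_UUID_TSCHS)
    dce2, rpctransport = self.connect(self.stringBindingAtSvc, atsvc.MSRPC_UUID_ATSVC)

    atInfo = AT_INFO()
    atInfo['JobTime'] = NULL
    atInfo['DaysOfMonth'] = 0
    atInfo['DaysOfWeek'] = 0
    atInfo['Flags'] = 0
    atInfo['Command'] = '%%COMSPEC%% /C dir > %%SYSTEMROOT%%\\Temp\\BTO\x00'

    try:
        resp = atsvc.hNetrJobAdd(dce2, NULL, atInfo)
    except Exception as e:
        get_code = getattr(e, 'get_error_code', None)
        if get_code is None or get_code() != ERROR_NOT_SUPPORTED:
            raise
        # OpNum not supported, aborting test
        return

    jobId = resp['pJobId']
    try:
        resp.dump()

        resp = tsch.hSchRpcEnumTasks(dce, '\\')
        resp.dump()
    finally:
        # Remove the job even if the enumeration or a dump() call raised.
        resp = atsvc.hNetrJobDel(dce2, NULL, jobId, jobId)
    resp.dump()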
Example #5
Source File: computer.py From BloodHound.py with MIT License | 4 votes |
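def rpc_get_schtasks(self):
    """
    Query the scheduled tasks via RPC. Requires admin privileges.
    These credentials can be dumped with mimikatz via vault::cred

    Walks the root task folder and its first-level subfolders (except the
    default ``Microsoft`` folder), retrieves each task definition and
    collects the SIDs of tasks whose logon type is ``Password``, i.e.
    tasks that keep stored credentials on the host.

    Returns:
        A list of SID strings, or ``None`` when ``dce_rpc_connect``
        returned no connection.
    """
    # Blacklisted folders (Default ones)
    blacklist = [u'Microsoft\x00']
    # Start with the root folder
    folders = ['\\']
    tasks = []
    schtaskusers = []
    binding = r'ncacn_np:%s[\PIPE\atsvc]' % self.addr
    # Bound before the try so the cleanup below never touches an unassigned
    # name when the connection attempt itself raises.
    dce = None
    try:
        dce = self.dce_rpc_connect(binding, tsch.MSRPC_UUID_TSCHS, True)
        if dce is None:
            return

        # Get root folder
        resp = tsch.hSchRpcEnumFolders(dce, '\\')
        for item in resp['pNames']:
            data = item['Data']
            if data not in blacklist:
                folders.append('\\' + data)

        # Enumerate the folders we found
        # subfolders not supported yet
        for folder in folders:
            try:
                resp = tsch.hSchRpcEnumTasks(dce, folder)
                for item in resp['pNames']:
                    data = item['Data']
                    if folder != '\\':
                        # Make sure to strip the null byte
                        tasks.append(folder[:-1] + '\\' + data)
                    else:
                        tasks.append(folder + data)
            except DCERPCException as e:
                logging.debug('Error enumerating task folder %s: %s', folder, e)

        for task in tasks:
            try:
                resp = tsch.hSchRpcRetrieveTask(dce, task)
                # This returns a tuple (sid, logontype) or None
                userinfo = ADUtils.parse_task_xml(resp['pXml'])
                if userinfo and userinfo[1] == u'Password':
                    # Convert to byte string because our cache format is in bytes
                    schtaskusers.append(str(userinfo[0]))
                    logging.info('Found scheduled task %s on %s with stored credentials for SID %s', task, self.hostname, userinfo[0])
            except DCERPCException as e:
                logging.debug('Error querying task %s: %s', task, e)
    except DCERPCException as e:
        logging.debug('Exception enumerating scheduled tasks: %s', e)
    finally:
        # Close the pipe on every exit path, including unexpected
        # exceptions, but only if a connection was actually established.
        if dce is not None:
            dce.disconnect()

    return schtaskusers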