Python impacket.dcerpc.v5.samr.USER_NORMAL_ACCOUNT Examples
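The following are 27
code examples that use the constant impacket.dcerpc.v5.samr.USER_NORMAL_ACCOUNT, which the examples below pass either as the account type of a new user or as the UserAccountControl filter of a SAMR user enumeration.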
Example #1
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_SamrEnumerateUsersInDomain(self):
    """Page through SamrEnumerateUsersInDomain, filtered to normal user accounts.

    Each response's EnumerationContext is fed into the next request, and the
    loop ends as soon as the reported status is no longer STATUS_MORE_ENTRIES.
    """
    dce, rpctransport, domainHandle = self.connect()

    enum_request = samr.SamrEnumerateUsersInDomain()
    enum_request['DomainHandle'] = domainHandle
    enum_request['UserAccountControl'] = samr.USER_NORMAL_ACCOUNT
    enum_request['EnumerationContext'] = 0
    enum_request['PreferedMaximumLength'] = 8192

    status = nt_errors.STATUS_MORE_ENTRIES
    while status == nt_errors.STATUS_MORE_ENTRIES:
        try:
            page = dce.request(enum_request)
        except Exception as e:
            # A partial page arrives as an exception whose text names
            # STATUS_MORE_ENTRIES; any other exception is a real failure.
            if str(e).find('STATUS_MORE_ENTRIES') < 0:
                raise
            page = e.get_packet()
        page['Buffer'].dump()
        enum_request['EnumerationContext'] = page['EnumerationContext']
        status = page['ErrorCode']
Example #2
Source File: test_samr.py From PiBunny with MIT License | 6 votes |
def test_SamrEnumerateUsersInDomain(self):
    """Enumerate normal user accounts in the connected domain, one page at a time."""
    dce, rpctransport, domainHandle = self.connect()

    req = samr.SamrEnumerateUsersInDomain()
    req['DomainHandle'] = domainHandle
    req['UserAccountControl'] = samr.USER_NORMAL_ACCOUNT
    req['EnumerationContext'] = 0
    req['PreferedMaximumLength'] = 8192

    # The first request is always sent; afterwards keep going only while the
    # server reports STATUS_MORE_ENTRIES.
    while True:
        try:
            chunk = dce.request(req)
        except Exception as e:
            if 'STATUS_MORE_ENTRIES' not in str(e):
                raise
            # The "more entries" status is raised as an exception that still
            # carries the decoded response packet.
            chunk = e.get_packet()
        chunk['Buffer'].dump()
        req['EnumerationContext'] = chunk['EnumerationContext']
        if chunk['ErrorCode'] != nt_errors.STATUS_MORE_ENTRIES:
            break
Example #3
Source File: test_samr.py From cracke-dit with MIT License | 6 votes |
def test_SamrEnumerateUsersInDomain(self):
    """Walk every page of a SamrEnumerateUsersInDomain listing of normal accounts.

    The enumeration context returned with each page is passed back to the
    server to resume where the previous page stopped.
    """
    dce, rpctransport, domainHandle = self.connect()

    listing = samr.SamrEnumerateUsersInDomain()
    listing['DomainHandle'] = domainHandle
    listing['UserAccountControl'] = samr.USER_NORMAL_ACCOUNT
    listing['EnumerationContext'] = 0
    listing['PreferedMaximumLength'] = 8192

    more = nt_errors.STATUS_MORE_ENTRIES
    last_status = more
    while last_status == more:
        try:
            answer = dce.request(listing)
        except Exception as e:
            # Only the "more entries" condition is tolerated here.
            if str(e).find('STATUS_MORE_ENTRIES') < 0:
                raise
            answer = e.get_packet()
        answer['Buffer'].dump()
        listing['EnumerationContext'] = answer['EnumerationContext']
        last_status = answer['ErrorCode']
Example #4
Source File: dump.py From CVE-2019-1040 with MIT License | 6 votes |
def getDomainUsers(self, enumerationContext=0):
    """Return one page of domain accounts from SamrEnumerateUsersInDomain.

    The SAMR connection is opened on first use. The account filter selects
    normal user accounts together with workstation, server and interdomain
    trust accounts. A STATUS_MORE_ENTRIES condition is not treated as an
    error: the packet carried by the exception is returned instead.

    :param enumerationContext: enumeration context handed to the server
        (0 by default).
    :return: the response packet of the enumeration call.
    """
    if self.__samr is None:
        self.connectSamr(self.getMachineNameAndDomain()[1])

    account_types = (
        samr.USER_NORMAL_ACCOUNT
        | samr.USER_WORKSTATION_TRUST_ACCOUNT
        | samr.USER_SERVER_TRUST_ACCOUNT
        | samr.USER_INTERDOMAIN_TRUST_ACCOUNT
    )
    try:
        return samr.hSamrEnumerateUsersInDomain(
            self.__samr,
            self.__domainHandle,
            userAccountControl=account_types,
            enumerationContext=enumerationContext,
        )
    except DCERPCException as e:
        if 'STATUS_MORE_ENTRIES' not in str(e):
            raise
        return e.get_packet()
Example #5
Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 6 votes |
def test_SamrEnumerateUsersInDomain(self):
    """Exercise paged SamrEnumerateUsersInDomain calls for normal user accounts."""
    dce, rpctransport, domainHandle = self.connect()

    query = samr.SamrEnumerateUsersInDomain()
    query['DomainHandle'] = domainHandle
    query['UserAccountControl'] = samr.USER_NORMAL_ACCOUNT
    query['EnumerationContext'] = 0
    query['PreferedMaximumLength'] = 8192

    # Loop shape: send, dump, carry the context forward, stop when the
    # status is anything other than STATUS_MORE_ENTRIES.
    while True:
        try:
            result = dce.request(query)
        except Exception as e:
            if str(e).find('STATUS_MORE_ENTRIES') < 0:
                raise
            result = e.get_packet()
        result['Buffer'].dump()
        query['EnumerationContext'] = result['EnumerationContext']
        if result['ErrorCode'] != nt_errors.STATUS_MORE_ENTRIES:
            break
Example #6
Source File: secretsdump.py From Slackor with GNU General Public License v3.0 | 6 votes |
def getDomainUsers(self, enumerationContext=0):
    """Fetch a page of user and trust accounts from the domain over SAMR.

    Connects to SAMR lazily when no connection exists yet. When the server
    signals STATUS_MORE_ENTRIES, the response embedded in the exception is
    used as the result; every other DCERPCException propagates.

    :param enumerationContext: context value forwarded to the server.
    :return: the enumeration response packet.
    """
    if self.__samr is None:
        self.connectSamr(self.getMachineNameAndDomain()[1])

    # Normal users plus the three kinds of trust account.
    wanted = samr.USER_NORMAL_ACCOUNT
    wanted |= samr.USER_WORKSTATION_TRUST_ACCOUNT
    wanted |= samr.USER_SERVER_TRUST_ACCOUNT
    wanted |= samr.USER_INTERDOMAIN_TRUST_ACCOUNT

    try:
        resp = samr.hSamrEnumerateUsersInDomain(self.__samr, self.__domainHandle,
                                                userAccountControl=wanted,
                                                enumerationContext=enumerationContext)
    except DCERPCException as e:
        if str(e).find('STATUS_MORE_ENTRIES') < 0:
            raise
        resp = e.get_packet()
    return resp
Example #7
Source File: secretsdump.py From smbwrapper with GNU General Public License v3.0 | 5 votes |
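def getDomainUsers(self, enumerationContext=0):
    """Return one page of normal user accounts from SamrEnumerateUsersInDomain.

    The SAMR connection is opened on first use. Only USER_NORMAL_ACCOUNT is
    requested; the listing had the workstation, server and interdomain trust
    flags commented out, so machine and trust accounts are left out of the
    result. STATUS_MORE_ENTRIES is handled as a paging signal, and the packet
    attached to the exception becomes the result.

    :param enumerationContext: enumeration context handed to the server.
    :return: the enumeration response packet.
    """
    if self.__samr is None:
        self.connectSamr(self.getMachineNameAndDomain()[1])

    try:
        resp = samr.hSamrEnumerateUsersInDomain(self.__samr, self.__domainHandle,
                                                userAccountControl=samr.USER_NORMAL_ACCOUNT,
                                                enumerationContext=enumerationContext)
    except DCERPCException as e:
        if str(e).find('STATUS_MORE_ENTRIES') < 0:
            raise
        resp = e.get_packet()
    # The listing stopped after the except block, which made the method return
    # None; hand the page back to the caller.
    return resp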
Example #8
Source File: test_samr.py From PiBunny with MIT License | 5 votes |
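def test_SamrChangePasswordUser(self):
    """Create a temporary account, change its password with SamrChangePasswordUser, delete it.

    The account 'testAccount' is created on the connected domain. Its
    deletion runs in a ``finally`` block so that a failing password-change
    request does not leave the account behind on the server.
    """
    dce, rpctransport, domainHandle = self.connect()

    request = samr.SamrCreateUser2InDomain()
    request['DomainHandle'] = domainHandle
    request['Name'] = 'testAccount'
    request['AccountType'] = samr.USER_NORMAL_ACCOUNT
    # MAXIMUM_ALLOWED asks for whatever access the caller can be granted on
    # the new user object, in addition to the explicit read/delete rights.
    request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    resp0 = dce.request(request)

    try:
        resp0.dump()

        # Fixed throwaway credentials: empty old password, 'ADMIN' as the new one.
        oldPwd = ''
        oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
        newPwd = 'ADMIN'
        newPwdHashNT = ntlm.NTOWFv1(newPwd)
        newPwdHashLM = ntlm.LMOWFv1(newPwd)

        from impacket import crypto
        request = samr.SamrChangePasswordUser()
        request['UserHandle'] = resp0['UserHandle']
        # No LM-keyed blobs are sent (LmPresent = 0); the change is proven
        # with the old/new NT hashes encrypted under each other.
        request['LmPresent'] = 0
        request['OldLmEncryptedWithNewLm'] = NULL
        request['NewLmEncryptedWithOldLm'] = NULL
        request['NtPresent'] = 1
        request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
        request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
        request['NtCrossEncryptionPresent'] = 0
        request['NewNtEncryptedWithNewLm'] = NULL
        request['LmCrossEncryptionPresent'] = 1
        request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
        resp = dce.request(request)
        resp.dump()
    finally:
        # Delete the temp user, whether or not the steps above succeeded.
        request = samr.SamrDeleteUser()
        request['UserHandle'] = resp0['UserHandle']
        resp = dce.request(request)
        resp.dump()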
Example #9
Source File: test_samr.py From PiBunny with MIT License | 5 votes |
def test_hSamrCreateUser2InDomain_hSamrDeleteUser(self):
    """Create 'testAccount' through the hSamr helper and delete it again right away."""
    dce, rpctransport, domainHandle = self.connect()

    # Only general read and delete rights are requested on the new user handle.
    wanted_access = samr.USER_READ_GENERAL | samr.DELETE
    created = samr.hSamrCreateUser2InDomain(dce, domainHandle, 'testAccount',
                                            samr.USER_NORMAL_ACCOUNT, wanted_access)
    created.dump()

    deleted = samr.hSamrDeleteUser(dce, created['UserHandle'])
    deleted.dump()
Example #10
Source File: test_samr.py From PiBunny with MIT License | 5 votes |
def test_SamrCreateUser2InDomain_SamrDeleteUser(self):
    """Create 'testAccount' with a raw SamrCreateUser2InDomain request, then delete it."""
    dce, rpctransport, domainHandle = self.connect()

    create = samr.SamrCreateUser2InDomain()
    create['DomainHandle'] = domainHandle
    create['Name'] = 'testAccount'
    create['AccountType'] = samr.USER_NORMAL_ACCOUNT
    create['DesiredAccess'] = samr.USER_READ_GENERAL | samr.DELETE
    created = dce.request(create)
    created.dump()

    # The handle returned by the create call is the one used for deletion.
    delete = samr.SamrDeleteUser()
    delete['UserHandle'] = created['UserHandle']
    deleted = dce.request(delete)
    deleted.dump()
Example #11
Source File: secretsdump.py From PiBunny with MIT License | 5 votes |
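def getDomainUsers(self, enumerationContext=0):
    """Return one page of domain accounts from SamrEnumerateUsersInDomain.

    Opens the SAMR connection on first use. The filter covers normal user
    accounts and workstation, server and interdomain trust accounts.
    STATUS_MORE_ENTRIES is a paging signal: the packet carried by the
    exception is used as the result, while other errors propagate.

    :param enumerationContext: enumeration context handed to the server.
    :return: the enumeration response packet.
    """
    if self.__samr is None:
        self.connectSamr(self.getMachineNameAndDomain()[1])

    account_types = (samr.USER_NORMAL_ACCOUNT
                     | samr.USER_WORKSTATION_TRUST_ACCOUNT
                     | samr.USER_SERVER_TRUST_ACCOUNT
                     | samr.USER_INTERDOMAIN_TRUST_ACCOUNT)
    try:
        resp = samr.hSamrEnumerateUsersInDomain(self.__samr, self.__domainHandle,
                                                userAccountControl=account_types,
                                                enumerationContext=enumerationContext)
    except DCERPCException as e:
        if str(e).find('STATUS_MORE_ENTRIES') < 0:
            raise
        resp = e.get_packet()
    # As listed, the method ended without returning the page it had just
    # fetched; the other copies of this method on the page return resp.
    return resp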
Example #12
Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
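def test_SamrChangePasswordUser(self):
    """Change the password of a freshly created temporary account, then remove the account.

    Cleanup is placed in ``finally``: if the SamrChangePasswordUser request
    raises, 'testAccount' is still deleted rather than left on the domain.
    """
    dce, rpctransport, domainHandle = self.connect()

    create = samr.SamrCreateUser2InDomain()
    create['DomainHandle'] = domainHandle
    create['Name'] = 'testAccount'
    create['AccountType'] = samr.USER_NORMAL_ACCOUNT
    create['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    resp0 = dce.request(create)

    try:
        resp0.dump()

        from impacket import crypto

        # Hashes for the empty initial password and for the new one.
        oldPwdHashNT = ntlm.NTOWFv1('')
        newPwdHashNT = ntlm.NTOWFv1('ADMIN')
        newPwdHashLM = ntlm.LMOWFv1('ADMIN')

        change = samr.SamrChangePasswordUser()
        change['UserHandle'] = resp0['UserHandle']
        change['LmPresent'] = 0
        change['OldLmEncryptedWithNewLm'] = NULL
        change['NewLmEncryptedWithOldLm'] = NULL
        change['NtPresent'] = 1
        change['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
        change['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
        change['NtCrossEncryptionPresent'] = 0
        change['NewNtEncryptedWithNewLm'] = NULL
        # The new LM hash travels encrypted under the new NT hash.
        change['LmCrossEncryptionPresent'] = 1
        change['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
        resp = dce.request(change)
        resp.dump()
    finally:
        # Delete the temp user even when the password change failed.
        delete = samr.SamrDeleteUser()
        delete['UserHandle'] = resp0['UserHandle']
        resp = dce.request(delete)
        resp.dump()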
Example #13
Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
def test_hSamrCreateUser2InDomain_hSamrDeleteUser(self):
    """Round-trip test: hSamrCreateUser2InDomain followed by hSamrDeleteUser."""
    dce, rpctransport, domainHandle = self.connect()

    create_resp = samr.hSamrCreateUser2InDomain(
        dce,
        domainHandle,
        'testAccount',
        samr.USER_NORMAL_ACCOUNT,
        samr.USER_READ_GENERAL | samr.DELETE,
    )
    create_resp.dump()

    # Remove the account using the handle the create call returned.
    user_handle = create_resp['UserHandle']
    delete_resp = samr.hSamrDeleteUser(dce, user_handle)
    delete_resp.dump()
Example #14
Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
def test_SamrCreateUser2InDomain_SamrDeleteUser(self):
    """Send a SamrCreateUser2InDomain request for 'testAccount' and delete the result."""
    dce, rpctransport, domainHandle = self.connect()

    new_user = samr.SamrCreateUser2InDomain()
    new_user['DomainHandle'] = domainHandle
    new_user['Name'] = 'testAccount'
    new_user['AccountType'] = samr.USER_NORMAL_ACCOUNT
    # Read-general plus delete is all the access this test asks for.
    new_user['DesiredAccess'] = samr.USER_READ_GENERAL | samr.DELETE
    creation = dce.request(new_user)
    creation.dump()

    removal_req = samr.SamrDeleteUser()
    removal_req['UserHandle'] = creation['UserHandle']
    removal = dce.request(removal_req)
    removal.dump()
Example #15
Source File: secretsdump.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
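def getDomainUsers(self, enumerationContext=0):
    """Fetch one page of user and trust accounts from the domain over SAMR.

    Connects to SAMR lazily. The enumeration filter combines normal accounts
    with workstation, server and interdomain trust accounts. When the server
    reports STATUS_MORE_ENTRIES, the response embedded in the exception is
    returned; other DCERPCException instances are re-raised.

    :param enumerationContext: context value forwarded to the server.
    :return: the enumeration response packet.
    """
    if self.__samr is None:
        self.connectSamr(self.getMachineNameAndDomain()[1])

    wanted = samr.USER_NORMAL_ACCOUNT
    wanted |= samr.USER_WORKSTATION_TRUST_ACCOUNT
    wanted |= samr.USER_SERVER_TRUST_ACCOUNT
    wanted |= samr.USER_INTERDOMAIN_TRUST_ACCOUNT

    try:
        resp = samr.hSamrEnumerateUsersInDomain(self.__samr, self.__domainHandle,
                                                userAccountControl=wanted,
                                                enumerationContext=enumerationContext)
    except DCERPCException as e:
        if 'STATUS_MORE_ENTRIES' not in str(e):
            raise
        resp = e.get_packet()
    # The listing computed resp and then fell off the end of the function,
    # so callers received None; return the page.
    return resp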
Example #16
Source File: dump.py From Exchange2domain with MIT License | 5 votes |
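def getDomainUsers(self, enumerationContext=0):
    """Return a page of accounts enumerated through SamrEnumerateUsersInDomain.

    A SAMR connection is established first if none exists. Normal user
    accounts and all three trust-account types are requested. A
    STATUS_MORE_ENTRIES exception is unwrapped into its response packet.

    :param enumerationContext: enumeration context handed to the server.
    :return: the enumeration response packet.
    """
    if self.__samr is None:
        self.connectSamr(self.getMachineNameAndDomain()[1])

    account_filter = (
        samr.USER_NORMAL_ACCOUNT
        | samr.USER_WORKSTATION_TRUST_ACCOUNT
        | samr.USER_SERVER_TRUST_ACCOUNT
        | samr.USER_INTERDOMAIN_TRUST_ACCOUNT
    )
    try:
        return samr.hSamrEnumerateUsersInDomain(
            self.__samr,
            self.__domainHandle,
            userAccountControl=account_filter,
            enumerationContext=enumerationContext,
        )
    except DCERPCException as e:
        if str(e).find('STATUS_MORE_ENTRIES') < 0:
            raise
        # The listing assigned this packet to resp and never returned it;
        # return it so both paths yield the page.
        return e.get_packet()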
Example #17
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
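def test_SamrChangePasswordUser(self):
    """Exercise SamrChangePasswordUser against a temporary account.

    Steps: create 'testAccount', change its password from empty to 'ADMIN'
    using NT-hash cross encryption, delete the account. The delete step is
    in ``finally`` so an error in the middle cannot leave the account on
    the server.
    """
    dce, rpctransport, domainHandle = self.connect()

    request = samr.SamrCreateUser2InDomain()
    request['DomainHandle'] = domainHandle
    request['Name'] = 'testAccount'
    request['AccountType'] = samr.USER_NORMAL_ACCOUNT
    request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    resp0 = dce.request(request)
    user_handle = resp0['UserHandle']

    try:
        resp0.dump()

        oldPwd = ''
        newPwd = 'ADMIN'
        oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
        newPwdHashNT = ntlm.NTOWFv1(newPwd)
        newPwdHashLM = ntlm.LMOWFv1(newPwd)

        from impacket import crypto
        request = samr.SamrChangePasswordUser()
        request['UserHandle'] = user_handle
        # LM-keyed fields are absent; NT-keyed fields carry the change.
        request['LmPresent'] = 0
        request['OldLmEncryptedWithNewLm'] = NULL
        request['NewLmEncryptedWithOldLm'] = NULL
        request['NtPresent'] = 1
        request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
        request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
        request['NtCrossEncryptionPresent'] = 0
        request['NewNtEncryptedWithNewLm'] = NULL
        request['LmCrossEncryptionPresent'] = 1
        request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
        resp = dce.request(request)
        resp.dump()
    finally:
        # Delete the temp user on every exit path.
        request = samr.SamrDeleteUser()
        request['UserHandle'] = user_handle
        resp = dce.request(request)
        resp.dump()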
Example #18
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
def test_hSamrCreateUser2InDomain_hSamrDeleteUser(self):
    """Check that the hSamr create and delete helpers work back to back."""
    dce, rpctransport, domainHandle = self.connect()

    account_name = 'testAccount'
    access_mask = samr.USER_READ_GENERAL | samr.DELETE

    resp = samr.hSamrCreateUser2InDomain(dce, domainHandle, account_name,
                                         samr.USER_NORMAL_ACCOUNT, access_mask)
    resp.dump()

    # The created user's handle is consumed directly by the delete helper.
    resp = samr.hSamrDeleteUser(dce, resp['UserHandle'])
    resp.dump()
Example #19
Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
def test_SamrCreateUser2InDomain_SamrDeleteUser(self):
    """Build the create and delete SAMR requests by hand and send them in sequence."""
    dce, rpctransport, domainHandle = self.connect()

    create_req = samr.SamrCreateUser2InDomain()
    create_req['DomainHandle'] = domainHandle
    create_req['Name'] = 'testAccount'
    create_req['AccountType'] = samr.USER_NORMAL_ACCOUNT
    create_req['DesiredAccess'] = samr.USER_READ_GENERAL | samr.DELETE
    create_resp = dce.request(create_req)
    create_resp.dump()

    # Delete the account that was just created.
    delete_req = samr.SamrDeleteUser()
    delete_req['UserHandle'] = create_resp['UserHandle']
    delete_resp = dce.request(delete_req)
    delete_resp.dump()
Example #20
Source File: secretsdump.py From cracke-dit with MIT License | 5 votes |
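def getDomainUsers(self, enumerationContext=0):
    """Return one page of SamrEnumerateUsersInDomain results for the domain.

    The SAMR connection is created on demand. The filter asks for normal
    user accounts and for workstation, server and interdomain trust
    accounts. STATUS_MORE_ENTRIES is treated as "page returned, more
    available": the packet attached to the exception is the result.

    :param enumerationContext: enumeration context handed to the server.
    :return: the enumeration response packet.
    """
    if self.__samr is None:
        self.connectSamr(self.getMachineNameAndDomain()[1])

    flags = (samr.USER_NORMAL_ACCOUNT
             | samr.USER_WORKSTATION_TRUST_ACCOUNT
             | samr.USER_SERVER_TRUST_ACCOUNT
             | samr.USER_INTERDOMAIN_TRUST_ACCOUNT)
    try:
        resp = samr.hSamrEnumerateUsersInDomain(self.__samr, self.__domainHandle,
                                                userAccountControl=flags,
                                                enumerationContext=enumerationContext)
    except DCERPCException as e:
        if str(e).find('STATUS_MORE_ENTRIES') < 0:
            raise
        resp = e.get_packet()
    # Missing in the listing: without this line the fetched page is discarded
    # and the caller gets None.
    return resp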
Example #21
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
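def test_SamrChangePasswordUser(self):
    """Create 'testAccount', run SamrChangePasswordUser on it, and always delete it.

    The original flow deleted the account only when every earlier request
    succeeded; the deletion now sits in ``finally`` so the temporary account
    is removed on failure as well.
    """
    dce, rpctransport, domainHandle = self.connect()

    request = samr.SamrCreateUser2InDomain()
    request['DomainHandle'] = domainHandle
    request['Name'] = 'testAccount'
    request['AccountType'] = samr.USER_NORMAL_ACCOUNT
    # MAXIMUM_ALLOWED requests every right the caller can be granted on the
    # new object, beyond the explicit read/delete bits.
    request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    resp0 = dce.request(request)

    try:
        resp0.dump()

        from impacket import crypto

        oldPwd = ''
        oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
        newPwd = 'ADMIN'
        newPwdHashNT = ntlm.NTOWFv1(newPwd)
        newPwdHashLM = ntlm.LMOWFv1(newPwd)

        request = samr.SamrChangePasswordUser()
        request['UserHandle'] = resp0['UserHandle']
        request['LmPresent'] = 0
        request['OldLmEncryptedWithNewLm'] = NULL
        request['NewLmEncryptedWithOldLm'] = NULL
        request['NtPresent'] = 1
        # Each NT hash is encrypted with the other one as key.
        request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
        request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
        request['NtCrossEncryptionPresent'] = 0
        request['NewNtEncryptedWithNewLm'] = NULL
        request['LmCrossEncryptionPresent'] = 1
        request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
        resp = dce.request(request)
        resp.dump()
    finally:
        # Delete the temp user
        request = samr.SamrDeleteUser()
        request['UserHandle'] = resp0['UserHandle']
        resp = dce.request(request)
        resp.dump()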
Example #22
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_hSamrCreateUser2InDomain_hSamrDeleteUser(self):
    """Create a normal account named 'testAccount' via the helper API and delete it."""
    dce, rpctransport, domainHandle = self.connect()

    creation = samr.hSamrCreateUser2InDomain(
        dce, domainHandle, 'testAccount', samr.USER_NORMAL_ACCOUNT,
        samr.USER_READ_GENERAL | samr.DELETE)
    creation.dump()

    # Clean up straight away with the handle from the create response.
    removal = samr.hSamrDeleteUser(dce, creation['UserHandle'])
    removal.dump()
Example #23
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_SamrCreateUser2InDomain_SamrDeleteUser(self):
    """Raw-request variant of the create-then-delete account test."""
    dce, rpctransport, domainHandle = self.connect()

    access = samr.USER_READ_GENERAL | samr.DELETE

    req = samr.SamrCreateUser2InDomain()
    req['DomainHandle'] = domainHandle
    req['Name'] = 'testAccount'
    req['AccountType'] = samr.USER_NORMAL_ACCOUNT
    req['DesiredAccess'] = access
    created = dce.request(req)
    created.dump()

    # Second request: remove the account through its user handle.
    req = samr.SamrDeleteUser()
    req['UserHandle'] = created['UserHandle']
    outcome = dce.request(req)
    outcome.dump()
Example #24
Source File: test_samr.py From cracke-dit with MIT License | 4 votes |
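def test_hSamrUnicodeChangePasswordUser2(self):
    """Set a password on a temporary account, then change it with hSamrUnicodeChangePasswordUser2.

    'testAccount' is created, given the password 'ADMIN' through
    SamrChangePasswordUser, and then changed to 'betus' with the Unicode
    helper. A STATUS_PASSWORD_RESTRICTION answer to the second change is
    tolerated. The listing ended at the "Delete the temp user" comment
    without deleting anything; the deletion is restored here and placed in
    ``finally`` so the account is removed on every exit path.
    """
    dce, rpctransport, domainHandle = self.connect()

    request = samr.SamrCreateUser2InDomain()
    request['DomainHandle'] = domainHandle
    request['Name'] = 'testAccount'
    request['AccountType'] = samr.USER_NORMAL_ACCOUNT
    request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    resp0 = dce.request(request)

    try:
        resp0.dump()

        oldPwd = ''
        oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
        newPwd = 'ADMIN'
        newPwdHashNT = ntlm.NTOWFv1(newPwd)
        newPwdHashLM = ntlm.LMOWFv1(newPwd)

        from impacket import crypto
        request = samr.SamrChangePasswordUser()
        request['UserHandle'] = resp0['UserHandle']
        request['LmPresent'] = 0
        request['OldLmEncryptedWithNewLm'] = NULL
        request['NewLmEncryptedWithOldLm'] = NULL
        request['NtPresent'] = 1
        request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
        request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
        request['NtCrossEncryptionPresent'] = 0
        request['NewNtEncryptedWithNewLm'] = NULL
        request['LmCrossEncryptionPresent'] = 1
        request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
        resp = dce.request(request)
        resp.dump()

        try:
            resp = samr.hSamrUnicodeChangePasswordUser2(dce, '', 'testAccount', 'ADMIN', 'betus')
            resp.dump()
        except Exception as e:
            # The server may refuse the second change with a password
            # restriction status; that outcome is accepted by this test.
            if str(e).find('STATUS_PASSWORD_RESTRICTION') < 0:
                raise
    finally:
        # Delete the temp user
        request = samr.SamrDeleteUser()
        request['UserHandle'] = resp0['UserHandle']
        resp = dce.request(request)
        resp.dump()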
Example #25
Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 4 votes |
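def test_hSamrUnicodeChangePasswordUser2(self):
    """Exercise hSamrUnicodeChangePasswordUser2 on a temporary account.

    The account is created, its password is set to 'ADMIN' through
    SamrChangePasswordUser, and the Unicode helper then attempts the change
    from 'ADMIN' to 'betus'. STATUS_PASSWORD_RESTRICTION is accepted as a
    valid outcome. Deletion of 'testAccount' runs in ``finally``: previously
    any other exception skipped it and left the account on the server.
    """
    dce, rpctransport, domainHandle = self.connect()

    create = samr.SamrCreateUser2InDomain()
    create['DomainHandle'] = domainHandle
    create['Name'] = 'testAccount'
    create['AccountType'] = samr.USER_NORMAL_ACCOUNT
    create['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    resp0 = dce.request(create)

    try:
        resp0.dump()

        from impacket import crypto

        oldPwd = ''
        newPwd = 'ADMIN'
        oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
        newPwdHashNT = ntlm.NTOWFv1(newPwd)
        newPwdHashLM = ntlm.LMOWFv1(newPwd)

        change = samr.SamrChangePasswordUser()
        change['UserHandle'] = resp0['UserHandle']
        change['LmPresent'] = 0
        change['OldLmEncryptedWithNewLm'] = NULL
        change['NewLmEncryptedWithOldLm'] = NULL
        change['NtPresent'] = 1
        change['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
        change['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
        change['NtCrossEncryptionPresent'] = 0
        change['NewNtEncryptedWithNewLm'] = NULL
        change['LmCrossEncryptionPresent'] = 1
        change['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
        resp = dce.request(change)
        resp.dump()

        try:
            resp = samr.hSamrUnicodeChangePasswordUser2(dce, '', 'testAccount', 'ADMIN', 'betus')
            resp.dump()
        except Exception as e:
            if str(e).find('STATUS_PASSWORD_RESTRICTION') < 0:
                raise
    finally:
        # Delete the temp user
        delete = samr.SamrDeleteUser()
        delete['UserHandle'] = resp0['UserHandle']
        resp = dce.request(delete)
        resp.dump()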
Example #26
Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 4 votes |
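def test_hSamrUnicodeChangePasswordUser2(self):
    """Create a temporary account and change its password twice, the second time via the Unicode helper.

    As listed, the function stopped at the "Delete the temp user" comment and
    never removed 'testAccount'. The SamrDeleteUser request is added back,
    inside ``finally``, so the account does not persist after the test.
    """
    dce, rpctransport, domainHandle = self.connect()

    request = samr.SamrCreateUser2InDomain()
    request['DomainHandle'] = domainHandle
    request['Name'] = 'testAccount'
    request['AccountType'] = samr.USER_NORMAL_ACCOUNT
    request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    resp0 = dce.request(request)
    user_handle = resp0['UserHandle']

    try:
        resp0.dump()

        # First change: empty password -> 'ADMIN', proven with NT hashes.
        oldPwd = ''
        oldPwdHashNT = ntlm.NTOWFv1(oldPwd)
        newPwd = 'ADMIN'
        newPwdHashNT = ntlm.NTOWFv1(newPwd)
        newPwdHashLM = ntlm.LMOWFv1(newPwd)

        from impacket import crypto
        request = samr.SamrChangePasswordUser()
        request['UserHandle'] = user_handle
        request['LmPresent'] = 0
        request['OldLmEncryptedWithNewLm'] = NULL
        request['NewLmEncryptedWithOldLm'] = NULL
        request['NtPresent'] = 1
        request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
        request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
        request['NtCrossEncryptionPresent'] = 0
        request['NewNtEncryptedWithNewLm'] = NULL
        request['LmCrossEncryptionPresent'] = 1
        request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
        resp = dce.request(request)
        resp.dump()

        # Second change: 'ADMIN' -> 'betus' through the helper; a password
        # restriction status from the server is not a test failure.
        try:
            resp = samr.hSamrUnicodeChangePasswordUser2(dce, '', 'testAccount', 'ADMIN', 'betus')
            resp.dump()
        except Exception as e:
            if 'STATUS_PASSWORD_RESTRICTION' not in str(e):
                raise
    finally:
        # Delete the temp user
        request = samr.SamrDeleteUser()
        request['UserHandle'] = user_handle
        resp = dce.request(request)
        resp.dump()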
Example #27
Source File: test_samr.py From PiBunny with MIT License | 4 votes |
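def test_hSamrUnicodeChangePasswordUser2(self):
    """Test hSamrUnicodeChangePasswordUser2 against a short-lived account.

    Flow: create 'testAccount'; set its password to 'ADMIN' with
    SamrChangePasswordUser; try to change it to 'betus' with the Unicode
    helper, accepting STATUS_PASSWORD_RESTRICTION; delete the account. The
    listing announced the deletion in a comment but contained no code for
    it, so the delete request is supplied here and guarded by ``finally``.
    """
    dce, rpctransport, domainHandle = self.connect()

    request = samr.SamrCreateUser2InDomain()
    request['DomainHandle'] = domainHandle
    request['Name'] = 'testAccount'
    request['AccountType'] = samr.USER_NORMAL_ACCOUNT
    # MAXIMUM_ALLOWED asks for all access the caller can be granted on the
    # new user object, on top of the explicit read/delete rights.
    request['DesiredAccess'] = dtypes.MAXIMUM_ALLOWED | samr.USER_READ_GENERAL | samr.DELETE
    resp0 = dce.request(request)

    try:
        resp0.dump()

        from impacket import crypto

        oldPwdHashNT = ntlm.NTOWFv1('')
        newPwdHashNT = ntlm.NTOWFv1('ADMIN')
        newPwdHashLM = ntlm.LMOWFv1('ADMIN')

        request = samr.SamrChangePasswordUser()
        request['UserHandle'] = resp0['UserHandle']
        request['LmPresent'] = 0
        request['OldLmEncryptedWithNewLm'] = NULL
        request['NewLmEncryptedWithOldLm'] = NULL
        request['NtPresent'] = 1
        request['OldNtEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(oldPwdHashNT, newPwdHashNT)
        request['NewNtEncryptedWithOldNt'] = crypto.SamEncryptNTLMHash(newPwdHashNT, oldPwdHashNT)
        request['NtCrossEncryptionPresent'] = 0
        request['NewNtEncryptedWithNewLm'] = NULL
        request['LmCrossEncryptionPresent'] = 1
        request['NewLmEncryptedWithNewNt'] = crypto.SamEncryptNTLMHash(newPwdHashLM, newPwdHashNT)
        resp = dce.request(request)
        resp.dump()

        try:
            resp = samr.hSamrUnicodeChangePasswordUser2(dce, '', 'testAccount', 'ADMIN', 'betus')
            resp.dump()
        except Exception as e:
            if str(e).find('STATUS_PASSWORD_RESTRICTION') < 0:
                raise
    finally:
        # Delete the temp user
        request = samr.SamrDeleteUser()
        request['UserHandle'] = resp0['UserHandle']
        resp = dce.request(request)
        resp.dump()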