Python impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR Examples
The following are 30
code examples of impacket.dcerpc.v5.samr.MSRPC_UUID_SAMR().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.dcerpc.v5.samr
, or try the search function
.
.
Example #1
| Source File: enum.py From CVE-2019-1040 with MIT License | 6 votes |
|
def __getLocalAdminSids(self):
dce = self.__getDceBinding(self.__samrBinding)
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, 'Builtin')
resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
domainHandle = resp['DomainHandle']
resp = samr.hSamrOpenAlias(dce, domainHandle, desiredAccess=MAXIMUM_ALLOWED, aliasId=544)
resp = samr.hSamrGetMembersInAlias(dce, resp['AliasHandle'])
memberSids = []
for member in resp['Members']['Sids']:
memberSids.append(member['SidPointer'].formatCanonical())
dce.disconnect()
return memberSids
Example #2
| Source File: goldenPac.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def getUserSID(self):
stringBinding = r'ncacn_np:%s[\pipe\samr]' % self.__kdcHost
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(self.__username,self.__password, self.__domain, self.__lmhash, self.__nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, self.__domain)
domainId = resp['DomainId']
resp = samr.hSamrOpenDomain(dce, serverHandle, domainId = domainId)
domainHandle = resp['DomainHandle']
resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.__username,))
# Let's pick the relative ID
rid = resp['RelativeIds']['Element'][0]['Data']
logging.info("User SID: %s-%s"% (domainId.formatCanonical(), rid))
return domainId, rid
Example #3
| Source File: enum.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def __getLocalAdminSids(self):
dce = self.__getDceBinding(self.__samrBinding)
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, 'Builtin')
resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
domainHandle = resp['DomainHandle']
resp = samr.hSamrOpenAlias(dce, domainHandle, desiredAccess=MAXIMUM_ALLOWED, aliasId=544)
resp = samr.hSamrGetMembersInAlias(dce, resp['AliasHandle'])
memberSids = []
for member in resp['Members']['Sids']:
memberSids.append(member['SidPointer'].formatCanonical())
dce.disconnect()
return memberSids
Example #4
| Source File: enum.py From Exchange2domain with MIT License | 6 votes |
|
def __getLocalAdminSids(self):
dce = self.__getDceBinding(self.__samrBinding)
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, 'Builtin')
resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp['DomainId'])
domainHandle = resp['DomainHandle']
resp = samr.hSamrOpenAlias(dce, domainHandle, desiredAccess=MAXIMUM_ALLOWED, aliasId=544)
resp = samr.hSamrGetMembersInAlias(dce, resp['AliasHandle'])
memberSids = []
for member in resp['Members']['Sids']:
memberSids.append(member['SidPointer'].formatCanonical())
dce.disconnect()
return memberSids
Example #5
| Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('TCPTransport', 'username')
self.domain = configFile.get('TCPTransport', 'domain')
self.serverName = configFile.get('TCPTransport', 'servername')
self.password = configFile.get('TCPTransport', 'password')
self.machine = configFile.get('TCPTransport', 'machine')
self.hashes = configFile.get('TCPTransport', 'hashes')
#print epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
# Process command-line arguments.
Example #6
| Source File: goldenPac.py From PiBunny with MIT License | 6 votes |
|
def getUserSID(self):
stringBinding = r'ncacn_np:%s[\pipe\samr]' % self.__kdcHost
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(self.__username,self.__password, self.__domain, self.__lmhash, self.__nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, self.__domain)
domainId = resp['DomainId']
resp = samr.hSamrOpenDomain(dce, serverHandle, domainId = domainId)
domainHandle = resp['DomainHandle']
resp = samr.hSamrLookupNamesInDomain(dce, domainHandle, (self.__username,))
# Let's pick the relative ID
rid = resp['RelativeIds']['Element'][0]['Data']
logging.info("User SID: %s-%s"% (domainId.formatCanonical(), rid))
return domainId, rid
Example #7
| Source File: test_samr.py From PiBunny with MIT License | 6 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('TCPTransport', 'username')
self.domain = configFile.get('TCPTransport', 'domain')
self.serverName = configFile.get('TCPTransport', 'servername')
self.password = configFile.get('TCPTransport', 'password')
self.machine = configFile.get('TCPTransport', 'machine')
self.hashes = configFile.get('TCPTransport', 'hashes')
#print epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
# Process command-line arguments.
Example #8
| Source File: secretsdump.py From PiBunny with MIT License | 5 votes |
|
def connectSamr(self, domain):
rpc = transport.DCERPCTransportFactory(self.__stringBindingSamr)
rpc.set_smb_connection(self.__smbConnection)
self.__samr = rpc.get_dce_rpc()
self.__samr.connect()
self.__samr.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(self.__samr)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(self.__samr, serverHandle, domain)
resp = samr.hSamrOpenDomain(self.__samr, serverHandle=serverHandle, domainId=resp['DomainId'])
self.__domainHandle = resp['DomainHandle']
self.__domainName = domain
Example #9
| Source File: test_samr.py From PiBunny with MIT License | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('SMBTransport', 'username')
self.domain = configFile.get('SMBTransport', 'domain')
self.serverName = configFile.get('SMBTransport', 'servername')
self.password = configFile.get('SMBTransport', 'password')
self.machine = configFile.get('SMBTransport', 'machine')
self.hashes = configFile.get('SMBTransport', 'hashes')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')
self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
Example #10
| Source File: smbclient.py From PiBunny with MIT License | 5 votes |
|
def do_password(self, line):
if self.loggedIn is False:
logging.error("Not logged in")
return
from getpass import getpass
newPassword = getpass("New Password:")
rpctransport = transport.SMBTransport(self.smb.getRemoteHost(), filename = r'\samr', smb_connection = self.smb)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
samr.hSamrUnicodeChangePasswordUser2(dce, '\x00', self.username, self.password, newPassword, self.lmhash, self.nthash)
self.password = newPassword
self.lmhash = None
self.nthash = None
Example #11
| Source File: rpc.py From ActiveReign with GNU General Public License v3.0 | 5 votes |
|
def create_rpc_con(self, pipe):
# Here we build the DCE/RPC connection
self.pipe = pipe
binding_strings = dict()
binding_strings['srvsvc'] = srvs.MSRPC_UUID_SRVS
binding_strings['wkssvc'] = wkst.MSRPC_UUID_WKST
binding_strings['samr'] = samr.MSRPC_UUID_SAMR
binding_strings['svcctl'] = scmr.MSRPC_UUID_SCMR
binding_strings['drsuapi'] = drsuapi.MSRPC_UUID_DRSUAPI
if self.pipe == r'\drsuapi':
string_binding = epm.hept_map(self.host, drsuapi.MSRPC_UUID_DRSUAPI, protocol='ncacn_ip_tcp')
rpctransport = transport.DCERPCTransportFactory(string_binding)
rpctransport.set_credentials(username=self.username, password=self.password,domain=self.domain, lmhash=self.lmhash,nthash=self.nthash)
else:
rpctransport = transport.SMBTransport(self.host, self.port, self.pipe,username=self.username, password=self.password, domain=self.domain, lmhash=self.lmhash,nthash=self.nthash)
# SET TIMEOUT
rpctransport.set_connect_timeout(self.timeout)
dce = rpctransport.get_dce_rpc()
if self.pipe == r'\drsuapi':
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
try:
dce.connect()
except socket.error:
self.rpc_connection = None
else:
dce.bind(binding_strings[self.pipe[1:]])
self.rpc_connection = dce
Example #12
| Source File: test_rpcrt.py From PiBunny with MIT License | 5 votes |
|
def test_bigRequestMustFragment(self):
class dummyCall(NDRCALL):
opnum = 2
structure = (
('Name', RPC_UNICODE_STRING),
)
lmhash, nthash = self.hashes.split(':')
oldBinding = self.stringBinding
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
print self.stringBinding
dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceFragment=0,
auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, auth_type=RPC_C_AUTHN_GSS_NEGOTIATE,
dceAuth=True,
doKerberos=True, bind=samr.MSRPC_UUID_SAMR)
self.stringBinding = oldBinding
request = samr.SamrConnect()
request['ServerName'] = u'BETO\x00'
request['DesiredAccess'] = samr.DELETE | samr.READ_CONTROL | samr.WRITE_DAC | samr.WRITE_OWNER | samr.ACCESS_SYSTEM_SECURITY | samr.GENERIC_READ | samr.GENERIC_WRITE | samr.GENERIC_EXECUTE | samr.SAM_SERVER_CONNECT | samr.SAM_SERVER_SHUTDOWN | samr.SAM_SERVER_INITIALIZE | samr.SAM_SERVER_CREATE_DOMAIN | samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN | samr.SAM_SERVER_READ | samr.SAM_SERVER_WRITE | samr.SAM_SERVER_EXECUTE
resp = dce.request(request)
request = samr.SamrEnumerateDomainsInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['EnumerationContext'] = 0
request['PreferedMaximumLength'] = 500
resp2 = dce.request(request)
try:
request = samr.SamrLookupDomainInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['Name'] = 'A'*4500
resp = dce.request(request)
except Exception, e:
if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0:
raise
Example #13
| Source File: dump.py From CVE-2019-1040 with MIT License | 5 votes |
|
def connectSamr(self, domain):
rpc = transport.DCERPCTransportFactory(self.__stringBindingSamr)
rpc.set_smb_connection(self.__smbConnection)
self.__samr = rpc.get_dce_rpc()
self.__samr.connect()
self.__samr.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(self.__samr)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(self.__samr, serverHandle, domain)
resp = samr.hSamrOpenDomain(self.__samr, serverHandle=serverHandle, domainId=resp['DomainId'])
self.__domainHandle = resp['DomainHandle']
self.__domainName = domain
Example #14
| Source File: test_samr.py From PiBunny with MIT License | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('TCPTransport', 'username')
self.domain = configFile.get('TCPTransport', 'domain')
self.serverName = configFile.get('TCPTransport', 'servername')
self.password = configFile.get('TCPTransport', 'password')
self.machine = configFile.get('TCPTransport', 'machine')
self.hashes = configFile.get('TCPTransport', 'hashes')
#print epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
Example #15
| Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('SMBTransport', 'username')
self.domain = configFile.get('SMBTransport', 'domain')
self.serverName = configFile.get('SMBTransport', 'servername')
self.password = configFile.get('SMBTransport', 'password')
self.machine = configFile.get('SMBTransport', 'machine')
self.hashes = configFile.get('SMBTransport', 'hashes')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')
self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
Example #16
| Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('TCPTransport', 'username')
self.domain = configFile.get('TCPTransport', 'domain')
self.serverName = configFile.get('TCPTransport', 'servername')
self.password = configFile.get('TCPTransport', 'password')
self.machine = configFile.get('TCPTransport', 'machine')
self.hashes = configFile.get('TCPTransport', 'hashes')
#print epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
Example #17
| Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('SMBTransport', 'username')
self.domain = configFile.get('SMBTransport', 'domain')
self.serverName = configFile.get('SMBTransport', 'servername')
self.password = configFile.get('SMBTransport', 'password')
self.machine = configFile.get('SMBTransport', 'machine')
self.hashes = configFile.get('SMBTransport', 'hashes')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')
self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
Example #18
| Source File: test_samr.py From PiBunny with MIT License | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('SMBTransport', 'username')
self.domain = configFile.get('SMBTransport', 'domain')
self.serverName = configFile.get('SMBTransport', 'servername')
self.password = configFile.get('SMBTransport', 'password')
self.machine = configFile.get('SMBTransport', 'machine')
self.hashes = configFile.get('SMBTransport', 'hashes')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')
self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
Example #19
| Source File: test_samr.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
#rpctransport.set_dport(self.dport)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(samr.MSRPC_UUID_SAMR, transfer_syntax = self.ts)
request = samr.SamrConnect()
request['ServerName'] = 'BETO\x00'
request['DesiredAccess'] = samr.DELETE | samr.READ_CONTROL | samr.WRITE_DAC | samr.WRITE_OWNER | samr.ACCESS_SYSTEM_SECURITY | samr.GENERIC_READ | samr.GENERIC_WRITE | samr.GENERIC_EXECUTE | samr.SAM_SERVER_CONNECT | samr.SAM_SERVER_SHUTDOWN | samr.SAM_SERVER_INITIALIZE | samr.SAM_SERVER_CREATE_DOMAIN | samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN | samr.SAM_SERVER_READ | samr.SAM_SERVER_WRITE | samr.SAM_SERVER_EXECUTE
resp = dce.request(request)
request = samr.SamrEnumerateDomainsInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['EnumerationContext'] = 0
request['PreferedMaximumLength'] = 500
resp2 = dce.request(request)
request = samr.SamrLookupDomainInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['Name'] = resp2['Buffer']['Buffer'][0]['Name']
resp3 = dce.request(request)
request = samr.SamrOpenDomain()
request['ServerHandle'] = resp['ServerHandle']
request['DesiredAccess'] = samr.DOMAIN_READ_PASSWORD_PARAMETERS | samr.DOMAIN_READ_OTHER_PARAMETERS | samr.DOMAIN_CREATE_USER | samr.DOMAIN_CREATE_ALIAS | samr.DOMAIN_LOOKUP | samr.DOMAIN_LIST_ACCOUNTS | samr.DOMAIN_ADMINISTER_SERVER | samr.DELETE | samr.READ_CONTROL | samr.ACCESS_SYSTEM_SECURITY | samr.DOMAIN_WRITE_OTHER_PARAMETERS | samr.DOMAIN_WRITE_PASSWORD_PARAMS
request['DomainId'] = resp3['DomainId']
resp4 = dce.request(request)
return dce, rpctransport, resp4['DomainHandle']
Example #20
| Source File: secretsdump.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def connectSamr(self, domain):
rpc = transport.DCERPCTransportFactory(self.__stringBindingSamr)
rpc.set_smb_connection(self.__smbConnection)
self.__samr = rpc.get_dce_rpc()
self.__samr.connect()
self.__samr.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(self.__samr)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(self.__samr, serverHandle, domain)
resp = samr.hSamrOpenDomain(self.__samr, serverHandle=serverHandle, domainId=resp['DomainId'])
self.__domainHandle = resp['DomainHandle']
self.__domainName = domain
Example #21
| Source File: secretsdump.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
|
def connectSamr(self, domain):
rpc = transport.DCERPCTransportFactory(self.__stringBindingSamr)
rpc.set_smb_connection(self.__smbConnection)
self.__samr = rpc.get_dce_rpc()
self.__samr.connect()
self.__samr.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(self.__samr)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(self.__samr, serverHandle, domain)
resp = samr.hSamrOpenDomain(self.__samr, serverHandle=serverHandle, domainId=resp['DomainId'])
self.__domainHandle = resp['DomainHandle']
self.__domainName = domain
Example #22
| Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
|
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
#rpctransport.set_dport(self.dport)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(samr.MSRPC_UUID_SAMR, transfer_syntax = self.ts)
request = samr.SamrConnect()
request['ServerName'] = u'BETO\x00'
request['DesiredAccess'] = samr.DELETE | samr.READ_CONTROL | samr.WRITE_DAC | samr.WRITE_OWNER | samr.ACCESS_SYSTEM_SECURITY | samr.GENERIC_READ | samr.GENERIC_WRITE | samr.GENERIC_EXECUTE | samr.SAM_SERVER_CONNECT | samr.SAM_SERVER_SHUTDOWN | samr.SAM_SERVER_INITIALIZE | samr.SAM_SERVER_CREATE_DOMAIN | samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN | samr.SAM_SERVER_READ | samr.SAM_SERVER_WRITE | samr.SAM_SERVER_EXECUTE
resp = dce.request(request)
request = samr.SamrEnumerateDomainsInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['EnumerationContext'] = 0
request['PreferedMaximumLength'] = 500
resp2 = dce.request(request)
request = samr.SamrLookupDomainInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['Name'] = resp2['Buffer']['Buffer'][0]['Name']
resp3 = dce.request(request)
request = samr.SamrOpenDomain()
request['ServerHandle'] = resp['ServerHandle']
request['DesiredAccess'] = samr.DOMAIN_READ_PASSWORD_PARAMETERS | samr.DOMAIN_READ_OTHER_PARAMETERS | samr.DOMAIN_CREATE_USER | samr.DOMAIN_CREATE_ALIAS | samr.DOMAIN_LOOKUP | samr.DOMAIN_LIST_ACCOUNTS | samr.DOMAIN_ADMINISTER_SERVER | samr.DELETE | samr.READ_CONTROL | samr.ACCESS_SYSTEM_SECURITY | samr.DOMAIN_WRITE_OTHER_PARAMETERS | samr.DOMAIN_WRITE_PASSWORD_PARAMS
request['DomainId'] = resp3['DomainId']
resp4 = dce.request(request)
return dce, rpctransport, resp4['DomainHandle']
Example #23
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
|
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
#rpctransport.set_dport(self.dport)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(samr.MSRPC_UUID_SAMR, transfer_syntax = self.ts)
request = samr.SamrConnect()
request['ServerName'] = u'BETO\x00'
request['DesiredAccess'] = samr.DELETE | samr.READ_CONTROL | samr.WRITE_DAC | samr.WRITE_OWNER | samr.ACCESS_SYSTEM_SECURITY | samr.GENERIC_READ | samr.GENERIC_WRITE | samr.GENERIC_EXECUTE | samr.SAM_SERVER_CONNECT | samr.SAM_SERVER_SHUTDOWN | samr.SAM_SERVER_INITIALIZE | samr.SAM_SERVER_CREATE_DOMAIN | samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN | samr.SAM_SERVER_READ | samr.SAM_SERVER_WRITE | samr.SAM_SERVER_EXECUTE
resp = dce.request(request)
request = samr.SamrEnumerateDomainsInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['EnumerationContext'] = 0
request['PreferedMaximumLength'] = 500
resp2 = dce.request(request)
request = samr.SamrLookupDomainInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['Name'] = resp2['Buffer']['Buffer'][0]['Name']
resp3 = dce.request(request)
request = samr.SamrOpenDomain()
request['ServerHandle'] = resp['ServerHandle']
request['DesiredAccess'] = samr.DOMAIN_READ_PASSWORD_PARAMETERS | samr.DOMAIN_READ_OTHER_PARAMETERS | samr.DOMAIN_CREATE_USER | samr.DOMAIN_CREATE_ALIAS | samr.DOMAIN_LOOKUP | samr.DOMAIN_LIST_ACCOUNTS | samr.DOMAIN_ADMINISTER_SERVER | samr.DELETE | samr.READ_CONTROL | samr.ACCESS_SYSTEM_SECURITY | samr.DOMAIN_WRITE_OTHER_PARAMETERS | samr.DOMAIN_WRITE_PASSWORD_PARAMS
request['DomainId'] = resp3['DomainId']
resp4 = dce.request(request)
return dce, rpctransport, resp4['DomainHandle']
Example #24
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('SMBTransport', 'username')
self.domain = configFile.get('SMBTransport', 'domain')
self.serverName = configFile.get('SMBTransport', 'servername')
self.password = configFile.get('SMBTransport', 'password')
self.machine = configFile.get('SMBTransport', 'machine')
self.hashes = configFile.get('SMBTransport', 'hashes')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')
self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
Example #25
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('TCPTransport', 'username')
self.domain = configFile.get('TCPTransport', 'domain')
self.serverName = configFile.get('TCPTransport', 'servername')
self.password = configFile.get('TCPTransport', 'password')
self.machine = configFile.get('TCPTransport', 'machine')
self.hashes = configFile.get('TCPTransport', 'hashes')
#print epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
Example #26
| Source File: test_samr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('SMBTransport', 'username')
self.domain = configFile.get('SMBTransport', 'domain')
self.serverName = configFile.get('SMBTransport', 'servername')
self.password = configFile.get('SMBTransport', 'password')
self.machine = configFile.get('SMBTransport', 'machine')
self.hashes = configFile.get('SMBTransport', 'hashes')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')
self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
Example #27
| Source File: test_rpcrt.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
|
def test_bigRequestMustFragment(self):
class dummyCall(NDRCALL):
opnum = 2
structure = (
('Name', RPC_UNICODE_STRING),
)
lmhash, nthash = self.hashes.split(':')
oldBinding = self.stringBinding
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp')
print self.stringBinding
dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceFragment=0,
auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, auth_type=RPC_C_AUTHN_GSS_NEGOTIATE,
dceAuth=True,
doKerberos=True, bind=samr.MSRPC_UUID_SAMR)
self.stringBinding = oldBinding
request = samr.SamrConnect()
request['ServerName'] = u'BETO\x00'
request['DesiredAccess'] = samr.DELETE | samr.READ_CONTROL | samr.WRITE_DAC | samr.WRITE_OWNER | samr.ACCESS_SYSTEM_SECURITY | samr.GENERIC_READ | samr.GENERIC_WRITE | samr.GENERIC_EXECUTE | samr.SAM_SERVER_CONNECT | samr.SAM_SERVER_SHUTDOWN | samr.SAM_SERVER_INITIALIZE | samr.SAM_SERVER_CREATE_DOMAIN | samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN | samr.SAM_SERVER_READ | samr.SAM_SERVER_WRITE | samr.SAM_SERVER_EXECUTE
resp = dce.request(request)
request = samr.SamrEnumerateDomainsInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['EnumerationContext'] = 0
request['PreferedMaximumLength'] = 500
resp2 = dce.request(request)
try:
request = samr.SamrLookupDomainInSamServer()
request['ServerHandle'] = resp['ServerHandle']
request['Name'] = 'A'*4500
resp = dce.request(request)
except Exception, e:
if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0:
raise
Example #28
| Source File: requester.py From pywerview with GNU General Public License v3.0 | 5 votes |
|
def _create_rpc_connection(self, pipe):
# Here we build the DCE/RPC connection
self._pipe = pipe
binding_strings = dict()
binding_strings['srvsvc'] = srvs.MSRPC_UUID_SRVS
binding_strings['wkssvc'] = wkst.MSRPC_UUID_WKST
binding_strings['samr'] = samr.MSRPC_UUID_SAMR
binding_strings['svcctl'] = scmr.MSRPC_UUID_SCMR
binding_strings['drsuapi'] = drsuapi.MSRPC_UUID_DRSUAPI
# TODO: try to fallback to TCP/139 if tcp/445 is closed
if self._pipe == r'\drsuapi':
string_binding = epm.hept_map(self._target_computer, drsuapi.MSRPC_UUID_DRSUAPI,
protocol='ncacn_ip_tcp')
rpctransport = transport.DCERPCTransportFactory(string_binding)
rpctransport.set_credentials(username=self._user, password=self._password,
domain=self._domain, lmhash=self._lmhash,
nthash=self._nthash)
else:
rpctransport = transport.SMBTransport(self._target_computer, 445, self._pipe,
username=self._user, password=self._password,
domain=self._domain, lmhash=self._lmhash,
nthash=self._nthash)
rpctransport.set_connect_timeout(10)
dce = rpctransport.get_dce_rpc()
if self._pipe == r'\drsuapi':
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
try:
dce.connect()
except socket.error:
self._rpc_connection = None
else:
dce.bind(binding_strings[self._pipe[1:]])
self._rpc_connection = dce
Example #29
| Source File: secretsdump.py From cracke-dit with MIT License | 5 votes |
|
def connectSamr(self, domain):
rpc = transport.DCERPCTransportFactory(self.__stringBindingSamr)
rpc.set_smb_connection(self.__smbConnection)
self.__samr = rpc.get_dce_rpc()
self.__samr.connect()
self.__samr.bind(samr.MSRPC_UUID_SAMR)
resp = samr.hSamrConnect(self.__samr)
serverHandle = resp['ServerHandle']
resp = samr.hSamrLookupDomainInSamServer(self.__samr, serverHandle, domain)
resp = samr.hSamrOpenDomain(self.__samr, serverHandle=serverHandle, domainId=resp['DomainId'])
self.__domainHandle = resp['DomainHandle']
self.__domainName = domain
Example #30
| Source File: test_samr.py From cracke-dit with MIT License | 5 votes |
|
def setUp(self):
SAMRTests.setUp(self)
configFile = ConfigParser.ConfigParser()
configFile.read('dcetests.cfg')
self.username = configFile.get('SMBTransport', 'username')
self.domain = configFile.get('SMBTransport', 'domain')
self.serverName = configFile.get('SMBTransport', 'servername')
self.password = configFile.get('SMBTransport', 'password')
self.machine = configFile.get('SMBTransport', 'machine')
self.hashes = configFile.get('SMBTransport', 'hashes')
self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')
self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
