Python impacket.dcerpc.v5.transport.SMBTransport() Examples
The following are 30
code examples of impacket.dcerpc.v5.transport.SMBTransport().
Example #1
Source File: serviceinstall.py From Slackor with GNU General Public License v3.0 | 6 votes |
def getShares(self):
    """Return the level-1 share listing of the host behind ``self.connection``.

    The RPC transport is layered on the SMB session that is already in
    place (``smb_connection=self.connection``), the SRVS interface is bound
    on the ``srvsvc`` pipe, and NetrShareEnum is issued at level 1.

    Raises:
        Whatever the transport or RPC layer raised; the failure is logged at
        CRITICAL first and then re-raised unchanged.
    """
    conn = self.connection
    LOG.info("Requesting shares on %s....." % (conn.getRemoteHost()))
    try:
        self._rpctransport = transport.SMBTransport(
            conn.getRemoteHost(),
            conn.getRemoteHost(),
            filename=r'\srvsvc',
            smb_connection=conn,
        )
        rpc = self._rpctransport.get_dce_rpc()
        rpc.connect()
        rpc.bind(srvs.MSRPC_UUID_SRVS)
        reply = srvs.hNetrShareEnum(rpc, 1)
        share_info = reply['InfoStruct']['ShareInfo']
        return share_info['Level1']
    except:
        # Catches everything, but nothing is swallowed: log, then re-raise.
        LOG.critical("Error requesting shares on %s, aborting....." % (conn.getRemoteHost()))
        raise
Example #2
Source File: smbmap.py From pentestly with GNU General Public License v3.0 | 6 votes |
def get_version(self, host):
    """Print the ServerInfo102 fields of ``host`` via NetrServerGetInfo.

    Uses the SMB session stored in ``self.smbconn[host]`` and the ``srvsvc``
    pipe.  On any exception the error, its type, source file name and line
    number are reported and the process exits.

    NOTE(review): every exception is reported as "RPC Access denied", and
    ``sys.exit()`` is called without an argument, so the exit status does
    not signal the failure to a calling script.
    """
    fields = (
        ("Version Major: %d", 'sv102_version_major'),
        ("Version Minor: %d", 'sv102_version_minor'),
        ("Server Name: %s", 'sv102_name'),
        ("Server Comment: %s", 'sv102_comment'),
        ("Server UserPath: %s", 'sv102_userpath'),
        ("Simultaneous Users: %d", 'sv102_users'),
    )
    try:
        session = self.smbconn[host]
        rpctransport = transport.SMBTransport(
            session.getServerName(),
            session.getRemoteHost(),
            filename=r'\srvsvc',
            smb_connection=session,
        )
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(srvs.MSRPC_UUID_SRVS)
        resp = srvs.hNetrServerGetInfo(dce, 102)
        for template, key in fields:
            info(template % resp['InfoStruct']['ServerInfo102'][key])
    except Exception as err:
        color('[!] RPC Access denied...oh well')
        color('[!]', err)
        exc_type, _exc_obj, exc_tb = sys.exc_info()
        # basename() is split()[1]: only the file name of the failing frame
        source_name = os.path.basename(exc_tb.tb_frame.f_code.co_filename)
        info(exc_type, source_name, exc_tb.tb_lineno)
        sys.exit()
Example #3
Source File: smbrelayclient.py From CVE-2019-1040 with MIT License | 6 votes |
def isAdmin(self):
    """Report whether the session can open the remote SCM with full access.

    Opens the ``svcctl`` pipe over the existing SMB session and calls
    hROpenSCManagerW asking for SC_MANAGER_ALL_ACCESS (0xF003F,
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx).

    Returns:
        The string "TRUE" when the call succeeds, "FALSE" when the connect
        fails or the call raises DCERPCException.  Note these are strings,
        not booleans, so both values are truthy.

    NOTE(review): for defenders, an SCM open requesting ALL_ACCESS over
    svcctl right after a logon is a recognisable privilege probe; it should
    be visible wherever IPC$ named-pipe access is audited (confirm locally).
    """
    desired_access = 0xF003F  # SC_MANAGER_ALL_ACCESS
    rpctransport = SMBTransport(self.session.getRemoteHost(), 445, r'\svcctl',
                                smb_connection=self.session)
    dce = rpctransport.get_dce_rpc()
    try:
        dce.connect()
    except:
        # any connect failure, of any type, counts as "not admin"
        return "FALSE"

    dce.bind(scmr.MSRPC_UUID_SCMR)
    try:
        scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.target.hostname),
                              'ServicesActive\x00', desired_access)
    except scmr.DCERPCException:
        return "FALSE"
    return "TRUE"
Example #4
Source File: polenum.py From ActiveReign with GNU General Public License v3.0 | 6 votes |
def dump(self, addr):
    """Fetch and print data from ``addr`` over the samr pipe.

    Walks ``self.__protocols`` in order, builds an SMB transport with the
    stored username and password on the port listed for that protocol in
    ``SAMRDump.KNOWN_PROTOCOLS``, and stops at the first protocol for which
    ``__fetchList`` does not raise.  ``addr`` is a host name or IP address.
    """
    for protocol in self.__protocols:
        port = SAMRDump.KNOWN_PROTOCOLS[protocol][1]
        rpctransport = transport.SMBTransport(addr, port, r'\samr',
                                              self.__username, self.__password)
        try:
            self.__fetchList(rpctransport)
        except Exception as err:
            # failures are only visible at DEBUG level; move on to the next protocol
            self.logger.debug("PolEnum: Protocol failed: {0}".format(err))
            continue
        # Got a response. No need for further iterations.
        self.__pretty_print()
        break
Example #5
Source File: ridrelay.py From ridrelay with GNU General Public License v3.0 | 6 votes |
def dump(self, SMBClient):
    """Fetch and print data over the lsarpc pipe of an existing SMB session.

    ``SMBClient`` is an already-established SMB connection; the RPC
    transport is layered on it rather than opening a new one.  A failure in
    ``__fetchList`` is printed and the method returns without output.
    """
    print('\n')
    rpctransport = transport.SMBTransport(
        SMBClient.getRemoteHost(),
        filename=r'\lsarpc',
        smb_connection=SMBClient,
    )
    try:
        self.__fetchList(rpctransport)
    except Exception as err:
        print('\n\t[!] Protocol failed: {0}'.format(err))
        return
    # Got a response.
    self.__pretty_print()
Example #6
Source File: smbrelayclient.py From GhostPotato with MIT License | 6 votes |
def isAdmin(self):
    """Report whether the session can open the remote SCM with full access.

    Opens the ``svcctl`` pipe over the existing SMB session and calls
    hROpenSCManagerW asking for SC_MANAGER_ALL_ACCESS (0xF003F,
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx).

    Returns:
        The string "TRUE" when the call succeeds, "FALSE" when the connect
        fails or the call raises DCERPCException.  Note these are strings,
        not booleans, so both values are truthy.
    """
    desired_access = 0xF003F  # SC_MANAGER_ALL_ACCESS
    rpctransport = SMBTransport(self.session.getRemoteHost(), 445, r'\svcctl',
                                smb_connection=self.session)
    dce = rpctransport.get_dce_rpc()
    try:
        dce.connect()
    except:
        # any connect failure, of any type, counts as "not admin"
        return "FALSE"

    dce.bind(scmr.MSRPC_UUID_SCMR)
    try:
        scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.target.hostname),
                              'ServicesActive\x00', desired_access)
    except scmr.DCERPCException:
        return "FALSE"
    return "TRUE"
Example #7
Source File: samrdump.py From LHF with GNU General Public License v3.0 | 6 votes |
def dump(self, addr):
    """Retrieve entries from ``addr`` over the samr pipe.

    Tries each protocol in ``self.__protocols`` until ``__fetchList``
    succeeds.  The transport is given the stored username, password, domain,
    LM/NT hashes, AES key and Kerberos flag.  ``addr`` is a host name or IP
    address.  The excerpt on this page ends before the results are shown.
    """
    logging.info('Retrieving endpoint list from %s' % addr)

    entries = []
    for protocol in self.__protocols:
        port = SAMRDump.KNOWN_PROTOCOLS[protocol][1]
        logging.info("Trying protocol %s..." % protocol)
        rpctransport = transport.SMBTransport(
            addr, port, r'\samr',
            self.__username, self.__password, self.__domain,
            self.__lmhash, self.__nthash, self.__aesKey,
            doKerberos=self.__doKerberos,
        )
        try:
            entries = self.__fetchList(rpctransport)
        except Exception as err:
            logging.critical(str(err))
            continue
        # Got a response. No need for further iterations.
        break

    # Display results.
Example #8
Source File: smbclient.py From PiBunny with MIT License | 6 votes |
def do_info(self, line):
    """Print the ServerInfo102 fields returned by NetrServerGetInfo.

    Requires ``self.loggedIn``; otherwise an error is logged and nothing is
    queried.  The call goes over the ``srvsvc`` pipe of the existing SMB
    session in ``self.smb``.  ``line`` is not used.
    """
    if self.loggedIn is False:
        logging.error("Not logged in")
        return

    session = self.smb
    rpctransport = transport.SMBTransport(session.getRemoteHost(), filename=r'\srvsvc',
                                          smb_connection=session)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(srvs.MSRPC_UUID_SRVS)
    resp = srvs.hNetrServerGetInfo(dce, 102)

    report = (
        ("Version Major: %d", 'sv102_version_major'),
        ("Version Minor: %d", 'sv102_version_minor'),
        ("Server Name: %s", 'sv102_name'),
        ("Server Comment: %s", 'sv102_comment'),
        ("Server UserPath: %s", 'sv102_userpath'),
        ("Simultaneous Users: %d", 'sv102_users'),
    )
    for template, field in report:
        # single-argument print(...) prints the same text under Python 2 and 3
        print(template % resp['InfoStruct']['ServerInfo102'][field])
Example #9
Source File: serviceinstall.py From cracke-dit with MIT License | 6 votes |
def getShares(self):
    """Return the level-1 share listing of the host behind ``self.connection``.

    The RPC transport is layered on the SMB session that is already in
    place (``smb_connection=self.connection``), the SRVS interface is bound
    on the ``srvsvc`` pipe, and NetrShareEnum is issued at level 1.

    Raises:
        Whatever the transport or RPC layer raised; the failure is logged at
        CRITICAL first and then re-raised unchanged.
    """
    conn = self.connection
    LOG.info("Requesting shares on %s....." % (conn.getRemoteHost()))
    try:
        self._rpctransport = transport.SMBTransport(
            conn.getRemoteHost(),
            conn.getRemoteHost(),
            filename=r'\srvsvc',
            smb_connection=conn,
        )
        rpc = self._rpctransport.get_dce_rpc()
        rpc.connect()
        rpc.bind(srvs.MSRPC_UUID_SRVS)
        reply = srvs.hNetrShareEnum(rpc, 1)
        share_info = reply['InfoStruct']['ShareInfo']
        return share_info['Level1']
    except:
        # Catches everything, but nothing is swallowed: log, then re-raise.
        LOG.critical("Error requesting shares on %s, aborting....." % (conn.getRemoteHost()))
        raise
Example #10
Source File: passpol.py From CrackMapExec with BSD 2-Clause "Simplified" License | 6 votes |
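def dump(self):
    """Query the target over the samr pipe, trying each configured protocol.

    Iterates ``self.protocols`` in order.  A name that is not a key of
    ``PassPolDump.KNOWN_PROTOCOLS`` is logged at DEBUG and skipped.  For a
    known protocol an SMB transport is built with the stored credentials
    (password, LM/NT hashes, AES key, Kerberos flag) and ``fetchList`` is
    called; the loop stops at the first protocol that does not raise.

    Returns:
        ``self.pass_pol`` (presumably filled in by ``fetchList`` -- not
        visible in this block).
    """
    # Try all requested protocols until one works.
    for protocol in self.protocols:
        try:
            protodef = PassPolDump.KNOWN_PROTOCOLS[protocol]
            port = protodef[1]
        except KeyError:
            logging.debug("Invalid Protocol '{}'".format(protocol))
            # Skip it: falling through would use `port` either unbound
            # (first iteration) or left over from the previous protocol.
            continue

        logging.debug("Trying protocol {}".format(protocol))
        rpctransport = transport.SMBTransport(self.addr, port, r'\samr', self.username, self.password, self.domain,
                                              self.lmhash, self.nthash, self.aesKey, doKerberos = self.doKerberos)
        try:
            self.fetchList(rpctransport)
        except Exception as e:
            logging.debug('Protocol failed: {}'.format(e))
        else:
            # Got a response. No need for further iterations.
            self.pretty_print()
            break

    return self.pass_pol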
Example #11
Source File: smbrelayclient.py From Slackor with GNU General Public License v3.0 | 6 votes |
def isAdmin(self):
    """Report whether the session can open the remote SCM with full access.

    Opens the ``svcctl`` pipe over the existing SMB session and calls
    hROpenSCManagerW asking for SC_MANAGER_ALL_ACCESS (0xF003F,
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx).

    Returns:
        The string "TRUE" when the call succeeds, "FALSE" when the connect
        fails or the call raises DCERPCException.  Note these are strings,
        not booleans, so both values are truthy.
    """
    desired_access = 0xF003F  # SC_MANAGER_ALL_ACCESS
    rpctransport = SMBTransport(self.session.getRemoteHost(), 445, r'\svcctl',
                                smb_connection=self.session)
    dce = rpctransport.get_dce_rpc()
    try:
        dce.connect()
    except:
        # any connect failure, of any type, counts as "not admin"
        return "FALSE"

    dce.bind(scmr.MSRPC_UUID_SCMR)
    try:
        scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.target.hostname),
                              'ServicesActive\x00', desired_access)
    except scmr.DCERPCException:
        return "FALSE"
    return "TRUE"
Example #12
Source File: cve_2017_7494.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def load_module(self, module):
    """Try to open ``module`` as a named pipe over the existing SMB session.

    Returns True when ``dce.connect()`` completes, False when it raises
    anything other than KeyboardInterrupt (the error text is logged).  On
    KeyboardInterrupt the process exits with status 0.

    NOTE(review): this excerpt comes from a CVE-2017-7494 proof of concept.
    The defensive takeaways are to patch Samba, to deny untrusted users
    write access to shares, and -- as a stop-gap described in the public
    advisory -- to set ``nt pipe support = no`` in smb.conf; verify the
    side effects of that setting before deploying it.
    """
    # A different pipe-name prefix is used when the target is flagged as "old".
    if int(self.sambaOld) == 1:
        module = '\\\PIPE\\' + module
    log("Trying to load module %s" % module)
    # The string binding is only used to derive the network address below.
    stringbinding = r'ncacn_np:%s[\pipe\%s]' % (self.sambaTarget, module)
    sb = transport.DCERPCStringBinding(stringbinding)
    na = sb.get_network_address()
    # Reuses the already-established SMB session in self.smb.
    rpctransport = transport.SMBTransport(na, filename = module, smb_connection = self.smb)
    dce = rpctransport.get_dce_rpc()
    try:
        dce.connect()
        return True
    except KeyboardInterrupt:
        print "Aborted."
        sys.exit(0)
    except:
        # Every other failure is reported through log() and mapped to False.
        log("Error: %s" % str(sys.exc_info()[1]))
        return False
Example #13
Source File: smbclient.py From Slackor with GNU General Public License v3.0 | 6 votes |
def do_info(self, line):
    """Print the ServerInfo102 fields returned by NetrServerGetInfo.

    Requires ``self.loggedIn``; otherwise an error is logged and nothing is
    queried.  The call goes over the ``srvsvc`` pipe of the existing SMB
    session in ``self.smb``.  ``line`` is not used.
    """
    if self.loggedIn is False:
        LOG.error("Not logged in")
        return

    session = self.smb
    rpctransport = transport.SMBTransport(session.getRemoteHost(), filename=r'\srvsvc',
                                          smb_connection=session)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(srvs.MSRPC_UUID_SRVS)
    resp = srvs.hNetrServerGetInfo(dce, 102)

    report = (
        ("Version Major: %d", 'sv102_version_major'),
        ("Version Minor: %d", 'sv102_version_minor'),
        ("Server Name: %s", 'sv102_name'),
        ("Server Comment: %s", 'sv102_comment'),
        ("Server UserPath: %s", 'sv102_userpath'),
        ("Simultaneous Users: %d", 'sv102_users'),
    )
    for template, field in report:
        print(template % resp['InfoStruct']['ServerInfo102'][field])
Example #14
Source File: smbconnection.py From Slackor with GNU General Public License v3.0 | 5 votes |
def listShares(self):
    """List the shares offered by the connected target.

    Issues NetrShareEnum at level 1 over the ``srvsvc`` pipe, reusing this
    SMB connection as the RPC transport.

    :return: the ``Buffer`` of the level-1 share info, one entry per share.
        Errors from the RPC layer propagate to the caller.
    """
    # Imported here rather than at module level, as in the original.
    from impacket.dcerpc.v5 import transport, srvs

    rpc = transport.SMBTransport(
        self.getRemoteName(),
        self.getRemoteHost(),
        filename=r'\srvsvc',
        smb_connection=self,
    ).get_dce_rpc()
    rpc.connect()
    rpc.bind(srvs.MSRPC_UUID_SRVS)
    level1 = srvs.hNetrShareEnum(rpc, 1)['InfoStruct']['ShareInfo']['Level1']
    return level1['Buffer']
Example #15
Source File: serviceinstall.py From Slackor with GNU General Public License v3.0 | 5 votes |
def openSvcManager(self):
    """Open the remote Service Control Manager and return its handle.

    Builds the RPC transport on the SMB session already held in
    ``self.connection``, binds SCMR on the ``svcctl`` pipe and calls
    hROpenSCManagerW with its default arguments.  The transport and the
    bound DCE/RPC object are kept on ``self._rpctransport`` / ``self.rpcsvc``.

    Raises:
        Exception: 'Unable to open SVCManager' when the open call fails for
        any reason.  Connect and bind errors propagate as raised.
    """
    conn = self.connection
    LOG.info("Opening SVCManager on %s....." % conn.getRemoteHost())
    self._rpctransport = transport.SMBTransport(
        conn.getRemoteHost(),
        conn.getRemoteHost(),
        filename=r'\svcctl',
        smb_connection=conn,
    )
    self.rpcsvc = self._rpctransport.get_dce_rpc()
    self.rpcsvc.connect()
    self.rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
    try:
        reply = scmr.hROpenSCManagerW(self.rpcsvc)
    except:
        # NOTE(review): the original error type is replaced by a generic Exception.
        LOG.critical("Error opening SVCManager on %s....." % conn.getRemoteHost())
        raise Exception('Unable to open SVCManager')
    return reply['lpScHandle']
Example #16
Source File: patator_ext.py From project-black with GNU General Public License v2.0 | 5 votes |
def connect(self, host, port, user, password, sid):
    """Open an LSA policy handle on ``host`` and remember the domain SID.

    Authenticates to the ``lsarpc`` pipe with ``user``/``password``, binds
    LSAT and opens the policy with MAXIMUM_ALLOWED | POLICY_LOOKUP_NAMES.
    When ``sid`` is None the account-domain SID is queried from the server
    and used instead.  ``self.sid`` and ``self.policy_handle`` are set as a
    side effect.

    Returns:
        A ``DCE_Connection`` wrapping the bound DCE/RPC object and transport.
    """
    smbt = transport.SMBTransport(host, int(port), r'\lsarpc', user, password)
    dce = smbt.get_dce_rpc()
    dce.connect()
    dce.bind(lsat.MSRPC_UUID_LSAT)

    access_mask = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES
    policy = lsat.hLsarOpenPolicy2(dce, access_mask)

    if sid is None:
        info_class = lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation
        answer = lsad.hLsarQueryInformationPolicy2(dce, policy['PolicyHandle'], info_class)
        domain_info = answer['PolicyInformation']['PolicyAccountDomainInfo']
        sid = domain_info['DomainSid'].formatCanonical()

    self.sid = sid
    self.policy_handle = policy['PolicyHandle']
    return DCE_Connection(dce, smbt)
Example #17
Source File: smb.py From ActiveReign with GNU General Public License v3.0 | 5 votes |
def isAdmin(self):
    """Return True when the session can open the remote SCM with full access.

    Opens the ``svcctl`` pipe over the existing SMB session in ``self.con``
    and calls hROpenSCManagerW asking for SC_MANAGER_ALL_ACCESS (0xF003F,
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx).
    On success ``self.admin`` is set to True.  A failed connect or a
    DCERPCException yields False silently; any other exception is printed
    and also yields False.
    """
    desired_access = 0xF003F  # SC_MANAGER_ALL_ACCESS
    try:
        rpctransport = SMBTransport(self.host, self.port, r'\svcctl', smb_connection=self.con)
        dce = rpctransport.get_dce_rpc()
        try:
            dce.connect()
        except:
            # any connect failure, of any type, counts as "not admin"
            return False

        dce.bind(scmr.MSRPC_UUID_SCMR)
        try:
            scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.host), 'ServicesActive\x00', desired_access)
        except scmr.DCERPCException:
            pass
        else:
            self.admin = True
            return True
    except Exception as err:
        print(err)
    return False

################################
# Dump SAM / LSA
# Methods were modified from:
# https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
# https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
################################
Example #18
Source File: rpc.py From ActiveReign with GNU General Public License v3.0 | 5 votes |
def create_rpc_con(self, pipe):
    """Build and bind a DCE/RPC connection for ``pipe``.

    ``\\drsuapi`` is resolved through the endpoint mapper and reached over
    ncacn_ip_tcp with packet-privacy auth level; every other pipe goes
    through an SMB transport on ``self.port``.  The result is stored in
    ``self.rpc_connection`` (None when the connect raises socket.error).

    NOTE(review): the auth level is raised only on the drsuapi path; the
    SMB-pipe path leaves it at the library default.
    """
    self.pipe = pipe
    # pipe name (without the leading backslash) -> interface UUID to bind
    binding_strings = {
        'srvsvc': srvs.MSRPC_UUID_SRVS,
        'wkssvc': wkst.MSRPC_UUID_WKST,
        'samr': samr.MSRPC_UUID_SAMR,
        'svcctl': scmr.MSRPC_UUID_SCMR,
        'drsuapi': drsuapi.MSRPC_UUID_DRSUAPI,
    }
    over_tcp = self.pipe == r'\drsuapi'

    if over_tcp:
        string_binding = epm.hept_map(self.host, drsuapi.MSRPC_UUID_DRSUAPI, protocol='ncacn_ip_tcp')
        rpctransport = transport.DCERPCTransportFactory(string_binding)
        rpctransport.set_credentials(username=self.username, password=self.password, domain=self.domain,
                                     lmhash=self.lmhash, nthash=self.nthash)
    else:
        rpctransport = transport.SMBTransport(self.host, self.port, self.pipe, username=self.username,
                                              password=self.password, domain=self.domain,
                                              lmhash=self.lmhash, nthash=self.nthash)

    rpctransport.set_connect_timeout(self.timeout)
    dce = rpctransport.get_dce_rpc()
    if over_tcp:
        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

    try:
        dce.connect()
    except socket.error:
        self.rpc_connection = None
        return
    # A pipe name missing from the table raises KeyError here, after the connect.
    dce.bind(binding_strings[self.pipe[1:]])
    self.rpc_connection = dce
Example #19
Source File: smbconnection.py From PiBunny with MIT License | 5 votes |
def listShares(self):
    """List the shares offered by the connected target.

    Issues NetrShareEnum at level 1 over the ``srvsvc`` pipe, reusing this
    SMB connection as the RPC transport.

    :return: the ``Buffer`` of the level-1 share info, one entry per share.
        Errors from the RPC layer propagate to the caller.
    """
    # Imported here rather than at module level, as in the original.
    from impacket.dcerpc.v5 import transport, srvs

    rpc = transport.SMBTransport(
        self.getRemoteName(),
        self.getRemoteHost(),
        filename=r'\srvsvc',
        smb_connection=self,
    ).get_dce_rpc()
    rpc.connect()
    rpc.bind(srvs.MSRPC_UUID_SRVS)
    level1 = srvs.hNetrShareEnum(rpc, 1)['InfoStruct']['ShareInfo']['Level1']
    return level1['Buffer']
Example #20
Source File: smbclient.py From PiBunny with MIT License | 5 votes |
def do_password(self, line):
    """Change the logged-in user's password over the samr pipe.

    Prompts for the new password without echo, then calls
    SamrUnicodeChangePasswordUser2 with the current password or hashes.
    Afterwards the stored password is replaced and both stored hashes are
    cleared.  ``line`` is not used.

    NOTE(review): the new password is read once, with no confirmation
    prompt, so a typo is committed as typed.
    """
    if self.loggedIn is False:
        logging.error("Not logged in")
        return

    import getpass
    newPassword = getpass.getpass("New Password:")

    session = self.smb
    rpctransport = transport.SMBTransport(session.getRemoteHost(), filename=r'\samr',
                                          smb_connection=session)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(samr.MSRPC_UUID_SAMR)
    samr.hSamrUnicodeChangePasswordUser2(
        dce, '\x00', self.username, self.password, newPassword,
        self.lmhash, self.nthash,
    )

    # The old hashes no longer match the account, so drop them.
    self.password = newPassword
    self.lmhash = None
    self.nthash = None
Example #21
Source File: smbclient.py From PiBunny with MIT License | 5 votes |
def do_who(self, line):
    """Print one line per session reported by NetrSessionEnum (level 10).

    Requires ``self.loggedIn``; otherwise an error is logged and nothing is
    queried.  Each line shows client host, user name, active time and idle
    time.  ``line`` is not used.
    """
    if self.loggedIn is False:
        logging.error("Not logged in")
        return

    conn = self.smb
    rpctransport = transport.SMBTransport(conn.getRemoteHost(), filename=r'\srvsvc',
                                          smb_connection=conn)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(srvs.MSRPC_UUID_SRVS)
    resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)

    row_format = "host: %15s, user: %5s, active: %5d, idle: %5d"
    for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
        # [:-1] drops the last character (presumably the NUL terminator -- confirm)
        client = session['sesi10_cname'][:-1]
        user = session['sesi10_username'][:-1]
        # single-argument print(...) prints the same text under Python 2 and 3
        print(row_format % (client, user, session['sesi10_time'], session['sesi10_idle_time']))
Example #22
Source File: raiseChild.py From PiBunny with MIT License | 5 votes |
def run(self, addr):
    """Connect to the svcctl pipe on ``addr`` over the stored SMB session.

    A connect failure is logged at CRITICAL and ends the process with exit
    status 1.  As shown on this page, nothing follows the connect.
    """
    pipe_transport = transport.SMBTransport(
        addr,
        filename='/svcctl',
        smb_connection=self.__smbConnection,
    )
    dce = pipe_transport.get_dce_rpc()
    try:
        dce.connect()
    except Exception as err:
        logging.critical(str(err))
        sys.exit(1)
Example #23
Source File: serviceinstall.py From PiBunny with MIT License | 5 votes |
def getShares(self):
    """Return the level-1 share listing of the host behind ``self.connection``.

    The RPC transport is layered on the SMB session that is already in
    place (``smb_connection=self.connection``), the SRVS interface is bound
    on the ``srvsvc`` pipe, and NetrShareEnum is issued at level 1.

    Raises:
        Whatever the transport or RPC layer raised; the failure is logged at
        CRITICAL first and then re-raised unchanged.
    """
    conn = self.connection
    LOG.info("Requesting shares on %s....." % (conn.getRemoteHost()))
    try:
        self._rpctransport = transport.SMBTransport(
            conn.getRemoteHost(),
            conn.getRemoteHost(),
            filename=r'\srvsvc',
            smb_connection=conn,
        )
        rpc = self._rpctransport.get_dce_rpc()
        rpc.connect()
        rpc.bind(srvs.MSRPC_UUID_SRVS)
        reply = srvs.hNetrShareEnum(rpc, 1)
        share_info = reply['InfoStruct']['ShareInfo']
        return share_info['Level1']
    except:
        # Catches everything, but nothing is swallowed: log, then re-raise.
        LOG.critical("Error requesting shares on %s, aborting....." % (conn.getRemoteHost()))
        raise
Example #24
Source File: serviceinstall.py From PiBunny with MIT License | 5 votes |
def openSvcManager(self):
    """Open the remote Service Control Manager and return its handle.

    Builds the RPC transport on the SMB session already held in
    ``self.connection``, binds SCMR on the ``svcctl`` pipe and calls
    hROpenSCManagerW with its default arguments.  The transport and the
    bound DCE/RPC object are kept on ``self._rpctransport`` / ``self.rpcsvc``.

    Raises:
        Exception: 'Unable to open SVCManager' when the open call fails for
        any reason.  Connect and bind errors propagate as raised.
    """
    conn = self.connection
    LOG.info("Opening SVCManager on %s....." % conn.getRemoteHost())
    self._rpctransport = transport.SMBTransport(
        conn.getRemoteHost(),
        conn.getRemoteHost(),
        filename=r'\svcctl',
        smb_connection=conn,
    )
    self.rpcsvc = self._rpctransport.get_dce_rpc()
    self.rpcsvc.connect()
    self.rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
    try:
        reply = scmr.hROpenSCManagerW(self.rpcsvc)
    except:
        # NOTE(review): the original error type is replaced by a generic Exception.
        LOG.critical("Error opening SVCManager on %s....." % conn.getRemoteHost())
        raise Exception('Unable to open SVCManager')
    return reply['lpScHandle']
Example #25
Source File: serviceinstall.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def getShares(self):
    """Return the level-1 share listing of the host behind ``self.connection``.

    The RPC transport is layered on the SMB session that is already in
    place (``smb_connection=self.connection``), the SRVS interface is bound
    on the ``srvsvc`` pipe, and NetrShareEnum is issued at level 1.

    Raises:
        Whatever the transport or RPC layer raised; the failure is logged at
        CRITICAL first and then re-raised unchanged.
    """
    conn = self.connection
    LOG.info("Requesting shares on %s....." % (conn.getRemoteHost()))
    try:
        self._rpctransport = transport.SMBTransport(
            conn.getRemoteHost(),
            conn.getRemoteHost(),
            filename=r'\srvsvc',
            smb_connection=conn,
        )
        rpc = self._rpctransport.get_dce_rpc()
        rpc.connect()
        rpc.bind(srvs.MSRPC_UUID_SRVS)
        reply = srvs.hNetrShareEnum(rpc, 1)
        share_info = reply['InfoStruct']['ShareInfo']
        return share_info['Level1']
    except:
        # Catches everything, but nothing is swallowed: log, then re-raise.
        LOG.critical("Error requesting shares on %s, aborting....." % (conn.getRemoteHost()))
        raise
Example #26
Source File: patator.py From patator with GNU General Public License v2.0 | 5 votes |
def connect(self, host, port, user, password, sid):
    """Open an LSA policy handle on ``host`` and remember the domain SID.

    Authenticates to the ``lsarpc`` pipe with ``user``/``password``, binds
    LSAT and opens the policy with MAXIMUM_ALLOWED | POLICY_LOOKUP_NAMES.
    When ``sid`` is None the account-domain SID is queried from the server
    and used instead.  ``self.sid`` and ``self.policy_handle`` are set as a
    side effect.

    Returns:
        A ``DCE_Connection`` wrapping the bound DCE/RPC object and transport.
    """
    smbt = transport.SMBTransport(host, int(port), r'\lsarpc', user, password)
    dce = smbt.get_dce_rpc()
    dce.connect()
    dce.bind(lsat.MSRPC_UUID_LSAT)

    access_mask = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES
    policy = lsat.hLsarOpenPolicy2(dce, access_mask)

    if sid is None:
        info_class = lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation
        answer = lsad.hLsarQueryInformationPolicy2(dce, policy['PolicyHandle'], info_class)
        domain_info = answer['PolicyInformation']['PolicyAccountDomainInfo']
        sid = domain_info['DomainSid'].formatCanonical()

    self.sid = sid
    self.policy_handle = policy['PolicyHandle']
    return DCE_Connection(dce, smbt)
Example #27
Source File: serviceinstall.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def openSvcManager(self):
    """Open the remote Service Control Manager and return its handle.

    Builds the RPC transport on the SMB session already held in
    ``self.connection``, binds SCMR on the ``svcctl`` pipe and calls
    hROpenSCManagerW with its default arguments.  The transport and the
    bound DCE/RPC object are kept on ``self._rpctransport`` / ``self.rpcsvc``.

    Raises:
        Exception: 'Unable to open SVCManager' when the open call fails for
        any reason.  Connect and bind errors propagate as raised.
    """
    conn = self.connection
    LOG.info("Opening SVCManager on %s....." % conn.getRemoteHost())
    self._rpctransport = transport.SMBTransport(
        conn.getRemoteHost(),
        conn.getRemoteHost(),
        filename=r'\svcctl',
        smb_connection=conn,
    )
    self.rpcsvc = self._rpctransport.get_dce_rpc()
    self.rpcsvc.connect()
    self.rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
    try:
        reply = scmr.hROpenSCManagerW(self.rpcsvc)
    except:
        # NOTE(review): the original error type is replaced by a generic Exception.
        LOG.critical("Error opening SVCManager on %s....." % conn.getRemoteHost())
        raise Exception('Unable to open SVCManager')
    return reply['lpScHandle']
Example #28
Source File: smbconnection.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def listShares(self):
    """List the shares offered by the connected target.

    Issues NetrShareEnum at level 1 over the ``srvsvc`` pipe, reusing this
    SMB connection as the RPC transport.

    :return: the ``Buffer`` of the level-1 share info, one entry per share.
        Errors from the RPC layer propagate to the caller.
    """
    # Imported here rather than at module level, as in the original.
    from impacket.dcerpc.v5 import transport, srvs

    rpc = transport.SMBTransport(
        self.getRemoteName(),
        self.getRemoteHost(),
        filename=r'\srvsvc',
        smb_connection=self,
    ).get_dce_rpc()
    rpc.connect()
    rpc.bind(srvs.MSRPC_UUID_SRVS)
    level1 = srvs.hNetrShareEnum(rpc, 1)['InfoStruct']['ShareInfo']['Level1']
    return level1['Buffer']
Example #29
Source File: cve_2017_7494.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def try_copy_library(self, lib_name):
    """Enumerate shares (level 2) and try to upload a file to each in random order.

    Returns the server-side path (second element of the [name, path] pair)
    of the first share for which ``self.try_put`` reports success, or None
    when no share accepted the upload.

    NOTE(review): this excerpt comes from a CVE-2017-7494 proof of concept.
    What a defender can take from it: the precondition is a share that the
    authenticated user may write to, and the observable sequence is a
    NetrShareEnum call followed by write attempts across several shares.
    Removing write access for untrusted accounts removes the precondition.
    """
    # Existing SMB session is reused as the RPC transport.
    rpctransport = transport.SMBTransport(self.smb.getRemoteName(), self.smb.getRemoteHost(), filename=r'\srvsvc', smb_connection=self.smb)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(srvs.MSRPC_UUID_SRVS)
    # Level 2 is requested because its entries carry shi2_path as well as the name.
    resp = srvs.hNetrShareEnum(dce, 2)
    l = []
    # Assigned but never read in this block: no share is filtered out below.
    ignore_shares = ["print$", "IPC$"]
    for share in resp['InfoStruct']['ShareInfo']['Level2']['Buffer']:
        # [:-1] drops the last character (presumably the NUL terminator -- confirm)
        share_name = share['shi2_netname'][:-1]
        share_path = self.translate_smb_path(share['shi2_path'][:-1])
        l.append([share_name, share_path])
    # Randomize the list of shares instead of going from the first to the last
    random.shuffle(l)
    # An empty customBinary means the project's own library name is used.
    if len(self.customBinary) < 1:
        real_file = self.get_real_library_name()
    else:
        real_file = self.customBinary
    log("Using %s" % real_file)
    for share in l:
        # `share` is the whole [name, path] pair, so both appear in the log line.
        log("Trying to copy library '%s' to share '%s'" % (lib_name, share))
        if self.try_put(share, lib_name, real_file):
            log("Done!")
            return share[1]
    return None
Example #30
Source File: requester.py From pywerview with GNU General Public License v3.0 | 5 votes |
def _create_rpc_connection(self, pipe):
    """Build and bind a DCE/RPC connection for ``pipe``.

    ``\\drsuapi`` is resolved through the endpoint mapper and reached over
    ncacn_ip_tcp with packet-privacy auth level; every other pipe goes
    through an SMB transport on port 445.  The connect timeout is fixed at
    10.  The result is stored in ``self._rpc_connection`` (None when the
    connect raises socket.error).

    NOTE(review): the auth level is raised only on the drsuapi path; the
    SMB-pipe path leaves it at the library default.
    """
    self._pipe = pipe
    # pipe name (without the leading backslash) -> interface UUID to bind
    binding_strings = {
        'srvsvc': srvs.MSRPC_UUID_SRVS,
        'wkssvc': wkst.MSRPC_UUID_WKST,
        'samr': samr.MSRPC_UUID_SAMR,
        'svcctl': scmr.MSRPC_UUID_SCMR,
        'drsuapi': drsuapi.MSRPC_UUID_DRSUAPI,
    }
    over_tcp = self._pipe == r'\drsuapi'

    # TODO: try to fallback to TCP/139 if tcp/445 is closed
    if over_tcp:
        string_binding = epm.hept_map(self._target_computer, drsuapi.MSRPC_UUID_DRSUAPI,
                                      protocol='ncacn_ip_tcp')
        rpctransport = transport.DCERPCTransportFactory(string_binding)
        rpctransport.set_credentials(username=self._user, password=self._password,
                                     domain=self._domain, lmhash=self._lmhash,
                                     nthash=self._nthash)
    else:
        rpctransport = transport.SMBTransport(self._target_computer, 445, self._pipe,
                                              username=self._user, password=self._password,
                                              domain=self._domain, lmhash=self._lmhash,
                                              nthash=self._nthash)

    rpctransport.set_connect_timeout(10)
    dce = rpctransport.get_dce_rpc()
    if over_tcp:
        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

    try:
        dce.connect()
    except socket.error:
        self._rpc_connection = None
        return
    # A pipe name missing from the table raises KeyError here, after the connect.
    dce.bind(binding_strings[self._pipe[1:]])
    self._rpc_connection = dce