def __init__(self, gssapi, target): self.target = target self.gssapi = gssapi self.transport = None self.auth_type = RPC_C_AUTHN_WINNT if self.gssapi.kerberos is not None: self.auth_type = RPC_C_AUTHN_GSS_NEGOTIATE self.auth_level = RPC_C_AUTHN_LEVEL_NONE self.ctx = 0 self.callid = 1 self.NDRSyntax = uuidtup_to_bin( ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')) self.NDR64Syntax = uuidtup_to_bin( ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')) self.transfer_syntax = self.NDRSyntax self.transfer_syntax = uuidtup_to_bin( ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')) self.__max_xmit_size = 0 self._max_user_frag = 0 self.__sequence = 0 self.__sessionKey = None self.__clientSigningKey = None self.__serverSigningKey = None self.__clientSealingKey = None self.__serverSealingKey = None self.__clientSealingHandle = None self.__serverSealingHandle = None
class DCERPC: # Standard NDR Representation NDRSyntax = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')) # NDR 64 NDR64Syntax = uuidtup_to_bin( ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')) transfer_syntax = NDRSyntax
# Best way to learn how to use these calls is to grab the protocol standard # so you understand what the call does, and then read the test case located # at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC # # Some calls have helper functions, which makes it even easier to use. # They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # from aiosmb.dcerpc.v5 import system_errors from aiosmb.dcerpc.v5.dtypes import WSTR, DWORD, LPWSTR, ULONG, LARGE_INTEGER, WORD, BYTE from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray, NDRUniVaryingArray, NDRSTRUCT from aiosmb.dcerpc.v5.rpcrt import DCERPCException from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin MSRPC_UUID_EVEN6 = uuidtup_to_bin(('F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C', '1.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) ################################################################################ # CONSTANTS ################################################################################ # Evt Path Flags EvtQueryChannelName = 0x00000001 EvtQueryFilePath = 0x00000002 EvtReadOldestToNewest = 0x00000100 EvtReadNewestToOldest = 0x00000200
# They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # from aiosmb.dcerpc.v5.dtypes import NULL, DWORD, LPWSTR, ULONG, BOOL, LPBYTE, ULONGLONG, PGUID, USHORT, LPDWORD, WSTR, \ GUID, PBOOL, WIDESTR from aiosmb.dcerpc.v5.ndr import NDRCALL, NDR, NDRSTRUCT, NDRPOINTER, NDRPOINTERNULL, NDRUniConformantArray, NDRUNION from aiosmb.dcerpc.v5.rpcrt import DCERPCException from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin from aiosmb.dcerpc.v5 import system_errors from aiosmb.commons.utils.decorators import red, rr from aiosmb.commons.exceptions import SMBException MSRPC_UUID_SCMR = uuidtup_to_bin( ('367ABB81-9844-35F1-AD32-98F038001003', '2.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__(self): key = self.error_code if key in system_errors.ERROR_MESSAGES: error_msg_short = system_errors.ERROR_MESSAGES[key][0] error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] return 'SCMR SessionError: code: 0x%x - %s - %s' % ( self.error_code, error_msg_short, error_msg_verbose) else: return 'SCMR SessionError: unknown error code: 0x%x' % self.error_code
from aiosmb.crypto.DES import expand_DES_key from asn1crypto.core import ObjectIdentifier from aiosmb.crypto.symmetric import RC4, DES from aiosmb.crypto.BASE import cipherMODE ##### THIS CODE NEEDS TO BE CLEANED UP!!!! #from pyasn1.type import univ #from impacket.crypto import transformKey #try: # from Cryptodome.Cipher import ARC4, DES #except Exception: # LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex") # LOG.critical("See https://pypi.org/project/pycryptodomex/") MSRPC_UUID_DRSUAPI = uuidtup_to_bin( ('E3514235-4B06-11D1-AB04-00C04FC2DCD2', '4.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__(self): return 'DRSR SessionError: unknown error code: 0x%x' % self.error_code ################################################################################ # CONSTANTS ################################################################################ # 4.1.10.2.17 EXOP_ERR Codes class EXOP_ERR(NDRENUM):
# # Some calls have helper functions, which makes it even easier to use. # They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # from __future__ import division from __future__ import print_function from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDR, NDRPOINTERNULL, NDRUniConformantArray from aiosmb.dcerpc.v5.dtypes import ULONG, LPWSTR, RPC_UNICODE_STRING, LPSTR, NTSTATUS, NULL, PRPC_UNICODE_STRING, PULONG, USHORT, PRPC_SID, LPBYTE from aiosmb.dcerpc.v5.lsad import PRPC_UNICODE_STRING_ARRAY from aiosmb.dcerpc.v5.structure import Structure from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin from aiosmb.dcerpc.v5.rpcrt import DCERPCException MSRPC_UUID_EVEN = uuidtup_to_bin( ('82273FDC-E32A-18C3-3F78-827929DC23EA', '0.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) ################################################################################ # CONSTANTS ################################################################################ # 2.2.2 EventType EVENTLOG_SUCCESS = 0x0000 EVENTLOG_ERROR_TYPE = 0x0001 EVENTLOG_WARNING_TYPE = 0x0002 EVENTLOG_INFORMATION_TYPE = 0x0004
async def bind(self, iface_uuid, alter=0, bogus_binds=0, transfer_syntax=('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')): """ Performs bind operation. Does authentication and sets up the keys for further communication """ try: bind = MSRPCBind() #item['TransferSyntax']['Version'] = 1 ctx = self.ctx for _ in range(bogus_binds): item = CtxItem() item['ContextID'] = ctx item['TransItems'] = 1 item['ContextID'] = ctx # We generate random UUIDs for bogus binds item['AbstractSyntax'] = generate() + stringver_to_bin('2.0') item['TransferSyntax'] = uuidtup_to_bin(transfer_syntax) bind.addCtxItem(item) self.ctx += 1 ctx += 1 # The true one :) item = CtxItem() item['AbstractSyntax'] = iface_uuid item['TransferSyntax'] = uuidtup_to_bin(transfer_syntax) item['ContextID'] = ctx item['TransItems'] = 1 bind.addCtxItem(item) packet = MSRPCHeader() packet['type'] = MSRPC_BIND packet['pduData'] = bind.getData() packet['call_id'] = self.callid if alter: packet['type'] = MSRPC_ALTERCTX if self.auth_level != RPC_C_AUTHN_LEVEL_NONE: #authentication required if self.auth_type == RPC_C_AUTHN_WINNT: #seal flag MUST be turned on in the handshake flags!!!!!!! #it is "signaled via the is_rpc variable" auth, res, err = await self.gssapi.ntlm.authenticate( None, is_rpc=True) if err is not None: return None, err elif self.auth_type == RPC_C_AUTHN_NETLOGON: return False, Exception( 'RPC_C_AUTHN_NETLOGON Not implemented!') elif self.auth_type == RPC_C_AUTHN_GSS_NEGOTIATE: auth, res, err = await self.gssapi.gssapi.authenticate( None, flags = GSSAPIFlags.GSS_C_CONF_FLAG |\ GSSAPIFlags.GSS_C_INTEG_FLAG | \ GSSAPIFlags.GSS_C_SEQUENCE_FLAG | \ GSSAPIFlags.GSS_C_REPLAY_FLAG | \ GSSAPIFlags.GSS_C_MUTUAL_FLAG | \ GSSAPIFlags.GSS_C_DCE_STYLE, seq_number = 0, is_rpc = True ) if err is not None: return None, err else: return None, Exception('Unsupported auth type!') sec_trailer = SEC_TRAILER() sec_trailer['auth_type'] = self.auth_type sec_trailer['auth_level'] = self.auth_level sec_trailer['auth_ctx_id'] = self.ctx + 79231 pad = (4 - (len(packet.get_packet()) % 4)) % 4 if pad != 0: packet['pduData'] += b'\xFF' * pad sec_trailer['auth_pad_len'] = pad packet['sec_trailer'] = sec_trailer packet['auth_data'] = auth _, _ = await rr(self.transport.send(packet.get_packet())) data, _ = await rr(self.recv_one()) resp = MSRPCHeader(data) if resp['type'] == MSRPC_BINDACK or resp[ 'type'] == MSRPC_ALTERCTX_R: bindResp = MSRPCBindAck(resp.getData()) elif resp['type'] == MSRPC_BINDNAK or resp['type'] == MSRPC_FAULT: if resp['type'] == MSRPC_FAULT: resp = MSRPCRespHeader(resp.getData()) status_code = unpack('<L', resp['pduData'][:4])[0] else: resp = MSRPCBindNak(resp['pduData']) status_code = resp['RejectedReason'] if status_code in rpc_status_codes: return False, DCERPCException(error_code=status_code) elif status_code in rpc_provider_reason: return False, DCERPCException( "Bind context rejected: %s" % rpc_provider_reason[status_code]) else: return False, DCERPCException( 'Unknown DCE RPC fault status code: %.8x' % status_code) else: return False, DCERPCException( 'Unknown DCE RPC packet type received: %d' % resp['type']) # check ack results for each context, except for the bogus ones for ctx in range(bogus_binds + 1, bindResp['ctx_num'] + 1): ctxItems = bindResp.getCtxItem(ctx) if ctxItems['Result'] != 0: msg = "Bind context %d rejected: " % ctx msg += rpc_cont_def_result.get( ctxItems['Result'], 'Unknown DCE RPC context result code: %.4x' % ctxItems['Result']) msg += "; " reason = bindResp.getCtxItem(ctx)['Reason'] msg += rpc_provider_reason.get( reason, 'Unknown reason code: %.4x' % reason) if (ctxItems['Result'], reason) == ( 2, 1 ): # provider_rejection, abstract syntax not supported msg += " (this usually means the interface isn't listening on the given endpoint)" raise DCERPCException(msg) # Save the transfer syntax for later use self.transfer_syntax = ctxItems['TransferSyntax'] # The received transmit size becomes the client's receive size, and the received receive size becomes the client's transmit size. self.__max_xmit_size = bindResp['max_rfrag'] if self.auth_level != RPC_C_AUTHN_LEVEL_NONE: if self.auth_type == RPC_C_AUTHN_WINNT: response, res, err = await self.gssapi.ntlm.authenticate( bindResp['auth_data'], is_rpc=True) if err is not None: return None, err self.__sessionKey = self.gssapi.ntlm.get_session_key() elif self.auth_type == RPC_C_AUTHN_NETLOGON: response = None elif self.auth_type == RPC_C_AUTHN_GSS_NEGOTIATE: response, res, err = await self.gssapi.gssapi.authenticate( bindResp['auth_data'], is_rpc = True, flags = GSSAPIFlags.GSS_C_CONF_FLAG |\ GSSAPIFlags.GSS_C_INTEG_FLAG | \ GSSAPIFlags.GSS_C_SEQUENCE_FLAG | \ GSSAPIFlags.GSS_C_REPLAY_FLAG | \ GSSAPIFlags.GSS_C_MUTUAL_FLAG | \ GSSAPIFlags.GSS_C_DCE_STYLE ) if err is not None: return None, err self.__sessionKey = self.gssapi.gssapi.get_session_key() self.__sequence = 0 if self.auth_level in (RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY): if self.auth_type == RPC_C_AUTHN_WINNT: if self.gssapi.ntlm.is_extended_security() == True: self.__clientSigningKey = self.gssapi.ntlm.get_signkey( ) self.__serverSigningKey = self.gssapi.ntlm.get_signkey( 'Server') self.__clientSealingKey = self.gssapi.ntlm.get_sealkey( ) self.__serverSealingKey = self.gssapi.ntlm.get_sealkey( 'Server') cipher3 = RC4(self.__clientSealingKey) self.__clientSealingHandle = cipher3.encrypt cipher4 = RC4(self.__serverSealingKey) self.__serverSealingHandle = cipher4.encrypt else: # Same key for everything self.__clientSigningKey = self.gssapi.ntlm.get_session_key( ) self.__serverSigningKey = self.gssapi.ntlm.get_session_key( ) self.__clientSealingKey = self.gssapi.ntlm.get_session_key( ) self.__serverSealingKey = self.gssapi.ntlm.get_session_key( ) cipher = RC4(self.__clientSigningKey) self.__clientSealingHandle = cipher.encrypt self.__serverSealingHandle = cipher.encrypt elif self.auth_type == RPC_C_AUTHN_NETLOGON: raise Exception( 'RPC_C_AUTHN_NETLOGON is not implemented!') sec_trailer = SEC_TRAILER() sec_trailer['auth_type'] = self.auth_type sec_trailer['auth_level'] = self.auth_level sec_trailer['auth_ctx_id'] = self.ctx + 79231 if response is not None: if self.auth_type == RPC_C_AUTHN_GSS_NEGOTIATE: alter_ctx = MSRPCHeader() alter_ctx['type'] = MSRPC_ALTERCTX alter_ctx['pduData'] = bind.getData() alter_ctx['sec_trailer'] = sec_trailer alter_ctx['auth_data'] = response await rr( self.transport.send(alter_ctx.get_packet(), forceWriteAndx=1)) self.__sequence = 0 await rr( self.recv_one() ) #recieving the result of alter_context command self.__sequence = self.gssapi.gssapi.selected_authentication_context.seq_number else: auth3 = MSRPCHeader() auth3['type'] = MSRPC_AUTH3 # pad (4 bytes): Can be set to any arbitrary value when set and MUST be # ignored on receipt. The pad field MUST be immediately followed by a # sec_trailer structure whose layout, location, and alignment are as # specified in section 2.2.2.11 auth3[ 'pduData'] = b' ' * 4 #SkelSec: I have spent 3 hours to find this bug, that I caused by replacing spaces to tabs :( auth3['sec_trailer'] = sec_trailer #SkelSec auth3['auth_data'] = response.getData() auth3['auth_data'] = response # Use the same call_id self.callid = resp['call_id'] auth3['call_id'] = self.callid await rr( self.transport.send(auth3.get_packet(), forceWriteAndx=1)) self.callid += 1 return resp, None # means packet is signed, if verifier is wrong it fails except Exception as e: return False, e
# There are test cases for them too. # import io from os import stat from aiosmb.dcerpc.v5.dtypes import ULONGLONG, UINT, USHORT, LPWSTR, DWORD, ULONG, NULL from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRUniConformantArray from aiosmb.dcerpc.v5.ndr import NDRVaryingString from aiosmb.dcerpc.v5.rpcrt import DCERPCException from aiosmb.dcerpc.v5 import system_errors from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin from aiosmb.dcerpc.v5.structure import Structure MSRPC_UUID_RPRN = uuidtup_to_bin( ('12345678-1234-ABCD-EF00-0123456789AB', '1.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__(self): key = self.error_code if key in system_errors.ERROR_MESSAGES: error_msg_short = system_errors.ERROR_MESSAGES[key][0] error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] return 'RPRN SessionError: code: 0x%x - %s - %s' % ( self.error_code, error_msg_short, error_msg_verbose) else: return 'RPRN SessionError: unknown error code: 0x%x' % self.error_code
# There are test cases for them too. # from aiosmb.dcerpc.v5.dtypes import ULONG, LONG, PRPC_SID, RPC_UNICODE_STRING, LPWSTR, PRPC_UNICODE_STRING, NTSTATUS, NULL from aiosmb.dcerpc.v5.enum import Enum from aiosmb.dcerpc.v5.lsad import LSAPR_HANDLE, PLSAPR_TRUST_INFORMATION_ARRAY from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRPOINTER, NDRUniConformantArray from aiosmb.dcerpc.v5.samr import SID_NAME_USE from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin from aiosmb.dcerpc.v5.rpcrt import DCERPCException from struct import unpack, pack from aiosmb import logger as LOG from aiosmb.commons.utils.decorators import red, rr MSRPC_UUID_LSAT = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) ################################################################################ # CONSTANTS ################################################################################ # 2.2.10 ACCESS_MASK POLICY_LOOKUP_NAMES = 0x00000800 ################################################################################ # STRUCTURES ################################################################################ # 2.2.12 LSAPR_REFERENCED_DOMAIN_LIST
# # Some calls have helper functions, which makes it even easier to use. # They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # from aiosmb.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, LPBYTE, NULL, DWORD_PTR from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER from aiosmb.dcerpc.v5.rpcrt import DCERPCException from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin from aiosmb.dcerpc.v5 import system_errors, hresult_errors from aiosmb.commons.exceptions import SMBException from aiosmb.dcerpc.v5.structure import Structure MSRPC_UUID_ICPR = uuidtup_to_bin( ('91ae6020-9e3c-11cf-8d7c-00aa00c091be', '0.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__(self): key = self.error_code if key in hresult_errors.ERROR_MESSAGES: error_msg_short = hresult_errors.ERROR_MESSAGES[key][0] error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1] return 'ICPR SessionError: code: 0x%x - %s - %s' % ( self.error_code, error_msg_short, error_msg_verbose) elif key & 0xffff in system_errors.ERROR_MESSAGES: error_msg_short = system_errors.ERROR_MESSAGES[key & 0xffff][0]
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray from aiosmb.dcerpc.v5.rpcrt import DCERPCException from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin from aiosmb.dcerpc.v5 import system_errors from aiosmb.commons.exceptions import SMBException from aiosmb.dcerpc.v5.structure import Structure #from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray #from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL, GUID, PSYSTEMTIME, SYSTEMTIME #from impacket.structure import Structure #from impacket import hresult_errors, system_errors #from impacket.uuid import uuidtup_to_bin #from impacket.dcerpc.v5.rpcrt import DCERPCException MSRPC_UUID_TSCHS = uuidtup_to_bin(('86D35949-83C9-4044-B424-DB363231FD0C','1.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__( self ): return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code ################################################################################ # CONSTANTS ################################################################################ # 2.3.1 Constant Values CNLEN = 15 DNLEN = CNLEN UNLEN = 256
# # Some calls have helper functions, which makes it even easier to use. # They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRUNION, NDRUniConformantArray, NDRUniFixedArray, \ NDRPOINTER from aiosmb.dcerpc.v5.dtypes import NULL, WSTR, ULONG, LPWSTR, LONG, LARGE_INTEGER, WIDESTR, RPC_UNICODE_STRING, \ LPULONG, LPLONG from aiosmb.dcerpc.v5 import system_errors from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin from aiosmb.dcerpc.v5.enum import Enum from aiosmb.dcerpc.v5.rpcrt import DCERPCException MSRPC_UUID_WKST = uuidtup_to_bin(('6BFFD098-A112-3610-9833-46C3F87E345A', '1.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__( self ): key = self.error_code if system_errors.ERROR_MESSAGES.has_key(key): error_msg_short = system_errors.ERROR_MESSAGES[key][0] error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] return 'WKST SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose) else: return 'WKST SessionError: unknown error code: 0x%x' % self.error_code ################################################################################
# They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # # ToDo: # [ ] 2.2.2 Client-Side-Wrapped Secret from __future__ import division from __future__ import print_function from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray from aiosmb.dcerpc.v5.dtypes import DWORD, NTSTATUS, GUID, RPC_SID, NULL from aiosmb.dcerpc.v5.rpcrt import DCERPCException from aiosmb.dcerpc.v5 import system_errors from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin, string_to_bin from aiosmb.dcerpc.v5.structure import Structure MSRPC_UUID_BKRP = uuidtup_to_bin(('3dde7c30-165d-11d1-ab8f-00805f14db40', '1.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__( self ): key = self.error_code if key in system_errors.ERROR_MESSAGES: error_msg_short = system_errors.ERROR_MESSAGES[key][0] error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] return 'BKRP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose) else: return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code ################################################################################
async def amain(): try: targets = [] ip = '10.10.10.2' epm = EPM.from_address(ip) _, err = await epm.connect() if err is not None: raise err x, err = await epm.lookup() if err is not None: raise err await epm.disconnect() print(len(x)) #print(x) for entry in x: version = '%s.%s' % (entry['tower']['Floors'][0]['MajorVersion'], entry['tower']['Floors'][0]['MinorVersion']) uuidstr = bin_to_string( entry['tower']['Floors'][0]['InterfaceUUID']) service_uuid = uuidtup_to_bin((uuidstr, version)) #print(entry['tower']['Floors'][0]['InterfaceUUID']) #print(version) #print(service_uuid) target, err = await EPM.create_target(ip, service_uuid) print(err) if err is not None: if str(err).find('ept_s_not_registered') != -1: continue raise err targets.append((uuidstr, service_uuid, target)) for uuidstr, service_uuid, target in targets: #print('UUID: %s' % uuidstr) #print('Target: %s' % target) cred = SMBCredential(username='******', domain='TEST', secret='Passw0rd!1', secret_type=SMBCredentialsSecretType.PASSWORD, authentication_type=SMBAuthProtocol.NTLM, settings=None, target=None) gssapi = AuthenticatorBuilder.to_spnego_cred(cred) auth = DCERPCAuth.from_smb_gssapi(gssapi) connection = DCERPC5Connection(auth, target) connection.set_auth_level(RPC_C_AUTHN_LEVEL_CONNECT) try: _, err = await connection.connect() if err is not None: raise err _, err = await connection.bind(service_uuid) if err is not None: raise err req = DummyOp() _, err = await connection.request(req) if str(err).find('rpc_s_access_denied') == -1: proto = 'UNK' if uuidstr in KNOWN_PROTOCOLS: proto = KNOWN_PROTOCOLS[uuidstr] print('UUID : %s' % uuidstr) print('proto: %s' % proto) print('err : %s' % err) print() except Exception as e: traceback.print_exc() finally: await connection.disconnect() except Exception as e: traceback.print_exc()
# at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC # # Some calls have helper functions, which makes it even easier to use. # They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # from aiosmb.dcerpc.v5 import system_errors from aiosmb.dcerpc.v5.dtypes import ULONGLONG, UINT, USHORT, LPWSTR, DWORD, ULONG, NULL from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRUniConformantArray from aiosmb.dcerpc.v5.rpcrt import DCERPCException from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin, string_to_bin from aiosmb.dcerpc.v5.rprn import DRIVER_INFO_2_ARRAY MSRPC_UUID_PAR = uuidtup_to_bin( ('76F03F96-CDFD-44FC-A22C-64950A001209', '1.0')) MSRPC_UUID_WINSPOOL = string_to_bin('9940CA8E-512F-4C58-88A9-61098D6896BD') class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__(self): key = self.error_code if key in system_errors.ERROR_MESSAGES: error_msg_short = system_errors.ERROR_MESSAGES[key][0] error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] return 'RPRN SessionError: code: 0x%x - %s - %s' % ( self.error_code, error_msg_short, error_msg_verbose) else:
# They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # from struct import unpack, pack from aiosmb import logger as LOG from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantVaryingArray, NDRUniConformantArray from aiosmb.dcerpc.v5.dtypes import DWORD, UUID, ULONG, LPULONG, BOOLEAN, SECURITY_INFORMATION, PFILETIME, \ RPC_UNICODE_STRING, FILETIME, NULL, MAXIMUM_ALLOWED, OWNER_SECURITY_INFORMATION, PWCHAR, PRPC_UNICODE_STRING from aiosmb.dcerpc.v5.rpcrt import DCERPCException from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin from aiosmb.commons.utils.decorators import red, rr MSRPC_UUID_RRP = uuidtup_to_bin( ('338CD001-2244-31F1-AAAA-900038001003', '1.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__(self): return 'RRP SessionError: unknown error code: 0x%x' % self.error_code ################################################################################ # CONSTANTS ################################################################################ # 2.2.2 PREGISTRY_SERVER_NAME PREGISTRY_SERVER_NAME = PWCHAR