def getDefaultLoginAccount(self):
     try:
         ans = rrp.hBaseRegOpenKey(self.__rrp, self.__regHandle, 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon')
         keyHandle = ans['phkResult']
         dataType, dataValue = rrp.hBaseRegQueryValue(self.__rrp, keyHandle, 'DefaultUserName')
         username = dataValue[:-1]
         dataType, dataValue = rrp.hBaseRegQueryValue(self.__rrp, keyHandle, 'DefaultDomainName')
         domain = dataValue[:-1]
         rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
         if len(domain) > 0:
             return '%s\\%s' % (domain,username)
         else:
             return username
     except:
         return None
Beispiel #2
0
    def test_hBaseRegQueryValue(self):
        dce, rpctransport, phKey = self.connect()

        resp = rrp.hBaseRegOpenKey(dce, phKey, 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00' )
        resp.dump()

        resp = rrp.hBaseRegQueryValue(dce, resp['phkResult'], 'ProductName\x00')
Beispiel #3
0
    def disable(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        self.rrp = remoteOps._RemoteOperations__rrp

        if self.rrp is not None:
            ans = rrp.hOpenLocalMachine(self.rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
            keyHandle = ans['phkResult']

            try:
                rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
            except:
                self.logger.success('UseLogonCredential registry key not present')

                try:
                    remoteOps.finish()
                except:
                    pass

                return

            try:
                #Check to make sure the reg key is actually deleted
                rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
            except DCERPCException:
                self.logger.success('UseLogonCredential registry key deleted successfully')
                
                try:
                    remoteOps.finish()
                except:
                    pass
Beispiel #4
0
    def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
        dce, rpctransport, phKey = self.connect()
        resp = rrp.hOpenClassesRoot(dce)
        resp.dump()
        regHandle = resp['phKey']

        resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        phKey = resp['phkResult']

        try: 
            resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00',  rrp.REG_SZ, 'HOLA COMO TE VA\x00')
            resp.dump()
        except Exception as e:
            print e

        type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
        #print data

        resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
        resp.dump()

        resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        self.assertTrue( 'HOLA COMO TE VA\x00' == data )
Beispiel #5
0
    def query(self, dce, keyName):
        # Let's strip the root key
        try:
            rootKey = keyName.split('\\')[0]
            subKey = '\\'.join(keyName.split('\\')[1:])
        except Exception:
            raise Exception('Error parsing keyName %s' % keyName)

        if rootKey.upper() == 'HKLM':
            ans = rrp.hOpenLocalMachine(dce)
        elif rootKey.upper() == 'HKU':
            ans = rrp.hOpenCurrentUser(dce)
        elif rootKey.upper() == 'HKCR':
            ans = rrp.hOpenClassesRoot(dce)
        else:
            raise Exception('Invalid root key %s ' % rootKey)

        hRootKey = ans['phKey']

        ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,
                                   samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS | rrp.KEY_QUERY_VALUE)

        if self.__options.v:
            print keyName
            value = rrp.hBaseRegQueryValue(dce, ans2['phkResult'], self.__options.v)
            print '\t' + self.__options.v + '\t' + self.__regValues.get(value[0], 'KEY_NOT_FOUND') + '\t', str(value[1])
        elif self.__options.ve:
            print keyName
            value = rrp.hBaseRegQueryValue(dce, ans2['phkResult'], '')
            print '\t' + '(Default)' + '\t' + self.__regValues.get(value[0], 'KEY_NOT_FOUND') + '\t', str(value[1])
        elif self.__options.s:
            self.__print_all_subkeys_and_entries(dce, subKey + '\\', ans2['phkResult'], 0)
        else:
            print keyName
            self.__print_key_values(dce, ans2['phkResult'])
            i = 0
            while True:
                try:
                    key = rrp.hBaseRegEnumKey(dce, ans2['phkResult'], i)
                    print keyName + '\\' + key['lpNameOut'][:-1]
                    i += 1
                except Exception:
                    break
    def saveNTDS(self):
        logging.info('Searching for NTDS.dit')
        # First of all, let's try to read the target NTDS.dit registry entry
        ans = rrp.hOpenLocalMachine(self.__rrp)
        regHandle = ans['phKey']
        try:
            ans = rrp.hBaseRegOpenKey(self.__rrp, self.__regHandle, 'SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters')
            keyHandle = ans['phkResult']
        except:
            # Can't open the registry path, assuming no NTDS on the other end
            return None

        try:
            dataType, dataValue = rrp.hBaseRegQueryValue(self.__rrp, keyHandle, 'DSA Database file')
            ntdsLocation = dataValue[:-1]
            ntdsDrive = ntdsLocation[:2]
        except:
            # Can't open the registry path, assuming no NTDS on the other end
            return None

        rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
        rrp.hBaseRegCloseKey(self.__rrp, regHandle)

        logging.info('Registry says NTDS.dit is at %s. Calling vssadmin to get a copy. This might take some time' % ntdsLocation)
        # Get the list of remote shadows
        shadow, shadowFor = self.__getLastVSS()
        if shadow == '' or (shadow != '' and shadowFor != ntdsDrive):
            # No shadow, create one
            self.__executeRemote('%%COMSPEC%% /C vssadmin create shadow /For=%s' % ntdsDrive)
            shadow, shadowFor = self.__getLastVSS()
            shouldRemove = True
            if shadow == '':
                raise Exception('Could not get a VSS')
        else:
            shouldRemove = False

        # Now copy the ntds.dit to the temp directory
        tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'

        self.__executeRemote('%%COMSPEC%% /C copy %s%s %%SYSTEMROOT%%\\Temp\\%s' % (shadow, ntdsLocation[2:], tmpFileName))

        if shouldRemove is True:
            self.__executeRemote('%%COMSPEC%% /C vssadmin delete shadows /For=%s /Quiet' % ntdsDrive)

        self.__smbConnection.deleteFile('ADMIN$', 'Temp\\__output')

        remoteFileName = RemoteFile(self.__smbConnection, 'Temp\\%s' % tmpFileName)

        return remoteFileName
Beispiel #7
0
    def enum(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
        regHandle = ans['phKey']
        ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
        keyHandle = ans['phkResult']
        dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')

        self.logger.success("Enumerating UAC status")
        if uac_value == 1:
            self.logger.highlight('1 - UAC Enabled')
        elif uac_value == 0:
            self.logger.highlight('0 - UAC Disabled')

        rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
        remoteOps.finish()
Beispiel #8
0
    def on_admin_login(self, context, connection):
        remoteOps = RemoteOperations(connection.conn, False)
        remoteOps.enableRegistry()

        ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
        regHandle = ans['phKey']
        ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
        keyHandle = ans['phkResult']
        dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')

        if uac_value == 1:
            context.log.highlight('UAC Status: 1 (UAC Enabled)')
        elif uac_value == 0:
            context.log.highlight('UAC Status: 0 (UAC Disabled)')

        rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
        remoteOps.finish()
Beispiel #9
0
    def run(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
        regHandle = ans['phKey']
        ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
        keyHandle = ans['phkResult']
        dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')

        print_succ("{} UAC status:".format(self.peer))
        if uac_value == 1:
            print_att('1 - UAC Enabled')
        elif uac_value == 0:
            print_att('0 - UAC Disabled')

        rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
        remoteOps.finish()
    def checkNoLMHashPolicy(self):
        logging.debug('Checking NoLMHash Policy')
        ans = rrp.hOpenLocalMachine(self.__rrp)
        self.__regHandle = ans['phKey']

        ans = rrp.hBaseRegOpenKey(self.__rrp, self.__regHandle, 'SYSTEM\\CurrentControlSet\\Control\\Lsa')
        keyHandle = ans['phkResult']
        try:
            dataType, noLMHash = rrp.hBaseRegQueryValue(self.__rrp, keyHandle, 'NoLmHash')
        except:
            noLMHash = 0

        if noLMHash != 1:
            logging.debug('LMHashes are being stored')
            return False

        logging.debug('LMHashes are NOT being stored')
        return True
Beispiel #11
0
    def wdigest_enable(self, context, smbconnection):
        remoteOps = RemoteOperations(smbconnection, False)
        remoteOps.enableRegistry()

        if remoteOps._RemoteOperations__rrp:
            ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
            keyHandle = ans['phkResult']

            rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00',  rrp.REG_DWORD, 1)

            rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00')

            if int(data) == 1:
                context.log.success('UseLogonCredential registry key created successfully')

        try:
            remoteOps.finish()
        except:
            pass
Beispiel #12
0
    def enable(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        self.rrp = remoteOps._RemoteOperations__rrp

        if self.rrp is not None:
            ans = rrp.hOpenLocalMachine(self.rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
            keyHandle = ans['phkResult']

            rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00',  rrp.REG_DWORD, '\x01\x00')

            rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')

            if int(data) == 1:
                self.logger.success('UseLogonCredential registry key created successfully')

        try:
            remoteOps.finish()
        except:
            pass
    def saveNTDS(self):
        logging.info('Searching for NTDS.dit')
        # First of all, let's try to read the target NTDS.dit registry entry
        ans = rrp.hOpenLocalMachine(self.__rrp)
        regHandle = ans['phKey']
        try:
            ans = rrp.hBaseRegOpenKey(
                self.__rrp, self.__regHandle,
                'SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters')
            keyHandle = ans['phkResult']
        except:
            # Can't open the registry path, assuming no NTDS on the other end
            return None

        try:
            dataType, dataValue = rrp.hBaseRegQueryValue(
                self.__rrp, keyHandle, 'DSA Database file')
            ntdsLocation = dataValue[:-1]
            ntdsDrive = ntdsLocation[:2]
        except:
            # Can't open the registry path, assuming no NTDS on the other end
            return None

        rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
        rrp.hBaseRegCloseKey(self.__rrp, regHandle)

        logging.info(
            'Registry says NTDS.dit is at %s. Calling vssadmin to get a copy. This might take some time'
            % ntdsLocation)
        # Get the list of remote shadows
        shadow, shadowFor = self.__getLastVSS()
        if shadow == '' or (shadow != '' and shadowFor != ntdsDrive):
            # No shadow, create one
            self.__executeRemote(
                '%%COMSPEC%% /C vssadmin create shadow /For=%s' % ntdsDrive)
            shadow, shadowFor = self.__getLastVSS()
            shouldRemove = True
            if shadow == '':
                raise Exception('Could not get a VSS')
        else:
            shouldRemove = False

        # Now copy the ntds.dit to the temp directory
        tmpFileName = ''.join(
            [random.choice(string.letters) for _ in range(8)]) + '.tmp'

        self.__executeRemote(
            '%%COMSPEC%% /C copy %s%s %%SYSTEMROOT%%\\Temp\\%s' %
            (shadow, ntdsLocation[2:], tmpFileName))

        if shouldRemove is True:
            self.__executeRemote(
                '%%COMSPEC%% /C vssadmin delete shadows /For=%s /Quiet' %
                ntdsDrive)

        self.__smbConnection.deleteFile('ADMIN$', 'Temp\\__output')

        remoteFileName = RemoteFile(self.__smbConnection,
                                    'Temp\\%s' % tmpFileName)

        return remoteFileName
Beispiel #14
0
class RRPTests(unittest.TestCase):
    def connect(self):
        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if len(self.hashes) > 0:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username, self.password,
                                         self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
        dce.connect()
        dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts)
        resp = rrp.hOpenLocalMachine(
            dce,
            MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)

        return dce, rpctransport, resp['phKey']

    def test_OpenClassesRoot(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenClassesRoot()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_OpenCurrentUser(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenCurrentUser()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_OpenLocalMachine(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenLocalMachine()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_OpenPerformanceData(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenPerformanceData()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_OpenUsers(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenUsers()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_BaseRegCloseKey(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.BaseRegCloseKey()
        request['hKey'] = phKey
        resp = dce.request(request)
        resp.dump()

    def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
        dce, rpctransport, phKey = self.connect()
        resp = rrp.hOpenClassesRoot(dce)
        resp.dump()
        regHandle = resp['phKey']

        resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        phKey = resp['phkResult']

        try:
            resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ,
                                        'HOLA COMO TE VA\x00')
            resp.dump()
        except Exception, e:
            print e

        type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
        #print data

        resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
        resp.dump()

        resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        self.assertTrue('HOLA COMO TE VA\x00' == data)
Beispiel #15
0
    def checkUAC(self, dce):
        #
        try:
            ans = rrp.hOpenLocalMachine(dce)
            regHandle = ans['phKey']
        except Exception as e:
            logging.debug('Exception thrown when hOpenLocalMachine: %s',
                          str(e))
            return

        self.logger.highlight('UAC Status:')

        try:
            resp = rrp.hBaseRegOpenKey(
                dce, regHandle,
                'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
            )
            keyHandle = resp['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegOpenKey: %s', str(e))
            return

        #EnableLUA
        try:
            dataType, lua_uac_value = rrp.hBaseRegQueryValue(
                dce, keyHandle, 'EnableLUA')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s',
                          str(e))
            lua_uac_value = 3
            pass
        #LocalAccountTokenFilterPolicy
        try:
            dataType, latfp_uac_value = rrp.hBaseRegQueryValue(
                dce, keyHandle, 'LocalAccountTokenFilterPolicy')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s',
                          str(e))
            latfp_uac_value = 3
            pass
        #LocalAccountTokenFilterPolicy
        try:
            dataType, fat_uac_value = rrp.hBaseRegQueryValue(
                dce, keyHandle, 'FilterAdministratorToken')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s',
                          str(e))
            fat_uac_value = 3
            pass

    #Results
        if lua_uac_value == 1:
            self.logger.highlight('    enableLua = 1  (default)   ')
        elif lua_uac_value == 0:
            self.logger.highlight('    enableLua = 0')
        else:
            self.logger.highlight('     enableLua key does not exist!')

        if latfp_uac_value == 1:
            self.logger.highlight('    LocalAccountTokenFilterPolicy = 1')
        elif latfp_uac_value == 0:
            self.logger.highlight(
                '    LocalAccountTokenFilterPolicy = 0  (default)')
        else:
            self.logger.highlight(
                '    LocalAccountTokenFilterPolicy key does not exist!')

        if fat_uac_value == 1:
            self.logger.highlight('    FilterAdministratorToken = 1    ')
        elif fat_uac_value == 0:
            self.logger.highlight('    FilterAdministratorToken = 0 (default)')
        else:
            self.logger.highlight(
                '    FilterAdministratorToken key does not exist!')

    # Analysis
        self.logger.highlight('')
        self.logger.highlight('UAC Analysis:')
        if lua_uac_value == 1:
            self.logger.highlight(
                'EnableLUA current setting means capabilities are determined by'
            )
            self.logger.highlight(
                '         LocalAccountTokenFilterPolicy and/or FilterAdministratorToken'
            )
            self.logger.highlight('')
        elif lua_uac_value == 0:
            self.logger.highlight(
                'High integrity access available to any member of the local admins group'
            )
            self.logger.highlight(
                '           using plaintext credentials or password hashes!')
            return

        if latfp_uac_value == 1:
            self.logger.highlight(
                'LocalAccountTokenFilterPolicy configured to allow remote connections with high integrity access tokens!'
            )
            return
        else:
            self.logger.highlight(
                'LocalAccountTokenFilterPolicy set to 0 tells us:')
            self.logger.highlight(
                '    High integrity access only possible using either the plaintext pass'
            )
            self.logger.highlight(
                '    or password hash of the RID 500 local administrator')
            self.logger.highlight('')

        if fat_uac_value == 1:
            self.logger.highlight(
                'FilterAdministratorToken set to 1 tells us High integrity access not available for RID 500 local administrator'
            )
        else:  # 0 or missing
            self.logger.highlight(
                'The FilterAdministratorToken setting should have no effect in this case'
            )
Beispiel #16
0
class RRPTests(unittest.TestCase):
    def connect_scmr(self):
        rpctransport = transport.DCERPCTransportFactory(
            r'ncacn_np:%s[\pipe\svcctl]' % self.machine)
        if len(self.hashes) > 0:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username, self.password,
                                         self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        # dce.set_max_fragment_size(32)
        dce.connect()
        dce.bind(scmr.MSRPC_UUID_SCMR)
        lpMachineName = 'DUMMY\x00'
        lpDatabaseName = 'ServicesActive\x00'
        desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
                        scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | \
                        scmr.SERVICE_ENUMERATE_DEPENDENTS | scmr.SC_MANAGER_ENUMERATE_SERVICE

        resp = scmr.hROpenSCManagerW(dce, lpMachineName, lpDatabaseName,
                                     desiredAccess)
        scHandle = resp['lpScHandle']

        return dce, rpctransport, scHandle

    def connect(self):
        if self.rrpStarted is not True:
            dce, rpctransport, scHandle = self.connect_scmr()

            desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
                            scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS

            resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00',
                                       desiredAccess)
            resp.dump()
            serviceHandle = resp['lpServiceHandle']

            try:
                resp = scmr.hRStartServiceW(dce, serviceHandle)
            except Exception as e:
                if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >= 0:
                    pass
                else:
                    raise
            resp = scmr.hRCloseServiceHandle(dce, scHandle)
            self.rrpStarted = True

        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if len(self.hashes) > 0:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username, self.password,
                                         self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
        dce.connect()
        dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts)
        resp = rrp.hOpenLocalMachine(
            dce,
            MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)

        return dce, rpctransport, resp['phKey']

    def test_OpenClassesRoot(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenClassesRoot()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_OpenCurrentUser(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenCurrentUser()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_OpenLocalMachine(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenLocalMachine()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_OpenPerformanceData(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenPerformanceData()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_OpenUsers(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.OpenUsers()
        request['ServerName'] = NULL
        request['samDesired'] = MAXIMUM_ALLOWED
        resp = dce.request(request)
        resp.dump()

    def test_BaseRegCloseKey(self):
        dce, rpctransport, phKey = self.connect()
        request = rrp.BaseRegCloseKey()
        request['hKey'] = phKey
        resp = dce.request(request)
        resp.dump()

    def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
        dce, rpctransport, phKey = self.connect()
        resp = rrp.hOpenClassesRoot(dce)
        resp.dump()
        regHandle = resp['phKey']

        resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        phKey = resp['phkResult']

        try:
            resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ,
                                        'HOLA COMO TE VA\x00')
            resp.dump()
        except Exception, e:
            print e

        type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
        #print data

        resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
        resp.dump()

        resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        self.assertTrue('HOLA COMO TE VA\x00' == data)