async def amain():
try:
from aiosmb.commons.connection.credential import SMBCredential, SMBAuthProtocol, SMBCredentialsSecretType
from aiosmb.commons.connection.authbuilder import AuthenticatorBuilder
from aiosmb.dcerpc.v5.common.connection.authentication import DCERPCAuth
ip = '10.10.10.2'
target, err = await EPM.create_target(ip, TSCHRPC().service_uuid)
if err is not None:
raise err
cred = SMBCredential(username='******',
domain='TEST',
secret='Passw0rd!1',
secret_type=SMBCredentialsSecretType.PASSWORD,
authentication_type=SMBAuthProtocol.NTLM,
settings=None,
target=None)
gssapi = AuthenticatorBuilder.to_spnego_cred(cred)
auth = DCERPCAuth.from_smb_gssapi(gssapi)
connection = DCERPC5Connection(auth, target)
service, err = await TSCHRPC.from_rpcconnection(connection,
perform_dummy=True)
if err is not None:
raise err
async for task, err in service.list_tasks():
if err is not None:
raise err
print(task)
except Exception as e:
traceback.print_exc()
def get_smb_cred(self,
authtype: SMBAuthProtocol,
target: SMBTarget = None,
settings: dict = None):
stype = None
secret = None
if self.krb_rc4_hmac is not None:
stype = SMBCredentialsSecretType.NT
secret = self.krb_rc4_hmac
elif self.nt_hash is not None:
stype = SMBCredentialsSecretType.NT
secret = self.nt_hash
elif self.krb_aes128 is not None:
stype = SMBCredentialsSecretType.AES
secret = self.krb_aes128
elif self.krb_aes256 is not None:
stype = SMBCredentialsSecretType.AES
secret = self.krb_aes256
if stype is None:
raise Exception('Couldnt figure out correct stype for customcred!')
return SMBCredential(username=self.username,
domain=self.domain,
secret=secret,
secret_type=stype,
authentication_type=authtype,
settings=settings,
target=target)
async def domain_test(connection_string, domain_name, out_file = None, json_out = False):
target = SMBTarget.from_connection_string(connection_string)
credential = SMBCredential.from_connection_string(connection_string)
spneg = AuthenticatorBuilder.to_spnego_cred(credential, target)
async with SMBConnection(spneg, target) as connection:
await connection.login()
async with SMBDomain(domain_name, connection=connection) as domain:
logging.debug('Connecting to SAMR')
try:
await domain.open(access_level = samr.DOMAIN_ALL_ACCESS)
except Exception as e:
logging.exception('Failed to create domain object')
info = await domain.get_info()
async for user_name, user_sid in domain.list_users():
print(user_name, user_sid)
try:
user_handle = await domain.open_user(user_sid, access_level = samr.USER_ALL_ACCESS)
#x = await domain.get_security_info(user_handle)
user_info = await domain.get_user_info(user_handle)
#async for group_sid in domain.get_user_group_memberships(user_handle):
# print(group_sid)
except Exception as e:
print(e)
continue
#async for name, sid in domain.list_groups():
# print(name, sid)
print('Done!')
def get_smb_connection(self, cmd):
try:
hostname, ip = self.get_target_address(cmd.target)
res, domain, username, password = self.get_stored_cred(cmd.creds)
if res is False:
raise Exception('Could not find user creds!')
target = SMBTarget(ip=ip,
hostname=hostname,
timeout=1,
dc_ip=domain,
protocol=SMBConnectionProtocol.TCP)
target.preferred_dialects = SMB2_NEGOTIATE_DIALTECTS_2
auth_type = SMBAuthProtocol.NTLM
secret_type = SMBCredentialsSecretType.PASSWORD
credential = SMBCredential(username=username,
domain=domain,
secret=password,
secret_type=secret_type,
authentication_type=auth_type,
settings=None,
target=target)
print(target)
print(credential)
gssapi = AuthenticatorBuilder.to_spnego_cred(credential, target)
connection = SMBConnection(gssapi, target)
return connection, None
except Exception as e:
traceback.print_exc()
return None, e
def get_credential(self):
return SMBCredential(username=self.username,
domain=self.domain,
secret=self.secret,
secret_type=self.secret_type,
authentication_type=self.authentication_protocol,
settings=self.auth_settings,
target=self.ip)
def get_credential(self): if self.credential is not None: return copy.deepcopy(self.credential) return SMBCredential( username = self.username, domain = self.domain, secret = self.secret, secret_type = self.secret_type, authentication_type = self.authentication_protocol, settings = self.auth_settings, target = self.ip, altname = self.altname, altdomain = self.altdomain )
def get_smb_cred(self,
authtype_str: str,
target: SMBTarget = None,
settings: dict = None):
stype = None
authtype_str = authtype_str.upper()
dbstype = self.stype.upper()
if dbstype == 'SSPIPROXY':
if authtype_str == 'NTLM':
authtype = SMBAuthProtocol.SSPIPROXY_NTLM
stype = SMBCredentialsSecretType.NT
if authtype_str == 'KERBEROS':
authtype = SMBAuthProtocol.SSPIPROXY_KERBEROS
stype = SMBCredentialsSecretType.NT
else:
authtype = SMBAuthProtocol(authtype_str)
if dbstype in ['PW', 'PASSWORD', 'PASS']:
stype = SMBCredentialsSecretType.PASSWORD
elif dbstype in ['AES', 'AES128', 'AES256']:
stype = SMBCredentialsSecretType.AES
elif dbstype in ['KEYTAB']:
stype = SMBCredentialsSecretType.KEYTAB
elif dbstype in ['KIRBI']:
stype = SMBCredentialsSecretType.KIRBI
if authtype == SMBAuthProtocol.NTLM:
if dbstype in ['RC4', 'NT']:
stype = SMBCredentialsSecretType.NT
if stype is None:
raise Exception('Couldnt figure out correct stype for customcred!')
return SMBCredential(username=self.username,
domain=self.domain,
secret=self.secret,
secret_type=stype,
authentication_type=authtype,
settings=settings,
target=target)
async def amain():
try:
targets = []
ip = '10.10.10.2'
epm = EPM.from_address(ip)
_, err = await epm.connect()
if err is not None:
raise err
x, err = await epm.lookup()
if err is not None:
raise err
await epm.disconnect()
print(len(x))
#print(x)
for entry in x:
version = '%s.%s' % (entry['tower']['Floors'][0]['MajorVersion'],
entry['tower']['Floors'][0]['MinorVersion'])
uuidstr = bin_to_string(
entry['tower']['Floors'][0]['InterfaceUUID'])
service_uuid = uuidtup_to_bin((uuidstr, version))
#print(entry['tower']['Floors'][0]['InterfaceUUID'])
#print(version)
#print(service_uuid)
target, err = await EPM.create_target(ip, service_uuid)
print(err)
if err is not None:
if str(err).find('ept_s_not_registered') != -1:
continue
raise err
targets.append((uuidstr, service_uuid, target))
for uuidstr, service_uuid, target in targets:
#print('UUID: %s' % uuidstr)
#print('Target: %s' % target)
cred = SMBCredential(username='******',
domain='TEST',
secret='Passw0rd!1',
secret_type=SMBCredentialsSecretType.PASSWORD,
authentication_type=SMBAuthProtocol.NTLM,
settings=None,
target=None)
gssapi = AuthenticatorBuilder.to_spnego_cred(cred)
auth = DCERPCAuth.from_smb_gssapi(gssapi)
connection = DCERPC5Connection(auth, target)
connection.set_auth_level(RPC_C_AUTHN_LEVEL_CONNECT)
try:
_, err = await connection.connect()
if err is not None:
raise err
_, err = await connection.bind(service_uuid)
if err is not None:
raise err
req = DummyOp()
_, err = await connection.request(req)
if str(err).find('rpc_s_access_denied') == -1:
proto = 'UNK'
if uuidstr in KNOWN_PROTOCOLS:
proto = KNOWN_PROTOCOLS[uuidstr]
print('UUID : %s' % uuidstr)
print('proto: %s' % proto)
print('err : %s' % err)
print()
except Exception as e:
traceback.print_exc()
finally:
await connection.disconnect()
except Exception as e:
traceback.print_exc()