def rpcdump(self):
logger.info('Retrieving RPC endpoint list')
self.__rpc_connect()
entries = self.__fetchList()
endpoints = {}
# Let's groups the UUIDs
for entry in entries:
binding = epm.PrintStringBinding(entry['tower']['Floors'],
self.trans.getRemoteName())
tmpUUID = str(entry['tower']['Floors'][0])
if endpoints.has_key(tmpUUID) is not True:
endpoints[tmpUUID] = {}
endpoints[tmpUUID]['Bindings'] = list()
if epm.KNOWN_UUIDS.has_key(
uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]):
endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[uuidtup_to_bin(
uuid.string_to_uuidtup(tmpUUID))[:18]]
else:
endpoints[tmpUUID]['EXE'] = 'N/A'
endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1]
endpoints[tmpUUID]['Bindings'].append(binding)
if epm.KNOWN_PROTOCOLS.has_key(tmpUUID[:36]):
endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[
tmpUUID[:36]]
else:
endpoints[tmpUUID]['Protocol'] = 'N/A'
# print 'Transfer Syntax: %s' % entry['Tower']['Floors'][1]
for endpoint in endpoints.keys():
print 'Protocol: %s ' % endpoints[endpoint]['Protocol']
print 'Provider: %s ' % endpoints[endpoint]['EXE']
print 'UUID : %s %s' % (endpoint,
endpoints[endpoint]['annotation'])
print 'Bindings: '
for binding in endpoints[endpoint]['Bindings']:
print ' %s' % binding
print
if entries:
num = len(entries)
if 1 == num:
logger.info('Received one RPC endpoint')
else:
logger.info('Received %d endpoints' % num)
else:
logger.info('No endpoints found')
def dump(self, remoteName, remoteHost):
"""Dumps the list of endpoints registered with the mapper
listening at addr. remoteName is a valid host name or IP
address in string format.
"""
logging.info('Retrieving endpoint list from %s' % remoteName)
entries = []
self.__stringbinding = self.KNOWN_PROTOCOLS[
self.__port]['bindstr'] % remoteName
logging.debug('StringBinding %s' % self.__stringbinding)
rpctransport = transport.DCERPCTransportFactory(self.__stringbinding)
if self.__port in [139, 445]:
# Setting credentials for SMB
rpctransport.set_credentials(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
# Setting remote host and port for SMB
rpctransport.setRemoteHost(remoteHost)
rpctransport.set_dport(self.__port)
elif self.__port in [443]:
# Setting credentials only for RPC Proxy, but not for the MSRPC level
rpctransport.set_credentials(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
# Usually when a server doesn't support NTLM, it also doesn't expose epmapper (nowadays
# only RDG servers may potentially expose a epmapper via RPC Proxy).
#
# Also if the auth is not NTLM, there is no way to get a target
# NetBIOS name, but epmapper ACL requires you to specify it.
rpctransport.set_auth_type(AUTH_NTLM)
else:
# We don't need to authenticate to 135 and 593 ports
pass
try:
entries = self.__fetchList(rpctransport)
except Exception as e:
# raise
# This may contain UTF-8
error_text = 'Protocol failed: %s' % e
logging.critical(error_text)
if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or \
RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \
RPC_PROXY_CONN_A1_404_ERR in error_text or \
RPC_PROXY_CONN_A1_0X6BA_ERR in error_text:
logging.critical(
"This usually means the target does not allow "
"to connect to its epmapper using RpcProxy.")
return
# Display results.
endpoints = {}
# Let's groups the UUIDS
for entry in entries:
binding = epm.PrintStringBinding(entry['tower']['Floors'])
tmpUUID = str(entry['tower']['Floors'][0])
if (tmpUUID in endpoints) is not True:
endpoints[tmpUUID] = {}
endpoints[tmpUUID]['Bindings'] = list()
if uuid.uuidtup_to_bin(
uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS:
endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[
uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]]
else:
endpoints[tmpUUID]['EXE'] = 'N/A'
endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode(
'utf-8')
endpoints[tmpUUID]['Bindings'].append(binding)
if tmpUUID[:36] in epm.KNOWN_PROTOCOLS:
endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[
tmpUUID[:36]]
else:
endpoints[tmpUUID]['Protocol'] = "N/A"
# print("Transfer Syntax: %s" % entry['tower']['Floors'][1])
for endpoint in list(endpoints.keys()):
print("Protocol: %s " % endpoints[endpoint]['Protocol'])
print("Provider: %s " % endpoints[endpoint]['EXE'])
print("UUID : %s %s" %
(endpoint, endpoints[endpoint]['annotation']))
print("Bindings: ")
for binding in endpoints[endpoint]['Bindings']:
print(" %s" % binding)
print("")
if entries:
num = len(entries)
if 1 == num:
logging.info('Received one endpoint.')
else:
logging.info('Received %d endpoints.' % num)
else:
logging.info('No endpoints found.')
class RPCDump:
KNOWN_PROTOCOLS = {
'139/SMB': (r'ncacn_np:%s[\pipe\epmapper]', 139),
'445/SMB': (r'ncacn_np:%s[\pipe\epmapper]', 445),
'135/TCP': (r'ncacn_ip_tcp:%s', 135),
}
def __init__(self,
protocols=None,
username='',
password='',
domain='',
hashes=None):
if not protocols:
protocols = RPCDump.KNOWN_PROTOCOLS.keys()
self.__username = username
self.__password = password
self.__protocols = [protocols]
self.__domain = domain
self.__lmhash = ''
self.__nthash = ''
if hashes is not None:
self.__lmhash, self.__nthash = hashes.split(':')
def dump(self, addr):
"""Dumps the list of endpoints registered with the mapper
listening at addr. Addr is a valid host name or IP address in
string format.
"""
logging.info('Retrieving endpoint list from %s' % addr)
# Try all requested protocols until one works.
entries = []
for protocol in self.__protocols:
protodef = RPCDump.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
logging.info("Trying protocol %s..." % protocol)
stringbinding = protodef[0] % addr
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(port)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
try:
entries = self.__fetchList(rpctransport)
except Exception, e:
logging.critical('Protocol failed: %s' % e)
else:
# Got a response. No need for further iterations.
break
# Display results.
endpoints = {}
# Let's groups the UUIDS
for entry in entries:
binding = epm.PrintStringBinding(entry['tower']['Floors'],
rpctransport.get_dip())
tmpUUID = str(entry['tower']['Floors'][0])
if endpoints.has_key(tmpUUID) is not True:
endpoints[tmpUUID] = {}
endpoints[tmpUUID]['Bindings'] = list()
if ndrutils.KNOWN_UUIDS.has_key(
uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]):
endpoints[tmpUUID]['EXE'] = ndrutils.KNOWN_UUIDS[
uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]]
else:
endpoints[tmpUUID]['EXE'] = 'N/A'
endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1]
endpoints[tmpUUID]['Bindings'].append(binding)
if epm.KNOWN_PROTOCOLS.has_key(tmpUUID[:36]):
endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[
tmpUUID[:36]]
else:
endpoints[tmpUUID]['Protocol'] = "N/A"
#print "Transfer Syntax: %s" % entry['Tower']['Floors'][1]
for endpoint in endpoints.keys():
print "Protocol: %s " % endpoints[endpoint]['Protocol']
print "Provider: %s " % endpoints[endpoint]['EXE']
print "UUID : %s %s" % (endpoint,
endpoints[endpoint]['annotation'])
print "Bindings: "
for binding in endpoints[endpoint]['Bindings']:
print " %s" % binding
print ""
if entries:
num = len(entries)
if 1 == num:
logging.info('Received one endpoint.')
else:
logging.info('Received %d endpoints.' % num)
else:
logging.info('No endpoints found.')
Author: Catalin Patulea <*****@*****.**>
"""
from __future__ import division
from __future__ import print_function
import sys
import struct
from impacket.examples import logger
from impacket import uuid
from impacket.dcerpc.v5.epm import KNOWN_UUIDS
from impacket.dcerpc.v5 import transport, rpcrt, epm
from impacket.dcerpc.v5 import mgmt
uuid_database = set(
uuid.string_to_uuidtup(line) for line in """
00000001-0000-0000-c000-000000000046 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000132-0000-0000-c000-000000000046 v0.0
00000134-0000-0000-c000-000000000046 v0.0
00000136-0000-0000-c000-000000000046 v0.0
00000141-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0
000001a0-0000-0000-c000-000000000046 v0.0
027947e1-d731-11ce-a357-000000000001 v0.0
04fcb220-fcfd-11cd-bec8-00aa0047ae4e v1.0
06bba54a-be05-49f9-b0a0-30f790261023 v1.0
0767a036-0d22-48aa-ba69-b619480f38cb v1.0
0a5a5830-58e0-11ce-a3cc-00aa00607271 v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0
0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.0
('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0'): listed, listening
('E60C73E6-88F9-11CF-9AF1-0020AF6E72F4', '2.0'): listed, listening
Usually, only AFA8BD80-...-89, the MGMT interface, is not listed but always
listening on any port. This is imposed by the DCERPC spec.
Author: Catalin Patulea <*****@*****.**>
"""
import sys, struct
from impacket import uuid
from impacket.dcerpc import ndrutils
from impacket.dcerpc.v5 import transport, rpcrt, epm
from impacket.dcerpc.v5 import mgmt
from impacket.examples import logger
uuid_database = set(uuid.string_to_uuidtup(line) for line in """
00000001-0000-0000-c000-000000000046 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000132-0000-0000-c000-000000000046 v0.0
00000134-0000-0000-c000-000000000046 v0.0
00000136-0000-0000-c000-000000000046 v0.0
00000141-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0
000001a0-0000-0000-c000-000000000046 v0.0
027947e1-d731-11ce-a357-000000000001 v0.0
04fcb220-fcfd-11cd-bec8-00aa0047ae4e v1.0
06bba54a-be05-49f9-b0a0-30f790261023 v1.0
0767a036-0d22-48aa-ba69-b619480f38cb v1.0
0a5a5830-58e0-11ce-a3cc-00aa00607271 v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0
0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.0
('B9E79E60-3D52-11CE-AAA1-00006901293F', '0.2'): listed, listening
('C6F3EE72-CE7E-11D1-B71E-00C04FC3111A', '1.0'): listed, listening
('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0'): listed, listening
('E60C73E6-88F9-11CF-9AF1-0020AF6E72F4', '2.0'): listed, listening
Usually, only AFA8BD80-...-89, the MGMT interface, is not listed but always
listening on any port. This is imposed by the DCERPC spec.
Author: Catalin Patulea <*****@*****.**>
"""
import sys, struct
from impacket import uuid
from impacket.dcerpc import transport, dcerpc, ndrutils
from impacket.dcerpc import mgmt
uuid_database = set(uuid.string_to_uuidtup(line) for line in """
00000001-0000-0000-c000-000000000046 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000132-0000-0000-c000-000000000046 v0.0
00000134-0000-0000-c000-000000000046 v0.0
00000136-0000-0000-c000-000000000046 v0.0
00000141-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0
000001a0-0000-0000-c000-000000000046 v0.0
027947e1-d731-11ce-a357-000000000001 v0.0
04fcb220-fcfd-11cd-bec8-00aa0047ae4e v1.0
06bba54a-be05-49f9-b0a0-30f790261023 v1.0
0767a036-0d22-48aa-ba69-b619480f38cb v1.0
0a5a5830-58e0-11ce-a3cc-00aa00607271 v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0
0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.0
def dump(self, remoteName, remoteHost):
"""Dumps the list of endpoints registered with the mapper
listening at addr. remoteName is a valid host name or IP
address in string format.
"""
logging.info('Retrieving endpoint list from %s' % remoteName)
entries = []
stringbinding = self.KNOWN_PROTOCOLS[
self.__port]['bindstr'] % remoteName
logging.debug('StringBinding %s' % stringbinding)
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(self.__port)
if self.KNOWN_PROTOCOLS[self.__port]['set_host']:
rpctransport.setRemoteHost(remoteHost)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
try:
entries = self.__fetchList(rpctransport)
except Exception as e:
logging.critical('Protocol failed: %s' % e)
# Display results.
endpoints = {}
# Let's groups the UUIDS
for entry in entries:
binding = epm.PrintStringBinding(entry['tower']['Floors'],
rpctransport.getRemoteHost())
tmpUUID = str(entry['tower']['Floors'][0])
if (tmpUUID in endpoints) is not True:
endpoints[tmpUUID] = {}
endpoints[tmpUUID]['Bindings'] = list()
if uuid.uuidtup_to_bin(
uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS:
endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[
uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]]
else:
endpoints[tmpUUID]['EXE'] = 'N/A'
endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode(
'utf-8')
endpoints[tmpUUID]['Bindings'].append(binding)
if tmpUUID[:36] in epm.KNOWN_PROTOCOLS:
endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[
tmpUUID[:36]]
else:
endpoints[tmpUUID]['Protocol'] = "N/A"
#print "Transfer Syntax: %s" % entry['Tower']['Floors'][1]
for endpoint in list(endpoints.keys()):
print("Protocol: %s " % endpoints[endpoint]['Protocol'])
print("Provider: %s " % endpoints[endpoint]['EXE'])
print("UUID : %s %s" %
(endpoint, endpoints[endpoint]['annotation']))
print("Bindings: ")
for binding in endpoints[endpoint]['Bindings']:
print(" %s" % binding)
print("")
if entries:
num = len(entries)
if 1 == num:
logging.info('Received one endpoint.')
else:
logging.info('Received %d endpoints.' % num)
else:
logging.info('No endpoints found.')
def dump(self, remoteName, remoteHost):
"""Dumps the list of endpoints registered with the mapper
listening at addr. remoteName is a valid host name or IP
address in string format.
"""
logging.info('Retrieving endpoint list from %s' % remoteName)
entries = []
self.__stringbinding = self.KNOWN_PROTOCOLS[
self.__port]['bindstr'] % remoteName
logging.debug('StringBinding %s' % self.__stringbinding)
rpctransport = transport.DCERPCTransportFactory(self.__stringbinding)
if self.__port in [139, 445]:
# Setting credentials for SMB
rpctransport.set_credentials(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
# Setting remote host and port for SMB
rpctransport.setRemoteHost(remoteHost)
rpctransport.set_dport(self.__port)
elif self.__port in [443]:
# Setting credentials only for RpcProxy, but not for the RPC Transport
rpctransport.set_proxy_credentials(self.__username,
self.__password, self.__domain,
self.__lmhash, self.__nthash)
else:
# We don't need to authenticate to 135 and 593 ports
pass
try:
entries = self.__fetchList(rpctransport)
except Exception as e:
#raise
logging.critical('Protocol failed: %s' % e)
if 'Invalid RPC Port' in str(e):
logging.critical(
"This usually means the target is a MS Exchange Server, "
"which does not allow to connect to its epmapper using RpcProxy"
)
if 'RPC Proxy CONN/A1 request failed, code: 0x6ba' in str(e):
logging.critical(
"This usually means the target has no ACL to connect to its epmapper using RpcProxy"
)
# Display results.
endpoints = {}
# Let's groups the UUIDS
for entry in entries:
binding = epm.PrintStringBinding(entry['tower']['Floors'])
tmpUUID = str(entry['tower']['Floors'][0])
if (tmpUUID in endpoints) is not True:
endpoints[tmpUUID] = {}
endpoints[tmpUUID]['Bindings'] = list()
if uuid.uuidtup_to_bin(
uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS:
endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[
uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]]
else:
endpoints[tmpUUID]['EXE'] = 'N/A'
endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode(
'utf-8')
endpoints[tmpUUID]['Bindings'].append(binding)
if tmpUUID[:36] in epm.KNOWN_PROTOCOLS:
endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[
tmpUUID[:36]]
else:
endpoints[tmpUUID]['Protocol'] = "N/A"
#print("Transfer Syntax: %s" % entry['tower']['Floors'][1])
for endpoint in list(endpoints.keys()):
print("Protocol: %s " % endpoints[endpoint]['Protocol'])
print("Provider: %s " % endpoints[endpoint]['EXE'])
print("UUID : %s %s" %
(endpoint, endpoints[endpoint]['annotation']))
print("Bindings: ")
for binding in endpoints[endpoint]['Bindings']:
print(" %s" % binding)
print("")
if entries:
num = len(entries)
if 1 == num:
logging.info('Received one endpoint.')
else:
logging.info('Received %d endpoints.' % num)
else:
logging.info('No endpoints found.')
def dump(self, remoteName, remoteHost):
"""Dumps the list of endpoints registered with the mapper
listening at addr. remoteName is a valid host name or IP
address in string format.
"""
logging.info('Retrieving endpoint list from %s' % remoteName)
entries = []
stringbinding = self.KNOWN_PROTOCOLS[self.__port]['bindstr'] % remoteName
logging.debug('StringBinding %s'%stringbinding)
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(self.__port)
if self.KNOWN_PROTOCOLS[self.__port]['set_host']:
rpctransport.setRemoteHost(remoteHost)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password, self.__domain,
self.__lmhash, self.__nthash)
try:
entries = self.__fetchList(rpctransport)
except Exception as e:
logging.critical('Protocol failed: %s' % e)
# Display results.
endpoints = {}
# Let's groups the UUIDS
for entry in entries:
binding = epm.PrintStringBinding(entry['tower']['Floors'], rpctransport.getRemoteHost())
tmpUUID = str(entry['tower']['Floors'][0])
if (tmpUUID in endpoints) is not True:
endpoints[tmpUUID] = {}
endpoints[tmpUUID]['Bindings'] = list()
if uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS:
endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]]
else:
endpoints[tmpUUID]['EXE'] = 'N/A'
endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode('utf-8')
endpoints[tmpUUID]['Bindings'].append(binding)
if tmpUUID[:36] in epm.KNOWN_PROTOCOLS:
endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[tmpUUID[:36]]
else:
endpoints[tmpUUID]['Protocol'] = "N/A"
#print "Transfer Syntax: %s" % entry['Tower']['Floors'][1]
for endpoint in list(endpoints.keys()):
print("Protocol: %s " % endpoints[endpoint]['Protocol'])
print("Provider: %s " % endpoints[endpoint]['EXE'])
print("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation']))
print("Bindings: ")
for binding in endpoints[endpoint]['Bindings']:
print(" %s" % binding)
print("")
if entries:
num = len(entries)
if 1 == num:
logging.info('Received one endpoint.')
else:
logging.info('Received %d endpoints.' % num)
else:
logging.info('No endpoints found.')
Keytab.loadKeysFromKeytab (options.keytab, rpcuser, rpcdomain, options)
options.k = True
if options.aesKey is not None:
options.k = True
if rpcpass == '' and rpcuser != '' and options.hashes_rpc is None and options.no_pass is False and options.aesKey is None:
from getpass import getpass
rpcpass = getpass("Password for DCE/RPC communication:")
if proxypass == '' and proxyuser != '' and options.hashes_rpcproxy is None:
from getpass import getpass
proxypass = getpass("Password for RPC proxy:")
if options.uuid is not None:
uuids = [uuid.string_to_uuidtup(options.uuid)]
options.brute_uuids = True
else:
uuids = rpcdatabase.uuid_database
try:
lookuper = RPCMap(options.stringbinding, options.auth_level, options.brute_uuids, uuids, options.brute_opnums, options.opnum_max)
lookuper.set_rpc_credentials(rpcuser, rpcpass, rpcdomain, options.hashes_rpc, options.aesKey, options.k, options.dc_ip)
lookuper.set_proxy_credentials(proxyuser, proxypass, proxydomain, options.hashes_rpcproxy)
lookuper.set_smb_info(options.target_ip, options.port)
lookuper.connect()
lookuper.do()
lookuper.disconnect()
except Exception as e:
#raise
logging.critical('Protocol failed: %s' % e)
class RPCDump:
KNOWN_PROTOCOLS = {
135: {'bindstr': r'ncacn_ip_tcp:%s', 'set_host': False},
139: {'bindstr': r'ncacn_np:%s[\pipe\epmapper]', 'set_host': True},
445: {'bindstr': r'ncacn_np:%s[\pipe\epmapper]', 'set_host': True}
}
def __init__(self, username = '', password = '', domain='', hashes = None, port=135):
self.__username = username
self.__password = password
self.__domain = domain
self.__lmhash = ''
self.__nthash = ''
self.__port = port
if hashes is not None:
self.__lmhash, self.__nthash = hashes.split(':')
def dump(self, remoteName, remoteHost):
"""Dumps the list of endpoints registered with the mapper
listening at addr. remoteName is a valid host name or IP
address in string format.
"""
logging.info('Retrieving endpoint list from %s' % remoteName)
entries = []
stringbinding = self.KNOWN_PROTOCOLS[self.__port]['bindstr'] % remoteName
logging.debug('StringBinding %s'%stringbinding)
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(self.__port)
if self.KNOWN_PROTOCOLS[self.__port]['set_host']:
rpctransport.setRemoteHost(remoteHost)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password, self.__domain,
self.__lmhash, self.__nthash)
try:
entries = self.__fetchList(rpctransport)
except Exception, e:
logging.critical('Protocol failed: %s' % e)
# Display results.
endpoints = {}
# Let's groups the UUIDS
for entry in entries:
binding = epm.PrintStringBinding(entry['tower']['Floors'], rpctransport.getRemoteHost())
tmpUUID = str(entry['tower']['Floors'][0])
if endpoints.has_key(tmpUUID) is not True:
endpoints[tmpUUID] = {}
endpoints[tmpUUID]['Bindings'] = list()
if epm.KNOWN_UUIDS.has_key(uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]):
endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]]
else:
endpoints[tmpUUID]['EXE'] = 'N/A'
endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1]
endpoints[tmpUUID]['Bindings'].append(binding)
if epm.KNOWN_PROTOCOLS.has_key(tmpUUID[:36]):
endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[tmpUUID[:36]]
else:
endpoints[tmpUUID]['Protocol'] = "N/A"
#print "Transfer Syntax: %s" % entry['Tower']['Floors'][1]
for endpoint in endpoints.keys():
print "Protocol: %s " % endpoints[endpoint]['Protocol']
print "Provider: %s " % endpoints[endpoint]['EXE']
print "UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])
print "Bindings: "
for binding in endpoints[endpoint]['Bindings']:
print " %s" % binding
print ""
if entries:
num = len(entries)
if 1 == num:
logging.info('Received one endpoint.')
else:
logging.info('Received %d endpoints.' % num)
else:
logging.info('No endpoints found.')
def parse_EPM_Entry_Floors(entry_Floors):
entry_Tower_Floor_Info = {
'UUID': [],
'NDR_UUID': [],
'IP': '',
'PIPE': [],
'NETBIOS': [],
'APPLICATION': '',
'PROTOCOL': ''
}
for floor in entry_Floors:
protocol = floor.getData()[2]
protocol = int(ord(protocol))
if protocol == PROTO_ID_UUID:
floor_fields = floor.fields
# import ipdb; ipdb.set_trace()
floor_MajorVersion = floor_fields.get('MajorVersion')
floor_MinorVersion = floor_fields.get('MinorVersion')
floor_InterfaceIdent = floor_fields.get('InterfaceIdent')
floor_RHSByteCount = floor_fields.get('RHSByteCount')
# different UUID definition in EPMFloor Structure from (impacket/dcerpc/v5/epm.py)
floor_InterfaceUUID = floor_fields.get('InterfaceUUID')
floor_DataRepUuid = floor_fields.get('DataRepUuid')
floor_LHSByteCount = floor_fields.get('LHSByteCount')
floor_UUID = floor_InterfaceUUID if floor_InterfaceUUID else floor_DataRepUuid
floor_UUIDStr = uuid.bin_to_string(floor_UUID)
floor_Version = float("%s.%s" %
(floor_MajorVersion, floor_MinorVersion))
if not floor_UUIDStr: continue
if floor_UUIDStr.upper() in (NDR64_UUID, NDR32_UUID):
entry_Tower_Floor_Info['NDR_UUID'] = (floor_UUIDStr,
floor_Version)
else:
entry_Tower_Floor_Info['UUID'] = (floor_UUIDStr, floor_Version)
elif protocol == PROTO_ID_IP:
floor_fields = floor.fields
entry_Tower_Floor_Info['IP'] = socket.inet_ntoa(
floor_fields['RelatedData'])
elif protocol in (PROTO_ID_NAMED_PIPES, PROTO_ID_NAMED_PIPES_2):
floor_fields = floor.fields
named_pipe = floor_fields.get('RelatedData')
if not named_pipe: continue
if named_pipe not in entry_Tower_Floor_Info['PIPE']:
entry_Tower_Floor_Info['PIPE'].append(named_pipe)
elif protocol == PROTO_ID_NETBIOS:
floor_fields = floor.fields
netbios_name = floor_fields.get('RelatedData')
if not netbios_name: continue
if netbios_name not in entry_Tower_Floor_Info['NETBIOS']:
entry_Tower_Floor_Info['NETBIOS'].append(netbios_name)
entry_UUID = entry_Tower_Floor_Info['UUID']
if entry_UUID:
# Add APPLICATION Info into entry_Tower_Floor_Info
_uuid, _ver = entry_UUID
key = uuid.uuidtup_to_bin(uuid.string_to_uuidtup(_uuid))[:18]
application = epm.KNOWN_UUIDS[key] if key in epm.KNOWN_UUIDS else 'N/A'
entry_Tower_Floor_Info['APPLICATION'] = application
# Add POTOCOL Info into entry_Tower_Floor_Info
key = _uuid[:36]
protocol = epm.KNOWN_PROTOCOLS[
key] if key in epm.KNOWN_PROTOCOLS else 'N/A'
entry_Tower_Floor_Info['PROTOCOL'] = protocol
return entry_Tower_Floor_Info
def on_login(self, context, connection):
entries = []
lmhash = getattr(connection, "lmhash", "")
nthash = getattr(connection, "nthash", "")
self.__stringbinding = KNOWN_PROTOCOLS[
self.port]['bindstr'] % connection.host
logging.debug('StringBinding %s' % self.__stringbinding)
rpctransport = transport.DCERPCTransportFactory(self.__stringbinding)
rpctransport.set_credentials(connection.username, connection.password,
connection.domain, lmhash, nthash)
rpctransport.setRemoteHost(connection.host)
rpctransport.set_dport(self.port)
try:
entries = self.__fetchList(rpctransport)
except Exception as e:
error_text = 'Protocol failed: %s' % e
logging.critical(error_text)
if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or \
RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \
RPC_PROXY_CONN_A1_404_ERR in error_text or \
RPC_PROXY_CONN_A1_0X6BA_ERR in error_text:
logging.critical(
"This usually means the target does not allow "
"to connect to its epmapper using RpcProxy.")
return
# Display results.
endpoints = {}
# Let's groups the UUIDS
for entry in entries:
binding = epm.PrintStringBinding(entry['tower']['Floors'])
tmpUUID = str(entry['tower']['Floors'][0])
if (tmpUUID in endpoints) is not True:
endpoints[tmpUUID] = {}
endpoints[tmpUUID]['Bindings'] = list()
if uuid.uuidtup_to_bin(
uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS:
endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[
uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]]
else:
endpoints[tmpUUID]['EXE'] = 'N/A'
endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode(
'utf-8')
endpoints[tmpUUID]['Bindings'].append(binding)
if tmpUUID[:36] in epm.KNOWN_PROTOCOLS:
endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[
tmpUUID[:36]]
else:
endpoints[tmpUUID]['Protocol'] = "N/A"
for endpoint in list(endpoints.keys()):
if "MS-RPRN" in endpoints[endpoint]['Protocol']:
logging.debug("Protocol: %s " %
endpoints[endpoint]['Protocol'])
logging.debug("Provider: %s " % endpoints[endpoint]['EXE'])
logging.debug("UUID : %s %s" %
(endpoint, endpoints[endpoint]['annotation']))
logging.debug("Bindings: ")
for binding in endpoints[endpoint]['Bindings']:
logging.debug(" %s" % binding)
logging.debug("")
context.log.highlight('Spooler service enabled')
break
if entries:
num = len(entries)
if 1 == num:
logging.info('Received one endpoint.')
else:
logging.info('Received %d endpoints.' % num)
else:
logging.info('No endpoints found.')
('C6F3EE72-CE7E-11D1-B71E-00C04FC3111A', '1.0'): listed, listening
('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0'): listed, listening
('E60C73E6-88F9-11CF-9AF1-0020AF6E72F4', '2.0'): listed, listening
Usually, only AFA8BD80-...-89, the MGMT interface, is not listed but always
listening on any port. This is imposed by the DCERPC spec.
Author: Catalin Patulea <*****@*****.**>
"""
import sys, struct
from impacket import uuid
from impacket.dcerpc import transport, dcerpc, dcerpc_v4, ndrutils
from impacket.dcerpc import mgmt
uuid_database = set(
uuid.string_to_uuidtup(line)
for line in """
00000001-0000-0000-c000-000000000046 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000132-0000-0000-c000-000000000046 v0.0
00000134-0000-0000-c000-000000000046 v0.0
00000136-0000-0000-c000-000000000046 v0.0
00000141-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0
000001a0-0000-0000-c000-000000000046 v0.0
027947e1-d731-11ce-a357-000000000001 v0.0
04fcb220-fcfd-11cd-bec8-00aa0047ae4e v1.0
06bba54a-be05-49f9-b0a0-30f790261023 v1.0
0767a036-0d22-48aa-ba69-b619480f38cb v1.0
0a5a5830-58e0-11ce-a3cc-00aa00607271 v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0
