Example #1
0
def KerberosInit():
    hLsaConnection = HANDLE()

    status = DWORD(0)
    LPTR = (0x0000 | 0x0040)
    MICROSOFT_KERBEROS_NAME_A = PWSTR()

    MICROSOFT_KERBEROS_NAME_A = windll.kernel32.LocalAlloc(LPTR, len("Kerberos") + 1)

    memmove(MICROSOFT_KERBEROS_NAME_A, "Kerberos", len("Kerberos"))

    status = LsaConnectUntrusted(byref(hLsaConnection))

    if status != STATUS_SUCCESS:
        print "LsaConnectUntrusted, cannot get LSA handle, error %d " % status
        windll.kernel32.LocalFree(MICROSOFT_KERBEROS_NAME_A)
        return None, None

    kerberosPackageName = UNICODE_STRING()
    kerberosPackageName.Length = USHORT(8)
    kerberosPackageName.MaximumLength = USHORT(9)
    kerberosPackageName.Buffer = MICROSOFT_KERBEROS_NAME_A

    dwKerberosAuthenticationPackageId = DWORD(0)
    status = LsaLookupAuthenticationPackage(hLsaConnection, byref(kerberosPackageName), byref(dwKerberosAuthenticationPackageId))

    windll.kernel32.LocalFree(MICROSOFT_KERBEROS_NAME_A)

    if status == STATUS_SUCCESS:
        return hLsaConnection, dwKerberosAuthenticationPackageId
    else:
        return None, None
Example #2
0
def Get_TGS(hLsaConnection, dwKerberosAuthenticationPackageId, SPNentry):
    LPTR = (0x0000 | 0x0040)

    list_of_target = SPNentry["serviceprincipalname"].split(";")

    for target in list_of_target:
        szSPN = create_unicode_buffer(target.lower())
        dwSPNSize = USHORT((len(target)) * sizeof(wchar_t))

        dwTicketPayloadSize = DWORD(sizeof(KERB_RETRIEVE_TKT_REQUEST) + dwSPNSize.value)

        KerbRetrieveEncodedTicketMessage = 8
        KERB_ETYPE_RC4_HMAC_NT = 23
        KERB_RETRIEVE_TICKET_DONT_USE_CACHE = (0x1)

        dwKerbRetrieveTicketRequestAddress = windll.kernel32.LocalAlloc(LPTR, dwTicketPayloadSize.value)
        pKerbRetrieveTicketRequest = cast(dwKerbRetrieveTicketRequestAddress, PKERB_RETRIEVE_TKT_REQUEST)

        pKerbRetrieveTicketRequest.contents.MessageType = KerbRetrieveEncodedTicketMessage
        # current logon session context
        pKerbRetrieveTicketRequest.contents.LogonID = 0
        # TargetName
        pKerbRetrieveTicketRequest.contents.TargetName.Length = USHORT(dwSPNSize.value)
        pKerbRetrieveTicketRequest.contents.TargetName.MaximumLength = USHORT(dwSPNSize.value + sizeof(wchar_t))

        dwKerbRetrieveTicketRequestBufferAddress = dwKerbRetrieveTicketRequestAddress + sizeof(KERB_RETRIEVE_TKT_REQUEST)
        memmove(dwKerbRetrieveTicketRequestBufferAddress, szSPN, pKerbRetrieveTicketRequest.contents.TargetName.Length)
        pKerbRetrieveTicketRequest.contents.TargetName.Buffer = cast(dwKerbRetrieveTicketRequestBufferAddress, PWSTR)

        pKerbRetrieveTicketRequest.contents.TicketFlags = ULONG(0)
        pKerbRetrieveTicketRequest.contents.CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE
        pKerbRetrieveTicketRequest.contents.EncryptionType = KERB_ETYPE_RC4_HMAC_NT
        pKerbRetrieveTicketRequest.contents.CredentialsHandle = SecHandle()

        pKerbRetrieveTicketResponse = PVOID()
        pKerbRetrieveTicketResponse = cast(pKerbRetrieveTicketResponse, PKERB_RETRIEVE_TKT_RESPONSE)
        dwProtocolStatus = DWORD(0)

        status = LsaCallAuthenticationPackage(hLsaConnection, dwKerberosAuthenticationPackageId, pKerbRetrieveTicketRequest, dwTicketPayloadSize, byref(pKerbRetrieveTicketResponse), byref(dwTicketPayloadSize), byref(dwProtocolStatus))

        windll.kernel32.LocalFree(pKerbRetrieveTicketRequest)

        if status == STATUS_SUCCESS and dwProtocolStatus.value == STATUS_SUCCESS and dwTicketPayloadSize.value != 0:
            pKerbRetrieveTicketResponse = cast(pKerbRetrieveTicketResponse, PKERB_RETRIEVE_TKT_RESPONSE)
            pEncodedTicket = pKerbRetrieveTicketResponse.contents.Ticket.EncodedTicket
            dwEncodedTicketSize = pKerbRetrieveTicketResponse.contents.Ticket.EncodedTicketSize

            Ticket = ""
            for i in range(dwEncodedTicketSize):
                Ticket += hex(pEncodedTicket[i]).replace("0x",'').zfill(2)

            LsaFreeReturnBuffer(pKerbRetrieveTicketResponse)

            return Ticket
        else:
            print " [-] Cannot retrieve ticket for account '%s' and SPN '%s', status: %s ; protocolstatus: %s" % (SPNentry["samaccountname"], target, hex(status), hex(dwProtocolStatus.value))
            print " [+] Trying the next one."
    print "[-] Could not retrieve any ticket for account '%s' and the list of SPN: '%s'" % (SPNentry["samaccountname"], SPNentry["serviceprincipalname"])
    return 0
Example #3
0
 def __init__(self, format, engine=CompressionEngine.Maximum):
     self.format = USHORT(format)
     self.format_engine = USHORT(format | engine)
     CompressBufferWorkSpaceSize = ULONG(0)
     CompressFragmentWorkSpaceSize = ULONG(0)
     Rtl.GetCompressionWorkSpaceSize(
         self.format_engine, byref(CompressBufferWorkSpaceSize),
         byref(CompressFragmentWorkSpaceSize))
     self.ws = create_string_buffer(CompressBufferWorkSpaceSize.value)
Example #4
0
 def getUsages(self, usagePage, linkCollection=0):
     maxUsages = hidDll.HidP_MaxUsageListLength(self._reportType,
                                                hidpi.USAGE(usagePage),
                                                self._dev._pd)
     numUsages = ctypes.c_long(maxUsages)
     usageList = (hidpi.USAGE * maxUsages)()
     check_HidP_status(hidDll.HidP_GetUsages, self._reportType,
                       hidpi.USAGE(usagePage), USHORT(linkCollection),
                       ctypes.byref(usageList), ctypes.byref(numUsages),
                       self._dev._pd, self._reportBuf, self._reportSize)
     return usageList[0:numUsages.value]
def DeviceConnect(path, db, field, cid):
    if debug: print('Connecting to:', path)

    cached = 1
    device_found = -1
    for j in range(len(db)):
        address = db[j]['hwid'].split('_')[1]
        if address in path:
            device_found = j
            cached = db[j]['status'] != 'connected'
    if device_found < 0:
        return db

    hDevice = windll.kernel32.CreateFileW(path, GENERIC_READ,
                                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                                          None, OPEN_EXISTING, 0, None)
    ServicesBufferCount = USHORT()
    BT.BluetoothGATTGetServices(hDevice, 0, None, byref(ServicesBufferCount),
                                BLUETOOTH_GATT_FLAG_NONE)
    ServicesBuffer = new(BTH_LE_GATT_SERVICE * ServicesBufferCount.value)
    BT.BluetoothGATTGetServices(hDevice, ServicesBufferCount,
                                byref(ServicesBuffer),
                                byref(ServicesBufferCount),
                                BLUETOOTH_GATT_FLAG_NONE)

    for Service in ServicesBuffer:
        CharacteristicsBufferCount = USHORT(0)
        hr = BT.BluetoothGATTGetCharacteristics(
            hDevice, byref(Service), 0, None,
            byref(CharacteristicsBufferCount), BLUETOOTH_GATT_FLAG_NONE)
        CharacteristicsBuffer = new(BTH_LE_GATT_CHARACTERISTIC *
                                    CharacteristicsBufferCount.value)
        CharacteristicsBufferActual = USHORT(0)
        BT.BluetoothGATTGetCharacteristics(hDevice, byref(Service),
                                           CharacteristicsBufferCount,
                                           byref(CharacteristicsBuffer),
                                           byref(CharacteristicsBufferActual),
                                           BLUETOOTH_GATT_FLAG_NONE)

        for Characteristic in CharacteristicsBuffer:
            uuid = Characteristic.CharacteristicUuid.ShortUuid
            charValueDataSize = USHORT()
            hr = BT.BluetoothGATTGetCharacteristicValue(
                hDevice, byref(Characteristic), 0, None,
                byref(charValueDataSize), BLUETOOTH_GATT_FLAG_NONE
                if cached else BLUETOOTH_GATT_FLAG_FORCE_READ_FROM_DEVICE)

            pCharValueBuffer = BTH_LE_GATT_CHARACTERISTIC_VALUE()
            resize(pCharValueBuffer, charValueDataSize.value)

            hr = BT.BluetoothGATTGetCharacteristicValue(
                hDevice, byref(Characteristic), charValueDataSize,
                byref(pCharValueBuffer), None, BLUETOOTH_GATT_FLAG_NONE
                if cached else BLUETOOTH_GATT_FLAG_FORCE_READ_FROM_DEVICE)

            StringValue = string_at(byref(pCharValueBuffer, sizeof(ULONG)))
            arr = bytearray(StringValue)

            if uuid == 0x2A19:  # battery level
                value = 0 if len(arr) < 1 else arr[0]
            elif uuid == 0x2A01:  # appearance
                value = int(codecs.encode(arr, 'hex'), 16)
                value = Appearance(value)
            else:  # string
                value = str(StringValue.decode(errors='ignore'))

            if debug: print('\t%X' % uuid, value)

            if device_found != -1 and uuid == cid:
                db[device_found][field] = value

    return db