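def __fetchList(self, rpctransport):
    """Enumerate every endpoint registered with the target's endpoint mapper.

    Connects over *rpctransport*, binds the endpoint-mapper interface at
    packet-privacy auth level and pages through ``portmap_dump`` until the
    server reports no more entries.

    Args:
        rpctransport: impacket transport to use; a ``UDPTransport`` selects
            DCE/RPC v4, any other transport v5.

    Returns:
        list of ``epm.EpmEntry``, one per map entry returned by the server.

    The connection is torn down even when a call inside the loop raises.
    """
    # UDP only works over DCE/RPC version 4.
    if isinstance(rpctransport, transport.UDPTransport):
        dce = dcerpc_v4.DCERPC_v4(rpctransport)
    else:
        dce = dcerpc.DCERPC_v5(rpctransport)

    entries = []
    dce.connect()
    try:
        dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
        dce.bind(epm.MSRPC_UUID_PORTMAP)
        rpcepm = epm.DCERPCEpm(dce)
        resp = rpcepm.portmap_dump()
        while resp.get_entries_num() != 0:
            rpc_handle = resp.get_handle()
            ndrentry = resp.get_entry().get_entry()
            sb = transport.DCERPCStringBinding(ndrentry.get_string_binding())
            entries.append(epm.EpmEntry(
                uuid.bin_to_string(ndrentry.get_uuid()),
                ndrentry.get_version(),
                ndrentry.get_annotation(),
                uuid.bin_to_string(ndrentry.get_objuuid()),
                sb.get_protocol_sequence(),
                sb.get_endpoint()))
            # Each response carries a continuation handle; pass it back to
            # fetch the next entry.
            resp = rpcepm.portmap_dump(rpc_handle)
    finally:
        dce.disconnect()
    return entries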
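def test_dceAuth(self):
    """Bind the endpoint-mapper interface using the transport's credentials.

    Credentials are set on the transport only when the protocol sequence
    supports it, then copied onto the DCE/RPC object before connecting.
    The connection is closed even if the bind fails.
    """
    rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
    rpctransport.set_dport(self.dport)
    if hasattr(rpctransport, 'set_credentials'):
        # This method exists only for selected protocol sequences.
        rpctransport.set_credentials(self.username, self.password, self.domain)
    dce = rpctransport.get_dce_rpc()
    dce.set_credentials(*(rpctransport.get_credentials()))
    dce.connect()
    try:
        dce.bind(epm.MSRPC_UUID_PORTMAP)
        # The wrapper is constructed but never called in this test.
        epm.DCERPCEpm(dce)
    finally:
        dce.disconnect()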
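def test_dceFragmentation(self):
    """Run an endpoint-mapper lookup with the fragment size forced to 1.

    Authenticates with the LM/NT hashes from ``self.hashes`` (empty
    password) when the transport supports credentials, then issues a
    ``lookup`` over maximally fragmented PDUs. The connection is closed even
    if the bind or lookup fails.
    """
    rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
    rpctransport.set_dport(self.dport)
    if hasattr(rpctransport, 'set_credentials'):
        lmhash, nthash = self.hashes.split(':')
        # This method exists only for selected protocol sequences.
        rpctransport.set_credentials(self.username, '', self.domain, lmhash, nthash)
    dce = rpctransport.get_dce_rpc()
    # Force every PDU to be fragmented as small as possible.
    dce.set_max_fragment_size(1)
    dce.set_credentials(*(rpctransport.get_credentials()))
    dce.connect()
    try:
        dce.bind(epm.MSRPC_UUID_PORTMAP)
        rpcepm = epm.DCERPCEpm(dce)
        rpcepm.lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
    finally:
        dce.disconnect()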
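def test_packetAnonWINNTPacketPrivacy(self):
    """Run an endpoint-mapper lookup with NTLM auth at packet-privacy level.

    Sets password and LM/NT hashes on the transport when it supports
    credentials, selects ``RPC_C_AUTHN_WINNT`` with
    ``RPC_C_AUTHN_LEVEL_PKT_PRIVACY`` after connecting, then issues a
    ``lookup``. The connection is closed even if the bind or lookup fails.
    """
    rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
    rpctransport.set_dport(self.dport)
    if hasattr(rpctransport, 'set_credentials'):
        lmhash, nthash = self.hashes.split(':')
        # This method exists only for selected protocol sequences.
        rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    try:
        # Auth type/level are set after connect and before bind so the bind
        # itself is negotiated at this level.
        dce.set_auth_type(dcerpc.RPC_C_AUTHN_WINNT)
        dce.set_auth_level(dcerpc.RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        dce.bind(epm.MSRPC_UUID_PORTMAP)
        rpcepm = epm.DCERPCEpm(dce)
        rpcepm.lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
    finally:
        dce.disconnect()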
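def __fetchList(self, rpctransport):
    """Query the endpoint mapper for all registered elements.

    Connects over *rpctransport*, binds the endpoint-mapper interface at
    packet-privacy auth level and issues a single ``lookup`` with
    ``RPC_C_EP_ALL_ELTS``.

    Args:
        rpctransport: impacket transport to use; a ``UDPTransport`` selects
            DCE/RPC v4, any other transport v5.

    Returns:
        the raw ``lookup`` response object.

    The connection is torn down even when the bind or lookup raises.
    """
    # UDP only works over DCE/RPC version 4.
    if isinstance(rpctransport, transport.UDPTransport):
        dce = dcerpc_v4.DCERPC_v4(rpctransport)
    else:
        dce = dcerpc.DCERPC_v5(rpctransport)

    dce.connect()
    try:
        dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
        dce.bind(epm.MSRPC_UUID_PORTMAP)
        rpcepm = epm.DCERPCEpm(dce)
        resp = rpcepm.lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
    finally:
        dce.disconnect()
    return resp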
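def DiscoverDNSport(target):
    """Return the port registered for the DNS server RPC interface on *target*.

    Reaches the endpoint mapper through the SMB ``epmapper`` named pipe on
    port 139, pages through the endpoint map with ``portmap_dump`` and
    returns the endpoint from the string binding of the first entry whose
    interface UUID matches the one this function associates with the DNS
    server. Prints a message and returns None when no entry matches.

    Args:
        target: host name or address to connect to.

    Returns:
        int port number, or None when nothing matched.

    Raises:
        ValueError: if the matching entry's endpoint is not numeric (for
            example a named-pipe binding), because it is converted with
            ``int``.

    The connection is closed before returning, whether or not a match was
    found.
    """
    trans = transport.SMBTransport(target, 139, 'epmapper')
    trans.connect()
    dce = dcerpc.DCERPC_v5(trans)
    try:
        # Endpoint-mapper interface, version 3.0.
        dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0')))
        pm = epm.DCERPCEpm(dce)
        # An all-zero 20-byte handle starts the enumeration; every response
        # carries the handle to pass back for the next entry.
        handle = '\x00' * 20
        while True:
            dump = pm.portmap_dump(handle)
            if not dump.get_entries_num():
                break
            handle = dump.get_handle()
            entry = dump.get_entry().get_entry()
            if uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076':
                # A string binding reads "<protseq>:<addr>[<endpoint>]";
                # take the text between the brackets.
                port = entry.get_string_binding().split('[')[1][:-1]
                return int(port)
    finally:
        dce.disconnect()
    print('[-] Could not locate DNS port; Target might not be running DNS')
    return None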