Example #1
 def tes_oaut(self):
     """Drive the OLE Automation IDispatch interface over a DCOM activation.

     Connects through ``self.connect()``, asks the remote SCM activator to
     instantiate CLSID 4E14FBA2-2E22-11D1-9964-00C04FBBB345 requesting the
     IDispatch IID, dumps the GetTypeInfoCount() reply to stdout, then calls
     GetTypeInfo() and GetTypeAttr() on the returned type info.  Nothing is
     returned or asserted; the method only exercises the remote calls.  The
     'tes_' prefix (rather than 'test_') presumably keeps the test runner from
     collecting it.
     """
     dce, _transport = self.connect()
     dispatch_iid = string_to_bin('00020400-0000-0000-C000-000000000046')
     target_clsid = string_to_bin('4E14FBA2-2E22-11D1-9964-00C04FBBB345')
     activator = dcomrt.IRemoteSCMActivator(dce)
     remote_obj = activator.RemoteCreateInstance(target_clsid, dispatch_iid)
     dispatch = oaut.IDispatch(remote_obj)
     # The count reply is dumped for inspection only; it is not checked.
     dispatch.GetTypeInfoCount().dump()
     type_info = dispatch.GetTypeInfo()
     type_info.GetTypeAttr()
Example #2
 def tes_oaut(self):
     """Drive the OLE Automation IDispatch interface over a DCOM activation.

     Connects through ``self.connect()``, asks the remote SCM activator to
     instantiate CLSID 4E14FBA2-2E22-11D1-9964-00C04FBBB345 requesting the
     IDispatch IID, dumps the GetTypeInfoCount() reply to stdout, then calls
     GetTypeInfo() and GetTypeAttr() on the returned type info.  Nothing is
     returned or asserted; the method only exercises the remote calls.  The
     'tes_' prefix (rather than 'test_') presumably keeps the test runner from
     collecting it.
     """
     dce, _transport = self.connect()
     dispatch_iid = string_to_bin('00020400-0000-0000-C000-000000000046')
     target_clsid = string_to_bin('4E14FBA2-2E22-11D1-9964-00C04FBBB345')
     activator = dcomrt.IRemoteSCMActivator(dce)
     remote_obj = activator.RemoteCreateInstance(target_clsid, dispatch_iid)
     dispatch = oaut.IDispatch(remote_obj)
     # The count reply is dumped for inspection only; it is not checked.
     dispatch.GetTypeInfoCount().dump()
     type_info = dispatch.GetTypeInfo()
     type_info.GetTypeAttr()
Example #3
    def dacl_remove_ace(secdesc, guid, usersid, accesstype):
        """Remove one ACCESS_ALLOWED_OBJECT_ACE from ``secdesc``'s DACL, in place.

        The ACE removed is the first one that satisfies all of: its type is
        ACCESS_ALLOWED_OBJECT_ACE, its trustee SID (canonical string form)
        equals ``usersid``, its ObjectType equals the binary form of ``guid``
        and its access mask equals ``accesstype`` exactly.  Because the mask is
        compared for equality, an ACE whose mask is a superset of
        ``accesstype`` is left untouched.  Only the first match is removed.

        Returns True when an ACE was removed, False when nothing matched.
        """
        wanted_object = string_to_bin(guid)
        aces = secdesc['Dacl'].aces

        def _matches(ace):
            # The canonical SID is computed first, as in the original scan.
            trustee = ace['Ace']['Sid'].formatCanonical()
            return (ace['AceType'] == ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
                    and trustee == usersid
                    and ace['Ace']['ObjectType'] == wanted_object
                    and ace['Ace']['Mask']['Mask'] == accesstype)

        victim = next((ace for ace in aces if _matches(ace)), None)
        if not victim:
            # No ACE met all four criteria.
            return False
        aces.remove(victim)
        return True
Example #4
    def tes_ie(self):
        """Activate a remote IWebBrowser over DCOM and list its methods.

        Asks the remote SCM activator for CLSID
        72C24DD5-D70A-438B-8A42-98424B88AFB8 with IID_IRemUnknown, wraps the
        result as ie.IWebBrowser, prints the DISPID lookup for 'Navigate',
        then walks every function described by the type attributes (cFuncs)
        and prints each one's documented name.  Both interfaces are released
        and the process is ended with sys.exit(1).  The 'tes_' prefix (rather
        than 'test_') presumably keeps the test runner from collecting it.
        """
        dce, _transport = self.connect()
        activator = dcomrt.IRemoteSCMActivator(dce)

        browser_clsid = string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8')
        remote_obj = activator.RemoteCreateInstance(browser_clsid, dcomrt.IID_IRemUnknown)

        browser = ie.IWebBrowser(remote_obj)
        print browser.GetIDsOfNames(('Navigate',))
        type_info = browser.GetTypeInfo()
        type_attr = type_info.GetTypeAttr()
        func_count = type_attr['ppTypeAttr']['cFuncs']
        for idx in range(func_count):
            func_desc = type_info.GetFuncDesc(idx)
            docs = type_info.GetDocumentation(func_desc['ppFuncDesc']['memid'])
            print docs['pBstrName']['asData']
        print "ACA"
        type_info.RemRelease()
        browser.RemRelease()

        sys.exit(1)
    def tes_ie(self):
        """Activate a remote IWebBrowser over DCOM and list its methods.

        Asks the remote SCM activator for CLSID
        72C24DD5-D70A-438B-8A42-98424B88AFB8 with IID_IRemUnknown, wraps the
        result as ie.IWebBrowser, prints the DISPID lookup for 'Navigate',
        then walks every function described by the type attributes (cFuncs)
        and prints each one's documented name.  Both interfaces are released
        and the process is ended with sys.exit(1).  The 'tes_' prefix (rather
        than 'test_') presumably keeps the test runner from collecting it.
        """
        dce, _transport = self.connect()
        activator = dcomrt.IRemoteSCMActivator(dce)

        browser_clsid = string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8')
        remote_obj = activator.RemoteCreateInstance(browser_clsid, dcomrt.IID_IRemUnknown)

        browser = ie.IWebBrowser(remote_obj)
        print browser.GetIDsOfNames(('Navigate', ))
        type_info = browser.GetTypeInfo()
        type_attr = type_info.GetTypeAttr()
        func_count = type_attr['ppTypeAttr']['cFuncs']
        for idx in range(func_count):
            func_desc = type_info.GetFuncDesc(idx)
            docs = type_info.GetDocumentation(func_desc['ppFuncDesc']['memid'])
            print docs['pBstrName']['asData']
        print "ACA"
        type_info.RemRelease()
        browser.RemRelease()

        sys.exit(1)
Example #6
    def test_ie(self):
        """Remotely activate the IWebBrowser class over DCOM.

        Connects with ``self.connect()`` and asks the remote SCM activator to
        instantiate CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8, requesting
        IID_IRemUnknown.  Only the activation step appears in this listing;
        the created object is not used in the visible lines.
        """
        dce, _transport = self.connect()
        activator = dcomrt.IRemoteSCMActivator(dce)

        browser_clsid = string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8')
        remote_obj = activator.RemoteCreateInstance(browser_clsid, dcomrt.IID_IRemUnknown)
Example #7
def get_dn_from_guid(guid, minimize=False):
    """Build an NSPI legacy DN that addresses an object by its GUID.

    With ``minimize`` the short MS-OXNSPI form ``/guid=<hex>`` is produced;
    otherwise the long ``/o=NT5/ou=<32 zeros>/cn=<hex>`` form accepted by
    both MS-NSPI and MS-OXNSPI.  ``<hex>`` is the lowercase hex encoding of
    the GUID's binary form as produced by string_to_bin().
    """
    prefix = "/guid=" if minimize else "/o=NT5/ou=00000000000000000000000000000000/cn="
    return prefix + string_to_bin(guid).hex()
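    def test_map(self):
        """Send an ept_map request built from a hand-assembled protocol tower.

        The tower has five floors: RPC interface
        12345778-1234-ABCD-EF00-0123456789AC v1.0, data representation
        8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0, protocol identifier 0xb,
        port 0 and IPv4 address 0.0.0.0.  The endpoint mapper is asked for at
        most four matching towers and the reply is dumped to stdout; nothing
        is asserted, so the test only checks that the call round-trips.

        The unused ``tower2`` byte blob that used to sit at the top of this
        method has been dropped; it was never referenced.
        """
        import socket

        dce, _transport = self.connect()

        interface = epm.EPMRPCInterface()
        interface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
        interface['MajorVersion'] = 1
        interface['MinorVersion'] = 0

        dataRep = epm.EPMRPCDataRepresentation()
        dataRep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
        dataRep['MajorVersion'] = 2
        dataRep['MinorVersion'] = 0

        protId = epm.EPMProtocolIdentifier()
        protId['ProtIdentifier'] = 0xb

        portAddr = epm.EPMPortAddr()
        portAddr['IpPort'] = 0

        hostAddr = epm.EPMHostAddr()
        hostAddr['Ip4addr'] = socket.inet_aton('0.0.0.0')

        # Named-pipe floors: only needed for the alternative tower layout kept
        # in the comment below; they are not part of the tower that is sent.
        pipeName = epm.EPMPipeName()
        pipeName['PipeName'] = '\x00'
        hostName = epm.EPMHostName()
        hostName['HostName'] = '\x00'

        tower = epm.EPMTower()
        tower['NumberOfFloors'] = 5
        tower['Floors'] = interface.getData() + dataRep.getData() + protId.getData() + portAddr.getData() + hostAddr.getData()
        #tower['Floors'] = interface.getData() + dataRep.getData() + protId.getData() + pipeName.getData() + hostName.getData()

        request = epm.ept_map()
        request['max_towers'] = 4
        request['map_tower']['tower_length'] = len(tower)
        request['map_tower']['tower_octet_string'] = str(tower)
        resp = dce.request(request)
        resp.dump()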
Example #9
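    def test_map(self):
        """Send an ept_map request built from a hand-assembled protocol tower.

        The tower has five floors: RPC interface
        12345778-1234-ABCD-EF00-0123456789AC v1.0, data representation
        8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0, protocol identifier 0xb,
        port 0 and IPv4 address 0.0.0.0.  The endpoint mapper is asked for at
        most four matching towers and the reply is dumped to stdout; nothing
        is asserted, so the test only checks that the call round-trips.

        The unused ``tower2`` byte blob that used to sit at the top of this
        method has been dropped; it was never referenced.
        """
        import socket

        dce, _transport = self.connect()

        interface = epm.EPMRPCInterface()
        interface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
        interface['MajorVersion'] = 1
        interface['MinorVersion'] = 0

        dataRep = epm.EPMRPCDataRepresentation()
        dataRep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
        dataRep['MajorVersion'] = 2
        dataRep['MinorVersion'] = 0

        protId = epm.EPMProtocolIdentifier()
        protId['ProtIdentifier'] = 0xb

        portAddr = epm.EPMPortAddr()
        portAddr['IpPort'] = 0

        hostAddr = epm.EPMHostAddr()
        hostAddr['Ip4addr'] = socket.inet_aton('0.0.0.0')

        # Named-pipe floors: only needed for the alternative tower layout kept
        # in the comment below; they are not part of the tower that is sent.
        pipeName = epm.EPMPipeName()
        pipeName['PipeName'] = '\x00'
        hostName = epm.EPMHostName()
        hostName['HostName'] = '\x00'

        tower = epm.EPMTower()
        tower['NumberOfFloors'] = 5
        tower['Floors'] = interface.getData() + dataRep.getData() + protId.getData() + portAddr.getData() + hostAddr.getData()
        #tower['Floors'] = interface.getData() + dataRep.getData() + protId.getData() + pipeName.getData() + hostName.getData()

        request = epm.ept_map()
        request['max_towers'] = 4
        request['map_tower']['tower_length'] = len(tower)
        request['map_tower']['tower_octet_string'] = str(tower)
        resp = dce.request(request)
        resp.dump()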
Example #10
    def test_map(self):
        """Round-trip an ept_map call with a five-floor protocol tower.

        Floors: interface 12345778-1234-ABCD-EF00-0123456789AC v1.0, data
        representation 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0, protocol
        identifier 0xb, port 0 and host 0.0.0.0.  Up to four towers are
        requested and the reply is dumped; nothing in it is asserted.
        """
        import socket

        dce, _transport = self.connect()

        iface = epm.EPMRPCInterface()
        iface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
        iface['MajorVersion'] = 1
        iface['MinorVersion'] = 0

        data_rep = epm.EPMRPCDataRepresentation()
        data_rep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
        data_rep['MajorVersion'] = 2
        data_rep['MinorVersion'] = 0

        prot_id = epm.EPMProtocolIdentifier()
        prot_id['ProtIdentifier'] = 0xb

        port_addr = epm.EPMPortAddr()
        port_addr['IpPort'] = 0

        host_addr = epm.EPMHostAddr()
        host_addr['Ip4addr'] = socket.inet_aton('0.0.0.0')

        # Named-pipe floors are built but not placed in the tower below.
        pipe_name = epm.EPMPipeName()
        pipe_name['PipeName'] = b'\x00'
        host_name = epm.EPMHostName()
        host_name['HostName'] = b'\x00'

        floors = (iface, data_rep, prot_id, port_addr, host_addr)
        tower = epm.EPMTower()
        tower['NumberOfFloors'] = len(floors)
        tower['Floors'] = b''.join(floor.getData() for floor in floors)

        request = epm.ept_map()
        request['max_towers'] = 4
        request['map_tower']['tower_length'] = len(tower)
        request['map_tower']['tower_octet_string'] = tower.getData()
        dce.request(request).dump()
Example #11
def get_dn_from_guid(guid, minimize=False):
    """Build an NSPI legacy DN that addresses an object by its GUID.

    With ``minimize`` the short MS-OXNSPI form ``/guid=<hex>`` is produced;
    otherwise the long ``/o=NT5/ou=<32 zeros>/cn=<hex>`` form accepted by
    both MS-NSPI and MS-OXNSPI.  ``<hex>`` is the hex encoding of the GUID's
    binary form.  The result is a native ``str`` on both Python 2 and 3.
    """
    if minimize:
        prefix = "/guid="  # MS-OXNSPI
    else:
        prefix = "/o=NT5/ou=00000000000000000000000000000000/cn="  # MS-NSPI and MS-OXNSPI

    hex_guid = binascii.hexlify(string_to_bin(guid))
    # hexlify() yields bytes on Python 3; decode so the concatenation is str.
    if not PY2:
        hex_guid = str(hex_guid, 'ascii')
    return prefix + hex_guid
Example #12
def create_object_ace(privguid, sid):
    """Build an ACCESS_ALLOWED_OBJECT_ACE for ``sid`` scoped to ``privguid``.

    The ACE grants ADS_RIGHT_DS_CONTROL_ACCESS on the extended right or
    property identified by ``privguid`` (a GUID string) to the trustee
    ``sid`` (a canonical SID string).  It carries no inheritance flags
    (AceFlags 0), marks only ObjectType as present (ACE_OBJECT_TYPE_PRESENT)
    and leaves InheritedObjectType empty.  Returns the wrapping
    ldaptypes.ACE.
    """
    trustee = ldaptypes.LDAP_SID()
    trustee.fromCanonical(sid)

    mask = ldaptypes.ACCESS_MASK()
    mask['Mask'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CONTROL_ACCESS

    body = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE()
    body['Mask'] = mask
    body['ObjectType'] = string_to_bin(privguid)
    body['InheritedObjectType'] = ''
    body['Sid'] = trustee
    body['Flags'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_OBJECT_TYPE_PRESENT

    ace = ldaptypes.ACE()
    ace['AceType'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
    ace['AceFlags'] = 0x00
    ace['Ace'] = body
    return ace
def create_object_ace(privguid, sid):
    """Build an ACCESS_ALLOWED_OBJECT_ACE for ``sid`` scoped to ``privguid``.

    The ACE grants ADS_RIGHT_DS_CONTROL_ACCESS on the extended right or
    property identified by ``privguid`` (a GUID string) to the trustee
    ``sid`` (a canonical SID string).  It carries no inheritance flags
    (AceFlags 0), marks only ObjectType as present (ACE_OBJECT_TYPE_PRESENT)
    and leaves InheritedObjectType empty.  Returns the wrapping
    ldaptypes.ACE.
    """
    trustee = ldaptypes.LDAP_SID()
    trustee.fromCanonical(sid)

    mask = ldaptypes.ACCESS_MASK()
    mask['Mask'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CONTROL_ACCESS

    body = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE()
    body['Mask'] = mask
    body['ObjectType'] = string_to_bin(privguid)
    body['InheritedObjectType'] = ''
    body['Sid'] = trustee
    body['Flags'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_OBJECT_TYPE_PRESENT

    ace = ldaptypes.ACE()
    ace['AceType'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
    ace['AceFlags'] = 0x00
    ace['Ace'] = body
    return ace
Example #14
    def test_map(self):
        """Round-trip an ept_map call with a five-floor protocol tower.

        Floors: interface 12345778-1234-ABCD-EF00-0123456789AC v1.0, data
        representation 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0, protocol
        identifier 0xb, port 0 and host 0.0.0.0.  Up to four towers are
        requested and the reply is dumped; nothing in it is asserted.
        """
        import socket

        dce, _transport = self.connect()

        iface = epm.EPMRPCInterface()
        iface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
        iface['MajorVersion'] = 1
        iface['MinorVersion'] = 0

        data_rep = epm.EPMRPCDataRepresentation()
        data_rep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
        data_rep['MajorVersion'] = 2
        data_rep['MinorVersion'] = 0

        prot_id = epm.EPMProtocolIdentifier()
        prot_id['ProtIdentifier'] = 0xb

        port_addr = epm.EPMPortAddr()
        port_addr['IpPort'] = 0

        host_addr = epm.EPMHostAddr()
        host_addr['Ip4addr'] = socket.inet_aton('0.0.0.0')

        # Named-pipe floors are built but not placed in the tower below.
        pipe_name = epm.EPMPipeName()
        pipe_name['PipeName'] = b'\x00'
        host_name = epm.EPMHostName()
        host_name['HostName'] = b'\x00'

        floors = (iface, data_rep, prot_id, port_addr, host_addr)
        tower = epm.EPMTower()
        tower['NumberOfFloors'] = len(floors)
        tower['Floors'] = b''.join(floor.getData() for floor in floors)

        request = epm.ept_map()
        request['max_towers'] = 4
        request['map_tower']['tower_length'] = len(tower)
        request['map_tower']['tower_octet_string'] = tower.getData()
        dce.request(request).dump()
Example #15
from multiprocessing import Pool
from ldap3.utils.conv import escape_filter_chars
from impacket.ldap.ldaptypes import OBJECTTYPE_GUID_MAP
from impacket.uuid import string_to_bin, bin_to_string
from bloodhound.ad.utils import ADUtils
from dissect import cstruct
from io import BytesIO
import binascii
import pprint

# Extended rights and property GUID mapping, converted to binary so we don't have to do this
# for every comparison.
# Source: https://msdn.microsoft.com/en-us/library/cc223512.aspx
# Keys are the short names used elsewhere when classifying ACEs; values are the
# binary GUIDs as produced by string_to_bin(), comparable directly with an
# ACE's ObjectType field.
EXTRIGHTS_GUID_MAPPING = {
    name: string_to_bin(guid)
    for name, guid in (
        ("GetChanges", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
        ("GetChangesAll", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
        ("WriteMember", "bf9679c0-0de6-11d0-a285-00aa003049e2"),
        ("UserForceChangePassword", "00299570-246d-11d0-a768-00aa006e0529"),
    )
}


def parse_binary_acl(entry, entrytype, acl):
    """Parse one entry's binary ACL.

    Entry point for the worker subprocesses: it receives the entry currently
    being processed, its type, and the raw ACL data, and its result is handed
    back to the main process for further processing.
    """
    # NOTE(review): only the signature and docstring of this function appear
    # in this listing; the body is not shown here.
Example #16

# 5.113 LDAP_CONN_PROPERTIES
# Connection-property bit flags; each is a distinct power of two so they can
# be OR-ed together into one value.
BND = 0x00000001
SSL = 0x00000002
UDP = 0x00000004
GC = 0x00000008
GSS = 0x00000010
NGO = 0x00000020
SPL = 0x00000040
MD5 = 0x00000080
SGN = 0x00000100
SL = 0x00000200

# 5.137 NTSAPI_CLIENT_GUID
# Kept in binary form so it can be placed directly into a request.
NTDSAPI_CLIENT_GUID = string_to_bin('e24d201a-4fd6-11d1-a3da-0000f875ae0d')

# 5.139 NULLGUID
# The all-zero GUID, in binary form.
NULLGUID = string_to_bin('00000000-0000-0000-0000-000000000000')

# 5.205 USN
# Update sequence number, aliased to the LONGLONG NDR type.
USN = LONGLONG

# 4.1.4.1.2 DRS_MSG_CRACKREQ_V1
# Flag bits for the name-cracking request.
DS_NAME_FLAG_GCVERIFY = 0x00000004
DS_NAME_FLAG_TRUST_REFERRAL = 0x00000008
DS_NAME_FLAG_PRIVATE_RESOLVE_FPOS = 0x80000000

# Sentinel values (presumably for the request's format field) that list sites,
# servers in a site, or domains in a site instead of cracking a single name.
DS_LIST_SITES = 0xFFFFFFFF
DS_LIST_SERVERS_IN_SITE = 0xFFFFFFFE
DS_LIST_DOMAINS_IN_SITE = 0xFFFFFFFD
Example #17
        if self.error_code in hresult_errors.ERROR_MESSAGES:
            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
            error_msg_verbose = hresult_errors.ERROR_MESSAGES[
                self.error_code][1]
            return 'OAUT SessionError: code: 0x%x - %s - %s' % (
                self.error_code, error_msg_short, error_msg_verbose)
        else:
            return 'OAUT SessionError: unknown error code: 0x%x' % (
                self.error_code)


################################################################################
# CONSTANTS
################################################################################
# 1.9 Standards Assignments
# Interface IDs of the OLE Automation interfaces, in the binary form produced
# by string_to_bin() so they can be handed straight to DCOM activation calls.
IID_IDispatch = string_to_bin('00020400-0000-0000-C000-000000000046')
IID_ITypeInfo = string_to_bin('00020401-0000-0000-C000-000000000046')
IID_ITypeComp = string_to_bin('00020403-0000-0000-C000-000000000046')
IID_NULL = string_to_bin('00000000-0000-0000-0000-000000000000')  # all-zero GUID

# Spec type names mapped onto the NDR base types they are encoded as.
error_status_t = ULONG

LCID = DWORD
WORD = NDRUSHORT

# 2.2.2 IID
IID = GUID

# 2.2.3 LPOLESTR
LPOLESTR = LPWSTR
OLESTR = WSTR
Example #18
    def __init__(self, error_string=None, error_code=None, packet=None):
        # Plain pass-through to DCERPCException; this subclass only adds its own
        # __str__ rendering (defined below).
        DCERPCException.__init__(self, error_string, error_code, packet)

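    def __str__(self):
        """Render the error as 'OAUT SessionError: ...'.

        Codes present in hresult_errors.ERROR_MESSAGES are expanded to their
        short and verbose descriptions; any other code is reported by value.
        """
        # `in` replaces dict.has_key(): same lookup, and it also works on
        # Python 3 where has_key() no longer exists.
        if self.error_code in hresult_errors.ERROR_MESSAGES:
            entry = hresult_errors.ERROR_MESSAGES[self.error_code]
            error_msg_short = entry[0]
            error_msg_verbose = entry[1]
            return 'OAUT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
        return 'OAUT SessionError: unknown error code: 0x%x' % (self.error_code)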

################################################################################
# CONSTANTS
################################################################################
# 1.9 Standards Assignments
# Interface IDs of the OLE Automation interfaces, in the binary form produced
# by string_to_bin() so they can be handed straight to DCOM activation calls.
IID_IDispatch = string_to_bin('00020400-0000-0000-C000-000000000046')
IID_ITypeInfo = string_to_bin('00020401-0000-0000-C000-000000000046')
IID_ITypeComp = string_to_bin('00020403-0000-0000-C000-000000000046')
IID_NULL      = string_to_bin('00000000-0000-0000-0000-000000000000')  # all-zero GUID

# Spec type names mapped onto the NDR base types they are encoded as.
error_status_t = ULONG

LCID = DWORD
WORD = NDRUSHORT

# 2.2.2 IID
IID = GUID

# 2.2.3 LPOLESTR
LPOLESTR = LPWSTR
OLESTR = WSTR
Example #19
    def test_RChangeServiceConfig2W(self):
        """Create a throwaway service and drive RChangeServiceConfig2W through its info levels.

        A service named TESTSVC (display name 'DisplayName', binary path
        'binaryPath') is created with hRCreateServiceW, then info levels 1
        through 8 are set via RChangeServiceConfig2W and (for most levels)
        read back through self.changeServiceAndQuery2.  Levels 9-11 are only
        prepared; their requests stay commented out as "doesn't work".  Any
        exception is printed and recorded in ``error`` instead of propagating.

        NOTE(review): the listing ends right after the except block, so the
        cleanup that should follow (deleting the service, closing the handles,
        failing on ``error``) is not visible here.
        """
        dce, rpctransport, scHandle  = self.connect()
        lpServiceName = 'TESTSVC\x00'
        lpDisplayName = 'DisplayName\x00'
        dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
        dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
        dwStartType = scmr.SERVICE_DEMAND_START
        dwErrorControl = scmr.SERVICE_ERROR_NORMAL
        lpBinaryPathName = 'binaryPath\x00'
        lpLoadOrderGroup = NULL
        lpdwTagId = NULL 
        lpDependencies = NULL
        dwDependSize = 0
        lpServiceStartName = NULL
        lpPassword = NULL
        dwPwSize = 0
        resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize)
        resp.dump()
        newHandle = resp['lpServiceHandle'] 
        # Errors are recorded rather than raised so that cleanup can still run.
        error = False
        try:
            request = scmr.RChangeServiceConfig2W()
            request['hService'] = newHandle
            # Level 1: description.
            request['Info']['dwInfoLevel'] = 1
            request['Info']['Union']['tag'] = 1
            request['Info']['Union']['psd']['lpDescription'] = u'betobeto\x00'
            resp = dce.request(request)
            resp.dump()
            self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psd']['lpDescription'])
            # Level 2: failure actions (reboot message / command).
            request['Info']['dwInfoLevel'] = 2
            request['Info']['Union']['tag'] = 2
            request['Info']['Union']['psfa']['lpRebootMsg'] = u'rebootMsg\00'
            request['Info']['Union']['psfa']['lpCommand'] = u'lpCommand\00'
            resp = dce.request(request)
            resp.dump()
            self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psfa']['lpRebootMsg'])
            # Level 3: delayed autostart.
            request['Info']['dwInfoLevel'] = 3
            request['Info']['Union']['tag'] = 3
            request['Info']['Union']['psda']['fDelayedAutostart'] = 1
            resp = dce.request(request)
            self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psda']['fDelayedAutostart'])
            # Level 4: failure actions on non-crash failures.
            request['Info']['dwInfoLevel'] = 4
            request['Info']['Union']['tag'] = 4
            request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures'] = 1
            resp = dce.request(request)
            self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures'])
            # Level 5: service SID type.
            request['Info']['dwInfoLevel'] = 5
            request['Info']['Union']['tag'] = 5
            request['Info']['Union']['pssid']['dwServiceSidType'] = 1
            resp = dce.request(request)
            self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pssid']['dwServiceSidType'])
            # Level 6: required privileges, sent as a UTF-16LE byte list with a
            # double NUL terminator (one privilege in the list).
            request['Info']['dwInfoLevel'] = 6
            request['Info']['Union']['tag'] = 6
            request['Info']['Union']['psrp']['pRequiredPrivileges'] = list(u'SeAssignPrimaryTokenPrivilege\x00\x00'.encode('utf-16le'))
            resp = dce.request(request)
            self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psrp']['pRequiredPrivileges'])
            # Level 7: preshutdown timeout.
            request['Info']['dwInfoLevel'] = 7
            request['Info']['Union']['tag'] = 7
            request['Info']['Union']['psps']['dwPreshutdownTimeout'] = 22
            resp = dce.request(request)
            self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psps']['dwPreshutdownTimeout'])
            # Level 8: a single domain-join trigger that starts the service.
            request['Info']['dwInfoLevel'] = 8
            request['Info']['Union']['tag'] = 8
            #request.dump()
            trigger = scmr.SERVICE_TRIGGER()
            trigger['dwTriggerType'] = scmr.SERVICE_TRIGGER_TYPE_DOMAIN_JOIN
            trigger['dwAction'] = scmr.SERVICE_TRIGGER_ACTION_SERVICE_START
            trigger['pTriggerSubtype'] = string_to_bin(scmr.DOMAIN_JOIN_GUID)
            # `item` is built but never attached: the append below is commented
            # out and pDataItems is sent as NULL.
            item = scmr.SERVICE_TRIGGER_SPECIFIC_DATA_ITEM()
            item['dwDataType'] = scmr.SERVICE_TRIGGER_DATA_TYPE_STRING
            item['pData'] = list(u'FREEFLY\x00'.encode('utf-16le'))
            #trigger['pDataItems'].append(item)
            trigger['pDataItems'] = NULL
            request['Info']['Union']['psti']['pTriggers'].append(trigger)
            resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, '\x00')
            # Levels 9-11 (preferred node, lowest run level, managed account)
            # are filled in but not sent.
            request['Info']['dwInfoLevel'] = 9
            request['Info']['Union']['tag'] = 9
            request['Info']['Union']['pspn']['usPreferredNode'] = 22
            # This one doesn't work
            #resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pspn']['usPreferredNode'])
            request['Info']['dwInfoLevel'] = 10
            request['Info']['Union']['tag'] = 10
            request['Info']['Union']['psri']['eLowestRunLevel'] = 1
            # This one doesn't work
            #resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psri']['eLowestRunLevel'])
            request['Info']['dwInfoLevel'] = 11
            request['Info']['Union']['tag'] = 11
            request['Info']['Union']['psma']['fIsManagedAccount'] = 1
            # This one doesn't work
            #resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psma']['fIsManagedAccount'])

        except Exception, e:
            import traceback
            traceback.print_exc()
            print e
            error = True
            pass
Example #20
        DCERPCException.__init__(self, error_string, error_code, packet)

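    def __str__(self):
        """Render the error as 'BKRP SessionError: ...'.

        Codes present in system_errors.ERROR_MESSAGES are expanded to their
        short and verbose descriptions; any other code is reported by value.
        """
        key = self.error_code
        # `in` replaces dict.has_key(): same lookup, and it also works on
        # Python 3 where has_key() no longer exists.
        if key in system_errors.ERROR_MESSAGES:
            entry = system_errors.ERROR_MESSAGES[key]
            error_msg_short = entry[0]
            error_msg_verbose = entry[1]
            return 'BKRP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
        return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code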

################################################################################
# CONSTANTS
################################################################################

# Well-known BackupKey GUIDs (names as in MS-BKRP), stored in binary form so
# they can be sent as-is in a request.
BACKUPKEY_BACKUP_GUID = string_to_bin("7F752B10-178E-11D1-AB8F-00805F14DB40")
BACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin("7FE94D50-178E-11D1-AB8F-00805F14DB40")
BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin("018FF48A-EABA-40C6-8F6D-72370240E967")
BACKUPKEY_RESTORE_GUID =  string_to_bin("47270C64-2FC7-499B-AC5B-0E37CDCE899A")

################################################################################
# STRUCTURES
################################################################################
class BYTE_ARRAY(NDRUniConformantArray):
    # Conformant array whose elements are single bytes ('c' item format).
    item = 'c'

class PBYTE_ARRAY(NDRPOINTER):
    # Pointer to a BYTE_ARRAY; the pointed-to array is reachable as 'Data'.
    referent = (
        ('Data', BYTE_ARRAY),
    )
Example #21
def get_guid_from_dn(legacyDN):
    """Extract the GUID from a legacy DN and return it in binary form.

    The GUID is taken as everything after the last '=' in ``legacyDN``
    (the whole string if it contains no '=') and converted with
    uuid.string_to_bin(); ``legacyDN`` is coerced to str first.
    """
    _, _, guid_text = str(legacyDN).rpartition("=")
    return uuid.string_to_bin(guid_text)
Example #22
    def test_DRSGetNCChanges(self):
        """Issue a V10 DRSGetNCChanges for one object and decrypt its unicodePwd.

        Builds a request for 'CN=krbtgt,CN=Users,DC=FREEFLY,DC=NET' with
        DRS_INIT_SYNC | DRS_PER_SYNC and the EXOP_REPL_OBJ | EXOP_REPL_SECRETS
        extended operation, dumps the reply, then scans the returned attribute
        block for the unicodePwd value and the object's RID.  The value is
        decrypted via drsuapi.DecryptAttributeValue, the RID-keyed DES layer
        is removed with drsuapi.removeDESLayer, and the resulting NT hash is
        printed.  Marked 'Not yet working' by the author; nothing is asserted.
        """
        # Not yet working
        dce, rpctransport, hDrs = self.connect()

        request = drsuapi.DRSGetNCChanges()
        request['hDrs'] = hDrs
        request['dwInVersion'] = 10

        request['pmsgIn']['tag'] =10
        # Both DSA/invocation ids are set to the same hard-coded test GUID.
        request['pmsgIn']['V10']['uuidDsaObjDest'] = string_to_bin('e85bbad7-0923-41cb-911e-3691d2014815')
        request['pmsgIn']['V10']['uuidInvocIdSrc'] = string_to_bin('e85bbad7-0923-41cb-911e-3691d2014815')
        #request['pmsgIn']['V10']['pNC'] = NULL

        # The naming context is addressed by string name only: no SID, null GUID.
        dsName = drsuapi.DSNAME()
        dsName['SidLen'] = 0
        dsName['Guid'] = drsuapi.NULLGUID
        dsName['Sid'] = ''
        #name = 'CN=NTDS Settings,CN=FREEFLY-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=FREEFLY,DC=NET'
        #name = 'CN=admin,CN=Users,DC=FREEFLY,DC=NET'
        name = 'CN=krbtgt,CN=Users,DC=FREEFLY,DC=NET'
        #name = 'DC=FREEFLY,DC=NET'
        #name = 'CN=Schema,CN=Configuration,DC=FREEFLY,DC=NET'
        #name = 'CN=Aggregate,CN=Schema,CN=Configuration,DC=FREEFLY,DC=NET'
        dsName['NameLen'] = len(name)
        dsName['StringName'] = (name + '\x00')

        # structLen must cover the whole serialized DSNAME, so it is computed last.
        dsName['structLen'] = len(dsName.getData())

        request['pmsgIn']['V10']['pNC'] = dsName

        # Start from USN 0 so the full object is returned, not just a delta.
        request['pmsgIn']['V10']['usnvecFrom']['usnHighObjUpdate'] = 0
        request['pmsgIn']['V10']['usnvecFrom']['usnHighPropUpdate'] = 0

        request['pmsgIn']['V10']['pUpToDateVecDest'] = NULL

        request['pmsgIn']['V10']['ulFlags'] =  drsuapi.DRS_INIT_SYNC | drsuapi.DRS_PER_SYNC  #| drsuapi.DRS_CRITICAL_ONLY
        request['pmsgIn']['V10']['cMaxObjects'] = 50
        request['pmsgIn']['V10']['cMaxBytes'] = 0
        request['pmsgIn']['V10']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ | drsuapi.EXOP_REPL_SECRETS
        request['pmsgIn']['V10']['pPartialAttrSet'] = NULL
        request['pmsgIn']['V10']['pPartialAttrSetEx1'] = NULL
        request['pmsgIn']['V10']['PrefixTableDest']['pPrefixEntry'] = NULL
        #request['pmsgIn']['V10']['ulMoreFlags'] = 0

        # Debug output: writes the DCE/RPC session key to stdout.
        from impacket.winregistry import hexdump
        print 'SESSION KEY'
        hexdump(dce.get_session_key())
        resp = dce.request(request)
        resp.dump()
        # ATTRTYP of unicodePwd (589914 == 0x9005A).
        unicodePwdAttr = 589914
        for attr in resp['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']:
            if attr['attrTyp'] == unicodePwdAttr:
                print "Found encrypted unicodePwd"
                encryptedUnicodePwd = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])
            elif attr['attrTyp'] == 0x00090092:
                # Presumably the objectSid attribute: the RID is the last
                # 4 bytes of the SID, little-endian.
                import struct
                userSid = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])[-4:]
                userRid = struct.unpack('<L', userSid)[0]
                print "Found RID ", userRid

        # NOTE(review): encryptedUnicodePwd and userRid are only bound inside
        # the loop above; if either attribute is missing from the reply the
        # calls below raise NameError instead of a clear failure.
        ntHash = drsuapi.DecryptAttributeValue(dce, encryptedUnicodePwd)
        # Now remove the DES layer
        ntHash = drsuapi.removeDESLayer(ntHash, userRid)
        print "User: %s" % name
        print "HTHASH ", ntHash.encode('hex')
Example #23
    def test_RChangeServiceConfig2W(self):
        """Create a throwaway service and drive RChangeServiceConfig2W through its info levels.

        A service TESTSVC (display name 'DisplayName', binary path
        'binaryPath') is opened or created, then info levels 1 through 8 are
        set via RChangeServiceConfig2W and (for most levels) read back through
        self.changeServiceAndQuery2.  Levels 9-11 are only prepared; their
        requests stay commented out as "doesn't work".  Exceptions are printed
        and recorded in ``error`` so the service is always deleted and both
        handles closed before the test is failed.
        """
        dce, rpc_transport = self.connect()
        scHandle = self.get_service_handle(dce)
        newHandle = self.open_or_create_service(dce, scHandle, 'TESTSVC\x00',
                                                'DisplayName\x00',
                                                'binaryPath\x00')
        # Errors are recorded rather than raised so that cleanup below still runs.
        error = False
        try:
            request = scmr.RChangeServiceConfig2W()
            request['hService'] = newHandle
            # Level 1: description.
            request['Info']['dwInfoLevel'] = 1
            request['Info']['Union']['tag'] = 1
            request['Info']['Union']['psd']['lpDescription'] = 'betobeto\x00'
            resp = dce.request(request)
            resp.dump()
            self.changeServiceAndQuery2(
                dce, request, request['Info']['Union']['psd']['lpDescription'])
            # Level 2: failure actions (reboot message / command).
            request['Info']['dwInfoLevel'] = 2
            request['Info']['Union']['tag'] = 2
            request['Info']['Union']['psfa']['lpRebootMsg'] = 'rebootMsg\00'
            request['Info']['Union']['psfa']['lpCommand'] = 'lpCommand\00'
            resp = dce.request(request)
            resp.dump()
            self.changeServiceAndQuery2(
                dce, request, request['Info']['Union']['psfa']['lpRebootMsg'])
            # Level 3: delayed autostart.
            request['Info']['dwInfoLevel'] = 3
            request['Info']['Union']['tag'] = 3
            request['Info']['Union']['psda']['fDelayedAutostart'] = 1
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request,
                request['Info']['Union']['psda']['fDelayedAutostart'])
            # Level 4: failure actions on non-crash failures.
            request['Info']['dwInfoLevel'] = 4
            request['Info']['Union']['tag'] = 4
            request['Info']['Union']['psfaf'][
                'fFailureActionsOnNonCrashFailures'] = 1
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request, request['Info']['Union']['psfaf']
                ['fFailureActionsOnNonCrashFailures'])
            # Level 5: service SID type.
            request['Info']['dwInfoLevel'] = 5
            request['Info']['Union']['tag'] = 5
            request['Info']['Union']['pssid']['dwServiceSidType'] = 1
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request,
                request['Info']['Union']['pssid']['dwServiceSidType'])
            # Level 6: required privileges, sent as a UTF-16LE byte list with a
            # double NUL terminator (one privilege in the list).
            request['Info']['dwInfoLevel'] = 6
            request['Info']['Union']['tag'] = 6
            request['Info']['Union']['psrp']['pRequiredPrivileges'] = list(
                'SeAssignPrimaryTokenPrivilege\x00\x00'.encode('utf-16le'))
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request,
                request['Info']['Union']['psrp']['pRequiredPrivileges'])
            # Level 7: preshutdown timeout.
            request['Info']['dwInfoLevel'] = 7
            request['Info']['Union']['tag'] = 7
            request['Info']['Union']['psps']['dwPreshutdownTimeout'] = 22
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request,
                request['Info']['Union']['psps']['dwPreshutdownTimeout'])
            # Level 8: a single domain-join trigger that starts the service.
            request['Info']['dwInfoLevel'] = 8
            request['Info']['Union']['tag'] = 8
            #request.dump()
            trigger = scmr.SERVICE_TRIGGER()
            trigger['dwTriggerType'] = scmr.SERVICE_TRIGGER_TYPE_DOMAIN_JOIN
            trigger['dwAction'] = scmr.SERVICE_TRIGGER_ACTION_SERVICE_START
            trigger['pTriggerSubtype'] = string_to_bin(scmr.DOMAIN_JOIN_GUID)
            # `item` is built but never attached: the append below is commented
            # out and pDataItems is sent as NULL.
            item = scmr.SERVICE_TRIGGER_SPECIFIC_DATA_ITEM()
            item['dwDataType'] = scmr.SERVICE_TRIGGER_DATA_TYPE_STRING
            item['pData'] = list('FREEFLY\x00'.encode('utf-16le'))
            #trigger['pDataItems'].append(item)
            trigger['pDataItems'] = NULL
            request['Info']['Union']['psti']['pTriggers'].append(trigger)
            dce.request(request)
            #self.changeServiceAndQuery2(dce, request, '\x00')
            # Levels 9-11 (preferred node, lowest run level, managed account)
            # are filled in but not sent.
            request['Info']['dwInfoLevel'] = 9
            request['Info']['Union']['tag'] = 9
            request['Info']['Union']['pspn']['usPreferredNode'] = 22
            # This one doesn't work
            #resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pspn']['usPreferredNode'])
            request['Info']['dwInfoLevel'] = 10
            request['Info']['Union']['tag'] = 10
            request['Info']['Union']['psri']['eLowestRunLevel'] = 1
            # This one doesn't work
            #resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psri']['eLowestRunLevel'])
            request['Info']['dwInfoLevel'] = 11
            request['Info']['Union']['tag'] = 11
            request['Info']['Union']['psma']['fIsManagedAccount'] = 1
            # This one doesn't work
            #resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psma']['fIsManagedAccount'])

        except Exception as e:
            import traceback
            traceback.print_exc()
            print(e)
            error = True
            pass

        # Always remove the test service and release both handles, then fail
        # if any step above raised.
        scmr.hRDeleteService(dce, newHandle)
        scmr.hRCloseServiceHandle(dce, newHandle)
        scmr.hRCloseServiceHandle(dce, scHandle)
        if error:
            self.fail()
Example #24
        if (hresult_errors.ERROR_MESSAGES.has_key(self.error_code)):
            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
            error_msg_verbose = hresult_errors.ERROR_MESSAGES[
                self.error_code][1]
            return 'SCMP SessionError: code: 0x%x - %s - %s' % (
                self.error_code, error_msg_short, error_msg_verbose)
        else:
            return 'SCMP SessionError: unknown error code: 0x%x' % (
                self.error_code)


################################################################################
# CONSTANTS
################################################################################
# 1.9 Standards Assignments
# Class and interface IDs for the shadow-copy management objects, in the
# binary form produced by string_to_bin() so they can be passed straight to
# DCOM activation and query calls.
CLSID_ShadowCopyProvider = string_to_bin(
    '0b5a2c52-3eb9-470a-96e2-6c6d4570e40f')
IID_IVssSnapshotMgmt = string_to_bin('FA7DF749-66E7-4986-A27F-E2F04AE53772')
IID_IVssEnumObject = string_to_bin('AE1C7110-2F60-11d3-8A39-00C04F72D8E3')
IID_IVssDifferentialSoftwareSnapshotMgmt = string_to_bin(
    '214A0F28-B737-4026-B847-4F9E37D79529')
IID_IVssEnumMgmtObject = string_to_bin('01954E6B-9254-4e6e-808C-C9E05D007696')
IID_ShadowCopyProvider = string_to_bin('B5946137-7B9F-4925-AF80-51ABD60B20D5')


# 2.2.1.1 VSS_ID
class VSS_ID(NDRSTRUCT):
    """16-byte VSS identifier, marshalled as one raw 16-byte 'Data' field."""

    structure = (
        ('Data', '16s=""'),
    )

    def getAlignment(self):
        # This struct is aligned on a 2-byte boundary.
        return 2
        if (hresult_errors.ERROR_MESSAGES.has_key(self.error_code)):
            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
            error_msg_verbose = hresult_errors.ERROR_MESSAGES[
                self.error_code][1]
            return 'VDS SessionError: code: 0x%x - %s - %s' % (
                self.error_code, error_msg_short, error_msg_verbose)
        else:
            return 'VDS SessionError: unknown error code: 0x%x' % (
                self.error_code)


################################################################################
# CONSTANTS
################################################################################
# 1.9 Standards Assignments
# CLSID / IIDs of the Virtual Disk Service interfaces, pre-converted to binary.
CLSID_VirtualDiskService = string_to_bin('7D1933CB-86F6-4A98-8628-01BE94C9A575')
IID_IEnumVdsObject = string_to_bin('118610B7-8D94-4030-B5B8-500889788E4E')
IID_IVdsAdviseSink = string_to_bin('8326CD1D-CF59-4936-B786-5EFC08798E25')
IID_IVdsAsync = string_to_bin('D5D23B6D-5A55-4492-9889-397A3C2D2DBC')
IID_IVdsServiceInitialization = string_to_bin('4AFC3636-DB01-4052-80C3-03BBCB8D3C69')
IID_IVdsService = string_to_bin('0818A8EF-9BA9-40D8-A6F9-E22833CC771E')
IID_IVdsSwProvider = string_to_bin('9AA58360-CE33-4F92-B658-ED24B14425B8')
IID_IVdsProvider = string_to_bin('10C5E575-7984-4E81-A56B-431F5F92AE42')

# error_status_t is a plain 32-bit unsigned value on the wire.
error_status_t = ULONG

# 2.2.1.1.3 VDS_OBJECT_ID -- a GUID under another name.
VDS_OBJECT_ID = GUID

import threading
from multiprocessing import Pool
from ldap3.utils.conv import escape_filter_chars
from impacket.uuid import string_to_bin, bin_to_string
from bloodhound.ad.utils import ADUtils
from bloodhound.lib import cstruct
from io import BytesIO
import binascii
import pprint
from future.utils import iteritems, native_str

# Extended-right / property GUIDs, pre-converted to binary once so ACE
# comparisons do not re-parse the string form each time.
# Source: https://msdn.microsoft.com/en-us/library/cc223512.aspx
EXTRIGHTS_GUID_MAPPING = dict(
    GetChanges=string_to_bin("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    GetChangesAll=string_to_bin("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    WriteMember=string_to_bin("bf9679c0-0de6-11d0-a285-00aa003049e2"),
    UserForceChangePassword=string_to_bin("00299570-246d-11d0-a768-00aa006e0529"),
)

def parse_binary_acl(entry, entrytype, acl, objecttype_guid_map):
    """
    Main ACL structure parse function.
    This is offloaded to subprocesses and takes the current entry and the
    acl data as argument. This is then returned and processed back in the main process
    """
    if not acl:
        return entry, []
    sd = SecurityDescriptor(BytesIO(acl))
    relations = []
    def __str__(self):
        """Format the error as a 'BKRP SessionError' line.

        Codes present in system_errors.ERROR_MESSAGES get the short and
        verbose descriptions appended; any other code is reported as unknown
        with just its hex value.
        """
        code = self.error_code
        if code not in system_errors.ERROR_MESSAGES:
            return 'BKRP SessionError: unknown error code: 0x%x' % code
        short_msg = system_errors.ERROR_MESSAGES[code][0]
        verbose_msg = system_errors.ERROR_MESSAGES[code][1]
        return 'BKRP SessionError: code: 0x%x - %s - %s' % (
            code, short_msg, verbose_msg)


################################################################################
# CONSTANTS
################################################################################

# Well-known BackupKey operation GUIDs, stored in binary form.
BACKUPKEY_BACKUP_GUID = string_to_bin(
    "7F752B10-178E-11D1-AB8F-00805F14DB40")
BACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin("7FE94D50-178E-11D1-AB8F-00805F14DB40")
BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin("018FF48A-EABA-40C6-8F6D-72370240E967")
BACKUPKEY_RESTORE_GUID = string_to_bin(
    "47270C64-2FC7-499B-AC5B-0E37CDCE899A")


################################################################################
# STRUCTURES
################################################################################
class BYTE_ARRAY(NDRUniConformantArray):
    """Conformant NDR array whose elements are single bytes (item code 'c')."""

    item = 'c'


class PBYTE_ARRAY(NDRPOINTER):
def hIpTransitionDeletev6Inv4Tunnel(dce, tunnel_guid):
    """Helper for the IpTransitionDeletev6Inv4Tunnel call.

    Args:
        dce: bound DCE/RPC connection the request is sent over.
        tunnel_guid: tunnel GUID as a string; converted to binary for the request.

    Returns:
        Whatever dce.request() returns for this call.
    """
    req = IpTransitionDeletev6Inv4Tunnel()
    req['TunnelGuid'] = uuid.string_to_bin(tunnel_guid)
    return dce.request(req)
 def getProviderName(self):
     """Resolve this object's UUID + version to a provider name.

     The binary UUID is followed by the version packed as a little-endian
     unsigned 16-bit value, and the 18-byte result is looked up through
     ndrutils.uuid_to_exe.
     """
     binary_uuid = uuid.string_to_bin(self.getUUID())
     version_le16 = struct.pack('<H', self.getVersion())
     return ndrutils.uuid_to_exe(binary_uuid + version_le16)
# Default locale identifier used by NSPI requests.
NSPI_DEFAULT_LOCALE = 0x00000409

# 2.2.5 Required Codepages
CP_TELETEX = 0x00004F25
CP_WINUNICODE = 0x000004B0

# 2.2.6.1 Comparison Flags (bit flags; written out in hex)
NORM_IGNORECASE = 0x00000001
NORM_IGNORENONSPACE = 0x00000002
NORM_IGNORESYMBOLS = 0x00000004
SORT_STRINGSORT = 0x00001000
NORM_IGNOREKANATYPE = 0x00010000
NORM_IGNOREWIDTH = 0x00020000

# 2.2.7 Permanent Entry ID GUID
GUID_NSPI = string_to_bin("C840A7DC-42C0-1A10-B4B9-08002B2FE182")

# 2.2.8 Positioning Minimal Entry IDs
MID_BEGINNING_OF_TABLE = 0
MID_CURRENT = 1
MID_END_OF_TABLE = 2

# 2.2.9 Ambiguous Name Resolution Minimal Entry IDs
MID_UNRESOLVED = 0
MID_AMBIGUOUS = 1
MID_RESOLVED = 2

# 2.2.10 Table Sort Orders
SortTypeDisplayName = 0
SortTypePhoneticDisplayName = 3
SortTypeDisplayName_RO = 1000
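    def test_RChangeServiceConfig2W(self):
        """Set RChangeServiceConfig2W info levels 1-8 on a throw-away service.

        A dummy service is created with hRCreateServiceW, then
        RChangeServiceConfig2W is issued once per info level, each followed by
        changeServiceAndQuery2 (defined elsewhere in this class) where the
        original test read the value back.  Levels 9, 10 and 11 stay
        commented out as in the original; its comments note that the last
        two do not work.

        The service is always deleted and both handles closed in a
        ``finally`` block, so a failing level change does not leave the test
        service behind on the target.  Any exception raised while changing
        levels is printed and turned into a test failure after cleanup.
        The ``except Exception as e`` / ``print(e)`` forms are valid on both
        Python 2 and 3 (the original used Python 2-only syntax).
        """
        dce, rpctransport, scHandle = self.connect()
        lpServiceName = 'TESTSVC\x00'
        lpDisplayName = 'DisplayName\x00'
        dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
        dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
        dwStartType = scmr.SERVICE_DEMAND_START
        dwErrorControl = scmr.SERVICE_ERROR_NORMAL
        lpBinaryPathName = 'binaryPath\x00'
        lpLoadOrderGroup = NULL
        lpdwTagId = NULL
        lpDependencies = NULL
        dwDependSize = 0
        lpServiceStartName = NULL
        lpPassword = NULL
        dwPwSize = 0
        resp = scmr.hRCreateServiceW(
            dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess,
            dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName,
            lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize,
            lpServiceStartName, lpPassword, dwPwSize)
        newHandle = resp['lpServiceHandle']
        error = False
        try:
            request = scmr.RChangeServiceConfig2W()
            request['hService'] = newHandle

            # Level 1: description (psd)
            request['Info']['dwInfoLevel'] = 1
            request['Info']['Union']['tag'] = 1
            request['Info']['Union']['psd']['lpDescription'] = u'betobeto\x00'
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request, request['Info']['Union']['psd']['lpDescription'])

            # Level 2: failure actions (psfa)
            request['Info']['dwInfoLevel'] = 2
            request['Info']['Union']['tag'] = 2
            request['Info']['Union']['psfa']['lpRebootMsg'] = u'rebootMsg\00'
            request['Info']['Union']['psfa']['lpCommand'] = u'lpCommand\00'
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request, request['Info']['Union']['psfa']['lpRebootMsg'])

            # Level 3: delayed auto-start (psda)
            request['Info']['dwInfoLevel'] = 3
            request['Info']['Union']['tag'] = 3
            request['Info']['Union']['psda']['fDelayedAutostart'] = 1
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request,
                request['Info']['Union']['psda']['fDelayedAutostart'])

            # Level 4: failure actions on non-crash failures (psfaf)
            request['Info']['dwInfoLevel'] = 4
            request['Info']['Union']['tag'] = 4
            request['Info']['Union']['psfaf'][
                'fFailureActionsOnNonCrashFailures'] = 1
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request, request['Info']['Union']['psfaf']
                ['fFailureActionsOnNonCrashFailures'])

            # Level 5: service SID type (pssid)
            request['Info']['dwInfoLevel'] = 5
            request['Info']['Union']['tag'] = 5
            request['Info']['Union']['pssid']['dwServiceSidType'] = 1
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request,
                request['Info']['Union']['pssid']['dwServiceSidType'])

            # Level 6: required privileges (psrp), a double-NUL terminated
            # UTF-16LE multi-string passed as a list of its encoded units.
            request['Info']['dwInfoLevel'] = 6
            request['Info']['Union']['tag'] = 6
            request['Info']['Union']['psrp']['pRequiredPrivileges'] = list(
                u'SeAssignPrimaryTokenPrivilege\x00\x00'.encode('utf-16le'))
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request,
                request['Info']['Union']['psrp']['pRequiredPrivileges'])

            # Level 7: pre-shutdown timeout (psps)
            request['Info']['dwInfoLevel'] = 7
            request['Info']['Union']['tag'] = 7
            request['Info']['Union']['psps']['dwPreshutdownTimeout'] = 22
            dce.request(request)
            self.changeServiceAndQuery2(
                dce, request,
                request['Info']['Union']['psps']['dwPreshutdownTimeout'])

            # Level 8: trigger info (psti) -- one domain-join trigger with no
            # data items; the string item below is built but not attached,
            # exactly as in the original test.
            request['Info']['dwInfoLevel'] = 8
            request['Info']['Union']['tag'] = 8
            trigger = scmr.SERVICE_TRIGGER()
            trigger['dwTriggerType'] = scmr.SERVICE_TRIGGER_TYPE_DOMAIN_JOIN
            trigger['dwAction'] = scmr.SERVICE_TRIGGER_ACTION_SERVICE_START
            trigger['pTriggerSubtype'] = string_to_bin(scmr.DOMAIN_JOIN_GUID)
            item = scmr.SERVICE_TRIGGER_SPECIFIC_DATA_ITEM()
            item['dwDataType'] = scmr.SERVICE_TRIGGER_DATA_TYPE_STRING
            item['pData'] = list(u'FREEFLY\x00'.encode('utf-16le'))
            #trigger['pDataItems'].append(item)
            trigger['pDataItems'] = NULL
            request['Info']['Union']['psti']['pTriggers'].append(trigger)
            dce.request(request)
            #self.changeServiceAndQuery2(dce, request, '\x00')

            # Level 9: preferred node (pspn) -- request left unsent, as in the original.
            request['Info']['dwInfoLevel'] = 9
            request['Info']['Union']['tag'] = 9
            request['Info']['Union']['pspn']['usPreferredNode'] = 22
            #resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pspn']['usPreferredNode'])

            # Level 10: run level info (psri) -- "This one doesn't work" in the original.
            request['Info']['dwInfoLevel'] = 10
            request['Info']['Union']['tag'] = 10
            request['Info']['Union']['psri']['eLowestRunLevel'] = 1
            #resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psri']['eLowestRunLevel'])

            # Level 11: managed account (psma) -- "This one doesn't work" in the original.
            request['Info']['dwInfoLevel'] = 11
            request['Info']['Union']['tag'] = 11
            request['Info']['Union']['psma']['fIsManagedAccount'] = 1
            #resp = dce.request(request)
            #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psma']['fIsManagedAccount'])

        except Exception as e:
            # Show which level failed before the service is torn down.
            import traceback
            traceback.print_exc()
            print(e)
            error = True
        finally:
            # Remove the test service and release both handles whether or
            # not a level change raised.
            scmr.hRDeleteService(dce, newHandle)
            scmr.hRCloseServiceHandle(dce, newHandle)
            scmr.hRCloseServiceHandle(dce, scHandle)
        if error:
            self.fail()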
    def get_packet( self ):
        """Return the raw packet object stored on this exception."""
        packet = self.packet
        return packet

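    def __str__( self ):
        """Format the error as a 'VDS SessionError' line.

        Codes found in hresult_errors.ERROR_MESSAGES get their short and
        verbose descriptions appended; anything else is reported as unknown.
        The membership test uses ``in`` rather than ``dict.has_key()``, which
        does not exist on Python 3 (``in`` works on both).
        """
        code = self.error_code
        if code in hresult_errors.ERROR_MESSAGES:
            error_msg_short = hresult_errors.ERROR_MESSAGES[code][0]
            error_msg_verbose = hresult_errors.ERROR_MESSAGES[code][1]
            return 'VDS SessionError: code: 0x%x - %s - %s' % (code, error_msg_short, error_msg_verbose)
        return 'VDS SessionError: unknown error code: 0x%x' % (code)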

################################################################################
# CONSTANTS
################################################################################
# 1.9 Standards Assignments
# Binary CLSID / IIDs of the Virtual Disk Service interfaces.
CLSID_VirtualDiskService = string_to_bin(
    '7D1933CB-86F6-4A98-8628-01BE94C9A575')
IID_IEnumVdsObject = string_to_bin(
    '118610B7-8D94-4030-B5B8-500889788E4E')
IID_IVdsAdviseSink = string_to_bin(
    '8326CD1D-CF59-4936-B786-5EFC08798E25')
IID_IVdsAsync = string_to_bin(
    'D5D23B6D-5A55-4492-9889-397A3C2D2DBC')
IID_IVdsServiceInitialization = string_to_bin(
    '4AFC3636-DB01-4052-80C3-03BBCB8D3C69')
IID_IVdsService = string_to_bin(
    '0818A8EF-9BA9-40D8-A6F9-E22833CC771E')
IID_IVdsSwProvider = string_to_bin(
    '9AA58360-CE33-4F92-B658-ED24B14425B8')
IID_IVdsProvider = string_to_bin(
    '10C5E575-7984-4E81-A56B-431F5F92AE42')

# error_status_t is a 32-bit unsigned value.
error_status_t = ULONG

# 2.2.1.1.3 VDS_OBJECT_ID -- alias of GUID.
VDS_OBJECT_ID = GUID

################################################################################
# STRUCTURES
 def getProviderName(self):
     """Map this object's binary UUID plus little-endian 16-bit version to a provider name via ndrutils.uuid_to_exe."""
     key = uuid.string_to_bin(self.getUUID())
     key += struct.pack('<H', self.getVersion())
     return ndrutils.uuid_to_exe(key)

# 5.113 LDAP_CONN_PROPERTIES -- single-bit flags, one per connection property.
BND = 1 << 0
SSL = 1 << 1
UDP = 1 << 2
GC = 1 << 3
GSS = 1 << 4
NGO = 1 << 5
SPL = 1 << 6
MD5 = 1 << 7
SGN = 1 << 8
SL = 1 << 9

# 5.137 NTSAPI_CLIENT_GUID (binary form)
NTDSAPI_CLIENT_GUID = string_to_bin('e24d201a-4fd6-11d1-a3da-0000f875ae0d')

# 5.139 NULLGUID -- the all-zero GUID, in binary form
NULLGUID = string_to_bin('00000000-0000-0000-0000-000000000000')

# 5.205 USN -- update sequence number, a 64-bit value
USN = LONGLONG

# 4.1.4.1.2 DRS_MSG_CRACKREQ_V1 flags
DS_NAME_FLAG_GCVERIFY = 1 << 2
DS_NAME_FLAG_TRUST_REFERRAL = 1 << 3
DS_NAME_FLAG_PRIVATE_RESOLVE_FPOS = 1 << 31

# Special "list" selectors carried in the same request
DS_LIST_SITES = 0xFFFFFFFF
DS_LIST_SERVERS_IN_SITE = 0xFFFFFFFE
DS_LIST_DOMAINS_IN_SITE = 0xFFFFFFFD
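    def nspi_dump_tables(self, options):
        """Dump the rows of one NSPI address-book table.

        Args:
            options: parsed command-line options. Reads output_type,
                lookup_type, name, guid and rows_per_request.

        The property list comes from options.lookup_type: MINIMAL (also the
        default when it is None), EXTENDED or GUIDS pick the matching
        NSPIAttacks.PROPS_* set, anything else (FULL) passes an empty list.
        The table is the GAL (MId 0) when options.name is one of the GAL
        aliases; otherwise the hierarchy table is loaded and scanned for a
        container matching options.guid (when given) or options.name.

        Side effects: logs progress, calls sys.exit(1) when no container
        matches.

        Changes from the original: ``is None`` instead of ``== None``, each
        hierarchy entry is looked up once per iteration, and log messages
        use lazy %-arguments instead of eager string formatting.
        """
        self.exch.set_output_type(options.output_type)

        lookup_type = options.lookup_type
        if lookup_type is None or lookup_type == 'MINIMAL':
            propTags = NSPIAttacks.PROPS_MINUMAL
        elif lookup_type == 'EXTENDED':
            propTags = NSPIAttacks.PROPS_EXTENDED
        elif lookup_type == 'GUIDS':
            propTags = NSPIAttacks.PROPS_GUID
        else:
            # FULL
            propTags = []

        gal_aliases = ('gal', 'default global address list', 'global address list')
        if options.name is not None and options.name.lower() in gal_aliases:
            logging.info("Lookuping Global Address List")
            table_MId = 0
        else:
            # 2.2.8
            # The client obtains Minimal Entry IDs for STAT ContainerID
            # from the server's address book hierarchy table
            #
            # We cannot convert the GUID to a MId via NspiDNToMId or similar operations because it
            # may not work in Multi-Tenant environments
            self.exch.load_htable()

            if options.guid is not None:
                logging.info("Search for an address book with objectGUID = %s", options.guid)
                guid = uuid.string_to_bin(options.guid)
                name = None
            else:
                guid = None
                name = options.name

            table_MId = 0

            for MId in self.exch.htable:
                if MId == 0:
                    # GAL
                    continue

                entry = self.exch.htable[MId]
                if guid is not None:
                    # -guid
                    if entry['guid'] == guid:
                        logging.debug("MId %d is assigned for %s object", MId, options.guid)
                        logging.info("Lookuping %s", entry['name'])
                        table_MId = MId
                        break
                elif entry['name'] == name:
                    # -name
                    guid = uuid.bin_to_string(entry['guid'])
                    logging.debug("MId %d is assigned for %s object", MId, guid)
                    logging.info("Lookuping address book with objectGUID = %s", guid)
                    table_MId = MId
                    break

            if table_MId == 0:
                logging.error("Specified address book not found!")
                sys.exit(1)

        self.exch.req_print_table_rows(table_MId, propTags, options.rows_per_request)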
    def __init__(self, error_string=None, error_code=None, packet=None):
        """Forward error_string, error_code and packet unchanged to DCERPCException."""
        DCERPCException.__init__(self, error_string, error_code, packet)

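    def __str__( self ):
        """Format the error as an 'SCMP SessionError' line.

        Codes found in hresult_errors.ERROR_MESSAGES get their short and
        verbose descriptions appended; anything else is reported as unknown.
        ``in`` replaces ``dict.has_key()``, which does not exist on Python 3.
        """
        code = self.error_code
        if code in hresult_errors.ERROR_MESSAGES:
            error_msg_short = hresult_errors.ERROR_MESSAGES[code][0]
            error_msg_verbose = hresult_errors.ERROR_MESSAGES[code][1]
            return 'SCMP SessionError: code: 0x%x - %s - %s' % (code, error_msg_short, error_msg_verbose)
        return 'SCMP SessionError: unknown error code: 0x%x' % code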

################################################################################
# CONSTANTS
################################################################################
# 1.9 Standards Assignments
# Binary CLSID / IIDs of the shadow-copy management interfaces.
CLSID_ShadowCopyProvider = string_to_bin(
    '0b5a2c52-3eb9-470a-96e2-6c6d4570e40f')
IID_IVssSnapshotMgmt = string_to_bin(
    'FA7DF749-66E7-4986-A27F-E2F04AE53772')
IID_IVssEnumObject = string_to_bin(
    'AE1C7110-2F60-11d3-8A39-00C04F72D8E3')
IID_IVssDifferentialSoftwareSnapshotMgmt = string_to_bin(
    '214A0F28-B737-4026-B847-4F9E37D79529')
IID_IVssEnumMgmtObject = string_to_bin(
    '01954E6B-9254-4e6e-808C-C9E05D007696')
IID_ShadowCopyProvider = string_to_bin(
    'B5946137-7B9F-4925-AF80-51ABD60B20D5')

# 2.2.1.1 VSS_ID
class VSS_ID(NDRSTRUCT):
    """16-byte VSS identifier carried as a single raw 16-byte 'Data' field."""

    structure = (('Data', '16s=""'),)

    def getAlignment(self):
        # 2-byte alignment for this struct.
        return 2
from multiprocessing import Pool
from ldap3.utils.conv import escape_filter_chars
from impacket.uuid import string_to_bin, bin_to_string
from bloodhound.ad.utils import ADUtils
from bloodhound.lib import cstruct
from io import BytesIO
import binascii
import pprint
from future.utils import iteritems, native_str

# Extended-right / property GUIDs in binary form, converted once here so each
# ACE comparison can use the bytes directly.
# Source: https://msdn.microsoft.com/en-us/library/cc223512.aspx
EXTRIGHTS_GUID_MAPPING = {
    "GetChanges": string_to_bin("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    "GetChangesAll": string_to_bin("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    "WriteMember": string_to_bin("bf9679c0-0de6-11d0-a285-00aa003049e2"),
    "UserForceChangePassword": string_to_bin("00299570-246d-11d0-a768-00aa006e0529"),
    "AllowedToAct": string_to_bin("3f78c3e5-f79a-46bd-a0b8-9d18116ddc79"),
}


def parse_binary_acl(entry, entrytype, acl, objecttype_guid_map):
    """
    Main ACL structure parse function.
    This is offloaded to subprocesses and takes the current entry and the

# 5.113 LDAP_CONN_PROPERTIES -- bit flags describing an LDAP connection
BND = 0x1
SSL = 0x2
UDP = 0x4
GC = 0x8
GSS = 0x10
NGO = 0x20
SPL = 0x40
MD5 = 0x80
SGN = 0x100
SL = 0x200

# 5.139 NULLGUID -- all-zero GUID, binary form
NULLGUID = string_to_bin("00000000-0000-0000-0000-000000000000")

# 5.137 NTSAPI_CLIENT_GUID -- binary form
NTDSAPI_CLIENT_GUID = string_to_bin("e24d201a-4fd6-11d1-a3da-0000f875ae0d")

# 5.205 USN -- 64-bit update sequence number
USN = LONGLONG

# 4.1.4.1.2 DRS_MSG_CRACKREQ_V1 -- request flags
DS_NAME_FLAG_GCVERIFY = 0x4
DS_NAME_FLAG_TRUST_REFERRAL = 0x8
DS_NAME_FLAG_PRIVATE_RESOLVE_FPOS = 0x80000000

# 4.1.4.1.2 DRS_MSG_CRACKREQ_V1 -- "list" selectors (top of the 32-bit range)
DS_LIST_SITES = 0xFFFFFFFF
DS_LIST_SERVERS_IN_SITE = 0xFFFFFFFE
DS_LIST_DOMAINS_IN_SITE = 0xFFFFFFFD
#   Some calls have helper functions, which makes it even easier to use.
#   They are located at the end of this file.
#   Helper functions start with "h"<name of the call>.
#   There are test cases for them too.
#
# Author:
#   Adam (@cube0x0)
#
from impacket import system_errors
from impacket.dcerpc.v5.dtypes import ULONGLONG, UINT, USHORT, LPWSTR, DWORD, ULONG, NULL
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRUniConformantArray
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.uuid import uuidtup_to_bin, string_to_bin

# Interface UUIDs, in binary form: the PAR interface carries a version tuple,
# the WinSpool one is a bare GUID.
MSRPC_UUID_PAR = uuidtup_to_bin(
    ('76F03F96-CDFD-44FC-A22C-64950A001209', '1.0')
)
MSRPC_UUID_WINSPOOL = string_to_bin(
    '9940CA8E-512F-4C58-88A9-61098D6896BD'
)

class DCERPCSessionError(DCERPCException):
    """DCE/RPC error raised by this module, rendered with an 'RPRN SessionError' prefix."""

    def __init__(self, error_string=None, error_code=None, packet=None):
        """Forward error_string, error_code and packet unchanged to DCERPCException."""
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__( self ):
        """Describe the error code, with text from system_errors.ERROR_MESSAGES when it is known."""
        code = self.error_code
        if code not in system_errors.ERROR_MESSAGES:
            return 'RPRN SessionError: unknown error code: 0x%x' % code
        short_msg = system_errors.ERROR_MESSAGES[code][0]
        verbose_msg = system_errors.ERROR_MESSAGES[code][1]
        return 'RPRN SessionError: code: 0x%x - %s - %s' % (code, short_msg, verbose_msg)

################################################################################