Example #1
0
    def generate_auth(self, trustdom_secret):
        def arcfour_encrypt(key, data):
            c = RC4.RC4(key)
            return c.update(data)

        def string_to_array(what):
            blob = [0] * len(what)

            for i in range(len(what)):
                blob[i] = ord(what[i])
            return blob

        password_blob = string_to_array(trustdom_secret.encode('utf-16-le'))

        clear_value = drsblobs.AuthInfoClear()
        clear_value.size = len(password_blob)
        clear_value.password = password_blob

        clear_authentication_information = drsblobs.AuthenticationInformation()
        clear_authentication_information.LastUpdateTime = samba.unix2nttime(
            int(time.time()))
        clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
        clear_authentication_information.AuthInfo = clear_value

        authentication_information_array = drsblobs.AuthenticationInformationArray(
        )
        authentication_information_array.count = 1
        authentication_information_array.array = [
            clear_authentication_information
        ]

        outgoing = drsblobs.trustAuthInOutBlob()
        outgoing.count = 1
        outgoing.current = authentication_information_array

        confounder = [3] * 512
        for i in range(512):
            confounder[i] = random.randint(0, 255)

        trustpass = drsblobs.trustDomainPasswords()
        trustpass.confounder = confounder

        trustpass.outgoing = outgoing
        trustpass.incoming = outgoing

        trustpass_blob = ndr_pack(trustpass)

        encrypted_trustpass = arcfour_encrypt(self._pipe.session_key,
                                              trustpass_blob)

        auth_blob = lsa.DATA_BUF2()
        auth_blob.size = len(encrypted_trustpass)
        auth_blob.data = string_to_array(encrypted_trustpass)

        auth_info = lsa.TrustDomainInfoAuthInfoInternal()
        auth_info.auth_blob = auth_blob
        self.auth_info = auth_info
Example #2
0
 def __extract_trusted_auth(self, info):
     """
     Returns in clear trusted domain account credentials
     """
     clear = None
     auth = drsblobs.trustAuthInOutBlob()
     auth.__ndr_unpack__(info['auth'])
     auth_array = auth.current.array[0]
     if auth_array.AuthType == lsa.TRUST_AUTH_TYPE_CLEAR:
         clear = ''.join(map(chr, auth_array.AuthInfo.password)).decode('utf-16-le')
     return clear
Example #3
0
 def __extract_trusted_auth(self, info):
     """
     Returns in clear trusted domain account credentials
     """
     clear = None
     auth = drsblobs.trustAuthInOutBlob()
     auth.__ndr_unpack__(info['auth'])
     auth_array = auth.current.array[0]
     if auth_array.AuthType == lsa.TRUST_AUTH_TYPE_CLEAR:
         clear = ''.join(map(
             chr, auth_array.AuthInfo.password)).decode('utf-16-le')
     return clear
Example #4
0
    def generate_auth(self, trustdom_secret):
        def arcfour_encrypt(key, data):
            c = RC4.RC4(key)
            return c.update(data)
        def string_to_array(what):
            blob = [0] * len(what)

            for i in range(len(what)):
                blob[i] = ord(what[i])
            return blob

        password_blob = string_to_array(trustdom_secret.encode('utf-16-le'))

        clear_value = drsblobs.AuthInfoClear()
        clear_value.size = len(password_blob)
        clear_value.password = password_blob

        clear_authentication_information = drsblobs.AuthenticationInformation()
        clear_authentication_information.LastUpdateTime = samba.unix2nttime(int(time.time()))
        clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
        clear_authentication_information.AuthInfo = clear_value

        authentication_information_array = drsblobs.AuthenticationInformationArray()
        authentication_information_array.count = 1
        authentication_information_array.array = [clear_authentication_information]

        outgoing = drsblobs.trustAuthInOutBlob()
        outgoing.count = 1
        outgoing.current = authentication_information_array

        confounder = [3]*512
        for i in range(512):
            confounder[i] = random.randint(0, 255)

        trustpass = drsblobs.trustDomainPasswords()
        trustpass.confounder = confounder

        trustpass.outgoing = outgoing
        trustpass.incoming = outgoing

        trustpass_blob = ndr_pack(trustpass)

        encrypted_trustpass = arcfour_encrypt(self._pipe.session_key, trustpass_blob)

        auth_blob = lsa.DATA_BUF2()
        auth_blob.size = len(encrypted_trustpass)
        auth_blob.data = string_to_array(encrypted_trustpass)

        auth_info = lsa.TrustDomainInfoAuthInfoInternal()
        auth_info.auth_blob = auth_blob
        self.auth_info = auth_info
Example #5
0
    def join_setup_trusts(ctx):
        """provision the local SAM"""

        def arcfour_encrypt(key, data):
            from Crypto.Cipher import ARC4

            c = ARC4.new(key)
            return c.encrypt(data)

        def string_to_array(string):
            blob = [0] * len(string)

            for i in range(len(string)):
                blob[i] = ord(string[i])

            return blob

        print "Setup domain trusts with server %s" % ctx.server
        binding_options = ""  # why doesn't signing work here? w2k8r2 claims no session key
        lsaconn = lsa.lsarpc("ncacn_np:%s[%s]" % (ctx.server, binding_options), ctx.lp, ctx.creds)

        objectAttr = lsa.ObjectAttribute()
        objectAttr.sec_qos = lsa.QosInfo()

        pol_handle = lsaconn.OpenPolicy2("".decode("utf-8"), objectAttr, security.SEC_FLAG_MAXIMUM_ALLOWED)

        info = lsa.TrustDomainInfoInfoEx()
        info.domain_name.string = ctx.dnsdomain
        info.netbios_name.string = ctx.domain_name
        info.sid = security.dom_sid(ctx.domsid)
        info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
        info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
        info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_WITHIN_FOREST

        try:
            oldname = lsa.String()
            oldname.string = ctx.dnsdomain
            oldinfo = lsaconn.QueryTrustedDomainInfoByName(pol_handle, oldname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
            print ("Removing old trust record for %s (SID %s)" % (ctx.dnsdomain, oldinfo.info_ex.sid))
            lsaconn.DeleteTrustedDomain(pol_handle, oldinfo.info_ex.sid)
        except RuntimeError:
            pass

        password_blob = string_to_array(ctx.trustdom_pass.encode("utf-16-le"))

        clear_value = drsblobs.AuthInfoClear()
        clear_value.size = len(password_blob)
        clear_value.password = password_blob

        clear_authentication_information = drsblobs.AuthenticationInformation()
        clear_authentication_information.LastUpdateTime = samba.unix2nttime(int(time.time()))
        clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
        clear_authentication_information.AuthInfo = clear_value

        authentication_information_array = drsblobs.AuthenticationInformationArray()
        authentication_information_array.count = 1
        authentication_information_array.array = [clear_authentication_information]

        outgoing = drsblobs.trustAuthInOutBlob()
        outgoing.count = 1
        outgoing.current = authentication_information_array

        trustpass = drsblobs.trustDomainPasswords()
        confounder = [3] * 512

        for i in range(512):
            confounder[i] = random.randint(0, 255)

        trustpass.confounder = confounder

        trustpass.outgoing = outgoing
        trustpass.incoming = outgoing

        trustpass_blob = ndr_pack(trustpass)

        encrypted_trustpass = arcfour_encrypt(lsaconn.session_key, trustpass_blob)

        auth_blob = lsa.DATA_BUF2()
        auth_blob.size = len(encrypted_trustpass)
        auth_blob.data = string_to_array(encrypted_trustpass)

        auth_info = lsa.TrustDomainInfoAuthInfoInternal()
        auth_info.auth_blob = auth_blob

        trustdom_handle = lsaconn.CreateTrustedDomainEx2(pol_handle, info, auth_info, security.SEC_STD_DELETE)

        rec = {
            "dn": "cn=%s,cn=system,%s" % (ctx.dnsforest, ctx.base_dn),
            "objectclass": "trustedDomain",
            "trustType": str(info.trust_type),
            "trustAttributes": str(info.trust_attributes),
            "trustDirection": str(info.trust_direction),
            "flatname": ctx.forest_domain_name,
            "trustPartner": ctx.dnsforest,
            "trustAuthIncoming": ndr_pack(outgoing),
            "trustAuthOutgoing": ndr_pack(outgoing),
        }
        ctx.local_samdb.add(rec)

        rec = {
            "dn": "cn=%s$,cn=users,%s" % (ctx.forest_domain_name, ctx.base_dn),
            "objectclass": "user",
            "userAccountControl": str(samba.dsdb.UF_INTERDOMAIN_TRUST_ACCOUNT),
            "clearTextPassword": ctx.trustdom_pass.encode("utf-16-le"),
        }
        ctx.local_samdb.add(rec)
Example #6
0
    def _create_trust_relax(self, smbencrypt=True):
        creds = self.get_user_creds()

        if smbencrypt:
            creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
        else:
            creds.set_smb_encryption(SMB_ENCRYPTION_OFF)

        lp = self.get_loadparm()

        binding_string = ("ncacn_np:%s" %
                          (samba.tests.env_get_var_value('SERVER')))
        lsa_conn = lsa.lsarpc(binding_string, lp, creds)

        if smbencrypt:
            self.assertTrue(lsa_conn.transport_encrypted())
        else:
            self.assertFalse(lsa_conn.transport_encrypted())

        objectAttr = lsa.ObjectAttribute()
        objectAttr.sec_qos = lsa.QosInfo()

        pol_handle = lsa_conn.OpenPolicy2('', objectAttr,
                                          security.SEC_FLAG_MAXIMUM_ALLOWED)
        self.assertIsNotNone(pol_handle)

        name = lsa.String()
        name.string = "tests.samba.example.com"
        try:
            info = lsa_conn.QueryTrustedDomainInfoByName(
                pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)

            lsa_conn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
        except RuntimeError:
            pass

        info = lsa.TrustDomainInfoInfoEx()
        info.domain_name.string = name.string
        info.netbios_name.string = "createtrustrelax"
        info.sid = security.dom_sid("S-1-5-21-538490383-3740119673-95748416")
        info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
        info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
        info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE

        password_blob = samba.string_to_byte_array(
            "password".encode('utf-16-le'))

        clear_value = drsblobs.AuthInfoClear()
        clear_value.size = len(password_blob)
        clear_value.password = password_blob

        clear_authentication_information = drsblobs.AuthenticationInformation()
        clear_authentication_information.LastUpdateTime = 0
        clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
        clear_authentication_information.AuthInfo = clear_value

        authentication_information_array = drsblobs.AuthenticationInformationArray(
        )
        authentication_information_array.count = 1
        authentication_information_array.array = [
            clear_authentication_information
        ]

        outgoing = drsblobs.trustAuthInOutBlob()
        outgoing.count = 1
        outgoing.current = authentication_information_array

        trustdom_handle = None
        try:
            trustdom_handle = CreateTrustedDomainRelax(lsa_conn, pol_handle,
                                                       info,
                                                       security.SEC_STD_DELETE,
                                                       outgoing, outgoing)
        except samba.NTSTATUSError as nt:
            raise AssertionError(nt)
        except OSError as e:
            if smbencrypt:
                raise AssertionError(e)

        if smbencrypt:
            self.assertIsNotNone(trustdom_handle)
            lsa_conn.DeleteTrustedDomain(pol_handle, info.sid)
        else:
            self.assertIsNone(trustdom_handle)
Example #7
0
    def join_setup_trusts(ctx):
        '''provision the local SAM'''
        def arcfour_encrypt(key, data):
            from Crypto.Cipher import ARC4
            c = ARC4.new(key)
            return c.encrypt(data)

        def string_to_array(string):
            blob = [0] * len(string)

            for i in range(len(string)):
                blob[i] = ord(string[i])

            return blob

        print "Setup domain trusts with server %s" % ctx.server
        binding_options = ""  # why doesn't signing work here? w2k8r2 claims no session key
        lsaconn = lsa.lsarpc("ncacn_np:%s[%s]" % (ctx.server, binding_options),
                             ctx.lp, ctx.creds)

        objectAttr = lsa.ObjectAttribute()
        objectAttr.sec_qos = lsa.QosInfo()

        pol_handle = lsaconn.OpenPolicy2(''.decode('utf-8'), objectAttr,
                                         security.SEC_FLAG_MAXIMUM_ALLOWED)

        info = lsa.TrustDomainInfoInfoEx()
        info.domain_name.string = ctx.dnsdomain
        info.netbios_name.string = ctx.domain_name
        info.sid = security.dom_sid(ctx.domsid)
        info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
        info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
        info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_WITHIN_FOREST

        try:
            oldname = lsa.String()
            oldname.string = ctx.dnsdomain
            oldinfo = lsaconn.QueryTrustedDomainInfoByName(
                pol_handle, oldname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
            print("Removing old trust record for %s (SID %s)" %
                  (ctx.dnsdomain, oldinfo.info_ex.sid))
            lsaconn.DeleteTrustedDomain(pol_handle, oldinfo.info_ex.sid)
        except RuntimeError:
            pass

        password_blob = string_to_array(ctx.trustdom_pass.encode('utf-16-le'))

        clear_value = drsblobs.AuthInfoClear()
        clear_value.size = len(password_blob)
        clear_value.password = password_blob

        clear_authentication_information = drsblobs.AuthenticationInformation()
        clear_authentication_information.LastUpdateTime = samba.unix2nttime(
            int(time.time()))
        clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
        clear_authentication_information.AuthInfo = clear_value

        authentication_information_array = drsblobs.AuthenticationInformationArray(
        )
        authentication_information_array.count = 1
        authentication_information_array.array = [
            clear_authentication_information
        ]

        outgoing = drsblobs.trustAuthInOutBlob()
        outgoing.count = 1
        outgoing.current = authentication_information_array

        trustpass = drsblobs.trustDomainPasswords()
        confounder = [3] * 512

        for i in range(512):
            confounder[i] = random.randint(0, 255)

        trustpass.confounder = confounder

        trustpass.outgoing = outgoing
        trustpass.incoming = outgoing

        trustpass_blob = ndr_pack(trustpass)

        encrypted_trustpass = arcfour_encrypt(lsaconn.session_key,
                                              trustpass_blob)

        auth_blob = lsa.DATA_BUF2()
        auth_blob.size = len(encrypted_trustpass)
        auth_blob.data = string_to_array(encrypted_trustpass)

        auth_info = lsa.TrustDomainInfoAuthInfoInternal()
        auth_info.auth_blob = auth_blob

        trustdom_handle = lsaconn.CreateTrustedDomainEx2(
            pol_handle, info, auth_info, security.SEC_STD_DELETE)

        rec = {
            "dn": "cn=%s,cn=system,%s" % (ctx.dnsforest, ctx.base_dn),
            "objectclass": "trustedDomain",
            "trustType": str(info.trust_type),
            "trustAttributes": str(info.trust_attributes),
            "trustDirection": str(info.trust_direction),
            "flatname": ctx.forest_domain_name,
            "trustPartner": ctx.dnsforest,
            "trustAuthIncoming": ndr_pack(outgoing),
            "trustAuthOutgoing": ndr_pack(outgoing)
        }
        ctx.local_samdb.add(rec)

        rec = {
            "dn": "cn=%s$,cn=users,%s" % (ctx.forest_domain_name, ctx.base_dn),
            "objectclass": "user",
            "userAccountControl": str(samba.dsdb.UF_INTERDOMAIN_TRUST_ACCOUNT),
            "clearTextPassword": ctx.trustdom_pass.encode('utf-16-le')
        }
        ctx.local_samdb.add(rec)