def __init__(self, gssapi, target):
self.target = target
self.gssapi = gssapi
self.transport = None
self.auth_type = RPC_C_AUTHN_WINNT
if self.gssapi.kerberos is not None:
self.auth_type = RPC_C_AUTHN_GSS_NEGOTIATE
self.auth_level = RPC_C_AUTHN_LEVEL_NONE
self.ctx = 0
self.callid = 1
self.NDRSyntax = uuidtup_to_bin(
('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
self.NDR64Syntax = uuidtup_to_bin(
('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
self.transfer_syntax = self.NDRSyntax
self.transfer_syntax = uuidtup_to_bin(
('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
self.__max_xmit_size = 0
self._max_user_frag = 0
self.__sequence = 0
self.__sessionKey = None
self.__clientSigningKey = None
self.__serverSigningKey = None
self.__clientSealingKey = None
self.__serverSealingKey = None
self.__clientSealingHandle = None
self.__serverSealingHandle = None
class DCERPC:
# Standard NDR Representation
NDRSyntax = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
# NDR 64
NDR64Syntax = uuidtup_to_bin(
('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
transfer_syntax = NDRSyntax
# Best way to learn how to use these calls is to grab the protocol standard
# so you understand what the call does, and then read the test case located
# at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from aiosmb.dcerpc.v5 import system_errors
from aiosmb.dcerpc.v5.dtypes import WSTR, DWORD, LPWSTR, ULONG, LARGE_INTEGER, WORD, BYTE
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray, NDRUniVaryingArray, NDRSTRUCT
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin
MSRPC_UUID_EVEN6 = uuidtup_to_bin(('F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C', '1.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
################################################################################
# CONSTANTS
################################################################################
# Evt Path Flags
EvtQueryChannelName = 0x00000001
EvtQueryFilePath = 0x00000002
EvtReadOldestToNewest = 0x00000100
EvtReadNewestToOldest = 0x00000200
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from aiosmb.dcerpc.v5.dtypes import NULL, DWORD, LPWSTR, ULONG, BOOL, LPBYTE, ULONGLONG, PGUID, USHORT, LPDWORD, WSTR, \
GUID, PBOOL, WIDESTR
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDR, NDRSTRUCT, NDRPOINTER, NDRPOINTERNULL, NDRUniConformantArray, NDRUNION
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin
from aiosmb.dcerpc.v5 import system_errors
from aiosmb.commons.utils.decorators import red, rr
from aiosmb.commons.exceptions import SMBException
MSRPC_UUID_SCMR = uuidtup_to_bin(
('367ABB81-9844-35F1-AD32-98F038001003', '2.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__(self):
key = self.error_code
if key in system_errors.ERROR_MESSAGES:
error_msg_short = system_errors.ERROR_MESSAGES[key][0]
error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
return 'SCMR SessionError: code: 0x%x - %s - %s' % (
self.error_code, error_msg_short, error_msg_verbose)
else:
return 'SCMR SessionError: unknown error code: 0x%x' % self.error_code
from aiosmb.crypto.DES import expand_DES_key
from asn1crypto.core import ObjectIdentifier
from aiosmb.crypto.symmetric import RC4, DES
from aiosmb.crypto.BASE import cipherMODE
##### THIS CODE NEEDS TO BE CLEANED UP!!!!
#from pyasn1.type import univ
#from impacket.crypto import transformKey
#try:
# from Cryptodome.Cipher import ARC4, DES
#except Exception:
# LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
# LOG.critical("See https://pypi.org/project/pycryptodomex/")
MSRPC_UUID_DRSUAPI = uuidtup_to_bin(
('E3514235-4B06-11D1-AB04-00C04FC2DCD2', '4.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__(self):
return 'DRSR SessionError: unknown error code: 0x%x' % self.error_code
################################################################################
# CONSTANTS
################################################################################
# 4.1.10.2.17 EXOP_ERR Codes
class EXOP_ERR(NDRENUM):
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from __future__ import division
from __future__ import print_function
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDR, NDRPOINTERNULL, NDRUniConformantArray
from aiosmb.dcerpc.v5.dtypes import ULONG, LPWSTR, RPC_UNICODE_STRING, LPSTR, NTSTATUS, NULL, PRPC_UNICODE_STRING, PULONG, USHORT, PRPC_SID, LPBYTE
from aiosmb.dcerpc.v5.lsad import PRPC_UNICODE_STRING_ARRAY
from aiosmb.dcerpc.v5.structure import Structure
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
MSRPC_UUID_EVEN = uuidtup_to_bin(
('82273FDC-E32A-18C3-3F78-827929DC23EA', '0.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
################################################################################
# CONSTANTS
################################################################################
# 2.2.2 EventType
EVENTLOG_SUCCESS = 0x0000
EVENTLOG_ERROR_TYPE = 0x0001
EVENTLOG_WARNING_TYPE = 0x0002
EVENTLOG_INFORMATION_TYPE = 0x0004
async def bind(self,
iface_uuid,
alter=0,
bogus_binds=0,
transfer_syntax=('8a885d04-1ceb-11c9-9fe8-08002b104860',
'2.0')):
"""
Performs bind operation. Does authentication and sets up the keys for further communication
"""
try:
bind = MSRPCBind()
#item['TransferSyntax']['Version'] = 1
ctx = self.ctx
for _ in range(bogus_binds):
item = CtxItem()
item['ContextID'] = ctx
item['TransItems'] = 1
item['ContextID'] = ctx
# We generate random UUIDs for bogus binds
item['AbstractSyntax'] = generate() + stringver_to_bin('2.0')
item['TransferSyntax'] = uuidtup_to_bin(transfer_syntax)
bind.addCtxItem(item)
self.ctx += 1
ctx += 1
# The true one :)
item = CtxItem()
item['AbstractSyntax'] = iface_uuid
item['TransferSyntax'] = uuidtup_to_bin(transfer_syntax)
item['ContextID'] = ctx
item['TransItems'] = 1
bind.addCtxItem(item)
packet = MSRPCHeader()
packet['type'] = MSRPC_BIND
packet['pduData'] = bind.getData()
packet['call_id'] = self.callid
if alter:
packet['type'] = MSRPC_ALTERCTX
if self.auth_level != RPC_C_AUTHN_LEVEL_NONE:
#authentication required
if self.auth_type == RPC_C_AUTHN_WINNT:
#seal flag MUST be turned on in the handshake flags!!!!!!!
#it is "signaled via the is_rpc variable"
auth, res, err = await self.gssapi.ntlm.authenticate(
None, is_rpc=True)
if err is not None:
return None, err
elif self.auth_type == RPC_C_AUTHN_NETLOGON:
return False, Exception(
'RPC_C_AUTHN_NETLOGON Not implemented!')
elif self.auth_type == RPC_C_AUTHN_GSS_NEGOTIATE:
auth, res, err = await self.gssapi.gssapi.authenticate(
None,
flags = GSSAPIFlags.GSS_C_CONF_FLAG |\
GSSAPIFlags.GSS_C_INTEG_FLAG | \
GSSAPIFlags.GSS_C_SEQUENCE_FLAG | \
GSSAPIFlags.GSS_C_REPLAY_FLAG | \
GSSAPIFlags.GSS_C_MUTUAL_FLAG | \
GSSAPIFlags.GSS_C_DCE_STYLE,
seq_number = 0,
is_rpc = True
)
if err is not None:
return None, err
else:
return None, Exception('Unsupported auth type!')
sec_trailer = SEC_TRAILER()
sec_trailer['auth_type'] = self.auth_type
sec_trailer['auth_level'] = self.auth_level
sec_trailer['auth_ctx_id'] = self.ctx + 79231
pad = (4 - (len(packet.get_packet()) % 4)) % 4
if pad != 0:
packet['pduData'] += b'\xFF' * pad
sec_trailer['auth_pad_len'] = pad
packet['sec_trailer'] = sec_trailer
packet['auth_data'] = auth
_, _ = await rr(self.transport.send(packet.get_packet()))
data, _ = await rr(self.recv_one())
resp = MSRPCHeader(data)
if resp['type'] == MSRPC_BINDACK or resp[
'type'] == MSRPC_ALTERCTX_R:
bindResp = MSRPCBindAck(resp.getData())
elif resp['type'] == MSRPC_BINDNAK or resp['type'] == MSRPC_FAULT:
if resp['type'] == MSRPC_FAULT:
resp = MSRPCRespHeader(resp.getData())
status_code = unpack('<L', resp['pduData'][:4])[0]
else:
resp = MSRPCBindNak(resp['pduData'])
status_code = resp['RejectedReason']
if status_code in rpc_status_codes:
return False, DCERPCException(error_code=status_code)
elif status_code in rpc_provider_reason:
return False, DCERPCException(
"Bind context rejected: %s" %
rpc_provider_reason[status_code])
else:
return False, DCERPCException(
'Unknown DCE RPC fault status code: %.8x' %
status_code)
else:
return False, DCERPCException(
'Unknown DCE RPC packet type received: %d' % resp['type'])
# check ack results for each context, except for the bogus ones
for ctx in range(bogus_binds + 1, bindResp['ctx_num'] + 1):
ctxItems = bindResp.getCtxItem(ctx)
if ctxItems['Result'] != 0:
msg = "Bind context %d rejected: " % ctx
msg += rpc_cont_def_result.get(
ctxItems['Result'],
'Unknown DCE RPC context result code: %.4x' %
ctxItems['Result'])
msg += "; "
reason = bindResp.getCtxItem(ctx)['Reason']
msg += rpc_provider_reason.get(
reason, 'Unknown reason code: %.4x' % reason)
if (ctxItems['Result'], reason) == (
2, 1
): # provider_rejection, abstract syntax not supported
msg += " (this usually means the interface isn't listening on the given endpoint)"
raise DCERPCException(msg)
# Save the transfer syntax for later use
self.transfer_syntax = ctxItems['TransferSyntax']
# The received transmit size becomes the client's receive size, and the received receive size becomes the client's transmit size.
self.__max_xmit_size = bindResp['max_rfrag']
if self.auth_level != RPC_C_AUTHN_LEVEL_NONE:
if self.auth_type == RPC_C_AUTHN_WINNT:
response, res, err = await self.gssapi.ntlm.authenticate(
bindResp['auth_data'], is_rpc=True)
if err is not None:
return None, err
self.__sessionKey = self.gssapi.ntlm.get_session_key()
elif self.auth_type == RPC_C_AUTHN_NETLOGON:
response = None
elif self.auth_type == RPC_C_AUTHN_GSS_NEGOTIATE:
response, res, err = await self.gssapi.gssapi.authenticate(
bindResp['auth_data'],
is_rpc = True,
flags = GSSAPIFlags.GSS_C_CONF_FLAG |\
GSSAPIFlags.GSS_C_INTEG_FLAG | \
GSSAPIFlags.GSS_C_SEQUENCE_FLAG | \
GSSAPIFlags.GSS_C_REPLAY_FLAG | \
GSSAPIFlags.GSS_C_MUTUAL_FLAG | \
GSSAPIFlags.GSS_C_DCE_STYLE
)
if err is not None:
return None, err
self.__sessionKey = self.gssapi.gssapi.get_session_key()
self.__sequence = 0
if self.auth_level in (RPC_C_AUTHN_LEVEL_CONNECT,
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
RPC_C_AUTHN_LEVEL_PKT_PRIVACY):
if self.auth_type == RPC_C_AUTHN_WINNT:
if self.gssapi.ntlm.is_extended_security() == True:
self.__clientSigningKey = self.gssapi.ntlm.get_signkey(
)
self.__serverSigningKey = self.gssapi.ntlm.get_signkey(
'Server')
self.__clientSealingKey = self.gssapi.ntlm.get_sealkey(
)
self.__serverSealingKey = self.gssapi.ntlm.get_sealkey(
'Server')
cipher3 = RC4(self.__clientSealingKey)
self.__clientSealingHandle = cipher3.encrypt
cipher4 = RC4(self.__serverSealingKey)
self.__serverSealingHandle = cipher4.encrypt
else:
# Same key for everything
self.__clientSigningKey = self.gssapi.ntlm.get_session_key(
)
self.__serverSigningKey = self.gssapi.ntlm.get_session_key(
)
self.__clientSealingKey = self.gssapi.ntlm.get_session_key(
)
self.__serverSealingKey = self.gssapi.ntlm.get_session_key(
)
cipher = RC4(self.__clientSigningKey)
self.__clientSealingHandle = cipher.encrypt
self.__serverSealingHandle = cipher.encrypt
elif self.auth_type == RPC_C_AUTHN_NETLOGON:
raise Exception(
'RPC_C_AUTHN_NETLOGON is not implemented!')
sec_trailer = SEC_TRAILER()
sec_trailer['auth_type'] = self.auth_type
sec_trailer['auth_level'] = self.auth_level
sec_trailer['auth_ctx_id'] = self.ctx + 79231
if response is not None:
if self.auth_type == RPC_C_AUTHN_GSS_NEGOTIATE:
alter_ctx = MSRPCHeader()
alter_ctx['type'] = MSRPC_ALTERCTX
alter_ctx['pduData'] = bind.getData()
alter_ctx['sec_trailer'] = sec_trailer
alter_ctx['auth_data'] = response
await rr(
self.transport.send(alter_ctx.get_packet(),
forceWriteAndx=1))
self.__sequence = 0
await rr(
self.recv_one()
) #recieving the result of alter_context command
self.__sequence = self.gssapi.gssapi.selected_authentication_context.seq_number
else:
auth3 = MSRPCHeader()
auth3['type'] = MSRPC_AUTH3
# pad (4 bytes): Can be set to any arbitrary value when set and MUST be
# ignored on receipt. The pad field MUST be immediately followed by a
# sec_trailer structure whose layout, location, and alignment are as
# specified in section 2.2.2.11
auth3[
'pduData'] = b' ' * 4 #SkelSec: I have spent 3 hours to find this bug, that I caused by replacing spaces to tabs :(
auth3['sec_trailer'] = sec_trailer
#SkelSec auth3['auth_data'] = response.getData()
auth3['auth_data'] = response
# Use the same call_id
self.callid = resp['call_id']
auth3['call_id'] = self.callid
await rr(
self.transport.send(auth3.get_packet(),
forceWriteAndx=1))
self.callid += 1
return resp, None # means packet is signed, if verifier is wrong it fails
except Exception as e:
return False, e
# There are test cases for them too.
#
import io
from os import stat
from aiosmb.dcerpc.v5.dtypes import ULONGLONG, UINT, USHORT, LPWSTR, DWORD, ULONG, NULL
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRUniConformantArray
from aiosmb.dcerpc.v5.ndr import NDRVaryingString
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
from aiosmb.dcerpc.v5 import system_errors
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin
from aiosmb.dcerpc.v5.structure import Structure
MSRPC_UUID_RPRN = uuidtup_to_bin(
('12345678-1234-ABCD-EF00-0123456789AB', '1.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__(self):
key = self.error_code
if key in system_errors.ERROR_MESSAGES:
error_msg_short = system_errors.ERROR_MESSAGES[key][0]
error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
return 'RPRN SessionError: code: 0x%x - %s - %s' % (
self.error_code, error_msg_short, error_msg_verbose)
else:
return 'RPRN SessionError: unknown error code: 0x%x' % self.error_code
# There are test cases for them too.
#
from aiosmb.dcerpc.v5.dtypes import ULONG, LONG, PRPC_SID, RPC_UNICODE_STRING, LPWSTR, PRPC_UNICODE_STRING, NTSTATUS, NULL
from aiosmb.dcerpc.v5.enum import Enum
from aiosmb.dcerpc.v5.lsad import LSAPR_HANDLE, PLSAPR_TRUST_INFORMATION_ARRAY
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRPOINTER, NDRUniConformantArray
from aiosmb.dcerpc.v5.samr import SID_NAME_USE
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
from struct import unpack, pack
from aiosmb import logger as LOG
from aiosmb.commons.utils.decorators import red, rr
MSRPC_UUID_LSAT = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
################################################################################
# CONSTANTS
################################################################################
# 2.2.10 ACCESS_MASK
POLICY_LOOKUP_NAMES = 0x00000800
################################################################################
# STRUCTURES
################################################################################
# 2.2.12 LSAPR_REFERENCED_DOMAIN_LIST
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from aiosmb.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, LPBYTE, NULL, DWORD_PTR
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin
from aiosmb.dcerpc.v5 import system_errors, hresult_errors
from aiosmb.commons.exceptions import SMBException
from aiosmb.dcerpc.v5.structure import Structure
MSRPC_UUID_ICPR = uuidtup_to_bin(
('91ae6020-9e3c-11cf-8d7c-00aa00c091be', '0.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__(self):
key = self.error_code
if key in hresult_errors.ERROR_MESSAGES:
error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
return 'ICPR SessionError: code: 0x%x - %s - %s' % (
self.error_code, error_msg_short, error_msg_verbose)
elif key & 0xffff in system_errors.ERROR_MESSAGES:
error_msg_short = system_errors.ERROR_MESSAGES[key & 0xffff][0]
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin
from aiosmb.dcerpc.v5 import system_errors
from aiosmb.commons.exceptions import SMBException
from aiosmb.dcerpc.v5.structure import Structure
#from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
#from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL, GUID, PSYSTEMTIME, SYSTEMTIME
#from impacket.structure import Structure
#from impacket import hresult_errors, system_errors
#from impacket.uuid import uuidtup_to_bin
#from impacket.dcerpc.v5.rpcrt import DCERPCException
MSRPC_UUID_TSCHS = uuidtup_to_bin(('86D35949-83C9-4044-B424-DB363231FD0C','1.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__( self ):
return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
################################################################################
# CONSTANTS
################################################################################
# 2.3.1 Constant Values
CNLEN = 15
DNLEN = CNLEN
UNLEN = 256
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRUNION, NDRUniConformantArray, NDRUniFixedArray, \
NDRPOINTER
from aiosmb.dcerpc.v5.dtypes import NULL, WSTR, ULONG, LPWSTR, LONG, LARGE_INTEGER, WIDESTR, RPC_UNICODE_STRING, \
LPULONG, LPLONG
from aiosmb.dcerpc.v5 import system_errors
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin
from aiosmb.dcerpc.v5.enum import Enum
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
MSRPC_UUID_WKST = uuidtup_to_bin(('6BFFD098-A112-3610-9833-46C3F87E345A', '1.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__( self ):
key = self.error_code
if system_errors.ERROR_MESSAGES.has_key(key):
error_msg_short = system_errors.ERROR_MESSAGES[key][0]
error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
return 'WKST SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
else:
return 'WKST SessionError: unknown error code: 0x%x' % self.error_code
################################################################################
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
# ToDo:
# [ ] 2.2.2 Client-Side-Wrapped Secret
from __future__ import division
from __future__ import print_function
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray
from aiosmb.dcerpc.v5.dtypes import DWORD, NTSTATUS, GUID, RPC_SID, NULL
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
from aiosmb.dcerpc.v5 import system_errors
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin, string_to_bin
from aiosmb.dcerpc.v5.structure import Structure
MSRPC_UUID_BKRP = uuidtup_to_bin(('3dde7c30-165d-11d1-ab8f-00805f14db40', '1.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__( self ):
key = self.error_code
if key in system_errors.ERROR_MESSAGES:
error_msg_short = system_errors.ERROR_MESSAGES[key][0]
error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
return 'BKRP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
else:
return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code
################################################################################
async def amain():
try:
targets = []
ip = '10.10.10.2'
epm = EPM.from_address(ip)
_, err = await epm.connect()
if err is not None:
raise err
x, err = await epm.lookup()
if err is not None:
raise err
await epm.disconnect()
print(len(x))
#print(x)
for entry in x:
version = '%s.%s' % (entry['tower']['Floors'][0]['MajorVersion'],
entry['tower']['Floors'][0]['MinorVersion'])
uuidstr = bin_to_string(
entry['tower']['Floors'][0]['InterfaceUUID'])
service_uuid = uuidtup_to_bin((uuidstr, version))
#print(entry['tower']['Floors'][0]['InterfaceUUID'])
#print(version)
#print(service_uuid)
target, err = await EPM.create_target(ip, service_uuid)
print(err)
if err is not None:
if str(err).find('ept_s_not_registered') != -1:
continue
raise err
targets.append((uuidstr, service_uuid, target))
for uuidstr, service_uuid, target in targets:
#print('UUID: %s' % uuidstr)
#print('Target: %s' % target)
cred = SMBCredential(username='******',
domain='TEST',
secret='Passw0rd!1',
secret_type=SMBCredentialsSecretType.PASSWORD,
authentication_type=SMBAuthProtocol.NTLM,
settings=None,
target=None)
gssapi = AuthenticatorBuilder.to_spnego_cred(cred)
auth = DCERPCAuth.from_smb_gssapi(gssapi)
connection = DCERPC5Connection(auth, target)
connection.set_auth_level(RPC_C_AUTHN_LEVEL_CONNECT)
try:
_, err = await connection.connect()
if err is not None:
raise err
_, err = await connection.bind(service_uuid)
if err is not None:
raise err
req = DummyOp()
_, err = await connection.request(req)
if str(err).find('rpc_s_access_denied') == -1:
proto = 'UNK'
if uuidstr in KNOWN_PROTOCOLS:
proto = KNOWN_PROTOCOLS[uuidstr]
print('UUID : %s' % uuidstr)
print('proto: %s' % proto)
print('err : %s' % err)
print()
except Exception as e:
traceback.print_exc()
finally:
await connection.disconnect()
except Exception as e:
traceback.print_exc()
# at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from aiosmb.dcerpc.v5 import system_errors
from aiosmb.dcerpc.v5.dtypes import ULONGLONG, UINT, USHORT, LPWSTR, DWORD, ULONG, NULL
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRUniConformantArray
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin, string_to_bin
from aiosmb.dcerpc.v5.rprn import DRIVER_INFO_2_ARRAY
MSRPC_UUID_PAR = uuidtup_to_bin(
('76F03F96-CDFD-44FC-A22C-64950A001209', '1.0'))
MSRPC_UUID_WINSPOOL = string_to_bin('9940CA8E-512F-4C58-88A9-61098D6896BD')
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__(self):
key = self.error_code
if key in system_errors.ERROR_MESSAGES:
error_msg_short = system_errors.ERROR_MESSAGES[key][0]
error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
return 'RPRN SessionError: code: 0x%x - %s - %s' % (
self.error_code, error_msg_short, error_msg_verbose)
else:
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from struct import unpack, pack
from aiosmb import logger as LOG
from aiosmb.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantVaryingArray, NDRUniConformantArray
from aiosmb.dcerpc.v5.dtypes import DWORD, UUID, ULONG, LPULONG, BOOLEAN, SECURITY_INFORMATION, PFILETIME, \
RPC_UNICODE_STRING, FILETIME, NULL, MAXIMUM_ALLOWED, OWNER_SECURITY_INFORMATION, PWCHAR, PRPC_UNICODE_STRING
from aiosmb.dcerpc.v5.rpcrt import DCERPCException
from aiosmb.dcerpc.v5.uuid import uuidtup_to_bin
from aiosmb.commons.utils.decorators import red, rr
MSRPC_UUID_RRP = uuidtup_to_bin(
('338CD001-2244-31F1-AAAA-900038001003', '1.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__(self):
return 'RRP SessionError: unknown error code: 0x%x' % self.error_code
################################################################################
# CONSTANTS
################################################################################
# 2.2.2 PREGISTRY_SERVER_NAME
PREGISTRY_SERVER_NAME = PWCHAR
