def rpcdump(self): logger.info('Retrieving RPC endpoint list') self.__rpc_connect() entries = self.__fetchList() endpoints = {} # Let's groups the UUIDs for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors'], self.trans.getRemoteName()) tmpUUID = str(entry['tower']['Floors'][0]) if endpoints.has_key(tmpUUID) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if epm.KNOWN_UUIDS.has_key( uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]): endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1] endpoints[tmpUUID]['Bindings'].append(binding) if epm.KNOWN_PROTOCOLS.has_key(tmpUUID[:36]): endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = 'N/A' # print 'Transfer Syntax: %s' % entry['Tower']['Floors'][1] for endpoint in endpoints.keys(): print 'Protocol: %s ' % endpoints[endpoint]['Protocol'] print 'Provider: %s ' % endpoints[endpoint]['EXE'] print 'UUID : %s %s' % (endpoint, endpoints[endpoint]['annotation']) print 'Bindings: ' for binding in endpoints[endpoint]['Bindings']: print ' %s' % binding print if entries: num = len(entries) if 1 == num: logger.info('Received one RPC endpoint') else: logger.info('Received %d endpoints' % num) else: logger.info('No endpoints found')
def dump(self, remoteName, remoteHost): """Dumps the list of endpoints registered with the mapper listening at addr. remoteName is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % remoteName) entries = [] self.__stringbinding = self.KNOWN_PROTOCOLS[ self.__port]['bindstr'] % remoteName logging.debug('StringBinding %s' % self.__stringbinding) rpctransport = transport.DCERPCTransportFactory(self.__stringbinding) if self.__port in [139, 445]: # Setting credentials for SMB rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) # Setting remote host and port for SMB rpctransport.setRemoteHost(remoteHost) rpctransport.set_dport(self.__port) elif self.__port in [443]: # Setting credentials only for RPC Proxy, but not for the MSRPC level rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) # Usually when a server doesn't support NTLM, it also doesn't expose epmapper (nowadays # only RDG servers may potentially expose a epmapper via RPC Proxy). # # Also if the auth is not NTLM, there is no way to get a target # NetBIOS name, but epmapper ACL requires you to specify it. rpctransport.set_auth_type(AUTH_NTLM) else: # We don't need to authenticate to 135 and 593 ports pass try: entries = self.__fetchList(rpctransport) except Exception as e: # raise # This may contain UTF-8 error_text = 'Protocol failed: %s' % e logging.critical(error_text) if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or \ RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \ RPC_PROXY_CONN_A1_404_ERR in error_text or \ RPC_PROXY_CONN_A1_0X6BA_ERR in error_text: logging.critical( "This usually means the target does not allow " "to connect to its epmapper using RpcProxy.") return # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors']) tmpUUID = str(entry['tower']['Floors'][0]) if (tmpUUID in endpoints) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if uuid.uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS: endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode( 'utf-8') endpoints[tmpUUID]['Bindings'].append(binding) if tmpUUID[:36] in epm.KNOWN_PROTOCOLS: endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" # print("Transfer Syntax: %s" % entry['tower']['Floors'][1]) for endpoint in list(endpoints.keys()): print("Protocol: %s " % endpoints[endpoint]['Protocol']) print("Provider: %s " % endpoints[endpoint]['EXE']) print("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])) print("Bindings: ") for binding in endpoints[endpoint]['Bindings']: print(" %s" % binding) print("") if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
class RPCDump: KNOWN_PROTOCOLS = { '139/SMB': (r'ncacn_np:%s[\pipe\epmapper]', 139), '445/SMB': (r'ncacn_np:%s[\pipe\epmapper]', 445), '135/TCP': (r'ncacn_ip_tcp:%s', 135), } def __init__(self, protocols=None, username='', password='', domain='', hashes=None): if not protocols: protocols = RPCDump.KNOWN_PROTOCOLS.keys() self.__username = username self.__password = password self.__protocols = [protocols] self.__domain = domain self.__lmhash = '' self.__nthash = '' if hashes is not None: self.__lmhash, self.__nthash = hashes.split(':') def dump(self, addr): """Dumps the list of endpoints registered with the mapper listening at addr. Addr is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % addr) # Try all requested protocols until one works. entries = [] for protocol in self.__protocols: protodef = RPCDump.KNOWN_PROTOCOLS[protocol] port = protodef[1] logging.info("Trying protocol %s..." % protocol) stringbinding = protodef[0] % addr rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(port) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) try: entries = self.__fetchList(rpctransport) except Exception, e: logging.critical('Protocol failed: %s' % e) else: # Got a response. No need for further iterations. break # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors'], rpctransport.get_dip()) tmpUUID = str(entry['tower']['Floors'][0]) if endpoints.has_key(tmpUUID) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if ndrutils.KNOWN_UUIDS.has_key( uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]): endpoints[tmpUUID]['EXE'] = ndrutils.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1] endpoints[tmpUUID]['Bindings'].append(binding) if epm.KNOWN_PROTOCOLS.has_key(tmpUUID[:36]): endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" #print "Transfer Syntax: %s" % entry['Tower']['Floors'][1] for endpoint in endpoints.keys(): print "Protocol: %s " % endpoints[endpoint]['Protocol'] print "Provider: %s " % endpoints[endpoint]['EXE'] print "UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation']) print "Bindings: " for binding in endpoints[endpoint]['Bindings']: print " %s" % binding print "" if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
Author: Catalin Patulea <*****@*****.**> """ from __future__ import division from __future__ import print_function import sys import struct from impacket.examples import logger from impacket import uuid from impacket.dcerpc.v5.epm import KNOWN_UUIDS from impacket.dcerpc.v5 import transport, rpcrt, epm from impacket.dcerpc.v5 import mgmt uuid_database = set( uuid.string_to_uuidtup(line) for line in """ 00000001-0000-0000-c000-000000000046 v0.0 00000131-0000-0000-c000-000000000046 v0.0 00000132-0000-0000-c000-000000000046 v0.0 00000134-0000-0000-c000-000000000046 v0.0 00000136-0000-0000-c000-000000000046 v0.0 00000141-0000-0000-c000-000000000046 v0.0 00000143-0000-0000-c000-000000000046 v0.0 000001a0-0000-0000-c000-000000000046 v0.0 027947e1-d731-11ce-a357-000000000001 v0.0 04fcb220-fcfd-11cd-bec8-00aa0047ae4e v1.0 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 0a5a5830-58e0-11ce-a3cc-00aa00607271 v1.0 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.0
('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0'): listed, listening ('E60C73E6-88F9-11CF-9AF1-0020AF6E72F4', '2.0'): listed, listening Usually, only AFA8BD80-...-89, the MGMT interface, is not listed but always listening on any port. This is imposed by the DCERPC spec. Author: Catalin Patulea <*****@*****.**> """ import sys, struct from impacket import uuid from impacket.dcerpc import ndrutils from impacket.dcerpc.v5 import transport, rpcrt, epm from impacket.dcerpc.v5 import mgmt from impacket.examples import logger uuid_database = set(uuid.string_to_uuidtup(line) for line in """ 00000001-0000-0000-c000-000000000046 v0.0 00000131-0000-0000-c000-000000000046 v0.0 00000132-0000-0000-c000-000000000046 v0.0 00000134-0000-0000-c000-000000000046 v0.0 00000136-0000-0000-c000-000000000046 v0.0 00000141-0000-0000-c000-000000000046 v0.0 00000143-0000-0000-c000-000000000046 v0.0 000001a0-0000-0000-c000-000000000046 v0.0 027947e1-d731-11ce-a357-000000000001 v0.0 04fcb220-fcfd-11cd-bec8-00aa0047ae4e v1.0 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 0a5a5830-58e0-11ce-a3cc-00aa00607271 v1.0 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.0
('B9E79E60-3D52-11CE-AAA1-00006901293F', '0.2'): listed, listening ('C6F3EE72-CE7E-11D1-B71E-00C04FC3111A', '1.0'): listed, listening ('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0'): listed, listening ('E60C73E6-88F9-11CF-9AF1-0020AF6E72F4', '2.0'): listed, listening Usually, only AFA8BD80-...-89, the MGMT interface, is not listed but always listening on any port. This is imposed by the DCERPC spec. Author: Catalin Patulea <*****@*****.**> """ import sys, struct from impacket import uuid from impacket.dcerpc import transport, dcerpc, ndrutils from impacket.dcerpc import mgmt uuid_database = set(uuid.string_to_uuidtup(line) for line in """ 00000001-0000-0000-c000-000000000046 v0.0 00000131-0000-0000-c000-000000000046 v0.0 00000132-0000-0000-c000-000000000046 v0.0 00000134-0000-0000-c000-000000000046 v0.0 00000136-0000-0000-c000-000000000046 v0.0 00000141-0000-0000-c000-000000000046 v0.0 00000143-0000-0000-c000-000000000046 v0.0 000001a0-0000-0000-c000-000000000046 v0.0 027947e1-d731-11ce-a357-000000000001 v0.0 04fcb220-fcfd-11cd-bec8-00aa0047ae4e v1.0 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 0a5a5830-58e0-11ce-a3cc-00aa00607271 v1.0 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.0
def dump(self, remoteName, remoteHost): """Dumps the list of endpoints registered with the mapper listening at addr. remoteName is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % remoteName) entries = [] stringbinding = self.KNOWN_PROTOCOLS[ self.__port]['bindstr'] % remoteName logging.debug('StringBinding %s' % stringbinding) rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(self.__port) if self.KNOWN_PROTOCOLS[self.__port]['set_host']: rpctransport.setRemoteHost(remoteHost) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) try: entries = self.__fetchList(rpctransport) except Exception as e: logging.critical('Protocol failed: %s' % e) # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors'], rpctransport.getRemoteHost()) tmpUUID = str(entry['tower']['Floors'][0]) if (tmpUUID in endpoints) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if uuid.uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS: endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode( 'utf-8') endpoints[tmpUUID]['Bindings'].append(binding) if tmpUUID[:36] in epm.KNOWN_PROTOCOLS: endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" #print "Transfer Syntax: %s" % entry['Tower']['Floors'][1] for endpoint in list(endpoints.keys()): print("Protocol: %s " % endpoints[endpoint]['Protocol']) print("Provider: %s " % endpoints[endpoint]['EXE']) print("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])) print("Bindings: ") for binding in endpoints[endpoint]['Bindings']: print(" %s" % binding) print("") if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
def dump(self, remoteName, remoteHost): """Dumps the list of endpoints registered with the mapper listening at addr. remoteName is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % remoteName) entries = [] self.__stringbinding = self.KNOWN_PROTOCOLS[ self.__port]['bindstr'] % remoteName logging.debug('StringBinding %s' % self.__stringbinding) rpctransport = transport.DCERPCTransportFactory(self.__stringbinding) if self.__port in [139, 445]: # Setting credentials for SMB rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) # Setting remote host and port for SMB rpctransport.setRemoteHost(remoteHost) rpctransport.set_dport(self.__port) elif self.__port in [443]: # Setting credentials only for RpcProxy, but not for the RPC Transport rpctransport.set_proxy_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) else: # We don't need to authenticate to 135 and 593 ports pass try: entries = self.__fetchList(rpctransport) except Exception as e: #raise logging.critical('Protocol failed: %s' % e) if 'Invalid RPC Port' in str(e): logging.critical( "This usually means the target is a MS Exchange Server, " "which does not allow to connect to its epmapper using RpcProxy" ) if 'RPC Proxy CONN/A1 request failed, code: 0x6ba' in str(e): logging.critical( "This usually means the target has no ACL to connect to its epmapper using RpcProxy" ) # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors']) tmpUUID = str(entry['tower']['Floors'][0]) if (tmpUUID in endpoints) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if uuid.uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS: endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode( 'utf-8') endpoints[tmpUUID]['Bindings'].append(binding) if tmpUUID[:36] in epm.KNOWN_PROTOCOLS: endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" #print("Transfer Syntax: %s" % entry['tower']['Floors'][1]) for endpoint in list(endpoints.keys()): print("Protocol: %s " % endpoints[endpoint]['Protocol']) print("Provider: %s " % endpoints[endpoint]['EXE']) print("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])) print("Bindings: ") for binding in endpoints[endpoint]['Bindings']: print(" %s" % binding) print("") if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
def dump(self, remoteName, remoteHost): """Dumps the list of endpoints registered with the mapper listening at addr. remoteName is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % remoteName) entries = [] stringbinding = self.KNOWN_PROTOCOLS[self.__port]['bindstr'] % remoteName logging.debug('StringBinding %s'%stringbinding) rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(self.__port) if self.KNOWN_PROTOCOLS[self.__port]['set_host']: rpctransport.setRemoteHost(remoteHost) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) try: entries = self.__fetchList(rpctransport) except Exception as e: logging.critical('Protocol failed: %s' % e) # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors'], rpctransport.getRemoteHost()) tmpUUID = str(entry['tower']['Floors'][0]) if (tmpUUID in endpoints) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS: endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode('utf-8') endpoints[tmpUUID]['Bindings'].append(binding) if tmpUUID[:36] in epm.KNOWN_PROTOCOLS: endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" #print "Transfer Syntax: %s" % entry['Tower']['Floors'][1] for endpoint in list(endpoints.keys()): print("Protocol: %s " % endpoints[endpoint]['Protocol']) print("Provider: %s " % endpoints[endpoint]['EXE']) print("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])) print("Bindings: ") for binding in endpoints[endpoint]['Bindings']: print(" %s" % binding) print("") if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
Keytab.loadKeysFromKeytab (options.keytab, rpcuser, rpcdomain, options) options.k = True if options.aesKey is not None: options.k = True if rpcpass == '' and rpcuser != '' and options.hashes_rpc is None and options.no_pass is False and options.aesKey is None: from getpass import getpass rpcpass = getpass("Password for DCE/RPC communication:") if proxypass == '' and proxyuser != '' and options.hashes_rpcproxy is None: from getpass import getpass proxypass = getpass("Password for RPC proxy:") if options.uuid is not None: uuids = [uuid.string_to_uuidtup(options.uuid)] options.brute_uuids = True else: uuids = rpcdatabase.uuid_database try: lookuper = RPCMap(options.stringbinding, options.auth_level, options.brute_uuids, uuids, options.brute_opnums, options.opnum_max) lookuper.set_rpc_credentials(rpcuser, rpcpass, rpcdomain, options.hashes_rpc, options.aesKey, options.k, options.dc_ip) lookuper.set_proxy_credentials(proxyuser, proxypass, proxydomain, options.hashes_rpcproxy) lookuper.set_smb_info(options.target_ip, options.port) lookuper.connect() lookuper.do() lookuper.disconnect() except Exception as e: #raise logging.critical('Protocol failed: %s' % e)
class RPCDump: KNOWN_PROTOCOLS = { 135: {'bindstr': r'ncacn_ip_tcp:%s', 'set_host': False}, 139: {'bindstr': r'ncacn_np:%s[\pipe\epmapper]', 'set_host': True}, 445: {'bindstr': r'ncacn_np:%s[\pipe\epmapper]', 'set_host': True} } def __init__(self, username = '', password = '', domain='', hashes = None, port=135): self.__username = username self.__password = password self.__domain = domain self.__lmhash = '' self.__nthash = '' self.__port = port if hashes is not None: self.__lmhash, self.__nthash = hashes.split(':') def dump(self, remoteName, remoteHost): """Dumps the list of endpoints registered with the mapper listening at addr. remoteName is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % remoteName) entries = [] stringbinding = self.KNOWN_PROTOCOLS[self.__port]['bindstr'] % remoteName logging.debug('StringBinding %s'%stringbinding) rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(self.__port) if self.KNOWN_PROTOCOLS[self.__port]['set_host']: rpctransport.setRemoteHost(remoteHost) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) try: entries = self.__fetchList(rpctransport) except Exception, e: logging.critical('Protocol failed: %s' % e) # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors'], rpctransport.getRemoteHost()) tmpUUID = str(entry['tower']['Floors'][0]) if endpoints.has_key(tmpUUID) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if epm.KNOWN_UUIDS.has_key(uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]): endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1] endpoints[tmpUUID]['Bindings'].append(binding) if epm.KNOWN_PROTOCOLS.has_key(tmpUUID[:36]): endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" #print "Transfer Syntax: %s" % entry['Tower']['Floors'][1] for endpoint in endpoints.keys(): print "Protocol: %s " % endpoints[endpoint]['Protocol'] print "Provider: %s " % endpoints[endpoint]['EXE'] print "UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation']) print "Bindings: " for binding in endpoints[endpoint]['Bindings']: print " %s" % binding print "" if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
def parse_EPM_Entry_Floors(entry_Floors): entry_Tower_Floor_Info = { 'UUID': [], 'NDR_UUID': [], 'IP': '', 'PIPE': [], 'NETBIOS': [], 'APPLICATION': '', 'PROTOCOL': '' } for floor in entry_Floors: protocol = floor.getData()[2] protocol = int(ord(protocol)) if protocol == PROTO_ID_UUID: floor_fields = floor.fields # import ipdb; ipdb.set_trace() floor_MajorVersion = floor_fields.get('MajorVersion') floor_MinorVersion = floor_fields.get('MinorVersion') floor_InterfaceIdent = floor_fields.get('InterfaceIdent') floor_RHSByteCount = floor_fields.get('RHSByteCount') # different UUID definition in EPMFloor Structure from (impacket/dcerpc/v5/epm.py) floor_InterfaceUUID = floor_fields.get('InterfaceUUID') floor_DataRepUuid = floor_fields.get('DataRepUuid') floor_LHSByteCount = floor_fields.get('LHSByteCount') floor_UUID = floor_InterfaceUUID if floor_InterfaceUUID else floor_DataRepUuid floor_UUIDStr = uuid.bin_to_string(floor_UUID) floor_Version = float("%s.%s" % (floor_MajorVersion, floor_MinorVersion)) if not floor_UUIDStr: continue if floor_UUIDStr.upper() in (NDR64_UUID, NDR32_UUID): entry_Tower_Floor_Info['NDR_UUID'] = (floor_UUIDStr, floor_Version) else: entry_Tower_Floor_Info['UUID'] = (floor_UUIDStr, floor_Version) elif protocol == PROTO_ID_IP: floor_fields = floor.fields entry_Tower_Floor_Info['IP'] = socket.inet_ntoa( floor_fields['RelatedData']) elif protocol in (PROTO_ID_NAMED_PIPES, PROTO_ID_NAMED_PIPES_2): floor_fields = floor.fields named_pipe = floor_fields.get('RelatedData') if not named_pipe: continue if named_pipe not in entry_Tower_Floor_Info['PIPE']: entry_Tower_Floor_Info['PIPE'].append(named_pipe) elif protocol == PROTO_ID_NETBIOS: floor_fields = floor.fields netbios_name = floor_fields.get('RelatedData') if not netbios_name: continue if netbios_name not in entry_Tower_Floor_Info['NETBIOS']: entry_Tower_Floor_Info['NETBIOS'].append(netbios_name) entry_UUID = entry_Tower_Floor_Info['UUID'] if entry_UUID: # Add APPLICATION Info into entry_Tower_Floor_Info _uuid, _ver = entry_UUID key = uuid.uuidtup_to_bin(uuid.string_to_uuidtup(_uuid))[:18] application = epm.KNOWN_UUIDS[key] if key in epm.KNOWN_UUIDS else 'N/A' entry_Tower_Floor_Info['APPLICATION'] = application # Add POTOCOL Info into entry_Tower_Floor_Info key = _uuid[:36] protocol = epm.KNOWN_PROTOCOLS[ key] if key in epm.KNOWN_PROTOCOLS else 'N/A' entry_Tower_Floor_Info['PROTOCOL'] = protocol return entry_Tower_Floor_Info
def on_login(self, context, connection): entries = [] lmhash = getattr(connection, "lmhash", "") nthash = getattr(connection, "nthash", "") self.__stringbinding = KNOWN_PROTOCOLS[ self.port]['bindstr'] % connection.host logging.debug('StringBinding %s' % self.__stringbinding) rpctransport = transport.DCERPCTransportFactory(self.__stringbinding) rpctransport.set_credentials(connection.username, connection.password, connection.domain, lmhash, nthash) rpctransport.setRemoteHost(connection.host) rpctransport.set_dport(self.port) try: entries = self.__fetchList(rpctransport) except Exception as e: error_text = 'Protocol failed: %s' % e logging.critical(error_text) if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or \ RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \ RPC_PROXY_CONN_A1_404_ERR in error_text or \ RPC_PROXY_CONN_A1_0X6BA_ERR in error_text: logging.critical( "This usually means the target does not allow " "to connect to its epmapper using RpcProxy.") return # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors']) tmpUUID = str(entry['tower']['Floors'][0]) if (tmpUUID in endpoints) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if uuid.uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS: endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode( 'utf-8') endpoints[tmpUUID]['Bindings'].append(binding) if tmpUUID[:36] in epm.KNOWN_PROTOCOLS: endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" for endpoint in list(endpoints.keys()): if "MS-RPRN" in endpoints[endpoint]['Protocol']: logging.debug("Protocol: %s " % endpoints[endpoint]['Protocol']) logging.debug("Provider: %s " % endpoints[endpoint]['EXE']) logging.debug("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])) logging.debug("Bindings: ") for binding in endpoints[endpoint]['Bindings']: logging.debug(" %s" % binding) logging.debug("") context.log.highlight('Spooler service enabled') break if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
('C6F3EE72-CE7E-11D1-B71E-00C04FC3111A', '1.0'): listed, listening ('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0'): listed, listening ('E60C73E6-88F9-11CF-9AF1-0020AF6E72F4', '2.0'): listed, listening Usually, only AFA8BD80-...-89, the MGMT interface, is not listed but always listening on any port. This is imposed by the DCERPC spec. Author: Catalin Patulea <*****@*****.**> """ import sys, struct from impacket import uuid from impacket.dcerpc import transport, dcerpc, dcerpc_v4, ndrutils from impacket.dcerpc import mgmt uuid_database = set( uuid.string_to_uuidtup(line) for line in """ 00000001-0000-0000-c000-000000000046 v0.0 00000131-0000-0000-c000-000000000046 v0.0 00000132-0000-0000-c000-000000000046 v0.0 00000134-0000-0000-c000-000000000046 v0.0 00000136-0000-0000-c000-000000000046 v0.0 00000141-0000-0000-c000-000000000046 v0.0 00000143-0000-0000-c000-000000000046 v0.0 000001a0-0000-0000-c000-000000000046 v0.0 027947e1-d731-11ce-a357-000000000001 v0.0 04fcb220-fcfd-11cd-bec8-00aa0047ae4e v1.0 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 0a5a5830-58e0-11ce-a3cc-00aa00607271 v1.0 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0