def KerberosInit():
hLsaConnection = HANDLE()
status = DWORD(0)
LPTR = (0x0000 | 0x0040)
MICROSOFT_KERBEROS_NAME_A = PWSTR()
MICROSOFT_KERBEROS_NAME_A = windll.kernel32.LocalAlloc(LPTR, len("Kerberos") + 1)
memmove(MICROSOFT_KERBEROS_NAME_A, "Kerberos", len("Kerberos"))
status = LsaConnectUntrusted(byref(hLsaConnection))
if status != STATUS_SUCCESS:
print "LsaConnectUntrusted, cannot get LSA handle, error %d " % status
windll.kernel32.LocalFree(MICROSOFT_KERBEROS_NAME_A)
return None, None
kerberosPackageName = UNICODE_STRING()
kerberosPackageName.Length = USHORT(8)
kerberosPackageName.MaximumLength = USHORT(9)
kerberosPackageName.Buffer = MICROSOFT_KERBEROS_NAME_A
dwKerberosAuthenticationPackageId = DWORD(0)
status = LsaLookupAuthenticationPackage(hLsaConnection, byref(kerberosPackageName), byref(dwKerberosAuthenticationPackageId))
windll.kernel32.LocalFree(MICROSOFT_KERBEROS_NAME_A)
if status == STATUS_SUCCESS:
return hLsaConnection, dwKerberosAuthenticationPackageId
else:
return None, None
def Get_TGS(hLsaConnection, dwKerberosAuthenticationPackageId, SPNentry):
LPTR = (0x0000 | 0x0040)
list_of_target = SPNentry["serviceprincipalname"].split(";")
for target in list_of_target:
szSPN = create_unicode_buffer(target.lower())
dwSPNSize = USHORT((len(target)) * sizeof(wchar_t))
dwTicketPayloadSize = DWORD(sizeof(KERB_RETRIEVE_TKT_REQUEST) + dwSPNSize.value)
KerbRetrieveEncodedTicketMessage = 8
KERB_ETYPE_RC4_HMAC_NT = 23
KERB_RETRIEVE_TICKET_DONT_USE_CACHE = (0x1)
dwKerbRetrieveTicketRequestAddress = windll.kernel32.LocalAlloc(LPTR, dwTicketPayloadSize.value)
pKerbRetrieveTicketRequest = cast(dwKerbRetrieveTicketRequestAddress, PKERB_RETRIEVE_TKT_REQUEST)
pKerbRetrieveTicketRequest.contents.MessageType = KerbRetrieveEncodedTicketMessage
# current logon session context
pKerbRetrieveTicketRequest.contents.LogonID = 0
# TargetName
pKerbRetrieveTicketRequest.contents.TargetName.Length = USHORT(dwSPNSize.value)
pKerbRetrieveTicketRequest.contents.TargetName.MaximumLength = USHORT(dwSPNSize.value + sizeof(wchar_t))
dwKerbRetrieveTicketRequestBufferAddress = dwKerbRetrieveTicketRequestAddress + sizeof(KERB_RETRIEVE_TKT_REQUEST)
memmove(dwKerbRetrieveTicketRequestBufferAddress, szSPN, pKerbRetrieveTicketRequest.contents.TargetName.Length)
pKerbRetrieveTicketRequest.contents.TargetName.Buffer = cast(dwKerbRetrieveTicketRequestBufferAddress, PWSTR)
pKerbRetrieveTicketRequest.contents.TicketFlags = ULONG(0)
pKerbRetrieveTicketRequest.contents.CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE
pKerbRetrieveTicketRequest.contents.EncryptionType = KERB_ETYPE_RC4_HMAC_NT
pKerbRetrieveTicketRequest.contents.CredentialsHandle = SecHandle()
pKerbRetrieveTicketResponse = PVOID()
pKerbRetrieveTicketResponse = cast(pKerbRetrieveTicketResponse, PKERB_RETRIEVE_TKT_RESPONSE)
dwProtocolStatus = DWORD(0)
status = LsaCallAuthenticationPackage(hLsaConnection, dwKerberosAuthenticationPackageId, pKerbRetrieveTicketRequest, dwTicketPayloadSize, byref(pKerbRetrieveTicketResponse), byref(dwTicketPayloadSize), byref(dwProtocolStatus))
windll.kernel32.LocalFree(pKerbRetrieveTicketRequest)
if status == STATUS_SUCCESS and dwProtocolStatus.value == STATUS_SUCCESS and dwTicketPayloadSize.value != 0:
pKerbRetrieveTicketResponse = cast(pKerbRetrieveTicketResponse, PKERB_RETRIEVE_TKT_RESPONSE)
pEncodedTicket = pKerbRetrieveTicketResponse.contents.Ticket.EncodedTicket
dwEncodedTicketSize = pKerbRetrieveTicketResponse.contents.Ticket.EncodedTicketSize
Ticket = ""
for i in range(dwEncodedTicketSize):
Ticket += hex(pEncodedTicket[i]).replace("0x",'').zfill(2)
LsaFreeReturnBuffer(pKerbRetrieveTicketResponse)
return Ticket
else:
print " [-] Cannot retrieve ticket for account '%s' and SPN '%s', status: %s ; protocolstatus: %s" % (SPNentry["samaccountname"], target, hex(status), hex(dwProtocolStatus.value))
print " [+] Trying the next one."
print "[-] Could not retrieve any ticket for account '%s' and the list of SPN: '%s'" % (SPNentry["samaccountname"], SPNentry["serviceprincipalname"])
return 0
def __init__(self, format, engine=CompressionEngine.Maximum):
self.format = USHORT(format)
self.format_engine = USHORT(format | engine)
CompressBufferWorkSpaceSize = ULONG(0)
CompressFragmentWorkSpaceSize = ULONG(0)
Rtl.GetCompressionWorkSpaceSize(
self.format_engine, byref(CompressBufferWorkSpaceSize),
byref(CompressFragmentWorkSpaceSize))
self.ws = create_string_buffer(CompressBufferWorkSpaceSize.value)
def getUsages(self, usagePage, linkCollection=0):
maxUsages = hidDll.HidP_MaxUsageListLength(self._reportType,
hidpi.USAGE(usagePage),
self._dev._pd)
numUsages = ctypes.c_long(maxUsages)
usageList = (hidpi.USAGE * maxUsages)()
check_HidP_status(hidDll.HidP_GetUsages, self._reportType,
hidpi.USAGE(usagePage), USHORT(linkCollection),
ctypes.byref(usageList), ctypes.byref(numUsages),
self._dev._pd, self._reportBuf, self._reportSize)
return usageList[0:numUsages.value]
def DeviceConnect(path, db, field, cid):
if debug: print('Connecting to:', path)
cached = 1
device_found = -1
for j in range(len(db)):
address = db[j]['hwid'].split('_')[1]
if address in path:
device_found = j
cached = db[j]['status'] != 'connected'
if device_found < 0:
return db
hDevice = windll.kernel32.CreateFileW(path, GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE,
None, OPEN_EXISTING, 0, None)
ServicesBufferCount = USHORT()
BT.BluetoothGATTGetServices(hDevice, 0, None, byref(ServicesBufferCount),
BLUETOOTH_GATT_FLAG_NONE)
ServicesBuffer = new(BTH_LE_GATT_SERVICE * ServicesBufferCount.value)
BT.BluetoothGATTGetServices(hDevice, ServicesBufferCount,
byref(ServicesBuffer),
byref(ServicesBufferCount),
BLUETOOTH_GATT_FLAG_NONE)
for Service in ServicesBuffer:
CharacteristicsBufferCount = USHORT(0)
hr = BT.BluetoothGATTGetCharacteristics(
hDevice, byref(Service), 0, None,
byref(CharacteristicsBufferCount), BLUETOOTH_GATT_FLAG_NONE)
CharacteristicsBuffer = new(BTH_LE_GATT_CHARACTERISTIC *
CharacteristicsBufferCount.value)
CharacteristicsBufferActual = USHORT(0)
BT.BluetoothGATTGetCharacteristics(hDevice, byref(Service),
CharacteristicsBufferCount,
byref(CharacteristicsBuffer),
byref(CharacteristicsBufferActual),
BLUETOOTH_GATT_FLAG_NONE)
for Characteristic in CharacteristicsBuffer:
uuid = Characteristic.CharacteristicUuid.ShortUuid
charValueDataSize = USHORT()
hr = BT.BluetoothGATTGetCharacteristicValue(
hDevice, byref(Characteristic), 0, None,
byref(charValueDataSize), BLUETOOTH_GATT_FLAG_NONE
if cached else BLUETOOTH_GATT_FLAG_FORCE_READ_FROM_DEVICE)
pCharValueBuffer = BTH_LE_GATT_CHARACTERISTIC_VALUE()
resize(pCharValueBuffer, charValueDataSize.value)
hr = BT.BluetoothGATTGetCharacteristicValue(
hDevice, byref(Characteristic), charValueDataSize,
byref(pCharValueBuffer), None, BLUETOOTH_GATT_FLAG_NONE
if cached else BLUETOOTH_GATT_FLAG_FORCE_READ_FROM_DEVICE)
StringValue = string_at(byref(pCharValueBuffer, sizeof(ULONG)))
arr = bytearray(StringValue)
if uuid == 0x2A19: # battery level
value = 0 if len(arr) < 1 else arr[0]
elif uuid == 0x2A01: # appearance
value = int(codecs.encode(arr, 'hex'), 16)
value = Appearance(value)
else: # string
value = str(StringValue.decode(errors='ignore'))
if debug: print('\t%X' % uuid, value)
if device_found != -1 and uuid == cid:
db[device_found][field] = value
return db