def dump(self, addr):
"""Dumps the list of users and shares registered present at
addr. Addr is a valid host name or IP address.
"""
encoding = sys.getdefaultencoding()
self.gom.echo('[+] Retrieving endpoint list from %s' % addr)
# Try all requested protocols until one works.
entries = []
for protocol in self.__protocols:
protodef = SAMRDump.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
self.gom.echo("[+] Trying protocol %s..." % protocol)
rpctransport = transport.SMBTransport(addr, port, r'\samr',
self.__username,
self.__password)
try:
entries = self.__fetchList(rpctransport)
except Exception, e:
self.gom.echo('[!] Protocol failed: %s' % e)
raise
else:
# Got a response. No need for further iterations.
break
def doStuff(self, addr):
encoding = sys.getdefaultencoding()
# Try all requested protocols until one works.
entries = []
for protocol in self.__protocols:
protodef = WKSSVCstuff.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
print "Trying protocol %s..." % protocol
rpctransport = transport.SMBTransport(addr, port, r'\wkssvc',
self.__username,
self.__password,
self.__domain, self.__lmhash,
self.__nthash)
try:
entries = self.__fetchData(rpctransport)
except Exception, e:
print 'Protocol failed: %s' % e
raise
else:
# Got a response. No need for further iterations.
break
def dump(self, addr):
"""Dumps the list of users and shares registered present at
addr. Addr is a valid host name or IP address.
"""
encoding = sys.getdefaultencoding()
print
if (self.__username and self.__password):
print '[+] Attaching to ' + addr + ' using ' + self.__username + ":" + self.__password
elif (self.__username):
print '[+] Attaching to ' + addr + ' using ' + self.__username
else:
print '[+] Attaching to ' + addr + ' using a NULL share'
# Try all requested protocols until one works.
entries = []
for protocol in self.__protocols:
try:
protodef = SAMRDump.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
except KeyError, e:
print "\n\t[!] Invalid Protocol \'%s\'\n" % protocol
usage()
sys.exit(1)
print "\n\t[+] Trying protocol %s..." % protocol
rpctransport = transport.SMBTransport(addr, port, r'\samr',
self.__username,
self.__password)
try:
entries = self.__fetchList(rpctransport)
except Exception, e:
print '\n\t[!] Protocol failed: %s' % e
def getregistryconnection(sconn, ip):
global _dcerpctransport
#reuse the existing smb connection for dcerpc
_dcerpctransport = transport.SMBTransport(ip, 445, 'winreg', smb_connection=sconn)
_dcerpctransport.connect()
dce = _dcerpctransport.DCERPC_class(_dcerpctransport)
dce.bind(winreg.MSRPC_UUID_WINREG)
return winreg.DCERPCWinReg(dce)
def getShares(self):
# Setup up a DCE SMBTransport with the connection already in place
self._rpctransport = transport.SMBTransport('','',filename = r'\srvsvc', smb_server = self.client)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(self._dce)
resp = srv_svc.get_share_enum_1(self._rpctransport.get_dip())
return resp
def do_shares(self, line):
rpctransport = transport.SMBTransport(self.smb.get_remote_name(),
self.smb.get_remote_host(),
filename=r'\srvsvc',
smb_server=self.smb)
dce = dcerpc.DCERPC_v5(rpctransport)
dce.connect()
dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(dce)
resp = srv_svc.get_share_enum_1(rpctransport.get_dip())
for i in range(len(resp)):
print resp[i]['NetName'].decode('utf-16')
def listShares(self):
# Get the shares through RPC
from impacket.dcerpc import transport, dcerpc, srvsvc
rpctransport = transport.SMBTransport(self.getRemoteHost(),
self.getRemoteHost(),
filename=r'\srvsvc',
smb_connection=self)
dce = dcerpc.DCERPC_v5(rpctransport)
dce.connect()
dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(dce)
resp = srv_svc.get_share_enum_1(rpctransport.get_dip())
return resp
def openSvcManager(self):
print "[*] Opening SVCManager on %s....." % self.client.get_remote_host(),
# Setup up a DCE SMBTransport with the connection already in place
self._rpctransport = transport.SMBTransport('','',filename = r'\svcctl', smb_server = self.client)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(self._dce)
resp = self.rpcsvc.OpenSCManagerW()
if resp['ErrorCode'] == 0:
print "OK"
return resp['ContextHandle']
else:
print "ERROR"
return 0
def getShares(self):
# Setup up a DCE SMBTransport with the connection already in place
print "[*] Requesting shares on %s....." % (self.client.get_remote_host())
try:
self._rpctransport = transport.SMBTransport('','',filename = r'\srvsvc', smb_server = self.client)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(self._dce)
resp = srv_svc.get_share_enum_1(self._rpctransport.get_dip())
return resp
except:
print "[!] Error requesting shares on %s, aborting....." % (self.client.get_remote_host())
raise
def do_info(self, line):
rpctransport = transport.SMBTransport(self.smb.get_remote_name(),
self.smb.get_remote_host(),
filename=r'\srvsvc',
smb_server=self.smb)
dce = dcerpc.DCERPC_v5(rpctransport)
dce.connect()
dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(dce)
resp = srv_svc.get_server_info_102(rpctransport.get_dip())
print "Version Major: %d" % resp['VersionMajor']
print "Version Minor: %d" % resp['VersionMinor']
print "Server Name: %s" % resp['Name']
print "Server Comment: %s" % resp['Comment']
print "Server UserPath: %s" % resp['UserPath']
print "Simultaneous Users: %d" % resp['Users']
def openSvcManager(self):
#print "[*] Opening SVCManager on %s....." % self.connection.getRemoteHost()
# Setup up a DCE SMBTransport with the connection already in place
self._rpctransport = transport.SMBTransport(
'', '', filename=r'\svcctl', smb_connection=self.connection)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(self._dce)
try:
resp = self.rpcsvc.OpenSCManagerW()
except:
print "[!] Error opening SVCManager on %s....." % self.connection.getRemoteHost(
)
return 0
else:
return resp['ContextHandle']
def getShares(self):
"""Return a list of shares on the remote windows server."""
# Setup up a DCE SMBTransport with the connection already in place
print("[*] Requesting shares on %s....." %
(self.connection.getRemoteHost()))
try:
self._rpctransport = transport.SMBTransport(
'', '', filename=r'\srvsvc', smb_connection=self.connection)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
srv_svc = srvsvc.DCERPCSrvSvc(self._dce)
resp = srv_svc.get_share_enum_1(self._rpctransport.get_dip())
return resp
except Exception:
print("[!] Error requesting shares on %s, aborting....." %
(self.connection.getRemoteHost()))
raise
def DiscoverDNSport(target):
trans = transport.SMBTransport(target, 139, 'epmapper')
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(
uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0')))
pm = epm.DCERPCEpm(dce)
handle = '\x00' * 20
while 1:
dump = pm.portmap_dump(handle)
if not dump.get_entries_num():
break
handle = dump.get_handle()
entry = dump.get_entry().get_entry()
if (uuid.bin_to_string(
entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'):
port = entry.get_string_binding().split('[')[1][:-1]
return int(port)
print '[-] Could not locate DNS port; Target might not be running DNS'
