def tes_oaut(self):
    """Exercise the OAUT IDispatch path over DCOM.

    Connects through ``self.connect()``, asks the remote SCM activator to
    instantiate the CLSID below with IID_IDispatch, then walks
    GetTypeInfoCount -> GetTypeInfo -> GetTypeAttr.  Nothing is asserted:
    the calls only have to complete without a fault, and the interfaces
    are not released here.
    """
    dispatch_iid = string_to_bin('00020400-0000-0000-C000-000000000046')
    clsid = string_to_bin('4E14FBA2-2E22-11D1-9964-00C04FBBB345')
    dce, _transport = self.connect()
    activator = dcomrt.IRemoteSCMActivator(dce)
    instance = activator.RemoteCreateInstance(clsid, dispatch_iid)
    dispatch = oaut.IDispatch(instance)
    # dump() prints the GetTypeInfoCount response for manual inspection
    dispatch.GetTypeInfoCount().dump()
    type_info = dispatch.GetTypeInfo()
    type_info.GetTypeAttr()
def dacl_remove_ace(secdesc, guid, usersid, accesstype):
    """Remove one ACCESS_ALLOWED_OBJECT_ACE from the DACL of *secdesc*.

    The ACE removed is the first one whose trustee SID (canonical form)
    equals *usersid*, whose ObjectType equals the binary form of *guid*
    and whose access mask equals *accesstype*.  *secdesc* is modified in
    place.

    Returns True when an ACE was removed, False when nothing matched.
    """
    binguid = string_to_bin(guid)
    aces = secdesc['Dacl'].aces

    def is_target(ace):
        # The SID is read before the type check, as in the original loop.
        sid = ace['Ace']['Sid'].formatCanonical()
        if ace['AceType'] != ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE:
            return False
        return (sid == usersid
                and ace['Ace']['ObjectType'] == binguid
                and ace['Ace']['Mask']['Mask'] == accesstype)

    to_remove = next((ace for ace in aces if is_target(ace)), None)
    if not to_remove:
        # Not found
        return False
    # Found! Remove
    aces.remove(to_remove)
    return True
def tes_ie(self):
    """Walk the type library of a remote IWebBrowser instance.

    Activates CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8 through the remote
    SCM activator, wraps it as ie.IWebBrowser, looks up the dispatch id of
    'Navigate' and prints the name of every function described by the
    object's ITypeInfo.  Output is printed, nothing is asserted.
    """
    dce, rpctransport = self.connect()
    scm = dcomrt.IRemoteSCMActivator(dce)
    #iInterface = scm.RemoteCreateInstance(string_to_bin('0002DF01-0000-0000-C000-000000000046'),ie.IID_WebBrowser)
    # Activated against IID_IRemUnknown rather than the IID_WebBrowser variant kept above
    iInterface = scm.RemoteCreateInstance(string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8'),dcomrt.IID_IRemUnknown)
    iDispatch = ie.IWebBrowser(iInterface)
    resp = iDispatch.GetIDsOfNames(('Navigate',))
    print resp
    #sys.exit(1)
    iTypeInfo = iDispatch.GetTypeInfo()
    resp = iTypeInfo.GetTypeAttr()
    #resp.dump()
    # cFuncs = number of function descriptions reachable through GetFuncDesc
    for i in range(0,resp['ppTypeAttr']['cFuncs']):
        resp = iTypeInfo.GetFuncDesc(i)
        #resp.dump()
        #resp2 = iTypeInfo.GetNames(resp['ppFuncDesc']['memid'])
        #print resp2['rgBstrNames'][0]['asData']
        # the memid of the function description selects its documentation entry
        resp = iTypeInfo.GetDocumentation(resp['ppFuncDesc']['memid'])
        print resp['pBstrName']['asData']
    #iEventSystem.get_EventObjectChangeEventClassID()
    print "ACA"
    iTypeInfo.RemRelease()
    iDispatch.RemRelease()
    # NOTE(review): exits the interpreter with status 1, which aborts the
    # remaining test run; looks like leftover debugging.
    sys.exit(1)
def tes_ie(self):
    """Walk the type library of a remote IWebBrowser instance.

    Activates CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8 through the remote
    SCM activator, wraps it as ie.IWebBrowser, looks up the dispatch id of
    'Navigate' and prints the name of every function described by the
    object's ITypeInfo.  Output is printed, nothing is asserted.
    """
    dce, rpctransport = self.connect()
    scm = dcomrt.IRemoteSCMActivator(dce)
    #iInterface = scm.RemoteCreateInstance(string_to_bin('0002DF01-0000-0000-C000-000000000046'),ie.IID_WebBrowser)
    # Activated against IID_IRemUnknown rather than the IID_WebBrowser variant kept above
    iInterface = scm.RemoteCreateInstance(
        string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8'),
        dcomrt.IID_IRemUnknown)
    iDispatch = ie.IWebBrowser(iInterface)
    resp = iDispatch.GetIDsOfNames(('Navigate', ))
    print resp
    #sys.exit(1)
    iTypeInfo = iDispatch.GetTypeInfo()
    resp = iTypeInfo.GetTypeAttr()
    #resp.dump()
    # cFuncs = number of function descriptions reachable through GetFuncDesc
    for i in range(0, resp['ppTypeAttr']['cFuncs']):
        resp = iTypeInfo.GetFuncDesc(i)
        #resp.dump()
        #resp2 = iTypeInfo.GetNames(resp['ppFuncDesc']['memid'])
        #print resp2['rgBstrNames'][0]['asData']
        # the memid of the function description selects its documentation entry
        resp = iTypeInfo.GetDocumentation(resp['ppFuncDesc']['memid'])
        print resp['pBstrName']['asData']
    #iEventSystem.get_EventObjectChangeEventClassID()
    print "ACA"
    iTypeInfo.RemRelease()
    iDispatch.RemRelease()
    # NOTE(review): exits the interpreter with status 1, which aborts the
    # remaining test run; looks like leftover debugging.
    sys.exit(1)
def test_ie(self): dce, rpctransport = self.connect() scm = dcomrt.IRemoteSCMActivator(dce) #iInterface = scm.RemoteCreateInstance(string_to_bin('0002DF01-0000-0000-C000-000000000046'), ie.IID_WebBrowser) iInterface = scm.RemoteCreateInstance( string_to_bin('72C24DD5-D70A-438B-8A42-98424B88AFB8'), dcomrt.IID_IRemUnknown)
def get_dn_from_guid(guid, minimize=False):
    """Build the legacy DN that addresses an object by GUID.

    ``minimize`` selects the short MS-OXNSPI ``/guid=`` form; otherwise the
    longer ``/o=NT5/ou=0...0/cn=`` form shared by MS-NSPI and MS-OXNSPI is
    used.  The GUID is appended as the lowercase hex of its binary encoding.
    """
    prefix = "/guid=" if minimize else "/o=NT5/ou=00000000000000000000000000000000/cn="
    return prefix + string_to_bin(guid).hex()
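def test_map(self):
    """Ask the endpoint mapper (ept_map) where SAMR is reachable over TCP.

    The map tower has five floors: interface UUID
    12345778-1234-ABCD-EF00-0123456789AC v1.0 (SAMR), the NDR transfer
    syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0, protocol id 0xb
    (ncacn_ip_tcp), port 0 and host 0.0.0.0 (presumably acting as
    wildcards).  Up to four towers are requested; the reply is dumped,
    not asserted.  The unused ``tower2`` sample blob was dropped.
    """
    import socket

    dce, rpctransport = self.connect()

    interface = epm.EPMRPCInterface()
    interface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    interface['MajorVersion'] = 1
    interface['MinorVersion'] = 0

    dataRep = epm.EPMRPCDataRepresentation()
    dataRep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    dataRep['MajorVersion'] = 2
    dataRep['MinorVersion'] = 0

    protId = epm.EPMProtocolIdentifier()
    protId['ProtIdentifier'] = 0xb

    # Only used by the commented-out named-pipe tower variant below.
    pipeName = epm.EPMPipeName()
    pipeName['PipeName'] = '\x00'
    hostName = epm.EPMHostName()
    hostName['HostName'] = '\x00'

    portAddr = epm.EPMPortAddr()
    portAddr['IpPort'] = 0
    hostAddr = epm.EPMHostAddr()
    hostAddr['Ip4addr'] = socket.inet_aton('0.0.0.0')

    tower = epm.EPMTower()
    tower['NumberOfFloors'] = 5
    tower['Floors'] = (interface.getData() + dataRep.getData() + protId.getData()
                       + portAddr.getData() + hostAddr.getData())
    #tower['Floors'] = interface.getData() + dataRep.getData() + protId.getData() + pipeName.getData() + hostName.getData()

    request = epm.ept_map()
    request['max_towers'] = 4
    request['map_tower']['tower_length'] = len(tower)
    # str() of the structure yields its packed bytes (Python 2 behaviour)
    request['map_tower']['tower_octet_string'] = str(tower)
    #request.dumpRaw()
    resp = dce.request(request)
    resp.dump()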
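def test_map(self):
    """Ask the endpoint mapper (ept_map) where SAMR is reachable over TCP.

    The map tower has five floors: interface UUID
    12345778-1234-ABCD-EF00-0123456789AC v1.0 (SAMR), the NDR transfer
    syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0, protocol id 0xb
    (ncacn_ip_tcp), port 0 and host 0.0.0.0 (presumably acting as
    wildcards).  Up to four towers are requested; the reply is dumped,
    not asserted.  The unused ``tower2`` sample blob was dropped.
    """
    import socket

    dce, rpctransport = self.connect()

    interface = epm.EPMRPCInterface()
    interface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    interface['MajorVersion'] = 1
    interface['MinorVersion'] = 0

    dataRep = epm.EPMRPCDataRepresentation()
    dataRep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    dataRep['MajorVersion'] = 2
    dataRep['MinorVersion'] = 0

    protId = epm.EPMProtocolIdentifier()
    protId['ProtIdentifier'] = 0xb

    # Only used by the commented-out named-pipe tower variant below.
    pipeName = epm.EPMPipeName()
    pipeName['PipeName'] = '\x00'
    hostName = epm.EPMHostName()
    hostName['HostName'] = '\x00'

    portAddr = epm.EPMPortAddr()
    portAddr['IpPort'] = 0
    hostAddr = epm.EPMHostAddr()
    hostAddr['Ip4addr'] = socket.inet_aton('0.0.0.0')

    tower = epm.EPMTower()
    tower['NumberOfFloors'] = 5
    tower['Floors'] = (interface.getData() + dataRep.getData() + protId.getData()
                       + portAddr.getData() + hostAddr.getData())
    #tower['Floors'] = interface.getData() + dataRep.getData() + protId.getData() + pipeName.getData() + hostName.getData()

    request = epm.ept_map()
    request['max_towers'] = 4
    request['map_tower']['tower_length'] = len(tower)
    # str() of the structure yields its packed bytes (Python 2 behaviour)
    request['map_tower']['tower_octet_string'] = str(tower)
    #request.dumpRaw()
    resp = dce.request(request)
    resp.dump()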
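def test_map(self):
    """Ask the endpoint mapper (ept_map) where SAMR is reachable over TCP.

    The map tower has five floors: interface UUID
    12345778-1234-ABCD-EF00-0123456789AC v1.0 (SAMR), the NDR transfer
    syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0, protocol id 0xb
    (ncacn_ip_tcp), port 0 and host 0.0.0.0 (presumably acting as
    wildcards).  Up to four towers are requested; the reply is dumped,
    not asserted.  The unused pipe-name and host-name floors were dropped.
    """
    import socket

    dce, rpctransport = self.connect()

    interface = epm.EPMRPCInterface()
    interface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    interface['MajorVersion'] = 1
    interface['MinorVersion'] = 0

    dataRep = epm.EPMRPCDataRepresentation()
    dataRep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    dataRep['MajorVersion'] = 2
    dataRep['MinorVersion'] = 0

    protId = epm.EPMProtocolIdentifier()
    protId['ProtIdentifier'] = 0xb

    portAddr = epm.EPMPortAddr()
    portAddr['IpPort'] = 0
    hostAddr = epm.EPMHostAddr()
    hostAddr['Ip4addr'] = socket.inet_aton('0.0.0.0')

    tower = epm.EPMTower()
    tower['NumberOfFloors'] = 5
    tower['Floors'] = (interface.getData() + dataRep.getData() + protId.getData()
                       + portAddr.getData() + hostAddr.getData())

    request = epm.ept_map()
    request['max_towers'] = 4
    request['map_tower']['tower_length'] = len(tower)
    request['map_tower']['tower_octet_string'] = tower.getData()
    resp = dce.request(request)
    resp.dump()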
def get_dn_from_guid(guid, minimize=False):
    """Build the legacy DN that addresses an object by GUID.

    ``minimize`` selects the short MS-OXNSPI ``/guid=`` form; otherwise the
    longer ``/o=NT5/ou=0...0/cn=`` form shared by MS-NSPI and MS-OXNSPI is
    used.  The GUID is appended as the hex of its binary encoding; on
    Python 3 the hexlify() bytes are decoded as ASCII first.
    """
    if minimize:
        # MS-OXNSPI
        prefix = "/guid="
    else:
        # MS-NSPI and MS-OXNSPI
        prefix = "/o=NT5/ou=00000000000000000000000000000000/cn="
    hex_guid = binascii.hexlify(string_to_bin(guid))
    if not PY2:
        hex_guid = str(hex_guid, 'ascii')
    return "%s%s" % (prefix, hex_guid)
def create_object_ace(privguid, sid):
    """Build an ACCESS_ALLOWED_OBJECT_ACE granting control access on one right.

    The ACE gives the principal *sid* (passed to LDAP_SID.fromCanonical, so
    the textual S-1-... form is expected) ADS_RIGHT_DS_CONTROL_ACCESS on the
    extended right / property identified by *privguid*.  ObjectType is set
    and flagged with ACE_OBJECT_TYPE_PRESENT; InheritedObjectType is left
    empty and AceFlags is 0 (no inheritance flags).
    """
    mask = ldaptypes.ACCESS_MASK()
    mask['Mask'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CONTROL_ACCESS

    target_sid = ldaptypes.LDAP_SID()
    target_sid.fromCanonical(sid)

    body = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE()
    body['Mask'] = mask
    body['ObjectType'] = string_to_bin(privguid)
    body['InheritedObjectType'] = ''
    body['Sid'] = target_sid
    body['Flags'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_OBJECT_TYPE_PRESENT

    ace = ldaptypes.ACE()
    ace['AceType'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
    ace['AceFlags'] = 0x00
    ace['Ace'] = body
    return ace
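def test_map(self):
    """Ask the endpoint mapper (ept_map) where SAMR is reachable over TCP.

    The map tower has five floors: interface UUID
    12345778-1234-ABCD-EF00-0123456789AC v1.0 (SAMR), the NDR transfer
    syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0, protocol id 0xb
    (ncacn_ip_tcp), port 0 and host 0.0.0.0 (presumably acting as
    wildcards).  Up to four towers are requested; the reply is dumped,
    not asserted.  The unused pipe-name and host-name floors were dropped.
    """
    import socket

    dce, rpctransport = self.connect()

    interface = epm.EPMRPCInterface()
    interface['InterfaceUUID'] = string_to_bin('12345778-1234-ABCD-EF00-0123456789AC')
    interface['MajorVersion'] = 1
    interface['MinorVersion'] = 0

    dataRep = epm.EPMRPCDataRepresentation()
    dataRep['DataRepUuid'] = string_to_bin('8a885d04-1ceb-11c9-9fe8-08002b104860')
    dataRep['MajorVersion'] = 2
    dataRep['MinorVersion'] = 0

    protId = epm.EPMProtocolIdentifier()
    protId['ProtIdentifier'] = 0xb

    portAddr = epm.EPMPortAddr()
    portAddr['IpPort'] = 0
    hostAddr = epm.EPMHostAddr()
    hostAddr['Ip4addr'] = socket.inet_aton('0.0.0.0')

    tower = epm.EPMTower()
    tower['NumberOfFloors'] = 5
    tower['Floors'] = (interface.getData() + dataRep.getData() + protId.getData()
                       + portAddr.getData() + hostAddr.getData())

    request = epm.ept_map()
    request['max_towers'] = 4
    request['map_tower']['tower_length'] = len(tower)
    request['map_tower']['tower_octet_string'] = tower.getData()
    resp = dce.request(request)
    resp.dump()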
from multiprocessing import Pool
from ldap3.utils.conv import escape_filter_chars
from impacket.ldap.ldaptypes import OBJECTTYPE_GUID_MAP
from impacket.uuid import string_to_bin, bin_to_string
from bloodhound.ad.utils import ADUtils
from dissect import cstruct
from io import BytesIO
import binascii
import pprint

# Extended rights and property GUID mapping, converted to binary so we don't have to do this
# for every comparison.
# Source: https://msdn.microsoft.com/en-us/library/cc223512.aspx
# Keys are the short names used when emitting ACL relations; values are the
# 16-byte binary GUIDs, directly comparable with the ObjectType field of an ACE.
EXTRIGHTS_GUID_MAPPING = {
    # DS-Replication-Get-Changes control access right
    "GetChanges": string_to_bin("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    # DS-Replication-Get-Changes-All control access right
    "GetChangesAll": string_to_bin("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    # 'member' attribute (property GUID, not an extended right)
    "WriteMember": string_to_bin("bf9679c0-0de6-11d0-a285-00aa003049e2"),
    # User-Force-Change-Password control access right
    "UserForceChangePassword": string_to_bin("00299570-246d-11d0-a768-00aa006e0529"),
}

def parse_binary_acl(entry, entrytype, acl):
    """
    Main ACL structure parse function. This is offloaded to subprocesses and takes
    the current entry and the acl data as argument. This is then returned and processed
    back in the main process
    """
# 5.113 LDAP_CONN_PROPERTIES BND = 0x00000001 SSL = 0x00000002 UDP = 0x00000004 GC = 0x00000008 GSS = 0x00000010 NGO = 0x00000020 SPL = 0x00000040 MD5 = 0x00000080 SGN = 0x00000100 SL = 0x00000200 # 5.137 NTSAPI_CLIENT_GUID NTDSAPI_CLIENT_GUID = string_to_bin('e24d201a-4fd6-11d1-a3da-0000f875ae0d') # 5.139 NULLGUID NULLGUID = string_to_bin('00000000-0000-0000-0000-000000000000') # 5.205 USN USN = LONGLONG # 4.1.4.1.2 DRS_MSG_CRACKREQ_V1 DS_NAME_FLAG_GCVERIFY = 0x00000004 DS_NAME_FLAG_TRUST_REFERRAL = 0x00000008 DS_NAME_FLAG_PRIVATE_RESOLVE_FPOS = 0x80000000 DS_LIST_SITES = 0xFFFFFFFF DS_LIST_SERVERS_IN_SITE = 0xFFFFFFFE DS_LIST_DOMAINS_IN_SITE = 0xFFFFFFFD
if self.error_code in hresult_errors.ERROR_MESSAGES: error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0] error_msg_verbose = hresult_errors.ERROR_MESSAGES[ self.error_code][1] return 'OAUT SessionError: code: 0x%x - %s - %s' % ( self.error_code, error_msg_short, error_msg_verbose) else: return 'OAUT SessionError: unknown error code: 0x%x' % ( self.error_code) ################################################################################ # CONSTANTS ################################################################################ # 1.9 Standards Assignments IID_IDispatch = string_to_bin('00020400-0000-0000-C000-000000000046') IID_ITypeInfo = string_to_bin('00020401-0000-0000-C000-000000000046') IID_ITypeComp = string_to_bin('00020403-0000-0000-C000-000000000046') IID_NULL = string_to_bin('00000000-0000-0000-0000-000000000000') error_status_t = ULONG LCID = DWORD WORD = NDRUSHORT # 2.2.2 IID IID = GUID # 2.2.3 LPOLESTR LPOLESTR = LPWSTR OLESTR = WSTR
def __init__(self, error_string=None, error_code=None, packet=None):
    """Forward the constructor arguments unchanged to DCERPCException."""
    DCERPCException.__init__(self, error_string, error_code, packet)

def __str__( self ):
    """Render self.error_code with its short and verbose HRESULT text when known."""
    # has_key() exists only on Python 2 dicts; `in` would be the portable spelling.
    if hresult_errors.ERROR_MESSAGES.has_key(self.error_code):
        error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
        error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1]
        return 'OAUT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
    else:
        return 'OAUT SessionError: unknown error code: 0x%x' % (self.error_code)

################################################################################
# CONSTANTS
################################################################################
# 1.9 Standards Assignments
# Interface identifiers, pre-converted to 16-byte binary GUIDs.
IID_IDispatch = string_to_bin('00020400-0000-0000-C000-000000000046')
IID_ITypeInfo = string_to_bin('00020401-0000-0000-C000-000000000046')
IID_ITypeComp = string_to_bin('00020403-0000-0000-C000-000000000046')
IID_NULL = string_to_bin('00000000-0000-0000-0000-000000000000')
error_status_t = ULONG
LCID = DWORD
WORD = NDRUSHORT
# 2.2.2 IID
IID = GUID
# 2.2.3 LPOLESTR
LPOLESTR = LPWSTR
OLESTR = WSTR
def test_RChangeServiceConfig2W(self):
    """Create TESTSVC and push every RChangeServiceConfig2W info level at it.

    For levels 1-8 the request is sent and, where a comparable value
    exists, read back through self.changeServiceAndQuery2.  Levels 9-11
    are only populated: the author left their requests commented out as
    "doesn't work".  Any exception is printed and recorded in ``error``.
    """
    dce, rpctransport, scHandle = self.connect()
    # Service creation parameters; NULL for the optional pointers.
    lpServiceName = 'TESTSVC\x00'
    lpDisplayName = 'DisplayName\x00'
    dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
    dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
    dwStartType = scmr.SERVICE_DEMAND_START
    dwErrorControl = scmr.SERVICE_ERROR_NORMAL
    lpBinaryPathName = 'binaryPath\x00'
    lpLoadOrderGroup = NULL
    lpdwTagId = NULL
    lpDependencies = NULL
    dwDependSize = 0
    lpServiceStartName = NULL
    lpPassword = NULL
    dwPwSize = 0
    resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize)
    resp.dump()
    newHandle = resp['lpServiceHandle']
    error = False
    try:
        # The same request object is reused; dwInfoLevel and the union tag
        # are kept in step for every level.
        request = scmr.RChangeServiceConfig2W()
        request['hService'] = newHandle
        request['Info']['dwInfoLevel'] = 1
        request['Info']['Union']['tag'] = 1
        request['Info']['Union']['psd']['lpDescription'] = u'betobeto\x00'
        resp = dce.request(request)
        resp.dump()
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psd']['lpDescription'])
        request['Info']['dwInfoLevel'] = 2
        request['Info']['Union']['tag'] = 2
        # '\00' is an octal escape for NUL, same terminator as '\x00'
        request['Info']['Union']['psfa']['lpRebootMsg'] = u'rebootMsg\00'
        request['Info']['Union']['psfa']['lpCommand'] = u'lpCommand\00'
        resp = dce.request(request)
        resp.dump()
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psfa']['lpRebootMsg'])
        request['Info']['dwInfoLevel'] = 3
        request['Info']['Union']['tag'] = 3
        request['Info']['Union']['psda']['fDelayedAutostart'] = 1
        resp = dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psda']['fDelayedAutostart'])
        request['Info']['dwInfoLevel'] = 4
        request['Info']['Union']['tag'] = 4
        request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures'] = 1
        resp = dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures'])
        request['Info']['dwInfoLevel'] = 5
        request['Info']['Union']['tag'] = 5
        request['Info']['Union']['pssid']['dwServiceSidType'] = 1
        resp = dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pssid']['dwServiceSidType'])
        request['Info']['dwInfoLevel'] = 6
        request['Info']['Union']['tag'] = 6
        # Double NUL: the privilege list is a REG_MULTI_SZ style UTF-16LE block.
        request['Info']['Union']['psrp']['pRequiredPrivileges'] = list(u'SeAssignPrimaryTokenPrivilege\x00\x00'.encode('utf-16le'))
        resp = dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psrp']['pRequiredPrivileges'])
        request['Info']['dwInfoLevel'] = 7
        request['Info']['Union']['tag'] = 7
        request['Info']['Union']['psps']['dwPreshutdownTimeout'] = 22
        resp = dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psps']['dwPreshutdownTimeout'])
        request['Info']['dwInfoLevel'] = 8
        request['Info']['Union']['tag'] = 8
        #request.dump()
        trigger = scmr.SERVICE_TRIGGER()
        trigger['dwTriggerType'] = scmr.SERVICE_TRIGGER_TYPE_DOMAIN_JOIN
        trigger['dwAction'] = scmr.SERVICE_TRIGGER_ACTION_SERVICE_START
        trigger['pTriggerSubtype'] = string_to_bin(scmr.DOMAIN_JOIN_GUID)
        # NOTE(review): `item` is built but never attached; pDataItems is
        # sent as NULL (the append is commented out below).
        item = scmr.SERVICE_TRIGGER_SPECIFIC_DATA_ITEM()
        item['dwDataType'] = scmr.SERVICE_TRIGGER_DATA_TYPE_STRING
        item['pData'] = list(u'FREEFLY\x00'.encode('utf-16le'))
        #trigger['pDataItems'].append(item)
        trigger['pDataItems'] = NULL
        request['Info']['Union']['psti']['pTriggers'].append(trigger)
        resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, '\x00')
        request['Info']['dwInfoLevel'] = 9
        request['Info']['Union']['tag'] = 9
        request['Info']['Union']['pspn']['usPreferredNode'] = 22
        # This one doesn't work
        #resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pspn']['usPreferredNode'])
        request['Info']['dwInfoLevel'] = 10
        request['Info']['Union']['tag'] = 10
        request['Info']['Union']['psri']['eLowestRunLevel'] = 1
        # This one doesn't work
        #resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psri']['eLowestRunLevel'])
        request['Info']['dwInfoLevel'] = 11
        request['Info']['Union']['tag'] = 11
        request['Info']['Union']['psma']['fIsManagedAccount'] = 1
        # This one doesn't work
        #resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psma']['fIsManagedAccount'])
    except Exception, e:
        # Python 2 except syntax; the failure is only recorded here, not re-raised.
        import traceback
        traceback.print_exc()
        print e
        error = True
        pass
DCERPCException.__init__(self, error_string, error_code, packet) def __str__( self ): key = self.error_code if system_errors.ERROR_MESSAGES.has_key(key): error_msg_short = system_errors.ERROR_MESSAGES[key][0] error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] return 'BKRP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose) else: return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code ################################################################################ # CONSTANTS ################################################################################ BACKUPKEY_BACKUP_GUID = string_to_bin("7F752B10-178E-11D1-AB8F-00805F14DB40") BACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin("7FE94D50-178E-11D1-AB8F-00805F14DB40") BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin("018FF48A-EABA-40C6-8F6D-72370240E967") BACKUPKEY_RESTORE_GUID = string_to_bin("47270C64-2FC7-499B-AC5B-0E37CDCE899A") ################################################################################ # STRUCTURES ################################################################################ class BYTE_ARRAY(NDRUniConformantArray): item = 'c' class PBYTE_ARRAY(NDRPOINTER): referent = ( ('Data', BYTE_ARRAY), )
def get_guid_from_dn(legacyDN):
    """Return the binary GUID encoded at the end of a legacy DN.

    The GUID is whatever follows the last '=' in ``str(legacyDN)``; when the
    DN contains no '=' the whole string is used.  Conversion is done by
    ``uuid.string_to_bin``.
    """
    text = str(legacyDN)
    _, _, guid_text = text.rpartition("=")
    return uuid.string_to_bin(guid_text)
def test_DRSGetNCChanges(self):
    """Issue a DRSGetNCChanges (V10) for one object and decode its unicodePwd.

    Marked "Not yet working" by the author.  The request asks for
    EXOP_REPL_OBJ | EXOP_REPL_SECRETS on the DN held in ``name``; the
    returned attributes are scanned for ATTRTYP 589914 (unicodePwd) and
    0x00090092 (treated as the SID), whose last four bytes give the RID
    used to strip the DES layer.  Results are printed, nothing is asserted.
    """
    # Not yet working
    dce, rpctransport, hDrs = self.connect()
    request = drsuapi.DRSGetNCChanges()
    request['hDrs'] = hDrs
    request['dwInVersion'] = 10
    request['pmsgIn']['tag'] =10
    # Both GUIDs are hard-coded to the same value; presumably they have to
    # match the DC of the test environment.
    request['pmsgIn']['V10']['uuidDsaObjDest'] = string_to_bin('e85bbad7-0923-41cb-911e-3691d2014815')
    request['pmsgIn']['V10']['uuidInvocIdSrc'] = string_to_bin('e85bbad7-0923-41cb-911e-3691d2014815')
    #request['pmsgIn']['V10']['pNC'] = NULL
    # The object is addressed by string name only: no GUID, no SID.
    dsName = drsuapi.DSNAME()
    dsName['SidLen'] = 0
    dsName['Guid'] = drsuapi.NULLGUID
    dsName['Sid'] = ''
    #name = 'CN=NTDS Settings,CN=FREEFLY-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=FREEFLY,DC=NET'
    #name = 'CN=admin,CN=Users,DC=FREEFLY,DC=NET'
    name = 'CN=krbtgt,CN=Users,DC=FREEFLY,DC=NET'
    #name = 'DC=FREEFLY,DC=NET'
    #name = 'CN=Schema,CN=Configuration,DC=FREEFLY,DC=NET'
    #name = 'CN=Aggregate,CN=Schema,CN=Configuration,DC=FREEFLY,DC=NET'
    dsName['NameLen'] = len(name)
    dsName['StringName'] = (name + '\x00')
    dsName['structLen'] = len(dsName.getData())
    request['pmsgIn']['V10']['pNC'] = dsName
    request['pmsgIn']['V10']['usnvecFrom']['usnHighObjUpdate'] = 0
    request['pmsgIn']['V10']['usnvecFrom']['usnHighPropUpdate'] = 0
    request['pmsgIn']['V10']['pUpToDateVecDest'] = NULL
    request['pmsgIn']['V10']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_PER_SYNC #| drsuapi.DRS_CRITICAL_ONLY
    request['pmsgIn']['V10']['cMaxObjects'] = 50
    request['pmsgIn']['V10']['cMaxBytes'] = 0
    request['pmsgIn']['V10']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ | drsuapi.EXOP_REPL_SECRETS
    request['pmsgIn']['V10']['pPartialAttrSet'] = NULL
    request['pmsgIn']['V10']['pPartialAttrSetEx1'] = NULL
    request['pmsgIn']['V10']['PrefixTableDest']['pPrefixEntry'] = NULL
    #request['pmsgIn']['V10']['ulMoreFlags'] = 0
    from impacket.winregistry import hexdump
    print 'SESSION KEY'
    hexdump(dce.get_session_key())
    resp = dce.request(request)
    resp.dump()
    # Raw ATTRTYP values compared directly; 589914 is unicodePwd per the name.
    unicodePwdAttr = 589914
    for attr in resp['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']:
        if attr['attrTyp'] == unicodePwdAttr:
            print "Found encrypted unicodePwd"
            encryptedUnicodePwd = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])
        elif attr['attrTyp'] == 0x00090092:
            import struct
            # RID = last 32-bit sub-authority of the SID, little-endian
            userSid = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])[-4:]
            userRid = struct.unpack('<L', userSid)[0]
            print "Found RID ", userRid
    # NOTE(review): encryptedUnicodePwd and userRid are only bound when the
    # matching attributes were present in the reply; otherwise NameError.
    ntHash = drsuapi.DecryptAttributeValue(dce, encryptedUnicodePwd)
    # Now remove the DES layer
    ntHash = drsuapi.removeDESLayer(ntHash, userRid)
    print "User: %s" % name
    print "HTHASH ", ntHash.encode('hex')
def test_RChangeServiceConfig2W(self):
    """Drive every RChangeServiceConfig2W info level against a throwaway service.

    TESTSVC is opened or created through self.open_or_create_service, then
    levels 1-8 are sent and, where the helper can compare them, verified
    through self.changeServiceAndQuery2.  Levels 9-11 are only populated;
    their requests stay commented out as "doesn't work".  Any exception is
    printed and recorded in ``error``; the service is deleted and both
    handles closed regardless, and the test fails afterwards if an error
    was recorded.
    """
    dce, rpc_transport = self.connect()
    scHandle = self.get_service_handle(dce)
    newHandle = self.open_or_create_service(dce, scHandle, 'TESTSVC\x00', 'DisplayName\x00', 'binaryPath\x00')
    error = False
    try:
        # The same request object is reused; dwInfoLevel and the union tag
        # are kept in step for every level.
        request = scmr.RChangeServiceConfig2W()
        request['hService'] = newHandle
        request['Info']['dwInfoLevel'] = 1
        request['Info']['Union']['tag'] = 1
        request['Info']['Union']['psd']['lpDescription'] = 'betobeto\x00'
        resp = dce.request(request)
        resp.dump()
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psd']['lpDescription'])
        request['Info']['dwInfoLevel'] = 2
        request['Info']['Union']['tag'] = 2
        # '\00' is an octal escape for NUL, same terminator as '\x00'
        request['Info']['Union']['psfa']['lpRebootMsg'] = 'rebootMsg\00'
        request['Info']['Union']['psfa']['lpCommand'] = 'lpCommand\00'
        resp = dce.request(request)
        resp.dump()
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psfa']['lpRebootMsg'])
        request['Info']['dwInfoLevel'] = 3
        request['Info']['Union']['tag'] = 3
        request['Info']['Union']['psda']['fDelayedAutostart'] = 1
        dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psda']['fDelayedAutostart'])
        request['Info']['dwInfoLevel'] = 4
        request['Info']['Union']['tag'] = 4
        request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures'] = 1
        dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures'])
        request['Info']['dwInfoLevel'] = 5
        request['Info']['Union']['tag'] = 5
        request['Info']['Union']['pssid']['dwServiceSidType'] = 1
        dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pssid']['dwServiceSidType'])
        request['Info']['dwInfoLevel'] = 6
        request['Info']['Union']['tag'] = 6
        # Double NUL: the privilege list is a REG_MULTI_SZ style UTF-16LE block.
        request['Info']['Union']['psrp']['pRequiredPrivileges'] = list('SeAssignPrimaryTokenPrivilege\x00\x00'.encode('utf-16le'))
        dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psrp']['pRequiredPrivileges'])
        request['Info']['dwInfoLevel'] = 7
        request['Info']['Union']['tag'] = 7
        request['Info']['Union']['psps']['dwPreshutdownTimeout'] = 22
        dce.request(request)
        self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psps']['dwPreshutdownTimeout'])
        request['Info']['dwInfoLevel'] = 8
        request['Info']['Union']['tag'] = 8
        #request.dump()
        trigger = scmr.SERVICE_TRIGGER()
        trigger['dwTriggerType'] = scmr.SERVICE_TRIGGER_TYPE_DOMAIN_JOIN
        trigger['dwAction'] = scmr.SERVICE_TRIGGER_ACTION_SERVICE_START
        trigger['pTriggerSubtype'] = string_to_bin(scmr.DOMAIN_JOIN_GUID)
        # NOTE(review): `item` is built but never attached; pDataItems is
        # sent as NULL (the append is commented out below).
        item = scmr.SERVICE_TRIGGER_SPECIFIC_DATA_ITEM()
        item['dwDataType'] = scmr.SERVICE_TRIGGER_DATA_TYPE_STRING
        item['pData'] = list('FREEFLY\x00'.encode('utf-16le'))
        #trigger['pDataItems'].append(item)
        trigger['pDataItems'] = NULL
        request['Info']['Union']['psti']['pTriggers'].append(trigger)
        dce.request(request)
        #self.changeServiceAndQuery2(dce, request, '\x00')
        request['Info']['dwInfoLevel'] = 9
        request['Info']['Union']['tag'] = 9
        request['Info']['Union']['pspn']['usPreferredNode'] = 22
        # This one doesn't work
        #resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pspn']['usPreferredNode'])
        request['Info']['dwInfoLevel'] = 10
        request['Info']['Union']['tag'] = 10
        request['Info']['Union']['psri']['eLowestRunLevel'] = 1
        # This one doesn't work
        #resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psri']['eLowestRunLevel'])
        request['Info']['dwInfoLevel'] = 11
        request['Info']['Union']['tag'] = 11
        request['Info']['Union']['psma']['fIsManagedAccount'] = 1
        # This one doesn't work
        #resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psma']['fIsManagedAccount'])
    except Exception as e:
        # Swallowed on purpose so the cleanup below always runs; the failure
        # is reported through self.fail() afterwards.
        import traceback
        traceback.print_exc()
        print(e)
        error = True
        pass
    # Cleanup runs outside the try so the test service is removed even when a level failed.
    scmr.hRDeleteService(dce, newHandle)
    scmr.hRCloseServiceHandle(dce, newHandle)
    scmr.hRCloseServiceHandle(dce, scHandle)
    if error:
        self.fail()
if (hresult_errors.ERROR_MESSAGES.has_key(self.error_code)): error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0] error_msg_verbose = hresult_errors.ERROR_MESSAGES[ self.error_code][1] return 'SCMP SessionError: code: 0x%x - %s - %s' % ( self.error_code, error_msg_short, error_msg_verbose) else: return 'SCMP SessionError: unknown error code: 0x%x' % ( self.error_code) ################################################################################ # CONSTANTS ################################################################################ # 1.9 Standards Assignments CLSID_ShadowCopyProvider = string_to_bin( '0b5a2c52-3eb9-470a-96e2-6c6d4570e40f') IID_IVssSnapshotMgmt = string_to_bin('FA7DF749-66E7-4986-A27F-E2F04AE53772') IID_IVssEnumObject = string_to_bin('AE1C7110-2F60-11d3-8A39-00C04F72D8E3') IID_IVssDifferentialSoftwareSnapshotMgmt = string_to_bin( '214A0F28-B737-4026-B847-4F9E37D79529') IID_IVssEnumMgmtObject = string_to_bin('01954E6B-9254-4e6e-808C-C9E05D007696') IID_ShadowCopyProvider = string_to_bin('B5946137-7B9F-4925-AF80-51ABD60B20D5') # 2.2.1.1 VSS_ID class VSS_ID(NDRSTRUCT): structure = (('Data', '16s=""'), ) def getAlignment(self): return 2
if (hresult_errors.ERROR_MESSAGES.has_key(self.error_code)): error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0] error_msg_verbose = hresult_errors.ERROR_MESSAGES[ self.error_code][1] return 'VDS SessionError: code: 0x%x - %s - %s' % ( self.error_code, error_msg_short, error_msg_verbose) else: return 'VDS SessionError: unknown error code: 0x%x' % ( self.error_code) ################################################################################ # CONSTANTS ################################################################################ # 1.9 Standards Assignments CLSID_VirtualDiskService = string_to_bin( '7D1933CB-86F6-4A98-8628-01BE94C9A575') IID_IEnumVdsObject = string_to_bin('118610B7-8D94-4030-B5B8-500889788E4E') IID_IVdsAdviseSink = string_to_bin('8326CD1D-CF59-4936-B786-5EFC08798E25') IID_IVdsAsync = string_to_bin('D5D23B6D-5A55-4492-9889-397A3C2D2DBC') IID_IVdsServiceInitialization = string_to_bin( '4AFC3636-DB01-4052-80C3-03BBCB8D3C69') IID_IVdsService = string_to_bin('0818A8EF-9BA9-40D8-A6F9-E22833CC771E') IID_IVdsSwProvider = string_to_bin('9AA58360-CE33-4F92-B658-ED24B14425B8') IID_IVdsProvider = string_to_bin('10C5E575-7984-4E81-A56B-431F5F92AE42') error_status_t = ULONG # 2.2.1.1.3 VDS_OBJECT_ID VDS_OBJECT_ID = GUID
import threading
from multiprocessing import Pool
from ldap3.utils.conv import escape_filter_chars
from impacket.uuid import string_to_bin, bin_to_string
from bloodhound.ad.utils import ADUtils
from bloodhound.lib import cstruct
from io import BytesIO
import binascii
import pprint
from future.utils import iteritems, native_str

# Extended rights and property GUID mapping, converted to binary so we don't have to do this
# for every comparison.
# Source: https://msdn.microsoft.com/en-us/library/cc223512.aspx
# Keys are the short names used when emitting ACL relations; values are the
# 16-byte binary GUIDs, directly comparable with the ObjectType field of an ACE.
EXTRIGHTS_GUID_MAPPING = {
    # DS-Replication-Get-Changes control access right
    "GetChanges": string_to_bin("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    # DS-Replication-Get-Changes-All control access right
    "GetChangesAll": string_to_bin("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    # 'member' attribute (property GUID, not an extended right)
    "WriteMember": string_to_bin("bf9679c0-0de6-11d0-a285-00aa003049e2"),
    # User-Force-Change-Password control access right
    "UserForceChangePassword": string_to_bin("00299570-246d-11d0-a768-00aa006e0529"),
}

def parse_binary_acl(entry, entrytype, acl, objecttype_guid_map):
    """
    Main ACL structure parse function. This is offloaded to subprocesses and takes
    the current entry and the acl data as argument. This is then returned and processed
    back in the main process
    """
    # An absent/empty ACL yields the entry untouched and no relations.
    if not acl:
        return entry, []
    sd = SecurityDescriptor(BytesIO(acl))
    relations = []
def __str__(self): key = self.error_code if key in system_errors.ERROR_MESSAGES: error_msg_short = system_errors.ERROR_MESSAGES[key][0] error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] return 'BKRP SessionError: code: 0x%x - %s - %s' % ( self.error_code, error_msg_short, error_msg_verbose) else: return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code ################################################################################ # CONSTANTS ################################################################################ BACKUPKEY_BACKUP_GUID = string_to_bin("7F752B10-178E-11D1-AB8F-00805F14DB40") BACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin( "7FE94D50-178E-11D1-AB8F-00805F14DB40") BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin( "018FF48A-EABA-40C6-8F6D-72370240E967") BACKUPKEY_RESTORE_GUID = string_to_bin("47270C64-2FC7-499B-AC5B-0E37CDCE899A") ################################################################################ # STRUCTURES ################################################################################ class BYTE_ARRAY(NDRUniConformantArray): item = 'c' class PBYTE_ARRAY(NDRPOINTER):
def hIpTransitionDeletev6Inv4Tunnel(dce, tunnel_guid):
    """Delete a v6-in-v4 transition tunnel identified by its GUID string.

    Builds an IpTransitionDeletev6Inv4Tunnel request with *tunnel_guid*
    converted to its binary form and returns whatever ``dce.request``
    yields for it.
    """
    req = IpTransitionDeletev6Inv4Tunnel()
    req['TunnelGuid'] = uuid.string_to_bin(tunnel_guid)
    response = dce.request(req)
    return response
def getProviderName(self):
    """Return the exe name that ndrutils maps to this object's UUID and version.

    The lookup key is the binary UUID followed by the version packed as a
    little-endian 16-bit value.
    """
    binary_uuid = uuid.string_to_bin(self.getUUID())
    version_le = struct.pack('<H', self.getVersion())
    return ndrutils.uuid_to_exe(binary_uuid + version_le)
NSPI_DEFAULT_LOCALE = 0x00000409 # 2.2.5 Required Codepages CP_TELETEX = 0x00004F25 CP_WINUNICODE = 0x000004B0 # 2.2.6.1 Comparison Flags NORM_IGNORECASE = 1 << 0 NORM_IGNORENONSPACE = 1 << 1 NORM_IGNORESYMBOLS = 1 << 2 SORT_STRINGSORT = 1 << 12 NORM_IGNOREKANATYPE = 1 << 16 NORM_IGNOREWIDTH = 1 << 17 # 2.2.7 Permanent Entry ID GUID GUID_NSPI = string_to_bin("C840A7DC-42C0-1A10-B4B9-08002B2FE182") # 2.2.8 Positioning Minimal Entry IDs MID_BEGINNING_OF_TABLE = 0x00000000 MID_END_OF_TABLE = 0x00000002 MID_CURRENT = 0x00000001 # 2.2.9 Ambiguous Name Resolution Minimal Entry IDs MID_UNRESOLVED = 0x00000000 MID_AMBIGUOUS = 0x00000001 MID_RESOLVED = 0x00000002 # 2.2.10 Table Sort Orders SortTypeDisplayName = 0 SortTypePhoneticDisplayName = 0x00000003 SortTypeDisplayName_RO = 0x000003E8
def test_RChangeServiceConfig2W(self):
    """Exercise RChangeServiceConfig2W over its SERVICE_CONFIG info levels.

    Creates a throw-away service ('TESTSVC', image path 'binaryPath') through
    hRCreateServiceW, then sends one RChangeServiceConfig2W per info level
    1..8 on the same request object and calls self.changeServiceAndQuery2()
    to read the value back.  Levels 9, 10 and 11 are filled in but their
    requests are commented out (noted as not working).  Any exception is
    printed and latched into ``error``; deleting the service, closing the
    handle and checking ``error`` presumably happen after this excerpt.
    Python 2 syntax (``except X, e``, ``print e``).
    """
    dce, rpctransport, scHandle = self.connect()
    # Parameters for hRCreateServiceW; the strings carry an explicit trailing NUL.
    lpServiceName = 'TESTSVC\x00'
    lpDisplayName = 'DisplayName\x00'
    dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
    dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
    dwStartType = scmr.SERVICE_DEMAND_START
    dwErrorControl = scmr.SERVICE_ERROR_NORMAL
    lpBinaryPathName = 'binaryPath\x00'
    lpLoadOrderGroup = NULL
    lpdwTagId = NULL
    lpDependencies = NULL
    dwDependSize = 0
    lpServiceStartName = NULL
    lpPassword = NULL
    dwPwSize = 0
    resp = scmr.hRCreateServiceW(
        dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess,
        dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName,
        lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize,
        lpServiceStartName, lpPassword, dwPwSize)
    newHandle = resp['lpServiceHandle']
    error = False
    try:
        # A single request is reused: dwInfoLevel and the union tag are set
        # together for each level, then that level's payload is filled in.
        request = scmr.RChangeServiceConfig2W()
        request['hService'] = newHandle
        # Level 1: psd / lpDescription
        request['Info']['dwInfoLevel'] = 1
        request['Info']['Union']['tag'] = 1
        request['Info']['Union']['psd']['lpDescription'] = u'betobeto\x00'
        resp = dce.request(request)
        self.changeServiceAndQuery2(
            dce, request, request['Info']['Union']['psd']['lpDescription'])
        # Level 2: psfa / lpRebootMsg + lpCommand
        # ('\00' is an octal escape for NUL, i.e. the same byte as '\x00')
        request['Info']['dwInfoLevel'] = 2
        request['Info']['Union']['tag'] = 2
        request['Info']['Union']['psfa']['lpRebootMsg'] = u'rebootMsg\00'
        request['Info']['Union']['psfa']['lpCommand'] = u'lpCommand\00'
        resp = dce.request(request)
        self.changeServiceAndQuery2(
            dce, request, request['Info']['Union']['psfa']['lpRebootMsg'])
        # Level 3: psda / fDelayedAutostart
        request['Info']['dwInfoLevel'] = 3
        request['Info']['Union']['tag'] = 3
        request['Info']['Union']['psda']['fDelayedAutostart'] = 1
        resp = dce.request(request)
        self.changeServiceAndQuery2(
            dce, request, request['Info']['Union']['psda']['fDelayedAutostart'])
        # Level 4: psfaf / fFailureActionsOnNonCrashFailures
        request['Info']['dwInfoLevel'] = 4
        request['Info']['Union']['tag'] = 4
        request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures'] = 1
        resp = dce.request(request)
        self.changeServiceAndQuery2(
            dce, request,
            request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures'])
        # Level 5: pssid / dwServiceSidType
        request['Info']['dwInfoLevel'] = 5
        request['Info']['Union']['tag'] = 5
        request['Info']['Union']['pssid']['dwServiceSidType'] = 1
        resp = dce.request(request)
        self.changeServiceAndQuery2(
            dce, request, request['Info']['Union']['pssid']['dwServiceSidType'])
        # Level 6: psrp / pRequiredPrivileges, a double-NUL-terminated
        # UTF-16LE multi-string passed as a list of bytes.
        request['Info']['dwInfoLevel'] = 6
        request['Info']['Union']['tag'] = 6
        request['Info']['Union']['psrp']['pRequiredPrivileges'] = list(
            u'SeAssignPrimaryTokenPrivilege\x00\x00'.encode('utf-16le'))
        resp = dce.request(request)
        self.changeServiceAndQuery2(
            dce, request, request['Info']['Union']['psrp']['pRequiredPrivileges'])
        # Level 7: psps / dwPreshutdownTimeout
        request['Info']['dwInfoLevel'] = 7
        request['Info']['Union']['tag'] = 7
        request['Info']['Union']['psps']['dwPreshutdownTimeout'] = 22
        resp = dce.request(request)
        self.changeServiceAndQuery2(
            dce, request, request['Info']['Union']['psps']['dwPreshutdownTimeout'])
        # Level 8: psti / pTriggers.  One domain-join trigger that starts the
        # service; the specific-data item is built but not attached
        # (pDataItems is sent as NULL) and the read-back is disabled.
        request['Info']['dwInfoLevel'] = 8
        request['Info']['Union']['tag'] = 8
        trigger = scmr.SERVICE_TRIGGER()
        trigger['dwTriggerType'] = scmr.SERVICE_TRIGGER_TYPE_DOMAIN_JOIN
        trigger['dwAction'] = scmr.SERVICE_TRIGGER_ACTION_SERVICE_START
        trigger['pTriggerSubtype'] = string_to_bin(scmr.DOMAIN_JOIN_GUID)
        item = scmr.SERVICE_TRIGGER_SPECIFIC_DATA_ITEM()
        item['dwDataType'] = scmr.SERVICE_TRIGGER_DATA_TYPE_STRING
        item['pData'] = list(u'FREEFLY\x00'.encode('utf-16le'))
        #trigger['pDataItems'].append(item)
        trigger['pDataItems'] = NULL
        request['Info']['Union']['psti']['pTriggers'].append(trigger)
        resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, '\x00')
        # Level 9: pspn / usPreferredNode -- request intentionally not sent.
        request['Info']['dwInfoLevel'] = 9
        request['Info']['Union']['tag'] = 9
        request['Info']['Union']['pspn']['usPreferredNode'] = 22
        #resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pspn']['usPreferredNode'])
        # Level 10: psri / eLowestRunLevel -- "This one doesn't work", request not sent.
        request['Info']['dwInfoLevel'] = 10
        request['Info']['Union']['tag'] = 10
        request['Info']['Union']['psri']['eLowestRunLevel'] = 1
        #resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psri']['eLowestRunLevel'])
        # Level 11: psma / fIsManagedAccount -- "This one doesn't work", request not sent.
        request['Info']['dwInfoLevel'] = 11
        request['Info']['Union']['tag'] = 11
        request['Info']['Union']['psma']['fIsManagedAccount'] = 1
        #resp = dce.request(request)
        #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psma']['fIsManagedAccount'])
    except Exception, e:
        # Python 2 except syntax.  The failure is reported and latched rather
        # than re-raised, presumably so the service cleanup that follows this
        # excerpt still runs.
        import traceback
        traceback.print_exc()
        print e
        error = True
        pass  # redundant: the handler already ends with the assignment above
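def get_packet( self ):
    """Return the packet stored on this exception (set by the constructor, outside this excerpt)."""
    return self.packet

def __str__( self ):
    """Render the error as 'VDS SessionError: code: 0x<hex> - <short> - <verbose>'.

    Uses dict membership via .get() instead of the Python 2-only dict.has_key();
    an HRESULT absent from hresult_errors.ERROR_MESSAGES yields the
    'unknown error code' form so the raw value is never hidden.
    """
    messages = hresult_errors.ERROR_MESSAGES.get(self.error_code)
    if messages is None:
        return 'VDS SessionError: unknown error code: 0x%x' % (self.error_code)
    error_msg_short = messages[0]
    error_msg_verbose = messages[1]
    return 'VDS SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)

################################################################################
# CONSTANTS
################################################################################
# 1.9 Standards Assignments -- class and interface IDs, pre-converted to
# binary so they can be handed straight to the DCOM activation/marshalling code.
CLSID_VirtualDiskService = string_to_bin('7D1933CB-86F6-4A98-8628-01BE94C9A575')
IID_IEnumVdsObject = string_to_bin('118610B7-8D94-4030-B5B8-500889788E4E')
IID_IVdsAdviseSink = string_to_bin('8326CD1D-CF59-4936-B786-5EFC08798E25')
IID_IVdsAsync = string_to_bin('D5D23B6D-5A55-4492-9889-397A3C2D2DBC')
IID_IVdsServiceInitialization = string_to_bin('4AFC3636-DB01-4052-80C3-03BBCB8D3C69')
IID_IVdsService = string_to_bin('0818A8EF-9BA9-40D8-A6F9-E22833CC771E')
IID_IVdsSwProvider = string_to_bin('9AA58360-CE33-4F92-B658-ED24B14425B8')
IID_IVdsProvider = string_to_bin('10C5E575-7984-4E81-A56B-431F5F92AE42')

# error_status_t is carried on the wire as a ULONG.
error_status_t = ULONG

# 2.2.1.1.3 VDS_OBJECT_ID -- a plain GUID.
VDS_OBJECT_ID = GUID

################################################################################
# STRUCTURES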
def getProviderName(self):
    """Resolve this interface to a name via ndrutils.uuid_to_exe.

    The lookup key is the binary interface UUID followed by the version
    packed as a little-endian unsigned 16-bit value.  What the returned
    name denotes is defined by uuid_to_exe (presumably an executable name
    -- confirm against ndrutils).
    """
    key = uuid.string_to_bin(self.getUUID())
    key += struct.pack('<H', self.getVersion())
    return ndrutils.uuid_to_exe(key)
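def nspi_dump_tables(self, options):
    """Print the rows of one NSPI address-book table chosen by *options*.

    The property tags requested per row come from options.lookup_type:
    None or 'MINIMAL' -> NSPIAttacks.PROPS_MINUMAL, 'EXTENDED' ->
    PROPS_EXTENDED, 'GUIDS' -> PROPS_GUID, anything else -> [] (FULL).

    The table is chosen as follows:
      * options.name naming the GAL ('gal', 'global address list' or
        'default global address list', case-insensitive) -> Minimal Entry ID 0;
      * otherwise the server's hierarchy table is loaded and scanned for an
        entry whose binary objectGUID equals options.guid or, when no GUID
        was given, whose name equals options.name.

    Calls sys.exit(1) when no entry matches, so callers embedding this in a
    larger tool get a process exit rather than an exception.
    """
    self.exch.set_output_type(options.output_type)

    lookup_type = options.lookup_type
    if lookup_type is None or lookup_type == 'MINIMAL':
        propTags = NSPIAttacks.PROPS_MINUMAL
    elif lookup_type == 'EXTENDED':
        propTags = NSPIAttacks.PROPS_EXTENDED
    elif lookup_type == 'GUIDS':
        propTags = NSPIAttacks.PROPS_GUID
    else:  # FULL
        propTags = []

    gal_aliases = ('gal', 'default global address list', 'global address list')
    if options.name is not None and options.name.lower() in gal_aliases:
        logging.info("Lookuping Global Address List")
        table_MId = 0
    else:
        # 2.2.8: the client obtains Minimal Entry IDs for the STAT ContainerID
        # from the server's address book hierarchy table.  The GUID is not
        # converted with NspiDNToMId or similar because that may not work in
        # multi-tenant environments.
        self.exch.load_htable()
        if options.guid is not None:
            logging.info("Search for an address book with objectGUID = %s", options.guid)
            guid = uuid.string_to_bin(options.guid)
            name = None
        else:
            guid = None
            name = options.name

        table_MId = 0
        for MId in self.exch.htable:
            if MId == 0:  # GAL, handled by the branch above
                continue
            entry = self.exch.htable[MId]
            if guid is not None:
                # -guid: match on the binary objectGUID
                if entry['guid'] == guid:
                    logging.debug("MId %d is assigned for %s object", MId, options.guid)
                    logging.info("Lookuping %s", entry['name'])
                    table_MId = MId
                    break
            elif entry['name'] == name:
                # -name: match on the name, then report the entry's objectGUID
                guid = uuid.bin_to_string(entry['guid'])
                logging.debug("MId %d is assigned for %s object", MId, guid)
                logging.info("Lookuping address book with objectGUID = %s", guid)
                table_MId = MId
                break

        if table_MId == 0:
            logging.error("Specified address book not found!")
            sys.exit(1)

    self.exch.req_print_table_rows(table_MId, propTags, options.rows_per_request)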
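def __init__(self, error_string=None, error_code=None, packet=None):
    """Construct the error; all arguments are forwarded unchanged to DCERPCException."""
    DCERPCException.__init__(self, error_string, error_code, packet)

def __str__( self ):
    """Render the error as 'SCMP SessionError: code: 0x<hex> - <short> - <verbose>'.

    Uses .get() instead of the Python 2-only dict.has_key(); an HRESULT that
    is not in hresult_errors.ERROR_MESSAGES yields the 'unknown error code'
    form so the raw value is still reported.
    """
    messages = hresult_errors.ERROR_MESSAGES.get(self.error_code)
    if messages is None:
        return 'SCMP SessionError: unknown error code: 0x%x' % self.error_code
    error_msg_short = messages[0]
    error_msg_verbose = messages[1]
    return 'SCMP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)

################################################################################
# CONSTANTS
################################################################################
# 1.9 Standards Assignments -- class and interface IDs in binary form.
CLSID_ShadowCopyProvider = string_to_bin('0b5a2c52-3eb9-470a-96e2-6c6d4570e40f')
IID_IVssSnapshotMgmt = string_to_bin('FA7DF749-66E7-4986-A27F-E2F04AE53772')
IID_IVssEnumObject = string_to_bin('AE1C7110-2F60-11d3-8A39-00C04F72D8E3')
IID_IVssDifferentialSoftwareSnapshotMgmt = string_to_bin('214A0F28-B737-4026-B847-4F9E37D79529')
IID_IVssEnumMgmtObject = string_to_bin('01954E6B-9254-4e6e-808C-C9E05D007696')
IID_ShadowCopyProvider = string_to_bin('B5946137-7B9F-4925-AF80-51ABD60B20D5')

# 2.2.1.1 VSS_ID
class VSS_ID(NDRSTRUCT):
    """16-byte VSS identifier carried as one raw 16-byte field with 2-byte alignment."""
    structure = (
        ('Data','16s=""'),
    )

    def getAlignment(self):
        # Override the default NDR alignment for this structure.
        return 2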
from multiprocessing import Pool
from ldap3.utils.conv import escape_filter_chars
from impacket.uuid import string_to_bin, bin_to_string
from bloodhound.ad.utils import ADUtils
from bloodhound.lib import cstruct
from io import BytesIO
import binascii
import pprint
from future.utils import iteritems, native_str

# Extended rights and property GUIDs of interest, converted to binary once at
# import time so the ACL parser does not redo the conversion for every
# comparison (presumably against the ObjectType GUID of object-specific ACEs;
# verify in parse_binary_acl).
# Source: https://msdn.microsoft.com/en-us/library/cc223512.aspx
EXTRIGHTS_GUID_MAPPING = {
    "GetChanges": string_to_bin("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    "GetChangesAll": string_to_bin("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    "WriteMember": string_to_bin("bf9679c0-0de6-11d0-a285-00aa003049e2"),
    "UserForceChangePassword": string_to_bin("00299570-246d-11d0-a768-00aa006e0529"),
    "AllowedToAct": string_to_bin("3f78c3e5-f79a-46bd-a0b8-9d18116ddc79"),
}

# NOTE(review): parse_binary_acl continues past this excerpt; its docstring is cut here.
def parse_binary_acl(entry, entrytype, acl, objecttype_guid_map):
    """ Main ACL structure parse function. This is offloaded to subprocesses and takes the current entry and the
# 5.113 LDAP_CONN_PROPERTIES -- single-bit flags describing the LDAP
# connection; combine with |.
BND = 1 << 0
SSL = 1 << 1
UDP = 1 << 2
GC = 1 << 3
GSS = 1 << 4
NGO = 1 << 5
SPL = 1 << 6
MD5 = 1 << 7
SGN = 1 << 8
SL = 1 << 9

# 5.137 NTSAPI_CLIENT_GUID (binary form)
NTDSAPI_CLIENT_GUID = string_to_bin("e24d201a-4fd6-11d1-a3da-0000f875ae0d")

# 5.139 NULLGUID -- the all-zero GUID (binary form)
NULLGUID = string_to_bin("00000000-0000-0000-0000-000000000000")

# 5.205 USN -- an update sequence number is a LONGLONG on the wire
USN = LONGLONG

# 4.1.4.1.2 DRS_MSG_CRACKREQ_V1
DS_NAME_FLAG_GCVERIFY = 0x00000004
DS_NAME_FLAG_TRUST_REFERRAL = 0x00000008
DS_NAME_FLAG_PRIVATE_RESOLVE_FPOS = 0x80000000
# Special 'list' request values; note they occupy the top of the 32-bit range.
DS_LIST_SITES = 0xFFFFFFFF
DS_LIST_SERVERS_IN_SITE = 0xFFFFFFFE
DS_LIST_DOMAINS_IN_SITE = 0xFFFFFFFD
# Some calls have helper functions, which make them even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
# Author:
#   Adam (@cube0x0)
#
from impacket import system_errors
from impacket.dcerpc.v5.dtypes import ULONGLONG, UINT, USHORT, LPWSTR, DWORD, ULONG, NULL
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRUniConformantArray
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.uuid import uuidtup_to_bin, string_to_bin

# Interface identifiers, in binary form, for the two print-system endpoints.
MSRPC_UUID_PAR = uuidtup_to_bin(('76F03F96-CDFD-44FC-A22C-64950A001209', '1.0'))
MSRPC_UUID_WINSPOOL = string_to_bin('9940CA8E-512F-4C58-88A9-61098D6896BD')


class DCERPCSessionError(DCERPCException):
    """DCE/RPC error raised by the RPRN/PAR calls in this module.

    Carries the Win32 error code and, when it is known to
    system_errors.ERROR_MESSAGES, its short and verbose descriptions.
    """

    def __init__(self, error_string=None, error_code=None, packet=None):
        # Nothing interface-specific to keep; defer entirely to the base class.
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__( self ):
        """Render as 'RPRN SessionError: code: 0x<hex> - <short> - <verbose>'."""
        code = self.error_code
        try:
            entry = system_errors.ERROR_MESSAGES[code]
        except KeyError:
            # Unknown code: still report the raw value so nothing is hidden.
            return 'RPRN SessionError: unknown error code: 0x%x' % self.error_code
        error_msg_short = entry[0]
        error_msg_verbose = entry[1]
        return 'RPRN SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)

################################################################################