def createKmsRequestBase():
    requestDict = kmsRequestStruct()
    requestDict['versionMinor'] = config['KMSProtocolMinorVersion']
    requestDict['versionMajor'] = config['KMSProtocolMajorVersion']
    requestDict['isClientVm'] = 0
    requestDict['licenseStatus'] = config['KMSClientLicenseStatus']
    requestDict['graceTime'] = 43200
    requestDict['applicationId'] = UUID(uuid.UUID(config['KMSClientAppID']).bytes_le)
    requestDict['skuId'] = UUID(uuid.UUID(config['KMSClientSkuID']).bytes_le)
    requestDict['kmsCountedId'] = UUID(uuid.UUID(config['KMSClientKMSCountedID']).bytes_le)
    requestDict['clientMachineId'] = UUID(uuid.UUID(config['cmid']).bytes_le
                                          if (config['cmid'] is not None)
                                          else uuid.uuid4().bytes_le)
    # requestDict['clientMachineId']  # I'm pretty sure this is supposed to be a null UUID.
    requestDict['previousClientMachineId'] = b'\0' * 16
    requestDict['requiredClientCount'] = config['RequiredClientCount']
    requestDict['requestTime'] = filetimes.dt_to_filetime(datetime.datetime.utcnow())
    requestDict['machineName'] = (config['machineName']
                                  if (config['machineName'] is not None)
                                  else ''.join(random.choice(string.ascii_letters + string.digits)
                                               for i in range(random.randint(2, 63)))).encode('utf-16le')
    requestDict['mnPad'] = '\0'.encode('utf-16le') * (63 - len(requestDict['machineName'].decode('utf-16le')))

    # Debug Stuff
    if config['debug']:
        print("Request Base Dictionary:", requestDict.dump())

    return requestDict
def CreateRequestBase():
    # Init requestDict
    requestDict = {}

    # KMS Protocol Version
    requestDict['MajorVer'] = config['KMSProtocolMajorVersion']
    requestDict['MinorVer'] = config['KMSProtocolMinorVersion']

    # KMS Client is NOT a VM
    requestDict['IsClientVM'] = 0

    # License Status
    requestDict['LicenseStatus'] = config['KMSClientLicenseStatus']

    # Grace Time
    requestDict['GraceTime'] = 43200

    # Application ID
    requestDict['ApplicationId'] = uuid.UUID(config['KMSClientAppID'])

    # SKU ID
    requestDict['SkuId'] = uuid.UUID(config['KMSClientSkuID'])

    # KMS Counted ID
    requestDict['KmsCountedId'] = uuid.UUID(config['KMSClientKMSCountedID'])

    # CMID
    requestDict['ClientMachineId'] = uuid.uuid4()

    # Minimum Clients
    requestDict['RequiredClientCount'] = config['RequiredClientCount']

    # Current Time
    requestDict['RequestTime'] = filetimes.dt_to_filetime(datetime.datetime.utcnow())

    # Generate Random Machine Name (Up to 63 Characters)
    requestDict['MachineName'] = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(32))

    # Debug Stuff
    logging.debug("Request Base Dictionary: %s", requestDict)

    # Serialise the request as little-endian fields in wire order
    request = b''
    request += struct.pack('<H', requestDict['MinorVer'])
    request += struct.pack('<H', requestDict['MajorVer'])
    request += struct.pack('<I', requestDict['IsClientVM'])
    request += struct.pack('<I', requestDict['LicenseStatus'])
    request += struct.pack('<I', requestDict['GraceTime'])
    request += requestDict['ApplicationId'].bytes_le
    request += requestDict['SkuId'].bytes_le
    request += requestDict['KmsCountedId'].bytes_le
    request += requestDict['ClientMachineId'].bytes_le
    request += struct.pack('<I', requestDict['RequiredClientCount'])
    request += struct.pack('>Q', requestDict['RequestTime'])
    # PreviousClientMachineId slot (this version reuses the CMID)
    request += requestDict['ClientMachineId'].bytes_le
    request += requestDict['MachineName'].encode('utf-16le')
    request += ('\0' * 32).encode('utf-16le')

    logging.debug("Request Base: %s (%d bytes)", binascii.b2a_hex(request), len(request))

    return request
def build_pac(vec, logon_time):
    pacobj = Pac()
    pacobj.set_header()

    dt = datetime.strptime(logon_time, '%Y%m%d%H%M%SZ')
    logon_time2 = dt_to_filetime(dt)

    user_sid = lsa.lsa_get_user_sid(vec['ip'],
                                    account_name=vec['user'],
                                    username=vec['user'],
                                    password=vec['passphrase'],
                                    domain=vec['domain'])
    if not user_sid:
        return None

    pacobj.add_info_buffer(1, PacLogonInformationIB({
        'user_name': vec['user'],
        'user_sid': user_sid,
        'domain_name': vec['domain'],
        'logon_time': logon_time
    }))
    pacobj.add_info_buffer(10, PacClientInfoIB({
        'clientID': logon_time2,
        'name': vec['user'].encode('utf-16le'),
        'nameLength': len(vec['user'].encode('utf-16le'))
    }))

    sig_srv = [7, "\x00" * 16]
    sig_kdc = [7, "\x00" * 16]
    pacobj.add_info_buffer(6, PacSignatureDataIB({
        'type': sig_srv[0],
        'data': sig_srv[1]
    }))
    pacobj.add_info_buffer(7, PacSignatureDataIB({
        'type': sig_kdc[0],
        'data': sig_kdc[1]
    }))

    pac = pacobj.pack()
    # pacobj.show()
    return pac
def createKmsRequestBase():
    requestDict = kmsBase.kmsRequestStruct()
    requestDict['versionMinor'] = config['KMSProtocolMinorVersion']
    requestDict['versionMajor'] = config['KMSProtocolMajorVersion']
    requestDict['isClientVm'] = 0
    requestDict['licenseStatus'] = config['KMSClientLicenseStatus']
    requestDict['graceTime'] = 43200
    requestDict['applicationId'] = UUID(uuid.UUID(config['KMSClientAppID']).bytes_le)
    requestDict['skuId'] = UUID(uuid.UUID(config['KMSClientSkuID']).bytes_le)
    requestDict['kmsCountedId'] = UUID(uuid.UUID(config['KMSClientKMSCountedID']).bytes_le)
    requestDict['clientMachineId'] = UUID(uuid.UUID(config['cmid']).bytes_le
                                          if (config['cmid'] is not None)
                                          else uuid.uuid4().bytes_le)
    # requestDict['clientMachineId']  # I'm pretty sure this is supposed to be a null UUID.
    requestDict['previousClientMachineId'] = '\0' * 16
    requestDict['requiredClientCount'] = config['RequiredClientCount']
    requestDict['requestTime'] = filetimes.dt_to_filetime(datetime.datetime.utcnow())
    requestDict['machineName'] = (config['machineName']
                                  if (config['machineName'] is not None)
                                  else ''.join(random.choice(string.ascii_letters + string.digits)
                                               for i in range(random.randint(2, 63)))).encode('utf-16le')
    requestDict['mnPad'] = '\0'.encode('utf-16le') * (63 - len(requestDict['machineName'].decode('utf-16le')))

    # Debug Stuff
    shell_message(nshell=9)
    logging.debug("Request Base Dictionary: \n%s\n" % justify(requestDict.dump(print_to_stdout=False)))

    return requestDict
# tutorial 12
# how to set account expiration date in ad user account
from pyad import *
import datetime
from filetimes import dt_to_filetime, utc

user = pyad.adobject.ADObject.from_cn("aalamda")
# accountExpires is stored as a FILETIME (100 ns intervals since 1601-01-01 UTC)
ed = dt_to_filetime(datetime.datetime(2025, 5, 11, 0, 0))
pyad.adobject.ADObject.update_attribute(user, "accountExpires", str(ed))
from datetime import datetime

from filetimes import dt_to_filetime


def _filetime_from_timestamp(timestamp):
    """ See filetimes.py for details """
    # Timezones are hard, sorry
    moment = datetime.fromtimestamp(timestamp)
    delta_from_utc = moment - datetime.utcfromtimestamp(timestamp)
    return dt_to_filetime(moment, delta_from_utc)
def timestampGatherer():
    global mode
    global statistics
    maxYear = 0
    minYear = 0
    # maxMonth = 0
    # minMonth = 0
    maxOffset = -12345
    filepath = ""

    # parse the arguments according to the selected mode
    if mode == 1:
        print("Mode 1: search with year precision")
        maxYear = int(sys.argv[2])
        maxYear = dt_to_filetime(datetime(int(maxYear), 1, 1, 0, 0, tzinfo=utc))
        minYear = int(sys.argv[3])
        minYear = dt_to_filetime(datetime(int(minYear), 1, 1, 0, 0, tzinfo=utc))
        filepath = sys.argv[4]
        if len(sys.argv) == 6:
            maxOffset = int(sys.argv[5], 16)

    if mode == 2:
        print("Mode 2: search with month precision")
        maxYear = int(sys.argv[2])
        maxMonth = int(sys.argv[3])
        maxYear = dt_to_filetime(datetime(int(maxYear), int(maxMonth), 1, 0, 0, tzinfo=utc))
        minYear = int(sys.argv[4])
        minMonth = int(sys.argv[5])
        minYear = dt_to_filetime(datetime(int(minYear), int(minMonth), 1, 0, 0, tzinfo=utc))
        filepath = sys.argv[6]
        if len(sys.argv) == 8:
            maxOffset = int(sys.argv[7], 16)

    if maxOffset != -12345:
        print("Maximum offset, in bytes: " + str(maxOffset))

    # At this point we have the decimal representations of the Windows
    # timestamps. They are too large, though: comparing against them would
    # mean reading many bytes. Trim them so that only three bytes are checked
    # at a time.
    # keep only the leading three bytes
    maxYear = hex(maxYear)[:7]
    minYear = hex(minYear)[:7]
    # convert back to decimal; the result is several orders of magnitude
    # smaller than the original timestamp
    maxYear = int(maxYear, 16)
    minYear = int(minYear, 16)

    offset = -16  # the first 16 bytes are at offset zero, not at 16
    eightBytes = []
    file = open(filepath, "rb")
    for chunk in file:
        for byte in chunk:
            if maxOffset == offset:
                break
            if len(eightBytes) == 8:
                # the buffer is full
                # The last three bytes, in reverse order, encode the year
                # and the month
                yearBytes = ""
                firstByte = eightBytes[7][2:]
                secondByte = eightBytes[6][2:]
                thirdByte = eightBytes[5][2:]
                # Left-pad with a zero if a hex digit is missing
                if len(firstByte) < 2:
                    firstByte = "0" + firstByte
                if len(secondByte) < 2:
                    secondByte = "0" + secondByte
                if len(thirdByte) < 2:
                    thirdByte = "0" + thirdByte
                yearBytes = firstByte + secondByte + thirdByte
                year = int(yearBytes, 16)
                # compare the value of those bytes against the bounds
                if year > minYear and year < maxYear:
                    print(hex(offset))
                    calculateDate(eightBytes)
                    eightBytes = []  # timestamps cannot overlap
                # otherwise do not clear the buffer: shift it by one byte
                else:
                    eightBytes.pop(0)
            eightBytes.append(hex(byte))
            offset = offset + 1
        if maxOffset == offset:
            break
    file.close()
    print()
    statisticsToFile()
def pack(self, with_padding=0):
    self.end = []
    username = self['user_name']
    domain_name = self['domain_name']
    user_sid = self['user_sid']
    logon_time = self['logon_time']
    dt = datetime.strptime(logon_time, '%Y%m%d%H%M%SZ')
    logon_time = dt_to_filetime(dt)
    domain_sid, user_id = user_sid.rsplit('-', 1)
    user_id = int(user_id)

    out = ''
    # ElementId
    out += pack_u32(0x20000)
    # LogonTime
    out += pack_u64(logon_time)
    # LogoffTime
    out += pack_u64(0x7fffffffffffffff)
    # KickOffTime
    out += pack_u64(0x7fffffffffffffff)
    # PasswordLastSet
    out += pack_u64(0)
    # PasswordCanChange
    out += pack_u64(0)
    # PasswordMustChange
    out += pack_u64(0x7fffffffffffffff)
    # EffectiveName
    out += self._build_unicode_string(0x20004, username)
    # FullName
    out += self._build_unicode_string(0x20008, '')
    # LogonScript
    out += self._build_unicode_string(0x2000c, '')
    # ProfilePath
    out += self._build_unicode_string(0x20010, '')
    # HomeDirectory
    out += self._build_unicode_string(0x20014, '')
    # HomeDirectoryDrive
    out += self._build_unicode_string(0x20018, '')
    # LogonCount
    out += pack_u16(0)
    # BadPasswordCount
    out += pack_u16(0)
    # UserId
    out += pack_u32(user_id)
    # PrimaryGroupId
    out += pack_u32(513)
    # GroupCount
    out += pack_u32(5)
    # GroupIds[0]
    out += self._build_groups(0x2001c, [(513, SE_GROUP_ALL),
                                        (512, SE_GROUP_ALL),
                                        (520, SE_GROUP_ALL),
                                        (518, SE_GROUP_ALL),
                                        (519, SE_GROUP_ALL)])
    # UserFlags
    out += pack_u32(0)
    # UserSessionKey
    out += pack_u64(0) + pack_u64(0)
    # LogonServer
    out += self._build_unicode_string(0x20020, '')
    # LogonDomainName
    out += self._build_unicode_string(0x20024, domain_name)
    # LogonDomainId
    out += self._build_sid(0x20028, domain_sid)
    # Reserved1
    out += pack_u64(0)
    # UserAccountControl
    out += pack_u32(USER_NORMAL_ACCOUNT | USER_DONT_EXPIRE_PASSWORD)
    # SubAuthStatus
    out += pack_u32(0)
    # LastSuccessFulILogon
    out += pack_u64(0)
    # LastFailedILogon
    out += pack_u64(0)
    # FailedILogonCount
    out += pack_u32(0)
    # Reserved3
    out += pack_u32(0)
    # SidCount
    out += pack_u32(0)
    # ExtraSids
    out += pack_u32(0)
    # ResourceGroupDomainSid
    out += pack_u32(0)
    # ResourceGroupCount
    out += pack_u32(0)
    # ResourceGroupIds
    out += pack_u32(0)

    # Deferred (pointer-referenced) data, each item padded to a 4-byte boundary
    end_str = ''
    for s in self.end:
        end_str += s
        end_str += chr(0) * ((len(s) + 3) // 4 * 4 - len(s))
    out += end_str

    # NDR common type header and private header (length of the encoded data)
    hdr = '\x01\x10\x08\x00\xcc\xcc\xcc\xcc'
    hdr += pack_u32(len(out)) + pack_u32(0)
    out = hdr + out

    if with_padding:
        out += '\x00' * self.padding(out)
    return out