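def test_hDRSCrackNames(self):
    """Exercise DRSCrackNames against the lab DC for four name-format pairs and dump each reply.

    The fixtures (FREEFLY.NET / FREEFLY-DC) are hard-coded; nothing is asserted
    beyond each RPC call returning without raising.
    """
    dce, rpctransport, hDrs, DsaObjDest = self.connect()

    # NT4 account name without domain -> string SID.
    name = 'Administrator'
    formatOffered = drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN
    formatDesired = drsuapi.DS_STRING_SID_NAME
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, formatOffered, formatDesired, (name, ))
    resp.dump()

    # The same DN was pasted twice in the original; define it once so the two
    # DN-based lookups below cannot drift apart.
    ntdsSettingsDn = ('CN=NTDS Settings,CN=FREEFLY-DC,CN=Servers,CN=Default-First-Site-Name,'
                      'CN=Sites,CN=Configuration,DC=FREEFLY,DC=NET')

    # DN -> object GUID (DS_UNIQUE_ID_NAME).
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME,
                                  drsuapi.DS_NAME_FORMAT.DS_UNIQUE_ID_NAME, (ntdsSettingsDn, ))
    resp.dump()

    # DN -> string SID.
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME,
                                  drsuapi.DS_STRING_SID_NAME, (ntdsSettingsDn, ))
    resp.dump()

    # DS_LIST_ROLES takes the domain name and is asked to answer with DNs.
    name = 'FREEFLY.NET'
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_LIST_ROLES,
                                  drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME, (name, ))
    resp.dump()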
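def test_hDRSCrackNames(self):
    """Exercise DRSCrackNames against the configured DC for four name-format pairs and dump each reply.

    The domain part of the DNs is derived from ``self.domain``; the DC name
    (DC1-WIN2012) is still hard-coded — TODO: source it from the test config too.
    Nothing is asserted beyond each RPC call returning without raising.
    """
    dce, rpctransport, hDrs, DsaObjDest = self.connect()

    # NT4 account name without domain -> string SID.
    name = 'Administrator'
    formatOffered = drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN
    formatDesired = drsuapi.DS_STRING_SID_NAME
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, formatOffered, formatDesired, (name, ))
    resp.dump()

    # Build the DC= chain from every label of the domain. The previous
    # 'DC=%s,DC=%s' % (label0, label1) form truncated domains with three or more
    # labels and raised IndexError on single-label ones; for two labels the
    # result is byte-identical.
    domainDn = ','.join('DC=%s' % label for label in self.domain.split('.'))
    ntdsSettingsDn = ('CN=NTDS Settings,CN=DC1-WIN2012,CN=Servers,CN=Default-First-Site-Name,'
                      'CN=Sites,CN=Configuration,%s' % domainDn)

    # DN -> object GUID (DS_UNIQUE_ID_NAME).
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME,
                                  drsuapi.DS_NAME_FORMAT.DS_UNIQUE_ID_NAME, (ntdsSettingsDn, ))
    resp.dump()

    # DN -> string SID.
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME,
                                  drsuapi.DS_STRING_SID_NAME, (ntdsSettingsDn, ))
    resp.dump()

    # DS_LIST_ROLES takes the (upper-cased) domain name and is asked to answer with DNs.
    name = self.domain.upper()
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_LIST_ROLES,
                                  drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME, (name, ))
    resp.dump()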
def DRSCrackNames(self, formatOffered=drsuapi.DS_NAME_FORMAT.DS_DISPLAY_NAME, formatDesired=drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME, name=''):
    """Crack a single name through the DRSR connection, binding it lazily on first use.

    :param formatOffered: DS_NAME_FORMAT describing *name* (default: display name).
    :param formatDesired: DS_NAME_FORMAT wanted back (default: X.500 DN).
    :param name: the one name to resolve; an empty string by default.
    :return: the raw DRSCrackNames reply structure.
    """
    # Lazy bind: the DRS context is only created the first time a lookup is needed.
    if self.__drsr is None:
        self.__connectDrds()
    return drsuapi.hDRSCrackNames(
        self.__drsr, self.__hDrs, 0, formatOffered, formatDesired, (name,)
    )
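def test_hDRSCrackNames(self):
    """Exercise DRSCrackNames against the lab DC for three name-format pairs and dump each reply.

    The fixtures (FREEFLY.NET / FREEFLY-DC) are hard-coded; nothing is asserted
    beyond each RPC call returning without raising.
    """
    dce, rpctransport, hDrs = self.connect()

    # NT4 account name without domain -> X.500 DN.
    name = 'Administrator'
    formatOffered = drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN
    formatDesired = drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, formatOffered, formatDesired, (name,))
    resp.dump()

    # The same DN was pasted twice in the original; define it once so the two
    # DN-based lookups below cannot drift apart.
    ntdsSettingsDn = ('CN=NTDS Settings,CN=FREEFLY-DC,CN=Servers,CN=Default-First-Site-Name,'
                      'CN=Sites,CN=Configuration,DC=FREEFLY,DC=NET')

    # DN -> object GUID (DS_UNIQUE_ID_NAME).
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME,
                                  drsuapi.DS_NAME_FORMAT.DS_UNIQUE_ID_NAME, (ntdsSettingsDn,))
    resp.dump()

    # DN -> string SID.
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME,
                                  drsuapi.DS_STRING_SID_NAME, (ntdsSettingsDn,))
    resp.dump()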
def test_hDRSCrackNames(self):
    """Crack 'Administrator' (NT4 account name without domain) into a UPN-for-logon and dump the reply.

    Nothing is asserted; the test only checks the call completes without raising.
    """
    dce, rpctransport, hDrs = self.connect()
    account = 'Administrator'
    reply = drsuapi.hDRSCrackNames(
        dce, hDrs, 0,
        drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN,
        drsuapi.DS_USER_PRINCIPAL_NAME_FOR_LOGON,
        (account,),
    )
    reply.dump()
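def test_hDRSCrackNames(self):
    """Exercise DRSCrackNames against the configured DC for four name-format pairs and dump each reply.

    The domain part of the DNs comes from ``self.domain``; the DC name
    (DC1-WIN2012) remains hard-coded — TODO: take it from the test config as well.
    Nothing is asserted beyond each RPC call returning without raising.
    """
    dce, rpctransport, hDrs, DsaObjDest = self.connect()

    # NT4 account name without domain -> string SID.
    account = 'Administrator'
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN,
                                  drsuapi.DS_STRING_SID_NAME, (account,))
    resp.dump()

    # One DC= component per domain label. The old
    # 'DC=%s,DC=%s' % (labels[0], labels[1]) only handled exactly two labels
    # (truncating longer domains, IndexError on a single label); for two labels
    # the resulting string is unchanged.
    domainDn = ','.join(['DC=%s' % label for label in self.domain.split('.')])
    ntdsSettingsDn = ('CN=NTDS Settings,CN=DC1-WIN2012,CN=Servers,CN=Default-First-Site-Name,'
                      'CN=Sites,CN=Configuration,%s' % domainDn)

    # The two DN-based lookups share the offered format and differ only in what is wanted back.
    for desired in (drsuapi.DS_NAME_FORMAT.DS_UNIQUE_ID_NAME,   # DN -> object GUID
                    drsuapi.DS_STRING_SID_NAME):                 # DN -> string SID
        resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME,
                                      desired, (ntdsSettingsDn,))
        resp.dump()

    # DS_LIST_ROLES takes the (upper-cased) domain name and is asked to answer with DNs.
    resp = drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_LIST_ROLES,
                                  drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME, (self.domain.upper(),))
    resp.dump()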
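def aaaa_DRSVerifyNames(self):  # Not Yet working
    """Send a V1 DRSVerifyNames (DRS_VERIFY_SAM_ACCOUNT_NAMES) for one DN and dump the reply's prefix table.

    Named 'aaaa_' rather than 'test_' — presumably so the runner skips it while
    the request is still being worked out. The lab DN is hard-coded.
    """
    dce, rpctransport, hDrs = self.connect()
    name = 'CN=Administrator,CN=Users,DC=FREEFLY,DC=NET'

    # Kept from the original: a CrackNames round-trip whose reply is not used.
    # NOTE(review): it offers a DN under DS_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX, so
    # the DC can only answer it with an in-band status — confirm it is wanted.
    drsuapi.hDRSCrackNames(dce, hDrs, 0, drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX,
                           drsuapi.DS_USER_PRINCIPAL_NAME_FOR_LOGON, (name,))

    request = drsuapi.DRSVerifyNames()
    request['hDrs'] = hDrs
    request['dwInVersion'] = 1
    request['pmsgIn']['tag'] = 1
    request['pmsgIn']['V1']['dwFlags'] = drsuapi.DRS_VERIFY_SAM_ACCOUNT_NAMES
    request['pmsgIn']['V1']['cNames'] = 1

    # A DSNAME carrying only the string name: no SID, null GUID. structLen is the
    # size of the encoded structure, so it is computed last.
    dsName = drsuapi.DSNAME()
    dsName['SidLen'] = 0
    dsName['Guid'] = drsuapi.NULLGUID
    dsName['Sid'] = ''
    dsName['NameLen'] = len(name)
    dsName['StringName'] = name + '\x00'
    dsName['structLen'] = len(dsName.getData())
    request['pmsgIn']['V1']['rpNames'].append(dsName)

    # No attributes requested and no prefix table supplied yet.
    # TODO: populate RequiredAttrs with ATTR entries (the original left a
    # commented-out sketch of a three-entry list here).
    request['pmsgIn']['V1']['RequiredAttrs']['pAttr'] = NULL
    request['pmsgIn']['V1']['PrefixTable']['pPrefixEntry'] = NULL

    resp = dce.request(request)

    # The request is V1 and the VerifyNames reply union only has a V1 arm, whose
    # prefix-table member is 'PrefixTable'. The original read
    # resp['pmsgOut']['V6']['PrefixTableSrc'] — that is the DRSGetNCChanges reply
    # layout and cannot exist on this message, which is the likely reason the
    # method never worked.
    for entry in resp['pmsgOut']['V1']['PrefixTable']['pPrefixEntry']:
        entry.dump()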
def aaaa_DRSVerifyNames(self):  # Not Yet working
    """Send a V1 DRSVerifyNames (DRS_VERIFY_SAM_ACCOUNT_NAMES) for one lab DN and dump request and reply.

    Named 'aaaa_' rather than 'test_' — presumably so the runner skips it while
    the request is still being worked out.
    """
    dce, rpctransport, hDrs = self.connect()
    targetDn = 'CN=Administrator,CN=Users,DC=FREEFLY,DC=NET'

    # Preliminary CrackNames round-trip, dumped for inspection only.
    crackReply = drsuapi.hDRSCrackNames(
        dce, hDrs, 0,
        drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX,
        drsuapi.DS_USER_PRINCIPAL_NAME_FOR_LOGON,
        (targetDn,),
    )
    crackReply.dump()

    # DSNAME holding only the string name (no SID, null GUID); structLen covers
    # the encoded structure and is therefore filled in last.
    dsName = drsuapi.DSNAME()
    dsName['SidLen'] = 0
    dsName['Guid'] = drsuapi.NULLGUID
    dsName['Sid'] = ''
    dsName['NameLen'] = len(targetDn)
    dsName['StringName'] = targetDn + '\x00'
    dsName['structLen'] = len(dsName.getData())

    request = drsuapi.DRSVerifyNames()
    request['hDrs'] = hDrs
    request['dwInVersion'] = 1
    msgIn = request['pmsgIn']
    msgIn['tag'] = 1
    v1 = msgIn['V1']
    v1['dwFlags'] = drsuapi.DRS_VERIFY_SAM_ACCOUNT_NAMES
    v1['cNames'] = 1
    v1['rpNames'].append(dsName)
    # TODO: RequiredAttrs is still empty; the original carried a commented-out
    # sketch of a three-ATTR list to fill it with.
    v1['RequiredAttrs']['pAttr'] = NULL
    v1['PrefixTable']['pPrefixEntry'] = NULL

    request.dump()
    reply = dce.request(request)
    reply.dump()
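def convert_sidtont4(self, sid):
    """Resolve a string SID to an NT4-style account name via DRSCrackNames.

    Binds a fresh DRS context on ``self._rpc_connection`` for every call (the
    bind parameters mirror secretsdump.py) and returns ``pName`` of the first
    result item.

    :param sid: SID in string form (e.g. 'S-1-5-21-...-500').
    :return: ``rItems[0]['pName']`` from the CrackNames reply.
    :raises LookupError: when the DC reports a non-zero per-item status for the
        SID (e.g. it does not resolve) — the original returned the unusable
        ``pName`` silently in that case.
    """
    # DS_NAME_FORMAT values (MS-DRSR 4.1.4.1.3); the original passed the bare
    # numbers 11 and 2.
    DS_SID_OR_SID_HISTORY_NAME = 11
    DS_NT4_ACCOUNT_NAME = 2

    # We get a DRS handle, shamelessly stolen from secretsdump.py
    request = drsuapi.DRSBind()
    request['puuidClientDsa'] = drsuapi.NTDSAPI_CLIENT_GUID
    drs = drsuapi.DRS_EXTENSIONS_INT()
    drs['cb'] = len(drs)  # - 4
    drs['dwFlags'] = (drsuapi.DRS_EXT_GETCHGREQ_V6 | drsuapi.DRS_EXT_GETCHGREPLY_V6
                      | drsuapi.DRS_EXT_GETCHGREQ_V8 | drsuapi.DRS_EXT_STRONG_ENCRYPTION)
    drs['SiteObjGuid'] = drsuapi.NULLGUID
    drs['Pid'] = 0
    drs['dwReplEpoch'] = 0
    drs['dwFlagsExt'] = 0
    drs['ConfigObjGUID'] = drsuapi.NULLGUID
    drs['dwExtCaps'] = 0xffffffff
    request['pextClient']['cb'] = len(drs)
    # getData() is the packed structure on both Python 2 and 3. The original
    # used list(str(drs)), which only coincides with the packed bytes on
    # Python 2 — on Python 3 str() is the object's text form, so the DC would
    # receive a garbage DRS_EXTENSIONS blob.
    request['pextClient']['rgb'] = list(drs.getData())
    hdrs = self._rpc_connection.request(request)['phDrs']
    # NOTE(review): the context is never unbound (no DRSUnbind) and is re-bound
    # on every call; consider caching the handle or unbinding once done.

    resp = drsuapi.hDRSCrackNames(self._rpc_connection, hdrs, 0x0,
                                  DS_SID_OR_SID_HISTORY_NAME, DS_NT4_ACCOUNT_NAME, (sid,))
    item = resp['pmsgOut']['V1']['pResult']['rItems'][0]
    # CrackNames reports per-name failures in-band (DS_NAME_ERROR values) rather
    # than as an RPC fault; surface them instead of handing back an empty name.
    if item['status'] != 0:
        raise LookupError('DRSCrackNames could not resolve SID %s (status %d)' % (sid, item['status']))
    return item['pName']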