def rawData(self):
ret = pack('<LLLL', 0x74747474, self._count, 0x47474747, self._max_count)
pos_ret = []
for i in xrange(0, self._count):
ret += pack('<L', self._elements[i].get_id())
data = self._elements[i].rawData()
ret += data[:8]
pos_ret += data[8:]
return ret + pos_ret
def rawData(self):
ret = pack('<LLLL', 0x74747474, self._count, 0x47474747, self._max_count)
pos_ret = []
for i in xrange(0, self._count):
ret += pack('<L', self._elements[i].get_id())
data = self._elements[i].rawData()
ret += data[:8]
pos_ret += data[8:]
return ret + pos_ret
def _transport_send(self, rpc_packet, forceWriteAndx = 0, forceRecv = 0):
if self.__auth_level == ntlm.NTLM_AUTH_CALL:
if rpc_packet.get_type() == MSRPC_REQUEST:
response = ntlm.NTLMAuthChallengeResponse(self.__username,self.__password, self._ntlm_challenge)
response['auth_ctx_id'] = self._ctx + 79231
response['auth_level'] = self.__auth_level
rpc_packet.set_auth_data(str(response))
if self.__auth_level in [ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY]:
verifier = ntlm.NTLMAuthVerifier()
verifier['auth_level'] = self.__auth_level
verifier['auth_ctx_id'] = self._ctx + 79231
verifier['data'] = ' '*12
rpc_packet.set_auth_data(str(verifier))
rpc_call = rpc_packet.child()
if self.__auth_level == ntlm.NTLM_AUTH_PKT_PRIVACY:
data = DCERPC_RawCall(rpc_call.OP_NUM)
data.setData(self.cipher_encrypt(rpc_call.get_packet()))
rpc_packet.contains(data)
crc = crc32(rpc_call.get_packet())
data = pack('<LLL',0,crc,self.sequence) # XXX 0 can be anything: randomize
data = self.cipher_encrypt(data)
verifier['data'] = data
rpc_packet.set_auth_data(str(verifier))
self.sequence += 1
self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
def _transport_send(self, rpc_packet, forceWriteAndx = 0, forceRecv = 0):
if self.__auth_level == ntlm.NTLM_AUTH_CALL:
if rpc_packet.get_type() == MSRPC_REQUEST:
response = ntlm.NTLMAuthChallengeResponse(self.__username,self.__password, self._ntlm_challenge)
response['auth_ctx_id'] = self._ctx + 79231
response['auth_level'] = self.__auth_level
rpc_packet.set_auth_data(str(response))
if self.__auth_level in [ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY]:
verifier = ntlm.NTLMAuthVerifier()
verifier['auth_level'] = self.__auth_level
verifier['auth_ctx_id'] = self._ctx + 79231
verifier['data'] = ' '*12
rpc_packet.set_auth_data(str(verifier))
rpc_call = rpc_packet.child()
if self.__auth_level == ntlm.NTLM_AUTH_PKT_PRIVACY:
data = DCERPC_RawCall(rpc_call.OP_NUM)
data.setData(self.cipher_encrypt(rpc_call.get_packet()))
rpc_packet.contains(data)
crc = crc32(rpc_call.get_packet())
data = pack('<LLL',0,crc,self.sequence) # XXX 0 can be anything: randomize
data = self.cipher_encrypt(data)
verifier['data'] = data
rpc_packet.set_auth_data(str(verifier))
self.sequence += 1
self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
def portmap_dump(self, rpc_handle='\x00' * 20):
if self.endianness == '>':
from impacket.structure import unpack, pack
try:
rpc_handle = ''.join(map(chr, rpc_handle))
except:
pass
uuid = list(unpack('<LLHHBB6s', rpc_handle))
rpc_handle = pack('>LLHHBB6s', *uuid)
lookup = EPMLookupRequestHeader(endianness=self.endianness)
lookup.set_handle(rpc_handle)
self._dcerpc.send(lookup)
data = self._dcerpc.recv()
resp = EPMRespLookupRequestHeader(data)
return resp
def portmap_dump(self, rpc_handle = '\x00'*20):
if self.endianness == '>':
from impacket.structure import unpack,pack
try:
rpc_handle = ''.join(map(chr, rpc_handle))
except:
pass
uuid = list(unpack('<LLHHBB6s', rpc_handle))
rpc_handle = pack('>LLHHBB6s', *uuid)
lookup = EPMLookupRequestHeader(endianness = self.endianness)
lookup.set_handle(rpc_handle);
self._dcerpc.send(lookup)
data = self._dcerpc.recv()
resp = EPMRespLookupRequestHeader(data)
return resp
def rawData(self):
return pack('<HHLLLL', self._length, self._size, 0x12345678,
self._max_len, self._offset,
self._length2) + self._name.encode('utf-16le')
def bind(self, uuid, alter = 0, bogus_binds = 0):
bind = MSRPCBind(endianness = self.endianness)
syntax = '\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60'
if self.endianness == '>':
syntax = unpack('<LHHBB6s', syntax)
syntax = pack('>LHHBB6s', *syntax)
uuid = list(unpack('<LHHBB6sHH', uuid))
uuid[-1] ^= uuid[-2]
uuid[-2] ^= uuid[-1]
uuid[-1] ^= uuid[-2]
uuid = pack('>LHHBB6sHH', *uuid)
ctx = 0
for i in range(bogus_binds):
bind.set_ctx_id(self._ctx, index = ctx)
bind.set_trans_num(1, index = ctx)
bind.set_if_binuuid('A'*20, index = ctx)
bind.set_xfer_syntax_binuuid(syntax, index = ctx)
bind.set_xfer_syntax_ver(2, index = ctx)
self._ctx += 1
ctx += 1
bind.set_ctx_id(self._ctx, index = ctx)
bind.set_trans_num(1, index = ctx)
bind.set_if_binuuid(uuid,index = ctx)
bind.set_xfer_syntax_binuuid(syntax, index = ctx)
bind.set_xfer_syntax_ver(2, index = ctx)
bind.set_ctx_num(ctx+1)
if alter:
bind.set_type(MSRPC_ALTERCTX)
if (self.__auth_level != ntlm.NTLM_AUTH_NONE):
if (self.__username is None) or (self.__password is None):
self.__username, self.__password, nth, lmh = self._transport.get_credentials()
auth = ntlm.NTLMAuthNegotiate()
auth['auth_level'] = self.__auth_level
auth['auth_ctx_id'] = self._ctx + 79231
bind.set_auth_data(str(auth))
self._transport.send(bind.get_packet())
s = self._transport.recv()
if s != 0:
resp = MSRPCBindAck(s)
else:
return 0 #mmm why not None?
if resp.get_type() == MSRPC_BINDNAK:
resp = MSRPCBindNak(s)
status_code = resp.get_reason()
if rpc_status_codes.has_key(status_code):
raise Exception(rpc_status_codes[status_code], resp)
else:
raise Exception('Unknown DCE RPC fault status code: %.8x' % status_code, resp)
self.__max_xmit_size = resp.get_max_tfrag()
if self.__auth_level != ntlm.NTLM_AUTH_NONE:
authResp = ntlm.NTLMAuthChallenge(data = resp.get_auth_data().tostring())
self._ntlm_challenge = authResp['challenge']
response = ntlm.NTLMAuthChallengeResponse(self.__username,self.__password, self._ntlm_challenge)
response['auth_ctx_id'] = self._ctx + 79231
response['auth_level'] = self.__auth_level
if self.__auth_level in (ntlm.NTLM_AUTH_CONNECT, ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY):
if self.__password:
key = ntlm.compute_nthash(self.__password)
if POW:
hash = POW.Digest(POW.MD4_DIGEST)
else:
hash = MD4.new()
hash.update(key)
key = hash.digest()
else:
key = '\x00'*16
if POW:
cipher = POW.Symmetric(POW.RC4)
cipher.encryptInit(key)
self.cipher_encrypt = cipher.update
else:
cipher = ARC4.new(key)
self.cipher_encrypt = cipher.encrypt
if response['flags'] & ntlm.NTLMSSP_KEY_EXCHANGE:
session_key = 'A'*16 # XXX Generate random session key
response['session_key'] = self.cipher_encrypt(session_key)
if POW:
cipher = POW.Symmetric(POW.RC4)
cipher.encryptInit(session_key)
self.cipher_encrypt = cipher.update
else:
cipher = ARC4.new(session_key)
self.cipher_encrypt = cipher.encrypt
self.sequence = 0
auth3 = MSRPCHeader()
auth3.set_type(MSRPC_AUTH3)
auth3.set_auth_data(str(response))
self._transport.send(auth3.get_packet(), forceWriteAndx = 1)
return resp # means packet is signed, if verifier is wrong it fails
def rawData(self):
return pack('<HHLLLL', self._length, self._size, 0x12345678, self._max_len, self._offset, self._length2) + self._name.encode('utf-16le')
def bind(self, uuid, alter=0, bogus_binds=0):
bind = MSRPCBind(endianness=self.endianness)
syntax = '\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60'
if self.endianness == '>':
syntax = unpack('<LHHBB6s', syntax)
syntax = pack('>LHHBB6s', *syntax)
uuid = list(unpack('<LHHBB6sHH', uuid))
uuid[-1] ^= uuid[-2]
uuid[-2] ^= uuid[-1]
uuid[-1] ^= uuid[-2]
uuid = pack('>LHHBB6sHH', *uuid)
ctx = 0
for i in range(bogus_binds):
bind.set_ctx_id(self._ctx, index=ctx)
bind.set_trans_num(1, index=ctx)
bind.set_if_binuuid('A' * 20, index=ctx)
bind.set_xfer_syntax_binuuid(syntax, index=ctx)
bind.set_xfer_syntax_ver(2, index=ctx)
self._ctx += 1
ctx += 1
bind.set_ctx_id(self._ctx, index=ctx)
bind.set_trans_num(1, index=ctx)
bind.set_if_binuuid(uuid, index=ctx)
bind.set_xfer_syntax_binuuid(syntax, index=ctx)
bind.set_xfer_syntax_ver(2, index=ctx)
bind.set_ctx_num(ctx + 1)
if alter:
bind.set_type(MSRPC_ALTERCTX)
if (self.__auth_level != ntlm.NTLM_AUTH_NONE):
if (self.__username is None) or (self.__password is None):
self.__username, self.__password, nth, lmh = self._transport.get_credentials(
)
auth = ntlm.NTLMAuthNegotiate()
auth['auth_level'] = self.__auth_level
auth['auth_ctx_id'] = self._ctx + 79231
bind.set_auth_data(str(auth))
self._transport.send(bind.get_packet())
s = self._transport.recv()
if s != 0:
resp = MSRPCBindAck(s)
else:
return 0 #mmm why not None?
if resp.get_type() == MSRPC_BINDNAK:
resp = MSRPCBindNak(s)
status_code = resp.get_reason()
if rpc_status_codes.has_key(status_code):
raise Exception(rpc_status_codes[status_code], resp)
else:
raise Exception(
'Unknown DCE RPC fault status code: %.8x' % status_code,
resp)
self.__max_xmit_size = resp.get_max_tfrag()
if self.__auth_level != ntlm.NTLM_AUTH_NONE:
authResp = ntlm.NTLMAuthChallenge(
data=resp.get_auth_data().tostring())
self._ntlm_challenge = authResp['challenge']
response = ntlm.NTLMAuthChallengeResponse(self.__username,
self.__password,
self._ntlm_challenge)
response['auth_ctx_id'] = self._ctx + 79231
response['auth_level'] = self.__auth_level
if self.__auth_level in (ntlm.NTLM_AUTH_CONNECT,
ntlm.NTLM_AUTH_PKT_INTEGRITY,
ntlm.NTLM_AUTH_PKT_PRIVACY):
if self.__password:
key = ntlm.compute_nthash(self.__password)
if POW:
hash = POW.Digest(POW.MD4_DIGEST)
else:
hash = MD4.new()
hash.update(key)
key = hash.digest()
else:
key = '\x00' * 16
if POW:
cipher = POW.Symmetric(POW.RC4)
cipher.encryptInit(key)
self.cipher_encrypt = cipher.update
else:
cipher = ARC4.new(key)
self.cipher_encrypt = cipher.encrypt
if response['flags'] & ntlm.NTLMSSP_KEY_EXCHANGE:
session_key = 'A' * 16 # XXX Generate random session key
response['session_key'] = self.cipher_encrypt(session_key)
if POW:
cipher = POW.Symmetric(POW.RC4)
cipher.encryptInit(session_key)
self.cipher_encrypt = cipher.update
else:
cipher = ARC4.new(session_key)
self.cipher_encrypt = cipher.encrypt
self.sequence = 0
auth3 = MSRPCHeader()
auth3.set_type(MSRPC_AUTH3)
auth3.set_auth_data(str(response))
self._transport.send(auth3.get_packet(), forceWriteAndx=1)
return resp # means packet is signed, if verifier is wrong it fails