Пример #1
    def dump(self, remoteName, remoteHost):
        """Authenticate to the Netlogon (NRPC) interface on remoteHost and send one NetrServerPasswordSet2 request.

        Sequence, as written below:
          1. Resolve the NRPC endpoint through the endpoint mapper, connect and bind.
          2. NetrServerReqChallenge with a fixed 8-byte client challenge.
          3. Derive the session key from an empty shared secret and compute the
             client credential from it.
          4. NetrServerAuthenticate3 as a ServerSecureChannel account.
          5. NetrServerPasswordSet2 carrying self.__password for remoteName + '$'.

        Args:
            remoteName: Name used for the primary name, computer name and (with '$')
                the account name in the requests.
            remoteHost: Host handed to epm.hept_map to locate the NRPC endpoint.

        Side effects:
            Sets self.sessionKey, self.ppp and self.clientStoredCredential, and
            prints a success line to stdout.

        Note for defenders: a machine-account password change made over this
        interface is expected to surface on the domain controller as a
        computer-account change audit event (Windows Security event 4742) --
        confirm against the audit policy in use.
        """

        # Ask the endpoint mapper on remoteHost where the NRPC interface listens (TCP).
        stringbinding = epm.hept_map(remoteHost,
                                     nrpc.MSRPC_UUID_NRPC,
                                     protocol='ncacn_ip_tcp')
        logging.info('StringBinding %s' % stringbinding)
        rpctransport = transport.DCERPCTransportFactory(stringbinding)
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(nrpc.MSRPC_UUID_NRPC)

        # The client challenge is the constant b'12345678', not a random nonce.
        # The same constant is reused below for the session key and credential.
        resp = nrpc.hNetrServerReqChallenge(dce, NULL, remoteName + '\x00',
                                            b'12345678')
        serverChallenge = resp['ServerChallenge']

        # NOTE(review): ntHash is never read again in this method; the call still
        # raises if self.__nthash is not valid hex.
        ntHash = unhexlify(self.__nthash)

        # The shared secret passed here is the empty string: the session key is
        # derived as if the account's password were empty at this point.
        self.sessionKey = nrpc.ComputeSessionKeyAES('', b'12345678',
                                                    serverChallenge)

        # Client credential computed over the fixed client challenge.
        self.ppp = nrpc.ComputeNetlogonCredentialAES(b'12345678',
                                                     self.sessionKey)

        try:
            # NOTE(review): the account name here is built from self.__username,
            # while the password-set request below uses remoteName -- presumably
            # both name the same machine account; verify against the caller.
            # 0x212fffff is the negotiate-flags bitmask; the meaning of its bits
            # is defined by the protocol and is not visible in this file.
            resp = nrpc.hNetrServerAuthenticate3(
                dce, '\\\\' + remoteName + '\x00', self.__username + '$\x00',
                nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                remoteName + '\x00', self.ppp, 0x212fffff)
        except Exception as e:
            # Any error whose text contains STATUS_DOWNGRADE_DETECTED is ignored
            # and execution continues; every other error is re-raised.
            if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
                raise
        # Stored credential = client credential read as a little-endian 64-bit
        # integer, plus 10. No wraparound is applied: pack('<Q', ...) raises
        # struct.error if the sum exceeds 2**64 - 1.
        # Presumably the 10 matches the timestamp used by update_authenticator() -- confirm.
        self.clientStoredCredential = pack('<Q',
                                           unpack('<Q', self.ppp)[0] + 10)

        request = NetrServerPasswordSet2()
        request['PrimaryName'] = '\\\\' + remoteName + '\x00'
        request['AccountName'] = remoteName + '$\x00'
        request[
            'SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
        request['Authenticator'] = self.update_authenticator()
        request['ComputerName'] = remoteName + '\x00'
        # NOTE(review): encpassword is computed but never used below.
        encpassword = nrpc.ComputeNetlogonCredentialAES(
            self.__password, self.sessionKey)
        # Password buffer: zero padding up to 512 bytes, then the password bytes,
        # then the password length as a 4-byte little-endian integer.
        # self.__password must be bytes for this concatenation to work.
        # NOTE(review): there is no length check; a password longer than 512
        # bytes makes the padding empty and the buffer longer than 516 bytes.
        indata = b'\x00' * (512 -
                            len(self.__password)) + self.__password + pack(
                                '<L', len(self.__password))
        request['ClearNewPassword'] = nrpc.ComputeNetlogonCredentialAES(
            indata, self.sessionKey)
        # NOTE(review): result is not inspected; the success line is printed
        # whenever dce.request() returns without raising.
        result = dce.request(request)
        print('Change password OK')
Пример #2
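def authenticate(rpc_con, user):
    """Run the Netlogon challenge/authenticate exchange and report the outcome on stdout.

    Steps: NetrServerReqChallenge, session-key and credential derivation,
    NetrServerAuthenticate3 (WorkstationSecureChannel), then
    NetrLogonGetCapabilities with a fresh authenticator.

    Args:
        rpc_con: DCE/RPC handle passed to every nrpc call.
        user: Object providing computer_name, dc_name, account_name and
            account_password. account_password is parsed with
            bytearray.fromhex, so it must be a hex string.

    Returns:
        None. Stops after printing an error if the challenge request fails.
    """
    # Function-scope import: the file's import block is outside this listing.
    import secrets

    # The client challenge is a protocol nonce; draw it from the OS CSPRNG
    # rather than the predictable `random` generator.
    client_challenge = secrets.token_bytes(8)
    status = nrpc.hNetrServerReqChallenge(rpc_con, NULL,
                                          user.computer_name + '\x00',
                                          client_challenge)
    if status is None or status['ErrorCode'] != 0:
        print('Error NetrServerReqChallenge')
        # Without a server challenge nothing below can be computed; the
        # original fell through here and failed with a NameError.
        return

    server_challenge = status['ServerChallenge']
    print("Client_Challenge : ", client_challenge)
    print("Server_Challenge : ", server_challenge)

    session_key = nrpc.ComputeSessionKeyAES(
        user.account_password, client_challenge, server_challenge,
        bytearray.fromhex(user.account_password))
    # NOTE(review): the session key and credential are secrets for this
    # channel; printing them is only acceptable in a lab or debug run.
    print("Session_Key : ", session_key)
    credential = nrpc.ComputeNetlogonCredentialAES(client_challenge,
                                                   session_key)
    print("Credential : ", credential)

    negotiate_flags = 0x612fffff
    try:
        nrpc.hNetrServerAuthenticate3(
            rpc_con, user.dc_name + '\x00', user.account_name + '\x00',
            nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
            user.computer_name + '\x00', credential, negotiate_flags)
        authenticator = nrpc.ComputeNetlogonAuthenticator(
            credential, session_key)
        nrpc.hNetrLogonGetCapabilities(rpc_con, user.dc_name,
                                       user.computer_name,
                                       authenticator)
        print("Secure Channel is UP !")
    except Exception as e:
        # Keep the best-effort behaviour, but show what the server returned
        # instead of discarding it.
        print('Unexpected error code from DC:', e)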
Пример #3
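def authenticate(user):
    """Establish a Netlogon secure channel for user, then hand over to Menu.

    Steps: NetrServerReqChallenge, session-key and credential derivation,
    NetrServerAuthenticate3 (WorkstationSecureChannel),
    NetrLogonGetCapabilities, then Menu(user).

    Args:
        user: Object providing rpc, computer_name, dc_name, account_name and
            account_password (a hex string, parsed with bytearray.fromhex),
            plus SetSessionKey, SetAuthenticator and UpdateAuthenticator.

    Returns:
        None. Failures are reported through fail().
    """
    # Function-scope import: the file's import block is outside this listing.
    import secrets

    # The client challenge is a protocol nonce; draw it from the OS CSPRNG
    # rather than the predictable `random` generator.
    client_challenge = secrets.token_bytes(8)
    status = nrpc.hNetrServerReqChallenge(user.rpc, NULL,
                                          user.computer_name + '\x00',
                                          client_challenge)
    if status is None or status['ErrorCode'] != 0:
        fail('Error NetrServerReqChallenge')
        # fail() is defined elsewhere; if it returns instead of exiting,
        # stop here rather than continue without a server challenge.
        return

    server_challenge = status['ServerChallenge']
    print("Client_Challenge : ", client_challenge)
    print("Server_Challenge : ", server_challenge)

    session_key = nrpc.ComputeSessionKeyAES(
        user.account_password, client_challenge, server_challenge,
        bytearray.fromhex(user.account_password))
    user.SetSessionKey(session_key)
    # NOTE(review): the session key and credential are secrets for this
    # channel; printing them is only acceptable in a lab or debug run.
    print("Session_Key : ", session_key)
    credential = nrpc.ComputeNetlogonCredentialAES(client_challenge,
                                                   session_key)
    print("Credential : ", credential)

    negotiate_flags = 0x612fffff
    try:
        nrpc.hNetrServerAuthenticate3(
            user.rpc, user.dc_name + '\x00', user.account_name + '\x00',
            nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
            user.computer_name + '\x00', credential, negotiate_flags)
        authenticator = nrpc.ComputeNetlogonAuthenticator(
            credential, session_key)
        user.SetAuthenticator(authenticator)
        capabilities = nrpc.hNetrLogonGetCapabilities(
            user.rpc, user.dc_name, user.computer_name, authenticator)
        server_capabilities = (
            capabilities["ServerCapabilities"]["ServerCapabilities"])
        # Track the credential returned by the server for later calls.
        user.UpdateAuthenticator(
            capabilities["ReturnAuthenticator"]["Credential"])
        print("Server Capabilities : " + str(server_capabilities))
        print("Secure Channel is UP !")
        # NOTE(review): Menu runs inside this try, so any exception it raises
        # is also reported as an unexpected DC error.
        Menu(user)
    except Exception as e:
        fail(f'Unexpected error code from DC: {e}.')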
Пример #4
 def ComputeNetlogonCredentialAES(self, challenge):
     """Return the Netlogon AES credential for challenge under self.sessionKey.

     Thin wrapper: challenge and the stored session key are forwarded
     unchanged to nrpc.ComputeNetlogonCredentialAES.
     """
     compute = nrpc.ComputeNetlogonCredentialAES
     return compute(challenge, self.sessionKey)
Пример #5
 def update_authenticator(self, plus=10):
     """Build a NETLOGON_AUTHENTICATOR from the stored client credential.

     The Credential field is computed from self.clientStoredCredential and
     self.sessionKey; the Timestamp field is set to plus. This method does
     not modify self.clientStoredCredential, so the caller is responsible
     for advancing it.
     """
     auth = nrpc.NETLOGON_AUTHENTICATOR()
     credential = nrpc.ComputeNetlogonCredentialAES(
         self.clientStoredCredential,
         self.sessionKey,
     )
     auth['Credential'] = credential
     auth['Timestamp'] = plus
     return auth