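STATUS_SUCCESS = 0x0
STATUS_SOME_NOT_MAPPED = 0x107  # NTSTATUS: some, but not all, names/SIDs resolved


def _response_status(dce):
    """Return the NTSTATUS word trailing the last reassembled LSA reply.

    The LSA replies handled here end with a little-endian 32-bit return
    code.  Returns None when the reply is too short to hold one, so the
    caller sees a status mismatch instead of a struct.error from unpack().
    """
    raw = dce.reassembled_data
    if raw is None or len(raw) < 4:
        return None
    return unpack('<L', raw[-4:])[0]


def _lookup_steps(dce, policy_handle):
    """Steps 2-5 of do_test(): name->SID and SID->name lookups on one handle.

    Returns True when every reply carries the expected NTSTATUS and the
    SIDs resolved for USERS equal SIDS; False at the first deviation.
    """
    # 2. Perform a lookup with valid names
    data = lsa.LSALookupNames3Request(PolicyHandle=policy_handle,
                                      NamesArray=USERS).pack()
    dce.call(lsa.LSA_COM_LOOKUP_NAMES3, data, response=True)
    if _response_status(dce) != STATUS_SUCCESS:
        return False
    resp = lsa.LSALookupNames3Response(dce.reassembled_data)
    resp.get_domains()  # parsed only so that a malformed reply raises here
    sids = resp.get_sids()
    print(sids)
    if [sid['Sid'] for sid in sids] != SIDS:
        return False

    # 3. Perform a lookup with invalid names
    data = lsa.LSALookupNames3Request(PolicyHandle=policy_handle,
                                      NamesArray=USERS + ['notvalid']).pack()
    dce.call(lsa.LSA_COM_LOOKUP_NAMES3, data, response=True)
    if _response_status(dce) != STATUS_SOME_NOT_MAPPED:
        return False

    # 4. Perform a lookup with valid Sids
    data = lsa.LSALookupSidsRequest(PolicyHandle=policy_handle,
                                    Sids=SIDS).pack()
    dce.call(lsa.LSA_COM_LOOKUP_SIDS, data, response=True)
    if _response_status(dce) != STATUS_SUCCESS:
        return False
    resp = lsa.LSALookupSidsResponse(dce.reassembled_data)
    resp.get_domains()  # parsed only so that a malformed reply raises here
    resp.get_names()

    # 5. Perform a lookup with invalid Sids
    data = lsa.LSALookupSidsRequest(PolicyHandle=policy_handle,
                                    Sids=SIDS + ['S-1-1337']).pack()
    dce.call(lsa.LSA_COM_LOOKUP_SIDS, data, response=True)
    return _response_status(dce) == STATUS_SOME_NOT_MAPPED


def do_test():
    """Round-trip LSA name/SID lookups against HOST over the lsarpc pipe.

    Binds to the LSARPC interface, opens a policy handle with
    LSA_POLICY_LOOKUP_NAMES, runs the lookups in _lookup_steps() and then
    closes the handle -- also when a step failed, so a failing run does
    not leave a policy handle open on the server.

    Returns True when every step produced the expected result and the
    close succeeded, False otherwise.  Errors raised by DCERPC itself
    (transport, bind, reply parsing) propagate to the caller.

    Uses HOST, USERS, SIDS, lsa, DCERPC and the RPC_C_AUTHN_* constants
    from the enclosing module.
    """
    dce = DCERPC(u'ncacn_np:%s[\\lsarpc]' % HOST, getsock=None)
    dce.max_dcefrag = 100
    # PKT_INTEGRITY signs the fragments but does not encrypt them; the
    # names and SIDs exchanged below travel in the clear at this level.
    dce.bind(u'12345778-1234-abcd-ef00-0123456789ab', u'0.0',
             RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)

    # 1. Open
    data = lsa.LSAOpenPolicy2Request(
        SystemName='\\\\%s' % HOST,
        DesiredAccess=lsa.LSA_POLICY_LOOKUP_NAMES).pack()
    dce.call(lsa.LSA_COM_OPEN_POLICY2, data, response=True)
    policy_handle = lsa.LSAOpenPolicy2Response(
        dce.reassembled_data).get_handle()

    try:
        ok = _lookup_steps(dce, policy_handle)
    finally:
        # 6. Destroy the handle, whatever the outcome of the lookups
        data = lsa.LSACloseRequest(PolicyHandle=policy_handle).pack()
        dce.call(lsa.LSA_COM_CLOSE, data, response=True)
        ret = lsa.LSACloseResponse(dce.reassembled_data).get_return_value()

    # Good :) -- only when the lookups and the close both succeeded
    return ok and not ret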
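STATUS_SUCCESS = 0x0
STATUS_SOME_NOT_MAPPED = 0x107  # NTSTATUS: some, but not all, names/SIDs resolved
STATUS_INVALID_SID = 0xc0000078


def _response_status(dce):
    """Return the NTSTATUS word trailing the last reassembled LSA reply.

    The LSA replies handled here end with a little-endian 32-bit return
    code.  Returns None when the reply is too short to hold one, so the
    caller sees a status mismatch instead of a struct.error from unpack().
    """
    raw = dce.reassembled_data
    if raw is None or len(raw) < 4:
        return None
    return unpack('<L', raw[-4:])[0]


def _rid_is_expected(sid_string):
    """Accept the built-in Administrator RID (500) or a RID in 1100..1200.

    The RID is the last dash-separated component of the textual SID; a
    SID without a numeric last component raises ValueError, as before.
    """
    rid = int(sid_string.split('-')[-1])
    return rid == 500 or 1100 <= rid <= 1200


def _lookup_steps(dce, policy_handle):
    """Steps 2-5 of do_test(): name->SID and SID->name lookups on one handle.

    The SIDs resolved for USERS in step 2 are the ones looked back up in
    steps 4 and 5.  Returns True when every reply carries the expected
    NTSTATUS and every resolved RID passes _rid_is_expected(); False at
    the first deviation.
    """
    # 2. Perform a lookup with valid names
    data = lsa.LSALookupNames3Request(PolicyHandle=policy_handle,
                                      NamesArray=USERS).pack()
    dce.call(lsa.LSA_COM_LOOKUP_NAMES3, data, response=True)
    raw = dce.reassembled_data
    # A usable reply holds the status word plus at least four payload bytes.
    if not raw or len(raw) < 8:
        logging.error(
            '[-] Failure! lsa.LSALookupNames3Request() did not return an answer.'
        )
        return False
    if _response_status(dce) != STATUS_SUCCESS:
        return False
    resp = lsa.LSALookupNames3Response(dce.reassembled_data)
    resp.get_domains()  # parsed only so that a malformed reply raises here
    sids = resp.get_sids()
    logging.info(sids)
    sid_strings = [sid['Sid'] for sid in sids]
    if not all(_rid_is_expected(sid) for sid in sid_strings):
        return False

    # 3. Perform a lookup with invalid names
    data = lsa.LSALookupNames3Request(PolicyHandle=policy_handle,
                                      NamesArray=USERS + ['notvalid']).pack()
    dce.call(lsa.LSA_COM_LOOKUP_NAMES3, data, response=True)
    if _response_status(dce) != STATUS_SOME_NOT_MAPPED:
        return False

    # 4. Perform a lookup with valid Sids
    data = lsa.LSALookupSidsRequest(PolicyHandle=policy_handle,
                                    Sids=sid_strings).pack()
    dce.call(lsa.LSA_COM_LOOKUP_SIDS, data, response=True)
    if _response_status(dce) != STATUS_SUCCESS:
        return False
    resp = lsa.LSALookupSidsResponse(dce.reassembled_data)
    resp.get_domains()  # parsed only so that a malformed reply raises here
    resp.get_names()

    # 5. Perform a lookup with invalid Sids
    data = lsa.LSALookupSidsRequest(PolicyHandle=policy_handle,
                                    Sids=sid_strings + ['S-1-1337']).pack()
    dce.call(lsa.LSA_COM_LOOKUP_SIDS, data, response=True)
    return _response_status(dce) == STATUS_INVALID_SID


def do_test():
    """Round-trip LSA name/SID lookups against HOST as USERNAME/PASSWORD.

    Binds to the LSARPC interface, opens a policy handle with
    LSA_POLICY_LOOKUP_NAMES, runs the lookups in _lookup_steps() and then
    closes the handle -- also when a step failed, so a failing run does
    not leave a policy handle open on the server.

    Returns True when every step produced the expected result and the
    close succeeded, False otherwise.  Errors raised by DCERPC itself
    (transport, bind, reply parsing) propagate to the caller.

    Uses HOST, USERNAME, PASSWORD, USERS, lsa, DCERPC, logging and the
    RPC_C_AUTHN_* constants from the enclosing module.
    """
    dce = DCERPC(u'ncacn_np:%s[\\lsarpc]' % HOST,
                 getsock=None,
                 username=USERNAME,
                 password=PASSWORD)
    dce.max_dcefrag = 100
    # PKT_INTEGRITY signs the fragments but does not encrypt them; the
    # names and SIDs exchanged below travel in the clear at this level.
    dce.bind(u'12345778-1234-abcd-ef00-0123456789ab', u'0.0',
             RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)

    # 1. Open
    data = lsa.LSAOpenPolicy2Request(
        SystemName='\\\\%s' % HOST,
        DesiredAccess=lsa.LSA_POLICY_LOOKUP_NAMES).pack()
    dce.call(lsa.LSA_COM_OPEN_POLICY2, data, response=True)
    policy_handle = lsa.LSAOpenPolicy2Response(
        dce.reassembled_data).get_handle()

    try:
        ok = _lookup_steps(dce, policy_handle)
    finally:
        # 6. Destroy the handle, whatever the outcome of the lookups
        data = lsa.LSACloseRequest(PolicyHandle=policy_handle).pack()
        dce.call(lsa.LSA_COM_CLOSE, data, response=True)
        ret = lsa.LSACloseResponse(dce.reassembled_data).get_return_value()

    # Good :) -- only when the lookups and the close both succeeded
    return ok and not ret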