def test_packetHashesWINNTPacketPrivacy(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if hasattr(rpctransport, 'set_credentials'):
lmhash, nthash = self.hashes.split(':')
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, '', self.domain,
lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.set_max_fragment_size(1)
dce.set_credentials(*(rpctransport.get_credentials()))
dce.connect()
dce.set_auth_type(rpcrt.RPC_C_AUTHN_WINNT)
dce.set_auth_level(rpcrt.RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
dce.bind(epm.MSRPC_UUID_PORTMAP)
resp = epm.hept_lookup(self.machine)
dce.disconnect()
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(lsad.MSRPC_UUID_LSAD, transfer_syntax = self.ts)
resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsad.POLICY_CREATE_SECRET | DELETE | lsad.POLICY_VIEW_LOCAL_INFORMATION)
return dce, rpctransport, resp['PolicyHandle']
def connect(self, stringBinding, bindUUID):
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(bindUUID, transfer_syntax=self.ts)
return dce, rpctransport
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts)
resp = rrp.hOpenLocalMachine(
dce,
MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport, resp['phKey']
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
resp = nrpc.hNetrServerReqChallenge(dce, NULL,
self.serverName + '\x00',
'12345678')
resp.dump()
serverChallenge = resp['ServerChallenge']
if self.hashes == '':
ntHash = None
else:
ntHash = unhexlify(self.hashes.split(':')[1])
self.sessionKey = nrpc.ComputeSessionKeyStrongKey(
self.password, '12345678', serverChallenge, ntHash)
ppp = nrpc.ComputeNetlogonCredential('12345678', self.sessionKey)
try:
resp = nrpc.hNetrServerAuthenticate3(
dce, NULL, self.username + '\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
self.serverName + '\x00', ppp, 0x600FFFFF)
resp.dump()
except Exception, e:
if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
raise
def test_packetWINNTPacketIntegrityKerberos(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain)
rpctransport.set_kerberos(True)
dce = rpctransport.get_dce_rpc()
dce.connect()
#dce.set_credentials(*(rpctransport.get_credentials()))
dce.set_auth_type(rpcrt.RPC_C_AUTHN_GSS_NEGOTIATE)
dce.set_auth_level(rpcrt.RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.bind(epm.MSRPC_UUID_PORTMAP)
request = epm.ept_lookup()
request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS
request['object'] = NULL
request['Ifid'] = NULL
request['vers_option'] = epm.RPC_C_VERS_ALL
request['max_ents'] = 499
resp = dce.request(request)
resp = dce.request(request)
resp.dump()
dce.disconnect()
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts)
request = lsat.LsarOpenPolicy2()
request['SystemName'] = NULL
request['ObjectAttributes']['RootDirectory'] = NULL
request['ObjectAttributes']['ObjectName'] = NULL
request['ObjectAttributes']['SecurityDescriptor'] = NULL
request['ObjectAttributes']['SecurityQualityOfService'] = NULL
request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES
resp = dce.request(request)
return dce, rpctransport, resp['PolicyHandle']