def bind(self, packet, bind):
    """Reply to a client bind request with a BIND_ACK PDU.

    Each presentation context offered in ``bind['ctx_items']`` gets one
    result entry. A context is accepted only when its transfer syntax is
    NDR 2.0 and its abstract syntax equals an entry of
    ``self._listenUUIDS``; the matching UUID is stored in
    ``self._boundUUID``. The finished PDU is sent on ``self._clientSock``.

    Reason codes written into the results: 0 accepted, 1 abstract syntax
    not supported, 2 transfer syntax not supported.
    """
    # Standard NDR Representation
    ndr_syntax = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))

    ack = dcerpc.MSRPCBindAck()
    ack['type'] = dcerpc.MSRPC_BINDACK
    ack['flags'] = packet['flags']
    ack['frag_len'] = 0
    ack['auth_len'] = 0
    ack['auth_data'] = ''
    ack['call_id'] = packet['call_id']
    # NOTE(review): both fragment sizes are echoed back exactly as the
    # peer sent them; no upper or lower bound is applied here.
    ack['max_tfrag'] = bind['max_tfrag']
    ack['max_rfrag'] = bind['max_rfrag']
    ack['assoc_group'] = 0x1234
    ack['SecondaryAddrLen'] = 13
    ack['SecondaryAddr'] = '\\PIPE\\srvsvc'
    # Filler that brings SecondaryAddrLen + header size to a multiple of 4.
    ack['Pad'] = 'A' * (-(ack['SecondaryAddrLen'] + dcerpc.MSRPCBindAck._SIZE) % 4)
    ack['ctx_num'] = 0

    remaining = bind['ctx_items']
    encoded_results = []
    # NOTE(review): ctx_num and ctx_items are taken from the request as-is.
    # Nothing here checks that `remaining` still holds a whole context item
    # on every pass - confirm how CtxItem behaves on short input.
    for _ in range(bind['ctx_num']):
        item = dcerpc.CtxItem(remaining)
        remaining = remaining[len(item):]

        if item['TransferSyntax'] != ndr_syntax:
            # Fail the bind request for this context
            reason = 2  # Transfer Syntax not supported
        else:
            # Transfer syntax is NDR32; now check the interface is one we serve
            reason = 1  # Default, Abstract Syntax not supported
            for listen_uuid in self._listenUUIDS:
                if item['AbstractSyntax'] == listen_uuid:
                    # Match, we accept the bind request
                    reason = 0
                    self._boundUUID = listen_uuid

        if reason == 0:
            result = dcerpc.MSRPC_CONT_RESULT_ACCEPT
        else:
            result = dcerpc.MSRPC_CONT_RESULT_USER_REJECT

        ack['ctx_num'] += 1
        item_result = dcerpc.CtxItemResult()
        item_result['Result'] = result
        item_result['Reason'] = reason
        item_result['TransferSyntax'] = ndr_syntax
        encoded_results.append(str(item_result))

    ack['ctx_items'] = ''.join(encoded_results)
    ack['frag_len'] = len(str(ack))

    self._clientSock.send(str(ack))
    return None
def test_hept_map(self):
    """Ask the endpoint mapper on ``self.machine`` to map three interfaces.

    No assertions are made on the responses; the test fails only if one
    of the ``epm.hept_map`` calls raises.
    """
    samr = ('12345778-1234-ABCD-EF00-0123456789AC', '1.0')
    atsvc = ('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0')
    scmr = ('367ABB81-9844-35F1-AD32-98F038001003', '2.0')

    # (interface, extra keyword arguments), in the order the calls are made
    lookups = (
        (samr, {}),
        (samr, {'protocol': 'ncacn_ip_tcp'}),
        (atsvc, {}),
        (scmr, {'protocol': 'ncacn_ip_tcp'}),
    )
    for uuid_tuple, extra in lookups:
        resp = epm.hept_map(self.machine, uuidtup_to_bin(uuid_tuple), **extra)
def bind(self, packet, bind):
    """Build and send the BIND_ACK that answers a client's bind request.

    One result entry is produced per presentation context found in
    ``bind['ctx_items']``. Acceptance requires the NDR 2.0 transfer
    syntax and an abstract syntax listed in ``self._listenUUIDS``; on a
    match the UUID is kept in ``self._boundUUID``. The PDU is written to
    ``self._clientSock``.

    Reason codes: 0 accepted, 1 abstract syntax not supported,
    2 transfer syntax not supported.
    """
    # Standard NDR Representation
    ndr_bin = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))

    reply = dcerpc.MSRPCBindAck()
    reply['type'] = dcerpc.MSRPC_BINDACK
    reply['flags'] = packet['flags']
    reply['frag_len'] = 0
    reply['auth_len'] = 0
    reply['auth_data'] = ''
    reply['call_id'] = packet['call_id']
    # NOTE(review): the peer's fragment sizes are copied through unchecked.
    reply['max_tfrag'] = bind['max_tfrag']
    reply['max_rfrag'] = bind['max_rfrag']
    reply['assoc_group'] = 0x1234
    reply['SecondaryAddrLen'] = 13
    reply['SecondaryAddr'] = '\\PIPE\\srvsvc'
    # Bytes needed to make SecondaryAddrLen + header size a multiple of 4.
    unaligned = reply['SecondaryAddrLen'] + dcerpc.MSRPCBindAck._SIZE
    reply['Pad'] = 'A' * (-unaligned % 4)
    reply['ctx_num'] = 0

    pending = bind['ctx_items']
    results = []
    # NOTE(review): the loop count comes from the request; there is no check
    # that `pending` still contains a full item for each pass - confirm how
    # CtxItem handles truncated data.
    for _ in range(bind['ctx_num']):
        offered = dcerpc.CtxItem(pending)
        pending = pending[len(offered):]

        if offered['TransferSyntax'] != ndr_bin:
            # Fail the bind request for this context
            reason = 2  # Transfer Syntax not supported
        else:
            reason = 1  # Default, Abstract Syntax not supported
            for served in self._listenUUIDS:
                if offered['AbstractSyntax'] == served:
                    # Match, we accept the bind request
                    reason = 0
                    self._boundUUID = served

        if reason == 0:
            result = dcerpc.MSRPC_CONT_RESULT_ACCEPT
        else:
            result = dcerpc.MSRPC_CONT_RESULT_USER_REJECT

        reply['ctx_num'] += 1
        entry = dcerpc.CtxItemResult()
        entry['Result'] = result
        entry['Reason'] = reason
        entry['TransferSyntax'] = ndr_bin
        results.append(str(entry))

    reply['ctx_items'] = ''.join(results)
    reply['frag_len'] = len(str(reply))

    self._clientSock.send(str(reply))
    return None
def test_hlookup(self):
    """Run ``epm.hept_lookup`` unfiltered, then once per interface UUID.

    No assertions are made on the responses; the test fails only if one
    of the calls raises.
    """
    resp = epm.hept_lookup(self.machine)

    interfaces = (
        ('12345778-1234-ABCD-EF00-0123456789AC', '1.0'),  # SAMR
        ('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'),  # ATSVC
        ('367ABB81-9844-35F1-AD32-98F038001003', '2.0'),  # SCMR
    )
    for uuid_tuple in interfaces:
        if_id = uuidtup_to_bin(uuid_tuple)
        resp = epm.hept_lookup(self.machine,
                               inquiry_type=epm.RPC_C_EP_MATCH_BY_IF,
                               ifId=if_id)
def test_RemoteGetClassObject(self):
    """Request IClassFactory for CLSID_EventSystem, then release it.

    No assertions are made; the test fails only if a call raises.
    """
    dce, rpctransport = self.connect()
    class_factory_iid = uuidtup_to_bin(
        ('00000001-0000-0000-C000-000000000046', '0.0'))
    activator = dcomrt.IRemoteSCMActivator(dce)
    class_object = activator.RemoteGetClassObject(comev.CLSID_EventSystem,
                                                  class_factory_iid)
    # Drop the reference obtained above.
    class_object.RemRelease()
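# Best way to learn how to use these calls is to grab the protocol standard
# so you understand what the call does, and then read the test case located
# at https://github.com/CoreSecurity/impacket/tree/master/impacket/testcases/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
from mitmflib.impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, UCHAR, ULONG, LPDWORD, NULL
from mitmflib.impacket import hresult_errors
from mitmflib.impacket.uuid import uuidtup_to_bin
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException

MSRPC_UUID_ATSVC = uuidtup_to_bin(('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'))


class DCERPCSessionError(DCERPCException):
    """DCERPC error whose text is looked up in ``hresult_errors.ERROR_MESSAGES``."""

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        """Describe ``self.error_code``, with its short and verbose text when known."""
        code = self.error_code
        # "in" instead of dict.has_key(): same lookup, and has_key() no
        # longer exists on Python 3.
        if code in hresult_errors.ERROR_MESSAGES:
            short_msg = hresult_errors.ERROR_MESSAGES[code][0]
            verbose_msg = hresult_errors.ERROR_MESSAGES[code][1]
            return 'TSCH SessionError: code: 0x%x - %s - %s' % (code, short_msg, verbose_msg)
        return 'TSCH SessionError: unknown error code: 0x%x' % code

################################################################################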
# Description: # [MS-SRVS] interface implementation. # # TODO: NetServerEnum2 import array from struct import * import exceptions from mitmflib.impacket import ImpactPacket from mitmflib.impacket.structure import Structure from mitmflib.impacket import dcerpc from mitmflib.impacket.dcerpc import ndrutils from mitmflib.impacket.uuid import uuidtup_to_bin MSRPC_UUID_SRVSVC = uuidtup_to_bin( ('4B324FC8-1670-01D3-1278-5A47BF6EE188', '3.0')) # Error Codes ERROR_ACCESS_DENIED = 0x00000005 ERROR_INVALID_LEVEL = 0x0000007C ERROR_INVALID_PARAMETER = 0x00000057 ERROR_MORE_DATA = 0x000000EA ERROR_NOT_ENOUGH_MEMORY = 0x00000000 ERROR_FILE_NOT_FOUND = 0x00000002 ERROR_DUP_NAME = 0x00000034 ERROR_INVALID_DOMAINNAME = 0x000004BC ERROR_NOT_SUPPORTED = 0x00000032 ERROR_SERVICE_DOES_NOT_EXIST = 0x00000424 NERR_BufTooSmall = 0x0000084B NERR_ClientNameNotFound = 0x00000908 NERR_InvalidComputer = 0x0000092F
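#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from struct import pack

from mitmflib.impacket import system_errors
from mitmflib.impacket.uuid import uuidtup_to_bin
from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDR, NDRSTRUCT, NDRPOINTER, NDRPOINTERNULL, NDRUniConformantArray, NDRUNION
from mitmflib.impacket.dcerpc.v5.dtypes import NULL, DWORD, LPWSTR, ULONG, BOOL, LPBYTE, ULONGLONG, PGUID, USHORT, LPDWORD, WSTR, \
    GUID, PBOOL, WIDESTR
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException

MSRPC_UUID_SCMR = uuidtup_to_bin(('367ABB81-9844-35F1-AD32-98F038001003', '2.0'))


class DCERPCSessionError(DCERPCException):
    """DCERPC error whose text is looked up in ``system_errors.ERROR_MESSAGES``."""

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        """Describe ``self.error_code``, with its short and verbose text when known."""
        code = self.error_code
        # "in" instead of dict.has_key(): same lookup, and has_key() no
        # longer exists on Python 3.
        if code in system_errors.ERROR_MESSAGES:
            short_msg = system_errors.ERROR_MESSAGES[code][0]
            verbose_msg = system_errors.ERROR_MESSAGES[code][1]
            return 'SCMR SessionError: code: 0x%x - %s - %s' % (code, short_msg, verbose_msg)
        return 'SCMR SessionError: unknown error code: 0x%x' % code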
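# so you understand what the call does, and then read the test case located
# at https://github.com/CoreSecurity/impacket/tree/master/impacket/testcases/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRUniConformantVaryingArray
from mitmflib.impacket.dcerpc.v5.epm import PRPC_IF_ID
from mitmflib.impacket.dcerpc.v5.dtypes import ULONG, DWORD_ARRAY, ULONGLONG
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException
from mitmflib.impacket.uuid import uuidtup_to_bin
from mitmflib.impacket import nt_errors

MSRPC_UUID_MGMT = uuidtup_to_bin(('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0'))


class DCERPCSessionError(DCERPCException):
    """DCERPC error whose text is looked up in ``nt_errors.ERROR_MESSAGES``."""

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        """Describe ``self.error_code``, with its short and verbose text when known."""
        code = self.error_code
        # "in" instead of dict.has_key(): same lookup, and has_key() no
        # longer exists on Python 3.
        if code in nt_errors.ERROR_MESSAGES:
            short_msg = nt_errors.ERROR_MESSAGES[code][0]
            verbose_msg = nt_errors.ERROR_MESSAGES[code][1]
            return 'MGMT SessionError: code: 0x%x - %s - %s' % (code, short_msg, verbose_msg)
        return 'MGMT SessionError: unknown error code: 0x%x' % code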
# Author: Pablo A. Schachner # Alberto Solino # # Description: # LSARPC interface implementation. # from mitmflib.impacket.structure import Structure from mitmflib.impacket.dcerpc import ndrutils from mitmflib.impacket.dcerpc.samr import SAMR_RPC_SID_IDENTIFIER_AUTHORITY, SAMR_RPC_SID from mitmflib.impacket.uuid import uuidtup_to_bin from mitmflib.impacket.nt_errors import ERROR_MESSAGES import random from struct import pack, unpack MSRPC_UUID_LSARPC = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0')) # Constants # POLICY_INFORMATION_CLASS POLICY_AUDIT_LOG_INFORMATION = 1 POLICY_AUDIT_EVENTS_INFORMATION = 2 POLICY_PRIMARY_DOMAIN_INFORMATION = 3 POLICY_PD_ACCOUNT_INFORMATION = 4 POLICY_ACCOUNT_DOMAIN_INFORMATION = 5 POLICY_LSA_SERVER_ROLE_INFORMATION = 6 POLICY_REPLICA_SOURCE_INFORMATION = 7 POLICY_DEFAULT_QUOTA_INFORMATION = 8 POLICY_MODIFICATION_INFORMATION = 9 POLICY_AUDIT_FULL_SET_INFORMATION = 10 POLICY_AUDIT_FULL_QUERY_INFORMATION = 11
# for more information. # # $Id$ # # Author: Alberto Solino # # Description: # WKSSVC interface implementation. # from mitmflib.impacket.structure import Structure from mitmflib.impacket import dcerpc from mitmflib.impacket.dcerpc import ndrutils from mitmflib.impacket.uuid import uuidtup_to_bin MSRPC_UUID_WKSSVC = uuidtup_to_bin( ('6BFFD098-A112-3610-9833-46C3F87E345A', '1.0')) class WKSTA_TRANSPORT_INFO_0(Structure): structure = ( ('UnUsed', '<L'), ('NumberOfRemoteConnections', '<L'), ('RefId1', '<L'), ('RefId2', '<L'), ('IsRoutableTransport', '<L'), # ('TransportName',':',ndrutils.NDRStringW), # ('TransportAddress',':',ndrutils.NDRStringW), ) class WKSSVCNetrWkstaTransportEnum(Structure):
# Author: Alberto Solino # # Description: # SAMR (Security Account Manager Remote) interface implementation. # import array from time import strftime, gmtime from struct import * from mitmflib.impacket import ImpactPacket from mitmflib.impacket.dcerpc import ndrutils, dcerpc from mitmflib.impacket.structure import Structure from mitmflib.impacket.uuid import uuidtup_to_bin MSRPC_UUID_SAMR = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC', '1.0')) KNOWN_SIDS = { } OP_NUM_CREATE_USER_IN_DOMAIN = 0xC OP_NUM_ENUM_USERS_IN_DOMAIN = 0xD OP_NUM_CREATE_ALIAS_IN_DOMAIN = 0xE def display_time(filetime_high, filetime_low, minutes_utc=0): if filetime_low == 4294967295L: r = "Infinity" return r d = filetime_high*4.0*1.0*(1<<30) d += filetime_low d *= 1.0e-7
# of the Apache Software License. See the accompanying LICENSE file # for more information. # # $Id$ # import array import struct from mitmflib.impacket import ImpactPacket from mitmflib.impacket import uuid from mitmflib.impacket import dcerpc from mitmflib.impacket.dcerpc import ndrutils from mitmflib.impacket.dcerpc import transport MSRPC_UUID_MGMT = uuid.uuidtup_to_bin(("afa8bd80-7d8a-11c9-bef4-08002b102989", "1.0")) class IfIdsRequestHeader(ImpactPacket.Header): OP_NUM = 0 def get_header_size(self): return 0 class IdIdsResponseHeader(ImpactPacket.Header): __SIZE = 12 def __init__(self, aBuffer = None): ImpactPacket.Header.__init__(self, IdIdsResponseHeader.__SIZE) self.endianness = '<' if aBuffer: self.load_header(aBuffer)
# This library will be deprecated soon. You should use impacket.dcerpc.v5      #
# classes instead                                                              #
################################################################################
# Copyright (c) 2003-2012 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# $Id$
#
from mitmflib.impacket.structure import Structure
from mitmflib.impacket.uuid import uuidtup_to_bin

MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB', '1.0'))


def zeroize(s):
    """Return ``str(s)`` with a NUL byte placed after every character.

    An empty input yields a single NUL byte.
    """
    # NOTE(review): this equals UTF-16LE only for characters below U+0100.
    text = str(s)
    return '\x00'.join(text) + '\x00'


class SpoolSS_DevModeContainer(Structure):
    """Structure holding a DevMode blob together with its size and pointer fields."""

    alignment = 4
    # Field specifiers are interpreted by Structure; both cbBuf and pDevMode
    # name the DevMode field in their format string.
    structure = (
        ('cbBuf', '<L-DevMode'),
        ('pDevMode', '<L&DevMode'),
        ('DevMode', ':'),
    )
# so you understand what the call does, and then read the test case located # at https://github.com/CoreSecurity/impacket/tree/master/impacket/testcases/SMB_RPC # # Some calls have helper functions, which makes it even easier to use. # They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray from mitmflib.impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL, GUID, PSYSTEMTIME, SYSTEMTIME from mitmflib.impacket.structure import Structure from mitmflib.impacket import hresult_errors, system_errors from mitmflib.impacket.uuid import uuidtup_to_bin from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException MSRPC_UUID_TSCHS = uuidtup_to_bin( ('86D35949-83C9-4044-B424-DB363231FD0C', '1.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__(self): key = self.error_code if hresult_errors.ERROR_MESSAGES.has_key(key): error_msg_short = hresult_errors.ERROR_MESSAGES[key][0] error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1] return 'TSCH SessionError: code: 0x%x - %s - %s' % ( self.error_code, error_msg_short, error_msg_verbose) elif system_errors.ERROR_MESSAGES.has_key(key & 0xffff): error_msg_short = system_errors.ERROR_MESSAGES[key & 0xffff][0]
def bind(self, uuid, alter = 0, bogus_binds = 0):
    """Send a BIND (or ALTER_CONTEXT) PDU for ``uuid`` and process the answer.

    ``bogus_binds`` extra presentation contexts with generated abstract
    syntaxes are placed ahead of the real one. When the configured auth
    level is not RPC_C_AUTHN_LEVEL_NONE an NTLM or NETLOGON token is attached
    to the request; for NTLM the signing/sealing keys are then derived from
    the server's reply and an AUTH3 PDU is sent.

    Returns the parsed response header, or 0 when the transport returned 0.
    Raises a plain ``Exception`` on BIND_NAK, on an unexpected PDU type, or
    when a non-bogus context is rejected.

    NOTE(review): this listing had its line breaks and indentation collapsed.
    The nesting below is reconstructed from data flow (``response`` and
    ``randomSessionKey`` are only assigned inside the auth branch) - confirm
    against the upstream file before relying on it.
    """
    bind = MSRPCBind()
    # Standard NDR Representation
    NDRSyntax = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
    # NDR 64 (defined but not referenced again in this function)
    NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
    #item['TransferSyntax']['Version'] = 1
    ctx = self._ctx
    for i in range(bogus_binds):
        item = CtxItem()
        item['ContextID'] = ctx
        item['TransItems'] = 1
        # Second assignment of the same value; redundant as written.
        item['ContextID'] = ctx
        # We generate random UUIDs for bogus binds
        item['AbstractSyntax'] = generate() + stringver_to_bin('2.0')
        item['TransferSyntax'] = uuidtup_to_bin(NDRSyntax)
        bind.addCtxItem(item)
        self._ctx += 1
        ctx += 1
    # The true one :)
    item = CtxItem()
    item['AbstractSyntax'] = uuid
    item['TransferSyntax'] = uuidtup_to_bin(NDRSyntax)
    item['ContextID'] = ctx
    item['TransItems'] = 1
    bind.addCtxItem(item)
    packet = MSRPCHeader()
    packet['type'] = MSRPC_BIND
    packet['pduData'] = str(bind)
    packet['call_id'] = self.__callid
    if alter:
        packet['type'] = MSRPC_ALTERCTX
    if (self.__auth_level != RPC_C_AUTHN_LEVEL_NONE):
        # Credentials are pulled from the transport when none were set here.
        if (self.__username is None) or (self.__password is None):
            self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, self.__TGT, self.__TGS = self._transport.get_credentials()
        # NOTE(review): `auth` is only assigned for WINNT and NETLOGON; any
        # other auth type reaches str(auth) below with the name unbound.
        if self.__auth_type == RPC_C_AUTHN_WINNT:
            auth = ntlm.getNTLMSSPType1('', self.__domain, signingRequired = True, use_ntlmv2 = self._transport.doesSupportNTLMv2())
        elif self.__auth_type == RPC_C_AUTHN_NETLOGON:
            from mitmflib.impacket.dcerpc import netlogon
            # The last character of the user name is dropped here;
            # presumably the trailing '$' of a machine account - verify.
            auth = netlogon.getSSPType1(self.__username[:-1], self.__domain, signingRequired = True)
        sec_trailer = SEC_TRAILER()
        sec_trailer['auth_type'] = self.__auth_type
        sec_trailer['auth_level'] = self.__auth_level
        sec_trailer['auth_ctx_id'] = self._ctx + 79231
        # Align the PDU body to 4 bytes before the security trailer.
        pad = (4 - (len(packet.get_packet()) % 4)) % 4
        if pad != 0:
            packet['pduData'] = packet['pduData'] + '\xFF'*pad
            sec_trailer['auth_pad_len']=pad
        packet['sec_trailer'] = sec_trailer
        packet['auth_data'] = str(auth)
    self._transport.send(packet.get_packet())
    s = self._transport.recv()
    if s != 0:
        resp = MSRPCHeader(s)
    else:
        return 0 #mmm why not None?
    if resp['type'] == MSRPC_BINDACK or resp['type'] == MSRPC_ALTERCTX_R:
        bindResp = MSRPCBindAck(str(resp))
    elif resp['type'] == MSRPC_BINDNAK:
        resp = MSRPCBindNak(resp['pduData'])
        status_code = resp['RejectedReason']
        # NOTE(review): dict.has_key() exists on Python 2 only.
        if rpc_status_codes.has_key(status_code):
            raise Exception(rpc_status_codes[status_code], resp)
        elif rpc_provider_reason.has_key(status_code):
            raise Exception("Bind context rejected: %s" % rpc_provider_reason[status_code])
        else:
            raise Exception('Unknown DCE RPC fault status code: %.8x' % status_code, resp)
    else:
        raise Exception('Unknown DCE RPC packet type received: %d' % resp['type'])
    # check ack results for each context, except for the bogus ones
    # (ctx_num is read from the server's reply)
    for ctx in range(bogus_binds+1,bindResp['ctx_num']+1):
        result = bindResp.getCtxItem(ctx)['Result']
        if result != 0:
            msg = "Bind context %d rejected: " % ctx
            msg += rpc_cont_def_result.get(result, 'Unknown DCE RPC context result code: %.4x' % result)
            msg += "; "
            reason = bindResp.getCtxItem(ctx)['Reason']
            msg += rpc_provider_reason.get(reason, 'Unknown reason code: %.4x' % reason)
            if (result, reason) == (2, 1): # provider_rejection, abstract syntax not supported
                msg += " (this usually means the interface isn't listening on the given endpoint)"
            raise Exception(msg, resp)
    # The transmit fragment size is taken from the server's reply as-is.
    self.__max_xmit_size = bindResp['max_tfrag']
    if self.__auth_level != RPC_C_AUTHN_LEVEL_NONE:
        if self.__auth_type == RPC_C_AUTHN_WINNT:
            response, randomSessionKey = ntlm.getNTLMSSPType3(auth, bindResp['auth_data'], self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, use_ntlmv2 = self._transport.doesSupportNTLMv2())
            self.__flags = response['flags']
        elif self.__auth_type == RPC_C_AUTHN_NETLOGON:
            response = None
        # NOTE(review): nesting of this reset is reconstructed - confirm it
        # is not part of the NETLOGON branch above.
        self.__sequence = 0
        if self.__auth_level in (RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY):
            if self.__auth_type == RPC_C_AUTHN_WINNT:
                if self.__flags & ntlm.NTLMSSP_NTLM2_KEY:
                    # Separate client/server keys for signing and sealing.
                    self.__clientSigningKey = ntlm.SIGNKEY(self.__flags, randomSessionKey)
                    self.__serverSigningKey = ntlm.SIGNKEY(self.__flags, randomSessionKey,"Server")
                    self.__clientSealingKey = ntlm.SEALKEY(self.__flags, randomSessionKey)
                    self.__serverSealingKey = ntlm.SEALKEY(self.__flags, randomSessionKey,"Server")
                    # Preparing the keys handle states
                    # (one RC4 cipher object per direction)
                    cipher3 = ARC4.new(self.__clientSealingKey)
                    self.__clientSealingHandle = cipher3.encrypt
                    cipher4 = ARC4.new(self.__serverSealingKey)
                    self.__serverSealingHandle = cipher4.encrypt
                else:
                    # Same key for everything
                    self.__clientSigningKey = randomSessionKey
                    self.__serverSigningKey = randomSessionKey
                    self.__clientSealingKey = randomSessionKey
                    self.__serverSealingKey = randomSessionKey
                    # Both handles are bound to this one RC4 object, so the
                    # two directions advance a single shared cipher state.
                    cipher = ARC4.new(self.__clientSigningKey)
                    self.__clientSealingHandle = cipher.encrypt
                    self.__serverSealingHandle = cipher.encrypt
            elif self.__auth_type == RPC_C_AUTHN_NETLOGON:
                pass
        sec_trailer = SEC_TRAILER()
        sec_trailer['auth_type'] = self.__auth_type
        sec_trailer['auth_level'] = self.__auth_level
        sec_trailer['auth_ctx_id'] = self._ctx + 79231
        if response is not None:
            auth3 = MSRPCHeader()
            auth3['type'] = MSRPC_AUTH3
            # pad (4 bytes): Can be set to any arbitrary value when set and MUST be
            # ignored on receipt. The pad field MUST be immediately followed by a
            # sec_trailer structure whose layout, location, and alignment are as
            # specified in section 2.2.2.11
            # NOTE(review): the comment above says 4 bytes, but the literal as
            # shown on this page is a single space; the page's whitespace was
            # collapsed, so verify the literal against the upstream file.
            auth3['pduData'] = ' '
            auth3['sec_trailer'] = sec_trailer
            auth3['auth_data'] = str(response)
            # Use the same call_id
            self.__callid = resp['call_id']
            auth3['call_id'] = self.__callid
            self._transport.send(auth3.get_packet(), forceWriteAndx = 1)
        # NOTE(review): nesting of this increment is reconstructed - confirm
        # whether it belongs to the AUTH3 branch, the auth branch, or the
        # function body.
        self.__callid += 1
    return resp # means packet is signed, if verifier is wrong it fails
# so you understand what the call does, and then read the test case located # at https://github.com/CoreSecurity/impacket/tree/master/impacket/testcases/SMB_RPC # # Some calls have helper functions, which makes it even easier to use. # They are located at the end of this file. # Helper functions start with "h"<name of the call>. # There are test cases for them too. # from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray from mitmflib.impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL, GUID, PSYSTEMTIME, SYSTEMTIME from mitmflib.impacket.structure import Structure from mitmflib.impacket import hresult_errors, system_errors from mitmflib.impacket.uuid import uuidtup_to_bin from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException MSRPC_UUID_TSCHS = uuidtup_to_bin(('86D35949-83C9-4044-B424-DB363231FD0C','1.0')) class DCERPCSessionError(DCERPCException): def __init__(self, error_string=None, error_code=None, packet=None): DCERPCException.__init__(self, error_string, error_code, packet) def __str__( self ): key = self.error_code if hresult_errors.ERROR_MESSAGES.has_key(key): error_msg_short = hresult_errors.ERROR_MESSAGES[key][0] error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1] return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose) elif system_errors.ERROR_MESSAGES.has_key(key & 0xffff): error_msg_short = system_errors.ERROR_MESSAGES[key & 0xffff][0] error_msg_verbose = system_errors.ERROR_MESSAGES[key & 0xffff][1] return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
def addCallbacks(self, UUID, callbacks):
    """Register ``callbacks`` for the interface ``UUID`` and start listening for it.

    ``UUID`` is converted with ``uuidtup_to_bin``; the binary form is used
    as the key in ``self._callbacks`` and appended to ``self._listenUUIDS``.
    """
    # Format is [opnum] = callback
    interface_bin = uuidtup_to_bin(UUID)
    self._callbacks[interface_bin] = callbacks
    self._listenUUIDS.append(interface_bin)
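#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from struct import unpack

from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantVaryingArray, NDRUniConformantArray
from mitmflib.impacket.dcerpc.v5.dtypes import DWORD, UUID, ULONG, LPULONG, BOOLEAN, SECURITY_INFORMATION, PFILETIME, \
    RPC_UNICODE_STRING, FILETIME, NULL, MAXIMUM_ALLOWED, OWNER_SECURITY_INFORMATION, PWCHAR, PRPC_UNICODE_STRING
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException
from mitmflib.impacket import system_errors
from mitmflib.impacket.uuid import uuidtup_to_bin

MSRPC_UUID_RRP = uuidtup_to_bin(('338CD001-2244-31F1-AAAA-900038001003', '1.0'))


class DCERPCSessionError(DCERPCException):
    """DCERPC error whose text is looked up in ``system_errors.ERROR_MESSAGES``."""

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        """Describe ``self.error_code``, with its short and verbose text when known."""
        code = self.error_code
        # "in" instead of dict.has_key(): same lookup, and has_key() no
        # longer exists on Python 3.
        if code in system_errors.ERROR_MESSAGES:
            short_msg = system_errors.ERROR_MESSAGES[code][0]
            verbose_msg = system_errors.ERROR_MESSAGES[code][1]
            return 'RRP SessionError: code: 0x%x - %s - %s' % (code, short_msg, verbose_msg)
        return 'RRP SessionError: unknown error code: 0x%x' % code

################################################################################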
# Description: # WinReg (Windows Registry) interface implementation. # # ToDo: # [ ] Port all this to structure. Check svcctl.py import array import struct from mitmflib.impacket import dcerpc from mitmflib.impacket.dcerpc import ndrutils from mitmflib.impacket import ImpactPacket from mitmflib.impacket.uuid import uuidtup_to_bin MSRPC_UUID_WINREG = uuidtup_to_bin(("338CD001-2244-31F1-AAAA-900038001003", "1.0")) # Registry Security Access Mask values KEY_CREATE_LINK = 0x20 KEY_CREATE_SUB_KEY = 0x04 KEY_ENUMERATE_SUB_KEYS = 0x08 KEY_EXECUTE = 0x20019 KEY_NOTIFY = 0x10 KEY_QUERY_VALUE = 0x01 KEY_SET_VALUE = 0x02 KEY_ALL_ACCESS = 0xF003F KEY_READ = 0x20019 KEY_WRITE = 0x20006 # Registry Data types REG_NONE = 0 # No value type
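#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from struct import pack

from mitmflib.impacket import system_errors
from mitmflib.impacket.uuid import uuidtup_to_bin
from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDR, NDRSTRUCT, NDRPOINTER, NDRPOINTERNULL, NDRUniConformantArray, NDRUNION
from mitmflib.impacket.dcerpc.v5.dtypes import NULL, DWORD, LPWSTR, ULONG, BOOL, LPBYTE, ULONGLONG, PGUID, USHORT, LPDWORD, WSTR, \
    GUID, PBOOL, WIDESTR
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException

MSRPC_UUID_SCMR = uuidtup_to_bin(('367ABB81-9844-35F1-AD32-98F038001003', '2.0'))


class DCERPCSessionError(DCERPCException):
    """DCERPC error whose text is looked up in ``system_errors.ERROR_MESSAGES``."""

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        """Describe ``self.error_code``, with its short and verbose text when known."""
        code = self.error_code
        known = system_errors.ERROR_MESSAGES
        # Membership test instead of dict.has_key(), which Python 3 dropped.
        if code not in known:
            return 'SCMR SessionError: unknown error code: 0x%x' % code
        short_msg = known[code][0]
        verbose_msg = known[code][1]
        return 'SCMR SessionError: code: 0x%x - %s - %s' % (code, short_msg, verbose_msg)

################################################################################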
# for more information. # # $Id$ # # Author: Alberto Solino # # Description: # WKSSVC interface implementation. # from mitmflib.impacket.structure import Structure from mitmflib.impacket import dcerpc from mitmflib.impacket.dcerpc import ndrutils from mitmflib.impacket.uuid import uuidtup_to_bin MSRPC_UUID_WKSSVC = uuidtup_to_bin(('6BFFD098-A112-3610-9833-46C3F87E345A','1.0')) class WKSTA_TRANSPORT_INFO_0(Structure): structure = ( ('UnUsed','<L'), ('NumberOfRemoteConnections','<L'), ('RefId1','<L'), ('RefId2','<L'), ('IsRoutableTransport','<L'), # ('TransportName',':',ndrutils.NDRStringW), # ('TransportAddress',':',ndrutils.NDRStringW), ) class WKSSVCNetrWkstaTransportEnum(Structure): opnum = 5 alignment = 4
# Author: Alberto Solino # # Description: # SAMR (Security Account Manager Remote) interface implementation. # import array from time import strftime, gmtime from struct import * from mitmflib.impacket import ImpactPacket from mitmflib.impacket.dcerpc import ndrutils, dcerpc from mitmflib.impacket.structure import Structure from mitmflib.impacket.uuid import uuidtup_to_bin MSRPC_UUID_SAMR = uuidtup_to_bin( ('12345778-1234-ABCD-EF00-0123456789AC', '1.0')) KNOWN_SIDS = {} OP_NUM_CREATE_USER_IN_DOMAIN = 0xC OP_NUM_ENUM_USERS_IN_DOMAIN = 0xD OP_NUM_CREATE_ALIAS_IN_DOMAIN = 0xE def display_time(filetime_high, filetime_low, minutes_utc=0): if filetime_low == 4294967295L: r = "Infinity" return r d = filetime_high * 4.0 * 1.0 * (1 << 30) d += filetime_low d *= 1.0e-7
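# so you understand what the call does, and then read the test case located
# at https://github.com/CoreSecurity/impacket/tree/master/impacket/testcases/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRUniConformantVaryingArray
from mitmflib.impacket.dcerpc.v5.epm import PRPC_IF_ID
from mitmflib.impacket.dcerpc.v5.dtypes import ULONG, DWORD_ARRAY, ULONGLONG
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException
from mitmflib.impacket.uuid import uuidtup_to_bin
from mitmflib.impacket import nt_errors

MSRPC_UUID_MGMT = uuidtup_to_bin(('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0'))


class DCERPCSessionError(DCERPCException):
    """DCERPC error whose text is looked up in ``nt_errors.ERROR_MESSAGES``."""

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        """Describe ``self.error_code``, with its short and verbose text when known."""
        code = self.error_code
        known = nt_errors.ERROR_MESSAGES
        # Membership test instead of dict.has_key(), which Python 3 dropped.
        if code not in known:
            return 'MGMT SessionError: unknown error code: 0x%x' % code
        short_msg = known[code][0]
        verbose_msg = known[code][1]
        return 'MGMT SessionError: code: 0x%x - %s - %s' % (code, short_msg, verbose_msg)

################################################################################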
# # $Id$ # # Author: Alberto Solino # # Description: # ATSVC implementation of some methods [MS-TSCH] # from struct import * from mitmflib.impacket.structure import Structure from mitmflib.impacket import dcerpc from mitmflib.impacket.dcerpc import ndrutils, dcerpc from mitmflib.impacket.uuid import uuidtup_to_bin MSRPC_UUID_ATSVC = uuidtup_to_bin(('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0')) MSRPC_UUID_SASEC = uuidtup_to_bin(('378E52B0-C0A9-11CF-822D-00AA0051E40F', '1.0')) MSRPC_UUID_TSS = uuidtup_to_bin(('86D35949-83C9-4044-B424-DB363231FD0C', '1.0')) # Constants S_OK = 0x00000000 S_FALSE = 0x00000001 E_OUTOFMEMORY = 0x80000002 E_ACCESSDENIED = 0x80000009 E_INVALIDARG = 0x80000003 E_FAIL = 0x80000008 E_UNEXPECTED = 0x8000FFFF # Structures class AT_INFO(Structure):
# This library will be deprecated soon. You should use impacket.dcerpc.v5 # # classes instead # ################################################################################ # Copyright (c) 2003-2012 CORE Security Technologies # # This software is provided under under a slightly modified version # of the Apache Software License. See the accompanying LICENSE file # for more information. # # $Id$ # from mitmflib.impacket.structure import Structure from mitmflib.impacket.uuid import uuidtup_to_bin MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB', '1.0')) def zeroize(s): return '\x00'.join(str(s)) + '\x00' class SpoolSS_DevModeContainer(Structure): alignment = 4 structure = ( ('cbBuf','<L-DevMode'), ('pDevMode','<L&DevMode'), ('DevMode',':'), ) class SpoolSS_OpenPrinter(Structure): alignment = 4 opnum = 1
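#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from struct import unpack

from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantVaryingArray, NDRUniConformantArray
from mitmflib.impacket.dcerpc.v5.dtypes import DWORD, UUID, ULONG, LPULONG, BOOLEAN, SECURITY_INFORMATION, PFILETIME, \
    RPC_UNICODE_STRING, FILETIME, NULL, MAXIMUM_ALLOWED, OWNER_SECURITY_INFORMATION, PWCHAR, PRPC_UNICODE_STRING
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException
from mitmflib.impacket import system_errors
from mitmflib.impacket.uuid import uuidtup_to_bin

MSRPC_UUID_RRP = uuidtup_to_bin(('338CD001-2244-31F1-AAAA-900038001003', '1.0'))


class DCERPCSessionError(DCERPCException):
    """DCERPC error whose text is looked up in ``system_errors.ERROR_MESSAGES``."""

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        """Describe ``self.error_code``, with its short and verbose text when known."""
        code = self.error_code
        known = system_errors.ERROR_MESSAGES
        # Membership test instead of dict.has_key(), which Python 3 dropped.
        if code not in known:
            return 'RRP SessionError: unknown error code: 0x%x' % code
        short_msg = known[code][0]
        verbose_msg = known[code][1]
        return 'RRP SessionError: code: 0x%x - %s - %s' % (code, short_msg, verbose_msg)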
def test_RemoteGetClassObject(self):
    """Fetch the EventSystem class object through the remote SCM activator, then release it.

    The test makes no assertions; it passes when none of the calls raises.
    """
    dce, rpctransport = self.connect()
    class_factory_iid = uuidtup_to_bin(
        ('00000001-0000-0000-C000-000000000046', '0.0'))
    activator = dcomrt.IRemoteSCMActivator(dce)
    class_object = activator.RemoteGetClassObject(
        comev.CLSID_EventSystem, class_factory_iid)
    # Drop the remote reference so the test does not leave it held on the server.
    class_object.RemRelease()
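# Best way to learn how to use these calls is to grab the protocol standard
# so you understand what the call does, and then read the test case located
# at https://github.com/CoreSecurity/impacket/tree/master/impacket/testcases/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
from mitmflib.impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, UCHAR, ULONG, LPDWORD, NULL
from mitmflib.impacket import hresult_errors
from mitmflib.impacket.uuid import uuidtup_to_bin
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException

# Packed interface UUID and version used when binding to this interface.
MSRPC_UUID_ATSVC = uuidtup_to_bin(
    ('1FF70682-0A51-30E8-076D-740BE8CEE98B', '1.0'))


class DCERPCSessionError(DCERPCException):
    """TSCH call failure whose text is rendered from a numeric error code.

    ``str()`` looks the code up in ``hresult_errors.ERROR_MESSAGES`` and falls
    back to printing the bare code when it is not listed.

    NOTE(review): ``error_code`` defaults to None; if the base class stores it
    unchanged, the ``%x`` formatting in ``__str__`` raises TypeError. Confirm
    that callers always pass a code.
    """

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        key = self.error_code
        # `in` replaces dict.has_key(), which Python 3 removed; the membership
        # test behaves the same on Python 2.
        if key in hresult_errors.ERROR_MESSAGES:
            entry = hresult_errors.ERROR_MESSAGES[key]
            return 'TSCH SessionError: code: 0x%x - %s - %s' % (
                self.error_code, entry[0], entry[1])
        return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code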
# Author: Pablo A. Schachner # Alberto Solino # # Description: # LSARPC interface implementation. # from mitmflib.impacket.structure import Structure from mitmflib.impacket.dcerpc import ndrutils from mitmflib.impacket.dcerpc.samr import SAMR_RPC_SID_IDENTIFIER_AUTHORITY, SAMR_RPC_SID from mitmflib.impacket.uuid import uuidtup_to_bin from mitmflib.impacket.nt_errors import ERROR_MESSAGES import random from struct import pack, unpack MSRPC_UUID_LSARPC = uuidtup_to_bin( ('12345778-1234-ABCD-EF00-0123456789AB', '0.0')) # Constants # POLICY_INFORMATION_CLASS POLICY_AUDIT_LOG_INFORMATION = 1 POLICY_AUDIT_EVENTS_INFORMATION = 2 POLICY_PRIMARY_DOMAIN_INFORMATION = 3 POLICY_PD_ACCOUNT_INFORMATION = 4 POLICY_ACCOUNT_DOMAIN_INFORMATION = 5 POLICY_LSA_SERVER_ROLE_INFORMATION = 6 POLICY_REPLICA_SOURCE_INFORMATION = 7 POLICY_DEFAULT_QUOTA_INFORMATION = 8 POLICY_MODIFICATION_INFORMATION = 9 POLICY_AUDIT_FULL_SET_INFORMATION = 10 POLICY_AUDIT_FULL_QUERY_INFORMATION = 11
def bind(self, uuid, alter=0, bogus_binds=0):
    """Bind (or alter context) to the interface ``uuid`` and complete authentication.

    NOTE(review): this listing had its whitespace collapsed, so the nesting
    below is reconstructed from the statements themselves. The placement of
    ``self.__sequence = 0``, the second ``SEC_TRAILER`` and
    ``self.__callid += 1`` relative to the ``auth_level`` check should be
    confirmed against the original file.

    Args:
        uuid: abstract syntax placed in the real context item; presumably the
            packed UUID and version, as ``uuidtup_to_bin`` produces.
        alter: when true, the PDU type is MSRPC_ALTERCTX instead of MSRPC_BIND.
        bogus_binds: number of context items with generated abstract syntaxes
            added ahead of the real one.

    Returns:
        The parsed response header, or 0 when the transport's ``recv()``
        returned 0.

    Raises:
        Exception: on a bind NAK, an unexpected PDU type, or a context item
            the server rejected. The plain ``Exception`` type gives callers
            nothing narrower to catch.
    """
    bind = MSRPCBind()
    # Standard NDR Representation
    NDRSyntax = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
    # NDR 64
    # (defined but not referenced again in this method; every context item
    # below offers NDRSyntax only)
    NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
    #item['TransferSyntax']['Version'] = 1
    ctx = self._ctx
    for i in range(bogus_binds):
        item = CtxItem()
        item['ContextID'] = ctx
        item['TransItems'] = 1
        item['ContextID'] = ctx
        # We generate random UUIDs for bogus binds
        item['AbstractSyntax'] = generate() + stringver_to_bin('2.0')
        item['TransferSyntax'] = uuidtup_to_bin(NDRSyntax)
        bind.addCtxItem(item)
        self._ctx += 1
        ctx += 1
    # The true one :)
    item = CtxItem()
    item['AbstractSyntax'] = uuid
    item['TransferSyntax'] = uuidtup_to_bin(NDRSyntax)
    item['ContextID'] = ctx
    item['TransItems'] = 1
    bind.addCtxItem(item)
    packet = MSRPCHeader()
    packet['type'] = MSRPC_BIND
    packet['pduData'] = str(bind)
    packet['call_id'] = self.__callid
    if alter:
        packet['type'] = MSRPC_ALTERCTX
    if (self.__auth_level != RPC_C_AUTHN_LEVEL_NONE):
        # Credentials are pulled from the transport only when none were set
        # on this object.
        if (self.__username is None) or (self.__password is None):
            self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, self.__TGT, self.__TGS = self._transport.get_credentials(
            )
        # NOTE(review): `auth` is assigned only for WINNT and NETLOGON; any
        # other auth_type reaches str(auth) below with the name unbound.
        if self.__auth_type == RPC_C_AUTHN_WINNT:
            auth = ntlm.getNTLMSSPType1(
                '',
                self.__domain,
                signingRequired=True,
                use_ntlmv2=self._transport.doesSupportNTLMv2())
        elif self.__auth_type == RPC_C_AUTHN_NETLOGON:
            from mitmflib.impacket.dcerpc import netlogon
            # [:-1] drops the last character of the username, presumably the
            # trailing '$' of a machine account; confirm with callers.
            auth = netlogon.getSSPType1(self.__username[:-1],
                                        self.__domain,
                                        signingRequired=True)
        sec_trailer = SEC_TRAILER()
        sec_trailer['auth_type'] = self.__auth_type
        sec_trailer['auth_level'] = self.__auth_level
        # The same offset is used for the AUTH3 trailer further down.
        sec_trailer['auth_ctx_id'] = self._ctx + 79231
        # Pad the PDU body to a 4-byte boundary before the security trailer.
        pad = (4 - (len(packet.get_packet()) % 4)) % 4
        if pad != 0:
            packet['pduData'] = packet['pduData'] + '\xFF' * pad
            sec_trailer['auth_pad_len'] = pad
        packet['sec_trailer'] = sec_trailer
        packet['auth_data'] = str(auth)
    self._transport.send(packet.get_packet())
    s = self._transport.recv()
    if s != 0:
        resp = MSRPCHeader(s)
    else:
        return 0  #mmm why not None?
    if resp['type'] == MSRPC_BINDACK or resp['type'] == MSRPC_ALTERCTX_R:
        bindResp = MSRPCBindAck(str(resp))
    elif resp['type'] == MSRPC_BINDNAK:
        resp = MSRPCBindNak(resp['pduData'])
        status_code = resp['RejectedReason']
        if rpc_status_codes.has_key(status_code):
            raise Exception(rpc_status_codes[status_code], resp)
        elif rpc_provider_reason.has_key(status_code):
            raise Exception("Bind context rejected: %s" %
                            rpc_provider_reason[status_code])
        else:
            raise Exception(
                'Unknown DCE RPC fault status code: %.8x' % status_code,
                resp)
    else:
        raise Exception('Unknown DCE RPC packet type received: %d' %
                        resp['type'])
    # check ack results for each context, except for the bogus ones
    for ctx in range(bogus_binds + 1, bindResp['ctx_num'] + 1):
        result = bindResp.getCtxItem(ctx)['Result']
        if result != 0:
            msg = "Bind context %d rejected: " % ctx
            msg += rpc_cont_def_result.get(
                result, 'Unknown DCE RPC context result code: %.4x' % result)
            msg += "; "
            reason = bindResp.getCtxItem(ctx)['Reason']
            msg += rpc_provider_reason.get(
                reason, 'Unknown reason code: %.4x' % reason)
            if (result, reason) == (
                    2, 1
            ):  # provider_rejection, abstract syntax not supported
                msg += " (this usually means the interface isn't listening on the given endpoint)"
            raise Exception(msg, resp)
    # The transmit fragment size is taken from the server's bind ack as is.
    self.__max_xmit_size = bindResp['max_tfrag']
    if self.__auth_level != RPC_C_AUTHN_LEVEL_NONE:
        if self.__auth_type == RPC_C_AUTHN_WINNT:
            # bindResp['auth_data'] is server-supplied and is handed to the
            # Type 3 builder together with the password and LM/NT hashes.
            response, randomSessionKey = ntlm.getNTLMSSPType3(
                auth,
                bindResp['auth_data'],
                self.__username,
                self.__password,
                self.__domain,
                self.__lmhash,
                self.__nthash,
                use_ntlmv2=self._transport.doesSupportNTLMv2())
            self.__flags = response['flags']
        elif self.__auth_type == RPC_C_AUTHN_NETLOGON:
            response = None
        self.__sequence = 0
        if self.__auth_level in (RPC_C_AUTHN_LEVEL_CONNECT,
                                 RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
                                 RPC_C_AUTHN_LEVEL_PKT_PRIVACY):
            if self.__auth_type == RPC_C_AUTHN_WINNT:
                if self.__flags & ntlm.NTLMSSP_NTLM2_KEY:
                    # Separate signing and sealing keys per direction, each
                    # sealing key with its own RC4 state.
                    self.__clientSigningKey = ntlm.SIGNKEY(
                        self.__flags, randomSessionKey)
                    self.__serverSigningKey = ntlm.SIGNKEY(
                        self.__flags, randomSessionKey, "Server")
                    self.__clientSealingKey = ntlm.SEALKEY(
                        self.__flags, randomSessionKey)
                    self.__serverSealingKey = ntlm.SEALKEY(
                        self.__flags, randomSessionKey, "Server")
                    # Preparing the keys handle states
                    cipher3 = ARC4.new(self.__clientSealingKey)
                    self.__clientSealingHandle = cipher3.encrypt
                    cipher4 = ARC4.new(self.__serverSealingKey)
                    self.__serverSealingHandle = cipher4.encrypt
                else:
                    # Same key for everything
                    # Both handles are bound to one cipher object, so the two
                    # directions advance a single shared RC4 keystream.
                    self.__clientSigningKey = randomSessionKey
                    self.__serverSigningKey = randomSessionKey
                    self.__clientSealingKey = randomSessionKey
                    self.__serverSealingKey = randomSessionKey
                    cipher = ARC4.new(self.__clientSigningKey)
                    self.__clientSealingHandle = cipher.encrypt
                    self.__serverSealingHandle = cipher.encrypt
            elif self.__auth_type == RPC_C_AUTHN_NETLOGON:
                pass
        sec_trailer = SEC_TRAILER()
        sec_trailer['auth_type'] = self.__auth_type
        sec_trailer['auth_level'] = self.__auth_level
        sec_trailer['auth_ctx_id'] = self._ctx + 79231
        if response is not None:
            auth3 = MSRPCHeader()
            auth3['type'] = MSRPC_AUTH3
            # pad (4 bytes): Can be set to any arbitrary value when set and MUST be
            # ignored on receipt. The pad field MUST be immediately followed by a
            # sec_trailer structure whose layout, location, and alignment are as
            # specified in section 2.2.2.11
            # NOTE(review): the literal below is one character long in this
            # listing although the comment above describes 4 bytes; runs of
            # spaces may have been collapsed here. Confirm against the file.
            auth3['pduData'] = ' '
            auth3['sec_trailer'] = sec_trailer
            auth3['auth_data'] = str(response)
            # Use the same call_id
            self.__callid = resp['call_id']
            auth3['call_id'] = self.__callid
            self._transport.send(auth3.get_packet(), forceWriteAndx=1)
        self.__callid += 1
    return resp  # means packet is signed, if verifier is wrong it fails
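# [MS-SRVS] interface implementation.
#
# TODO: NetServerEnum2
import array
from struct import *
import exceptions

from mitmflib.impacket import ImpactPacket
from mitmflib.impacket.structure import Structure
from mitmflib.impacket import dcerpc
from mitmflib.impacket.dcerpc import ndrutils
from mitmflib.impacket.uuid import uuidtup_to_bin

# Packed interface UUID and version used when binding to the SRVSVC interface.
MSRPC_UUID_SRVSVC = uuidtup_to_bin(('4B324FC8-1670-01D3-1278-5A47BF6EE188', '3.0'))

# Error Codes
ERROR_ACCESS_DENIED = 0x00000005
ERROR_INVALID_LEVEL = 0x0000007C
ERROR_INVALID_PARAMETER = 0x00000057
ERROR_MORE_DATA = 0x000000EA
# Win32 defines ERROR_NOT_ENOUGH_MEMORY as 8. The earlier value of 0 is the
# success code, so a status compared against this name matched every
# successful call.
ERROR_NOT_ENOUGH_MEMORY = 0x00000008
ERROR_FILE_NOT_FOUND = 0x00000002
ERROR_DUP_NAME = 0x00000034
ERROR_INVALID_DOMAINNAME = 0x000004BC
ERROR_NOT_SUPPORTED = 0x00000032
ERROR_SERVICE_DOES_NOT_EXIST = 0x00000424
NERR_BufTooSmall = 0x0000084B
NERR_ClientNameNotFound = 0x00000908
NERR_InvalidComputer = 0x0000092F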
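# Best way to learn how to use these calls is to grab the protocol standard
# so you understand what the call does, and then read the test case located
# at https://github.com/CoreSecurity/impacket/tree/master/impacket/testcases/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray
from mitmflib.impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL
from mitmflib.impacket import hresult_errors
from mitmflib.impacket.uuid import uuidtup_to_bin
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException

# Packed interface UUID and version used when binding to this interface.
MSRPC_UUID_SASEC = uuidtup_to_bin(('378E52B0-C0A9-11CF-822D-00AA0051E40F','1.0'))


class DCERPCSessionError(DCERPCException):
    """Call failure for this interface, rendered from a numeric error code.

    ``str()`` looks the code up in ``hresult_errors.ERROR_MESSAGES`` and falls
    back to printing the bare code when it is not listed. The message prefix
    is 'TSCH', not the SASEC name used for the UUID constant above.

    NOTE(review): ``error_code`` defaults to None; if the base class stores it
    unchanged, the ``%x`` formatting in ``__str__`` raises TypeError. Confirm
    that callers always pass a code.
    """

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__( self ):
        key = self.error_code
        # `in` replaces dict.has_key(), which Python 3 removed; the membership
        # test behaves the same on Python 2.
        if key in hresult_errors.ERROR_MESSAGES:
            entry = hresult_errors.ERROR_MESSAGES[key]
            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, entry[0], entry[1])
        return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code

################################################################################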
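# Best way to learn how to use these calls is to grab the protocol standard
# so you understand what the call does, and then read the test case located
# at https://github.com/CoreSecurity/impacket/tree/master/impacket/testcases/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from mitmflib.impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray
from mitmflib.impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL
from mitmflib.impacket import hresult_errors
from mitmflib.impacket.uuid import uuidtup_to_bin
from mitmflib.impacket.dcerpc.v5.rpcrt import DCERPCException

# Packed interface UUID and version used when binding to this interface.
MSRPC_UUID_SASEC = uuidtup_to_bin(
    ('378E52B0-C0A9-11CF-822D-00AA0051E40F', '1.0'))


class DCERPCSessionError(DCERPCException):
    """Call failure for this interface, rendered from a numeric error code.

    ``str()`` looks the code up in ``hresult_errors.ERROR_MESSAGES`` and falls
    back to printing the bare code when it is not listed. The message prefix
    is 'TSCH', not the SASEC name used for the UUID constant above.

    NOTE(review): ``error_code`` defaults to None; if the base class stores it
    unchanged, the ``%x`` formatting in ``__str__`` raises TypeError. Confirm
    that callers always pass a code.
    """

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        key = self.error_code
        # `in` replaces dict.has_key(), which Python 3 removed; the membership
        # test behaves the same on Python 2.
        if key in hresult_errors.ERROR_MESSAGES:
            entry = hresult_errors.ERROR_MESSAGES[key]
            return 'TSCH SessionError: code: 0x%x - %s - %s' % (
                self.error_code, entry[0], entry[1])
        return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code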