示例#1
def createKmsRequestBase():
    """Populate a fresh ``kmsRequestStruct`` with the client-side base fields.

    Protocol version, license status, the three product identifiers, the
    optional client machine id and the optional machine name are read from
    the module-level ``config`` mapping.  A ``None`` ``cmid`` is replaced by
    a random UUID and a ``None`` ``machineName`` by a random alphanumeric
    string of 2-63 characters.

    Returns:
        The filled-in request structure.
    """

    def _wire_uuid(text):
        # Parse the textual UUID and wrap its little-endian bytes in the
        # project's UUID type.
        return UUID(uuid.UUID(text).bytes_le)

    req = kmsRequestStruct()
    req['versionMinor'] = config['KMSProtocolMinorVersion']
    req['versionMajor'] = config['KMSProtocolMajorVersion']
    req['isClientVm'] = 0
    req['licenseStatus'] = config['KMSClientLicenseStatus']
    req['graceTime'] = 43200
    req['applicationId'] = _wire_uuid(config['KMSClientAppID'])
    req['skuId'] = _wire_uuid(config['KMSClientSkuID'])
    req['kmsCountedId'] = _wire_uuid(config['KMSClientKMSCountedID'])

    # Use the configured client machine id when present, otherwise a fresh
    # random one for this request.
    configured_cmid = config['cmid']
    if configured_cmid is None:
        cmid_bytes = uuid.uuid4().bytes_le
    else:
        cmid_bytes = uuid.UUID(configured_cmid).bytes_le
    req['clientMachineId'] = UUID(cmid_bytes)

    # Sent as sixteen zero bytes (a null UUID) rather than the current id.
    req['previousClientMachineId'] = b'\0' * 16
    req['requiredClientCount'] = config['RequiredClientCount']
    # utcnow() yields a naive datetime; dt_to_filetime receives it as-is.
    req['requestTime'] = filetimes.dt_to_filetime(datetime.datetime.utcnow())

    host_name = config['machineName']
    if host_name is None:
        # `random` is the non-cryptographic PRNG; the generated name is
        # presumably only a filler identifier, not a secret.
        alphabet = string.ascii_letters + string.digits
        host_name = ''.join(
            random.choice(alphabet) for _ in range(random.randint(2, 63)))
    req['machineName'] = host_name.encode('utf-16le')

    # Pad with UTF-16LE NULs up to 63 characters; a longer configured name
    # gives a negative count and therefore no padding at all.
    name_chars = len(req['machineName'].decode('utf-16le'))
    req['mnPad'] = '\0'.encode('utf-16le') * (63 - name_chars)

    # With debug enabled the whole request (ids and machine name included)
    # is written to stdout.
    if config['debug']:
        print("Request Base Dictionary:", req.dump())

    return req
示例#2
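def CreateRequestBase():
	"""Build and serialise the base KMS client request.

	Field values come from the module-level ``config`` mapping, except for
	the client machine id (random UUID), the request time (current UTC time
	as a FILETIME) and the machine name (32 random alphanumeric characters).

	Returns:
		The packed request as a byte string.
	"""
	# Collect the field values first so they can be logged before packing.
	requestDict = {}

	# KMS protocol version
	requestDict['MajorVer'] = config['KMSProtocolMajorVersion']
	requestDict['MinorVer'] = config['KMSProtocolMinorVersion']

	# The client reports itself as not being a VM
	requestDict['IsClientVM'] = 0

	# License status
	requestDict['LicenseStatus'] = config['KMSClientLicenseStatus']

	# Grace time
	requestDict['GraceTime'] = 43200

	# Application, SKU and KMS counted ids
	requestDict['ApplicationId'] = uuid.UUID(config['KMSClientAppID'])
	requestDict['SkuId'] = uuid.UUID(config['KMSClientSkuID'])
	requestDict['KmsCountedId'] = uuid.UUID(config['KMSClientKMSCountedID'])

	# Client machine id: a fresh random UUID on every call
	requestDict['ClientMachineId'] = uuid.uuid4()

	# Minimum client count
	requestDict['RequiredClientCount'] = config['RequiredClientCount']

	# Current time as a FILETIME (utcnow() is a naive datetime)
	requestDict['RequestTime'] = filetimes.dt_to_filetime(datetime.datetime.utcnow())

	# Random machine name of exactly 32 characters; 32 NUL characters are
	# appended when packing.  ascii_letters is locale-independent, so the
	# later UTF-16 encode cannot fail on a non-ASCII letter.
	requestDict['MachineName'] = ''.join(
		random.choice(string.ascii_letters + string.digits) for i in range(32))

	# Debug output: the message needs a placeholder, otherwise the logging
	# module reports a formatting error instead of the value.
	logging.debug("Request Base Dictionary: %s", requestDict)

	# Bytes literal so the concatenation below also works where str is text.
	request = b''
	request += struct.pack('<H', requestDict['MinorVer'])
	request += struct.pack('<H', requestDict['MajorVer'])
	request += struct.pack('<I', requestDict['IsClientVM'])
	request += struct.pack('<I', requestDict['LicenseStatus'])
	request += struct.pack('<I', requestDict['GraceTime'])
	request += requestDict['ApplicationId'].bytes_le
	request += requestDict['SkuId'].bytes_le
	request += requestDict['KmsCountedId'].bytes_le
	request += requestDict['ClientMachineId'].bytes_le
	request += struct.pack('<I', requestDict['RequiredClientCount'])
	# NOTE(review): the time is packed big-endian while every other integer
	# field here is little-endian -- confirm against the protocol definition.
	request += struct.pack('>Q', requestDict['RequestTime'])
	# The client machine id is written a second time here; presumably this
	# slot is the previous client machine id -- TODO confirm.
	request += requestDict['ClientMachineId'].bytes_le
	request += requestDict['MachineName'].encode('utf-16le')
	request += ('\0' * 32).encode('utf-16le')
	logging.debug("Request Base: %s %d", binascii.b2a_hex(request), len(request))

	return request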
示例#3
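def CreateRequestBase():
	"""Build and serialise the base KMS client request.

	Field values come from the module-level ``config`` mapping, except for
	the client machine id (random UUID), the request time (current UTC time
	as a FILETIME) and the machine name (32 random alphanumeric characters).

	Returns:
		The packed request as a byte string.
	"""
	# Collect the field values first so they can be logged before packing.
	requestDict = {}

	# KMS protocol version
	requestDict['MajorVer'] = config['KMSProtocolMajorVersion']
	requestDict['MinorVer'] = config['KMSProtocolMinorVersion']

	# The client reports itself as not being a VM
	requestDict['IsClientVM'] = 0

	# License status
	requestDict['LicenseStatus'] = config['KMSClientLicenseStatus']

	# Grace time
	requestDict['GraceTime'] = 43200

	# Application, SKU and KMS counted ids
	requestDict['ApplicationId'] = uuid.UUID(config['KMSClientAppID'])
	requestDict['SkuId'] = uuid.UUID(config['KMSClientSkuID'])
	requestDict['KmsCountedId'] = uuid.UUID(config['KMSClientKMSCountedID'])

	# Client machine id: a fresh random UUID on every call
	requestDict['ClientMachineId'] = uuid.uuid4()

	# Minimum client count
	requestDict['RequiredClientCount'] = config['RequiredClientCount']

	# Current time as a FILETIME (utcnow() is a naive datetime)
	requestDict['RequestTime'] = filetimes.dt_to_filetime(datetime.datetime.utcnow())

	# Random machine name of exactly 32 characters; 32 NUL characters are
	# appended when packing.  ascii_letters is locale-independent, so the
	# later UTF-16 encode cannot fail on a non-ASCII letter.
	requestDict['MachineName'] = ''.join(
		random.choice(string.ascii_letters + string.digits) for i in range(32))

	# Debug output: the message needs a placeholder, otherwise the logging
	# module reports a formatting error instead of the value.
	logging.debug("Request Base Dictionary: %s", requestDict)

	# Bytes literal so the concatenation below also works where str is text.
	request = b''
	request += struct.pack('<H', requestDict['MinorVer'])
	request += struct.pack('<H', requestDict['MajorVer'])
	request += struct.pack('<I', requestDict['IsClientVM'])
	request += struct.pack('<I', requestDict['LicenseStatus'])
	request += struct.pack('<I', requestDict['GraceTime'])
	request += requestDict['ApplicationId'].bytes_le
	request += requestDict['SkuId'].bytes_le
	request += requestDict['KmsCountedId'].bytes_le
	request += requestDict['ClientMachineId'].bytes_le
	request += struct.pack('<I', requestDict['RequiredClientCount'])
	# NOTE(review): the time is packed big-endian while every other integer
	# field here is little-endian -- confirm against the protocol definition.
	request += struct.pack('>Q', requestDict['RequestTime'])
	# The client machine id is written a second time here; presumably this
	# slot is the previous client machine id -- TODO confirm.
	request += requestDict['ClientMachineId'].bytes_le
	request += requestDict['MachineName'].encode('utf-16le')
	request += ('\0' * 32).encode('utf-16le')
	logging.debug("Request Base: %s %d", binascii.b2a_hex(request), len(request))

	return request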
示例#4
def build_pac(vec, logon_time):
    """Assemble and serialise a PAC for the account described by ``vec``.

    Args:
        vec: mapping read for the keys ``'ip'``, ``'user'``,
            ``'passphrase'`` and ``'domain'``.
        logon_time: timestamp string in ``'%Y%m%d%H%M%SZ'`` format.

    Returns:
        The result of ``Pac.pack()``, or ``None`` when the SID lookup
        returns a falsy value.
    """
    pac_builder = Pac()
    pac_builder.set_header()

    # Parsed before the SID lookup, so a malformed timestamp raises first.
    logon_filetime = dt_to_filetime(
        datetime.strptime(logon_time, '%Y%m%d%H%M%SZ'))

    # The account's own credentials are used to resolve its SID.
    sid = lsa.lsa_get_user_sid(vec['ip'],
                               account_name=vec['user'],
                               username=vec['user'],
                               password=vec['passphrase'],
                               domain=vec['domain'])
    if not sid:
        return None

    # Buffer type 1: logon information (receives the unparsed time string).
    logon_fields = {
        'user_name': vec['user'],
        'user_sid': sid,
        'domain_name': vec['domain'],
        'logon_time': logon_time
    }
    pac_builder.add_info_buffer(1, PacLogonInformationIB(logon_fields))

    # Buffer type 10: client info, with the name in UTF-16LE.
    client_fields = {
        'clientID': logon_filetime,
        'name': vec['user'].encode('utf-16le'),
        'nameLength': len(vec['user'].encode('utf-16le'))
    }
    pac_builder.add_info_buffer(10, PacClientInfoIB(client_fields))

    # Buffer types 6 and 7: both signature buffers carry type 7 and sixteen
    # NUL bytes; no checksum over the PAC is computed in this function.
    # NOTE(review): whether a later step fills them in is not visible here.
    for buffer_type in (6, 7):
        pac_builder.add_info_buffer(
            buffer_type,
            PacSignatureDataIB({
                'type': 7,
                'data': "\x00" * 16
            }))

    return pac_builder.pack()
示例#5
def createKmsRequestBase():
        """Populate a fresh ``kmsBase.kmsRequestStruct`` with the base fields.

        Values are read from the module-level ``config`` mapping.  A ``None``
        ``cmid`` is replaced by a random UUID and a ``None`` ``machineName``
        by a random alphanumeric string of 2-63 characters.

        Returns:
            The filled-in request structure.
        """

        def _wire_uuid(text):
                # Parse the textual UUID and wrap its little-endian bytes in
                # the project's UUID type.
                return UUID(uuid.UUID(text).bytes_le)

        req = kmsBase.kmsRequestStruct()
        req['versionMinor'] = config['KMSProtocolMinorVersion']
        req['versionMajor'] = config['KMSProtocolMajorVersion']
        req['isClientVm'] = 0
        req['licenseStatus'] = config['KMSClientLicenseStatus']
        req['graceTime'] = 43200
        req['applicationId'] = _wire_uuid(config['KMSClientAppID'])
        req['skuId'] = _wire_uuid(config['KMSClientSkuID'])
        req['kmsCountedId'] = _wire_uuid(config['KMSClientKMSCountedID'])

        # Configured client machine id when present, otherwise a random one.
        configured_cmid = config['cmid']
        if configured_cmid is None:
                cmid_bytes = uuid.uuid4().bytes_le
        else:
                cmid_bytes = uuid.UUID(configured_cmid).bytes_le
        req['clientMachineId'] = UUID(cmid_bytes)

        # Sent as sixteen NUL characters (a null UUID), not the current id.
        req['previousClientMachineId'] = '\0' * 16
        req['requiredClientCount'] = config['RequiredClientCount']
        req['requestTime'] = filetimes.dt_to_filetime(datetime.datetime.utcnow())

        host_name = config['machineName']
        if host_name is None:
                # string.letters exists only on Python 2 and follows the
                # process locale.
                alphabet = string.letters + string.digits
                host_name = ''.join(random.choice(alphabet) for _ in range(random.randint(2, 63)))
        req['machineName'] = host_name.encode('utf-16le')

        # Pad with UTF-16LE NULs up to 63 characters.
        name_chars = len(req['machineName'].decode('utf-16le'))
        req['mnPad'] = '\0'.encode('utf-16le') * (63 - name_chars)

        # Debug output: the full request dump goes to the debug log.
        shell_message(nshell = 9)
        dump_text = justify(req.dump(print_to_stdout = False))
        logging.debug("Request Base Dictionary: \n%s\n" % dump_text)

        return req
示例#6
#tutorial 12
#how to set account expiration date in ad user account
from pyad import *
import datetime
from filetimes import dt_to_filetime, utc

# Resolve the directory object by its common name.
account = pyad.adobject.ADObject.from_cn("aalamda")

# accountExpires holds a Windows FILETIME (100 ns ticks since 1601-01-01);
# in Active Directory the values 0 and 0x7FFFFFFFFFFFFFFF mean "never".
# The datetime below is naive (no tzinfo).
# NOTE(review): confirm how dt_to_filetime treats naive values so the
# account expires at the intended instant.
expiry_filetime = dt_to_filetime(
    datetime.datetime(year=2025, month=5, day=11, hour=0, minute=0))

# The attribute is written as the decimal string form of the FILETIME.
pyad.adobject.ADObject.update_attribute(
    account, "accountExpires", str(expiry_filetime))
示例#7
文件: host.py 项目: zhzcsp/cuckoo
def _filetime_from_timestamp(timestamp):
    """Convert a POSIX timestamp to a FILETIME via ``dt_to_filetime``.

    The timestamp is rendered as a naive local-time datetime, and the local
    offset from UTC is passed alongside it as a ``timedelta``.
    """
    local_moment = datetime.fromtimestamp(timestamp)
    # Offset = local rendering minus UTC rendering of the same instant, so it
    # reflects whatever zone/DST rules apply at that timestamp.
    utc_offset = local_moment - datetime.utcfromtimestamp(timestamp)
    return dt_to_filetime(local_moment, utc_offset)
示例#8
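def timestampGatherer():
    """Scan a binary file for 8-byte windows that look like FILETIME values.

    Arguments are taken from ``sys.argv`` according to the module-level
    ``mode``:

    * mode 1 (year precision): ``argv[2]`` upper-bound year, ``argv[3]``
      lower-bound year, ``argv[4]`` file path, optional ``argv[5]`` maximum
      offset in hex.
    * mode 2 (month precision): ``argv[2]``/``argv[3]`` upper-bound year and
      month, ``argv[4]``/``argv[5]`` lower-bound year and month, ``argv[6]``
      file path, optional ``argv[7]`` maximum offset in hex.

    For every window whose last three bytes (read in reverse order) fall
    strictly between the truncated bounds, the current offset is printed and
    ``calculateDate`` is called with the window.  ``statisticsToFile`` is
    called once the scan ends.
    """
    global mode
    global statistics
    maxYear = 0
    minYear = 0
    maxOffset = -12345  # sentinel: no offset limit was supplied
    filepath = ""

    # Parse the arguments according to the selected mode
    if mode == 1:
        print("Режим 1: поиск с точностью до года")
        maxYear = int(sys.argv[2])
        maxYear = dt_to_filetime(datetime(int(maxYear), 1, 1, 0, 0,
                                          tzinfo=utc))
        minYear = int(sys.argv[3])
        minYear = dt_to_filetime(datetime(int(minYear), 1, 1, 0, 0,
                                          tzinfo=utc))
        filepath = sys.argv[4]
        if len(sys.argv) == 6:
            maxOffset = int(sys.argv[5], 16)

    if mode == 2:
        print("Режим 2: поиск с точностью до месяца")
        maxYear = int(sys.argv[2])
        maxMonth = int(sys.argv[3])
        maxYear = dt_to_filetime(
            datetime(int(maxYear), int(maxMonth), 1, 0, 0, tzinfo=utc))
        minYear = int(sys.argv[4])
        minMonth = int(sys.argv[5])
        minYear = dt_to_filetime(
            datetime(int(minYear), int(minMonth), 1, 0, 0, tzinfo=utc))
        filepath = sys.argv[6]
        if len(sys.argv) == 8:
            maxOffset = int(sys.argv[7], 16)

    if maxOffset != -12345:
        print("Максимальное смещение, в байтах: " + str(maxOffset))

    # At this point both bounds are full Windows timestamps.  They are too
    # large to compare directly without reading many bytes, so they are
    # truncated and only three bytes are checked at a time.
    # The slice keeps "0x" plus the first five hex digits.
    # NOTE(review): that matches the top three bytes of the 8-byte value only
    # while the timestamp's leading hex digit is zero -- confirm for the
    # date range of interest.
    maxYear = hex(maxYear)[:7]
    minYear = hex(minYear)[:7]

    # Back to integers, several orders of magnitude smaller than the
    # original timestamps
    maxYear = int(maxYear, 16)
    minYear = int(minYear, 16)

    offset = -16  # the first 16 bytes are at offset zero, not at 16
    eightBytes = []
    # The context manager closes the file even if calculateDate() raises.
    with open(filepath, "rb") as fh:
        for chunk in fh:
            for value in chunk:
                if maxOffset == offset:
                    break
                if len(eightBytes) == 8:  # the window is full
                    # The last three bytes, in reverse order, encode the
                    # year and the month; each is zero-padded to two digits
                    yearBytes = (eightBytes[7][2:].zfill(2)
                                 + eightBytes[6][2:].zfill(2)
                                 + eightBytes[5][2:].zfill(2))
                    year = int(yearBytes, 16)
                    # Compare the truncated value with the bounds
                    if year > minYear and year < maxYear:
                        print(hex(offset))
                        calculateDate(eightBytes)
                        eightBytes = []  # timestamps cannot overlap
                    # Otherwise keep the window and slide it by one byte
                    else:
                        eightBytes.pop(0)
                eightBytes.append(hex(value))
                offset = offset + 1
            if maxOffset == offset:
                break
    print()
    statisticsToFile()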
示例#9
文件: host.py 项目: 0day29/cuckoo
def _filetime_from_timestamp(timestamp):
    """Convert a POSIX timestamp to a FILETIME via ``dt_to_filetime``.

    The timestamp is rendered as a naive local-time datetime, and the local
    offset from UTC is passed alongside it as a ``timedelta``.
    """
    local_moment = datetime.fromtimestamp(timestamp)
    # Offset = local rendering minus UTC rendering of the same instant, so it
    # reflects whatever zone/DST rules apply at that timestamp.
    utc_offset = local_moment - datetime.utcfromtimestamp(timestamp)
    return dt_to_filetime(local_moment, utc_offset)
示例#10
    def pack(self, with_padding=0):
        """Serialise the logon-information fields of this buffer to a string.

        Reads ``self['user_name']``, ``self['domain_name']``,
        ``self['user_sid']`` and ``self['logon_time']``.  The logon time is
        parsed with the format ``'%Y%m%d%H%M%SZ'`` and converted with
        ``dt_to_filetime``; the SID is split at its last ``'-'`` into a
        domain SID and a numeric user id.  All other fields, including the
        group list, are constants written in the code below.

        Args:
            with_padding: when truthy, ``self.padding(out)`` NUL characters
                are appended to the result.

        Returns:
            A 16-byte header (8 fixed bytes, body length, zero) followed by
            the packed body.
        """

        # Reset before packing; presumably the _build_* helpers append their
        # deferred data here (helpers are not visible) -- TODO confirm.
        self.end = []
        username = self['user_name']
        domain_name = self['domain_name']
        user_sid = self['user_sid']
        logon_time = self['logon_time']

        dt = datetime.strptime(logon_time, '%Y%m%d%H%M%SZ')
        logon_time = dt_to_filetime(dt)

        # Everything before the last '-' is the domain SID, the rest the RID.
        domain_sid, user_id = user_sid.rsplit('-', 1)
        user_id = int(user_id)

        out = ''
        # ElementId
        out += pack_u32(0x20000)
        # LogonTime
        out += pack_u64(logon_time)
        # LogoffTime
        out += pack_u64(0x7fffffffffffffff)
        # KickOffTime
        out += pack_u64(0x7fffffffffffffff)
        # PasswordLastSet
        out += pack_u64(0)
        # PasswordCanChange
        out += pack_u64(0)
        # PasswordMustChange
        out += pack_u64(0x7fffffffffffffff)
        # EffectiveName
        out += self._build_unicode_string(0x20004, username)
        # FullName
        out += self._build_unicode_string(0x20008, '')
        # LogonScript
        out += self._build_unicode_string(0x2000c, '')
        # ProfilePath
        out += self._build_unicode_string(0x20010, '')
        # HomeDirectory
        out += self._build_unicode_string(0x20014, '')
        # HomeDirectoryDrive
        out += self._build_unicode_string(0x20018, '')
        # LogonCount
        out += pack_u16(0)
        # BadPasswordCount
        out += pack_u16(0)
        # UserId
        out += pack_u32(user_id)
        # PrimaryGroupId
        out += pack_u32(513)
        # GroupCount
        out += pack_u32(5)
        # GroupIds[0]
        # The group list is hard-coded, not looked up for the account: RIDs
        # 513, 512, 520, 518 and 519 are the well-known Domain Users, Domain
        # Admins, Group Policy Creator Owners, Schema Admins and Enterprise
        # Admins groups.  PAC signature verification is the control that
        # stops such a claim being honoured; a PAC whose groups differ from
        # the account's directory membership is a detection signal.
        out += self._build_groups(0x2001c, [(513, SE_GROUP_ALL),
                                            (512, SE_GROUP_ALL),
                                            (520, SE_GROUP_ALL),
                                            (518, SE_GROUP_ALL),
                                            (519, SE_GROUP_ALL)])
        # UserFlags
        out += pack_u32(0)
        # UserSessionKey
        out += pack_u64(0) + pack_u64(0)
        # LogonServer
        out += self._build_unicode_string(0x20020, '')
        # LogonDomainName
        out += self._build_unicode_string(0x20024, domain_name)
        # LogonDomainId
        out += self._build_sid(0x20028, domain_sid)
        # Reserved1
        out += pack_u64(0)
        # UserAccountControl
        out += pack_u32(USER_NORMAL_ACCOUNT | USER_DONT_EXPIRE_PASSWORD)
        # SubAuthStatus
        out += pack_u32(0)
        # LastSuccessFulILogon
        out += pack_u64(0)
        # LastFailedILogon
        out += pack_u64(0)
        # FailedILogonCount
        out += pack_u32(0)
        # Reserved3
        out += pack_u32(0)
        # SidCount
        out += pack_u32(0)
        # ExtraSids
        out += pack_u32(0)
        # ResourceGroupDomainSid
        out += pack_u32(0)
        # ResourceGroupCount
        out += pack_u32(0)
        # ResourceGroupIds
        out += pack_u32(0)

        # Append every deferred entry, NUL-padded to a multiple of 4 bytes.
        # The `/` relies on Python 2 integer division; under Python 3 it
        # yields a float and the repetition raises TypeError.
        end_str = ''
        for s in self.end:
            end_str += s
            end_str += chr(0) * ((len(s) + 3) / 4 * 4 - len(s))

        out += end_str
        # Eight fixed header bytes, then the body length and a zero u32.
        hdr = '\x01\x10\x08\x00\xcc\xcc\xcc\xcc'
        hdr += pack_u32(len(out)) + pack_u32(0)
        out = hdr + out
        if with_padding:
            out += '\x00' * self.padding(out)
        return out