def __bruteForce(self, rpctransport, maxRid):
    """Open an LSARPC policy handle on the target and read its account-domain SID.

    Only the opening part of the routine is visible here: it connects over
    `rpctransport`, binds to LSARPC, opens the policy and stores the domain
    SID in ``rootsid``.  ``maxRid`` and ``entries`` are never read in the
    visible part, so the body presumably continues past this point (the
    RID walk itself) -- TODO confirm against the full file.
    """
    # UDP only works over DCE/RPC version 4.
    if isinstance(rpctransport, transport.UDPTransport):
        dce = dcerpc_v4.DCERPC_v4(rpctransport)
    else:
        dce = dcerpc.DCERPC_v5(rpctransport)

    entries = []
    dce.connect()
    # Want encryption? Uncomment next line
    #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
    # Want fragmentation? Uncomment next line
    #dce.set_max_fragment_size(32)
    dce.bind(lsarpc.MSRPC_UUID_LSARPC)
    rpc = lsarpc.DCERPCLsarpc(dce)
    # NOTE(review): 0x02000000 matches the Windows MAXIMUM_ALLOWED access
    # bit -- confirm; the policy is opened by the transport's destination IP.
    resp = rpc.LsarOpenPolicy2(rpctransport.get_dip(), access_mask=0x02000000)
    try:
        resp2 = rpc.LsarQueryInformationPolicy2(
            resp['ContextHandle'], lsarpc.POLICY_ACCOUNT_DOMAIN_INFORMATION)
        rootsid = resp2.formatDict()['sid'].formatCanonical()
    except Exception, e:
        # Broad catch: any failure of the query is printed and swallowed,
        # which leaves ``rootsid`` unbound for whatever follows.
        print e
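def __fetchList(self, rpctransport):
    """Dump every endpoint registered with the target's endpoint mapper.

    Opens a DCE/RPC connection over `rpctransport` (version 4 for UDP,
    version 5 otherwise), binds to the EPM interface with packet privacy
    and walks the portmap dump, handle by handle, until the server reports
    no more entries.

    Args:
        rpctransport: a configured impacket DCE/RPC transport.

    Returns:
        list of epm.EpmEntry, one per registered endpoint (may be empty).
    """
    # UDP only works over DCE/RPC version 4.
    if isinstance(rpctransport, transport.UDPTransport):
        dce = dcerpc_v4.DCERPC_v4(rpctransport)
    else:
        dce = dcerpc.DCERPC_v5(rpctransport)

    entries = []
    dce.connect()
    # Everything after connect() runs under try/finally so the connection
    # is released even when the bind is rejected or a dump call fails
    # part-way through the enumeration.
    try:
        dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
        dce.bind(epm.MSRPC_UUID_PORTMAP)
        rpcepm = epm.DCERPCEpm(dce)
        resp = rpcepm.portmap_dump()
        # Each response carries one entry (get_entry) plus a continuation
        # handle; an entry count of zero marks the end of the listing.
        while resp.get_entries_num() != 0:
            rpc_handle = resp.get_handle()
            ndrentry = resp.get_entry().get_entry()
            sb = transport.DCERPCStringBinding(ndrentry.get_string_binding())
            entries.append(epm.EpmEntry(
                uuid.bin_to_string(ndrentry.get_uuid()),
                ndrentry.get_version(),
                ndrentry.get_annotation(),
                uuid.bin_to_string(ndrentry.get_objuuid()),
                sb.get_protocol_sequence(),
                sb.get_endpoint()))
            resp = rpcepm.portmap_dump(rpc_handle)
    finally:
        dce.disconnect()
    return entries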
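def __fetchList(self, rpctransport):
    """Look up every element registered with the target's endpoint mapper.

    Opens a DCE/RPC connection over `rpctransport` (version 4 for UDP,
    version 5 otherwise), binds to the EPM interface with packet privacy
    and issues a single lookup for all elements (RPC_C_EP_ALL_ELTS).  The
    first lookup argument is left as '' -- presumably an unset object
    filter; verify against epm.DCERPCEpm.lookup.

    Args:
        rpctransport: a configured impacket DCE/RPC transport.

    Returns:
        Whatever epm.DCERPCEpm.lookup returns for the full listing; the
        caller is expected to format it.
    """
    # UDP only works over DCE/RPC version 4.
    if isinstance(rpctransport, transport.UDPTransport):
        dce = dcerpc_v4.DCERPC_v4(rpctransport)
    else:
        dce = dcerpc.DCERPC_v5(rpctransport)

    dce.connect()
    # Release the connection even if the bind or the lookup raises.
    try:
        dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
        dce.bind(epm.MSRPC_UUID_PORTMAP)
        rpcepm = epm.DCERPCEpm(dce)
        resp = rpcepm.lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
    finally:
        dce.disconnect()
    return resp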
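def doStuff(self, rpctransport):
    """Run the configured service-control action against the target.

    Connects to the SVCCTL interface over `rpctransport` (DCE/RPC v4 for
    UDP transports, v5 otherwise), opens the service control manager and
    the service named by self.__service_name, then dispatches on
    self.__action (compared case-insensitively): START, STOP, DELETE,
    CONFIG, STATUS or LIST.  Results are printed to stdout.  Both handles
    and the connection are released on every exit path, including the
    query-only actions and any exception raised by the action itself.

    Args:
        rpctransport: a configured impacket DCE/RPC transport.
    """
    # UDP only works over DCE/RPC version 4.
    if isinstance(rpctransport, transport.UDPTransport):
        dce = dcerpc_v4.DCERPC_v4(rpctransport)
    else:
        dce = dcerpc.DCERPC_v5(rpctransport)

    #dce.set_credentials(self.__username, self.__password)
    dce.connect()
    #dce.set_max_fragment_size(1)
    #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
    #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
    try:
        dce.bind(svcctl.MSRPC_UUID_SVCCTL)
        rpc = svcctl.DCERPCSvcCtl(dce)
        scManagerHandle = rpc.OpenSCManagerW()['ContextHandle']
        try:
            # The service is opened for every action, LIST included, so a
            # resolvable self.__service_name is needed even when only
            # enumerating.
            ans = rpc.OpenServiceW(scManagerHandle, self.__service_name.encode('utf-16le'))
            serviceHandle = ans['ContextHandle']
            try:
                self.__runAction(rpc, scManagerHandle, serviceHandle)
            finally:
                # Released for every action, not only the mutating ones.
                rpc.CloseServiceHandle(serviceHandle)
        finally:
            rpc.CloseServiceHandle(scManagerHandle)
    finally:
        dce.disconnect()
    return

def __runAction(self, rpc, scManagerHandle, serviceHandle):
    # Dispatch self.__action (upper-cased) to the matching SVCCTL call(s).
    action = self.__action.upper()
    if action == 'START':
        print "Starting service %s" % self.__service_name
        rpc.StartServiceW(serviceHandle)
    elif action == 'STOP':
        print "Stopping service %s" % self.__service_name
        rpc.StopService(serviceHandle)
    elif action == 'DELETE':
        print "Deleting service %s" % self.__service_name
        rpc.DeleteService(serviceHandle)
    elif action == 'CONFIG':
        print "Querying service config for %s" % self.__service_name
        resp = rpc.QueryServiceConfigW(serviceHandle)
        self.__printConfig(resp['QueryConfig'])
    elif action == 'STATUS':
        print "Querying status for %s" % self.__service_name
        resp = rpc.QueryServiceStatus(serviceHandle)
        print "%30s - " % (self.__service_name), self.__stateName(resp['CurrentState'])
    elif action == 'LIST':
        print "Listing services available on target"
        self.__listServices(rpc, scManagerHandle)
    else:
        print "Unknown action %s" % self.__action

def __printConfig(self, cfg):
    # Print the 'QueryConfig' dict of a QueryServiceConfigW response, one
    # field per line; numeric fields get a symbolic name where one is known.
    serviceTypes = {
        0x1: "SERVICE_KERNLE_DRIVER",
        0x2: "SERVICE_FILE_SYSTEM_DRIVER",
        0x10: "SERVICE_WIN32_OWN_PROCESS",
        0x20: "SERVICE_WIN32_SHARE_PROCESS",
    }
    startTypes = {
        0x0: "BOOT START",
        0x1: "SYSTEM START",
        0x2: "AUTO START",
        0x3: "DEMAND START",
        0x4: "DISABLED",
    }
    errorControls = {
        0x0: "IGNORE",
        0x1: "NORMAL",
        0x2: "SEVERE",
        0x3: "CRITICAL",
    }
    print "TYPE : %2d - " % cfg['ServiceType'], serviceTypes.get(cfg['ServiceType'], "UNKOWN")
    print "START_TYPE : %2d - " % cfg['StartType'], startTypes.get(cfg['StartType'], "UNKOWN")
    print "ERROR_CONTROL : %2d - " % cfg['ErrorControl'], errorControls.get(cfg['ErrorControl'], "UNKOWN")
    print "BINARY_PATH_NAME : %s" % cfg['BinaryPathName'].decode('utf-16le')
    print "LOAD_ORDER_GROUP : %s" % cfg['LoadOrderGroup'].decode('utf-16le')
    print "TAG : %d" % cfg['TagID']
    print "DISPLAY_NAME : %s" % cfg['DisplayName'].decode('utf-16le')
    # Dependencies arrive as one UTF-16 string with '/' separators.
    print "DEPENDENCIES : %s" % cfg['Dependencies'].decode('utf-16le').replace('/', ' - ')
    print "SERVICE_START_NAME: %s" % cfg['ServiceStartName'].decode('utf-16le')

def __stateName(self, state):
    # Map a CurrentState value to its printable name; unknown values print
    # as "UNKOWN" (spelling kept for output compatibility).
    names = {
        svcctl.SERVICE_CONTINUE_PENDING: "CONTINUE PENDING",
        svcctl.SERVICE_PAUSE_PENDING: "PAUSE PENDING",
        svcctl.SERVICE_PAUSED: "PAUSED",
        svcctl.SERVICE_RUNNING: "RUNNING",
        svcctl.SERVICE_START_PENDING: "START PENDING",
        svcctl.SERVICE_STOP_PENDING: "STOP PENDING",
        svcctl.SERVICE_STOPPED: "STOPPED",
    }
    return names.get(state, "UNKOWN")

def __listServices(self, rpc, scManagerHandle):
    # Enumerate the services on the target and print name, display name and
    # state for each.  No serviceType/serviceState filter is passed, so the
    # defaults of EnumServicesStatusW decide what is listed.
    resp = rpc.EnumServicesStatusW(scManagerHandle)
    # Index loop kept on purpose: resp is only known to support len() and
    # subscripting, not necessarily iteration.
    for i in range(len(resp)):
        svc = resp[i]
        print "%30s - %70s - " % (svc['ServiceName'].decode('utf-16'), svc['DisplayName'].decode('utf-16')), self.__stateName(svc['CurrentState'])
    print "Total Services: %d" % len(resp)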
def get_dce_rpc(self):
    """Return a DCE/RPC connection object layered on this transport.

    UDP transports only work over DCE/RPC version 4, so they get a
    DCERPC_v4; every other transport gets a DCERPC_v5.
    """
    wants_v4 = isinstance(self, UDPTransport)
    factory = dcerpc_v4.DCERPC_v4 if wants_v4 else dcerpc.DCERPC_v5
    return factory(self)