示例#1
    def __bruteForce(self, rpctransport, maxRid):
        """Open an LSARPC policy handle on the target and read its
        account-domain SID.

        NOTE(review): this listing looks truncated.  ``maxRid`` and
        ``entries`` are never used and ``rootsid`` is computed but neither
        returned nor used in the lines shown, so the RID walk the method
        name implies presumably follows in the original file.

        Args:
            rpctransport: impacket transport; a UDPTransport selects
                DCE/RPC v4, anything else v5.  Its ``get_dip()`` result is
                passed as the first argument to LsarOpenPolicy2.
            maxRid: not used in the visible code (see note above).
        """
        # UDP only works over DCE/RPC version 4.
        if isinstance(rpctransport, transport.UDPTransport):
            dce = dcerpc_v4.DCERPC_v4(rpctransport)
        else:
            dce = dcerpc.DCERPC_v5(rpctransport)

        entries = []
        dce.connect()

        # Want encryption? Uncomment next line
        # NOTE(review): left commented out, so the LSARPC traffic below goes
        # out at the transport's default auth level -- it is not sealed.
        #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)

        # Want fragmentation? Uncomment next line
        #dce.set_max_fragment_size(32)

        dce.bind(lsarpc.MSRPC_UUID_LSARPC)
        rpc = lsarpc.DCERPCLsarpc(dce)

        # 0x02000000 is the MAXIMUM_ALLOWED access bit: ask for whatever
        # rights the server grants the caller rather than a specific set.
        resp = rpc.LsarOpenPolicy2(rpctransport.get_dip(),
                                   access_mask=0x02000000)

        try:
            resp2 = rpc.LsarQueryInformationPolicy2(
                resp['ContextHandle'],
                lsarpc.POLICY_ACCOUNT_DOMAIN_INFORMATION)
            # String form of the account-domain SID (judging by the method
            # name, the usual S-1-5-... representation).
            rootsid = resp2.formatDict()['sid'].formatCanonical()
        except Exception, e:
            # Catch-all: the error is printed and swallowed, which leaves
            # rootsid unbound for anything that follows.  Nothing in the
            # visible code closes the policy handle or disconnects on
            # either path.
            print e
示例#2
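    def __fetchList(self, rpctransport):
        """Dump every registration from the target's endpoint mapper.

        Opens a DCE/RPC connection over ``rpctransport`` (v4 for a
        UDPTransport, v5 otherwise), binds to the EPM interface and calls
        ``portmap_dump`` repeatedly, feeding back the continuation handle,
        until the server reports zero entries.

        Args:
            rpctransport: impacket transport; a UDPTransport selects
                DCE/RPC v4, anything else v5.

        Returns:
            list of epm.EpmEntry, one per registration, in the order the
            server returned them.

        The connection is now closed in a ``finally`` block; the original
        leaked it whenever the bind or one of the dump calls raised.
        """
        # UDP only works over DCE/RPC version 4.
        if isinstance(rpctransport, transport.UDPTransport):
            dce = dcerpc_v4.DCERPC_v4(rpctransport)
        else:
            dce = dcerpc.DCERPC_v5(rpctransport)

        entries = []

        dce.connect()
        try:
            # Request packet privacy so the dump is not sent in the clear.
            # Whether that is actually negotiated depends on the credentials
            # the transport was built with, which are not visible here.
            dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
            dce.bind(epm.MSRPC_UUID_PORTMAP)
            rpcepm = epm.DCERPCEpm(dce)

            resp = rpcepm.portmap_dump()
            while resp.get_entries_num() != 0:
                # The handle in each reply is the cursor for the next call
                # and has to be passed back to continue the dump.
                rpc_handle = resp.get_handle()
                ndrentry = resp.get_entry().get_entry()
                sb = transport.DCERPCStringBinding(ndrentry.get_string_binding())
                entries.append(epm.EpmEntry(
                    uuid.bin_to_string(ndrentry.get_uuid()),
                    ndrentry.get_version(),
                    ndrentry.get_annotation(),
                    uuid.bin_to_string(ndrentry.get_objuuid()),
                    sb.get_protocol_sequence(),
                    sb.get_endpoint()))
                resp = rpcepm.portmap_dump(rpc_handle)
        finally:
            # Always tear the connection down, even if the server rejected
            # the bind or a malformed entry raised mid-loop.
            dce.disconnect()

        return entries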
示例#3
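    def __fetchList(self, rpctransport):
        """Query the target's endpoint mapper for all registered endpoints.

        Opens a DCE/RPC connection over ``rpctransport`` (v4 for a
        UDPTransport, v5 otherwise), binds to the EPM interface and issues a
        single ``lookup`` with inquire type RPC_C_EP_ALL_ELTS and an empty
        first argument.

        Args:
            rpctransport: impacket transport; a UDPTransport selects
                DCE/RPC v4, anything else v5.

        Returns:
            Whatever epm.DCERPCEpm.lookup returns, passed through untouched.

        The connection is now closed in a ``finally`` block; the original
        leaked it whenever the bind or the lookup raised.  The unused
        ``entries`` local was dropped.
        """
        # UDP only works over DCE/RPC version 4.
        if isinstance(rpctransport, transport.UDPTransport):
            dce = dcerpc_v4.DCERPC_v4(rpctransport)
        else:
            dce = dcerpc.DCERPC_v5(rpctransport)

        dce.connect()
        try:
            # Ask for packet privacy so the lookup is not sent in the clear;
            # whether it is negotiated depends on the transport's credentials.
            dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
            dce.bind(epm.MSRPC_UUID_PORTMAP)
            rpcepm = epm.DCERPCEpm(dce)

            resp = rpcepm.lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
        finally:
            dce.disconnect()

        return resp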
示例#4
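    def doStuff(self, rpctransport):
        """Run ``self.__action`` against service ``self.__service_name`` on
        the host reached through ``rpctransport``.

        Connects (DCE/RPC v4 for a UDPTransport, v5 otherwise), binds to
        SVCCTL, opens the Service Control Manager and then the named service
        -- the OpenServiceW call is issued for every action, LIST included --
        and dispatches on the upper-cased action:

          START / STOP / DELETE  issue the matching control call
          CONFIG                 print the QueryServiceConfigW fields
          STATUS                 print the service's current state
          LIST                   enumerate and print every service's state
          anything else          print "Unknown action ..."

        All output goes to stdout.  The service handle, the SCM handle and
        the connection are released in ``finally`` blocks, so a failed RPC
        call no longer leaves them open (the original closed the service
        handle only on the START/STOP/DELETE paths and skipped every close
        and the disconnect whenever a call raised).  Output-string typos
        ("UNKOWN", "SERVICE_KERNLE_DRIVER") are corrected, and the LIST
        path now decodes names as utf-16le like the rest of the method.

        Args:
            rpctransport: impacket transport to the target.  Credentials are
                expected to be set on it already; no auth level is requested
                here, so the SVCCTL traffic is neither signed nor sealed
                unless the transport arranges that itself.
        """
        # UDP only works over DCE/RPC version 4.
        if isinstance(rpctransport, transport.UDPTransport):
            dce = dcerpc_v4.DCERPC_v4(rpctransport)
        else:
            dce = dcerpc.DCERPC_v5(rpctransport)

        action = self.__action.upper()

        dce.connect()
        try:
            # NOTE(review): neither PKT_INTEGRITY nor PKT_PRIVACY is requested,
            # so the calls below run at the transport's default auth level.
            # Uncomment one of these to sign or seal the SVCCTL traffic.
            #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
            #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
            dce.bind(svcctl.MSRPC_UUID_SVCCTL)
            rpc = svcctl.DCERPCSvcCtl(dce)

            scManagerHandle = rpc.OpenSCManagerW()['ContextHandle']
            try:
                serviceHandle = rpc.OpenServiceW(
                    scManagerHandle,
                    self.__service_name.encode('utf-16le'))['ContextHandle']
                try:
                    if action == 'START':
                        print "Starting service %s" % self.__service_name
                        rpc.StartServiceW(serviceHandle)
                    elif action == 'STOP':
                        print "Stopping service %s" % self.__service_name
                        rpc.StopService(serviceHandle)
                    elif action == 'DELETE':
                        print "Deleting service %s" % self.__service_name
                        rpc.DeleteService(serviceHandle)
                    elif action == 'CONFIG':
                        print "Querying service config for %s" % self.__service_name
                        resp = rpc.QueryServiceConfigW(serviceHandle)
                        self.__printServiceConfig(resp['QueryConfig'])
                    elif action == 'STATUS':
                        print "Querying status for %s" % self.__service_name
                        resp = rpc.QueryServiceStatus(serviceHandle)
                        print "%30s - " % (self.__service_name),
                        print self.__serviceStateName(resp['CurrentState'])
                    elif action == 'LIST':
                        print "Listing services available on target"
                        resp = rpc.EnumServicesStatusW(scManagerHandle)
                        self.__printServiceList(resp)
                    else:
                        print "Unknown action %s" % self.__action
                finally:
                    rpc.CloseServiceHandle(serviceHandle)
            finally:
                rpc.CloseServiceHandle(scManagerHandle)
        finally:
            dce.disconnect()

    def __serviceStateName(self, state):
        """Return the display name for a SERVICE_* current-state value, or
        "UNKNOWN" for anything not in the table."""
        names = {
            svcctl.SERVICE_CONTINUE_PENDING: "CONTINUE PENDING",
            svcctl.SERVICE_PAUSE_PENDING: "PAUSE PENDING",
            svcctl.SERVICE_PAUSED: "PAUSED",
            svcctl.SERVICE_RUNNING: "RUNNING",
            svcctl.SERVICE_START_PENDING: "START PENDING",
            svcctl.SERVICE_STOP_PENDING: "STOP PENDING",
            svcctl.SERVICE_STOPPED: "STOPPED",
        }
        return names.get(state, "UNKNOWN")

    def __printServiceConfig(self, cfg):
        """Print the fields of a QueryServiceConfigW reply.

        Args:
            cfg: the ``'QueryConfig'`` sub-structure of the reply.  The
                numeric ServiceType / StartType / ErrorControl values are
                decoded to names by exact match, as in the original; a
                value with extra bits set prints as "UNKNOWN".
        """
        service_types = {
            0x1: "SERVICE_KERNEL_DRIVER",
            0x2: "SERVICE_FILE_SYSTEM_DRIVER",
            0x10: "SERVICE_WIN32_OWN_PROCESS",
            0x20: "SERVICE_WIN32_SHARE_PROCESS",
        }
        start_types = {
            0x0: "BOOT START",
            0x1: "SYSTEM START",
            0x2: "AUTO START",
            0x3: "DEMAND START",
            0x4: "DISABLED",
        }
        error_controls = {
            0x0: "IGNORE",
            0x1: "NORMAL",
            0x2: "SEVERE",
            0x3: "CRITICAL",
        }
        # Each label is printed with a trailing comma so the decoded name
        # lands on the same line.
        print "TYPE              : %2d - " % cfg['ServiceType'],
        print service_types.get(cfg['ServiceType'], "UNKNOWN")
        print "START_TYPE        : %2d - " % cfg['StartType'],
        print start_types.get(cfg['StartType'], "UNKNOWN")

        print "ERROR_CONTROL     : %2d - " % cfg['ErrorControl'],
        print error_controls.get(cfg['ErrorControl'], "UNKNOWN")
        print "BINARY_PATH_NAME  : %s" % cfg['BinaryPathName'].decode('utf-16le')
        print "LOAD_ORDER_GROUP  : %s" % cfg['LoadOrderGroup'].decode('utf-16le')
        print "TAG               : %d" % cfg['TagID']
        print "DISPLAY_NAME      : %s" % cfg['DisplayName'].decode('utf-16le')
        print "DEPENDENCIES      : %s" % cfg['Dependencies'].decode('utf-16le').replace('/', ' - ')
        print "SERVICE_START_NAME: %s" % cfg['ServiceStartName'].decode('utf-16le')

    def __printServiceList(self, services):
        """Print one "name - display name - state" line per entry of an
        EnumServicesStatusW reply, followed by the total count."""
        for svc in services:
            # utf-16le, not bare 'utf-16': the BOM-less 'utf-16' codec picks
            # the host's byte order and eats a leading BOM, while every other
            # string in this method is decoded as utf-16le.
            print "%30s - %70s - " % (svc['ServiceName'].decode('utf-16le'),
                                      svc['DisplayName'].decode('utf-16le')),
            print self.__serviceStateName(svc['CurrentState'])
        print "Total Services: %d" % len(services)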
示例#5
 def get_dce_rpc(self):
     """Return a DCE/RPC binding object wrapping this transport.

     A UDPTransport gets DCERPC_v4 (connectionless transports need DCE/RPC
     version 4); every other transport gets DCERPC_v5.
     """
     dce_cls = dcerpc_v4.DCERPC_v4 if isinstance(self, UDPTransport) else dcerpc.DCERPC_v5
     return dce_cls(self)