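    def __fetchList(self, rpctransport):
        """Enumerate every endpoint-mapper entry reachable over *rpctransport*.

        A DCE/RPC v4 binding is used for UDP transports and v5 otherwise; the
        bind to the portmap interface is made at NTLM packet-privacy auth
        level. Entries are collected by repeatedly calling ``portmap_dump``
        with the handle returned by the previous call until the server reports
        zero entries.

        Args:
            rpctransport: a connected-capable DCE/RPC transport object.

        Returns:
            A list of ``epm.EpmEntry`` objects, one per entry returned by the
            server (empty if the server returned none).
        """
        # UDP only works over DCE/RPC version 4.
        if isinstance(rpctransport, transport.UDPTransport):
            dce = dcerpc_v4.DCERPC_v4(rpctransport)
        else:
            dce = dcerpc.DCERPC_v5(rpctransport)

        entries = []

        dce.connect()
        # The connection is released even if a dump/parse step raises, so a
        # failing enumeration does not leave a bound RPC connection behind.
        try:
            dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
            dce.bind(epm.MSRPC_UUID_PORTMAP)
            rpcepm = epm.DCERPCEpm(dce)

            resp = rpcepm.portmap_dump()
            while resp.get_entries_num() != 0:
                rpc_handle = resp.get_handle()
                ndrentry = resp.get_entry().get_entry()
                sb = transport.DCERPCStringBinding(ndrentry.get_string_binding())
                entries.append(epm.EpmEntry(
                    uuid.bin_to_string(ndrentry.get_uuid()),
                    ndrentry.get_version(),
                    ndrentry.get_annotation(),
                    uuid.bin_to_string(ndrentry.get_objuuid()),
                    sb.get_protocol_sequence(),
                    sb.get_endpoint(),
                ))
                # Continue the enumeration from where the server left off.
                resp = rpcepm.portmap_dump(rpc_handle)
        finally:
            dce.disconnect()

        return entries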
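 def test_dceAuth(self):
     """Bind to the endpoint mapper with the configured password credentials.

     Exercises the connect/bind path only; no RPC call is issued after the
     bind. Reads ``self.stringBinding``, ``self.dport``, ``self.username``,
     ``self.password`` and ``self.domain``.
     """
     rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
     rpctransport.set_dport(self.dport)
     if hasattr(rpctransport, 'set_credentials'):
         # This method exists only for selected protocol sequences.
         rpctransport.set_credentials(self.username, self.password,
                                      self.domain)
     dce = rpctransport.get_dce_rpc()
     dce.set_credentials(*(rpctransport.get_credentials()))
     dce.connect()
     # Disconnect even when the bind fails so a failing test does not leave
     # the connection open for the rest of the run.
     try:
         dce.bind(epm.MSRPC_UUID_PORTMAP)
         rpcepm = epm.DCERPCEpm(dce)
     finally:
         dce.disconnect()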
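 def test_dceFragmentation(self):
     """Issue an endpoint-mapper lookup with the maximum fragment size set to 1.

     Authenticates with the LM/NT hash pair from ``self.hashes`` (expected in
     ``lmhash:nthash`` form) and an empty password, then performs
     ``lookup('', inquireType=RPC_C_EP_ALL_ELTS)`` so that request and
     response must be split across many fragments.
     """
     rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
     rpctransport.set_dport(self.dport)
     if hasattr(rpctransport, 'set_credentials'):
         lmhash, nthash = self.hashes.split(':')
         # This method exists only for selected protocol sequences.
         rpctransport.set_credentials(self.username, '', self.domain,
                                      lmhash, nthash)
     dce = rpctransport.get_dce_rpc()
     # Smallest possible fragment: forces the fragmentation code path.
     dce.set_max_fragment_size(1)
     dce.set_credentials(*(rpctransport.get_credentials()))
     dce.connect()
     # Disconnect even when bind/lookup raise so a failing test does not
     # leave the connection open for the rest of the run.
     try:
         dce.bind(epm.MSRPC_UUID_PORTMAP)
         rpcepm = epm.DCERPCEpm(dce)
         resp = rpcepm.lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
     finally:
         dce.disconnect()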
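 def test_packetAnonWINNTPacketPrivacy(self):
     """Issue an endpoint-mapper lookup using NTLM auth at packet-privacy level.

     The auth type and level are set after ``connect()`` and before ``bind()``.
     NOTE(review): despite the "Anon" in the name, the transport is given
     ``self.username``/``self.password`` plus the hash pair from
     ``self.hashes`` — confirm whether anonymous credentials were intended.
     """
     rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
     rpctransport.set_dport(self.dport)
     if hasattr(rpctransport, 'set_credentials'):
         lmhash, nthash = self.hashes.split(':')
         # This method exists only for selected protocol sequences.
         rpctransport.set_credentials(self.username, self.password,
                                      self.domain, lmhash, nthash)
     dce = rpctransport.get_dce_rpc()
     dce.connect()
     # Disconnect even when bind/lookup raise so a failing test does not
     # leave the connection open for the rest of the run.
     try:
         dce.set_auth_type(dcerpc.RPC_C_AUTHN_WINNT)
         dce.set_auth_level(dcerpc.RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
         dce.bind(epm.MSRPC_UUID_PORTMAP)
         rpcepm = epm.DCERPCEpm(dce)
         resp = rpcepm.lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
     finally:
         dce.disconnect()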
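    def __fetchList(self, rpctransport):
        """Run a single ``lookup`` for all endpoint-mapper elements.

        A DCE/RPC v4 binding is used for UDP transports and v5 otherwise; the
        bind to the portmap interface is made at NTLM packet-privacy auth
        level.

        Args:
            rpctransport: a connected-capable DCE/RPC transport object.

        Returns:
            The raw response object of ``lookup('', inquireType=RPC_C_EP_ALL_ELTS)``.
        """
        # UDP only works over DCE/RPC version 4.
        if isinstance(rpctransport, transport.UDPTransport):
            dce = dcerpc_v4.DCERPC_v4(rpctransport)
        else:
            dce = dcerpc.DCERPC_v5(rpctransport)

        dce.connect()
        # Release the connection even if bind/lookup raise.
        try:
            dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
            dce.bind(epm.MSRPC_UUID_PORTMAP)
            rpcepm = epm.DCERPCEpm(dce)
            resp = rpcepm.lookup('', inquireType=epm.RPC_C_EP_ALL_ELTS)
        finally:
            dce.disconnect()

        return resp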
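# Interface UUID the endpoint mapper is queried for (the DNS server RPC
# interface registered by the DNS service).
DNS_INTERFACE_UUID = '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'


def DiscoverDNSport(target, port=139):
    """Ask *target*'s endpoint mapper which TCP port the DNS RPC interface uses.

    Connects to the ``epmapper`` named pipe over SMB on *port* (139 by
    default, matching the original hard-coded value), binds to the endpoint
    mapper interface (E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0) and walks
    ``portmap_dump`` until an entry whose interface UUID equals
    ``DNS_INTERFACE_UUID`` is found.

    Args:
        target: host name or address handed to ``transport.SMBTransport``.
        port: SMB port to connect to.

    Returns:
        The endpoint port as an ``int``, or ``None`` (after printing a
        message) when no matching entry is registered.
    """
    trans = transport.SMBTransport(target, port, 'epmapper')
    trans.connect()
    dce = dcerpc.DCERPC_v5(trans)
    # Always release the connection, including on an RPC/parse failure.
    try:
        dce.bind(
            uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0')))
        pm = epm.DCERPCEpm(dce)
        # An all-zero handle starts the enumeration from the first entry.
        handle = '\x00' * 20
        while True:
            dump = pm.portmap_dump(handle)
            if not dump.get_entries_num():
                break
            handle = dump.get_handle()
            entry = dump.get_entry().get_entry()
            if uuid.bin_to_string(entry.get_uuid()) == DNS_INTERFACE_UUID:
                # String bindings look like "ncacn_ip_tcp:host[port]"; the
                # endpoint is the bracketed part. Skip entries whose binding
                # does not carry a numeric bracketed endpoint rather than
                # crashing on them.
                binding = entry.get_string_binding()
                head, sep, tail = binding.partition('[')
                endpoint = tail[:-1] if sep and tail.endswith(']') else ''
                if endpoint.isdigit():
                    return int(endpoint)
    finally:
        dce.disconnect()

    # Single-argument print form keeps this valid on Python 2 and 3.
    print('[-] Could not locate DNS port; Target might not be running DNS')
    return None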