def dump(self, addr):
    """Dumps the list of users and shares registered present at addr.

    Addr is a valid host name or IP address.

    Args:
        addr: host name or IP address of the target.

    Raises:
        Exception: re-raised from ``__fetchList`` after the failure has been
            echoed through ``self.gom``.
    """
    # NOTE(review): `encoding` is not used anywhere in the visible span.
    encoding = sys.getdefaultencoding()
    self.gom.echo('[+] Retrieving endpoint list from %s' % addr)
    # Try all requested protocols until one works.
    # NOTE(review): the `raise` in the except branch below aborts the call on
    # the first failure, so the loop never actually reaches a second protocol.
    entries = []
    for protocol in self.__protocols:
        protodef = SAMRDump.KNOWN_PROTOCOLS[protocol]
        port = protodef[1]
        self.gom.echo("[+] Trying protocol %s..." % protocol)
        # The SAMR interface is reached over the \samr named pipe using the
        # configured username/password.
        rpctransport = transport.SMBTransport(addr, port, r'\samr', self.__username, self.__password)
        try:
            entries = self.__fetchList(rpctransport)
        except Exception, e:
            self.gom.echo('[!] Protocol failed: %s' % e)
            raise
        else:
            # Got a response. No need for further iterations.
            break
def doStuff(self, addr):
    """Query the WKSSVC pipe on *addr*, trying each configured protocol in turn.

    Args:
        addr: host name or IP address of the target.

    Raises:
        Exception: re-raised from ``__fetchData`` after the failure is printed.
    """
    # NOTE(review): `encoding` is not used anywhere in the visible span.
    encoding = sys.getdefaultencoding()
    # Try all requested protocols until one works.
    # NOTE(review): the `raise` in the except branch below aborts the call on
    # the first failure, so a second protocol is never attempted.
    entries = []
    for protocol in self.__protocols:
        protodef = WKSSVCstuff.KNOWN_PROTOCOLS[protocol]
        port = protodef[1]
        print "Trying protocol %s..." % protocol
        # Credential material (password, domain, LM/NT hashes) is handed to
        # the transport as given; nothing here validates or masks it.
        rpctransport = transport.SMBTransport(addr, port, r'\wkssvc', self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
        try:
            entries = self.__fetchData(rpctransport)
        except Exception, e:
            print 'Protocol failed: %s' % e
            raise
        else:
            # Got a response. No need for further iterations.
            break
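def dump(self, addr):
    """Dumps the list of users and shares registered present at addr.

    Addr is a valid host name or IP address.

    Args:
        addr: host name or IP address of the target.

    Exits the process (via ``usage()`` and ``sys.exit(1)``) when a requested
    protocol name is not in ``SAMRDump.KNOWN_PROTOCOLS``.  A ``__fetchList``
    failure is printed and, as far as the visible code goes, the loop then
    moves on to the next protocol.
    """
    # NOTE(review): `encoding` is not used anywhere in the visible span.
    encoding = sys.getdefaultencoding()
    print
    # Report which identity is used, but never echo the secret itself:
    # console output routinely ends up in logs, tickets and screenshots.
    if self.__username and self.__password:
        print '[+] Attaching to ' + addr + ' using ' + self.__username + ' (password supplied)'
    elif self.__username:
        print '[+] Attaching to ' + addr + ' using ' + self.__username
    else:
        print '[+] Attaching to ' + addr + ' using a NULL share'
    # Try all requested protocols until one works.
    entries = []
    for protocol in self.__protocols:
        try:
            protodef = SAMRDump.KNOWN_PROTOCOLS[protocol]
            port = protodef[1]
        except KeyError:
            # NOTE(review): exiting from inside a method is hostile to library
            # callers; kept because the command-line front end relies on it.
            print "\n\t[!] Invalid Protocol \'%s\'\n" % protocol
            usage()
            sys.exit(1)
        print "\n\t[+] Trying protocol %s..." % protocol
        # The SAMR interface is reached over the \samr named pipe.
        rpctransport = transport.SMBTransport(addr, port, r'\samr', self.__username, self.__password)
        try:
            entries = self.__fetchList(rpctransport)
        except Exception as e:
            print '\n\t[!] Protocol failed: %s' % e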
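def getregistryconnection(sconn, ip, port=445):
    """Bind a WINREG DCE/RPC endpoint on top of an existing SMB session.

    Args:
        sconn: an already-established SMB connection, reused as the RPC
            carrier so that no second SMB session is opened.
        ip: target address handed to the transport.
        port: SMB port recorded on the transport; defaults to 445, which was
            the hard-coded value before this parameter existed.

    Returns:
        A ``winreg.DCERPCWinReg`` bound to ``winreg.MSRPC_UUID_WINREG``.
    """
    global _dcerpctransport
    # Stored in a module global -- presumably so the transport outlives this
    # call while the returned object is in use; confirm against callers.
    _dcerpctransport = transport.SMBTransport(ip, port, 'winreg', smb_connection=sconn)
    _dcerpctransport.connect()
    dce = _dcerpctransport.DCERPC_class(_dcerpctransport)
    dce.bind(winreg.MSRPC_UUID_WINREG)
    return winreg.DCERPCWinReg(dce)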
def getShares(self):
    """Enumerate the shares of the connected host through the SRVSVC pipe.

    The existing SMB session on ``self.client`` is reused as the DCE/RPC
    carrier; the transport and DCE objects are kept on ``self``.

    Returns:
        The raw ``get_share_enum_1`` response.
    """
    rpc = transport.SMBTransport('', '', filename=r'\srvsvc', smb_server=self.client)
    self._rpctransport = rpc
    dce = dcerpc.DCERPC_v5(rpc)
    self._dce = dce
    dce.connect()
    dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
    service = srvsvc.DCERPCSrvSvc(dce)
    return service.get_share_enum_1(rpc.get_dip())
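def do_shares(self, line):
    """Print the NetName of every share the connected server enumerates.

    Args:
        line: remainder of the interactive command line (unused).
    """
    rpctransport = transport.SMBTransport(self.smb.get_remote_name(), self.smb.get_remote_host(),
                                          filename=r'\srvsvc', smb_server=self.smb)
    dce = dcerpc.DCERPC_v5(rpctransport)
    dce.connect()
    dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
    srv_svc = srvsvc.DCERPCSrvSvc(dce)
    resp = srv_svc.get_share_enum_1(rpctransport.get_dip())
    # Iterate the response directly instead of indexing by position.
    for share in resp:
        # NetName is decoded as UTF-16, as the original did.
        print(share['NetName'].decode('utf-16'))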
def listShares(self):
    """Return the share list of the connected host via the SRVSVC pipe.

    The RPC transport is layered on this connection (``smb_connection=self``).

    Returns:
        The raw ``get_share_enum_1`` response.
    """
    # Imported locally so the dcerpc package is only loaded when needed.
    from impacket.dcerpc import transport, dcerpc, srvsvc
    host = self.getRemoteHost()
    # NOTE(review): the host is passed for both the name and the address
    # slot; presumably ignored once smb_connection is supplied -- confirm.
    rpctransport = transport.SMBTransport(host, host, filename=r'\srvsvc', smb_connection=self)
    dce = dcerpc.DCERPC_v5(rpctransport)
    dce.connect()
    dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
    service = srvsvc.DCERPCSrvSvc(dce)
    return service.get_share_enum_1(rpctransport.get_dip())
def openSvcManager(self):
    """Bind SVCCTL over the existing SMB session and open the Service Control Manager.

    Progress goes to stdout: the opening message is printed without a newline
    (trailing comma) so the OK/ERROR verdict lands on the same line.

    Returns:
        The SCM context handle when ``ErrorCode`` is 0, otherwise 0.
    """
    print "[*] Opening SVCManager on %s....." % self.client.get_remote_host(),
    # Reuse the already-established SMB connection as the RPC carrier.
    rpc = transport.SMBTransport('', '', filename=r'\svcctl', smb_server=self.client)
    self._rpctransport = rpc
    dce = dcerpc.DCERPC_v5(rpc)
    self._dce = dce
    dce.connect()
    dce.bind(svcctl.MSRPC_UUID_SVCCTL)
    self.rpcsvc = svcctl.DCERPCSvcCtl(dce)
    resp = self.rpcsvc.OpenSCManagerW()
    if resp['ErrorCode'] != 0:
        print "ERROR"
        return 0
    print "OK"
    return resp['ContextHandle']
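def getShares(self):
    """Enumerate the shares of the connected host through the SRVSVC pipe.

    The existing SMB session on ``self.client`` is reused as the DCE/RPC
    carrier; the transport and DCE objects are kept on ``self``.

    Returns:
        The raw ``get_share_enum_1`` response.

    Raises:
        Exception: any failure from the RPC calls, re-raised after a notice
            is printed.
    """
    print("[*] Requesting shares on %s....." % (self.client.get_remote_host()))
    try:
        self._rpctransport = transport.SMBTransport('', '', filename=r'\srvsvc', smb_server=self.client)
        self._dce = dcerpc.DCERPC_v5(self._rpctransport)
        self._dce.connect()
        self._dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
        srv_svc = srvsvc.DCERPCSrvSvc(self._dce)
        return srv_svc.get_share_enum_1(self._rpctransport.get_dip())
    except Exception:
        # Narrowed from a bare ``except`` so KeyboardInterrupt / SystemExit
        # pass through untouched instead of being reported as an RPC error.
        print("[!] Error requesting shares on %s, aborting....." % (self.client.get_remote_host()))
        raise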
def do_info(self, line):
    """Print the level-102 server information of the connected host.

    Args:
        line: remainder of the interactive command line (unused).
    """
    rpctransport = transport.SMBTransport(self.smb.get_remote_name(), self.smb.get_remote_host(),
                                          filename=r'\srvsvc', smb_server=self.smb)
    dce = dcerpc.DCERPC_v5(rpctransport)
    dce.connect()
    dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
    info = srvsvc.DCERPCSrvSvc(dce).get_server_info_102(rpctransport.get_dip())
    # One (format, field) pair per output line, in the original print order;
    # the format strings are kept verbatim so the output is unchanged.
    fields = (
        ("Version Major: %d", 'VersionMajor'),
        ("Version Minor: %d", 'VersionMinor'),
        ("Server Name: %s", 'Name'),
        ("Server Comment: %s", 'Comment'),
        ("Server UserPath: %s", 'UserPath'),
        ("Simultaneous Users: %d", 'Users'),
    )
    for fmt, key in fields:
        print(fmt % info[key])
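def openSvcManager(self):
    """Bind SVCCTL over the existing SMB connection and open the Service Control Manager.

    Returns:
        The SCM context handle, or 0 when ``OpenSCManagerW`` raised (the
        error is printed rather than propagated).
    """
    # Reuse the already-established SMB connection as the RPC carrier.
    self._rpctransport = transport.SMBTransport(
        '', '', filename=r'\svcctl', smb_connection=self.connection)
    self._dce = dcerpc.DCERPC_v5(self._rpctransport)
    self._dce.connect()
    self._dce.bind(svcctl.MSRPC_UUID_SVCCTL)
    self.rpcsvc = svcctl.DCERPCSvcCtl(self._dce)
    try:
        resp = self.rpcsvc.OpenSCManagerW()
    except Exception:
        # Narrowed from a bare ``except``: Ctrl-C must not be swallowed and
        # reported as a failed SCM open.
        print("[!] Error opening SVCManager on %s....." % self.connection.getRemoteHost())
        return 0
    return resp['ContextHandle']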
def getShares(self):
    """Return a list of shares on the remote windows server.

    The existing SMB connection is reused as the DCE/RPC carrier; the
    transport and DCE objects are kept on ``self``.  Any failure is
    announced on stdout and re-raised.
    """
    host = self.connection.getRemoteHost()
    print("[*] Requesting shares on %s....." % host)
    try:
        rpc = transport.SMBTransport('', '', filename=r'\srvsvc', smb_connection=self.connection)
        self._rpctransport = rpc
        dce = dcerpc.DCERPC_v5(rpc)
        self._dce = dce
        dce.connect()
        dce.bind(srvsvc.MSRPC_UUID_SRVSVC)
        service = srvsvc.DCERPCSrvSvc(dce)
        return service.get_share_enum_1(rpc.get_dip())
    except Exception:
        print("[!] Error requesting shares on %s, aborting....." % host)
        raise
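def DiscoverDNSport(target, port=139):
    """Ask the endpoint mapper on *target* for the port of the DNS server RPC interface.

    Args:
        target: host name or IP address of the endpoint mapper.
        port: SMB port used to reach the ``epmapper`` pipe; defaults to 139,
            which was the hard-coded value before this parameter existed.

    Returns:
        The port as an int, or None (after printing a notice) when the
        endpoint mapper lists no entry for the DNS server interface.
    """
    # Endpoint mapper interface (UUID, version) and the DNS server interface
    # UUID searched for; both values are those of the original code.
    epm_iface = ('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0')
    dns_iface = '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'
    trans = transport.SMBTransport(target, port, 'epmapper')
    trans.connect()
    dce = dcerpc.DCERPC_v5(trans)
    dce.bind(uuid.uuidtup_to_bin(epm_iface))
    pm = epm.DCERPCEpm(dce)
    # An all-zero 20-byte handle starts the enumeration; every reply hands
    # back the handle to pass on the next call.
    handle = '\x00' * 20
    while True:
        dump = pm.portmap_dump(handle)
        if not dump.get_entries_num():
            break
        handle = dump.get_handle()
        entry = dump.get_entry().get_entry()
        if uuid.bin_to_string(entry.get_uuid()) == dns_iface:
            # The string binding is expected to end in '[port]'; take the
            # bracketed part.
            return int(entry.get_string_binding().split('[')[1][:-1])
    print('[-] Could not locate DNS port; Target might not be running DNS')
    return None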