def rpcdump(self): logger.info('Retrieving RPC endpoint list') self.__rpc_connect() entries = self.__fetchList() endpoints = {} # Let's groups the UUIDs for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors'], self.trans.getRemoteName()) tmpUUID = str(entry['tower']['Floors'][0]) if endpoints.has_key(tmpUUID) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if epm.KNOWN_UUIDS.has_key( uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]): endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1] endpoints[tmpUUID]['Bindings'].append(binding) if epm.KNOWN_PROTOCOLS.has_key(tmpUUID[:36]): endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = 'N/A' # print 'Transfer Syntax: %s' % entry['Tower']['Floors'][1] for endpoint in endpoints.keys(): print 'Protocol: %s ' % endpoints[endpoint]['Protocol'] print 'Provider: %s ' % endpoints[endpoint]['EXE'] print 'UUID : %s %s' % (endpoint, endpoints[endpoint]['annotation']) print 'Bindings: ' for binding in endpoints[endpoint]['Bindings']: print ' %s' % binding print if entries: num = len(entries) if 1 == num: logger.info('Received one RPC endpoint') else: logger.info('Received %d endpoints' % num) else: logger.info('No endpoints found')
def dump(self, remoteName, remoteHost): """Dumps the list of endpoints registered with the mapper listening at addr. remoteName is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % remoteName) entries = [] self.__stringbinding = self.KNOWN_PROTOCOLS[ self.__port]['bindstr'] % remoteName logging.debug('StringBinding %s' % self.__stringbinding) rpctransport = transport.DCERPCTransportFactory(self.__stringbinding) if self.__port in [139, 445]: # Setting credentials for SMB rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) # Setting remote host and port for SMB rpctransport.setRemoteHost(remoteHost) rpctransport.set_dport(self.__port) elif self.__port in [443]: # Setting credentials only for RPC Proxy, but not for the MSRPC level rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) # Usually when a server doesn't support NTLM, it also doesn't expose epmapper (nowadays # only RDG servers may potentially expose a epmapper via RPC Proxy). # # Also if the auth is not NTLM, there is no way to get a target # NetBIOS name, but epmapper ACL requires you to specify it. rpctransport.set_auth_type(AUTH_NTLM) else: # We don't need to authenticate to 135 and 593 ports pass try: entries = self.__fetchList(rpctransport) except Exception as e: # raise # This may contain UTF-8 error_text = 'Protocol failed: %s' % e logging.critical(error_text) if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or \ RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \ RPC_PROXY_CONN_A1_404_ERR in error_text or \ RPC_PROXY_CONN_A1_0X6BA_ERR in error_text: logging.critical( "This usually means the target does not allow " "to connect to its epmapper using RpcProxy.") return # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors']) tmpUUID = str(entry['tower']['Floors'][0]) if (tmpUUID in endpoints) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if uuid.uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS: endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode( 'utf-8') endpoints[tmpUUID]['Bindings'].append(binding) if tmpUUID[:36] in epm.KNOWN_PROTOCOLS: endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" # print("Transfer Syntax: %s" % entry['tower']['Floors'][1]) for endpoint in list(endpoints.keys()): print("Protocol: %s " % endpoints[endpoint]['Protocol']) print("Provider: %s " % endpoints[endpoint]['EXE']) print("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])) print("Bindings: ") for binding in endpoints[endpoint]['Bindings']: print(" %s" % binding) print("") if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
class RPCDump: KNOWN_PROTOCOLS = { '139/SMB': (r'ncacn_np:%s[\pipe\epmapper]', 139), '445/SMB': (r'ncacn_np:%s[\pipe\epmapper]', 445), '135/TCP': (r'ncacn_ip_tcp:%s', 135), } def __init__(self, protocols=None, username='', password='', domain='', hashes=None): if not protocols: protocols = RPCDump.KNOWN_PROTOCOLS.keys() self.__username = username self.__password = password self.__protocols = [protocols] self.__domain = domain self.__lmhash = '' self.__nthash = '' if hashes is not None: self.__lmhash, self.__nthash = hashes.split(':') def dump(self, addr): """Dumps the list of endpoints registered with the mapper listening at addr. Addr is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % addr) # Try all requested protocols until one works. entries = [] for protocol in self.__protocols: protodef = RPCDump.KNOWN_PROTOCOLS[protocol] port = protodef[1] logging.info("Trying protocol %s..." % protocol) stringbinding = protodef[0] % addr rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(port) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) try: entries = self.__fetchList(rpctransport) except Exception, e: logging.critical('Protocol failed: %s' % e) else: # Got a response. No need for further iterations. break # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors'], rpctransport.get_dip()) tmpUUID = str(entry['tower']['Floors'][0]) if endpoints.has_key(tmpUUID) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if ndrutils.KNOWN_UUIDS.has_key( uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]): endpoints[tmpUUID]['EXE'] = ndrutils.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1] endpoints[tmpUUID]['Bindings'].append(binding) if epm.KNOWN_PROTOCOLS.has_key(tmpUUID[:36]): endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" #print "Transfer Syntax: %s" % entry['Tower']['Floors'][1] for endpoint in endpoints.keys(): print "Protocol: %s " % endpoints[endpoint]['Protocol'] print "Provider: %s " % endpoints[endpoint]['EXE'] print "UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation']) print "Bindings: " for binding in endpoints[endpoint]['Bindings']: print " %s" % binding print "" if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
def dump(self, remoteName, remoteHost): """Dumps the list of endpoints registered with the mapper listening at addr. remoteName is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % remoteName) entries = [] stringbinding = self.KNOWN_PROTOCOLS[ self.__port]['bindstr'] % remoteName logging.debug('StringBinding %s' % stringbinding) rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(self.__port) if self.KNOWN_PROTOCOLS[self.__port]['set_host']: rpctransport.setRemoteHost(remoteHost) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) try: entries = self.__fetchList(rpctransport) except Exception as e: logging.critical('Protocol failed: %s' % e) # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors'], rpctransport.getRemoteHost()) tmpUUID = str(entry['tower']['Floors'][0]) if (tmpUUID in endpoints) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if uuid.uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS: endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode( 'utf-8') endpoints[tmpUUID]['Bindings'].append(binding) if tmpUUID[:36] in epm.KNOWN_PROTOCOLS: endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" #print "Transfer Syntax: %s" % entry['Tower']['Floors'][1] for endpoint in list(endpoints.keys()): print("Protocol: %s " % endpoints[endpoint]['Protocol']) print("Provider: %s " % endpoints[endpoint]['EXE']) print("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])) print("Bindings: ") for binding in endpoints[endpoint]['Bindings']: print(" %s" % binding) print("") if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
def dump(self, remoteName, remoteHost): """Dumps the list of endpoints registered with the mapper listening at addr. remoteName is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % remoteName) entries = [] self.__stringbinding = self.KNOWN_PROTOCOLS[ self.__port]['bindstr'] % remoteName logging.debug('StringBinding %s' % self.__stringbinding) rpctransport = transport.DCERPCTransportFactory(self.__stringbinding) if self.__port in [139, 445]: # Setting credentials for SMB rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) # Setting remote host and port for SMB rpctransport.setRemoteHost(remoteHost) rpctransport.set_dport(self.__port) elif self.__port in [443]: # Setting credentials only for RpcProxy, but not for the RPC Transport rpctransport.set_proxy_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) else: # We don't need to authenticate to 135 and 593 ports pass try: entries = self.__fetchList(rpctransport) except Exception as e: #raise logging.critical('Protocol failed: %s' % e) if 'Invalid RPC Port' in str(e): logging.critical( "This usually means the target is a MS Exchange Server, " "which does not allow to connect to its epmapper using RpcProxy" ) if 'RPC Proxy CONN/A1 request failed, code: 0x6ba' in str(e): logging.critical( "This usually means the target has no ACL to connect to its epmapper using RpcProxy" ) # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors']) tmpUUID = str(entry['tower']['Floors'][0]) if (tmpUUID in endpoints) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if uuid.uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS: endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode( 'utf-8') endpoints[tmpUUID]['Bindings'].append(binding) if tmpUUID[:36] in epm.KNOWN_PROTOCOLS: endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" #print("Transfer Syntax: %s" % entry['tower']['Floors'][1]) for endpoint in list(endpoints.keys()): print("Protocol: %s " % endpoints[endpoint]['Protocol']) print("Provider: %s " % endpoints[endpoint]['EXE']) print("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])) print("Bindings: ") for binding in endpoints[endpoint]['Bindings']: print(" %s" % binding) print("") if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
class RPCDump: KNOWN_PROTOCOLS = { 135: {'bindstr': r'ncacn_ip_tcp:%s', 'set_host': False}, 139: {'bindstr': r'ncacn_np:%s[\pipe\epmapper]', 'set_host': True}, 445: {'bindstr': r'ncacn_np:%s[\pipe\epmapper]', 'set_host': True} } def __init__(self, username = '', password = '', domain='', hashes = None, port=135): self.__username = username self.__password = password self.__domain = domain self.__lmhash = '' self.__nthash = '' self.__port = port if hashes is not None: self.__lmhash, self.__nthash = hashes.split(':') def dump(self, remoteName, remoteHost): """Dumps the list of endpoints registered with the mapper listening at addr. remoteName is a valid host name or IP address in string format. """ logging.info('Retrieving endpoint list from %s' % remoteName) entries = [] stringbinding = self.KNOWN_PROTOCOLS[self.__port]['bindstr'] % remoteName logging.debug('StringBinding %s'%stringbinding) rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(self.__port) if self.KNOWN_PROTOCOLS[self.__port]['set_host']: rpctransport.setRemoteHost(remoteHost) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) try: entries = self.__fetchList(rpctransport) except Exception, e: logging.critical('Protocol failed: %s' % e) # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors'], rpctransport.getRemoteHost()) tmpUUID = str(entry['tower']['Floors'][0]) if endpoints.has_key(tmpUUID) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if epm.KNOWN_UUIDS.has_key(uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]): endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1] endpoints[tmpUUID]['Bindings'].append(binding) if epm.KNOWN_PROTOCOLS.has_key(tmpUUID[:36]): endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" #print "Transfer Syntax: %s" % entry['Tower']['Floors'][1] for endpoint in endpoints.keys(): print "Protocol: %s " % endpoints[endpoint]['Protocol'] print "Provider: %s " % endpoints[endpoint]['EXE'] print "UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation']) print "Bindings: " for binding in endpoints[endpoint]['Bindings']: print " %s" % binding print "" if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')
def on_login(self, context, connection): entries = [] lmhash = getattr(connection, "lmhash", "") nthash = getattr(connection, "nthash", "") self.__stringbinding = KNOWN_PROTOCOLS[ self.port]['bindstr'] % connection.host logging.debug('StringBinding %s' % self.__stringbinding) rpctransport = transport.DCERPCTransportFactory(self.__stringbinding) rpctransport.set_credentials(connection.username, connection.password, connection.domain, lmhash, nthash) rpctransport.setRemoteHost(connection.host) rpctransport.set_dport(self.port) try: entries = self.__fetchList(rpctransport) except Exception as e: error_text = 'Protocol failed: %s' % e logging.critical(error_text) if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or \ RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \ RPC_PROXY_CONN_A1_404_ERR in error_text or \ RPC_PROXY_CONN_A1_0X6BA_ERR in error_text: logging.critical( "This usually means the target does not allow " "to connect to its epmapper using RpcProxy.") return # Display results. endpoints = {} # Let's groups the UUIDS for entry in entries: binding = epm.PrintStringBinding(entry['tower']['Floors']) tmpUUID = str(entry['tower']['Floors'][0]) if (tmpUUID in endpoints) is not True: endpoints[tmpUUID] = {} endpoints[tmpUUID]['Bindings'] = list() if uuid.uuidtup_to_bin( uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS: endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[ uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]] else: endpoints[tmpUUID]['EXE'] = 'N/A' endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode( 'utf-8') endpoints[tmpUUID]['Bindings'].append(binding) if tmpUUID[:36] in epm.KNOWN_PROTOCOLS: endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[ tmpUUID[:36]] else: endpoints[tmpUUID]['Protocol'] = "N/A" for endpoint in list(endpoints.keys()): if "MS-RPRN" in endpoints[endpoint]['Protocol']: logging.debug("Protocol: %s " % endpoints[endpoint]['Protocol']) logging.debug("Provider: %s " % endpoints[endpoint]['EXE']) logging.debug("UUID : %s %s" % (endpoint, endpoints[endpoint]['annotation'])) logging.debug("Bindings: ") for binding in endpoints[endpoint]['Bindings']: logging.debug(" %s" % binding) logging.debug("") context.log.highlight('Spooler service enabled') break if entries: num = len(entries) if 1 == num: logging.info('Received one endpoint.') else: logging.info('Received %d endpoints.' % num) else: logging.info('No endpoints found.')