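# Source: github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/tests/SMB_RPC/test_bkrp.py
###############################################################################
#  Tested so far:
#
#  BackuprKey
#
#  Expected to run without errors against a Windows 7 target.
#
#  These are live integration tests for impacket's BackupKey Remote Protocol
#  (MS-BKRP) client: they need a reachable Windows host and an account, both
#  taken from dcetests.cfg in the current working directory.
#
#  NOTE: dcetests.cfg carries a cleartext password and/or LM:NT hashes. Keep it
#  out of version control and readable only by the account running the tests.
#  Every response is dump()ed to stdout, so test logs contain the wrapped blobs
#  and the certificate fields returned by the server.
################################################################################

from __future__ import division
from __future__ import print_function

import unittest

try:
    import ConfigParser
except ImportError:
    import configparser as ConfigParser

from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5 import bkrp
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
from impacket.dcerpc.v5.dtypes import NULL

try:
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
except ImportError:
    print("In order to run these test cases you need the cryptography package")
    # Leave explicit markers so the certificate tests can skip cleanly instead
    # of dying with a NameError when they reach the parsing step.
    x509 = None
    default_backend = None


class BKRPTests(unittest.TestCase):
    """BackuprKey round-trip and key-retrieval tests, independent of transport.

    Subclasses must provide ``username``, ``password``, ``domain``, ``hashes``,
    ``stringBinding`` and ``ts`` (the transfer syntax to bind with) in setUp().
    """

    # Arbitrary plaintext that is wrapped by the server and then unwrapped again.
    DATA_IN = (
        b"Huh? wait wait, let me, let me explain something to you. Uh, I am not Mr. Lebowski; "
        b"you're Mr. Lebowski. I'm the Dude. So that's what you call me. You know, uh, That, or uh, "
        b"his Dudeness, or uh Duder, or uh El Duderino, if, you know, you're not into the whole brevity thing--uh."
    )

    def _load_smb_config(self):
        """Populate the connection attributes from the [SMBTransport] section."""
        configFile = ConfigParser.ConfigParser()
        # read() silently ignores a missing file; the first get() below then
        # raises NoSectionError, which is how a missing dcetests.cfg shows up.
        configFile.read('dcetests.cfg')
        self.username = configFile.get('SMBTransport', 'username')
        self.domain = configFile.get('SMBTransport', 'domain')
        self.serverName = configFile.get('SMBTransport', 'servername')
        self.password = configFile.get('SMBTransport', 'password')
        self.machine = configFile.get('SMBTransport', 'machine')
        self.hashes = configFile.get('SMBTransport', 'hashes')
        self.stringBinding = r'ncacn_np:%s[\PIPE\protected_storage]' % self.machine

    def connect(self):
        """Open an authenticated DCE/RPC session bound to the BKRP interface.

        Returns:
            A ``(dce, rpctransport)`` tuple. The session is closed automatically
            when the calling test finishes.
        """
        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if self.hashes:
            # Config format is "LMHASH:NTHASH".
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        # Packet privacy encrypts and integrity-protects the RPC payload, so the
        # plaintext and the wrapped secret do not cross the wire in the clear.
        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        dce.connect()
        # Registered before bind() so a failed bind still releases the session;
        # the original tests never disconnected.
        self.addCleanup(dce.disconnect)
        dce.bind(bkrp.MSRPC_UUID_BKRP, transfer_syntax=self.ts)

        return dce, rpctransport

    def _raw_backupr_key(self, dce, action_guid, data_in, data_len):
        """Send a hand-built BackuprKey request and dump the response."""
        request = bkrp.BackuprKey()
        request['pguidActionAgent'] = action_guid
        request['pDataIn'] = data_in
        request['cbDataIn'] = data_len
        request['dwParam'] = 0

        resp = dce.request(request)
        resp.dump()
        return resp

    def _dump_wrapped(self, resp):
        """Parse the response payload as a WRAPPED_SECRET, dump it, return the raw blob."""
        blob = b''.join(resp['ppDataOut'])
        wrapped = bkrp.WRAPPED_SECRET()
        wrapped.fromString(blob)
        wrapped.dump()
        return blob

    def _raw_round_trip(self, restore_guid):
        """Wrap DATA_IN with BACKUPKEY_BACKUP_GUID, unwrap with restore_guid, compare."""
        dce, rpctransport = self.connect()
        resp = self._raw_backupr_key(dce, bkrp.BACKUPKEY_BACKUP_GUID, self.DATA_IN, len(self.DATA_IN))
        blob = self._dump_wrapped(resp)

        # The restore call reuses the length reported by the server.
        resp = self._raw_backupr_key(dce, restore_guid, blob, resp['pcbDataOut'])

        # assertEqual rather than a bare assert: bare asserts vanish under -O.
        self.assertEqual(self.DATA_IN, b''.join(resp['ppDataOut']))

    def _helper_round_trip(self, restore_guid):
        """Same round trip as _raw_round_trip, driven through bkrp.hBackuprKey."""
        dce, rpctransport = self.connect()
        resp = bkrp.hBackuprKey(dce, bkrp.BACKUPKEY_BACKUP_GUID, self.DATA_IN)
        resp.dump()
        blob = self._dump_wrapped(resp)

        resp = bkrp.hBackuprKey(dce, restore_guid, blob)
        resp.dump()

        self.assertEqual(self.DATA_IN, b''.join(resp['ppDataOut']))

    def _print_certificate(self, resp):
        """Parse the response payload as a DER X.509 certificate and print its fields."""
        if x509 is None:
            self.skipTest("cryptography package is not installed")
        cert = x509.load_der_x509_certificate(b''.join(resp['ppDataOut']), default_backend())

        print(cert.subject)
        print(cert.issuer)
        print(cert.signature)

    def test_BackuprKey_BACKUPKEY_BACKUP_GUID_BACKUPKEY_RESTORE_GUID(self):
        """Raw request: backup then restore with BACKUPKEY_RESTORE_GUID."""
        self._raw_round_trip(bkrp.BACKUPKEY_RESTORE_GUID)

    def test_hBackuprKey_BACKUPKEY_BACKUP_GUID_BACKUPKEY_RESTORE_GUID(self):
        """Helper call: backup then restore with BACKUPKEY_RESTORE_GUID."""
        self._helper_round_trip(bkrp.BACKUPKEY_RESTORE_GUID)

    def test_BackuprKey_BACKUPKEY_BACKUP_GUID_BACKUPKEY_RESTORE_GUID_WIN2K(self):
        """Raw request: backup then restore with BACKUPKEY_RESTORE_GUID_WIN2K."""
        self._raw_round_trip(bkrp.BACKUPKEY_RESTORE_GUID_WIN2K)

    def test_hBackuprKey_BACKUPKEY_BACKUP_GUID_BACKUPKEY_RESTORE_GUID_WIN2K(self):
        """Helper call: backup then restore with BACKUPKEY_RESTORE_GUID_WIN2K."""
        self._helper_round_trip(bkrp.BACKUPKEY_RESTORE_GUID_WIN2K)

    def test_BackuprKey_BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID(self):
        """Raw request: fetch the backup key certificate and parse it as X.509."""
        dce, rpctransport = self.connect()
        resp = self._raw_backupr_key(dce, bkrp.BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, NULL, 0)
        self._print_certificate(resp)

    def test_hBackuprKey_BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID(self):
        """Helper call: fetch the backup key certificate and parse it as X.509."""
        dce, rpctransport = self.connect()
        # The original also built a BackuprKey request here that was never
        # sent; only the helper call is exercised.
        resp = bkrp.hBackuprKey(dce, bkrp.BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, NULL)
        resp.dump()
        self._print_certificate(resp)


class SMBTransport(BKRPTests):
    """Run the suite over a named pipe with the NDR (v2.0) transfer syntax."""

    def setUp(self):
        BKRPTests.setUp(self)
        self._load_smb_config()
        self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')


class SMBTransport64(BKRPTests):
    """Run the suite over a named pipe with the NDR64 (v1.0) transfer syntax."""

    def setUp(self):
        BKRPTests.setUp(self)
        # Deliberately reads the same [SMBTransport] section as SMBTransport.
        self._load_smb_config()
        self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')


# Process command-line arguments.
if __name__ == '__main__':
    import sys
    loader = unittest.TestLoader()
    if len(sys.argv) > 1:
        testcase = sys.argv[1]
        # Only accept names that resolve to a TestCase class in this module,
        # instead of failing with a bare KeyError on a typo.
        selected = globals().get(testcase)
        if not (isinstance(selected, type) and issubclass(selected, unittest.TestCase)):
            sys.exit('Unknown test case class: %s' % testcase)
        suite = loader.loadTestsFromTestCase(selected)
    else:
        suite = loader.loadTestsFromTestCase(SMBTransport)
        suite.addTests(loader.loadTestsFromTestCase(SMBTransport64))
    unittest.TextTestRunner(verbosity=1).run(suite)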