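###############################################################################
# Tested so far:
#   EvtRpcRegisterLogQuery
#   hEvtRpcRegisterLogQuery
#   EvtRpcQueryNext
#   hEvtRpcQueryNext
#
# These are live integration tests against a Windows host. Connection details
# and credentials (password and/or "LM:NT" hashes, in cleartext) are read from
# dcetests.cfg in the current working directory; keep that file out of version
# control and off shared machines.
###############################################################################

from __future__ import division
from __future__ import print_function
import unittest
try:
    import ConfigParser
except ImportError:
    import configparser as ConfigParser

from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5 import epm, even6
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
from impacket.structure import hexdump

# Transfer syntaxes offered at bind time: classic NDR and NDR64.
NDR_TRANSFER_SYNTAX = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')
NDR64_TRANSFER_SYNTAX = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')

# Query parameters shared by every test in this module: the Security channel,
# all events, newest first. Strings are NUL-terminated as the wire format wants.
LOG_CHANNEL = 'Security\x00'
LOG_QUERY = '*\x00'
LOG_FLAGS = even6.EvtQueryChannelName | even6.EvtReadNewestToOldest


class EVEN6Tests(unittest.TestCase):
    """Test bodies for the MS-EVEN6 (Windows Event Log remoting) interface.

    Subclasses supply the transport in setUp(): username, password, domain,
    hashes, machine, serverName, stringBinding and ts (transfer syntax).
    """

    def _load_config(self, section):
        """Read the connection settings for *section* of dcetests.cfg into self.

        Raises the ConfigParser error for a missing section/option, which is
        the right outcome: a half-configured test must not run.
        """
        configFile = ConfigParser.ConfigParser()
        configFile.read('dcetests.cfg')
        self.username = configFile.get(section, 'username')
        self.domain = configFile.get(section, 'domain')
        self.serverName = configFile.get(section, 'servername')
        self.password = configFile.get(section, 'password')
        self.machine = configFile.get(section, 'machine')
        # "LMHASH:NTHASH" for pass-the-hash, or empty to use the password.
        self.hashes = configFile.get(section, 'hashes')

    def connect(self, version):
        """Connect and bind to MS-EVEN6 over self.stringBinding.

        ``version`` is kept for call compatibility but has no effect: the
        original code bound the same interface with the same transfer syntax
        on both branches of its ``if version == 1`` test.

        Returns ``(dce, rpctransport)``. The connection is registered with
        addCleanup() so it is closed even when the test fails mid-way.
        """
        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if self.hashes:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        # Sign and seal: event records must not cross the wire in the clear,
        # and a lower level is also the first thing a hardened host rejects.
        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        dce.connect()
        self.addCleanup(dce.disconnect)
        dce.bind(even6.MSRPC_UUID_EVEN6, transfer_syntax=self.ts)
        return dce, rpctransport

    def _dump_events(self, resp):
        """Hex-dump every record in an EvtRpcQueryNext response.

        Each record is addressed by an (offset, size) pair taken from
        EventDataIndices / EventDataSizes into the flat ResultBuffer.
        """
        buffer_len = len(resp['ResultBuffer'])
        for i in range(resp['NumActualRecords']):
            event_offset = resp['EventDataIndices'][i]['Data']
            event_size = resp['EventDataSizes'][i]['Data']
            # A Python slice past the end is silently truncated, so check the
            # server-supplied bounds explicitly rather than accept a short
            # record from a malformed (or hostile) response.
            self.assertLessEqual(event_offset + event_size, buffer_len)
            event = resp['ResultBuffer'][event_offset:event_offset + event_size]
            # The slice appears to hold single-byte items (the original joined
            # them with b''); join them back into one bytes object. This runs
            # on Python 2 and 3 — the former .encode('hex')/.decode('hex')
            # round trip was Python 2 only.
            print(hexdump(b''.join(event)))

    def test_EvtRpcRegisterLogQuery_EvtRpcQueryNext(self):
        """Drive the raw EvtRpcRegisterLogQuery / EvtRpcQueryNext structures."""
        dce, rpctransport = self.connect(2)

        request = even6.EvtRpcRegisterLogQuery()
        request['Path'] = LOG_CHANNEL
        request['Query'] = LOG_QUERY
        request['Flags'] = LOG_FLAGS
        request.dump()
        # No try/except here: the original swallowed every exception and
        # returned, so an RPC fault (e.g. access denied on the Security
        # channel) produced a passing test. Let it fail.
        resp = dce.request(request)
        resp.dump()
        log_handle = resp['Handle']

        request = even6.EvtRpcQueryNext()
        request['LogQuery'] = log_handle
        request['NumRequestedRecords'] = 5
        request['TimeOutEnd'] = 1000
        request['Flags'] = 0
        request.dump()
        resp = dce.request(request)
        resp.dump()
        self._dump_events(resp)

    def test_hEvtRpcRegisterLogQuery_hEvtRpcQueryNext(self):
        """Same flow through the hEvtRpc* helper functions."""
        dce, rpctransport = self.connect(2)

        resp = even6.hEvtRpcRegisterLogQuery(dce, LOG_CHANNEL, LOG_QUERY, LOG_FLAGS)
        resp.dump()
        log_handle = resp['Handle']

        # The original called even6.EvtRpcQueryNext — the NDR structure class —
        # with helper-style positional arguments; the resulting TypeError was
        # hidden by a bare return, so the helper was never exercised. Call the
        # helper this test is named for.
        # NOTE(review): upstream impacket's hEvtRpcQueryNext takes
        # (dce, handle, numRequestedRecords, timeOutEnd); confirm against the
        # vendored even6.py.
        resp = even6.hEvtRpcQueryNext(dce, log_handle, 5, 1000)
        resp.dump()
        self._dump_events(resp)


class SMBTransport(EVEN6Tests):
    """MS-EVEN6 over the eventlog named pipe (ncacn_np), NDR transfer syntax."""
    def setUp(self):
        EVEN6Tests.setUp(self)
        self._load_config('SMBTransport')
        self.stringBinding = r'ncacn_np:%s[\PIPE\eventlog]' % self.machine
        self.ts = NDR_TRANSFER_SYNTAX


class SMBTransport64(EVEN6Tests):
    """MS-EVEN6 over the eventlog named pipe (ncacn_np), NDR64 transfer syntax."""
    def setUp(self):
        EVEN6Tests.setUp(self)
        self._load_config('SMBTransport')
        self.stringBinding = r'ncacn_np:%s[\PIPE\eventlog]' % self.machine
        self.ts = NDR64_TRANSFER_SYNTAX


class TCPTransport(EVEN6Tests):
    """MS-EVEN6 over ncacn_ip_tcp, NDR transfer syntax.

    The dynamic endpoint is resolved through the endpoint mapper at setUp()
    time, so setUp() itself already needs network access to the target.
    """
    def setUp(self):
        EVEN6Tests.setUp(self)
        self._load_config('TCPTransport')
        self.stringBinding = epm.hept_map(self.machine, even6.MSRPC_UUID_EVEN6, protocol='ncacn_ip_tcp')
        self.ts = NDR_TRANSFER_SYNTAX


class TCPTransport64(EVEN6Tests):
    """MS-EVEN6 over ncacn_ip_tcp, NDR64 transfer syntax (see TCPTransport)."""
    def setUp(self):
        EVEN6Tests.setUp(self)
        self._load_config('TCPTransport')
        self.stringBinding = epm.hept_map(self.machine, even6.MSRPC_UUID_EVEN6, protocol='ncacn_ip_tcp')
        self.ts = NDR64_TRANSFER_SYNTAX


# Process command-line arguments: an optional test-class name selects one
# transport; with no argument the two TCP variants run.
if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        testcase = sys.argv[1]
        suite = unittest.TestLoader().loadTestsFromTestCase(globals()[testcase])
    else:
        suite = unittest.TestLoader().loadTestsFromTestCase(TCPTransport)
        suite.addTests(unittest.TestLoader().loadTestsFromTestCase(TCPTransport64))
    unittest.TextTestRunner(verbosity=1).run(suite)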