github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/tests/SMB_RPC/test_lsat.py (about) 1 ############################################################################### 2 # Tested so far: 3 # 4 # LsarGetUserName 5 # LsarLookupNames 6 # LsarLookupSids 7 # LsarLookupSids2 8 # LsarLookupNames3 9 # LsarLookupNames2 10 # 11 # Not yet: 12 # 13 # LsarLookupNames4 14 # LsarLookupSids3 15 # 16 # Shouldn't dump errors against a win7 17 # 18 ################################################################################ 19 20 from __future__ import division 21 from __future__ import print_function 22 import unittest 23 try: 24 import ConfigParser 25 except ImportError: 26 import configparser as ConfigParser 27 28 from impacket.dcerpc.v5 import transport 29 from impacket.dcerpc.v5 import lsat 30 from impacket.dcerpc.v5 import lsad 31 from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED, RPC_UNICODE_STRING 32 33 34 class LSATTests(unittest.TestCase): 35 def connect(self): 36 rpctransport = transport.DCERPCTransportFactory(self.stringBinding) 37 if len(self.hashes) > 0: 38 lmhash, nthash = self.hashes.split(':') 39 else: 40 lmhash = '' 41 nthash = '' 42 if hasattr(rpctransport, 'set_credentials'): 43 # This method exists only for selected protocol sequences. 44 rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) 45 dce = rpctransport.get_dce_rpc() 46 #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) 47 dce.connect() 48 dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts) 49 request = lsad.LsarOpenPolicy2() 50 request['SystemName'] = NULL 51 request['ObjectAttributes']['RootDirectory'] = NULL 52 request['ObjectAttributes']['ObjectName'] = NULL 53 request['ObjectAttributes']['SecurityDescriptor'] = NULL 54 request['ObjectAttributes']['SecurityQualityOfService'] = NULL 55 request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES 56 resp = dce.request(request) 57 58 return dce, rpctransport, resp['PolicyHandle'] 59 60 def test_LsarGetUserName(self): 61 dce, rpctransport, policyHandle = self.connect() 62 63 request = lsat.LsarGetUserName() 64 request['SystemName'] = NULL 65 request['UserName'] = NULL 66 request['DomainName'] = NULL 67 resp = dce.request(request) 68 resp.dump() 69 70 def test_hLsarGetUserName(self): 71 dce, rpctransport, policyHandle = self.connect() 72 73 resp = lsat.hLsarGetUserName(dce) 74 resp.dump() 75 76 def test_LsarLookupNames4(self): 77 # not working, I need netlogon here 78 dce, rpctransport, policyHandle = self.connect() 79 80 request = lsat.LsarLookupNames4() 81 request['Count'] = 2 82 name1 = RPC_UNICODE_STRING() 83 name1['Data'] = 'Administrator' 84 name2 = RPC_UNICODE_STRING() 85 name2['Data'] = 'Guest' 86 request['Names'].append(name1) 87 request['Names'].append(name2) 88 request['TranslatedSids']['Sids'] = NULL 89 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 90 request['LookupOptions'] = 0x00000000 91 request['ClientRevision'] = 0x00000001 92 try: 93 resp = dce.request(request) 94 resp.dump() 95 except Exception as e: 96 # The RPC server MUST ensure that the RPC_C_AUTHN_NETLOGON security provider 97 # (as specified in [MS-RPCE] section 2.2.1.1.7) and at least 98 # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY authentication level (as specified in 99 # [MS-RPCE] section 2.2.1.1.8) are used in this RPC message. 100 # Otherwise, the RPC server MUST return STATUS_ACCESS_DENIED. 101 if str(e).find('rpc_s_access_denied') < 0: 102 raise 103 104 def test_hLsarLookupNames4(self): 105 # not working, I need netlogon here 106 dce, rpctransport, policyHandle = self.connect() 107 108 try: 109 resp = lsat.hLsarLookupNames4(dce, ('Administrator', 'Guest')) 110 resp.dump() 111 except Exception as e: 112 # The RPC server MUST ensure that the RPC_C_AUTHN_NETLOGON security provider 113 # (as specified in [MS-RPCE] section 2.2.1.1.7) and at least 114 # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY authentication level (as specified in 115 # [MS-RPCE] section 2.2.1.1.8) are used in this RPC message. 116 # Otherwise, the RPC server MUST return STATUS_ACCESS_DENIED. 117 if str(e).find('rpc_s_access_denied') < 0: 118 raise 119 120 def test_LsarLookupNames3(self): 121 dce, rpctransport, policyHandle = self.connect() 122 123 request = lsat.LsarLookupNames3() 124 request['PolicyHandle'] = policyHandle 125 request['Count'] = 2 126 name1 = RPC_UNICODE_STRING() 127 name1['Data'] = 'Administrator' 128 name2 = RPC_UNICODE_STRING() 129 name2['Data'] = 'Guest' 130 request['Names'].append(name1) 131 request['Names'].append(name2) 132 request['TranslatedSids']['Sids'] = NULL 133 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 134 request['LookupOptions'] = 0x00000000 135 request['ClientRevision'] = 0x00000001 136 resp = dce.request(request) 137 resp.dump() 138 139 def test_hLsarLookupNames3(self): 140 dce, rpctransport, policyHandle = self.connect() 141 142 resp = lsat.hLsarLookupNames3(dce, policyHandle, ('Administrator', 'Guest')) 143 resp.dump() 144 145 def test_LsarLookupNames2(self): 146 dce, rpctransport, policyHandle = self.connect() 147 148 request = lsat.LsarLookupNames2() 149 request['PolicyHandle'] = policyHandle 150 request['Count'] = 2 151 name1 = RPC_UNICODE_STRING() 152 name1['Data'] = 'Administrator' 153 name2 = RPC_UNICODE_STRING() 154 name2['Data'] = 'Guest' 155 request['Names'].append(name1) 156 request['Names'].append(name2) 157 request['TranslatedSids']['Sids'] = NULL 158 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 159 request['LookupOptions'] = 0x00000000 160 request['ClientRevision'] = 0x00000001 161 resp = dce.request(request) 162 resp.dump() 163 164 def test_hLsarLookupNames2(self): 165 dce, rpctransport, policyHandle = self.connect() 166 167 resp = lsat.hLsarLookupNames2(dce, policyHandle, ('Administrator', 'Guest')) 168 resp.dump() 169 170 def test_hLsarLookupNames(self): 171 dce, rpctransport, policyHandle = self.connect() 172 173 resp = lsat.hLsarLookupNames(dce, policyHandle, ('Administrator', 'Guest')) 174 resp.dump() 175 176 def test_LsarLookupNames(self): 177 dce, rpctransport, policyHandle = self.connect() 178 179 request = lsat.LsarLookupNames() 180 request['PolicyHandle'] = policyHandle 181 request['Count'] = 2 182 name1 = RPC_UNICODE_STRING() 183 name1['Data'] = 'Administrator' 184 name2 = RPC_UNICODE_STRING() 185 name2['Data'] = 'Guest' 186 request['Names'].append(name1) 187 request['Names'].append(name2) 188 request['TranslatedSids']['Sids'] = NULL 189 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 190 resp = dce.request(request) 191 resp.dump() 192 193 def test_LsarLookupSids3(self): 194 # not working, I need netlogon here 195 dce, rpctransport, policyHandle = self.connect() 196 197 request = lsat.LsarLookupNames() 198 request['PolicyHandle'] = policyHandle 199 request['Count'] = 1 200 name1 = RPC_UNICODE_STRING() 201 name1['Data'] = 'Administrator' 202 request['Names'].append(name1) 203 request['TranslatedSids']['Sids'] = NULL 204 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 205 resp = dce.request(request) 206 resp.dump() 207 domainSid = resp['ReferencedDomains']['Domains'][0]['Sid'].formatCanonical() 208 209 request = lsat.LsarLookupSids3() 210 sid1 = lsat.LSAPR_SID_INFORMATION() 211 sid1['Sid'].fromCanonical(domainSid + '-500') 212 sid2= lsat.LSAPR_SID_INFORMATION() 213 sid2['Sid'].fromCanonical(domainSid + '-501') 214 request['SidEnumBuffer']['Entries'] = 2 215 request['SidEnumBuffer']['SidInfo'].append(sid1) 216 request['SidEnumBuffer']['SidInfo'].append(sid2) 217 request['TranslatedNames']['Names'] = NULL 218 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 219 request['LookupOptions'] = 0x00000000 220 request['ClientRevision'] = 0x00000001 221 try: 222 resp = dce.request(request) 223 resp.dump() 224 except Exception as e: 225 # The RPC server MUST ensure that the RPC_C_AUTHN_NETLOGON security provider 226 # (as specified in [MS-RPCE] section 2.2.1.1.7) and at least 227 # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY authentication level (as specified in 228 # [MS-RPCE] section 2.2.1.1.8) are used in this RPC message. 229 # Otherwise, the RPC server MUST return STATUS_ACCESS_DENIED. 230 if str(e).find('rpc_s_access_denied') < 0: 231 raise 232 233 def test_LsarLookupSids2(self): 234 dce, rpctransport, policyHandle = self.connect() 235 236 request = lsat.LsarLookupNames() 237 request['PolicyHandle'] = policyHandle 238 request['Count'] = 1 239 name1 = RPC_UNICODE_STRING() 240 name1['Data'] = 'Administrator' 241 request['Names'].append(name1) 242 request['TranslatedSids']['Sids'] = NULL 243 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 244 resp = dce.request(request) 245 resp.dump() 246 domainSid = resp['ReferencedDomains']['Domains'][0]['Sid'].formatCanonical() 247 248 request = lsat.LsarLookupSids2() 249 request['PolicyHandle'] = policyHandle 250 sid1 = lsat.LSAPR_SID_INFORMATION() 251 sid1['Sid'].fromCanonical(domainSid + '-500') 252 sid2= lsat.LSAPR_SID_INFORMATION() 253 sid2['Sid'].fromCanonical(domainSid + '-501') 254 request['SidEnumBuffer']['Entries'] = 2 255 request['SidEnumBuffer']['SidInfo'].append(sid1) 256 request['SidEnumBuffer']['SidInfo'].append(sid2) 257 request['TranslatedNames']['Names'] = NULL 258 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 259 request['LookupOptions'] = 0x00000000 260 request['ClientRevision'] = 0x00000001 261 resp = dce.request(request) 262 resp.dump() 263 264 def test_hLsarLookupSids2(self): 265 dce, rpctransport, policyHandle = self.connect() 266 267 resp = lsat.hLsarLookupNames(dce, policyHandle, ('Administrator',)) 268 resp.dump() 269 domainSid = resp['ReferencedDomains']['Domains'][0]['Sid'].formatCanonical() 270 sids = list() 271 sids.append(domainSid + '-500') 272 sids.append(domainSid + '-501') 273 resp = lsat.hLsarLookupSids2(dce, policyHandle, sids) 274 resp.dump() 275 276 def test_LsarLookupSids(self): 277 dce, rpctransport, policyHandle = self.connect() 278 279 request = lsat.LsarLookupNames() 280 request['PolicyHandle'] = policyHandle 281 request['Count'] = 1 282 name1 = RPC_UNICODE_STRING() 283 name1['Data'] = 'Administrator' 284 request['Names'].append(name1) 285 request['TranslatedSids']['Sids'] = NULL 286 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 287 resp = dce.request(request) 288 resp.dump() 289 domainSid = resp['ReferencedDomains']['Domains'][0]['Sid'].formatCanonical() 290 291 request = lsat.LsarLookupSids() 292 request['PolicyHandle'] = policyHandle 293 for i in range(1000): 294 sid = lsat.LSAPR_SID_INFORMATION() 295 sid['Sid'].fromCanonical(domainSid + '-%d' % (500+i)) 296 request['SidEnumBuffer']['SidInfo'].append(sid) 297 request['SidEnumBuffer']['Entries'] += 1 298 request['TranslatedNames']['Names'] = NULL 299 request['LookupLevel'] = lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta 300 try: 301 resp = dce.request(request) 302 resp.dump() 303 except Exception as e: 304 if str(e).find('STATUS_SOME_NOT_MAPPED') < 0: 305 raise 306 else: 307 resp = e.get_packet() 308 resp.dump() 309 310 def test_hLsarLookupSids(self): 311 dce, rpctransport, policyHandle = self.connect() 312 313 resp = lsat.hLsarLookupNames(dce, policyHandle, ('Administrator',)) 314 resp.dump() 315 domainSid = resp['ReferencedDomains']['Domains'][0]['Sid'].formatCanonical() 316 317 sids = list() 318 for i in range(1000): 319 sids.append(domainSid + '-%d' % (500+i)) 320 try: 321 resp = lsat.hLsarLookupSids(dce, policyHandle, sids ) 322 resp.dump() 323 except Exception as e: 324 if str(e).find('STATUS_SOME_NOT_MAPPED') < 0: 325 raise 326 else: 327 resp = e.get_packet() 328 resp.dump() 329 330 331 class SMBTransport(LSATTests): 332 def setUp(self): 333 LSATTests.setUp(self) 334 configFile = ConfigParser.ConfigParser() 335 configFile.read('dcetests.cfg') 336 self.username = configFile.get('SMBTransport', 'username') 337 self.domain = configFile.get('SMBTransport', 'domain') 338 self.serverName = configFile.get('SMBTransport', 'servername') 339 self.password = configFile.get('SMBTransport', 'password') 340 self.machine = configFile.get('SMBTransport', 'machine') 341 self.hashes = configFile.get('SMBTransport', 'hashes') 342 self.stringBinding = r'ncacn_np:%s[\PIPE\lsarpc]' % self.machine 343 self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0') 344 345 class SMBTransport64(LSATTests): 346 def setUp(self): 347 LSATTests.setUp(self) 348 configFile = ConfigParser.ConfigParser() 349 configFile.read('dcetests.cfg') 350 self.username = configFile.get('SMBTransport', 'username') 351 self.domain = configFile.get('SMBTransport', 'domain') 352 self.serverName = configFile.get('SMBTransport', 'servername') 353 self.password = configFile.get('SMBTransport', 'password') 354 self.machine = configFile.get('SMBTransport', 'machine') 355 self.hashes = configFile.get('SMBTransport', 'hashes') 356 self.stringBinding = r'ncacn_np:%s[\PIPE\lsarpc]' % self.machine 357 self.ts = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0') 358 359 360 # Process command-line arguments. 361 if __name__ == '__main__': 362 import sys 363 if len(sys.argv) > 1: 364 testcase = sys.argv[1] 365 suite = unittest.TestLoader().loadTestsFromTestCase(globals()[testcase]) 366 else: 367 suite = unittest.TestLoader().loadTestsFromTestCase(SMBTransport) 368 suite.addTests(unittest.TestLoader().loadTestsFromTestCase(SMBTransport64)) 369 unittest.TextTestRunner(verbosity=1).run(suite)