
     1  ###############################################################################
     2  #  Tested so far: 
     3  #
     4  #
     5  #  Not yet:
     6  #
     7  #
     8  # Shouldn't dump errors against a win7
     9  #
    10  ################################################################################
    11  
    12  import unittest
    13  try:
    14      import ConfigParser
    15  except ImportError:
    16      import configparser as ConfigParser
    17  
    18  from impacket.dcerpc.v5 import transport
    19  from impacket.dcerpc.v5 import mimilib, epm
    20  from impacket.winregistry import hexdump
    21  
    22  
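class RRPTests(unittest.TestCase):
    """Exercise the mimikatz RPC interface (``MSRPC_UUID_MIMIKATZ``) via mimilib.

    The class name is inherited from the RRP (remote registry) test template;
    nothing here touches the registry. Subclasses provide ``self.stringBinding``
    and ``self.ts`` (transfer syntax) in ``setUp``. Every test opens its own
    connection through ``connect()`` and closes it again in a ``finally``.

    Security notes (review):
      * The key agreement is a bare Diffie-Hellman exchange carried inside
        MimiBind. Nothing authenticates the peer: ``set_credentials`` and
        ``set_auth_level`` in ``connect()`` are commented out, so an on-path
        attacker can substitute its own public value and read or alter every
        command and result. Acceptable against a lab host you already control,
        not elsewhere.
      * The server's public value is passed straight to ``getSharedSecret``;
        whether mimilib rejects degenerate values (0, 1, p-1) is not visible
        from this file.
      * Request and reply are RC4-encrypted under the same key with the
        keystream restarted for each message (see ``test_MimiCommand``), so a
        passive observer who knows the command can recover the same number of
        bytes at the start of the reply. ``test_MimiCommand`` also prints the
        decrypted result, which for commands such as
        ``sekurlsa::logonPasswords`` contains credentials.
    """

    # Size in bytes of the DH PUBLICKEYBLOB placed in MimiBind. Presumably
    # 8-byte PUBLICKEYSTRUC + 8-byte DHPUBKEY + 128-byte y (1024-bit modulus)
    # -- verify against mimilib.PUBLICKEYBLOB; kept as the literal the protocol
    # expects rather than derived from the serialized blob.
    DH_PUBLICKEYBLOB_SIZE = 144

    def _bind_request(self, dh):
        """Build a MimiBind request carrying the public value of *dh*.

        ``genPublicKey()`` is reversed before it goes on the wire and the
        server's value is reversed again in ``_shared_secret``; presumably the
        wire format is little-endian while MimiDiffeH works big-endian -- this
        mirrors the original test and is not verified here.
        """
        blob = mimilib.PUBLICKEYBLOB()
        blob['y'] = dh.genPublicKey()[::-1]
        request = mimilib.MimiBind()
        request['clientPublicKey']['sessionType'] = mimilib.CALG_RC4
        request['clientPublicKey']['cbPublicKey'] = self.DH_PUBLICKEYBLOB_SIZE
        request['clientPublicKey']['pbPublicKey'] = blob.getData()
        return request

    def _server_public_key(self, resp):
        """Parse the server's PUBLICKEYBLOB out of a MimiBind response.

        ``pbPublicKey`` arrives as a sequence of byte chunks (NDR array), hence
        the join before parsing.
        """
        return mimilib.PUBLICKEYBLOB(b''.join(resp['serverPublicKey']['pbPublicKey']))

    def _shared_secret(self, dh, blob):
        """Complete the DH exchange against the server's public value in *blob*."""
        return dh.getSharedSecret(blob['y'][::-1])

    def connect(self):
        """Open an RPC connection, bind the mimikatz interface and run MimiBind.

        Returns ``(dce, rpctransport, pHandle, key)`` where ``pHandle`` is the
        context handle from the MimiBind reply and ``key`` is the last 16 bytes
        of the DH shared secret (used, reversed, as the RC4 key in
        ``test_MimiCommand``). The caller owns ``dce`` and must call
        ``dce.disconnect()``; if the handshake itself fails the transport is
        closed here before the exception propagates.
        """
        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        rpctransport.set_connect_timeout(30000)
        # NOTE(review): no credentials and no auth level are set, so the RPC
        # session is unauthenticated and unprotected; see the class docstring.
        # if hasattr(rpctransport, 'set_credentials'):
        #     # This method exists only for selected protocol sequences.
        #     rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        # dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
        dce.connect()
        try:
            dce.bind(mimilib.MSRPC_UUID_MIMIKATZ, transfer_syntax=self.ts)
            dh = mimilib.MimiDiffeH()
            resp = dce.request(self._bind_request(dh))
            key = self._shared_secret(dh, self._server_public_key(resp))
            pHandle = resp['phMimi']
        except Exception:
            # Do not leak the socket when the bind/handshake fails part-way.
            dce.disconnect()
            raise
        return dce, rpctransport, pHandle, key[-16:]

    def test_MimiBind(self):
        """Run a second MimiBind on an already-bound connection and dump both sides."""
        dce, rpctransport, pHandle, key = self.connect()
        try:
            dh = mimilib.MimiDiffeH()
            print('Our Public')
            print('='*80)
            hexdump(dh.genPublicKey())
            resp = dce.request(self._bind_request(dh))
            blob = self._server_public_key(resp)
            print('='*80)
            print('Server Public')
            hexdump(blob['y'])
            print('='*80)
            print('Shared')
            hexdump(self._shared_secret(dh, blob))
            resp.dump()
        finally:
            dce.disconnect()

    def test_MimiCommand(self):
        """Send one RC4-encrypted mimikatz command and print the decrypted reply."""
        dce, rpctransport, pHandle, key = self.connect()
        try:
            from Cryptodome.Cipher import ARC4
            # The RC4 key is the reversed 16-byte tail of the DH secret.
            rc4_key = key[::-1]
            command = ARC4.new(rc4_key).encrypt('token::whoami\x00'.encode('utf-16le'))
            # command = ARC4.new(rc4_key).encrypt('sekurlsa::logonPasswords\x00'.encode('utf-16le'))
            # command = ARC4.new(rc4_key).encrypt('process::imports\x00'.encode('utf-16le'))
            request = mimilib.MimiCommand()
            request['phMimi'] = pHandle
            request['szEncCommand'] = len(command)
            request['encCommand'] = list(command)
            resp = dce.request(request)
            cipherText = b''.join(resp['encResult'])
            # A fresh ARC4 object restarts the keystream, i.e. the reply is
            # XORed with the same keystream bytes as the command above. With a
            # known command that is a two-time pad: the first len(command)
            # bytes of the reply are recoverable without the key. This is how
            # the protocol behaves; it is not something this test can fix.
            plain = ARC4.new(rc4_key).decrypt(cipherText)
            print('='*80)
            print(plain)
            # resp.dump()
        finally:
            dce.disconnect()

    def test_MimiUnBind(self):
        """Release the context handle obtained by MimiBind and dump the reply."""
        dce, rpctransport, pHandle, key = self.connect()
        try:
            request = mimilib.MimiUnbind()
            request['phMimi'] = pHandle
            hexdump(request.getData())
            resp = dce.request(request)
            resp.dump()
        finally:
            dce.disconnect()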
    98  
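class TCPTransport(RRPTests):
    """Run RRPTests over ``ncacn_ip_tcp`` against the host named in ``dcetests.cfg``.

    Reads the ``[TCPTransport]`` section (username, domain, servername,
    password, machine, hashes). As written, RRPTests only uses ``machine`` --
    to resolve the mimikatz endpoint through the endpoint mapper -- because it
    connects unauthenticated; the credential fields are stored for parity with
    the other impacket test modules. ``dcetests.cfg`` holds plaintext
    credentials and hashes, so keep it out of version control.
    """

    CONFIG_FILE = 'dcetests.cfg'
    SECTION = 'TCPTransport'

    def setUp(self):
        RRPTests.setUp(self)
        configFile = ConfigParser.ConfigParser()
        # ConfigParser.read() silently ignores a missing file; the first .get()
        # would then fail with an unhelpful NoSectionError. Skip with a clear
        # message instead, since there is no target to test against.
        if not configFile.read(self.CONFIG_FILE):
            self.skipTest('%s not found; no test target configured' % self.CONFIG_FILE)
        section = self.SECTION
        self.username = configFile.get(section, 'username')
        self.domain = configFile.get(section, 'domain')
        self.serverName = configFile.get(section, 'servername')
        self.password = configFile.get(section, 'password')
        self.machine = configFile.get(section, 'machine')
        self.hashes = configFile.get(section, 'hashes')
        # Ask the target's endpoint mapper where the mimikatz interface lives.
        self.stringBinding = epm.hept_map(self.machine, mimilib.MSRPC_UUID_MIMIKATZ,
                                          protocol='ncacn_ip_tcp')
        # Standard NDR transfer syntax (UUID / version 2.0).
        self.ts = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0')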
   112  
   113  
   114  # Process command-line arguments.
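if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        testcase = sys.argv[1]
        # Accept only names of TestCase classes from this module. A bare
        # globals()[name] lookup also resolves imports (e.g. "unittest") and
        # then fails inside loadTestsFromTestCase with an obscure error, or
        # raises KeyError for a typo.
        cls = globals().get(testcase)
        if not (isinstance(cls, type) and issubclass(cls, unittest.TestCase)):
            sys.exit('Unknown test case %r (expected e.g. TCPTransport)' % testcase)
        suite = unittest.TestLoader().loadTestsFromTestCase(cls)
    else:
        suite = unittest.TestLoader().loadTestsFromTestCase(TCPTransport)
        # suite.addTests(unittest.TestLoader().loadTestsFromTestCase(SMBTransport64))
    unittest.TextTestRunner(verbosity=1).run(suite)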