github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/tests/SMB_RPC/test_nrpc.py (about) 1 ############################################################################### 2 # Tested so far: 3 # 4 # DsrGetDcNameEx2 5 # DsrGetDcNameEx 6 # DsrGetDcName 7 # NetrGetDCName 8 # NetrGetAnyDCName 9 # DsrGetSiteName 10 # DsrGetDcSiteCoverageW 11 # DsrAddressToSiteNamesW 12 # DsrAddressToSiteNamesExW 13 # DsrDeregisterDnsHostRecords 14 # NetrServerReqChallenge 15 # NetrServerAuthenticate3 16 # NetrServerAuthenticate2 17 # NetrServerAuthenticate 18 # NetrServerTrustPasswordsGet 19 # NetrLogonGetCapabilities 20 # NetrDatabaseDeltas 21 # NetrDatabaseSync2 22 # NetrDatabaseSync 23 # DsrEnumerateDomainTrusts 24 # NetrEnumerateTrustedDomainsEx 25 # NetrEnumerateTrustedDomains 26 # NetrGetForestTrustInformation 27 # DsrGetForestTrustInformation 28 # NetrServerGetTrustInfo 29 # NetrLogonGetTrustRid 30 # NetrLogonComputeServerDigest 31 # NetrLogonComputeClientDigest 32 # NetrLogonSendToSam 33 # NetrLogonSetServiceBits 34 # NetrLogonGetTimeServiceParentDomain 35 # NetrLogonControl2Ex 36 # NetrLogonControl2 37 # NetrLogonControl 38 # NetrLogonUasLogon 39 # NetrLogonGetDomainInfo 40 # 41 # Not yet: 42 # 43 # DSRUpdateReadOnlyServerDnsRecords 44 # NetrServerPasswordGet 45 # NetrLogonSamLogonEx 46 # NetrLogonSamLogonWithFlags 47 # NetrLogonSamLogon 48 # NetrLogonSamLogoff 49 # NetrDatabaseRedo 50 # 51 # Shouldn't dump errors against a win7 52 # 53 ################################################################################ 54 55 import unittest 56 try: 57 import ConfigParser 58 except ImportError: 59 import configparser as ConfigParser 60 from struct import pack, unpack 61 from binascii import unhexlify 62 63 from impacket.dcerpc.v5 import transport 64 from impacket.dcerpc.v5 import epm, nrpc 65 from impacket.dcerpc.v5.dtypes import NULL 66 from impacket import ntlm 67 68 69 class NRPCTests(unittest.TestCase): 70 def connect(self): 71 rpctransport = transport.DCERPCTransportFactory(self.stringBinding) 72 if len(self.machineUserHashes) > 0: 73 lmhash, nthash = self.machineUserHashes.split(':') 74 else: 75 lmhash = '' 76 nthash = '' 77 if hasattr(rpctransport, 'set_credentials'): 78 # This method exists only for selected protocol sequences. 79 rpctransport.set_credentials(self.machineUser, '', self.domain, lmhash, nthash) 80 dce = rpctransport.get_dce_rpc() 81 # dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) 82 dce.connect() 83 dce.bind(nrpc.MSRPC_UUID_NRPC) 84 resp = nrpc.hNetrServerReqChallenge(dce, NULL, self.serverName + '\x00', b'12345678') 85 resp.dump() 86 serverChallenge = resp['ServerChallenge'] 87 88 if self.machineUserHashes == '': 89 ntHash = None 90 else: 91 ntHash = unhexlify(self.machineUserHashes.split(':')[1]) 92 93 self.sessionKey = nrpc.ComputeSessionKeyStrongKey('', b'12345678', serverChallenge, ntHash) 94 95 ppp = nrpc.ComputeNetlogonCredential(b'12345678', self.sessionKey) 96 97 try: 98 resp = nrpc.hNetrServerAuthenticate3(dce, NULL, self.machineUser + '\x00', 99 nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel, 100 self.serverName + '\x00', ppp, 0x600FFFFF) 101 resp.dump() 102 except Exception as e: 103 if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0: 104 raise 105 106 self.clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10) 107 108 # dce.set_auth_type(RPC_C_AUTHN_NETLOGON) 109 # dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) 110 # dce2 = dce.alter_ctx(nrpc.MSRPC_UUID_NRPC) 111 # dce2.set_session_key(self.sessionKey) 112 113 return dce, rpctransport 114 115 def update_authenticator(self): 116 authenticator = nrpc.NETLOGON_AUTHENTICATOR() 117 authenticator['Credential'] = nrpc.ComputeNetlogonCredential(self.clientStoredCredential, self.sessionKey) 118 authenticator['Timestamp'] = 10 119 return authenticator 120 121 def test_DsrGetDcNameEx2(self): 122 dce, rpctransport = self.connect() 123 request = nrpc.DsrGetDcNameEx2() 124 request['ComputerName'] = NULL 125 request['AccountName'] = 'Administrator\x00' 126 request['AllowableAccountControlBits'] = 1 << 9 127 request['DomainName'] = NULL 128 request['DomainGuid'] = NULL 129 request['SiteName'] = NULL 130 request['Flags'] = 0 131 132 resp = dce.request(request) 133 resp.dump() 134 135 def test_hDsrGetDcNameEx2(self): 136 dce, rpctransport = self.connect() 137 resp = nrpc.hDsrGetDcNameEx2(dce, NULL, 'Administrator\x00', 1 << 9, NULL, NULL, NULL, 0) 138 resp.dump() 139 140 def test_DsrGetDcNameEx(self): 141 dce, rpctransport = self.connect() 142 request = nrpc.DsrGetDcNameEx() 143 request['ComputerName'] = NULL 144 request['DomainName'] = NULL 145 request['DomainGuid'] = NULL 146 request['SiteName'] = NULL 147 request['Flags'] = 0 148 149 resp = dce.request(request) 150 resp.dump() 151 152 def test_hDsrGetDcNameEx(self): 153 dce, rpctransport = self.connect() 154 resp = nrpc.hDsrGetDcNameEx(dce, NULL, NULL, NULL, NULL, 0) 155 resp.dump() 156 157 def test_DsrGetDcName(self): 158 dce, rpctransport = self.connect() 159 request = nrpc.DsrGetDcName() 160 request['ComputerName'] = NULL 161 request['DomainName'] = NULL 162 request['DomainGuid'] = NULL 163 request['SiteGuid'] = NULL 164 request['Flags'] = 0 165 166 resp = dce.request(request) 167 resp.dump() 168 169 def test_hDsrGetDcName(self): 170 dce, rpctransport = self.connect() 171 resp = nrpc.hDsrGetDcName(dce, NULL, NULL, NULL, NULL, 0) 172 resp.dump() 173 174 def test_NetrGetDCName(self): 175 dce, rpctransport = self.connect() 176 request = nrpc.NetrGetDCName() 177 request['ServerName'] = '\x00' * 20 178 request['DomainName'] = self.domain.split('.')[0] + '\x00' 179 180 resp = dce.request(request) 181 resp.dump() 182 183 def test_hNetrGetDCName(self): 184 dce, rpctransport = self.connect() 185 resp = nrpc.hNetrGetDCName(dce, '\x00' * 20, self.domain.split('.')[0] + '\x00') 186 resp.dump() 187 188 def test_NetrGetAnyDCName(self): 189 dce, rpctransport = self.connect() 190 request = nrpc.NetrGetAnyDCName() 191 request['ServerName'] = NULL 192 request['DomainName'] = self.domain + '\x00' 193 194 try: 195 resp = dce.request(request) 196 resp.dump() 197 except Exception as e: 198 if str(e).find('ERROR_NO_SUCH_DOMAIN') < 0: 199 raise 200 201 def test_hNetrGetAnyDCName(self): 202 dce, rpctransport = self.connect() 203 try: 204 resp = nrpc.hNetrGetAnyDCName(dce, '\x00' * 20, self.domain + '\x00') 205 resp.dump() 206 except Exception as e: 207 if str(e).find('ERROR_NO_SUCH_DOMAIN') < 0: 208 raise 209 210 def test_DsrGetSiteName(self): 211 dce, rpctransport = self.connect() 212 request = nrpc.DsrGetSiteName() 213 request['ComputerName'] = NULL 214 215 resp = dce.request(request) 216 resp.dump() 217 218 def test_hDsrGetSiteName(self): 219 dce, rpctransport = self.connect() 220 resp = nrpc.hDsrGetSiteName(dce, NULL) 221 resp.dump() 222 223 def test_DsrGetDcSiteCoverageW(self): 224 dce, rpctransport = self.connect() 225 request = nrpc.DsrGetDcSiteCoverageW() 226 request['ServerName'] = NULL 227 228 resp = dce.request(request) 229 resp.dump() 230 231 def test_hDsrGetDcSiteCoverageW(self): 232 dce, rpctransport = self.connect() 233 resp = nrpc.hDsrGetDcSiteCoverageW(dce, NULL) 234 resp.dump() 235 236 def test_DsrAddressToSiteNamesW(self): 237 dce, rpctransport = self.connect() 238 request = nrpc.DsrAddressToSiteNamesW() 239 request['ComputerName'] = NULL 240 request['EntryCount'] = 1 241 addr = nrpc.IPv4Address() 242 import socket 243 addr['AddressFamily'] = socket.AF_INET 244 addr['Port'] = 0 245 addr['Address'] = unpack('>L', socket.inet_aton(self.machine))[0] 246 socketAddress = nrpc.NL_SOCKET_ADDRESS() 247 socketAddress['lpSockaddr'] = list(addr.getData()) 248 socketAddress['iSockaddrLength'] = len(addr.getData()) 249 request['SocketAddresses'].append(socketAddress) 250 251 resp = dce.request(request) 252 resp.dump() 253 254 def test_hDsrAddressToSiteNamesW(self): 255 dce, rpctransport = self.connect() 256 request = nrpc.DsrAddressToSiteNamesW() 257 request['ComputerName'] = NULL 258 request['EntryCount'] = 1 259 addr = nrpc.IPv4Address() 260 import socket 261 addr['AddressFamily'] = socket.AF_INET 262 addr['Port'] = 0 263 addr['Address'] = unpack('>L', socket.inet_aton(self.machine))[0] 264 socketAddress = nrpc.NL_SOCKET_ADDRESS() 265 socketAddress['lpSockaddr'] = list(addr.getData()) 266 socketAddress['iSockaddrLength'] = len(addr.getData()) 267 request['SocketAddresses'].append(socketAddress) 268 269 resp = dce.request(request) 270 resp.dump() 271 272 def test_DsrAddressToSiteNamesExW(self): 273 dce, rpctransport = self.connect() 274 request = nrpc.DsrAddressToSiteNamesExW() 275 request['ComputerName'] = NULL 276 request['EntryCount'] = 1 277 addr = nrpc.IPv4Address() 278 import socket 279 addr['AddressFamily'] = socket.AF_INET 280 addr['Port'] = 0 281 addr['Address'] = unpack('>L', socket.inet_aton(self.machine))[0] 282 socketAddress = nrpc.NL_SOCKET_ADDRESS() 283 socketAddress['lpSockaddr'] = list(addr.getData()) 284 socketAddress['iSockaddrLength'] = len(addr.getData()) 285 request['SocketAddresses'].append(socketAddress) 286 287 resp = dce.request(request) 288 resp.dump() 289 290 def test_DsrDeregisterDnsHostRecords(self): 291 dce, rpctransport = self.connect() 292 request = nrpc.DsrDeregisterDnsHostRecords() 293 request['ServerName'] = NULL 294 request['DnsDomainName'] = 'BETUS\x00' 295 request['DomainGuid'] = NULL 296 request['DsaGuid'] = NULL 297 request['DnsHostName'] = 'BETUS\x00' 298 299 try: 300 resp = dce.request(request) 301 resp.dump() 302 except Exception as e: 303 if str(e).find('rpc_s_access_denied') < 0: 304 raise 305 306 def test_NetrServerReqChallenge_NetrServerAuthenticate3(self): 307 dce, rpctransport = self.connect() 308 request = nrpc.NetrServerReqChallenge() 309 request['PrimaryName'] = NULL 310 request['ComputerName'] = self.serverName + '\x00' 311 request['ClientChallenge'] = b'12345678' 312 313 resp = dce.request(request) 314 resp.dump() 315 serverChallenge = resp['ServerChallenge'] 316 317 if self.machineUserHashes == '': 318 ntHash = None 319 else: 320 ntHash = unhexlify(self.machineUserHashes.split(':')[1]) 321 322 sessionKey = nrpc.ComputeSessionKeyStrongKey(self.password, b'12345678', serverChallenge, ntHash) 323 324 ppp = nrpc.ComputeNetlogonCredential(b'12345678', sessionKey) 325 326 request = nrpc.NetrServerAuthenticate3() 327 request['PrimaryName'] = NULL 328 request['AccountName'] = self.machineUser + '\x00' 329 request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel 330 request['ComputerName'] = self.serverName + '\x00' 331 request['ClientCredential'] = ppp 332 request['NegotiateFlags'] = 0x600FFFFF 333 334 resp = dce.request(request) 335 resp.dump() 336 337 def test_hNetrServerReqChallenge_hNetrServerAuthenticate3(self): 338 dce, rpctransport = self.connect() 339 resp = nrpc.hNetrServerReqChallenge(dce, NULL, self.serverName + '\x00', b'12345678') 340 resp.dump() 341 serverChallenge = resp['ServerChallenge'] 342 343 if self.machineUserHashes == '': 344 ntHash = None 345 else: 346 ntHash = unhexlify(self.machineUserHashes.split(':')[1]) 347 348 sessionKey = nrpc.ComputeSessionKeyStrongKey(self.password, b'12345678', serverChallenge, ntHash) 349 350 ppp = nrpc.ComputeNetlogonCredential(b'12345678', sessionKey) 351 352 resp = nrpc.hNetrServerAuthenticate3(dce, NULL, self.machineUser + '\x00', 353 nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel 354 , self.serverName + '\x00', ppp, 0x600FFFFF) 355 resp.dump() 356 357 def test_NetrServerReqChallenge_hNetrServerAuthenticate2(self): 358 dce, rpctransport = self.connect() 359 request = nrpc.NetrServerReqChallenge() 360 request['PrimaryName'] = NULL 361 request['ComputerName'] = self.serverName + '\x00' 362 request['ClientChallenge'] = b'12345678' 363 364 resp = dce.request(request) 365 resp.dump() 366 serverChallenge = resp['ServerChallenge'] 367 368 if self.machineUserHashes == '': 369 ntHash = None 370 else: 371 ntHash = unhexlify(self.machineUserHashes.split(':')[1]) 372 373 sessionKey = nrpc.ComputeSessionKeyStrongKey(self.password, b'12345678', serverChallenge, ntHash) 374 375 ppp = nrpc.ComputeNetlogonCredential(b'12345678', sessionKey) 376 377 resp = nrpc.hNetrServerAuthenticate2(dce, NULL, self.machineUser + '\x00', 378 nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel 379 , self.serverName + '\x00', ppp, 0x600FFFFF) 380 resp.dump() 381 382 def test_hNetrServerReqChallenge_NetrServerAuthenticate2(self): 383 dce, rpctransport = self.connect() 384 resp = nrpc.hNetrServerReqChallenge(dce, NULL, self.serverName + '\x00', b'12345678') 385 resp.dump() 386 serverChallenge = resp['ServerChallenge'] 387 388 if self.machineUserHashes == '': 389 ntHash = None 390 else: 391 ntHash = unhexlify(self.machineUserHashes.split(':')[1]) 392 393 sessionKey = nrpc.ComputeSessionKeyStrongKey(self.password, b'12345678', serverChallenge, ntHash) 394 395 ppp = nrpc.ComputeNetlogonCredential(b'12345678', sessionKey) 396 397 request = nrpc.NetrServerAuthenticate2() 398 request['PrimaryName'] = NULL 399 request['AccountName'] = self.machineUser + '\x00' 400 request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel 401 request['ComputerName'] = self.serverName + '\x00' 402 request['ClientCredential'] = ppp 403 request['NegotiateFlags'] = 0x600FFFFF 404 405 resp = dce.request(request) 406 resp.dump() 407 408 def test_NetrServerReqChallenge_NetrServerAuthenticate(self): 409 dce, rpctransport = self.connect() 410 request = nrpc.NetrServerReqChallenge() 411 request['PrimaryName'] = NULL 412 request['ComputerName'] = self.serverName + '\x00' 413 request['ClientChallenge'] = b'12345678' 414 415 resp = dce.request(request) 416 resp.dump() 417 serverChallenge = resp['ServerChallenge'] 418 419 if self.machineUserHashes == '': 420 ntHash = None 421 else: 422 ntHash = unhexlify(self.machineUserHashes.split(':')[1]) 423 424 sessionKey = nrpc.ComputeSessionKeyStrongKey(self.password, b'12345678', serverChallenge, ntHash) 425 426 ppp = nrpc.ComputeNetlogonCredential(b'12345678', sessionKey) 427 428 request = nrpc.NetrServerAuthenticate() 429 request['PrimaryName'] = NULL 430 request['AccountName'] = self.machineUser + '\x00' 431 request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel 432 request['ComputerName'] = self.serverName + '\x00' 433 request['ClientCredential'] = ppp 434 435 try: 436 resp = dce.request(request) 437 resp.dump() 438 except Exception as e: 439 if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0: 440 raise 441 442 def test_hNetrServerReqChallenge_hNetrServerAuthenticate(self): 443 dce, rpctransport = self.connect() 444 resp = nrpc.hNetrServerReqChallenge(dce, NULL, self.serverName + '\x00', b'12345678') 445 resp.dump() 446 serverChallenge = resp['ServerChallenge'] 447 448 if self.machineUserHashes == '': 449 ntHash = None 450 else: 451 ntHash = unhexlify(self.machineUserHashes.split(':')[1]) 452 453 sessionKey = nrpc.ComputeSessionKeyStrongKey(self.password, b'12345678', serverChallenge, ntHash) 454 455 ppp = nrpc.ComputeNetlogonCredential(b'12345678', sessionKey) 456 457 resp.dump() 458 try: 459 resp = nrpc.hNetrServerAuthenticate(dce, NULL, self.machineUser + '\x00', 460 nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel, 461 self.serverName + '\x00', ppp) 462 resp.dump() 463 except Exception as e: 464 if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0: 465 raise 466 467 def test_NetrServerPasswordGet(self): 468 dce, rpctransport = self.connect() 469 request = nrpc.NetrServerPasswordGet() 470 request['PrimaryName'] = NULL 471 request['AccountName'] = self.machineUser + '\x00' 472 request['AccountType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel 473 request['ComputerName'] = self.serverName + '\x00' 474 request['Authenticator'] = self.update_authenticator() 475 476 try: 477 resp = dce.request(request) 478 resp.dump() 479 except Exception as e: 480 if str(e).find('STATUS_ACCESS_DENIED') < 0: 481 raise 482 483 def test_hNetrServerPasswordGet(self): 484 dce, rpctransport = self.connect() 485 try: 486 resp = nrpc.hNetrServerPasswordGet(dce, NULL, self.machineUser + '\x00', 487 nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel, 488 self.serverName + '\x00', self.update_authenticator()) 489 resp.dump() 490 except Exception as e: 491 if str(e).find('STATUS_ACCESS_DENIED') < 0: 492 raise 493 494 def test_NetrServerTrustPasswordsGet(self): 495 dce, rpctransport = self.connect() 496 request = nrpc.NetrServerTrustPasswordsGet() 497 request['TrustedDcName'] = NULL 498 request['AccountName'] = self.machineUser + '\x00' 499 request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel 500 request['ComputerName'] = self.serverName + '\x00' 501 request['Authenticator'] = self.update_authenticator() 502 503 resp = dce.request(request) 504 resp.dump() 505 506 def test_hNetrServerTrustPasswordsGet(self): 507 dce, rpctransport = self.connect() 508 resp = nrpc.hNetrServerTrustPasswordsGet(dce, NULL, self.machineUser, 509 nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel, 510 self.serverName, self.update_authenticator()) 511 resp.dump() 512 513 def test_NetrLogonGetDomainInfo(self): 514 dce, rpctransport = self.connect() 515 request = nrpc.NetrLogonGetDomainInfo() 516 request['ServerName'] = '\x00' * 20 517 request['ComputerName'] = self.serverName + '\x00' 518 request['Authenticator'] = self.update_authenticator() 519 request['ReturnAuthenticator']['Credential'] = b'\x00' * 8 520 request['ReturnAuthenticator']['Timestamp'] = 0 521 request['Level'] = 1 522 request['WkstaBuffer']['tag'] = 1 523 request['WkstaBuffer']['WorkstationInfo']['DnsHostName'] = NULL 524 request['WkstaBuffer']['WorkstationInfo']['SiteName'] = NULL 525 request['WkstaBuffer']['WorkstationInfo']['OsName'] = '' 526 request['WkstaBuffer']['WorkstationInfo']['Dummy1'] = NULL 527 request['WkstaBuffer']['WorkstationInfo']['Dummy2'] = NULL 528 request['WkstaBuffer']['WorkstationInfo']['Dummy3'] = NULL 529 request['WkstaBuffer']['WorkstationInfo']['Dummy4'] = NULL 530 resp = dce.request(request) 531 resp.dump() 532 533 def test_hNetrLogonGetDomainInfo(self): 534 dce, rpctransport = self.connect() 535 resp = nrpc.hNetrLogonGetDomainInfo(dce, '\x00' * 20, self.serverName, self.update_authenticator(), 0, 1) 536 resp.dump() 537 538 def test_NetrLogonGetCapabilities(self): 539 dce, rpctransport = self.connect() 540 request = nrpc.NetrLogonGetCapabilities() 541 request['ServerName'] = '\x00' * 20 542 request['ComputerName'] = self.serverName + '\x00' 543 request['Authenticator'] = self.update_authenticator() 544 request['ReturnAuthenticator']['Credential'] = b'\x00' * 8 545 request['ReturnAuthenticator']['Timestamp'] = 0 546 request['QueryLevel'] = 1 547 resp = dce.request(request) 548 resp.dump() 549 550 def test_hNetrLogonGetCapabilities(self): 551 dce, rpctransport = self.connect() 552 resp = nrpc.hNetrLogonGetCapabilities(dce, '\x00' * 20, self.serverName + '\x00', self.update_authenticator(), 553 0) 554 resp.dump() 555 556 def test_NetrLogonSamLogonEx(self): 557 dce, rpctransport = self.connect() 558 request = nrpc.NetrLogonSamLogonEx() 559 request['LogonServer'] = '\x00' 560 request['ComputerName'] = self.serverName + '\x00' 561 562 563 request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation 564 request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation 565 request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain.split('.')[0] 566 request['LogonInformation']['LogonInteractive']['Identity'][ 567 'ParameterControl'] = 2 + 2 ** 14 + 2 ** 7 + 2 ** 9 + 2 ** 5 + 2 ** 11 568 request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username 569 request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = '' 570 571 572 if len(self.hashes) > 0: 573 lmhash, nthash = self.hashes.split(':') 574 lmhash = unhexlify(lmhash) 575 nthash = unhexlify(nthash) 576 else: 577 lmhash = ntlm.LMOWFv1(self.password) 578 nthash = ntlm.NTOWFv1(self.password) 579 try: 580 from Cryptodome.Cipher import ARC4 581 except Exception: 582 print("Warning: You don't have any crypto installed. You need pycryptodomex") 583 print("See https://pypi.org/project/pycryptodomex/") 584 585 rc4 = ARC4.new(self.sessionKey) 586 lmhash = rc4.encrypt(lmhash) 587 rc4 = ARC4.new(self.sessionKey) 588 nthash = rc4.encrypt(nthash) 589 590 request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash 591 request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash 592 request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4 593 request['ExtraFlags'] = 1 594 try: 595 resp = dce.request(request) 596 resp.dump() 597 except Exception as e: 598 if str(e).find('STATUS_INTERNAL_ERROR') < 0: 599 raise 600 601 def test_NetrLogonSamLogonWithFlags(self): 602 dce, rpctransport = self.connect() 603 request = nrpc.NetrLogonSamLogonWithFlags() 604 request['LogonServer'] = '\x00' 605 request['ComputerName'] = self.serverName + '\x00' 606 request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation 607 request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation 608 request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain 609 request['LogonInformation']['LogonInteractive']['Identity'][ 610 'ParameterControl'] = 2 + 2 ** 14 + 2 ** 7 + 2 ** 9 + 2 ** 5 + 2 ** 11 611 request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username 612 request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = '' 613 if len(self.hashes) > 0: 614 lmhash, nthash = self.hashes.split(':') 615 lmhash = unhexlify(lmhash) 616 nthash = unhexlify(nthash) 617 else: 618 lmhash = ntlm.LMOWFv1(self.password) 619 nthash = ntlm.NTOWFv1(self.password) 620 621 try: 622 from Cryptodome.Cipher import ARC4 623 except Exception: 624 print("Warning: You don't have any crypto installed. You need pycryptodomex") 625 print("See https://pypi.org/project/pycryptodomex/") 626 627 rc4 = ARC4.new(self.sessionKey) 628 lmhash = rc4.encrypt(lmhash) 629 rc4 = ARC4.new(self.sessionKey) 630 nthash = rc4.encrypt(nthash) 631 632 request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash 633 request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash 634 request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4 635 request['Authenticator'] = self.update_authenticator() 636 request['ReturnAuthenticator']['Credential'] = b'\x00' * 8 637 request['ReturnAuthenticator']['Timestamp'] = 0 638 request['ExtraFlags'] = 0 639 try: 640 resp = dce.request(request) 641 resp.dump() 642 except Exception as e: 643 if str(e).find('STATUS_NO_SUCH_USER') < 0: 644 raise 645 646 def test_NetrLogonSamLogon(self): 647 dce, rpctransport = self.connect() 648 request = nrpc.NetrLogonSamLogon() 649 request['LogonServer'] = '\x00' 650 request['ComputerName'] = self.serverName + '\x00' 651 request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation 652 request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation 653 request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain 654 request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = 2 655 request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username 656 request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = '' 657 if len(self.hashes) > 0: 658 lmhash, nthash = self.hashes.split(':') 659 lmhash = unhexlify(lmhash) 660 nthash = unhexlify(nthash) 661 else: 662 lmhash = ntlm.LMOWFv1(self.password) 663 nthash = ntlm.NTOWFv1(self.password) 664 665 try: 666 from Cryptodome.Cipher import ARC4 667 except Exception: 668 print("Warning: You don't have any crypto installed. You need PyCrypto") 669 print("See http://www.pycrypto.org/") 670 671 rc4 = ARC4.new(self.sessionKey) 672 lmhash = rc4.encrypt(lmhash) 673 rc4 = ARC4.new(self.sessionKey) 674 nthash = rc4.encrypt(nthash) 675 676 request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = lmhash 677 request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = nthash 678 request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2 679 request['Authenticator'] = self.update_authenticator() 680 request['ReturnAuthenticator']['Credential'] = b'\x00' * 8 681 request['ReturnAuthenticator']['Timestamp'] = 0 682 try: 683 resp = dce.request(request) 684 resp.dump() 685 except Exception as e: 686 if str(e).find('STATUS_NO_SUCH_USER') < 0: 687 raise 688 689 def test_NetrDatabaseDeltas(self): 690 dce, rpctransport = self.connect() 691 request = nrpc.NetrDatabaseDeltas() 692 request['PrimaryName'] = '\x00' * 20 693 request['ComputerName'] = self.serverName + '\x00' 694 request['Authenticator'] = self.update_authenticator() 695 request['ReturnAuthenticator']['Credential'] = b'\x00' * 8 696 request['ReturnAuthenticator']['Timestamp'] = 0 697 request['DatabaseID'] = 0 698 # request['DomainModifiedCount'] = 1 699 request['PreferredMaximumLength'] = 0xffffffff 700 try: 701 resp = dce.request(request) 702 resp.dump() 703 except Exception as e: 704 if str(e).find('STATUS_NOT_SUPPORTED') < 0: 705 raise 706 707 def test_NetrDatabaseSync2(self): 708 dce, rpctransport = self.connect() 709 request = nrpc.NetrDatabaseSync2() 710 request['PrimaryName'] = '\x00' * 20 711 request['ComputerName'] = self.serverName + '\x00' 712 request['Authenticator'] = self.update_authenticator() 713 request['ReturnAuthenticator']['Credential'] = b'\x00' * 8 714 request['ReturnAuthenticator']['Timestamp'] = 0 715 request['DatabaseID'] = 0 716 request['RestartState'] = nrpc.SYNC_STATE.NormalState 717 request['SyncContext'] = 0 718 request['PreferredMaximumLength'] = 0xffffffff 719 try: 720 resp = dce.request(request) 721 resp.dump() 722 except Exception as e: 723 if str(e).find('STATUS_NOT_SUPPORTED') < 0: 724 raise 725 726 def test_NetrDatabaseSync(self): 727 dce, rpctransport = self.connect() 728 request = nrpc.NetrDatabaseSync() 729 request['PrimaryName'] = '\x00' * 20 730 request['ComputerName'] = self.serverName + '\x00' 731 request['Authenticator'] = self.update_authenticator() 732 request['ReturnAuthenticator']['Credential'] = b'\x00' * 8 733 request['ReturnAuthenticator']['Timestamp'] = 0 734 request['DatabaseID'] = 0 735 request['SyncContext'] = 0 736 request['PreferredMaximumLength'] = 0xffffffff 737 try: 738 resp = dce.request(request) 739 resp.dump() 740 except Exception as e: 741 if str(e).find('STATUS_NOT_SUPPORTED') < 0: 742 raise 743 744 def te_NetrDatabaseRedo(self): 745 dce, rpctransport = self.connect() 746 request = nrpc.NetrDatabaseRedo() 747 request['PrimaryName'] = '\x00' * 20 748 request['ComputerName'] = self.serverName + '\x00' 749 request['Authenticator'] = self.update_authenticator() 750 request['ReturnAuthenticator']['Credential'] = '\x00' * 8 751 request['ReturnAuthenticator']['Timestamp'] = 0 752 request['ChangeLogEntry'] = 0 753 request['ChangeLogEntrySize'] = 0 754 try: 755 resp = dce.request(request) 756 resp.dump() 757 except Exception as e: 758 if str(e).find('STATUS_NOT_SUPPORTED') < 0: 759 raise 760 761 def test_DsrEnumerateDomainTrusts(self): 762 dce, rpctransport = self.connect() 763 request = nrpc.DsrEnumerateDomainTrusts() 764 request['ServerName'] = NULL 765 request['Flags'] = 1 766 try: 767 resp = dce.request(request) 768 resp.dump() 769 except Exception as e: 770 if str(e).find('STATUS_NOT_SUPPORTED') < 0: 771 raise 772 773 def test_NetrEnumerateTrustedDomainsEx(self): 774 dce, rpctransport = self.connect() 775 request = nrpc.NetrEnumerateTrustedDomainsEx() 776 request['ServerName'] = NULL 777 try: 778 resp = dce.request(request) 779 resp.dump() 780 except Exception as e: 781 if str(e).find('STATUS_NOT_SUPPORTED') < 0: 782 raise 783 784 def test_NetrEnumerateTrustedDomains(self): 785 dce, rpctransport = self.connect() 786 request = nrpc.NetrEnumerateTrustedDomains() 787 request['ServerName'] = NULL 788 try: 789 resp = dce.request(request) 790 resp.dump() 791 except Exception as e: 792 if str(e).find('STATUS_NOT_SUPPORTED') < 0: 793 raise 794 795 def test_NetrGetForestTrustInformation(self): 796 dce, rpctransport = self.connect() 797 request = nrpc.NetrGetForestTrustInformation() 798 request['ServerName'] = NULL 799 request['ComputerName'] = self.serverName + '\x00' 800 request['Authenticator'] = self.update_authenticator() 801 request['ReturnAuthenticator']['Credential'] = b'\x00' * 8 802 request['ReturnAuthenticator']['Timestamp'] = 0 803 request['Flags'] = 0 804 try: 805 resp = dce.request(request) 806 resp.dump() 807 except Exception as e: 808 if str(e).find('STATUS_NOT_IMPLEMENTED') < 0: 809 raise 810 811 def test_DsrGetForestTrustInformation(self): 812 dce, rpctransport = self.connect() 813 request = nrpc.DsrGetForestTrustInformation() 814 request['ServerName'] = NULL 815 request['TrustedDomainName'] = self.domain + '\x00' 816 request['Flags'] = 0 817 try: 818 resp = dce.request(request) 819 resp.dump() 820 except Exception as e: 821 if str(e).find('ERROR_NO_SUCH_DOMAIN') < 0 and str(e).find('rpc_s_access_denied') < 0: 822 raise 823 824 def test_NetrServerGetTrustInfo(self): 825 dce, rpctransport = self.connect() 826 request = nrpc.NetrServerGetTrustInfo() 827 request['TrustedDcName'] = NULL 828 request['AccountName'] = self.machineUser + '\x00' 829 request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel 830 request['ComputerName'] = self.serverName + '\x00' 831 request['Authenticator'] = self.update_authenticator() 832 try: 833 resp = dce.request(request) 834 resp.dump() 835 except Exception as e: 836 if str(e).find('ERROR_NO_SUCH_DOMAIN') < 0: 837 raise 838 839 def test_hNetrServerGetTrustInfo(self): 840 dce, rpctransport = self.connect() 841 try: 842 resp = nrpc.hNetrServerGetTrustInfo(dce, NULL, self.machineUser, 843 nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel, 844 self.serverName, self.update_authenticator()) 845 resp.dump() 846 except Exception as e: 847 if str(e).find('ERROR_NO_SUCH_DOMAIN') < 0: 848 raise 849 850 def test_NetrLogonGetTrustRid(self): 851 dce, rpctransport = self.connect() 852 request = nrpc.NetrLogonGetTrustRid() 853 request['ServerName'] = NULL 854 request['DomainName'] = self.domain + '\x00' 855 try: 856 resp = dce.request(request) 857 resp.dump() 858 except Exception as e: 859 if str(e).find('rpc_s_access_denied') < 0: 860 raise 861 862 def test_NetrLogonComputeServerDigest(self): 863 dce, rpctransport = self.connect() 864 request = nrpc.NetrLogonComputeServerDigest() 865 request['ServerName'] = NULL 866 request['Rid'] = 1001 867 request['Message'] = b'HOLABETOCOMOANDAS\x00' 868 request['MessageSize'] = len(b'HOLABETOCOMOANDAS\x00') 869 try: 870 resp = dce.request(request) 871 resp.dump() 872 except Exception as e: 873 if str(e).find('rpc_s_access_denied') < 0: 874 raise 875 876 def test_NetrLogonComputeClientDigest(self): 877 dce, rpctransport = self.connect() 878 request = nrpc.NetrLogonComputeClientDigest() 879 request['ServerName'] = NULL 880 request['DomainName'] = self.domain + '\x00' 881 request['Message'] = b'HOLABETOCOMOANDAS\x00' 882 request['MessageSize'] = len(b'HOLABETOCOMOANDAS\x00') 883 try: 884 resp = dce.request(request) 885 resp.dump() 886 except Exception as e: 887 if str(e).find('rpc_s_access_denied') < 0: 888 raise 889 890 def test_NetrLogonSendToSam(self): 891 dce, rpctransport = self.connect() 892 request = nrpc.NetrLogonSendToSam() 893 request['PrimaryName'] = NULL 894 request['ComputerName'] = self.serverName + '\x00' 895 request['Authenticator'] = self.update_authenticator() 896 request['OpaqueBuffer'] = b'HOLABETOCOMOANDAS\x00' 897 request['OpaqueBufferSize'] = len(b'HOLABETOCOMOANDAS\x00') 898 try: 899 resp = dce.request(request) 900 resp.dump() 901 except Exception as e: 902 if str(e).find('STATUS_ACCESS_DENIED') < 0: 903 raise 904 905 def test_NetrLogonSetServiceBits(self): 906 dce, rpctransport = self.connect() 907 request = nrpc.NetrLogonSetServiceBits() 908 request['ServerName'] = NULL 909 request['ServiceBitsOfInterest'] = 1 << 7 910 request['ServiceBits'] = 1 << 7 911 try: 912 resp = dce.request(request) 913 resp.dump() 914 except Exception as e: 915 if str(e).find('rpc_s_access_denied') < 0: 916 raise 917 918 def te_NetrLogonGetTimeServiceParentDomain(self): 919 dce, rpctransport = self.connect() 920 request = nrpc.NetrLogonGetTimeServiceParentDomain() 921 request['ServerName'] = self.domain + '\x00' 922 try: 923 resp = dce.request(request) 924 resp.dump() 925 except Exception as e: 926 if str(e).find('rpc_s_access_denied') < 0: 927 raise 928 929 def test_NetrLogonControl2Ex(self): 930 dce, rpctransport = self.connect() 931 request = nrpc.NetrLogonControl2Ex() 932 request['ServerName'] = NULL 933 request['FunctionCode'] = nrpc.NETLOGON_CONTROL_FIND_USER 934 request['QueryLevel'] = 4 935 request['Data']['tag'] = 8 936 request['Data']['UserName'] = 'normaluser7\x00' 937 938 try: 939 resp = dce.request(request) 940 resp.dump() 941 except Exception as e: 942 if str(e).find('rpc_s_access_denied') < 0: 943 raise 944 945 def test_NetrLogonControl2(self): 946 dce, rpctransport = self.connect() 947 request = nrpc.NetrLogonControl2() 948 request['ServerName'] = NULL 949 request['FunctionCode'] = nrpc.NETLOGON_CONTROL_FIND_USER 950 request['QueryLevel'] = 4 951 request['Data']['tag'] = 8 952 request['Data']['UserName'] = 'normaluser7\x00' 953 954 try: 955 resp = dce.request(request) 956 resp.dump() 957 except Exception as e: 958 if str(e).find('rpc_s_access_denied') < 0: 959 raise 960 961 def test_NetrLogonControl(self): 962 dce, rpctransport = self.connect() 963 request = nrpc.NetrLogonControl() 964 request['ServerName'] = NULL 965 request['FunctionCode'] = nrpc.NETLOGON_CONTROL_QUERY 966 request['QueryLevel'] = 4 967 request['Data']['tag'] = 65534 968 request['Data']['DebugFlag'] = 1 969 try: 970 resp = dce.request(request) 971 resp.dump() 972 except Exception as e: 973 if str(e).find('ERROR_INVALID_LEVEL') < 0: 974 raise 975 976 def test_NetrLogonUasLogon(self): 977 dce, rpctransport = self.connect() 978 request = nrpc.NetrLogonUasLogon() 979 request['ServerName'] = NULL 980 request['UserName'] = 'normaluser7\x00' 981 request['Workstation'] = self.serverName + '\x00' 982 try: 983 resp = dce.request(request) 984 resp.dump() 985 except Exception as e: 986 if str(e).find('rpc_s_access_denied') < 0: 987 raise 988 989 def test_NetrLogonUasLogoff(self): 990 dce, rpctransport = self.connect() 991 request = nrpc.NetrLogonUasLogoff() 992 request['ServerName'] = NULL 993 request['UserName'] = 'normaluser7\x00' 994 request['Workstation'] = self.serverName + '\x00' 995 try: 996 resp = dce.request(request) 997 resp.dump() 998 except Exception as e: 999 if str(e).find('rpc_s_access_denied') < 0: 1000 raise 1001 1002 1003 class TCPTransport(NRPCTests): 1004 def setUp(self): 1005 NRPCTests.setUp(self) 1006 configFile = ConfigParser.ConfigParser() 1007 configFile.read('dcetests.cfg') 1008 self.username = configFile.get('TCPTransport', 'username') 1009 self.domain = configFile.get('TCPTransport', 'domain') 1010 self.serverName = configFile.get('TCPTransport', 'servername') 1011 self.password = configFile.get('TCPTransport', 'password') 1012 self.machine = configFile.get('TCPTransport', 'machine') 1013 self.hashes = configFile.get('TCPTransport', 'hashes') 1014 self.machineUser = configFile.get('TCPTransport', 'machineuser') 1015 self.machineUserHashes = configFile.get('TCPTransport', 'machineuserhashes') 1016 # print epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp') 1017 self.stringBinding = epm.hept_map(self.machine, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp') 1018 1019 1020 class SMBTransport(NRPCTests): 1021 def setUp(self): 1022 NRPCTests.setUp(self) 1023 configFile = ConfigParser.ConfigParser() 1024 configFile.read('dcetests.cfg') 1025 self.username = configFile.get('SMBTransport', 'username') 1026 self.domain = configFile.get('SMBTransport', 'domain') 1027 self.serverName = configFile.get('SMBTransport', 'servername') 1028 self.password = configFile.get('SMBTransport', 'password') 1029 self.machine = configFile.get('SMBTransport', 'machine') 1030 self.hashes = configFile.get('SMBTransport', 'hashes') 1031 self.machineUser = configFile.get('SMBTransport', 'machineuser') 1032 self.machineUserHashes = configFile.get('SMBTransport', 'machineuserhashes') 1033 self.stringBinding = r'ncacn_np:%s[\PIPE\netlogon]' % self.machine 1034 1035 1036 # Process command-line arguments. 1037 if __name__ == '__main__': 1038 import sys 1039 1040 if len(sys.argv) > 1: 1041 testcase = sys.argv[1] 1042 suite = unittest.TestLoader().loadTestsFromTestCase(globals()[testcase]) 1043 else: 1044 suite = unittest.TestLoader().loadTestsFromTestCase(SMBTransport) 1045 suite.addTests(unittest.TestLoader().loadTestsFromTestCase(TCPTransport)) 1046 unittest.TextTestRunner(verbosity=1).run(suite)