github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/tests/SMB_RPC/test_rpcrt.py (about) 1 from __future__ import division 2 from __future__ import print_function 3 import unittest 4 try: 5 import ConfigParser 6 except ImportError: 7 import configparser as ConfigParser 8 9 from impacket.dcerpc.v5.ndr import NDRCALL 10 from impacket.dcerpc.v5 import transport, epm, samr 11 from impacket.dcerpc.v5.dtypes import NULL 12 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, \ 13 RPC_C_AUTHN_LEVEL_NONE, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_WINNT 14 from impacket.dcerpc.v5.dtypes import RPC_UNICODE_STRING 15 16 17 # aimed at testing just the DCERPC engine, not the particular 18 # endpoints (we should do specific tests for endpoints) 19 # here we're using EPM just because we need one, and it's the 20 # easiest one 21 22 class DCERPCTests(unittest.TestCase): 23 def connectDCE(self, username, password, domain, lm='', nt='', aesKey='', TGT=None, TGS=None, tfragment=0, 24 dceFragment=0, 25 auth_type=RPC_C_AUTHN_WINNT, auth_level=RPC_C_AUTHN_LEVEL_NONE, dceAuth=True, doKerberos=False, 26 bind=epm.MSRPC_UUID_PORTMAP): 27 rpctransport = transport.DCERPCTransportFactory(self.stringBinding) 28 29 if hasattr(rpctransport, 'set_credentials'): 30 # This method exists only for selected protocol sequences. 31 rpctransport.set_credentials(username, password, domain, lm, nt, aesKey, TGT, TGS) 32 rpctransport.set_kerberos(doKerberos, kdcHost=self.machine) 33 34 rpctransport.set_max_fragment_size(tfragment) 35 rpctransport.setRemoteName(self.serverName) 36 rpctransport.setRemoteHost(self.machine) 37 dce = rpctransport.get_dce_rpc() 38 dce.set_max_fragment_size(dceFragment) 39 if dceAuth is True: 40 dce.set_credentials(*(rpctransport.get_credentials())) 41 dce.connect() 42 dce.set_auth_type(auth_type) 43 dce.set_auth_level(auth_level) 44 dce.bind(bind) 45 46 return dce 47 48 def test_connection(self): 49 dce = self.connectDCE(self.username, self.password, self.domain, dceAuth=False) 50 dce.disconnect() 51 52 def test_connectionHashes(self): 53 lmhash, nthash = self.hashes.split(':') 54 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceAuth=False) 55 dce.disconnect() 56 57 def test_dceAuth(self): 58 dce = self.connectDCE(self.username, self.password, self.domain, dceAuth=True) 59 epm.hept_lookup(self.machine) 60 dce.disconnect() 61 62 def test_dceAuthKerberos(self): 63 dce = self.connectDCE(self.username, self.password, self.domain, dceAuth=True, doKerberos=True) 64 epm.hept_lookup(self.machine) 65 dce.disconnect() 66 67 def test_dceAuthHasHashes(self): 68 lmhash, nthash = self.hashes.split(':') 69 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceAuth=True) 70 epm.hept_lookup(self.machine) 71 dce.disconnect() 72 73 def test_dceAuthHasHashesKerberos(self): 74 lmhash, nthash = self.hashes.split(':') 75 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceAuth=True, doKerberos=True) 76 epm.hept_lookup(self.machine) 77 dce.disconnect() 78 79 def test_dceAuthHasAes128Kerberos(self): 80 dce = self.connectDCE(self.username, '', self.domain, '', '', self.aesKey128, dceAuth=True, doKerberos=True) 81 epm.hept_lookup(self.machine) 82 dce.disconnect() 83 84 def test_dceAuthHasAes256Kerberos(self): 85 dce = self.connectDCE(self.username, '', self.domain, '', '', self.aesKey256, dceAuth=True, doKerberos=True) 86 epm.hept_lookup(self.machine) 87 dce.disconnect() 88 89 def test_dceTransportFragmentation(self): 90 lmhash, nthash = self.hashes.split(':') 91 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, tfragment=1, dceAuth=True, doKerberos=False) 92 request = epm.ept_lookup() 93 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 94 request['object'] = NULL 95 request['Ifid'] = NULL 96 request['vers_option'] = epm.RPC_C_VERS_ALL 97 request['max_ents'] = 499 98 dce.request(request) 99 dce.disconnect() 100 101 def test_dceFragmentation(self): 102 lmhash, nthash = self.hashes.split(':') 103 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceFragment=1, dceAuth=True, doKerberos=False) 104 request = epm.ept_lookup() 105 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 106 request['object'] = NULL 107 request['Ifid'] = NULL 108 request['vers_option'] = epm.RPC_C_VERS_ALL 109 request['max_ents'] = 499 110 dce.request(request) 111 dce.disconnect() 112 113 def test_bigRequestMustFragment(self): 114 class dummyCall(NDRCALL): 115 opnum = 2 116 structure = ( 117 ('Name', RPC_UNICODE_STRING), 118 ) 119 lmhash, nthash = self.hashes.split(':') 120 oldBinding = self.stringBinding 121 self.stringBinding = epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp') 122 print(self.stringBinding) 123 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceFragment=0, 124 auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, 125 dceAuth=True, 126 doKerberos=True, bind=samr.MSRPC_UUID_SAMR) 127 self.stringBinding = oldBinding 128 129 request = samr.SamrConnect() 130 request['ServerName'] = b'BETO\x00' 131 request['DesiredAccess'] = samr.DELETE | samr.READ_CONTROL | samr.WRITE_DAC | samr.WRITE_OWNER | samr.ACCESS_SYSTEM_SECURITY | samr.GENERIC_READ | samr.GENERIC_WRITE | samr.GENERIC_EXECUTE | samr.SAM_SERVER_CONNECT | samr.SAM_SERVER_SHUTDOWN | samr.SAM_SERVER_INITIALIZE | samr.SAM_SERVER_CREATE_DOMAIN | samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN | samr.SAM_SERVER_READ | samr.SAM_SERVER_WRITE | samr.SAM_SERVER_EXECUTE 132 resp = dce.request(request) 133 request = samr.SamrEnumerateDomainsInSamServer() 134 request['ServerHandle'] = resp['ServerHandle'] 135 request['EnumerationContext'] = 0 136 request['PreferedMaximumLength'] = 500 137 dce.request(request) 138 try: 139 request = samr.SamrLookupDomainInSamServer() 140 request['ServerHandle'] = resp['ServerHandle'] 141 request['Name'] = 'A'*4500 142 dce.request(request) 143 except Exception as e: 144 if str(e).find('STATUS_NO_SUCH_DOMAIN') < 0: 145 raise 146 dce.disconnect() 147 148 def test_dceFragmentationWINNTPacketIntegrity(self): 149 lmhash, nthash = self.hashes.split(':') 150 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceFragment=1, 151 auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, dceAuth=True, doKerberos=False) 152 request = epm.ept_lookup() 153 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 154 request['object'] = NULL 155 request['Ifid'] = NULL 156 request['vers_option'] = epm.RPC_C_VERS_ALL 157 request['max_ents'] = 499 158 dce.request(request) 159 dce.disconnect() 160 161 def test_dceFragmentationWINNTPacketPrivacy(self): 162 lmhash, nthash = self.hashes.split(':') 163 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceFragment=1, 164 auth_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY, dceAuth=True, doKerberos=False) 165 request = epm.ept_lookup() 166 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 167 request['object'] = NULL 168 request['Ifid'] = NULL 169 request['vers_option'] = epm.RPC_C_VERS_ALL 170 request['max_ents'] = 499 171 dce.request(request) 172 dce.disconnect() 173 174 def test_dceFragmentationKerberosPacketIntegrity(self): 175 lmhash, nthash = self.hashes.split(':') 176 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceFragment=1, 177 auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, 178 auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, dceAuth=True, doKerberos=True) 179 request = epm.ept_lookup() 180 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 181 request['object'] = NULL 182 request['Ifid'] = NULL 183 request['vers_option'] = epm.RPC_C_VERS_ALL 184 request['max_ents'] = 499 185 dce.request(request) 186 dce.disconnect() 187 188 def test_dceFragmentationKerberosPacketPrivacy(self): 189 lmhash, nthash = self.hashes.split(':') 190 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, dceFragment=1, 191 auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, 192 auth_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY, dceAuth=True, doKerberos=True) 193 request = epm.ept_lookup() 194 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 195 request['object'] = NULL 196 request['Ifid'] = NULL 197 request['vers_option'] = epm.RPC_C_VERS_ALL 198 request['max_ents'] = 499 199 dce.request(request) 200 dce.disconnect() 201 202 def test_WINNTPacketIntegrity(self): 203 dce = self.connectDCE(self.username, self.password, self.domain, auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, 204 dceAuth=True, doKerberos=False) 205 request = epm.ept_lookup() 206 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 207 request['object'] = NULL 208 request['Ifid'] = NULL 209 request['vers_option'] = epm.RPC_C_VERS_ALL 210 request['max_ents'] = 499 211 dce.request(request) 212 dce.disconnect() 213 214 def test_KerberosPacketIntegrity(self): 215 dce = self.connectDCE(self.username, self.password, self.domain, auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, 216 auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, dceAuth=True, doKerberos=True) 217 request = epm.ept_lookup() 218 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 219 request['object'] = NULL 220 request['Ifid'] = NULL 221 request['vers_option'] = epm.RPC_C_VERS_ALL 222 request['max_ents'] = 499 223 dce.request(request) 224 resp = dce.request(request) 225 resp.dump() 226 dce.disconnect() 227 228 def test_HashesWINNTPacketIntegrity(self): 229 lmhash, nthash = self.hashes.split(':') 230 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, 231 auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, dceAuth=True, doKerberos=False) 232 request = epm.ept_lookup() 233 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 234 request['object'] = NULL 235 request['Ifid'] = NULL 236 request['vers_option'] = epm.RPC_C_VERS_ALL 237 request['max_ents'] = 499 238 dce.request(request) 239 dce.disconnect() 240 241 def test_HashesKerberosPacketIntegrity(self): 242 lmhash, nthash = self.hashes.split(':') 243 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, 244 auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, dceAuth=True, doKerberos=True) 245 request = epm.ept_lookup() 246 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 247 request['object'] = NULL 248 request['Ifid'] = NULL 249 request['vers_option'] = epm.RPC_C_VERS_ALL 250 request['max_ents'] = 499 251 dce.request(request) 252 resp = dce.request(request) 253 resp.dump() 254 dce.disconnect() 255 256 def test_Aes128KerberosPacketIntegrity(self): 257 dce = self.connectDCE(self.username, '', self.domain, '', '', self.aesKey128, 258 auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, 259 dceAuth=True, doKerberos=True) 260 request = epm.ept_lookup() 261 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 262 request['object'] = NULL 263 request['Ifid'] = NULL 264 request['vers_option'] = epm.RPC_C_VERS_ALL 265 request['max_ents'] = 499 266 dce.request(request) 267 resp = dce.request(request) 268 resp.dump() 269 dce.disconnect() 270 271 def test_Aes256KerberosPacketIntegrity(self): 272 dce = self.connectDCE(self.username, '', self.domain, '', '', self.aesKey256, 273 auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, 274 dceAuth=True, doKerberos=True) 275 request = epm.ept_lookup() 276 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 277 request['object'] = NULL 278 request['Ifid'] = NULL 279 request['vers_option'] = epm.RPC_C_VERS_ALL 280 request['max_ents'] = 499 281 dce.request(request) 282 resp = dce.request(request) 283 resp.dump() 284 dce.disconnect() 285 286 def test_packetAnonWINNTPacketIntegrity(self): 287 # With SMB Transport this will fail with STATUS_ACCESS_DENIED 288 try: 289 dce = self.connectDCE('', '', '', auth_level=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,dceAuth=False, doKerberos=False) 290 request = epm.ept_lookup() 291 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 292 request['object'] = NULL 293 request['Ifid'] = NULL 294 request['vers_option'] = epm.RPC_C_VERS_ALL 295 request['max_ents'] = 499 296 dce.request(request) 297 dce.disconnect() 298 except Exception as e: 299 if not (str(e).find('STATUS_ACCESS_DENIED') >=0 and self.stringBinding.find('ncacn_np') >=0): 300 raise 301 302 def test_WINNTPacketPrivacy(self): 303 dce = self.connectDCE(self.username, self.password, self.domain, auth_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 304 dceAuth=True, doKerberos=False) 305 request = epm.ept_lookup() 306 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 307 request['object'] = NULL 308 request['Ifid'] = NULL 309 request['vers_option'] = epm.RPC_C_VERS_ALL 310 request['max_ents'] = 499 311 dce.request(request) 312 dce.request(request) 313 dce.disconnect() 314 315 def test_KerberosPacketPrivacy(self): 316 dce = self.connectDCE(self.username, self.password, self.domain, auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, 317 auth_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY, dceAuth=True, doKerberos=True) 318 request = epm.ept_lookup() 319 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 320 request['object'] = NULL 321 request['Ifid'] = NULL 322 request['vers_option'] = epm.RPC_C_VERS_ALL 323 request['max_ents'] = 499 324 dce.request(request) 325 resp = dce.request(request) 326 resp.dump() 327 dce.disconnect() 328 329 def test_HashesWINNTPacketPrivacy(self): 330 lmhash, nthash = self.hashes.split(':') 331 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, auth_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 332 dceAuth=True, doKerberos=False) 333 request = epm.ept_lookup() 334 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 335 request['object'] = NULL 336 request['Ifid'] = NULL 337 request['vers_option'] = epm.RPC_C_VERS_ALL 338 request['max_ents'] = 499 339 dce.request(request) 340 dce.disconnect() 341 342 def test_HashesKerberosPacketPrivacy(self): 343 lmhash, nthash = self.hashes.split(':') 344 dce = self.connectDCE(self.username, '', self.domain, lmhash, nthash, auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, 345 auth_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY, dceAuth=True, doKerberos=True) 346 request = epm.ept_lookup() 347 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 348 request['object'] = NULL 349 request['Ifid'] = NULL 350 request['vers_option'] = epm.RPC_C_VERS_ALL 351 request['max_ents'] = 499 352 dce.request(request) 353 resp = dce.request(request) 354 resp.dump() 355 dce.disconnect() 356 357 def test_Aes128KerberosPacketPrivacy(self): 358 dce = self.connectDCE(self.username, '', self.domain, '', '', self.aesKey128, 359 auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, auth_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 360 dceAuth=True, doKerberos=True) 361 request = epm.ept_lookup() 362 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 363 request['object'] = NULL 364 request['Ifid'] = NULL 365 request['vers_option'] = epm.RPC_C_VERS_ALL 366 request['max_ents'] = 499 367 dce.request(request) 368 resp = dce.request(request) 369 resp.dump() 370 dce.disconnect() 371 372 def test_Aes256KerberosPacketPrivacy(self): 373 dce = self.connectDCE(self.username, '', self.domain, '', '', self.aesKey256, 374 auth_type=RPC_C_AUTHN_GSS_NEGOTIATE, auth_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 375 dceAuth=True, doKerberos=True) 376 request = epm.ept_lookup() 377 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 378 request['object'] = NULL 379 request['Ifid'] = NULL 380 request['vers_option'] = epm.RPC_C_VERS_ALL 381 request['max_ents'] = 499 382 dce.request(request) 383 resp = dce.request(request) 384 resp.dump() 385 dce.disconnect() 386 387 def test_AnonWINNTPacketPrivacy(self): 388 # With SMB Transport this will fail with STATUS_ACCESS_DENIED 389 try: 390 dce = self.connectDCE('', '', '', auth_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY,dceAuth=False, doKerberos=False) 391 request = epm.ept_lookup() 392 request['inquiry_type'] = epm.RPC_C_EP_ALL_ELTS 393 request['object'] = NULL 394 request['Ifid'] = NULL 395 request['vers_option'] = epm.RPC_C_VERS_ALL 396 request['max_ents'] = 499 397 dce.request(request) 398 dce.disconnect() 399 except Exception as e: 400 if not (str(e).find('STATUS_ACCESS_DENIED') >=0 and self.stringBinding.find('ncacn_np') >=0): 401 raise 402 403 class TCPTransport(DCERPCTests): 404 def setUp(self): 405 DCERPCTests.setUp(self) 406 # Put specific configuration for target machine with SMB1 407 configFile = ConfigParser.ConfigParser() 408 configFile.read('dcetests.cfg') 409 self.username = configFile.get('TCPTransport', 'username') 410 self.domain = configFile.get('TCPTransport', 'domain') 411 self.serverName = configFile.get('TCPTransport', 'servername') 412 self.password = configFile.get('TCPTransport', 'password') 413 self.machine = configFile.get('TCPTransport', 'machine') 414 self.hashes = configFile.get('TCPTransport', 'hashes') 415 self.aesKey256= configFile.get('TCPTransport', 'aesKey256') 416 self.aesKey128= configFile.get('TCPTransport', 'aesKey128') 417 self.stringBinding = r'ncacn_ip_tcp:%s' % self.machine 418 419 class SMBTransport(DCERPCTests): 420 def setUp(self): 421 # Put specific configuration for target machine with SMB_002 422 DCERPCTests.setUp(self) 423 configFile = ConfigParser.ConfigParser() 424 configFile.read('dcetests.cfg') 425 self.username = configFile.get('SMBTransport', 'username') 426 self.domain = configFile.get('SMBTransport', 'domain') 427 self.serverName = configFile.get('SMBTransport', 'servername') 428 self.password = configFile.get('SMBTransport', 'password') 429 self.machine = configFile.get('SMBTransport', 'machine') 430 self.hashes = configFile.get('SMBTransport', 'hashes') 431 self.aesKey256= configFile.get('SMBTransport', 'aesKey256') 432 self.aesKey128= configFile.get('SMBTransport', 'aesKey128') 433 self.stringBinding = r'ncacn_np:%s[\pipe\epmapper]' % self.machine 434 435 if __name__ == "__main__": 436 import sys 437 if len(sys.argv) > 1: 438 testcase = sys.argv[1] 439 suite = unittest.TestLoader().loadTestsFromTestCase(globals()[testcase]) 440 else: 441 suite = unittest.TestLoader().loadTestsFromTestCase(TCPTransport) 442 suite.addTests(unittest.TestLoader().loadTestsFromTestCase(SMBTransport)) 443 unittest.TextTestRunner(verbosity=1).run(suite)