Current File : //lib/python3/dist-packages/samba/emulate/traffic_packets.py
# Dispatch for various request types.
#
# Copyright (C) Catalyst IT Ltd. 2017
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os
import ctypes
import random
from samba.net import Net
from samba.dcerpc import security, drsuapi, nbt, lsa, netlogon, ntlmssp
from samba.dcerpc.netlogon import netr_WorkstationInformation
from samba.dcerpc.security import dom_sid
from samba.netbios import Node
from samba.ndr import ndr_pack
from samba.credentials import (
CLI_CRED_NTLMv2_AUTH,
MUST_USE_KERBEROS,
DONT_USE_KERBEROS
)
from samba import NTSTATUSError
from samba.ntstatus import (
NT_STATUS_OBJECT_NAME_NOT_FOUND,
NT_STATUS_NO_SUCH_DOMAIN
)
import samba
import dns.resolver
from ldb import SCOPE_BASE
def uint32(v):
return ctypes.c_uint32(v).value
def check_runtime_error(runtime, val):
if runtime is None:
return False
err32 = uint32(runtime.args[0])
if err32 == val:
return True
return False
name_formats = [
drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
drsuapi.DRSUAPI_DS_NAME_FORMAT_DISPLAY,
drsuapi.DRSUAPI_DS_NAME_FORMAT_GUID,
drsuapi.DRSUAPI_DS_NAME_FORMAT_CANONICAL,
drsuapi.DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
drsuapi.DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
drsuapi.DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
drsuapi.DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
drsuapi.DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN,
drsuapi.DRSUAPI_DS_NAME_FORMAT_UPN_AND_ALTSECID,
drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_GLOBAL_CATALOG_SERVERS,
drsuapi.DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_WITH_DCS_IN_SITE,
drsuapi.DRSUAPI_DS_NAME_FORMAT_STRING_SID_NAME,
drsuapi.DRSUAPI_DS_NAME_FORMAT_ALT_SECURITY_IDENTITIES_NAME,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_NCS,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_DOMAINS,
drsuapi.DRSUAPI_DS_NAME_FORMAT_MAP_SCHEMA_GUID,
drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_ROLES,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_INFO_FOR_SERVER,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_FOR_DOMAIN_IN_SITE,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_DOMAINS_IN_SITE,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_IN_SITE,
drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_SITES,
]
def warning(message):
print("\033[37;41;1m" "Warning: %s" "\033[00m" % (message))
###############################################################################
#
# Packet generation functions:
#
# All the packet generation functions have the following form:
# packet_${protocol}_${opcode}(packet, conversation, context)
#
# The functions return true, if statistics should be collected for the packet
# false, the packet has been ignored.
#
# Where:
# protocol is the protocol, i.e. cldap, dcerpc, ...
# opcode is the protocol op code i.e. type of the packet to be
# generated.
#
# packet contains data about the captured/generated packet
# provides any extra data needed to generate the packet
#
# conversation Details of the current client/server interaction
#
# context state data for the current interaction
#
#
#
# The following protocols are not currently handled:
# smb
# smb2
# browser
# smb_netlogon
#
# The following drsuapi replication packets are currently ignored:
# DsReplicaSync
# DsGetNCChanges
# DsReplicaUpdateRefs
# Packet generators that do NOTHING are assigned to the null_packet
# function which allows the conversation generators to notice this and
# avoid a whole lot of pointless work.
def null_packet(packet, conversation, context):
return False
def packet_cldap_3(packet, conversation, context):
# searchRequest
net = Net(creds=context.creds, lp=context.lp)
net.finddc(domain=context.lp.get('realm'),
flags=(nbt.NBT_SERVER_LDAP |
nbt.NBT_SERVER_DS |
nbt.NBT_SERVER_WRITABLE))
return True
packet_cldap_5 = null_packet
# searchResDone
packet_dcerpc_0 = null_packet
# Request
# Can be ignored, it's the continuation of an existing conversation
packet_dcerpc_2 = null_packet
# Request
# Server response, so should be ignored
packet_dcerpc_3 = null_packet
packet_dcerpc_11 = null_packet
# Bind
# creation of the rpc dcerpc connection is managed by the higher level
# protocol drivers. So we ignore it when generating traffic
packet_dcerpc_12 = null_packet
# Bind_ack
# Server response, so should be ignored
packet_dcerpc_13 = null_packet
# Bind_nak
# Server response, so should be ignored
packet_dcerpc_14 = null_packet
# Alter_context
# Generated as part of the connect process
def packet_dcerpc_15(packet, conversation, context):
# Alter_context_resp
# This means it was GSSAPI/krb5 (probably)
# Check the kerberos_state and issue a diagnostic if kerberos not enabled
if context.user_creds.get_kerberos_state() == DONT_USE_KERBEROS:
warning("Kerberos disabled but have dcerpc Alter_context_resp "
"indicating Kerberos was used")
return False
def packet_dcerpc_16(packet, conversation, context):
# AUTH3
# This means it was NTLMSSP
# Check the kerberos_state and issue a diagnostic if kerberos enabled
if context.user_creds.get_kerberos_state() == MUST_USE_KERBEROS:
warning("Kerberos enabled but have dcerpc AUTH3 "
"indicating NTLMSSP was used")
return False
def packet_dns_0(packet, conversation, context):
# query
name, rtype = context.guess_a_dns_lookup()
dns.resolver.query(name, rtype)
return True
packet_dns_1 = null_packet
# response
# Server response, so should be ignored
def packet_drsuapi_0(packet, conversation, context):
# DsBind
context.get_drsuapi_connection_pair(True)
return True
NAME_FORMATS = [getattr(drsuapi, _x) for _x in dir(drsuapi)
if 'NAME_FORMAT' in _x]
def packet_drsuapi_12(packet, conversation, context):
# DsCrackNames
drs, handle = context.get_drsuapi_connection_pair()
names = drsuapi.DsNameString()
names.str = context.server
req = drsuapi.DsNameRequest1()
req.format_flags = 0
req.format_offered = 7
req.format_desired = random.choice(name_formats)
req.codepage = 1252
req.language = 1033 # German, I think
req.format_flags = 0
req.count = 1
req.names = [names]
(result, ctr) = drs.DsCrackNames(handle, 1, req)
return True
def packet_drsuapi_13(packet, conversation, context):
# DsWriteAccountSpn
req = drsuapi.DsWriteAccountSpnRequest1()
req.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_REPLACE
req.unknown1 = 0 # Unused, must be 0
req.object_dn = context.user_dn
req.count = 1 # only 1 name
spn_name = drsuapi.DsNameString()
spn_name.str = 'foo/{}'.format(context.username)
req.spn_names = [spn_name]
(drs, handle) = context.get_drsuapi_connection_pair()
(level, res) = drs.DsWriteAccountSpn(handle, 1, req)
return True
def packet_drsuapi_1(packet, conversation, context):
# DsUnbind
(drs, handle) = context.get_drsuapi_connection_pair()
drs.DsUnbind(handle)
del context.drsuapi_connections[-1]
return True
packet_drsuapi_2 = null_packet
# DsReplicaSync
# This is between DCs, triggered on a DB change
# Ignoring for now
packet_drsuapi_3 = null_packet
# DsGetNCChanges
# This is between DCs, trigger with DB operation,
# or DsReplicaSync between DCs.
# Ignoring for now
packet_drsuapi_4 = null_packet
# DsReplicaUpdateRefs
# Ignoring for now
packet_epm_3 = null_packet
# Map
# Will be generated by higher level protocol calls
def packet_kerberos_(packet, conversation, context):
# Use the presence of kerberos packets as a hint to enable kerberos
# for the rest of the conversation.
# i.e. kerberos packets are not explicitly generated.
context.user_creds.set_kerberos_state(MUST_USE_KERBEROS)
context.user_creds_bad.set_kerberos_state(MUST_USE_KERBEROS)
context.machine_creds.set_kerberos_state(MUST_USE_KERBEROS)
context.machine_creds_bad.set_kerberos_state(MUST_USE_KERBEROS)
context.creds.set_kerberos_state(MUST_USE_KERBEROS)
return False
packet_ldap_ = null_packet
# Unknown
# The ldap payload was probably encrypted so just ignore it.
def packet_ldap_0(packet, conversation, context):
# bindRequest
if packet.extra[5] == "simple":
# Perform a simple bind.
context.get_ldap_connection(new=True, simple=True)
else:
# Perform a sasl bind.
context.get_ldap_connection(new=True, simple=False)
return True
packet_ldap_1 = null_packet
# bindResponse
# Server response ignored for traffic generation
def packet_ldap_2(packet, conversation, context):
# unbindRequest
# pop the last one off -- most likely we're in a bind/unbind ping.
del context.ldap_connections[-1:]
return False
def packet_ldap_3(packet, conversation, context):
# searchRequest
(scope, dn_sig, filter, attrs, extra, desc, oid) = packet.extra
if not scope:
scope = SCOPE_BASE
samdb = context.get_ldap_connection()
dn = context.get_matching_dn(dn_sig)
# try to guess the search expression (don't bother for base searches, as
# they're only looking up a single object)
if (filter is None or filter == '') and scope != SCOPE_BASE:
filter = context.guess_search_filter(attrs, dn_sig, dn)
samdb.search(dn,
expression=filter,
scope=int(scope),
attrs=attrs.split(','),
controls=["paged_results:1:1000"])
return True
packet_ldap_4 = null_packet
# searchResEntry
# Server response ignored for traffic generation
packet_ldap_5 = null_packet
# Server response ignored for traffic generation
packet_ldap_6 = null_packet
packet_ldap_7 = null_packet
packet_ldap_8 = null_packet
packet_ldap_9 = null_packet
packet_ldap_16 = null_packet
packet_lsarpc_0 = null_packet
# lsarClose
packet_lsarpc_1 = null_packet
# lsarDelete
packet_lsarpc_2 = null_packet
# lsarEnumeratePrivileges
packet_lsarpc_3 = null_packet
# LsarQuerySecurityObject
packet_lsarpc_4 = null_packet
# LsarSetSecurityObject
packet_lsarpc_5 = null_packet
# LsarChangePassword
packet_lsarpc_6 = null_packet
# lsa_OpenPolicy
# We ignore this, but take it as a hint that the lsarpc handle should
# be over a named pipe.
#
def packet_lsarpc_14(packet, conversation, context):
# lsa_LookupNames
c = context.get_lsarpc_named_pipe_connection()
objectAttr = lsa.ObjectAttribute()
pol_handle = c.OpenPolicy2(u'', objectAttr,
security.SEC_FLAG_MAXIMUM_ALLOWED)
sids = lsa.TransSidArray()
names = [lsa.String("This Organization"),
lsa.String("Digest Authentication")]
level = lsa.LSA_LOOKUP_NAMES_ALL
count = 0
c.LookupNames(pol_handle, names, sids, level, count)
return True
def packet_lsarpc_15(packet, conversation, context):
# lsa_LookupSids
c = context.get_lsarpc_named_pipe_connection()
objectAttr = lsa.ObjectAttribute()
pol_handle = c.OpenPolicy2(u'', objectAttr,
security.SEC_FLAG_MAXIMUM_ALLOWED)
sids = lsa.SidArray()
sid = lsa.SidPtr()
x = dom_sid("S-1-5-7")
sid.sid = x
sids.sids = [sid]
sids.num_sids = 1
names = lsa.TransNameArray()
level = lsa.LSA_LOOKUP_NAMES_ALL
count = 0
c.LookupSids(pol_handle, sids, names, level, count)
return True
def packet_lsarpc_39(packet, conversation, context):
# lsa_QueryTrustedDomainInfoBySid
# Samba does not support trusted domains, so this call is expected to fail
#
c = context.get_lsarpc_named_pipe_connection()
objectAttr = lsa.ObjectAttribute()
pol_handle = c.OpenPolicy2(u'', objectAttr,
security.SEC_FLAG_MAXIMUM_ALLOWED)
domsid = security.dom_sid(context.domain_sid)
level = 1
try:
c.QueryTrustedDomainInfoBySid(pol_handle, domsid, level)
except NTSTATUSError as error:
# Object Not found is the expected result from samba,
# while No Such Domain is the expected result from windows,
# anything else is a failure.
if not check_runtime_error(error, NT_STATUS_OBJECT_NAME_NOT_FOUND) \
and not check_runtime_error(error, NT_STATUS_NO_SUCH_DOMAIN):
raise
return True
packet_lsarpc_40 = null_packet
# lsa_SetTrustedDomainInfo
# Not currently supported
packet_lsarpc_43 = null_packet
# LsaStorePrivateData
packet_lsarpc_44 = null_packet
# LsaRetrievePrivateData
packet_lsarpc_68 = null_packet
# LsarLookupNames3
def packet_lsarpc_76(packet, conversation, context):
# lsa_LookupSids3
c = context.get_lsarpc_connection()
sids = lsa.SidArray()
sid = lsa.SidPtr()
# Need a set
x = dom_sid("S-1-5-7")
sid.sid = x
sids.sids = [sid]
sids.num_sids = 1
names = lsa.TransNameArray2()
level = lsa.LSA_LOOKUP_NAMES_ALL
count = 0
lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
client_revision = lsa.LSA_CLIENT_REVISION_2
c.LookupSids3(sids, names, level, count, lookup_options, client_revision)
return True
def packet_lsarpc_77(packet, conversation, context):
# lsa_LookupNames4
c = context.get_lsarpc_connection()
sids = lsa.TransSidArray3()
names = [lsa.String("This Organization"),
lsa.String("Digest Authentication")]
level = lsa.LSA_LOOKUP_NAMES_ALL
count = 0
lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
client_revision = lsa.LSA_CLIENT_REVISION_2
c.LookupNames4(names, sids, level, count, lookup_options, client_revision)
return True
def packet_nbns_0(packet, conversation, context):
# query
n = Node()
try:
n.query_name("ANAME", context.server, timeout=4, broadcast=False)
except:
pass
return True
packet_nbns_1 = null_packet
# response
# Server response, not generated by the client
packet_rpc_netlogon_0 = null_packet
packet_rpc_netlogon_1 = null_packet
packet_rpc_netlogon_4 = null_packet
# NetrServerReqChallenge
# generated by higher level protocol drivers
# ignored for traffic generation
packet_rpc_netlogon_14 = null_packet
packet_rpc_netlogon_15 = null_packet
packet_rpc_netlogon_21 = null_packet
# NetrLogonDummyRoutine1
# Used to determine security settings. Triggered from schannel setup
# So no need for an explicit generator
packet_rpc_netlogon_26 = null_packet
# NetrServerAuthenticate3
# Triggered from schannel set up, no need for an explicit generator
def packet_rpc_netlogon_29(packet, conversation, context):
# NetrLogonGetDomainInfo [531]
c = context.get_netlogon_connection()
(auth, succ) = context.get_authenticator()
query = netr_WorkstationInformation()
c.netr_LogonGetDomainInfo(context.server,
context.netbios_name,
auth,
succ,
2, # TODO are there other values?
query)
return True
def packet_rpc_netlogon_30(packet, conversation, context):
# NetrServerPasswordSet2
c = context.get_netlogon_connection()
(auth, succ) = context.get_authenticator()
DATA_LEN = 512
# Set the new password to the existing password, this generates the same
# work load as a new value, and leaves the account password intact for
# subsequent runs
newpass = context.machine_creds.get_password().encode('utf-16-le')
pwd_len = len(newpass)
filler = [x if isinstance(x, int) else ord(x) for x in os.urandom(DATA_LEN - pwd_len)]
pwd = netlogon.netr_CryptPassword()
pwd.length = pwd_len
pwd.data = filler + [x if isinstance(x, int) else ord(x) for x in newpass]
context.machine_creds.encrypt_netr_crypt_password(pwd)
c.netr_ServerPasswordSet2(context.server,
# must ends with $, so use get_username instead
# of get_workstation here
context.machine_creds.get_username(),
context.machine_creds.get_secure_channel_type(),
context.netbios_name,
auth,
pwd)
return True
packet_rpc_netlogon_34 = null_packet
def packet_rpc_netlogon_39(packet, conversation, context):
# NetrLogonSamLogonEx [4331]
def connect(creds):
c = context.get_netlogon_connection()
# Disable Kerberos in cli creds to extract NTLM response
old_state = creds.get_kerberos_state()
creds.set_kerberos_state(DONT_USE_KERBEROS)
logon = samlogon_logon_info(context.domain,
context.netbios_name,
creds)
logon_level = netlogon.NetlogonNetworkTransitiveInformation
validation_level = netlogon.NetlogonValidationSamInfo4
netr_flags = 0
c.netr_LogonSamLogonEx(context.server,
context.machine_creds.get_workstation(),
logon_level,
logon,
validation_level,
netr_flags)
creds.set_kerberos_state(old_state)
context.last_samlogon_bad =\
context.with_random_bad_credentials(connect,
context.user_creds,
context.user_creds_bad,
context.last_samlogon_bad)
return True
def samlogon_target(domain_name, computer_name):
target_info = ntlmssp.AV_PAIR_LIST()
target_info.count = 3
computername = ntlmssp.AV_PAIR()
computername.AvId = ntlmssp.MsvAvNbComputerName
computername.Value = computer_name
domainname = ntlmssp.AV_PAIR()
domainname.AvId = ntlmssp.MsvAvNbDomainName
domainname.Value = domain_name
eol = ntlmssp.AV_PAIR()
eol.AvId = ntlmssp.MsvAvEOL
target_info.pair = [domainname, computername, eol]
return ndr_pack(target_info)
def samlogon_logon_info(domain_name, computer_name, creds):
target_info_blob = samlogon_target(domain_name, computer_name)
challenge = b"abcdefgh"
# User account under test
response = creds.get_ntlm_response(flags=CLI_CRED_NTLMv2_AUTH,
challenge=challenge,
target_info=target_info_blob)
logon = netlogon.netr_NetworkInfo()
logon.challenge = [x if isinstance(x, int) else ord(x) for x in challenge]
logon.nt = netlogon.netr_ChallengeResponse()
logon.nt.length = len(response["nt_response"])
logon.nt.data = [x if isinstance(x, int) else ord(x) for x in response["nt_response"]]
logon.identity_info = netlogon.netr_IdentityInfo()
(username, domain) = creds.get_ntlm_username_domain()
logon.identity_info.domain_name.string = domain
logon.identity_info.account_name.string = username
logon.identity_info.workstation.string = creds.get_workstation()
return logon
def packet_rpc_netlogon_40(packet, conversation, context):
# DsrEnumerateDomainTrusts
c = context.get_netlogon_connection()
c.netr_DsrEnumerateDomainTrusts(
context.server,
netlogon.NETR_TRUST_FLAG_IN_FOREST |
netlogon.NETR_TRUST_FLAG_OUTBOUND |
netlogon.NETR_TRUST_FLAG_INBOUND)
return True
def packet_rpc_netlogon_45(packet, conversation, context):
# NetrLogonSamLogonWithFlags [7]
def connect(creds):
c = context.get_netlogon_connection()
(auth, succ) = context.get_authenticator()
# Disable Kerberos in cli creds to extract NTLM response
old_state = creds.get_kerberos_state()
creds.set_kerberos_state(DONT_USE_KERBEROS)
logon = samlogon_logon_info(context.domain,
context.netbios_name,
creds)
logon_level = netlogon.NetlogonNetworkTransitiveInformation
validation_level = netlogon.NetlogonValidationSamInfo4
netr_flags = 0
c.netr_LogonSamLogonWithFlags(context.server,
context.machine_creds.get_workstation(),
auth,
succ,
logon_level,
logon,
validation_level,
netr_flags)
creds.set_kerberos_state(old_state)
context.last_samlogon_bad =\
context.with_random_bad_credentials(connect,
context.user_creds,
context.user_creds_bad,
context.last_samlogon_bad)
return True
def packet_samr_0(packet, conversation, context):
# Open
c = context.get_samr_context()
c.get_handle()
return True
def packet_samr_1(packet, conversation, context):
# Close
c = context.get_samr_context()
s = c.get_connection()
# close the last opened handle, may not always be accurate
# but will do for load simulation
if c.user_handle is not None:
s.Close(c.user_handle)
c.user_handle = None
elif c.group_handle is not None:
s.Close(c.group_handle)
c.group_handle = None
elif c.domain_handle is not None:
s.Close(c.domain_handle)
c.domain_handle = None
c.rids = None
elif c.handle is not None:
s.Close(c.handle)
c.handle = None
c.domain_sid = None
return True
def packet_samr_3(packet, conversation, context):
# QuerySecurity
c = context.get_samr_context()
s = c.get_connection()
if c.user_handle is None:
packet_samr_34(packet, conversation, context)
s.QuerySecurity(c.user_handle, 1)
return True
def packet_samr_5(packet, conversation, context):
# LookupDomain
c = context.get_samr_context()
s = c.get_connection()
h = c.get_handle()
d = lsa.String()
d.string = context.domain
c.domain_sid = s.LookupDomain(h, d)
return True
def packet_samr_6(packet, conversation, context):
# EnumDomains
c = context.get_samr_context()
s = c.get_connection()
h = c.get_handle()
s.EnumDomains(h, 0, 0)
return True
def packet_samr_7(packet, conversation, context):
# OpenDomain
c = context.get_samr_context()
s = c.get_connection()
h = c.get_handle()
if c.domain_sid is None:
packet_samr_5(packet, conversation, context)
c.domain_handle = s.OpenDomain(h,
security.SEC_FLAG_MAXIMUM_ALLOWED,
c.domain_sid)
return True
SAMR_QUERY_DOMAIN_INFO_LEVELS = [8, 12]
def packet_samr_8(packet, conversation, context):
# QueryDomainInfo [228]
c = context.get_samr_context()
s = c.get_connection()
if c.domain_handle is None:
packet_samr_7(packet, conversation, context)
level = random.choice(SAMR_QUERY_DOMAIN_INFO_LEVELS)
s.QueryDomainInfo(c.domain_handle, level)
return True
packet_samr_14 = null_packet
# CreateDomainAlias
# Ignore these for now.
def packet_samr_15(packet, conversation, context):
# EnumDomainAliases
c = context.get_samr_context()
s = c.get_connection()
if c.domain_handle is None:
packet_samr_7(packet, conversation, context)
s.EnumDomainAliases(c.domain_handle, 100, 0)
return True
def packet_samr_16(packet, conversation, context):
# GetAliasMembership
c = context.get_samr_context()
s = c.get_connection()
if c.domain_handle is None:
packet_samr_7(packet, conversation, context)
sids = lsa.SidArray()
sid = lsa.SidPtr()
sid.sid = c.domain_sid
sids.sids = [sid]
s.GetAliasMembership(c.domain_handle, sids)
return True
def packet_samr_17(packet, conversation, context):
# LookupNames
c = context.get_samr_context()
s = c.get_connection()
if c.domain_handle is None:
packet_samr_7(packet, conversation, context)
name = lsa.String(context.username)
c.rids = s.LookupNames(c.domain_handle, [name])
return True
def packet_samr_18(packet, conversation, context):
# LookupRids
c = context.get_samr_context()
s = c.get_connection()
if c.rids is None:
packet_samr_17(packet, conversation, context)
rids = []
for r in c.rids:
for i in r.ids:
rids.append(i)
s.LookupRids(c.domain_handle, rids)
return True
def packet_samr_19(packet, conversation, context):
# OpenGroup
c = context.get_samr_context()
s = c.get_connection()
if c.domain_handle is None:
packet_samr_7(packet, conversation, context)
rid = 0x202 # Users I think.
c.group_handle = s.OpenGroup(c.domain_handle,
security.SEC_FLAG_MAXIMUM_ALLOWED,
rid)
return True
def packet_samr_25(packet, conversation, context):
# QueryGroupMember
c = context.get_samr_context()
s = c.get_connection()
if c.group_handle is None:
packet_samr_19(packet, conversation, context)
s.QueryGroupMember(c.group_handle)
return True
def packet_samr_34(packet, conversation, context):
# OpenUser
c = context.get_samr_context()
s = c.get_connection()
if c.rids is None:
packet_samr_17(packet, conversation, context)
c.user_handle = s.OpenUser(c.domain_handle,
security.SEC_FLAG_MAXIMUM_ALLOWED,
c.rids[0].ids[0])
return True
def packet_samr_36(packet, conversation, context):
# QueryUserInfo
c = context.get_samr_context()
s = c.get_connection()
if c.user_handle is None:
packet_samr_34(packet, conversation, context)
level = 1
s.QueryUserInfo(c.user_handle, level)
return True
packet_samr_37 = null_packet
def packet_samr_39(packet, conversation, context):
# GetGroupsForUser
c = context.get_samr_context()
s = c.get_connection()
if c.user_handle is None:
packet_samr_34(packet, conversation, context)
s.GetGroupsForUser(c.user_handle)
return True
packet_samr_40 = null_packet
packet_samr_44 = null_packet
def packet_samr_57(packet, conversation, context):
# Connect2
c = context.get_samr_context()
c.get_handle()
return True
def packet_samr_64(packet, conversation, context):
# Connect5
c = context.get_samr_context()
c.get_handle()
return True
packet_samr_68 = null_packet
def packet_srvsvc_16(packet, conversation, context):
# NetShareGetInfo
s = context.get_srvsvc_connection()
server_unc = "\\\\" + context.server
share_name = "IPC$"
level = 1
s.NetShareGetInfo(server_unc, share_name, level)
return True
def packet_srvsvc_21(packet, conversation, context):
"""NetSrvGetInfo
FIXME: Level changed from 102 to 101 here, to bypass Windows error.
Level 102 will cause WERR_ACCESS_DENIED error against Windows, because:
> If the level is 102 or 502, the Windows implementation checks whether
> the caller is a member of one of the groups previously mentioned or
> is a member of the Power Users local group.
It passed against Samba since this check is not implemented by Samba yet.
refer to:
https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_80
"""
srvsvc = context.get_srvsvc_connection()
server_unc = "\\\\" + context.server
level = 101
srvsvc.NetSrvGetInfo(server_unc, level)
return True
Mini Shell