- #!/usr/bin/python2
from binascii import unhexlify
import os
from struct import pack, unpack

from Crypto.Cipher import ARC4

from impacket import ntlm
from impacket.dcerpc.v5 import transport, epm, nrpc
from impacket.dcerpc.v5.dtypes import NULL
- print('ddd')
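class xxx(object):
    """Netlogon secure-channel client that runs one interactive NetrLogonSamLogonEx.

    The connection parameters default to the values this script was written
    for.  The account password is no longer kept as a literal in source: pass
    it as ``password=``, export it in the ``NETLOGON_PASSWORD`` environment
    variable, or supply ``hashes='LMHEX:NTHEX'`` instead.

    Attributes set by connect(): ``sessionKey`` (the negotiated Netlogon
    session key) and ``clientStoredCredential``.
    """

    # Environment variable consulted when neither password nor hashes are given.
    PASSWORD_ENV = 'NETLOGON_PASSWORD'

    # ParameterControl bitmask sent in NETLOGON_LOGON_IDENTITY_INFO; identical to the
    # original 2 + 2**14 + 2**7 + 2**9 + 2**5 + 2**11 (bit meanings per MS-NRPC).
    PARAMETER_CONTROL = 0x4AA2

    def __init__(self, username='mmarkk', domain='in.ideco.ru',
                 serverName='dc.in.ideco.ru', machine='10.80.60.10',
                 password=None, hashes='', verbose=True):
        """Store connection parameters; raises ValueError when no secret is available.

        Args:
            username: account used for the secure channel and the logon.
            domain: NetBIOS/DNS domain of the account.
            serverName: DC name passed to NetrServerReqChallenge / Authenticate3.
            machine: host the ncacn_np binding string points at.
            password: cleartext password; falls back to the PASSWORD_ENV variable.
            hashes: 'LMHEX:NTHEX' pair used instead of the password when set.
            verbose: dump every RPC response to stdout (the original always did).
        """
        self.username = username
        self.domain = domain
        self.serverName = serverName
        self.machine = machine
        self.hashes = hashes or ''
        self.verbose = verbose
        if password is None and not self.hashes:
            password = os.environ.get(self.PASSWORD_ENV)
        if password is None and not self.hashes:
            raise ValueError('no credential: pass password=/hashes= or set %s'
                             % self.PASSWORD_ENV)
        # With hashes supplied the password is never needed (impacket uses the hash).
        self.password = password if password is not None else ''
        self.sessionKey = None
        self.clientStoredCredential = None
        # TCP alternative kept from the original for reference:
        #   epm.hept_map(self.machine, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
        self.stringBinding = r'ncacn_np:%s[\PIPE\netlogon]' % self.machine

    def _split_hashes(self):
        """Return (lmhash, nthash) as hex strings; ('', '') when no hashes were given.

        Raises ValueError if ``hashes`` is set but is not exactly 'LM:NT'.
        """
        if not self.hashes:
            return '', ''
        lmhash, nthash = self.hashes.split(':')
        return lmhash, nthash

    def connect(self, clientChallenge=None):
        """Bind to the NETLOGON pipe and establish the secure channel.

        Args:
            clientChallenge: 8-byte client nonce; a fresh random one is drawn
                when omitted (the original reused the constant '12345678').

        Returns:
            (dce, rpctransport).  The caller owns the connection and must
            disconnect it.  Sets self.sessionKey and self.clientStoredCredential.

        Raises:
            Whatever the RPC layer raises, except a STATUS_DOWNGRADE_DETECTED
            rejection of NetrServerAuthenticate3, which is tolerated as in the
            original (the channel is then NOT authenticated).
        """
        if clientChallenge is None:
            # A per-channel nonce; a fixed value lets an observer replay/correlate.
            clientChallenge = os.urandom(8)
        lmhash, nthash = self._split_hashes()

        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if hasattr(rpctransport, 'set_credentials'):
            # Only some protocol sequences authenticate at the transport layer.
            rpctransport.set_credentials(self.username, self.password, self.domain,
                                         lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(nrpc.MSRPC_UUID_NRPC)

        resp = nrpc.hNetrServerReqChallenge(dce, NULL, self.serverName + '\x00',
                                            clientChallenge)
        if self.verbose:
            resp.dump()
        serverChallenge = resp['ServerChallenge']

        # Session key from the shared secret (password, or its NT hash when given).
        ntHash = unhexlify(nthash) if self.hashes else None
        self.sessionKey = nrpc.ComputeSessionKeyStrongKey(self.password, clientChallenge,
                                                          serverChallenge, ntHash)
        clientCredential = nrpc.ComputeNetlogonCredential(clientChallenge, self.sessionKey)
        try:
            resp = nrpc.hNetrServerAuthenticate3(
                dce, NULL, self.username + '\x00',
                nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
                self.serverName + '\x00', clientCredential, 0x600FFFFF)
            if self.verbose:
                resp.dump()
        except Exception as e:
            # Best-effort behaviour kept from the original: a downgrade rejection
            # is swallowed; subsequent calls on the channel will fail.
            if 'STATUS_DOWNGRADE_DETECTED' not in str(e):
                raise
        # NOTE(review): the original used self.username for a WorkstationSecureChannel;
        # confirm the account is appropriate for that channel type.
        self.clientStoredCredential = pack('<Q', unpack('<Q', clientCredential)[0] + 10)
        return dce, rpctransport

    def _owf_hashes(self):
        """Return (lmhash, nthash) as raw OWF bytes, from ``hashes`` or the password."""
        if self.hashes:
            lmhash, nthash = self._split_hashes()
            return unhexlify(lmhash), unhexlify(nthash)
        return ntlm.LMOWFv1(self.password), ntlm.NTOWFv1(self.password)

    def _build_logon_request(self):
        """Build the NetrLogonSamLogonEx request for an interactive logon of self.username."""
        request = nrpc.NetrLogonSamLogonEx()
        request['LogonServer'] = '\x00'
        request['ComputerName'] = self.serverName + '\x00'
        request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
        request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation
        request['LogonInformation']['LogonInteractive']['Identity']['LogonDomainName'] = self.domain
        request['LogonInformation']['LogonInteractive']['Identity']['ParameterControl'] = self.PARAMETER_CONTROL
        request['LogonInformation']['LogonInteractive']['Identity']['UserName'] = self.username
        request['LogonInformation']['LogonInteractive']['Identity']['Workstation'] = ''

        lmhash, nthash = self._owf_hashes()
        # Each hash is encrypted with a fresh RC4 state keyed by the session key
        # (keystream restarted per field, as the original did).  This matches the
        # RC4 password encryption the negotiated flags imply; an AES channel would
        # need a different cipher — TODO confirm against the flags in connect().
        request['LogonInformation']['LogonInteractive']['LmOwfPassword'] = ARC4.new(self.sessionKey).encrypt(lmhash)
        request['LogonInformation']['LogonInteractive']['NtOwfPassword'] = ARC4.new(self.sessionKey).encrypt(nthash)

        request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
        request['ExtraFlags'] = 1
        return request

    def qwe(self):
        """Establish the secure channel, run one interactive logon and return the response.

        The RPC connection is always closed afterwards.  When ``verbose`` is
        set the response (which includes the validation data) is dumped to stdout.
        """
        dce, rpctransport = self.connect()
        try:
            resp = dce.request(self._build_logon_request())
        finally:
            # The original leaked the connection; release the transport either way.
            dce.disconnect()
        if self.verbose:
            resp.dump()
        return resp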
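if __name__ == '__main__':
    # Run the logon only when executed as a script, not when the module is imported.
    xxx().qwe()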