o

�/ap�@s�dd
lZdd
l
Z
dd
lZddlmZ
ddlmZmZmZm	Z	m
Z
mZ
ddlm
Z

ddlmZ
ddlmZ
ddlmZ
ddlmZmZmZ
dd	lmZ
dd
lmZmZ
dd
lZdd
lZddlm Z 
dd
�Z!dd�Z"ej#ej$ej%ej&ej'ej(ej)ej*ej+ej,ej-ej.ej/ej0ej1ej2ej3ej4ej5ej6ej7ej8ej9ej:ej;ej<ej=gZ>dd�Z?dd�Z@dd�ZAe@ZBe@ZCe@ZDe@ZEe@ZFe@ZGe@ZHe@ZIdd�ZJdd�ZKdd�ZLe@ZMdd�ZNdd�eOe�
D�
ZPd d!�ZQd"d#�ZRd$d%�ZSe@ZTe@ZUe@ZVe@ZWd&d'�ZXe@ZYd(d)�ZZe@Z[d*d+�Z\d,d-�Z]e@Z^e@Z_e@Z`e@Zae@Zbe@Zce@Zde@Zee@Zfe@Zge@Zhe@Zie@Zje@Zkd.d/�Zld0d1�Zmd2d3�Zne@Zoe@Zpe@Zqe@Zrd4d5�Zsd6d7�Ztd8d9�Zue@Zve@Zwe@Zxe@Zye@Zze@Z{e@Z|e@Z}d:d;�Z~d<d=�Ze@Z�d>d?�Z�d@dA�Z�dBdC�Z�dDdE�Z�dFdG�Z�dHdI�Z�dJdK�Z�dLdM�Z�dNdO�Z�dPdQ�Z�dRdS�Z�dTdUgZ�dVdW�Z�e@Z�dXdY�Z�dZd[�Z�d\d]�Z�d^d_�Z�d`da�Z�dbdc�Z�ddde�Z�dfdg�Z�e@Z�dhdi�Z�e@Z�e@Z�djdk�Z�dldm�Z�e@Z�dndo�Z�dpdq�Z�d
S)r�N)
�Net)�security�drsuapi�nbt�lsa�netlogon�ntlmssp)
�netr_WorkstationInformation)
�dom_sid)
�Node)
�ndr_pack)�CLI_CRED_NTLMv2_AUTH�MUST_USE_KERBEROS�DONT_USE_KERBEROS)
�
NTSTATUSError)�NT_STATUS_OBJECT_NAME_NOT_FOUND�NT_STATUS_NO_SUCH_DOMAIN)
�
SCOPE_BASEc

Cst�
|�
jS)
N)�ctypes�c_uint32�value)
�
v�r�?/usr/lib/python3/dist-packages/samba/emulate/traffic_packets.py�uint32*s
rcCs*|durd
St|j
d�
}||
krdSd
S)NFr
T)r�args)�runtime�val�err32rrr�check_runtime_error.s



rc

Cstd
|�

dS)NzWarning: %s)
�print)
�messagerrr�warningXs
r"c
Csd
S�NFr��packet�conversation�contextrrr�null_packet�s
r(cCs8t|j
|jd
�}|j|j�d�
tjtjBtjBd�
dS)N)�creds�lp�realm)�domain�flagsT)	rr)r*�finddc�getr�NBT_SERVER_LDAP�
NBT_SERVER_DS�NBT_SERVER_WRITABLE)r%r&r'�netrrr�packet_cldap_3�s


���r4cC�|j�
�tkrtd
�

dS)NzQKerberos disabled but have dcerpc Alter_context_resp indicating Kerberos was usedF)�
user_creds�get_kerberos_staterr"r$rrr�packet_dcerpc_15��
r8cCr5)NzBKerberos enabled but have dcerpc AUTH3 indicating NTLMSSP was usedF)r6r7rr"r$rrr�packet_dcerpc_16�r9r:cCs|��\}}t
j�||�
d
S�NT)�guess_a_dns_lookup�dns�resolver�query)r%r&r'�name�rtyperrr�packet_dns_0�s

rBcCs|�d
�

d
Sr;)
�get_drsuapi_connection_pairr$rrr�packet_drsuapi_0�s

rDc
Csg|]}
d|
vrtt
|
��qS)
�NAME_FORMAT)�getattrr)�.0�_xrrr�
<listcomp>�s
�
rIc	Csr|��\}}t
��}|j|_t
��}d
|_d|_t�	t
�
|_d|_d|_
d
|_d|_|g
|_|�|d|�\}}dS)Nr
�i�i	�
T)rCr�DsNameString�server�str�DsNameRequest1�format_flags�format_offered�random�choice�name_formats�format_desired�codepage�language�count�names�DsCrackNames)	r%r&r'�drs�handlerY�req�result�ctrrrr�packet_drsuapi_12�s









r`c	Csdt�
�}tj|_d
|_|j|_d|_t��}d�	|j
�
|_|g
|_|�
�\}}|�|d|�\}}dS)Nr
rKzfoo/{}T)r�DsWriteAccountSpnRequest1� DRSUAPI_DS_SPN_OPERATION_REPLACE�	operation�unknown1�user_dn�	object_dnrXrL�format�usernamerN�	spn_namesrC�DsWriteAccountSpn)	r%r&r'r]�spn_namer[r\�level�resrrr�packet_drsuapi_13�s









rncCs"|��\}}|�
|�

|jd
=dS)N���T)rC�DsUnbind�drsuapi_connections)r%r&r'r[r\rrr�packet_drsuapi_1
s



rrcCs@|j�
t�

|j�
t�

|j�
t�

|j�
t�

|j�
t�

d
Sr#)r6�set_kerberos_stater�user_creds_bad�
machine_creds�machine_creds_badr)r$rrr�packet_kerberos_
s




rwcCs2|jd
dkr|j
ddd�
dS|j
ddd�
dS)N��simpleT)�newryF)�extra�get_ldap_connectionr$rrr�
packet_ldap_00
s
�
r}cCs|jd
d�=dS)NroF)
�ldap_connectionsr$rrr�
packet_ldap_2@
s
rcCsx|j\}}}}}}}	|st
}|��}
|�|�
}|dus|d
kr*|t
kr*|�|||�}|
j||t|�
|�d�
dg
d�
dS)N��
,zpaged_results:1:1000)�
expression�scope�attrs�controlsT)r{rr|�get_matching_dn�guess_search_filter�search�int�split)r%r&r'r��dn_sig�filterr�r{�desc�oid�samdb�dnrrr�
packet_ldap_3G
s








�r�c
Cs\|��}t
��}|�d
|tj�}t
��}t
�d�
t
�d�
g}t
j}d}	|�	|||||	�
dS)Nr��This Organization�Digest Authenticationr
T)
� get_lsarpc_named_pipe_connectionr�ObjectAttribute�OpenPolicy2r�SEC_FLAG_MAXIMUM_ALLOWED�
TransSidArray�String�LSA_LOOKUP_NAMES_ALL�LookupNames)
r%r&r'�
c�
objectAttr�
pol_handle�sidsrYrlrXrrr�packet_lsarpc_14�
s

�

�


r�cCst|��}t
��}|�d
|tj�}t
��}t
��}td�
}||_	|g
|_
d|_t
��}	t
j
}
d}|�|||	|
|�
dS)Nr��S-1-5-7rKr
T)r�rr�r�rr��SidArray�SidPtrr
�sidr��num_sids�TransNameArrayr��
LookupSids)r%r&r'r�r�r�r�r��
xrYrlrXrrr�packet_lsarpc_15�
s 

�







r�c	
Cs�|��}t
��}|�d
|tj�}t�|j�
}d}z
|�|||�
WdSt	yG
}
zt
|t�s5t
|t�s<�WYd}~dSWYd}~dSd}~w
w)Nr�rKT)
r�rr�r�rr�r
�
domain_sid�QueryTrustedDomainInfoBySidrrrr)	r%r&r'r�r�r��domsidrl�errorrrr�packet_lsarpc_39�
s*
�


�

�
�
���r�cCsj|��}t
��}t
��}td
�
}||_|g
|_d|_t
��}t
j	}d}	t
j
}
t
j}|�||||	|
|�
dS)Nr�rKr
T)
�get_lsarpc_connectionrr�r�r
r�r�r��TransNameArray2r��'LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES�LSA_CLIENT_REVISION_2�LookupSids3)r%r&r'r�r�r�r�rYrlrX�lookup_options�client_revisionrrr�packet_lsarpc_76�
s











r�c
CsR|��}t
��}t
�d
�
t
�d�
g}t
j}d}t
j}t
j}	|�||||||	�
dS)Nr�r�r
T)r�r�TransSidArray3r�r�r�r��LookupNames4)
r%r&r'r�r�rYrlrXr�r�rrr�packet_lsarpc_77�
s


�




r�cCs.t�}z
|j
d
|jddd�
WdS


YdS)N�ANAME�F)�timeout�	broadcastT)r�
query_namerM)r%r&r'�
nrrr�
packet_nbns_0�
s

�

r�cCs6|��}|�
�\}}t�}|�|j|j||d
|�
dS)N�T)�get_netlogon_connection�get_authenticatorr	�netr_LogonGetDomainInforM�netbios_name)r%r&r'r��auth�succr?rrr�packet_rpc_netlogon_29#s






�r�cCs�|��}|�
�\}}d
}|j���d�
}t|�
}dd�t�||�
D�
}	t�	�}
||
_
|	dd�|D�
|
_|j�|
�

|�
|j|j��|j��|j||
�
dS)Niz	utf-16-lec
S�"g|]
}
t|
t
�r|
nt|
�
�qSr��
isinstancer��ord�rGr�rrrrI<�"z*packet_rpc_netlogon_30.<locals>.<listcomp>c
Sr�rr�r�rrrrI?r�T)r�r�ru�get_password�encode�len�os�urandomr�netr_CryptPassword�length�data�encrypt_netr_crypt_password�netr_ServerPasswordSet2rM�get_username�get_secure_channel_typer�)r%r&r'r�r�r��DATA_LEN�newpass�pwd_len�filler�pwdrrr�packet_rpc_netlogon_302s$












�r�c�(�f
d
d�}��|�j
�j�j��_dS)Nc
sd���}
|�
�}|�t�

t�j�j|�}tj}tj	}d
}|
�
�j�j�
�||||�
|�|�

dS�Nr
)r�r7rsr�samlogon_logon_infor,r�r�$NetlogonNetworkTransitiveInformation�NetlogonValidationSamInfo4�netr_LogonSamLogonExrMru�get_workstation)r)r��	old_state�logon�logon_level�validation_level�
netr_flags�
r'rr�connectQs$




�







�z'packet_rpc_netlogon_39.<locals>.connectT��with_random_bad_credentialsr6rt�last_samlogon_bad�r%r&r'r�rr�r�packet_rpc_netlogon_39Os


��r�cCs^t�
�}d
|_t��}tj|_|
|_t��}tj|_||_t��}tj|_|||g|_	t
|�
S)N�)r�AV_PAIR_LISTrX�AV_PAIR�MsvAvNbComputerName�AvId�Value�MsvAvNbDomainName�MsvAvEOL�pairr)�domain_name�
computer_name�target_info�computername�
domainname�eolrrr�samlogon_targetos








r
c	Cs�t||
�}d
}|j
t||d�}t��}dd�|D�
|_t��|_t|d�
|j_	dd�|dD�
|j_
t��|_|�
�\}}||jj_||jj_|��|jj_|S)Nsabcdefgh)r-�	challenger�c
Sr�rr�r�rrrrI�r�z'samlogon_logon_info.<locals>.<listcomp>�nt_responsec
Sr�rr�r�rrrrI�r�)r
�get_ntlm_responser
r�netr_NetworkInfor
�netr_ChallengeResponse�ntr�r�r��netr_IdentityInfo�
identity_info�get_ntlm_username_domainr��string�account_namer��workstation)	r�r�r)�target_info_blobr
�responser�rhr,rrrr��s"


�









r�cCs(|��}|�
|jtjtjBtjB�
d
Sr;)r��netr_DsrEnumerateDomainTrustsrMr�NETR_TRUST_FLAG_IN_FOREST�NETR_TRUST_FLAG_OUTBOUND�NETR_TRUST_FLAG_INBOUND�r%r&r'r�rrr�packet_rpc_netlogon_40�s



���r
cr�)Nc
	
st���}
��
�\}}|��}|�t�

t�j�j|�}tj	}tj
}d
}|
��j�j
��||||||�
|�|�

dSr�)r�r�r7rsrr�r,r�rr�r��netr_LogonSamLogonWithFlagsrMrur�)	r)r�r�r�r�r�r�r�r�r�rrr��s*





�









�	z'packet_rpc_netlogon_45.<locals>.connectTr�r�rr�r�packet_rpc_netlogon_45�s


��r
cC�|��}|�
�
d
Sr;��get_samr_context�
get_handler
rrr�
packet_samr_0��

r
cCs�|��}|�
�}|jdu
r|�|j�

d|_d
S|jdu
r(|�|j�

d|_d
S|jdu
r;|�|j�

d|_d|_d
S|jdu
rL|�|j�

d|_d|_d
Sr;)	r
�get_connection�user_handle�Close�group_handle�
domain_handle�ridsr\r��r%r&r'r��
srrr�
packet_samr_1�s(




�

	
�



�



r(
cCs8|��}|�
�}|jdurt||
|�
|�|jd
�
dS�NrKT)r
r 
r!
�packet_samr_34�
QuerySecurityr&
rrr�
packet_samr_3�s





r,
cCs:|��}|�
�}|��}t��}|j|_|�||�|_d
Sr;)	r
r 
r
rr�r,r

�LookupDomainr�)r%r&r'r�r'
�
h�
drrr�
packet_samr_5�s





r0
cCs*|��}|�
�}|��}|�|d
d
�
dS�Nr
T)r
r 
r
�EnumDomains�r%r&r'r�r'
r.
rrr�
packet_samr_6�s




r4
cCsF|��}|�
�}|��}|jdurt||
|�
|�|tj|j�|_d
Sr;)	r
r 
r
r�r0
�
OpenDomainrr�r$
r3
rrr�
packet_samr_7s






�r6
��cCsB|��}|�
�}|jdurt||
|�
t�t�
}|�|j|�
d
Sr;)r
r 
r$
r6
rRrS�SAMR_QUERY_DOMAIN_INFO_LEVELS�QueryDomainInfo�r%r&r'r�r'
rlrrr�
packet_samr_8s







r<
cCs:|��}|�
�}|jdurt||
|�
|�|jd
d�
dS)N�dr
T)r
r 
r$
r6
�EnumDomainAliasesr&
rrr�packet_samr_15's




r?
cCsX|��}|�
�}|jdurt||
|�
t��}t��}|j|_|g
|_	|�
|j|�
d
Sr;)r
r 
r$
r6
rr�r�r�r�r��GetAliasMembership)r%r&r'r�r'
r�r�rrr�packet_samr_162s








rA
cCsH|��}|�
�}|jdurt||
|�
t�|j�
}|�|j|g
�|_d
Sr;)	r
r 
r$
r6
rr�rhr�r%
)r%r&r'r�r'
r@rrr�packet_samr_17As





rB
cCs^|��}|�
�}|jdurt||
|�
g}|jD]
}|jD]}|�|�

qq|�|j|�
d
Sr;)r
r 
r%
rB
�ids�append�
LookupRidsr$
)r%r&r'r�r'
r%
�
r�
irrr�packet_samr_18Ms









�
rH
cCsB|��}|�
�}|jdurt||
|�
d
}|�|jtj|�|_dS)NiT)r
r 
r$
r6
�	OpenGrouprr�r#
)r%r&r'r�r'
�ridrrr�packet_samr_19[s






�rK
cC�6|��}|�
�}|jdurt||
|�
|�|j�

d
Sr;)r
r 
r#
rK
�QueryGroupMemberr&
rrr�packet_samr_25i�





rN
cCsJ|��}|�
�}|jdurt||
|�
|�|jtj|jd
jd
�|_	dSr1
)
r
r 
r%
rB
�OpenUserr$
rr�rC
r!
r&
rrrr*
ss






�r*
cCs<|��}|�
�}|jdurt||
|�
d
}|�|j|�
dSr)
)r
r 
r!
r*
�
QueryUserInfor;
rrr�packet_samr_36s






rR
cCrL
r;)r
r 
r!
r*
�GetGroupsForUserr&
rrr�packet_samr_39�rO
rT
cCr
r;r
r
rrr�packet_samr_57�r
rU
cCr
r;r
r
rrr�packet_samr_64�r
rV
cCs,|��}d
|j
}d}d}|�|||�
dS)N�\\zIPC$rKT)�get_srvsvc_connectionrM�NetShareGetInfo)r%r&r'r'
�
server_unc�
share_namerlrrr�packet_srvsvc_16�s





r\
cCs&|��}d
|j
}d}|�||�
dS)a*NetSrvGetInfo

    FIXME: Level changed from 102 to 101 here, to bypass Windows error.

    Level 102 will cause WERR_ACCESS_DENIED error against Windows, because:

        > If the level is 102 or 502, the Windows implementation checks whether
        > the caller is a member of one of the groups previously mentioned or
        > is a member of the Power Users local group.

    It passed against Samba since this check is not implemented by Samba yet.

    refer to:

        https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_80

    rW
�eT)rX
rM�
NetSrvGetInfo)r%r&r'�srvsvcrZ
rlrrr�packet_srvsvc_21�s





r`
)�r�rrR�	samba.netr�samba.dcerpcrrrrrr�samba.dcerpc.netlogonr	�samba.dcerpc.securityr
�
samba.netbiosr�	samba.ndrr�samba.credentialsr
rr�sambar�samba.ntstatusrr�dns.resolverr=�ldbrrr� DRSUAPI_DS_NAME_FORMAT_FQDN_1779�"DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT�DRSUAPI_DS_NAME_FORMAT_DISPLAY�DRSUAPI_DS_NAME_FORMAT_GUID� DRSUAPI_DS_NAME_FORMAT_CANONICAL�%DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL�#DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX�(DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL�)DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY�!DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN�'DRSUAPI_DS_NAME_FORMAT_UPN_AND_ALTSECID�6DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX�2DRSUAPI_DS_NAME_FORMAT_LIST_GLOBAL_CATALOG_SERVERS�$DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON�4DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_WITH_DCS_IN_SITE�&DRSUAPI_DS_NAME_FORMAT_STRING_SID_NAME�3DRSUAPI_DS_NAME_FORMAT_ALT_SECURITY_IDENTITIES_NAME�DRSUAPI_DS_NAME_FORMAT_LIST_NCS�#DRSUAPI_DS_NAME_FORMAT_LIST_DOMAINS�&DRSUAPI_DS_NAME_FORMAT_MAP_SCHEMA_GUID�3DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN�!DRSUAPI_DS_NAME_FORMAT_LIST_ROLES�+DRSUAPI_DS_NAME_FORMAT_LIST_INFO_FOR_SERVER�6DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_FOR_DOMAIN_IN_SITE�+DRSUAPI_DS_NAME_FORMAT_LIST_DOMAINS_IN_SITE�+DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_IN_SITE�!DRSUAPI_DS_NAME_FORMAT_LIST_SITESrTr"r(r4�packet_cldap_5�packet_dcerpc_0�packet_dcerpc_2�packet_dcerpc_3�packet_dcerpc_11�packet_dcerpc_12�packet_dcerpc_13�packet_dcerpc_14r8r:rB�packet_dns_1rD�dir�NAME_FORMATSr`rnrr�packet_drsuapi_2�packet_drsuapi_3�packet_drsuapi_4�packet_epm_3rw�packet_ldap_r}�
packet_ldap_1rr��
packet_ldap_4�
packet_ldap_5�
packet_ldap_6�
packet_ldap_7�
packet_ldap_8�
packet_ldap_9�packet_ldap_16�packet_lsarpc_0�packet_lsarpc_1�packet_lsarpc_2�packet_lsarpc_3�packet_lsarpc_4�packet_lsarpc_5�packet_lsarpc_6r�r�r��packet_lsarpc_40�packet_lsarpc_43�packet_lsarpc_44�packet_lsarpc_68r�r�r��
packet_nbns_1�packet_rpc_netlogon_0�packet_rpc_netlogon_1�packet_rpc_netlogon_4�packet_rpc_netlogon_14�packet_rpc_netlogon_15�packet_rpc_netlogon_21�packet_rpc_netlogon_26r�r��packet_rpc_netlogon_34r�r
r�r
r
r
r(
r,
r0
r4
r6
r9
r<
�packet_samr_14r?
rA
rB
rH
rK
rN
r*
rR
�packet_samr_37rT
�packet_samr_40�packet_samr_44rU
rV
�packet_samr_68r\
r`
rrrr�<module>
s


 


































�*



 #