# Impacket - Collection of Python classes for working with network protocols.
#
# SECUREAUTH LABS. Copyright (C) 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description:
# [MS-BKRP] Interface implementation
#
# Best way to learn how to use these calls is to grab the protocol standard
# so you understand what the call does, and then read the test case located
# at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
# Author:
# Alberto Solino (@agsolino)
#
# ToDo:
# [ ] 2.2.2 Client-Side-Wrapped Secret
#

from __future__ import division
from __future__ import print_function
from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray
from impacket.dcerpc.v5.dtypes import DWORD, NTSTATUS, GUID, RPC_SID, NULL
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket import system_errors
from impacket.uuid import uuidtup_to_bin, string_to_bin
from impacket.structure import Structure

# Identifier of the [MS-BKRP] RPC interface: the interface UUID paired with
# version '1.0', converted to binary form by uuidtup_to_bin.
MSRPC_UUID_BKRP = uuidtup_to_bin(
    ('3dde7c30-165d-11d1-ab8f-00805f14db40', '1.0')
)


class DCERPCSessionError(DCERPCException):
    """DCERPCException subclass that renders itself as a 'BKRP SessionError'.

    Construction is delegated unchanged to DCERPCException; only the string
    form is specific to this module.
    """

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        """Return the error code in hex, with system_errors text when known."""
        code = self.error_code
        # NOTE(review): '%x' needs an integer, so both branches assume
        # error_code has been set to an int (the constructor default is
        # None) -- confirm that DCERPCException always populates it.
        if code not in system_errors.ERROR_MESSAGES:
            return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code

        # Each known code maps to a sequence: short name first, then the
        # longer description.
        short_text = system_errors.ERROR_MESSAGES[code][0]
        long_text = system_errors.ERROR_MESSAGES[code][1]
        return 'BKRP SessionError: code: 0x%x - %s - %s' % (
            self.error_code,
            short_text,
            long_text,
        )


################################################################################
# CONSTANTS
################################################################################

# Action GUIDs, converted to binary form by string_to_bin. [MS-BKRP] 3.1.4.1
# defines them as the values of BackuprKey's pguidActionAgent argument, which
# selects the operation the server performs. The one-line summaries below
# paraphrase the specification; confirm against it before relying on them.

# Ask the server to wrap a secret (server-side wrapping).
BACKUPKEY_BACKUP_GUID = string_to_bin(
    "7F752B10-178E-11D1-AB8F-00805F14DB40"
)

# Ask the server to unwrap a secret that was wrapped server-side.
BACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin(
    "7FE94D50-178E-11D1-AB8F-00805F14DB40"
)

# Fetch the server's public key, used for client-side wrapping.
BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin(
    "018FF48A-EABA-40C6-8F6D-72370240E967"
)

# Ask the server to unwrap a secret that was wrapped client-side.
BACKUPKEY_RESTORE_GUID = string_to_bin(
    "47270C64-2FC7-499B-AC5B-0E37CDCE899A"
)


################################################################################
# STRUCTURES
################################################################################
class BYTE_ARRAY(NDRUniConformantArray):
    """NDR uni-conformant array whose element format is 'c'."""

    # Element format specifier; 'c' is the single-character format.
    item = 'c'


class PBYTE_ARRAY(NDRPOINTER):
    """NDR pointer whose referent is a BYTE_ARRAY stored under 'Data'."""

    referent = (
        ('Data', BYTE_ARRAY),
    )


# 2.2.4.1 Rc4EncryptedPayload Structure
class Rc4EncryptedPayload(Structure):
    """Byte layout of the Rc4EncryptedPayload blob ([MS-BKRP] 2.2.4.1).

    This class only declares fields. It performs no decryption and does not
    check MAC, so code that consumes a parsed payload has to verify the MAC
    itself before trusting SID or Secret.
    """

    structure = (
        # Fixed 32-byte field, empty by default.
        ('R3', '32s=""'),
        # Fixed 20-byte field, empty by default.
        # NOTE(review): 20 bytes matches a SHA-1 sized digest -- confirm the
        # MAC algorithm against the specification.
        ('MAC', '20s=""'),
        # Field typed as RPC_SID.
        ('SID', ':', RPC_SID),
        # NOTE(review): presumably the bytes left after SID -- confirm how
        # impacket.structure treats a bare ':' specifier.
        ('Secret', ':'),
    )


# 2.2.4 Secret Wrapped with Symmetric Key
class WRAPPED_SECRET(Structure):
    """Byte layout of a secret wrapped with a symmetric key ([MS-BKRP] 2.2.4).

    The size of Rc4EncryptedPayload is taken from the Payload_Length header
    field. Ciphertext_Length is declared but no length expression in this
    class refers to it. Both lengths are supplied by whoever produced the
    blob, so a consumer should check them against the size of the buffer it
    actually received before decrypting anything.
    """

    structure = (
        # '<L' fields are little-endian 32-bit values; '=N' is the default.
        ('SIGNATURE', '<L=1'),
        ('Payload_Length', '<L=0'),
        ('Ciphertext_Length', '<L=0'),
        # Fixed 16-byte field, empty by default.
        ('GUID_of_Wrapping_Key', '16s=""'),
        # Fixed 68-byte field, empty by default.
        ('R2', '68s=""'),
        # Length specifier for the field below: its size is the value of
        # the expression self["Payload_Length"].
        ('_Rc4EncryptedPayload', '_-Rc4EncryptedPayload', 'self["Payload_Length"]'),
        # Kept as raw bytes here; nothing in this class parses it further.
        ('Rc4EncryptedPayload', ':'),
    )


################################################################################
# RPC CALLS
################################################################################
# 3.1.4.1 BackuprKey(Opnum 0)
class BackuprKey(NDRCALL):
    """Request for the BackuprKey call, opnum 0 ([MS-BKRP] 3.1.4.1)."""

    opnum = 0
    structure = (
        # GUID naming the requested action (see the BACKUPKEY_* constants).
        ('pguidActionAgent', GUID),
        # Input bytes for the action.
        ('pDataIn', BYTE_ARRAY),
        # NOTE(review): presumably the byte count of pDataIn -- the helper
        # in this file fills it with len(pDataIn).
        ('cbDataIn', DWORD),
        ('dwParam', DWORD),
    )


class BackuprKeyResponse(NDRCALL):
    """Response to the BackuprKey call."""

    structure = (
        # Pointer to the returned byte array.
        ('ppDataOut', PBYTE_ARRAY),
        # NOTE(review): presumably the byte count of ppDataOut -- confirm
        # against [MS-BKRP] 3.1.4.1.
        ('pcbDataOut', DWORD),
        # Status of the call, typed as NTSTATUS.
        ('ErrorCode', NTSTATUS),
    )


################################################################################
# OPNUMs and their corresponding structures
################################################################################
# Maps each operation number to its (request class, response class) pair.
OPNUMS = {
    0: (BackuprKey, BackuprKeyResponse),
}


################################################################################
# HELPER FUNCTIONS
################################################################################
def hBackuprKey(dce, pguidActionAgent, pDataIn, dwParam=0):
    """Build a BackuprKey request and send it through *dce*.

    Args:
        dce: Object exposing ``request()``; presumably a DCERPC connection
            already bound to the BKRP interface -- confirm with callers.
        pguidActionAgent: Action GUID, stored in the request as given.
        pDataIn: Input bytes, stored in the request as given, or NULL.
        dwParam: Value for the request's dwParam field (default 0).

    Returns:
        Whatever ``dce.request()`` returns for the request.

    NOTE(review): this helper neither sets nor checks any transport security
    on *dce*, and pDataIn may carry secret material. The caller is
    responsible for binding with an authentication level that protects the
    payload (packet privacy) -- confirm the exact requirement in the
    transport section of [MS-BKRP].
    """
    call = BackuprKey()
    call['pguidActionAgent'] = pguidActionAgent
    call['pDataIn'] = pDataIn
    # cbDataIn carries the input length; a NULL input is sent with length 0.
    call['cbDataIn'] = 0 if pDataIn == NULL else len(pDataIn)
    call['dwParam'] = dwParam
    return dce.request(call)