NT_STATUS_OBJECT_NAME_NOT_FOUND,
NT_STATUS_NO_SUCH_DOMAIN
)
-from samba.dcerpc.misc import SEC_CHAN_WKSTA
import samba
-samba.ensure_third_party_module("dns", "dnspython")
import dns.resolver
+
def uint32(v):
return ctypes.c_uint32(v).value
if runtime is None:
return False
- err32 = uint32(runtime[0])
+ err32 = uint32(runtime.args[0])
if err32 == val:
return True
def packet_drsuapi_13(packet, conversation, context):
# DsWriteAccountSpn
req = drsuapi.DsWriteAccountSpnRequest1()
- req.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_ADD
+ req.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_REPLACE
+ req.unknown1 = 0 # Unused, must be 0
+ req.object_dn = context.user_dn
+ req.count = 1 # only 1 name
+ spn_name = drsuapi.DsNameString()
+ spn_name.str = 'foo/{}'.format(context.username)
+ req.spn_names = [spn_name]
(drs, handle) = context.get_drsuapi_connection_pair()
(level, res) = drs.DsWriteAccountSpn(handle, 1, req)
return True
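Review bot: Switching `req.operation` to `DRSUAPI_DS_SPN_OPERATION_REPLACE` with a single hard-coded `'foo/<username>'` entry on `context.user_dn` will, if REPLACE carries its usual replace-the-whole-attribute semantics, discard every existing servicePrincipalName on that account instead of adding one, and nothing in the hunk records that this is intended. The reply bound to `(level, res)` is also never inspected, so a refusal from the server is silently treated as success by the unconditional `return True`. If clobbering the SPN set of the generated user is deliberate, say so on the operation line, e.g. `# REPLACE overwrites all existing SPNs on the account; only safe for generated test users`, and check the returned status (hedged: the result object presumably exposes one) before returning.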
# subsequent runs
newpass = context.machine_creds.get_password().encode('utf-16-le')
pwd_len = len(newpass)
- filler = [ord(x) for x in os.urandom(DATA_LEN - pwd_len)]
+ filler = [x if isinstance(x, int) else ord(x) for x in os.urandom(DATA_LEN - pwd_len)]
pwd = netlogon.netr_CryptPassword()
pwd.length = pwd_len
- pwd.data = filler + [ord(x) for x in newpass]
+ pwd.data = filler + [x if isinstance(x, int) else ord(x) for x in newpass]
context.machine_creds.encrypt_netr_crypt_password(pwd)
c.netr_ServerPasswordSet2(context.server,
- context.machine_creds.get_workstation(),
- SEC_CHAN_WKSTA,
+ # must ends with $, so use get_username instead
+ # of get_workstation here
+ context.machine_creds.get_username(),
+ context.machine_creds.get_secure_channel_type(),
context.netbios_name,
auth,
pwd)
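Review bot: The `x if isinstance(x, int) else ord(x)` comprehension now appears four times in this file (the `filler` and `pwd.data` lines here, and `logon.challenge` / `logon.nt.data` in the next hunk); `list(bytearray(os.urandom(DATA_LEN - pwd_len)))` and `list(bytearray(newpass))` yield the same list of ints on both Python 2 and 3 without the per-element branch, or the expression belongs in one small helper. Independently, `DATA_LEN - pwd_len` is negative for a password longer than `DATA_LEN`, which gives an empty filler and a `pwd.data` shorter than the declared buffer; a guard such as `if pwd_len > DATA_LEN: raise ValueError("machine password exceeds DATA_LEN")` placed before the `filler` line makes that failure visible rather than producing a malformed netr_CryptPassword. The new comment should read `# must end with $, so use get_username instead`. The enclosing function starts and ends outside the hunk, and `DATA_LEN` is defined elsewhere in the file.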
logon = netlogon.netr_NetworkInfo()
- logon.challenge = [ord(x) for x in challenge]
+ logon.challenge = [x if isinstance(x, int) else ord(x) for x in challenge]
logon.nt = netlogon.netr_ChallengeResponse()
logon.nt.length = len(response["nt_response"])
- logon.nt.data = [ord(x) for x in response["nt_response"]]
+ logon.nt.data = [x if isinstance(x, int) else ord(x) for x in response["nt_response"]]
+
logon.identity_info = netlogon.netr_IdentityInfo()
(username, domain) = creds.get_ntlm_username_domain()
# NetShareGetInfo
s = context.get_srvsvc_connection()
server_unc = "\\\\" + context.server
- share_name = "netlogon"
+ share_name = "IPC$"
level = 1
s.NetShareGetInfo(server_unc, share_name, level)
return True
def packet_srvsvc_21(packet, conversation, context):
- # NetSrvGetInfo
+ """NetSrvGetInfo
+
+ FIXME: Level changed from 102 to 101 here, to bypass Windows error.
+
+ Level 102 will cause WERR_ACCESS_DENIED error against Windows, because:
+
+ > If the level is 102 or 502, the Windows implementation checks whether
+ > the caller is a member of one of the groups previously mentioned or
+ > is a member of the Power Users local group.
+
+ It passed against Samba since this check is not implemented by Samba yet.
+
+ refer to:
+
+ https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_80
+
+ """
srvsvc = context.get_srvsvc_connection()
server_unc = "\\\\" + context.server
- level = 102
+ level = 101
srvsvc.NetSrvGetInfo(server_unc, level)
return True
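Review bot: The new docstring explains the level change well, but the reason it records is a server-side gap (Samba not enforcing the admin/Power Users check that Windows applies to levels 102 and 502) rather than a property of this function, so the FIXME is better anchored to a tracking bug than left as free text; use a placeholder such as `FIXME(BUG-ID-PLACEHOLDER): ...` until one exists. The bare `level = 101` a few lines later carries no hint of that choice for a reader who skips the docstring; a one-line `# 101 rather than 102: avoids the Windows group-membership check described above` on that line keeps the two in step. The trailing blank line before the closing quotes and the summary line `"""NetSrvGetInfo` without a verb are minor PEP 257 deviations compared with the rest of the file's comment style.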