4 from optparse import OptionParser
# Exercise samr_Connect through samr_Connect5 in turn and return the policy
# handle obtained from samr_Connect5.
#
# NOTE(review): the parameter is named `handle`, but every call below uses the
# name `pipe`. The script body passes the connected pipe as the argument and
# also binds a module-level `pipe`, which is what these calls resolve to.
# The gutter numbers in this listing jump, so some statements (for example the
# request-dict setup) are not shown here.
6 def test_Connect(handle):
8 print 'testing samr_Connect'
# 0x02000000 is the MAXIMUM_ALLOWED access-mask bit: the server is asked for
# every right the authenticated account is entitled to, not one specific right.
# Every handle opened in this file therefore carries that account's full rights.
12 r['access_mask'] = 0x02000000
14 result = dcerpc.samr_Connect(pipe, r)
# The result of each of Connect..Connect4 is handed straight to samr_Close.
15 dcerpc.samr_Close(pipe, result)
17 print 'testing samr_Connect2'
20 r['system_name'] = None
21 r['access_mask'] = 0x02000000
23 result = dcerpc.samr_Connect2(pipe, r)
24 dcerpc.samr_Close(pipe, result)
26 print 'testing samr_Connect3'
29 r['system_name'] = None
31 r['access_mask'] = 0x02000000
33 result = dcerpc.samr_Connect3(pipe, r)
34 dcerpc.samr_Close(pipe, result)
36 print 'testing samr_Connect4'
39 r['system_name'] = None
41 r['access_mask'] = 0x02000000
43 result = dcerpc.samr_Connect4(pipe, r)
44 dcerpc.samr_Close(pipe, result)
46 print 'testing samr_Connect5'
49 r['system_name'] = None
50 r['access_mask'] = 0x02000000
# Connect5 additionally takes an info1 structure; both of its fields are zeroed.
53 r['info']['info1'] = {}
54 r['info']['info1']['unknown1'] = 0
55 r['info']['info1']['unknown2'] = 0
57 result = dcerpc.samr_Connect5(pipe, r)
# This handle is returned to the caller and is not closed in the visible lines.
59 return result['handle']
# Read the security descriptor of `handle`, write it back with
# samr_SetSecurity, then read it again.
#
# Only the `sdbuf` assignment of the SetSecurity request is visible; the other
# request fields are set on lines this listing does not show.
61 def test_QuerySecurity(pipe, handle):
63 print 'testing samr_QuerySecurity'
69 result = dcerpc.samr_QuerySecurity(pipe, r)
# The buffer returned by the query is reused unchanged as the new descriptor.
74 s['sdbuf'] = result['sdbuf']
76 result = dcerpc.samr_SetSecurity(pipe, s)
# NOTE(review): the second query result is not compared with the first in the
# visible lines, so only a raised error would flag a bad round trip - confirm.
78 result = dcerpc.samr_QuerySecurity(pipe, r)
# Call samr_GetDomPwInfo with four spellings of the name argument: the plain
# domain name, the domain name prefixed with two backslashes, the literal
# '\\__NONAME__' and the literal '\\Builtin'.
#
# The results are assigned but not inspected in the visible lines. Presumably
# a failing call raises dcerpc.NTSTATUS, as the except clauses elsewhere in
# this file suggest - confirm.
80 def test_GetDomPwInfo(pipe, domain):
82 print 'testing samr_GetDomPwInfo'
# name_len and name_size are left at 0 for every variant.
87 r['name']['name_len'] = 0
88 r['name']['name_size'] = 0
89 r['name']['name'] = domain
91 result = dcerpc.samr_GetDomPwInfo(pipe, r)
# '\\\\' in a non-raw Python string is two literal backslashes.
93 r['name']['name'] = '\\\\%s' % domain
95 result = dcerpc.samr_GetDomPwInfo(pipe, r)
97 r['name']['name'] = '\\\\__NONAME__'
99 result = dcerpc.samr_GetDomPwInfo(pipe, r)
101 r['name']['name'] = '\\\\Builtin'
103 result = dcerpc.samr_GetDomPwInfo(pipe, r)
# Call samr_RemoveMemberFromForeignDomain on `domain_handle` with a SID built
# by hand.
105 def test_RemoveMemberFromForeignDomain(pipe, domain_handle):
108 r['handle'] = domain_handle
# Constructed SID: revision 1, a six-byte identifier authority and four
# sub-authorities. The values look arbitrary; presumably they are chosen so
# that no real principal matches - confirm.
110 r['sid']['sid_rev_num'] = 1
111 r['sid']['id_auth'] = [1, 2, 3, 4, 5, 6]
112 r['sid']['num_auths'] = 4
113 r['sid']['sub_auths'] = [7, 8, 9, 10]
# The result is not checked in the visible lines.
115 result = dcerpc.samr_RemoveMemberFromForeignDomain(pipe, r)
# Placeholder for a samr_CreateUser2 test, called from test_OpenDomain.
# Its body is not shown in this listing.
117 def test_CreateUser2(pipe, domain_handle):
# Resolve `name` in the domain with samr_LookupNames, then repeat the lookup
# with an unknown name added.
#
# The return statement is not shown in this listing. test_OpenUser_byname uses
# the return value as a RID, so presumably `rid` is returned - confirm.
120 def test_LookupName(pipe, domain_handle, name):
123 r['handle'] = domain_handle
126 r['names'].append({'name_len': 0, 'name_size': 0, 'name': name})
128 result = dcerpc.samr_LookupNames(pipe, r)
# RID of the first (and at this point only) name in the request.
130 rid = result['rids']['ids'][0]
# Add a name that should not exist in the domain.
133 r['names'].append({'name_len': 0, 'name_size': 0, 'name': 'xxNONAMExx'})
137 result = dcerpc.samr_LookupNames(pipe, r)
# Python 2 except syntax. 0x00000107 is STATUS_SOME_NOT_MAPPED, the expected
# outcome when only some of the names resolve; any other status is re-raised.
138 except dcerpc.NTSTATUS, arg:
139 if arg[0] != 0x00000107:
140 raise dcerpc.NTSTATUS(arg)
# A third lookup; the request changes before it are on lines not shown.
144 result = dcerpc.samr_LookupNames(pipe, r)
# Look up `name` via test_LookupName, open that user with samr_OpenUser and
# return the account handle.
148 def test_OpenUser_byname(pipe, domain_handle, name):
150 rid = test_LookupName(pipe, domain_handle, name)
153 r['handle'] = domain_handle
# MAXIMUM_ALLOWED: request every right the caller holds on the user object.
154 r['access_mask'] = 0x02000000
157 result = dcerpc.samr_OpenUser(pipe, r)
159 return result['acct_handle']
# Open the account called `name` and delete it with samr_DeleteUser.
#
# This changes the target's account database: the named account is removed if
# the caller has the right to delete it.
161 def test_DeleteUser_byname(pipe, domain_handle, name):
163 user_handle = test_OpenUser_byname(pipe, domain_handle, name)
166 r['handle'] = user_handle
168 dcerpc.samr_DeleteUser(pipe, r)
# Create an account named 'samrtorturetest' in the domain behind
# `domain_handle`.
#
# This writes to the target's account database, and an existing account with
# that name is deleted and recreated. No cleanup of the new account is visible
# in this listing - TODO confirm whether it is removed afterwards. Run only
# against a server set aside for testing.
170 def test_CreateUser(pipe, domain_handle):
173 r['handle'] = domain_handle
174 r['account_name'] = {}
175 r['account_name']['name_len'] = 0
176 r['account_name']['name_size'] = 0
177 r['account_name']['name'] = 'samrtorturetest'
# MAXIMUM_ALLOWED on the newly created account object.
178 r['access_mask'] = 0x02000000
181 result = dcerpc.samr_CreateUser(pipe, r)
182 except dcerpc.NTSTATUS, arg:
# 0xc0000022 is STATUS_ACCESS_DENIED; what the test does in that case is on a
# line not shown here.
183 if arg[0] == 0xc0000022:
# 0xc0000063 is STATUS_USER_EXISTS: remove the existing account and retry once.
185 elif arg[0] == 0xc0000063:
186 test_DeleteUser_byname(pipe, domain_handle, 'samrtorturetest')
187 result = dcerpc.samr_CreateUser(pipe, r)
# Any other status is re-raised to the caller.
189 raise dcerpc.NTSTATUS(arg)
191 user_handle = result['acct_handle']
# Placeholder from the author: further per-user calls are not implemented here.
193 # samr_QueryUserInfo(), etc
# Open the domain identified by `domain_sid` and run the per-domain tests
# against the resulting handle.
195 def test_OpenDomain(pipe, handle, domain_sid):
197 print 'testing samr_OpenDomain'
# MAXIMUM_ALLOWED: the domain handle carries every right the caller holds.
201 r['access_mask'] = 0x02000000
202 r['sid'] = domain_sid
204 result = dcerpc.samr_OpenDomain(pipe, r)
206 domain_handle = result['domain_handle']
# The sub-tests below include calls that modify the domain (the security
# descriptor write-back and the account creation).
208 test_QuerySecurity(pipe, domain_handle)
210 test_RemoveMemberFromForeignDomain(pipe, domain_handle)
212 test_CreateUser2(pipe, domain_handle)
214 test_CreateUser(pipe, domain_handle)
# Call samr_LookupDomain with a missing name, an unknown name and the real
# `domain`, then run the password-info and open-domain tests on the result.
#
# NOTE(review): the visible lines only check the status when a call fails.
# Whether an unexpected success of either negative case is reported depends on
# lines this listing does not show - confirm.
216 def test_LookupDomain(pipe, handle, domain):
218 print 'testing samr_LookupDomain'
223 r['domain']['name_len'] = 0
224 r['domain']['name_size'] = 0
# Negative case 1: no name at all.
225 r['domain']['name'] = None
228 result = dcerpc.samr_LookupDomain(pipe, r)
229 except dcerpc.NTSTATUS, arg:
# 0xc000000d is STATUS_INVALID_PARAMETER; anything else is re-raised.
230 if arg[0] != 0xc000000d:
231 raise dcerpc.NTSTATUS(arg)
# Negative case 2: a name that should not exist.
233 r['domain']['name'] = 'xxNODOMAINxx'
236 result = dcerpc.samr_LookupDomain(pipe, r)
237 except dcerpc.NTSTATUS, arg:
# 0xc00000df is STATUS_NO_SUCH_DOMAIN; anything else is re-raised.
238 if arg[0] != 0xc00000df:
239 raise dcerpc.NTSTATUS(arg)
# Positive case: the domain name supplied by the caller.
241 r['domain']['name'] = domain
243 result = dcerpc.samr_LookupDomain(pipe, r)
245 test_GetDomPwInfo(pipe, domain)
# The SID returned by the lookup is what test_OpenDomain opens.
247 test_OpenDomain(pipe, handle, result['sid'])
# Enumerate the domains hosted by the server and run test_LookupDomain on each
# entry.
#
# test_LookupDomain leads on to test_OpenDomain and test_CreateUser, so the
# account creation is attempted in every domain the server enumerates.
249 def test_EnumDomains(pipe, handle):
251 print 'testing samr_EnumDomains'
# Start the enumeration from the beginning. No loop over further resume
# handles is visible in this listing.
255 r['resume_handle'] = 0
258 result = dcerpc.samr_EnumDomains(pipe, r)
260 for domain in result['sam']['entries']:
261 test_LookupDomain(pipe, handle, domain['name']['name'])
# Script body: parse the command line, connect to the SAMR pipe and run the
# tests.
265 parser = OptionParser()
# The continuation lines of each add_option call are not shown in this listing.
267 parser.add_option("-b", "--binding", action="store", type="string",
270 parser.add_option("-d", "--domain", action="store", type="string",
273 parser.add_option("-u", "--username", action="store", type="string",
# NOTE(review): a password given on the command line is visible in the process
# list and in shell history. Prefer prompting for it (e.g. getpass) when this
# is run anywhere other than a throwaway lab host.
276 parser.add_option("-p", "--password", action="store", type="string",
279 (options, args) = parser.parse_args()
# All four options are mandatory; parser.error prints the message and exits.
281 if not options.binding:
282 parser.error('You must supply a binding string')
284 if not options.username or not options.password or not options.domain:
285 parser.error('You must supply a domain, username and password')
288 binding = options.binding
289 domain = options.domain
290 username = options.username
291 password = options.password
293 print 'Connecting...'
# Authenticated connection to the SAMR interface. `pipe` is module-level, and
# test_Connect relies on this name rather than on its own parameter.
295 pipe = dcerpc.pipe_connect(binding,
296 dcerpc.DCERPC_SAMR_UUID, dcerpc.DCERPC_SAMR_VERSION,
297 domain, username, password)
# The Connect5 policy handle returned here is used by the remaining tests.
299 handle = test_Connect(pipe)
301 test_QuerySecurity(pipe, handle)
# Walks every enumerated domain. That path creates (and may first delete) the
# 'samrtorturetest' account, so point the binding at a test server only.
303 test_EnumDomains(pipe, handle)