smbRpc 0.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 301126aea359549d334c576f81e3984f45d1a77483980f9fa82963fadb112724
+  data.tar.gz: afea3703a681b4e4f12f411c36b2348b77ee7a07ffa295eefc1dd4c5ba18624e
+SHA512:
+  metadata.gz: aad2222fd4eca5c0edaddb75bffaea09d6c903f6341133ec1a98b86e26c98d2490efe26097650f61a3d87da5fdd9d435fb3a2c71fc13c3b4eb35cb9f6078804d
+  data.tar.gz: 42044cfd25b6fe7af0fd23ce4a212f31c22be6631c89318de50cf65be7e1964423774a8462f2ee5c297aea975642224466b0e9dbfec333c5a37acfdf5ba465a8

data/README.md

@@ -0,0 +1,11 @@
+his is a Windows RPC over SMB namepipe library modeled over the ruby_smb library.
+All function names and arguments were written to closely reflct the originals MS documented specifications.
+Currently I have only exposed some functions to the following namepipes.  I'll be adding more as I continue developing this project.
+
+epmapper
+samr
+srvsvc
+svcctl
+lsarpc
+
+Comments and suggestions are welcome, please email to rubysmbrpc@gmail.com

data/examples/enumLsa.rb

@@ -0,0 +1,44 @@
+#!/usr/bin/ruby
+require"smbRpc"
+
+ip = ARGV[0]
+port = 445
+user = ARGV[1]
+pass = ARGV[2]
+
+lsarpc = SmbRpc::Lsarpc.new(ip:ip, user:user, pass:pass)
+policy = lsarpc.openPolicy
+
+puts"PolicyDnsDomainInformation"
+p pddi = policy.queryInformationPolicy
+
+puts"\nPolicyLsaServerRoleInformation"
+p policy.queryInformationPolicy(informationClass:LSARPC_POLICY_INFORMATION_CLASS["PolicyLsaServerRoleInformation"])
+
+puts"\nLSA builtin Accounts"
+lsarpc.enumerateAccounts.each do |sid|
+  p sid
+  p lsarpc.lookupSids(sid:sid)
+end
+
+if !pddi[:dnsDomainName].nil?		#if enumerating DC
+  domain = pddi[:dnsDomainName] 
+  domSid = policy.lookupNames(name:domain)[:sid]
+else					#else workstation
+  domSid = policy.lookupNames(name:"guest")[:sid]
+end
+
+puts"\nrid 1000-1500"
+(1000..1500).each do |i|
+  begin
+    sid = "%s-%i"%[domSid, i] 
+    out = lsarpc.lookupSids(sid:sid)
+    (print"%s -> "%[sid];p out; puts"") if !out.nil?
+  rescue
+    next
+  end
+end
+
+lsarpc.close
+puts"-"*80
+

data/examples/enumSmbPipe.rb

@@ -0,0 +1,16 @@
+#!/usr/bin/ruby
+require"smbRpc"
+
+
+ip = ARGV[0]
+port = 445
+user = ARGV[1]
+pass = ARGV[2]
+
+epmapper = SmbRpc::Epmapper.new(ip:ip, user:user, pass:pass)
+epmapper.epmLookup.each do |e| 
+ puts "%s %s"%[e[:uuid], e[:smb]] if !e[:smb].nil?
+end
+
+epmapper.close
+puts"-"*80

data/lib/smbRpc.rb

@@ -0,0 +1,33 @@
+#!/usr/bin/ruby
+require"ruby_smb"
+require"bindata"
+require"windows_error/win32"
+require"smbhash"			#nice little library to make Lm/NTLM hash
+#require"windows_error/nt_status"	#already loaded by ruby_smb
+
+#$:.unshift(File.expand_path('.',__dir__))
+require"smbRpc/rpc"
+require"smbRpc/srvsvc"
+require"smbRpc/svcctl"
+require"smbRpc/lsarpc"
+require"smbRpc/epmapper"
+require"smbRpc/samr"
+require"smbRpc/updateRuby_smb"
+require"smbRpc/updateString"
+
+#require"rpc_packet"
+#require"endpoints"
+#require"constants"
+#require"ndrep"
+#require"srvsvc_packet"
+#require"svcctl_packet"
+
+#require_relative"endpoints"
+#require_relative"constants"
+#require_relative"ndrep"
+#require_relative"rpc"
+#require_relative"rpc_packet"
+#require_relative"srvsvc"
+#require_relative"srvsvc_packet"
+#require_relative"svcctl"
+#require_relative"svcctl_packet"

data/lib/smbRpc/epmapper.rb

@@ -0,0 +1,13 @@
+require"smbRpc/epmapper/epmLookup"
+require"smbRpc/epmapper/constants"
+
+module SmbRpc
+  class Epmapper < Rpc
+    def initialize(**argv)
+      super(argv)
+      self.connect
+      self.bind(pipe:"epmapper")
+    end
+end
+end
+

data/lib/smbRpc/epmapper/constants.rb

@@ -0,0 +1,28 @@
+EPM_PROTOCOL = {
+  "EPM_PROTOCOL_DNET_NSP" => 0x04,
+  "EPM_PROTOCOL_OSI_TP4" => 0x05,
+  "EPM_PROTOCOL_OSI_CLNS" => 0x06,
+  "EPM_PROTOCOL_TCP" => 0x07,
+  "EPM_PROTOCOL_UDP" => 0x08,
+  "EPM_PROTOCOL_IP" => 0x09,
+  "EPM_PROTOCOL_NCADG" => 0x0a,
+  "EPM_PROTOCOL_NCACN" => 0x0b,
+  "EPM_PROTOCOL_NCALRPC" => 0x0c,
+  "EPM_PROTOCOL_UUID" => 0x0d,
+  "EPM_PROTOCOL_IPX" => 0x0e,
+  "EPM_PROTOCOL_SMB" => 0x0f,
+  "EPM_PROTOCOL_NAMED_PIPE" => 0x10,
+  "EPM_PROTOCOL_NETBIOS" => 0x11,
+  "EPM_PROTOCOL_NETBEUI" => 0x12,
+  "EPM_PROTOCOL_SPX" => 0x13,
+  "EPM_PROTOCOL_NB_IPX" => 0x14,
+  "EPM_PROTOCOL_DSP" => 0x16,
+  "EPM_PROTOCOL_DDP" => 0x17,
+  "EPM_PROTOCOL_APPLETALK" => 0x18,
+  "EPM_PROTOCOL_VINES_SPP" => 0x1a,
+  "EPM_PROTOCOL_VINES_IPC" => 0x1b,
+  "EPM_PROTOCOL_STREETTALK" => 0x1c,
+  "EPM_PROTOCOL_HTTP" => 0x1f,
+  "EPM_PROTOCOL_UNIX_DS" => 0x20,
+  "EPM_PROTOCOL_NULL" => 0x21
+}

data/lib/smbRpc/epmapper/epmLookup.rb

@@ -0,0 +1,98 @@
+module SmbRpc
+  class Epmapper < Rpc
+    #https://svn.nmap.org/nmap-exp/drazen/var/IDL/epmapper.idl?p=25000
+    class Epm_LookupReq < BinData::Record
+      endian :little
+      request :request
+      uint32 :inquiry_type, :value => 0x0f
+      uint32 :object
+      uint32 :interface_id
+      uint32 :vers_option
+      string :entry_handle, :length => 20
+      uint32 :max_ents, :value => 1
+
+      def initialize_instance
+        super
+        entry_handle.value = get_parameter(:handle)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 2        #epm_Lookup
+      end
+    end
+
+    class Epm_floor < BinData::Record
+      endian :little
+      uint16 :lhsLength
+      uint8 :protocol
+      string :lhs_data, :length => lambda { lhsLength - 1 }
+      uint16 :rhsLength
+      string :rhs_data, :length => :rhsLength
+    end
+
+    class Epm_LookupRes < BinData::Record
+      endian :little
+      response :response
+      string :entry_handle, :length => 20
+      uint32 :num_ents
+
+      #epm_entry_t
+      uint32 :max_count
+      uint32 :offset
+      uint32 :actual_count
+      string :guid, :length => 16
+      uint32 :ref_id_tower
+      uint32 :annotation_offset
+      uint32 :annotation_length
+      choice :annotation, :selection => :annotation_length do
+        uint32 1 
+        string :default, :length => :annotation_length
+      end
+
+      #16 byte align
+      string :pad, :onlyif => lambda { annotation_length > 1 }, :length => lambda { (4 - ( annotation_length % 4 )) % 4  }
+
+      #epm_twr_t
+      uint32 :tower_length
+      uint32 :tower_len
+      uint16 :num_floors
+      array :floors, :type => :epm_floor, :initial_length => :num_floors
+      uint32 :windowsError
+    end
+
+    def epmLookup()
+      @handle = "\x00"*20
+      out = []
+      loop do
+        epm_LookupReq = Epm_LookupReq.new(handle:@handle)
+        epm_LookupRes = @file.ioctl_send_recv(epm_LookupReq).buffer
+        result = epm_LookupRes[-4,4].unpack("V")[0]
+        break if result == 0x16c9a0d6	#[MS-RPCE] There are no elements that satisfy the specified search criteria
+        epm_LookupRes.raise_not_error_success("epmLookup")
+        #https://msdn.microsoft.com/en-us/library/cc243786.aspx
+        #RPC over SMB MUST use a protocol identifier of 0x0F instead of 0x10, as specified in [C706] Appendix I.<4>
+        epm_LookupRes = Epm_LookupRes.read(epm_LookupRes)
+        h = {}
+        epm_LookupRes.floors.each do |e|
+          h[:uuid] = "%s.%i"%[uuidParse(e.lhs_data), e.rhs_data.unpack("v")[0]] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_UUID"]
+          h[:ndr] = "%s.%i"%[uuidParse(e.lhs_data), e.rhs_data.unpack("v")[0]] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_UUID"] && h.has_key?(:uuid)
+          h[:name_pipe] = "%s"%[e.rhs_data.gsub("\x00","")] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_NAMED_PIPE"]
+          h[:smb] = "%s"%[e.rhs_data.gsub("\x00","")] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_SMB"]
+          h[:netBios] = "%s"%[e.rhs_data.gsub("\x00","")] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_NETBIOS"]
+          h[:ip] = "%s"%[e.rhs_data.unpack("c*").join(".")] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_IP"]
+          h[:port] = "%i"%[e.rhs_data.unpack("v")[0]] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_TCP"]
+          h[:ncalrpc] = true if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_NCALRPC"]
+        end
+        out << h
+        @handle = epm_LookupRes.entry_handle
+      end
+      return out
+    end
+
+    def uuidParse(uuidBin)
+      return "%s-%s-%s-%s-%s %i"%[uuidBin[0,4].b.reverse.unpack("H*")[0], 
+        uuidBin[4,2].b.reverse.unpack("H*")[0], uuidBin[6,2].b.reverse.unpack("H*")[0], 
+        uuidBin[8,2].unpack("H*")[0], uuidBin[10,6].unpack("H*")[0], uuidBin[16,2].unpack("v")[0]]
+    end
+
+end
+end
+

data/lib/smbRpc/lsarpc.rb

@@ -0,0 +1,22 @@
+require"smbRpc/lsarpc/constants"
+require"smbRpc/lsarpc/openPolicy"
+require"smbRpc/lsarpc/close"
+require"smbRpc/lsarpc/queryInformationPolicy"
+require"smbRpc/lsarpc/enumerateAccounts"
+require"smbRpc/lsarpc/lookupSids"
+require"smbRpc/lsarpc/openAccount"
+require"smbRpc/lsarpc/enumeratePrivilegesAccount"
+require"smbRpc/lsarpc/lookupPrivilegeName"
+#require"smbRpc/lsarpc/querySecurityObject"
+require"smbRpc/lsarpc/lookupNames"
+
+module SmbRpc
+  class Lsarpc < Rpc
+    def initialize(**argv)
+      super(argv)
+      self.connect
+      self.bind(pipe:"lsarpc")
+    end
+end
+end
+

data/lib/smbRpc/lsarpc/close.rb

@@ -0,0 +1,48 @@
+
+module SmbRpc
+  class Lsarpc < Rpc
+
+    class LsarCloseReq < BinData::Record
+      endian :little
+      request :request
+      string :objectHandle, :length => 20
+      def initialize_instance
+        super
+        objectHandle.value = get_parameter(:handle)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 0        #LsarClose
+      end
+    end
+
+    class LsarCloseRes < BinData::Record
+      endian :little
+      request :request
+      string :objectHandle, :length => 20
+      uint32 :windowsError
+    end
+
+    def closePolicy()
+      if !@policyHandle.nil?
+        lsarCloseReq = LsarCloseReq.new(handle:@policyHandle)
+        lsarCloseRes = @file.ioctl_send_recv(lsarCloseReq).buffer
+        lsarCloseRes.raise_not_error_success("closeAccount")
+        @policyHandle = nil
+      end
+    end
+
+    def closeAccount()
+      if !@accountHandle.nil?
+        lsarCloseReq = LsarCloseReq.new(handle:@accountHandle)
+        lsarCloseRes = @file.ioctl_send_recv(lsarCloseReq).buffer
+        lsarCloseRes.raise_not_error_success("closeAccount")
+        @accountHandle = nil
+      end
+    end
+
+    def close()
+      closeAccount()      
+      closePolicy()      
+      super
+    end
+end
+end

data/lib/smbRpc/lsarpc/constants.rb

@@ -0,0 +1,54 @@
+LSARPC_ALL_ACCESS_MASK = {
+  "DELETE" => 0x00010000,
+  "READ_CONTROL" => 0x00020000,
+  "WRITE_DAC" => 0x00040000,
+  "WRITE_OWNER" => 0x00080000,
+  "MAXIMUM_ALLOWED" => 0x02000000
+}
+
+LSARPC_POLICY_ACCESS_MASK = {
+"POLICY_VIEW_LOCAL_INFORMATION" => 0x00000001,
+"POLICY_VIEW_AUDIT_INFORMATION" => 0x00000002,
+"POLICY_GET_PRIVATE_INFORMATION" => 0x00000004,
+"POLICY_TRUST_ADMIN" => 0x00000008,
+"POLICY_CREATE_ACCOUNT" => 0x00000010,
+"POLICY_CREATE_SECRET" => 0x00000020,
+"POLICY_CREATE_PRIVILEGE" => 0x00000040,
+"POLICY_SET_DEFAULT_QUOTA_LIMITS" => 0x00000080,
+"POLICY_SET_AUDIT_REQUIREMENTS" => 0x00000100,
+"POLICY_AUDIT_LOG_ADMIN" => 0x00000200,
+"POLICY_SERVER_ADMIN" => 0x00000400,
+"POLICY_LOOKUP_NAMES" => 0x00000800,
+"POLICY_NOTIFICATION" => 0x00001000
+}
+
+LSARPC_ACCOUNT_ACCESS_MASK = {
+  "ACCOUNT_VIEW" => 0x00000001,
+  "ACCOUNT_ADJUST_PRIVILEGES" => 0x00000002,
+  "ACCOUNT_ADJUST_QUOTAS" => 0x00000004,
+  "ACCOUNT_ADJUST_SYSTEM_ACCESS" => 0x00000008
+}
+
+#only these 2 looks interesting
+LSARPC_POLICY_INFORMATION_CLASS = {
+  "PolicyLsaServerRoleInformation" => 6,
+  "PolicyDnsDomainInformation" => 12
+}
+
+LSARPC_POLICY_LSA_SERVER_ROLE = {
+ "PolicyServerRoleBackup" => 2,
+  "PolicyServerRolePrimary" => 3
+}
+
+LSARPC_SID_NAME_USE = {
+  "SidTypeUser" => 1,
+  "SidTypeGroup" => 2,
+  "SidTypeDomain" => 3,
+  "SidTypeAlias" => 4,
+  "SidTypeWellKnownGroup" => 5,
+  "SidTypeDeletedAccount" => 6,
+  "SidTypeInvalid" => 7,
+  "SidTypeUnknown" => 8,
+  "SidTypeComputer" => 9,
+  "SidTypeLabel" => 10
+}

data/lib/smbRpc/lsarpc/enumerateAccounts.rb

@@ -0,0 +1,55 @@
+module SmbRpc
+  class Lsarpc < Rpc
+
+    class LsarEnumerateAccountsReq < BinData::Record
+      endian :little
+      request :request
+      string :policyHandle, :length => 20
+      uint32 :enumerationContext
+      uint32 :preferedMaximumLength, :value => 1024
+
+      def initialize_instance
+        super
+        policyHandle.value = get_parameter(:handle)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 11        #LsarEnumerateAccounts
+      end
+    end
+
+    class Sid_element < BinData::Record
+      endian :little
+      uint32 :sub_auth
+      rpc_sid :sid			#declared in lsaQueryInformationPolicy.rb
+    end
+
+    class Lsapr_account_enum_buffer < BinData::Record
+      endian :little
+      uint32 :entriesRead
+      uint32 :ref_id_sid, :initial_value => 1
+      uint32 :max_count, :value => :entriesRead
+      array :ref_id_information, :initial_length => :entriesRead, :type => :uint32, :initial_value => 1
+      array :information, :initial_length => :entriesRead, :type => :sid_element
+    end
+
+    class LsarEnumerateAccountsRes < BinData::Record
+      endian :little
+      response :response
+      uint32 :enumerationContext
+      lsapr_account_enum_buffer :enumerationBuffer
+      uint32 :windowsError
+    end
+
+    def enumerateAccounts()
+      lsarEnumerateAccountsReq = LsarEnumerateAccountsReq.new(handle:@policyHandle)
+      lsarEnumerateAccountsRes = @file.ioctl_send_recv(lsarEnumerateAccountsReq).buffer
+      lsarEnumerateAccountsRes.raise_not_error_success("enumerateAccounts")
+      lsarEnumerateAccountsRes = LsarEnumerateAccountsRes.read(lsarEnumerateAccountsRes)
+      sids = []
+      lsarEnumerateAccountsRes.enumerationBuffer.information.each do |e|
+        sids << e.sid.to_s
+      end
+      return sids
+    end
+
+end
+end