smbRpc 0.0.3
- checksums.yaml +7 -0
- data/README.md +11 -0
- data/examples/enumLsa.rb +44 -0
- data/examples/enumSmbPipe.rb +16 -0
- data/lib/smbRpc.rb +33 -0
- data/lib/smbRpc/epmapper.rb +13 -0
- data/lib/smbRpc/epmapper/constants.rb +28 -0
- data/lib/smbRpc/epmapper/epmLookup.rb +98 -0
- data/lib/smbRpc/lsarpc.rb +22 -0
- data/lib/smbRpc/lsarpc/close.rb +48 -0
- data/lib/smbRpc/lsarpc/constants.rb +54 -0
- data/lib/smbRpc/lsarpc/enumerateAccounts.rb +55 -0
- data/lib/smbRpc/lsarpc/enumeratePrivilegesAccount.rb +49 -0
- data/lib/smbRpc/lsarpc/lookupNames.rb +74 -0
- data/lib/smbRpc/lsarpc/lookupPrivilegeName.rb +37 -0
- data/lib/smbRpc/lsarpc/lookupSids.rb +96 -0
- data/lib/smbRpc/lsarpc/openAccount.rb +49 -0
- data/lib/smbRpc/lsarpc/openPolicy.rb +52 -0
- data/lib/smbRpc/lsarpc/queryInformationPolicy.rb +92 -0
- data/lib/smbRpc/lsarpc/querySecurityObject.rb +75 -0
- data/lib/smbRpc/rpc.rb +5 -0
- data/lib/smbRpc/rpc/connection.rb +34 -0
- data/lib/smbRpc/rpc/constants.rb +64 -0
- data/lib/smbRpc/rpc/endpoints.rb +38 -0
- data/lib/smbRpc/rpc/ndrep.rb +24 -0
- data/lib/smbRpc/rpc/pdu.rb +40 -0
- data/lib/smbRpc/samr.rb +40 -0
- data/lib/smbRpc/samr/addMemberToAlias.rb +43 -0
- data/lib/smbRpc/samr/addMemberToGroup.rb +36 -0
- data/lib/smbRpc/samr/changePasswordUser.rb +64 -0
- data/lib/smbRpc/samr/closeHandle.rb +50 -0
- data/lib/smbRpc/samr/connect.rb +46 -0
- data/lib/smbRpc/samr/constants.rb +114 -0
- data/lib/smbRpc/samr/createAliasInDomain.rb +45 -0
- data/lib/smbRpc/samr/createGroupInDomain.rb +46 -0
- data/lib/smbRpc/samr/createUserInDomain.rb +48 -0
- data/lib/smbRpc/samr/deleteAlias.rb +35 -0
- data/lib/smbRpc/samr/deleteGroup.rb +35 -0
- data/lib/smbRpc/samr/deleteUser.rb +35 -0
- data/lib/smbRpc/samr/enumerateAliasesInDomain.rb +61 -0
- data/lib/smbRpc/samr/enumerateDomainsInSamServer.rb +52 -0
- data/lib/smbRpc/samr/enumerateGroupsInDomain.rb +60 -0
- data/lib/smbRpc/samr/enumerateUsersInDomain.rb +67 -0
- data/lib/smbRpc/samr/getMembersInAlias.rb +41 -0
- data/lib/smbRpc/samr/getMembersInGroup.rb +45 -0
- data/lib/smbRpc/samr/lookupDomainInSamServer.rb +41 -0
- data/lib/smbRpc/samr/lookupIdsInDomain.rb +52 -0
- data/lib/smbRpc/samr/lookupNamesInDomain.rb +55 -0
- data/lib/smbRpc/samr/openAlias.rb +39 -0
- data/lib/smbRpc/samr/openDomain.rb +48 -0
- data/lib/smbRpc/samr/openGroup.rb +39 -0
- data/lib/smbRpc/samr/openUser.rb +39 -0
- data/lib/smbRpc/samr/queryInformationUser.rb +182 -0
- data/lib/smbRpc/samr/removeMemberFromAlias.rb +43 -0
- data/lib/smbRpc/samr/removeMemberFromGroup.rb +34 -0
- data/lib/smbRpc/samr/setInformationUser.rb +53 -0
- data/lib/smbRpc/srvsvc.rb +12 -0
- data/lib/smbRpc/srvsvc/netShareEnum.rb +104 -0
- data/lib/smbRpc/srvsvc/serverGetInfo.rb +57 -0
- data/lib/smbRpc/svcctl.rb +20 -0
- data/lib/smbRpc/svcctl/closeService.rb +48 -0
- data/lib/smbRpc/svcctl/constants.rb +88 -0
- data/lib/smbRpc/svcctl/controlService.rb +48 -0
- data/lib/smbRpc/svcctl/createService.rb +68 -0
- data/lib/smbRpc/svcctl/deleteService.rb +31 -0
- data/lib/smbRpc/svcctl/enumServicesStatus.rb +96 -0
- data/lib/smbRpc/svcctl/openScm.rb +37 -0
- data/lib/smbRpc/svcctl/openService.rb +36 -0
- data/lib/smbRpc/svcctl/queryServiceConfig.rb +67 -0
- data/lib/smbRpc/svcctl/startService.rb +35 -0
- data/lib/smbRpc/updateRuby_smb.rb +3 -0
- data/lib/smbRpc/updateRuby_smb/client.rb +29 -0
- data/lib/smbRpc/updateRuby_smb/dcerpc.rb +30 -0
- data/lib/smbRpc/updateRuby_smb/ioctl_request.rb +53 -0
- data/lib/smbRpc/updateString.rb +3 -0
- data/lib/smbRpc/updateString/raise_not_error_success.rb +11 -0
- data/lib/smbRpc/updateString/to_des_ecb_lm.rb +34 -0
- data/smbRpc.gemspec +16 -0
- metadata +148 -0
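--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+metadata.gz: 301126aea359549d334c576f81e3984f45d1a77483980f9fa82963fadb112724
+data.tar.gz: afea3703a681b4e4f12f411c36b2348b77ee7a07ffa295eefc1dd4c5ba18624e
+SHA512:
+metadata.gz: aad2222fd4eca5c0edaddb75bffaea09d6c903f6341133ec1a98b86e26c98d2490efe26097650f61a3d87da5fdd9d435fb3a2c71fc13c3b4eb35cb9f6078804d
+data.tar.gz: 42044cfd25b6fe7af0fd23ce4a212f31c22be6631c89318de50cf65be7e1964423774a8462f2ee5c297aea975642224466b0e9dbfec333c5a37acfdf5ba465a8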
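--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,11 @@
+his is a Windows RPC over SMB namepipe library modeled over the ruby_smb library.
+All function names and arguments were written to closely reflct the originals MS documented specifications.
+Currently I have only exposed some functions to the following namepipes. I'll be adding more as I continue developing this project.
+
+epmapper
+samr
+srvsvc
+svcctl
+lsarpc
+
+Comments and suggestions are welcome, please email to rubysmbrpc@gmail.com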
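--- a/data/examples/enumLsa.rb
+++ b/data/examples/enumLsa.rb
@@ -0,0 +1,44 @@
+#!/usr/bin/ruby
+require"smbRpc"
+
+ip = ARGV[0]
+port = 445
+user = ARGV[1]
+pass = ARGV[2]
+
+lsarpc = SmbRpc::Lsarpc.new(ip:ip, user:user, pass:pass)
+policy = lsarpc.openPolicy
+
+puts"PolicyDnsDomainInformation"
+p pddi = policy.queryInformationPolicy
+
+puts"\nPolicyLsaServerRoleInformation"
+p policy.queryInformationPolicy(informationClass:LSARPC_POLICY_INFORMATION_CLASS["PolicyLsaServerRoleInformation"])
+
+puts"\nLSA builtin Accounts"
+lsarpc.enumerateAccounts.each do |sid|
+p sid
+p lsarpc.lookupSids(sid:sid)
+end
+
+if !pddi[:dnsDomainName].nil? #if enumerating DC
+domain = pddi[:dnsDomainName]
+domSid = policy.lookupNames(name:domain)[:sid]
+else #else workstation
+domSid = policy.lookupNames(name:"guest")[:sid]
+end
+
+puts"\nrid 1000-1500"
+(1000..1500).each do |i|
+begin
+sid = "%s-%i"%[domSid, i]
+out = lsarpc.lookupSids(sid:sid)
+(print"%s -> "%[sid];p out; puts"") if !out.nil?
+rescue
+next
+end
+end
+
+lsarpc.close
+puts"-"*80
+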
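Review bot: The bare `rescue` at line 37 of the rid loop pairs with `next`, so any StandardError — a dropped SMB session or a malformed response as much as an unmapped SID — is silently skipped for all 501 iterations and the run ends looking successful with no output. Reporting the failure while still continuing, `rescue => e` / `warn "#{sid}: #{e.message}"` / `next`, keeps the loop alive without hiding transport errors. `port = 445` on line 5 is assigned but never passed to `SmbRpc::Lsarpc.new`, so editing it has no effect; data/examples/enumSmbPipe.rb carries the same unused `port` on line 6. Both examples also take the password from `ARGV[2]`, which leaves it visible in the process list and shell history of the machine running the script; reading it from an environment variable or an interactive prompt avoids that.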
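--- a/data/examples/enumSmbPipe.rb
+++ b/data/examples/enumSmbPipe.rb
@@ -0,0 +1,16 @@
+#!/usr/bin/ruby
+require"smbRpc"
+
+
+ip = ARGV[0]
+port = 445
+user = ARGV[1]
+pass = ARGV[2]
+
+epmapper = SmbRpc::Epmapper.new(ip:ip, user:user, pass:pass)
+epmapper.epmLookup.each do |e|
+puts "%s %s"%[e[:uuid], e[:smb]] if !e[:smb].nil?
+end
+
+epmapper.close
+puts"-"*80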
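--- a/data/lib/smbRpc.rb
+++ b/data/lib/smbRpc.rb
@@ -0,0 +1,33 @@
+#!/usr/bin/ruby
+require"ruby_smb"
+require"bindata"
+require"windows_error/win32"
+require"smbhash" #nice little library to make Lm/NTLM hash
+#require"windows_error/nt_status" #already loaded by ruby_smb
+
+#$:.unshift(File.expand_path('.',__dir__))
+require"smbRpc/rpc"
+require"smbRpc/srvsvc"
+require"smbRpc/svcctl"
+require"smbRpc/lsarpc"
+require"smbRpc/epmapper"
+require"smbRpc/samr"
+require"smbRpc/updateRuby_smb"
+require"smbRpc/updateString"
+
+#require"rpc_packet"
+#require"endpoints"
+#require"constants"
+#require"ndrep"
+#require"srvsvc_packet"
+#require"svcctl_packet"
+
+#require_relative"endpoints"
+#require_relative"constants"
+#require_relative"ndrep"
+#require_relative"rpc"
+#require_relative"rpc_packet"
+#require_relative"srvsvc"
+#require_relative"srvsvc_packet"
+#require_relative"svcctl"
+#require_relative"svcctl_packet"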
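Review bot: Lines 18 to 33 are sixteen commented-out `require`/`require_relative` lines that are either superseded by the `smbRpc/...` requires on lines 9-16 or name files that are not in this gem (`rpc_packet`, `srvsvc_packet`, `svcctl_packet`); together with the commented load-path edit on line 8 they are dead text that a reader has to rule out on every visit, and version control already keeps the history, so they should be deleted. The `#!/usr/bin/ruby` shebang on line 1 has no effect on a library file that is only ever `require`d and can go too. Adding `# frozen_string_literal: true` as the first line would match the convention the rest of the gem's files could then follow.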
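--- a/data/lib/smbRpc/epmapper/constants.rb
+++ b/data/lib/smbRpc/epmapper/constants.rb
@@ -0,0 +1,28 @@
+EPM_PROTOCOL = {
+"EPM_PROTOCOL_DNET_NSP" => 0x04,
+"EPM_PROTOCOL_OSI_TP4" => 0x05,
+"EPM_PROTOCOL_OSI_CLNS" => 0x06,
+"EPM_PROTOCOL_TCP" => 0x07,
+"EPM_PROTOCOL_UDP" => 0x08,
+"EPM_PROTOCOL_IP" => 0x09,
+"EPM_PROTOCOL_NCADG" => 0x0a,
+"EPM_PROTOCOL_NCACN" => 0x0b,
+"EPM_PROTOCOL_NCALRPC" => 0x0c,
+"EPM_PROTOCOL_UUID" => 0x0d,
+"EPM_PROTOCOL_IPX" => 0x0e,
+"EPM_PROTOCOL_SMB" => 0x0f,
+"EPM_PROTOCOL_NAMED_PIPE" => 0x10,
+"EPM_PROTOCOL_NETBIOS" => 0x11,
+"EPM_PROTOCOL_NETBEUI" => 0x12,
+"EPM_PROTOCOL_SPX" => 0x13,
+"EPM_PROTOCOL_NB_IPX" => 0x14,
+"EPM_PROTOCOL_DSP" => 0x16,
+"EPM_PROTOCOL_DDP" => 0x17,
+"EPM_PROTOCOL_APPLETALK" => 0x18,
+"EPM_PROTOCOL_VINES_SPP" => 0x1a,
+"EPM_PROTOCOL_VINES_IPC" => 0x1b,
+"EPM_PROTOCOL_STREETTALK" => 0x1c,
+"EPM_PROTOCOL_HTTP" => 0x1f,
+"EPM_PROTOCOL_UNIX_DS" => 0x20,
+"EPM_PROTOCOL_NULL" => 0x21
+}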
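Review bot: `EPM_PROTOCOL` is defined at top level, outside `module SmbRpc`, and the literal is not frozen, so requiring the gem installs a mutable global constant that any other code in the process can alter or collide with; closing the literal with `}.freeze` and nesting the definition under `SmbRpc` (or `SmbRpc::Epmapper`, the only class that reads it) would scope it. The six `LSARPC_*` hashes in data/lib/smbRpc/lsarpc/constants.rb have the same shape; note that the example data/examples/enumLsa.rb references `LSARPC_POLICY_INFORMATION_CLASS` unqualified, so moving those changes the public surface, whereas freezing them is safe either way. A short header comment naming the source of the numbers (the [C706] Appendix I protocol identifiers, as the epmLookup.rb comment already cites) would also let a reader check the table.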
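--- a/data/lib/smbRpc/epmapper/epmLookup.rb
+++ b/data/lib/smbRpc/epmapper/epmLookup.rb
@@ -0,0 +1,98 @@
+module SmbRpc
+class Epmapper < Rpc
+#https://svn.nmap.org/nmap-exp/drazen/var/IDL/epmapper.idl?p=25000
+class Epm_LookupReq < BinData::Record
+endian :little
+request :request
+uint32 :inquiry_type, :value => 0x0f
+uint32 :object
+uint32 :interface_id
+uint32 :vers_option
+string :entry_handle, :length => 20
+uint32 :max_ents, :value => 1
+
+def initialize_instance
+super
+entry_handle.value = get_parameter(:handle)
+request.pduHead.frag_length = self.num_bytes
+request.opnum.value = 2 #epm_Lookup
+end
+end
+
+class Epm_floor < BinData::Record
+endian :little
+uint16 :lhsLength
+uint8 :protocol
+string :lhs_data, :length => lambda { lhsLength - 1 }
+uint16 :rhsLength
+string :rhs_data, :length => :rhsLength
+end
+
+class Epm_LookupRes < BinData::Record
+endian :little
+response :response
+string :entry_handle, :length => 20
+uint32 :num_ents
+
+#epm_entry_t
+uint32 :max_count
+uint32 :offset
+uint32 :actual_count
+string :guid, :length => 16
+uint32 :ref_id_tower
+uint32 :annotation_offset
+uint32 :annotation_length
+choice :annotation, :selection => :annotation_length do
+uint32 1
+string :default, :length => :annotation_length
+end
+
+#16 byte align
+string :pad, :onlyif => lambda { annotation_length > 1 }, :length => lambda { (4 - ( annotation_length % 4 )) % 4 }
+
+#epm_twr_t
+uint32 :tower_length
+uint32 :tower_len
+uint16 :num_floors
+array :floors, :type => :epm_floor, :initial_length => :num_floors
+uint32 :windowsError
+end
+
+def epmLookup()
+@handle = "\x00"*20
+out = []
+loop do
+epm_LookupReq = Epm_LookupReq.new(handle:@handle)
+epm_LookupRes = @file.ioctl_send_recv(epm_LookupReq).buffer
+result = epm_LookupRes[-4,4].unpack("V")[0]
+break if result == 0x16c9a0d6 #[MS-RPCE] There are no elements that satisfy the specified search criteria
+epm_LookupRes.raise_not_error_success("epmLookup")
+#https://msdn.microsoft.com/en-us/library/cc243786.aspx
+#RPC over SMB MUST use a protocol identifier of 0x0F instead of 0x10, as specified in [C706] Appendix I.<4>
+epm_LookupRes = Epm_LookupRes.read(epm_LookupRes)
+h = {}
+epm_LookupRes.floors.each do |e|
+h[:uuid] = "%s.%i"%[uuidParse(e.lhs_data), e.rhs_data.unpack("v")[0]] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_UUID"]
+h[:ndr] = "%s.%i"%[uuidParse(e.lhs_data), e.rhs_data.unpack("v")[0]] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_UUID"] && h.has_key?(:uuid)
+h[:name_pipe] = "%s"%[e.rhs_data.gsub("\x00","")] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_NAMED_PIPE"]
+h[:smb] = "%s"%[e.rhs_data.gsub("\x00","")] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_SMB"]
+h[:netBios] = "%s"%[e.rhs_data.gsub("\x00","")] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_NETBIOS"]
+h[:ip] = "%s"%[e.rhs_data.unpack("c*").join(".")] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_IP"]
+h[:port] = "%i"%[e.rhs_data.unpack("v")[0]] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_TCP"]
+h[:ncalrpc] = true if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_NCALRPC"]
+end
+out << h
+@handle = epm_LookupRes.entry_handle
+end
+return out
+end
+
+def uuidParse(uuidBin)
+return "%s-%s-%s-%s-%s %i"%[uuidBin[0,4].b.reverse.unpack("H*")[0],
+uuidBin[4,2].b.reverse.unpack("H*")[0], uuidBin[6,2].b.reverse.unpack("H*")[0],
+uuidBin[8,2].unpack("H*")[0], uuidBin[10,6].unpack("H*")[0], uuidBin[16,2].unpack("v")[0]]
+end
+
+end
+end
+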
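Review bot: In the floor loop at lines 75-76 every UUID floor overwrites `h[:uuid]`, and `h[:ndr]` is then assigned from the same floor because `:uuid` was just set, so after a tower's second UUID floor (the transfer-syntax floor, if the floors follow the [C706] order the comment cites) both `h[:uuid]` and `h[:ndr]` hold the transfer-syntax UUID and the interface UUID that data/examples/enumSmbPipe.rb prints as `e[:uuid]` is lost. Replacing the two lines with `h[h.key?(:uuid) ? :ndr : :uuid] = "%s.%i"%[uuidParse(e.lhs_data), e.rhs_data.unpack("v")[0]] if e.protocol == EPM_PROTOCOL["EPM_PROTOCOL_UUID"]` fills `:uuid` on the first UUID floor and `:ndr` on the second. Line 80 decodes the IP floor with `unpack("c*")`, which is signed, so any octet above 127 prints negative (192 becomes -64); it should be `unpack("C*")`. The `loop` at line 64 terminates only when the server answers 0x16c9a0d6, so a server that keeps returning entries with an unchanged `entry_handle` would never end the call; an iteration cap or a check that the handle advanced would bound it.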
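--- a/data/lib/smbRpc/lsarpc.rb
+++ b/data/lib/smbRpc/lsarpc.rb
@@ -0,0 +1,22 @@
+require"smbRpc/lsarpc/constants"
+require"smbRpc/lsarpc/openPolicy"
+require"smbRpc/lsarpc/close"
+require"smbRpc/lsarpc/queryInformationPolicy"
+require"smbRpc/lsarpc/enumerateAccounts"
+require"smbRpc/lsarpc/lookupSids"
+require"smbRpc/lsarpc/openAccount"
+require"smbRpc/lsarpc/enumeratePrivilegesAccount"
+require"smbRpc/lsarpc/lookupPrivilegeName"
+#require"smbRpc/lsarpc/querySecurityObject"
+require"smbRpc/lsarpc/lookupNames"
+
+module SmbRpc
+class Lsarpc < Rpc
+def initialize(**argv)
+super(argv)
+self.connect
+self.bind(pipe:"lsarpc")
+end
+end
+end
+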
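Review bot: `super(argv)` on line 16 forwards the captured keywords as one positional hash; if `Rpc#initialize` (in data/lib/smbRpc/rpc/connection.rb, not in this hunk) declares keyword parameters, Ruby 2.x converts the trailing hash but Ruby 3 raises ArgumentError, so `super(**argv)` is the form that works on both. The constructor also connects and binds straight away (lines 17-18), so when `bind` raises the session opened by `connect` is never closed because the caller never receives the object; closing it in a `rescue` before re-raising, or leaving connection to an explicit call, would avoid the leak. The disabled require on line 10 (`#require"smbRpc/lsarpc/querySecurityObject"`) should carry a comment saying why querySecurityObject is shipped but not loaded.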
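--- a/data/lib/smbRpc/lsarpc/close.rb
+++ b/data/lib/smbRpc/lsarpc/close.rb
@@ -0,0 +1,48 @@
+
+module SmbRpc
+class Lsarpc < Rpc
+
+class LsarCloseReq < BinData::Record
+endian :little
+request :request
+string :objectHandle, :length => 20
+def initialize_instance
+super
+objectHandle.value = get_parameter(:handle)
+request.pduHead.frag_length = self.num_bytes
+request.opnum.value = 0 #LsarClose
+end
+end
+
+class LsarCloseRes < BinData::Record
+endian :little
+request :request
+string :objectHandle, :length => 20
+uint32 :windowsError
+end
+
+def closePolicy()
+if !@policyHandle.nil?
+lsarCloseReq = LsarCloseReq.new(handle:@policyHandle)
+lsarCloseRes = @file.ioctl_send_recv(lsarCloseReq).buffer
+lsarCloseRes.raise_not_error_success("closeAccount")
+@policyHandle = nil
+end
+end
+
+def closeAccount()
+if !@accountHandle.nil?
+lsarCloseReq = LsarCloseReq.new(handle:@accountHandle)
+lsarCloseRes = @file.ioctl_send_recv(lsarCloseReq).buffer
+lsarCloseRes.raise_not_error_success("closeAccount")
+@accountHandle = nil
+end
+end
+
+def close()
+closeAccount()
+closePolicy()
+super
+end
+end
+end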
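Review bot: `closePolicy` at line 28 passes the label `"closeAccount"` to `raise_not_error_success`, so a failure closing the policy handle is reported as a closeAccount failure; it should read `lsarCloseRes.raise_not_error_success("closePolicy")`. `LsarCloseRes` on line 19 declares `request :request` where the other response records in this gem (`LsarEnumerateAccountsRes`, `Epm_LookupRes`) declare `response :response`; the record is never read in this file, which is why the mismatch is invisible today, but it should be `response :response` before anyone parses a reply with it. In `close` (lines 42-46) an exception from `closeAccount` skips `closePolicy` and `super`, so the policy handle and the underlying SMB session stay open; running the three steps in nested `ensure` clauses, so each later step still executes when an earlier one raises, makes `close` reliable as a cleanup path. The `if !@policyHandle.nil?` guards on lines 25 and 34 read more directly as `return if @policyHandle.nil?`.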
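--- a/data/lib/smbRpc/lsarpc/constants.rb
+++ b/data/lib/smbRpc/lsarpc/constants.rb
@@ -0,0 +1,54 @@
+LSARPC_ALL_ACCESS_MASK = {
+"DELETE" => 0x00010000,
+"READ_CONTROL" => 0x00020000,
+"WRITE_DAC" => 0x00040000,
+"WRITE_OWNER" => 0x00080000,
+"MAXIMUM_ALLOWED" => 0x02000000
+}
+
+LSARPC_POLICY_ACCESS_MASK = {
+"POLICY_VIEW_LOCAL_INFORMATION" => 0x00000001,
+"POLICY_VIEW_AUDIT_INFORMATION" => 0x00000002,
+"POLICY_GET_PRIVATE_INFORMATION" => 0x00000004,
+"POLICY_TRUST_ADMIN" => 0x00000008,
+"POLICY_CREATE_ACCOUNT" => 0x00000010,
+"POLICY_CREATE_SECRET" => 0x00000020,
+"POLICY_CREATE_PRIVILEGE" => 0x00000040,
+"POLICY_SET_DEFAULT_QUOTA_LIMITS" => 0x00000080,
+"POLICY_SET_AUDIT_REQUIREMENTS" => 0x00000100,
+"POLICY_AUDIT_LOG_ADMIN" => 0x00000200,
+"POLICY_SERVER_ADMIN" => 0x00000400,
+"POLICY_LOOKUP_NAMES" => 0x00000800,
+"POLICY_NOTIFICATION" => 0x00001000
+}
+
+LSARPC_ACCOUNT_ACCESS_MASK = {
+"ACCOUNT_VIEW" => 0x00000001,
+"ACCOUNT_ADJUST_PRIVILEGES" => 0x00000002,
+"ACCOUNT_ADJUST_QUOTAS" => 0x00000004,
+"ACCOUNT_ADJUST_SYSTEM_ACCESS" => 0x00000008
+}
+
+#only these 2 looks interesting
+LSARPC_POLICY_INFORMATION_CLASS = {
+"PolicyLsaServerRoleInformation" => 6,
+"PolicyDnsDomainInformation" => 12
+}
+
+LSARPC_POLICY_LSA_SERVER_ROLE = {
+"PolicyServerRoleBackup" => 2,
+"PolicyServerRolePrimary" => 3
+}
+
+LSARPC_SID_NAME_USE = {
+"SidTypeUser" => 1,
+"SidTypeGroup" => 2,
+"SidTypeDomain" => 3,
+"SidTypeAlias" => 4,
+"SidTypeWellKnownGroup" => 5,
+"SidTypeDeletedAccount" => 6,
+"SidTypeInvalid" => 7,
+"SidTypeUnknown" => 8,
+"SidTypeComputer" => 9,
+"SidTypeLabel" => 10
+}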
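--- a/data/lib/smbRpc/lsarpc/enumerateAccounts.rb
+++ b/data/lib/smbRpc/lsarpc/enumerateAccounts.rb
@@ -0,0 +1,55 @@
+module SmbRpc
+class Lsarpc < Rpc
+
+class LsarEnumerateAccountsReq < BinData::Record
+endian :little
+request :request
+string :policyHandle, :length => 20
+uint32 :enumerationContext
+uint32 :preferedMaximumLength, :value => 1024
+
+def initialize_instance
+super
+policyHandle.value = get_parameter(:handle)
+request.pduHead.frag_length = self.num_bytes
+request.opnum.value = 11 #LsarEnumerateAccounts
+end
+end
+
+class Sid_element < BinData::Record
+endian :little
+uint32 :sub_auth
+rpc_sid :sid #declared in lsaQueryInformationPolicy.rb
+end
+
+class Lsapr_account_enum_buffer < BinData::Record
+endian :little
+uint32 :entriesRead
+uint32 :ref_id_sid, :initial_value => 1
+uint32 :max_count, :value => :entriesRead
+array :ref_id_information, :initial_length => :entriesRead, :type => :uint32, :initial_value => 1
+array :information, :initial_length => :entriesRead, :type => :sid_element
+end
+
+class LsarEnumerateAccountsRes < BinData::Record
+endian :little
+response :response
+uint32 :enumerationContext
+lsapr_account_enum_buffer :enumerationBuffer
+uint32 :windowsError
+end
+
+def enumerateAccounts()
+lsarEnumerateAccountsReq = LsarEnumerateAccountsReq.new(handle:@policyHandle)
+lsarEnumerateAccountsRes = @file.ioctl_send_recv(lsarEnumerateAccountsReq).buffer
+lsarEnumerateAccountsRes.raise_not_error_success("enumerateAccounts")
+lsarEnumerateAccountsRes = LsarEnumerateAccountsRes.read(lsarEnumerateAccountsRes)
+sids = []
+lsarEnumerateAccountsRes.enumerationBuffer.information.each do |e|
+sids << e.sid.to_s
+end
+return sids
+end
+
+end
+end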
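Review bot: `enumerateAccounts` sends one request with `enumerationContext` left at 0 and never reads the `enumerationContext` the reply carries at line 37, so when the server has more accounts than fit in `preferedMaximumLength` (1024, line 9) — [MS-LSAD] signals that with STATUS_MORE_ENTRIES — everything after the first page is silently dropped; whether that status even gets past `raise_not_error_success` (defined in data/lib/smbRpc/updateString/raise_not_error_success.rb, not in this hunk) cannot be told from here. Looping, feeding the returned context into the next request until the status is success, would make the result complete, and lines 47-51 reduce to `sids = lsarEnumerateAccountsRes.enumerationBuffer.information.map { |e| e.sid.to_s }`. If the method is called before `openPolicy`, `@policyHandle` is nil and the request is built with `handle:nil`; a guard raising a clear error would be friendlier than whatever BinData does with that. The comment on line 22 points to `lsaQueryInformationPolicy.rb`, but the file in this gem is data/lib/smbRpc/lsarpc/queryInformationPolicy.rb.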