github/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2024-10-18 05:00:39 -07:00
Code Issues Packages Projects Releases Wiki Activity
master
Responder/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/nrpc.py

2854 lines
90 KiB
Python
Raw Permalink Blame History

# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Author: Alberto Solino (@agsolino)
#
# Description:
# [MS-NRPC] Interface implementation
#
# Best way to learn how to use these calls is to grab the protocol standard
# so you understand what the call does, and then read the test case located
# at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
#
# Some calls have helper functions, which makes it even easier to use.
# They are located at the end of this file.
# Helper functions start with "h"<name of the call>.
# There are test cases for them too.
#
from struct import pack
from six import b
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRUNION, NDRPOINTER, NDRUniConformantArray, \
NDRUniFixedArray, NDRUniConformantVaryingArray
from impacket.dcerpc.v5.dtypes import WSTR, LPWSTR, DWORD, ULONG, USHORT, PGUID, NTSTATUS, NULL, LONG, UCHAR, PRPC_SID, \
GUID, RPC_UNICODE_STRING, SECURITY_INFORMATION, LPULONG
from impacket import system_errors, nt_errors
from impacket.uuid import uuidtup_to_bin
from impacket.dcerpc.v5.enum import Enum
from impacket.dcerpc.v5.samr import OLD_LARGE_INTEGER
from impacket.dcerpc.v5.lsad import PLSA_FOREST_TRUST_INFORMATION
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.structure import Structure
from impacket import ntlm, crypto, LOG
import hmac
import hashlib
try:
from Cryptodome.Cipher import DES, AES, ARC4
except ImportError:
LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
LOG.critical("See https://pypi.org/project/pycryptodomex/")
MSRPC_UUID_NRPC = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB', '1.0'))
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
def __str__( self ):
key = self.error_code
if key in system_errors.ERROR_MESSAGES:
error_msg_short = system_errors.ERROR_MESSAGES[key][0]
error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
return 'NRPC SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
elif key in nt_errors.ERROR_MESSAGES:
error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1]
return 'NRPC SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
else:
return 'NRPC SessionError: unknown error code: 0x%x' % (self.error_code)
################################################################################
# CONSTANTS
################################################################################
# 2.2.1.2.5 NL_DNS_NAME_INFO
# Type
NlDnsLdapAtSite = 22
NlDnsGcAtSite = 25
NlDnsDsaCname = 28
NlDnsKdcAtSite = 30
NlDnsDcAtSite = 32
NlDnsRfc1510KdcAtSite = 34
NlDnsGenericGcAtSite = 36
# DnsDomainInfoType
NlDnsDomainName = 1
NlDnsDomainNameAlias = 2
NlDnsForestName = 3
NlDnsForestNameAlias = 4
NlDnsNdncDomainName = 5
NlDnsRecordName = 6
# 2.2.1.3.15 NL_OSVERSIONINFO_V1
# wSuiteMask
VER_SUITE_BACKOFFICE = 0x00000004
VER_SUITE_BLADE = 0x00000400
VER_SUITE_COMPUTE_SERVER = 0x00004000
VER_SUITE_DATACENTER = 0x00000080
VER_SUITE_ENTERPRISE = 0x00000002
VER_SUITE_EMBEDDEDNT = 0x00000040
VER_SUITE_PERSONAL = 0x00000200
VER_SUITE_SINGLEUSERTS = 0x00000100
VER_SUITE_SMALLBUSINESS = 0x00000001
VER_SUITE_SMALLBUSINESS_RESTRICTED = 0x00000020
VER_SUITE_STORAGE_SERVER = 0x00002000
VER_SUITE_TERMINAL = 0x00000010
# wProductType
VER_NT_DOMAIN_CONTROLLER = 0x00000002
VER_NT_SERVER = 0x00000003
VER_NT_WORKSTATION = 0x00000001
# 2.2.1.4.18 NETLOGON Specific Access Masks
NETLOGON_UAS_LOGON_ACCESS = 0x0001
NETLOGON_UAS_LOGOFF_ACCESS = 0x0002
NETLOGON_CONTROL_ACCESS = 0x0004
NETLOGON_QUERY_ACCESS = 0x0008
NETLOGON_SERVICE_ACCESS = 0x0010
NETLOGON_FTINFO_ACCESS = 0x0020
NETLOGON_WKSTA_RPC_ACCESS = 0x0040
# 3.5.4.9.1 NetrLogonControl2Ex (Opnum 18)
# FunctionCode
NETLOGON_CONTROL_QUERY = 0x00000001
NETLOGON_CONTROL_REPLICATE = 0x00000002
NETLOGON_CONTROL_SYNCHRONIZE = 0x00000003
NETLOGON_CONTROL_PDC_REPLICATE = 0x00000004
NETLOGON_CONTROL_REDISCOVER = 0x00000005
NETLOGON_CONTROL_TC_QUERY = 0x00000006
NETLOGON_CONTROL_TRANSPORT_NOTIFY = 0x00000007
NETLOGON_CONTROL_FIND_USER = 0x00000008
NETLOGON_CONTROL_CHANGE_PASSWORD = 0x00000009
NETLOGON_CONTROL_TC_VERIFY = 0x0000000A
NETLOGON_CONTROL_FORCE_DNS_REG = 0x0000000B
NETLOGON_CONTROL_QUERY_DNS_REG = 0x0000000C
NETLOGON_CONTROL_BACKUP_CHANGE_LOG = 0x0000FFFC
NETLOGON_CONTROL_TRUNCATE_LOG = 0x0000FFFD
NETLOGON_CONTROL_SET_DBFLAG = 0x0000FFFE
NETLOGON_CONTROL_BREAKPOINT = 0x0000FFFF
################################################################################
# STRUCTURES
################################################################################
# 3.5.4.1 RPC Binding Handles for Netlogon Methods
LOGONSRV_HANDLE = WSTR
PLOGONSRV_HANDLE = LPWSTR
# 2.2.1.1.1 CYPHER_BLOCK
class CYPHER_BLOCK(NDRSTRUCT):
structure = (
('Data', '8s=b""'),
)
def getAlignment(self):
return 1
NET_API_STATUS = DWORD
# 2.2.1.1.2 STRING
from impacket.dcerpc.v5.lsad import STRING
# 2.2.1.1.3 LM_OWF_PASSWORD
class CYPHER_BLOCK_ARRAY(NDRUniFixedArray):
def getDataLen(self, data, offset=0):
return len(CYPHER_BLOCK())*2
class LM_OWF_PASSWORD(NDRSTRUCT):
structure = (
('Data', CYPHER_BLOCK_ARRAY),
)
# 2.2.1.1.4 NT_OWF_PASSWORD
NT_OWF_PASSWORD = LM_OWF_PASSWORD
ENCRYPTED_NT_OWF_PASSWORD = NT_OWF_PASSWORD
# 2.2.1.3.4 NETLOGON_CREDENTIAL
class UCHAR_FIXED_ARRAY(NDRUniFixedArray):
align = 1
def getDataLen(self, data, offset=0):
return len(CYPHER_BLOCK())
class NETLOGON_CREDENTIAL(NDRSTRUCT):
structure = (
('Data',UCHAR_FIXED_ARRAY),
)
def getAlignment(self):
return 1
# 2.2.1.1.5 NETLOGON_AUTHENTICATOR
class NETLOGON_AUTHENTICATOR(NDRSTRUCT):
structure = (
('Credential', NETLOGON_CREDENTIAL),
('Timestamp', DWORD),
)
class PNETLOGON_AUTHENTICATOR(NDRPOINTER):
referent = (
('Data', NETLOGON_AUTHENTICATOR),
)
# 2.2.1.2.1 DOMAIN_CONTROLLER_INFOW
class DOMAIN_CONTROLLER_INFOW(NDRSTRUCT):
structure = (
('DomainControllerName', LPWSTR),
('DomainControllerAddress', LPWSTR),
('DomainControllerAddressType', ULONG),
('DomainGuid', GUID),
('DomainName', LPWSTR),
('DnsForestName', LPWSTR),
('Flags', ULONG),
('DcSiteName', LPWSTR),
('ClientSiteName', LPWSTR),
)
class PDOMAIN_CONTROLLER_INFOW(NDRPOINTER):
referent = (
('Data', DOMAIN_CONTROLLER_INFOW),
)
# 2.2.1.2.2 NL_SITE_NAME_ARRAY
class RPC_UNICODE_STRING_ARRAY(NDRUniConformantArray):
item = RPC_UNICODE_STRING
class PRPC_UNICODE_STRING_ARRAY(NDRPOINTER):
referent = (
('Data', RPC_UNICODE_STRING_ARRAY),
)
class NL_SITE_NAME_ARRAY(NDRSTRUCT):
structure = (
('EntryCount', ULONG),
('SiteNames', PRPC_UNICODE_STRING_ARRAY),
)
class PNL_SITE_NAME_ARRAY(NDRPOINTER):
referent = (
('Data', NL_SITE_NAME_ARRAY),
)
# 2.2.1.2.3 NL_SITE_NAME_EX_ARRAY
class RPC_UNICODE_STRING_ARRAY(NDRUniConformantArray):
item = RPC_UNICODE_STRING
class NL_SITE_NAME_EX_ARRAY(NDRSTRUCT):
structure = (
('EntryCount', ULONG),
('SiteNames', PRPC_UNICODE_STRING_ARRAY),
('SubnetNames', PRPC_UNICODE_STRING_ARRAY),
)
class PNL_SITE_NAME_EX_ARRAY(NDRPOINTER):
referent = (
('Data', NL_SITE_NAME_EX_ARRAY),
)
# 2.2.1.2.4 NL_SOCKET_ADDRESS
# 2.2.1.2.4.1 IPv4 Address Structure
class IPv4Address(Structure):
structure = (
('AddressFamily', '<H=0'),
('Port', '<H=0'),
('Address', '<L=0'),
('Padding', '<L=0'),
)
class UCHAR_ARRAY(NDRUniConformantArray):
item = 'c'
class PUCHAR_ARRAY(NDRPOINTER):
referent = (
('Data', UCHAR_ARRAY),
)
class NL_SOCKET_ADDRESS(NDRSTRUCT):
structure = (
('lpSockaddr', PUCHAR_ARRAY),
('iSockaddrLength', ULONG),
)
class NL_SOCKET_ADDRESS_ARRAY(NDRUniConformantArray):
item = NL_SOCKET_ADDRESS
# 2.2.1.2.5 NL_DNS_NAME_INFO
class NL_DNS_NAME_INFO(NDRSTRUCT):
structure = (
('Type', ULONG),
('DnsDomainInfoType', WSTR),
('Priority', ULONG),
('Weight', ULONG),
('Port', ULONG),
('Register', UCHAR),
('Status', ULONG),
)
# 2.2.1.2.6 NL_DNS_NAME_INFO_ARRAY
class NL_DNS_NAME_INFO_ARRAY(NDRUniConformantArray):
item = NL_DNS_NAME_INFO
class PNL_DNS_NAME_INFO_ARRAY(NDRPOINTER):
referent = (
('Data', NL_DNS_NAME_INFO_ARRAY),
)
class NL_DNS_NAME_INFO_ARRAY(NDRSTRUCT):
structure = (
('EntryCount', ULONG),
('DnsNamesInfo', PNL_DNS_NAME_INFO_ARRAY),
)
# 2.2.1.3 Secure Channel Establishment and Maintenance Structures
# ToDo
# 2.2.1.3.5 NETLOGON_LSA_POLICY_INFO
class NETLOGON_LSA_POLICY_INFO(NDRSTRUCT):
structure = (
('LsaPolicySize', ULONG),
('LsaPolicy', PUCHAR_ARRAY),
)
class PNETLOGON_LSA_POLICY_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_LSA_POLICY_INFO),
)
# 2.2.1.3.6 NETLOGON_WORKSTATION_INFO
class NETLOGON_WORKSTATION_INFO(NDRSTRUCT):
structure = (
('LsaPolicy', NETLOGON_LSA_POLICY_INFO),
('DnsHostName', LPWSTR),
('SiteName', LPWSTR),
('Dummy1', LPWSTR),
('Dummy2', LPWSTR),
('Dummy3', LPWSTR),
('Dummy4', LPWSTR),
('OsVersion', RPC_UNICODE_STRING),
('OsName', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('WorkstationFlags', ULONG),
('KerberosSupportedEncryptionTypes', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_WORKSTATION_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_WORKSTATION_INFO),
)
# 2.2.1.3.7 NL_TRUST_PASSWORD
class NL_TRUST_PASSWORD_FIXED_ARRAY(NDRUniFixedArray):
def getDataLen(self, data, offset=0):
return 512+4
def getAlignment(self):
return 1
class WCHAR_ARRAY(NDRUniFixedArray):
def getDataLen(self, data, offset=0):
return 512
class NL_TRUST_PASSWORD(NDRSTRUCT):
structure = (
('Buffer', WCHAR_ARRAY),
('Length', ULONG),
)
class PNL_TRUST_PASSWORD(NDRPOINTER):
referent = (
('Data', NL_TRUST_PASSWORD),
)
# 2.2.1.3.8 NL_PASSWORD_VERSION
class NL_PASSWORD_VERSION(NDRSTRUCT):
structure = (
('ReservedField', ULONG),
('PasswordVersionNumber', ULONG),
('PasswordVersionPresent', ULONG),
)
# 2.2.1.3.9 NETLOGON_WORKSTATION_INFORMATION
class NETLOGON_WORKSTATION_INFORMATION(NDRUNION):
commonHdr = (
('tag', DWORD),
)
union = {
1 : ('WorkstationInfo', PNETLOGON_WORKSTATION_INFO),
2 : ('LsaPolicyInfo', PNETLOGON_LSA_POLICY_INFO),
}
# 2.2.1.3.10 NETLOGON_ONE_DOMAIN_INFO
class NETLOGON_ONE_DOMAIN_INFO(NDRSTRUCT):
structure = (
('DomainName', RPC_UNICODE_STRING),
('DnsDomainName', RPC_UNICODE_STRING),
('DnsForestName', RPC_UNICODE_STRING),
('DomainGuid', GUID),
('DomainSid', PRPC_SID),
('TrustExtension', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class NETLOGON_ONE_DOMAIN_INFO_ARRAY(NDRUniConformantArray):
item = NETLOGON_ONE_DOMAIN_INFO
class PNETLOGON_ONE_DOMAIN_INFO_ARRAY(NDRPOINTER):
referent = (
('Data', NETLOGON_ONE_DOMAIN_INFO_ARRAY),
)
# 2.2.1.3.11 NETLOGON_DOMAIN_INFO
class NETLOGON_DOMAIN_INFO(NDRSTRUCT):
structure = (
('PrimaryDomain', NETLOGON_ONE_DOMAIN_INFO),
('TrustedDomainCount', ULONG),
('TrustedDomains', PNETLOGON_ONE_DOMAIN_INFO_ARRAY),
('LsaPolicy', NETLOGON_LSA_POLICY_INFO),
('DnsHostNameInDs', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('WorkstationFlags', ULONG),
('SupportedEncTypes', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DOMAIN_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_DOMAIN_INFO),
)
# 2.2.1.3.12 NETLOGON_DOMAIN_INFORMATION
class NETLOGON_DOMAIN_INFORMATION(NDRUNION):
commonHdr = (
('tag', DWORD),
)
union = {
1 : ('DomainInfo', PNETLOGON_DOMAIN_INFO),
2 : ('LsaPolicyInfo', PNETLOGON_LSA_POLICY_INFO),
}
# 2.2.1.3.13 NETLOGON_SECURE_CHANNEL_TYPE
class NETLOGON_SECURE_CHANNEL_TYPE(NDRENUM):
class enumItems(Enum):
NullSecureChannel = 0
MsvApSecureChannel = 1
WorkstationSecureChannel = 2
TrustedDnsDomainSecureChannel = 3
TrustedDomainSecureChannel = 4
UasServerSecureChannel = 5
ServerSecureChannel = 6
CdcServerSecureChannel = 7
# 2.2.1.3.14 NETLOGON_CAPABILITIES
class NETLOGON_CAPABILITIES(NDRUNION):
commonHdr = (
('tag', DWORD),
)
union = {
1 : ('ServerCapabilities', ULONG),
}
# 2.2.1.3.15 NL_OSVERSIONINFO_V1
class UCHAR_FIXED_ARRAY(NDRUniFixedArray):
def getDataLen(self, data, offset=0):
return 128
class NL_OSVERSIONINFO_V1(NDRSTRUCT):
structure = (
('dwOSVersionInfoSize', DWORD),
('dwMajorVersion', DWORD),
('dwMinorVersion', DWORD),
('dwBuildNumber', DWORD),
('dwPlatformId', DWORD),
('szCSDVersion', UCHAR_FIXED_ARRAY),
('wServicePackMajor', USHORT),
('wServicePackMinor', USHORT),
('wSuiteMask', USHORT),
('wProductType', UCHAR),
('wReserved', UCHAR),
)
class PNL_OSVERSIONINFO_V1(NDRPOINTER):
referent = (
('Data', NL_OSVERSIONINFO_V1),
)
# 2.2.1.3.16 NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1
class PLPWSTR(NDRPOINTER):
referent = (
('Data', LPWSTR),
)
class NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1(NDRSTRUCT):
structure = (
('ClientDnsHostName', PLPWSTR),
('OsVersionInfo', PNL_OSVERSIONINFO_V1),
('OsName', PLPWSTR),
)
# 2.2.1.3.17 NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES
class NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES(NDRUNION):
commonHdr = (
('tag', DWORD),
)
union = {
1 : ('V1', NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1),
}
# 2.2.1.3.18 NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1
class NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1(NDRSTRUCT):
structure = (
('HubName', PLPWSTR),
('OldDnsHostName', PLPWSTR),
('SupportedEncTypes', LPULONG),
)
# 2.2.1.3.19 NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES
class NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES(NDRUNION):
commonHdr = (
('tag', DWORD),
)
union = {
1 : ('V1', NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1),
}
# 2.2.1.4.1 LM_CHALLENGE
class CHAR_FIXED_8_ARRAY(NDRUniFixedArray):
def getDataLen(self, data, offset=0):
return 8
class LM_CHALLENGE(NDRSTRUCT):
structure = (
('Data', CHAR_FIXED_8_ARRAY),
)
# 2.2.1.4.15 NETLOGON_LOGON_IDENTITY_INFO
class NETLOGON_LOGON_IDENTITY_INFO(NDRSTRUCT):
structure = (
('LogonDomainName', RPC_UNICODE_STRING),
('ParameterControl', ULONG),
('Reserved', OLD_LARGE_INTEGER),
('UserName', RPC_UNICODE_STRING),
('Workstation', RPC_UNICODE_STRING),
)
class PNETLOGON_LOGON_IDENTITY_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_LOGON_IDENTITY_INFO),
)
# 2.2.1.4.2 NETLOGON_GENERIC_INFO
class NETLOGON_GENERIC_INFO(NDRSTRUCT):
structure = (
('Identity', NETLOGON_LOGON_IDENTITY_INFO),
('PackageName', RPC_UNICODE_STRING),
('DataLength', ULONG),
('LogonData', PUCHAR_ARRAY),
)
class PNETLOGON_GENERIC_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_GENERIC_INFO),
)
# 2.2.1.4.3 NETLOGON_INTERACTIVE_INFO
class NETLOGON_INTERACTIVE_INFO(NDRSTRUCT):
structure = (
('Identity', NETLOGON_LOGON_IDENTITY_INFO),
('LmOwfPassword', LM_OWF_PASSWORD),
('NtOwfPassword', NT_OWF_PASSWORD),
)
class PNETLOGON_INTERACTIVE_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_INTERACTIVE_INFO),
)
# 2.2.1.4.4 NETLOGON_SERVICE_INFO
class NETLOGON_SERVICE_INFO(NDRSTRUCT):
structure = (
('Identity', NETLOGON_LOGON_IDENTITY_INFO),
('LmOwfPassword', LM_OWF_PASSWORD),
('NtOwfPassword', NT_OWF_PASSWORD),
)
class PNETLOGON_SERVICE_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_SERVICE_INFO),
)
# 2.2.1.4.5 NETLOGON_NETWORK_INFO
class NETLOGON_NETWORK_INFO(NDRSTRUCT):
structure = (
('Identity', NETLOGON_LOGON_IDENTITY_INFO),
('LmChallenge', LM_CHALLENGE),
('NtChallengeResponse', STRING),
('LmChallengeResponse', STRING),
)
class PNETLOGON_NETWORK_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_NETWORK_INFO),
)
# 2.2.1.4.16 NETLOGON_LOGON_INFO_CLASS
class NETLOGON_LOGON_INFO_CLASS(NDRENUM):
class enumItems(Enum):
NetlogonInteractiveInformation = 1
NetlogonNetworkInformation = 2
NetlogonServiceInformation = 3
NetlogonGenericInformation = 4
NetlogonInteractiveTransitiveInformation = 5
NetlogonNetworkTransitiveInformation = 6
NetlogonServiceTransitiveInformation = 7
# 2.2.1.4.6 NETLOGON_LEVEL
class NETLOGON_LEVEL(NDRUNION):
union = {
NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation : ('LogonInteractive', PNETLOGON_INTERACTIVE_INFO),
NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveTransitiveInformation : ('LogonInteractiveTransitive', PNETLOGON_INTERACTIVE_INFO),
NETLOGON_LOGON_INFO_CLASS.NetlogonServiceInformation : ('LogonService', PNETLOGON_SERVICE_INFO),
NETLOGON_LOGON_INFO_CLASS.NetlogonServiceTransitiveInformation : ('LogonServiceTransitive', PNETLOGON_SERVICE_INFO),
NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkInformation : ('LogonNetwork', PNETLOGON_NETWORK_INFO),
NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation : ('LogonNetworkTransitive', PNETLOGON_NETWORK_INFO),
NETLOGON_LOGON_INFO_CLASS.NetlogonGenericInformation : ('LogonGeneric', PNETLOGON_GENERIC_INFO),
}
# 2.2.1.4.7 NETLOGON_SID_AND_ATTRIBUTES
class NETLOGON_SID_AND_ATTRIBUTES(NDRSTRUCT):
structure = (
('Sid', PRPC_SID),
('Attributes', ULONG),
)
# 2.2.1.4.8 NETLOGON_VALIDATION_GENERIC_INFO2
class NETLOGON_VALIDATION_GENERIC_INFO2(NDRSTRUCT):
structure = (
('DataLength', ULONG),
('ValidationData', PUCHAR_ARRAY),
)
class PNETLOGON_VALIDATION_GENERIC_INFO2(NDRPOINTER):
referent = (
('Data', NETLOGON_VALIDATION_GENERIC_INFO2),
)
# 2.2.1.4.9 USER_SESSION_KEY
USER_SESSION_KEY = LM_OWF_PASSWORD
# 2.2.1.4.10 GROUP_MEMBERSHIP
class GROUP_MEMBERSHIP(NDRSTRUCT):
structure = (
('RelativeId', ULONG),
('Attributes', ULONG),
)
class GROUP_MEMBERSHIP_ARRAY(NDRUniConformantArray):
item = GROUP_MEMBERSHIP
class PGROUP_MEMBERSHIP_ARRAY(NDRPOINTER):
referent = (
('Data', GROUP_MEMBERSHIP_ARRAY),
)
# 2.2.1.4.11 NETLOGON_VALIDATION_SAM_INFO
class LONG_ARRAY(NDRUniFixedArray):
def getDataLen(self, data, offset=0):
return 4*10
class NETLOGON_VALIDATION_SAM_INFO(NDRSTRUCT):
structure = (
('LogonTime', OLD_LARGE_INTEGER),
('LogoffTime', OLD_LARGE_INTEGER),
('KickOffTime', OLD_LARGE_INTEGER),
('PasswordLastSet', OLD_LARGE_INTEGER),
('PasswordCanChange', OLD_LARGE_INTEGER),
('PasswordMustChange', OLD_LARGE_INTEGER),
('EffectiveName', RPC_UNICODE_STRING),
('FullName', RPC_UNICODE_STRING),
('LogonScript', RPC_UNICODE_STRING),
('ProfilePath', RPC_UNICODE_STRING),
('HomeDirectory', RPC_UNICODE_STRING),
('HomeDirectoryDrive', RPC_UNICODE_STRING),
('LogonCount', USHORT),
('BadPasswordCount', USHORT),
('UserId', ULONG),
('PrimaryGroupId', ULONG),
('GroupCount', ULONG),
('GroupIds', PGROUP_MEMBERSHIP_ARRAY),
('UserFlags', ULONG),
('UserSessionKey', USER_SESSION_KEY),
('LogonServer', RPC_UNICODE_STRING),
('LogonDomainName', RPC_UNICODE_STRING),
('LogonDomainId', PRPC_SID),
('ExpansionRoom', LONG_ARRAY),
)
class PNETLOGON_VALIDATION_SAM_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_VALIDATION_SAM_INFO),
)
# 2.2.1.4.12 NETLOGON_VALIDATION_SAM_INFO2
class NETLOGON_SID_AND_ATTRIBUTES_ARRAY(NDRUniConformantArray):
item = NETLOGON_SID_AND_ATTRIBUTES
class PNETLOGON_SID_AND_ATTRIBUTES_ARRAY(NDRPOINTER):
referent = (
('Data', NETLOGON_SID_AND_ATTRIBUTES_ARRAY),
)
class NETLOGON_VALIDATION_SAM_INFO2(NDRSTRUCT):
structure = (
('LogonTime', OLD_LARGE_INTEGER),
('LogoffTime', OLD_LARGE_INTEGER),
('KickOffTime', OLD_LARGE_INTEGER),
('PasswordLastSet', OLD_LARGE_INTEGER),
('PasswordCanChange', OLD_LARGE_INTEGER),
('PasswordMustChange', OLD_LARGE_INTEGER),
('EffectiveName', RPC_UNICODE_STRING),
('FullName', RPC_UNICODE_STRING),
('LogonScript', RPC_UNICODE_STRING),
('ProfilePath', RPC_UNICODE_STRING),
('HomeDirectory', RPC_UNICODE_STRING),
('HomeDirectoryDrive', RPC_UNICODE_STRING),
('LogonCount', USHORT),
('BadPasswordCount', USHORT),
('UserId', ULONG),
('PrimaryGroupId', ULONG),
('GroupCount', ULONG),
('GroupIds', PGROUP_MEMBERSHIP_ARRAY),
('UserFlags', ULONG),
('UserSessionKey', USER_SESSION_KEY),
('LogonServer', RPC_UNICODE_STRING),
('LogonDomainName', RPC_UNICODE_STRING),
('LogonDomainId', PRPC_SID),
('ExpansionRoom', LONG_ARRAY),
('SidCount', ULONG),
('ExtraSids', PNETLOGON_SID_AND_ATTRIBUTES_ARRAY),
)
class PNETLOGON_VALIDATION_SAM_INFO2(NDRPOINTER):
referent = (
('Data', NETLOGON_VALIDATION_SAM_INFO2),
)
# 2.2.1.4.13 NETLOGON_VALIDATION_SAM_INFO4
class NETLOGON_VALIDATION_SAM_INFO4(NDRSTRUCT):
structure = (
('LogonTime', OLD_LARGE_INTEGER),
('LogoffTime', OLD_LARGE_INTEGER),
('KickOffTime', OLD_LARGE_INTEGER),
('PasswordLastSet', OLD_LARGE_INTEGER),
('PasswordCanChange', OLD_LARGE_INTEGER),
('PasswordMustChange', OLD_LARGE_INTEGER),
('EffectiveName', RPC_UNICODE_STRING),
('FullName', RPC_UNICODE_STRING),
('LogonScript', RPC_UNICODE_STRING),
('ProfilePath', RPC_UNICODE_STRING),
('HomeDirectory', RPC_UNICODE_STRING),
('HomeDirectoryDrive', RPC_UNICODE_STRING),
('LogonCount', USHORT),
('BadPasswordCount', USHORT),
('UserId', ULONG),
('PrimaryGroupId', ULONG),
('GroupCount', ULONG),
('GroupIds', PGROUP_MEMBERSHIP_ARRAY),
('UserFlags', ULONG),
('UserSessionKey', USER_SESSION_KEY),
('LogonServer', RPC_UNICODE_STRING),
('LogonDomainName', RPC_UNICODE_STRING),
('LogonDomainId', PRPC_SID),
('LMKey', CHAR_FIXED_8_ARRAY),
('UserAccountControl', ULONG),
('SubAuthStatus', ULONG),
('LastSuccessfulILogon', OLD_LARGE_INTEGER),
('LastFailedILogon', OLD_LARGE_INTEGER),
('FailedILogonCount', ULONG),
('Reserved4', ULONG),
('SidCount', ULONG),
('ExtraSids', PNETLOGON_SID_AND_ATTRIBUTES_ARRAY),
('DnsLogonDomainName', RPC_UNICODE_STRING),
('Upn', RPC_UNICODE_STRING),
('ExpansionString1', RPC_UNICODE_STRING),
('ExpansionString2', RPC_UNICODE_STRING),
('ExpansionString3', RPC_UNICODE_STRING),
('ExpansionString4', RPC_UNICODE_STRING),
('ExpansionString5', RPC_UNICODE_STRING),
('ExpansionString6', RPC_UNICODE_STRING),
('ExpansionString7', RPC_UNICODE_STRING),
('ExpansionString8', RPC_UNICODE_STRING),
('ExpansionString9', RPC_UNICODE_STRING),
('ExpansionString10', RPC_UNICODE_STRING),
)
class PNETLOGON_VALIDATION_SAM_INFO4(NDRPOINTER):
referent = (
('Data', NETLOGON_VALIDATION_SAM_INFO4),
)
# 2.2.1.4.17 NETLOGON_VALIDATION_INFO_CLASS
class NETLOGON_VALIDATION_INFO_CLASS(NDRENUM):
class enumItems(Enum):
NetlogonValidationUasInfo = 1
NetlogonValidationSamInfo = 2
NetlogonValidationSamInfo2 = 3
NetlogonValidationGenericInfo = 4
NetlogonValidationGenericInfo2 = 5
NetlogonValidationSamInfo4 = 6
# 2.2.1.4.14 NETLOGON_VALIDATION
class NETLOGON_VALIDATION(NDRUNION):
union = {
NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo : ('ValidationSam', PNETLOGON_VALIDATION_SAM_INFO),
NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2 : ('ValidationSam2', PNETLOGON_VALIDATION_SAM_INFO2),
NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationGenericInfo2: ('ValidationGeneric2', PNETLOGON_VALIDATION_GENERIC_INFO2),
NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4 : ('ValidationSam4', PNETLOGON_VALIDATION_SAM_INFO4),
}
# 2.2.1.5.2 NLPR_QUOTA_LIMITS
class NLPR_QUOTA_LIMITS(NDRSTRUCT):
structure = (
('PagedPoolLimit', ULONG),
('NonPagedPoolLimit', ULONG),
('MinimumWorkingSetSize', ULONG),
('MaximumWorkingSetSize', ULONG),
('PagefileLimit', ULONG),
('Reserved', OLD_LARGE_INTEGER),
)
# 2.2.1.5.3 NETLOGON_DELTA_ACCOUNTS
class ULONG_ARRAY(NDRUniConformantArray):
item = ULONG
class PULONG_ARRAY(NDRPOINTER):
referent = (
('Data', ULONG_ARRAY),
)
class NETLOGON_DELTA_ACCOUNTS(NDRSTRUCT):
structure = (
('PrivilegeEntries', ULONG),
('PrivilegeControl', ULONG),
('PrivilegeAttributes', PULONG_ARRAY),
('PrivilegeNames', PRPC_UNICODE_STRING_ARRAY),
('QuotaLimits', NLPR_QUOTA_LIMITS),
('SystemAccessFlags', ULONG),
('SecurityInformation', SECURITY_INFORMATION),
('SecuritySize', ULONG),
('SecurityDescriptor', PUCHAR_ARRAY),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_ACCOUNTS(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_ACCOUNTS),
)
# 2.2.1.5.5 NLPR_SID_INFORMATION
class NLPR_SID_INFORMATION(NDRSTRUCT):
structure = (
('SidPointer', PRPC_SID),
)
# 2.2.1.5.6 NLPR_SID_ARRAY
class NLPR_SID_INFORMATION_ARRAY(NDRUniConformantArray):
item = NLPR_SID_INFORMATION
class PNLPR_SID_INFORMATION_ARRAY(NDRPOINTER):
referent = (
('Data', NLPR_SID_INFORMATION_ARRAY),
)
class NLPR_SID_ARRAY(NDRSTRUCT):
referent = (
('Count', ULONG),
('Sids', PNLPR_SID_INFORMATION_ARRAY),
)
# 2.2.1.5.7 NETLOGON_DELTA_ALIAS_MEMBER
class NETLOGON_DELTA_ALIAS_MEMBER(NDRSTRUCT):
structure = (
('Members', NLPR_SID_ARRAY),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_ALIAS_MEMBER(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_ALIAS_MEMBER),
)
# 2.2.1.5.8 NETLOGON_DELTA_DELETE_GROUP
class NETLOGON_DELTA_DELETE_GROUP(NDRSTRUCT):
structure = (
('AccountName', LPWSTR),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_DELETE_GROUP(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_DELETE_GROUP),
)
# 2.2.1.5.9 NETLOGON_DELTA_DELETE_USER
class NETLOGON_DELTA_DELETE_USER(NDRSTRUCT):
structure = (
('AccountName', LPWSTR),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_DELETE_USER(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_DELETE_USER),
)
# 2.2.1.5.10 NETLOGON_DELTA_DOMAIN
class NETLOGON_DELTA_DOMAIN(NDRSTRUCT):
structure = (
('DomainName', RPC_UNICODE_STRING),
('OemInformation', RPC_UNICODE_STRING),
('ForceLogoff', OLD_LARGE_INTEGER),
('MinPasswordLength', USHORT),
('PasswordHistoryLength', USHORT),
('MaxPasswordAge', OLD_LARGE_INTEGER),
('MinPasswordAge', OLD_LARGE_INTEGER),
('DomainModifiedCount', OLD_LARGE_INTEGER),
('DomainCreationTime', OLD_LARGE_INTEGER),
('SecurityInformation', SECURITY_INFORMATION),
('SecuritySize', ULONG),
('SecurityDescriptor', PUCHAR_ARRAY),
('DomainLockoutInformation', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('PasswordProperties', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_DOMAIN(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_DOMAIN),
)
# 2.2.1.5.13 NETLOGON_DELTA_GROUP
class NETLOGON_DELTA_GROUP(NDRSTRUCT):
structure = (
('Name', RPC_UNICODE_STRING),
('RelativeId', ULONG),
('Attributes', ULONG),
('AdminComment', RPC_UNICODE_STRING),
('SecurityInformation', USHORT),
('SecuritySize', ULONG),
('SecurityDescriptor', SECURITY_INFORMATION),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_GROUP(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_GROUP),
)
# 2.2.1.5.24 NETLOGON_RENAME_GROUP
class NETLOGON_RENAME_GROUP(NDRSTRUCT):
structure = (
('OldName', RPC_UNICODE_STRING),
('NewName', RPC_UNICODE_STRING),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_RENAME_GROUP(NDRPOINTER):
referent = (
('Data', NETLOGON_RENAME_GROUP),
)
# 2.2.1.5.14 NLPR_LOGON_HOURS
from impacket.dcerpc.v5.samr import SAMPR_LOGON_HOURS
NLPR_LOGON_HOURS = SAMPR_LOGON_HOURS
# 2.2.1.5.15 NLPR_USER_PRIVATE_INFO
class NLPR_USER_PRIVATE_INFO(NDRSTRUCT):
structure = (
('SensitiveData', UCHAR),
('DataLength', ULONG),
('Data', PUCHAR_ARRAY),
)
# 2.2.1.5.16 NETLOGON_DELTA_USER
class NETLOGON_DELTA_USER(NDRSTRUCT):
structure = (
('UserName', RPC_UNICODE_STRING),
('FullName', RPC_UNICODE_STRING),
('UserId', ULONG),
('PrimaryGroupId', ULONG),
('HomeDirectory', RPC_UNICODE_STRING),
('HomeDirectoryDrive', RPC_UNICODE_STRING),
('ScriptPath', RPC_UNICODE_STRING),
('AdminComment', RPC_UNICODE_STRING),
('WorkStations', RPC_UNICODE_STRING),
('LastLogon', OLD_LARGE_INTEGER),
('LastLogoff', OLD_LARGE_INTEGER),
('LogonHours', NLPR_LOGON_HOURS),
('BadPasswordCount', USHORT),
('LogonCount', USHORT),
('PasswordLastSet', OLD_LARGE_INTEGER),
('AccountExpires', OLD_LARGE_INTEGER),
('UserAccountControl', ULONG),
('EncryptedNtOwfPassword', PUCHAR_ARRAY),
('EncryptedLmOwfPassword', PUCHAR_ARRAY),
('NtPasswordPresent', UCHAR),
('LmPasswordPresent', UCHAR),
('PasswordExpired', UCHAR),
('UserComment', RPC_UNICODE_STRING),
('Parameters', RPC_UNICODE_STRING),
('CountryCode', USHORT),
('CodePage', USHORT),
('PrivateData', NLPR_USER_PRIVATE_INFO),
('SecurityInformation', SECURITY_INFORMATION),
('SecuritySize', ULONG),
('SecurityDescriptor', PUCHAR_ARRAY),
('ProfilePath', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_USER(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_USER),
)
# 2.2.1.5.25 NETLOGON_RENAME_USER
class NETLOGON_RENAME_USER(NDRSTRUCT):
structure = (
('OldName', RPC_UNICODE_STRING),
('NewName', RPC_UNICODE_STRING),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_RENAME_USER(NDRPOINTER):
referent = (
('Data', NETLOGON_RENAME_USER),
)
# 2.2.1.5.17 NETLOGON_DELTA_GROUP_MEMBER
class NETLOGON_DELTA_GROUP_MEMBER(NDRSTRUCT):
structure = (
('Members', PULONG_ARRAY),
('Attributes', PULONG_ARRAY),
('MemberCount', ULONG),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_GROUP_MEMBER(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_GROUP_MEMBER),
)
# 2.2.1.5.4 NETLOGON_DELTA_ALIAS
class NETLOGON_DELTA_ALIAS(NDRSTRUCT):
structure = (
('Name', RPC_UNICODE_STRING),
('RelativeId', ULONG),
('SecurityInformation', SECURITY_INFORMATION),
('SecuritySize', ULONG),
('SecurityDescriptor', PUCHAR_ARRAY),
('Comment', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_ALIAS(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_ALIAS),
)
# 2.2.1.5.23 NETLOGON_RENAME_ALIAS
class NETLOGON_RENAME_ALIAS(NDRSTRUCT):
structure = (
('OldName', RPC_UNICODE_STRING),
('NewName', RPC_UNICODE_STRING),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_RENAME_ALIAS(NDRPOINTER):
referent = (
('Data', NETLOGON_RENAME_ALIAS),
)
# 2.2.1.5.19 NETLOGON_DELTA_POLICY
class NETLOGON_DELTA_POLICY(NDRSTRUCT):
structure = (
('MaximumLogSize', ULONG),
('AuditRetentionPeriod', OLD_LARGE_INTEGER),
('AuditingMode', UCHAR),
('MaximumAuditEventCount', ULONG),
('EventAuditingOptions', PULONG_ARRAY),
('PrimaryDomainName', RPC_UNICODE_STRING),
('PrimaryDomainSid', PRPC_SID),
('QuotaLimits', NLPR_QUOTA_LIMITS),
('ModifiedId', OLD_LARGE_INTEGER),
('DatabaseCreationTime', OLD_LARGE_INTEGER),
('SecurityInformation', SECURITY_INFORMATION),
('SecuritySize', ULONG),
('SecurityDescriptor', PUCHAR_ARRAY),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_POLICY(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_POLICY),
)
# 2.2.1.5.22 NETLOGON_DELTA_TRUSTED_DOMAINS
class NETLOGON_DELTA_TRUSTED_DOMAINS(NDRSTRUCT):
structure = (
('DomainName', RPC_UNICODE_STRING),
('NumControllerEntries', ULONG),
('ControllerNames', PRPC_UNICODE_STRING_ARRAY),
('SecurityInformation', SECURITY_INFORMATION),
('SecuritySize', ULONG),
('SecurityDescriptor', PUCHAR_ARRAY),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_TRUSTED_DOMAINS(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_TRUSTED_DOMAINS),
)
# 2.2.1.5.20 NLPR_CR_CIPHER_VALUE
class UCHAR_ARRAY2(NDRUniConformantVaryingArray):
item = UCHAR
class PUCHAR_ARRAY2(NDRPOINTER):
referent = (
('Data', UCHAR_ARRAY2),
)
class NLPR_CR_CIPHER_VALUE(NDRSTRUCT):
structure = (
('Length', ULONG),
('MaximumLength', ULONG),
('Buffer', PUCHAR_ARRAY2),
)
# 2.2.1.5.21 NETLOGON_DELTA_SECRET
class NETLOGON_DELTA_SECRET(NDRSTRUCT):
structure = (
('CurrentValue', NLPR_CR_CIPHER_VALUE),
('CurrentValueSetTime', OLD_LARGE_INTEGER),
('OldValue', NLPR_CR_CIPHER_VALUE),
('OldValueSetTime', OLD_LARGE_INTEGER),
('SecurityInformation', SECURITY_INFORMATION),
('SecuritySize', ULONG),
('SecurityDescriptor', PUCHAR_ARRAY),
('DummyString1', RPC_UNICODE_STRING),
('DummyString2', RPC_UNICODE_STRING),
('DummyString3', RPC_UNICODE_STRING),
('DummyString4', RPC_UNICODE_STRING),
('DummyLong1', ULONG),
('DummyLong2', ULONG),
('DummyLong3', ULONG),
('DummyLong4', ULONG),
)
class PNETLOGON_DELTA_SECRET(NDRPOINTER):
referent = (
('Data', NETLOGON_DELTA_SECRET),
)
# 2.2.1.5.26 NLPR_MODIFIED_COUNT
class NLPR_MODIFIED_COUNT(NDRSTRUCT):
structure = (
('ModifiedCount', OLD_LARGE_INTEGER),
)
class PNLPR_MODIFIED_COUNT(NDRPOINTER):
referent = (
('Data', NLPR_MODIFIED_COUNT),
)
# 2.2.1.5.28 NETLOGON_DELTA_TYPE
class NETLOGON_DELTA_TYPE(NDRENUM):
class enumItems(Enum):
AddOrChangeDomain = 1
AddOrChangeGroup = 2
DeleteGroup = 3
RenameGroup = 4
AddOrChangeUser = 5
DeleteUser = 6
RenameUser = 7
ChangeGroupMembership = 8
AddOrChangeAlias = 9
DeleteAlias = 10
RenameAlias = 11
ChangeAliasMembership = 12
AddOrChangeLsaPolicy = 13
AddOrChangeLsaTDomain = 14
DeleteLsaTDomain = 15
AddOrChangeLsaAccount = 16
DeleteLsaAccount = 17
AddOrChangeLsaSecret = 18
DeleteLsaSecret = 19
DeleteGroupByName = 20
DeleteUserByName = 21
SerialNumberSkip = 22
# 2.2.1.5.27 NETLOGON_DELTA_UNION
class NETLOGON_DELTA_UNION(NDRUNION):
union = {
NETLOGON_DELTA_TYPE.AddOrChangeDomain : ('DeltaDomain', PNETLOGON_DELTA_DOMAIN),
NETLOGON_DELTA_TYPE.AddOrChangeGroup : ('DeltaGroup', PNETLOGON_DELTA_GROUP),
NETLOGON_DELTA_TYPE.RenameGroup : ('DeltaRenameGroup', PNETLOGON_DELTA_RENAME_GROUP),
NETLOGON_DELTA_TYPE.AddOrChangeUser : ('DeltaUser', PNETLOGON_DELTA_USER),
NETLOGON_DELTA_TYPE.RenameUser : ('DeltaRenameUser', PNETLOGON_DELTA_RENAME_USER),
NETLOGON_DELTA_TYPE.ChangeGroupMembership : ('DeltaGroupMember', PNETLOGON_DELTA_GROUP_MEMBER),
NETLOGON_DELTA_TYPE.AddOrChangeAlias : ('DeltaAlias', PNETLOGON_DELTA_ALIAS),
NETLOGON_DELTA_TYPE.RenameAlias : ('DeltaRenameAlias', PNETLOGON_DELTA_RENAME_ALIAS),
NETLOGON_DELTA_TYPE.ChangeAliasMembership : ('DeltaAliasMember', PNETLOGON_DELTA_ALIAS_MEMBER),
NETLOGON_DELTA_TYPE.AddOrChangeLsaPolicy : ('DeltaPolicy', PNETLOGON_DELTA_POLICY),
NETLOGON_DELTA_TYPE.AddOrChangeLsaTDomain : ('DeltaTDomains', PNETLOGON_DELTA_TRUSTED_DOMAINS),
NETLOGON_DELTA_TYPE.AddOrChangeLsaAccount : ('DeltaAccounts', PNETLOGON_DELTA_ACCOUNTS),
NETLOGON_DELTA_TYPE.AddOrChangeLsaSecret : ('DeltaSecret', PNETLOGON_DELTA_SECRET),
NETLOGON_DELTA_TYPE.DeleteGroupByName : ('DeltaDeleteGroup', PNETLOGON_DELTA_DELETE_GROUP),
NETLOGON_DELTA_TYPE.DeleteUserByName : ('DeltaDeleteUser', PNETLOGON_DELTA_DELETE_USER),
NETLOGON_DELTA_TYPE.SerialNumberSkip : ('DeltaSerialNumberSkip', PNLPR_MODIFIED_COUNT),
}
# 2.2.1.5.18 NETLOGON_DELTA_ID_UNION
class NETLOGON_DELTA_ID_UNION(NDRUNION):
union = {
NETLOGON_DELTA_TYPE.AddOrChangeDomain : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.AddOrChangeGroup : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.DeleteGroup : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.RenameGroup : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.AddOrChangeUser : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.DeleteUser : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.RenameUser : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.ChangeGroupMembership : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.AddOrChangeAlias : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.DeleteAlias : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.RenameAlias : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.ChangeAliasMembership : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.DeleteGroupByName : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.DeleteUserByName : ('Rid', ULONG),
NETLOGON_DELTA_TYPE.AddOrChangeLsaPolicy : ('Sid', PRPC_SID),
NETLOGON_DELTA_TYPE.AddOrChangeLsaTDomain : ('Sid', PRPC_SID),
NETLOGON_DELTA_TYPE.DeleteLsaTDomain : ('Sid', PRPC_SID),
NETLOGON_DELTA_TYPE.AddOrChangeLsaAccount : ('Sid', PRPC_SID),
NETLOGON_DELTA_TYPE.DeleteLsaAccount : ('Sid', PRPC_SID),
NETLOGON_DELTA_TYPE.AddOrChangeLsaSecret : ('Name', LPWSTR),
NETLOGON_DELTA_TYPE.DeleteLsaSecret : ('Name', LPWSTR),
}
# 2.2.1.5.11 NETLOGON_DELTA_ENUM
class NETLOGON_DELTA_ENUM(NDRSTRUCT):
structure = (
('DeltaType', NETLOGON_DELTA_TYPE),
('DeltaID', NETLOGON_DELTA_ID_UNION),
('DeltaUnion', NETLOGON_DELTA_UNION),
)
# 2.2.1.5.12 NETLOGON_DELTA_ENUM_ARRAY
class NETLOGON_DELTA_ENUM_ARRAY_ARRAY(NDRUniConformantArray):
item = NETLOGON_DELTA_ENUM
class PNETLOGON_DELTA_ENUM_ARRAY_ARRAY(NDRSTRUCT):
referent = (
('Data', NETLOGON_DELTA_ENUM_ARRAY_ARRAY),
)
class PNETLOGON_DELTA_ENUM_ARRAY(NDRPOINTER):
structure = (
('CountReturned', DWORD),
('Deltas', PNETLOGON_DELTA_ENUM_ARRAY_ARRAY),
)
# 2.2.1.5.29 SYNC_STATE
class SYNC_STATE(NDRENUM):
class enumItems(Enum):
NormalState = 0
DomainState = 1
GroupState = 2
UasBuiltInGroupState = 3
UserState = 4
GroupMemberState = 5
AliasState = 6
AliasMemberState = 7
SamDoneState = 8
# 2.2.1.6.1 DOMAIN_NAME_BUFFER
class DOMAIN_NAME_BUFFER(NDRSTRUCT):
structure = (
('DomainNameByteCount', ULONG),
('DomainNames', PUCHAR_ARRAY),
)
# 2.2.1.6.2 DS_DOMAIN_TRUSTSW
class DS_DOMAIN_TRUSTSW(NDRSTRUCT):
structure = (
('NetbiosDomainName', LPWSTR),
('DnsDomainName', LPWSTR),
('Flags', ULONG),
('ParentIndex', ULONG),
('TrustType', ULONG),
('TrustAttributes', ULONG),
('DomainSid', PRPC_SID),
('DomainGuid', GUID),
)
# 2.2.1.6.3 NETLOGON_TRUSTED_DOMAIN_ARRAY
class DS_DOMAIN_TRUSTSW_ARRAY(NDRUniConformantArray):
item = DS_DOMAIN_TRUSTSW
class PDS_DOMAIN_TRUSTSW_ARRAY(NDRPOINTER):
referent = (
('Data', DS_DOMAIN_TRUSTSW_ARRAY),
)
class NETLOGON_TRUSTED_DOMAIN_ARRAY(NDRSTRUCT):
structure = (
('DomainCount', DWORD),
('Domains', PDS_DOMAIN_TRUSTSW_ARRAY),
)
# 2.2.1.6.4 NL_GENERIC_RPC_DATA
class NL_GENERIC_RPC_DATA(NDRSTRUCT):
structure = (
('UlongEntryCount', ULONG),
('UlongData', PULONG_ARRAY),
('UnicodeStringEntryCount', ULONG),
('UnicodeStringData', PRPC_UNICODE_STRING_ARRAY),
)
class PNL_GENERIC_RPC_DATA(NDRPOINTER):
referent = (
('Data', NL_GENERIC_RPC_DATA),
)
# 2.2.1.7.1 NETLOGON_CONTROL_DATA_INFORMATION
class NETLOGON_CONTROL_DATA_INFORMATION(NDRUNION):
commonHdr = (
('tag', DWORD),
)
union = {
5 : ('TrustedDomainName', LPWSTR),
6 : ('TrustedDomainName', LPWSTR),
9 : ('TrustedDomainName', LPWSTR),
10 : ('TrustedDomainName', LPWSTR),
65534 : ('DebugFlag', DWORD),
8: ('UserName', LPWSTR),
}
# 2.2.1.7.2 NETLOGON_INFO_1
class NETLOGON_INFO_1(NDRSTRUCT):
structure = (
('netlog1_flags', DWORD),
('netlog1_pdc_connection_status', NET_API_STATUS),
)
class PNETLOGON_INFO_1(NDRPOINTER):
referent = (
('Data', NETLOGON_INFO_1),
)
# 2.2.1.7.3 NETLOGON_INFO_2
class NETLOGON_INFO_2(NDRSTRUCT):
structure = (
('netlog2_flags', DWORD),
('netlog2_pdc_connection_status', NET_API_STATUS),
('netlog2_trusted_dc_name', LPWSTR),
('netlog2_tc_connection_status', NET_API_STATUS),
)
class PNETLOGON_INFO_2(NDRPOINTER):
referent = (
('Data', NETLOGON_INFO_2),
)
# 2.2.1.7.4 NETLOGON_INFO_3
class NETLOGON_INFO_3(NDRSTRUCT):
structure = (
('netlog3_flags', DWORD),
('netlog3_logon_attempts', DWORD),
('netlog3_reserved1', DWORD),
('netlog3_reserved2', DWORD),
('netlog3_reserved3', DWORD),
('netlog3_reserved4', DWORD),
('netlog3_reserved5', DWORD),
)
class PNETLOGON_INFO_3(NDRPOINTER):
referent = (
('Data', NETLOGON_INFO_3),
)
# 2.2.1.7.5 NETLOGON_INFO_4
class NETLOGON_INFO_4(NDRSTRUCT):
structure = (
('netlog4_trusted_dc_name', LPWSTR),
('netlog4_trusted_domain_name', LPWSTR),
)
class PNETLOGON_INFO_4(NDRPOINTER):
referent = (
('Data', NETLOGON_INFO_4),
)
# 2.2.1.7.6 NETLOGON_CONTROL_QUERY_INFORMATION
class NETLOGON_CONTROL_QUERY_INFORMATION(NDRUNION):
commonHdr = (
('tag', DWORD),
)
union = {
1 : ('NetlogonInfo1', PNETLOGON_INFO_1),
2 : ('NetlogonInfo2', PNETLOGON_INFO_2),
3 : ('NetlogonInfo3', PNETLOGON_INFO_3),
4 : ('NetlogonInfo4', PNETLOGON_INFO_4),
}
# 2.2.1.8.1 NETLOGON_VALIDATION_UAS_INFO
class NETLOGON_VALIDATION_UAS_INFO(NDRSTRUCT):
structure = (
('usrlog1_eff_name', DWORD),
('usrlog1_priv', DWORD),
('usrlog1_auth_flags', DWORD),
('usrlog1_num_logons', DWORD),
('usrlog1_bad_pw_count', DWORD),
('usrlog1_last_logon', DWORD),
('usrlog1_last_logoff', DWORD),
('usrlog1_logoff_time', DWORD),
('usrlog1_kickoff_time', DWORD),
('usrlog1_password_age', DWORD),
('usrlog1_pw_can_change', DWORD),
('usrlog1_pw_must_change', DWORD),
('usrlog1_computer', LPWSTR),
('usrlog1_domain', LPWSTR),
('usrlog1_script_path', LPWSTR),
('usrlog1_reserved1', DWORD),
)
class PNETLOGON_VALIDATION_UAS_INFO(NDRPOINTER):
referent = (
('Data', NETLOGON_VALIDATION_UAS_INFO),
)
# 2.2.1.8.2 NETLOGON_LOGOFF_UAS_INFO
class NETLOGON_LOGOFF_UAS_INFO(NDRSTRUCT):
structure = (
('Duration', DWORD),
('LogonCount', USHORT),
)
# 2.2.1.8.3 UAS_INFO_0
class UAS_INFO_0(NDRSTRUCT):
structure = (
('ComputerName', '16s=""'),
('TimeCreated', ULONG),
('SerialNumber', ULONG),
)
def getAlignment(self):
return 4
# 2.2.1.8.4 NETLOGON_DUMMY1
class NETLOGON_DUMMY1(NDRUNION):
commonHdr = (
('tag', DWORD),
)
union = {
1 : ('Dummy', ULONG),
}
# 3.5.4.8.2 NetrLogonComputeServerDigest (Opnum 24)
class CHAR_FIXED_16_ARRAY(NDRUniFixedArray):
def getDataLen(self, data, offset=0):
return 16
################################################################################
# SSPI
################################################################################
# Constants
NL_AUTH_MESSAGE_NETBIOS_DOMAIN = 0x1
NL_AUTH_MESSAGE_NETBIOS_HOST = 0x2
NL_AUTH_MESSAGE_DNS_DOMAIN = 0x4
NL_AUTH_MESSAGE_DNS_HOST = 0x8
NL_AUTH_MESSAGE_NETBIOS_HOST_UTF8 = 0x10
NL_AUTH_MESSAGE_REQUEST = 0x0
NL_AUTH_MESSAGE_RESPONSE = 0x1
NL_SIGNATURE_HMAC_MD5 = 0x77
NL_SIGNATURE_HMAC_SHA256 = 0x13
NL_SEAL_NOT_ENCRYPTED = 0xffff
NL_SEAL_RC4 = 0x7A
NL_SEAL_AES128 = 0x1A
# Structures
class NL_AUTH_MESSAGE(Structure):
structure = (
('MessageType','<L=0'),
('Flags','<L=0'),
('Buffer',':'),
)
def __init__(self, data = None, alignment = 0):
Structure.__init__(self, data, alignment)
if data is None:
self['Buffer'] = b'\x00'*4
class NL_AUTH_SIGNATURE(Structure):
structure = (
('SignatureAlgorithm','<H=0'),
('SealAlgorithm','<H=0'),
('Pad','<H=0xffff'),
('Flags','<H=0'),
('SequenceNumber','8s=""'),
('Checksum','8s=""'),
('_Confounder','_-Confounder','8'),
('Confounder',':'),
)
def __init__(self, data = None, alignment = 0):
Structure.__init__(self, data, alignment)
if data is None:
self['Confounder'] = ''
class NL_AUTH_SHA2_SIGNATURE(Structure):
structure = (
('SignatureAlgorithm','<H=0'),
('SealAlgorithm','<H=0'),
('Pad','<H=0xffff'),
('Flags','<H=0'),
('SequenceNumber','8s=""'),
('Checksum','32s=""'),
('_Confounder','_-Confounder','8'),
('Confounder',':'),
)
def __init__(self, data = None, alignment = 0):
Structure.__init__(self, data, alignment)
if data is None:
self['Confounder'] = ''
# Section 3.1.4.4.2
def ComputeNetlogonCredential(inputData, Sk):
k1 = Sk[:7]
k3 = crypto.transformKey(k1)
k2 = Sk[7:14]
k4 = crypto.transformKey(k2)
Crypt1 = DES.new(k3, DES.MODE_ECB)
Crypt2 = DES.new(k4, DES.MODE_ECB)
cipherText = Crypt1.encrypt(inputData)
return Crypt2.encrypt(cipherText)
# Section 3.1.4.4.1
def ComputeNetlogonCredentialAES(inputData, Sk):
IV=b'\x00'*16
Crypt1 = AES.new(Sk, AES.MODE_CFB, IV)
return Crypt1.encrypt(inputData)
# Section 3.1.4.3.1
def ComputeSessionKeyAES(sharedSecret, clientChallenge, serverChallenge, sharedSecretHash = None):
# added the ability to receive hashes already
if sharedSecretHash is None:
M4SS = ntlm.NTOWFv1(sharedSecret)
else:
M4SS = sharedSecretHash
hm = hmac.new(key=M4SS, digestmod=hashlib.sha256)
hm.update(clientChallenge)
hm.update(serverChallenge)
sessionKey = hm.digest()
return sessionKey[:16]
# 3.1.4.3.2 Strong-key Session-Key
def ComputeSessionKeyStrongKey(sharedSecret, clientChallenge, serverChallenge, sharedSecretHash = None):
# added the ability to receive hashes already
if sharedSecretHash is None:
M4SS = ntlm.NTOWFv1(sharedSecret)
else:
M4SS = sharedSecretHash
md5 = hashlib.new('md5')
md5.update(b'\x00'*4)
md5.update(clientChallenge)
md5.update(serverChallenge)
finalMD5 = md5.digest()
hm = hmac.new(M4SS, digestmod=hashlib.md5)
hm.update(finalMD5)
return hm.digest()
def deriveSequenceNumber(sequenceNum):
sequenceLow = sequenceNum & 0xffffffff
sequenceHigh = (sequenceNum >> 32) & 0xffffffff
sequenceHigh |= 0x80000000
res = pack('>L', sequenceLow)
res += pack('>L', sequenceHigh)
return res
def ComputeNetlogonSignatureAES(authSignature, message, confounder, sessionKey):
# [MS-NRPC] Section 3.3.4.2.1, point 7
hm = hmac.new(key=sessionKey, digestmod=hashlib.sha256)
hm.update(authSignature.getData()[:8])
# If no confidentiality requested, it should be ''
hm.update(confounder)
hm.update(bytes(message))
return hm.digest()[:8]+'\x00'*24
def ComputeNetlogonSignatureMD5(authSignature, message, confounder, sessionKey):
# [MS-NRPC] Section 3.3.4.2.1, point 7
md5 = hashlib.new('md5')
md5.update(b'\x00'*4)
md5.update(authSignature.getData()[:8])
# If no confidentiality requested, it should be ''
md5.update(confounder)
md5.update(bytes(message))
finalMD5 = md5.digest()
hm = hmac.new(sessionKey, digestmod=hashlib.md5)
hm.update(finalMD5)
return hm.digest()[:8]
def encryptSequenceNumberRC4(sequenceNum, checkSum, sessionKey):
# [MS-NRPC] Section 3.3.4.2.1, point 9
hm = hmac.new(sessionKey, digestmod=hashlib.md5)
hm.update(b'\x00'*4)
hm2 = hmac.new(hm.digest(), digestmod=hashlib.md5)
hm2.update(checkSum)
encryptionKey = hm2.digest()
cipher = ARC4.new(encryptionKey)
return cipher.encrypt(sequenceNum)
def decryptSequenceNumberRC4(sequenceNum, checkSum, sessionKey):
# [MS-NRPC] Section 3.3.4.2.2, point 5
return encryptSequenceNumberRC4(sequenceNum, checkSum, sessionKey)
def encryptSequenceNumberAES(sequenceNum, checkSum, sessionKey):
# [MS-NRPC] Section 3.3.4.2.1, point 9
IV = checkSum[:8] + checkSum[:8]
Cipher = AES.new(sessionKey, AES.MODE_CFB, IV)
return Cipher.encrypt(sequenceNum)
def decryptSequenceNumberAES(sequenceNum, checkSum, sessionKey):
# [MS-NRPC] Section 3.3.4.2.1, point 9
IV = checkSum[:8] + checkSum[:8]
Cipher = AES.new(sessionKey, AES.MODE_CFB, IV)
return Cipher.decrypt(sequenceNum)
def SIGN(data, confounder, sequenceNum, key, aes = False):
if aes is False:
signature = NL_AUTH_SIGNATURE()
signature['SignatureAlgorithm'] = NL_SIGNATURE_HMAC_MD5
if confounder == '':
signature['SealAlgorithm'] = NL_SEAL_NOT_ENCRYPTED
else:
signature['SealAlgorithm'] = NL_SEAL_RC4
signature['Checksum'] = ComputeNetlogonSignatureMD5(signature, data, confounder, key)
signature['SequenceNumber'] = encryptSequenceNumberRC4(deriveSequenceNumber(sequenceNum), signature['Checksum'], key)
return signature
else:
signature = NL_AUTH_SIGNATURE()
signature['SignatureAlgorithm'] = NL_SIGNATURE_HMAC_SHA256
if confounder == '':
signature['SealAlgorithm'] = NL_SEAL_NOT_ENCRYPTED
else:
signature['SealAlgorithm'] = NL_SEAL_AES128
signature['Checksum'] = ComputeNetlogonSignatureAES(signature, data, confounder, key)
signature['SequenceNumber'] = encryptSequenceNumberAES(deriveSequenceNumber(sequenceNum), signature['Checksum'], key)
return signature
def SEAL(data, confounder, sequenceNum, key, aes = False):
signature = SIGN(data, confounder, sequenceNum, key, aes)
sequenceNum = deriveSequenceNumber(sequenceNum)
XorKey = bytearray(key)
for i in range(len(XorKey)):
XorKey[i] = XorKey[i] ^ 0xf0
XorKey = bytes(XorKey)
if aes is False:
hm = hmac.new(XorKey, digestmod=hashlib.md5)
hm.update(b'\x00'*4)
hm2 = hmac.new(hm.digest(), digestmod=hashlib.md5)
hm2.update(sequenceNum)
encryptionKey = hm2.digest()
cipher = ARC4.new(encryptionKey)
cfounder = cipher.encrypt(confounder)
cipher = ARC4.new(encryptionKey)
encrypted = cipher.encrypt(data)
signature['Confounder'] = cfounder
return encrypted, signature
else:
IV = sequenceNum + sequenceNum
cipher = AES.new(XorKey, AES.MODE_CFB, IV)
cfounder = cipher.encrypt(confounder)
encrypted = cipher.encrypt(data)
signature['Confounder'] = cfounder
return encrypted, signature
def UNSEAL(data, auth_data, key, aes = False):
auth_data = NL_AUTH_SIGNATURE(auth_data)
XorKey = bytearray(key)
for i in range(len(XorKey)):
XorKey[i] = XorKey[i] ^ 0xf0
XorKey = bytes(XorKey)
if aes is False:
sequenceNum = decryptSequenceNumberRC4(auth_data['SequenceNumber'], auth_data['Checksum'], key)
hm = hmac.new(XorKey, digestmod=hashlib.md5)
hm.update(b'\x00'*4)
hm2 = hmac.new(hm.digest(), digestmod=hashlib.md5)
hm2.update(sequenceNum)
encryptionKey = hm2.digest()
cipher = ARC4.new(encryptionKey)
cfounder = cipher.encrypt(auth_data['Confounder'])
cipher = ARC4.new(encryptionKey)
plain = cipher.encrypt(data)
return plain, cfounder
else:
sequenceNum = decryptSequenceNumberAES(auth_data['SequenceNumber'], auth_data['Checksum'], key)
IV = sequenceNum + sequenceNum
cipher = AES.new(XorKey, AES.MODE_CFB, IV)
cfounder = cipher.decrypt(auth_data['Confounder'])
plain = cipher.decrypt(data)
return plain, cfounder
def getSSPType1(workstation='', domain='', signingRequired=False):
auth = NL_AUTH_MESSAGE()
auth['Flags'] = 0
auth['Buffer'] = b''
auth['Flags'] |= NL_AUTH_MESSAGE_NETBIOS_DOMAIN
if domain != '':
auth['Buffer'] = auth['Buffer'] + b(domain) + b'\x00'
else:
auth['Buffer'] += b'WORKGROUP\x00'
auth['Flags'] |= NL_AUTH_MESSAGE_NETBIOS_HOST
if workstation != '':
auth['Buffer'] = auth['Buffer'] + b(workstation) + b'\x00'
else:
auth['Buffer'] += b'MYHOST\x00'
auth['Flags'] |= NL_AUTH_MESSAGE_NETBIOS_HOST_UTF8
if workstation != '':
auth['Buffer'] += pack('<B',len(workstation)) + b(workstation) + b'\x00'
else:
auth['Buffer'] += b'\x06MYHOST\x00'
return auth
################################################################################
# RPC CALLS
################################################################################
# 3.5.4.3.1 DsrGetDcNameEx2 (Opnum 34)
class DsrGetDcNameEx2(NDRCALL):
opnum = 34
structure = (
('ComputerName',PLOGONSRV_HANDLE),
('AccountName', LPWSTR),
('AllowableAccountControlBits', ULONG),
('DomainName',LPWSTR),
('DomainGuid',PGUID),
('SiteName',LPWSTR),
('Flags',ULONG),
)
class DsrGetDcNameEx2Response(NDRCALL):
structure = (
('DomainControllerInfo',PDOMAIN_CONTROLLER_INFOW),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.2 DsrGetDcNameEx (Opnum 27)
class DsrGetDcNameEx(NDRCALL):
opnum = 27
structure = (
('ComputerName',PLOGONSRV_HANDLE),
('DomainName',LPWSTR),
('DomainGuid',PGUID),
('SiteName',LPWSTR),
('Flags',ULONG),
)
class DsrGetDcNameExResponse(NDRCALL):
structure = (
('DomainControllerInfo',PDOMAIN_CONTROLLER_INFOW),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.3 DsrGetDcName (Opnum 20)
class DsrGetDcName(NDRCALL):
opnum = 20
structure = (
('ComputerName',PLOGONSRV_HANDLE),
('DomainName',LPWSTR),
('DomainGuid',PGUID),
('SiteGuid',PGUID),
('Flags',ULONG),
)
class DsrGetDcNameResponse(NDRCALL):
structure = (
('DomainControllerInfo',PDOMAIN_CONTROLLER_INFOW),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.4 NetrGetDCName (Opnum 11)
class NetrGetDCName(NDRCALL):
opnum = 11
structure = (
('ServerName',LOGONSRV_HANDLE),
('DomainName',LPWSTR),
)
class NetrGetDCNameResponse(NDRCALL):
structure = (
('Buffer',LPWSTR),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.5 NetrGetAnyDCName (Opnum 13)
class NetrGetAnyDCName(NDRCALL):
opnum = 13
structure = (
('ServerName',PLOGONSRV_HANDLE),
('DomainName',LPWSTR),
)
class NetrGetAnyDCNameResponse(NDRCALL):
structure = (
('Buffer',LPWSTR),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.6 DsrGetSiteName (Opnum 28)
class DsrGetSiteName(NDRCALL):
opnum = 28
structure = (
('ComputerName',PLOGONSRV_HANDLE),
)
class DsrGetSiteNameResponse(NDRCALL):
structure = (
('SiteName',LPWSTR),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.7 DsrGetDcSiteCoverageW (Opnum 38)
class DsrGetDcSiteCoverageW(NDRCALL):
opnum = 38
structure = (
('ServerName',PLOGONSRV_HANDLE),
)
class DsrGetDcSiteCoverageWResponse(NDRCALL):
structure = (
('SiteNames',PNL_SITE_NAME_ARRAY),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.8 DsrAddressToSiteNamesW (Opnum 33)
class DsrAddressToSiteNamesW(NDRCALL):
opnum = 33
structure = (
('ComputerName',PLOGONSRV_HANDLE),
('EntryCount',ULONG),
('SocketAddresses',NL_SOCKET_ADDRESS_ARRAY),
)
class DsrAddressToSiteNamesWResponse(NDRCALL):
structure = (
('SiteNames',PNL_SITE_NAME_ARRAY),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.9 DsrAddressToSiteNamesExW (Opnum 37)
class DsrAddressToSiteNamesExW(NDRCALL):
opnum = 37
structure = (
('ComputerName',PLOGONSRV_HANDLE),
('EntryCount',ULONG),
('SocketAddresses',NL_SOCKET_ADDRESS_ARRAY),
)
class DsrAddressToSiteNamesExWResponse(NDRCALL):
structure = (
('SiteNames',PNL_SITE_NAME_EX_ARRAY),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.10 DsrDeregisterDnsHostRecords (Opnum 41)
class DsrDeregisterDnsHostRecords(NDRCALL):
opnum = 41
structure = (
('ServerName',PLOGONSRV_HANDLE),
('DnsDomainName',LPWSTR),
('DomainGuid',PGUID),
('DsaGuid',PGUID),
('DnsHostName',WSTR),
)
class DsrDeregisterDnsHostRecordsResponse(NDRCALL):
structure = (
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.3.11 DSRUpdateReadOnlyServerDnsRecords (Opnum 48)
class DSRUpdateReadOnlyServerDnsRecords(NDRCALL):
opnum = 48
structure = (
('ServerName',PLOGONSRV_HANDLE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
('SiteName',LPWSTR),
('DnsTtl',ULONG),
('DnsNames',NL_DNS_NAME_INFO_ARRAY),
)
class DSRUpdateReadOnlyServerDnsRecordsResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('DnsNames',NL_DNS_NAME_INFO_ARRAY),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.1 NetrServerReqChallenge (Opnum 4)
class NetrServerReqChallenge(NDRCALL):
opnum = 4
structure = (
('PrimaryName',PLOGONSRV_HANDLE),
('ComputerName',WSTR),
('ClientChallenge',NETLOGON_CREDENTIAL),
)
class NetrServerReqChallengeResponse(NDRCALL):
structure = (
('ServerChallenge',NETLOGON_CREDENTIAL),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.2 NetrServerAuthenticate3 (Opnum 26)
class NetrServerAuthenticate3(NDRCALL):
opnum = 26
structure = (
('PrimaryName',PLOGONSRV_HANDLE),
('AccountName',WSTR),
('SecureChannelType',NETLOGON_SECURE_CHANNEL_TYPE),
('ComputerName',WSTR),
('ClientCredential',NETLOGON_CREDENTIAL),
('NegotiateFlags',ULONG),
)
class NetrServerAuthenticate3Response(NDRCALL):
structure = (
('ServerCredential',NETLOGON_CREDENTIAL),
('NegotiateFlags',ULONG),
('AccountRid',ULONG),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.3 NetrServerAuthenticate2 (Opnum 15)
class NetrServerAuthenticate2(NDRCALL):
opnum = 15
structure = (
('PrimaryName',PLOGONSRV_HANDLE),
('AccountName',WSTR),
('SecureChannelType',NETLOGON_SECURE_CHANNEL_TYPE),
('ComputerName',WSTR),
('ClientCredential',NETLOGON_CREDENTIAL),
('NegotiateFlags',ULONG),
)
class NetrServerAuthenticate2Response(NDRCALL):
structure = (
('ServerCredential',NETLOGON_CREDENTIAL),
('NegotiateFlags',ULONG),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.4 NetrServerAuthenticate (Opnum 5)
class NetrServerAuthenticate(NDRCALL):
opnum = 5
structure = (
('PrimaryName',PLOGONSRV_HANDLE),
('AccountName',WSTR),
('SecureChannelType',NETLOGON_SECURE_CHANNEL_TYPE),
('ComputerName',WSTR),
('ClientCredential',NETLOGON_CREDENTIAL),
)
class NetrServerAuthenticateResponse(NDRCALL):
structure = (
('ServerCredential',NETLOGON_CREDENTIAL),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.5 NetrServerPasswordSet2 (Opnum 30)
class NetrServerPasswordSet2(NDRCALL):
opnum = 30
structure = (
('PrimaryName',PLOGONSRV_HANDLE),
('AccountName',WSTR),
('SecureChannelType',NETLOGON_SECURE_CHANNEL_TYPE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
#('ClearNewPassword',NL_TRUST_PASSWORD),
('ClearNewPassword',NL_TRUST_PASSWORD_FIXED_ARRAY),
)
class NetrServerPasswordSet2Response(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.6 NetrServerPasswordSet (Opnum 6)
# 3.5.4.4.7 NetrServerPasswordGet (Opnum 31)
class NetrServerPasswordGet(NDRCALL):
opnum = 31
structure = (
('PrimaryName',PLOGONSRV_HANDLE),
('AccountName',WSTR),
('AccountType',NETLOGON_SECURE_CHANNEL_TYPE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
)
class NetrServerPasswordGetResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('EncryptedNtOwfPassword',ENCRYPTED_NT_OWF_PASSWORD),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.8 NetrServerTrustPasswordsGet (Opnum 42)
class NetrServerTrustPasswordsGet(NDRCALL):
opnum = 42
structure = (
('TrustedDcName',PLOGONSRV_HANDLE),
('AccountName',WSTR),
('SecureChannelType',NETLOGON_SECURE_CHANNEL_TYPE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
)
class NetrServerTrustPasswordsGetResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('EncryptedNewOwfPassword',ENCRYPTED_NT_OWF_PASSWORD),
('EncryptedOldOwfPassword',ENCRYPTED_NT_OWF_PASSWORD),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.9 NetrLogonGetDomainInfo (Opnum 29)
class NetrLogonGetDomainInfo(NDRCALL):
opnum = 29
structure = (
('ServerName',LOGONSRV_HANDLE),
('ComputerName',LPWSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('Level',DWORD),
('WkstaBuffer',NETLOGON_WORKSTATION_INFORMATION),
)
class NetrLogonGetDomainInfoResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('DomBuffer',NETLOGON_DOMAIN_INFORMATION),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.10 NetrLogonGetCapabilities (Opnum 21)
class NetrLogonGetCapabilities(NDRCALL):
opnum = 21
structure = (
('ServerName',LOGONSRV_HANDLE),
('ComputerName',LPWSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('QueryLevel',DWORD),
)
class NetrLogonGetCapabilitiesResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('ServerCapabilities',NETLOGON_CAPABILITIES),
('ErrorCode',NTSTATUS),
)
# 3.5.4.4.11 NetrChainSetClientAttributes (Opnum 49)
# 3.5.4.5.1 NetrLogonSamLogonEx (Opnum 39)
class NetrLogonSamLogonEx(NDRCALL):
opnum = 39
structure = (
('LogonServer',LPWSTR),
('ComputerName',LPWSTR),
('LogonLevel',NETLOGON_LOGON_INFO_CLASS),
('LogonInformation',NETLOGON_LEVEL),
('ValidationLevel',NETLOGON_VALIDATION_INFO_CLASS),
('ExtraFlags',ULONG),
)
class NetrLogonSamLogonExResponse(NDRCALL):
structure = (
('ValidationInformation',NETLOGON_VALIDATION),
('Authoritative',UCHAR),
('ExtraFlags',ULONG),
('ErrorCode',NTSTATUS),
)
# 3.5.4.5.2 NetrLogonSamLogonWithFlags (Opnum 45)
class NetrLogonSamLogonWithFlags(NDRCALL):
opnum = 45
structure = (
('LogonServer',LPWSTR),
('ComputerName',LPWSTR),
('Authenticator',PNETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',PNETLOGON_AUTHENTICATOR),
('LogonLevel',NETLOGON_LOGON_INFO_CLASS),
('LogonInformation',NETLOGON_LEVEL),
('ValidationLevel',NETLOGON_VALIDATION_INFO_CLASS),
('ExtraFlags',ULONG),
)
class NetrLogonSamLogonWithFlagsResponse(NDRCALL):
structure = (
('ReturnAuthenticator',PNETLOGON_AUTHENTICATOR),
('ValidationInformation',NETLOGON_VALIDATION),
('Authoritative',UCHAR),
('ExtraFlags',ULONG),
('ErrorCode',NTSTATUS),
)
# 3.5.4.5.3 NetrLogonSamLogon (Opnum 2)
class NetrLogonSamLogon(NDRCALL):
opnum = 2
structure = (
('LogonServer',LPWSTR),
('ComputerName',LPWSTR),
('Authenticator',PNETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',PNETLOGON_AUTHENTICATOR),
('LogonLevel',NETLOGON_LOGON_INFO_CLASS),
('LogonInformation',NETLOGON_LEVEL),
('ValidationLevel',NETLOGON_VALIDATION_INFO_CLASS),
)
class NetrLogonSamLogonResponse(NDRCALL):
structure = (
('ReturnAuthenticator',PNETLOGON_AUTHENTICATOR),
('ValidationInformation',NETLOGON_VALIDATION),
('Authoritative',UCHAR),
('ErrorCode',NTSTATUS),
)
# 3.5.4.5.4 NetrLogonSamLogoff (Opnum 3)
class NetrLogonSamLogoff(NDRCALL):
opnum = 3
structure = (
('LogonServer',LPWSTR),
('ComputerName',LPWSTR),
('Authenticator',PNETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',PNETLOGON_AUTHENTICATOR),
('LogonLevel',NETLOGON_LOGON_INFO_CLASS),
('LogonInformation',NETLOGON_LEVEL),
)
class NetrLogonSamLogoffResponse(NDRCALL):
structure = (
('ReturnAuthenticator',PNETLOGON_AUTHENTICATOR),
('ErrorCode',NTSTATUS),
)
# 3.5.4.6.1 NetrDatabaseDeltas (Opnum 7)
class NetrDatabaseDeltas(NDRCALL):
opnum = 7
structure = (
('PrimaryName',LOGONSRV_HANDLE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('DatabaseID',DWORD),
('DomainModifiedCount',NLPR_MODIFIED_COUNT),
('PreferredMaximumLength',DWORD),
)
class NetrDatabaseDeltasResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('DomainModifiedCount',NLPR_MODIFIED_COUNT),
('DeltaArray',PNETLOGON_DELTA_ENUM_ARRAY),
('ErrorCode',NTSTATUS),
)
# 3.5.4.6.2 NetrDatabaseSync2 (Opnum 16)
class NetrDatabaseSync2(NDRCALL):
opnum = 16
structure = (
('PrimaryName',LOGONSRV_HANDLE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('DatabaseID',DWORD),
('RestartState',SYNC_STATE),
('SyncContext',ULONG),
('PreferredMaximumLength',DWORD),
)
class NetrDatabaseSync2Response(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('SyncContext',ULONG),
('DeltaArray',PNETLOGON_DELTA_ENUM_ARRAY),
('ErrorCode',NTSTATUS),
)
# 3.5.4.6.3 NetrDatabaseSync (Opnum 8)
class NetrDatabaseSync(NDRCALL):
opnum = 8
structure = (
('PrimaryName',LOGONSRV_HANDLE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('DatabaseID',DWORD),
('SyncContext',ULONG),
('PreferredMaximumLength',DWORD),
)
class NetrDatabaseSyncResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('SyncContext',ULONG),
('DeltaArray',PNETLOGON_DELTA_ENUM_ARRAY),
('ErrorCode',NTSTATUS),
)
# 3.5.4.6.4 NetrDatabaseRedo (Opnum 17)
class NetrDatabaseRedo(NDRCALL):
opnum = 17
structure = (
('PrimaryName',LOGONSRV_HANDLE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('ChangeLogEntry',PUCHAR_ARRAY),
('ChangeLogEntrySize',DWORD),
)
class NetrDatabaseRedoResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('DeltaArray',PNETLOGON_DELTA_ENUM_ARRAY),
('ErrorCode',NTSTATUS),
)
# 3.5.4.7.1 DsrEnumerateDomainTrusts (Opnum 40)
class DsrEnumerateDomainTrusts(NDRCALL):
opnum = 40
structure = (
('ServerName',PLOGONSRV_HANDLE),
('Flags',ULONG),
)
class DsrEnumerateDomainTrustsResponse(NDRCALL):
structure = (
('Domains',NETLOGON_TRUSTED_DOMAIN_ARRAY),
('ErrorCode',NTSTATUS),
)
# 3.5.4.7.2 NetrEnumerateTrustedDomainsEx (Opnum 36)
class NetrEnumerateTrustedDomainsEx(NDRCALL):
opnum = 36
structure = (
('ServerName',PLOGONSRV_HANDLE),
)
class NetrEnumerateTrustedDomainsExResponse(NDRCALL):
structure = (
('Domains',NETLOGON_TRUSTED_DOMAIN_ARRAY),
('ErrorCode',NTSTATUS),
)
# 3.5.4.7.3 NetrEnumerateTrustedDomains (Opnum 19)
class NetrEnumerateTrustedDomains(NDRCALL):
opnum = 19
structure = (
('ServerName',PLOGONSRV_HANDLE),
)
class NetrEnumerateTrustedDomainsResponse(NDRCALL):
structure = (
('DomainNameBuffer',DOMAIN_NAME_BUFFER),
('ErrorCode',NTSTATUS),
)
# 3.5.4.7.4 NetrGetForestTrustInformation (Opnum 44)
class NetrGetForestTrustInformation(NDRCALL):
opnum = 44
structure = (
('ServerName',PLOGONSRV_HANDLE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('Flags',DWORD),
)
class NetrGetForestTrustInformationResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('ForestTrustInfo',PLSA_FOREST_TRUST_INFORMATION),
('ErrorCode',NTSTATUS),
)
# 3.5.4.7.5 DsrGetForestTrustInformation (Opnum 43)
class DsrGetForestTrustInformation(NDRCALL):
opnum = 43
structure = (
('ServerName',PLOGONSRV_HANDLE),
('TrustedDomainName',LPWSTR),
('Flags',DWORD),
)
class DsrGetForestTrustInformationResponse(NDRCALL):
structure = (
('ForestTrustInfo',PLSA_FOREST_TRUST_INFORMATION),
('ErrorCode',NTSTATUS),
)
# 3.5.4.7.6 NetrServerGetTrustInfo (Opnum 46)
class NetrServerGetTrustInfo(NDRCALL):
opnum = 46
structure = (
('TrustedDcName',PLOGONSRV_HANDLE),
('AccountName',WSTR),
('SecureChannelType',NETLOGON_SECURE_CHANNEL_TYPE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
)
class NetrServerGetTrustInfoResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('EncryptedNewOwfPassword',ENCRYPTED_NT_OWF_PASSWORD),
('EncryptedOldOwfPassword',ENCRYPTED_NT_OWF_PASSWORD),
('TrustInfo',PNL_GENERIC_RPC_DATA),
('ErrorCode',NTSTATUS),
)
# 3.5.4.8.1 NetrLogonGetTrustRid (Opnum 23)
class NetrLogonGetTrustRid(NDRCALL):
opnum = 23
structure = (
('ServerName',PLOGONSRV_HANDLE),
('DomainName',LPWSTR),
)
class NetrLogonGetTrustRidResponse(NDRCALL):
structure = (
('Rid',ULONG),
('ErrorCode',NTSTATUS),
)
# 3.5.4.8.2 NetrLogonComputeServerDigest (Opnum 24)
class NetrLogonComputeServerDigest(NDRCALL):
opnum = 24
structure = (
('ServerName',PLOGONSRV_HANDLE),
('Rid',ULONG),
('Message',UCHAR_ARRAY),
('MessageSize',ULONG),
)
class NetrLogonComputeServerDigestResponse(NDRCALL):
structure = (
('NewMessageDigest',CHAR_FIXED_16_ARRAY),
('OldMessageDigest',CHAR_FIXED_16_ARRAY),
('ErrorCode',NTSTATUS),
)
# 3.5.4.8.3 NetrLogonComputeClientDigest (Opnum 25)
class NetrLogonComputeClientDigest(NDRCALL):
opnum = 25
structure = (
('ServerName',PLOGONSRV_HANDLE),
('DomainName',LPWSTR),
('Message',UCHAR_ARRAY),
('MessageSize',ULONG),
)
class NetrLogonComputeClientDigestResponse(NDRCALL):
structure = (
('NewMessageDigest',CHAR_FIXED_16_ARRAY),
('OldMessageDigest',CHAR_FIXED_16_ARRAY),
('ErrorCode',NTSTATUS),
)
# 3.5.4.8.4 NetrLogonSendToSam (Opnum 32)
class NetrLogonSendToSam(NDRCALL):
opnum = 32
structure = (
('PrimaryName',PLOGONSRV_HANDLE),
('ComputerName',WSTR),
('Authenticator',NETLOGON_AUTHENTICATOR),
('OpaqueBuffer',UCHAR_ARRAY),
('OpaqueBufferSize',ULONG),
)
class NetrLogonSendToSamResponse(NDRCALL):
structure = (
('ReturnAuthenticator',NETLOGON_AUTHENTICATOR),
('ErrorCode',NTSTATUS),
)
# 3.5.4.8.5 NetrLogonSetServiceBits (Opnum 22)
class NetrLogonSetServiceBits(NDRCALL):
opnum = 22
structure = (
('ServerName',PLOGONSRV_HANDLE),
('ServiceBitsOfInterest',DWORD),
('ServiceBits',DWORD),
)
class NetrLogonSetServiceBitsResponse(NDRCALL):
structure = (
('ErrorCode',NTSTATUS),
)
# 3.5.4.8.6 NetrLogonGetTimeServiceParentDomain (Opnum 35)
class NetrLogonGetTimeServiceParentDomain(NDRCALL):
opnum = 35
structure = (
('ServerName',PLOGONSRV_HANDLE),
)
class NetrLogonGetTimeServiceParentDomainResponse(NDRCALL):
structure = (
('DomainName',LPWSTR),
('PdcSameSite',LONG),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.9.1 NetrLogonControl2Ex (Opnum 18)
class NetrLogonControl2Ex(NDRCALL):
opnum = 18
structure = (
('ServerName',PLOGONSRV_HANDLE),
('FunctionCode',DWORD),
('QueryLevel',DWORD),
('Data',NETLOGON_CONTROL_DATA_INFORMATION),
)
class NetrLogonControl2ExResponse(NDRCALL):
structure = (
('Buffer',NETLOGON_CONTROL_DATA_INFORMATION),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.9.2 NetrLogonControl2 (Opnum 14)
class NetrLogonControl2(NDRCALL):
opnum = 14
structure = (
('ServerName',PLOGONSRV_HANDLE),
('FunctionCode',DWORD),
('QueryLevel',DWORD),
('Data',NETLOGON_CONTROL_DATA_INFORMATION),
)
class NetrLogonControl2Response(NDRCALL):
structure = (
('Buffer',NETLOGON_CONTROL_DATA_INFORMATION),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.9.3 NetrLogonControl (Opnum 12)
class NetrLogonControl(NDRCALL):
opnum = 12
structure = (
('ServerName',PLOGONSRV_HANDLE),
('FunctionCode',DWORD),
('QueryLevel',DWORD),
('Data',NETLOGON_CONTROL_DATA_INFORMATION),
)
class NetrLogonControlResponse(NDRCALL):
structure = (
('Buffer',NETLOGON_CONTROL_DATA_INFORMATION),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.10.1 NetrLogonUasLogon (Opnum 0)
class NetrLogonUasLogon(NDRCALL):
opnum = 0
structure = (
('ServerName',PLOGONSRV_HANDLE),
('UserName',WSTR),
('Workstation',WSTR),
)
class NetrLogonUasLogonResponse(NDRCALL):
structure = (
('ValidationInformation',PNETLOGON_VALIDATION_UAS_INFO),
('ErrorCode',NET_API_STATUS),
)
# 3.5.4.10.2 NetrLogonUasLogoff (Opnum 1)
class NetrLogonUasLogoff(NDRCALL):
opnum = 1
structure = (
('ServerName',PLOGONSRV_HANDLE),
('UserName',WSTR),
('Workstation',WSTR),
)
class NetrLogonUasLogoffResponse(NDRCALL):
structure = (
('LogoffInformation',NETLOGON_LOGOFF_UAS_INFO),
('ErrorCode',NET_API_STATUS),
)
################################################################################
# OPNUMs and their corresponding structures
################################################################################
OPNUMS = {
0 : (NetrLogonUasLogon, NetrLogonUasLogonResponse),
1 : (NetrLogonUasLogoff, NetrLogonUasLogoffResponse),
2 : (NetrLogonSamLogon, NetrLogonSamLogonResponse),
3 : (NetrLogonSamLogoff, NetrLogonSamLogoffResponse),
4 : (NetrServerReqChallenge, NetrServerReqChallengeResponse),
5 : (NetrServerAuthenticate, NetrServerAuthenticateResponse),
# 6 : (NetrServerPasswordSet, NetrServerPasswordSetResponse),
7 : (NetrDatabaseDeltas, NetrDatabaseDeltasResponse),
8 : (NetrDatabaseSync, NetrDatabaseSyncResponse),
# 9 : (NetrAccountDeltas, NetrAccountDeltasResponse),
# 10 : (NetrAccountSync, NetrAccountSyncResponse),
11 : (NetrGetDCName, NetrGetDCNameResponse),
12 : (NetrLogonControl, NetrLogonControlResponse),
13 : (NetrGetAnyDCName, NetrGetAnyDCNameResponse),
14 : (NetrLogonControl2, NetrLogonControl2Response),
15 : (NetrServerAuthenticate2, NetrServerAuthenticate2Response),
16 : (NetrDatabaseSync2, NetrDatabaseSync2Response),
17 : (NetrDatabaseRedo, NetrDatabaseRedoResponse),
18 : (NetrLogonControl2Ex, NetrLogonControl2ExResponse),
19 : (NetrEnumerateTrustedDomains, NetrEnumerateTrustedDomainsResponse),
20 : (DsrGetDcName, DsrGetDcNameResponse),
21 : (NetrLogonGetCapabilities, NetrLogonGetCapabilitiesResponse),
22 : (NetrLogonSetServiceBits, NetrLogonSetServiceBitsResponse),
23 : (NetrLogonGetTrustRid, NetrLogonGetTrustRidResponse),
24 : (NetrLogonComputeServerDigest, NetrLogonComputeServerDigestResponse),
25 : (NetrLogonComputeClientDigest, NetrLogonComputeClientDigestResponse),
26 : (NetrServerAuthenticate3, NetrServerAuthenticate3Response),
27 : (DsrGetDcNameEx, DsrGetDcNameExResponse),
28 : (DsrGetSiteName, DsrGetSiteNameResponse),
29 : (NetrLogonGetDomainInfo, NetrLogonGetDomainInfoResponse),
30 : (NetrServerPasswordSet2, NetrServerPasswordSet2Response),
31 : (NetrServerPasswordGet, NetrServerPasswordGetResponse),
32 : (NetrLogonSendToSam, NetrLogonSendToSamResponse),
33 : (DsrAddressToSiteNamesW, DsrAddressToSiteNamesWResponse),
34 : (DsrGetDcNameEx2, DsrGetDcNameEx2Response),
35 : (NetrLogonGetTimeServiceParentDomain, NetrLogonGetTimeServiceParentDomainResponse),
36 : (NetrEnumerateTrustedDomainsEx, NetrEnumerateTrustedDomainsExResponse),
37 : (DsrAddressToSiteNamesExW, DsrAddressToSiteNamesExWResponse),
38 : (DsrGetDcSiteCoverageW, DsrGetDcSiteCoverageWResponse),
39 : (NetrLogonSamLogonEx, NetrLogonSamLogonExResponse),
40 : (DsrEnumerateDomainTrusts, DsrEnumerateDomainTrustsResponse),
41 : (DsrDeregisterDnsHostRecords, DsrDeregisterDnsHostRecordsResponse),
42 : (NetrServerTrustPasswordsGet, NetrServerTrustPasswordsGetResponse),
43 : (DsrGetForestTrustInformation, DsrGetForestTrustInformationResponse),
44 : (NetrGetForestTrustInformation, NetrGetForestTrustInformationResponse),
45 : (NetrLogonSamLogonWithFlags, NetrLogonSamLogonWithFlagsResponse),
46 : (NetrServerGetTrustInfo, NetrServerGetTrustInfoResponse),
# 48 : (DsrUpdateReadOnlyServerDnsRecords, DsrUpdateReadOnlyServerDnsRecordsResponse),
# 49 : (NetrChainSetClientAttributes, NetrChainSetClientAttributesResponse),
}
################################################################################
# HELPER FUNCTIONS
################################################################################
def checkNullString(string):
if string == NULL:
return string
if string[-1:] != '\x00':
return string + '\x00'
else:
return string
def hNetrServerReqChallenge(dce, primaryName, computerName, clientChallenge):
request = NetrServerReqChallenge()
request['PrimaryName'] = checkNullString(primaryName)
request['ComputerName'] = checkNullString(computerName)
request['ClientChallenge'] = clientChallenge
return dce.request(request)
def hNetrServerAuthenticate3(dce, primaryName, accountName, secureChannelType, computerName, clientCredential, negotiateFlags):
request = NetrServerAuthenticate3()
request['PrimaryName'] = checkNullString(primaryName)
request['AccountName'] = checkNullString(accountName)
request['SecureChannelType'] = secureChannelType
request['ClientCredential'] = clientCredential
request['ComputerName'] = checkNullString(computerName)
request['NegotiateFlags'] = negotiateFlags
return dce.request(request)
def hDsrGetDcNameEx2(dce, computerName, accountName, allowableAccountControlBits, domainName, domainGuid, siteName, flags):
request = DsrGetDcNameEx2()
request['ComputerName'] = checkNullString(computerName)
request['AccountName'] = checkNullString(accountName)
request['AllowableAccountControlBits'] = allowableAccountControlBits
request['DomainName'] = checkNullString(domainName)
request['DomainGuid'] = domainGuid
request['SiteName'] = checkNullString(siteName)
request['Flags'] = flags
return dce.request(request)
def hDsrGetDcNameEx(dce, computerName, domainName, domainGuid, siteName, flags):
request = DsrGetDcNameEx()
request['ComputerName'] = checkNullString(computerName)
request['DomainName'] = checkNullString(domainName)
request['DomainGuid'] = domainGuid
request['SiteName'] = siteName
request['Flags'] = flags
return dce.request(request)
def hDsrGetDcName(dce, computerName, domainName, domainGuid, siteGuid, flags):
request = DsrGetDcName()
request['ComputerName'] = checkNullString(computerName)
request['DomainName'] = checkNullString(domainName)
request['DomainGuid'] = domainGuid
request['SiteGuid'] = siteGuid
request['Flags'] = flags
return dce.request(request)
def hNetrGetAnyDCName(dce, serverName, domainName):
request = NetrGetAnyDCName()
request['ServerName'] = checkNullString(serverName)
request['DomainName'] = checkNullString(domainName)
return dce.request(request)
def hNetrGetDCName(dce, serverName, domainName):
request = NetrGetDCName()
request['ServerName'] = checkNullString(serverName)
request['DomainName'] = checkNullString(domainName)
return dce.request(request)
def hDsrGetSiteName(dce, computerName):
request = DsrGetSiteName()
request['ComputerName'] = checkNullString(computerName)
return dce.request(request)
def hDsrGetDcSiteCoverageW(dce, serverName):
request = DsrGetDcSiteCoverageW()
request['ServerName'] = checkNullString(serverName)
return dce.request(request)
def hNetrServerAuthenticate2(dce, primaryName, accountName, secureChannelType, computerName, clientCredential, negotiateFlags):
request = NetrServerAuthenticate2()
request['PrimaryName'] = checkNullString(primaryName)
request['AccountName'] = checkNullString(accountName)
request['SecureChannelType'] = secureChannelType
request['ClientCredential'] = clientCredential
request['ComputerName'] = checkNullString(computerName)
request['NegotiateFlags'] = negotiateFlags
return dce.request(request)
def hNetrServerAuthenticate(dce, primaryName, accountName, secureChannelType, computerName, clientCredential):
request = NetrServerAuthenticate()
request['PrimaryName'] = checkNullString(primaryName)
request['AccountName'] = checkNullString(accountName)
request['SecureChannelType'] = secureChannelType
request['ClientCredential'] = clientCredential
request['ComputerName'] = checkNullString(computerName)
return dce.request(request)
def hNetrServerPasswordGet(dce, primaryName, accountName, accountType, computerName, authenticator):
request = NetrServerPasswordGet()
request['PrimaryName'] = checkNullString(primaryName)
request['AccountName'] = checkNullString(accountName)
request['AccountType'] = accountType
request['ComputerName'] = checkNullString(computerName)
request['Authenticator'] = authenticator
return dce.request(request)
def hNetrServerTrustPasswordsGet(dce, trustedDcName, accountName, secureChannelType, computerName, authenticator):
request = NetrServerTrustPasswordsGet()
request['TrustedDcName'] = checkNullString(trustedDcName)
request['AccountName'] = checkNullString(accountName)
request['SecureChannelType'] = secureChannelType
request['ComputerName'] = checkNullString(computerName)
request['Authenticator'] = authenticator
return dce.request(request)
def hNetrServerPasswordSet2(dce, primaryName, accountName, secureChannelType, computerName, authenticator, clearNewPasswordBlob):
request = NetrServerPasswordSet2()
request['PrimaryName'] = checkNullString(primaryName)
request['AccountName'] = checkNullString(accountName)
request['SecureChannelType'] = secureChannelType
request['ComputerName'] = checkNullString(computerName)
request['Authenticator'] = authenticator
request['ClearNewPassword'] = clearNewPasswordBlob
return dce.request(request)
def hNetrLogonGetDomainInfo(dce, serverName, computerName, authenticator, returnAuthenticator=0, level=1):
request = NetrLogonGetDomainInfo()
request['ServerName'] = checkNullString(serverName)
request['ComputerName'] = checkNullString(computerName)
request['Authenticator'] = authenticator
if returnAuthenticator == 0:
request['ReturnAuthenticator']['Credential'] = b'\x00'*8
request['ReturnAuthenticator']['Timestamp'] = 0
else:
request['ReturnAuthenticator'] = returnAuthenticator
request['Level'] = 1
if level == 1:
request['WkstaBuffer']['tag'] = 1
request['WkstaBuffer']['WorkstationInfo']['DnsHostName'] = NULL
request['WkstaBuffer']['WorkstationInfo']['SiteName'] = NULL
request['WkstaBuffer']['WorkstationInfo']['OsName'] = ''
request['WkstaBuffer']['WorkstationInfo']['Dummy1'] = NULL
request['WkstaBuffer']['WorkstationInfo']['Dummy2'] = NULL
request['WkstaBuffer']['WorkstationInfo']['Dummy3'] = NULL
request['WkstaBuffer']['WorkstationInfo']['Dummy4'] = NULL
else:
request['WkstaBuffer']['tag'] = 2
request['WkstaBuffer']['LsaPolicyInfo']['LsaPolicy'] = NULL
return dce.request(request)
def hNetrLogonGetCapabilities(dce, serverName, computerName, authenticator, returnAuthenticator=0, queryLevel=1):
request = NetrLogonGetCapabilities()
request['ServerName'] = checkNullString(serverName)
request['ComputerName'] = checkNullString(computerName)
request['Authenticator'] = authenticator
if returnAuthenticator == 0:
request['ReturnAuthenticator']['Credential'] = b'\x00'*8
request['ReturnAuthenticator']['Timestamp'] = 0
else:
request['ReturnAuthenticator'] = returnAuthenticator
request['QueryLevel'] = queryLevel
return dce.request(request)
def hNetrServerGetTrustInfo(dce, trustedDcName, accountName, secureChannelType, computerName, authenticator):
request = NetrServerGetTrustInfo()
request['TrustedDcName'] = checkNullString(trustedDcName)
request['AccountName'] = checkNullString(accountName)
request['SecureChannelType'] = secureChannelType
request['ComputerName'] = checkNullString(computerName)
request['Authenticator'] = authenticator
return dce.request(request)
Reference in New Issue View Git Blame Copy Permalink