coercer.network.rpc
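#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name : rpc.py
# Author : soier (@s0i37)
# Date created : 13 Jul 2023


import sys
import socket
from impacket.dcerpc.v5 import transport, epm
from impacket.uuid import uuidtup_to_bin
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY


def portmap_discover(target, port=135):
    """Query the DCE/RPC endpoint mapper on *target* and group its answer.

    Connects over ``ncacn_ip_tcp`` without setting any credentials, runs
    ``epm.hept_lookup`` on that connection and prints the TCP ports found.
    Everything returned is what the endpoint mapper discloses to a client
    that can reach ``port``, so filtering that port bounds the disclosure.

    Args:
        target: host name or address placed in the string binding.
        port: endpoint mapper port (default 135).

    Returns:
        ``{transport: {interface_uuid_str: set(endpoints)}}``. Endpoints are
        pipe names for ``ncacn_np``, ints for ``ncacn_ip_tcp``, the bracket
        contents for ``ncalrpc`` and the raw remainder of the binding for any
        other transport.

    Raises:
        Whatever ``dce.connect()`` or ``epm.hept_lookup`` raise; nothing is
        caught here.
    """
    stringBinding = r'ncacn_ip_tcp:%s[%d]' % (target, port)
    rpctransport = transport.DCERPCTransportFactory(stringBinding)
    dce = rpctransport.get_dce_rpc()
    dce.connect()

    endpoints = {}
    ports = set()
    try:
        for entry in epm.hept_lookup(None, dce=dce):
            floors = entry['tower']['Floors']
            binding = epm.PrintStringBinding(floors)
            uuid = str(floors[0])
            # Split on the first colon only, so an endpoint that itself
            # contains ':' no longer aborts the whole enumeration.
            _transport, dst = binding.split(":", 1)
            known = endpoints.setdefault(_transport, {}).setdefault(uuid, set())
            if _transport == "ncacn_np":
                dst = dst.split("[")[1].split("]")[0]
            elif _transport == "ncacn_ip_tcp":
                dst = int(dst.split("[")[1].split("]")[0])
                ports.add(dst)
            elif _transport == "ncalrpc":
                dst = dst[1:-1]
            known.add(dst)
    finally:
        # The connection was opened here, so it is released here as well;
        # a failing disconnect must not mask the lookup result or error.
        try:
            dce.disconnect()
        except Exception:
            pass

    print("[*] DCERPC portmapper discovered ports: %s" % ",".join(map(str, ports)))
    return endpoints


def is_port_open(target, port, verbose=False):
    """Try one TCP connection to ``target:port`` and report the outcome.

    No timeout is set on the socket, so the call blocks for as long as the
    platform's default connect behaviour allows.

    Args:
        target: host name or IPv4 address, resolved with
            ``socket.gethostbyname``.
        port: TCP port; converted with ``int()`` before connecting.
        verbose: when true, print progress and the error text.

    Returns:
        ``True`` if the connection was established, ``None`` (not ``False``)
        on any exception, including a failed resolution or a non-numeric
        port.
    """
    if verbose:
        # %s rather than %d: the port is only converted with int() inside the
        # try below, so a string port must not raise in verbose mode alone.
        print(" [>] Connecting to %s:%s ... " % (target, port), end="")
        sys.stdout.flush()
    # The context manager closes the socket on every path.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.connect((socket.gethostbyname(target), int(port)))
        except Exception as e:
            if verbose:
                print("\x1b[1;91mfail\x1b[0m")
                print(" [!] Something went wrong, check error status => %s" % str(e))
            return None
    if verbose:
        print("\x1b[1;92msuccess\x1b[0m")
    return True


def can_bind_to_interface_on_port(target, port, credentials, uuid, version, verbose=False):
    """Connect to ``target:port`` over ``ncacn_ip_tcp`` and try to bind an interface.

    Credentials and ``RPC_C_AUTHN_LEVEL_PKT_PRIVACY`` are set on the DCE
    object before connecting. The connection is closed before returning.

    Args:
        target: host name or address placed in the string binding.
        port: TCP port of the RPC endpoint (formatted with ``%d``).
        credentials: object exposing ``username``, ``password``, ``domain``,
            ``lmhash`` and ``nthash``.
        uuid: interface UUID string.
        version: interface version string.
        verbose: when true, print progress and the error text.

    Returns:
        ``False`` if the connection fails or the bind error text contains one
        of the known rejection markers; ``True`` if the bind succeeds.
        NOTE(review): a bind error that matches none of the markers also
        returns ``True``, so ``True`` means "not ruled out" rather than
        "bound" - confirm callers expect that.
    """
    # Substrings of the exception text that mean the interface cannot be used
    # on this endpoint; the trailing comments are sample messages.
    rejected_markers = (
        "STATUS_PIPE_DISCONNECTED",  # SMB SessionError: STATUS_PIPE_DISCONNECTED()
        "STATUS_OBJECT_NAME_NOT_FOUND",  # SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
        "STATUS_ACCESS_DENIED",  # SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} ...)
        "abstract_syntax_not_supported",  # Bind context 1 rejected: provider_rejection (usually the interface isn't listening on the given endpoint)
        "Unknown DCE RPC packet type received",  # Unknown DCE RPC packet type received: 11
        "Authentication type not recognized",  # DCERPC Runtime Error: code: 0x8 - Authentication type not recognized
    )

    ncacn_target = r'ncacn_ip_tcp:%s[%d]' % (target, port)
    rpctransport = transport.DCERPCTransportFactory(ncacn_target)
    dce = rpctransport.get_dce_rpc()
    dce.set_credentials(credentials.username, credentials.password, credentials.domain, credentials.lmhash, credentials.nthash, None)
    dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

    if verbose:
        print(" [>] Connecting to %s ... " % ncacn_target, end="")
        sys.stdout.flush()
    try:
        dce.connect()
    except Exception as e:
        if verbose:
            print("\x1b[1;91mfail\x1b[0m")
            print(" [!] Something went wrong, check error status => %s" % str(e))
        return False

    try:
        if verbose:
            print(" [>] Binding to <uuid='%s', version='%s'> ... " % (uuid, version), end="")
            sys.stdout.flush()
        try:
            dce.bind(uuidtup_to_bin((uuid, version)))
        except Exception as e:
            message = str(e)
            if verbose:
                print("\x1b[1;91mfail\x1b[0m")
                print(" [!] Something went wrong, check error status => %s" % message)
            return not any(marker in message for marker in rejected_markers)
        if verbose:
            print("\x1b[1;92msuccess\x1b[0m")
        return True
    finally:
        # Only a boolean leaves this function, so the connection is released
        # here; a failing disconnect must not change the result.
        try:
            dce.disconnect()
        except Exception:
            pass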
def
portmap_discover(target, port=135):
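def portmap_discover(target, port=135):
    """Query the DCE/RPC endpoint mapper on *target* and group its answer.

    Connects over ``ncacn_ip_tcp`` without setting any credentials, runs
    ``epm.hept_lookup`` on that connection and prints the TCP ports found.
    Everything returned is what the endpoint mapper discloses to a client
    that can reach ``port``, so filtering that port bounds the disclosure.

    Args:
        target: host name or address placed in the string binding.
        port: endpoint mapper port (default 135).

    Returns:
        ``{transport: {interface_uuid_str: set(endpoints)}}``. Endpoints are
        pipe names for ``ncacn_np``, ints for ``ncacn_ip_tcp``, the bracket
        contents for ``ncalrpc`` and the raw remainder of the binding for any
        other transport.

    Raises:
        Whatever ``dce.connect()`` or ``epm.hept_lookup`` raise; nothing is
        caught here.
    """
    stringBinding = r'ncacn_ip_tcp:%s[%d]' % (target, port)
    rpctransport = transport.DCERPCTransportFactory(stringBinding)
    dce = rpctransport.get_dce_rpc()
    dce.connect()

    endpoints = {}
    ports = set()
    try:
        for entry in epm.hept_lookup(None, dce=dce):
            floors = entry['tower']['Floors']
            binding = epm.PrintStringBinding(floors)
            uuid = str(floors[0])
            # Split on the first colon only, so an endpoint that itself
            # contains ':' no longer aborts the whole enumeration.
            _transport, dst = binding.split(":", 1)
            known = endpoints.setdefault(_transport, {}).setdefault(uuid, set())
            if _transport == "ncacn_np":
                dst = dst.split("[")[1].split("]")[0]
            elif _transport == "ncacn_ip_tcp":
                dst = int(dst.split("[")[1].split("]")[0])
                ports.add(dst)
            elif _transport == "ncalrpc":
                dst = dst[1:-1]
            known.add(dst)
    finally:
        # The connection was opened here, so it is released here as well;
        # a failing disconnect must not mask the lookup result or error.
        try:
            dce.disconnect()
        except Exception:
            pass

    print("[*] DCERPC portmapper discovered ports: %s" % ",".join(map(str, ports)))
    return endpoints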
def
is_port_open(target, port, verbose=False):
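def is_port_open(target, port, verbose=False):
    """Try one TCP connection to ``target:port`` and report the outcome.

    No timeout is set on the socket, so the call blocks for as long as the
    platform's default connect behaviour allows.

    Args:
        target: host name or IPv4 address, resolved with
            ``socket.gethostbyname``.
        port: TCP port; converted with ``int()`` before connecting.
        verbose: when true, print progress and the error text.

    Returns:
        ``True`` if the connection was established, ``None`` (not ``False``)
        on any exception, including a failed resolution or a non-numeric
        port.
    """
    if verbose:
        # %s rather than %d: the port is only converted with int() inside the
        # try below, so a string port must not raise in verbose mode alone.
        print(" [>] Connecting to %s:%s ... " % (target, port), end="")
        sys.stdout.flush()
    # The context manager closes the socket on every path.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.connect((socket.gethostbyname(target), int(port)))
        except Exception as e:
            if verbose:
                print("\x1b[1;91mfail\x1b[0m")
                print(" [!] Something went wrong, check error status => %s" % str(e))
            return None
    if verbose:
        print("\x1b[1;92msuccess\x1b[0m")
    return True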
def
can_bind_to_interface_on_port(target, port, credentials, uuid, version, verbose=False):
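def can_bind_to_interface_on_port(target, port, credentials, uuid, version, verbose=False):
    """Connect to ``target:port`` over ``ncacn_ip_tcp`` and try to bind an interface.

    Credentials and ``RPC_C_AUTHN_LEVEL_PKT_PRIVACY`` are set on the DCE
    object before connecting. The connection is closed before returning.

    Args:
        target: host name or address placed in the string binding.
        port: TCP port of the RPC endpoint (formatted with ``%d``).
        credentials: object exposing ``username``, ``password``, ``domain``,
            ``lmhash`` and ``nthash``.
        uuid: interface UUID string.
        version: interface version string.
        verbose: when true, print progress and the error text.

    Returns:
        ``False`` if the connection fails or the bind error text contains one
        of the known rejection markers; ``True`` if the bind succeeds.
        NOTE(review): a bind error that matches none of the markers also
        returns ``True``, so ``True`` means "not ruled out" rather than
        "bound" - confirm callers expect that.
    """
    # Substrings of the exception text that mean the interface cannot be used
    # on this endpoint; the trailing comments are sample messages.
    rejected_markers = (
        "STATUS_PIPE_DISCONNECTED",  # SMB SessionError: STATUS_PIPE_DISCONNECTED()
        "STATUS_OBJECT_NAME_NOT_FOUND",  # SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
        "STATUS_ACCESS_DENIED",  # SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} ...)
        "abstract_syntax_not_supported",  # Bind context 1 rejected: provider_rejection (usually the interface isn't listening on the given endpoint)
        "Unknown DCE RPC packet type received",  # Unknown DCE RPC packet type received: 11
        "Authentication type not recognized",  # DCERPC Runtime Error: code: 0x8 - Authentication type not recognized
    )

    ncacn_target = r'ncacn_ip_tcp:%s[%d]' % (target, port)
    rpctransport = transport.DCERPCTransportFactory(ncacn_target)
    dce = rpctransport.get_dce_rpc()
    dce.set_credentials(credentials.username, credentials.password, credentials.domain, credentials.lmhash, credentials.nthash, None)
    dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

    if verbose:
        print(" [>] Connecting to %s ... " % ncacn_target, end="")
        sys.stdout.flush()
    try:
        dce.connect()
    except Exception as e:
        if verbose:
            print("\x1b[1;91mfail\x1b[0m")
            print(" [!] Something went wrong, check error status => %s" % str(e))
        return False

    try:
        if verbose:
            print(" [>] Binding to <uuid='%s', version='%s'> ... " % (uuid, version), end="")
            sys.stdout.flush()
        try:
            dce.bind(uuidtup_to_bin((uuid, version)))
        except Exception as e:
            message = str(e)
            if verbose:
                print("\x1b[1;91mfail\x1b[0m")
                print(" [!] Something went wrong, check error status => %s" % message)
            return not any(marker in message for marker in rejected_markers)
        if verbose:
            print("\x1b[1;92msuccess\x1b[0m")
        return True
    finally:
        # Only a boolean leaves this function, so the connection is released
        # here; a failing disconnect must not change the result.
        try:
            dce.disconnect()
        except Exception:
            pass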