
  1#!/usr/bin/env python3
  2# -*- coding: utf-8 -*-
  3# File name          : rpc.py
  4# Author             : soier (@s0i37)
  5# Date created       : 13 Jul 2023
  6
  7
  8import sys
  9import socket
 10from impacket.dcerpc.v5 import transport, epm
 11from impacket.uuid import uuidtup_to_bin
 12from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
 13
 14
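def portmap_discover(target, port=135):
    """Enumerate the DCERPC endpoint mapper of ``target`` over TCP.

    Connects to the endpoint mapper (``ncacn_ip_tcp``, default port 135),
    runs an endpoint lookup and groups every advertised endpoint by
    transport and interface UUID.

    Args:
        target: Hostname or IP address of the endpoint mapper.
        port: TCP port of the endpoint mapper (default 135).

    Returns:
        ``{transport: {uuid: {endpoint, ...}}}`` where ``endpoint`` is the
        pipe name for ``ncacn_np``, the TCP port (``int``) for
        ``ncacn_ip_tcp``, the bare port name for ``ncalrpc`` and the raw
        string for any other transport.

    Raises:
        Whatever impacket raises when the connection or the lookup fails;
        the caller decides how to report it.
    """
    string_binding = r'ncacn_ip_tcp:%s[%d]' % (target, port)
    rpctransport = transport.DCERPCTransportFactory(string_binding)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    try:
        entries = epm.hept_lookup(None, dce=dce)
    finally:
        # hept_lookup does not close a connection it was handed; the lookup
        # is the only thing this session is needed for.
        dce.disconnect()

    endpoints = {}
    ports = set()
    for entry in entries:
        floors = entry['tower']['Floors']
        binding = epm.PrintStringBinding(floors)
        uuid = str(floors[0])
        # Split on the first ':' only, so an endpoint address that itself
        # contains colons cannot break the unpacking.
        _transport, _, dst = binding.partition(":")
        endpoint = _parse_endpoint(_transport, dst)
        if endpoint is None:
            # The mapper response is remote, untrusted data: a single
            # malformed entry should not abort the whole enumeration.
            continue
        if _transport == "ncacn_ip_tcp":
            ports.add(endpoint)
        endpoints.setdefault(_transport, {}).setdefault(uuid, set()).add(endpoint)
    print("[*] DCERPC portmapper discovered ports: %s" % ",".join(map(str, sorted(ports))))
    return endpoints


def _parse_endpoint(transport_name, dst):
    """Extract the endpoint part of one string binding for ``transport_name``.

    Args:
        transport_name: The protocol sequence, e.g. ``"ncacn_np"``.
        dst: The remainder of the string binding after the first ``:``.

    Returns:
        The pipe name (``ncacn_np``), the port as ``int`` (``ncacn_ip_tcp``),
        the name without its brackets (``ncalrpc``), ``dst`` unchanged for
        other transports, or ``None`` when ``dst`` is not shaped as expected.
    """
    try:
        if transport_name == "ncacn_np":
            return dst.split("[")[1].split("]")[0]
        if transport_name == "ncacn_ip_tcp":
            return int(dst.split("[")[1].split("]")[0])
        if transport_name == "ncalrpc":
            return dst[1:-1]
    except (IndexError, ValueError):
        return None
    return dst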
 42
 43
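def is_port_open(target, port, verbose=False, timeout=None):
    """Check whether a TCP connection to ``target:port`` can be established.

    Args:
        target: Hostname or IP address to probe.
        port: TCP port number.
        verbose: Print progress and, on failure, the error message.
        timeout: Optional connect timeout in seconds. ``None`` (the default)
            keeps the previous behaviour of blocking until the OS gives up,
            which on a filtered port can take a long time.

    Returns:
        ``True`` when the connection succeeded, ``None`` otherwise (kept
        rather than ``False`` for callers that only test truthiness).
    """
    if verbose:
        print("         [>] Connecting to %s:%d ... " % (target, port), end="")
        sys.stdout.flush()
    try:
        # create_connection resolves the name and applies the timeout; the
        # ``with`` closes the socket on every path, including exceptions.
        with socket.create_connection((target, int(port)), timeout=timeout):
            pass
    except (OSError, ValueError, TypeError) as e:
        if verbose:
            print("\x1b[1;91mfail\x1b[0m")
            print("      [!] Something went wrong, check error status => %s" % str(e))
        return None
    if verbose:
        print("\x1b[1;92msuccess\x1b[0m")
    return True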
 62
 63
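def can_bind_to_interface_on_port(target, port, credentials, uuid, version, verbose=False):
    """Try to bind to DCERPC interface ``uuid``/``version`` on ``target:port``.

    Opens an authenticated ``ncacn_ip_tcp`` session with the supplied
    credentials at packet-privacy authentication level and issues a bind
    for the interface. The session is torn down before returning.

    Args:
        target: Hostname or IP address of the RPC server.
        port: TCP port the interface is expected to listen on.
        credentials: Object exposing ``username``, ``password``, ``domain``,
            ``lmhash`` and ``nthash`` attributes.
        uuid: Interface UUID as a string.
        version: Interface version string, e.g. ``"1.0"``.
        verbose: Print progress and error details.

    Returns:
        ``False`` when the transport connection fails or the bind error is
        one of the well-known "interface not available here" errors.
        ``True`` when the bind succeeds, and also when the bind fails with
        an error this function does not recognise: that fallback is kept
        from the original logic so an unexpected error does not hide an
        interface, so callers should read ``True`` as "probably bindable",
        not as proof.
    """
    # Bind errors known to mean the interface is not reachable on this endpoint.
    failure_markers = (
        "STATUS_PIPE_DISCONNECTED",               # SMB SessionError: STATUS_PIPE_DISCONNECTED()
        "STATUS_OBJECT_NAME_NOT_FOUND",           # SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(...)
        "STATUS_ACCESS_DENIED",                   # SMB SessionError: STATUS_ACCESS_DENIED(...)
        "abstract_syntax_not_supported",          # bind context rejected: interface not listening here
        "Unknown DCE RPC packet type received",   # e.g. "Unknown DCE RPC packet type received: 11"
        "Authentication type not recognized",     # DCERPC Runtime Error: code: 0x8
    )

    ncacn_target = r'ncacn_ip_tcp:%s[%d]' % (target, port)
    rpctransport = transport.DCERPCTransportFactory(ncacn_target)
    dce = rpctransport.get_dce_rpc()
    dce.set_credentials(credentials.username, credentials.password, credentials.domain,
                        credentials.lmhash, credentials.nthash, None)
    # Packet privacy: the authenticated bind is integrity-protected and encrypted.
    dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

    if verbose:
        print("         [>] Connecting to %s ... " % ncacn_target, end="")
        sys.stdout.flush()
    try:
        dce.connect()
    except Exception as e:
        if verbose:
            print("\x1b[1;91mfail\x1b[0m")
            print("      [!] Something went wrong, check error status => %s" % str(e))
        return False

    try:
        if verbose:
            print("         [>] Binding to <uuid='%s', version='%s'> ... " % (uuid, version), end="")
            sys.stdout.flush()
        try:
            dce.bind(uuidtup_to_bin((uuid, version)))
        except Exception as e:
            if verbose:
                print("\x1b[1;91mfail\x1b[0m")
                print("         [!] Something went wrong, check error status => %s" % str(e))
            err = str(e)
            # Known failures -> False; anything else -> True (see docstring).
            return not any(marker in err for marker in failure_markers)
        if verbose:
            print("\x1b[1;92msuccess\x1b[0m")
        return True
    finally:
        # Best-effort teardown: only the bind result is needed, and leaving
        # the TCP session open would leak one socket per probed endpoint.
        try:
            dce.disconnect()
        except Exception:
            pass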