1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
#!/usr/bin/python
import sys, os, string
from cmd import Cmd
from optparse import OptionParser
import dcerpc, samr
class rpcclient(Cmd):
prompt = 'rpcclient$ '
def __init__(self, binding, domain, username, password):
Cmd.__init__(self)
self.binding = binding
self.domain = domain
self.username = username
self.password = password
def emptyline(self):
# Default for empty line is to repeat last command - yuck
pass
def onecmd(self, line):
# Override the onecmd() method so we can trap error returns
try:
Cmd.onecmd(self, line)
except dcerpc.NTSTATUS, arg:
print 'The command returned an error: %s' % arg[1]
# Command handlers
def do_help(self, line):
"""Displays on-line help for rpcclient commands."""
Cmd.do_help(self, line)
def do_shell(self, line):
status = os.system(line)
if os.WIFEXITED(status):
if os.WEXITSTATUS(status) != 0:
print 'Command exited with code %d' % os.WEXITSTATUS(status)
else:
print 'Command exited with signal %d' % os.WTERMSIG(status)
def do_EOF(self, line):
"""Exits rpcclient."""
print
sys.exit(0)
# SAMR pipe commands
def do_SamrEnumDomains(self, line):
"""Enumerate domain names."""
usage = 'usage: SamrEnumDomains'
if line != '':
print usage
return
pipe = dcerpc.pipe_connect(
self.binding,
dcerpc.DCERPC_SAMR_UUID, dcerpc.DCERPC_SAMR_VERSION,
self.domain, self.username, self.password)
connect_handle = samr.Connect(pipe)
for i in connect_handle.EnumDomains():
print i
def do_SamrLookupDomain(self, line):
"""Return the SID for a domain."""
usage = 'SamrLookupDomain DOMAIN'
parser = OptionParser(usage)
options, args = parser.parse_args(string.split(line))
if len(args) != 1:
print 'usage:', usage
return
pipe = dcerpc.pipe_connect(
self.binding,
dcerpc.DCERPC_SAMR_UUID, dcerpc.DCERPC_SAMR_VERSION,
self.domain, self.username, self.password)
connect_handle = samr.Connect(pipe)
print connect_handle.LookupDomain(args[0])
if __name__ == '__main__':
# Parse command line
usage = 'rpcclient BINDING [options]'
if len(sys.argv) == 1:
print usage
sys.exit(1)
binding = sys.argv[1]
del(sys.argv[1])
if string.find(binding, ':') == -1:
binding = 'ncacn_np:' + binding
parser = OptionParser(usage)
parser.add_option('-U', '--username', action='store', type='string',
help='Use given credentials when connecting',
metavar='DOMAIN\\username%password',
dest='username')
parser.add_option('-c', '--command', action='store', type='string',
help='Execute COMMAND', dest='command')
options, args = parser.parse_args()
# Break --username up into domain, usernamd and password
if not options.username:
options.username = '%'
domain = ''
if string.find(options.username, '\\') != -1:
domain, options.username = string.split(options.username, '\\')
password = ''
if string.find(options.username, '%') != -1:
options.username, password = string.split(options.username, '%')
username = options.username
# Run command loop
c = rpcclient(binding, domain, username, password)
if options.command:
c.onecmd(options.command)
sys.exit(0)
while 1:
try:
c.cmdloop()
except KeyboardInterrupt:
print 'KeyboardInterrupt'
|
