python/samba/emulate/traffic_packets.py

   1 # Dispatch for various request types.
   2 #
   3 # Copyright (C) Catalyst IT Ltd. 2017
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18 import os
  19 import ctypes
  20 import random
  21
  22 from samba.net import Net
  23 from samba.dcerpc import security, drsuapi, nbt, lsa, netlogon, ntlmssp
  24 from samba.dcerpc.netlogon import netr_WorkstationInformation
  25 from samba.dcerpc.security import dom_sid
  26 from samba.netbios import Node
  27 from samba.ndr import ndr_pack
  28 from samba.credentials import (
  29     CLI_CRED_NTLMv2_AUTH,
  30     MUST_USE_KERBEROS,
  31     DONT_USE_KERBEROS
  32 )
  33 from samba import NTSTATUSError
  34 from samba.ntstatus import (
  35     NT_STATUS_OBJECT_NAME_NOT_FOUND,
  36     NT_STATUS_NO_SUCH_DOMAIN
  37 )
  38 from samba.dcerpc.misc import SEC_CHAN_WKSTA
  39 import samba
  40 samba.ensure_third_party_module("dns", "dnspython")
  41 import dns.resolver
  42
  43 def uint32(v):
  44     return ctypes.c_uint32(v).value
  45
  46
  47 def check_runtime_error(runtime, val):
  48     if runtime is None:
  49         return False
  50
  51     err32 = uint32(runtime[0])
  52     if err32 == val:
  53         return True
  54
  55     return False
  56
  57
  58 name_formats = [
  59     drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
  60     drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
  61     drsuapi.DRSUAPI_DS_NAME_FORMAT_DISPLAY,
  62     drsuapi.DRSUAPI_DS_NAME_FORMAT_GUID,
  63     drsuapi.DRSUAPI_DS_NAME_FORMAT_CANONICAL,
  64     drsuapi.DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
  65     drsuapi.DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
  66     drsuapi.DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
  67     drsuapi.DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
  68     drsuapi.DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN,
  69     drsuapi.DRSUAPI_DS_NAME_FORMAT_UPN_AND_ALTSECID,
  70     drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX,
  71     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_GLOBAL_CATALOG_SERVERS,
  72     drsuapi.DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON,
  73     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_WITH_DCS_IN_SITE,
  74     drsuapi.DRSUAPI_DS_NAME_FORMAT_STRING_SID_NAME,
  75     drsuapi.DRSUAPI_DS_NAME_FORMAT_ALT_SECURITY_IDENTITIES_NAME,
  76     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_NCS,
  77     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_DOMAINS,
  78     drsuapi.DRSUAPI_DS_NAME_FORMAT_MAP_SCHEMA_GUID,
  79     drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN,
  80     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_ROLES,
  81     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_INFO_FOR_SERVER,
  82     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_FOR_DOMAIN_IN_SITE,
  83     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_DOMAINS_IN_SITE,
  84     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_IN_SITE,
  85     drsuapi.DRSUAPI_DS_NAME_FORMAT_LIST_SITES,
  86 ]
  87
  88
  89 def warning(message):
  90     print("\033[37;41;1m" "Warning: %s" "\033[00m" % (message))
  91
  92 ###############################################################################
  93 #
  94 # Packet generation functions:
  95 #
  96 # All the packet generation functions have the following form:
  97 #  packet_${protocol}_${opcode}(packet, conversation, context)
  98 #
  99 #  The functions return true, if statistics should be collected for the packet
 100 #                      false, the packet has been ignored.
 101 #
 102 # Where:
 103 #   protocol is the protocol, i.e. cldap, dcerpc, ...
 104 #   opcode   is the protocol op code i.e. type of the packet to be
 105 #            generated.
 106 #
 107 #   packet contains data about the captured/generated packet
 108 #          provides any extra data needed to generate the packet
 109 #
 110 #   conversation Details of the current client/server interaction
 111 #
 112 #   context state data for the current interaction
 113 #
 114 #
 115 #
 116 # The following protocols are not currently handled:
 117 #     smb
 118 #     smb2
 119 #     browser
 120 #     smb_netlogon
 121 #
 122 # The following drsuapi replication packets are currently ignored:
 123 #     DsReplicaSync
 124 #     DsGetNCChanges
 125 #     DsReplicaUpdateRefs
 126
 127
 128 # Packet generators that do NOTHING are assigned to the null_packet
 129 # function which allows the conversation generators to notice this and
 130 # avoid a whole lot of pointless work.
 131 def null_packet(packet, conversation, context):
 132     return False
 133
 134
 135 def packet_cldap_3(packet, conversation, context):
 136     # searchRequest
 137     net = Net(creds=context.creds, lp=context.lp)
 138     net.finddc(domain=context.lp.get('realm'),
 139                flags=(nbt.NBT_SERVER_LDAP |
 140                       nbt.NBT_SERVER_DS |
 141                       nbt.NBT_SERVER_WRITABLE))
 142     return True
 143
 144
 145 packet_cldap_5 = null_packet
 146 # searchResDone
 147
 148 packet_dcerpc_0  = null_packet
 149 # Request
 150 # Can be ignored, it's the continuation of an existing conversation
 151
 152 packet_dcerpc_2 = null_packet
 153 # Request
 154 # Server response, so should be ignored
 155
 156 packet_dcerpc_3 = null_packet
 157
 158 packet_dcerpc_11 = null_packet
 159 # Bind
 160 # creation of the rpc dcerpc connection is managed by the higher level
 161 # protocol drivers. So we ignore it when generating traffic
 162
 163
 164 packet_dcerpc_12 = null_packet
 165 # Bind_ack
 166 # Server response, so should be ignored
 167
 168
 169 packet_dcerpc_13 = null_packet
 170 # Bind_nak
 171 # Server response, so should be ignored
 172
 173
 174 packet_dcerpc_14 = null_packet
 175 # Alter_context
 176 # Generated as part of the connect process
 177
 178
 179 def packet_dcerpc_15(packet, conversation, context):
 180     # Alter_context_resp
 181     # This means it was GSSAPI/krb5 (probably)
 182     # Check the kerberos_state and issue a diagnostic if kerberos not enabled
 183     if context.user_creds.get_kerberos_state() == DONT_USE_KERBEROS:
 184         warning("Kerberos disabled but have dcerpc Alter_context_resp "
 185                 "indicating Kerberos was used")
 186     return False
 187
 188
 189 def packet_dcerpc_16(packet, conversation, context):
 190     # AUTH3
 191     # This means it was NTLMSSP
 192     # Check the kerberos_state and issue a diagnostic if kerberos enabled
 193     if context.user_creds.get_kerberos_state() == MUST_USE_KERBEROS:
 194         warning("Kerberos enabled but have dcerpc AUTH3 "
 195                 "indicating NTLMSSP was used")
 196     return False
 197
 198
 199 def packet_dns_0(packet, conversation, context):
 200     # query
 201     name, rtype = context.guess_a_dns_lookup()
 202     dns.resolver.query(name, rtype)
 203     return True
 204
 205
 206 packet_dns_1 = null_packet
 207 # response
 208 # Server response, so should be ignored
 209
 210
 211 def packet_drsuapi_0(packet, conversation, context):
 212     # DsBind
 213     context.get_drsuapi_connection_pair(True)
 214     return True
 215
 216
 217 NAME_FORMATS = [getattr(drsuapi, _x) for _x in dir(drsuapi)
 218                 if 'NAME_FORMAT' in _x]
 219
 220
 221 def packet_drsuapi_12(packet, conversation, context):
 222     # DsCrackNames
 223     drs, handle = context.get_drsuapi_connection_pair()
 224
 225     names = drsuapi.DsNameString()
 226     names.str = context.server
 227
 228     req = drsuapi.DsNameRequest1()
 229     req.format_flags = 0
 230     req.format_offered = 7
 231     req.format_desired = random.choice(name_formats)
 232     req.codepage = 1252
 233     req.language = 1033  # German, I think
 234     req.format_flags = 0
 235     req.count = 1
 236     req.names = [names]
 237
 238     (result, ctr) = drs.DsCrackNames(handle, 1, req)
 239     return True
 240
 241
 242 def packet_drsuapi_13(packet, conversation, context):
 243     # DsWriteAccountSpn
 244     req = drsuapi.DsWriteAccountSpnRequest1()
 245     req.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_ADD
 246     (drs, handle) = context.get_drsuapi_connection_pair()
 247     (level, res) = drs.DsWriteAccountSpn(handle, 1, req)
 248     return True
 249
 250
 251 def packet_drsuapi_1(packet, conversation, context):
 252     # DsUnbind
 253     (drs, handle) = context.get_drsuapi_connection_pair()
 254     drs.DsUnbind(handle)
 255     del context.drsuapi_connections[-1]
 256     return True
 257
 258
 259 packet_drsuapi_2 = null_packet
 260 # DsReplicaSync
 261 # This is between DCs, triggered on a DB change
 262 # Ignoring for now
 263
 264
 265 packet_drsuapi_3 = null_packet
 266 # DsGetNCChanges
 267 # This is between DCs, trigger with DB operation,
 268 # or DsReplicaSync between DCs.
 269 # Ignoring for now
 270
 271
 272 packet_drsuapi_4 = null_packet
 273 # DsReplicaUpdateRefs
 274 # Ignoring for now
 275
 276
 277 packet_epm_3 = null_packet
 278 # Map
 279 # Will be generated by higher level protocol calls
 280
 281
 282 def packet_kerberos_(packet, conversation, context):
 283     # Use the presence of kerberos packets as a hint to enable kerberos
 284     # for the rest of the conversation.
 285     # i.e. kerberos packets are not explicitly generated.
 286     context.user_creds.set_kerberos_state(MUST_USE_KERBEROS)
 287     context.user_creds_bad.set_kerberos_state(MUST_USE_KERBEROS)
 288     context.machine_creds.set_kerberos_state(MUST_USE_KERBEROS)
 289     context.machine_creds_bad.set_kerberos_state(MUST_USE_KERBEROS)
 290     context.creds.set_kerberos_state(MUST_USE_KERBEROS)
 291     return False
 292
 293
 294 packet_ldap_ = null_packet
 295 # Unknown
 296 # The ldap payload was probably encrypted so just ignore it.
 297
 298
 299 def packet_ldap_0(packet, conversation, context):
 300     # bindRequest
 301     if packet.extra[5] == "simple":
 302         # Perform a simple bind.
 303         context.get_ldap_connection(new=True, simple=True)
 304     else:
 305         # Perform a sasl bind.
 306         context.get_ldap_connection(new=True, simple=False)
 307     return True
 308
 309
 310 packet_ldap_1 = null_packet
 311 # bindResponse
 312 # Server response ignored for traffic generation
 313
 314
 315 def packet_ldap_2(packet, conversation, context):
 316     # unbindRequest
 317     # pop the last one off -- most likely we're in a bind/unbind ping.
 318     del context.ldap_connections[-1:]
 319     return False
 320
 321
 322 def packet_ldap_3(packet, conversation, context):
 323     # searchRequest
 324
 325     (scope, dn_sig, filter, attrs, extra, desc, oid) = packet.extra
 326     if not scope:
 327         scope = 0
 328
 329     samdb = context.get_ldap_connection()
 330     dn = context.get_matching_dn(dn_sig)
 331
 332     samdb.search(dn,
 333                  scope=int(scope),
 334                  attrs=attrs.split(','),
 335                  controls=["paged_results:1:1000"])
 336     return True
 337
 338
 339 packet_ldap_4 = null_packet
 340 # searchResEntry
 341 # Server response ignored for traffic generation
 342
 343
 344 packet_ldap_5 = null_packet
 345 # Server response ignored for traffic generation
 346
 347 packet_ldap_6 = null_packet
 348
 349 packet_ldap_7 = null_packet
 350
 351 packet_ldap_8 = null_packet
 352
 353 packet_ldap_9 = null_packet
 354
 355 packet_ldap_16 = null_packet
 356
 357 packet_lsarpc_0 = null_packet
 358 # lsarClose
 359
 360 packet_lsarpc_1 = null_packet
 361 # lsarDelete
 362
 363 packet_lsarpc_2 = null_packet
 364 # lsarEnumeratePrivileges
 365
 366 packet_lsarpc_3 = null_packet
 367 # LsarQuerySecurityObject
 368
 369 packet_lsarpc_4 = null_packet
 370 # LsarSetSecurityObject
 371
 372 packet_lsarpc_5 = null_packet
 373 # LsarChangePassword
 374
 375 packet_lsarpc_6 = null_packet
 376 # lsa_OpenPolicy
 377 # We ignore this, but take it as a hint that the lsarpc handle should
 378 # be over a named pipe.
 379 #
 380
 381
 382 def packet_lsarpc_14(packet, conversation, context):
 383     # lsa_LookupNames
 384     c = context.get_lsarpc_named_pipe_connection()
 385
 386     objectAttr = lsa.ObjectAttribute()
 387     pol_handle = c.OpenPolicy2(u'', objectAttr,
 388                                security.SEC_FLAG_MAXIMUM_ALLOWED)
 389
 390     sids  = lsa.TransSidArray()
 391     names = [lsa.String("This Organization"),
 392              lsa.String("Digest Authentication")]
 393     level = lsa.LSA_LOOKUP_NAMES_ALL
 394     count = 0
 395     c.LookupNames(pol_handle, names, sids, level, count)
 396     return True
 397
 398
 399 def packet_lsarpc_15(packet, conversation, context):
 400     # lsa_LookupSids
 401     c = context.get_lsarpc_named_pipe_connection()
 402
 403     objectAttr = lsa.ObjectAttribute()
 404     pol_handle = c.OpenPolicy2(u'', objectAttr,
 405                                security.SEC_FLAG_MAXIMUM_ALLOWED)
 406
 407     sids = lsa.SidArray()
 408     sid = lsa.SidPtr()
 409
 410     x = dom_sid("S-1-5-7")
 411     sid.sid = x
 412     sids.sids = [sid]
 413     sids.num_sids = 1
 414     names = lsa.TransNameArray()
 415     level = lsa.LSA_LOOKUP_NAMES_ALL
 416     count = 0
 417
 418     c.LookupSids(pol_handle, sids, names, level, count)
 419     return True
 420
 421
 422 def packet_lsarpc_39(packet, conversation, context):
 423     # lsa_QueryTrustedDomainInfoBySid
 424     # Samba does not support trusted domains, so this call is expected to fail
 425     #
 426     c = context.get_lsarpc_named_pipe_connection()
 427
 428     objectAttr = lsa.ObjectAttribute()
 429
 430     pol_handle = c.OpenPolicy2(u'', objectAttr,
 431                                security.SEC_FLAG_MAXIMUM_ALLOWED)
 432
 433     domsid = security.dom_sid(context.domain_sid)
 434     level = 1
 435     try:
 436         c.QueryTrustedDomainInfoBySid(pol_handle, domsid, level)
 437     except NTSTATUSError as error:
 438         # Object Not found is the expected result from samba,
 439         # while No Such Domain is the expected result from windows,
 440         # anything else is a failure.
 441         if not check_runtime_error(error, NT_STATUS_OBJECT_NAME_NOT_FOUND) \
 442                 and not check_runtime_error(error, NT_STATUS_NO_SUCH_DOMAIN):
 443             raise
 444     return True
 445
 446
 447 packet_lsarpc_40 = null_packet
 448 # lsa_SetTrustedDomainInfo
 449 # Not currently supported
 450
 451
 452 packet_lsarpc_43 = null_packet
 453 # LsaStorePrivateData
 454
 455
 456 packet_lsarpc_44 = null_packet
 457 # LsaRetrievePrivateData
 458
 459
 460 packet_lsarpc_68 = null_packet
 461 # LsarLookupNames3
 462
 463
 464 def packet_lsarpc_76(packet, conversation, context):
 465     # lsa_LookupSids3
 466     c = context.get_lsarpc_connection()
 467     sids = lsa.SidArray()
 468     sid = lsa.SidPtr()
 469     # Need a set
 470     x = dom_sid("S-1-5-7")
 471     sid.sid = x
 472     sids.sids = [sid]
 473     sids.num_sids = 1
 474     names = lsa.TransNameArray2()
 475     level = lsa.LSA_LOOKUP_NAMES_ALL
 476     count = 0
 477     lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
 478     client_revision = lsa.LSA_CLIENT_REVISION_2
 479     c.LookupSids3(sids, names, level, count, lookup_options, client_revision)
 480     return True
 481
 482
 483 def packet_lsarpc_77(packet, conversation, context):
 484     # lsa_LookupNames4
 485     c = context.get_lsarpc_connection()
 486     sids  = lsa.TransSidArray3()
 487     names = [lsa.String("This Organization"),
 488              lsa.String("Digest Authentication")]
 489     level = lsa.LSA_LOOKUP_NAMES_ALL
 490     count = 0
 491     lookup_options = lsa.LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES
 492     client_revision = lsa.LSA_CLIENT_REVISION_2
 493     c.LookupNames4(names, sids, level, count, lookup_options, client_revision)
 494     return True
 495
 496
 497 def packet_nbns_0(packet, conversation, context):
 498     # query
 499     n = Node()
 500     try:
 501         n.query_name("ANAME", context.server, timeout=4, broadcast=False)
 502     except:
 503         pass
 504     return True
 505
 506
 507 packet_nbns_1 = null_packet
 508 # response
 509 # Server response, not generated by the client
 510
 511
 512 packet_rpc_netlogon_0 = null_packet
 513
 514 packet_rpc_netlogon_1 = null_packet
 515
 516 packet_rpc_netlogon_4 = null_packet
 517 # NetrServerReqChallenge
 518 # generated by higher level protocol drivers
 519 # ignored for traffic generation
 520
 521 packet_rpc_netlogon_14 = null_packet
 522
 523 packet_rpc_netlogon_15 = null_packet
 524
 525 packet_rpc_netlogon_21 = null_packet
 526 # NetrLogonDummyRoutine1
 527 # Used to determine security settings. Triggered from schannel setup
 528 # So no need for an explicit generator
 529
 530
 531 packet_rpc_netlogon_26 = null_packet
 532 # NetrServerAuthenticate3
 533 # Triggered from schannel set up, no need for an explicit generator
 534
 535
 536 def packet_rpc_netlogon_29(packet, conversation, context):
 537     # NetrLogonGetDomainInfo [531]
 538     c = context.get_netlogon_connection()
 539     (auth, succ) = context.get_authenticator()
 540     query = netr_WorkstationInformation()
 541
 542     c.netr_LogonGetDomainInfo(context.server,
 543                               context.netbios_name,
 544                               auth,
 545                               succ,
 546                               2,      # TODO are there other values?
 547                               query)
 548     return True
 549
 550
 551 def packet_rpc_netlogon_30(packet, conversation, context):
 552     # NetrServerPasswordSet2
 553     c = context.get_netlogon_connection()
 554     (auth, succ) = context.get_authenticator()
 555     DATA_LEN = 512
 556     # Set the new password to the existing password, this generates the same
 557     # work load as a new value, and leaves the account password intact for
 558     # subsequent runs
 559     newpass = context.machine_creds.get_password().encode('utf-16-le')
 560     pwd_len = len(newpass)
 561     filler  = [ord(x) for x in os.urandom(DATA_LEN - pwd_len)]
 562     pwd = netlogon.netr_CryptPassword()
 563     pwd.length = pwd_len
 564     pwd.data = filler + [ord(x) for x in newpass]
 565     context.machine_creds.encrypt_netr_crypt_password(pwd)
 566     c.netr_ServerPasswordSet2(context.server,
 567                               context.machine_creds.get_workstation(),
 568                               SEC_CHAN_WKSTA,
 569                               context.netbios_name,
 570                               auth,
 571                               pwd)
 572     return True
 573
 574
 575 packet_rpc_netlogon_34 = null_packet
 576
 577
 578 def packet_rpc_netlogon_39(packet, conversation, context):
 579     # NetrLogonSamLogonEx [4331]
 580     def connect(creds):
 581         c = context.get_netlogon_connection()
 582
 583         # Disable Kerberos in cli creds to extract NTLM response
 584         old_state = creds.get_kerberos_state()
 585         creds.set_kerberos_state(DONT_USE_KERBEROS)
 586
 587         logon = samlogon_logon_info(context.domain,
 588                                     context.netbios_name,
 589                                     creds)
 590         logon_level = netlogon.NetlogonNetworkTransitiveInformation
 591         validation_level = netlogon.NetlogonValidationSamInfo4
 592         netr_flags = 0
 593         c.netr_LogonSamLogonEx(context.server,
 594                                context.machine_creds.get_workstation(),
 595                                logon_level,
 596                                logon,
 597                                validation_level,
 598                                netr_flags)
 599
 600         creds.set_kerberos_state(old_state)
 601
 602     context.last_samlogon_bad =\
 603         context.with_random_bad_credentials(connect,
 604                                             context.user_creds,
 605                                             context.user_creds_bad,
 606                                             context.last_samlogon_bad)
 607     return True
 608
 609
 610 def samlogon_target(domain_name, computer_name):
 611     target_info = ntlmssp.AV_PAIR_LIST()
 612     target_info.count = 3
 613     computername = ntlmssp.AV_PAIR()
 614     computername.AvId = ntlmssp.MsvAvNbComputerName
 615     computername.Value = computer_name
 616
 617     domainname = ntlmssp.AV_PAIR()
 618     domainname.AvId = ntlmssp.MsvAvNbDomainName
 619     domainname.Value = domain_name
 620
 621     eol = ntlmssp.AV_PAIR()
 622     eol.AvId = ntlmssp.MsvAvEOL
 623     target_info.pair = [domainname, computername, eol]
 624
 625     return ndr_pack(target_info)
 626
 627
 628 def samlogon_logon_info(domain_name, computer_name, creds):
 629
 630     target_info_blob = samlogon_target(domain_name, computer_name)
 631
 632     challenge = b"abcdefgh"
 633     # User account under test
 634     response = creds.get_ntlm_response(flags=CLI_CRED_NTLMv2_AUTH,
 635                                        challenge=challenge,
 636                                        target_info=target_info_blob)
 637
 638     logon = netlogon.netr_NetworkInfo()
 639
 640     logon.challenge     = [ord(x) for x in challenge]
 641     logon.nt            = netlogon.netr_ChallengeResponse()
 642     logon.nt.length     = len(response["nt_response"])
 643     logon.nt.data       = [ord(x) for x in response["nt_response"]]
 644     logon.identity_info = netlogon.netr_IdentityInfo()
 645
 646     (username, domain)  = creds.get_ntlm_username_domain()
 647     logon.identity_info.domain_name.string  = domain
 648     logon.identity_info.account_name.string = username
 649     logon.identity_info.workstation.string  = creds.get_workstation()
 650
 651     return logon
 652
 653
 654 def packet_rpc_netlogon_40(packet, conversation, context):
 655     # DsrEnumerateDomainTrusts
 656     c = context.get_netlogon_connection()
 657     c.netr_DsrEnumerateDomainTrusts(
 658         context.server,
 659         netlogon.NETR_TRUST_FLAG_IN_FOREST |
 660         netlogon.NETR_TRUST_FLAG_OUTBOUND  |
 661         netlogon.NETR_TRUST_FLAG_INBOUND)
 662     return True
 663
 664
 665 def packet_rpc_netlogon_45(packet, conversation, context):
 666     # NetrLogonSamLogonWithFlags [7]
 667     def connect(creds):
 668         c = context.get_netlogon_connection()
 669         (auth, succ) = context.get_authenticator()
 670
 671         # Disable Kerberos in cli creds to extract NTLM response
 672         old_state = creds.get_kerberos_state()
 673         creds.set_kerberos_state(DONT_USE_KERBEROS)
 674
 675         logon = samlogon_logon_info(context.domain,
 676                                     context.netbios_name,
 677                                     creds)
 678         logon_level = netlogon.NetlogonNetworkTransitiveInformation
 679         validation_level = netlogon.NetlogonValidationSamInfo4
 680         netr_flags = 0
 681         c.netr_LogonSamLogonWithFlags(context.server,
 682                                       context.machine_creds.get_workstation(),
 683                                       auth,
 684                                       succ,
 685                                       logon_level,
 686                                       logon,
 687                                       validation_level,
 688                                       netr_flags)
 689
 690         creds.set_kerberos_state(old_state)
 691
 692     context.last_samlogon_bad =\
 693         context.with_random_bad_credentials(connect,
 694                                             context.user_creds,
 695                                             context.user_creds_bad,
 696                                             context.last_samlogon_bad)
 697     return True
 698
 699
 700 def packet_samr_0(packet, conversation, context):
 701     # Open
 702     c = context.get_samr_context()
 703     c.get_handle()
 704     return True
 705
 706
 707 def packet_samr_1(packet, conversation, context):
 708     # Close
 709     c = context.get_samr_context()
 710     s = c.get_connection()
 711     # close the last opened handle, may not always be accurate
 712     # but will do for load simulation
 713     if c.user_handle is not None:
 714         s.Close(c.user_handle)
 715         c.user_handle = None
 716     elif c.group_handle is not None:
 717         s.Close(c.group_handle)
 718         c.group_handle = None
 719     elif c.domain_handle is not None:
 720         s.Close(c.domain_handle)
 721         c.domain_handle = None
 722         c.rids          = None
 723     elif c.handle is not None:
 724         s.Close(c.handle)
 725         c.handle     = None
 726         c.domain_sid = None
 727     return True
 728
 729
 730 def packet_samr_3(packet, conversation, context):
 731     # QuerySecurity
 732     c = context.get_samr_context()
 733     s = c.get_connection()
 734     if c.user_handle is None:
 735         packet_samr_34(packet, conversation, context)
 736     s.QuerySecurity(c.user_handle, 1)
 737     return True
 738
 739
 740 def packet_samr_5(packet, conversation, context):
 741     # LookupDomain
 742     c = context.get_samr_context()
 743     s = c.get_connection()
 744     h = c.get_handle()
 745     d = lsa.String()
 746     d.string = context.domain
 747     c.domain_sid = s.LookupDomain(h, d)
 748     return True
 749
 750
 751 def packet_samr_6(packet, conversation, context):
 752     # EnumDomains
 753     c = context.get_samr_context()
 754     s = c.get_connection()
 755     h = c.get_handle()
 756     s.EnumDomains(h, 0, 0)
 757     return True
 758
 759
 760 def packet_samr_7(packet, conversation, context):
 761     # OpenDomain
 762     c = context.get_samr_context()
 763     s = c.get_connection()
 764     h = c.get_handle()
 765     if c.domain_sid is None:
 766         packet_samr_5(packet, conversation, context)
 767
 768     c.domain_handle = s.OpenDomain(h,
 769                                    security.SEC_FLAG_MAXIMUM_ALLOWED,
 770                                    c.domain_sid)
 771     return True
 772
 773
 774 SAMR_QUERY_DOMAIN_INFO_LEVELS = [8, 12]
 775
 776
 777 def packet_samr_8(packet, conversation, context):
 778     # QueryDomainInfo [228]
 779     c = context.get_samr_context()
 780     s = c.get_connection()
 781     if c.domain_handle is None:
 782         packet_samr_7(packet, conversation, context)
 783     level = random.choice(SAMR_QUERY_DOMAIN_INFO_LEVELS)
 784     s.QueryDomainInfo(c.domain_handle, level)
 785     return True
 786
 787
 788 packet_samr_14 = null_packet
 789 # CreateDomainAlias
 790 # Ignore these for now.
 791
 792
 793 def packet_samr_15(packet, conversation, context):
 794     # EnumDomainAliases
 795     c = context.get_samr_context()
 796     s = c.get_connection()
 797     if c.domain_handle is None:
 798         packet_samr_7(packet, conversation, context)
 799
 800     s.EnumDomainAliases(c.domain_handle, 100, 0)
 801     return True
 802
 803
 804 def packet_samr_16(packet, conversation, context):
 805     # GetAliasMembership
 806     c = context.get_samr_context()
 807     s = c.get_connection()
 808     if c.domain_handle is None:
 809         packet_samr_7(packet, conversation, context)
 810
 811     sids = lsa.SidArray()
 812     sid  = lsa.SidPtr()
 813     sid.sid = c.domain_sid
 814     sids.sids = [sid]
 815     s.GetAliasMembership(c.domain_handle, sids)
 816     return True
 817
 818
 819 def packet_samr_17(packet, conversation, context):
 820     # LookupNames
 821     c = context.get_samr_context()
 822     s = c.get_connection()
 823     if c.domain_handle is None:
 824         packet_samr_7(packet, conversation, context)
 825
 826     name = lsa.String(context.username)
 827     c.rids = s.LookupNames(c.domain_handle, [name])
 828     return True
 829
 830
 831 def packet_samr_18(packet, conversation, context):
 832     # LookupRids
 833     c = context.get_samr_context()
 834     s = c.get_connection()
 835     if c.rids is None:
 836         packet_samr_17(packet, conversation, context)
 837     rids = []
 838     for r in c.rids:
 839         for i in r.ids:
 840             rids.append(i)
 841     s.LookupRids(c.domain_handle, rids)
 842     return True
 843
 844
 845 def packet_samr_19(packet, conversation, context):
 846     # OpenGroup
 847     c = context.get_samr_context()
 848     s = c.get_connection()
 849     if c.domain_handle is None:
 850         packet_samr_7(packet, conversation, context)
 851
 852     rid = 0x202  # Users I think.
 853     c.group_handle = s.OpenGroup(c.domain_handle,
 854                                  security.SEC_FLAG_MAXIMUM_ALLOWED,
 855                                  rid)
 856     return True
 857
 858
 859 def packet_samr_25(packet, conversation, context):
 860     # QueryGroupMember
 861     c = context.get_samr_context()
 862     s = c.get_connection()
 863     if c.group_handle is None:
 864         packet_samr_19(packet, conversation, context)
 865     s.QueryGroupMember(c.group_handle)
 866     return True
 867
 868
 869 def packet_samr_34(packet, conversation, context):
 870     # OpenUser
 871     c = context.get_samr_context()
 872     s = c.get_connection()
 873     if c.rids is None:
 874         packet_samr_17(packet, conversation, context)
 875     c.user_handle = s.OpenUser(c.domain_handle,
 876                                security.SEC_FLAG_MAXIMUM_ALLOWED,
 877                                c.rids[0].ids[0])
 878     return True
 879
 880
 881 def packet_samr_36(packet, conversation, context):
 882     # QueryUserInfo
 883     c = context.get_samr_context()
 884     s = c.get_connection()
 885     if c.user_handle is None:
 886         packet_samr_34(packet, conversation, context)
 887     level = 1
 888     s.QueryUserInfo(c.user_handle, level)
 889     return True
 890
 891
 892 packet_samr_37 = null_packet
 893
 894
 895 def packet_samr_39(packet, conversation, context):
 896     # GetGroupsForUser
 897     c = context.get_samr_context()
 898     s = c.get_connection()
 899     if c.user_handle is None:
 900         packet_samr_34(packet, conversation, context)
 901     s.GetGroupsForUser(c.user_handle)
 902     return True
 903
 904
 905 packet_samr_40 = null_packet
 906
 907 packet_samr_44 = null_packet
 908
 909
 910 def packet_samr_57(packet, conversation, context):
 911     # Connect2
 912     c = context.get_samr_context()
 913     c.get_handle()
 914     return True
 915
 916
 917 def packet_samr_64(packet, conversation, context):
 918     # Connect5
 919     c = context.get_samr_context()
 920     c.get_handle()
 921     return True
 922
 923
 924 packet_samr_68 = null_packet
 925
 926
 927 def packet_srvsvc_16(packet, conversation, context):
 928     # NetShareGetInfo
 929     s = context.get_srvsvc_connection()
 930     server_unc = "\\\\" + context.server
 931     share_name = "netlogon"
 932     level = 1
 933     s.NetShareGetInfo(server_unc, share_name, level)
 934     return True
 935
 936
 937 def packet_srvsvc_21(packet, conversation, context):
 938     """NetSrvGetInfo
 939
 940     FIXME: Level changed from 102 to 101 here, to bypass Windows error.
 941
 942     Level 102 will cause WERR_ACCESS_DENIED error against Windows, because:
 943
 944         > If the level is 102 or 502, the Windows implementation checks whether
 945         > the caller is a member of one of the groups previously mentioned or
 946         > is a member of the Power Users local group.
 947
 948     It passed against Samba since this check is not implemented by Samba yet.
 949
 950     refer to:
 951
 952         https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_80
 953
 954     """
 955     srvsvc = context.get_srvsvc_connection()
 956     server_unc = "\\\\" + context.server
 957     level = 101
 958     srvsvc.NetSrvGetInfo(server_unc, level)
 959     return True