How to use the impacket.dcerpc.v5.dtypes.NULL function in impacket
To help you get started, we’ve selected a few impacket examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
ropnop / impacket_static_binaries / tests / SMB_RPC / test_lsat.py View on Github 
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(lsat.MSRPC_UUID_LSAT, transfer_syntax = self.ts)
request = lsat.LsarOpenPolicy2()
request['SystemName'] = NULL
request['ObjectAttributes']['RootDirectory'] = NULL
request['ObjectAttributes']['ObjectName'] = NULL
request['ObjectAttributes']['SecurityDescriptor'] = NULL
request['ObjectAttributes']['SecurityQualityOfService'] = NULL
request['DesiredAccess'] = MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES
resp = dce.request(request)
return dce, rpctransport, resp['PolicyHandle']def test_hRpcEnumPrinters(self):
dce, rpctransport = self.connect()
resp = rprn.hRpcEnumPrinters(dce, rprn.PRINTER_ENUM_LOCAL, NULL, 1)
hexdump(b''.join(resp['pPrinterEnum']))def hLsarLookupSids2(dce, policyHandle, sids, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
request = LsarLookupSids2()
request['PolicyHandle'] = policyHandle
request['SidEnumBuffer']['Entries'] = len(sids)
for sid in sids:
itemn = LSAPR_SID_INFORMATION()
itemn['Sid'].fromCanonical(sid)
request['SidEnumBuffer']['SidInfo'].append(itemn)
request['TranslatedNames']['Names'] = NULL
request['LookupLevel'] = lookupLevel
request['LookupOptions'] = lookupOptions
request['ClientRevision'] = clientRevision
return dce.request(request)def __wmiExec(self, command):
# Convert command to wmi exec friendly format
command = command.replace('%COMSPEC%', 'cmd.exe')
username, password, domain, lmhash, nthash, aesKey, _, _ = self.__smbConnection.getCredentials()
dcom = DCOMConnection(self.__smbConnection.getRemoteHost(), username, password, domain, lmhash, nthash, aesKey,
oxidResolver=False, doKerberos=self.__doKerberos, kdcHost=self.__kdcHost)
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
iWbemServices= iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
iWbemLevel1Login.RemRelease()
win32Process,_ = iWbemServices.GetObject('Win32_Process')
win32Process.Create(command, '\\', None)
dcom.disconnect()request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
request['pmsgIn']['V8']['cMaxObjects'] = 1
request['pmsgIn']['V8']['cMaxBytes'] = 0
request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
if self.__ppartialAttrSet is None:
self.__prefixTable = []
self.__ppartialAttrSet = drsuapi.PARTIAL_ATTR_VECTOR_V1_EXT()
self.__ppartialAttrSet['dwVersion'] = 1
self.__ppartialAttrSet['cAttrs'] = len(NTDSHashes.ATTRTYP_TO_ATTID)
for attId in NTDSHashes.ATTRTYP_TO_ATTID.values():
self.__ppartialAttrSet['rgPartialAttr'].append(drsuapi.MakeAttid(self.__prefixTable , attId))
request['pmsgIn']['V8']['pPartialAttrSet'] = self.__ppartialAttrSet
request['pmsgIn']['V8']['PrefixTableDest']['PrefixCount'] = len(self.__prefixTable)
request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = self.__prefixTable
request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL
return self.__drsr.request(request)def hOpenCurrentConfig(dce, samDesired = MAXIMUM_ALLOWED):
request = OpenCurrentConfig()
request['ServerName'] = NULL
request['samDesired'] = samDesired
return dce.request(request)LOG.error('Automation Server does not support type information for this object')
return {}
iTypeInfo = iInterface.GetTypeInfo()
iTypeAttr = iTypeInfo.GetTypeAttr()
for x in range(iTypeAttr['ppTypeAttr']['cFuncs']):
funcDesc = iTypeInfo.GetFuncDesc(x)
names = iTypeInfo.GetNames(funcDesc['ppFuncDesc']['memid'], 255)
print names['rgBstrNames'][0]['asData']
funcDesc.dump()
print '='*80
if names['pcNames'] > 0:
name = names['rgBstrNames'][0]['asData']
methods[name] = {}
for param in range(1, names['pcNames']):
methods[name][names['rgBstrNames'][param]['asData']] = ''
if funcDesc['ppFuncDesc']['elemdescFunc'] != NULL:
methods[name]['ret'] = funcDesc['ppFuncDesc']['elemdescFunc']['tdesc']['vt']
return methodslogging.info("SMBv2.1 dialect used")
else:
logging.info("SMBv3.0 dialect used")
else:
smbConnection = None
dcom = DCOMConnection(addr, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,
self.__aesKey, oxidResolver=True, doKerberos=self.__doKerberos, kdcHost=self.__kdcHost)
try:
iInterface = dcom.CoCreateInstanceEx(string_to_bin('49B2791A-B1AE-4C90-9B8E-E860BA07F889'), IID_IDispatch)
iMMC = IDispatch(iInterface)
resp = iMMC.GetIDsOfNames(('Document',))
dispParams = DISPPARAMS(None, False)
dispParams['rgvarg'] = NULL
dispParams['rgdispidNamedArgs'] = NULL
dispParams['cArgs'] = 0
dispParams['cNamedArgs'] = 0
resp = iMMC.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])
iDocument = IDispatch(self.getInterface(iMMC, resp['pVarResult']['_varUnion']['pdispVal']['abData']))
resp = iDocument.GetIDsOfNames(('ActiveView',))
resp = iDocument.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])
iActiveView = IDispatch(self.getInterface(iMMC, resp['pVarResult']['_varUnion']['pdispVal']['abData']))
pExecuteShellCommand = iActiveView.GetIDsOfNames(('ExecuteShellCommand',))[0]
pQuit = iMMC.GetIDsOfNames(('Quit',))[0]
self.shell = RemoteShell(self.__share, (iMMC, pQuit), (iActiveView, pExecuteShellCommand), smbConnection)
if self.__command != ' ':logging.info("SMBv1 dialect used")
elif dialect == SMB2_DIALECT_002:
logging.info("SMBv2.0 dialect used")
elif dialect == SMB2_DIALECT_21:
logging.info("SMBv2.1 dialect used")
else:
logging.info("SMBv3.0 dialect used")
else:
smbConnection = None
dcom = DCOMConnection(addr, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,
self.__aesKey, oxidResolver=True, doKerberos=self.__doKerberos, kdcHost=self.__kdcHost)
try:
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
iWbemServices= iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
iWbemLevel1Login.RemRelease()
win32Process,_ = iWbemServices.GetObject('Win32_Process')
self.shell = RemoteShell(self.__share, win32Process, smbConnection)
if self.__command != ' ':
self.shell.onecmd(self.__command)
else:
self.shell.cmdloop()
except (Exception, KeyboardInterrupt) as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error(str(e))
if smbConnection is not None:
smbConnection.logoff()def checkNullString(string):
if string == NULL:
return string
if string[-1:] != '\x00':
return string + '\x00'
else:
return stringimpacket
Network protocols Constructors and Dissectors
Package Health Score
80 / 100Popular impacket functions
- impacket.dcerpc.v5.dcomrt.DCOMANSWER
- impacket.dcerpc.v5.dcomrt.DCOMCALL
- impacket.dcerpc.v5.dtypes.NULL
- impacket.dcerpc.v5.ndr.NDRCALL
- impacket.dcerpc.v5.ndr.NDRPOINTER
- impacket.dcerpc.v5.ndr.NDRSTRUCT
- impacket.dcerpc.v5.ndr.NDRUniConformantArray
- impacket.dcerpc.v5.scmr
- impacket.dcerpc.v5.scmr.hRCloseServiceHandle
- impacket.dcerpc.v5.transport.DCERPCTransportFactory
- impacket.LOG
- impacket.LOG.debug
- impacket.LOG.error
- impacket.LOG.info
- impacket.smb
- impacket.smb.SMB
- impacket.smb.SMBCommand
- impacket.smbconnection.SMBConnection
- impacket.structure.Structure
- impacket.uuid.uuidtup_to_bin