Updated secretsdump.py code for Windows 2003 DC support
parent
258a76b054
commit
dcfa80ba5b
|
@ -621,10 +621,10 @@ class RemoteOperations:
|
||||||
|
|
||||||
request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL
|
request['pmsgIn']['V8']['pUpToDateVecDest'] = NULL
|
||||||
|
|
||||||
request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_PER_SYNC
|
request['pmsgIn']['V8']['ulFlags'] = drsuapi.DRS_INIT_SYNC | drsuapi.DRS_WRIT_REP
|
||||||
request['pmsgIn']['V8']['cMaxObjects'] = 1
|
request['pmsgIn']['V8']['cMaxObjects'] = 1
|
||||||
request['pmsgIn']['V8']['cMaxBytes'] = 0
|
request['pmsgIn']['V8']['cMaxBytes'] = 0
|
||||||
request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ | drsuapi.EXOP_REPL_SECRETS
|
request['pmsgIn']['V8']['ulExtendedOp'] = drsuapi.EXOP_REPL_OBJ
|
||||||
request['pmsgIn']['V8']['pPartialAttrSet'] = NULL
|
request['pmsgIn']['V8']['pPartialAttrSet'] = NULL
|
||||||
request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL
|
request['pmsgIn']['V8']['pPartialAttrSetEx1'] = NULL
|
||||||
request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = NULL
|
request['pmsgIn']['V8']['PrefixTableDest']['pPrefixEntry'] = NULL
|
||||||
|
@ -648,6 +648,12 @@ class RemoteOperations:
|
||||||
resp = e.get_packet()
|
resp = e.get_packet()
|
||||||
return resp
|
return resp
|
||||||
|
|
||||||
|
def ridToSid(self, rid):
|
||||||
|
if self.__samr is None:
|
||||||
|
self.connectSamr(self.getMachineNameAndDomain()[1])
|
||||||
|
resp = samr.hSamrRidToSid(self.__samr, self.__domainHandle , rid)
|
||||||
|
return resp['Sid']
|
||||||
|
|
||||||
def getMachineNameAndDomain(self):
|
def getMachineNameAndDomain(self):
|
||||||
if self.__smbConnection.getServerName() == '':
|
if self.__smbConnection.getServerName() == '':
|
||||||
# No serverName.. this is either because we're doing Kerberos
|
# No serverName.. this is either because we're doing Kerberos
|
||||||
|
@ -1402,8 +1408,13 @@ class NTDSHashes:
|
||||||
for user in resp['Buffer']['Buffer']:
|
for user in resp['Buffer']['Buffer']:
|
||||||
userName = user['Name']
|
userName = user['Name']
|
||||||
|
|
||||||
# Let's crack the user name into DS_FQDN_1779_NAME
|
userSid = self.__remoteOps.ridToSid(user['RelativeId'])
|
||||||
crackedName = self.__remoteOps.DRSCrackNames(drsuapi.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN, name = userName)
|
|
||||||
|
# Let's crack the user sid into DS_FQDN_1779_NAME
|
||||||
|
# In theory I shouldn't need to crack the sid. Instead
|
||||||
|
# I could use it when calling DRSGetNCChanges inside the DSNAME parameter.
|
||||||
|
# For some reason tho, I get ERROR_DS_DRA_BAD_DN when doing so.
|
||||||
|
crackedName = self.__remoteOps.DRSCrackNames(drsuapi.DS_NAME_FORMAT.DS_SID_OR_SID_HISTORY_NAME, drsuapi.DS_NAME_FORMAT.DS_FQDN_1779_NAME, name = userSid.formatCanonical())
|
||||||
|
|
||||||
if crackedName['pmsgOut']['V1']['pResult']['cItems'] == 1:
|
if crackedName['pmsgOut']['V1']['pResult']['cItems'] == 1:
|
||||||
userRecord = self.__remoteOps.DRSGetNCChanges(crackedName['pmsgOut']['V1']['pResult']['rItems'][0]['pName'][:-1])
|
userRecord = self.__remoteOps.DRSGetNCChanges(crackedName['pmsgOut']['V1']['pResult']['rItems'][0]['pName'][:-1])
|
||||||
|
|
Loading…
Reference in New Issue