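# -*- Fundamental -*-
#
# (C) 2006 Tenable Network Security
#
# This script is released under one of the Tenable Script Licenses and may not
# be used from within scripts released under another license without the
# authorization from Tenable Network Security Inc.
#
# See the following licenses for details :
# http://www.nessus.org/plugins/RegisteredFeed.pdf
# http://www.nessus.org/plugins/TenableCommercial.pdf
# http://www.nessus.org/plugins/DirectFeed.pdf
# http://www.nessus.org/plugins/DirectFeedCommercial.pdf
#
# @NOGPL@
#
# smb_sam.inc
# $Revision: 1.3 $
#
#==================================================================#
# Section 6a. SAM API                                              #
#==================================================================#
#
# Every helper below takes/returns a "handle" triple :
#   handle[0] : 20-byte SAMR policy handle
#   handle[1] : FID of the bound \samr pipe
#   handle[2] : 1 if handle[0] is the server handle (SamConnect2),
#               0 for handles derived from it
# All helpers return NULL on any transport error, on an unexpected
# response size, or on a non-STATUS_SUCCESS NTSTATUS.

#---------------------------------------------------------#
# Function    : SamConnect2                               #
# Description : Binds to the remote \samr pipe and sends  #
#               SamrConnect2 for the current session host #
# Return      : ret[0] : SAM server handle                #
#               ret[1] : pipe FID                         #
#               ret[2] : 1 (server/pipe handle)           #
#               NULL on failure                           #
#---------------------------------------------------------#
function SamConnect2 ()
{
  local_var fid, ret, data, resp, rep;

  fid = bind_pipe (pipe:"\samr", uuid:"12345778-1234-abcd-ef00-0123456789ac", vers:1);
  if (isnull (fid))
    return NULL;

  # SamrConnect2 request :
  #   ServerName    : "\" + host name of the current session
  #   DesiredAccess : 0x30 = SAM_SERVER_ENUMERATE_DOMAINS | SAM_SERVER_LOOKUP_DOMAIN,
  #                   i.e. only the rights the enumerate/lookup helpers below need
  data = class_parameter (ref_id:0x00020000, name:"\"+session_get_hostname()) +
         raw_dword (d:0x30);

  data = dce_rpc_pipe_request (fid:fid, code:OPNUM_SAMCONNECT2, data:data);
  if (!data)
    return NULL;

  # response : policy handle (20 bytes) + NTSTATUS (dword) = 24 bytes
  rep = dce_rpc_parse_response (fid:fid, data:data);
  if (!rep || (strlen (rep) != 24))
    return NULL;

  resp = get_dword (blob:rep, pos:20);
  if (resp != STATUS_SUCCESS)
    return NULL;

  ret = NULL;
  ret[0] = substr (rep, 0, 19);
  ret[1] = fid;
  ret[2] = 1;

  return ret;
}

#---------------------------------------------------------#
# Function    : SamEnumerateDomainsInSamServer            #
# Description : SamrEnumerateDomainsInSamServer on the    #
#               server handle (single call, no resume)    #
# Return      : array of domain names, NULL on failure    #
#               or when the server returns no entry       #
#---------------------------------------------------------#
function SamEnumerateDomainsInSamServer (handle)
{
  local_var data, resp, rep, ret, count;
  local_var actual_count, name, pos, i;

  data = handle[0] +                # SAM server handle
         raw_dword (d:0) +          # EnumerationContext : start from the beginning
         raw_dword (d:0xFFFFFFFF);  # PreferedMaximumLength : no limit

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_SAMENUMDOM, data:data);
  if (!data)
    return NULL;

  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  if (!rep || (strlen (rep) < 24))
    return NULL;

  # NTSTATUS is the last dword of the response
  resp = get_dword (blob:rep, pos:strlen(rep)-4);
  if (resp != STATUS_SUCCESS)
    return NULL;

  # Fixed 20-byte header :
  #   0  EnumerationContext (resume handle)
  #   4  ref_id of the enumeration buffer
  #   8  entry count
  #   12 ref_id of the entry array
  #   16 max_count of the entry array
  # Only the entry count is needed here.
  count = get_dword (blob:rep, pos:8);

  # Each entry header is 12 bytes (RID + length/max length shorts + string ref_id);
  # the string bodies are marshalled after the count*12 headers, in order.
  pos = count * 12 + 20;

  ret = NULL;
  for (i = 0; i < count; i++)
  {
    # string body header : max_count (pos), offset (pos+4), actual_count (pos+8)
    if (strlen (rep) < pos + 12)
      return NULL;

    actual_count = get_dword (blob:rep, pos:pos+8);

    # actual_count is in characters; a unicode session carries 2 bytes per character
    if (session_is_unicode() == 1)
      actual_count = actual_count * 2;

    if (strlen(rep) < pos + 12 + actual_count)
      return NULL;

    name = get_string2 (blob:rep, pos:pos + 12, len:actual_count);
    pos += actual_count + 12;

    # string bodies are padded to a 4-byte boundary
    while ((actual_count % 4) != 0)
    {
      actual_count++;
      pos++;
    }

    ret[i] = name;
  }

  return ret;
}

#---------------------------------------------------------#
# Function    : SamLookupDomainInSamServer                #
# Description : SamrLookupDomainInSamServer : resolves a  #
#               domain name to its SID                    #
# Return      : raw domain SID (24 bytes), NULL on failure#
#---------------------------------------------------------#
function SamLookupDomainInSamServer (handle, domain)
{
  local_var data, resp, rep;

  data = handle[0] +   # SAM server handle
         class_parameter (ref_id:0x00020000, name:domain, size:TRUE, _null:FALSE);  # domain name

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_SAMLOOKUP, data:data);
  if (!data)
    return NULL;

  # response : ref_id (4) + sub-authority count (4) + SID (24) + NTSTATUS (4) = 36.
  # The fixed size only matches a SID with 4 sub-authorities (the usual
  # S-1-5-21-x-y-z domain SID); anything else is rejected.
  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  if (!rep || (strlen (rep) != 36))
    return NULL;

  resp = get_dword (blob:rep, pos:strlen(rep)-4);
  if (resp != STATUS_SUCCESS)
    return NULL;

  # everything between the 8-byte prefix and the trailing NTSTATUS
  return substr(rep, 8, strlen(rep)-5);
}

#---------------------------------------------------------#
# Function    : SamOpenDomain                             #
# Description : SamrOpenDomain on the given domain SID    #
# Args        : handle : server handle triple             #
#               sid    : raw SID as returned by           #
#                        SamLookupDomainInSamServer       #
#               access : desired access mask              #
# Return      : ret[0] : domain handle                    #
#               ret[1] : FID                              #
#               ret[2] : 0 (derived handle)               #
#               NULL on failure                           #
#---------------------------------------------------------#
function SamOpenDomain (handle, sid, access)
{
  local_var data, resp, rep, ret;

  data = handle[0] +                   # SAM server handle
         raw_dword (d:access) +        # DesiredAccess
         raw_dword (d:ord(sid[1])) +   # sub-authority count (byte 1 of the SID)
         sid;                          # the SID itself

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_SAMOPENDOM, data:data);
  if (!data)
    return NULL;

  # response : policy handle (20 bytes) + NTSTATUS (dword) = 24 bytes
  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  if (!rep || (strlen (rep) != 24))
    return NULL;

  resp = get_dword (blob:rep, pos:20);
  if (resp != STATUS_SUCCESS)
    return NULL;

  ret = NULL;
  ret[0] = substr (rep, 0, 19);
  ret[1] = handle[1];
  ret[2] = 0;

  return ret;
}

#---------------------------------------------------------#
# Function    : SamLookupNamesInDomain                    #
# Description : SamrLookupNamesInDomain for a single name #
# Args        : handle : domain handle triple             #
#               user   : account name to resolve          #
# Return      : RID of the name, NULL on failure          #
#                                                         #
# Note        : only one name is supported (not an array) #
#---------------------------------------------------------#
function SamLookupNamesInDomain (handle, user)
{
  local_var data, resp, rep;

  data = handle[0] +             # domain handle
         raw_dword (d:1) +       # Count
         raw_dword (d:1000) +    # max count of the Names array
         raw_dword (d:0) +       # offset
         raw_dword (d:1) +       # actual count
         class_parameter (ref_id:0x00020000, name:user, size:TRUE, _null:FALSE);  # Names[0]

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_SAMLOOKUPNAME, data:data);
  if (!data)
    return NULL;

  # response (36 bytes) : RelativeIds array header (count, ref_id, max_count) then
  # the RID at offset 12, followed by the Use array and the NTSTATUS at offset 32
  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  if (!rep || (strlen (rep) != 36))
    return NULL;

  resp = get_dword (blob:rep, pos:32);
  if (resp != STATUS_SUCCESS)
    return NULL;

  return get_dword (blob:rep, pos:12);
}

#---------------------------------------------------------#
# Function    : SamOpen                                   #
# Description : Generic "open object by RID" request      #
#               (SamrOpenUser / SamrOpenGroup /           #
#               SamrOpenAlias share the same wire format) #
# Args        : handle : domain handle triple             #
#               rid    : relative id of the object        #
#               access : desired access mask              #
#               code   : opnum selecting the object type  #
# Return      : ret[0] : object handle                    #
#               ret[1] : FID                              #
#               ret[2] : 0 (derived handle)               #
#               NULL on failure                           #
#---------------------------------------------------------#
function SamOpen (handle, rid, access, code)
{
  local_var data, resp, rep, ret;

  data = handle[0] +             # domain handle
         raw_dword (d:access) +  # DesiredAccess
         raw_dword (d:rid);      # RID of the object to open

  data = dce_rpc_pipe_request (fid:handle[1], code:code, data:data);
  if (!data)
    return NULL;

  # response : policy handle (20 bytes) + NTSTATUS (dword) = 24 bytes
  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  if (!rep || (strlen (rep) != 24))
    return NULL;

  resp = get_dword (blob:rep, pos:20);
  if (resp != STATUS_SUCCESS)
    return NULL;

  ret = NULL;
  ret[0] = substr (rep, 0, 19);
  ret[1] = handle[1];
  ret[2] = 0;

  return ret;
}

#---------------------------------------------------------#
# Function    : SamOpenUser                               #
# Description : SamrOpenUser on the given user RID        #
# Return      : handle triple (see SamOpen), NULL on error#
#---------------------------------------------------------#
function SamOpenUser (handle, rid, access)
{
  return SamOpen (handle:handle, rid:rid, access:access, code:OPNUM_SAMOPENUSER);
}

#---------------------------------------------------------#
# Function    : SamOpenGroup                              #
# Description : SamrOpenGroup on the given group RID      #
# Return      : handle triple (see SamOpen), NULL on error#
#---------------------------------------------------------#
function SamOpenGroup (handle, rid, access)
{
  return SamOpen (handle:handle, rid:rid, access:access, code:OPNUM_SAMOPENGROUP);
}

#---------------------------------------------------------#
# Function    : SamOpenAlias                              #
# Description : SamrOpenAlias on the given alias RID.     #
#               Same wire format as user/group, so it is  #
#               routed through SamOpen like the others    #
# Return      : handle triple (see SamOpen), NULL on error#
#---------------------------------------------------------#
function SamOpenAlias (handle, rid, access)
{
  return SamOpen (handle:handle, rid:rid, access:access, code:OPNUM_SAMOPENALIAS);
}

#---------------------------------------------------------#
# Function    : SamGetGroupsForUser                       #
# Description : return user groups                        #
# Return      : array of rid                              #
#---------------------------------------------------------#
function SamGetGroupsForUser (handle)
{
  local_var data, resp, rep, ret, len, i, pos, ref_id, count, max_count;

  data = handle[0] ;

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_SAMGETGROUPS, data:data);
  if (!data) return NULL;

  # response structure :
  # Policy handle (20 bytes)
  # return code (dword)

  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  if (!rep || (strlen (rep) < 20)) return NULL;

  # NOTE(review): strlen(rep-4) looks like a typo for strlen(rep)-4 (the
  # NTSTATUS is the last dword, as in the other helpers) — confirm and fix.
  resp = get_dword (blob:rep, pos:strlen(rep-4));
  if (resp != STATUS_SUCCESS) return NULL;

  ref_id = get_dword (blob:rep, pos:0);
  count = get_dword (blob:rep, pos:4);
  ref_id = get_dword (blob:rep, pos:8);
  max_count = get_dword (blob:rep, pos:12);

  pos = 16;

  if (strlen(rep) < pos + count * 8 + 4) return NULL;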